From: alex-bsd <alex-bsd@yandex.ru>
Date: Sun, 3 Jul 2005 21:50:48 +0400 (MSD)
To: freebsd-pf@freebsd.org
Subject: PF & BLOCK MP3 (AVI)

I am an adherent of BSD systems; in recent times I have passed from IPFW to using PF, having liked its other useful and interesting opportunities in a Firewall, more convenient syntax and many more.

I wish to offer the PF developers to add new (IMHO very necessary and convenient) functionality!

In iptables it is possible to block, by means of the Firewall, the uploading of files (.mp3, .avi and others), to limit access to porno resources and other undesirable traffic. It would be very desirable that PF also was able to do similar.

At present, for blocking the uploading of "unnecessary" files I use Squid. Personally, I need Squid only for the solution of the problem described above. With pleasure I would refuse the use of Squid if this opportunity were realized in PF.

P.S. I understand that, possibly, the addition of this function will cause huge work and global changes in the Firewall code.

P.P.S. Sorry for my bad English.
From: Andrew Thompson <thompsa@FreeBSD.org>
Date: Sun, 3 Jul 2005 18:27:19 GMT
To: petrisimolin@petrisimolin.FreeBSD.ORG, thompsa@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: ia64/81284: Unaligned Reference with pf on 5.4/IA64

Synopsis: Unaligned Reference with pf on 5.4/IA64

State-Changed-From-To: open->patched
State-Changed-By: thompsa
State-Changed-When: Sun Jul 3 18:26:29 GMT 2005
State-Changed-Why:
Both patches committed to HEAD.

http://www.freebsd.org/cgi/query-pr.cgi?pr=81284
From: FreeBSD bugmaster <owner-bugmaster@freebsd.org>
Date: Mon, 4 Jul 2005 11:02:21 GMT
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
p [2005/05/19] ia64/81284 pf    Unaligned Reference with pf on 5.4/IA64
o [2005/06/15] kern/82271 pf    cbq scheduler cause bad latency

2 problems total.

Non-critical problems

S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
f [2005/02/09] kern/77308 pf    ALTQ doesn't seem to be working on tun0
o [2005/05/15] conf/81042 pf    /etc/pf.os doesn't match FreeBSD 5.3->5.4

2 problems total.
From: Christopher McGee <chris@xecu.net>
Date: Tue, 05 Jul 2005 11:38:17 -0400
To: freebsd-pf@freebsd.org
Subject: carp still not working

I still haven't gotten carp working properly. I am hoping someone on this list has some insight for me. I have 2 machines in a test environment; the carp0 interface on the machines will not become master. The config is as follows:

test1# ifconfig
em0: flags=8943 mtu 1500
        options=b
        inet 192.168.1.252 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::230:48ff:fe82:a77c%em0 prefixlen 64 scopeid 0x1
        ether 00:30:48:82:a7:7c
        media: Ethernet autoselect (100baseTX )
        status: active
em1: flags=8943 mtu 1500
        options=b
        inet 10.10.10.2 netmask 0xfffffff8 broadcast 10.10.10.7
        inet6 fe80::230:48ff:fe82:a77d%em1 prefixlen 64 scopeid 0x2
        ether 00:30:48:82:a7:7d
        media: Ethernet autoselect (100baseTX )
        status: active
carp0: flags=41 mtu 1500
        inet 192.168.1.10 netmask 0xffffff00
        carp: BACKUP vhid 1 advbase 1 advskew 0
carp1: flags=41 mtu 1500
        inet 10.10.10.1 netmask 0xfffffff8
        carp: MASTER vhid 2 advbase 1 advskew 0

test2# ifconfig
em0: flags=8943 mtu 1500
        options=b
        inet 192.168.1.253 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::230:48ff:fe80:21bc%em0 prefixlen 64 scopeid 0x1
        ether 00:30:48:80:21:bc
        media: Ethernet autoselect (100baseTX )
        status: active
em1: flags=8943 mtu 1500
        options=b
        inet 10.10.10.3 netmask 0xfffffff8 broadcast 10.10.10.7
        inet6 fe80::230:48ff:fe80:21bd%em1 prefixlen 64 scopeid 0x2
        ether 00:30:48:80:21:bd
        media: Ethernet autoselect (100baseTX )
        status: active
carp0: flags=41 mtu 1500
        inet 192.168.1.10 netmask 0xffffff00
        carp: BACKUP vhid 1 advbase 1 advskew 100
carp1: flags=41 mtu 1500
        inet 10.10.10.1 netmask 0xfffffff8
        carp: BACKUP vhid 2 advbase 1 advskew 100

Both test1 and test2 have these sysctl variables:

net.inet.carp.allow: 1
net.inet.carp.preempt: 1
net.inet.carp.log: 1
net.inet.carp.arpbalance: 0

The carp1 interface seems to operate properly. I can't get either box to become master for 192.168.1.10. If I do a tcpdump on the em0 interface on the boxes, I see multicast traffic out on em0 on test1, and I see multicast traffic from test1 on em0 of test2. The only firewall rules are pass in all and pass out all.

On test1 (should be the master):

> netstat -ssp carp
carp:
        40572 packets received (IPv4)
        326 discarded for bad vhid
        160550 packets sent (IPv4)

On test2 (the backup):

> netstat -ssp carp
carp:
        134298 packets received (IPv4)

I'm hoping someone out here can help, because this is driving me crazy, and I can not even think about this for a production environment if I can't get it working in a very simple test setup.

Thanks,
Chris
From: R A <bsdboxes@gmail.com>
Date: Tue, 5 Jul 2005 14:59:47 -0400
To: freebsd-pf@freebsd.org
Subject: Bad State question

I've read through some of pf.c in order to attempt to figure out what the state failure | 5 was, since it wasn't a really helpful number, and as the C code means very little to me, I'm still at a loss.

At the end of this email, I do state what I hope to find out, or what I am asking for.

First, the output from PF, complaining:
===============================
Jul 5 14:52:54 www1 kernel: pf: BAD state: TCP dest_host
Jul 5 14:52:54 www1 kernel: :443 dest_host:443 src_host:60855 [lo=2680241336 high=2680307943 win=33304 modulator=0 wscale=1] [lo=3834753739 high=3834820347 win=33304 modulator=0 wscale=1] 9:9 S seq=2686921612 ack=3834753739 len=0 ackskew=0 pkts=9:8 dir=in,fwd
Jul 5 14:52:54 www1 kernel: pf: State failure on: 1 | 5
Jul 5 14:52:57 www1 kernel: pf: BAD state: TCP dest_host:443 dest_host:443 src_host:60855 [lo=2680241336 high=2680307943 win=33304 modulator=0 wscale=1] [lo=38
Jul 5 14:52:57 www1 kernel: 34753739 high=3834820347 win=33304 modulator=0 wscale=1] 9:9 S seq=2686921612 ack=3834753739 len=0 ackskew=0 pkts=9:8 dir=in,fwd
Jul 5 14:52:57 www1 kernel: pf: State failure on: 1 | 5
Jul 5 14:52:58 www1 kernel: pf: BAD state: TCP dest_host:443 dest_host:443 src_host:64766 [lo=3295466676 high=3295533283 win=33304 modulator=0 wscale=1] [lo=2237679877 high=2237746485 win=33304 modulator=0 wscale=1] 9:9 S seq=3303296462 ack=2237679877 len=0 ackskew=0 pkts=9:9 dir=in,fwd
Jul 5 14:52:58 www1 kernel: pf: State failure on: 1 | 5
Jul 5 14:53:00 www1 kernel: pf: BAD state: TCP dest_host:443 dest_host:443 src_host:60855 [lo=2680241336 high=2680307943 win=33304 modulator=0 wscale=1] [lo=3834753739 high=3834820347 win=33304 modulator=0 wscale=1] 9:9 S seq=2686921612 ack=3834753739 len=0 ackskew=0 pkts=9:8 dir=in,fwd
Jul 5 14:53:00 www1 kernel: pf: State failure on: 1 | 5
Jul 5 14:53:00 www1 kernel: pf: BAD state: TCP dest_host:443 dest_host:443 src_host:64766 [lo=3295466676 high=3295533283 win=33304 modulator=0 wscale=1
Jul 5 14:53:01 www1 kernel: ] [lo=2237679877 high=2237746485 win=33304 modulator=0 wscale=1] 9:9 S seq=3303296462 ack=2237679877 len=0 ackskew=0 pkts=9:9 dir=in,fwd
Jul 5 14:53:01 www1 kernel: pf: State failure on: 1 | 5
===============================

I noticed that if I hit my webserver with about 30 threads from a python load script, simply retrieving a web page through https, with a password, and a database call on the php page it hits, threads were 'hanging'. When I looked closer, I found that the connections were hanging, not the threads. So I disabled PF, the connections got dropped (otherwise they time out), and the python threads resumed their pace at downloading. 30 threads generate around 500 kilobytes per second in traffic from the dest host returning http data without PF on.

So when I managed to get PF to report the errors, I read many help topics that people have asked about, but none seemed to pertain exactly to me. The host doing the requesting is on the same subnet as the destination, so there shouldn't be any routers to go through. The requesting machine is 5.3 BSD, and the host with the PF problem is running 5.4-p3.

Could someone please help point out the error? I know that some sequence numbers don't match, but since PF is complaining, and taking PF out seems to not generate any timeouts, I'm curious if I can turn this type of watching off. Or, at least, understand where my packets are going south :)

Being as it's my first post, please be gentle, and I will attempt to respond with whatever information is needed.

Thanks
From: Daniel Hartmeier <dhartmei@insomnia.benzedrine.cx>
Date: Wed, 6 Jul 2005 10:59:39 +0200
To: R A
Cc: freebsd-pf@freebsd.org
Subject: Re: Bad State question

On Tue, Jul 05, 2005 at 02:59:47PM -0400, R A wrote:

> I've read through some of the pf.c, in order to attempt to figure out
> what the state failure | 5 was, since it wasn't a really helpful
> number, and the C code means very little to me, I'm still at a loss.
>
> At the end of this email, I do state what I hope to find out, or what
> I am asking for.
>
> First, the output from PF, complaining:
> =============================
> Jul 5 14:52:54 www1 kernel: pf: BAD state: TCP dest_host
> Jul 5 14:52:54 www1 kernel: :443 dest_host:443 src_host:60855
> [lo=2680241336 high=2680307943 win=33304 modulator=0 wscale=1]
> [lo=3834753739 high=3834820347 win=33304 modulator=0 wscale=1] 9:9 S
> seq=2686921612 ack=3834753739 len=0 ackskew=0 pkts=9:8 dir=in,fwd
> Jul 5 14:52:54 www1 kernel: pf: State failure on: 1 | 5

The digits correspond to the various sequence number comparisons pf does. Those checks that are ok are not printed; the digits you see (1 and 5) show the checks that failed.

    SEQ_GEQ(src->seqhi, end) ? ' ' : '1',
    SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ? ' ' : '5',

The end of the packet, that is the start of the packet (its th_seq, 2686921612) plus its length (len=0), is end=2686921612.

This is both higher than the upper limit of the window (src->seqhi) and higher than the upper limit plus fudge factor (src->seqhi + MAXACKWINDOW). This is why pf blocks it.

The "dir=in,fwd" means that the state entry was created for an incoming packet, and subsequently matched 9 incoming and 8 outgoing packets ("pkts=9:8").

The "9:9" means the state entry is in "FIN_WAIT_2:FIN_WAIT_2", i.e. it has seen a normal connection close or RST, and the state will time out in about 45s.

But the "S" means the packet being blocked has the SYN flag set, i.e. is part of a handshake for a new connection.

The client seems to be re-using its source port 60855 to establish a new connection to the server port 443, before waiting 2MSL (about 90s), which violates the TCP RFC.

Maybe it's not a new handshake, but a late arrival of a retransmission of the initial SYN, but then why is "seq=2686921612" (much higher than the initial sequence number)?

So, why would you see a SYN packet (with a too-high, but not completely different, th_seq), after the state has matched 9+8 packets already, and seems to have seen a connection shutdown?

Maybe you can tcpdump on the real interface and try to capture one entire connection up to the point where it stalls. For instance, limit the dumping to one particular source port number, or dump everything for a while, then grep the dump for one particular connection.

Daniel
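As an added example (not part of Daniel's reply and not pf's own code), the following script replays the two window checks he quotes on the "BAD state" line from this thread, comparing sequence numbers the way SEQ_GEQ does so that 32-bit wraparound is handled. It assumes MAXACKWINDOW is 0xffff + 1500 as in pf.c of that era, that the three printed endpoints follow pf_print_state()'s lan/gwy/ext order, and that the TCP state numbers are those of <netinet/tcp_fsm.h>; the in-window counterpart line is constructed.

```python
"""Replay pf's TCP sequence-window checks on 'pf: BAD state' log lines.

Added example for this thread, not pf's own code.  MAXACKWINDOW is the
value I recall from pf.c of that era (0xffff + 1500); verify it against
your source tree.  Only checks '1' and '5' quoted above are reproduced.
"""
import re

MAXACKWINDOW = 0xFFFF + 1500  # assumption: pf.c, "1500 is an arbitrary fudge factor"

# TCP FSM numbers from <netinet/tcp_fsm.h>; pf prints the pair as "src:dst".
TCP_STATES = {0: "CLOSED", 1: "LISTEN", 2: "SYN_SENT", 3: "SYN_RECEIVED",
              4: "ESTABLISHED", 5: "CLOSE_WAIT", 6: "FIN_WAIT_1", 7: "CLOSING",
              8: "LAST_ACK", 9: "FIN_WAIT_2", 10: "TIME_WAIT"}

# Endpoint order (lan, gwy, ext) is assumed to follow pf_print_state().
LINE_RE = re.compile(
    r"pf: BAD state: (?P<proto>\w+) (?P<lan>\S+) (?P<gwy>\S+) (?P<ext>\S+) "
    r"\[lo=(?P<src_lo>\d+) high=(?P<src_hi>\d+) win=(?P<src_win>\d+) "
    r"modulator=\d+ wscale=(?P<src_ws>\d+)\] "
    r"\[lo=(?P<dst_lo>\d+) high=(?P<dst_hi>\d+) win=(?P<dst_win>\d+) "
    r"modulator=\d+ wscale=(?P<dst_ws>\d+)\] "
    r"(?P<src_state>\d+):(?P<dst_state>\d+) (?P<flags>\S+) "
    r"seq=(?P<seq>\d+) ack=(?P<ack>\d+) len=(?P<len>\d+) "
    r"ackskew=(?P<ackskew>-?\d+) pkts=(?P<pkts_src>\d+):(?P<pkts_dst>\d+) "
    r"dir=(?P<dir>\S+)")


def seq_geq(a, b):
    """SEQ_GEQ(a, b) from tcp_seq.h: (int)(a - b) >= 0 in 32-bit arithmetic,
    so sequence numbers that wrapped past 2**32 still compare correctly."""
    return ((a - b) & 0xFFFFFFFF) < 0x80000000


def parse_bad_state(line):
    """Parse one 'pf: BAD state:' line (a syslog prefix may be present).
    Numeric fields become ints; any other log line yields None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {k: int(v) if v.lstrip("-").isdigit() else v
            for k, v in m.groupdict().items()}


def packet_end(rec):
    """End of the packet in sequence space as pf computes it: th_seq plus
    payload length, with SYN and FIN each consuming one sequence number."""
    end = rec["seq"] + rec["len"]
    if "S" in rec["flags"]:
        end += 1
    if "F" in rec["flags"]:
        end += 1
    return end & 0xFFFFFFFF


def failed_checks(rec):
    """Digits pf would print in 'State failure on:' for the two upper-window
    checks discussed in the thread; pf's other checks are not reproduced."""
    end = packet_end(rec)
    hi = rec["src_hi"]  # src->seqhi: highest sequence number pf still accepts
    failed = []
    if not seq_geq(hi, end):                 # '1': past the window
        failed.append("1")
    if not seq_geq(hi + MAXACKWINDOW, end):  # '5': past window plus fudge factor
        failed.append("5")
    return failed


def state_names(rec):
    """Symbolic names for the 'src:dst' state pair, e.g. 9:9 -> FIN_WAIT_2."""
    return (TCP_STATES.get(rec["src_state"], "?"),
            TCP_STATES.get(rec["dst_state"], "?"))


# The line quoted in the thread (host names sanitised as they were there).
SAMPLE_LINE = (
    "Jul 5 14:52:54 www1 kernel: pf: BAD state: TCP dest_host:443 dest_host:443 "
    "src_host:60855 [lo=2680241336 high=2680307943 win=33304 modulator=0 wscale=1] "
    "[lo=3834753739 high=3834820347 win=33304 modulator=0 wscale=1] 9:9 S "
    "seq=2686921612 ack=3834753739 len=0 ackskew=0 pkts=9:8 dir=in,fwd")

# Constructed counterpart: same state, but a plain ACK whose sequence number
# lies inside the accepted window, so neither check fails.
IN_WINDOW_LINE = SAMPLE_LINE.replace("9:9 S seq=2686921612", "9:9 A seq=2680241336")

if __name__ == "__main__":
    for line in (SAMPLE_LINE, IN_WINDOW_LINE):
        rec = parse_bad_state(line)
        src, dst = state_names(rec)
        print(src + ":" + dst, "end=%d" % packet_end(rec),
              "failed checks:", " ".join(failed_checks(rec)) or "none")
```

A sequence number that lands past src->seqhi but within MAXACKWINDOW of it fails only check 1, which is how the two digits tell a slightly stale packet from one that is far outside the window.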
From: Yar Tikhiy <yar@comp.chem.msu.su>
Date: Wed, 6 Jul 2005 17:07:25 +0400 (MSD)
To: alex-bsd
Cc: freebsd-pf@freebsd.org
Subject: Re: PF & BLOCK MP3 (AVI)

On Sun, Jul 03, 2005 at 09:50:48PM +0400, alex-bsd wrote:

> I am an adherent of BSD systems; in recent times I have passed from IPFW to using PF, having liked its other useful and interesting opportunities in a Firewall, more convenient syntax and many more.
> I wish to offer the PF developers to add new (IMHO very necessary and convenient) functionality!
> In iptables it is possible to block, by means of the Firewall, the uploading of files (.mp3, .avi and others), to limit access to porno resources and other undesirable traffic.
> It would be very desirable that PF also was able to do similar.
> At present, for blocking the uploading of "unnecessary" files I use Squid. Personally, I need Squid only for the solution of the problem described above.
> With pleasure I would refuse the use of Squid if this opportunity were realized in PF.

IMHO, filtering network traffic by bulk content is not a task for a packet filter. Indeed, many commercial firewall vendors offer content inspection in their products because customers want to buy it. However, implementing a similar feature in PF would increase PF's complexity greatly, thus affecting its robustness negatively. The Unix way is to build complex systems from simple, specialized components. Therefore one should use PF for TCP/IP filtering and an HTTP proxy, e.g., Squid, for HTTP filtering.

Besides, filtering HTTP objects by their filename or content type is a half measure. First, many web sites offering MP3 or AVI files also provide means to circumvent such filters if necessary. Second, I believe that the need to filter HTTP traffic is usually indicative of problems lying deeper, like too many people in the office having nothing to do but download porn ;-)

-- 
Yar
From: Scott Ullrich <sullrich@gmail.com>
Date: Wed, 6 Jul 2005 14:34:20 -0400
To: freebsd-pf@freebsd.org
Subject: IPSEC with CARP public IP's and Racoon

Greetings list!

I've been playing around with failover VPN and have run into some interesting results that I cannot honestly explain.

When trying to set up a failover VPN situation, we set up 2 public IPs with racoon listening on the carp IP, etc. This all works great and the tunnel gets established when I ping from one firewall to the other firewall's LAN IP. But for some reason, when pinging from clients behind the ipsec tunnel, the kernel seems to get confused and routes the traffic out even with the setkey policy in place.

Changing the public IPs to non-carp IPs fixes the problem and everything works perfectly.

So my question is, has anyone gotten this situation to work? I have recently ported sasyncd from open and would love to use it http://www.pfsense.com/downloads/other/sasyncd.tgz ... ;)

Here's some ASCII art of the setup: http://www.pfsense.com/failover-vpn.txt

Any pointers or questions would be greatly helpful to try and figure out why ipsec doesn't play well with CARP.

Thanks again in advance!

Scott
From: R A To: Daniel Hartmeier In-Reply-To: <20050706085939.GH6024@insomnia.benzedrine.cx> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <60bf53d705070511595889365@mail.gmail.com> <20050706085939.GH6024@insomnia.benzedrine.cx> Cc: freebsd-pf@freebsd.org Subject: Re: Bad State question X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: R A List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Jul 2005 03:29:51 -0000

Thanks for the great breakdown on the code. I think I may know what is going on, and it's quite possibly most of my fault. The box that hosts the DEST host in the connection is running on about 5 total IPs, when you said:

> So, why would you see a SYN packet (with a too-high, but not completely
> different, th_seq), after the state has matched 9+8 packets already, and
> seems to have seen a connection shutdown?

It ended up that the host's IP was in a NAT rule, but not the IP that is in the state failure I sent to the list. I had to sanitize the output a bit, from the sample I sent, but I think you'll get the picture. Once I changed that NAT entry to use another IP available on that machine, the state errors went away, and I was able to hit the IP not referenced at all by any rules, or masks in PF.conf at the same rates, just as if I had the problem and turned PF off. Easy fix it seems, but it took your comments to help me out. If you need more info because I -should- be able to do the aforementioned NAT rule without generating state errors, let me know. Thanks for taking what time you do put out there for PF to help me. I remember what life was like with IPfilter for many years, and I'm glad PF is on FreeBSD.
This was my -first- problem in over two years of using PF, and it didn't last long. Now I'm curious if it's a freebsd problem with how the box was using a different IP, but yet it seems maybe port values stay the same across IP range. tcpdump will be next, but I'm knee deep in something else right now. Thanks again, Robert

On 7/6/05, Daniel Hartmeier wrote:
> On Tue, Jul 05, 2005 at 02:59:47PM -0400, R A wrote:
>
> > I've read through some of the pf.c, in order to attempt to figure out
> > what the state failure | 5 was, since it wasn't a really helpful
> > number, and the C code means very little to me, I'm still at a loss.
> >
> > At the end of this email, I do state what I hope to find out, or what
> > I am asking for.
> >
> > First, the output from PF, complaining:
> > =============================
> > Jul 5 14:52:54 www1 kernel: pf: BAD state: TCP dest_host
> > Jul 5 14:52:54 www1 kernel: :443 dest_host:443 src_host:60855
> > [lo=2680241336 high=2680307943 win=33304 modulator=0 wscale=1]
> > [lo=3834753739 high=3834820347 win=33304 modulator=0 wscale=1] 9:9 S
> > seq=2686921612 ack=3834753739 len=0 ackskew=0 pkts=9:8 dir=in,fwd
> > Jul 5 14:52:54 www1 kernel: pf: State failure on: 1 | 5
>
> The digits correspond to the various sequence number comparisons pf
> does. Those checks that are ok are not printed, the digits you see (1
> and 5) show the checks that failed.
>
> SEQ_GEQ(src->seqhi, end) ? ' ' : '1',
> SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5',
>
> The end of the packet, that is the start of the packet (its th_seq,
> 2686921612) plus its length (len=0), is end=2686921612. This is both
> higher than the upper limit of the window (src->seqhi) and higher than
> the upper limit plus fudge factor (src->seqhi + MAXACKWINDOW). This is
> why pf blocks it.
>
> The "dir=in,fwd" means that the state entry was created for an
> incoming packet, and subsequently matched 9 incoming and 8 outgoing
> packets ("pkts=9:8"). The "9:9" means the state entry is in
> "FIN_WAIT_2:FIN_WAIT_2", i.e. it has seen a normal connection close or
> RST, and the state will timeout in about 45s.
>
> But the "S" means the packet being blocked has the SYN flag set, i.e. is
> part of a handshake for a new connection. The client seems to be
> re-using its source port 60855 to establish a new connection to the
> server port 443, before waiting 2MSL (about 90s), which violates the TCP
> RFC.
>
> Maybe it's not a new handshake, but a late arrival of a retransmission
> of the initial SYN, but then why is "seq=2686921612" (much higher than
> the initial sequence number)?
>
> So, why would you see a SYN packet (with a too-high, but not completely
> different, th_seq), after the state has matched 9+8 packets already, and
> seems to have seen a connection shutdown?
>
> Maybe you can tcpdump on the real interface and try to capture one
> entire connection up to the point where it stalls. For instance, limit
> the dumping to one particular source port number, or dump everything for
> a while, then grep the dump for one particular connection.
>
> Daniel
>

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 7 06:55:20 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E925E16A41C for ; Thu, 7 Jul 2005 06:55:20 +0000 (GMT) (envelope-from maack@vittig.dk) Received: from mail.galnet.dk (mail.galnet.dk [192.38.163.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9C20643D55 for ; Thu, 7 Jul 2005 06:55:19 +0000 (GMT) (envelope-from maack@vittig.dk) Received: from localhost (localhost [127.0.0.1]) by mail.galnet.dk (Postfix) with ESMTP id 7F82EB897 for ; Thu, 7 Jul 2005 08:55:18 +0200 (CEST) Received: from mail.galnet.dk ([127.0.0.1]) by localhost (mail.galnet.dk [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 90220-19 for ; Thu, 7 Jul 2005 08:55:17 +0200 (CEST) Received: from [127.0.0.1] (unknown [85.218.161.209]) by mail.galnet.dk (Postfix) with ESMTP id B6AECB836 for ; Thu, 7 Jul 2005 08:55:17 +0200 (CEST) Date: Thu, 07 Jul 2005 08:55:18 +0200
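Daniel's explanation of the "State failure on: 1 | 5" digits in the thread above can be replayed offline. The following is an added example (not code from the thread and not pf's own code): it parses the sanitised BAD state line R A posted and re-runs the two SEQ_GEQ comparisons Daniel quotes. The value of MAXACKWINDOW (0xffff + 1500) and the ackskew formula (dst->seqlo - ack) are recalled from pf.c and are assumptions here, not something the thread states.

```c
/* Added example, not from the thread or from pf: replay pf's sequence-window
 * checks 1 and 5 on a "BAD state" log line and reproduce the "1 | 5" verdict. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modular comparison on the 32-bit TCP sequence space (BSD tcp_seq.h). */
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

/* Assumption: pf.c defines MAXACKWINDOW as 0xffff plus a 1500-byte fudge. */
#define MAXACKWINDOW (0xffff + 1500)

struct pf_window {
    uint32_t seqlo;     /* "lo=": lowest sequence number still acceptable */
    uint32_t seqhi;     /* "high=": upper edge of the window */
};

struct bad_state {
    struct pf_window src;   /* first [lo= high=] block: the packet's sender */
    struct pf_window dst;   /* second block: the peer */
    uint32_t seq;           /* th_seq of the blocked packet */
    uint32_t ack;           /* th_ack of the blocked packet */
    uint32_t len;           /* payload length */
};

/* Constructed from the values R A posted, joined into the single line that
 * syslog writes just before the "State failure on:" line. */
static const char BAD_STATE_LINE[] =
    "pf: BAD state: TCP dest_host:443 dest_host:443 src_host:60855 "
    "[lo=2680241336 high=2680307943 win=33304 modulator=0 wscale=1] "
    "[lo=3834753739 high=3834820347 win=33304 modulator=0 wscale=1] 9:9 S "
    "seq=2686921612 ack=3834753739 len=0 ackskew=0 pkts=9:8 dir=in,fwd";

/* Pull both windows and the packet fields out of a BAD state line.
 * Returns 0 on success, -1 if the line does not have the expected shape. */
int parse_bad_state(const char *line, struct bad_state *bs)
{
    unsigned lo, hi, win, mod, ws, seq, ack, len;
    const char *p = strstr(line, "[lo=");

    if (p == NULL || sscanf(p, "[lo=%u high=%u win=%u modulator=%u wscale=%u]",
                            &lo, &hi, &win, &mod, &ws) != 5)
        return -1;
    bs->src.seqlo = lo;
    bs->src.seqhi = hi;

    p = strstr(p + 1, "[lo=");
    if (p == NULL || sscanf(p, "[lo=%u high=%u", &lo, &hi) != 2)
        return -1;
    bs->dst.seqlo = lo;
    bs->dst.seqhi = hi;

    p = strstr(p, " seq=");
    if (p == NULL || sscanf(p, " seq=%u ack=%u len=%u", &seq, &ack, &len) != 3)
        return -1;
    bs->seq = seq;
    bs->ack = ack;
    bs->len = len;
    return 0;
}

/* ackskew as the log prints it (assumed formula: dst->seqlo - ack);
 * 0 means the packet's ACK matches the peer's window start exactly. */
int32_t ack_skew(const struct bad_state *bs)
{
    return (int32_t)(bs->dst.seqlo - bs->ack);
}

/* Run checks 1 and 5 and write the failing digits into out ("15", "1" or
 * ""), the way the "State failure on:" line prints them. out needs 3 bytes. */
void state_failure_digits(const struct bad_state *bs, char *out)
{
    uint32_t end = bs->seq + bs->len;     /* last octet, as Daniel computes it */
    int n = 0;

    if (!SEQ_GEQ(bs->src.seqhi, end))                 /* 1: beyond seqhi */
        out[n++] = '1';
    if (!SEQ_GEQ(bs->src.seqhi + MAXACKWINDOW, end))  /* 5: beyond seqhi + fudge */
        out[n++] = '5';
    out[n] = '\0';
}

int main(void)
{
    struct bad_state bs;
    char digits[3];

    if (parse_bad_state(BAD_STATE_LINE, &bs) != 0) {
        fprintf(stderr, "could not parse BAD state line\n");
        return 1;
    }
    state_failure_digits(&bs, digits);
    printf("end=%u seqhi=%u overshoot=%u ackskew=%d -> failing checks: %s\n",
           (unsigned)(bs.seq + bs.len), (unsigned)bs.src.seqhi,
           (unsigned)(bs.seq + bs.len - bs.src.seqhi), (int)ack_skew(&bs), digits);
    return 0;
}
```

The overshoot printed (about 6.6 million sequence numbers past seqhi) is far more than the fudge factor, which is why both digits appear rather than just "1".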
From: Thomas Maack Nielsen To: freebsd-pf@freebsd.org Message-Id: <20050707084850.E93D.MAACK@vittig.dk> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Mailer: Becky! ver. 2.20.04 [en] X-Virus-Scanned: by galnet.dk Subject: freebsd 5.4 with pf nat and voip X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Jul 2005 06:55:21 -0000

I have the following setup: FreeBSD 5.4 with pf enabled. pf works as the firewall and does the NAT too. On the NAT side I got 2 x PCs and 2 x Grandstream 286 VoIP adaptors. My NAT rule is the following:

nat pass on $extern from $intern:network to any -> $extern

This works fine for my PCs, but not for my Grandstreams; they are set up to use a STUN server for easy configuration, but they tell me that I am using symmetric NAT type, and for symmetric NAT a STUN server doesn't work. Is it possible to change the NAT type to any other than symmetric NAT? Or is it the STUN server detecting wrong?
Regards, Thomas Maack Nielsen From owner-freebsd-pf@FreeBSD.ORG Thu Jul 7 09:16:07 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8DB3916A41C for ; Thu, 7 Jul 2005 09:16:07 +0000 (GMT) (envelope-from bastien.rozenzwejg@enstimac.fr) Received: from etoile.enstimac.fr (etoile.enstimac.fr [194.167.200.252]) by mx1.FreeBSD.org (Postfix) with ESMTP id E960B43D45 for ; Thu, 7 Jul 2005 09:16:03 +0000 (GMT) (envelope-from bastien.rozenzwejg@enstimac.fr) Received: from [194.167.200.247] (i2727 [194.167.200.247]) by etoile.enstimac.fr (8.13.4/8.13.4) with ESMTP id j679Fxuh012018 for ; Thu, 7 Jul 2005 11:15:59 +0200 (MEST) Message-ID: <42CCF2CF.8030507@enstimac.fr> Date: Thu, 07 Jul 2005 11:15:59 +0200 
From: Rozen User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.6) Gecko/20050414 X-Accept-Language: fr-fr, en-us, en MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: <200505191206.14685.eugene@imedia.ru> <20050519145410.GC20705@insomnia.benzedrine.cx> In-Reply-To: <20050519145410.GC20705@insomnia.benzedrine.cx> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-EMAC-MailScanner-Information: Please contact the ISP for more information X-EMAC-MailScanner: Found to be clean X-EMAC-MailScanner-From: bastien.rozenzwejg@enstimac.fr Subject: AuthPF & OpenLDAP X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: bastien.rozenzwejg@enstimac.fr List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Jul 2005 09:16:07 -0000

I have some little questions. Is it possible to use AuthPF with OpenLDAP? I want to use the actual LDAP DB to authenticate users and give them the authpf shell. The goal is only to give Internet to allowed users. Now, the users can authenticate themselves but they get the tcsh shell, whereas the authpf shell is defined in the LDAP DB. Thanks in advance for answers.
Bastien R From owner-freebsd-pf@FreeBSD.ORG Thu Jul 7 13:03:08 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7341216A41F for ; Thu, 7 Jul 2005 13:03:08 +0000 (GMT) (envelope-from jmelo@freebsdbrasil.com.br) Received: from capeta.freebsdbrasil.com.br (vrrp.freebsdbrasil.com.br [200.210.70.30]) by mx1.FreeBSD.org (Postfix) with SMTP id 8A8D643D4C for ; Thu, 7 Jul 2005 13:03:06 +0000 (GMT) (envelope-from jmelo@freebsdbrasil.com.br) Received: (qmail 48726 invoked by uid 0); 7 Jul 2005 10:03:05 -0300 Received: from jmelo@freebsdbrasil.com.br by capeta.freebsdbrasil.com.br by uid 82 with qmail-scanner-1.22 (uvscan: v4.3.20/v4529. spamassassin: 2.64. Clear:RC:1(201.17.165.147):. Processed in 0.415182 secs); 07 Jul 2005 13:03:05 -0000 Received: from unknown (HELO ?10.69.69.2?) (201.17.165.147) by capeta.freebsdbrasil.com.br with SMTP; 7 Jul 2005 10:03:04 -0300 Message-ID: <42CD2829.4020007@freebsdbrasil.com.br> Date: Thu, 07 Jul 2005 10:03:37 -0300 
From: Jean Milanez Melo User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050614) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: freebsd 5.4 with pf nat and voip X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Jul 2005 13:03:08 -0000

Thomas Maack Nielsen wrote:
> I have the following setup:
>
> FreeBSD 5.4 with pf enabled.
>
> pf works as the firewall and does the NAT too.
>
> On the NAT side I got 2 x PCs and 2 x Grandstream 286 VoIP adaptors.
>
> My NAT rule is the following:
>
> nat pass on $extern from $intern:network to any -> $extern
>
> This works fine for my PCs, but not for my Grandstreams; they are set up
> to use a STUN server for easy configuration, but they tell me that I am
> using symmetric NAT type, and for symmetric NAT a STUN server doesn't
> work. Is it possible to change the NAT type to any other than symmetric NAT?
> Or is it the STUN server detecting wrong?
>
> Regards,
>
> Thomas Maack Nielsen
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

Thomas,

What protocols are you using in the Grandstreams? SIP? If it is SIP, try to configure redirect ports like this:

rdr on $ife proto tcp from any to any port 5060 -> $Grandstream_IP port 5060
rdr on $ife proto udp from any to any port 5060 -> $Grandstream_IP port 5060

I hope it can help you.

--
Regards
Jean Milanez Melo
FreeBSD Brasil LTDA.
Phone: (31) 3281-9633 http://www.freebsdbrasil.com.br From owner-freebsd-pf@FreeBSD.ORG Thu Jul 7 18:17:36 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DC8BE16A41C for ; Thu, 7 Jul 2005 18:17:36 +0000 (GMT) (envelope-from michael@weiser.dinsnail.net) Received: from heinz.dinsnail.net (p15110767.pureserver.info [217.160.166.159]) by mx1.FreeBSD.org (Postfix) with ESMTP id 50A3A43D45 for ; Thu, 7 Jul 2005 18:17:36 +0000 (GMT) (envelope-from michael@weiser.dinsnail.net) Received: from heinz.dinsnail.net (heinz.dinsnail.net [127.0.0.1]) by heinz.dinsnail.net (8.13.4/8.13.4) with ESMTP id j67IHQ5A025035 for ; Thu, 7 Jul 2005 20:17:26 +0200 Received: from khazad-dum.weiser.dinsnail.net (uucp@localhost) by heinz.dinsnail.net (8.13.4/8.13.4/Submit) with bsmtp id j67IHQTd025034 for freebsd-pf@freebsd.org; Thu, 7 Jul 2005 20:17:26 +0200 Received: from khazad-dum.weiser.dinsnail.net (localhost [127.0.0.1]) by khazad-dum.weiser.dinsnail.net (8.13.4/8.13.4) with ESMTP id j67IGK6h062066 for ; Thu, 7 Jul 2005 20:16:20 +0200 (CEST) (envelope-from michael@khazad-dum.weiser.dinsnail.net) Received: (from michael@localhost) by khazad-dum.weiser.dinsnail.net (8.13.4/8.13.4/Submit) id j67IGKLD062065 for freebsd-pf@freebsd.org; Thu, 7 Jul 2005 20:16:20 +0200 (CEST) (envelope-from michael) Date: Thu, 7 Jul 2005 20:16:20 +0200
From: Michael Weiser To: freebsd-pf@freebsd.org Message-ID: <20050707181620.GA57981@weiser.dinsnail.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.2.1i X-MailScanner: Found to be clean X-MailScanner-From: michael@weiser.dinsnail.net Subject: pftpx rules not showing in pfctl X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Jul 2005 18:17:37 -0000

Hello, this may sound ridiculous but I've actually managed to set up pftpx and now can't seem to figure out why it works. :) I've compiled pftpx on my FreeBSD-CURRENT box with some minor tweaking because of missing stnvis. I added the required rules to my pf.conf:

nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"
rdr on $intif inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021

and

anchor "pftpx/*" on $dslif
pass out quick on $dslif inet proto tcp from $dslif port $unpriv to any port = ftp modulate state (no-sync) flags S/SA label $dslif-out-ftp

$dslif is xl0 for me. It's present on the anchor because I also have a $pppif tun0 which is used occasionally and rules for it are defined further down the filter list. Anyway. I fired up pftpx -d -D 7 and lo, everything works nicely. Then I went and said 'pfctl -a pftpx -s r' whilst running an ftp download. No matter what I do, it says the rule list is empty. When running it with '-s a' I see that there are entries for the ftp connections in the state table, but still no rules. Is it supposed to behave that way or should I be seeing some rule entries?
Thanks in advance, -- bye, Michael From owner-freebsd-pf@FreeBSD.ORG Thu Jul 7 18:25:50 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 15D2116A41C for ; Thu, 7 Jul 2005 18:25:50 +0000 (GMT) (envelope-from sullrich@gmail.com) Received: from rproxy.gmail.com (rproxy.gmail.com [64.233.170.206]) by mx1.FreeBSD.org (Postfix) with ESMTP id A67DF43D48 for ; Thu, 7 Jul 2005 18:25:49 +0000 (GMT) (envelope-from sullrich@gmail.com) Received: by rproxy.gmail.com with SMTP id c16so220782rne for ; Thu, 07 Jul 2005 11:25:49 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=FN/yrpqrPUdpHz+3I/fqFfHoAML83vkYHKzfM99HTbh+wMgI2q0koToN/bcr+1nZyG4BxRdbQI0MD+YwyoM4uBXRAQ8Wz7EXLsAbuoy8q/0YMfwcAi2WEo3tje6DuK+wy7UMGDLj/nI44hRbbof07ON4jJ1kaKy7OJSUyRz3olI= Received: by 10.38.149.76 with SMTP id w76mr768979rnd; Thu, 07 Jul 2005 11:25:49 -0700 (PDT) Received: by 10.38.207.79 with HTTP; Thu, 7 Jul 2005 11:25:49 -0700 (PDT) Message-ID: Date: Thu, 7 Jul 2005 14:25:49 -0400 
From: Scott Ullrich To: Michael Weiser In-Reply-To: <20050707181620.GA57981@weiser.dinsnail.net> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <20050707181620.GA57981@weiser.dinsnail.net> Cc: freebsd-pf@freebsd.org Subject: Re: pftpx rules not showing in pfctl X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Scott Ullrich List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Jul 2005 18:25:50 -0000

On 7/7/05, Michael Weiser wrote:
> Hello,
>
> this may sound ridiculous but I've actually managed to set up pftpx and
> now can't seem to figure out why it works. :)
>
> I've compiled pftpx on my FreeBSD-CURRENT box with some minor tweaking
> because of missing stnvis. I added the required rules to my pf.conf:
>
> nat-anchor "pftpx/*"
> rdr-anchor "pftpx/*"
> rdr on $intif inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021
>
> and
>
> anchor "pftpx/*" on $dslif
> pass out quick on $dslif inet proto tcp from $dslif port $unpriv to any port = ftp modulate state (no-sync) flags S/SA label $dslif-out-ftp
>
> $dslif is xl0 for me. It's present on the anchor because I also have a
> $pppif tun0 which is used occasionally and rules for it are defined
> further down the filter list.
>
> Anyway. I fired up pftpx -d -D 7 and lo, everything works nicely.
>
> Then I went and said 'pfctl -a pftpx -s r' whilst running an ftp
> download. No matter what I do, it says the rule list is empty. When
> running it with '-s a' I see that there are entries for the ftp
> connections in the state table, but still no rules.
>
> Is it supposed to behave that way or should I be seeing some rule
> entries?
First do this: pfctl -sA -v | grep pftpx

# pfctl -sA -v | grep pftpx
pftpx
pftpx/419.1

Then do a:

# pfctl -v -a pftpx/419.1 -sr
pass in log quick inet proto tcp from 204.152.184.73 to 10.0.0.69 port = commplex-link flags S/FSRA keep state (max 1)
[ Evaluations: 1071 Packets: 8 Bytes: 501 States: 0 ]
pass out log quick inet proto tcp from 204.152.184.73 to 10.0.0.69 port = commplex-link flags S/FSRA keep state (max 1)
[ Evaluations: 286 Packets: 8 Bytes: 501 States: 0 ]

This will show your rules. ;)

Regards, Scott

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 7 18:32:40 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3815416A41F for ; Thu, 7 Jul 2005 18:32:40 +0000 (GMT) (envelope-from michael@weiser.dinsnail.net) Received: from heinz.dinsnail.net (p15110767.pureserver.info [217.160.166.159]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8ADC443D46 for ; Thu, 7 Jul 2005 18:32:39 +0000 (GMT) (envelope-from michael@weiser.dinsnail.net) Received: from heinz.dinsnail.net (heinz.dinsnail.net [127.0.0.1]) by heinz.dinsnail.net (8.13.4/8.13.4) with ESMTP id j67IWQh6025418 for ; Thu, 7 Jul 2005 20:32:26 +0200 Received: from khazad-dum.weiser.dinsnail.net (uucp@localhost) by heinz.dinsnail.net (8.13.4/8.13.4/Submit) with bsmtp id j67IWQnh025417 for freebsd-pf@freebsd.org; Thu, 7 Jul 2005 20:32:26 +0200 Received: from khazad-dum.weiser.dinsnail.net (localhost [127.0.0.1]) by khazad-dum.weiser.dinsnail.net (8.13.4/8.13.4) with ESMTP id j67IKNca062928 for ; Thu, 7 Jul 2005 20:20:23 +0200 (CEST) (envelope-from michael@khazad-dum.weiser.dinsnail.net) Received: (from michael@localhost) by khazad-dum.weiser.dinsnail.net (8.13.4/8.13.4/Submit) id j67IKNDi062923 for freebsd-pf@freebsd.org; Thu, 7 Jul 2005 20:20:23 +0200 (CEST) (envelope-from michael) Date: Thu, 7 Jul 2005 20:20:23 +0200
From: Michael Weiser To: freebsd-pf@freebsd.org Message-ID: <20050707182023.GB57981@weiser.dinsnail.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.2.1i X-MailScanner: Found to be clean X-MailScanner-From: michael@weiser.dinsnail.net Subject: ftp connections not working from firewall box X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Jul 2005 18:32:40 -0000 Hi again, another problem with my new pftpx setup is that because of rdr on xl0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021 only connections coming in via the internal interface get redirected to pftpx. Due to that FTP connections originating on the machine itself don't work because they leave directly via the external interface so that pftpx doesn't see them to add the proper firewall rules. Is there a workaround or proper solution for this (possibly including a rant about my braindamage ;) ? 
-- bye, Micha From owner-freebsd-pf@FreeBSD.ORG Thu Jul 7 18:37:26 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 72A0916A41C for ; Thu, 7 Jul 2005 18:37:26 +0000 (GMT) (envelope-from sullrich@gmail.com) Received: from rproxy.gmail.com (rproxy.gmail.com [64.233.170.197]) by mx1.FreeBSD.org (Postfix) with ESMTP id 059A343D58 for ; Thu, 7 Jul 2005 18:37:25 +0000 (GMT) (envelope-from sullrich@gmail.com) Received: by rproxy.gmail.com with SMTP id a41so224217rng for ; Thu, 07 Jul 2005 11:37:25 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=TDPGXFNmj7Se2suV8bGVsc0+IcVk4KJyI5SYgg/8DDpKHnUNtc7K4oJl4Q8PhONTOcgvPa9kKaTBffhEuZmY7afwBuztdBEWgd1STnBr+T87QcaDmbZBzKe8GV0c+B6g1IVXFyVgxpyVRudatkQOH4q2UIDlTLsVV2BovnVB4pU= Received: by 10.38.151.27 with SMTP id y27mr1073837rnd; Thu, 07 Jul 2005 11:37:25 -0700 (PDT) Received: by 10.38.207.79 with HTTP; Thu, 7 Jul 2005 11:37:25 -0700 (PDT) Message-ID: Date: Thu, 7 Jul 2005 14:37:25 -0400 
From: Scott Ullrich To: Michael Weiser In-Reply-To: <20050707182023.GB57981@weiser.dinsnail.net> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <20050707182023.GB57981@weiser.dinsnail.net> Cc: freebsd-pf@freebsd.org Subject: Re: ftp connections not working from firewall box X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Scott Ullrich List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Jul 2005 18:37:26 -0000

On 7/7/05, Michael Weiser wrote:
> Hi again,
>
> another problem with my new pftpx setup is that because of
>
> rdr on xl0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
>
> only connections coming in via the internal interface get redirected to
> pftpx. Due to that FTP connections originating on the machine itself
> don't work because they leave directly via the external interface so that
> pftpx doesn't see them to add the proper firewall rules.
>
> Is there a workaround or proper solution for this (possibly including a
> rant about my braindamage ;) ?
If you default to deny on the WAN what happens if you change the rdr statement to:

rdr inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021

Scott

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 7 19:47:36 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6EF3616A41C for ; Thu, 7 Jul 2005 19:47:36 +0000 (GMT) (envelope-from michael@weiser.dinsnail.net) Received: from heinz.dinsnail.net (p15110767.pureserver.info [217.160.166.159]) by mx1.FreeBSD.org (Postfix) with ESMTP id 516B243D73 for ; Thu, 7 Jul 2005 19:47:32 +0000 (GMT) (envelope-from michael@weiser.dinsnail.net) Received: from heinz.dinsnail.net (heinz.dinsnail.net [127.0.0.1]) by heinz.dinsnail.net (8.13.4/8.13.4) with ESMTP id j67JlQjG027275; Thu, 7 Jul 2005 21:47:26 +0200 Received: from khazad-dum.weiser.dinsnail.net (uucp@localhost) by heinz.dinsnail.net (8.13.4/8.13.4/Submit) with bsmtp id j67JlQkG027274; Thu, 7 Jul 2005 21:47:26 +0200 Received: from khazad-dum.weiser.dinsnail.net (localhost [127.0.0.1]) by khazad-dum.weiser.dinsnail.net (8.13.4/8.13.4) with ESMTP id j67JZJuh002260; Thu, 7 Jul 2005 21:35:19 +0200 (CEST) (envelope-from michael@khazad-dum.weiser.dinsnail.net) Received: (from michael@localhost) by khazad-dum.weiser.dinsnail.net (8.13.4/8.13.4/Submit) id j67JZJw3002255; Thu, 7 Jul 2005 21:35:19 +0200 (CEST) (envelope-from michael) Date: Thu, 7 Jul 2005 21:35:19 +0200
From: Michael Weiser To: Scott Ullrich Message-ID: <20050707193519.GC57981@weiser.dinsnail.net> References: <20050707181620.GA57981@weiser.dinsnail.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.1i X-MailScanner: Found to be clean X-MailScanner-From: michael@weiser.dinsnail.net Cc: freebsd-pf@freebsd.org Subject: Re: pftpx rules not showing in pfctl X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Jul 2005 19:47:36 -0000 On Thu, Jul 07, 2005 at 02:25:49PM -0400, Scott Ullrich wrote: > > Is it supposed to behave that way or should I be seeing some rule > > entries? > First do this: > # pfctl -sA -v | grep pftpx > pftpx > pftpx/419.1 > Then do a: > # pfctl -v -a pftpx/419.1 -sr > This will show your rules. ;) As usual the error sits in front of the computer. ;) Thanks for the lightning response - it works like a charm and shows lots of rules. -- bye, Michael I like Kaba! 
From owner-freebsd-pf@FreeBSD.ORG Thu Jul 7 19:47:41 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8385B16A41C for ; Thu, 7 Jul 2005 19:47:41 +0000 (GMT) (envelope-from michael@weiser.dinsnail.net) Received: from heinz.dinsnail.net (p15110767.pureserver.info [217.160.166.159]) by mx1.FreeBSD.org (Postfix) with ESMTP id 35FE843D5F for ; Thu, 7 Jul 2005 19:47:35 +0000 (GMT) (envelope-from michael@weiser.dinsnail.net) Received: from heinz.dinsnail.net (heinz.dinsnail.net [127.0.0.1]) by heinz.dinsnail.net (8.13.4/8.13.4) with ESMTP id j67JlRlP027277; Thu, 7 Jul 2005 21:47:27 +0200 Received: from khazad-dum.weiser.dinsnail.net (uucp@localhost) by heinz.dinsnail.net (8.13.4/8.13.4/Submit) with bsmtp id j67JlRVt027276; Thu, 7 Jul 2005 21:47:27 +0200 Received: from khazad-dum.weiser.dinsnail.net (localhost [127.0.0.1]) by khazad-dum.weiser.dinsnail.net (8.13.4/8.13.4) with ESMTP id j67JibNf002466; Thu, 7 Jul 2005 21:44:37 +0200 (CEST) (envelope-from michael@khazad-dum.weiser.dinsnail.net) Received: (from michael@localhost) by khazad-dum.weiser.dinsnail.net (8.13.4/8.13.4/Submit) id j67JibaR002465; Thu, 7 Jul 2005 21:44:37 +0200 (CEST) (envelope-from michael) Date: Thu, 7 Jul 2005 21:44:36 +0200 
From: Michael Weiser To: Scott Ullrich Message-ID: <20050707194436.GD57981@weiser.dinsnail.net> References: <20050707182023.GB57981@weiser.dinsnail.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.1i X-MailScanner: Found to be clean X-MailScanner-From: michael@weiser.dinsnail.net Cc: freebsd-pf@freebsd.org Subject: Re: ftp connections not working from firewall box X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Jul 2005 19:47:41 -0000

On Thu, Jul 07, 2005 at 02:37:25PM -0400, Scott Ullrich wrote:
> > another problem with my new pftpx setup is that because of
> >
> > rdr on xl0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
> >
> > only connections coming in via the internal interface get redirected to
> > pftpx. Due to that FTP connections originating on the machine itself
> > don't work because they leave directly via the external interface so that
> > pftpx doesn't see them to add the proper firewall rules.
> >
> > Is there a workaround or proper solution for this (possibly including a
> > rant about my braindamage ;) ?
> If you default to deny on the WAN what happens if you change the rdr
> statement to:
> rdr inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021

No change. My understanding is that rdr only works for incoming packets. This would explain why the above doesn't work. Because packets originating on the local machine directly go out via xl1 they are not picked up by rdr because they're outgoing already, not incoming. Is that understanding correct or am I missing something?
One possible workaround might be to have applications that support it use the IP of the internal interface as source address so that the packets appear as incoming on that interface and get redirected to xpftp. But squid for example doesn't support it and when I tried with wget --bind-address just now it didn't work. -- bye, Micha From owner-freebsd-pf@FreeBSD.ORG Thu Jul 7 20:11:44 2005 Return-Path: X-Original-To: freebsd-pf@hub.freebsd.org Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8D15916A41F; Thu, 7 Jul 2005 20:11:44 +0000 (GMT) (envelope-from mlaier@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5569643D48; Thu, 7 Jul 2005 20:11:44 +0000 (GMT) (envelope-from mlaier@FreeBSD.org) Received: from freefall.freebsd.org (mlaier@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j67KBiqL033836; Thu, 7 Jul 2005 20:11:44 GMT (envelope-from mlaier@freefall.freebsd.org) Received: (from mlaier@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j67KBhZZ033832; Thu, 7 Jul 2005 20:11:43 GMT (envelope-from mlaier) Date: Thu, 7 Jul 2005 20:11:43 GMT 
From: Max Laier Message-Id: <200507072011.j67KBhZZ033832@freefall.freebsd.org> To: xdivac02@stud.fit.vutbr.cz, mlaier@FreeBSD.org, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org Cc: Subject: Re: kern/80627: pf_test6: kif == NULL ... X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Jul 2005 20:11:44 -0000 Synopsis: pf_test6: kif == NULL ... State-Changed-From-To: open->feedback State-Changed-By: mlaier State-Changed-When: Thu Jul 7 20:10:19 GMT 2005 State-Changed-Why: Patch available for testing. Responsible-Changed-From-To: mlaier->freebsd-pf Responsible-Changed-By: mlaier Responsible-Changed-When: Thu Jul 7 20:10:19 GMT 2005 Responsible-Changed-Why: Over to freebsd-pf for evaluation. http://www.freebsd.org/cgi/query-pr.cgi?pr=80627 From owner-freebsd-pf@FreeBSD.ORG Thu Jul 7 21:11:01 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 741D616A41C for ; Thu, 7 Jul 2005 21:11:01 +0000 (GMT) (envelope-from marco+freebsd-pf@lordsith.net) Received: from maul.lordsith.net (maul.lordsith.net [82.169.114.191]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1CE1643D49 for ; Thu, 7 Jul 2005 21:11:00 +0000 (GMT) (envelope-from marco+freebsd-pf@lordsith.net) Received: by maul.lordsith.net (Postfix, from userid 1001) id A5D18B940; Thu, 7 Jul 2005 23:08:15 +0200 (CEST) Date: Thu, 7 Jul 2005 23:08:15 +0200 
From: Marco van Lienen
To: freebsd-pf
Message-ID: <20050707210815.GB6875@lordsith.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-ripemd160; protocol="application/pgp-signature"; boundary="6sX45UoQRIJXqkqR"
Content-Disposition: inline
Organization: LordSith.Net
X-Operating-System: FreeBSD 6.0-CURRENT
X-FreeBSD: RULEZ Them All
X-GPG-Fingerprint: A025 D8AA AC1B D2FC 380D 4FC1 8EA0 0BA8 8580 E6CB
X-GPG-Key: http://lordsith.net/gpgkey
X-Uptime: 11:05PM up 7 days, 6:25, 4 users, load averages: 0.46, 0.52, 0.33
User-Agent: mutt-ng devel (FreeBSD)
Subject: OpenBSD 3.7 pf codebase?
Reply-To: Marco van Lienen
X-List-Received-Date: Thu, 07 Jul 2005 21:11:01 -0000

--6sX45UoQRIJXqkqR
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Will the OpenBSD 3.7 pf codebase (existing in -CURRENT) be MFC'ed to RELENG_5(_4) any time soon?

TIA

Regards.
Marco

--
WINDOWS: "Where do you want to go today?"
LINUX: "Where do you want to go tomorrow?"
BSD: "Are you guys coming or what?"
--6sX45UoQRIJXqkqR
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCzZm/jqALqIWA5ssRA9HuAJ9a8P3rjiVbJH+PoI7qcI6b9VVezgCfclit
iRnJAKTb/eClGS+9w7g7JkU=
=u+sB
-----END PGP SIGNATURE-----

--6sX45UoQRIJXqkqR--

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 7 21:13:00 2005
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D29C416A41C for ; Thu, 7 Jul 2005 21:13:00 +0000 (GMT) (envelope-from tyler@tamu.edu)
Received: from smtp-relay.tamu.edu (smtp-relay.tamu.edu [165.91.143.199]) by mx1.FreeBSD.org (Postfix) with ESMTP id 89DD543D45 for ; Thu, 7 Jul 2005 21:13:00 +0000 (GMT) (envelope-from tyler@tamu.edu)
Received: from [165.91.46.121] (tamulink-0121.vpn.tamu.edu [165.91.46.121]) by smtp-relay.tamu.edu (8.13.3/8.13.3) with ESMTP id j67LCuJd078260 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NO); Thu, 7 Jul 2005 16:12:57 -0500 (CDT) (envelope-from tyler@tamu.edu)
In-Reply-To: <20050707210815.GB6875@lordsith.net>
References: <20050707210815.GB6875@lordsith.net>
Mime-Version: 1.0 (Apple Message framework v730)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <1AEFDEC6-D88C-49B2-87C9-EEA42E2722A2@tamu.edu>
Content-Transfer-Encoding: 7bit
From: "R. Tyler Ballance"
Date: Thu, 7 Jul 2005 16:12:54 -0500
To: Marco van Lienen
X-Mailer: Apple Mail (2.730)
Received-SPF: none (smtp-relay.tamu.edu: domain of tyler@tamu.edu does not designate permitted sender hosts)
Cc: freebsd-pf
Subject: Re: OpenBSD 3.7 pf codebase?
X-List-Received-Date: Thu, 07 Jul 2005 21:13:00 -0000

It will never be MFC'ed to RELENG_5 because of the amount of API changes behind the scenes. OPENBSD_3_7 changes a lot of the backend stuff to packet filter, so it's a no-no in -STABLE :-/

-R, Tyler Ballance

On Jul 7, 2005, at 4:08 PM, Marco van Lienen wrote:

> Will the OpenBSD 3.7 pf codebase (existing in -CURRENT) be MFC'ed to
> RELENG_5(_4) any time soon?
>
> TIA
>
> Regards.
> Marco
>
> --
>
> WINDOWS: "Where do you want to go today?"
> LINUX: "Where do you want to go tomorrow?"
> BSD: "Are you guys coming or what?"
>

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 8 08:09:40 2005
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A4D9916A41C for ; Fri, 8 Jul 2005 08:09:40 +0000 (GMT) (envelope-from jinmei@isl.rdc.toshiba.co.jp)
Received: from shuttle.wide.toshiba.co.jp (shuttle.wide.toshiba.co.jp [202.249.10.124]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1F25543D5E for ; Fri, 8 Jul 2005 08:09:39 +0000 (GMT) (envelope-from jinmei@isl.rdc.toshiba.co.jp)
Received: from ocean.jinmei.org (unknown [2001:200:0:8002:c5cf:e0cf:f5ab:8252]) by shuttle.wide.toshiba.co.jp (Postfix) with ESMTP id 5934015218; Fri, 8 Jul 2005 17:14:35 +0900 (JST)
Date: Fri, 08 Jul 2005 17:09:38 +0900
Message-ID:
From: JINMEI Tatuya / 神明達哉
To: tmas@dei.uc.pt
In-Reply-To: <200507010042.j610ffmt009548@smtp.dei.uc.pt>
References: <200507010042.j610ffmt009548@smtp.dei.uc.pt>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)
Organization: Research & Development Center, Toshiba Corp., Kawasaki, Japan.
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-pf@freebsd.org, snap-users@kame.net
Subject: Re: DiffServ with altq
X-List-Received-Date: Fri, 08 Jul 2005 08:09:40 -0000

>>>>> On Fri, 1 Jul 2005 01:41:32 +0100,
>>>>> "Tiago Sousa" said:

> My goal is to install the diffserv model in my test-bed. How can I do it?

I don't know the direct answer to this question, but:

> The problem is that i´m trying to compile the kame kernel with the altq
> options and, although no compilations error occurs, when I am configuring
> the rc.conf options, namely, when I add the ipv6_enable or
> ipv6_gateway_enable options an error occurs:

> in6_if2idlen:unknown link type (34)
> in6_if2idlen:unknown link type (249)
> in6_if2idlen:unknown link type (244)

> Anyone knows how can I solve this error?

These are just warnings. You can ignore them.

JINMEI, Tatuya
Communication Platform Lab.
Corporate R&D Center, Toshiba Corp.
jinmei@isl.rdc.toshiba.co.jp

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 8 09:39:39 2005
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CC5A416A41C for ; Fri, 8 Jul 2005 09:39:39 +0000 (GMT) (envelope-from bastien.rozenzwejg@enstimac.fr)
Received: from etoile.enstimac.fr (etoile.enstimac.fr [194.167.200.252]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3028B43D4C for ; Fri, 8 Jul 2005 09:39:38 +0000 (GMT) (envelope-from bastien.rozenzwejg@enstimac.fr)
Received: from [194.167.200.247] (i2727 [194.167.200.247]) by etoile.enstimac.fr (8.13.4/8.13.4) with ESMTP id j689dSa8011193 for ; Fri, 8 Jul 2005 11:39:29 +0200 (MEST)
Message-ID: <42CE49D0.8010305@enstimac.fr>
Date: Fri, 08 Jul 2005 11:39:28 +0200
From: Rozen
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.6) Gecko/20050414
X-Accept-Language: fr-fr, en-us, en
MIME-Version: 1.0
To: freebsd-pf@freebsd.org
References: <42CE2DB6.7010909@enstimac.fr>
In-Reply-To: <42CE2DB6.7010909@enstimac.fr>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-EMAC-MailScanner-Information: Please contact the ISP for more information
X-EMAC-MailScanner: Found to be clean
X-EMAC-MailScanner-From: bastien.rozenzwejg@enstimac.fr
Subject: AuthPF & MacSSH
X-List-Received-Date: Fri, 08 Jul 2005 09:39:39 -0000

Hi

I have a problem with my test machine (on MacOS 9). I haven't an SSH client, so I downloaded MacSSH. But it doesn't accept the connection with authpf.

error:
lsh : user authentication failed
lsh : protocol error : no more auth method available
lsh : need real authentication

But I can SSH on another machine without authpf. What can I do?
From owner-freebsd-pf@FreeBSD.ORG Fri Jul 8 10:38:32 2005
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9F30716A41F for ; Fri, 8 Jul 2005 10:38:32 +0000 (GMT) (envelope-from tmas@dei.uc.pt)
Received: from smtp.dei.uc.pt (smtp.dei.uc.pt [193.137.203.228]) by mx1.FreeBSD.org (Postfix) with ESMTP id E931C43D46 for ; Fri, 8 Jul 2005 10:38:29 +0000 (GMT) (envelope-from tmas@dei.uc.pt)
Received: from mail.dei.uc.pt (mail.dei.uc.pt [193.137.203.250]) by smtp.dei.uc.pt (8.13.4/8.13.4) with ESMTP id j68Ac1b3020648; Fri, 8 Jul 2005 11:38:01 +0100
Received: (from nobody@localhost) by mail.dei.uc.pt (8.11.7/8.11.7) id j68AbtC29741; Fri, 8 Jul 2005 11:37:55 +0100
X-Authentication-Warning: mail.dei.uc.pt: nobody set sender to tmas@dei.uc.pt using -f
Received: from radius-pii.uc.pt (radius-pii.uc.pt [193.136.236.65]) by mail.dei.uc.pt (IMP) with HTTP for ; Fri, 8 Jul 2005 11:37:55 +0100
Message-ID: <1120819075.42ce578346c3b@mail.dei.uc.pt>
Date: Fri, 8 Jul 2005 11:37:55 +0100
From: Tiago Miguel Amaral de Sousa
To: "JINMEI Tatuya / 神明達哉"
References: <200507010042.j610ffmt009548@smtp.dei.uc.pt>
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: Internet Messaging Program (IMP) 3.2.2
X-UC-FCT-DEI-MailScanner-Information: Please contact helpdesk@dei.uc.pt for more information
X-UC-FCT-DEI-MailScanner: Found to be clean
X-MailScanner-From: tmas@dei.uc.pt
Cc: freebsd-pf@freebsd.org, snap-users@kame.net
Subject: Re: DiffServ with altq
X-List-Received-Date: Fri, 08 Jul 2005 10:38:32 -0000

Hello

Thanks for your help/reply. Just one more thing to help people with the same problem: these warnings occur when, in rc.conf, the ipv6 protocol or ipv6_gateway options are enabled. In this case the router cannot forward packets or even ping other networks (it can only ping directly attached links).

My goal was to implement the diffserv model and, due to this and to the fact that the pf package was not mature for FreeBSD (doesn't implement traffic conditioners, for instance), I chose to install FreeBSD 4.11, i.e., the FreeBSD release prior to 5.

Thanks.

Tiago Sousa

Quoting "JINMEI Tatuya / 神明達哉" :

> >>>>> On Fri, 1 Jul 2005 01:41:32 +0100,
> >>>>> "Tiago Sousa" said:
>
> > My goal is to install the diffserv model in my test-bed. How can I do it?
>
> I don't know the direct answer to this question, but:
>
> > The problem is that i´m trying to compile the kame kernel with the altq
> > options and, although no compilations error occurs, when I am configuring
> > the rc.conf options, namely, when I add the ipv6_enable or
> > ipv6_gateway_enable options an error occurs:
>
> > in6_if2idlen:unknown link type (34)
> > in6_if2idlen:unknown link type (249)
> > in6_if2idlen:unknown link type (244)
>
> > Anyone knows how can I solve this error?
>
> These are just warnings. You can ignore them.
>
> JINMEI, Tatuya
> Communication Platform Lab.
> Corporate R&D Center, Toshiba Corp.
> jinmei@isl.rdc.toshiba.co.jp
>

--
Tiago Miguel Amaral de Sousa
Laboratório de Comunicações e Telemática
Universidade de Coimbra
tmas@dei.uc.pt
tsousa@netcabo.pt

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 8 13:01:54 2005
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6750B16A41C for ; Fri, 8 Jul 2005 13:01:54 +0000 (GMT) (envelope-from max@love2party.net)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.171]) by mx1.FreeBSD.org (Postfix) with ESMTP id C1E8643D45 for ; Fri, 8 Jul 2005 13:01:53 +0000 (GMT) (envelope-from max@love2party.net)
Received: from p54A3F860.dip.t-dialin.net [84.163.248.96] (helo=donor.laier.local) by mrelayeu.kundenserver.de with ESMTP (Nemesis), id 0MKwtQ-1DqsUK1mSC-0001sU; Fri, 08 Jul 2005 15:01:52 +0200
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Fri, 8 Jul 2005 15:01:33 +0200
User-Agent: KMail/1.8
References: <200507072011.j67KBhZZ033832@freefall.freebsd.org>
In-Reply-To: <200507072011.j67KBhZZ033832@freefall.freebsd.org>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart1215201.YWVHhoJ0lJ"; protocol="application/pgp-signature"; micalg=pgp-sha1
Content-Transfer-Encoding: 7bit
Message-Id: <200507081501.38596.max@love2party.net>
X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056
Subject: Re: kern/80627: pf_test6: kif == NULL ...
X-List-Received-Date: Fri, 08 Jul 2005 13:01:54 -0000

--nextPart1215201.YWVHhoJ0lJ
Content-Type: multipart/mixed; boundary="Boundary-01=_tknzC3SXIpNBddT"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--Boundary-01=_tknzC3SXIpNBddT
Content-Type: text/plain; charset="iso-8859-6"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On Thursday 07 July 2005 22:11, Max Laier wrote:
> Synopsis: pf_test6: kif == NULL ...
>
> State-Changed-From-To: open->feedback
> State-Changed-By: mlaier
> State-Changed-When: Thu Jul 7 20:10:19 GMT 2005
> State-Changed-Why:
> Patch available for testing.
>
>
> Responsible-Changed-From-To: mlaier->freebsd-pf
> Responsible-Changed-By: mlaier
> Responsible-Changed-When: Thu Jul 7 20:10:19 GMT 2005
> Responsible-Changed-Why:
> Over to freebsd-pf for evaluation.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=80627

Can you please test the patch? Thanks.
=2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --Boundary-01=_tknzC3SXIpNBddT Content-Type: text/x-diff; charset="iso-8859-6"; name="if.c.patch" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="if.c.patch" Index: if.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/net/if.c,v retrieving revision 1.234 diff -u -r1.234 if.c =2D-- if.c 1 Jul 2005 16:28:31 -0000 1.234 +++ if.c 7 Jul 2005 19:16:30 -0000 @@ -652,7 +652,6 @@ */ taskqueue_drain(taskqueue_swi, &ifp->if_linktask); =20 =2D EVENTHANDLER_INVOKE(ifnet_departure_event, ifp); #ifdef DEV_CARP /* Maybe hook to the generalized departure handler above?!? */ if (ifp->if_carp) @@ -713,6 +712,7 @@ =20 /* Announce that the interface is gone. */ rt_ifannouncemsg(ifp, IFAN_DEPARTURE); + EVENTHANDLER_INVOKE(ifnet_departure_event, ifp); =20 IF_AFDATA_LOCK(ifp); for (dp =3D domains; dp; dp =3D dp->dom_next) { 
@@ -1332,9 +1332,9 @@ if (ifunit(new_name) !=3D NULL) return (EEXIST); =09 =2D EVENTHANDLER_INVOKE(ifnet_departure_event, ifp); /* Announce the departure of the interface. */ rt_ifannouncemsg(ifp, IFAN_DEPARTURE); + EVENTHANDLER_INVOKE(ifnet_departure_event, ifp); =20 log(LOG_INFO, "%s: changing name to '%s'\n", ifp->if_xname, new_name); --Boundary-01=_tknzC3SXIpNBddT-- --nextPart1215201.YWVHhoJ0lJ Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (FreeBSD) iD8DBQBCznkyXyyEoT62BG0RAkPPAJ0bKHV2EzEvTYKxyR/C6xzfLXPCDwCfVQ+K aac/ti4EHYv8EvKW7XI3D+4= =HNyr -----END PGP SIGNATURE----- --nextPart1215201.YWVHhoJ0lJ-- From owner-freebsd-pf@FreeBSD.ORG Fri Jul 8 13:04:25 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6A68B16A41C for ; Fri, 8 Jul 2005 13:04:25 +0000 (GMT) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.171]) by mx1.FreeBSD.org (Postfix) with ESMTP id 524FA43D49 for ; Fri, 8 Jul 2005 13:04:24 +0000 (GMT) (envelope-from max@love2party.net) Received: from p54A3F860.dip.t-dialin.net [84.163.248.96] (helo=donor.laier.local) by mrelayeu.kundenserver.de with ESMTP (Nemesis), id 0MKxQS-1DqsWh27VG-0006HN; Fri, 08 Jul 2005 15:04:19 +0200 
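Review bot: the comment kept in the first if.c hunk, "Maybe hook to the generalized departure handler above?!?", now points the wrong way, because EVENTHANDLER_INVOKE(ifnet_departure_event, ifp) is removed from above the DEV_CARP block and re-added after rt_ifannouncemsg(ifp, IFAN_DEPARTURE) in the second hunk; update it to say "below". Add a one-line comment at the new call site as well, stating that the departure event must be delivered only after taskqueue_drain() and the route announcement, since nothing in the diff records the ordering that kern/80627 depends on and a later cleanup could move the call back.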
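Review bot: the rename hunk (the one around the "changing name to" log message) repeats the same reordering, which leaves two call sites that must stay in sync; consider a small static helper that does rt_ifannouncemsg(ifp, IFAN_DEPARTURE) followed by EVENTHANDLER_INVOKE(ifnet_departure_event, ifp) and call it from both places. The hunk correctly keeps the early return (EEXIST) before either call, so a rename that fails because ifunit(new_name) != NULL never announces a departure.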
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Fri, 8 Jul 2005 15:04:10 +0200
User-Agent: KMail/1.8
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart4431019.7DtTJ9QfDD"; protocol="application/pgp-signature"; micalg=pgp-sha1
Content-Transfer-Encoding: 7bit
Message-Id: <200507081504.16363.max@love2party.net>
X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056
Subject: Export pfsync statistics to netstat
X-List-Received-Date: Fri, 08 Jul 2005 13:04:25 -0000

--nextPart4431019.7DtTJ9QfDD
Content-Type: multipart/mixed; boundary="Boundary-01=_LnnzC5+8raykqbM"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--Boundary-01=_LnnzC5+8raykqbM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

All,

can you please give the attached patch a try? It's relative to CURRENT and should enable you to say:

$ netstat -sp pfsync

to get pfsync statistics. You need to recompile the kernel and netstat of course.

Thanks for your reports!
=2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --Boundary-01=_LnnzC5+8raykqbM Content-Type: text/x-diff; charset="us-ascii"; name="pfsyncstat.diff" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="pfsyncstat.diff" Index: usr.bin/netstat/if.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/usr.bin/netstat/if.c,v retrieving revision 1.58 diff -u -r1.58 if.c =2D-- usr.bin/netstat/if.c 26 Jul 2004 20:18:11 -0000 1.58 +++ usr.bin/netstat/if.c 7 Jul 2005 17:36:51 -0000 @@ -52,12 +52,16 @@ #include #include #include +#include +#include #include #include #include #include #include =20 +#include +#include #include #include #include 
@@ -118,8 +122,50 @@ } } =20 +/*=20 + * Dump pfsync statistics structure. + */ +void +pfsync_stats(u_long off __unused, const char *name, int af1 __unused) +{ + struct pfsyncstats pfsyncstat, zerostat; + size_t len =3D sizeof(struct pfsyncstats); =20 + if (zflag) + memset(&zerostat, 0, len); + if (sysctlbyname("net.inet.pfsync.stats", &pfsyncstat, &len, + zflag ? &zerostat : NULL, zflag ? len : 0) < 0) { + if (errno !=3D ENOENT) + warn("sysctl: net.inet.pfsync.stats"); + return; + } + + printf("%s:\n", name); =20 +#define p(f, m) if (pfsyncstat.f || sflag <=3D 1) \ + printf(m, (unsigned long long)pfsyncstat.f, plural(pfsyncstat.f)) +#define p2(f, m) if (pfsyncstat.f || sflag <=3D 1) \ + printf(m, (unsigned long long)pfsyncstat.f) + + p(pfsyncs_ipackets, "\t%llu packet%s received (IPv4)\n"); + p(pfsyncs_ipackets6, "\t%llu packet%s received (IPv6)\n"); + p(pfsyncs_badif, "\t\t%llu packet%s discarded for bad interface\n"); + p(pfsyncs_badttl, "\t\t%llu packet%s discarded for bad ttl\n"); + p(pfsyncs_hdrops, "\t\t%llu packet%s shorter than header\n"); + p(pfsyncs_badver, "\t\t%llu packet%s discarded for bad version\n"); + p(pfsyncs_badauth, "\t\t%llu packet%s discarded for bad HMAC\n"); + p(pfsyncs_badact,"\t\t%llu packet%s discarded for bad action\n"); + p(pfsyncs_badlen, "\t\t%llu packet%s discarded for short packet\n"); + p(pfsyncs_badval, "\t\t%llu state%s discarded for bad values\n"); + p(pfsyncs_stale, "\t\t%llu stale state%s\n"); + p(pfsyncs_badstate, "\t\t%llu failed state lookup/insert%s\n"); + p(pfsyncs_opackets, "\t%llu packet%s sent (IPv4)\n"); + p(pfsyncs_opackets6, "\t%llu packet%s sent (IPv6)\n"); + p2(pfsyncs_onomem, "\t\t%llu send failed due to mbuf memory error\n"); + p2(pfsyncs_oerrors, "\t\t%llu send error\n"); +#undef p +#undef p2 +} =20 /* * Display a formatted value, or a '-' in the same space. 
Index: usr.bin/netstat/main.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/usr.bin/netstat/main.c,v retrieving revision 1.72 diff -u -r1.72 main.c =2D-- usr.bin/netstat/main.c 22 Feb 2005 13:04:04 -0000 1.72 +++ usr.bin/netstat/main.c 7 Jul 2005 17:28:08 -0000 @@ -138,6 +138,8 @@ { "_clust_lowm" }, #define N_CARPSTAT 33 { "_carpstats" }, +#define N_PFSYNCSTAT 34 + { "_pfsyncstats" }, { "" }, }; =20 @@ -175,6 +177,8 @@ pim_stats, NULL, "pim", IPPROTO_PIM }, { -1, N_CARPSTAT, 1, 0, carp_stats, NULL, "carp", 0}, + { -1, -1, 1, NULL, + pfsync_stats, NULL, "pfsync", 1}, { -1, -1, 0, NULL, NULL, NULL, NULL, 0 } }; Index: usr.bin/netstat/netstat.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/usr.bin/netstat/netstat.h,v retrieving revision 1.41 diff -u -r1.41 netstat.h =2D-- usr.bin/netstat/netstat.h 22 Feb 2005 13:04:05 -0000 1.41 +++ usr.bin/netstat/netstat.h 7 Jul 2005 17:23:39 -0000 
@@ -72,6 +72,7 @@ void igmp_stats(u_long, const char *, int); void pim_stats(u_long, const char *, int); void carp_stats (u_long, const char *, int); +void pfsync_stats (u_long, const char *, int); #ifdef IPSEC void ipsec_stats(u_long, const char *, int); #endif Index: sys/contrib/pf/net/if_pfsync.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/if_pfsync.c,v retrieving revision 1.19 diff -u -r1.19 if_pfsync.c =2D-- sys/contrib/pf/net/if_pfsync.c 26 Jun 2005 21:00:52 -0000 1.19 +++ sys/contrib/pf/net/if_pfsync.c 7 Jul 2005 16:40:21 -0000 @@ -119,8 +119,10 @@ struct pfsync_softc pfsyncif; #endif struct pfsyncstats pfsyncstats; =2D #ifdef __FreeBSD__ +SYSCTL_STRUCT(_net_inet_pfsync, 0, stats, CTLFLAG_RW, + &pfsyncstats, pfsyncstats, + "PFSYNC statistics (struct pfsyncstats, net/if_pfsync.h)"); =20 /* * Locking notes: --Boundary-01=_LnnzC5+8raykqbM-- --nextPart4431019.7DtTJ9QfDD Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (FreeBSD) iD8DBQBCznnQXyyEoT62BG0RAjMZAJ9fOxn2x7RCmdhwduiBMJ2NbgwYvACggRq7 C9XUvsV3dtj8R/ZzUgskLM0= =Oo/4 -----END PGP SIGNATURE----- --nextPart4431019.7DtTJ9QfDD--
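Review bot: in the pfsync_stats() hunk of usr.bin/netstat/if.c, the line `p(pfsyncs_badact,"\t\t%llu packet%s discarded for bad action\n");` is missing the space after the comma that every other p()/p2() call has. Returning silently when sysctlbyname("net.inet.pfsync.stats") fails with ENOENT is the right behaviour for a kernel built without pfsync. Note for the commit message that the zflag path passes &zerostat and len as the new value, so `netstat -z` writes zeros back into the kernel counters for every reader; that is why the SYSCTL_STRUCT in if_pfsync.c has to be CTLFLAG_RW rather than CTLFLAG_RD.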
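Review bot: the protox entry added in the second usr.bin/netstat/main.c hunk, `{ -1, -1, 1, NULL, pfsync_stats, NULL, "pfsync", 1}`, uses -1 for the stat-block nlist index and sets pr_usesysctl to 1, so the `#define N_PFSYNCSTAT 34` / `{ "_pfsyncstats" }` nlist entry added in the first main.c hunk is never referenced. Either drop that nlist addition or wire it in the way the neighbouring carp entry uses N_CARPSTAT, so that the kvm path (reading a crash dump with -M) also works for pfsync.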
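Review bot: SYSCTL_STRUCT(_net_inet_pfsync, 0, stats, CTLFLAG_RW, ...) in the sys/contrib/pf/net/if_pfsync.c hunk needs the net.inet.pfsync node to be declared (a SYSCTL_DECL or SYSCTL_NODE) before this point; the hunk does not show one, so confirm it already exists in this file or add it, otherwise the kernel build fails. The handler copies struct pfsyncstats out without any lock against the network stack updating it, which is acceptable for counters but worth a comment beside the declaration, as is the fact that CTLFLAG_RW exists only so that netstat -z can zero the struct. Dropping the blank line before `#ifdef __FreeBSD__` keeps the declaration inside the __FreeBSD__ block, which is where it belongs.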
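The `netstat -sp pfsync` output that the patch above produces is the counter set an operator would poll to notice a misbehaving or unauthenticated pfsync peer (bad HMAC, bad version, packets arriving on the wrong interface). The following is an added example, not code from Max Laier's patch or from FreeBSD: it parses that output back into the struct pfsyncstats field names and reports every non-zero discard counter. The sample text is constructed from the format strings in pfsync_stats() with made-up numbers, and the function and table names are this example's own.

```python
import re

# Constructed sample of what the patched `netstat -sp pfsync` prints: the
# wording and tab indentation follow the p()/p2() format strings in
# pfsync_stats(); the numbers are made up for this example.
SAMPLE_OUTPUT = """\
pfsync:
\t10231 packets received (IPv4)
\t0 packets received (IPv6)
\t\t0 packets discarded for bad interface
\t\t0 packets discarded for bad ttl
\t\t0 packets shorter than header
\t\t3 packets discarded for bad version
\t\t17 packets discarded for bad HMAC
\t\t0 packets discarded for bad action
\t\t1 packet discarded for short packet
\t\t0 states discarded for bad values
\t\t4 stale states
\t\t0 failed state lookup/inserts
\t9877 packets sent (IPv4)
\t0 packets sent (IPv6)
\t\t0 send failed due to mbuf memory error
\t\t0 send error
"""

# (struct pfsyncstats field, label regex).  The optional "s" absorbs the
# plural() suffix netstat appends, so "1 packet ..." and "2 packets ..."
# map to the same counter.
COUNTER_PATTERNS = [
    ("pfsyncs_ipackets",  r"packets? received \(IPv4\)"),
    ("pfsyncs_ipackets6", r"packets? received \(IPv6\)"),
    ("pfsyncs_badif",     r"packets? discarded for bad interface"),
    ("pfsyncs_badttl",    r"packets? discarded for bad ttl"),
    ("pfsyncs_hdrops",    r"packets? shorter than header"),
    ("pfsyncs_badver",    r"packets? discarded for bad version"),
    ("pfsyncs_badauth",   r"packets? discarded for bad HMAC"),
    ("pfsyncs_badact",    r"packets? discarded for bad action"),
    ("pfsyncs_badlen",    r"packets? discarded for short packet"),
    ("pfsyncs_badval",    r"states? discarded for bad values"),
    ("pfsyncs_stale",     r"stale states?"),
    ("pfsyncs_badstate",  r"failed state lookup/inserts?"),
    ("pfsyncs_opackets",  r"packets? sent \(IPv4\)"),
    ("pfsyncs_opackets6", r"packets? sent \(IPv6\)"),
    ("pfsyncs_onomem",    r"send failed due to mbuf memory error"),
    ("pfsyncs_oerrors",   r"send error"),
]
_LABELS = [(field, re.compile(pat)) for field, pat in COUNTER_PATTERNS]
_LINE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")

# Received packets pfsync refused outright, and state records it refused
# after accepting the packet.  The order here is the report order.
PACKET_DISCARDS = ("pfsyncs_badif", "pfsyncs_badttl", "pfsyncs_hdrops",
                   "pfsyncs_badver", "pfsyncs_badauth", "pfsyncs_badact",
                   "pfsyncs_badlen")
STATE_DISCARDS = ("pfsyncs_badval", "pfsyncs_badstate")

EXPLANATIONS = {
    "pfsyncs_badif": "packets arrived on an interface other than the pfsync sync interface",
    "pfsyncs_badttl": "packets arrived with a TTL pfsync does not accept from a peer",
    "pfsyncs_hdrops": "packets were shorter than the pfsync header",
    "pfsyncs_badver": "a peer is speaking a different pfsync protocol version",
    "pfsyncs_badauth": "packets failed the HMAC check (unauthenticated or wrongly keyed sender)",
    "pfsyncs_badact": "packets carried an unknown pfsync action",
    "pfsyncs_badlen": "packets were too short for the action they carried",
    "pfsyncs_badval": "state records were rejected for bad values",
    "pfsyncs_badstate": "state records could not be looked up or inserted",
}


def parse_pfsync_stats(text):
    """Map netstat's lines back to pfsyncstats fields.

    Counters missing from the output default to 0: `netstat -s -s` (sflag > 1)
    suppresses zero-valued lines, so absence is not an error.  An unknown
    label is, because it means the output format is not the one expected.
    """
    counters = {field: 0 for field, _ in COUNTER_PATTERNS}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:                      # the "pfsync:" header or a blank line
            continue
        count, label = int(m.group(1)), m.group(2)
        for field, pat in _LABELS:
            if pat.fullmatch(label):
                counters[field] = count
                break
        else:
            raise ValueError("unrecognised pfsync statistics line: %r" % line)
    return counters


def discard_ratio(counters):
    """Fraction of received pfsync packets dropped before their payload was used."""
    received = counters["pfsyncs_ipackets"] + counters["pfsyncs_ipackets6"]
    if received == 0:
        return 0.0
    return sum(counters[f] for f in PACKET_DISCARDS) / received


def findings(counters):
    """(field, count, explanation) for every non-zero discard counter."""
    return [(f, counters[f], EXPLANATIONS[f])
            for f in PACKET_DISCARDS + STATE_DISCARDS if counters[f] > 0]


if __name__ == "__main__":
    stats = parse_pfsync_stats(SAMPLE_OUTPUT)
    print("discard ratio: %.4f" % discard_ratio(stats))
    for field, count, why in findings(stats):
        print("%-18s %6d  %s" % (field, count, why))
```

Feeding the real command's output in (for example via subprocess) and keeping the previous sample lets a monitor alert on the delta of pfsyncs_badauth or pfsyncs_badver rather than on the absolute value, since the counters only reset when `netstat -z` zeroes the struct.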