From owner-freebsd-pf@FreeBSD.ORG Mon Aug 29 11:02:15 2005
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0C5BA16A420 for ; Mon, 29 Aug 2005 11:02:15 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id C126943D5A for ; Mon, 29 Aug 2005 11:02:13 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j7TB2Dpt021583 for ; Mon, 29 Aug 2005 11:02:13 GMT (envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j7TB2Cl5021577 for freebsd-pf@freebsd.org; Mon, 29 Aug 2005 11:02:12 GMT (envelope-from owner-bugmaster@freebsd.org)
Date: Mon, 29 Aug 2005 11:02:12 GMT
Message-Id: <200508291102.j7TB2Cl5021577@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Mon, 29 Aug 2005 11:02:15 -0000

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
p [2005/05/19] ia64/81284  pf    Unaligned Reference with pf on 5.4/IA64
o [2005/06/15] kern/82271  pf    [pf] cbq scheduler cause bad latency

2 problems total.

Non-critical problems
S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2005/05/15] conf/81042  pf    [patch] /etc/pf.os doesn't match FreeBSD

1 problem total.

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 29 22:13:49 2005
Date: Tue, 30 Aug 2005 01:13:37 +0300
From: vladone
To: freebsd-pf@freebsd.org
Message-ID: <513797718.20050830011337@spaingsm.com>
Subject: pf+tables option

Hi!

I want to load table entries for pf from a file. pf.conf:

  table <list1> const file "/etc/list1"

What is the syntax for this file? I created a list of IPs like:

  192.168.0.0/24
  192.168.101.0/24
  ..........

I don't receive any error when loading pf.conf, but I don't see any entries in the table with "pfctl -s Tables".

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 29 22:49:29 2005
Date: Tue, 30 Aug 2005 01:49:29 +0300
From: vladone
To: freebsd-pf@freebsd.org
In-Reply-To: <20050829222130.GL50923@qube.teaser.fr>
References: <513797718.20050830011337@spaingsm.com> <20050829222130.GL50923@qube.teaser.fr>
Message-ID: <4410288456.20050830014929@spaingsm.com>
Subject: Re[2]: [FreeBSD-PF] pf+tables option

Not working. I'm new to pf. When I give:

  # pfctl -T show -t list1
  pfctl: Table does not exist.

I tried this:

  # pfctl -T show -t <list1>
  Missing name for redirect.

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 29 22:57:53 2005
Date: Tue, 30 Aug 2005 01:57:45 +0300
From: vladone
To: freebsd-pf@freebsd.org
Message-ID: <1279440152.20050830015745@spaingsm.com>
Subject: question about queue

Hi!

I'm new to pf+altq, so I have this question: if I want traffic from each host on my local network to be passed to a different queue (I want each user to receive the same bandwidth, but if there is no traffic, to be able to get more bandwidth), how can I do that?

One solution is to create a queue for each user and then assign the traffic from him to that queue. But what if I have 100-200 or more users? Is there another solution to do that?

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 30 12:59:28 2005
Date: Tue, 30 Aug 2005 15:59:22 +0300
From: vladone
To: freebsd-pf@freebsd.org
In-Reply-To: <4410288456.20050830014929@spaingsm.com>
References: <513797718.20050830011337@spaingsm.com> <20050829222130.GL50923@qube.teaser.fr> <4410288456.20050830014929@spaingsm.com>
Message-ID: <1136893358.20050830155922@spaingsm.com>
Subject: Re[3]: [FreeBSD-PF] pf+tables option

I resolved this. To view the tables when there is no traffic, you need to put the option "persist":

  table <list1> persist file "/etc/list_addresses"

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 30 19:54:32 2005
Date: Tue, 30 Aug 2005 22:54:25 +0300
From: vladone
To: freebsd-pf@freebsd.org
Message-ID: <61195093.20050830225425@spaingsm.com>
Subject: altq question

Hi!

I want to use pf+altq to do some traffic shaping. I don't understand all of it very well, so this is what I want to do:

It is easy to use the table option. I want to make two tables:

  table <users1> file "/path"
  table <users2> file "/path"

I want to shape traffic to each IP in users1 or users2. For example:

  queue high bandwidth 512Kb
  queue low bandwidth 128Kb

Is it possible to assign a queue to each traffic flow from users1 or users2, without doing this for each IP that exists in the tables? Something like:

  pass out on $int_if from any to <users1> queue high

It is not very easy to define a queue for each user and then assign it.
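The table problem from the "pf+tables option" thread and the table definitions in the altq question above, as an added example that is not code from pf, pfctl or the posters: a checker that parses a pf.conf fragment assembled from the snippets in both posts and reports which tables pf would keep and which it would drop for lack of a referencing rule or the persist flag, then rewrites the dropped ones. Table and queue names come from the posts; the file paths, the altq line and the flag handling are assumptions.

```python
"""Audit which tables a pf.conf ruleset will actually keep.

Added example for the pf table and altq posts above; it is not code from pf,
pfctl or the list posters. It models one documented pf.conf(5) behaviour: a
table that no rule references is removed at load time unless it carries the
"persist" flag, which is why "pfctl -s Tables" showed nothing until persist
was added. The ruleset below is constructed from the thread's snippets.
"""
import re

TABLE_DEF = re.compile(r"^\s*table\s+<(?P<name>[\w.-]+)>(?P<rest>.*)$")
TABLE_REF = re.compile(r"<([\w.-]+)>")
TABLE_FLAGS = {"const", "persist", "counters"}

SAMPLE_PF_CONF = """\
# constructed ruleset assembled from the snippets in the thread
int_if = "fxp0"
table <list1> const file "/etc/list1"
table <users1> file "/path/users1"
table <users2> persist file "/path/users2"
altq on $int_if cbq bandwidth 1Mb queue { high, low }
queue high bandwidth 512Kb
queue low bandwidth 128Kb cbq(default)
pass out on $int_if from any to <users1> queue high
"""


def strip_comment(line):
    """Drop a trailing '#' comment (a '#' inside quotes is not handled)."""
    return line.split("#", 1)[0]


def parse_table_def(line):
    """Return (name, flags, file_path_or_None) for a 'table <name> ...' line, else None."""
    m = TABLE_DEF.match(line)
    if not m:
        return None
    rest = m.group("rest")
    flags = {w for w in rest.replace("{", " ").split() if w in TABLE_FLAGS}
    fm = re.search(r'file\s+"([^"]+)"', rest)
    return m.group("name"), flags, (fm.group(1) if fm else None)


def audit_tables(ruleset):
    """Map each table name to 'kept', 'dropped' or 'undefined'.

    'dropped' is the thread's symptom: defined, not persist, and referenced by
    no rule, so the kernel discards it right after the ruleset is loaded.
    'undefined' means a rule references a table that is never defined; pfctl
    rejects such a ruleset at parse time.
    """
    defined = {}
    referenced = set()
    for raw in ruleset.splitlines():
        line = strip_comment(raw)
        if not line.strip():
            continue
        t = parse_table_def(line)
        if t:
            defined[t[0]] = t[1]
            continue
        # Any <name> in a pass/block/nat/rdr/binat rule is a table reference,
        # including translation pools such as "-> <pool> port 1024:65535".
        referenced.update(TABLE_REF.findall(line))
    status = {}
    for name, flags in defined.items():
        status[name] = "kept" if name in referenced or "persist" in flags else "dropped"
    for name in referenced - set(defined):
        status[name] = "undefined"
    return status


def add_persist(ruleset):
    """Return the ruleset with 'persist' added to every table that would be dropped."""
    dropped = {n for n, s in audit_tables(ruleset).items() if s == "dropped"}
    out = []
    for raw in ruleset.splitlines():
        t = parse_table_def(strip_comment(raw))
        if t and t[0] in dropped:
            raw = raw.replace(f"<{t[0]}>", f"<{t[0]}> persist", 1)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, state in sorted(audit_tables(SAMPLE_PF_CONF).items()):
        print(f"table <{name}>: {state}")
    print(add_persist(SAMPLE_PF_CONF))
```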
From owner-freebsd-pf@FreeBSD.ORG Tue Aug 30 23:47:13 2005
Date: Wed, 31 Aug 2005 01:47:09 +0200
From: Daniel Dvořák
Reply-To: dandee@volny.cz
Message-Id: <20050830234717.3D5E14E704@pipa.profix.cz>
Subject: Application layer firewall on FreeBSD, is it possible ?

Hi all,

let me ask you about the task "how to control p2p applications and their traffic with dynamic ports from users' computers on the gateway".

We are a small wireless community and have shared access to the internet for all members. Core members decided to control p2p traffic by default and to allow each person individually, after they show their knowledge of authorial law. :)

But since many dc hubs, edonkey servers, bittorrent web trackers and so on use dynamic, non-standard ports, how to control it?

Linux uses l7-filter (sourceforge.net/projects/l7-filter, sourceforge freeware); it is based on iptables and defines application protocols like the ethereal project does.

So, is there any way to do the same application layer (OSI model) firewall with a FreeBSD gateway?

Of course, I tried to find it on the web; I have not been successful in searching so far.

If my question is not right for this mailing list, if my question is annoying here, I am sorry.
Dan

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 31 00:08:51 2005
Date: Wed, 31 Aug 2005 03:08:26 +0300
From: "Chris Dionissopoulos"
References: <20050830234717.3D5E14E704@pipa.profix.cz>
Message-ID: <000f01c5adc0$1d0d1590$0100000a@R3B>
Subject: Re: Application layer firewall on FreeBSD, is it possible ?

Hi,

How about using snort (/usr/ports/security/snort) to create alerts based on the snort p2p rules, and snortsam's (i)pf(w) plugin (www.snortsam.net) to make (i)pf(w) deny (or delay) such p2p sessions?

Chris.

----- Original Message -----
From: "Daniel Dvořák"
Sent: Wednesday, August 31, 2005 2:47 AM
Subject: Application layer firewall on FreeBSD, is it possible ?
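Chris's snort + snortsam suggestion in outline, as an added example that is not code from snort, snortsam or the list: it parses Snort alert_fast lines, picks the member-side address of each flow a p2p rule fired on, honours a per-member allow list (the individual grants Dan describes), and produces the pfctl table-add commands that a snortsam-style plugin would run. The alert lines, rule SIDs, addresses, table names and the pf rules are all constructed.

```python
"""Turn Snort alerts into pf table entries for the member hosts that triggered them.

Added example illustrating the snort + snortsam-style glue suggested above; it
is not code from snort, snortsam or the list. Only parsing and the policy
decision run here: the resulting pfctl commands are returned, not executed.
The alert lines, rule SIDs (9000xxx), addresses and table names are constructed.
"""
import ipaddress
import re
import shlex

# pf.conf side this feeds (constructed): both tables carry "persist" so they
# survive a reload even while empty, the lesson of the earlier tables thread.
PF_RULES = """\
table <p2p_blocked> persist
table <p2p_allowed> persist file "/etc/p2p_allowed"
block return quick from <p2p_blocked> to any
"""

# Snort "alert_fast" line layout (IPv4 only here):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src[:port] -> dst[:port]
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

SAMPLE_ALERTS = [  # constructed alert_fast lines
    "08/31-01:47:09.123456  [**] [1:9000001:1] CONSTRUCTED P2P BitTorrent peer handshake [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.23:51413 -> 203.0.113.10:6881",
    "08/31-01:47:12.000001  [**] [1:9000002:1] CONSTRUCTED P2P eDonkey server connect [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.51.100.7:4662 -> 192.168.1.40:4662",
    "08/31-01:47:15.500000  [**] [1:9000003:1] CONSTRUCTED ICMP echo [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.23 -> 203.0.113.10",
    "08/31-01:47:20.000000  [**] [1:9000001:1] CONSTRUCTED P2P BitTorrent peer handshake [**] "
    "[Priority: 1] {TCP} 192.168.1.99:6881 -> 203.0.113.55:51413",
    "this line is not an alert and must be ignored",
]

P2P_SIDS = {9000001, 9000002}                        # SIDs whose alerts mean "p2p session"
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # the community's member range
ALLOWED = {"192.168.1.99"}                           # members granted p2p individually


def parse_fast_alert(line):
    """Parse one alert_fast line into a dict, or return None for non-alert lines."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["gid"], a["sid"], a["rev"] = int(a["gid"]), int(a["sid"]), int(a["rev"])
    a["sport"] = int(a["sport"]) if a["sport"] else None
    a["dport"] = int(a["dport"]) if a["dport"] else None
    return a


def local_endpoint(alert, local_net=LOCAL_NET):
    """Return the member-side address of the flow, whichever direction snort saw it in."""
    for key in ("src", "dst"):
        if ipaddress.ip_address(alert[key]) in local_net:
            return alert[key]
    return None


def select_block_targets(lines, p2p_sids=P2P_SIDS, local_net=LOCAL_NET, allowed=ALLOWED):
    """Member addresses that a p2p alert implicates and that are not individually allowed."""
    targets = set()
    for line in lines:
        a = parse_fast_alert(line)
        if a is None or a["sid"] not in p2p_sids:
            continue
        ip = local_endpoint(a, local_net)
        if ip is not None and ip not in allowed:
            targets.add(ip)
    return targets


def pfctl_commands(targets, table="p2p_blocked"):
    """argv lists that would add each target to the pf table (pfctl -t <table> -T add <ip>)."""
    ordered = sorted(targets, key=ipaddress.ip_address)
    return [["pfctl", "-t", table, "-T", "add", ip] for ip in ordered]


if __name__ == "__main__":
    for cmd in pfctl_commands(select_block_targets(SAMPLE_ALERTS)):
        print(shlex.join(cmd))  # hand these to subprocess.run() on the gateway
```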
From owner-freebsd-pf@FreeBSD.ORG Wed Aug 31 00:16:28 2005
Date: Wed, 31 Aug 2005 02:16:26 +0200
From: Daniel Dvořák
Reply-To: dandee@volny.cz
Message-Id: <20050831001634.63B2C4E704@pipa.profix.cz>
Subject: FW: Application layer firewall on FreeBSD, is it possible ?

... but you know, a proxy is not what I am asking for; a proxy is not a firewall.

We do not need to restrict everything and all members.

We like a fully routable network with full access to the IPv6 / IPv4 internet without any action being necessary, like configuring proxy clients on all of our members' PCs.

We only want to deny p2p applications by default for all PCs regardless of the protocol/ports used, and to allow granting access to p2p networks to each member individually, because we have to prevent another letter from our ISP, which was contacted by the BSA that from our public IP (from one member in private IP space) ... traffic ... share ... violate ... authorial law.

So of course it must be a combination of an IP and an application (OSI model) firewall.

The gateway server should check all packets and their contents to decide whether they are allowed or denied, in a fast way like l7-filter on Linux OS.

So is it possible on FreeBSD OS?

Thanks

Dan

_____
From: Daniel Dvořák [mailto:dandee@hellteam.net]
Sent: Wednesday, August 31, 2005 1:47 AM
To: 'freebsd-questions@freebsd.org'; 'freebsd-ipfw@freebsd.org'; 'freebsd-pf@freebsd.org'
Subject: Application layer firewall on FreeBSD, is it possible ?
From owner-freebsd-pf@FreeBSD.ORG Wed Aug 31 12:07:54 2005
Date: Wed, 31 Aug 2005 07:07:49 -0500
Message-ID: <20050831070749.b200501hq80w0csg@mail.bafirst.com>
From: eculp@bafirst.com
To: freebsd-pf@freebsd.org
References: <20050831001634.63B2C4E704@pipa.profix.cz>
In-Reply-To: <20050831001634.63B2C4E704@pipa.profix.cz>
Subject: Re: FW: Application layer firewall on FreeBSD, is it possible ?

Quoting Daniel Dvořák:

> ... but you know, proxy is not what I am asking, proxy is not firewall.
>
> [...]
>
> Gateway server should check all packets and their contents to decide if
> allowed or denied in fast way like l7-filter on Linux OS.
>
> So is it possible on FreeBSD OS ?

Dan,

Thanks for bringing this up. I have been looking for a way to control p2p for a while also. It is a problem that I can see only getting worse. I was unaware of l7-filter on Linux and want to see how it works, because for us the word "FAST" is key.
If you find a solution, I would appreciate your posting it to the list, which I'm sure you will do anyway.

Have a great day,

ed

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 31 13:30:00 2005
In-Reply-To: <20050831001634.63B2C4E704@pipa.profix.cz>
References: <20050831001634.63B2C4E704@pipa.profix.cz>
Message-Id: <98DDA057-48F4-4AE6-A1EB-9E32C9297BB2@buraglio.com>
From: Nick Buraglio
Date: Wed, 31 Aug 2005 08:29:37 -0500
To: freebsd-pf@freebsd.org
Subject: Re: Application layer firewall on FreeBSD, is it possible ?

I think what the pf developers will tell you (and what I think is correct) is that firewalling is meant for layer 3 and layer 7 is meant to be proxied. I hear the l7 stuff for Linux is somewhat of a messy hack (although it does seem to work). I asked what they thought of this a few years ago just out of curiosity and was answered with some fairly good responses re: l7 filtering. At least in regards to pf, I don't think it will ever be able to do it since that's not really what it's for (again, though, I'm not a developer on that project so I really have no idea of their roadmap).

I'd recommend a combination of snort2pf and transparent squid to start; of course you can always use the Linux stuff if you aren't opposed to using Linux.

Check out snort2pf: http://www.thinknerd.org/~ssc/wiki/doku.php?id=snort2pf

It should do what you want it to do.

nb

On Aug 30, 2005, at 7:16 PM, Daniel Dvořák wrote:

> ... but you know, proxy is not what I am asking, proxy is not firewall.
>
> We do not need to restrict everything and all members.
>
> We like full routeable network with full access to IPv6 / IPv4 internet
> without any necessary action like configure proxy clients at all pc´s our
> members.
From owner-freebsd-pf@FreeBSD.ORG Wed Aug 31 14:54:44 2005
From: Boris Polevoy
To: freebsd-pf@freebsd.org
Date: Wed, 31 Aug 2005 18:54:42 +0400
Subject: PF ioctl(DIOCCHANGERULE) NAT -> core dumped

Hello, All!

FreeBSD 5.4-RELEASE:

1) via ioctl(DIOCCHANGERULE) add a NAT rule with a table in the outside pool:

   nat on fxp0 inet from <...> to any -> <...> port 1024:65535 round-robin

2) ping from the inside network to an outside host crashes the system with a core dump.

After analysing the core dump:

   pf_test_icmp()
   | pf_get_translation()
   | pf_get_sport()
   | pf_map_addr()
   | pfr_pool_get(NULL,...)
                  ^^^^

Possible problem in function pf_ioctl.c/pfioctl():

   switch (cmd) {
   case DIOCADDRULE:
   ....
           if (pf_tbladdr_setup(ruleset, &rule->dst.addr))
                   error = EINVAL;
           TAILQ_FOREACH(pa, &pf_pabuf, entries)
                   if (pf_tbladdr_setup(ruleset, &pa->addr))
                           error = EINVAL;
           pf_mv_pool(&pf_pabuf, &rule->rpool.list);
   ....
   case DIOCCHANGERULE:
   ....
           if (pf_tbladdr_setup(ruleset, &newrule->dst.addr))
                   error = EINVAL;
   >>>     pf_mv_pool(&pf_pabuf, &newrule->rpool.list);
   ....

This case does not have the pf_tbladdr_setup(ruleset, &pa->addr) loop. After inserting the TAILQ_FOREACH() loop in case DIOCCHANGERULE, the NAT rule works well:

--- pf_ioctl.c Wed Aug 31 17:59:27 2005
+++ pf_ioctl.c-fix Wed Aug 31 17:59:23 2005
@@ -1552,6 +1552,10 @@ if (pf_tbladdr_setup(ruleset, &newrule->dst.addr)) error = EINVAL; + TAILQ_FOREACH(pa, &pf_pabuf, entries) + if (pf_tbladdr_setup(ruleset, &pa->addr)) + error = EINVAL; + pf_mv_pool(&pf_pabuf, &newrule->rpool.list); if (((((newrule->action == PF_NAT) || (newrule->action == PF_RDR) ||

Is it a bug or not?

With best regards
Boris Polevoy

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 1 03:24:16 2005
Date: Thu, 1 Sep 2005 03:24:15 GMT
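Review bot: the added loop is copied by hand from the DIOCADDRULE case, and it sits in the right place (before pf_mv_pool() hands the pool list to newrule), but the two ioctl cases now carry the same setup sequence as duplicated code, which is exactly how this case was missed in the first place; factoring `TAILQ_FOREACH(pa, &pf_pabuf, entries) if (pf_tbladdr_setup(ruleset, &pa->addr)) error = EINVAL;` together with the following pf_mv_pool() into one helper called from both cases would keep them from drifting apart again. Two things to confirm that the hunk does not show: that `pa` is declared in scope for the DIOCCHANGERULE case, and that, as in DIOCADDRULE, a setup failure only sets EINVAL while the pool is still moved onto the rule, so the error path must reject newrule before it can be reached from the packet path.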
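A small C model of the failure Boris describes, added here as an example; it is not code from FreeBSD or from the report, every struct and function name is a hypothetical stand-in for the kernel's pool, table and ioctl paths, and the table registry is constructed. It shows how skipping the per-entry table setup leaves a NULL table pointer for the packet path, the defensive check the lookup can make instead of dereferencing it, and the shared-helper shape that keeps the add-rule and change-rule paths from diverging.

```c
/* Added example, not FreeBSD code: models the DIOCCHANGERULE bug with
 * hypothetical stand-in structs. A table-type pool entry must have its table
 * pointer resolved before the pool is moved onto the rule, or the packet path
 * dereferences NULL (the pfr_pool_get(NULL, ...) seen in the trace). */
#include <string.h>
enum addr_type { ADDR_IPV4, ADDR_TABLE };
struct table { const char *name; };
struct pool_addr { enum addr_type type; const char *tblname; struct table *tbl; };
static struct table registry[] = { { "outpool" }, { "dmz" } }; /* constructed */

/* Resolve one pool entry's table reference (stand-in for pf_tbladdr_setup()). */
int tbladdr_setup(struct pool_addr *pa)
{
    if (pa->type != ADDR_TABLE)
        return 0;                       /* inline address: nothing to resolve */
    for (size_t i = 0; i < sizeof registry / sizeof registry[0]; i++)
        if (strcmp(registry[i].name, pa->tblname) == 0) { pa->tbl = &registry[i]; return 0; }
    return -1;                          /* unknown table: EINVAL in the kernel */
}

/* One helper for the whole pool list, shared by add-rule and change-rule. */
int pool_setup(struct pool_addr *list, size_t n)
{
    int err = 0;
    for (size_t i = 0; i < n; i++)
        if (tbladdr_setup(&list[i]) != 0)
            err = -1;
    return err;
}

/* Defensive stand-in for pfr_pool_get(): refuse an unresolved table entry. */
int pool_get(const struct pool_addr *pa, const char **out)
{
    if (pa->type == ADDR_TABLE && pa->tbl == NULL)
        return -1;                      /* would have been the NULL dereference */
    *out = (pa->type == ADDR_TABLE) ? pa->tbl->name : "inline";
    return 0;
}

/* run_setup=0 reproduces the old change-rule path (loop skipped), 1 the fix.
 * Returns 0 if usable, -1 if the lookup would have crashed, -2 if rejected. */
int simulate_change_rule(int run_setup)
{
    struct pool_addr pabuf[2] = { { ADDR_TABLE, "outpool", NULL }, { ADDR_IPV4, NULL, NULL } };
    const char *name = NULL;
    if (run_setup && pool_setup(pabuf, 2) != 0)
        return -2;                      /* reject the rule, as EINVAL would */
    return pool_get(&pabuf[0], &name);
}
```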
From: Marcel Moolenaar
Message-Id: <200509010324.j813OFtf048978@freefall.freebsd.org>
To: petrisimolin@petrisimolin.FreeBSD.ORG, marcel@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: ia64/81284: Unaligned Reference with pf on 5.4/IA64

Synopsis: Unaligned Reference with pf on 5.4/IA64

State-Changed-From-To: patched->closed
State-Changed-By: marcel
State-Changed-When: Thu Sep 1 03:18:08 GMT 2005
State-Changed-Why:
Close. No apparent problems have been encountered and having this PR show up in queries is confusing.

http://www.freebsd.org/cgi/query-pr.cgi?pr=81284

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 1 20:59:20 2005
Message-ID: <43176B92.8050301@os.lv>
Date: Thu, 01 Sep 2005 23:58:58 +0300
From: Casper
To: freebsd-pf@freebsd.org
Subject: FreeBSD 5.4 router with pf nat, bug?

Hi,

I have a 5.4-RELEASE-p6 test router and I wanted to do all routing/fw with pf, to learn more pf...

I have added to the kernel options:

   device pf
   device pflog
   device pfsync
   options ALTQ

Set up jails with 172.22.x.x addresses, and on the local network I have 192.168.x.x addresses... ifconfig: rl0 is the real IP and the jail aliases... rl1 is the internal network...

/etc/pf.conf now looks like:
---------------------------------------------
ext_if="rl0"
int_if="rl1"

set state-policy if-bound
set loginterface $ext_if

scrub reassemble tcp fragment reassemble

nat on $ext_if from 172.1.1.1/8 to any -> ($ext_if)
nat on $ext_if from 192.168.1.1/8 to any -> $ext_if
rdr on $ext_if proto tcp from any to 159.148.155.14 port 8080 -> 172.22.1.2 port www

antispoof log quick for $ext_if inet
antispoof log quick for $int_if inet

block in log quick on $ext_if inet from any to ! ($ext_if)

pass quick on lo0 all
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh flags S/SA synproxy state
-----------------------------------------------------------------------

The problem is when I make a connection from a jail or the internal network, any connection (http, ping, etc.): the first packet goes through and gets a reply, the second does not...
like:

# traceroute www.ass.lv
traceroute to www.ass.lv (195.13.160.54), 64 hops max, 40 byte packets
 1  my_router (my_router)  0.166 ms  0.143 ms  0.130 ms
 2  * next_router (next_router)  1.274 ms *
 3  titan-v12-gw.latnet.lv (159.148.13.150)  1.970 ms * 1.992 ms
 4  * 80.232.230.89 (80.232.230.89)  2.205 ms *

From my_router all is working ok:

 1  next_router (next_router)  1.331 ms  0.962 ms  1.037 ms
 2  titan-v12-gw.latnet.lv (159.148.13.150)  1.287 ms  0.757 ms  1.660 ms
 3  80.232.230.89 (80.232.230.89)  1.218 ms  2.233 ms  1.352 ms

So only nat'ed packets get lost, every second one... with tcpdump and pf logging, everything shows that nothing is blocking them...

Any idea what is going on, or how to test where the problem is?

tnx,
K.

From owner-freebsd-pf@FreeBSD.ORG Sat Sep 3 00:41:20 2005
Message-ID: <451cb30105090217415694810d@mail.gmail.com>
Date: Sat, 3 Sep 2005 03:41:18 +0300
From: McLone
To: Odhiambo Washington, freebsd-pf@freebsd.org
In-Reply-To: <20050822101004.GL71208@ns2.wananchi.com>
References: <43097666.8020207@alvorlig.dk> <20050822101004.GL71208@ns2.wananchi.com>
Subject: Re: OT - ugrade from 5.4 to 6.0-BETA

On 8/22/05, Odhiambo Washington wrote:
> I'd like to do this without reinstalling. Just changing the
> RELENG_TAG

Works here, except that I saw re-buildworld brokenness on the 2nd stage of the RELENG_5 -> 6.0-BETA1 -> 6.0-BETA3 sequence, while using NO_NIS in /etc/make.conf. It can be /dev/hands b0rkage too.

As for PF+ALTQ - works ok, even under DDoS. No panics.

-- 
wbr, dog bless ya!
McLone
net- and *BSD admin