From owner-freebsd-pf@FreeBSD.ORG Sun Oct 9 01:10:22 2005
From: Max Laier
Reply-To: Max Laier
To: freebsd-pf@FreeBSD.org
Date: Sun, 9 Oct 2005 01:10:21 GMT
Message-Id: <200510090110.j991ALB0063134@freefall.freebsd.org>
Subject: Re: kern/86752: pf does not use default timeouts when reloading config file

The following reply was made to PR kern/86752; it has been noted by GNATS.
From: Max Laier
To: bug-followup@freebsd.org, vlada@devnull.cz
Subject: Re: kern/86752: pf does not use default timeouts when reloading config file
Date: Sun, 9 Oct 2005 03:07:30 +0200

This problem has been addressed in OpenBSD by the following commit in a clean fashion:

http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/pfctl/pfctl.c#rev1.231

I will look at bringing this back into RELENG_6 after importing OpenBSD 3.8 to HEAD. Meanwhile, as this is not a critical problem, I'd like to avoid creating large diffs against the vendor branch.

Thanks for the report.

-- 
Max

From owner-freebsd-pf@FreeBSD.ORG Sun Oct 9 01:12:49 2005
Date: Sun, 9 Oct 2005 01:12:48 GMT
From: Max Laier
Message-Id: <200510090112.j991Cmvp063302@freefall.freebsd.org>
To: vlada@devnull.cz, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/86752: pf does not use default timeouts when reloading config file

Synopsis: pf does not use default timeouts when reloading config file

State-Changed-From-To: open->analyzed
State-Changed-By: mlaier
State-Changed-When: Sun Oct 9 01:11:24 GMT 2005
State-Changed-Why:
Import OpenBSD's solution later.

Responsible-Changed-From-To: freebsd-pf->mlaier
Responsible-Changed-By: mlaier
Responsible-Changed-When: Sun Oct 9 01:11:24 GMT 2005
Responsible-Changed-Why:
Over to my TODO stack.

http://www.freebsd.org/cgi/query-pr.cgi?pr=86752

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 10 11:01:59 2005
Date: Mon, 10 Oct 2005 11:01:57 GMT
Message-Id: <200510101101.j9AB1vt8051361@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2005/06/15]  kern/82271  pf     [pf] cbq scheduler cause bad latency
o [2005/09/13]  i386/86072  pf     Packet Filter rule not working properly (

2 problems total.

Non-critical problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2005/05/15]  conf/81042  pf     [patch] /etc/pf.os doesn't match FreeBSD

1 problem total.

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 11 08:12:09 2005
Date: Tue, 11 Oct 2005 12:12:05 +0400
From: Artemiev Igor
To: freebsd-pf@freebsd.org
Message-Id: <20051011121205.4dfa7cf2.ai@bmc.brk.ru>
Subject: NAT states

nat pass from to any -> ($extif:0)
block in log all
pass on $lanif from $lanif:network to $lanif:network allow-opts
pass out on $extif from $extif to any keep state allow-opts

When viewing states, no NAT state is ever evaluated. The construction above is not working: no packet is matched to the state created by the translation rule. Am I missing something, or is this some kind of error?

-- 
iprefetch ai

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 11 10:38:09 2005
Message-ID: <001501c5ce4f$0fe373f0$0900a8c0@satellite>
From: "Dave"
To: freebsd-pf@freebsd.org
Date: Tue, 11 Oct 2005 06:32:20 -0400
Subject: does pf in 5.4 support anchors?

Hi,
Does the version of pf included with FreeBSD 5.4 support anchors? I want to use nat-anchor and maybe a filter anchor as well.
Thanks.
Dave.

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 11 11:54:26 2005
Date: Tue, 11 Oct 2005 15:54:21 +0400
From: Artemiev Igor
To: "Travis H."
Cc: freebsd-pf@freebsd.org
Message-Id: <20051011155421.4e3b69cb.ai@bmc.brk.ru>
References: <20051011121205.4dfa7cf2.ai@bmc.brk.ru>
Subject: Re: NAT states

On Tue, 11 Oct 2005 05:37:48 -0500 "Travis H." wrote:

> Oh, also another thing; do you initialize table somewhere?
> If it is empty, nothing will match NAT rule.

The NAT state didn't match; I see it by pfctl -vs state, and the packet is dropped. Consequently, NAT is not working without an explicit rule for incoming traffic lan->internet on $lanif, and incoming internet->lan on $extif, in spite of the created state and the "pass" existing in the nat rule. Why is that so?
-- 
iprefetch ai

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 11 19:32:59 2005
Message-ID: <434C1376.4020605@dequim.ist.utl.pt>
Date: Tue, 11 Oct 2005 15:33:10 -0400
From: Bruno Afonso
To: Dave
Cc: freebsd-pf@freebsd.org
References: <001501c5ce4f$0fe373f0$0900a8c0@satellite>
In-Reply-To: <001501c5ce4f$0fe373f0$0900a8c0@satellite>
Subject: Re: does pf in 5.4 support anchors?

Have you tried man pf.conf?

BA

Dave wrote:
> Hi,
> Does the version of pf included with freebsd 5.4 support anchors? I want
> to use nat-anchor and maybe a filter anchor as well.
> Thanks.
> Dave.
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

-- 
Bruno Afonso, Biological Engineer
Dana-Farber Cancer Institute
1 Jimmy Fund Way
Smith Building
Boston, MA 02115
GABBA Graduate Student (http://gabba.up.pt)
Homepage @ http://brunoafonso.net/

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 12 16:03:02 2005
Message-ID: <000301c5cf45$9ccd4b00$0900a8c0@satellite>
From: "Dave"
To: freebsd-pf@freebsd.org
Date: Wed, 12 Oct 2005 11:57:13 -0400
Subject: altq on more than one interface?

Hello,
I've got a mostly working firewall that filters traffic based on interface, allowing only selected items in or out. I'd like now to add altq to this, but am uncertain as to which interface to set up queueing on: the internal, which connects to my 100 Mbps switch, or the external, which goes to my cable modem, or both? If I use both, I'm thinking of using cbq and am uncertain how to move traffic from the internal interface's queue for ssh to the external interface's queue for ssh, and so on. Any tips?
Thanks.
Dave.
From owner-freebsd-pf@FreeBSD.ORG Wed Oct 12 18:00:33 2005
Date: Wed, 12 Oct 2005 19:59:37 +0200
From: Daniel Hartmeier
To: Artemiev Igor
Cc: freebsd-pf@freebsd.org
Message-ID: <20051012175937.GA2605@insomnia.benzedrine.cx>
References: <20051011121205.4dfa7cf2.ai@bmc.brk.ru> <20051011155421.4e3b69cb.ai@bmc.brk.ru>
In-Reply-To: <20051011155421.4e3b69cb.ai@bmc.brk.ru>
Subject: Re: NAT states

On Tue, Oct 11, 2005 at 03:54:21PM +0400, Artemiev Igor wrote:

> On Tue, 11 Oct 2005 05:37:48 -0500
> "Travis H." wrote:
> > Oh, also another thing; do you initialize table somewhere?
> > If it is empty, nothing will match NAT rule.
> NAT state didn't match, I see it by pfctl -vs state and packet dropped.
> Consequently, nat is not working without an explicit rule for incoming
> traffic lan->internet on $lanif, and incoming internet->lan on $extif,
> in spite of created state and "pass" existing in nat rule. Why is that
> so?

Because a state entry does not allow a packet to pass _through_ the firewall, but only to pass on one interface (the interface the state was created on), in general.

Imagine a case where you have three interfaces. You want to allow a particular connection to pass only between two of those interfaces, but never through the third. If a state entry would be a free ticket through the entire firewall, you wouldn't be able to enforce this.

Create state on both interfaces, you'll end up with two states per connection, and it'll work.
Daniel

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 12 21:12:28 2005
Message-ID: <416C4935.304@unixware.ro>
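Daniel's point from the NAT states thread in ruleset form, as an added example that is not part of the original thread (the interface names, the LAN network and the protocol list are assumptions): every interface the connection crosses gets its own state-creating rule, so a single LAN connection shows up twice in pfctl -vs state, once per interface, and a packet is only passed on an interface whose own rule or state covers it.

```pf
# Added example, not from the thread.  Macros are assumptions.
ext_if  = "fxp0"
int_if  = "fxp1"
lan_net = "192.168.1.0/24"

nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny in both directions, so that each interface the packet
# crosses has to match a rule or a state of its own.
block log all

# State 1: created when the packet enters on the LAN interface.  It lets
# the connection pass on $int_if only.
pass in on $int_if proto { tcp, udp, icmp } from $lan_net to any keep state

# State 2: created when the (already translated) packet leaves on $ext_if.
# Without this rule the packet is dropped here: the $int_if state does not
# cover $ext_if, and the nat rule alone does not pass it.
pass out on $ext_if proto { tcp, udp, icmp } from ($ext_if) to any keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading, then open one connection from the LAN and look at pfctl -vs state: two entries for it, one per interface. The restriction cuts both ways, which is the enforcement Daniel describes: a third interface with no pass rule of its own never forwards the connection, even though states for it exist on the other two.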
From: ovidiue
To: freebsd-pf@freebsd.org
Date: Wed, 12 Oct 2005 21:12:28 -0000
X-Original-Date: Wed, 13 Oct 2004 00:14:29 +0300
Subject: ALTQ support for MPD (ng_iface patch?) (pf+altq+mpd)

Hello

Does anybody know of a patch for netgraph to use ALTQ support in pf with mpd? (I am using 5.4 version)

Best Regards,
Ovidiu Ene

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 12 21:25:35 2005
Message-ID: <434D7F32.5090105@gmail.com>
Date: Wed, 12 Oct 2005 23:25:06 +0200
From: Szukács István
To: freebsd-pf@freebsd.org
References: <416C4935.304@unixware.ro>
In-Reply-To: <416C4935.304@unixware.ro>
Subject: Re: ALTQ support for MPD (ng_iface patch?) (pf+altq+mpd)

you live in the past? 2004.10.12 ;>

ovidiue wrote:
> Hello
>
> Does anybody know of a patch for netgraph to use ALTQ support in pf
> with mpd ?
> (I am using 5.4 version)
>
> Best Regards,
> Ovidiu Ene

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 12 23:43:57 2005
Date: Wed, 12 Oct 2005 18:43:56 -0500
From: Ryan Rempel To: ovidiue In-Reply-To: <416C4935.304@unixware.ro> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_Part_15506_11390085.1129160636029" References: <416C4935.304@unixware.ro> Cc: freebsd-pf@freebsd.org Subject: Re: ALTQ support for MPD (ng_iface patch?) (pf+altq+mpd) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Oct 2005 23:43:57 -0000 ------=_Part_15506_11390085.1129160636029 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On 10/12/04, ovidiue wrote: > Does anybody know of a patch for netgraph to use ALTQ suppport in pf > with mpd ? > (I am using 5.4 version) I have attached a patch which was created by Daniel O'Connor -- I just modified it slightly to make it apply cleanly to 5.4, and to remove a logging statement. I've tested it a fair bit on 5.4, and it seems to work very well indeed, but YMMV. ------=_Part_15506_11390085.1129160636029 Content-Type: application/octet-stream; name=netgraph-altq.diff Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="netgraph-altq.diff" Index: sys/netgraph/ng_iface.c =================================================================== RCS file: /usr/CVS-Repository/src/sys/netgraph/ng_iface.c,v retrieving revision 1.44 diff -u -p -r1.44 ng_iface.c --- sys/netgraph/ng_iface.c 9 Aug 2005 10:19:59 -0000 1.44 +++ sys/netgraph/ng_iface.c 29 Aug 2005 06:05:19 -0000 @@ -107,6 +107,14 @@ }; #define NUM_FAMILIES (sizeof(gFamilies) / sizeof(*gFamilies)) +#define NGM_MTAG_ID_IFFAM 29 + +/* Tag for mbufs to tell ng_iface_start where to send them */ +struct iffamtag { + struct m_tag tag; + iffam_p iffam_p; +}; + /* Node private data */ struct ng_iface_private { struct ifnet *ifp; /* Our interface */ 
@@ -118,6 +126,7 @@ /* Interface methods */ static void ng_iface_start(struct ifnet *ifp); +static void ng_iface_start2(node_p node, hook_p hook, void *arg1, int arg2); static int ng_iface_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data); static int ng_iface_output(struct ifnet *ifp, struct mbuf *m0, struct sockaddr *dst, struct rtentry *rt0); @@ -351,10 +360,10 @@ ng_iface_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst, struct rtentry *rt0) { - const priv_p priv = (priv_p) ifp->if_softc; const iffam_p iffam = get_iffam_from_af(dst->sa_family); - int len, error = 0; + int error = 0; - + struct iffamtag *mtag; + /* Check interface flags */ if ((ifp->if_flags & (IFF_UP|IFF_RUNNING)) != (IFF_UP|IFF_RUNNING)) { m_freem(m); 
@@ -380,28 +389,71 @@ return (EAFNOSUPPORT); } - /* Copy length before the mbuf gets invalidated */ - len = m->m_pkthdr.len; + /* Tag mbuf with hook information */ + /* XXX: kind of dumb that the alloc routine adds the size of + * struct mtag adds to our length, this make it hard to + * allocate the correct size.. */ + mtag = (struct iffamtag *)m_tag_alloc(NGM_MTAG_ID_IFFAM, NGM_MTAG_ID_IFFAM, + sizeof(struct iffamtag) - sizeof(struct m_tag), M_NOWAIT); + if (mtag == NULL) + return (ENOBUFS); + mtag->iffam_p = iffam; + m_tag_prepend(m, (struct m_tag *)mtag); + + IFQ_HANDOFF(ifp, m, error); + + return (error); - /* Send packet; if hook is not connected, mbuf will get freed. */ - NG_SEND_DATA_ONLY(error, *get_hook_from_iffam(priv, iffam), m); - /* Update stats */ - if (error == 0) { - ifp->if_obytes += len; - ifp->if_opackets++; - } - return (error); } /* - * This routine should never be called + * Called to move queued packets off the interface. + * + * We wait for netgraph to call us back when we can really move the + * data */ - static void ng_iface_start(struct ifnet *ifp) { - if_printf(ifp, "%s called?", __func__); + const priv_p priv = (priv_p)ifp->if_softc; + + ng_send_fn(priv->node, NULL, &ng_iface_start2, ifp, 0); +} + +static void +ng_iface_start2(node_p node, hook_p hook, void *arg1, int arg2) +{ + struct ifnet *ifp = arg1; + const priv_p priv = (priv_p) ifp->if_softc; + struct iffamtag *mtag; + struct mbuf *m; + int error = 0, len; + + // if_printf(ifp, "%s called\n", __func__); + while (1) { + IFQ_DRV_DEQUEUE(&ifp->if_snd, m); + if (m == NULL) + break; + + mtag = (struct iffamtag *)m_tag_locate(m, NGM_MTAG_ID_IFFAM, NGM_MTAG_ID_IFFAM, NULL); + if (mtag == NULL) { /* mbuf with no tag? shouldn't be possible */ + if_printf(ifp, "mbuf found without a tag, discarding\n"); + m_freem(m); /* XXX: does this free tags too? 
*/ + } + + /* Copy length before the mbuf gets invalidated */ + len = m->m_pkthdr.len; + + /* Send packet; if hook is not connected, mbuf will get freed. */ + NG_SEND_DATA_ONLY(error, *get_hook_from_iffam(priv, mtag->iffam_p), m); + + /* Update stats */ + if (error == 0) { + ifp->if_obytes += len; + ifp->if_opackets++; + } + } } /* @@ -493,13 +545,15 @@ ifp->if_start = ng_iface_start; ifp->if_ioctl = ng_iface_ioctl; ifp->if_watchdog = NULL; - ifp->if_snd.ifq_maxlen = IFQ_MAXLEN; ifp->if_mtu = NG_IFACE_MTU_DEFAULT; ifp->if_flags = (IFF_SIMPLEX|IFF_POINTOPOINT|IFF_NOARP|IFF_MULTICAST); ifp->if_type = IFT_PROPVIRTUAL; /* XXX */ ifp->if_addrlen = 0; /* XXX */ ifp->if_hdrlen = 0; /* XXX */ ifp->if_baudrate = 64000; /* XXX */ TAILQ_INIT(&ifp->if_addrhead); + IFQ_SET_MAXLEN(&ifp->if_snd, IFQ_MAXLEN); + ifp->if_snd.ifq_drv_maxlen = IFQ_MAXLEN; + IFQ_SET_READY(&ifp->if_snd); /* Give this node the same name as the interface (if possible) */ if (ng_name_node(node, ifp->if_xname) != 0) ------=_Part_15506_11390085.1129160636029-- From owner-freebsd-pf@FreeBSD.ORG Thu Oct 13 04:33:49 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5458216A41F for ; Thu, 13 Oct 2005 04:33:49 +0000 (GMT) (envelope-from ai@bmc.brk.ru) Received: from stalker.bmc.brk.ru (stalker.bmc.brk.ru [217.150.59.166]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9176F43D62 for ; Thu, 13 Oct 2005 04:33:47 +0000 (GMT) (envelope-from ai@bmc.brk.ru) Date: Thu, 13 Oct 2005 08:33:43 +0400 
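Review bot: in the first hunk (@@ -107,6 +107,14 @@) the new `#define NGM_MTAG_ID_IFFAM 29` is later passed as both the cookie and the type to m_tag_alloc() and m_tag_locate(), and a small literal like 29 is not a unique cookie: mbuf tags are matched on (cookie, type), so any other subsystem that tags the same mbuf with cookie 29 and type 29 would have its tag read back as an iffam pointer in ng_iface_start2. Use a cookie that is already unique to this node (NGM_IFACE_COOKIE from ng_iface.h is the obvious candidate) and keep the small number only as the tag type. The struct comment should also say that the tag is private to ng_iface.c and consumed in ng_iface_start2, and the `sizeof(struct iffamtag) - sizeof(struct m_tag)` length argument deserves a one-line explanation (m_tag_alloc's len is the payload after the m_tag header) instead of the `XXX: kind of dumb` remark in the later hunk.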
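Review bot: two error paths in the large hunk (@@ -380,28 +389,71 @@) lose or reuse the mbuf. In ng_iface_output, `if (mtag == NULL) return (ENOBUFS);` returns without freeing `m`, while every other early return in this function frees the packet (see the `m_freem(m)` before `return (EAFNOSUPPORT)` in the surrounding context), so an allocation failure leaks the mbuf; add `m_freem(m);` before the return. In ng_iface_start2, the `mtag == NULL` branch prints and calls `m_freem(m)` but does not `continue`, so the loop falls through to `len = m->m_pkthdr.len` on the freed mbuf and then dereferences `mtag->iffam_p` with `mtag` NULL; add `continue;` after the m_freem(). On the question in that `XXX` comment: m_freem() on a packet-header mbuf deletes the tag chain along with the mbuf, so nothing extra is needed there. The tag is also still attached when the mbuf goes out through NG_SEND_DATA_ONLY, so it travels to the peer node; calling m_tag_delete(m, &mtag->tag) once the hook has been chosen keeps this private tag from escaping ng_iface. Finally, ng_iface_start ignores the return value of ng_send_fn(); if that call fails, the packets stay in if_snd with nothing scheduled to drain them, so at least count or log the failure rather than dropping it silently.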
From: Artemiev Igor
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Message-Id: <20051013083343.0c8dbb2d.ai@bmc.brk.ru>
In-Reply-To: <20051012175937.GA2605@insomnia.benzedrine.cx>
References: <20051011121205.4dfa7cf2.ai@bmc.brk.ru> <20051011155421.4e3b69cb.ai@bmc.brk.ru> <20051012175937.GA2605@insomnia.benzedrine.cx>
Subject: Re: NAT states

On Wed, 12 Oct 2005 19:59:37 +0200 Daniel Hartmeier wrote:

> Because a state entry does not allow a packet to pass _through_ the
> firewall, but only to pass on one interface (the interface the state
> was created on), in general.

By default, if an interface is not specified, state operates on any interface. The state was created on "self", aka any local interface, but didn't match passing packets. I tried to set "set state-policy floating" explicitly, but to no effect.
-- 
iprefetch ai

From owner-freebsd-pf@FreeBSD.ORG Thu Oct 13 06:39:11 2005
Date: Thu, 13 Oct 2005 00:38:58 -0600
From: Tyler To: freebsd-pf@freebsd.org Message-id: <1129185539.14560.25.camel@Ubuntu.tylercentral.com> MIME-version: 1.0 X-Mailer: Evolution 2.4.1 Content-type: text/plain Content-transfer-encoding: 7bit Subject: Per Protocol Traffic Accounting X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Oct 2005 06:39:12 -0000

Hi All,

I'm trying to count both in and out traffic on a per-protocol basis, with the ultimate goal of MRTG'ing and recording the amount of traffic in and out of the server for each service. So far, my Googling and mailing list archive searches have not produced a solution.

What happens is the "pass in" line increments, but the "pass out" does not. Probably because I'm keeping state on the inbound connections, so it thinks that entire flow is on that one rule? Can that be changed?

My network is fairly simple. One /24 of 192.168.0.x IPs behind my firewall/server. Running typical HTTP, POP3, DNS, etc. services on the firewall/server for both external and internal clients. The firewall/server does the NAT and has 2 NICs. I would only need to count traffic on the external interface. So if a machine behind the firewall surfs the web, it would count all HTTP packets in and out of the external interface, regardless of where the source is.

Here's what I've got so far.

# uname -a
FreeBSD domain.com 5.4-STABLE FreeBSD 5.4-STABLE #3: Sat Oct 1 18:14:26 MDT 2005 root@domain.com:/usr/obj/usr/src/sys/CUSTOM i386

RuleSet: I do plan on setting up ALTQ and source state limitations, but it's not important now. So if the code that's in there is messing things up, it can be removed.

=================================================================================
# Interfaces
int_if = "dc0"    <--- 192.168.0.1 / 24
ext_if = "de0"    <--- Dynamic IP from ISP.

# Services
tcp_ftp = "{ 20, 21 }"
tcp_ssh = "22"
tcp_smtp = "25"
tcp_dns = "53"
tcp_http = "80"
tcp_pop3 = "110"
tcp_https = "443"
tcp_vnc = "{ 5801, 5802 }"
tcp_bittorrent = "6800:7000"
udp_dns = "53"

# Internal Subnet
internal_net="192.168.0.0/23"    <-- Might want another /24 someday.

# Non Routable IP Addresses
table persist file "/etc/bogons.txt"
# NOTE: bogons.txt contains a list of non-routable IPs from ARIN.
# One network/mask per line. Mask is in slash notation.

# Options: tune the behavior of pf.    <--- I pulled these off the net.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 6000, adaptive.end 12000 }
set limit { states 12000, frags 5000 }

# Logs stats on the external interface.
set loginterface de0

# More default values.
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
set debug urgent

# Normalization: reassemble fragments.
scrub on de0 all reassemble tcp
scrub in on de0 all fragment reassemble

# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing bandwidth 15%

# Network Address Translation with FTP Fix
nat on $ext_if from $internal_net to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# Filtering: Last Matching Rule Wins. So the defaults are at the top.
block in log all label "Blocked"

# Allow all internal traffic out.
pass in on $int_if from $internal_net to any keep state label "Int In"
pass out on $int_if from any to $internal_net keep state label "Int Out"

# Allow all traffic from the box out and keep the state.
pass out proto { tcp, udp, icmp } from any to any keep state label "Catch All Out $proto"

# Don't firewall the loopback interface.
pass quick on lo0

# Block non-routable IPs on the external interface
block in log quick on $ext_if from to any label "Bogons In"
block out log quick on $ext_if from any to label "Bogons Out"

# NOTE: These are the 2 setups I've tried.
# Tried FTP without in/out specification.
# Tried SSH with in/out specification.
# I also tried without keeping state, but that didn't work either.

# FTP
pass proto tcp to any port $tcp_ftp flags S/SA keep state (max 32000, source-track rule, max-src-nodes 75, max-src-states 6) label "FTP In"
pass proto tcp from any port $tcp_ftp keep state label "FTP Out"

# SSH
pass in proto tcp to any port $tcp_ssh modulate state (max 32000, source-track rule, max-src-nodes 75, max-src-states 6) label "SSH In"
pass out proto tcp from any to any port $tcp_ssh keep state label "SSH Out"

<... Continues on with the other protocols defined at the top ...>

# Make the box pingable.
icmp_types = "echoreq"
pass in quick inet proto icmp all icmp-type $icmp_types keep state label "ICMP In"
pass out quick inet proto icmp all icmp-type $icmp_types keep state label "ICMP Out"
===========================================================================

Any help is surely appreciated. I remember IPF having a "count" command, which didn't actually filter traffic like the "pass/block" commands, but just counted traffic. I guess PF doesn't have that. I'd prefer not to use an external program to count traffic. I'm hoping there's some way PF can automagically do this.

Thanks in Advance.
Tyler

Here's a snippet of "pfctl -sl"

# So, no FTP traffic, which is correct.
FTP In         10139       0          0
FTP In          6687       0          0
FTP Out         6687       0          0
FTP Out         6687       0          0

# I've been SSH'd from my internal machine to the firewall all night.
# Considering I didn't tell PF what interface to pass out on, I thought SSH Out would increment.
SSH In          6687    1859     241590
SSH Out         1030       0          0

# Being on an ISP's dynamic IP block, I don't send mail via the firewall,
# but I'd think there would be more than 28 packets out.
SMTP In         6687    1078     301740
SMTP Out        1018      28       6407

# Didn't do any zone transfers tonight.
DNS-TCP In      6651       0          0
DNS-TCP Out     1017       0          0

# This is definitely not right.
HTTP In         6651   23611   19562724
HTTP Out        6651       0          0

Thanks Again,
Tyler

From owner-freebsd-pf@FreeBSD.ORG Thu Oct 13 09:34:52 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6B9A516A41F for ; Thu, 13 Oct 2005 09:34:52 +0000 (GMT) (envelope-from peceka@gmail.com) Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.203]) by mx1.FreeBSD.org (Postfix) with ESMTP id D906743D48 for ; Thu, 13 Oct 2005 09:34:51 +0000 (GMT) (envelope-from peceka@gmail.com) Received: by wproxy.gmail.com with SMTP id i6so141628wra for ; Thu, 13 Oct 2005 02:34:51 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:date:from:x-mailer:reply-to:x-priority:message-id:to:subject:mime-version:content-type:content-transfer-encoding; b=IjpyUVgO4r0cAfEvYqhWuy1x7Sz5mC4L/2sD7zny5f7k3zDaP8VWZm3ElSuC5d2TrBD1BAbnateZj3OhWnheKhAwpPAXQloncDbfF6J1rqPaTrkPy+9DGN4zTm4feachzH1mRabq/zUt1/t9OjwrHEd1IezdLJo0qgXuUevz7kQ= Received: by 10.54.136.11 with SMTP id j11mr536617wrd; Thu, 13 Oct 2005 02:34:51 -0700 (PDT) Received: from OP8 ( [217.153.93.59]) by mx.gmail.com with ESMTP id 11sm946184wrl.2005.10.13.02.34.50; Thu, 13 Oct 2005 02:34:51 -0700 (PDT) Date: Thu, 13 Oct 2005 11:34:47 +0200
From: peceka X-Mailer: The Bat! Professional (v3.0.2.10) X-Priority: 3 (Normal) Message-ID: <898712203.20051013113447@gmail.com> To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: problem with route-to on fbsd 5.4 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: peceka List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Oct 2005 09:34:52 -0000

Hi,

I've got a problem with a route-to rule on fbsd 5.4. Every time I run pfctl -f /etc/pf.conf and wait 30 seconds, my machine hangs. Even the keyboard doesn't work.

I've seen on http://pf4freebsd.love2party.net/problems.html that there was an error with route-to and it was fixed. So how can I update pf on my fbsd 5.4 box? I don't want to have -CURRENT on a router and I can't install openbsd there.

Best regards,
p.
From owner-freebsd-pf@FreeBSD.ORG Thu Oct 13 12:45:54 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 84D6B16A422 for ; Thu, 13 Oct 2005 12:45:54 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 45D3743D46 for ; Thu, 13 Oct 2005 12:45:52 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1]) by insomnia.benzedrine.cx (8.13.4/8.12.11) with ESMTP id j9DCj6U7018838 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Thu, 13 Oct 2005 14:45:06 +0200 (MEST) Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.13.4/8.12.10/Submit) id j9DCj4pi028175; Thu, 13 Oct 2005 14:45:04 +0200 (MEST) Date: Thu, 13 Oct 2005 14:45:04 +0200 
From: Daniel Hartmeier To: Artemiev Igor Message-ID: <20051013124504.GE2605@insomnia.benzedrine.cx> References: <20051011121205.4dfa7cf2.ai@bmc.brk.ru> <20051011155421.4e3b69cb.ai@bmc.brk.ru> <20051012175937.GA2605@insomnia.benzedrine.cx> <20051013083343.0c8dbb2d.ai@bmc.brk.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20051013083343.0c8dbb2d.ai@bmc.brk.ru> User-Agent: Mutt/1.5.10i Cc: freebsd-pf@freebsd.org Subject: Re: NAT states X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Oct 2005 12:45:54 -0000

On Thu, Oct 13, 2005 at 08:33:43AM +0400, Artemiev Igor wrote:

> By default, if an interface is not specified, state operates on any
> interface. State was created on "self" aka any local interface,
> but didn't match passing packets.
> I tried to set "set state-policy floating" explicitly, but to no effect.

That does not apply when the state involves address/port translation.

In your case, the incoming replies from the external peer match the state entry on the external interface. Right then, the translation is reversed. Then (afterwards), the packet passes back through the stack and then gets filtered again on the internal interface. There, it does NOT match the same state, because the (re-translated) address does not match.

Example:

  nat pass from to any -> ($extif:0)
  block in log all
  pass on $lanif from $lanif:network to $lanif:network allow-opts
  pass out on $extif from $extif to any keep state allow-opts

LAN host 10.1.2.3 (source port 65000) connects to external host 62.65.145.30 (destination port 80). The TCP SYN looks like this:

  src                dst
  10.1.2.3:65000  -> 62.65.145.30:80

It passes in on $lanif statelessly (not creating state), last matching your first pass rule.

It then passes out on $extif, last matching your second pass rule, creating a translating state:

  lan               gwy                  ext
  10.1.2.3:65000    24.25.26.27:20000    62.65.145.30:80

where 24.25.26.27 is your $extif address and 20000 is a random proxy port.

Then, the peer's reply SYN-ACK arrives in on $extif, it looks like this:

  src                dst
  62.65.145.30:80 -> 24.25.26.27:20000

Incoming packets cause a state lookup with

  src = ext AND dst = gwy    (replacing dst with lan, if different)

which matches your state entry above. So the packet is passed according to this state entry. Since lan != gwy, the destination address is replaced, i.e. dst := lan. The packet now looks like this:

  src                dst
  62.65.145.30:80 -> 10.1.2.3:65000

It is now filtered outgoing on $lanif. Outgoing packets cause a state lookup with

  src = lan AND dst = ext    (replacing src with gwy, if different)

This does not match your state entry, both conditions are false. The ruleset is evaluated. The last matching rule is 'block in log all'. Packet dropped. Handshake fails.

So, even a floating state does not allow packets related to a connection to pass through all interfaces in arbitrary directions. And translation is applied whenever a packet does match a state. It's unlikely that the same packet, after translation, will match the same state on another interface again.
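The walk-through above, rendered as a small executable model. This is an added example, not code from Daniel's message, from the thread, or from pf itself: it implements only the two lookup rules he states (incoming: src == ext and dst == gwy; outgoing: src == lan and dst == ext), applies the translation on a match, and otherwise falls back to last-matching-rule evaluation. The state table deliberately ignores interfaces, i.e. every state is "floating", to show that this alone does not rescue the handshake. Addresses and ports come from his example; the fixed proxy port 20000, the interface names "lanif"/"extif", the LAN prefix 10.1.2.0/24 and both rulesets (a simplified "broken" one, and the same plus a pass-out rule on the LAN side) are assumptions made for the model.

```python
"""Toy model of pf state lookup under NAT (added example, not pf code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    addr: str
    port: int

    def __str__(self) -> str:
        return f"{self.addr}:{self.port}"


@dataclass(frozen=True)
class State:
    lan: Endpoint   # original source (LAN host)
    gwy: Endpoint   # translated source (gateway address + proxy port)
    ext: Endpoint   # external peer


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str]         # "in", "out" or None (any)
    iface: Optional[str]             # interface name or None (any)
    match: Callable[[Packet], bool]
    keep_state: bool = False
    nat_to: Optional[str] = None     # assumed: NAT the source to this address


LAN_NET = ip_network("10.1.2.0/24")  # assumed LAN prefix containing 10.1.2.3
EXT_ADDR = "24.25.26.27"             # $extif address in the example above
PROXY_PORT = 20000                   # the "random proxy port", fixed here


class Firewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.states: List[State] = []  # no interface binding: all "floating"

    def lookup(self, direction: str, pkt: Packet) -> Optional[State]:
        for st in self.states:
            if direction == "in" and pkt.src == st.ext and pkt.dst == st.gwy:
                return st
            if direction == "out" and pkt.src == st.lan and pkt.dst == st.ext:
                return st
        return None

    def filter(self, direction: str, iface: str, pkt: Packet) -> Tuple[str, Packet]:
        """Return (verdict, packet as it leaves pf, i.e. after translation)."""
        st = self.lookup(direction, pkt)
        if st is not None:
            if direction == "in" and st.lan != st.gwy:
                pkt = Packet(pkt.src, st.lan)   # reverse NAT: dst := lan
            if direction == "out" and st.lan != st.gwy:
                pkt = Packet(st.gwy, pkt.dst)   # forward NAT: src := gwy
            return "pass(state)", pkt
        last = None                             # last matching rule wins
        for r in self.rules:
            if r.direction in (None, direction) and r.iface in (None, iface) \
                    and r.match(pkt):
                last = r
        if last is None:
            return "pass(default)", pkt         # pf passes if nothing matches
        if last.action == "block":
            return "block", pkt
        if last.keep_state:
            gwy = Endpoint(last.nat_to, PROXY_PORT) if last.nat_to else pkt.src
            self.states.append(State(lan=pkt.src, gwy=gwy, ext=pkt.dst))
            pkt = Packet(gwy, pkt.dst)
        return "pass(rule)", pkt


def from_lan(p: Packet) -> bool:
    return ip_address(p.src.addr) in LAN_NET


def to_lan(p: Packet) -> bool:
    return ip_address(p.dst.addr) in LAN_NET


def broken_ruleset() -> List[Rule]:
    """Assumed simplification: default block, stateless pass on the LAN
    side, stateful NAT pass out on the external side."""
    return [
        Rule("block", None, None, lambda p: True),
        Rule("pass", None, "lanif", from_lan),
        Rule("pass", "out", "extif", lambda p: True, keep_state=True, nat_to=EXT_ADDR),
    ]


def fixed_ruleset() -> List[Rule]:
    """Same, plus a rule letting re-translated replies out on the LAN side."""
    return broken_ruleset() + [Rule("pass", "out", "lanif", to_lan)]


def handshake(rules: List[Rule]) -> List[Tuple[str, str, str, str]]:
    """Walk the SYN and its SYN-ACK through all four filter points.
    Returns (hop, verdict, src, dst) per hop, src/dst after translation."""
    fw = Firewall(rules)
    trace = []
    pkt = Packet(Endpoint("10.1.2.3", 65000), Endpoint("62.65.145.30", 80))
    for hop in (("in", "lanif"), ("out", "extif")):
        verdict, pkt = fw.filter(*hop, pkt)
        trace.append((" ".join(hop), verdict, str(pkt.src), str(pkt.dst)))
    pkt = Packet(pkt.dst, pkt.src)  # the peer answers the gwy address
    for hop in (("in", "extif"), ("out", "lanif")):
        verdict, pkt = fw.filter(*hop, pkt)
        trace.append((" ".join(hop), verdict, str(pkt.src), str(pkt.dst)))
    return trace


if __name__ == "__main__":
    for name, rules in (("broken", broken_ruleset()), ("fixed", fixed_ruleset())):
        print(name)
        for hop, verdict, src, dst in handshake(rules):
            print(f"  {hop:9} {verdict:13} {src} -> {dst}")
```

With the "broken" ruleset the fourth hop (out on lanif) is blocked exactly as described: the SYN-ACK arrives as 62.65.145.30:80 -> 24.25.26.27:20000, matches the state on the incoming lookup, leaves it as 62.65.145.30:80 -> 10.1.2.3:65000, and the outgoing lookup on the LAN side then has src != lan and dst != ext, so the ruleset decides. The "fixed" variant only adds a pass-out rule on the LAN side for traffic to the LAN prefix, which is the check a practitioner should look for in a ruleset when NAT replies appear to vanish on the inside interface.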
Daniel From owner-freebsd-pf@FreeBSD.ORG Thu Oct 13 17:50:01 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 67DFF16A41F for ; Thu, 13 Oct 2005 17:50:01 +0000 (GMT) (envelope-from KBuff@zetron.com) Received: from zetxch01.zetron.com (zetmail2.zetron.com [216.202.42.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 10E8043D49 for ; Thu, 13 Oct 2005 17:50:00 +0000 (GMT) (envelope-from KBuff@zetron.com) Received: by zetxch01.zetron.com with Internet Mail Service (5.5.2657.72) id ; Thu, 13 Oct 2005 10:49:56 -0700 Message-ID: <054222519C2ED411A68E00508B603AC70A3D0A16@zetxch01.zetron.com> 
From: Kurt Buff To: 'Tyler' , freebsd-pf@freebsd.org Date: Thu, 13 Oct 2005 10:49:46 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2657.72) Content-Type: text/plain Cc: Subject: RE: Per Protocol Traffic Accounting X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Oct 2005 17:50:01 -0000 Tyler wrote: > Hi All, > > I'm trying to count both in and out traffic on a per-protocol basis. > With the ultimate goal of MRTG'ing and recording the amount of traffic > in and out of the server for each service. So far, my Googling, and > mailing list archive searches have not produced a solution. Uh, perhaps ntop, bound to the external NIC? It's a very nice package, and although it doesn't provide 'accounting' as such, it's a very nice tool for understanding who is talking to whom, on what protocol. From owner-freebsd-pf@FreeBSD.ORG Thu Oct 13 22:08:37 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6029816A420 for ; Thu, 13 Oct 2005 22:08:37 +0000 (GMT) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id BD16143D4C for ; Thu, 13 Oct 2005 22:08:36 +0000 (GMT) (envelope-from max@love2party.net) Received: from p54A3EFA2.dip.t-dialin.net [84.163.239.162] (helo=donor.laier.local) by mrelayeu.kundenserver.de with ESMTP (Nemesis), id 0MKwh2-1EQBFY2OIs-0007oO; Fri, 14 Oct 2005 00:08:32 +0200 
From: Max Laier To: freebsd-pf@freebsd.org, peceka Date: Fri, 14 Oct 2005 00:08:16 +0200 User-Agent: KMail/1.8.2 References: <898712203.20051013113447@gmail.com> In-Reply-To: <898712203.20051013113447@gmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1526732.JBMF3eg3jR"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200510140008.29930.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: Subject: Re: problem with route-to on fbsd 5.4 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Oct 2005 22:08:37 -0000

On Thursday 13 October 2005 11:34, peceka wrote:

> i've got problem with route-to rule on fbsd 5.4. all the time when
> i've make pfctl -f /etc/pf.conf and wait 30 seconds my machine hungs
> up. even keyboard doesn't work.
> i've seen on http://pf4freebsd.love2party.net/problems.html that there
> was an error with route-to and it was fixed.
> So how can i update pf in my fbsd 5.4 box? i don't want to have
> -CURRENT on router and i can't install openbsd there.

The problem you are seeing is most likely fixed in RELENG_5. So you should be able to cvsup to RELENG_5 and do a source upgrade. If you don't feel comfortable with tracking RELENG_5 either, you can just get a RELENG_5 version of sys/contrib/pf and reinstall a new kernel.
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sat Oct 15 14:24:35 2005 Return-Path: X-Original-To: freebsd-pf@FreeBSD.org Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3B54D16A41F for ; Sat, 15 Oct 2005 14:24:35 +0000 (GMT) (envelope-from glebius@FreeBSD.org) Received: from cell.sick.ru (cell.sick.ru [217.72.144.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 90F0443D45 for ; Sat, 15 Oct 2005 14:24:34 +0000 (GMT) (envelope-from glebius@FreeBSD.org) Received: from cell.sick.ru (glebius@localhost [127.0.0.1]) by cell.sick.ru (8.13.3/8.13.3) with ESMTP id j9FEOV5U039497 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Sat, 15 Oct 2005 18:24:32 +0400 (MSD) (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by cell.sick.ru (8.13.3/8.13.1/Submit) id j9FEOVXj039496 for freebsd-pf@FreeBSD.org; Sat, 15 Oct 2005 18:24:31 +0400 (MSD) (envelope-from glebius@FreeBSD.org) X-Authentication-Warning: cell.sick.ru: glebius set sender to glebius@FreeBSD.org using -f Date: Sat, 15 Oct 2005 18:24:31 +0400
From: Gleb Smirnoff To: freebsd-pf@FreeBSD.org Message-ID: <20051015142431.GC14542@cell.sick.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline User-Agent: Mutt/1.5.6i Cc: Subject: ALTQ and PPP access concentrator X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 15 Oct 2005 14:24:35 -0000

Colleagues,

I've got two problems when running ALTQ on a PPP access concentrator. Maybe you have ideas on how to solve them in a nice way.

- When pf.conf is parsed at boot time, the p2p interfaces (ng_iface(4) in my case) do not exist, so the ALTQ queues are not created. The PPP software (mpd in my case) usually starts at a later stage of boot. Moreover, some programs like ppp(8) create interfaces dynamically, not at boot time.

- The PPP access concentrator may have a lot of interfaces. Why isn't it possible to specify the same ALTQ policy on all interfaces of a given type, like this:

  altq on ng* priq bandwidth 56Kb queue { cvsup def dns ack ssh }

  Instead, one needs to copy and paste a lot of lines differing only in interface unit number.

--
Totus tuus,
Glebius.
GLEBIUS-RIPN GLEB-RIPE From owner-freebsd-pf@FreeBSD.ORG Sat Oct 15 14:39:12 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 07B0016A41F; Sat, 15 Oct 2005 14:39:12 +0000 (GMT) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.171]) by mx1.FreeBSD.org (Postfix) with ESMTP id 635CC43D45; Sat, 15 Oct 2005 14:39:10 +0000 (GMT) (envelope-from max@love2party.net) Received: from p54A3D1B7.dip.t-dialin.net [84.163.209.183] (helo=donor.laier.local) by mrelayeu.kundenserver.de with ESMTP (Nemesis), id 0MKxQS-1EQnBl084Y-0001RS; Sat, 15 Oct 2005 16:39:09 +0200 
From: Max Laier To: freebsd-pf@freebsd.org Date: Sat, 15 Oct 2005 16:39:37 +0200 User-Agent: KMail/1.8.2 References: <20051015142431.GC14542@cell.sick.ru> In-Reply-To: <20051015142431.GC14542@cell.sick.ru> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart3620562.Y0OnfmycZB"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200510151639.51156.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: Brian Fundakowski Feldman Subject: Re: ALTQ and PPP access concentrator X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 15 Oct 2005 14:39:12 -0000

On Saturday 15 October 2005 16:24, Gleb Smirnoff wrote:

> I've got two problems when running ALTQ on PPP access
> concentrator. May be you have ideas on how to solve them
> in a nice way.
>
> - When pf.conf is parsed at boot time, the p2p interfaces
> (ng_iface(4) in my case) do not exist, so the ALTQ queues
> are not created. The PPP software (mpd in my case) usually
> starts at later stage of boot. Moreover, some programs like
> ppp(8) create interfaces dynamically, not at boot time.
>
> - The PPP access concentrator may have a lot of interfaces.
> Why isn't it possible to specify same ALTQ policy on all
> interfaces of given type, like this:
>
> altq on ng* priq bandwidth 56Kb queue { cvsup def dns ack ssh }
>
> Instead, one needs to copy and paste a lot of lines differing
> only in interface unit number.

I agree that ALTQ configuration (esp. for big setups) has some limitations and gotchas as is. I'd like to take the opportunity to start a discussion about what features are required to make it more usable. It is certainly interesting to look at decoupling /dev/pf and altq configuration. The end result would be an (in-kernel) lookup service that allows pf (or any other end-user of ALTQ) to look up QIDs by interface:qname. In order to keep things in sync I am thinking of an eventhandler of some kind.

This would allow us to keep the inlined configuration as it happens right now (just a little rewriting in pfctl), but enable easy changes for interfaces coming late. mpd would just trigger the necessary altq configuration from its UP-script.

I talked about this with green some time ago - CCed.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News