From owner-freebsd-pf@FreeBSD.ORG Sun Nov 6 02:30:50 2005
From: "Dave" <dmehler26@woh.rr.com>
To: freebsd-pf@freebsd.org
Date: Sat, 5 Nov 2005 21:23:26 -0500
Subject: samba and smbfs
Message-ID: <000301c5e279$122015e0$0900a8c0@satellite>

Hello,
I've got a pf firewall on a box that blocks by default. I want samba to
listen on the internal interface only. This happens, yet machines still
can't get to the samba box. The relevant rules are below. I'm also trying
to mount some XP shares via smbfs; this too is not working, probably for
the same reason. Can someone tell me where my rules went wrong?
Thanks.
Dave.
# allow internal samba
pass in quick on $int_if inet proto tcp from $int_if:network to ($int_if) port 137 flags S/SA modulate state
pass in quick on $int_if inet proto tcp from $int_if:network to ($int_if) port 138 flags S/SA modulate state
pass in quick on $int_if inet proto tcp from $int_if:network to ($int_if) port 139 flags S/SA modulate state
pass in quick on $int_if inet proto tcp from $int_if:network to ($int_if) port 445 flags S/SA modulate state
pass in quick on $int_if inet proto udp from $int_if:network to ($int_if) port 137 keep state
pass in quick on $int_if inet proto udp from $int_if:network to ($int_if) port 138 keep state
pass in quick on $int_if inet proto udp from any to ($int_if) port 139 keep state
pass in quick on $int_if inet proto udp from any to ($int_if) port 445 keep state
pass quick on $int_if from ($int_if) to $int_if:broadcast keep state

From owner-freebsd-pf@FreeBSD.ORG Sun Nov 6 07:24:06 2005
From: Mikael Nyström <micke@litet.se>
Date: Sun, 06 Nov 2005 08:23:28 +0100
Message-ID: <436DAF70.7000409@litet.se>
To: freebsd-pf@freebsd.org
Subject: pf not working when going to FBSD 6.0

Hi,
I just upgraded my FreeBSD from 5.4 to 6.0. Everything works fine except
for pf. Everything generated from the localhost works well, but incoming
packets to my services get accepted but no answer is returned. Can anyone
please give me a hint of what I don't understand.

My pf.conf looks like this:

lan_net = "192.168.1.0/24"

# scrub incoming packets
scrub in all

# setup a default deny policy
block in all
block out all

# pass traffic on the loopback interface in either direction
pass quick on lo0 all

# activate spoofing protection
antispoof quick for bfe0 inet

# pass all traffic to and from the local network
pass in on bfe0 from $lan_net to any
pass out on bfe0 from any to $lan_net

pass in log on bfe0 proto tcp from any to bfe0 port ssh flags S/SA synproxy state
pass in log on bfe0 proto tcp from any to bfe0 port smtp flags S/SA synproxy state
pass in log on bfe0 proto tcp from any to bfe0 port http flags S/SA synproxy state
pass in log on bfe0 proto tcp from any to bfe0 port https flags S/SA synproxy state

# pass tcp, udp, and icmp out.
# keep state on udp and icmp and modulate state on tcp.
pass out on bfe0 proto tcp all modulate state flags S/SA
pass out on bfe0 proto { udp, icmp } all keep state

Thanks,
//Micke

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 7 00:36:25 2005
From: "Dave" <dmehler26@woh.rr.com>
To: freebsd-pf@freebsd.org
Date: Sun, 6 Nov 2005 19:28:55 -0500
Subject: pf synproxy in 6.0
Message-ID: <000701c5e332$3d293d70$0900a8c0@satellite>

Hello,
Just a quick note, synproxy is working in 6.0. I had a ruleset that it did
not previously work in; I added synproxy to the inbound rules and it now
works.
Dave.
From owner-freebsd-pf@FreeBSD.ORG Mon Nov 7 11:02:12 2005
From: FreeBSD bugmaster <owner-bugmaster@freebsd.org>
To: freebsd-pf@FreeBSD.org
Date: Mon, 7 Nov 2005 11:02:10 GMT
Subject: Current problem reports assigned to you
Message-Id: <200511071102.jA7B2AcL049931@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker      Resp. Description
-------------------------------------------------------------------------------
o [2005/06/15] kern/82271   pf    [pf] cbq scheduler cause bad latency
o [2005/09/13] i386/86072   pf    [pf] Packet Filter rule not working prope
o [2005/11/01] kern/88362   pf    [pf] [panic] carp with pfsync causing sys

3 problems total.
Non-critical problems
S Submitted    Tracker      Resp. Description
-------------------------------------------------------------------------------
o [2005/05/15] conf/81042   pf    [pf] [patch] /etc/pf.os doesn't match Fre

1 problem total.

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 7 11:59:43 2005
From: Gleb Smirnoff <glebius@FreeBSD.org>
To: neon@NE6.NET, glebius@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Mon, 7 Nov 2005 11:59:42 GMT
Subject: Re: kern/88362: [pf] [panic] carp with pfsync causing system crash, dump debug attached
Message-Id: <200511071159.jA7BxgOw060682@freefall.freebsd.org>

Synopsis: [pf] [panic] carp with pfsync causing system crash, dump debug attached

State-Changed-From-To: open->feedback
State-Changed-By: glebius
State-Changed-When: Mon Nov 7 11:58:15 GMT 2005
State-Changed-Why:
Patch has been committed, and PR can be closed after submitter reports
that upgrading to RELENG_5 fixes his problem, or after feedback timeout.

http://www.freebsd.org/cgi/query-pr.cgi?pr=88362

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 7 13:31:21 2005
From: Rajkumar S <rajkumars@gmail.com>
To: freebsd-pf@freebsd.org
Date: Mon, 7 Nov 2005 18:32:54 +0530
Subject: pf ioctl programming question
Message-ID: <64de5c8b0511070502jd164aa2od7bd2a7ee032ace@mail.gmail.com>

Hi,

I am trying to add FreeBSD 6.0 support to snortsam http://www.snortsam.net/ But
before hacking into the actual code I am currently learning to use pf
ioctl, and I am facing a problem. I created a small test program to test
the ioctl interface:

/* The archive stripped the header names; this set is reconstructed and
 * is what the program below needs on FreeBSD. */
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <net/if.h>
#include <net/pfvar.h>
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

int
main(int argc, char *argv[])
{
	struct pfioc_rule rule;
	int pfdev;

	pfdev = open("/dev/pf", O_RDWR);
	if (pfdev == -1)
		err(1, "open(\"/dev/pf\") failed");

	bzero(&rule, sizeof(struct pfioc_rule));
	strncpy(rule.rule.ifname, "rl0", IFNAMSIZ);
	strncpy(rule.anchor, "testanchor", PF_ANCHOR_NAME_SIZE-1);
	rule.action = PF_CHANGE_GET_TICKET;
	/* ask pf for a ticket on the anchor's ruleset before changing it */
	if (ioctl(pfdev, DIOCCHANGERULE, &rule) < 0) {
		printf("Error: DIOCCHANGERULE %s.\n", strerror(errno));
		return 255;
	}
	/* the end of main() was cut off in the archive; this completes it */
	close(pfdev);
	return 0;
}

This is basically as simple as it could be, and while I run it I get the
error:

Error: DIOCCHANGERULE Invalid argument.

Looking through the google*, I found that the problem is that I did not
init the ruleset along with anchor. But from the docs or man pages I could
not find out how I can init the ruleset. Can some one point me towards the
right direction?
with warm regards,

raj

*: http://62.65.145.30/pf/msg03157.html

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 7 16:21:23 2005
From: "Gregory T."
To: freebsd-pf@FreeBSD.org
Date: Mon, 7 Nov 2005 16:20:12 GMT
Subject: Re: kern/88362: [pf] [panic] carp with pfsync causing system crash, dump debug attached
Message-Id: <200511071620.jA7GKCvj004392@freefall.freebsd.org>

The following reply was made to PR kern/88362; it has been noted by GNATS.

From: "Gregory T."
To: bug-followup@FreeBSD.org, neon@NE6.NET
Cc:
Subject: Re: kern/88362: [pf] [panic] carp with pfsync causing system crash, dump debug attached
Date: Mon, 07 Nov 2005 09:11:29 -0700

Going to RELENG_5 seems to fix the problem; both firewalls, master and
backup, have been running since the upgrade (4 days now) without a kernel
panic.
From owner-freebsd-pf@FreeBSD.ORG Mon Nov 7 20:44:56 2005
From: Szukács István <leccine@gmail.com>
Cc: freebsd-pf@freebsd.org
Date: Mon, 07 Nov 2005 21:44:47 +0100
Subject: Re: pf synproxy in 6.0
Message-ID: <436FBCBF.7000405@gmail.com>
In-Reply-To: <000701c5e332$3d293d70$0900a8c0@satellite>

\o/ I have to try

Dave wrote:
> Hello,
> Just a quick note, synproxy is working in 6.0. I had a ruleset that it
> did not previously work in, I added synproxy to the inbound rules and
> it now works.
> Dave.
From owner-freebsd-pf@FreeBSD.ORG Mon Nov 7 23:00:20 2005
From: Marko Cuk <cuk@cuk.nu>
Organization: NetInet
To: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Date: Tue, 08 Nov 2005 00:00:32 +0100
Subject: Tun and ALTQ
Message-ID: <436FDC90.3020108@cuk.nu>

Resend...

Please, does anyone have any ideas...

What is the status of the tun0 driver and ALTQ?
I have FreeBSD 6.0-RELEASE and have tried it without success. Why 6.0?
Don't know... curious maybe...
If you think that 5.4 will work better, I'll reinstall it.

The tun0 is because of xDSL (PPPoE).

It seems like packets won't match the queue. Look at the pfctl output
(look at the "bucy" rules -- he is a huge consumer and the primary uplink
is out for a week, xDSL is only backup and he consumes all the avail
bandwidth).

THIS IFACE IS TUN0 (pppoe)

queue root_em0 bandwidth 1Gb priority 0 cbq( wrr root ) {std_ext, bucy_out}
  [ pkts:      76053  bytes:    7390221  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
  [ measured:   199.0 packets/s, 146.71Kb/s ]
queue std_ext bandwidth 384Kb cbq( default )
  [ pkts:      76053  bytes:    7390221  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:     59 ]
  [ measured:   199.0 packets/s, 146.71Kb/s ]

THIS ONE IS PROBLEMATIC - Won't match

queue bucy_out bandwidth 128Kb
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
  [ measured:     0.0 packets/s, 0 b/s ]

queue root_em1 bandwidth 1Gb priority 0 cbq( wrr root ) {std_int, bucy_in}
  [ pkts:      91920  bytes:  100394990  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
  [ measured:   260.4 packets/s, 2.37Mb/s ]
queue std_int bandwidth 2Mb cbq( default )
  [ pkts:      50302  bytes:   58076735  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:   2359 ]
  [ measured:   194.6 packets/s, 1.89Mb/s ]
queue bucy_in bandwidth 900Kb
  [ pkts:      41618  bytes:   42318255  dropped pkts:    446 bytes: 433317 ]
  [ qlength:   0/ 50  borrows:      0  suspends:   7440 ]
  [ measured:    65.8 packets/s, 475.89Kb/s ]

queue root_dc0 bandwidth 10Mb priority 0 cbq( wrr root ) {std_int_wifi_in}
  [ pkts:       3967  bytes:    1730908  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
  [ measured:     2.6 packets/s, 4.17Kb/s ]
queue std_int_wifi_in bandwidth 5Mb cbq( default )
  [ pkts:       3967  bytes:    1730908  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
  [ measured:     2.6 packets/s, 4.17Kb/s ]

These are the rules:
##########################################################################################
# QUEUEING: rule-based bandwidth control.
###########################################################################################

# THIS IS OUR OUTGOING TRAFFIC - UPLOAD
altq on em0 cbq bandwidth 100% queue { std_ext,bucy_out }
queue std_ext bandwidth 384Kb cbq(default)
queue bucy_out bandwidth 128Kb

#########################################################################################
# THIS IS OUR INCOMING TRAFFIC - DOWNLOAD
altq on em1 cbq bandwidth 100% queue { std_int,bucy_in }
queue std_int bandwidth 2Mb cbq(default)
queue bucy_in bandwidth 900Kb

# QUEUE rule
pass in log on em1 from 10.0.100.0/24 to any queue bucy_out
pass out log on em1 from any to 10.0.100.0/24 queue bucy_in

Many thanks for any information.

I have changed the various eth cards, from dc cards to em gigabit cards,
etc, etc. Without success.

I know that there have been some issues with tun0 on OpenBSD, but that was
a little time ago.

Cuk

--
NetInet d.o.o.
http://www.NetInet.si
Private: http://cuk.nu
MountainBikeSlovenia team: http://mtb.si
Slovenian FreeBSD mirror admin http://www2.si.freebsd.org

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 8 01:36:48 2005
From: Brian Fundakowski Feldman <green@green.homeunix.org>
To: Marko Cuk
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Date: Mon, 7 Nov 2005 20:36:45 -0500
Subject: Re: Tun and ALTQ
Message-ID: <20051108013645.GE37350@green.homeunix.org>
In-Reply-To: <436FDC90.3020108@cuk.nu>

On Tue, Nov 08, 2005 at 12:00:32AM +0100, Marko Cuk wrote:
> Resend...
>
> Please, does anyone have any ideas...
>
>
> What is the status of the tun0 driver and ALTQ ?
> I have FreeBSD 6.0-RELEASE and have tried it without success. Why 6.0 ?
> Don't know... curious maybe... if you think, that 5.4 will work better,
> I'll reinstall it.
>
> The tun0 is because of xDSL ( PPPoE )
>
> It seems like packets won't match queue.
> Look at the pfctl output ( look
> at the "bucy" rules -- he is a huge consumer and the primary uplink is
> out for a week, xDSL is only backup and he consumes all the avail
> bandwidth )
>
>
> THIS IFACE IS TUN0 ( pppoe )
> queue root_em0 bandwidth 1Gb priority 0 cbq( wrr root ) {std_ext, bucy_out}
>   [ pkts:      76053  bytes:    7390221  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
>   [ measured:   199.0 packets/s, 146.71Kb/s ]

No it isn't, it's em0.  You probably want to be using ALTQ on tun0.  I've
done it; it works....

-- 
Brian Fundakowski Feldman           \'[ FreeBSD ]''''''''''\
  <> green@FreeBSD.org               \  The Power to Serve! \
 Opinions expressed are my own.       \,,,,,,,,,,,,,,,,,,,,,,\

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 8 07:42:41 2005
From: Alberto Alesina <aalesina@yahoo.com>
To: freebsd-pf@freebsd.org
Date: Mon, 7 Nov 2005 23:42:36 -0800 (PST)
Message-ID: <20051108074236.18256.qmail@web32602.mail.mud.yahoo.com>
Subject: PF "keep state" for ICMP

Hello,

I have a question about ICMP states while using the "keep state" flags for
PF rules.

        Intf-A
A ----- B ------ C

B is running PF on FreeBSD 5.4 and has a rule with "keep state" for ICMP
traffic in the "out" direction on Intf-A. There is also a rule to block all
traffic in the "in" direction on Intf-A.

Now, if a ping is initiated from host C to host A, a state is created with
the ICMP ID and source address and destination address as key.

My question is - would *only* ICMP echo *replies* be allowed back against
that state? Or, would *any* ICMP traffic with the corresponding ICMP ID,
source address and destination address be allowed?

If *any* ICMP traffic is allowed back, if I happen to initiate ICMP echo
*requests* from A to C (picking the same ICMP ID as the one in the state
created by the ICMP echo requests from C to A), wouldn't that be a case
where you can bypass the PF firewall?

Thank you very much.

Alberto Alesina.
From owner-freebsd-pf@FreeBSD.ORG Tue Nov 8 09:59:06 2005
From: Daniel Hartmeier <dhartmei@insomnia.benzedrine.cx>
To: Alberto Alesina
Cc: freebsd-pf@freebsd.org
Date: Tue, 8 Nov 2005 10:59:03 +0100
Subject: Re: PF "keep state" for ICMP
Message-ID: <20051108095903.GB6116@insomnia.benzedrine.cx>
In-Reply-To: <20051108074236.18256.qmail@web32602.mail.mud.yahoo.com>

On Mon, Nov 07, 2005 at 11:42:36PM -0800, Alberto Alesina wrote:

> My question is - would *only* ICMP echo *replies* be
> allowed back against that state?
> Or, would *any* ICMP
> traffic with the corresponding ICMP ID, source address
> and destination address be allowed?

The latter.

> If *any* ICMP traffic is allowed back, if I happen to
> initiate ICMP echo *requests* from A to C (picking the
> same ICMP ID as the one in the state created by the
> ICMP echo requests from C to A), wouldn't that be a
> case where you can bypass the PF firewall?

If you want to put it that way, yes. Assuming you're a malicious A, what do
you gain, though? You're already getting pinged by C, so you know it's
there. You could already deliver an arbitrary amount of reply packets.
Fingerprinting silliness?

Daniel

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 8 16:49:34 2005
From: Max Laier <mlaier@FreeBSD.org>
To: neon@NE6.NET, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Tue, 8 Nov 2005 16:49:34 GMT
Subject: Re: kern/88362: [pf] [panic] carp with pfsync causing system crash, dump debug attached
Message-Id: <200511081649.jA8GnYDr057390@freefall.freebsd.org>
Synopsis: [pf] [panic] carp with pfsync causing system crash, dump debug attached

State-Changed-From-To: feedback->closed
State-Changed-By: mlaier
State-Changed-When: Tue Nov 8 16:48:44 GMT 2005
State-Changed-Why:
Fixed in RELENG_5 and later as confirmed by originator - Thanks.

http://www.freebsd.org/cgi/query-pr.cgi?pr=88362

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 8 16:53:06 2005
From: Max Laier
To: fb@crou.net, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Tue, 8 Nov 2005 16:53:06 GMT
Subject: Re: i386/86072: [pf] Packet Filter rule not working properly (with SYNPROXY option)
Message-Id: <200511081653.jA8Gr68T057672@freefall.freebsd.org>

Synopsis: [pf] Packet Filter rule not working properly (with SYNPROXY option)

State-Changed-From-To: open->feedback
State-Changed-By: mlaier
State-Changed-When: Tue Nov 8 16:51:34 GMT 2005
State-Changed-Why:
In order to debug this problem, more information is required. Can you
please discuss with the freebsd-pf@ and submit a result to the PR audit
trail? Thanks.

http://www.freebsd.org/cgi/query-pr.cgi?pr=86072

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 8 17:03:14 2005
From: Max Laier
To: ricardo_bsd@yahoo.com.br, mlaier@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Tue, 8 Nov 2005 17:03:14 GMT
Subject: Re: kern/84370: [modules] Unload pf.ko cause page fault
Message-Id: <200511081703.jA8H3EJT058145@freefall.freebsd.org>

Synopsis: [modules] Unload pf.ko cause page fault

State-Changed-From-To: open->feedback
State-Changed-By: mlaier
State-Changed-When: Tue Nov 8 17:01:24 GMT 2005
State-Changed-Why:
Can you provide a trace or at least an IP + related source code for this?

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: mlaier
Responsible-Changed-When: Tue Nov 8 17:01:24 GMT 2005
Responsible-Changed-Why:
Over to pf ML for broader experimentation.

http://www.freebsd.org/cgi/query-pr.cgi?pr=84370

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 8 17:15:49 2005
From: Brian Fundakowski Feldman
To: Marko Cuk
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Date: Tue, 8 Nov 2005 12:15:44 -0500
Subject: Re: Tun and ALTQ
Message-ID: <20051108171544.GI37350@green.homeunix.org>
In-Reply-To: <4370AA76.8000309@cuk.nu>

On Tue, Nov 08, 2005 at 02:39:02PM +0100, Marko Cuk wrote:
> It seems that it works. Thanks.
>
> Damn, for vlan's ( 802.1Q) you should specify "em", for "tun", vice
> versa... what a mess, hehe.

No prob; I don't see why using the em(4) backing the tun(4) wouldn't
work for ALTQ _IF_ you actually tagged the (PPPoE?) traffic on em(4).
I think that might be really hard, though, so for ALTQ you should
probably just specify the "logical" interface that you intend to
limit (that would be the IP tun(4) rather than the PPPoE em(4)).

Do you have a suggestion on what would be good text to go into pf.conf(5)
so that this particular case is documented?

-- 
Brian Fundakowski Feldman           \'[ FreeBSD ]''''''''''\
  <> green@FreeBSD.org               \  The Power to Serve! \
 Opinions expressed are my own.       \,,,,,,,,,,,,,,,,,,,,,,\

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 8 17:38:44 2005
From: "Dave"
Date: Tue, 8 Nov 2005 12:30:55 -0500
Subject: continuing issue with ftp from gateway
Message-ID: <004f01c5e48a$2d0db520$0900a8c0@satellite>

Hello,
I'm still having issues with ftp. I've got a 6.0 machine acting as a
firewall/gateway for my network of natted machines. Machines behind the
gateway can ftp passively just fine, active no. The gateway can't do
either. I've run some tcpdump and the block-by-default rule is stopping
incoming responses from the server. Here's what it does:

#tcpdump -ne -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
10:47:48.366148 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535
10:47:51.364561 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535
10:47:54.565823 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535
10:47:57.764719 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535
10:48:00.965150 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535
10:48:04.164963 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535
10:48:10.365495 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535
10:48:22.566832 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel

My inetd is running ftp-proxy and inetd is listening on 127.0.0.1;
here's my inetd.conf entry:

ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -t 180

Here are my ftp entries in pf.conf. ext_if and int_if are my external and
internal network interfaces, int_net is a macro that says $int_if:network,
and $tcp_state is another one that says "flags S/SA modulate state".

# Redirect lan client FTP requests (to an FTP server's control port 21)
# to the ftp-proxy running on the firewall host (via inetd on port 8021)
rdr on $int_if inet proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# Allow remote FTP servers (on data port 20) to respond to the proxy's
# active FTP requests by contacting it on the port range specified in inetd.conf
pass in quick on $ext_if inet proto tcp from any port 20 to $ext_if port 55000 >< 57000 user proxy $tcp_state
pass in quick on $ext_if inet proto tcp from any port 20 to 127.0.0.1 port 55000 >< 57000 user proxy $tcp_state

# Allow ftp-proxy packets destined to port 20 to exit $ext_if
# in order to maintain communications with the ftp server
pass out quick on $ext_if inet proto tcp from $ext_if to any port 20 $tcp_state

# Allow firewall to contact ftp server on behalf of passive ftp client
pass out quick on $ext_if inet proto tcp from $ext_if port 55000:57000 to any user proxy $tcp_state
pass out quick on $ext_if inet proto tcp from $int_net port 55000:57000 to any user proxy $tcp_state

# allow ftp connections from lan to proxy
pass in quick on $int_if inet proto tcp from $int_net to lo0 port 8021 $tcp_state
pass in quick on $int_if inet proto tcp from $int_net to $ext_if port 55000:57000 $tcp_state

Any help appreciated.
Thanks.
Dave.
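The pflog lines above can be checked mechanically against the clauses of the data-connection pass rule, which makes it clear what the log can and cannot tell you. The following is an added example written for this archive, not code from Dave's post or from the ftp-proxy/pf projects. It parses the non-verbose "tcpdump -ne -i pflog0" line format, then tests each packet against every clause of the rule "pass in quick on $ext_if inet proto tcp from any port 20 to $ext_if port 55000 >< 57000 user proxy". The interface name rl0 and the address 65.31.43.91 are taken from the posted log and passed in as parameters; pf's "><" operator excludes both boundary ports (":" is the inclusive form used in the pass-out rules); and the helper names (parse_pflog_line, evaluate_data_rule, triage) are this example's own. The "user proxy" clause is decided by pf from the owning socket on the firewall and is therefore reported as undecidable from the log.

```python
"""Triage pflog lines against the ftp-proxy data-connection pass rule.

Added example (not from the thread). Parses 'tcpdump -ne -i pflog0' lines
and reports which clauses of

    pass in quick on $ext_if inet proto tcp from any port 20 \
        to $ext_if port 55000 >< 57000 user proxy $tcp_state

a blocked packet satisfies according to the log alone.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: two of the eight identical SYN retransmits in the post.
SAMPLE_PFLOG = """\
10:47:48.366148 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535
10:47:51.364561 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535
"""

# Non-verbose tcpdump pflog format for IPv4: timestamp, rule number,
# action, direction, interface, then "src.sport > dst.dport: <proto info>".
PFLOG_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)/\d+\(\w+\): "
    r"(?P<action>block|pass) (?P<direction>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)


@dataclass
class PflogEntry:
    ts: str
    rule: int
    action: str
    direction: str
    ifname: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_pflog_line(line: str) -> Optional[PflogEntry]:
    """Parse one pflog line; return None for banners and other non-packet lines."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # tcpdump prints "UDP, length N" for UDP and the TCP flag letters
    # (S, ., P, F, R and combinations) first for TCP segments.
    if rest.startswith("UDP"):
        proto, flags = "udp", ""
    else:
        proto, flags = "tcp", rest.split(" ", 1)[0]
    return PflogEntry(
        ts=m.group("ts"), rule=int(m.group("rule")), action=m.group("action"),
        direction=m.group("direction"), ifname=m.group("ifname"), proto=proto,
        src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")), flags=flags,
    )


def evaluate_data_rule(e: PflogEntry, ext_if: str, ext_addr: str,
                       low: int = 55000, high: int = 57000) -> Dict[str, Optional[bool]]:
    """True/False per rule clause; None where the log carries no evidence.

    pf's '><' excludes both boundaries, so matching ports are low+1 .. high-1.
    'user proxy' is matched against the socket owner on the firewall itself,
    which a pflog line does not record.
    """
    return {
        "in": e.direction == "in",
        f"on {ext_if}": e.ifname == ext_if,
        "proto tcp": e.proto == "tcp",
        "from any port 20": e.sport == 20,
        f"to {ext_addr}": e.dst == ext_addr,
        f"port {low} >< {high}": low < e.dport < high,
        "user proxy": None,
    }


def failing(result: Dict[str, Optional[bool]]) -> List[str]:
    return [name for name, ok in result.items() if ok is False]


def undecidable(result: Dict[str, Optional[bool]]) -> List[str]:
    return [name for name, ok in result.items() if ok is None]


def triage(log_text: str, ext_if: str, ext_addr: str) -> List[str]:
    """One report line per packet line; banner lines are skipped."""
    report = []
    for line in log_text.splitlines():
        e = parse_pflog_line(line)
        if e is None:
            continue
        res = evaluate_data_rule(e, ext_if, ext_addr)
        bad = failing(res)
        if bad:
            verdict = "fails " + ", ".join(bad)
        else:
            verdict = ("matches every clause visible in the log; remaining: "
                       + ", ".join(undecidable(res)))
        report.append(f"{e.ts} {e.src}:{e.sport} -> {e.dst}:{e.dport} [{e.flags}] "
                      f"{e.action} by rule {e.rule}: {verdict}")
    return report


if __name__ == "__main__":
    for line in triage(SAMPLE_PFLOG, ext_if="rl0", ext_addr="65.31.43.91"):
        print(line)
```

For the posted lines every clause the log can show is satisfied (inbound on rl0, TCP, source port 20, destination 65.31.43.91, port 55881 inside 55000 >< 57000), so the only clause left to account for is "user proxy". That narrows the next check to whether the socket the SYN is aimed at is really owned by the proxy user on the gateway: the rdr rule only applies to traffic arriving on $int_if, so an ftp client run on the gateway itself is not redirected through ftp-proxy.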
From owner-freebsd-pf@FreeBSD.ORG Tue Nov 8 18:46:28 2005
From: Max Laier
To: Marko Cuk
Cc: Brian Fundakowski Feldman, freebsd-doc@freebsd.org, freebsd-pf@freebsd.org
Date: Tue, 8 Nov 2005 19:45:59 +0100
Subject: Re: Tun and ALTQ
Message-Id: <200511081946.19860.max@love2party.net>
In-Reply-To: <20051108171544.GI37350@green.homeunix.org>

On Tuesday 08 November 2005 18:15, Brian Fundakowski Feldman wrote:
> On Tue, Nov 08, 2005 at 02:39:02PM +0100, Marko Cuk wrote:
> > It seems that it works. Thanks.
> >
> > Damn, for vlan's ( 802.1Q) you should specify "em", for "tun", vice
> > versa... what a mess, hehe.
>
> No prob; I don't see why using the em(4) backing the tun(4) wouldn't
> work for ALTQ _IF_ you actually tagged the (PPPoE?) traffic on em(4).
> I think that might be really hard, though, so for ALTQ you should
> probably just specify the "logical" interface that you intend to
> limit (that would be the IP tun(4) rather than the PPPoE em(4)).

The problem with tun(4) in contrast to vlan(4) is that in some cases the
packet has to go through userland (i.e. userland PPPoE). During this detour
the packet loses the ALTQ mbuf_tag and thus can no longer be stuck into the
right queue. That is why there is ALTQ support on tun(4) even though it
doesn't make that much sense to introduce "unnatural" queueing in the pseudo
interface. For vlan(4) there is no such problem (VLANs are handled in the
kernel all the way) so it's easy to stick the ALTQ tags on the packet and
queue on the hardware interface underneath.

> Do you have a suggestion on what would be good text to go into pf.conf(5)
> so that this particular case is documented?

[-> doc@, maybe somebody is interested/creative? ]

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 8 19:23:10 2005
From: Tom Rhodes
To: Max Laier
Cc: green@FreeBSD.org, freebsd-doc@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Tue, 8 Nov 2005 14:22:48 -0500
Subject: Re: Tun and ALTQ
Message-Id: <20051108142248.5745d091.trhodes@FreeBSD.org>
In-Reply-To: <200511081946.19860.max@love2party.net>
On Tue, 8 Nov 2005 19:45:59 +0100
Max Laier wrote:

> On Tuesday 08 November 2005 18:15, Brian Fundakowski Feldman wrote:
> > On Tue, Nov 08, 2005 at 02:39:02PM +0100, Marko Cuk wrote:
> > > It seems that it works. Thanks.
> > >
> > > Damn, for vlan's ( 802.1Q) you should specify "em", for "tun", vice
> > > versa... what a mess, hehe.
> >
> > No prob; I don't see why using the em(4) backing the tun(4) wouldn't
> > work for ALTQ _IF_ you actually tagged the (PPPoE?) traffic on em(4).
> > I think that might be really hard, though, so for ALTQ you should
> > probably just specify the "logical" interface that you intend to
> > limit (that would be the IP tun(4) rather than the PPPoE em(4)).
>
> The problem with tun(4) in contrast to vlan(4) is that in some cases the
> packet has to go through userland (i.e. userland PPPoE). During this detour
> the packet loses the ALTQ mbuf_tag and thus can no longer be stuck into the
> right queue. That is why there is ALTQ support on tun(4) even though it
> doesn't make that much sense to introduce "unnatural" queueing in the pseudo
> interface. For vlan(4) there is no such problem (VLANs are handled in the
> kernel all the way) so it's easy to stick the ALTQ tags on the packet and
> queue on the hardware interface underneath.
>
> > Do you have a suggestion on what would be good text to go into pf.conf(5)
> > so that this particular case is documented?
>
> [-> doc@, maybe somebody is interested/creative? ]

I'll work with Max on this.

-- 
Tom Rhodes

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 8 23:51:14 2005
From: Michael Vince
To: Dave
Cc: freebsd-pf@freebsd.org
Date: Wed, 09 Nov 2005 10:50:59 +1100
Subject: Re: continuing issue with ftp from gateway
Message-ID: <437139E3.2050804@roq.com>
In-Reply-To: <004f01c5e48a$2d0db520$0900a8c0@satellite>

I was having trouble implementing the ftp-proxy daemon as well. I got it
working after doing a few things. I upgraded to 6.0 (it's an old U1
Sparc64 Sun Netra). I discovered from the pf.conf man page that it says "the use
of the group and user filter parameter in conjunction with a Giant-free
netstack can result in a deadlock. If you have to use group or user you
must set debug.mpsafenet to ``0'' from the loader(8), for the moment."

So I set the sysctl correctly, in loader.conf:

debug.mpsafenet="0"

I hacked my firewall rules even more, and it does work. No one can do
anything ftp-wise without going through the daemon as user proxy.

# Redirect rules - ftp-proxy
rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# FTP all "user proxy" based no direct connections
pass out quick on tun0 proto tcp from any to any port = 21 user proxy modulate state
pass in quick on $ext_if inet proto tcp from any port = 20 to any user proxy flags S/SA modulate state
pass out quick on tun0 proto tcp from any to any port > 49151 user proxy modulate state

The firewall rules are still a bit dodgy compared to the official examples
given for PF but it's all I need.

Dave wrote:
> Hello,
> I'm still having issues with ftp. I've got a 6.0 machine acting as
> a firewall/gateway for my network of natted machines. Machines behind
> the gateway can ftp passively just fine, active no. The gateway can't
> do either. I've run some tcpdump and the block-by-default rule is
> stopping incoming responses from the server. Here's what it does:
>
> #tcpdump -ne -i pflog0
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
> 10:47:48.366148 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 1400,nop,wscale 2,[|tcp]>
> 10:47:51.364561 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 1400,nop,wscale 2,[|tcp]>
> 10:47:54.565823 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 1400,nop,wscale 2,[|tcp]>
> 10:47:57.764719 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535
> 10:48:00.965150 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535
> 10:48:04.164963 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535
> 10:48:10.365495 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535
> 10:48:22.566832 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535
> ^C
> 8 packets captured
> 8 packets received by filter
> 0 packets dropped by kernel
>
> My inetd is running ftp-proxy and inetd is listening on 127.0.0.1;
> here's my inetd.conf entry:
>
> ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -t 180
>
> Here are my ftp entries in pf.conf. ext_if and int_if are my external
> and internal network interfaces, int_net is a macro that says
> $int_if:network, and $tcp_state is another one that says "flags
> S/SA modulate state".
>
> # Redirect lan client FTP requests (to an FTP server's control port 21)
> # to the ftp-proxy running on the firewall host (via inetd on port 8021)
> rdr on $int_if inet proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021
>
> # Allow remote FTP servers (on data port 20) to respond to the proxy's
> # active FTP requests by contacting it on the port range specified in inetd.conf
> pass in quick on $ext_if inet proto tcp from any port 20 to $ext_if port 55000 >< 57000 user proxy $tcp_state
> pass in quick on $ext_if inet proto tcp from any port 20 to 127.0.0.1 port 55000 >< 57000 user proxy $tcp_state
>
> # Allow ftp-proxy packets destined to port 20 to exit $ext_if
> # in order to maintain communications with the ftp server
> pass out quick on $ext_if inet proto tcp from $ext_if to any port 20 $tcp_state
>
> # Allow firewall to contact ftp server on behalf of passive ftp client
> pass out quick on $ext_if inet proto tcp from $ext_if port 55000:57000 to any user proxy $tcp_state
> pass out quick on $ext_if inet proto tcp from $int_net port 55000:57000 to any user proxy $tcp_state
>
> # allow ftp connections from lan to proxy
> pass in quick on $int_if inet proto tcp from $int_net to lo0 port 8021 $tcp_state
> pass in quick on $int_if inet proto tcp from $int_net to $ext_if port 55000:57000 $tcp_state
>
> Any help appreciated.
> Thanks.
> Dave.
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 9 00:30:19 2005
From: "Ricardo A. Reis"
To: freebsd-pf@FreeBSD.org
Date: Wed, 9 Nov 2005 00:30:19 GMT
Subject: Re: kern/84370: [modules] Unload pf.ko cause page fault
Message-Id: <200511090030.jA90UJls027954@freefall.freebsd.org>

The following reply was made to PR kern/84370; it has been noted by GNATS.

From: "Ricardo A. Reis"
To: ricardo_bsd@yahoo.com.br, bug-followup@FreeBSD.org
Subject: Re: kern/84370: [modules] Unload pf.ko cause page fault
Date: Tue, 08 Nov 2005 20:24:16 -0200

hi mlaier,

I've had this problem in many beta releases, but it doesn't happen any more
with the recent RC1. I have one more test for this PR on the official
release next weekend; my workstation is a very old machine (K6-2 500 +
192MB) and I'll update this machine next Saturday.

On my workstation I see several panics related to this:
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/87371

Thanks

Ricardo A. Reis
UNIFESP
Unix and Network Admin

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 9 03:22:55 2005
From: Brian Fundakowski Feldman
To: Marko Cuk
Cc: freebsd-pf@freebsd.org
Date: Tue, 8 Nov 2005 22:22:52 -0500
Message-ID: <20051109032252.GN37350@green.homeunix.org>
In-Reply-To: <43715469.9030505@cuk.nu>
Subject: Re: Tun and
ALTQ

On Wed, Nov 09, 2005 at 02:44:09AM +0100, Marko Cuk wrote:
> Max, tnx for explanation and others to help.
>
> Second thing is route-to routing capability of pf.
> I have one dual homed firewall and the configuration is very
> complicated, because I must have two NAT's ( certain subnets through one
> ISP, certain through another ) , routing, filtering, ALTQ, ...
> The firewall has one default route and that NAT, which is on default
> route, works ok. The problem is NAT on another ISP, which works, but the
> packet ( translated from RFC1918 to public IP ) is sent through DEFAULT
> route instead on the ISP2's default gateway ( next hop ).
>
> I have solved it like that:
> em0 is default ISP and has default route, em1 is ISP2
> pass out on em0 route-to (em1 x.x.x.1.) from x.x.x.2 to any
>
> but still it won't "catch" all packets and tcpdumping em0 shows me that
> on em0 I get outgoing x.x.x.2 IPs... The reply comes on em1, that's ok.
>
> I have managed it with ipf, like that:
> pass out quick on em0 to em1:x.x.x.1 from x.x.x.2 to any
>
> but I still don't like to have 2 packet filters on host...
>
> Does anyone have a clue for that? I can't catch the packet on internal
> interface, because there is RFC1918 IP ( 192.168.x.x ) and if I route-to
> it, it will "bypass" NAT and that's not ok :) . If I do NAT and catch it
> on outer interface, there are some packets "leaking" through on default
> route.
> Anyone with that setup here ?

I can show you my setup -- it won't apply directly as I use IPFW, but it
should give you an idea of how it can be done.

/etc/hosts:
66.92.150.152   extip1
66.92.150.217   extip2

/etc/rc.conf:
network_interfaces="lo0 xl0 dc0"
ifconfig_xl0="inet extip1 netmask 255.255.255.0"
ifconfig_xl0_alias0="inet extip2 netmask 255.255.255.0"
ifconfig_dc0="inet 10.0.0.1 netmask 255.255.0.0"
defaultrouter="66.92.150.1"
ppp_enable="NO"
ppp_mode="dedicated"
ppp_profile="t-mobile"
ppp_user="green"
natd1_enable="YES"
natd1_flags="-port 8668 -alias_address extip1 -redirect_port tcp macintosh:6882 6882 -use_sockets -same_ports"
natd2_enable="YES"
natd2_flags="-port 8669 -alias_address extip2 -use_sockets -same_ports"
pf_only_altq="YES"
pf_enable="YES"
firewall_enable="YES"
firewall_type="/etc/firewall-altq"

/etc/pf.conf:
altq on xl0 cbq bandwidth 650Kb queue { \
    local, \
    my_nat, \
    not_my_nat \
}
queue local bandwidth 25% priority 7 cbq(borrow) { \
    local_int_ssh, \
    local_fasts, \
    local_rest \
}
queue local_int_ssh priority 7 bandwidth 40% qlimit 20 cbq(borrow)
queue local_fasts priority 4 bandwidth 20% qlimit 20 cbq(borrow) { \
    local_fast, \
    local_faster \
}
queue local_fast bandwidth 50% priority 1 qlimit 20 cbq(borrow)
queue local_faster bandwidth 50% priority 7 qlimit 20 cbq(borrow)
queue local_rest priority 1 bandwidth 40% cbq(borrow) { \
    local_ssh, \
    local_surf, \
    local_def \
}
queue local_surf bandwidth 25% priority 7 qlimit 20 cbq(borrow)
queue local_ssh bandwidth 50% priority 4 qlimit 20 cbq(borrow)
queue local_def bandwidth 25% priority 1 qlimit 20 cbq(borrow default)
queue my_nat bandwidth 25% priority 4 cbq(borrow) { \
    my_nat_int_ssh, \
    my_nat_fasts, \
    my_nat_rest \
}
queue my_nat_int_ssh priority 7 bandwidth 40% qlimit 20 cbq(borrow)
queue my_nat_fasts priority 4 bandwidth 20% qlimit 20 cbq(borrow) { \
    my_nat_fast, \
    my_nat_faster \
}
queue my_nat_fast bandwidth 50% priority 1 qlimit 20 cbq(borrow)
queue my_nat_faster bandwidth 50% priority 7 qlimit 20 cbq(borrow)
queue my_nat_rest priority 1 bandwidth 40% cbq(borrow) { \
    my_nat_ssh, \
    my_nat_surf, \
    my_nat_def \
}
queue my_nat_surf bandwidth 25% priority 7 qlimit 20 cbq(borrow)
queue my_nat_ssh bandwidth 50% priority 4 qlimit 20 cbq(borrow)
queue my_nat_def bandwidth 25% priority 1 qlimit 20 cbq(borrow)
queue not_my_nat bandwidth 50% priority 1 cbq(borrow) { \
    nat_fast, \
    nat_def \
}
queue nat_fast bandwidth 50% priority 7 qlimit 20 cbq(borrow)
queue nat_def bandwidth 50% priority 1 qlimit 20 cbq(borrow)

/etc/firewall-altq:
# Enable one_pass optimization (no dummynet used).
enable one_pass
# Turn ALTQ off.
disable altq
# Make all unknown traffic natd reinserts start after the divert section.
add skipto 1000 ip from any to any diverted
# Divert non-locally-generated egress and all ingress traffic to natd.
add divert 8668 ip from macintosh to not 10.0/8 out via xl0
add divert 8668 ip from not 10.0/8 to extip1 in via xl0
add divert 8669 ip from 10.0/8 to not 10.0/8 out via xl0
add divert 8669 ip from not 10.0/8 to extip2 in via xl0
# Explicitly deny private addresses to/from the world.
add 1000 deny log ip from any to 10.0/8 in via xl0 not diverted-loopback
add deny log ip from 10.0/8 to any out via xl0
add allow ip from 10.0/8 to not 10.0/8 in via dc0
add allow ip from not 10.0/8 to 10.0/8 in via xl0 diverted-loopback
add allow ip from not 10.0/8 to 10.0/8 out via dc0
# Respect the loopback net.
add allow ip from any to any via lo0
add deny log ip from any to 127.0.0.0/8
add deny log ip from 127.0.0.0/8 to any
# Deny+log interesting local services from the outside world.
add deny log tcp from any to any 25,137,138,139,445,631 setup in via xl0
add deny log udp from any to any 53,137,138,139 in via xl0
# ALTQ classification:
# All ALTQ overrides that need to ignore state. They are not passed or
# dropped here, but simply given a tag. Multiple tags result in the first
# one being used by ALTQ.
#
# NAT'd egress traffic:
# My NAT'd interactive SSH.
add count altq my_nat_int_ssh tcp from extip1 to any 22 iptos lowdelay out diverted-output
# My NAT'd TCP ack w/o data, TCP setup, IPTOS_LOWDELAY:
add count altq my_nat_faster tcp from extip1 to any setup diverted-output
add count altq my_nat_fast ip from extip1 to any iptos lowdelay diverted-output
add count altq my_nat_fast tcp from extip1 to any tcpflags ack tcpdatalen 0 diverted-output
# Their NAT'd TCP ack w/o data, TCP setup, IPTOS_LOWDELAY:
add count altq nat_fast ip from extip2 to any iptos lowdelay diverted-output
add count altq nat_fast tcp from extip2 to any setup diverted-output
add count altq nat_fast tcp from extip2 to any tcpflags ack tcpdatalen 0 diverted-output
# Interactive SSH:
add count altq local_int_ssh tcp from any 22 to any iptos lowdelay out
add count altq local_int_ssh tcp from any to any 22 iptos lowdelay out
# TCP ack w/o data, TCP setup, IPTOS_LOWDELAY:
add count altq local_faster tcp from any to any setup out
add count altq local_fast ip from any to any iptos lowdelay out
add count altq local_fast tcp from any to any tcpflags ack tcpdatalen 0 out
# Cut-off point: now we account for state.
add check-state # # Services allowed internally: add allow tcp from any to any 22,80,113,123,139,443,445,8080,8443,88,749 setup keep-state in via dc0 add allow udp from any to any 53,68,137,138,88,464 keep-state in via dc0 # # Chat: add allow altq my_nat_fast tcp from extip1 to any 5190-5193,6666-6667 setup keep-state diverted-output # My non-interactive SSH: add allow altq my_nat_ssh tcp from extip1 to any 22 setup keep-state diverted-output # My web surfing: add allow altq my_nat_surf tcp from extip1 to any dst-port 80,443,8080,8443 setup keep-state out # My NAT'd default: add allow altq my_nat_def icmp from extip1 to any diverted-output add allow altq my_nat_def tcp from extip1 to any diverted-output add allow altq my_nat_def udp from extip1 to any diverted-output # NAT'd default: add allow altq nat_def icmp from any to any diverted-output add allow altq nat_def tcp from any to any diverted-output add allow altq nat_def udp from any to any diverted-output # locally-generated egress traffic: # DNS, NTP: add allow altq local_fast udp from any to any 53,123 keep-state # Chat: add allow altq local_fast tcp from any to any 5190-5193,6666-6667 setup keep-state out # Non-interactive SSH: add allow altq local_ssh tcp from any to any 22 setup keep-state out add allow altq local_ssh tcp from any to any 22 setup keep-state in # Web surfing: add allow altq local_surf tcp from any to any dst-port 80,443,8080,8443 setup keep-state out # Services allowed inbound: add allow altq local_fast tcp from any to any 113 setup keep-state in add allow altq local_def tcp from any to any 22,80,113,443,5432,6881-6980,8080,8443 setup keep-state in # default: add allow altq local_def icmp from any to any add allow altq local_def tcp from any to any setup keep-state out add allow altq local_def udp from any to any keep-state out # Turn ALTQ back on. enable altq -- Brian Fundakowski Feldman \'[ FreeBSD ]''''''''''\ <> green@FreeBSD.org \ The Power to Serve! \ Opinions expressed are my own. 
                                                      \,,,,,,,,,,,,,,,,,,,,,,\

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 9 12:23:31 2005
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0A1CC16A41F; Wed, 9 Nov 2005 12:23:31 +0000 (GMT) (envelope-from cuk@cuk.nu)
Received: from jedi.netinet.si (jedi.netinet.si [213.143.65.250]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3746943D60; Wed, 9 Nov 2005 12:23:20 +0000 (GMT) (envelope-from cuk@cuk.nu)
Received: from localhost (localhost [127.0.0.1]) by jedi.netinet.si (Postfix) with ESMTP id E6C98125485; Tue, 8 Nov 2005 14:38:07 +0100 (CET)
Received: from jedi.netinet.si ([127.0.0.1]) by localhost (jedi.netinet.si [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 12354-07; Tue, 8 Nov 2005 14:38:07 +0100 (CET)
Received: from [192.168.6.60] (tm.213.143.78.60.lc.telemach.net [213.143.78.60]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by jedi.netinet.si (Postfix) with ESMTP id 48385125461; Tue, 8 Nov 2005 14:38:07 +0100 (CET)
Message-ID: <4370AA76.8000309@cuk.nu>
Date: Tue, 08 Nov 2005 14:39:02 +0100
From: Marko Cuk
Organization: NetInet
User-Agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Brian Fundakowski Feldman
References: <436FDC90.3020108@cuk.nu> <20051108013645.GE37350@green.homeunix.org>
In-Reply-To: <20051108013645.GE37350@green.homeunix.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: amavisd-new at NetInet.si
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Tun and ALTQ
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Wed, 09 Nov 2005 12:23:31 -0000

It seems that it works. Thanks.

Damn, for VLANs (802.1Q) you should specify "em", for "tun", vice versa... what a mess, hehe.

Cuk

Brian Fundakowski Feldman wrote:
>On Tue, Nov 08, 2005 at 12:00:32AM +0100, Marko Cuk wrote:
>>Resend...
>>
>>Please, does anyone have any ideas...
>>
>>What is the status of the tun0 driver and ALTQ ?
>>I have FreeBSD 6.0-RELEASE and have tried it without success. Why 6.0 ?
>>Don't know... curious maybe... if you think that 5.4 will work better,
>>I'll reinstall it.
>>
>>The tun0 is because of xDSL ( PPPoE )
>>
>>It seems like packets won't match the queue. Look at the pfctl output ( look
>>at the "bucy" rules -- he is a huge consumer and the primary uplink is
>>out for a week, xDSL is only backup and he consumes all the avail
>>bandwidth )
>>
>>THIS IFACE IS TUN0 ( pppoe )
>>queue root_em0 bandwidth 1Gb priority 0 cbq( wrr root ) {std_ext, bucy_out}
>>  [ pkts:      76053  bytes:    7390221  dropped pkts:      0 bytes:      0 ]
>>  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
>>  [ measured:   199.0 packets/s, 146.71Kb/s ]
>
>No it isn't, it's em0.  You probably want to be using ALTQ on tun0.
>I've done it; it works....

-- 
NetInet d.o.o.
http://www.NetInet.si
Private: http://cuk.nu
MountainBikeSlovenia team: http://mtb.si
Slovenian FreeBSD mirror admin http://www2.si.freebsd.org

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 9 12:23:33 2005
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1012B16A420; Wed, 9 Nov 2005 12:23:33 +0000 (GMT) (envelope-from cuk@cuk.nu)
Received: from jedi.netinet.si (jedi.netinet.si [213.143.65.250]) by mx1.FreeBSD.org (Postfix) with ESMTP id 20D4643D45; Wed, 9 Nov 2005 12:23:21 +0000 (GMT) (envelope-from cuk@cuk.nu)
Received: from localhost (localhost [127.0.0.1]) by jedi.netinet.si (Postfix) with ESMTP id 45A96125493; Wed, 9 Nov 2005 02:43:12 +0100 (CET)
Received: from jedi.netinet.si ([127.0.0.1]) by localhost (jedi.netinet.si [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 62363-09; Wed, 9 Nov 2005 02:43:11 +0100 (CET)
Received: from [192.168.6.60] (tm.213.143.78.60.lc.telemach.net [213.143.78.60]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by jedi.netinet.si (Postfix) with ESMTP id 9CFB4125461; Wed, 9 Nov 2005 02:43:11 +0100 (CET)
Message-ID: <43715469.9030505@cuk.nu>
Date: Wed, 09 Nov 2005 02:44:09 +0100
From: Marko Cuk
Organization: NetInet
User-Agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Max Laier
References: <436FDC90.3020108@cuk.nu> <4370AA76.8000309@cuk.nu> <20051108171544.GI37350@green.homeunix.org> <200511081946.19860.max@love2party.net>
In-Reply-To: <200511081946.19860.max@love2party.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: amavisd-new at NetInet.si
Cc: Brian Fundakowski Feldman , freebsd-doc@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Tun and ALTQ
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Wed, 09 Nov 2005 12:23:33 -0000

Max, thanks for the explanation, and thanks to the others for helping.

The second thing is the route-to routing capability of pf.

I have one dual-homed firewall and the configuration is very complicated, because I must have two NATs ( certain subnets through one ISP, certain through another ), routing, filtering, ALTQ, ...

The firewall has one default route, and the NAT which is on the default route works ok. The problem is the NAT on the other ISP, which works, but the packet ( translated from RFC1918 to public IP ) is sent through the DEFAULT route instead of to ISP2's default gateway ( next hop ).

I have solved it like that: em0 is the default ISP and has the default route, em1 is ISP2

pass out on em0 route-to (em1 x.x.x.1) from x.x.x.2 to any

but still it won't "catch" all packets, and tcpdumping em0 shows me that on em0 I get outgoing x.x.x.2 IPs ... The reply comes in on em1, that's ok.

I have managed it with ipf, like that:

pass out quick on em0 to em1:x.x.x.1 from x.x.x.2 to any

but I still don't like to have 2 packet filters on one host...

Does anyone have a clue for that ?

I can't catch the packet on the internal interface, because there it is an RFC1918 IP ( 192.168.x.x ) and if I route-to it, it will "bypass" NAT and that's not ok :) . If I do NAT and catch it on the outer interface, there are some packets "leaking" through on the default route.

Anyone with that setup here ?

Bye, Marko

Max Laier wrote:
>On Tuesday 08 November 2005 18:15, Brian Fundakowski Feldman wrote:
>>On Tue, Nov 08, 2005 at 02:39:02PM +0100, Marko Cuk wrote:
>>>It seems that it works. Thanks.
>>>
>>>Damn, for VLANs ( 802.1Q) you should specify "em", for "tun", vice
>>>versa... what a mess, hehe.
>>
>>No prob; I don't see why using the em(4) backing the tun(4) wouldn't
>>work for ALTQ _IF_ you actually tagged the (PPPoE?)
>>traffic on em(4).
>>I think that might be really hard, though, so for ALTQ you should
>>probably just specify the "logical" interface that you intend to
>>limit (that would be the IP tun(4) rather than the PPPoE em(4)).
>
>The problem with tun(4) in contrast to vlan(4) is that in some cases the
>packet has to go through userland (i.e. userland PPPoE).  During this detour
>the packet loses the ALTQ mbuf_tag and thus can no longer be stuck into the
>right queue.  That is why there is ALTQ support on tun(4) even though it
>doesn't make that much sense to introduce "unnatural" queueing in the pseudo
>interface.  For vlan(4) there is no such problem (VLANs are handled in the
>kernel all the way) so it's easy to stick the ALTQ tags on the packet and
>queue on the hardware interface underneath.
>
>>Do you have a suggestion on what would be good text to go into pf.conf(5)
>>so that this particular case is documented?
>
>[-> doc@, maybe somebody is interested/creative?]

-- 
NetInet d.o.o.
http://www.NetInet.si
Private: http://cuk.nu
MountainBikeSlovenia team: http://mtb.si
Slovenian FreeBSD mirror admin http://www2.si.freebsd.org

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 10 21:21:28 2005
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BB7B216A420 for ; Thu, 10 Nov 2005 21:21:28 +0000 (GMT) (envelope-from solinym@gmail.com)
Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.198]) by mx1.FreeBSD.org (Postfix) with ESMTP id B262D43D70 for ; Thu, 10 Nov 2005 21:21:26 +0000 (GMT) (envelope-from solinym@gmail.com)
Received: by wproxy.gmail.com with SMTP id i5so177386wra for ; Thu, 10 Nov 2005 13:21:26 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=AtzAcpLkG2rXE6EgqYRfBTT242F97YQzfOBGKF0AWCgrDzsPSvrAfK5+OI1gte7dMGnndD5dDpHAeXpZZ9uZWKrIV7t8kHAO6nDrJoex1FPAeB3Z/EpvpOSFwm5Hq9q/su0ExL8+Qb3SRlD+iSPNiVxs9+BYlTMLT44GsDR0i4g=
Received: by 10.54.150.12 with SMTP id x12mr256407wrd; Thu, 10 Nov 2005 13:21:26 -0800 (PST)
Received: by 10.54.81.15 with HTTP; Thu, 10 Nov 2005 13:21:26 -0800 (PST)
Message-ID:
Date: Thu, 10 Nov 2005 15:21:26 -0600
From: "Travis H."
To: Dave
In-Reply-To: <003301c5e0f6$6ce6d150$0900a8c0@satellite>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
References: <003301c5e0f6$6ce6d150$0900a8c0@satellite>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf and dhcp client or isp?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Thu, 10 Nov 2005 21:21:28 -0000

Well, it looks good; at least the DHCP rule seems to allow it in. Have you checked to see if the DHCP server address is valid? RR tends to renumber internal hosts quite a bit (and use RFC1918 addresses for some of their servers).

-- 
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 10 21:33:07 2005
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CC06216A41F for ; Thu, 10 Nov 2005 21:33:07 +0000 (GMT) (envelope-from solinym@gmail.com)
Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.192]) by mx1.FreeBSD.org (Postfix) with ESMTP id 62DF543D45 for ; Thu, 10 Nov 2005 21:33:07 +0000 (GMT) (envelope-from solinym@gmail.com)
Received: by wproxy.gmail.com with SMTP id i5so179201wra for ; Thu, 10 Nov 2005 13:33:06 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=XcEdS63d4ArzBDg6C7Gaq2xl1PpYcaFzupUdxXA156EwDC1/T0nU7n/meYsQ04MwrMoDYqmUiZ6gRxm3C81LmC1vAcd/4c6XNOPRmT6yewVtshSGjfDU9yDSZ8TyM4095fQS/h+cSHqqb0a/8yytZEpQtfjkfHwCKV15srUwTiE=
Received: by 10.54.109.9 with SMTP id h9mr301895wrc; Thu, 10 Nov 2005 13:33:06 -0800 (PST)
Received: by 10.54.81.15 with HTTP; Thu, 10 Nov 2005 13:33:06 -0800 (PST)
Message-ID:
Date: Thu, 10 Nov 2005 15:33:06 -0600
From: "Travis H."
To: Dave
In-Reply-To: <000301c5e279$122015e0$0900a8c0@satellite>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
References: <000301c5e279$122015e0$0900a8c0@satellite>
Cc: freebsd-pf@freebsd.org
Subject: Re: samba and smbfs
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Thu, 10 Nov 2005 21:33:07 -0000

Are you allowing stuff out from these ports as well? See my homepage, the "firewalls and protocols" document, for the flows you'll need to support SMB across a firewall. It does not cover browsing yet, but I have had success with simple sharing.

-- 
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 10 23:05:05 2005
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AD74116A41F for ; Thu, 10 Nov 2005 23:05:05 +0000 (GMT) (envelope-from mjeung@cisdata.net)
Received: from dagobah.cisdata.net (dagobah.cisdata.net [63.82.223.109]) by mx1.FreeBSD.org (Postfix) with ESMTP id 76CB643D45 for ; Thu, 10 Nov 2005 23:05:05 +0000 (GMT) (envelope-from mjeung@cisdata.net)
Received: from adsl-69-237-115-101.dsl.scrm01.pacbell.net ([69.237.115.101] helo=[192.168.45.245]) by dagobah.cisdata.net with esmtp (Exim 4.52 (FreeBSD)) id 1EaLTg-000Dln-UD for freebsd-pf@freebsd.org; Thu, 10 Nov 2005 15:05:09 -0800
Mime-Version: 1.0 (Apple Message framework v733)
Content-Transfer-Encoding: 7bit
Message-Id:
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
To: freebsd-pf@freebsd.org
From: Michael Jeung
Date: Thu, 10 Nov 2005 15:05:06 -0800
X-Mailer: Apple Mail (2.733)
Subject: CARP Partners
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Thu, 10 Nov 2005 23:05:05 -0000

Hello all,

I'm trying to set up a CARP situation wherein two of my servers will back each other up via CARP.

Server1 has static IP address 10.0.0.1
Server2 has static IP address 10.0.0.2

I would like Server1 to have a CARP address of 10.0.0.10
Server2 to have a CARP address of 10.0.0.20

In the event that Server1 dies, I want 10.0.0.10 to hop over to Server2
In the event that Server2 dies, I want 10.0.0.20 to hop over to Server1.

My /etc/rc.conf on Server1 looks like this:

cloned_interfaces="carp0 carp1"
ifconfig_carp0="vhid 10 pass carp10 10.0.0.10"
ifconfig_carp1="vhid 20 advskew 100 pass carp20 10.0.0.20"

My /etc/rc.conf on Server2 looks like this:

cloned_interfaces="carp0 carp1"
ifconfig_carp0="vhid 10 advskew 100 pass carp10 10.0.0.10"
ifconfig_carp1="vhid 20 pass carp20 10.0.0.20"

On both machines, net.inet.carp.preempt is set to 0.

Now, everything seems to be working exactly as it should --- except that my /var/log/messages is filling up with messages like this:

Nov 10 15:03:00 server2 kernel: carp_input: received len 20 < sizeof (struct carp_header)
Nov 10 15:03:31 server2 last message repeated 121 times
Nov 10 15:03:37 server2 last message repeated 278 times

Any suggestions?

Thanks!

Regards,
Michael Jeung
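An added example for the log line in Michael's post; it is not code from the post or from FreeBSD. The message comes from carp_input()'s first sanity check: the IP protocol 112 payload must be at least sizeof(struct carp_header), which is 36 bytes on FreeBSD (8 header bytes, an 8-byte counter and a 20-byte HMAC). CARP shares protocol number 112 with VRRP, and both put version 2 / type 1 in the first byte, so length is the only thing that separates them at this stage. One packet that is exactly 20 bytes is a VRRPv2 advertisement carrying a single virtual address (8-byte header, one IPv4 address, 8 bytes of authentication data, per RFC 3768). That a VRRP speaker on the same segment is what server2 hears is this editor's inference, not something the post establishes; the way to settle it is to capture "ip proto 112" on the interface with tcpdump and decode what arrives. The Python below does that decoding on captured payload bytes, verifies the checksum, and reports which packets would trigger the kernel message. All sample packets are constructed inline; the 10.0.0.254 VRRP router is an assumption.

```python
"""Decode raw IP protocol 112 payloads and flag the ones that FreeBSD's
carp_input() would log as "received len N < sizeof (struct carp_header)".

Added example for this thread, not code from the post or from FreeBSD.
Layouts: CARP from netinet/ip_carp.h (36-byte header), VRRPv2 from RFC 3768
(8 + 4*n + 8 bytes). Every packet below is constructed, not captured.
"""
import struct

IPPROTO_CARP = 112         # CARP reuses VRRP's protocol number
CARP_HEADER_LEN = 36       # sizeof(struct carp_header): 8 fixed + 8 counter + 20 HMAC
CARP_VERSION = 2           # both CARP and VRRPv2 put 2 in the version nibble
CARP_ADVERTISEMENT = 1     # ...and 1 in the type nibble: the first byte cannot tell them apart
CARP_AUTHLEN = 7           # counter + HMAC, in 32-bit words


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; CARP and VRRP both cover the whole payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_carp_adv(vhid: int, advskew: int, advbase: int = 1, counter: int = 0,
                   hmac: bytes = b"\x00" * 20) -> bytes:
    """Constructed CARP advertisement. A real one carries HMAC-SHA1 keyed with the
    'pass' from rc.conf over the vhid/advskew/addresses; zeros stand in here."""
    hdr = struct.pack("!BBBBBBH", (CARP_VERSION << 4) | CARP_ADVERTISEMENT,
                      vhid, advskew, CARP_AUTHLEN, 0, advbase, 0)
    body = hdr + struct.pack("!Q", counter) + hmac
    return body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]


def build_vrrp2_adv(vrid: int, priority: int, addresses: list, adver_int: int = 1) -> bytes:
    """Constructed VRRPv2 advertisement (RFC 3768): 8-byte header, n IPv4 addresses,
    8 bytes of authentication data. With one address that is exactly 20 bytes."""
    hdr = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(addresses), 0, adver_int, 0)
    body = hdr + b"".join(bytes(int(o) for o in a.split(".")) for a in addresses) + b"\x00" * 8
    return body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]


def classify(payload: bytes) -> dict:
    """Describe one protocol-112 payload. 'carp_would_log' is True exactly when
    FreeBSD's length check (len < sizeof(struct carp_header)) would fire."""
    n = len(payload)
    if n < 8:
        return {"kind": "junk", "len": n, "carp_would_log": True}
    version, vtype = payload[0] >> 4, payload[0] & 0x0F
    if version != CARP_VERSION or vtype != CARP_ADVERTISEMENT:
        return {"kind": "unknown", "len": n, "version": version, "type": vtype,
                "carp_would_log": n < CARP_HEADER_LEN}
    cksum_ok = inet_checksum(payload) == 0     # a correct checksum verifies to zero
    if n >= CARP_HEADER_LEN:
        # Long enough for carp_input, which would go on to check the HMAC. A VRRPv2
        # advertisement with five or more addresses is also >= 36 bytes and would
        # only be rejected at that later HMAC step, so length alone is not proof.
        vhid, advskew, authlen, _pad, advbase = struct.unpack("!BBBBB", payload[1:6])
        return {"kind": "carp", "len": n, "vhid": vhid, "advskew": advskew,
                "advbase": advbase, "authlen": authlen, "cksum_ok": cksum_ok,
                "carp_would_log": False}
    # Too short for CARP: this is the packet behind the log line. Try VRRPv2.
    vrid, priority, naddr, _auth, _adver = struct.unpack("!BBBBB", payload[1:6])
    if n == 8 + 4 * naddr + 8:
        addrs = [".".join(str(b) for b in payload[8 + 4 * i:12 + 4 * i]) for i in range(naddr)]
        return {"kind": "vrrp2", "len": n, "vrid": vrid, "priority": priority,
                "addresses": addrs, "cksum_ok": cksum_ok, "carp_would_log": True}
    return {"kind": "short", "len": n, "carp_would_log": True}


def audit(payloads: list) -> list:
    """Parsed records for every payload that would produce the kernel message."""
    return [r for r in map(classify, payloads) if r["carp_would_log"]]


if __name__ == "__main__":
    # Constructed traffic for the segment in the post: the two CARP vhids plus a
    # hypothetical VRRPv2 router at 10.0.0.254 (an assumption, not from the post).
    seen = [build_carp_adv(10, 0), build_carp_adv(20, 100),
            build_vrrp2_adv(1, 100, ["10.0.0.254"])]
    for rec in audit(seen):
        print("carp_input would log: received len %d < sizeof (struct carp_header): %s"
              % (rec["len"], rec))
```

If the short packets decode with a vrid and a priority rather than a vhid, the noise is another device's VRRP and the fix belongs on that device or in a filter on the segment, not in rc.conf: this check runs before CARP looks at vhid, advskew or preempt, so those settings cannot influence it.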