From owner-freebsd-pf@FreeBSD.ORG Sun Jul 16 07:16:40 2006
From: christian
To: "Travis H.", freebsd-pf@freebsd.org
Date: Sun, 16 Jul 2006 09:16:29 +0200
Message-ID: <44B9E7CD.6050401@qunec.net>
Subject: Re: RDR for locally generated traffic

> Hmm, gosh, I don't really know without trying. I think so, it should
> be like any other incoming packet as it arrives on the lo0 interface.
> Try it and let us know!
>
> You could also use route-to, or a static route, rather than an if
> alias, to get it to go to lo0, I think.

Hi again,

the route-to variant doesn't work, because the RDR has to be placed
before the route-to rule :-(

cheers,
Christian

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 16 14:01:18 2006
From: christian
To: christian, freebsd-pf@freebsd.org
Date: Sun, 16 Jul 2006 16:01:42 +0200
Message-ID: <44BA46C6.6030307@qunec.net>
In-Reply-To: <44B948CD.2060003@qunec.net>
Subject: Re: RDR for locally generated traffic

> So, it didn't work on lo0 (don't know why).
> Instead I used a secondary NIC which is not in use and assigned the
> IP address there; this worked of course, but isn't the nicest solution.
> This setup affects 10 servers, all of them will get this RDR rule and the
> secondary IP address.
> Maybe it's the only way.

I have to correct my statement: it's not working! Have to search for
another solution then...

cheers!

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 16 18:23:20 2006
From: Daniel Hartmeier
To: Ari Suutari
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Date: Sun, 16 Jul 2006 20:23:15 +0200
Message-ID: <20060716182315.GC3240@insomnia.benzedrine.cx>
In-Reply-To: <44B7D8B8.3090403@suutari.iki.fi>
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

On Fri, Jul 14, 2006 at 08:47:36PM +0300, Ari Suutari wrote:
> There has been discussion about this before. I know that perfect
> solution would be PF_DEFAULT_BLOCK, but while waiting for that
> I wonder why we cannot have pf_boot, which closes the
> boot hole (at least when run with proper filter rules).

That is certainly not a perfect solution, as it misses the point, mostly.

The "hole" being discussed is the time, during boot, before pf is fully
functional with the production ruleset. For a comparatively long time,
the pf module isn't even loaded yet. The time between module load and
enabling pf with the production ruleset is much smaller.

So, you first need to check the boot sequence for

- interfaces being brought up before pf is loaded
- addresses assigned to those interfaces
- daemons starting and listening on those addresses
- route table getting set up
- IP forwarding getting enabled
- etc.

And to get rid of the "hole", you need to get the order right so there
is nothing being exposed before the pf module is loaded. Once you have
ensured that nothing gets exposed before rc.d/pf is started, it's
trivial to make sure that that script only exits after pf has been
enabled and the production ruleset is in place.

Hence, a "default block" switch or compile time option _within_ pf is
not going to make any difference. The problem lies mostly outside of
pf, and the boot order needs to be carefully examined and adjusted, if
needed.

I think the chronological placement of rc.d/pf is already meant to
achieve precisely that. Have you actually checked the rc.d scripts and
found some order that needs to be adjusted?
Daniel

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 16 18:53:23 2006
From: Ari Suutari
To: Daniel Hartmeier
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Date: Sun, 16 Jul 2006 21:51:01 +0300
Message-ID: <44BA8A95.10300@suutari.iki.fi>
In-Reply-To: <20060716182315.GC3240@insomnia.benzedrine.cx>
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

Hi,

Daniel Hartmeier wrote:
> And to get rid of the "hole", you need to get the order right so there
> is nothing being exposed before the pf module is loaded. Once you have
> ensured that nothing gets exposed before rc.d/pf is started, it's
> trivial to make sure that that script only exits after pf has been
> enabled and the production ruleset is in place.

Too much tuning on a security-related issue. The standard startup
sequence should be secure. I really cannot understand what there is so
bad about /etc/rc.d/pf_boot that it cannot be added to FreeBSD, as
NetBSD & OpenBSD use it or something similar. I'm not yelling after
default block - others are, and use it as a reason not to use something
like pf_boot.

> I think the chronological placement of rc.d/pf is already meant to
> achieve precisely that, have you actually checked the rc.d scripts and
> found some order that needs to be adjusted?

I could of course adjust my rc.d scripts, but I would very much
appreciate that security-related things are there correctly in the
standard setup.

I'll try to port pf_boot myself if nobody else volunteers.
(I don't think there is much porting to do, however).

Ari S.
From owner-freebsd-pf@FreeBSD.ORG Sun Jul 16 19:17:44 2006
From: Daniel Hartmeier
To: Ari Suutari
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Date: Sun, 16 Jul 2006 21:17:32 +0200
Message-ID: <20060716191732.GD3240@insomnia.benzedrine.cx>
In-Reply-To: <44BA8A95.10300@suutari.iki.fi>
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

On Sun, Jul 16, 2006 at 09:51:01PM +0300, Ari Suutari wrote:
> I could of course adjust my rc.d scripts, but I would very much
> appreciate that security-related things are there correctly in
> standard setup.
>
> I'll try to port pf_boot myself if nobody else volunteers.
> (I don't think there is much porting to do, however).

The point of OpenBSD's "boot-time" (preliminary) ruleset is that pf can
be activated earlier, before the production ruleset can be loaded. The
production ruleset can usually not be loaded very early on in the boot
sequence, because it can contain constructs that rely on interfaces
having been created, IP addresses assigned, or host name resolution
working. At the point in time where all these things work, other things
are already exposed (briefly).

So what OpenBSD does (and I guess what that pf_boot script does on
NetBSD) is enable pf with a short hard-coded preliminary ruleset very
early on in the boot sequence, which only allows traffic which is needed
by the boot process itself subsequently. This protects the things
exposed afterwards, but before the production ruleset can be loaded. It
also remains effective should the production ruleset fail to load
(hence it usually allows ssh access to the firewall itself).

So first you need to identify whether FreeBSD's boot sequence suffers
the same issue (things are being exposed prior to the point where you
can load the production ruleset). Then you need to find the proper time
to load the kernel module and activate a preliminary ruleset. And of
course the preliminary ruleset needs to account for all legitimate
traffic that can subsequently occur during boot on various kinds of
setups.
One word of warning, the OpenBSD preliminary ruleset had to be revised
many times when people found it broke things that the boot sequence
needs in non-default setups. You'll likely go through several revisions
on FreeBSD as well.

You claimed there was a hole. If you can't explain what it consists of
("thing X might get exposed prior to rc.d/pf due to the following
sequence of events..."), blindly sticking in pf_boot at some convenient
place in the boot order is not guaranteed to solve more than it can
break. Whoever is going to do this will NEED to carefully go through
the rc.d sequence with regards to networking.

Daniel

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 16 20:19:35 2006
From: Ari Suutari
To: Daniel Hartmeier
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Date: Sun, 16 Jul 2006 23:17:14 +0300
Message-ID: <44BA9ECA.6090607@suutari.iki.fi>
In-Reply-To: <20060716191732.GD3240@insomnia.benzedrine.cx>
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

Hi,

Daniel Hartmeier wrote:
> You claimed there was a hole. If you can't explain what it consists of
> ("thing X might get exposed prior to rc.d/pf due to the following
> sequence of events..."),

On FreeBSD 6.1, run rcorder /etc/rc.d/*. You'll notice that pf is run
after netif, so if one is using only pf as firewall, there is a window
between the run of "netif" and "pf" where network interfaces are up but
there is no firewall loaded. Adding pf_boot, which runs before "netif",
would fix this, wouldn't it? Please correct me if I'm wrong here (that
would be nice, since then there wouldn't be any problem at all).

> blindly sticking in pf_boot at some convenient
> place in the boot order is not guaranteed to solve more than it can
> break.

I don't think I have been talking about blindly sticking pf_boot into
the boot order. I would only like to be sure that there *is* no hole. I
have been suggesting using pf_boot because it seems to be the approach
used in the other BSDs (well, I must admit that I didn't check how
OpenBSD does it, but I know that there is some kind of boot-time ruleset
there). I assumed that since the pf_boot solution is there, possible
problems with it had been ironed out on the other BSDs.

Even Windows XP has boot-time firewall protection today - we don't want
to be worse than them, do we :-)

Ari S.
From owner-freebsd-pf@FreeBSD.ORG Sun Jul 16 20:22:56 2006
From: Andrew Thompson
To: Ari Suutari
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Date: Mon, 17 Jul 2006 08:22:53 +1200
Message-ID: <20060716202253.GF29207@heff.fud.org.nz>
In-Reply-To: <44BA9ECA.6090607@suutari.iki.fi>
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

On Sun, Jul 16, 2006 at 11:17:14PM +0300, Ari Suutari wrote:
> Hi,
>
> Daniel Hartmeier wrote:
> >You claimed there was a hole. If you can't explain what it consists of
> >("thing X might get exposed prior to rc.d/pf due to the following
> >sequence of events..."),
>
> On FreeBSD 6.1, run rcorder /etc/rc.d/*. You'll notice that
> pf is run after netif so if one is using only pf as firewall,
> there is a window between run of "netif" and "pf" where network
> interfaces are up but there is no firewall loaded. Adding
> pf_boot, which runs before "netif" would fix this, wouldn't it ?

But.. pf runs before any userland daemons are loaded, so how does it
matter if there is a short window between netif and pf if nothing is
listening?

Andrew

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 16 20:30:54 2006
From: Ari Suutari
To: Andrew Thompson
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Date: Sun, 16 Jul 2006 23:28:33 +0300
Message-ID: <44BAA171.8070302@suutari.iki.fi>
In-Reply-To: <20060716202253.GF29207@heff.fud.org.nz>
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

Hi,

Andrew Thompson wrote:
>> On FreeBSD 6.1, run rcorder /etc/rc.d/*. You'll notice that
>> pf is run after netif so if one is using only pf as firewall,
>> there is a window between run of "netif" and "pf" where network
>> interfaces are up but there is no firewall loaded. Adding
>> pf_boot, which runs before "netif" would fix this, wouldn't it ?
>
> But.. pf runs before any userland daemons are loaded so how does it
> matter if there is a short window between netif and pf if nothing is
> listening?

I wasn't thinking about the firewall itself, but the network it
protects. But now I notice that routing is run *after* pf, so things
should be ok?

Sorry to be such a pain, but I have tried asking about this many times
and got no good answers (and I got even more worried when I noticed that
NetBSD had a special boot-time ruleset).

I guess this is case closed then!

Ari S.
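The rcorder check that Ari, Andrew and Ari's follow-up argue about, carried through as an added example (not from the thread): a sh(1) function that takes an rcorder(8) listing and reports where pf sits relative to netif (the window Ari describes), to routing (which enables forwarding for the network behind the box) and to the listening daemons Andrew points at, and whether a pf_boot script, if present, actually precedes netif. The embedded SAMPLE_RCORDER is constructed to resemble the FreeBSD 6.1 order and is not a real run; the set of scripts treated as exposing traffic (routing, sshd, inetd, named, sendmail) is an assumption of the example.

```shell
#!/bin/sh
# Added example, not from the thread: check where pf sits in an rcorder(8)
# listing relative to the scripts that expose the host (daemons) or the
# network behind it (routing, which enables forwarding). Input is the output
# of `rcorder /etc/rc.d/*`, one script path per line. SAMPLE_RCORDER is a
# constructed stand-in resembling the FreeBSD 6.1 order, not a real run,
# and the set of "exposing" scripts below is an assumption for this example.

SAMPLE_RCORDER='/etc/rc.d/hostname
/etc/rc.d/netif
/etc/rc.d/devd
/etc/rc.d/pf
/etc/rc.d/routing
/etc/rc.d/sshd
/etc/rc.d/inetd
/etc/rc.d/named'

# position_of NAME: read a listing on stdin and print the 1-based position of
# rc.d/NAME, or 0 if it is not in the boot order at all.
position_of() {
    awk -v name="$1" '
        { n++; sub(".*/", ""); if ($0 == name) { print n; found = 1; exit } }
        END { if (!found) print 0 }'
}

# check_boot_order: read a listing on stdin, print one finding per line and
# return 0 when pf runs before everything that exposes traffic, 1 otherwise.
check_boot_order() {
    listing=$(cat)
    rc=0
    pf=$(printf '%s\n' "$listing" | position_of pf)
    if [ "$pf" -eq 0 ]; then
        echo "FAIL: pf is not in the boot order at all"
        return 1
    fi
    netif=$(printf '%s\n' "$listing" | position_of netif)
    [ "$netif" -gt 0 ] && [ "$netif" -lt "$pf" ] &&
        echo "NOTE: netif (#$netif) runs before pf (#$pf): interfaces are up and unfiltered in that window"
    # A pf_boot script only helps if it runs before the interfaces come up.
    pfb=$(printf '%s\n' "$listing" | position_of pf_boot)
    if [ "$pfb" -gt 0 ] && [ "$netif" -gt 0 ]; then
        if [ "$pfb" -lt "$netif" ]; then
            echo "ok: pf_boot (#$pfb) runs before netif (#$netif), interfaces come up filtered"
        else
            echo "FAIL: pf_boot (#$pfb) runs after netif (#$netif), which defeats its purpose"
            rc=1
        fi
    fi
    # routing turns on forwarding for the network behind the box; the others listen.
    for s in routing sshd inetd named sendmail; do
        pos=$(printf '%s\n' "$listing" | position_of "$s")
        [ "$pos" -eq 0 ] && continue
        if [ "$pos" -lt "$pf" ]; then
            echo "FAIL: $s (#$pos) runs before pf (#$pf)"
            rc=1
        else
            echo "ok: $s (#$pos) runs after pf (#$pf)"
        fi
    done
    return $rc
}

# On a live system: rcorder /etc/rc.d/* | check_boot_order
```

The NOTE line is the netif-to-pf window itself: the check cannot close it, it only tells you whether anything that matters (forwarding, a listener) falls inside it, which is exactly the question Andrew and Gary raise in this thread.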
From owner-freebsd-pf@FreeBSD.ORG Sun Jul 16 20:54:11 2006
From: Gary Palmer
To: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Date: Sun, 16 Jul 2006 16:54:10 -0400
Message-ID: <20060716205410.GB6444@in-addr.com>
In-Reply-To: <20060716202253.GF29207@heff.fud.org.nz>
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

On Mon, Jul 17, 2006 at 08:22:53AM +1200, Andrew Thompson wrote:
> But.. pf runs before any userland daemons are loaded so how does it
> matter if there is a short window between netif and pf if nothing is
> listening?

That is one use case for PF, where you are protecting the local system.
What if you are running PF on a multi-homed host? Is
net.inet.ip.forwarding only ever set to 1 by /etc/rc.d/routing, or can
that be set by something else before it gets that far?

Gary

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 16 21:05:32 2006
From: des@des.no (Dag-Erling Smørgrav)
To: Daniel Hartmeier
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Date: Sun, 16 Jul 2006 23:05:27 +0200
Message-ID: <86y7utgt0o.fsf@xps.des.no>
In-Reply-To: <20060716182315.GC3240@insomnia.benzedrine.cx>
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

Daniel Hartmeier writes:
> Hence, a "default block" switch or compile time option _within_ pf is
> not going to make any difference.

Sure it will, if pf is compiled into the kernel or loaded by the BTX
loader.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 16 21:45:02 2006
From: Daniel Hartmeier
To: Dag-Erling Smørgrav
Date: Sun, 16 Jul 2006 23:44:56 +0200
Message-ID: <20060716214456.GE3240@insomnia.benzedrine.cx>
In-Reply-To: <86y7utgt0o.fsf@xps.des.no>
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

On Sun, Jul 16, 2006 at 11:05:27PM +0200, Dag-Erling Smørgrav wrote:
> > Hence, a "default block" switch or compile time option _within_ pf is
> > not going to make any difference.
>
> Sure it will, if pf is compiled into the kernel or loaded by the BTX
> loader.

Ok, in that case I guess you want to enable pf by default, too.

I haven't tried it in this mode, but the default block can be achieved
by simply changing sys/contrib/pf/pf_ioctl.c pf_attach()

-       pf_default_rule.action = PF_PASS;
+       pf_default_rule.action = PF_DROP;

        bzero(&pf_status, sizeof(pf_status));
+       pf_status.running = 1;

That would then block all packets on all interfaces, until a ruleset is
loaded. If anything started through the startup scripts needs unblocked
packets (including the production ruleset loading requiring name
resolution over network), you'd need to first load a simpler temporary
ruleset to pass that, and finally replace it with the production
ruleset.

And, of course, if the boot sequence for any reason doesn't reach that
point, you can only fix stuff with local access... :)

I'm not sure the average user _really_ is worried enough about that
half a second period on boot. But I DO know there will be people locking
themselves out from far-away remote hosts (on updates, for instance) if
this becomes the default.
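Review bot: setting pf_status.running = 1 in pf_attach() does not by itself put the new PF_DROP default into the packet path, because the attach path shown here never hooks pf into pfil (the very next line of pf_attach(), quoted in Max Laier's reply, is pf_pfil_hooked = 0; and nothing in this hunk calls hook_pf()), so until the rc.d script enables pf the default rule is never consulted and the boot window this change is meant to close stays open. A fail-closed attach has to hook pfil right here and must not continue silently if the hook fails. Since the hunk also flips the default from pass to drop on every interface for any kernel that has pf compiled in or loaded at boot, it needs a comment or a note in the documentation stating that such a host passes nothing at all, lo0 included, until a ruleset is loaded, which is the lock-out risk the prose below the hunk describes.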
Daniel From owner-freebsd-pf@FreeBSD.ORG Sun Jul 16 22:17:15 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 15BF716A4DE; Sun, 16 Jul 2006 22:17:15 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.177]) by mx1.FreeBSD.org (Postfix) with ESMTP id DC9BD43D4C; Sun, 16 Jul 2006 22:17:13 +0000 (GMT) (envelope-from max@love2party.net) Received: from [88.64.181.216] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu2) with ESMTP (Nemesis), id 0MKwtQ-1G2EvC2aW0-00041a; Mon, 17 Jul 2006 00:17:07 +0200 From: Max Laier Organization: FreeBSD To: freebsd-pf@freebsd.org Date: Mon, 17 Jul 2006 00:16:57 +0200 User-Agent: KMail/1.9.3 References: <44B7715E.8050906@suutari.iki.fi> <86y7utgt0o.fsf@xps.des.no> <20060716214456.GE3240@insomnia.benzedrine.cx> In-Reply-To: <20060716214456.GE3240@insomnia.benzedrine.cx> X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1233698.PquWgbKCin"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200607170017.05241.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: Dag-Erling =?iso-8859-1?q?Sm=F8rgrav?= , freebsd-security@freebsd.org Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ? 
On Sunday 16 July 2006 23:44, Daniel Hartmeier wrote:
> On Sun, Jul 16, 2006 at 11:05:27PM +0200, Dag-Erling Smørgrav wrote:
> > > Hence, a "default block" switch or compile time option _within_ pf is
> > > not going to make any difference.
> >
> > Sure it will, if pf is compiled into the kernel or loaded by the BTX
> > loader.
>
> Ok, in that case I guess you want to enable pf by default, too.
>
> I haven't tried it in this mode, but the default block can be achieved
> by simply changing sys/contrib/pf/pf_ioctl.c pf_attach()
>
> - pf_default_rule.action = PF_PASS;
> + pf_default_rule.action = PF_DROP;
>
>   bzero(&pf_status, sizeof(pf_status));
> + pf_status.running = 1;

You will also need this (just one line below):

  pf_pfil_hooked = 0;
+ error = hook_pf();
+ if (error || !pf_pfil_hooked)
+ panic("Unable to protect you from the scary internet!");

> That would then block all packets on all interfaces, until a ruleset is
> loaded. If anything started through the startup scripts needs unblocked
> packets (including the production ruleset loading requiring name
> resolution over network), you'd need to first load a simpler temporary
> ruleset to pass that, and finally replace it with the production
> ruleset.
>
> And, of course, if the boot sequence for any reason doesn't reach that
> point, you can only fix stuff with local access... :)
>
> I'm not sure the average user _really_ is worried enough about that
> half a second period on boot.
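Review bot: the panic() added in the hunk above turns a failed hook_pf() into a kernel crash, so a pfil registration error while the pf module loads takes the whole host down instead of leaving pf_attach() to report a failure; unless the attach path has no way to return an error, propagating `error` and leaving pf_status.running clear keeps the "could not hook" case visible and recoverable from the console. The message string should also name the actual condition (pfil hook failed) so that whoever reads the panic on a serial console knows what to look at.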
> But I DO know there will be people locking
> themselves out from far-away remote hosts (on updates, for instance) if
> this becomes the default.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 16 22:56:39 2006
From: "Greg Hennessy"
To: "'Daniel Hartmeier'", 'Dag-Erling Smørgrav'
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Date: Sun, 16 Jul 2006 23:56:35 +0100
Message-ID: <000c01c6a92b$167fcd00$0a00a8c0@thebeast>
In-Reply-To: <20060716214456.GE3240@insomnia.benzedrine.cx>
Subject: RE: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

> I'm not sure the average user _really_ is worried enough
> about that half a second period on boot. But I DO know there
> will be people locking themselves out from far-away remote
> hosts (on updates, for instance) if this becomes the default.

That is pretty much guaranteed. Murphy will always find a way to f*ck up a
reboot and simultaneously cause the 2611 on the console port to halt and
catch fire.

If punters want a default block, IMHO it doesn't get much easier than using
the mac_ifoff(4) kernel option discussed earlier on in the week, they can
tweak the pf startup to twiddle the relevant sysctl appropriately at the
right moment in time.

In order to salve the consciences of those who know naught but tick boxes,
and more importantly make them STFU and annoy someone else.

Perhaps a codicil to the FreeBSD pf.conf manpage, detailing the mac_ifoff
approach as a wholly unsupported solution for 'default block' to satisfy the
anally retentive.

Greg

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 17 00:00:41 2006
Date: Mon, 17 Jul 2006 01:36:01 +0300
From: Giorgos Keramidas
To: Daniel Hartmeier
Cc: Dag-Erling Smørgrav, freebsd-pf@freebsd.org, freebsd-security@freebsd.org
Message-ID: <20060716223601.GA5039@gothmog.pc>
In-Reply-To: <20060716214456.GE3240@insomnia.benzedrine.cx>
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

On 2006-07-16 23:44, Daniel Hartmeier wrote:
> On Sun, Jul 16, 2006 at 11:05:27PM +0200, Dag-Erling Smørgrav wrote:
>>> Hence, a "default block" switch or compile time option _within_ pf is
>>> not going to make any difference.
>>
>> Sure it will, if pf is compiled into the kernel or loaded by the BTX
>> loader.
>
> Ok, in that case I guess you want to enable pf by default, too.
>
> I haven't tried it in this mode, but the default block can be achieved
> by simply changing sys/contrib/pf/pf_ioctl.c pf_attach()
>
> - pf_default_rule.action = PF_PASS;
> + pf_default_rule.action = PF_DROP;
>
>   bzero(&pf_status, sizeof(pf_status));
> + pf_status.running = 1;

If this is the only change needed, then do you think it would be nice to
have it as a compile-time option, like IPFW does?  Something like this
perhaps?

    options PF_DEFAULT_TO_ACCEPT    #allow everything by default

I haven't verified that this is the _only_ change needed to make PF
block everything by default, but having it as a compile-time option
which defaults to block everything would be nice, right?

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 17 02:37:13 2006
Date: Mon, 17 Jul 2006 04:37:00 +0200
From: Daniel Hartmeier
To: Giorgos Keramidas
Message-ID: <20060717023700.GF3240@insomnia.benzedrine.cx>
In-Reply-To: <20060716223601.GA5039@gothmog.pc>
Cc: Dag-Erling Smørgrav, freebsd-pf@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

On Mon, Jul 17, 2006 at 01:36:01AM +0300, Giorgos Keramidas wrote:

> I haven't verified that this is the _only_ change needed to make PF
> block everything by default, but having it as a compile-time option
> which defaults to block everything would be nice, right?

Sure, when FreeBSD's default becomes to compile pf into the kernel or load
it by BTX, that makes sense. Otherwise it doesn't.

This is not about a style pet-peeve that some people have. There is no
common case where users forget to add a default block rule when they
intend to have one. Real production rulesets contain not just one but
several explicit block rules (generating replies for only certain blocks,
logging only certain blocks, etc.).

The only technical reason for this is in a specific case like DES brought
up. If you load pf as module and enable it half way through the rc.d
startup sequence, there's no need for it that I can see. It doesn't plug
the boot-time hole, if there is one.
Daniel

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 17 03:40:30 2006
Date: Sun, 16 Jul 2006 22:40:27 -0500
From: "Travis H."
To: "Daniel Hartmeier"
Cc: Dag-Erling Smørgrav, freebsd-pf@freebsd.org, freebsd-security@freebsd.org
In-Reply-To: <20060716214456.GE3240@insomnia.benzedrine.cx>
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
I'm pretty much in agreement on the necessity to examine startup order,
&c. However,

On 7/16/06, Daniel Hartmeier wrote:
> That would then block all packets on all interfaces, until a ruleset is
> loaded. If anything started through the startup scripts needs unblocked
> packets (including the production ruleset loading requiring name
> resolution over network), you'd need to first load a simpler temporary
> ruleset to pass that, and finally replace it with the production
> ruleset.

Yes. And it can have other effects, too; for example, squid won't start
up unless DNS is working. And your main firewall ruleset might have
(gasp) DNS names in it... not that relying on DNS for firewall rules is
particularly wise, but it is certainly much more manageable, and DNS
_can_ be secure for local servers with the right amount of work. And
IPv6 will basically make it effectively mandatory.

> And, of course, if the boot sequence for any reason doesn't reach that
> point, you can only fix stuff with local access... :)

Another person said:
> That is pretty much guaranteed. Murphy will always find a way to f*ck up a
> reboot and simultaneously cause the 2611 on the console port to halt and
> catch fire.

Tradeoff between security and convenience. Murphy's law cuts both ways;
if you're under an aggressive scan and happen to have a power blip... or
if the attacker can get your firewall to spontaneously reboot... you
have problems. The basic question is; do you want security or
availability? Seems to me this should be a personal choice, and I think
both sides have a point. Making it a compile-time option or sysctl would
solve it, wouldn't it?
> I'm not sure the average user _really_ is worried enough about that
> half a second period on boot. But I DO know there will be people locking
> themselves out from far-away remote hosts (on updates, for instance) if
> this becomes the default.

Generally, Unix has provided enough rope for people to hang themselves
(or their servers).

And then he said:
> If punters want a default block, IMHO it doesn't get much easier than using
> the mac_ifoff(4) kernel option discussed earlier on in the week, they can
> tweak the pf startup to twiddle the relevant sysctl appropriately at the
> right moment in time.

It's not particularly maintainable to be tweaking startup scripts; the
tweaks have a way of disappearing during upgrades, and I'm not about to
put all of etc under revision control to track one or two changes.
-- 
``I am not a pessimist. To perceive evil where it exists is, in my
opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 17 06:04:02 2006
From: Darren Reed
Message-Id: <200607170603.k6H63lgD017631@caligula.anu.edu.au>
To: daniel@benzedrine.cx (Daniel Hartmeier)
Date: Mon, 17 Jul 2006 16:03:47 +1000 (Australia/ACT)
In-Reply-To: <20060716214456.GE3240@insomnia.benzedrine.cx> from "Daniel Hartmeier" at Jul 16, 2006 11:44:56 PM
Cc: Dag-Erling Smørgrav, freebsd-pf@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot,

In some mail from Daniel Hartmeier, sie said:
...
> I'm not sure the average user _really_ is worried enough about that
> half a second period on boot. But I DO know there will be people locking
> themselves out from far-away remote hosts (on updates, for instance) if
> this becomes the default.

For me this has always been the overriding reason to have IPFilter
always default (as shipped) to default allow. There are just too many
things that can go wrong that can lead to no access to a system.

That said, I believe NetBSD (and FreeBSD?) have this:

options IPFILTER_DEFAULT_BLOCK

You might want to do something similar for pf to make this easier for
those who (think they) know what they're doing.
Darren

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 17 08:11:41 2006
Date: Mon, 17 Jul 2006 10:10:12 +0200
From: Paul Schenkeveld
To: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Message-ID: <20060717081012.GA71385@psconsult.nl>
In-Reply-To: <20060716214456.GE3240@insomnia.benzedrine.cx>
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
On Sun, Jul 16, 2006 at 11:44:56PM +0200, Daniel Hartmeier wrote:
> On Sun, Jul 16, 2006 at 11:05:27PM +0200, Dag-Erling Smørgrav wrote:
>
> That would then block all packets on all interfaces, until a ruleset is
> loaded. If anything started through the startup scripts needs unblocked
> packets (including the production ruleset loading requiring name
> resolution over network), you'd need to first load a simpler temporary
> ruleset to pass that, and finally replace it with the production
> ruleset.
>
> And, of course, if the boot sequence for any reason doesn't reach that
> point, you can only fix stuff with local access... :)
>
> I'm not sure the average user _really_ is worried enough about that
> half a second period on boot. But I DO know there will be people locking
> themselves out from far-away remote hosts (on updates, for instance) if
> this becomes the default.

There are two completely different issues here. One is protecting the
machine itself, the other is to protect the complete network behind it
if this is a firewall.

Having a firewall open for half a second (is it really ONLY half a
second in all cases?) is not acceptable if this is a firewall.

So if you build a pf based firewall:

- Include pf in your kernel ("device pf" in ${ARCH}/conf/KERNEL) or load
  pf from BTX ("pf_load=YES" in /boot/loader.conf)
- Make sure you have console access before making changes to pf.conf or
  make sure you can get back to the firewall even after a mistake in
  pf.conf.
I've done quite a lot of remote ipfw.conf and ipf.rules maintenance on
remote, unattended firewalls and come up with several easy ways to make
sure the device reverts to the last known to work ruleset if I get locked
out during the process. One way is to schedule a "pfctl -Fa -f
/etc/pf.conf" or a reboot after several minutes using at(1) and make
changes to /etc/pf.conf.new, load it manually using pfctl and atrm(1) the
scheduled job if you can still reach the firewall. Finally when you are
really sure about the changes working correctly, move them to
/etc/pf.conf.

If you are to protect your company network or your customers' network,
maintaining access to the firewall is very important but exposing the
network behind it, even for a short time, is IMO not acceptable.

So I still believe in having some kind of PF_DEFAULT_BLOCK for those
caring about the protection of the network behind the firewall.

OTOH I see a good point in having the rc.d/pf_boot script the OP asked
for as well and install /etc/pf.boot.conf early giving applications DNS
(and access to i.e. a remote database needed to start up a certain app)
and give the sysadmin access until all required apps are loaded and
maybe even proven to work correctly.
Regards,

Paul Schenkeveld

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 17 08:23:08 2006
From: Harald Muehlboeck
To: Daniel Hartmeier
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Date: Mon, 17 Jul 2006 10:25:37 +0200
In-Reply-To: <20060717023700.GF3240@insomnia.benzedrine.cx> (Daniel Hartmeier's message of "Mon, 17 Jul 2006 04:37:00 +0200")
Message-ID: <86hd1ghc3i.fsf@tuha.clef.at>
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Daniel Hartmeier writes:

> On Mon, Jul 17, 2006 at 01:36:01AM +0300, Giorgos Keramidas wrote:
>
>> I haven't verified that this is the _only_ change needed to make PF
>> block everything by default, but having it as a compile-time option
>> which defaults to block everything would be nice, right?
>
> Sure, when FreeBSD's default becomes to compile pf into the kernel or load
> it by BTX, that makes sense. Otherwise it doesn't.

What do you mean by default? None of the firewalls available with
FreeBSD (ipfw, ipf, pf) is part of the GENERIC kernel. But many users
will compile the firewall of their choice into their CUSTOM kernels.
For ipfw and ipf this can be done either with "default to accept" or
"default to deny" policy by adding the option

options IPFIREWALL_DEFAULT_TO_DENY

or

options IPFILTER_DEFAULT_BLOCK

to the custom kernel configuration file.
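Paul Schenkeveld's at(1) fallback procedure from earlier in this thread (arm a timed revert, load the candidate ruleset, disarm only from a session that still works, then promote), written out as a script. This is an added example, not code from any message here or from FreeBSD; the file paths, the five-minute delay, the job-id file and the subcommand names are assumptions, and it expects pfctl(8), at(1) and atrm(1) on the host.

```shell
#!/bin/sh
# pf-safe-reload: added example, not code from the thread or from FreeBSD.
# Arms an automatic revert to the known-good ruleset with at(1), loads the
# candidate ruleset, and lets the admin disarm the revert with atrm(1) only
# from a session that can still reach the firewall.  Assumes pfctl(8),
# at(1) and atrm(1); paths, delay and job file below are assumed defaults.
set -eu

GOOD_CONF=${GOOD_CONF:-/etc/pf.conf}            # last known-good ruleset
CANDIDATE=${CANDIDATE:-/etc/pf.conf.new}        # ruleset under test
FALLBACK_MINUTES=${FALLBACK_MINUTES:-5}         # delay before auto-revert
JOB_FILE=${JOB_FILE:-/var/run/pf-fallback.job}  # stores the at(1) job number

# Parse-only check of a ruleset: pfctl -n loads nothing into the kernel.
check_ruleset() {
    pfctl -n -f "$1"
}

# Queue Paul's "pfctl -Fa -f /etc/pf.conf" (spelled -F all here) and print
# the at(1) job number.  FreeBSD's at(1) reports "Job N will be executed
# using /bin/sh", other implementations "job N at <date>"; match either.
schedule_fallback() {
    job=$(printf 'pfctl -F all -f %s\n' "$GOOD_CONF" \
          | at "now + $FALLBACK_MINUTES minutes" 2>&1 \
          | awk 'tolower($1) == "job" { print $2; exit }')
    [ -n "$job" ] || return 1
    printf '%s\n' "$job" > "$JOB_FILE"
    printf '%s\n' "$job"
}

# Remove the queued revert; fails if nothing is armed.
cancel_fallback() {
    [ -s "$JOB_FILE" ] || return 1
    atrm "$(cat "$JOB_FILE")"
    rm -f "$JOB_FILE"
}

# "load": arm the fallback, then load the candidate.  pfctl -f replaces the
# ruleset without flushing states, so the session doing the reload survives
# it; the armed revert does flush, matching the command from the thread.
load_candidate() {
    check_ruleset "$CANDIDATE"
    job=$(schedule_fallback)
    echo "revert to $GOOD_CONF armed as at(1) job $job in $FALLBACK_MINUTES min"
    pfctl -f "$CANDIDATE"
    echo "loaded $CANDIDATE; if this host is still reachable run: $0 confirm"
}

# "promote": once the candidate has proven itself, make it the known-good file.
promote_candidate() {
    mv "$CANDIDATE" "$GOOD_CONF"
    echo "$GOOD_CONF now holds the confirmed ruleset"
}

case "${1-}" in
    load)    load_candidate ;;
    confirm) cancel_fallback || { echo "no revert job armed" >&2; exit 1; }
             echo "revert cancelled; run: $0 promote when satisfied" ;;
    promote) promote_candidate ;;
    "")      ;;   # no argument: only define the functions (sourced or tested)
    *)       echo "usage: $0 load|confirm|promote" >&2; exit 2 ;;
esac
```

Run `load` from the remote session, `confirm` from a fresh session that still gets in, and `promote` after the ruleset has been in service for a while; if `confirm` never happens, at(1) restores the old ruleset on its own.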
From owner-freebsd-pf@FreeBSD.ORG Mon Jul 17 09:13:57 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: freebsd-security@freebsd.org
Date: Mon, 17 Jul 2006 11:13:43 +0200
In-Reply-To: <86hd1ghc3i.fsf@tuha.clef.at>
Message-Id: <200607171113.54110.max@love2party.net>
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
[Replying to the latest message available]

Okay, now this is getting pretty pointless. It started out pretty promising
with an attempt to really investigate into a problem that might exist with
the way we boot up pf. No-one has yet provided evidence that it does exist,
though. What Daniel and others have suggested is, that interested parties
look at the boot process closely, identify possible windows of vulnerability
and propose a *proper* fix in form of reorder of the boot process, an early
pf_boot or something else.

As more and more people are screaming for rope to hang themselves with, I am
going to provide it. As we have established, the "fix" is a three line
change in pf_ioctl.c and otherwise non-intrusive. You will of course have to
rewrite your rulesets if you have a default to block policy, but since you
care about security, that's a little price to pay - right?

I would love to see somebody[tm] *really* looking into the boot process and
come up with a solution if we do have a problem there.

Otherwise I will post a patch for PF_DEFAULT_BLOCK after a few days of
cool-off time, if people then still think it's a good idea, I'll commit it.

Thanks.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 17 11:03:01 2006
Date: Mon, 17 Jul 2006 11:02:58 GMT
Message-Id: <200607171102.k6HB2wQG071602@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you
Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted     Tracker       Resp. Description
-------------------------------------------------------------------------------
o [2005/06/15] kern/82271     pf    [pf] cbq scheduler cause bad latency
f [2005/09/13] kern/86072     pf    [pf] Packet Filter rule not working prope
o [2006/02/07] kern/92949     pf    [pf] PF + ALTQ problems with latency
o [2006/02/18] sparc64/93530  pf    Incorrect checksums when using pf's route

4 problems total.

Non-critical problems
S Submitted     Tracker       Resp. Description
-------------------------------------------------------------------------------
o [2005/05/15] conf/81042     pf    [pf] [patch] /etc/pf.os doesn't match Fre
o [2006/02/25] kern/93825     pf    [pf] pf reply-to doesn't work
o [2006/03/27] kern/94992     pf    [pf] [patch] pfctl complains about ALTQ m
o [2006/04/21] bin/96150      pf    pfctl(8) -k non-functional

4 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 17 12:21:43 2006
Date: Mon, 17 Jul 2006 14:21:28 +0200
From: "Simon L. Nielsen"
To: Daniel Hartmeier
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Message-ID: <20060717122127.GC1087@zaphod.nitro.dk>
In-Reply-To: <20060716182315.GC3240@insomnia.benzedrine.cx>
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

On 2006.07.16 20:23:15 +0200, Daniel Hartmeier wrote:
> The "hole" being discussed is the time, during boot, before pf is fully
> functional with the production ruleset. For a comparatively long time,
> the pf module isn't even loaded yet. The time after module load and
> enabling pf with the production ruleset is much smaller.
>
> So, you first need to check the boot sequence for
>
> - interfaces being brought up before pf is loaded
> - addresses assigned to those interfaces
> - daemons starting and listening on those addresses
> - route table getting set up
> - IP forwarding getting enabled
> - etc.

Since nobody else seems to have actually done this, I took a look at
FreeBSD's rcorder (on my -CURRENT laptop) and actually I don't really
see a hole. Most importantly pf is enabled before routing.
Personally I would still like a default to deny knob, but that's
mainly to handle the case of an invalid ruleset which causes pf to be
left open. Yes, this is only a problem when the admin screws up, but
it happens...

(I have been looking at a rc.conf knob which would only enable
routing/forwarding if pf was properly enabled with a configured
ruleset, but I haven't gotten around to finishing that.)

# rcorder -s nostart /etc/rc.d/*
/etc/rc.d/dumpon
/etc/rc.d/initrandom
/etc/rc.d/geli
/etc/rc.d/gbde
/etc/rc.d/encswap
/etc/rc.d/ccd
/etc/rc.d/swap1
/etc/rc.d/mdconfig
/etc/rc.d/ramdisk
/etc/rc.d/early.sh
/etc/rc.d/fsck
/etc/rc.d/root
/etc/rc.d/mountcritlocal
/etc/rc.d/var
/etc/rc.d/cleanvar
/etc/rc.d/random
/etc/rc.d/adjkerntz
/etc/rc.d/atm1
/etc/rc.d/hostname
/etc/rc.d/ipfilter
/etc/rc.d/ipnat
/etc/rc.d/ipfs
/etc/rc.d/kldxref
/etc/rc.d/sppp
/etc/rc.d/addswap
/etc/rc.d/sysctl
/etc/rc.d/serial
/etc/rc.d/netif
/etc/rc.d/devd
/etc/rc.d/ipsec
/etc/rc.d/isdnd
/etc/rc.d/ppp
/etc/rc.d/ipfw
/etc/rc.d/nsswitch
/etc/rc.d/ip6addrctl
/etc/rc.d/atm2
/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/routing
[...]

-- 
Simon L. Nielsen

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 17 18:18:32 2006
From: "Travis H."
To: "Simon L. Nielsen"
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Date: Mon, 17 Jul 2006 13:18:26 -0500
In-Reply-To: <20060717122127.GC1087@zaphod.nitro.dk>
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

On 7/17/06, Simon L. Nielsen wrote:
> Personally I would still like a default to deny knob, but that's
> mainly to handle the case of an invalid ruleset which causes pf to be
> left open. Yes, this is only a problem when the admin screws up, but
> it happens...

Since you mention it, this would have been useful to me too. My
dynamic firewall daemon manages the ruleset (see homepage), and not
all rules are sent to pf at once, and the active rules persist across
reboots. In my case, I made a simple error in the script, it flushed
the rules (I think...), failed to load a ruleset, but in any case I
ended up with an invalid ruleset at boot time, and consequently a
completely open firewall. Subsequent to this, I made sure it wouldn't
happen again in various ways, but since I didn't have adequate
reporting I didn't know it was wide open until several days later.

It may be that I hung myself, but I'm pretty good with firewalls and
if it can happen to me it can happen to others. OTOH, if it had had
default block, I would have known immediately. Fortunately I didn't
seem to suffer any ill effects; the obsd firewall runs minimal
services.
-- 
``I am not a pessimist. To perceive evil where it exists is, in my
opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 17 18:59:20 2006
From: Ari Suutari
To: "Simon L. Nielsen"
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Date: Mon, 17 Jul 2006 21:59:23 +0300
Message-ID: <44BBDE0B.6050004@suutari.iki.fi>
In-Reply-To: <20060717122127.GC1087@zaphod.nitro.dk>
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

Hi,

Simon L. Nielsen wrote:
> Since nobody else seems to have actually done this, I took a look at
> FreeBSD's rcorder (on my -CURRENT laptop) and actually I don't really
> see a hole. Most importantly pf is enabled before routing.

I did this yesterday, but this thread has gotten quite active so maybe
you lost the results. But my findings were the same as yours: pf is
enabled before routing, which means that the hole I was afraid of
doesn't exist.

> Personally I would still like a default to deny knob, but that's
> mainly to handle the case of an invalid ruleset which causes pf to be
> left open. Yes, this is only a problem when the admin screws up, but
> it happens...

Yes, and it might be quite common: someone edits the ruleset but leaves
it unfinished because other, higher-priority jobs arrive (from the
boss...) and then someone else accidentally reboots your firewall...
Default deny (or rc.d/pf_boot) would help here.

Ari S.
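The behaviour Simon and Ari are asking for (pf falls back to deny-all when its ruleset fails to load, and forwarding only comes up when the real ruleset did) can be scripted in a few lines of sh on top of pfctl. The following is an added example, not code from the thread or from FreeBSD's rc.d scripts: pfctl's -n, -f and -e flags are real; the fallback path /etc/pf.deny.conf, the PFCTL override variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD's rc.d): load the
# production pf ruleset and, if it does not parse or load, install a
# minimal default-deny ruleset instead of leaving pf with an empty,
# wide-open ruleset. Forwarding is only switched on when the production
# ruleset is in place. Paths below are hypothetical.
PFCTL=${PFCTL:-pfctl}      # overridable so the logic can be tested without pf
PF_LOADED=""               # "production" or "fallback" after pf_safe_load

# Write the fallback ruleset: loopback passes, everything else is dropped.
pf_write_fallback() {      # $1: path to write (e.g. /etc/pf.deny.conf)
    cat > "$1" <<'EOF'
pass quick on lo0 all
block drop all
EOF
}

# Load ruleset $1; on any failure load the fallback $2 and return 1.
pf_safe_load() {
    conf=$1
    fallback=$2
    # -n only parses, so a syntax error is caught before the old ruleset
    # is replaced; the second call then swaps the new ruleset in.
    if "$PFCTL" -n -f "$conf" && "$PFCTL" -f "$conf"; then
        PF_LOADED=production
        return 0
    fi
    echo "pf: loading $conf failed, installing default-deny ruleset $fallback" >&2
    "$PFCTL" -f "$fallback" || echo "pf: fallback load failed as well" >&2
    PF_LOADED=fallback
    return 1
}

# True only while the production ruleset is the active one.
pf_forwarding_allowed() {
    [ "$PF_LOADED" = production ]
}

# Usage as root on FreeBSD:  sh pf_safe.sh /etc/pf.conf /etc/pf.deny.conf
# Rules are loaded before pf is enabled, so pf never runs without rules.
if [ $# -eq 2 ]; then
    [ -e "$2" ] || pf_write_fallback "$2"
    if pf_safe_load "$1" "$2"; then
        "$PFCTL" -e 2>/dev/null || true   # -e fails if already enabled
        sysctl net.inet.ip.forwarding=1
    else
        "$PFCTL" -e 2>/dev/null || true
        sysctl net.inet.ip.forwarding=0
    fi
fi
```

The ordering is the point: the ruleset (production or fallback) is installed before pf is enabled and before forwarding is turned on, so neither a parse error nor a missing file leaves the box forwarding with no filter.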
From owner-freebsd-pf@FreeBSD.ORG Tue Jul 18 17:30:59 2006
From: "Rajkumar S"
To: freebsd-pf@freebsd.org
Date: Tue, 18 Jul 2006 23:00:51 +0530
Message-ID: <64de5c8b0607181030h64d7d539r788ba7bbc6841e4d@mail.gmail.com>
Subject: Program to add/delete a rule from pf

Hi,

I am trying to do a pf module for snortsam, that requires a function
to add and delete rules, much like iptables -A and -D. As pfctl does
not support deletion of rules, and as reloading all rules every time a
new rule has to be added or deleted is a pita, I am trying to write a
program to do it, which will be used to write the snortsam plugin.

After going through sources of pfctl and some other programs, I wrote
a skeletal program to add a rule via ioctl, but that is not working.
My feeling is that I need to do some more init of pfioc_rule and
pf_rule structures to get it working, but the code of pfctl is a bit
dense to get a clear understanding. It will be great if someone here
can lend a helping hand!

with warm regards,

raj

/* The #include targets of the posted program were lost in the archive;
 * these are the headers the program needs. Comments mark the defects
 * that were fixed: an uninitialised anchor buffer, an uninitialised
 * pfioc_rule, DIOCGETADDRS used where DIOCBEGINADDRS hands out the pool
 * ticket, the rule added to the main ruleset instead of the anchor the
 * ticket was issued for, and no DIOCXCOMMIT. */
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <net/pfvar.h>
#include <err.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

#define IP_PROTO_TCP 6

int
main(void)
{
    struct pfioc_trans    trans;
    struct pfioc_trans_e  trans_e;
    struct pf_rule        pr;
    struct pfioc_rule     pr_ioctl;
    struct pfioc_pooladdr pp;
    const char           *pf_device = "/dev/pf";
    const char           *anchor = "snortsam";   /* was an uninitialised char[100] */
    int                   dev;

    if ((dev = open(pf_device, O_RDWR)) == -1)
        err(1, "open %s", pf_device);

    bzero(&trans, sizeof(trans));
    bzero(&trans_e, sizeof(trans_e));
    bzero(&pr, sizeof(pr));
    bzero(&pr_ioctl, sizeof(pr_ioctl));          /* was never zeroed */
    bzero(&pp, sizeof(pp));

    /* Open a transaction on the filter ruleset of the "snortsam" anchor.
     * The anchor still has to be called from pf.conf (anchor "snortsam")
     * for its rules to be evaluated. */
    strlcpy(trans_e.anchor, anchor, sizeof(trans_e.anchor));
    trans_e.rs_num = PF_RULESET_FILTER;
    trans.size = 1;
    trans.esize = sizeof(struct pfioc_trans_e);
    trans.array = &trans_e;
    if (ioctl(dev, DIOCXBEGIN, &trans) == -1)
        err(1, "DIOCXBEGIN");

    /* Get a pool ticket for the new rule's (empty) address pool. DIOCGETADDRS
     * reads the pool of an existing rule; DIOCBEGINADDRS is the call whose
     * ticket DIOCADDRULE checks. */
    if (ioctl(dev, DIOCBEGINADDRS, &pp) == -1)
        err(1, "DIOCBEGINADDRS");

    /* "block in inet proto tcp all": no addresses set, so it matches any. */
    pr.action = PF_DROP;
    pr.direction = PF_IN;
    pr.af = AF_INET;
    pr.proto = IP_PROTO_TCP;

    /* The rule must go into the anchor the ticket was issued for (pr_ioctl.anchor);
     * anchor_call is only for rules that themselves call another anchor. */
    strlcpy(pr_ioctl.anchor, anchor, sizeof(pr_ioctl.anchor));
    pr_ioctl.ticket = trans_e.ticket;
    pr_ioctl.pool_ticket = pp.ticket;
    memcpy(&pr_ioctl.rule, &pr, sizeof(pr_ioctl.rule));
    if (ioctl(dev, DIOCADDRULE, &pr_ioctl) == -1)
        err(1, "DIOCADDRULE");

    /* Nothing becomes active until the transaction is committed. */
    if (ioctl(dev, DIOCXCOMMIT, &trans) == -1)
        err(1, "DIOCXCOMMIT");

    close(dev);
    return (0);
}

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 18 17:50:14 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Tue, 18 Jul 2006 19:50:04 +0200
Message-Id: <200607181950.10304.max@love2party.net>
In-Reply-To: <64de5c8b0607181030h64d7d539r788ba7bbc6841e4d@mail.gmail.com>
Subject: Re: Program to add/delete a rule from pf

On Tuesday 18 July 2006 19:30, Rajkumar S wrote:
> Hi,
>
> I am trying to do a pf module for snortsam, that requires a function
> to add and delete rules, much like iptables -A and -D. As pfctl does
> not support deletion of rules, and as reloading all rules every time a
> new rule has to be added or deleted is a pita, I am trying to write a
> program to do it, which will be used to write the snortsam plugin.
>
> After going through sources of pfctl and some other programs, I wrote
> a skeletal program to add a rule via ioctl, but that is not working.

Just a short hint rather than debugging your code: Did you look into using
anchors like spamd and authpf do? That way it will be a simple matter of
flushing an anchor ruleset and the users of your plugin can have some say
where your rules end up by placing the anchor(s) accordingly.

> My feeling is that I need to do some more init of pfioc_rule and
> pf_rule structures to get it working, but the code of pfctl is a bit
> dense to get a clear understanding. It will be great if someone here
> can lend a helping hand!
>
> with warm regards,
>
> raj
>
> [...]

-- 
 /"\  Best regards,                      | mlaier@freebsd.org
 \ /  Max Laier                          | ICQ #67774661
  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
 / \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 19 00:50:12 2006
From: "Travis H."
To: "Max Laier", rajkumars@gmail.com
Cc: freebsd-pf@freebsd.org
Date: Tue, 18 Jul 2006 19:50:10 -0500
In-Reply-To: <200607181950.10304.max@love2party.net>
Subject: Re: Program to add/delete a rule from pf

On 7/18/06, Max Laier wrote:
> > After going through sources of pfctl and some other programs, I wrote
> > a skeletal program to add a rule via ioctl, but that is not working.

That sounds like the hard way to do it.

> Just a short hint rather than debugging your code: Did you look into using
> anchors like spamd and authpf do? That way it will be a simple matter of
> flushing an anchor ruleset and the users of your plugin can have some say
> where your rules end up by placing the anchor(s) accordingly.

That's probably the easiest way.

Another way is to use my dfd_keeper program, located at my homepage
below. It allows you to make arbitrary modifications to the pf rules.
It doesn't use ioctls; it remembers all the rules, makes modifications
to them at run-time, and re-loads the ruleset completely.
No anchors are really necessary, but you might want to use a few so
you can "patch" the ruleset temporarily without modifying your
dfd_keeper script (I provide the library, you provide the client
script). There is an example. It's meant for making run-time rule
changes, and even takes care of things like flushing states if you
remove a pass rule, etc. I would appreciate feedback on it.

It may seem a bit like overkill at first, but it's really not that hard
to understand. I have an example script, and the whole thing is not
very much code... maybe 2k lines. There are OpenBSD packages for it
and other prerequisites on my homepage as well.

The net result is that you get a textual interface to the firewall, and
you can define an arbitrary set of commands that are available to the
text interface. It's kind of like having a Unix shell, but for your
firewall.

-- 
``I am not a pessimist. To perceive evil where it exists is, in my
opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 19 06:20:26 2006
From: "Rajkumar S"
To: freebsd-pf@freebsd.org
Date: Wed, 19 Jul 2006 11:50:24 +0530
Message-ID: <64de5c8b0607182320m6c9d0d9er5636de052e448bf3@mail.gmail.com>
In-Reply-To: <200607181950.10304.max@love2party.net>
Subject: Re: Program to add/delete a rule from pf

On 7/18/06, Max Laier wrote:
> On Tuesday 18 July 2006 19:30, Rajkumar S wrote:
> Just a short hint rather than debugging your code: Did you look into using
> anchors like spamd and authpf do? That way it will be a simple matter of
> flushing an anchor ruleset and the users of your plugin can have some say
> where your rules end up by placing the anchor(s) accordingly.

Yes, I did consider that. In fact there is already an existing plugin
for snortsam working along this line. The way it works is to have an
anchor with the following rules.

table persist
table persist
block in log quick from to any
block out log quick from any to

Now the disadvantage is that this blocks all connections from an IP if
a rule gets triggered, which is pretty broad.
What I want is to have finer grained rules, i.e. block only the
offending connection, defined by the sip, dip, sport and dport. Such a
configuration cannot be handled by tables, AFAIK. This is the reason I
wanted to add and remove the rules themselves. Of course this will be
done inside an anchor.

Just to clarify once more, my requirement is to add and remove rules
like the ones below inside an anchor.

block in quick on fxp0 proto tcp from 192.168.3.3 port 1025 to 64.233.167.99 port 80
block in quick on fxp0 proto tcp from 192.168.3.23 port 1054 to 72.14.207.99 port 8080

Rule additions and deletions will be triggered by snort, via snortsam.
I would have been happy if pfctl supported a -D option like iptables,
as that is the only thing I am lacking. I do not want to flush the
anchor completely and start all over again to delete a rule.

raj

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 19 06:51:29 2006
From: "Rajkumar S"
To: "Travis H."
Cc: freebsd-pf@freebsd.org
Date: Wed, 19 Jul 2006 12:05:34 +0530
Message-ID: <64de5c8b0607182335q4fae2ed9w233f2ea6438504ad@mail.gmail.com>
Subject: Re: Program to add/delete a rule from pf

On 7/19/06, Travis H. wrote:
> Another way is to use my dfd_keeper program, located at my homepage
> below. It allows you to make arbitrary modifications to the pf rules.
> It doesn't use ioctls; it remembers all the rules, makes modifications
> to them at run-time, and re-loads the ruleset completely. No anchors
> are really necessary, but you might want to use a few so you can
> "patch" the ruleset temporarily without modifying your dfd_keeper
> script (I provide the library, you provide the client script). There
> is an example. It's meant for making run-time rule changes, and even
> takes care of things like flushing states if you remove a pass rule,
> etc. I would appreciate feedback on it.

Thanks for the link, but there are a couple of problems preventing me
from using it.

1. My motive is to get a snortsam plugin for FreeBSD pf to block an
offending connection, and contribute it back to snortsam. So I do not
want to use Zope or Twisted.

2. The license of the code does not permit me to contribute it back to
snortsam, which is BSD licensed.
btw, is there any other program (other than pfctl) that interfaces with pf using ioctl to add a rule (not a table entry) so that I can look into the code? raj From owner-freebsd-pf@FreeBSD.ORG Wed Jul 19 10:54:55 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A8FA516A4E0 for ; Wed, 19 Jul 2006 10:54:55 +0000 (UTC) (envelope-from rajkumars@gmail.com) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.171]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9E18E43D53 for ; Wed, 19 Jul 2006 10:54:54 +0000 (GMT) (envelope-from rajkumars@gmail.com) Received: by ug-out-1314.google.com with SMTP id m2so247737uge for ; Wed, 19 Jul 2006 03:54:53 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=OUOOniLEjQo9W6qkOyM0tihnLsY3nEH6m+uwuGG3LpJn1yFRdC0Mu5f1L/3OKn1OOnnWe9whA26HHSL3Cc73saO8xROmpKzl8q1XnNWPvaF4C/T/NUDhkl4f+87Pw1fMPmcdPGMwj+CNAz0ttVbjgmXbjCin1o+CeT+/If9oWgs= Received: by 10.78.170.17 with SMTP id s17mr256549hue; Wed, 19 Jul 2006 03:54:53 -0700 (PDT) Received: by 10.78.120.13 with HTTP; Wed, 19 Jul 2006 03:54:53 -0700 (PDT) Message-ID: <64de5c8b0607190354r6fec30afh3e1d10c5463e31eb@mail.gmail.com> Date: Wed, 19 Jul 2006 16:24:53 +0530 From: "Rajkumar S" To: freebsd-pf@freebsd.org In-Reply-To: <64de5c8b0607182320m6c9d0d9er5636de052e448bf3@mail.gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <64de5c8b0607181030h64d7d539r788ba7bbc6841e4d@mail.gmail.com> <200607181950.10304.max@love2party.net> <64de5c8b0607182320m6c9d0d9er5636de052e448bf3@mail.gmail.com> Subject: Re: Program to add/delete a rule from pf X-BeenThere: 
freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Jul 2006 10:54:55 -0000 On 7/19/06, Rajkumar S wrote: > Just to clarify once more, My requirement is to add and remove rules > like the one below inside an anchor. > > block in quick on fxp0 proto tcp from 192.168.3.3 port 1025 to > 64.233.167.99 port 80 > block in quick on fxp0 proto tcp from 192.168.3.23 port 1054 to > 72.14.207.99 port 8080 Got a reply from Daniel Hartmeier in the main pf list: Why don't you create sub-anchors, one for each single rule? Then removing one rule (and the sub-anchor that contains it) can be done by simply flushing the sub-anchor. You need one call in the main ruleset or the existing anchor, using the wildcard '*', that call evaluates all sub-anchors, and the call doesn't need to be updated when you insert/remove sub-anchors. You could even use the sub-anchor names in some clever way, like put the rule's expiration time (unix epoch) in that string, so to purge expired rules, you can traverse the list of sub-anchors alphabetically and stop when a name is larger than time(NULL). Or store some ID in the name (which your plugin associates with the entry), which helps you purge the sub-anchor without traversing them all searching for some rule. Unless you expect to have several thousand rules like this concurrently, the overhead of the sub-anchor evaluation isn't that terrible. IIRC, the ioctl API once contained a call to insert/remove one particular rule in a certain place of the ruleset, but it was cumbersome, and the entire (sub-)anchor concept makes it superfluous in most cases. Daniel This basically solves my problem. Thanks every one for help and suggetions. 
raj

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 20 00:10:18 2006
From: "Travis H."
To: "Rajkumar S"
Cc: freebsd-pf@freebsd.org
Date: Wed, 19 Jul 2006 19:10:16 -0500
Subject: Re: Program to add/delete a rule from pf
In-Reply-To: <64de5c8b0607182335q4fae2ed9w233f2ea6438504ad@mail.gmail.com>

On 7/19/06, Rajkumar S wrote:
> Thanks for the link, but there are a couple of problems preventing me
> from using it.
> 1. ... Zope and Twisted

A valid concern, they are a bit much for the task. Strictly speaking, it's only the ZopeInterface code, and the base Twisted code, but yeah, it's a bit bulky overall.

> 2. The license of the code does not permit me to contribute it back to
> snortsam, which is BSD licenced.

You can certainly take the example script and make a similar one without violating it... of course, then users would have to use dfd_keeper to take advantage of the script.

The license is not set in stone; my current feeling is that if nobody will pay me to earn a living, then they don't deserve the fruits of my obsession^W largesse. One day everything I wrote was BSD-licensed, but a prolonged period of unemployment left me relatively bitter.

> btw, is there any other program (other than pfctl) that interfaces
> with pf using ioctl to add a rule (not a table entry) so that I can
> look into the code?

Check out these links for possibilities:

http://www.benzedrine.cx/pf.html
https://solarflux.org/pf/

--
``I am not a pessimist. To perceive evil where it exists is, in my opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><- GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 20 00:11:59 2006
From: "Travis H."
To: "Rajkumar S"
Cc: freebsd-pf@freebsd.org
Date: Wed, 19 Jul 2006 19:11:56 -0500
Subject: Re: Program to add/delete a rule from pf
In-Reply-To: <64de5c8b0607190354r6fec30afh3e1d10c5463e31eb@mail.gmail.com>

On 7/19/06, Rajkumar S wrote:
> Unless you expect to have several thousand rules like this concurrently,
> the overhead of the sub-anchor evaluation isn't that terrible.

Especially because of the state table.

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 21 00:05:55 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-stable@freebsd.org
Cc: Michal Mertl, freebsd-pf@freebsd.org
Date: Fri, 21 Jul 2006 02:05:45 +0200
Subject: Re: Kernel panic with PF
Message-Id: <200607210205.51614.max@love2party.net>
In-Reply-To: <1153410809.1126.66.camel@genius.i.cz>
[CC'ing -pf]

On Thursday 20 July 2006 17:53, Michal Mertl wrote:
> Hello,
>
> I am deploying FreeBSD based application proxies' based firewall
> (www.kernun.com, but not much English there) and am having frequent
> panics of RELENG_6_1 under load. The server has IP forwarding disabled.
>
> I've got two machines in a carp cluster and the transparent proxies use
> PF to get the data.

Which proxies are you using? The "pool_ticket: 1429 != 1430" messages you quote below indicate a synchronization problem within the app talking to pf via ioctl's. Tickets are used to ensure atomic commits for operations that require more than one ioctl. If your proxy app runs in parallel it might screw up the internal state and thus leave it undefined afterwards. I give you that this shouldn't cause a kernel problem, but if we could fix the app we can probably find the right sanity check more easily.

> I don't know much about kernel internals and PF but from the following
> backtrace I understand that the crash happens because rpool->cur on line
> 2158 in src/sys/contrib/pf/net/pf.c is NULL and is dereferenced. It
> probably shouldn't happen yet it does.
>
> The machines are SMP and were running SMP kernel. The only places where
> pool.cur (or pool->cur) is assigned to are in pf_ioctl.c. It seems there
> are some lock operations though so it is probably believed that the
> coder is properly locked.
>
> I have been running with kern.smp.disabled=1 for a moment before I put
> the old firewall in place and haven't seen the panic but the time was
> definitely too short to make me believe it fixes the issue. Can setting
> debug.mpsafenet to 0 possibly also help?
>
> I could probably bandaid this particular failure mode by returning
> failure instead of panicking but the bug is probably elsewhere.
>
> I've lost the debug kernel from which this backtrace is and can't
> therefore continue much :-(. Unfortunately so far I can only reproduce
> the problem in production and for obvious reasons I can't put it there.
>
> Fatal trap 12: page fault while in kernel mode
> cpuid = 0; apic id = 00
> fault virtual address = 0x28
> fault code = supervisor read, page not present
> instruction pointer = 0x8:0xffffffff801ab528
> stack pointer = 0x10:0xffffffffb1ade650
> frame pointer = 0x10:0xffffff004cc7cc30
> code segment = base 0x0, limit 0xfffff, type 0x1b
> = DPL 0, pres 1, long 1, def32 0, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = 15 (swi1: net)
> trap number = 12
> panic: page fault
>
> #0 doadump () at pcpu.h:172
> #1 0x0000000000000004 in ?? ()
> #2 0xffffffff803d5137 in boot (howto=260)
>     at ../../../kern/kern_shutdown.c:402
> #3 0xffffffff803d58a1 in panic (fmt=0xffffff007ba32000 "@\223{")
>     at ../../../kern/kern_shutdown.c:558
> #4 0xffffffff80543b3f in trap_fatal (frame=0xffffff007ba32000,
>     eva=18446742976272241472) at ../../../amd64/amd64/trap.c:660
> #5 0xffffffff80543e5f in trap_pfault (frame=0xffffffffb1ade5a0,
>     usermode=0) at ../../../amd64/amd64/trap.c:573
> #6 0xffffffff80544113 in trap (frame=
>     {tf_rdi = 2, tf_rsi = -1098223465792, tf_rdx = -1098439497700,
>     tf_rcx = -1314002464, tf_r8 = 0, tf_r9 = -1314002776, tf_rax = 0,
>     tf_rbx = 0, tf_rbp = -1098223465424, tf_r10 = 1, tf_r11 = 257,
>     tf_r12 = -1098439497700, tf_r13 = -1314002776, tf_r14 = 2,
>     tf_r15 = -1314002464, tf_trapno = 12, tf_addr = 40,
>     tf_flags = 216171684640539392, tf_err = 0, tf_rip = -2145733336,
>     tf_cs = 8, tf_rflags = 66118, tf_rsp = -1314003360, tf_ss = 16})
>     at ../../../amd64/amd64/trap.c:352
> #7 0xffffffff8052feab in calltrap ()
>     at ../../../amd64/amd64/exception.S:168
> #8 0xffffffff801ab528 in pf_map_addr (af=2 '\002',
>     r=0xffffff004cc7cac0, saddr=0xffffff003fe7681c,
>     naddr=0xffffffffb1ade9e0, init_addr=0x0,
>     sn=0xffffffffb1ade8a8) at ../../../contrib/pf/net/pf.c:2163
> #9 0xffffffff801acab6 in pf_get_translation (pd=0xffffffffb1ade9c0,
>     m=0xffffff0042ede900, off=20, direction=1, kif=0xffffff007b038a00,
>     sn=0xffffffffb1ade8a8, saddr=0xffffff003fe7681c, sport=0,
>     daddr=0xffffff003fe76820, dport=50881, naddr=0xffffffffb1ade9e0,
>     nport=0xffffffffb1ade8b6) at ../../../contrib/pf/net/pf.c:2618
> #10 0xffffffff801b315b in pf_test_tcp (rm=0xffffffffb1ade960,
>     sm=0xffffffffb1ade950, direction=1, kif=0xffffff007b038a00,
>     m=0xffffff0042ede900, off=20, h=0xffffff003fe76810,
>     pd=0xffffffffb1ade9c0, am=0xffffffffb1ade968,
>     rsm=0xffffffffb1ade970,
>     ifq=0x2, inp=0x0) at ../../../contrib/pf/net/pf.c:3013
> #11 0xffffffff801b5694 in pf_test (dir=1, ifp=0xffffff0000bee800,
>     m0=0xffffffffb1adeaa0, eh=0xffffffffb1ade97e, inp=0x0)
>     at ../../../contrib/pf/net/pf.c:6449
> #12 0xffffffff801bafb2 in pf_check_in (arg=0x2, m=0xffffffffb1adeaa0,
>     ifp=0xffffff004cc7cac0, dir=-1314002464, inp=0xffffffffb1ade9e0)
>     at ../../../contrib/pf/net/pf_ioctl.c:3358
> #13 0xffffffff80461c2e in pfil_run_hooks (ph=0xffffffff807e0920,
>     mp=0xffffffffb1adeb28, ifp=0xffffff0000bee800, dir=1, inp=0x0)
>     at ../../../net/pfil.c:139
> #14 0xffffffff8048d225 in ip_input (m=0xffffff0042ede900)
>     at ../../../netinet/ip_input.c:465
> #15 0xffffffff8046180c in netisr_processqueue (ni=0xffffffff807df690)
>     at ../../../net/netisr.c:236
> #16 0xffffffff80461abd in swi_net (dummy=0x2)
>     at ../../../net/netisr.c:349
> #17 0xffffffff803bbd99 in ithread_loop (arg=0xffffff00000506a0)
>     at ../../../kern/kern_intr.c:684
> #18 0xffffffff803ba527 in fork_exit (
>     callout=0xffffffff803bbc50 , arg=0xffffff00000506a0,
>     frame=0xffffffffb1adec50) at ../../../kern/kern_fork.c:805
> #19 0xffffffff8053020e in fork_trampoline ()
>     at ../../../amd64/amd64/exception.S:394
> #20 0x0000000000000000 in ?? ()
>
> The firewall also reports lots of PF problems during operation:
>
> Jul 20 10:44:11 fw1 kernel: Jul 20 10:44:11 fw1 HTTP[7607]: KERN-100-E
> [natutil.c:770] ioctl(): Invalid argument (EINVAL=22)
> Jul 20 10:44:11 fw1 kernel: Jul 20 10:44:11 fw1 HTTP[7607]: NATT-111-E
> add_rule(): PF ioctl DIOCADDRULE failed
> Jul 20 10:44:11 fw1 kernel: Jul 20 10:44:11 fw1 HTTP[7607]: NATT-701-E
> addnatmap out(): Adding TCP NAT MAP from [127.0.0.1]:60860 to
> [212.80.76.13]:80 -> [193.179.161.10]:60860 failed
> Jul 20 10:44:11 fw1 kernel: Jul 20 10:44:11 fw1 HTTP[7607]: NETL-210-E
> netbind(server,10): NAT binding failed
>
> Kernel often reports "pool_ticket: 1429 != 1430" (with increasing
> numbers over time).
>
> Thank you very much for any advice.

--
/"\ Best regards,            | mlaier@freebsd.org
\ / Max Laier                | ICQ #67774661
 X  http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign    | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 21 01:06:05 2006
From: Daniel Hartmeier
To: Max Laier
Cc: Michal Mertl, freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Date: Fri, 21 Jul 2006 03:05:59 +0200
Subject: Re: Kernel panic with PF
Message-ID: <20060721010559.GB23227@insomnia.benzedrine.cx>
In-Reply-To: <200607210205.51614.max@love2party.net>

On Fri, Jul 21, 2006 at 02:05:45AM +0200, Max Laier wrote:
> Which proxies are you using? The "pool_ticket: 1429 != 1430" messages you
> quote below indicate a synchronization problem within the app talking to pf
> via ioctl's. Tickets are used to ensure atomic commits for operations that
> require more than one ioctl. If your proxy app runs in parallel it might
> screw up the internal state and thus leave it undefined afterwards. I give
> you that this shouldn't cause a kernel problem, but if we could fix the app
> we can probably find the right sanity check more easily.
This looks like a bug in pf_ioctl.c pfioctl() DIOCCHANGERULE if (((((newrule->action == PF_NAT) || (newrule->action == PF_RDR) || (newrule->action == PF_BINAT) || (newrule->rt > PF_FASTROUTE)) && - !pcr->anchor[0])) && + !newrule->anchor)) && (TAILQ_FIRST(&newrule->rpool.list) == NULL)) error = EINVAL; i.e. the pool must not be empty for routing and translation rules, except for translation rules that are actually anchor _calls_. The confusion is between translation rules within anchors (pcr->anchor[0] != '\0') and calls to anchors' translation rules (rule->anchor != NULL). If the proxy is using DIOCCHANGERULE (it must be the proxy, pfctl isn't using it at all), AND is trying to add/update a rule that requires at least one replacement address but contains an empty list, then this would cause the panic seen when that rule later matches a packet. This needs fixing in OpenBSD as well. Michal, can you please confirm that the patch above fixes the panic? The proxy will still misbehave and cause the log messages (one more EINVAL in this case ;), but the kernel shouldn't crash anymore. Thanks for the excellent bug report! 
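Review bot: the `- !pcr->anchor[0]` / `+ !newrule->anchor` change corrects the exemption rather than the symptom: the old test let any NAT/RDR/BINAT or route-to rule changed inside an anchor path (pcr->anchor[0] != '\0') skip the non-empty-pool requirement, whereas only rules that are themselves anchor calls (newrule->anchor != NULL) legitimately carry no pool, so a real translation rule with an empty rpool.list could be installed and later dereference rpool->cur == NULL in pf_map_addr when it matched a packet, which is the backtrace in the report. Two follow-ups: the hunk is shown without an `@@` header or context lines, so please post it against a named pf_ioctl.c revision and confirm that the DIOCADDRULE path (which the proxy's log shows it also uses) applies the same `!rule->anchor` form, so both entry points validate alike; and a defensive NULL check on rpool->cur at the pf.c dereference named in the backtrace would turn any future gap in ioctl validation into a failed translation rather than a kernel panic.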
Daniel

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 21 08:38:18 2006
From: "Axel S. Gruner"
To: freebsd-pf@freebsd.org
Date: Fri, 21 Jul 2006 10:34:09 +0200
Subject: Problem with CARP
Message-Id: <1153470849.716.23.camel@sn001.suedfac.com>

Hi,

we have two primary firewalls (named fw1 and fw2) which are connected to the WAN via one Router. Behind these Firewalls, we have our ApplicationServers (app1 and app2), also running PF, and one of these Applicationservers is also the GW for the internal Clients.

So, just fw1 and fw2 should work as a transparent Firewall, running PF+CARP+PFSYNC. GW for the internal clients is app2 (10.4.1.251), and the GW for app2 is .252/29 (the CARP interface on fw1 and fw2). The app2 has an external address, .251/29, and is also connected to the internal net (10.4.1.251). So, no problem getting out, and no problem getting in from the internet. Rules are fine.

fw1 (two external addresses)
ext -> .242/29
int -> .249/29

fw2 (two external addresses)
ext -> .243/29
int -> .250/29

on both fw I have:
CARP0 -> .252/29
CARP1 -> .244/29

fw1 is the Master (etc/rc.conf):
-------------------------------
cloned_interfaces="carp0 carp1"
network_interfaces="lo0 xl0 xl1 xl2 carp0 carp1 pfsync0 pflog0"
ifconfig_carp0="vhid 1 pass foo xxx.xxx.xxx.244 255.255.255.248"
ifconfig_carp1="vhid 2 pass bar xxx.xxx.xxx.252 255.255.255.248"
pfsync_enable="YES"
pfsync_syncdev="xl2"

fw2 the slave (etc/rc.conf):
---------------------------
cloned_interfaces="carp0 carp1"
network_interfaces="lo0 xl0 xl1 xl2 carp0 carp1 pfsync0 pflog0"
ifconfig_carp0="vhid 1 pass foo advskew 128 xxx.xxx.xxx.244 255.255.255.248"
ifconfig_carp1="vhid 2 pass bar advskew 128 xxx.xxx.xxx.252 255.255.255.248"
pfsync_enable="YES"
pfsync_syncdev="xl2"

On both, fw1 and fw2 /etc/sysctl.conf:
--------------------------------------
net.inet.carp.preempt=1
net.inet.carp.allow=1
net.inet.carp.log=1

In both /etc/pf.conf I have:
----------------------------
pass out on $ext_if proto carp keep state
pass out on $int_if proto carp keep state
pass quick on { xl2 } proto pfsync
pass on { xl0 xl1 } proto carp keep state

where xl0 is the external interface, xl1 the internal, and xl2 the crossover cable between both hosts fw1 and fw2.

Ok, if I shut down CARP0 on the fw1:

ifconfig carp0 down

the output of ifconfig looks like this:

fw1:
---
carp0: flags=8 mtu 1500
        inet 212.202.224.244 netmask 0xffffff00
        carp: INIT vhid 1 advbase 1 advskew 0
carp1: flags=49 mtu 1500
        inet 212.202.224.252 netmask 0xffffff00
        carp: MASTER vhid 2 advbase 1 advskew 0

fw2:
---
carp0: flags=49 mtu 1500
        inet 212.202.224.244 netmask 0xffffff00
        carp: MASTER vhid 1 advbase 1 advskew 128
carp1: flags=49 mtu 1500
        inet 212.202.224.252 netmask 0xffffff00
        carp: BACKUP vhid 2 advbase 1 advskew 128

Ok, fw2 is working as the master, but why only on carp0? I thought with preempt all of the CARP interfaces should switch to state BACKUP on fw1 and switch to MASTER on fw2.

So, before I shut down CARP0, I pinged a host in the internet from the internal net. So, I can not see any pause or break if I switch off CARP0 on fw1. But, my connection to the IRC dropped. Also ssh connection, ftp will drop.

So, after all that stuff a simple question: What is the problem? What am I missing, or did I misunderstand something?

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 21 08:57:39 2006
From: Michal Mertl
To: Max Laier
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Date: Fri, 21 Jul 2006 10:57:28 +0200
Subject: Re: Kernel panic with PF
Message-Id: <1153472248.1140.13.camel@genius.i.cz>
In-Reply-To: <200607210205.51614.max@love2party.net>

Max Laier writes on Fri 21. 07. 2006 at 02:05 +0200:
> [CC'ing -pf]
>
> On Thursday 20 July 2006 17:53, Michal Mertl wrote:
> > Hello,
> >
> > I am deploying FreeBSD based application proxies' based firewall
> > (www.kernun.com, but not much English there) and am having frequent
> > panics of RELENG_6_1 under load. The server has IP forwarding disabled.
> >
> > I've got two machines in a carp cluster and the transparent proxies use
> > PF to get the data.
>
> Which proxies are you using? The "pool_ticket: 1429 != 1430" messages you
> quote below indicate a synchronization problem within the app talking to pf
> via ioctl's. Tickets are used to ensure atomic commits for operations that
> require more than one ioctl. If your proxy app runs in parallel it might
> screw up the internal state and thus leave it undefined afterwards. I give
> you that this shouldn't cause a kernel problem, but if we could fix the app
> we can probably find the right sanity check more easily.

The proxy in fact runs in parallel (according to "pfctl -s info" it did about 50 inserts and removals in the state table per second - some 10Mbit of traffic, probably mostly HTTP) and it is quite possible that your explanation is correct. I will forward your suspicion to the vendor. This functionality of the software (using PF with anchors) is quite new - they used different mechanisms in previous versions so it may well have some bugs.
Thanks

Michal

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 21 09:05:50 2006
From: Michal Mertl
To: Daniel Hartmeier
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Date: Fri, 21 Jul 2006 11:05:26 +0200
Subject: Re: Kernel panic with PF
Message-Id: <1153472726.1140.23.camel@genius.i.cz>
In-Reply-To: <20060721010559.GB23227@insomnia.benzedrine.cx>

Daniel Hartmeier wrote:
> On Fri, Jul 21, 2006 at 02:05:45AM +0200, Max Laier wrote:
>
> > Which proxies are you using? The "pool_ticket: 1429 != 1430" messages you
> > quote below indicate a synchronization problem within the app talking to pf
> > via ioctl's. Tickets are used to ensure atomic commits for operations that
> > require more than one ioctl.
If your proxy app runs in parallel it might > > screw up the internal state and thus leave it undefined afterwards. I give > > you that this shouldn't cause a kernel problem, but if we could fix the app > > we can probably find the right sanity check more easily. > > This looks like a bug in pf_ioctl.c pfioctl() DIOCCHANGERULE > > if (((((newrule->action == PF_NAT) || > (newrule->action == PF_RDR) || > (newrule->action == PF_BINAT) || > (newrule->rt > PF_FASTROUTE)) && > - !pcr->anchor[0])) && > + !newrule->anchor)) && > (TAILQ_FIRST(&newrule->rpool.list) == NULL)) > error = EINVAL; > > i.e. the pool must not be empty for routing and translation rules, > except for translation rules that are actually anchor _calls_. > > The confusion is between translation rules within anchors > (pcr->anchor[0] != '\0') and calls to anchors' translation rules > (rule->anchor != NULL). > > If the proxy is using DIOCCHANGERULE (it must be the proxy, pfctl isn't > using it at all), AND is trying to add/update a rule that requires at > least one replacement address but contains an empty list, then this > would cause the panic seen when that rule later matches a packet. > > This needs fixing in OpenBSD as well. > > Michal, can you please confirm that the patch above fixes the panic? > The proxy will still misbehave and cause the log messages (one more > EINVAL in this case ;), but the kernel shouldn't crash anymore. I am afraid I can't test it at the moment. I am going to get one of the machines to my lab and will experiment with it there. I am afraid I will have problems generating enough traffic for the problem to appear but I will try. > Thanks for the excellent bug report! Thank you. I don't think is was that good as I now see that you had to guess there are anchors used. 
The rules look like this (except the rules seen by 'pfctl -s nat' they are
generated by the proxies when they start):

fw1#pfctl -s rule
fw1#pfctl -s nat
nat-anchor "/kernun/*" all
rdr-anchor "/kernun/*" all
fw1#pfctl -s Anchors -v
kernun
kernun/4026
kernun/4039
kernun/4088
kernun/4112
kernun/4134
kernun/4164
kernun/4197
kernun/4257
kernun/4296
kernun/4338
kernun/4383
kernun/4431
kernun/4482
kernun/4590
kernun/4649
fw1# pfctl -a kernun/4039 -s nat
rdr on em0 inet proto tcp from any to any port = http label "HTTP" -> 127.0.0.1

When the system was under load I saw ~5000 states in 'pfctl -s state'.

Thank you again. I will let you know when I get a chance to test your
patch and/or find out anything new.

Michal

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 21 09:15:54 2006
From: Daniel Hartmeier
To: Michal Mertl
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Kernel panic with PF
Date: Fri, 21 Jul 2006 11:15:49 +0200
Message-ID: <20060721091549.GC23227@insomnia.benzedrine.cx>
In-Reply-To: <1153472248.1140.13.camel@genius.i.cz>
References: <1153410809.1126.66.camel@genius.i.cz> <200607210205.51614.max@love2party.net> <1153472248.1140.13.camel@genius.i.cz>

On Fri, Jul 21, 2006 at 10:57:28AM +0200, Michal Mertl wrote:

> The proxy in fact runs in parallel (according to "pfctl -s info" it did
> about 50 inserts and removal in the state table per second - some 10Mbit
> of traffic, probably mostly HTTP) and it is quite possible that your
> explanation is correct. I will forward your suspicion to the vendor.
> This functionality of the software (using PF with anchors) is quite new
> - they used different mechanisms in previous versions so it may well
> have some bugs.

Anchors were introduced for this purpose, i.e. splitting the ruleset into
separate pieces, over each of which a single process can have authority,
so different processes don't stomp on each other's toes with ruleset
modifications.

Ask them if they really need to still use DIOCCHANGERULE, as the idea
with anchors is generally to only operate within one anchor, and usually
flush or replace the (smaller) ruleset within.

Each anchor has its own ticket, so if you're seeing ticket mismatches,
that means there are concurrent operations on the same anchor, even.
Daniel

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 21 10:03:56 2006
From: Michal Mertl
To: Daniel Hartmeier
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Kernel panic with PF
Date: Fri, 21 Jul 2006 12:03:40 +0200
Message-Id: <1153476220.1140.34.camel@genius.i.cz>
In-Reply-To: <20060721091549.GC23227@insomnia.benzedrine.cx>
References: <1153410809.1126.66.camel@genius.i.cz> <200607210205.51614.max@love2party.net> <1153472248.1140.13.camel@genius.i.cz> <20060721091549.GC23227@insomnia.benzedrine.cx>

Daniel Hartmeier wrote:
> On Fri, Jul 21, 2006 at 10:57:28AM +0200, Michal Mertl wrote:
>
> > The proxy in fact runs in parallel (according to "pfctl -s info" it did
> > about 50 inserts and removal in the state table per second - some 10Mbit
> > of traffic, probably mostly HTTP) and it is quite possible that your
> > explanation is correct. I will forward your suspicion to the vendor.
> > This functionality of the software (using PF with anchors) is quite new
> > - they used different mechanisms in previous versions so it may well
> > have some bugs.
>
> Anchors were introduced for this purpose, i.e. splitting the ruleset
> into separate pieces, over each of which a single process can have
> authority, so different processes don't stomp on each other's toes with
> ruleset modifications.

They (the Kernun authors) run multiple processes for each proxy.
Originally they used slightly modified Apache core for their proxies I
believe. Thus there are probably more processes using the same anchor. I
don't really understand what they do inside - I would think that when
there are no traffic blocking rules, there's no point in doing anything
with PF except initial setting of the rdr rule to the proxy.

> Ask them if they really need to still use DIOCCHANGERULE, as the idea
> with anchors is generally to only operate within one anchor, and usually
> flush or replace the (smaller) ruleset within.
>
> Each anchor has its own ticket, so if you're seeing ticket mismatches,
> that means there are concurrent operations on the same anchor, even.

I see. It would be better if they were part of this communication because
I don't know the internals (although I have the source code). I have
problems reaching them at the moment though.

> Daniel
>
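The approach Daniel recommends above (each proxy process owns one anchor and flushes or replaces that anchor's whole ruleset with pfctl, instead of editing single rules through DIOCCHANGERULE) written out as an added shell example. It is not code from the thread, from FreeBSD or from the Kernun proxies. It assumes the top-level nat-anchor/rdr-anchor "/kernun/*" entries and the kernun/<pid> anchor names and em0 interface shown earlier in the thread; the function names, the rule label and the port are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Kernun proxies.
# Assumes the top-level nat-anchor/rdr-anchor "/kernun/*" entries from the
# thread, so each proxy instance owns the anchor kernun/<pid>.  Function
# names, the label and the port are constructed for illustration.

# Ruleset for one proxy instance: a single rdr that carries a replacement
# address, so the rule always has a non-empty pool when a packet matches it.
gen_anchor_ruleset() {
    iface=$1 port=$2 label=$3
    printf 'rdr on %s inet proto tcp from any to any port %s label "%s" -> 127.0.0.1\n' \
        "$iface" "$port" "$label"
}

# Name of the anchor a given proxy process owns.
anchor_for_pid() {
    printf 'kernun/%s\n' "$1"
}

# Parse the generated ruleset without loading it (pfctl -n).  A non-zero
# status means pfctl rejected it, so the proxy can refuse to start rather
# than leave a broken anchor behind.
check_anchor_ruleset() {
    gen_anchor_ruleset "$@" | pfctl -n -f -
}

# Replace the whole ruleset of the process's anchor in one pfctl load.
# Every anchor has its own ticket, so two writers racing on the same anchor
# get a ticket mismatch instead of a half-edited ruleset; nothing here edits
# single rules in place with DIOCCHANGERULE.
load_anchor_ruleset() {
    pid=$1; shift
    gen_anchor_ruleset "$@" | pfctl -a "$(anchor_for_pid "$pid")" -f -
}

# Flush the anchor's NAT rules when the proxy exits so no stale rdr remains.
flush_anchor() {
    pfctl -a "$(anchor_for_pid "$1")" -F nat
}
```

A proxy instance would run check_anchor_ruleset em0 http HTTP and then load_anchor_ruleset $$ em0 http HTTP at start-up, and flush_anchor $$ at exit; 'pfctl -a kernun/<pid> -s nat', as used in the thread, shows what a given instance currently has loaded.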