From owner-freebsd-pf@FreeBSD.ORG Mon May 28 11:08:36 2007
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 28 May 2007 11:08:35 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/110698  pf    [pf] nat rule of pf without "on" clause causes invalid

3 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
f conf/81042   pf    [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/103304  pf    [pf] pf accepts nonexistent queue in rules
o kern/106400  pf    [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
o kern/110174  pf    [pf] pf pass route-to does not assign correct IP for t
s conf/110838  pf    tagged parameter on nat not working on FreeBSD 5.2

7 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon May 28 23:06:27 2007
From: Hugo Koji Kobayashi
To: freebsd-pf@freebsd.org
Date: Mon, 28 May 2007 19:42:25 -0300
Subject: udp fragmentation
Hello,

While making some tests with fragmented udp DNS responses (with EDNS0), we discovered a possible problem with pf in FreeBSD 6.2 and 7.0 (200705 snapshot).

Our test is a DNS query to a DNSSEC enabled server which replies with a ~4KB udp response. We do this with the following dig command:

  dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0

pf in FreeBSD 6.2 or 7.0 blocks the fragments and the DNS queries time out. Disabling the firewall, complete replies are received with no problem. The same test was run on an OpenBSD 4.1 box with no problem.

Complete test results were sent to the freebsd-stable and freebsd-net mailing lists and can be found here:

  http://lists.freebsd.org/pipermail/freebsd-stable/2007-May/035154.html

(The email message above includes tests with ipf)

pf rules look like this in all tests:

  scrub in all fragment reassemble

  block drop in log all

  pass in log on bge0 inet proto tcp from xxx.xxx.xxx.81 to xxx.xxx.xxx.87 port = ssh flags S/SA keep state
  pass out on bge0 proto tcp all flags S/SA keep state
  pass out on bge0 proto udp all keep state
  pass out on bge0 proto icmp all keep state

Am I doing something wrong? Is there anything else I should try on FreeBSD?
Thanks,
Hugo

From owner-freebsd-pf@FreeBSD.ORG Tue May 29 02:19:05 2007
From: "B. Cook"
To: freebsd-pf@freebsd.org
Date: Mon, 28 May 2007 21:40:59 -0400 (EDT)
Subject: multiple vlans and altq

I am trying to figure out the best way to do this, and I am quite confused about where I have to altq. I am sure that I am the source of my own confusion, but I can not seem to find anything to help myself. :)

I have a new box that we would like to use to replace our aging router that currently does not do any traffic shaping. I am using a P4 2G box w/ 256MB and two em cards running FreeBSD 6.2-p5 and Dell PowerConnects. I have all the vlan interfaces set up, and routing properly in my test area; but I can not seem to figure out how to altq the vlans logically.

The new router will have em0 as a /30 facing the provider and em1 will be set up with vlans.

What I have is a 4mbit symmetrical link and what I would like to do is make one parent queue on the external interface (cbq). Then split that into three queues (25% servers (borrow), 74% users and 1% other). And then split the users queue up into 4 queues of 25% each that can also borrow. (This is inferred from 'Building Firewalls with OpenBSD and PF: second edition' (paper page 211, pdf page 225).)

The mental problem I am having is how do the vlans work with respect to the 4mbit link? As in, how can I give all the vlan networks ethernet bandwidth when going vlan to vlan? Do I, or do I not, want to do that? (This was the problem with our 3620: the vlans overwhelm the router when there is too much traffic.)

If I want to limit their upload ability to the Internet would I have to do that on each vlan interface? Or would I need a second altq rule on the other interface em1? Should I just let them have free run of the ethernet, as this pc can handle it?

(I have also been reading the Absolute OpenBSD book from Michael Lucas, in which he uses an example of a dmznet, localnet and a t1. He subtracts the bandwidth of the t1 from the ethernet and makes a local queue of the difference of the two; I do not understand that. This is what got me confused and scared about all of this.)

I am not sure if I am helping myself by out thinking myself, or making this harder on myself than it needs to be.

Can anyone tell me how to do this? Or what I am thinking that is incorrect?

I have something like 20+ vlans that will be going into each of the 4 users queues, so I really need to know what I'm missing and why I think this is so hard.

Thank you greatly,

- Confused
From owner-freebsd-pf@FreeBSD.ORG Tue May 29 05:20:31 2007
From: "Jon Simola"
To: "B. Cook"
Cc: freebsd-pf@freebsd.org
Date: Mon, 28 May 2007 22:20:30 -0700
Subject: Re: multiple vlans and altq
On 5/28/07, B. Cook wrote:

> The new router will have em0 as a /30 facing the provider and em1 will be
> setup with vlans.

You have to queue on the parent interface for the vlans, em1.

> What I have is a 4mbit link symmetrical and what I would like to do is
> make one parent queue on the external interface (cbq). Then split that
> into three queues (25% servers(borrow), and 74% users and 1% other). And
> then split the users queue up into 4 queues 25% each that can also borrow.

You probably want queues on both interfaces. Traffic can only be shaped as it leaves an interface. So downloads will be queued on em1 (out to the clients) and uploads are queued on em0 at 4Mbit (out to the internet).

Because em1 is a LAN, you actually have 100Mbit (or 1000, or 10) that can exit the router on that interface. The max that can come into the router on em0 is 4Mbit, so you want to queue that same traffic to 4Mbit as it leaves the router into your vlans on em1. The rest of the link speed available on em1 can be used for inter-vlan routing.

> The mental problem I am having is how do the vlans work with respect to
> the 4mbit link? As in how can I give all the vlan networks ethernet
> bandwith when going vlan to vlan? Do I want not want to do that?

That's up to you.
It might help to visualize the router as having 21 interfaces (your 20 vlans plus the external em0). Using a separate queue for each tuple of [inbound interface, outbound interface] is easy to understand. The only problem might be the 400 queues required (imagine each queue as a one-way water pipe).

The other extreme would require 3 queues to address all of your concerns:

1. Traffic headed to the internet leaving on em0 (4Mbit)
2. Traffic from the internet going to servers/clients on em1 (4Mbit)
3. Inter-vlan traffic (Link speed of em1 minus the 4Mbit already used in 2)

> (I have also been reading the Absolute OpenBSD book from Michael Lucas, in
> which he uses an example of a dmznet, localnet and a t1. He subtracks the
> bandwidth of the t1 from the ethernet and makes a local queue of the
> difference of the two; I do not understand that. This is what got me
> confused and scared about all of this.)

Explained above, number 3 in the three queue example.

> I am not sure if I am helping myself by out thinking myself, or making
> this harder on myself than it needs to be.
>
> I have something like 20+ vlans that will be going into each of the 4
> users queues, so I really need to know what I'm missing and why I think
> this is so hard.

PF is a very flexible tool with a broad range of applications. What it can do is an awful lot more than what most people probably need it to do.
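One way to write the three-queue layout described above as a pf.conf in the ALTQ syntax of FreeBSD 6.x/7.x, added here as an example that is not part of Jon's reply or of any FreeBSD documentation. It assumes a kernel built with options ALTQ and ALTQ_CBQ and a 100Mbit em1; the vlan interface names, the 10.10.0.0/16 networks and the server ports are constructed placeholders.

```pf
# Added example (not from the thread): Jon's three-queue design in the
# ALTQ syntax of FreeBSD 6.x/7.x pf.  Requires a kernel with options
# ALTQ and ALTQ_CBQ.  Names marked "constructed" are placeholders.
ext_if   = "em0"                    # /30 toward the provider, as in the thread
int_if   = "em1"                    # physical parent of the vlan(4) interfaces
vlan_ifs = "{ vlan10 vlan20 vlan30 vlan40 vlan50 }"   # constructed names
lan_nets = "10.10.0.0/16"           # constructed: every network behind em1
servers  = "10.10.1.0/24"           # constructed: the server VLAN
users1   = "10.10.10.0/24"          # constructed: the four user groups
users2   = "10.10.20.0/24"
users3   = "10.10.30.0/24"
users4   = "10.10.40.0/24"

set skip on lo0

# Queue 1 (uploads): shaped where it leaves the box, on em0, at the 4Mbit
# the link carries.  25% servers / 74% users / 1% other, users split four
# ways; every class may borrow from idle siblings.
altq on $ext_if cbq bandwidth 4Mb queue { servers, users, other }

# Queues 2 and 3 (downloads and inter-VLAN) both leave on em1, so ALTQ is
# attached to the physical interface, not to the vlan children.  Traffic
# from the internet can never exceed the 4Mbit that arrives on em0, so the
# same class tree hangs under a hard 4Mb cap (no borrow on from_inet); the
# rest of the link is the "link speed minus 4Mbit" queue for vlan-to-vlan.
altq on $int_if cbq bandwidth 100Mb queue { from_inet, inter_vlan }
queue from_inet  on $int_if bandwidth 4Mb  cbq { servers, users, other }
queue inter_vlan on $int_if bandwidth 96Mb cbq(borrow)

# A queue defined without an "on" clause is instantiated on every interface
# whose tree names it, so this class tree exists once under the em0 root
# and once under from_inet on em1, with the same queue names in both.
queue servers bandwidth 25% cbq(borrow)
queue users   bandwidth 74% cbq(borrow) { u1, u2, u3, u4 }
queue u1      bandwidth 25% cbq(borrow)
queue u2      bandwidth 25% cbq(borrow)
queue u3      bandwidth 25% cbq(borrow)
queue u4      bandwidth 25% cbq(borrow)
queue other   bandwidth 1%  cbq(default)   # anything not queued explicitly

block drop in log all

# The queue named on the rule that creates a state is used for packets in
# both directions of that state: the request leaving em0 lands in the
# class under the em0 root, the replies leaving em1 land in the class of
# the same name under from_inet.  Rules are evaluated on the vlan
# interface the packet arrives on, shaping happens on em0/em1.
pass in on $vlan_ifs from $servers to ! $lan_nets keep state queue servers
pass in on $vlan_ifs from $users1  to ! $lan_nets keep state queue u1
pass in on $vlan_ifs from $users2  to ! $lan_nets keep state queue u2
pass in on $vlan_ifs from $users3  to ! $lan_nets keep state queue u3
pass in on $vlan_ifs from $users4  to ! $lan_nets keep state queue u4

# Queue 3: vlan-to-vlan traffic never touches the 4Mbit link, so it gets
# the remainder of em1 instead of competing with internet downloads.
pass in on $vlan_ifs from $lan_nets to $lan_nets keep state queue inter_vlan

# Sessions opened from the internet toward the servers (ports constructed).
pass in on $ext_if inet proto tcp from any to $servers port { 25, 80, 443 } \
    flags S/SA keep state queue servers

pass out all keep state
```

Check the expanded class tree with pfctl -nf /etc/pf.conf before loading it and with pfctl -s queue afterwards; pfctl rejects an interface that ends up with no default queue or with two.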
--
Jon

From owner-freebsd-pf@FreeBSD.ORG Tue May 29 09:09:01 2007
From: Volker
To: Zhouyi Zhou
Cc: mlaier@FreeBSD.org, "FreeBSD (PF)"
Date: Tue, 29 May 2007 11:08:02 +0200
Subject: Re: have anyone configured "synproxy state" beforce
On 05/28/07 14:17, Zhouyi Zhou wrote:
> high everyone,( in pariticular Max :-))
> The configuration line in my pf.conf is:
> pass in quick on lo0 proto tcp from any to any port 21 flags S/SA synproxy
> state
>
> But:
> the connection is established, but the control did not seams to pass to the
> ftpd
> Sincerely yours
> Zhouyi Zhou

Zhouyi,

security@ is the wrong mailing list. Please post questions like this to pf@.

I'm wondering where this traffic originates? You're using interface lo0 which will (most likely) be used for traffic on the local machine but you should not find much traffic on that interface from other hosts.

As you're using 21/tcp I assume you're playing with ftp traffic. Ftp is not just using that single (control) port but a pair of 21/tcp and a dynamically allocated port. You have to pass that traffic, too, or otherwise no data communication will be established. Also it is most likely that you will have to use an FTP proxy.

I suspect your whole problem is really not synproxy related.

HTH

Volker

> (Sorry for the previouly base64 encode mail caused by M$ outlook)

PS: FreeBSD is also great for workstations! :)

From owner-freebsd-pf@FreeBSD.ORG Tue May 29 09:44:09 2007
From: zhouyi zhou
To: Volker
Cc: mlaier@FreeBSD.org, freebsd-pf@freebsd.org
Date: Tue, 29 May 2007 17:19:17 +0800
Subject: Re: have anyone configured "synproxy state" beforce
Dear Mr. Volker

Thank you very much

Zelest persuaded me to add a "set skip on lo0". That becomes:

  set skip on lo0
  pass in quick on rl0 proto tcp from any to any port=21 flags S/SA synproxy stat\e

Sincerely yours
Zhouyi Zhou

From owner-freebsd-pf@FreeBSD.ORG Tue May 29 10:10:12 2007
From: "Abdullah Ibn Hamad Al-Marri"
To: "zhouyi zhou"
Cc: Volker, freebsd-pf@freebsd.org
Date: Tue, 29 May 2007 13:10:11 +0300
Subject: Re: have anyone configured "synproxy state" beforce

On 5/29/07, zhouyi zhou wrote:
> Zelest persuade me add a "set skip on lo0".
> That becomes:
> set skip on lo0
> pass in quick on rl0 proto tcp from any to any port=21 flags S/SA synproxy stat\e
Please make sure you fix the typos in your rule: it's "state" and not "stat\e".

  pass in quick on rl0 proto tcp from any to any port=21 flags S/SA synproxy state

As for Volker, he is a real helpful guy, thank you Volker :)

--
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/

From owner-freebsd-pf@FreeBSD.ORG Tue May 29 10:27:31 2007
From: zhouyi zhou
To: "Abdullah Ibn Hamad Al-Marri"
Cc: volker@vwsoft.com, freebsd-pf@freebsd.org
Date: Tue, 29 May 2007 18:29:04 +0800
Subject: Re: have anyone configured "synproxy state" beforce
Processed in 1.147227 secs) Received: from unknown (HELO zzy.H.qngy.gscas) (zhouzhouyi@ercist.iscas.ac.cn@124.16.138.62) by 0 with SMTP; 29 May 2007 10:25:14 -0000 Date: Tue, 29 May 2007 18:29:04 +0800 From: zhouyi zhou To: "Abdullah Ibn Hamad Al-Marri" Message-Id: <20070529182904.0ff69667.zhouzhouyi@ercist.iscas.ac.cn> In-Reply-To: <499c70c0705290310r125510f3ibba97895bcd105c9@mail.gmail.com> References: <007001c7a122$38fd41b0$1c024dd2@iosdf17a8152bc> <465BED72.6090100@vwsoft.com> <20070529171917.23c348f6.zhouzhouyi@ercist.iscas.ac.cn> <499c70c0705290310r125510f3ibba97895bcd105c9@mail.gmail.com> Organization: Institute of Software X-Mailer: Sylpheed version 1.0.4 (GTK+ 1.2.10; i386-portbld-freebsd5.4) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Cc: volker@vwsoft.com, freebsd-pf@freebsd.org Subject: Re: have anyone configured "synproxy state" beforce X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 May 2007 10:27:31 -0000 It is state and surely not stat\e, sorry for the error :-) On Tue, 29 May 2007 13:10:11 +0300 "Abdullah Ibn Hamad Al-Marri" wrote: > On 5/29/07, zhouyi zhou wrote: > > Dear Mr. Volker > > Thank you very much > > Zelest persuade me add a "set skip on lo0". 
> > That becomes:
> > set skip on lo0
> > pass in quick on rl0 proto tcp from any to any port=21 flags S/SA synproxy stat\e
> > Sincerely yours
> > Zhouyi Zhou
> > On Tue, 29 May 2007 11:08:02 +0200
> > Volker wrote:
> >
> > > On 05/28/07 14:17, Zhouyi Zhou wrote:
> > > > Hi everyone (in particular Max :-))
> > > > The configuration line in my pf.conf is:
> > > > pass in quick on lo0 proto tcp from any to any port 21 flags S/SA synproxy
> > > > state
> > > >
> > > > But:
> > > > the connection is established, but the control did not seem to pass to the
> > > > ftpd
> > > > Sincerely yours
> > > > Zhouyi Zhou
> > >
> > > Zhouyi,
> > >
> > > security@ is the wrong mailing list. Please post questions like this
> > > to pf@.
> > >
> > > I'm wondering where this traffic originates? You're using interface
> > > lo0 which will (most likely) be used for traffic on the local machine
> > > but you should not find much traffic on that interface from other hosts.
> > >
> > > As you're using 21/tcp I assume you're playing with ftp traffic. Ftp
> > > is not just using that single (control) port but a pair of 21/tcp and
> > > a dynamically allocated port. You have to pass that traffic, too, or
> > > otherwise no data communication will be established. Also it is most
> > > likely that you will have to use an FTP proxy.
> > >
> > > I suspect your whole problem is really not synproxy related.
> > >
> > > HTH
> > >
> > > Volker
> > >
> > > > (Sorry for the previously base64-encoded mail caused by M$ outlook)
> > > PS: FreeBSD is also great for workstations! :)
>
> Please make sure you fix the typos in your rule: it's "state" and not "stat\e".
>
> pass in quick on rl0 proto tcp from any to any port=21 flags S/SA synproxy state
>
> As for Volker, he is a really helpful guy. Thank you Volker :)
>
>
> -- 
> Regards,
>
> -Abdullah Ibn Hamad Al-Marri
> Arab Portal
> http://www.WeArab.Net/
>

From owner-freebsd-pf@FreeBSD.ORG Tue May 29 10:49:01 2007
Date: Tue, 29 May 2007 18:50:33 +0800
From: zhouyi zhou
To: freebsd-pf@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: (Security Regression Testsuites) Request for comments
Message-Id: <20070529185033.39bf3222.zhouzhouyi@ercist.iscas.ac.cn>
In-Reply-To: <20070528120029.DFCCB16A5BC@hub.freebsd.org>

Dear All,

I am a student enrolled in Google Summer of Code 2007. My job is to write security regression test suites for FreeBSD under the guidance of my mentor Dr. Robert Watson. With his encouragement, I write the following request for comments (RFC) :-)

//////////////////////////////////////////////////////////////
What I plan to do:

1) To test the stability of Mandatory Access Control and the Audit Subsystem for FreeBSD and TrustedBSD.
   Background:
   a) Many other modules in FreeBSD, such as PF, IPFW, IPSec and VIMAGE, had ignored the existence of Mandatory Access Control: they generate mbufs without a tag for Mandatory Access Control. Many of these have been corrected.
   b) The audit subsystem's handling of a full audit disk is wrong in locking vnodes.

2) To test the correct enforcement of various kinds of access control (Mandatory Access Control, ACLs, and privileges in jail).
   Goal: to prevent access-right violations of the designer's intention.

3) The consistency between the Mandatory Access Control label generated by a userland application and the label the kernel actually handles.

4) To test the various firewalls and IPSec.

///////////////////////////////////////////////////////////////
What I have done:

1) Investigated the Linux Test Project, especially for SELinux.
2) Investigated the stress2 package for FreeBSD.
3) Summarized the reasons for, and the resolution of, the conflict between Mandatory Access Control and PF, IPFW, IPSEC and VIMAGE.
4) Wrote a pseudo ethernet interface pair following the idea of another SoCer, Dr. Nanjun Li, and O'Reilly's , so that the network tests can be done on a single machine.

///////////////////////////////////////////////////////////////
Where I am still confused:

1) Which area and direction should I focus on? The security subsystem in FreeBSD is large; which area deserves a test suite with higher priority?
2) The general structure of the test suite: will it be a userland application package like stress2, or include a cooperating kernel module (like security/mac_test)?
3) How to write a test suite that will prevent further violations of security instead of testing the cases which are already corrected. PF, IPFW and IPSec have already corrected their conflict with Mandatory Access Control; I think the test cases for the already corrected problems will not discover newly generated problems. For example: the test case for PF's synproxy state rule only verifies that PF correctly adds a correct tag for Mandatory Access Control in the function pf_send_tcp; how do we discover a problem which may be created in the future by creating an mbuf without a correct tag for Mandatory Access Control in a new function?

///////////////////////////////////////////////////////////////////

Finally, I owe great thanks for various kinds of suggestions, not limited to the above.

Sincerely yours
Zhouyi Zhou
Institute of Software, Chinese Academy of Sciences

From owner-freebsd-pf@FreeBSD.ORG Tue May 29 20:18:51 2007
Date: Tue, 29 May 2007 22:18:49 +0200
From: Ermal Luçi
To: freebsd-pf@freebsd.org, freebsd-net@freebsd.org
Subject: [PATCH] ng_pf and l7 filtering possibility with PF
Message-ID: <9a542da30705291318t29b2d956j36b5b3ec2cb6b377@mail.gmail.com>

This is an ng_pf node based on the ng_ipfw code and idea. It allows interaction between PF and netgraph. Below are the node features and a dummy example of how to use it. The patch is attached.

Features:

1- By default it sends any packet that matches the rule to netgraph.
   Syntax:
     pass in from any to any netgraph 41
   # 41 is the hook number (it needs to be a number)

2- You can specify how many packets will be sent to netgraph. This is implemented as a keep state option.
   Syntax:
     pass in from any to any netgraph 41 keep state (max-packets-to-netgraph 4)

3- You can specify flags when adding the tag to the node.
   Syntax:
     ngctl msg pf: addtag { tagname=\"TEST\" tag=60 flags=4 }
   There are 4 flags for now:
   NG_PF_KILL_STATE (actually removes the state from the state pool directly from the node)
   NG_PF_IGNORE_STATE (it schedules the state to be removed later but behaves as the above and is really faster and safer)
   NG_PF_SKIP_FIREWALLS (skips firewalls; the way it is implemented this really skips any firewall on FreeBSD, at least ipfw and pf). This is a per-tag setting, meaning you can specify which packets with a specific tag should skip reparsing the rules.
   NG_PF_DROP_PACKET (really drops the packet; faster than telling a rule on PF to drop it. I don't like it personally because it is kind of magic, but it is there)

4- The node has these messages:
   NGM_PF_ADD_TAG (needs tagname, tagid, flags)
     struct ng_pf_command {
             char            name[NG_PF_TAG_NAME_SIZE];
             u_int16_t       tag;
             int             flags;
     };
   NGM_PF_RMV_TAG (needs tagname)
   NGM_PF_GET_TAGS (no arguments)
   #ifdef NG_PF_DEBUG
   NGM_PF_GET_STATS (number of packets in/out)
   NGM_PF_CLR_STATS
   NGM_PF_GETCLR_STATS
   #endif
   NGM_PF_SET_TAGZONE
   NGM_PF_GET_TAGZONE
   NGM_PF_DEFAULT_TAGZONE (for help)

5- You can send a packet back and forth (reparse the ruleset multiple times) by resending a packet that has already passed once to netgraph, by a matching rule with a different hook number. I.e.:
     ....
     .....
     pass in on $int from any to any netgraph 41
     pass in on $int tagged ONCE_TO_NETGRAPH netgraph 42
     pass in on $int tagged TWICE_TO_NETGRAPH netgraph 43
     ....
     ...

An example of how to find DC++ packets with ng_bpf and tag these packets with ng_tag is available in the ng_tag manual page. After that just connect a hook to ng_pf and you're done. Surely even the rule that sends the packet to the correct queue on the PF side. For more discussion on ng_bpf and packet matching for P2P packets follow http://lists.freebsd.org/pipermail/freebsd-current/2006-June/063863.html.

Sample configuration of the node.

1 - kldload ng_pf (after compiling).

2 - Create a sample pf.conf file like the following:

     pass out quick on $INT all tagged TRY keep state
     pass out quick on $INT proto tcp from any to any port 80 netgraph 41

     # or even this. It does the same thing.
     pass out on $INT proto tcp from any to any port 80 netgraph 41
     pass out on $INT all tagged TRY keep state

     # The tag TRY is added to the ng_pf list of tags to translate and the tag is added to the
     # packet with ng_tag.

3 - Configure the netgraph part of things. I used the following commands in my tests:

     # You understand the first 2 commands :).
     pfctl -e
     pfctl -F all -f /etc/pf.test

     # Here we configure a tag to be translated on the ng_pf node. The node translates
     # tagname=TRY as known by PF.
     ngctl msg pf: addtag { tagname=\"TRY\" tag=52 flags=0 }

     # Create a hook with an ng_tag node.
     ngctl mkpeer pf: tag 41 th1

     # Give a name to the hook for simplicity.
     ngctl name pf:41 match

     # Configure the ng_tag node.
     # We tell ng_tag not to touch the packets incoming/entering on hook "th1".
     ngctl msg match: sethookin { thisHook=\"th1\" ifNotMatch=\"th1\" }

     # ng_tag will tag packets leaving hook "th1" with tagname=TRY:
     #   thisHook  - hook name
     #   tag_id=24 - PACKET_TAG_PF_TAG (1)
     #   tag_len=4 - usually 4 bytes since we only pass a number/tag_id
     #   tag_data  - the tag we want to apply to packets on this hook
     ngctl msg match: sethookout { \
         thisHook=\"th1\" \
         tag_id=24 \
         tag_len=4 \
         tag_data=[ 52 ] }

     (1) PACKET_TAG_PF_TAG = 24 is taken from sys/mbuf.h.

After this, if you try to connect to port 80 of any webserver and check the PF statistics on rule matches with:

     pfctl -s rules -v

you'll see that packets have gone through the 'match by tag' rule after passing through netgraph.
Feedback is appreciated,
Ermali

From owner-freebsd-pf@FreeBSD.ORG Wed May 30 11:48:52 2007
Date: Wed, 30 May 2007 14:17:36 +0300
From: Alexander Motin
To: Ermal Luçi
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: [PATCH] ng_pf and l7 filtering possibility with PF
Message-ID: <465D5D50.2020009@freebsd.org>
In-Reply-To: <1180481012.00748860.1180470003@10.7.7.3>

Hi.

Ermal Luçi wrote:
> 4- The node has these messages:
> #ifdef NG_PF_DEBUG
> NGM_PF_GET_STATS, (number of packets in/out)
> NGM_PF_CLR_STATS,
> NGM_PF_GETCLR_STATS,
> #endif

Why comment them out? To save CPU on several addition operations? These stats could be used not only by developers but also by users, and they may not be able to rebuild the kernel module to get those stats.

-- 
Alexander Motin

From owner-freebsd-pf@FreeBSD.ORG Wed May 30 14:02:16 2007
Date: Wed, 30 May 2007 10:02:03 +0200
From: Max Laier
To: freebsd-pf@freebsd.org
Cc: Hugo Koji Kobayashi
Subject: Re: udp fragmentation
Message-Id: <200705301002.04911.max@love2party.net>
In-Reply-To: <20070528224225.GC40678@registro.br>

Hi Hugo,

On Tuesday 29 May 2007 00:42, Hugo Koji Kobayashi wrote:
> While making some tests with fragmented udp DNS responses (with
> EDNS0), we discovered a possible problem with pf in FreeBSD 6.2 and
> 7.0 (200705 snapshot).
>
> Our test is a DNS query to a DNSSEC-enabled server which replies with
> a ~4KB udp response. We do this with the following dig command:
>
> dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0
>
> pf in FreeBSD 6.2 or 7.0 blocks the fragments and the DNS queries
> time out. Disabling the firewall, complete replies are received with no
> problem. The same test was run on an OpenBSD 4.1 box with no problem.
>
> Complete test results were sent to the freebsd-stable and freebsd-net
> mailing lists and can be found here:
>
> http://lists.freebsd.org/pipermail/freebsd-stable/2007-May/035154.html
>
> (The email message above includes tests with ipf)
>
>
> pf rules look like this in all tests:
>
> scrub in all fragment reassemble
> block drop in log all
> pass in log on bge0 inet proto tcp from xxx.xxx.xxx.81 to xxx.xxx.xxx.87 port = ssh flags S/SA keep state
> pass out on bge0 proto tcp all flags S/SA keep state
> pass out on bge0 proto udp all keep state
> pass out on bge0 proto icmp all keep state
>
>
> Am I doing something wrong? Is there anything else I should try on
> FreeBSD?

Can you enable extended logging (pfctl -xm) and check your console for messages? Also please check "pfctl -si" for counter increases.
Thanks,
-- 
Max

From owner-freebsd-pf@FreeBSD.ORG Wed May 30 15:26:03 2007
Date: Wed, 30 May 2007 17:26:02 +0200
From: Ermal Luçi
To: Alexander Motin
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: [PATCH] ng_pf and l7 filtering possibility with PF
Message-ID: <9a542da30705300826g30e281bal6a68d5e17902fc21@mail.gmail.com>
In-Reply-To: <465D5D50.2020009@freebsd.org>

Alexander,
the only reason I made them available only for debugging is because of the int32_t types of those counters, which could overflow easily in busy environments. For 64-bit counters on 32-bit archs you need atomic operations and I don't know how much overhead that will be!? (correct me if I am wrong)

On 5/30/07, Alexander Motin wrote:
> Hi.
>
> Ermal Luçi wrote:
> > 4- The node has these messages:
> > #ifdef NG_PF_DEBUG
> > NGM_PF_GET_STATS, (number of packets in/out)
> > NGM_PF_CLR_STATS,
> > NGM_PF_GETCLR_STATS,
> > #endif
>
> Why comment them out? To save CPU on several addition operations?
> These stats could be used not only by developers but also by users and
> they may not be able to rebuild the kernel module to get those stats.
> > -- > Alexander Motin > From owner-freebsd-pf@FreeBSD.ORG Wed May 30 17:18:00 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 85DA416A477; Wed, 30 May 2007 17:18:00 +0000 (UTC) (envelope-from mav@freebsd.org) Received: from mail.alkar.net (mail.alkar.net [195.248.191.95]) by mx1.freebsd.org (Postfix) with ESMTP id A936A13C4B9; Wed, 30 May 2007 17:17:59 +0000 (UTC) (envelope-from mav@freebsd.org) Received: from [195.248.178.122] (HELO [192.168.3.2]) by mail.alkar.net (CommuniGate Pro SMTP 5.1.7) with ESMTPS id 760923115; Wed, 30 May 2007 20:17:58 +0300 Message-ID: <465DB17B.1070203@freebsd.org> Date: Wed, 30 May 2007 20:16:43 +0300 From: Alexander Motin User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060414 X-Accept-Language: en-us, en MIME-Version: 1.0 To: =?ISO-8859-1?Q?Ermal_Lu=E7i?= References: <1180481012.00748860.1180470003@10.7.7.3> <465D5D50.2020009@freebsd.org> <9a542da30705300826g30e281bal6a68d5e17902fc21@mail.gmail.com> In-Reply-To: <9a542da30705300826g30e281bal6a68d5e17902fc21@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org Subject: Re: [PATCH] ng_pf and l7 filtering possibility with PF X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 May 2007 17:18:00 -0000 Ermal Luçi wrote: > the only reason i made them available only for debugging is cause of > int32_t types of those counter and these could overflow easily on > busy environments. Yes it's could. But sometimes they can be needed just to see if/how it works. 
I just wanted to say that making it commented is nearly the same as not making.

--
Alexander Motin

From owner-freebsd-pf@FreeBSD.ORG Wed May 30 20:52:33 2007
From: Ermal Luçi
To: Alexander Motin
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Date: Wed, 30 May 2007 22:52:31 +0200
Message-ID: <9a542da30705301352s2229196v4ed2fa286036380a@mail.gmail.com>
In-Reply-To: <465DB17B.1070203@freebsd.org>
Subject: Re: [PATCH] ng_pf and l7 filtering possibility with PF
X-Content-Filtered-By: Mailman/MimeDel 2.1.5

OK, here it is with stats activated :).

On 5/30/07, Alexander Motin wrote:
> Ermal Luçi wrote:
> > the only reason i made them available only for debugging is cause of
> > int32_t types of those counter and these could overflow easily on
> > busy environments.
>
> Yes, it could. But sometimes they can be needed just to see if/how it
> works.
>
> I just wanted to say that making it commented is nearly the same as not
> making.
>
> --
> Alexander Motin
>

From owner-freebsd-pf@FreeBSD.ORG Wed May 30 21:54:14 2007
From: Alexander Motin
To: Ermal Luçi
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Date: Thu, 31 May 2007 00:52:56 +0300
Message-ID: <465DF238.4010902@freebsd.org>
In-Reply-To: <9a542da30705301352s2229196v4ed2fa286036380a@mail.gmail.com>
Subject: Re: [PATCH] ng_pf and l7 filtering possibility with PF

Ermal Luçi wrote:
> OK, here it is with stats activated :).

One more: all binary netgraph messages are hidden from user-level in ng_pf.h.
They are all covered with #ifdef _KERNEL. Specially?

--
Alexander Motin

From owner-freebsd-pf@FreeBSD.ORG Thu May 31 09:46:46 2007
From: Mahabub Basha
To: freebsd-pf@freebsd.org
Date: Thu, 31 May 2007 14:48:02 +0530
Subject: Problem to access FTP server
X-Content-Filtered-By: Mailman/MimeDel 2.1.5

Hi all,

I am a newbie to FreeBSD. I am using FreeBSD 6.1. I have a problem accessing my FTP server through the external IP behind a pf firewall. I can access my FTP server in active mode, but it does not work in passive mode. My ruleset file is the following:

======================================================================
pf.conf
======================================================================
lan = "port2"
wan = "port1"

# User BiNAT Rules
binat on $wan from 10.0.0.10 to any -> 172.16.1.10

# User RDR Rules
rdr on $wan from any to 172.16.1.10 -> 10.0.0.10

# User Filter Rules
pass all
=========================================================================

My LAN IP address is 10.0.0.10 and my WAN IP is 172.16.1.10. I just put the above three rules, and run my FTP server using inetd. I used the Core FTP client on Windows XP to connect to my FTP server machine; in active mode it works fine, but in passive mode it does not work.

Before I asked this problem here, I read the following links and tried out the same, but it is not working.

=====================================================================
http://www.openbsd.org/faq/pf/ftp.html
http://article.gmane.org/gmane.os.freebsd.devel.pf4freebsd/2952/match=issues+ftp+windows+pf
=====================================================================

I want to use a binat rule. Can anyone help me to solve this issue?
- Mahabub Basha.S

From owner-freebsd-pf@FreeBSD.ORG Thu May 31 13:49:25 2007
From: Hugo Koji Kobayashi
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Thu, 31 May 2007 10:49:23 -0300
Message-ID: <20070531134923.GH39552@registro.br>
In-Reply-To: <200705301002.04911.max@love2party.net>
Subject: Re: udp fragmentation

Hi Max,

Please find attached the test results after enabling extended logging.
I've done the test twice, changing dig's "+bufsize" parameter.
Thanks,
Hugo

On Wed, May 30, 2007 at 10:02:03AM +0200, Max Laier wrote:
> Hi Hugo,
>
> On Tuesday 29 May 2007 00:42, Hugo Koji Kobayashi wrote:
> > While making some tests with fragmented udp DNS responses (with
> > EDNS0), we discovered a possible problem with pf in FreeBSD 6.2 and
> > 7.0 (200705 snapshot).
> >
> > Our test is a DNS query to a DNSSEC-enabled server which replies with
> > a ~4KB udp response. We do this with the following dig command:
> >
> > dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0
> >
> > pf in FreeBSD 6.2 or 7.0 blocks the fragments and the DNS queries
> > time out. Disabling the firewall, complete replies are received with no
> > problem. The same test was run on an OpenBSD 4.1 box with no problem.
> >
> > Complete test results were sent to the freebsd-stable and freebsd-net
> > mailing lists and can be found here:
> >
> > http://lists.freebsd.org/pipermail/freebsd-stable/2007-May/035154.html
> >
> > (The email message above includes tests with ipf)
> >
> >
> > pf rules look like this in all tests:
> >
> > scrub in all fragment reassemble
> > block drop in log all
> > pass in log on bge0 inet proto tcp from xxx.xxx.xxx.81 to xxx.xxx.xxx.87 port = ssh flags S/SA keep state
> > pass out on bge0 proto tcp all flags S/SA keep state
> > pass out on bge0 proto udp all keep state
> > pass out on bge0 proto icmp all keep state
> >
> >
> > Am I doing something wrong? Is there anything else I should try on
> > FreeBSD?
>
> Can you enable extended logging (pfctl -xm) and check your console for
> messages? Also please check "pfctl -si" for counter increases.
>
> Thanks,
>
> --
> Max
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

Content-Disposition: attachment; filename="pf-edns0-tests.txt"

fbsd7# date; pfctl -si
Tue May 8 04:12:25 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:02:28           Debug: Urgent

Hostid: 0xfd3ea603

State Table                          Total             Rate
  current entries                        3
  searches                             335            2.3/s
  inserts                               39            0.3/s
  removals                              36            0.2/s
Counters
  match                                 39            0.3/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

fbsd7# date ; pfctl -xm
Tue May 8 04:13:00 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
debug level set to 'misc'

fbsd7# date ; pfctl -si
Tue May 8 04:13:10 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:03:13           Debug: Misc

Hostid: 0xfd3ea603

State Table                          Total             Rate
  current entries                        3
  searches                             370            1.9/s
  inserts                               39            0.2/s
  removals                              36            0.2/s
Counters
  match                                 39            0.2/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

fbsd7# dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0

; <<>> DiG 9.3.4 <<>> @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached

---- Console begin
pf_normalize_ip: reass frag 11881 @ 0-1480
pf_normalize_ip: reass frag 11881 @ 1480-2960
pf_normalize_ip: reass frag 11881 @ 2960-4094
pf_reassemble: 4094 < 4094?
pf_reassemble: complete: 0xc4338000(4114)
---- Console end

fbsd7# date ; pfctl -si
Tue May 8 04:15:24 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:05:27           Debug: Misc

Hostid: 0xfd3ea603

State Table                          Total             Rate
  current entries                        3
  searches                             405            1.2/s
  inserts                               40            0.1/s
  removals                              37            0.1/s
Counters
  match                                 40            0.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

# dig @192.36.144.107 se dnskey +dnssec +bufsize=4000 +retry=0

; <<>> DiG 9.3.4 <<>> @192.36.144.107 se dnskey +dnssec +bufsize=4000 +retry=0
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached
%
---- Console begin
pf_normalize_ip: reass frag 12137 @ 0-1480
pf_normalize_ip: reass frag 12137 @ 1480-2960
pf_normalize_ip: reass frag 12137 @ 2960-3932
pf_reassemble: 3932 < 3932?
pf_reassemble: complete: 0xc443b600(3952)
---- Console end

fbsd7# date ; pfctl -si
Tue May 8 04:17:02 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:07:05           Debug: Misc

Hostid: 0xfd3ea603

State Table                          Total             Rate
  current entries                        5
  searches                             661            1.6/s
  inserts                               42            0.1/s
  removals                              37            0.1/s
Counters
  match                                 42            0.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

From owner-freebsd-pf@FreeBSD.ORG Thu May 31 16:41:04 2007
From: snowcrash
To: freebsd-pf
Date: Thu, 31 May 2007 09:41:02 -0700
Message-ID: <70f41ba20705310941l62a95d98s22651e2ec5fed7fb@mail.gmail.com>
Reply-To: schneecrash+pf@gmail.com
Subject: how best to block this port 25 traffic/spam?

hi,

i use fbsd 6.2-release/p5's pf + spamd v4.1.1 to manage port 25 traffic.

in my pf.conf, i've

 ...
 set require-order no
 ...
 nat on $extif from $intif:network to any -> ($extif)
 ...
 no rdr on $extif from to any tag MXbl
 block log quick tagged MXbl label "(MXbl)"
 ...
 rdr on $extif proto tcp from to $MXwan port 25 -> $MXlan port 25
 rdr pass on $extif proto tcp from to ($extif) port 25 -> 127.0.0.1 port 8025
 rdr pass on $extif proto tcp from ! to ($extif) port 25 -> 127.0.0.1 port 8025
 rdr on $extif proto tcp from to $MXwan port 25 -> $MXlan port 25
 ...
 pass in log quick on $extif proto tcp from { , } to $MXlan port 25 keep state
 pass out log quick on $extif proto tcp from any to any port 25 keep state
 pass out log quick on $intif proto tcp from $MXlan to any port 25 keep state
 ...

all works great!
in my spamd logs, i'm seeing lots of

 May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37: ->
 May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37: ->
 May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37: ->

characterized by,

 (1) forged FROM: @hotmail.com
 (2) multiple connections per second from a given IP
 (3) 100% of the IPs are in Spamhaus PBL &/or CBL dnsbls; anything that _does_ sneak past the spamd stutter etc gets dropped anyway.

i'd LIKE to simply BLOCK, with NO logging, these noisy, from-@-hotmail connections at the fw PRIOR to spamd ever seeing them.

iiuc, my options to do so include:

 (a) install a small SMTP server on the router to ONLY reject at CBL *prior* to passing on to spamd
 (b) use the same SMTP server to reject FROM: == *@hotmail
 (c) DL/rsync the whole CBL into a local pf/spamd table
 (d) throttle # of connections / second, and add to pf block element if match/exceed

thoughts/comments on the 'best' approach?

thanks!

From owner-freebsd-pf@FreeBSD.ORG Thu May 31 20:28:47 2007
From: Ermal Luçi
To: Alexander Motin
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Date: Thu, 31 May 2007 22:28:46 +0200
Message-ID: <9a542da30705311328i4d1d0265v91565eb3dc90e6d6@mail.gmail.com>
In-Reply-To: <465DF238.4010902@freebsd.org>
Subject: Re: [PATCH] ng_pf and l7 filtering possibility with PF
X-Content-Filtered-By: Mailman/MimeDel 2.1.5

On 5/30/07, Alexander Motin wrote:
> Ermal Luçi wrote:
> > OK, here it is with stats activated :).
>
> One more: all binary netgraph messages are hidden from user-level in
> ng_pf.h. They are all covered with #ifdef _KERNEL. Specially?

No special need, just forgotten by me.
I fixed that too, and another bug with the max-packets-to-netgraph option which I am surprised I have not seen before.

Thanks for your help,
Ermali

>
> --
> Alexander Motin
>

From owner-freebsd-pf@FreeBSD.ORG Thu May 31 22:45:37 2007
Message-ID: <465F49E9.3050009@gmail.com>
Date: Fri, 01 Jun 2007 00:19:21 +0200
From: albinootje
To: schneecrash+pf@gmail.com
Cc: freebsd-pf
In-Reply-To: <70f41ba20705310941l62a95d98s22651e2ec5fed7fb@mail.gmail.com>
Subject: Re: how best to block this port 25 traffic/spam?

snowcrash wrote:
> i'd LIKE to simply BLOCK, with NO logging, these noisy, from-@-hotmail
> connections at the fw PRIOR to spamd ever seeing them.

--- cut for brevity ---

> (a) install a small SMTP server on the router to ONLY reject at CBL
> *prior* to passing on to spamd

i recommend assp : http://assp.sourceforge.net/

assp = anti-spam smtp proxy

if installed correctly it will sit in front of your smtp-server,
in my opinion it works awesome, and has lots of options, RBL being one of them

beware however... make sure you look at all the options and do not just go with all the default examples in the web-interface

HTH

From owner-freebsd-pf@FreeBSD.ORG Thu May 31 23:29:07 2007
From: snowcrash
To: albinootje
Cc: freebsd-pf
Date: Thu, 31 May 2007 16:29:06 -0700
Message-ID: <70f41ba20705311629o7d1f5f07n2477f7473ddee64a@mail.gmail.com>
In-Reply-To: <465F49E9.3050009@gmail.com>
Reply-To: schneecrash+pf@gmail.com
Subject: Re: how best to block this port 25 traffic/spam?

hi,

> i recommend assp : http://assp.sourceforge.net/
>
> assp = anti-spam smtp proxy
>
> if installed correctly it will sit in front of your smtp-server,
> in my opinion it works awesome, and has lots of options, RBL being one
> of them

now that looks very interesting. not familiar with it as yet. thanks!

> beware however... make sure you look at all the options and do not just
> go with all the default examples in the web-interface

understood. as i'd be running this on a 'small' headless router box, i'm interested in keeping anything i enable as lean/lightweight as possible -- which usually means trimming default options! :-)

thanks again!
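The port 25 thread above ends without a concrete implementation of the last option in the original post, throttling connections per second and adding the source to a pf block table. What follows is an added example, not code from either poster, that does this offline over spamd log lines: it parses the `(GREY) ip: <from> -> <to>` layout of the lines quoted in the thread (with the angle-bracketed addresses that the archive stripped restored), counts entries per source IP per one-second syslog bucket, keeps only sources claiming the sender domain in question, and returns the addresses in the form `pfctl -t <table> -T add` accepts. The sample lines, their sender and recipient addresses, the second and third source IPs, the `spamflood` table name and the `max_per_second` threshold are all assumptions made for the example.

```python
"""Rate-count spamd greylist log entries per source IP and emit pf table entries.

Added example, not from the mailing-list thread. It implements, at the log
level, the poster's option of throttling connections per second and adding
the source to a pf block table. The sample log lines are constructed; their
layout follows the "(STATE) ip: <from> -> <to>" lines quoted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample lines: the sender/recipient addresses and the second
# and third source IPs are made up; host name and pid follow the thread.
SAMPLE_LOG = """\
May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37: <bob1234@hotmail.com> -> <sales@example.org>
May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37: <bob1234@hotmail.com> -> <info@example.org>
May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37: <bob1234@hotmail.com> -> <postmaster@example.org>
May 31 09:29:28 edge6 spamd[416]: (GREY) 208.104.144.37: <bob1234@hotmail.com> -> <sales@example.org>
May 31 09:29:30 edge6 spamd[416]: (GREY) 192.0.2.10: <alice@example.net> -> <sales@example.org>
May 31 09:29:31 edge6 spamd[416]: (GREY) 198.51.100.7: <news@hotmail.com> -> <sales@example.org>
May 31 09:29:32 edge6 spamd[416]: (GREY) 198.51.100.7: <news@hotmail.com> -> <info@example.org>
this line is not a spamd entry and is skipped
"""

# Timestamp, host, pid, greylist state, source IP, envelope sender, recipient.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ spamd\[\d+\]: "
    r"\((?P<state>[A-Z]+)\) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): "
    r"<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>$"
)


def parse_line(line):
    """Return the fields of one spamd log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def offenders(log, max_per_second=2, sender_domain="hotmail.com"):
    """Map source IP -> peak entries per second, for sources that exceed
    max_per_second within any single second while claiming sender_domain.

    Syslog timestamps have one-second resolution, so (ip, timestamp) is the
    per-second bucket; lines that do not parse are ignored, not counted.
    """
    buckets = defaultdict(int)
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if not rec["sender"].lower().endswith("@" + sender_domain.lower()):
            continue
        buckets[(rec["ip"], rec["ts"])] += 1

    peaks = {}
    for (ip, _ts), count in buckets.items():
        if count > max_per_second:
            peaks[ip] = max(count, peaks.get(ip, 0))
    return peaks


def pf_table_entries(peaks):
    """Addresses, one per entry, in the form `pfctl -t <table> -T add` accepts,
    sorted numerically by octet so the output is stable across runs."""
    return sorted(peaks, key=lambda ip: tuple(int(o) for o in ip.split(".")))


if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG)
    for ip in pf_table_entries(hits):
        # Each line could be fed to: pfctl -t spamflood -T add <ip>
        print(f"{ip}  # peak {hits[ip]} greylist entries in one second")
```

On the pf side the resulting table is consumed by a rule such as `block in quick on $extif proto tcp from <spamflood> to any port 25`, placed before the rdr/pass rules so spamd never sees the connection, and entries can be expired with `pfctl -t spamflood -T expire <seconds>`. pf can also do the counting itself, without any script, through the `max-src-conn-rate` state option together with `overload <spamflood> flush global` on the pass rule; the script above is the log-driven equivalent and is mainly useful when the sender-domain condition matters, which pf alone cannot see.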
From owner-freebsd-pf@FreeBSD.ORG Fri Jun 1 15:17:59 2007
From: Max Laier
To: freebsd-pf@freebsd.org
Cc: freebsd-current@freebsd.org
Date: Fri, 1 Jun 2007 17:17:52 +0200
Message-Id: <200706011717.54698.max@love2party.net>
In-Reply-To: <465FFFA4.1060706@delphij.net>
Subject: Re: pf(4) status in 7.0-R

[ moving this to the more specific list ]

On Friday 01 June 2007, LI Xin wrote:
> Stanislaw Halik wrote:
> > Heya,
> >
> > Are there any plans to sync pf(4) before 7.0-R? OpenBSD has some neat
> > stuff in it, including expiretable functionality, which would come in
> > handy.
>
> Last time I talked with Max (Cc'ed) about the issue, we finally
> figured out that porting the whole thing would need some
> infrastructural changes to our routing code, which could be risky, so we
> wanted to avoid it at this stage (about 15 days before the RELENG_7 code
> freeze). On the other hand, some functionality (like the expiretable
> feature) does not seem to touch a large part of the kernel and might be
> an appropriate RELENG_7(_0) candidate.
>
> Could you please enumerate some features that FreeBSD currently lacks
> and that are considered "high priority", so we will be able to evaluate
> whether to port them?
>
> BTW. Patches are always welcome, as usual :-) So don't hesitate to
> submit if you already did some work.

ditto. I'd like to import a couple of features on a per-feature basis rather than doing a complete import, which isn't possible anymore due to SMP and routing code changes. Submit your list of features and I'll see what I can do this weekend. My list includes:

 - keep state and flags S/SA as the default
 - improved state table purging (this is internal, but a huge benefit)
 - interface handling (groups etc.)
 - pfsync / pflog update (not 100% sure about these due to libpcap / tcpdump dependency)

While at it, I might also introduce the needed ABI breakage for netgraph interaction.

Anything else?
-- /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News From owner-freebsd-pf@FreeBSD.ORG Fri Jun 1 16:22:36 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id EF3E516A400; Fri, 1 Jun 2007 16:22:36 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.177]) by mx1.freebsd.org (Postfix) with ESMTP id 84B8513C457; Fri, 1 Jun 2007 16:22:36 +0000 (UTC) (envelope-from max@love2party.net) Received: from [88.64.190.12] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu7) with ESMTP (Nemesis), id 0ML2xA-1Hu9ta0SKN-0000vl; Fri, 01 Jun 2007 18:22:34 +0200 From: Max Laier Organization: FreeBSD To: "Greg Hennessy" Date: Fri, 1 Jun 2007 18:22:31 +0200 User-Agent: KMail/1.9.6 References: <20070601103549.GA22490@localhost.localdomain> <200706011717.54698.max@love2party.net> <002801c7a467$d70da190$8528e4b0$@Hennessy@nviz.net> In-Reply-To: <002801c7a467$d70da190$8528e4b0$@Hennessy@nviz.net> X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200706011822.33043.max@love2party.net> X-Provags-ID: V01U2FsdGVkX18hwusLaMnRZmFlIMYzj160kuR69ZLtljyZ+8O G5fxUdHW+bCDITKYR4k/T93VM1FAHoK4kNzYBr5z6iuVxP8j/K GwozcweIbJqoANt3Uqouw== Cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org Subject: Re: pf(4) status in 7.0-R X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical 
discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Jun 2007 16:22:37 -0000 On Friday 01 June 2007, Greg Hennessy wrote:
> > ditto. I'd like to import a couple of features on a per-feature basis
> > rather than doing a complete import which isn't possible anymore due
> > to SMP and routing code changes.
>
> Is the inability to completely sync PF with the latest OpenBSD release
> cast in stone from here on, or is it an issue of resources?
>
> Just curious in light of recent PF improvements as detailed here
>
> http://www.undeadly.org/cgi?action=article&sid=20070528213858

This is a completely unrelated issue, really. It is debatable whether it is good practice to put all that information into the pkthdr, but the speed improvement is something for sure. It remains to be seen whether FreeBSD's mbuf tags perform as badly as OpenBSD's and, if they do, what can be done about that. One thing to keep in mind, however: pf is not the one and only firewall in FreeBSD, and there are *many* other places that use mbuf tags, too. I would rather look for a more general optimization of the mbuf tag framework (if required) than cluttering the m_pkthdr with all the fields one can think of (pf, ipfw, ipf, vlans, ipsec, altq ...)
-- /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News From owner-freebsd-pf@FreeBSD.ORG Fri Jun 1 16:26:28 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id F37B216A41F; Fri, 1 Jun 2007 16:26:27 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.174]) by mx1.freebsd.org (Postfix) with ESMTP id 88FA613C45D; Fri, 1 Jun 2007 16:26:27 +0000 (UTC) (envelope-from max@love2party.net) Received: from [88.64.190.12] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu8) with ESMTP (Nemesis), id 0ML31I-1Hu9xD07NI-0004C8; Fri, 01 Jun 2007 18:26:25 +0200 From: Max Laier Organization: FreeBSD To: "Greg Hennessy" Date: Fri, 1 Jun 2007 18:26:10 +0200 User-Agent: KMail/1.9.6 References: <20070601103549.GA22490@localhost.localdomain> <200706011717.54698.max@love2party.net> <002801c7a467$d70da190$8528e4b0$@Hennessy@nviz.net> In-Reply-To: <002801c7a467$d70da190$8528e4b0$@Hennessy@nviz.net> X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200706011826.12105.max@love2party.net> X-Provags-ID: V01U2FsdGVkX1+JG21euYm0xs1o2Ft+gZR1JzSkP6kt+lIjVgz xE0OuLcwjQyfsMdXjfB0FQoGk6/JPScL5NepZEmsprlL1iS5Ty IQPTHm2/q1KlSB80bg0rw== Cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org Subject: Re: pf(4) status in 7.0-R X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical 
discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Jun 2007 16:26:28 -0000 On Friday 01 June 2007, Greg Hennessy wrote:
> > ditto. I'd like to import a couple of features on a per-feature basis
> > rather than doing a complete import which isn't possible anymore due
> > to SMP and routing code changes.
>
> Is the inability to completely sync PF with the latest OpenBSD release
> cast in stone from here on, or is it an issue of resources?

Oh, and to answer this part as well ... I'd like to keep the user interface as similar as possible, but the internal workings will and have to diverge due to different takes on SMP and other infrastructure. Also, coming FreeBSD-specific features (e.g. netgraph) will make a verbatim sync impossible.

-- /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News From owner-freebsd-pf@FreeBSD.ORG Fri Jun 1 16:28:20 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id B7EFB16A468; Fri, 1 Jun 2007 16:28:20 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net) Received: from lon-mail-1.gradwell.net (lon-mail-1.gradwell.net [193.111.201.125]) by mx1.freebsd.org (Postfix) with ESMTP id EAB9913C4AD; Fri, 1 Jun 2007 16:28:19 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net) Received: from [90.204.45.169] ([90.204.45.169] helo=d620 ident=gregh^pop3*nviz#net) by lon-mail-1.gradwell.net with esmtpa (Gradwell gwh-smtpd 1.243) id 466045be.8099.478c; Fri, 1 Jun 2007 17:13:50 +0100 (envelope-sender ) From: "Greg Hennessy" To: "'Max Laier'" , References: <20070601103549.GA22490@localhost.localdomain> <465FFFA4.1060706@delphij.net> <200706011717.54698.max@love2party.net>
In-Reply-To: <200706011717.54698.max@love2party.net> Date: Fri, 1 Jun 2007 17:13:49 +0100 Message-ID: <002801c7a467$d70da190$8528e4b0$@Hennessy@nviz.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: AcekYd7LygmX91nLTy226Ye+GpbLtAABXN1A Content-Language: en-gb Cc: freebsd-current@freebsd.org Subject: RE: pf(4) status in 7.0-R X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Jun 2007 16:28:20 -0000
> ditto. I'd like to import a couple of features on a per-feature basis
> rather than doing a complete import which isn't possible anymore due to
> SMP and routing code changes.

Is the inability to completely sync PF with the latest OpenBSD release cast in stone from here on, or is it an issue of resources?
Just curious in light of recent PF improvements as detailed here http://www.undeadly.org/cgi?action=article&sid=20070528213858 Greg From owner-freebsd-pf@FreeBSD.ORG Fri Jun 1 16:31:59 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 2F55316A41F for ; Fri, 1 Jun 2007 16:31:59 +0000 (UTC) (envelope-from henrik@brixandersen.dk) Received: from solow.pil.dk (relay.pil.dk [195.41.47.164]) by mx1.freebsd.org (Postfix) with ESMTP id E6BDE13C457 for ; Fri, 1 Jun 2007 16:31:58 +0000 (UTC) (envelope-from henrik@brixandersen.dk) Received: from tirith.brixandersen.dk (osgiliath.brixandersen.dk [87.53.223.189]) by solow.pil.dk (Postfix) with ESMTP id BF6061CC0DF; Fri, 1 Jun 2007 18:06:16 +0200 (CEST) Received: by tirith.brixandersen.dk (Postfix, from userid 1001) id 2CBC1B840; Fri, 1 Jun 2007 18:06:16 +0200 (CEST) Date: Fri, 1 Jun 2007 18:06:15 +0200 From: Henrik Brix Andersen To: Max Laier Message-ID: <20070601160615.GA97576@tirith.brixandersen.dk> Mail-Followup-To: Max Laier , freebsd-pf@freebsd.org, freebsd-current@freebsd.org, LI Xin References: <20070601103549.GA22490@localhost.localdomain> <465FFFA4.1060706@delphij.net> <200706011717.54698.max@love2party.net> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="WIyZ46R2i8wDzkSu" Content-Disposition: inline In-Reply-To: <200706011717.54698.max@love2party.net> X-PGP-Key: http://www.brixandersen.dk/files/HenrikBrixAndersen.asc User-Agent: Mutt/1.5.15 (2007-04-06) Cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org Subject: Re: pf(4) status in 7.0-R X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Jun 
2007 16:31:59 -0000 --WIyZ46R2i8wDzkSu Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi Max, On Fri, Jun 01, 2007 at 05:17:52PM +0200, Max Laier wrote:
> Submit your list of features and I'll see what I can do this weekend. My
> list includes:
>
> - keep state and flags S/SA by default
> - improved state table purging (this is internal, but a huge benefit)
> - interface handling (groups etc.)
> - pfsync / pflog update (not 100% sure about these due to libpcap /
> tcpdump dependency)

Thank you for looking into this - much appreciated :)

> While at it, I might also introduce needed ABI breakage for netgraph
> interaction.
>
> Anything else?

I'm not sure how related this is, but 'carpdev' support is a feature I (and judging from the archives, many other people) would really like to see in FreeBSD.

Sincerely, Brix -- Henrik Brix Andersen --WIyZ46R2i8wDzkSu Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (FreeBSD) Comment: GnuPG signed iD8DBQFGYEP3v+Q4flTiePgRAgXhAKDBAPDClSfRa+xp/nQVKeW8G+9llwCgo0FT 4yhzxCLGlpIVx6uVZCZTwts= =irOH -----END PGP SIGNATURE----- --WIyZ46R2i8wDzkSu-- From owner-freebsd-pf@FreeBSD.ORG Fri Jun 1 17:28:12 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1CC1B16A400 for ; Fri, 1 Jun 2007 17:28:12 +0000 (UTC) (envelope-from andre@freebsd.org) Received: from c00l3r.networx.ch (c00l3r.networx.ch [62.48.2.2]) by mx1.freebsd.org (Postfix) with ESMTP id 8152313C458 for ; Fri, 1 Jun 2007 17:28:11 +0000 (UTC) (envelope-from andre@freebsd.org) Received: (qmail 46748 invoked from network); 1 Jun 2007 16:17:05 -0000 Received: from dotat.atdotat.at (HELO [62.48.0.47]) ([62.48.0.47]) (envelope-sender ) by c00l3r.networx.ch (qmail-ldap-1.03) with SMTP
for ; 1 Jun 2007 16:17:05 -0000 Message-ID: <466050E9.70301@freebsd.org> Date: Fri, 01 Jun 2007 19:01:29 +0200 From: Andre Oppermann User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b) Gecko/20050217 MIME-Version: 1.0 To: Max Laier References: <20070601103549.GA22490@localhost.localdomain> <200706011717.54698.max@love2party.net> <002801c7a467$d70da190$8528e4b0$@Hennessy@nviz.net> <200706011822.33043.max@love2party.net> In-Reply-To: <200706011822.33043.max@love2party.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-current@freebsd.org, Greg Hennessy , freebsd-pf@freebsd.org Subject: Re: pf(4) status in 7.0-R X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Jun 2007 17:28:12 -0000 Max Laier wrote:
> On Friday 01 June 2007, Greg Hennessy wrote:
>
>>>ditto. I'd like to import a couple of features on a per-feature basis
>>>rather than doing a complete import which isn't possible anymore due
>>>to SMP and routing code changes.
>>
>>Is the inability to completely sync PF with the latest OpenBSD release
>>cast in stone from here on, or is it an issue of resources?
>>
>>Just curious in light of recent PF improvements as detailed here
>>
>>http://www.undeadly.org/cgi?action=article&sid=20070528213858
>
> This is a completely unrelated issue, really. It is debatable whether it is good
> practice to put all that information into the pkthdr, but the speed
> improvement is something for sure. It remains to be seen whether FreeBSD's
> mbuf tags perform as badly as OpenBSD's and, if they do, what can be
> done about that. One thing to keep in mind, however: pf is not the one
> and only firewall in FreeBSD, and there are *many* other places that use
> mbuf tags, too.
> I would rather look for a more general optimization of
> the mbuf tag framework (if required) than cluttering the m_pkthdr
> with all the fields one can think of (pf, ipfw, ipf, vlans, ipsec, altq ...)

I don't think it is appropriate to put pf-specific flags and pointers into our mbuf header. Optimizations that may help are to make a UMA zone for the pf mtags, or (a bit hacky) to use the remaining space in the mbuf when a cluster is attached (almost always the case for inbound packets).

-- Andre From owner-freebsd-pf@FreeBSD.ORG Fri Jun 1 19:38:28 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id D089F16A46E for ; Fri, 1 Jun 2007 19:38:28 +0000 (UTC) (envelope-from linux@giboia.org) Received: from mu-out-0910.google.com (mu-out-0910.google.com [209.85.134.187]) by mx1.freebsd.org (Postfix) with ESMTP id 09D7813C457 for ; Fri, 1 Jun 2007 19:38:27 +0000 (UTC) (envelope-from linux@giboia.org) Received: by mu-out-0910.google.com with SMTP id w9so675654mue for ; Fri, 01 Jun 2007 12:38:26 -0700 (PDT) Received: by 10.82.112.3 with SMTP id k3mr1904187buc.1180724945883; Fri, 01 Jun 2007 12:09:05 -0700 (PDT) Received: by 10.82.134.6 with HTTP; Fri, 1 Jun 2007 12:09:05 -0700 (PDT) Message-ID: <6e6841490706011209t589558c1xfa49cd0a663f8ea3@mail.gmail.com> Date: Fri, 1 Jun 2007 16:09:05 -0300 From: "Gilberto Villani Brito" To: "FreeBSD (PF)" In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: Subject: Re: Problem to access FTP server X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Jun 2007 19:38:28 -0000 On
31/05/07, Mahabub Basha wrote:
> Hi all,
>
> I am a newbie to freebsd. I am using freebsd 6.1. I have some problem
> accessing an ftp server through an external ip behind a pf firewall.
>
> I can access my ftp server through active mode, but it is not working in passive
> mode.
>
> My ruleset file is the following:
>
> ======================================================================
> pf.conf
> ======================================================================
> lan = "port2"
> wan = "port1"
>
> # User BiNAT Rules
> binat on $wan from 10.0.0.10 to any -> 172.16.1.10
>
> # User RDR Rules
> rdr on $wan from any to 172.16.1.10 -> 10.0.0.10
>
> # User Filter Rules
> pass all
>
> =========================================================================
>
> my lan ip address is 10.0.0.10 and my wan ip is 172.16.1.10
>
> I just put the above three rules. And run my ftp server using inetd.
>
> I used the core-ftp client in windows xp to connect to my ftp server machine; in
> active mode it's working fine.
>
> But in passive mode it's not working.
>
> Before I asked this problem here, I read the following links and tried out the
> same, but it's not working.
>
> =====================================================================
> http://www.openbsd.org/faq/pf/ftp.html
>
> http://article.gmane.org/gmane.os.freebsd.devel.pf4freebsd/2952/match=issues+ftp+windows+pf
> =====================================================================
>
> I want to use the binat rule.
>
> can anyone help me to solve this issue.
>
> - Mahabub Basha.S
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

Hi,
First, try excluding:
rdr on $wan from any to 172.16.1.10 -> 10.0.0.10
because you are using binat; then try to use ftp in passive mode.
If it doesn't work, try to use ftp-proxy (http://www.openbsd.org/faq/pf/ftp.html).
-- Gilberto Villani Brito System Administrator Londrina - PR Brazil gilbertovb(a)gmail.com From owner-freebsd-pf@FreeBSD.ORG Sat Jun 2 06:52:53 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 5C54916A421; Sat, 2 Jun 2007 06:52:53 +0000 (UTC) (envelope-from mime@traveller.cz) Received: from nxm.secservers.com (nxm.secservers.com [89.185.226.22]) by mx1.freebsd.org (Postfix) with ESMTP id E544A13C447; Sat, 2 Jun 2007 06:52:52 +0000 (UTC) (envelope-from mime@traveller.cz) Received: from [127.0.0.1] (nxm.secservers.com. [89.185.226.22]) by nxm.secservers.com (8.13.4/8.13.8) with ESMTP id l526dCL5098901; Sat, 2 Jun 2007 08:39:12 +0200 (CEST) (envelope-from mime@traveller.cz) From: Michal Mertl To: Max Laier In-Reply-To: <200706011717.54698.max@love2party.net> References: <20070601103549.GA22490@localhost.localdomain> <465FFFA4.1060706@delphij.net> <200706011717.54698.max@love2party.net> Content-Type: text/plain Date: Sat, 02 Jun 2007 08:39:06 +0200 Message-Id: <1180766346.30151.3.camel@genius.i.cz> Mime-Version: 1.0 X-Mailer: Evolution 2.10.1 FreeBSD GNOME Team Port Content-Transfer-Encoding: 7bit Cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org Subject: Re: pf(4) status in 7.0-R X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 02 Jun 2007 06:52:53 -0000 Max Laier wrote: > [ moving this to the more specific list ] > > On Friday 01 June 2007, LI Xin wrote: > > Stanislaw Halik wrote: > > > Heya, > > > > > > Are there any plans to sync pf(4) before 7.0-R? OpenBSD has some neat > > > stuff in it, including expiretable functionality, which would come in > > > handy. 
> >
> > Last time I talked with Max (Cc'ed) about the issue, we finally
> > figured out that porting the whole thing would need some
> > infrastructural changes to our routing code, which could be risky, so we
> > wanted to avoid it at this stage (about 15 days before the RELENG_7 code
> > freeze). On the other hand, some functionality (like the expiretable
> > feature) does not seem to touch a large part of the kernel and might be an
> > appropriate RELENG_7(_0) candidate.
> >
> > Could you please enumerate some features that FreeBSD currently lacks
> > and that are considered "high priority", so we will be able to evaluate
> > whether to port them?
> >
> > BTW. Patches are always welcome, as usual :-) So don't hesitate to
> > submit if you already did some work.
>
> ditto. I'd like to import a couple of features on a per-feature basis
> rather than doing a complete import which isn't possible anymore due to
> SMP and routing code changes.
>
> Submit your list of features and I'll see what I can do this weekend. My
> list includes:
>
> - keep state and flags S/SA by default
> - improved state table purging (this is internal, but a huge benefit)
> - interface handling (groups etc.)
> - pfsync / pflog update (not 100% sure about these due to libpcap /
> tcpdump dependency)
>
> While at it, I might also introduce needed ABI breakage for netgraph
> interaction.
>
> Anything else?
>

The updated ftp-proxy - the one in the tree does not rewrite the source IP address of data connections, and some firewalls (e.g. Windows Firewall) don't let the connection through. It should be pretty easy to import - the program is already in some form in the ports tree.
Michal From owner-freebsd-pf@FreeBSD.ORG Sat Jun 2 15:05:03 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 2C2BF16A421 for ; Sat, 2 Jun 2007 15:05:03 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.179]) by mx1.freebsd.org (Postfix) with ESMTP id B763113C458 for ; Sat, 2 Jun 2007 15:05:02 +0000 (UTC) (envelope-from max@love2party.net) Received: from [88.66.46.219] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu6) with ESMTP (Nemesis), id 0ML29c-1HuVA42BTi-0002n2; Sat, 02 Jun 2007 17:05:01 +0200 From: Max Laier Organization: FreeBSD To: Hugo Koji Kobayashi Date: Sat, 2 Jun 2007 17:04:52 +0200 User-Agent: KMail/1.9.6 References: <20070528224225.GC40678@registro.br> <200705301002.04911.max@love2party.net> <20070531134923.GH39552@registro.br> In-Reply-To: <20070531134923.GH39552@registro.br> X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-6" Content-Transfer-Encoding: base64 Content-Disposition: inline Message-Id: <200706021704.53787.max@love2party.net> X-Provags-ID: V01U2FsdGVkX1+zaD7g3yo4mIBjLwPzTJWa4pvOSWyvCkmb+VH 46dmApwwEUmQu9BruPxIDHoI0tCkAFFylycDL95KZ8IaL1GfFY xFlsCca8j6vvhzwbGME9A== Cc: freebsd-pf@freebsd.org Subject: Re: udp fragmentation X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 02 Jun 2007 15:05:03 -0000 
Hi Hugo,

On Thursday 31 May 2007, Hugo Koji Kobayashi wrote:
> Please find attached the tests results after enabling extended
> logging.
>
> I've done the test twice, changing dig's "+bufsize" parameter.

looking at your log file, it seems that the packet traverses pf alright:

> ---- Console begin
> pf_normalize_ip: reass frag 11881 @ 0-1480
> pf_normalize_ip: reass frag 11881 @ 1480-2960
> pf_normalize_ip: reass frag 11881 @ 2960-4094
> pf_reassemble: 4094 < 4094?
> pf_reassemble: complete: 0xc4338000(4114)
> ---- Console end
>
> fbsd7# date ; pfctl -si
> Tue May  8 04:15:24 BRT 2007
> No ALTQ support in kernel
> ALTQ related functions disabled
> Status: Enabled for 0 days 00:05:27             Debug: Misc
>
> Hostid: 0xfd3ea603
>
> State Table                          Total             Rate
>   current entries                        3
>   searches                             405            1.2/s
>   inserts                               40            0.1/s
>   removals                              37            0.1/s
> Counters
>   match                                 40            0.1/s
>   bad-offset                             0            0.0/s
>   fragment                               0            0.0/s
>   short                                  0            0.0/s
>   normalize                              0            0.0/s
>   memory                                 0            0.0/s
>   bad-timestamp                          0            0.0/s
>   congestion                             0            0.0/s
>   ip-option                              0            0.0/s
>   proto-cksum                            0            0.0/s
>   state-mismatch                         0            0.0/s
>   state-insert                           0            0.0/s
>   state-limit                            0            0.0/s
>   src-limit                              0            0.0/s
>   synproxy                               0            0.0/s

So the culprit should be somewhere up the stack. i.e. FreeBSD chokes on
the already reassembled packet.  Could you also provide netstat -ssp udp
and netstat -ssp ip from before and after your test to get an idea where
the packet is lost?  To make sure I understand your setup correctly:  pf
is running on the DNS server i.e. the destination address of the datagram
is a local address?

-- /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News From owner-freebsd-pf@FreeBSD.ORG Sat Jun 2 20:18:25 2007 Return-Path: X-Original-To: pf@freebsd.org Delivered-To: freebsd-pf@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 79A8F16A469 for ; Sat, 2 Jun 2007 20:18:25 +0000 (UTC) (envelope-from nobody@server.accesscountry.com) Received: from
server.accesscountry.com (server.accesscountry.com [64.22.89.10]) by mx1.freebsd.org (Postfix) with ESMTP id 3E69613C46A for ; Sat, 2 Jun 2007 20:18:25 +0000 (UTC) (envelope-from nobody@server.accesscountry.com) Received: from nobody by server.accesscountry.com with local (Exim 4.63) (envelope-from ) id 1Hua3H-0000XU-TN for pf@freebsd.org; Sat, 02 Jun 2007 16:18:19 -0400 To: pf@freebsd.org From: Andrea Richard Frank MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 8bit Message-Id: Date: Sat, 02 Jun 2007 16:18:19 -0400 X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - server.accesscountry.com X-AntiAbuse: Original Domain - freebsd.org X-AntiAbuse: Originator/Caller UID/GID - [99 32002] / [47 12] X-AntiAbuse: Sender Address Domain - server.accesscountry.com X-Source: X-Source-Args: /usr/local/apache/bin/httpd -DSSL X-Source-Dir: angrycountry.com:/public_html/magazine/backend Cc: Subject: Job Proposal X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: richard23402@gmail.com List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 02 Jun 2007 20:18:25 -0000 Hello, Let me crave your indulgence to introduce myself to you. I'm Mr. Andrew Frank from OmniPay Company in United Kingdom. The OmniPay Company is the World’s largest and most established trader of Digital Gold and Silver (also known as e-currency, Digital Currency or e-money). We are a reputable independent international business with offices in Europe and Asia/Pacific. We sell Gold,Silver,Diamond and some other Antiques product and also we Buy, Sell or Convert Digital Gold Currency. 
We are currently in need of company representative/Payment coordinators and if you are willing because we find your details and email from a resume search under the country: Canada/New Zealand and we believe you can work with us, I will want you to furnish me with your particulars, so as to enable me to give you further details. Please, you have to be an honest and trusted person because working as a Payment coordinator more payments will be made through you in the course of this transaction and business and you will be in control of every client who wants to make payment for e-gold or other products/services too. Subject to your satisfaction you will be given the opportunity to negotiate the mode with which we will pay for your services as OmniPay company representative/Payment coordinator. REQUIREMENT: (a) You will need to have access to a computer with internet service because you will need to check your E-mail messages at least twice every day for company updates and payment confirmations from any of our clients. (b) You will need to have a direct mobile phone line where the company secretary can reach you over the phone anytime it is needed. (c) You will need to have a good knowledge of the English language and you don't need an office because this is just work at home. Security: We are assuring you that at no time will you be required to make any upfront payments of your personal funds to us for whatever reasons. Furthermore, the salary payment is negotiable between $5,000.00USD - $61,000.00USD while you will have a 10% discount on every transaction processed by you too. Your first salary will be paid by next month 2007. You can fill in the application form below, so that you can start working with OmniPay company as our company representative/Payment coordinator.
> - FULL NAME: > - ADDRESS: > - City > - STATE/COUNTRY: > - TEL NUMBERS: > - FAX NUMBERS: > - Mobile NUMBERS: > - COMPANY NAME(if any): > - Direct Mobile Number: PLEASE SUBMIT THE DETAILS DIRECTLY THROUGH EMAIL: binta4ryluv@yahoo.com N-B: We are very much aware of scams going on all over the Internet and as such we are assuring you that at no time will you be required to make any upfront payments of your personal funds to us for whatever reasons; we are legitimate entrepreneurs seeking trustworthy partners/relationships on a long-term basis. We await your immediate response. Regards, Mr. Andrew Frank OmniPay Company www.omnipay.com email: binta4ryluv@yahoo.com Tel: +44-7024067187 Please reply to Mr. Andrew Frank email only: binta4ryluv@yahoo.com N.B- YOU CAN CHAT WITH ONE OF OUR REPRESENTATIVES THROUGH YAHOO MESSENGER BELOW: YAHOO MESSENGER ID: margiehilla116 Job Proposal From owner-freebsd-pf@FreeBSD.ORG Sat Jun 2 20:42:53 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 834F016A46D; Sat, 2 Jun 2007 20:42:53 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.186]) by mx1.freebsd.org (Postfix) with ESMTP id 18E3113C48A; Sat, 2 Jun 2007 20:42:53 +0000 (UTC) (envelope-from max@love2party.net) Received: from [88.66.46.219] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu8) with ESMTP (Nemesis), id 0ML31I-1HuaQt1MIi-00045T; Sat, 02 Jun 2007 22:42:44 +0200 From: Max Laier Organization: FreeBSD To: Michal Mertl Date: Sat, 2 Jun 2007 22:42:28 +0200 User-Agent: KMail/1.9.6 References: <20070601103549.GA22490@localhost.localdomain> <200706011717.54698.max@love2party.net> <1180766346.30151.3.camel@genius.i.cz> In-Reply-To: <1180766346.30151.3.camel@genius.i.cz> X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2];
R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart13748422.R2svJu85Op"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200706022242.37207.max@love2party.net> X-Provags-ID: V01U2FsdGVkX19VP/2qh1uDrGOlm6O7Q3q/ChOvkyrJCF70fgA tQkayOro7Sy/3cydl/89pOXv59XmpPsUgKugQ/kgdg0g9VG8b0 uUsAC60ErCa5ZYaTDej5w== Cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org Subject: Re: pf(4) status in 7.0-R X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 02 Jun 2007 20:42:53 -0000 --nextPart13748422.R2svJu85Op Content-Type: text/plain; charset="iso-8859-6" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Saturday 02 June 2007, Michal Mertl wrote: > Max Laier wrote: > > [ moving this to the more specific list ] > > > > On Friday 01 June 2007, LI Xin wrote: > > > Stanislaw Halik wrote: > > > > Heya, > > > > > > > > Are there any plans to sync pf(4) before 7.0-R? OpenBSD has some > > > > neat stuff in it, including expiretable functionality, which > > > > would come in handy. > > > > > > Last time I have talked with Max (Cc'ed) about the issue, we > > > finally figured out that porting the whole stuff would need some > > > infrastructural changes to our routing code, which could be risky > > > so we wanted to avoid it at this stage (about 15 days before > > > RELENG_7 code freeze). On the other hand, some functionality (like > > > the expiretable feature) does not seem to touch a large part of > > > kernel and might be appropriate > > > RELENG_7(_0) candidate. 
> > > > > > Could you please enumerate some features that FreeBSD is currently > > > lack of and are considered "high priority" so we will be able to > > > evaluate whether to port? > > > > > > BTW. Patches are always welcome, as usual :-) So don't hesitate > > > to submit if you already did some work. > > > > ditto. I'd like to import a couple of features on a per-feature base > > rather than doing a complete import which isn't possible anymore due > > to SMP and routing code changes. > > > > Submit your list of features and I'll see what I can do this weekend. > > My list includes: > > > > - keep state and flags S/SA to default > > - improved state table purgeing (this is internal, but a huge > > benefit) - interface handling (groups etc.) > > - pfsync / pflog update (not 100% sure about these due to libpcap / > > tcpdump dependency) > > > > While at it, I might also introduce needed ABI breakage for netgraph > > interaction. > > > > Anything else? > > The updated ftp-proxy - the one in the tree does not rewrite source IP > address of data connections and some firewalls (e.g. Windows Firewall) > don't let the connection through. It should be pretty easy to import - > the program it already in some form in the ports tree. How do people feel about removing ftp-proxy from the base altogether? I=20 think it's better off in ports anyway. Opinions? 
=2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart13748422.R2svJu85Op Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.3 (FreeBSD) iD8DBQBGYdY9XyyEoT62BG0RAgciAJ0bB5tH0BO4gqlVM48gqoLde0U2HQCeLE8w eI/K30KEEvnjBIpCFL/NPGA= =1ebt -----END PGP SIGNATURE----- --nextPart13748422.R2svJu85Op-- From owner-freebsd-pf@FreeBSD.ORG Sat Jun 2 20:52:06 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 992E416A41F; Sat, 2 Jun 2007 20:52:06 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.183]) by mx1.freebsd.org (Postfix) with ESMTP id 2DC6513C455; Sat, 2 Jun 2007 20:52:06 +0000 (UTC) (envelope-from max@love2party.net) Received: from [88.66.48.230] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu2) with ESMTP (Nemesis), id 0MKwtQ-1HuaZu1qAx-0003BO; Sat, 02 Jun 2007 22:52:04 +0200 From: Max Laier Organization: FreeBSD To: Henrik Brix Andersen Date: Sat, 2 Jun 2007 22:51:59 +0200 User-Agent: KMail/1.9.6 References: <20070601103549.GA22490@localhost.localdomain> <200706011717.54698.max@love2party.net> <20070601160615.GA97576@tirith.brixandersen.dk> In-Reply-To: <20070601160615.GA97576@tirith.brixandersen.dk> X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart20734089.1AeCckRkm5"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: 
<200706022252.01630.max@love2party.net> X-Provags-ID: V01U2FsdGVkX1/+Zou9X5TUpKfXg5QyhPRJs1xnsFo/OAmZpKi ONOVhSZf29CEDC96i78QErk9Axjf9G01IoFh8VVxHQXDRdZtMi x4OSCfM2wSy4Bpw/wVNpg== Cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org Subject: Re: pf(4) status in 7.0-R X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 02 Jun 2007 20:52:06 -0000 --nextPart20734089.1AeCckRkm5 Content-Type: text/plain; charset="iso-8859-6" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Friday 01 June 2007, Henrik Brix Andersen wrote: > Hi Max, > > On Fri, Jun 01, 2007 at 05:17:52PM +0200, Max Laier wrote: > > Submit your list of features and I'll see what I can do this weekend. > > My list includes: > > > > - keep state and flags S/SA to default > > - improved state table purgeing (this is internal, but a huge > > benefit) - interface handling (groups etc.) > > - pfsync / pflog update (not 100% sure about these due to libpcap / > > tcpdump dependency) > > Thank you for looking into this - much appreciated :) > > > While at it, I might also introduce needed ABI breakage for netgraph > > interaction. > > > > Anything else? > > I'm not sure how related this is, but 'carpdev' support is a feature I > (and judging from the archives, many other people) would really like > to see in FreeBSD. In lack of a working test-setup, I will not touch CARP. 
=2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart20734089.1AeCckRkm5 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.3 (FreeBSD) iD8DBQBGYdhxXyyEoT62BG0RArXNAJ9YdViPgGxKUmDd6KQ2xm744MY9+ACfd9tJ Y85Ql1wo8PU9FSNF6Ntb5k0= =bo4F -----END PGP SIGNATURE----- --nextPart20734089.1AeCckRkm5--