From owner-freebsd-pf@FreeBSD.ORG Mon Sep 3 11:08:26 2007
Date: Mon, 3 Sep 2007 11:08:23 GMT
Message-Id: <200709031108.l83B8N3c079141@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems
S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems
S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/110698  pf    [pf] nat rule of pf without "on" clause causes invalid

3 problems total.

Non-critical problems
S Tracker      Resp. Description
--------------------------------------------------------------------------------
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/106400  pf    [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
s conf/110838  pf    tagged parameter on nat not working on FreeBSD 5.2
o kern/114567  pf    [pf] LOR pf_ioctl.c + if.c
o kern/115640  pf    [net] [pf] pfctl -k dont works

6 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Sep 3 12:51:00 2007
Date: Mon, 3 Sep 2007 12:50:59 GMT
Message-Id: <200709031250.l83Cox6t088255@freefall.freebsd.org>
From: remko@FreeBSD.org
To: remko@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/116048: [pf]: Different anchor wildcards in pfctl and kernel

Old Synopsis: Different anchor wildcards in pfctl and kernel
New Synopsis: [pf]: Different anchor wildcards in pfctl and kernel

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: remko
Responsible-Changed-When: Mon Sep 3 12:50:13 UTC 2007
Responsible-Changed-Why:
redirect to pf team.

http://www.freebsd.org/cgi/query-pr.cgi?pr=116048

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 3 13:29:45 2007
Date: Mon, 3 Sep 2007 13:29:44 GMT
Message-Id: <200709031329.l83DTi8D089325@freefall.freebsd.org>
From: mlaier@FreeBSD.org
To: blaze@ruddy.ru, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/116048: [pf]: Different anchor wildcards in pfctl and kernel

Synopsis: [pf]: Different anchor wildcards in pfctl and kernel

State-Changed-From-To: open->closed
State-Changed-By: mlaier
State-Changed-When: Mon Sep 3 13:27:28 UTC 2007
State-Changed-Why:
As detailed in the man-page the anchor name must be enclosed in "" when
using wildcards, i.e. anchor "foo/*"

http://www.freebsd.org/cgi/query-pr.cgi?pr=116048

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 4 19:18:30 2007
Date: Tue, 04 Sep 2007 20:59:07 +0200
Message-ID: <46DDAAFB.6040301@casino.uni-stuttgart.de>
From: Tobias Ernst
To: freebsd-pf@freebsd.org
Subject: replacement for nested tables?

Hi!

I am setting up a bridging firewall on FreeBSD 6.2 that has, among others,
three interfaces: one for the internal LAN and two demilitarized zones
sharing the same subnet. Now I want to have a convenient way to refer to
any machine that is not in one of the demilitarized zones. Here is my
first shot:

  # DMZ #1
  DMZ1 = "192.168.1.3, 192.168.1.4"
  table { $DMZ1 }

  # DMZ #2
  DMZ2 = "192.168.1.5, 192.168.1.6"
  table { $DMZ2 }

  # The internal lan
  table { 192.168.1.0/24, !, ! }

This fails because nested tables are not supported. Sort of makes sense.
My next shot was

  table { 192.168.1.0/24, !$DMZ1, !$DMZ2 }

but this gives the wrong result because the "!" operator is only applied
to the first element in "DMZ1".

Is there any way to populate with all IP addresses that are /not/ in DMZ1
or DMZ2 without having to explicitly repeat the addresses of the machines
in each DMZ? I would prefer not to have any redundant "points of editing"
in my pf.conf.
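An added example (editor's code, not part of Tobias's post) that models the two expansions the post describes: pf substitutes a macro as plain text, so `!$DMZ1` glues the `!` to the first address only, and a table lookup is decided by the longest matching entry, with a negated entry meaning "not in the table". The macro names and addresses are the post's; the table name `internal` and the per-element negation helper are assumptions.

```python
"""Model pf macro expansion and table lookup for negated entries.

Added example, not code from the original post. Assumes pf's documented
table semantics: longest-prefix match decides, negated entries exclude.
"""
import ipaddress

# The post's macros, exactly as pf sees them: a macro is a plain string.
DMZ1 = "192.168.1.3, 192.168.1.4"
DMZ2 = "192.168.1.5, 192.168.1.6"


def expand_naive(prefix, macro):
    """What `!$DMZ1` becomes after text substitution: the operator is
    attached to the first element only (the behaviour the post hit)."""
    return prefix + macro


def expand_per_element(prefix, macro):
    """Apply the operator to every element of the macro (assumed helper)."""
    return ", ".join(prefix + a.strip() for a in macro.split(","))


def parse_table(spec):
    """Parse 'a, !b, c/24' into a list of (negated, network) entries."""
    entries = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        net = ipaddress.ip_network(item.lstrip("!"), strict=False)
        entries.append((negated, net))
    return entries


def table_match(entries, addr):
    """pf-style lookup: the most specific entry containing addr decides;
    if that entry is negated the address is not in the table."""
    ip = ipaddress.ip_address(addr)
    best = None
    for negated, net in entries:
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (negated, net)
    return best is not None and not best[0]


def render_internal_table(network, *dmz_macros):
    """Render the single table line the post was trying to write, with
    the DMZ macros negated element by element. Table name is assumed."""
    body = ", ".join([network] + [expand_per_element("!", m) for m in dmz_macros])
    return "table <internal> { %s }" % body


if __name__ == "__main__":
    naive = "192.168.1.0/24, " + expand_naive("!", DMZ1) + ", " + expand_naive("!", DMZ2)
    fixed = "192.168.1.0/24, " + expand_per_element("!", DMZ1) + ", " + expand_per_element("!", DMZ2)
    for spec in (naive, fixed):
        entries = parse_table(spec)
        hits = [a for a in ("192.168.1.3", "192.168.1.4", "192.168.1.10") if table_match(entries, a)]
        print(spec, "->", hits)
    print(render_internal_table("192.168.1.0/24", DMZ1, DMZ2))
```

Run stand-alone it shows that the naive expansion still matches 192.168.1.4 (only .3 was negated), while the per-element expansion excludes every DMZ host and keeps the rest of the /24; the rendered table line is one place to edit if the DMZ macros stay the single source of truth.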
TIA
Tobias

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 5 20:57:14 2007
Date: Wed, 5 Sep 2007 14:31:10 -0600
From: "Rian Shelley"
Sender: rian.shelley@gmail.com
To: freebsd-pf@freebsd.org
Subject: pfsync errors

As far as I can tell, I am having the same problem described by Bill
Marquette. I have two firewalls using pfsync, where the secondary
firewall just increases its state count steadily.

I created a simple libpcap program to watch the pfsync headers flowing
by, and I see types 8, 4, 2, which are PFSYNC_ACT_UREQ, PFSYNC_ACT_UPD_C,
PFSYNC_ACT_UPD. I don't see any of type 3 or 5, which are the ones that
delete state. As far as I can tell, states are pumped across the link,
but never removed and are left to time out on their own.

I'd like to add myself as another datapoint for this problem.
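An added example (editor's code, not Rian's libpcap program) of the check his observation implies: decode the pfsync header of each packet, total the state records per action, and flag a stream that carries inserts and updates but essentially no deletes, since a peer fed such a stream can only grow its state table. It assumes the pfsync version 3 header layout of pf 3.7-era kernels (1-byte version, 1-byte action, 2-byte count, 16-byte ruleset checksum) and the action numbering from if_pfsync.h; the packet payloads are constructed inline, not captured.

```python
"""Decode pfsync headers and detect a one-sided (no-delete) state stream.

Added example, not code from the original post. Header layout and action
numbers are assumed from if_pfsync.h (pfsync version 3); the sample
payloads below are constructed, not captured traffic.
"""
import struct
from collections import Counter

# version, action, count, pf_chksum (network byte order, packed)
PFSYNC_HDR = struct.Struct("!BBH16s")

# Action codes from if_pfsync.h for pfsync version 3 (assumed).
ACTIONS = {
    0: "CLR", 1: "INS", 2: "UPD", 3: "DEL", 4: "UPD_C", 5: "DEL_C",
    6: "INS_F", 7: "DEL_F", 8: "UREQ", 9: "BUS", 10: "TDB_UPD",
}
ADDS = {"INS", "UPD", "UPD_C"}      # messages that create or refresh state
REMOVES = {"DEL", "DEL_C"}           # messages that remove state


def parse_header(payload):
    """Return (action_name, count) or None if payload is not a pfsync v3 header."""
    if len(payload) < PFSYNC_HDR.size:
        return None
    version, action, count, _chksum = PFSYNC_HDR.unpack_from(payload)
    if version != 3 or action not in ACTIONS:
        return None
    return ACTIONS[action], count


def summarize(payloads):
    """Total the records carried per action over a batch of pfsync payloads."""
    totals = Counter()
    for payload in payloads:
        parsed = parse_header(payload)
        if parsed:
            name, count = parsed
            totals[name] += count
    return totals


def one_sided(totals, min_adds=100):
    """True when the stream keeps adding/updating states but removes fewer
    than one in twenty of them: the receiving firewall's table will grow
    until entries time out on their own."""
    adds = sum(totals[a] for a in ADDS)
    removes = sum(totals[r] for r in REMOVES)
    return adds >= min_adds and removes * 20 < adds


def make_payload(action, count):
    """Constructed pfsync v3 header with a zero checksum and no records."""
    return PFSYNC_HDR.pack(3, action, count, b"\0" * 16)


# Constructed sample resembling the observation: one UREQ, many UPD_C/UPD,
# and only a single DEL.
SAMPLE = ([make_payload(8, 1)] + [make_payload(4, 40)] * 20
          + [make_payload(2, 10)] * 5 + [make_payload(3, 2)])

if __name__ == "__main__":
    totals = summarize(SAMPLE)
    print(dict(totals), "one-sided:", one_sided(totals))
```

On a live link the payloads would come from a raw socket or pcap on IP protocol 240 with the IP header stripped; the summary can be compared against the two firewalls' `pfctl -si` entry counts to confirm whether the growing table is explained by missing deletes.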
Currently I am getting about 15k send errors per second, and I'm up to
1.8 million states on the secondary firewall :D

# while true; do netstat -s -p pfsync | grep send\ error; sleep 1; done
        2096018860 send error
        2096036208 send error
        2096052950 send error
        2096070675 send error
        2096089621 send error
        2096106671 send error
        2096121646 send error
        2096138996 send error
        2096158012 send error
        2096177555 send error
        2096194727 send error
        2096216490 send error
        2096238626 send error

[root@secondary /]# pfctl -si
Status: Enabled for 1 days 00:06:01           Debug: Urgent
Hostid: 0x97bb3fdc

State Table                          Total             Rate
  current entries                  1877429

[root@primary /]# pfctl -si
Status: Enabled for 2 days 06:54:26           Debug: Urgent
Hostid: 0x85c326db

State Table                          Total             Rate
  current entries                   172889

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 5 21:16:43 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Wed, 5 Sep 2007 23:16:35 +0200
Message-Id: <200709052316.41257.max@love2party.net>
Subject: Re: pfsync errors

On Wednesday 05 September 2007, Rian Shelley wrote:
> As far as I can tell, am having the same problem described by bill
> marquette. I have two firewalls using pfsync, where the secondary
> firewall just increases its state count steadily.
>
> I created a simple libpcap program to watch the pfsync headers flowing
> by, and i see types 8, 4, 2, which are PFSYNC_ACT_UREQ,
> PFSYNC_ACT_UPD_C, PFSYNC_ACT_UPD. I dont see any of type 3 or 5, which
> are the ones that delete state. As far as i can tell, states are
> pumped across the link, but never removed and are left to time out on
> their own.

Very good observation. I don't quite believe that you don't see *any*
threes or fives, but I do see that those would get lost most easily. The
problem stems from the way states are purged in 3.7/RELENG_6. Newer pf
4.1/(soon to be) RELENG_7 splits the state removal.

I'm attaching a *very* experimental *HACK* that might help the situation.
I believe, however, that you would be better off with moving to
4.1/RELENG_6 (patches at [1]) or 4.1/RELENG_7 as soon as it's done. The
state purge is one of the biggest weaknesses of 3.7/RELENG_6 which isn't
easily solvable.

Another way to go is setting the queue length for the internal processing
queue to something insanely high (1000+). This will most likely work
around the problem at the cost of burning (mbuf) memory.

[1] http://people.freebsd.org/~mlaier/PF41/

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Attachment: pf_purge.hack.diff

Index: pf.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf.c,v
retrieving revision 1.34.2.5
diff -u -r1.34.2.5 pf.c
--- pf.c	28 Jul 2007 22:32:57 -0000	1.34.2.5
+++ pf.c	9 Aug 2007 20:51:42 -0000
@@ -1145,17 +1145,34 @@ pf_status.states--; } =20 +static struct pf_state *pf_purge_pickup; + void pf_purge_expired_states(void) { struct pf_state *cur, *next; + int max_purge =3D 5000; + + if (pf_purge_pickup !=3D NULL) + cur =3D pf_purge_pickup; + else + cur =3D RB_MIN(pf_state_tree_id, &tree_id); =20 =2D for (cur =3D RB_MIN(pf_state_tree_id, &tree_id); =2D cur; cur =3D next) { + pf_purge_pickup =3D NULL; + for (;cur && max_purge; max_purge--, cur =3D next) { next =3D RB_NEXT(pf_state_tree_id, &tree_id, cur); if (pf_state_expires(cur) <=3D time_second) pf_purge_expired_state(cur); } + if (max_purge) { + cur =3D RB_MIN(pf_state_tree_id, &tree_id); + for (;cur && max_purge; max_purge--, cur =3D next) { + next =3D RB_NEXT(pf_state_tree_id, &tree_id, cur); + if (pf_state_expires(cur) <=3D time_second) + pf_purge_expired_state(cur); + } + } + pf_purge_pickup =3D cur; } =20 int --Boundary-01=_0yx3GPUlzgcylMK-- --nextPart3147102.ViYZi2FlqM Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part. 
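Review bot: pf_purge_pickup keeps a raw struct pf_state pointer alive across calls to pf_purge_expired_states(), and nothing in the hunk clears it when that state is unlinked and freed by another path between two purge runs (a pfsync delete, a pfctl state flush), so the next call resumes its RB_NEXT walk from freed memory; either reset pf_purge_pickup wherever a state is removed outside this function, or save the state's id/creatorid pair and look it up again at the top of the function before resuming. A smaller point: the wrap-around loop restarts at RB_MIN without stopping at the position where the first loop began, so part of the max_purge budget can be spent re-examining states already visited in the same call; harmless, but it weakens the bound the hack is meant to give.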
From owner-freebsd-pf@FreeBSD.ORG Thu Sep 6 00:41:46 2007
Date: Wed, 5 Sep 2007 19:41:24 -0500
Message-ID: <55e8a96c0709051741y4a21bba1ycc1e65d2b7c4332@mail.gmail.com>
From: "Bill Marquette"
To: "Rian Shelley"
Cc: freebsd-pf@freebsd.org
Subject: Re: pfsync errors

On 9/5/07, Rian Shelley wrote:
> As far as I can tell, am having the same problem described by bill
> marquette. I have two firewalls using pfsync, where the secondary
> firewall just increases its state count steadily.
>
> I created a simple libpcap program to watch the pfsync headers flowing
> by, and i see types 8, 4, 2, which are PFSYNC_ACT_UREQ,
> PFSYNC_ACT_UPD_C, PFSYNC_ACT_UPD. I dont see any of type 3 or 5, which
> are the ones that delete state. As far as i can tell, states are
> pumped across the link, but never removed and are left to time out on
> their own.

I'll have to run our scripts again, but I'm pretty sure we were seeing
state deletions. But we certainly were not seeing 1 for 1
insert/deletion messages (one of our clusters frontends the web servers
so we have LOTS of short lived states).

> I'd like to add myself as another datapoint for this problem.
> Currently I am getting about 15k send errors per second, and im up to
> 1.8 million states on the secondary firewall :D

Nice. How much RAM is that eating? I'm happy to hear that FreeBSD seems
to be able to handle a state count this high. What's the state limit in
your config?

--Bill

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 6 00:46:04 2007
Date: Wed, 5 Sep 2007 19:45:40 -0500
Message-ID: <55e8a96c0709051745v45a40cf3qb8d9ff9725ad8a55@mail.gmail.com>
From: "Bill Marquette"
To: "Max Laier"
In-Reply-To: <200709052316.41257.max@love2party.net>
References: <200709052316.41257.max@love2party.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: pfsync errors

On 9/5/07, Max Laier wrote:
>
> Another way to go is setting the queuelength for the internal processing
> queue to something insanely high (1000+). This will most likely work
> around the problem at the cost of burning (mbuf) memory.

Assuming mbuf memory is essentially free, that's certainly not a problem
for me. Is this the max ifqlen patch you had me try last week? If so,
what's a reasonable (relative to insanely high :)) number to set that
multiplier to? 2 times queue length "helped". I don't want to set it so
high that the box panics or something silly :) Or for that matter, stops
forwarding traffic while processing.

We'll give these patches a try in our lab shortly. We just started
getting the Smartbits online to try and duplicate the errors (straight
up udp testing can't replicate it).

--Bill

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 6 06:45:39 2007
Date: Thu, 06 Sep 2007 13:58:11 +1000
Message-ID: <46DF7AD3.9010104@shadow-security.net>
From: Gavin Cooper User-Agent: Thunderbird 2.0.0.6 (Windows/20070728) MIME-Version: 1.0 To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: ports/mail/spamd not greylisting correctly X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Sep 2007 06:45:39 -0000 Hi all, I've been playing with this for a while to get it working and below is my status. First, my setup - (NB, all servers mentioned are running 6-STABLE). I have a FreeBSD tri-homed gateway/router which is where I'm trying to run spamd. On one NIC of the router I have my modem, the second has my private network, the third has my DMZ. The private network doesn't come into this story much at all. The DMZ has my FreeBSD/Qmail Mailserver. My intention is to run spamd on the gateway to reduce the amount of processing the mailserver has to run for Spam Filtering. My strategy is this - spamd on the gateway using a moderate to gentle selection of block lists via spamd-setup. I also (more so) want to configure greylisting. My understanding is that with this setup, pf and spamd work together to send all unknown servers a 455 Temp Failure error and asking them politely to come back later. If they come back after 30 mins (default) they're added to the pf table via spamd. When they come back a third time they're rdr'd to my real mailserver which to this point has no knowledge of the SMTP attempt. Failing to retry the SMTP session in the alloted time essentially means nothing other than the sending server failed to send me mail - presumably spam if they're too busy / poorly configured to come back. Additionally, I can modify a table via a txt file of servers which need not proceed through the greylisting treatment. 
All servers added via spamd-setup are entered into the table and are immediately tarpitted/stuttered on connection. Assuming my understanding is correct thus far, I've configured as follows - spamd is started via rc.conf thus: # options for pf and spamd pf_enable="YES" pfspamd_enable="YES" pfspamd_flags="-g -v -p 8025" pfspamlogd_enable="YES" my spamd.conf is this: (I'll more carefully select lists when I know the config is working) all:\ :spews1:china:korea: # Mirrored from http://www.spews.org/spews_list_level1.txt spews1:\ :black:\ :msg=/usr/local/etc/spamdMsg.txt:\ :method=file:\ :file=/usr/local/etc/spamd/spews_list_level1.txt: # Mirrored from http://www.spews.org/spews_list_level2.txt spews2:\ :black:\ :msg=/usr/local/etc/spamdMsg.txt:\ :method=file:\ :file=www.openbsd.org/spamd/spews_list_level2.txt.gz: # Mirrored from http://www.okean.com/chinacidr.txt china:\ :black:\ :msg=/usr/local/etc/spamdMsg.txt:\ :method=file:\ :file=/usr/local/etc/spamd/chinacidr.txt: # Mirrored from http://www.okean.com/koreacidr.txt korea:\ :black:\ :msg=/usr/local/etc/spamdMsg.txt:\ :method=file:\ :file=/usr/local/etc/spamd/koreacidr.txt: I've mounted fdescfs on /dev/fd (fdescfs) manually and added the appropriate line to my fstab file. I've checked that spamd is running and have proven to myself it's working by telnetting to port 8025 on the localhost and am tarpitted. (On that, I'm note sure that I *should* be tarpitted, but more on that later). In my pf.conf I have commented out my default rdr of tcp/25 to my mailserver and added these six lines: (I've also included a full copy of my pf.conf at the end of this message) table persist table persist table persist file "/usr/local/etc/spamd-mywhite" rdr pass on $ext_if inet proto tcp from to any port smtp -> 127.0.0.1 port 8025 rdr pass on $ext_if inet proto tcp from ! 
to any port smtp -> 127.0.0.1 port 8025 rdr pass on $ext_if inet proto tcp from to any port smtp -> $mail port smtp Those rules make the most sense to me for what I'm trying to do - my understanding is the first hands the table generated by the lists in spamd-setup straight through to the spamd for tarpitting. The second rule sends anything that's NOT in my spamd-mywhite table to spamd to be given a 445 temp failure until they finally prove themselves as sane and are added to spamd-white which is covered by the third rule and sent straight through to my mailserver. So what's happening? When the above rules are applied to pf (pfctl -f /etc/pf.conf) I tested and received the following: telnet port 25 from an external, unknown server and I am tarpitted. Try again after 30 minutes and I'm still tarpitted. /var/log/spamd.log reports xxx.xxx.xxx.xxx Connection 1/10 - or something to that effect. After either typing 'quit' or finishing the SMTP telnet session the log reports xxx.xxx.xxx.xxx disconnected after 383 seconds. This is my biggest problem. It seems no matter what, grey servers are never submitted into the table. Servers in the spamd-mywhite table are allowed through, no questions asked and servers in are tarpitted (that's fine by me). I tested with first an unknown server, was tarpitted indefinitely. I then added the same server to my table and was allowed through. This ws done by issuing the command 'pfctl -t spamd-white -T add xxx.xxx.xxx.xxx'. I then removed this (-T delete xxx.xxx.xxx.xxx) and added the server to the table and was tarpitted. So basically, can anyone see where I'm going wrong with my configuration? My apologies this message is quite lengthy, but I'm hoping that I've provided all information necessary. I eagerly await any assistance provided. 
Check below for my full pf.conf Kind Regards, Sh4d03 ----- /etc/pf.conf ------ (comments about remainder of ruleset are welcome) # Macros # # User-defined variables may be defined and used later, simplifying the # configuration file. Macros must be defined before they are referenced. # # available interfaces ext_if= "tun0" int_if= "vr0" dmz_if= "sis0" # list of networks ext_ip= "2xx.xxx.xxx.xxx" int_net= "192.168.1.0/24" dmz_net= "10.10.1.0/24" # list of hosts mail= "10.10.1.10" mail2= "10.10.1.11" ns= "10.10.1.12" ns2= "10.10.1.13" fserv= "10.10.1.14" desktop= "192.168.1.150" # list of ports webports= "{ 80 }" mailports= "{ 43, 110, 143, 789 }" dnsports= "{ 53 }" fservSSH= "{ 7878 }" fservNFS= "{ 111, 2049, 9875 }" samba= "{ 137, 128, 445 }" mailSSH= "{ 3232 }" mail2SSH= "{ 3333 }" ntp= "{ 123 }" cvsupd= "{ 5999 }" dataweb= "{ 9980 }" torrentflux= "{ 49160:49300 }" rdp= "{ 3389 }" ############################################################################### # Tables # # Tables provide a mechanism for increasing the performance and flexibility # of rules with large numbers of source or destination addresses. # table const { 10/8, 172.16/12 } table persist table persist table persist file "/usr/local/etc/spamd-mywhite" ############################################################################### # Options # # Options tune the behaviour of the packet filtering engine. # set optimization normal set block-policy drop set skip on lo0 ############################################################################### # Traffic Normalization # # Traffic normalization protects internal machines against in Internet # protocols and implementations. # scrub in all no-df random-id scrub out all ############################################################################### # Translation # # Translation rules specify how addresses are to be mapped or redirected to # other addresses. 
#
nat on $ext_if inet from $int_if:network to any -> $ext_ip
nat on $ext_if inet from $dmz_if:network to any -> $ext_ip

###############################################################################
# Redirection
#
# Traffic Redirection (or Port Forwarding) enables traffic to be routed to
# different interfaces, ports and addresses.
#
# Redirect via FTP proxy
rdr on $int_if inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $dmz_if inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# Redirect for mail and web traffic
rdr on $ext_if inet proto tcp from any to any port $mailports -> $mail
rdr on $ext_if inet proto tcp from any to any port $webports -> $mail
rdr on $ext_if inet proto tcp from any to any port $mailSSH -> $mail
rdr on $ext_if inet proto tcp from any to any port $mail2SSH -> $mail2
#rdr on $ext_if inet proto tcp from any to any port smtp -> $mail port smtp

# Redirect for DNS
rdr on $ext_if inet proto { tcp, udp } from any to any port 53 -> $ns

# Redirect for dataserver
rdr on $ext_if inet proto tcp from any to any port $fservSSH -> $fserv
rdr on $ext_if inet proto { tcp, udp } from any to any port $torrentflux -> $fserv
rdr on $ext_if inet proto { tcp, udp } from any to any port $dataweb -> $fserv
rdr on $ext_if inet proto { tcp } from any to any port $rdp -> $desktop

# Redirect for spamd
rdr pass on $ext_if inet proto tcp from to any port smtp -> 127.0.0.1 port 8025
rdr pass on $ext_if inet proto tcp from ! to any port smtp -> 127.0.0.1 port 8025
rdr pass on $ext_if inet proto tcp from to any port smtp -> $mail port smtp

###############################################################################
# Packet Filtering
#
# Stateful and stateless packet filtering provides rule-based blocking or
# passing of packets.
#
# DO NOT ENABLE THE FOLLOWING WITHOUT CAREFUL CONSIDERATION!!!
#pass quick all

# Uncomment the following to allow pings
#pass quick inet proto icmp keep state

# default policy
block in log all
block out log all
block quick from

# trusted interfaces
pass in quick on $int_if all keep state
pass out quick on $int_if all keep state

# dmz interface
pass in quick on $dmz_if inet from $dmz_net to !$int_net keep state
pass out log quick on $dmz_if inet all flags S/SA modulate state

# Cvsup from Lan to DMZ (dataserver)
pass in quick on $int_if inet proto tcp from $int_if:network to $fserv port $cvsupd keep state

# Samba from Lan to DMZ (dataserver)
pass in quick on $int_if inet proto tcp from $int_if:network to $fserv port $samba keep state
pass in quick on $int_if inet proto tcp from $int_if:network to $mail port $mailSSH keep state

# anti-spoofing
block drop in quick on $ext_if inet from to any
block drop out quick on $ext_if inet from any to

# anti-ping
block drop quick inet proto icmp

# outbound traffic (icmp, udp, tcp)
pass out on $ext_if inet proto { tcp } all flags S/SA modulate state
pass out on $ext_if inet proto { udp } all keep state
pass out on $ext_if inet proto { icmp } all keep state

# inbound traffic (firewall)
pass in on $dmz_if inet proto { tcp, udp } from any to $dmz_if port 53 keep state
pass in on $int_if inet proto { tcp, udp } from any to $int_if port 53 keep state
pass in on $int_if inet proto udp from $int_if:network to $int_if port $ntp keep state
pass in on $dmz_if inet proto udp from $dmz_if:network to $dmz_if port $ntp keep state

# inbound traffic (web/mail)
pass in on $ext_if inet proto tcp from any to $mail port $webports keep state \
    (max-src-conn-rate 9/10, overload flush global)
pass in on $ext_if inet proto tcp from any to $mail port $mailports flags S/SA modulate state \
    (max-src-conn-rate 9/10, overload flush global)
pass in log on $ext_if inet proto tcp from any to $mail port smtp flags S/SA modulate state \
    (max-src-conn-rate 9/10, overload flush global)
pass in on $ext_if inet proto tcp from any to $mail port $mailSSH flags S/SA modulate state \
    (max-src-conn-rate 5/10, overload flush global)
pass in on $ext_if inet proto tcp from any to $mail2 port $mail2SSH flags S/SA modulate state \
    (max-src-conn-rate 5/10, overload flush global)

# inbound traffic (dns)
pass in on $ext_if inet proto { tcp, udp } from any to $ns port 53 keep state
pass out on $dmz_if inet proto { tcp, udp } from any to $ns port 53 keep state

# inbound traffic (fileserver)
pass in on $ext_if inet proto tcp from any to any port $fservSSH keep state
pass in on $ext_if inet proto tcp from any to any port $torrentflux keep state
pass in on $ext_if inet proto tcp from any to any port $dataweb keep state
pass in on $int_if inet proto { tcp, udp } from any to any port $fservNFS keep state
pass out on $dmz_if inet proto { tcp, udp } from any to any port $fservNFS keep state

# inbound traffic (desktop)
pass in on $ext_if inet proto tcp from any to any port $rdp keep state
pass out on $int_if inet proto tcp from any to any port $rdp keep state

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 6 11:41:18 2007
Date: Thu, 6 Sep 2007 06:40:43 -0500 (CDT)
From: "Jeremy C. Reed"
To: Gavin Cooper
Cc: freebsd-pf@freebsd.org
In-Reply-To: <46DF7AD3.9010104@shadow-security.net>
References: <46DF7AD3.9010104@shadow-security.net>
Subject: Re: ports/mail/spamd not greylisting correctly

On Thu, 6 Sep 2007, Gavin Cooper wrote:

> table persist file "/usr/local/etc/spamd-mywhite"

The table is not used in your provided pf.conf. I don't think this is related to your problem though.

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 6 14:25:04 2007
Message-ID: <70f41ba20709060658l75fb3c4eiee255151abc07f8@mail.gmail.com>
Date: Thu, 6 Sep 2007 06:58:28 -0700
From: snowcrash
To: "Gavin Cooper"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <46DF7AD3.9010104@shadow-security.net>
References: <46DF7AD3.9010104@shadow-security.net>
Subject: Re: ports/mail/spamd not greylisting correctly

> First, my setup - (NB, all servers mentioned are running
> 6-STABLE)
...
> # options for pf and spamd
> pf_enable="YES"
> pfspamd_enable="YES"
> pfspamd_flags="-g -v -p 8025"
> pfspamlogd_enable="YES"

I currently run FreeBSD 6.2-RELEASE-p7. Checking,

grep PORTVERSION= /usr/ports/mail/spamd/Makefile
PORTVERSION= 4.1.2

iirc, @ the change from spamd v3x->v4x, the required rc.conf options changed.
Check in your startup file "/usr/local/etc/rc.d/obspamd", and you'll see they're now, e.g.,

obspamd_enable="YES"
obspamd_flags="-v -l 127.0.0.1 -b -4 -s5 -S15 -w1 -c 300 -B 200 -h mail.mydomain.com -n tarpit"
obspamlogd_enable="YES"
obspamlogd_flags=""

hth

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 6 20:39:40 2007
Date: Thu, 6 Sep 2007 22:39:36 +0200
From: Gergely CZUCZY
To: freebsd-pf@freebsd.org
Message-ID: <20070906203936.GA7448@harmless.hu>
Subject: duplicate rule on :broadcast

Hello

I've got a configuration when I've got 2 IPs on em0
from the very same subnet. This means they have the
same broadcast address. I have the following rule in my pf.conf:

block in quick on $if_inet proto udp from any to $if_inet:broadcast port 137 label "broadcast deny"

Since I've got two addresses on that interface it expands to the following according to pfctl -sr:

block return in quick on em0 inet proto udp from any to 195.56.55.255 port = netbios-ns label "broadcast deny"
block return in quick on em0 inet proto udp from any to 195.56.55.255 port = netbios-ns label "broadcast deny"

Is it really necessary to have duplicates when the broadcast addresses of the assigned addresses are the very same?

Sincerely,
Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

-- 
Weenies test. Geniuses solve problems that arise.
From owner-freebsd-pf@FreeBSD.ORG Thu Sep 6 21:04:32 2007
From: Max Laier
Organization: FreeBSD
To: "Bill Marquette"
Cc: freebsd-pf@freebsd.org
Date: Thu, 6 Sep 2007 23:04:13 +0200
References: <200709052316.41257.max@love2party.net> <55e8a96c0709051745v45a40cf3qb8d9ff9725ad8a55@mail.gmail.com>
In-Reply-To: <55e8a96c0709051745v45a40cf3qb8d9ff9725ad8a55@mail.gmail.com>
Message-Id: <200709062304.19833.max@love2party.net>
Subject: Re: pfsync errors

On Thursday 06 September 2007, Bill Marquette wrote:
> On 9/5/07, Max Laier wrote:
> > Another way to go is setting the queuelength for the internal
> > processing queue to something insanely high (1000+). This will most
> > likely work around the problem at the cost of burning (mbuf) memory.
>
> Assuming mbuf memory is essentially free that's certainly not a
> problem for me. Is this the max ifqlen patch you had me try last
> week? If so, what's a reasonably (relative to insanely high :))
> number to set that multiplier to? 2 times queue length "helped".
> I don't want to set it so high that the box panics or something silly :)
> Or for that matter, stops forwarding traffic while processing. We'll
> give these patches a try in our lab shortly. We just started getting
> the Smartbits online to try and duplicate the errors (straight up udp
> testing can't replicate it).

Try 1000 (or 20 * maxifqlen iirc).

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 6 22:16:42 2007
Message-ID: <8eea04080709061516k5a35e15qdf85a5f3be34af7b@mail.gmail.com>
Date: Thu, 6 Sep 2007 15:16:41 -0700
From: "Jon Simola"
To: "Gergely CZUCZY"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <20070906203936.GA7448@harmless.hu>
References: <20070906203936.GA7448@harmless.hu>
Subject: Re: duplicate rule on :broadcast

On 9/6/07, Gergely CZUCZY wrote:
> Hello
>
> I've got a configuration when I've got 2 IPs on em0
> from the very same subnet. This means, they have the
> same broadcast address.

ifconfig(8) suggests:

     alias   Establish an additional network address for this interface.
             This is sometimes useful when changing network numbers, and
             one wishes to accept packets addressed to the old interface.
             If the address is on the same subnet as the first network
             address for this interface, a non-conflicting netmask must be
             given.  Usually 0xffffffff is most appropriate.

> Is it really necessary to have duplicates when the
> broadcast addresses of the assigned addresses are the
> very same?

pfctl doesn't check to see if rules created by expansion make sense or duplicate other rules. Doing so would increase the complexity, and duplicate rules end up getting skipped anyways. You may want to check out the -o option for optimizing the running ruleset, or you can rewrite your rule to avoid using :broadcast

if_inet = "int0"
table persist {$if_inet}
block in quick on $if_inet from any to ! port 137 label "broadcast deny"

That has the same effect (block stuff that isn't explicitly addressed to me), and doesn't expand to more than a single rule.
-- 
Jon

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 6 23:54:56 2007
Message-ID: <9DE6EC5B5CF8C84281AE3D7454376A0D6D0099@cetus.dawnsign.com>
From: Doug Sampson
To: "'freebsd-pf@freebsd.org'"
Date: Thu, 6 Sep 2007 16:29:03 -0700
Subject: spamd-mywhite

Hi all,

I've been running pf+obspamd on FBSD 6.2-RELEASE. I appear to be blocking some addresses that appear in my spamd-mywhite file and I don't understand why that would be the case here. I'm guessing I've screwed up my pf.conf file. Here's my config file:

# pfctl -vvnf /etc/pf.conf
ext_if = "rl0"
int_if = "xl0"
internal_net = "192.168.1.1/24"
external_addr = "216.70.250.4"
vpn_net = "10.8.0.0/24"
NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
webserver1 = "192.168.1.4"
set skip on { lo0 }
set skip on { gif0 }
@0 scrub in all fragment reassemble
@1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
@2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
@3 rdr on rl0 inet proto tcp from any to 216.70.250.4 port = http -> 192.168.1.4 port 80
table persist
table persist
table persist file "/usr/local/etc/spamd/spamd-mywhite"
table persist file "/usr/local/etc/spamd/spamd.alloweddomains"
@4 rdr pass inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
@5 rdr pass inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
@6 rdr pass inet proto tcp from ! to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
@7 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
@8 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
@9 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
@10 block drop in log all
@11 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
@12 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
@13 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
@14 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
@15 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
@16 block drop out log quick on rl0 inet from any to 127.0.0.0/8
@17 block drop out log quick on rl0 inet from any to 192.168.0.0/16
@18 block drop out log quick on rl0 inet from any to 172.16.0.0/12
@19 block drop out log quick on rl0 inet from any to 10.0.0.0/8
@20 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
@21 block drop in log quick inet from 192.168.1.25 to any
@22 pass in on xl0 inet from 192.168.1.0/24 to any
@23 pass out log on xl0 inet from any to 192.168.1.0/24
@24 pass out log quick on xl0 inet from any to 10.8.0.0/24
@25 pass out on rl0 proto tcp all flags S/SA modulate state
@26 pass out on rl0 proto udp all keep state
@27 pass out on rl0 proto icmp all keep state
@28 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
@29 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state

/var/log/pflog0 shows the following:

141748 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768
2. 049208 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768
3. 068169 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768
5. 594277 rule 3/0(match): block in on rl0: 205.188.139.137.61419 > 216.70.250.4.25: S 2510359871:2510359871(0) win 24820
525916 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768

# pfctl -t spamd-mywhite -T show | grep 205.188.
No ALTQ support in kernel
ALTQ related functions disabled
   205.188.139.0/24
   205.188.144.0/24
   205.188.156.0/23
   205.188.157.0/24
   205.188.159.0/24

Thus 205.188.159.7 shouldn't be blocked.

# spamdb | grep 205\.188\.
WHITE|205.188.249.132|||1187218293|1187220082|1190330485|13|0
WHITE|205.188.249.67|||1187823652|1187824708|1190935126|12|0
WHITE|66.179.205.188|||1186759482|1186761981|1189872409|9|0
#

spamdb doesn't show any entries for 205.188.159.7. These entries are for AOL mail. I've received complaints from AOL users of mail bouncing back to them. What am I doing wrong? Are CIDR records accepted by pf+obspamd? I can't trace the block back to the proper rules - i.e. rule 3/0 as shown in pflog0 matches up with which rule in pf.conf?

Any suggestions are appreciated!

~Doug
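An added example for the two spamd threads above (Gavin's spamd-mywhite table and Doug's blocked AOL hosts), not code from any of the posts: it parses pflog records, the numbered filter ruleset, the pfctl table listing and spamdb output, and reports which filter rule blocked each SMTP connection and whether the source was supposed to be whitelisted. It relies on the rule number in a pflog record being the zero-based index into the filter ruleset as 'pfctl -vvsr' prints it (not the running @N counter of 'pfctl -vvnf', which also counts scrub, nat and rdr rules); the sample input is constructed from the lines quoted in Doug's post.

```python
"""Cross-check pflog block records against the numbered pf filter ruleset and
the spamd whitelist data.  Added example, not code from the thread; the sample
input is constructed from lines quoted in the thread."""
import ipaddress
import re

# A tcpdump line from pflog0; whatever precedes "rule" (timestamp) is ignored.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(\w+\): (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):")

def parse_pflog(lines):
    """One dict per line that is a pflog record; other lines are ignored."""
    found = (PFLOG_RE.search(line) for line in lines)
    return [dict(m.groupdict(), rule=int(m.group("rule"))) for m in found if m]

def parse_filter_rules(pfctl_sr_output):
    """Map @N -> rule text from 'pfctl -vvsr' output.  That listing holds only
    filter rules, numbered from @0, and a pflog record's rule number is that
    index; the @N counter of 'pfctl -vvnf' also counts scrub/nat/rdr rules."""
    rules = {}
    for line in pfctl_sr_output.splitlines():
        m = re.match(r"\s*@(\d+)\s+(.*\S)", line)
        if m:
            rules[int(m.group(1))] = m.group(2)
    return rules

def parse_table(pfctl_table_output):
    """Networks from 'pfctl -t NAME -T show'; non-address lines (e.g. the
    'No ALTQ support in kernel' notice) are skipped."""
    nets = []
    for line in pfctl_table_output.splitlines():
        try:
            nets.append(ipaddress.ip_network(line.strip(), strict=False))
        except ValueError:
            continue
    return nets

def in_table(addr, nets):
    """True if addr is covered by any table entry, CIDR entries included."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def spamdb_white(spamdb_output):
    """Addresses of WHITE entries; spamdb prints TYPE|ip|from|to|first|pass|expire|blocks|passes."""
    white = set()
    for line in spamdb_output.splitlines():
        f = line.strip().split("|")
        if len(f) == 9 and f[0] == "WHITE":
            white.add(f[1])
    return white

def audit(pflog_lines, pfctl_sr_output, table_output, spamdb_output):
    """For each blocked connection: the blocking filter rule, and whether the
    source is whitelisted in the pf table or in spamdb."""
    rules = parse_filter_rules(pfctl_sr_output)
    nets = parse_table(table_output)
    white = spamdb_white(spamdb_output)
    return [{"src": r["src"], "rule": r["rule"],
             "rule_text": rules.get(r["rule"], "<not in ruleset>"),
             "in_table": in_table(r["src"], nets), "spamdb_white": r["src"] in white}
            for r in parse_pflog(pflog_lines) if r["action"] == "block"]

# Constructed sample input from the post above.  The filter rules are the
# @7.. rules of the 'pfctl -vvnf' listing, renumbered from @0 as 'pfctl -vvsr'
# prints them.
SAMPLE_RULES = """\
@0 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
@1 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
@2 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
@3 block drop in log all
@4 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
"""
SAMPLE_TABLE = ("No ALTQ support in kernel\nALTQ related functions disabled\n"
                "   205.188.139.0/24\n   205.188.144.0/24\n   205.188.156.0/23\n"
                "   205.188.157.0/24\n   205.188.159.0/24\n")
SAMPLE_SPAMDB = ("WHITE|205.188.249.132|||1187218293|1187220082|1190330485|13|0\n"
                 "WHITE|205.188.249.67|||1187823652|1187824708|1190935126|12|0\n")
SAMPLE_PFLOG = [
    "rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: "
    "S 1250664467:1250664467(0) win 32768",
    "rule 3/0(match): block in on rl0: 205.188.139.137.61419 > 216.70.250.4.25: "
    "S 2510359871:2510359871(0) win 24820",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_PFLOG, SAMPLE_RULES, SAMPLE_TABLE, SAMPLE_SPAMDB):
        print(f"{f['src']} blocked by @{f['rule']} ({f['rule_text']}); "
              f"in pf table: {f['in_table']}, spamdb WHITE: {f['spamdb_white']}")
```

On the sample input both blocked sources map to @3 "block drop in log all" and sit inside a CIDR entry of the table, which is the mismatch Doug describes: the filter block fired even though the address was meant to be whitelisted by the rdr pass rule.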