From owner-freebsd-pf@FreeBSD.ORG Sun Feb 17 13:29:07 2008
Message-ID: <63806.158.193.82.109.1203253913.squirrel@webmail.demax.sk>
Date: Sun, 17 Feb 2008 14:11:53 +0100 (CET)
From: sebosik@demax.sk
To: freebsd-pf@freebsd.org
Subject: Re: enable multicast forwarding in the kernel
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi

> I am customizing my own kernel, and part of it is enabling multicast
> forwarding. I have been trying to figure out how to enable multicast
> forwarding in the kernel for both ipv4 and ipv6
> (e.g. net.inet.ip.mforwarding) but no luck. Can you please help on how to
> do this?

Don't you mind multicast routing? If yes you can configure PIM Sparse-mode
in XORP (it's inside ports -> net/xorp).

Best regards
---
Jan Sebosik, Slovakia
sebosik@demax.sk

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 18 11:07:14 2008
Message-Id: <200802181107.m1IB7Eve039489@freefall.freebsd.org>
Date: Mon, 18 Feb 2008 11:07:14 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/111220  pf     [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/82271   pf     [pf] cbq scheduler cause bad latency
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o bin/116610   pf     [patch] teach tcpdump(1) to cope with the new-style pf
o kern/117827  pf     [pf] [panic] kernel panic with pf and ng
o kern/120281  pf     [request] lost returning packets to PF for a rdr rule

5 problems total.

Non-critical problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf     [pf] pf reply-to doesn't work
o kern/106400  pf     [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
s conf/110838  pf     tagged parameter on nat not working on FreeBSD 5.2
o kern/114095  pf     [carp] carp+pf delay with high state limit
o kern/114567  pf     [pf] LOR pf_ioctl.c + if.c
f kern/116645  pf     [request] pfctl -k does not work in securelevel 3
o kern/118355  pf     [pf] [patch] pfctl help message options order false -t
f kern/119661  pf     [pf] "queue (someq, empy_acks)" doesn't work
o kern/120057  pf     [patch] Allow proper settings of ALTQ_HFSC. The check

10 problems total.
From owner-freebsd-pf@FreeBSD.ORG Wed Feb 20 05:55:28 2008
Message-ID: <37a72e270802192128y68328b6bob38116ef64881466@mail.gmail.com>
Date: Tue, 19 Feb 2008 23:28:53 -0600
From: "Marcin Polewski"
To: freebsd-pf@freebsd.org
Subject: Port triggering

Hello,

I am trying to figure out if PF supports port triggering? Essentially when an
outbound connection is initiated on a certain port, a temporary dynamic
redirection is set up between the external interface to the original host on a
different port.

Thank you,
--Marcin

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 20 13:33:53 2008
Date: Wed, 20 Feb 2008 14:07:09 +0100 (CET)
From: Berkes Gábor
To: freebsd-pf@freebsd.org
Subject: NAT bug?

Hi!

There is a strange NAT behaviour in our cfg.

OS: amd64 7.0-RC1
kernel recompiled with IPSEC and IPSEC_FILTERTUNNEL

We are using isakmp-tools, and we have a dozen ipsec tunnels working fine.
The internal users can do practically anything through NAT. Except one.
There is one user, who has an ipsec client sw on Windoze. The user wants a
connection to a remote customer, through our fw, nat.

If I tcpdump on the external interface I see that all of user traffic is
nat-ed, but udp 500. It was sent out with private address, without nat. In
this case no trace of traffic in pflog (every rule has 'log' directive in
pf.conf).

If using stricter rules, not to allow priv addr to go out, the traffic
appears in pflog, but instead of nat and allow out (like everything else) I
see that pf blocks the outgoing isakmp traffic on external if with the
private address of the PC.

The pf.conf has the recommended order of rules: first nat, after filter.
I tried nat proxy as well (and this is the current cfg), but it did not help
(I didn't really hope).

So how can it be, that everything is nat-ed except udp-isakmp?
Everything is working very well, except this one.

Thanks in advance
Gabor

From owner-freebsd-pf@FreeBSD.ORG Sat Feb 23 01:17:06 2008
Message-Id: <200802230117.m1N1H5eZ031985@freefall.freebsd.org>
Date: Sat, 23 Feb 2008 01:17:05 GMT
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: bin/120974: [patch] bsnmpd(1) snmp_pf module work incorrect when DIOCGETALTQ return queue list not in qid order

Synopsis: [patch] bsnmpd(1) snmp_pf module work incorrect when DIOCGETALTQ return queue list not in qid order

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Sat Feb 23 01:16:52 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=120974
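
Added example, not part of any message in this archive: a check for the symptom reported in the "NAT bug?" message above, packets leaving the external interface with a private source address. It reads `tcpdump -n` text output; the function names, sample lines and all addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 ranges only. ipaddress's is_private is not used because it is also
# true for documentation ranges such as the ones in the sample below.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "IP src[.sport] > dst[.dport]:" as printed by `tcpdump -n` for IPv4.
PKT_RE = re.compile(
    r"\bIP (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?:")


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_untranslated(lines):
    """Return (src, dst, dport) for packets whose source is still private
    while the destination is public, i.e. outbound packets that skipped NAT."""
    hits = []
    for line in lines:
        m = PKT_RE.search(line)
        if not m:
            continue  # not an IPv4 packet line
        src, _sport, dst, dport = m.groups()
        if is_rfc1918(src) and not is_rfc1918(dst):
            hits.append((src, dst, int(dport) if dport else None))
    return hits


def summarize(lines):
    """Count untranslated packets per (source address, destination port)."""
    return Counter((src, dport) for src, _dst, dport in find_untranslated(lines))


# Constructed sample; 203.0.113.5 stands in for the firewall's external address.
SAMPLE = [
    "14:07:01.100001 IP 203.0.113.5.51234 > 198.51.100.20.80: Flags [S], seq 1, win 65535, length 0",
    "14:07:01.200002 IP 192.168.10.23.500 > 198.51.100.20.500: isakmp: phase 1 I ident",
    "14:07:02.300003 IP 203.0.113.5.61001 > 198.51.100.20.53: 1234+ A? example.org. (29)",
    "14:07:03.400004 IP 192.168.10.23.500 > 198.51.100.20.500: isakmp: phase 1 I ident",
    "14:07:03.500005 IP 198.51.100.20.80 > 203.0.113.5.51234: Flags [S.], seq 1, ack 2, win 65535, length 0",
]

if __name__ == "__main__":
    for (src, dport), n in summarize(SAMPLE).items():
        print(f"{n} packet(s) from {src} to port {dport} left without NAT")
```

Grouping by destination port shows at a glance whether the leak is confined to one service, as in the report where only udp 500 was affected.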