From owner-freebsd-pf@FreeBSD.ORG Mon Jul 28 07:09:47 2008
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C4B071065673 for ; Mon, 28 Jul 2008 07:09:47 +0000 (UTC) (envelope-from news@topocentras.lt)
Received: from mx.agservice.lt (mx.agservice.lt [88.119.128.106]) by mx1.freebsd.org (Postfix) with ESMTP id 7E7C88FC0C for ; Mon, 28 Jul 2008 07:09:47 +0000 (UTC) (envelope-from news@topocentras.lt)
Received: from localhost (localhost [127.0.0.1]) by mx.agservice.lt (Postfix) with ESMTP id EF59E7444A for ; Mon, 28 Jul 2008 09:52:27 +0300 (EEST)
X-Virus-Scanned: amavisd-new at agtrade.lt
Received: from mx.agservice.lt ([127.0.0.1]) by localhost (mail.agtrade.lt [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GuSR0lAPzXS6 for ; Mon, 28 Jul 2008 09:52:25 +0300 (EEST)
Received: from mx.agservice.lt (localhost [127.0.0.1]) (Authenticated sender: news@topocentras.lt) by mx.agservice.lt (Postfix) with ESMTPA id 1FF0274442 for ; Mon, 28 Jul 2008 09:52:25 +0300 (EEST)
Received: from 88.119.128.115 (SquirrelMail authenticated user news@topocentras.lt) by mx.agservice.lt with HTTP; Mon, 28 Jul 2008 09:52:25 +0300 (EEST)
Message-ID: <51307.88.119.128.115.1217227945.squirrel@mx.agservice.lt>
Date: Mon, 28 Jul 2008 09:52:25 +0300 (EEST)
From: news@topocentras.lt
To: freebsd-pf@freebsd.org
User-Agent: SquirrelMail/1.4.10a
MIME-Version: 1.0
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Subject: need help with keep state and shaping
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 28 Jul 2008 07:09:47 -0000

ext_if="bge0"
int_if="bge1"

pass out quick on $ext_if from 10.0.0.1 to any queue upload1
pass out quick on $int_if from any to 10.0.0.1 queue download1

pass out quick on $ext_if from 10.0.0.2 to any queue upload2
pass out quick on $int_if from any to 10.0.0.2 queue download2

pass out quick on $ext_if from 10.0.0.3 to any queue upload3
pass out quick on $int_if from any to 10.0.0.3 queue download3

pass in all
pass out all

#10.0.0.x users subnet

Hello,
I have problems with keep state usage. I need to shape incoming and
outgoing traffic (no NAT).
Before I used syntax like the above, but when I used it with the keyword
"keep state" some users reported problems with traffic.
With FreeBSD 7, pass rules with keep state are not working at all.
The question is how to deal with keep state for in and out traffic when I
need to shape both? I tried to use set state-policy if-bound but it had no
impact.

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 28 11:07:01 2008
Date: Mon, 28 Jul 2008 11:07:01 GMT
Message-Id: <200807281107.m6SB718B078993@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/111220  pf     [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/82271   pf     [pf] cbq scheduler cause bad latency
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o kern/120281  pf     [pf] [request] lost returning packets to PF for a rdr
o kern/122014  pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/124364  pf     [pf] [panic] Kernel panic with pf + bridge
s kern/124933  pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented

6 problems total.

Non-critical problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf     [pf] pf reply-to doesn't work
s conf/110838  pf     [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/114095  pf     [carp] carp+pf delay with high state limit
o kern/114567  pf     [pf] LOR pf_ioctl.c + if.c
o bin/118355   pf     [pf] [patch] pfctl(8) help message options order false
o kern/120057  pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o kern/121704  pf     [pf] PF mangles loopback packets
o kern/122773  pf     [pf] pf doesn't log uid or pid when configured to
o kern/125467  pf     [pf] pf keep state bug while handling sessions between

10 problems total.
From owner-freebsd-pf@FreeBSD.ORG Tue Jul 29 09:25:28 2008
Message-ID: <488EE046.4010602@skoberne.net>
Date: Tue, 29 Jul 2008 11:17:58 +0200
From: Nejc Škoberne
To: freebsd-pf@freebsd.org
Subject: pf randomly blocks specific packets?

Hello,

I have a FreeBSD 7.0 system with jails (and services in them). In one of
the jails there is an Apache server, which also runs on the host system
(and forwards traffic using mod_proxy to the jailed Apache).

Everything works as expected, I only have problems with pf which seems to
block certain packets randomly (not all of them).

This is how my rc.conf on the host system looks (relevant parts):

---------------------------------------------------------------------------------
defaultrouter="172.20.2.1"
ifconfig_em0="inet 172.20.2.2 netmask 255.255.255.0"

pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

apache22_enable="YES"

cloned_interfaces="lo1"
ifconfig_lo1="192.168.223.1"

jail_enable="YES"
jail_sysvipc_allow="YES"
jail_list="mail"
jail_mail_rootdir="/usr/jail/j/mail"
jail_mail_hostname="mail"
jail_mail_ip="192.168.223.10"
jail_mail_interface="lo1 netmask 255.255.255.0"
jail_mail_devfs_enable="YES"
jail_mail_procfs_enable="YES"
jail_mail_devfs_ruleset="devfsrules_jail"
---------------------------------------------------------------------------------

This is how my pf.conf looks:

---------------------------------------------------------------------------------
int_Trust = "em0"
int_Loop = "lo0"
int_Jails = "lo1"
int_jail_mail = "{" $int_Trust "}"

addr_net_Private = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
addr_net_Local = "{" $int_Trust:network ", 172.20.2.0/24, 192.168.0.0/16 }"
addr_sysSvarun = "a.b.c.d"
addr_jail_mail = "192.168.223.10"

svc_TCP_HOST_Private = "{ ssh, iwebmin, itelnet }"
svc_TCP_HOST_Public = "{ ssh, http, https, domain }"
svc_UDP_HOST_Public = "{ domain }"
svc_TCP_jail_mail = "{ smtp, smtps, pop3, pop3s, imap, imaps }"

ICMPTypes = "echoreq"
AllProtocols = "{ tcp, udp, ipv6, icmp, esp, ipencap, gre }"

table persist file "/usr/local/etc/trusted.addresses"

set loginterface $int_Trust

scrub on $int_Trust all no-df random-id reassemble tcp

nat on $int_Trust from $int_Jails:network to any -> $int_Trust

rdr pass on $int_jail_mail proto tcp from any to $int_jail_mail port \
    $svc_TCP_jail_mail -> $addr_jail_mail

block log all

pass in quick on $int_Trust from $addr_sysSvarun to any keep state
pass quick on $int_Loop all
pass quick on $int_Jails all
pass quick inet proto icmp all icmp-type $ICMPTypes keep state
pass in on $int_Trust from any to any keep state
pass out on $int_Trust from any to $addr_net_Local keep state
pass out on $int_Trust from $int_Trust to any keep state
pass out on lo1 from 192.168.223.10 to 192.168.223.10 keep state
---------------------------------------------------------------------------------

So as you can see there is a "pass quick on $int_Jails all" line. Which, as
far as I understand, should do exactly that. But, when I do
"tcpdump -n -r /var/log/pflog", I get these:

10:22:56.353027 IP 192.168.223.10.53777 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:23:06.744057 IP 192.168.223.10.53777 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:23:27.330096 IP 192.168.223.10.53777 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:23:47.918481 IP 192.168.223.10.53777 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:24:08.508126 IP 192.168.223.10.53777 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:24:29.096918 IP 192.168.223.10.53777 > 192.168.223.10.80: R 1:1(0) ack 1 win 8960
10:33:12.341285 IP 192.168.223.10.51214 > 192.168.223.10.80: F 1457218003:1457218003(0) ack 1764186631 win 8960
10:33:12.637811 IP 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:33:13.029827 IP 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:33:13.609705 IP 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:33:14.561443 IP 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:33:16.256344 IP 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:33:19.073348 IP 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:33:24.504722 IP 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:33:35.163039 IP 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:33:56.274140 IP 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:34:38.293842 IP 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:35:20.310801 IP 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:36:02.326561 IP 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:36:44.339793 IP 192.168.223.10.51214 > 192.168.223.10.80: R 1:1(0) ack 1 win 8960

or, if I pass "-e -ttt" parameters to tcpdump as well, these:

rule 0/0(match): block out on lo1: 192.168.223.10.53777 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.53777 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.53777 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.53777 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.53777 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.53777 > 192.168.223.10.80: R 1:1(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 1457218003:1457218003(0) ack 1764186631 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: R 1:1(0) ack 1 win 8960

Which means, pf blocks these packets. Why would this be? The consequence of
blocking these packets is that I get this in the host's Apache server:

[Fri Jul 25 09:57:10 2008] [error] (1)Operation not permitted: proxy: HTTP: attempt to connect to 192.168.223.10:80 (mail) failed
[Fri Jul 25 09:57:10 2008] [error] ap_proxy_connect_backend disabling worker for (mail)
[Fri Jul 25 09:57:10 2008] [error] proxy: HTTP: disabled connection for (mail)

which disables connections to the jailed Apache for a while. Which is very
annoying. However, this (that Apache gets blocked) doesn't always happen, I
would say 10-20 times daily.

Any ideas?
Thanks,
Nejc

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 29 10:10:52 2008
Date: Tue, 29 Jul 2008 03:10:52 -0700
From: Jeremy Chadwick
To: Nejc Škoberne
Cc: freebsd-pf@freebsd.org
Message-ID: <20080729101052.GA65160@eos.sc1.parodius.com>
References: <488EE046.4010602@skoberne.net>
In-Reply-To: <488EE046.4010602@skoberne.net>
Subject: Re: pf randomly blocks specific packets?

On Tue, Jul 29, 2008 at 11:17:58AM +0200, Nejc Škoberne wrote:
> I have a FreeBSD 7.0 system with jails (and services in them). In one of the jails there
> is an Apache server, which also runs on the host system (and forwards traffic using
> mod_proxy to the jailed Apache).
>
> Everything works as expected, I only have problems with pf which seems to block certain
> packets randomly (not all of them).
>
> {snip}

Does removing "reassemble tcp" from your scrub rules fix anything?

I cannot comment on the rest of the ruleset.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 29 10:31:33 2008
Message-ID: <488EE858.9010708@googlemail.com>
Date: Tue, 29 Jul 2008 11:52:24 +0200
From: Peter Wullinger
To: Nejc Škoberne
Cc: freebsd-pf@freebsd.org
References: <488EE046.4010602@skoberne.net>
In-Reply-To: <488EE046.4010602@skoberne.net>
Subject: Re: pf randomly blocks specific packets?

Nejc Škoberne wrote:
> pass in quick on $int_Trust from $addr_sysSvarun to any keep state

Note: You can remove "keep state". This is implicit for newer versions of pf.

> pass quick on $int_Loop all
> pass quick on $int_Jails all

Note: These keep state, see above. You might want to add "no state" here,
to decrease state table usage.
> pass quick inet proto icmp all icmp-type $ICMPTypes keep state
> pass in on $int_Trust from any to any keep state
> pass out on $int_Trust from any to $addr_net_Local keep state
> pass out on $int_Trust from $int_Trust to any keep state
> pass out on lo1 from 192.168.223.10 to 192.168.223.10 keep state
> ---------------------------------------------------------------------------------
>
>
> So as you can see there is a "pass quick on $int_Jails all" line.
> Which, as far
> as I understand, should do exactly that. But, when I do
> "tcpdump -n -r /var/log/pflog", I get these:
>
> 10:22:56.353027 IP 192.168.223.10.53777 > 192.168.223.10.80: F 0:0(0)
> ack 1 win 8960

From the frequency of the logs, it looks like there is heavy load on the
server (or a high connection latency). If so, this may be a problem of
state table exhaustion or timeouts. pf may drop a "dangling, almost
finished" connection before the final "FIN" packet arrives and thus create
such log entries as the final packet gets blocked, when the corresponding
state table entry is not present any more.

Do you monitor your state table size? If this is exhausted, other problems
are likely to occur, too.

>
> Which means, pf blocks these packets. Why would this be? The
> consequence of
> blocking these packets is that I get this in the host's Apache server:
>
> [Fri Jul 25 09:57:10 2008] [error] (1)Operation not permitted: proxy:
> HTTP: attempt to connect to 192.168.223.10:80 (mail) failed

What is being blocked by PF are TCP packets with the FIN bit set. These are
part of the connection shutdown sequence. The error message here indicates
that connection establishment failed. I would find it strange if these are
really related /directly/, but see below.

If I figure out the error message correctly, this means that the
"connect()" system call failed. I guess (would have to confirm by looking at
the source code, but after a short mailing list search it seems to be
likely) that a state table exhaustion can also create "connect()" errors
such as these. "Cannot connect, because pf cannot create a state table
entry for your connection".

To eliminate this possibility, you should monitor the size of your state
table and possibly increase the limits, if so.
Or insert some "no state" statements into your ruleset.

Regards,
Peter

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 29 10:41:31 2008
Message-ID: <488EF3D4.40100@skoberne.net>
Date: Tue, 29 Jul 2008 12:41:24 +0200
From: Nejc Škoberne
To: Jeremy Chadwick
Cc: freebsd-pf@freebsd.org
References: <488EE046.4010602@skoberne.net> <20080729101052.GA65160@eos.sc1.parodius.com>
In-Reply-To: <20080729101052.GA65160@eos.sc1.parodius.com>
Subject: Re: pf randomly blocks specific packets?

Hey,

> Does removing "reassemble tcp" from your scrub rules fix anything?

Will try and let you know if it helps.

Thanks,
Nejc

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 29 11:11:56 2008
Message-ID: <488EFAF7.8000104@skoberne.net>
Date: Tue, 29 Jul 2008 13:11:51 +0200
From: Nejc Škoberne
To: Jeremy Chadwick
Cc: freebsd-pf@freebsd.org
References: <488EE046.4010602@skoberne.net> <20080729101052.GA65160@eos.sc1.parodius.com> <488EF3D4.40100@skoberne.net>
In-Reply-To: <488EF3D4.40100@skoberne.net>
Subject: Re: pf randomly blocks specific packets?

Hey,

>> Does removing "reassemble tcp" from your scrub rules fix anything?
>
> Will try and let you know if it helps.

Looks like this doesn't help. I still get those blocks logged in pflog.

By the way, if I comment out "block log all" from pf.conf, pf doesn't block
those packets any more. But I'd like to have "block log all" turned on, of
course.
Thanks,
Nejc

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 29 11:33:28 2008
Date: Tue, 29 Jul 2008 04:33:28 -0700
From: Jeremy Chadwick
To: Peter Wullinger
Cc: freebsd-pf@freebsd.org
Message-ID: <20080729113328.GA67866@eos.sc1.parodius.com>
References: <488EE046.4010602@skoberne.net> <488EE858.9010708@googlemail.com>
In-Reply-To: <488EE858.9010708@googlemail.com>
Subject: Re: pf randomly blocks specific packets?

On Tue, Jul 29, 2008 at 11:52:24AM +0200, Peter Wullinger wrote:
> Nejc Škoberne wrote:
>> pass in quick on $int_Trust from $addr_sysSvarun to any keep state
> Note: You can remove "keep state". This is implicit for newer versions of pf.
>> pass quick on $int_Loop all
>> pass quick on $int_Jails all
> Note: These keep state, see above. You might want to add "no state" here,
> to decrease state table usage.

Or better, use "set skip on $int_Loop $int_Jails", and avoid having pf
process any of them.

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 29 12:53:53 2008
Message-ID: <488F12DB.8090908@skoberne.net>
Date: Tue, 29 Jul 2008 14:53:47 +0200
From: Nejc Škoberne
To: Peter Wullinger
Cc: freebsd-pf@freebsd.org
References: <488EE046.4010602@skoberne.net> <488EE858.9010708@googlemail.com>
In-Reply-To: <488EE858.9010708@googlemail.com>
Subject: Re: pf randomly blocks specific packets?
Hello,

> Note: You can remove "keep state". This is implicit for newer versions of
> pf.

> Note: These keep state, see above. You might want to add "no state" here,
> to decrease state table usage.

But if it is "no state" it means it eats more CPU? Or not?

> From the frequency of the logs, it looks like there is heavy load
> on the server
> (or a high connection latency). If so, this may be a problem of state
> table exhaustion
> or timeouts. pf may drop a "dangling, almost finished" connection before
> the final "FIN"
> packet arrives and thus create such log entries as the final packet gets
> blocked, when the
> corresponding state table entry is not present any more.

Actually the server was just deployed and there shouldn't be much traffic
going through. I checked with pfctl:

State Table                        Total             Rate
  current entries                     79
  searches                       9652489           16.2/s
  inserts                         486382            0.8/s
  removals                        486303            0.8/s

These seem pretty low, huh?

> To eliminate this possibility, you should monitor the size of your state
> table and possibly increase the limits, if so.
> Or insert some "no state" statements into your ruleset.

So, what would be the next idea to try? For now I did "set skip on
$int_Jails" and it seems to help.

Thanks,
Nejc

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 30 06:43:20 2008
Message-ID: <64686.88.119.128.115.1217400195.squirrel@mx.agservice.lt>
In-Reply-To: <51307.88.119.128.115.1217227945.squirrel@mx.agservice.lt>
References: <51307.88.119.128.115.1217227945.squirrel@mx.agservice.lt>
Date: Wed, 30 Jul 2008 09:43:15 +0300 (EEST)
From: news@topocentras.lt
To: freebsd-pf@freebsd.org
Subject: Re: need help with keep state and shaping
List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Jul 2008 06:43:20 -0000 Hello once more, It whould be very interesting to hear from you how to use keep state for router, shaping in and out traffic. I am using around thousand of queues(hfsc) and it makes a lot of performace problems. Using keep state it would reduce it, but as i mention before, i have problems using it. Sincerely Yours, Albertas > ext_if="bge0" > int_if="bge1" > > pass out quick on $ext_if from 10.0.0.1 to any queue upload1 > pass out quick on $int_if from any to 10.0.0.1 queue download1 > > pass out quick on $ext_if from 10.0.0.2 to any queue upload2 > pass out quick on $int_if from any to 10.0.0.2 queue download2 > > pass out quick on $ext_if from 10.0.0.3 to any queue upload3 > pass out quick on $int_if from any to 10.0.0.3 queue download3 > > pass in all > pass out all > > #10.0.0.x users subnet > > Hello, > I have problems with keep state usage. I need to shape ingoing and > outgoing trafic (no nat). > Before I used sintax like above, but then I used it with keyword "keep > state" some useres reported problems with trafic. > With version FreeBSD 7 with keep state on pass rules are not working at > all. > Question is how to deal with keep state for in and out trafic then i need > to shape both? I tried to use set state-policy if-bound but it had no > impact. 
> > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > From owner-freebsd-pf@FreeBSD.ORG Wed Jul 30 07:58:22 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 40D02106567A for ; Wed, 30 Jul 2008 07:58:22 +0000 (UTC) (envelope-from ivanatora@gmail.com) Received: from qw-out-2122.google.com (qw-out-2122.google.com [74.125.92.26]) by mx1.freebsd.org (Postfix) with ESMTP id F3C8D8FC08 for ; Wed, 30 Jul 2008 07:58:21 +0000 (UTC) (envelope-from ivanatora@gmail.com) Received: by qw-out-2122.google.com with SMTP id 9so105435qwb.7 for ; Wed, 30 Jul 2008 00:58:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=YLUsGub61PzR7oFeahR3JM8zgZnnSCPqpN4+3SlcXn0=; b=eUPxbYRVUPxr6K8Igzbd6oiyeqPeJcnh5uVNVsFZh1RablkDUT3Mi8VUfx9f4mXHnI iP8L9IoYUDBmj916kGijoVbRJS9oZKdBoVyxPXpUb3d9EkoiBIvZr0vk4mA0ve9WbrHD tM5tlFnoUnHFsLww/XFgYOC6V3G3nZyYlueXo= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=wOpn5sXTJnNFBBkzWkKrWlgVI6Rf8eEdtfUY7KMTZMk1nWfqKytyJKOnwX+Qp0aJe+ GRI9c3BF0hJWjci/eOJRmhRbQiIY+z4QTEPQmRWkysIFdPQzcjiWp6vQ75JBrGZ98cIY Bq31UfTT1K1dCefNkGY1P2vwzzbPf6fdMtBDQ= Received: by 10.214.81.3 with SMTP id e3mr4305761qab.92.1217404701152; Wed, 30 Jul 2008 00:58:21 -0700 (PDT) Received: by 10.151.50.12 with HTTP; Wed, 30 Jul 2008 00:58:21 -0700 (PDT) Message-ID: Date: Wed, 30 Jul 2008 10:58:21 +0300 From: "Ivan Petrushev" To: news@topocentras.lt 
In-Reply-To: <64686.88.119.128.115.1217400195.squirrel@mx.agservice.lt> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <51307.88.119.128.115.1217227945.squirrel@mx.agservice.lt> <64686.88.119.128.115.1217400195.squirrel@mx.agservice.lt> Cc: freebsd-pf@freebsd.org Subject: Re: need help with keep state and shaping X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Jul 2008 07:58:22 -0000

Hello Albertas,

I thought 'keep state' is a default behavior in FreeBSD 7 and you don't have to
specify that keyword?

Regards,
Ivan

On Wed, Jul 30, 2008 at 9:43 AM, wrote:
> Hello once more,
> It would be very interesting to hear from you how to use keep state for a
> router shaping in and out traffic.
> I am using around a thousand queues (hfsc) and it causes a lot of
> performance problems. Using keep state would reduce that, but as I mentioned
> before, I have problems using it.
>
> Sincerely Yours,
> Albertas

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 30 08:23:19 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 62DEF1065670 for ; Wed, 30 Jul 2008 08:23:19 +0000 (UTC) (envelope-from buchtajz@borsice.net) Received: from mx.sitkom.cz (mx.sitkom.cz [88.146.187.34]) by mx1.freebsd.org (Postfix) with ESMTP id 1B0FF8FC18 for ; Wed, 30 Jul 2008 08:23:19 +0000 (UTC) (envelope-from buchtajz@borsice.net) Received: from [10.6.1.134] (buchtajz.dlsystem.buchlovice.sfn [10.6.1.134]) by mx.sitkom.cz (Postfix) with ESMTP id 4663F1C4682; Wed, 30 Jul 2008 10:24:54 +0200 (CEST) From: Michal Buchtik To: news@topocentras.lt In-Reply-To: <64686.88.119.128.115.1217400195.squirrel@mx.agservice.lt> References: <51307.88.119.128.115.1217227945.squirrel@mx.agservice.lt> <64686.88.119.128.115.1217400195.squirrel@mx.agservice.lt> Content-Type: text/plain; charset=UTF-8 Date: Wed, 30 Jul 2008 10:22:16 +0200 Message-Id: <1217406136.31805.6.camel@buchtajz> Mime-Version: 1.0 X-Mailer: Evolution 2.12.3 (2.12.3-5.fc8) Content-Transfer-Encoding: 8bit Cc: freebsd-pf@freebsd.org Subject: Re: need help with keep state and shaping X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Jul 2008 08:23:19 -0000

PF makes 2 states per connection, so try this ($int_if is the users' LAN):

pass in quick on $int_if from 10.0.0.1 to any tag user1 queue download1
pass in quick on $ext_if from any to 10.0.0.1 tag user1 queue upload1
pass out quick on $int_if tagged user1 queue download1
pass out quick on $ext_if tagged user1 queue upload1

...and so on for the other users.

news@topocentras.lt wrote on Wed, 30. 07. 2008 at 09:43 +0300:
> Hello once more,
> It would be very interesting to hear from you how to use keep state for a
> router shaping in and out traffic.
> I am using around a thousand queues (hfsc) and it causes a lot of
> performance problems. Using keep state would reduce that, but as I mentioned
> before, I have problems using it.
>
> Sincerely Yours,
> Albertas

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 30 08:29:17 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D1FEF1065672 for ; Wed, 30 Jul 2008 08:29:17 +0000 (UTC) (envelope-from news@topocentras.lt) Received: from mx.agservice.lt (mx.agservice.lt [88.119.128.106]) by mx1.freebsd.org (Postfix) with ESMTP id 8D7538FC17 for ; Wed, 30 Jul 2008 08:29:17 +0000 (UTC) (envelope-from news@topocentras.lt) Received: from localhost (localhost [127.0.0.1]) by mx.agservice.lt (Postfix) with ESMTP id 9B99276351 for ; Wed, 30 Jul 2008 11:29:15 +0300 (EEST) X-Virus-Scanned: amavisd-new at agtrade.lt Received: from mx.agservice.lt ([127.0.0.1]) by localhost (mail.agtrade.lt [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p1VCZ+0UbyS4 for ; Wed, 30 Jul 2008 11:29:13 +0300 (EEST) Received: from mx.agservice.lt (localhost [127.0.0.1]) (Authenticated sender: news@topocentras.lt) by mx.agservice.lt (Postfix) with ESMTPA id 0C19576353 for ; Wed, 30 Jul 2008 11:29:13 +0300 (EEST) Received: from 88.119.128.115 (SquirrelMail authenticated user news@topocentras.lt) by mx.agservice.lt with HTTP; Wed, 30 Jul 2008 11:29:13 +0300 (EEST) Message-ID: <50928.88.119.128.115.1217406553.squirrel@mx.agservice.lt> In-Reply-To: <1217406136.31805.6.camel@buchtajz> References: <51307.88.119.128.115.1217227945.squirrel@mx.agservice.lt> <64686.88.119.128.115.1217400195.squirrel@mx.agservice.lt> <1217406136.31805.6.camel@buchtajz> Date: Wed, 30
Jul 2008 11:29:13 +0300 (EEST) From: news@topocentras.lt To: freebsd-pf@freebsd.org User-Agent: SquirrelMail/1.4.10a MIME-Version: 1.0 Content-Type: text/plain;charset=utf-8 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal Subject: Re: need help with keep state and shaping X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Jul 2008 08:29:18 -0000

Thanks for the suggestion. Is there any difference using set state-policy
if-bound? When should which state policy be used?

Thanks,
Albertas

> PF makes 2 states per connection, so try this
> ($int_if is the users' LAN)
>
> pass in quick on $int_if from 10.0.0.1 to any tag user1 queue download1
> pass in quick on $ext_if from any to 10.0.0.1 tag user1 queue upload1
> pass out quick on $int_if tagged user1 queue download1
> pass out quick on $ext_if tagged user1 queue upload1
> ...and so on for the other users

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 30 09:59:56 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5EA521065679 for ; Wed, 30 Jul 2008 09:59:56 +0000 (UTC) (envelope-from buchtajz@borsice.net) Received: from mx.sitkom.cz (mx.sitkom.cz [88.146.187.34]) by mx1.freebsd.org (Postfix) with ESMTP id 26CDC8FC26 for ; Wed, 30 Jul 2008 09:59:56 +0000 (UTC) (envelope-from buchtajz@borsice.net) Received: from [10.6.1.134] (buchtajz.dlsystem.buchlovice.sfn [10.6.1.134]) by mx.sitkom.cz (Postfix) with ESMTP id 0E9211C4B0D; Wed, 30 Jul 2008 12:01:33 +0200 (CEST) From: Michal Buchtik To: news@topocentras.lt In-Reply-To: <50928.88.119.128.115.1217406553.squirrel@mx.agservice.lt> References: <51307.88.119.128.115.1217227945.squirrel@mx.agservice.lt> <64686.88.119.128.115.1217400195.squirrel@mx.agservice.lt> <1217406136.31805.6.camel@buchtajz> <50928.88.119.128.115.1217406553.squirrel@mx.agservice.lt> Content-Type: text/plain; charset=UTF-8 Date: Wed, 30 Jul 2008 11:58:51 +0200 Message-Id: <1217411931.31805.10.camel@buchtajz> Mime-Version: 1.0 X-Mailer: Evolution 2.12.3 (2.12.3-5.fc8) Content-Transfer-Encoding: 8bit Cc: freebsd-pf@freebsd.org Subject: Re: need help with keep state and shaping X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post:
List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Jul 2008 09:59:56 -0000

I use the default state-policy (floating). As far as I can remember, the
if-bound policy works differently.

news@topocentras.lt wrote on Wed, 30. 07. 2008 at 11:29 +0300:
> Thanks for the suggestion. Is there any difference using set state-policy
> if-bound? When should which state policy be used?
>
> Thanks,
> Albertas

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 31 16:10:02 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 33DBC106566B for ; Thu, 31 Jul 2008 16:10:02 +0000 (UTC) (envelope-from arved@knut.arved.priv.at) Received: from knut.arved.priv.at (knut.arved.priv.at [213.9.70.77]) by mx1.freebsd.org (Postfix) with ESMTP id A3DC58FC24 for ; Thu, 31 Jul 2008 16:10:01 +0000 (UTC) (envelope-from arved@knut.arved.priv.at) Received: from knut.arved.priv.at (knut.arved.priv.at [213.9.70.77]) by knut.arved.priv.at (8.14.2/8.14.2) with ESMTP id m6VFZ7cn062792 for ; Thu, 31 Jul 2008 17:35:12 +0200 (CEST) (envelope-from arved@knut.arved.priv.at) Received: (from arved@localhost) by knut.arved.priv.at (8.14.2/8.14.2/Submit) id m6VFZ6uU062791 for freebsd-pf@freebsd.org;
Thu, 31 Jul 2008 17:35:06 +0200 (CEST) (envelope-from arved) Date: Thu, 31 Jul 2008 17:35:06 +0200 From: Tilman Linneweh To: freebsd-pf@freebsd.org Message-ID: <20080731153506.GA61317@arved.priv.at> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.18 (2008-05-17) Subject: pf dropping packets despite pass all rule X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 31 Jul 2008 16:10:02 -0000

Hi list,

My setup:

LAN -> Router with PF <- gif tunnel with IPSEC -> Server

The router is running FreeBSD 7.0. Protocol is IPv6. ping6 works,
but TCPv6 from LAN to Server does not work, unless I disable PF.

Excerpt from pf.conf:
pass in quick on gif0 all keep state
pass out quick on gif0 all keep state

pflog0 contains some strange packets:
http://arved.priv.at/~arved/strangepackets.pcap

IPSEC_FILTERTUNNEL does not make a difference.

I don't understand why pf is dropping something on gif0. And I can't decode
what kind of packets these are, and why they are necessary for TCPv6.

Any ideas?

regards
arved

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 31 16:26:54 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 217101065675 for ; Thu, 31 Jul 2008 16:26:54 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.171]) by mx1.freebsd.org (Postfix) with ESMTP id ACD3E8FC08 for ; Thu, 31 Jul 2008 16:26:53 +0000 (UTC) (envelope-from max@love2party.net) Received: from vampire.homelinux.org (dslb-088-066-021-193.pools.arcor-ip.net [88.66.21.193]) by mrelayeu.kundenserver.de (node=mrelayeu2) with ESMTP (Nemesis) id 0MKwtQ-1KOazM1WY2-0000cy; Thu, 31 Jul 2008 18:26:52 +0200 Received: (qmail 47107 invoked from network); 31 Jul 2008 16:26:51 -0000 Received: from fbsd8.laiers.local (192.168.4.151) by ns1.laiers.local with SMTP; 31 Jul 2008 16:26:51 -0000 From: Max Laier Organization: FreeBSD To: freebsd-pf@freebsd.org Date: Thu, 31 Jul 2008 18:26:51 +0200 User-Agent: KMail/1.9.52 (FreeBSD/8.0-CURRENT; KDE/4.0.83; i386; ; ) References: <20080731153506.GA61317@arved.priv.at> In-Reply-To: <20080731153506.GA61317@arved.priv.at> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200807311826.51457.max@love2party.net> X-Provags-ID: V01U2FsdGVkX1+HzWxLl05THyWRlWQIiikbtlJ4zG6Olbj7xgF YRVZiDQat4CMQDxcL11duxJHLWAbjDxMwYRlnzykPVlM4gXuoj JxY8rLbX9woQJU2MkQGDw== Cc: Tilman Linneweh Subject: Re: pf dropping packets despite pass all rule X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 31 Jul 2008 16:26:54 -0000

On Thursday 31 July 2008 17:35:06 Tilman Linneweh wrote:
> Hi list,
>
> My setup:
>
> LAN -> Router with PF <- gif tunnel with IPSEC -> Server
>
> The router is running FreeBSD 7.0. Protocol is IPv6. ping6 works,
> but TCPv6 from LAN to Server does not work, unless I disable PF.
>
> Excerpt from pf.conf:
> pass in quick on gif0 all keep state
> pass out quick on gif0 all keep state
>
> pflog0 contains some strange packets:
> http://arved.priv.at/~arved/strangepackets.pcap

That dump is useless, please cap with "-s0".

> IPSEC_FILTERTUNNEL does not make a difference.
>
> I don't understand why pf is dropping something on gif0. And I can't decode
> what kind of packets these are, and why they are necessary for TCPv6.
>
> Any ideas?

I'd suspect ip-options. Try allow-opts and check "pfctl -si". If you really
want to trust gif0 completely, you could simply add "skip on gif0" and pf will
not mess with it at all.

--
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
 X  http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 31 17:38:09 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1622E1065680 for ; Thu, 31 Jul 2008 17:38:09 +0000 (UTC) (envelope-from arved@knut.arved.priv.at) Received: from knut.arved.priv.at (knut.arved.priv.at [213.9.70.77]) by mx1.freebsd.org (Postfix) with ESMTP id B3BCC8FC0C for ; Thu, 31 Jul 2008 17:38:07 +0000 (UTC) (envelope-from arved@knut.arved.priv.at) Received: from knut.arved.priv.at (knut.arved.priv.at [213.9.70.77]) by knut.arved.priv.at (8.14.2/8.14.2) with ESMTP id m6VHc1bI068056; Thu, 31 Jul 2008 19:38:06 +0200 (CEST) (envelope-from arved@knut.arved.priv.at) Received: (from arved@localhost) by knut.arved.priv.at (8.14.2/8.14.2/Submit) id m6VHc1xY068055; Thu, 31 Jul 2008 19:38:01 +0200 (CEST) (envelope-from arved) Date: Thu, 31 Jul 2008 19:38:01 +0200 From: Tilman Linneweh To: Max Laier Message-ID:
<20080731173801.GB61317@arved.priv.at> References: <20080731153506.GA61317@arved.priv.at> <200807311826.51457.max@love2party.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200807311826.51457.max@love2party.net> User-Agent: Mutt/1.5.18 (2008-05-17) Cc: freebsd-pf@freebsd.org Subject: Re: pf dropping packets despite pass all rule X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 31 Jul 2008 17:38:09 -0000

* Max Laier [2008-07-31 18:27]:
> > LAN -> Router with PF <- gif tunnel with IPSEC -> Server
> >
> > The router is running FreeBSD 7.0. Protocol is IPv6. ping6 works,
> > but TCPv6 from LAN to Server does not work, unless I disable PF.
> >
> > Excerpt from pf.conf:
> > pass in quick on gif0 all keep state
> > pass out quick on gif0 all keep state
> >
> > pflog0 contains some strange packets:
> > http://arved.priv.at/~arved/strangepackets.pcap
>
> That dump is useless, please cap with "-s0".

Hm indeed, sorry, http://arved.priv.at/~arved/strangepackets2.pcap

> > IPSEC_FILTERTUNNEL does not make a difference.
> >
> > I don't understand why pf is dropping something on gif0. And I can't decode
> > what kind of packets these are, and why they are necessary for TCPv6.
> >
> > Any ideas?
>
> I'd suspect ip-options. Try allow-opts and check "pfctl -si". If you really
> want to trust gif0 completely, you could simply add "skip on gif0" and pf will
> not mess with it at all.

Ok, allow-opts does not change anything. skip on gif0 works.

pfctl -si confirms that there are packets blocked.

Status: Enabled for 0 days 02:37:07           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Bytes In                               0           261859
  Bytes Out                              0           207299
  Packets In
    Passed                               0             2347
    Blocked                              0               90
  Packets Out
    Passed                               0             2185
    Blocked                              0                0

State Table                          Total             Rate
  current entries                       31
  searches                           44046            4.7/s
  inserts                             2768            0.3/s
  removals                            2737            0.3/s
Counters
  match                              13425            1.4/s
  bad-offset                             0            0.0/s
  [...rest is all zeros]

...and later:

Status: Enabled for 0 days 02:37:21           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Bytes In                               0           263327
  Bytes Out                              0           208711
  Packets In
    Passed                               0             2356
    Blocked                              0               96
  Packets Out
    Passed                               0             2197
    Blocked                              0                0

State Table                          Total             Rate
  current entries                       30
  searches                           44128            4.7/s
  inserts                             2772            0.3/s
  removals                            2742            0.3/s
Counters
  match                              13451            1.4/s
  bad-offset                             0            0.0/s

So yeah, thanks for the "skip on" hint, I can do the filtering on the
non-gif interfaces, but I still would like to know what's going on, and
why these packets are blocked.

regards
arved

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 31 18:03:57 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 067C71065672 for ; Thu, 31 Jul 2008 18:03:57 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.177]) by mx1.freebsd.org (Postfix) with ESMTP id 8D4858FC0C for ; Thu, 31 Jul 2008 18:03:56 +0000 (UTC) (envelope-from max@love2party.net) Received: from vampire.homelinux.org (dslb-088-066-021-193.pools.arcor-ip.net [88.66.21.193]) by mrelayeu.kundenserver.de (node=mrelayeu7) with ESMTP (Nemesis) id 0ML2xA-1KOcVF3UzS-0005Ar; Thu, 31 Jul 2008 20:03:54 +0200 Received: (qmail 48306 invoked from network); 31 Jul 2008 18:03:53 -0000 Received: from fbsd8.laiers.local (192.168.4.151) by laiers.local with SMTP; 31 Jul 2008 18:03:53 -0000 From: Max Laier Organization: FreeBSD To: Tilman Linneweh Date: Thu, 31 Jul 2008 20:03:52 +0200 User-Agent: KMail/1.9.52 (FreeBSD/8.0-CURRENT;
KDE/4.0.83; i386; ; ) References: <20080731153506.GA61317@arved.priv.at> <200807311826.51457.max@love2party.net> <20080731173801.GB61317@arved.priv.at> In-Reply-To: <20080731173801.GB61317@arved.priv.at> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200807312003.53098.max@love2party.net> X-Provags-ID: V01U2FsdGVkX1/ri5SPkLuAsf1bSBn51GF/oDna9WQ0NemdpdB 27Q+6Z254TLm2D19AG8jN8g8P/WJA8DpH/b4kD3FD8hVyqtn7/ VXANme75Rzcs9Hmxf38HQ== Cc: freebsd-pf@freebsd.org Subject: Re: pf dropping packets despite pass all rule X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 31 Jul 2008 18:03:57 -0000

On Thursday 31 July 2008 19:38:01 Tilman Linneweh wrote:
> * Max Laier [2008-07-31 18:27]:
> > That dump is useless, please cap with "-s0".
>
> Hm indeed, sorry, http://arved.priv.at/~arved/strangepackets2.pcap

alright ... for some reason we are blocking the ACKs - i.e. they don't seem
to match any state (and the SYN must have gone through somehow). That can
happen for two reasons: 1) There is no state created 2) Something's wrong with
the state entry or the involved tcp stacks.

To debug this further you could enable pf debug logging (pfctl -xm) and watch
the console for state mismatches ... however ...

> > I'd suspect ip-options. Try allow-opts and check "pfctl -si". If you
> > really want to trust gif0 completely, you could simply add "skip on gif0"
> > and pf will not mess with it at all.
>
> Ok, allow-opts does not change anything. skip on gif0 works.
>
> pfctl -si confirms that there are packets blocked.
>
> Status: Enabled for 0 days 02:37:07           Debug: Urgent
>
> Interface Stats for gif0              IPv4             IPv6
>   Bytes In                               0           261859
>   Bytes Out                              0           207299
>   Packets In
>     Passed                               0             2347
>     Blocked                              0               90
>   Packets Out
>     Passed                               0             2185
>     Blocked                              0                0
>
> State Table                          Total             Rate
>   current entries                       31
>   searches                           44046            4.7/s
>   inserts                             2768            0.3/s
>   removals                            2737            0.3/s
> Counters
>   match                              13425            1.4/s
>   bad-offset                             0            0.0/s
>   [...rest is all zeros]
>
> ...and later:
>
> Status: Enabled for 0 days 02:37:21           Debug: Urgent
>
> Interface Stats for gif0              IPv4             IPv6
>   Bytes In                               0           263327
>   Bytes Out                              0           208711
>   Packets In
>     Passed                               0             2356
>     Blocked                              0               96
>   Packets Out
>     Passed                               0             2197
>     Blocked                              0                0
>
> State Table                          Total             Rate
>   current entries                       30
>   searches                           44128            4.7/s
>   inserts                             2772            0.3/s
>   removals                            2742            0.3/s
> Counters
>   match                              13451            1.4/s
>   bad-offset                             0            0.0/s

... if there is no counter increase on "state-mismatch" (please double-check),
it would suggest that no state is created in the first place. Could you provide
your complete ruleset with rule numbers? (pfctl -vvvsr)

> So yeah, thanks for the "skip on" hint, I can do the filtering on the
> non-gif interfaces, but I still would like to know what's going on, and
> why these packets are blocked.
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From: Tilman Linneweh
To: Max Laier
Cc: freebsd-pf@freebsd.org, Tilman Linneweh
Date: Thu, 31 Jul 2008 21:39:52 +0200
Subject: Re: pf dropping packets despite pass all rule
Message-Id: <96F634DC-33DE-407D-A56C-6E28FE327276@arved.at>
In-Reply-To: <200807312003.53098.max@love2party.net>
References: <20080731153506.GA61317@arved.priv.at> <200807311826.51457.max@love2party.net> <20080731173801.GB61317@arved.priv.at> <200807312003.53098.max@love2party.net>

On Jul 31, 2008, at 20:03, Max Laier wrote:
> alright ... for some reason we are blocking the ACKs - i.e. they don't seem
> to match any state (and the SYN must have gone through somehow). That can
> happen for two reasons: 1) There is no state created 2) Something's wrong with
> the state entry or the involved tcp stacks.
>
> To debug this further you could enable pf debug logging (pfctl -xm) and watch
> the console for state mismatches ... however ...
>
> ... if there is no counter increase on "state-mismatch" (please double-check),
> it would suggest that no state is created in the first place. Could you
> provide your complete ruleset with rule numbers? (pfctl -vvvsr)

There is now a single state-mismatch. But that could be something else.
The debug-logging shows nothing about state mismatch.

@0 scrub in all fragment reassemble
  [ Evaluations: 3890 Packets: 2146 Bytes: 255350 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@0 pass in all flags S/SA keep state
  [ Evaluations: 75 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@1 pass out all flags S/SA keep state
  [ Evaluations: 75 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@2 block return log all
  [ Evaluations: 75 Packets: 23 Bytes: 7440 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@3 pass in quick on sis0 proto tcp from any to any port = ssh flags S/SA keep state
  [ Evaluations: 75 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@4 pass in quick on sis0 proto tcp from any to any port = domain flags S/SA keep state
  [ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@5 pass in quick on sis0 proto tcp from any to any port = smtp flags S/SA keep state
  [ Evaluations: 2 Packets: 30 Bytes: 2340 States: 2 ]
  [ Inserted: uid 0 pid 2258 ]
@6 pass in quick on sis0 proto udp from any to any port = ssh keep state
  [ Evaluations: 22 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@7 pass in quick on sis0 proto udp from any to any port = domain keep state
  [ Evaluations: 22 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@8 pass in quick on sis0 proto udp from any to any port = smtp keep state
  [ Evaluations: 22 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@9 block return out quick on sis0 inet proto udp from 62.178.208.15 to any port = who
  [ Evaluations: 43 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@10 pass in on sis1 inet from 192.168.1.0/24 to any flags S/SA keep state allow-opts
  [ Evaluations: 73 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@11 pass in on sis1 inet6 from 2001:6f8:13fb:3::/64 to any flags S/SA keep state allow-opts
  [ Evaluations: 23 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@12 pass out on sis1 inet from any to 192.168.1.0/24 flags S/SA keep state allow-opts
  [ Evaluations: 25 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@13 pass out on sis1 inet6 from any to 2001:6f8:13fb:3::/64 flags S/SA keep state allow-opts
  [ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@14 pass in on sis1 inet6 all flags S/SA keep state
  [ Evaluations: 25 Packets: 2 Bytes: 144 States: 2 ]
  [ Inserted: uid 0 pid 2258 ]
@15 pass out on sis1 inet6 all flags S/SA keep state
  [ Evaluations: 4 Packets: 2 Bytes: 136 States: 2 ]
  [ Inserted: uid 0 pid 2258 ]
@16 pass in on sis1 inet from 192.168.0.0/16 to any flags S/SA keep state
  [ Evaluations: 25 Packets: 180 Bytes: 51414 States: 21 ]
  [ Inserted: uid 0 pid 2258 ]
@17 pass out on sis1 inet from any to 192.168.0.0/16 flags S/SA keep state
  [ Evaluations: 23 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@18 pass in inet proto icmp all icmp-type echoreq keep state
  [ Evaluations: 69 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@19 pass out inet proto icmp all keep state
  [ Evaluations: 24 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@20 pass out on sis0 proto tcp all flags S/SA keep state
  [ Evaluations: 73 Packets: 160 Bytes: 49118 States: 11 ]
  [ Inserted: uid 0 pid 2258 ]
@21 pass out on sis0 proto udp all keep state
  [ Evaluations: 21 Packets: 21 Bytes: 2100 States: 10 ]
  [ Inserted: uid 0 pid 2258 ]
@22 pass in quick on gif0 all flags S/SA keep state allow-opts
  [ Evaluations: 73 Packets: 382 Bytes: 27496 States: 2 ]
  [ Inserted: uid 0 pid 2258 ]
@23 pass out quick on gif0 all flags S/SA keep state allow-opts
  [ Evaluations: 2 Packets: 3 Bytes: 288 States: 2 ]
  [ Inserted: uid 0 pid 2258 ]
@24 pass in quick on sis0 inet proto ipv6 from any to 62.178.208.15 keep state
  [ Evaluations: 69 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@25 pass out quick on sis0 inet proto ipv6 from 62.178.208.15 to any keep state
  [ Evaluations: 21 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@26 pass in quick proto esp all keep state
  [ Evaluations: 69 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@27 pass in quick proto ipencap all keep state
  [ Evaluations: 45 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@28 pass in quick proto udp from any port = isakmp to any port = isakmp keep state
  [ Evaluations: 45 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@29 pass in quick proto tcp from any port = isakmp to any port = isakmp flags S/SA keep state
  [ Evaluations: 11 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@30 pass out quick proto esp all keep state
  [ Evaluations: 69 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@31 pass out quick proto ipencap all keep state
  [ Evaluations: 24 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@32 pass out quick proto udp from any port = isakmp to any port = isakmp keep state
  [ Evaluations: 24 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@33 pass out quick proto tcp from any port = isakmp to any port = isakmp flags S/SA keep state
  [ Evaluations: 13 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@34 anchor "ftp-proxy/*" all
  [ Evaluations: 69 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@35 pass out inet6 proto tcp from ::1 to any port = ftp flags S/SA keep state
  [ Evaluations: 69 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@36 pass out inet proto tcp from 127.0.0.1 to any port = ftp flags S/SA keep state
  [ Evaluations: 21 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
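The check Max asks for above and Tilman answers (does "state-mismatch" rise together with the blocked count on gif0, or not?) as an added example that is not code from the thread: a POSIX sh script that pulls the relevant counters out of two pfctl -si snapshots and prints the verdict the thread reasons through. The gif0 and Counters numbers are the ones Tilman posted; the state-mismatch lines and the third snapshot are constructed.

```sh
#!/bin/sh
# Added example, not code from the thread: compare two "pfctl -si" snapshots
# and apply the reasoning above (does "state-mismatch" grow together with the
# blocked count on gif0, or not?).  Runs offline on the embedded snapshots.

# Snapshots in the layout pfctl -si prints, trimmed to the relevant lines.
# The gif0 and Counters numbers are the ones Tilman posted; the
# "state-mismatch" lines are constructed (his were "all zeros").
SNAP_BEFORE=$(cat <<'EOF'
Status: Enabled for 0 days 02:37:07           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Packets In
    Passed                               0             2347
    Blocked                              0               90
  Packets Out
    Passed                               0             2185
    Blocked                              0                0

State Table                          Total             Rate
  current entries                       31
Counters
  match                              13425            1.4/s
  bad-offset                             0            0.0/s
  state-mismatch                         0            0.0/s
EOF
)
SNAP_AFTER=$(cat <<'EOF'
Status: Enabled for 0 days 02:37:21           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Packets In
    Passed                               0             2356
    Blocked                              0               96
  Packets Out
    Passed                               0             2197
    Blocked                              0                0

State Table                          Total             Rate
  current entries                       30
Counters
  match                              13451            1.4/s
  bad-offset                             0            0.0/s
  state-mismatch                         0            0.0/s
EOF
)
# Constructed third snapshot: SNAP_AFTER with one state mismatch, the
# situation Tilman reports in his follow-up.
SNAP_LATER=$(printf '%s\n' "$SNAP_AFTER" | sed '/state-mismatch/ s/ 0 / 1 /')

# Total column of one counter from the "Counters" section.
pf_counter() {                # $1 = counter name, $2 = snapshot text
    printf '%s\n' "$2" | awk -v name="$1" '
        /^Counters/ { in_counters = 1; next }
        in_counters && $1 == name { print $2; exit }'
}

# IPv6 "Blocked" count from the "Packets In" block of the interface stats.
pf_blocked_in6() {            # $1 = snapshot text
    printf '%s\n' "$1" | awk '
        /^  Packets In/  { sec = "in";  next }
        /^  Packets Out/ { sec = "out"; next }
        sec == "in" && $1 == "Blocked" { print $3; exit }'
}

# One-line verdict in the terms of the thread.  $1 = earlier, $2 = later snapshot.
pf_verdict() {
    blocked=$(( $(pf_blocked_in6 "$2") - $(pf_blocked_in6 "$1") ))
    mismatch=$(( $(pf_counter state-mismatch "$2") - $(pf_counter state-mismatch "$1") ))
    if [ "$blocked" -gt 0 ] && [ "$mismatch" -eq 0 ]; then
        echo "blocked=$blocked mismatch=0: drops are not state mismatches, so no state is being created; compare the ruleset (pfctl -vvvsr)"
    elif [ "$blocked" -gt 0 ]; then
        echo "blocked=$blocked mismatch=$mismatch: packets reach a state but do not fit it; enable pfctl -xm and watch the console"
    else
        echo "blocked=0: nothing was dropped on this interface between the snapshots"
    fi
}

pf_verdict "$SNAP_BEFORE" "$SNAP_AFTER"
pf_verdict "$SNAP_BEFORE" "$SNAP_LATER"
```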

From: news@topocentras.lt
To: freebsd-pf@freebsd.org
Date: Fri, 1 Aug 2008 13:07:15 +0300 (EEST)
Subject: Re: need help with keep state and shaping
Message-ID: <56637.88.119.128.115.1217585235.squirrel@mx.agservice.lt>
In-Reply-To: <50928.88.119.128.115.1217406553.squirrel@mx.agservice.lt>
References: <51307.88.119.128.115.1217227945.squirrel@mx.agservice.lt> <64686.88.119.128.115.1217400195.squirrel@mx.agservice.lt> <1217406136.31805.6.camel@buchtajz> <50928.88.119.128.115.1217406553.squirrel@mx.agservice.lt>

Hello once more,
What is the difference between state-policy floating and if-bound?
If I am using tagging for incoming and outgoing traffic, which policy do I
need to use?

Thanks,
Albertas

> Thanks for the suggestion. Is there any difference using set state-policy if-bound?
> When to use which state policy?
>
> Thanks, Albertas
>
>> PF makes 2 states per connection, so try this
>> ($int_if is the users' LAN)
>>
>> pass in quick on $int_if from 10.0.0.1 to any tag user1 queue download1
>> pass in quick on $ext_if from any to 10.0.0.1 tag user1 queue upload1
>> pass out quick on $int_if tagged user1 queue download1
>> pass out quick on $ext_if tagged user1 queue upload1
>> ..... and so on for the other users
>>
>> news@topocentras.lt wrote on Wed 30 Jul 2008 at 09:43 +0300:
>>> Hello once more,
>>> It would be very interesting to hear from you how to use keep state for a
>>> router, shaping in and out traffic.
>>> I am using around a thousand queues (hfsc) and it makes a lot of
>>> performance problems. Using keep state would reduce it, but as I
>>> mentioned before, I have problems using it.
>>>
>>> Sincerely Yours,
>>> Albertas
>>>
>>> > ext_if="bge0"
>>> > int_if="bge1"
>>> >
>>> > pass out quick on $ext_if from 10.0.0.1 to any queue upload1
>>> > pass out quick on $int_if from any to 10.0.0.1 queue download1
>>> >
>>> > pass out quick on $ext_if from 10.0.0.2 to any queue upload2
>>> > pass out quick on $int_if from any to 10.0.0.2 queue download2
>>> >
>>> > pass out quick on $ext_if from 10.0.0.3 to any queue upload3
>>> > pass out quick on $int_if from any to 10.0.0.3 queue download3
>>> >
>>> > pass in all
>>> > pass out all
>>> >
>>> > #10.0.0.x users subnet
>>> >
>>> > Hello,
>>> > I have problems with keep state usage. I need to shape incoming and
>>> > outgoing traffic (no nat).
>>> > Before I used syntax like above, but when I used it with keyword "keep
>>> > state" some users reported problems with traffic.
>>> > With version FreeBSD 7 with keep state on pass rules are not working at
>>> > all.
>>> > Question is how to deal with keep state for in and out traffic when I
>>> > need to shape both? I tried to use set state-policy if-bound but it had
>>> > no impact.

From: Michal Buchtik
To: news@topocentras.lt
In-Reply-To: <56637.88.119.128.115.1217585235.squirrel@mx.agservice.lt>
References: <51307.88.119.128.115.1217227945.squirrel@mx.agservice.lt>
 <64686.88.119.128.115.1217400195.squirrel@mx.agservice.lt> <1217406136.31805.6.camel@buchtajz> <50928.88.119.128.115.1217406553.squirrel@mx.agservice.lt> <56637.88.119.128.115.1217585235.squirrel@mx.agservice.lt>
Date: Fri, 01 Aug 2008 12:18:43 +0200
Message-Id: <1217585923.9406.18.camel@buchtajz>
Cc: freebsd-pf@freebsd.org
Subject: Re: need help with keep state and shaping

As I wrote in my last mail, I use the default state-policy (floating).
As I can remember, the if-bound policy works differently.
Leave the default (floating) there.

news@topocentras.lt wrote on Fri 01 Aug 2008 at 13:07 +0300:
> Hello once more,
> What is the difference between state-policy floating and if-bound?
> If I am using tagging for incoming and outgoing traffic, which policy do I
> need to use?
>
> Thanks,
> Albertas

From: "David DeSimone"
Mail-Followup-To: freebsd-pf@freebsd.org
Date: Fri, 1 Aug 2008 12:31:07 -0500
Subject: Re: need help with keep state and shaping
Message-ID: <20080801173107.GC13898@verio.net>
In-Reply-To: <56637.88.119.128.115.1217585235.squirrel@mx.agservice.lt>
References: <51307.88.119.128.115.1217227945.squirrel@mx.agservice.lt> <64686.88.119.128.115.1217400195.squirrel@mx.agservice.lt> <1217406136.31805.6.camel@buchtajz> <50928.88.119.128.115.1217406553.squirrel@mx.agservice.lt> <56637.88.119.128.115.1217585235.squirrel@mx.agservice.lt>

news@topocentras.lt wrote:
>
> What is the difference between state-policy floating and if-bound?

"if-bound" means that the state becomes bound to the particular interfaces
over which traffic was flowing at the start of the connection (when state
is created). If your interfaces have hard assignments that don't change, and
your routing table is static, this is the most secure choice. It means that
traffic which suddenly starts coming in or going out a different interface
than it used to will no longer match the state, and therefore will be
dropped.

The "floating" state does not have this restriction, and traffic can come in
or go out any interface and it will still be matched.

> If I am using tagging for incoming and outgoing traffic, which policy do I
> need to use?

The policy you choose depends on how dynamic your interface and routing
environment are. For instance, if you had multiple ISPs and used a routing
protocol to choose dynamically between them, you would want the "floating"
policy. Likewise, if you use PPP or other types of tunnels which go up and
down, you will want "floating." Otherwise, choose "if-bound" for security
reasons.

--
David DeSimone == Network Admin == fox@verio.net
  "This email message is intended for the use of the person to whom it has
  been sent, and may contain information that is confidential or legally
  protected. If you are not the intended recipient or have received this
  message in error, you are not authorized to copy, distribute, or otherwise
  use this message or its attachments. Please notify the sender immediately
  by return e-mail and permanently delete this message and any attachments.
  Verio, Inc. makes no warranty that this email is error or virus free.
  Thank you." --Lawyer Bot 6000
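An added example that is not code from the thread: a POSIX sh generator for the per-user tag/tagged shaping rules in the shape Michal suggests above, written out for a whole range of hosts, with the global state-policy chosen by the static-versus-dynamic rule David gives. Interface names, subnet and queue names are the thread's; the hfsc queue definitions are assumed to live elsewhere in pf.conf, and the generated text is meant to be checked with pfctl -nf before loading.

```sh
#!/bin/sh
# Added example, not code from the thread: emit the tag/tagged shaping rules
# Michal suggests for every host of a user block, so a ruleset for hundreds
# of users is generated instead of hand-written.  Queue names follow the
# thread (uploadN/downloadN); the queue definitions (altq ... hfsc) are
# assumed to be defined elsewhere in pf.conf.

# Four rules for one user.  $1 = user number, $2 = host address.
# The two "in" rules tag the connection where it enters and name the queue,
# the two "out" rules match that tag on the interface the packet leaves by.
user_rules() {
    n=$1; ip=$2
    printf 'pass in  quick on $int_if from %s to any tag user%s queue download%s\n' "$ip" "$n" "$n"
    printf 'pass in  quick on $ext_if from any to %s tag user%s queue upload%s\n' "$ip" "$n" "$n"
    printf 'pass out quick on $int_if tagged user%s queue download%s\n' "$n" "$n"
    printf 'pass out quick on $ext_if tagged user%s queue upload%s\n' "$n" "$n"
}

# Global state policy: if-bound when interfaces and routes are static (the
# more restrictive choice), floating when links come and go or routing is
# dynamic, since an if-bound state stops matching traffic that moves to
# another interface.  $1 = "static" or "dynamic"
state_policy_for() {
    case "$1" in
        static)  echo "set state-policy if-bound" ;;
        dynamic) echo "set state-policy floating" ;;
        *) echo "state_policy_for: expected static or dynamic, got '$1'" >&2; return 1 ;;
    esac
}

# Whole fragment: macros, policy, then rules for hosts $3..$4 of subnet $2.
# $1 = static|dynamic, $2 = first three octets, $3 = first host, $4 = last host
gen_ruleset() {
    policy=$(state_policy_for "$1") || return 1
    printf 'ext_if="bge0"\nint_if="bge1"\n%s\n\n' "$policy"
    i=$3
    while [ "$i" -le "$4" ]; do
        printf '# user %s\n' "$i"
        user_rules "$i" "$2.$i"
        i=$((i + 1))
    done
    # Anything not claimed by a quick tag rule above falls through to these.
    printf 'pass in all\npass out all\n'
}

# Number of pass rules produced, as a sanity check before pfctl -nf.
rule_count() {                # same arguments as gen_ruleset
    gen_ruleset "$@" | grep -c '^pass'
}

gen_ruleset static 10.0.0 1 3
```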