From owner-freebsd-pf@FreeBSD.ORG Sun Oct 12 02:02:33 2008
From: Michael K. Smith
Date: Sat, 11 Oct 2008 18:46:58 -0700
Subject: Passive FTP Issues

Hello All:

We are having issues with a "standard" configuration and getting passive ftp
to work. Here are our present rules related to one server $liv_ftp_int/ext

nat on $vlan2_if from $liv_ftp_int to any -> $liv_ftp_ext
rdr pass on ! $vlan924_if proto tcp from any to $liv_ftp_ext port { ftp, 990, 49152:65535 } -> $liv_ftp_int
pass in quick on $vlan2_if proto tcp from any to port { ftp, 49152:65535 } keep state flags S/SA

When we put a "block in log on $vlan2_if" rule before everything else, ftp
breaks. When we move the block rule to the end of the pass rules, it works
like a champ.

Am I missing something obvious? Any help would be greatly appreciated. This
is 6.3 Release 1.

Regards,

Mike

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 13 11:06:54 2008
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 13 Oct 2008 11:06:53 GMT
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/127920  pf     [pf] ipv6 and synproxy don't play well together
o conf/127814  pf     [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf     [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf     [pf] deadlock in pf
o kern/127345  pf     [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf     [pf] [patch] pf incorrect log priority
o kern/127042  pf     [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf     [pf] pf keep state bug while handling sessions between
s kern/124933  pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf     [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf     [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf     [pf] PF mangles loopback packets
o kern/120281  pf     [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf     [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf     [pf] LOR pf_ioctl.c + if.c
o kern/114095  pf     [carp] carp+pf delay with high state limit
o kern/111220  pf     [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf     [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/93825   pf     [pf] pf reply-to doesn't work
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o kern/82271   pf     [pf] cbq scheduler cause bad latency

24 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 14 00:01:48 2008
From: alan yang
To: freebsd-pf@freebsd.org
Date: Mon, 13 Oct 2008 17:01:47 -0700
Subject: Re: packet flow in pf framework

can people shed some light on how packet flow through ether_input,
ether_demux, ip_input, tcp_input the pf code got invoke. really appreciate.

On Thu, Oct 9, 2008 at 3:36 PM, alan yang wrote:
> sorry if this is naive.
>
> i wonder how packet flow in / out pf framework within kernel, is it
> BSD Packet Filter (BPF) approach...?
> appreciate if people can shed some light where to start tracing pf code.
>
> thanks in advance.
>

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 15 20:27:27 2008
From: Jeremy Chadwick
To: Peter Clark
Cc: freebsd-pf@freebsd.org
Date: Wed, 15 Oct 2008 13:27:25 -0700
Subject: Re: PF syntax error

On Wed, Oct 15, 2008 at 12:00:50PM -0500, Peter Clark wrote:
> Hello,
>
> I am not sure if I should be here or over at a pf specific list but here
> is my problem.

I've changed the CC list, so this will now go to the freebsd-pf mailing
list instead.

> I am trying my hand at pf on a 7.0-p5 RELEASE box and one rule is giving
> me problems.
>
> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>
> (max-src-conn 15, max-src-conn-rate 5/3, overload flush
> global)
>
> Actually the "pass in" line does not generate the error. The next line does.
>
> /etc/pf.conf:71: syntax error
> If I remove the line the error goes away (obviously). I have tried using
> the exact line from the FreeBSD pf.conf man page:
>
> (max-src-conn-rate 100/10, overload flush global)
>
> (I changed to )and that generates the same
> error. I tried just using:
> (max-src-conn-rate 100/10)
>
> but that too gives me a syntax error.
>
> Any help is appreciated.

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 15 20:52:31 2008
From: Ermal Luçi
To: Jeremy Chadwick
Date: Wed, 15 Oct 2008 22:32:22 +0200
Cc: Peter Clark, freebsd-pf@freebsd.org
Subject: Re: PF syntax error

On Wed, Oct 15, 2008 at 10:27 PM, Jeremy Chadwick wrote:
> On Wed, Oct 15, 2008 at 12:00:50PM -0500, Peter Clark wrote:
>> Hello,
>>
>> I am not sure if I should be here or over at a pf specific list but here
>> is my problem.
>
> I've changed the CC list, so this will now go to the freebsd-pf mailing
> list instead.
>
>> I am trying my hand at pf on a 7.0-p5 RELEASE box and one rule is giving
>> me problems.
>>
>> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>>
>> (max-src-conn 15, max-src-conn-rate 5/3, overload flush
>> global)

Is it a copy-paste error or you forgot keep state in there?
It should look
pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
keep state(max-src-conn 15, max-src-conn-rate 5/3, overload flush global)

>>
>> Actually the "pass in" line does not generate the error. The next line does.
>>
>> /etc/pf.conf:71: syntax error
>> If I remove the line the error goes away (obviously). I have tried using
>> the exact line from the FreeBSD pf.conf man page:
>>
>> (max-src-conn-rate 100/10, overload flush global)
>>
>> (I changed to )and that generates the same
>> error. I tried just using:
>> (max-src-conn-rate 100/10)
>>
>> but that too gives me a syntax error.
>>
>> Any help is appreciated.
>
> --
> | Jeremy Chadwick                                jdc at parodius.com |
> | Parodius Networking                       http://www.parodius.com/ |
> | UNIX Systems Administrator                  Mountain View, CA, USA |
> | Making life hard for others since 1977.              PGP: 4BD6C0CB |
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 15 21:04:46 2008
From: Jon Radel
To: Ermal Luçi
Cc: Peter Clark, freebsd-pf@freebsd.org
Date: Wed, 15 Oct 2008 17:04:25 -0400
Subject: Re: PF syntax error

Ermal Luçi wrote:
> On Wed, Oct 15, 2008 at 10:27 PM, Jeremy Chadwick wrote:
>> On Wed, Oct 15, 2008 at 12:00:50PM -0500, Peter Clark wrote:
>>> Hello,
>>>
>>> I am not sure if I should be here or over at a pf specific list but here
>>> is my problem.
>> I've changed the CC list, so this will now go to the freebsd-pf mailing
>> list instead.
>>
>>> I am trying my hand at pf on a 7.0-p5 RELEASE box and one rule is giving
>>> me problems.
>>>
>>> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>>>
>>> (max-src-conn 15, max-src-conn-rate 5/3, overload flush
>>> global)
>
> Is it a copy-paste error or you forgot keep state in there?
> It should look
> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
> keep state(max-src-conn 15, max-src-conn-rate 5/3, overload
> flush global)

And here I thought "keep state" was the default in the pf shipped with
FreeBSD 7.0....

Actually, it is, as is "flags S/SA" on TCP connections. Those defaults
came in with the PF from OpenBSD 4.1, which is what is used in FreeBSD 7.0.

--Jon Radel

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 15 21:18:22 2008
From: Ermal Luçi
To: Jon Radel
Cc: Peter Clark, freebsd-pf@freebsd.org
Date: Wed, 15 Oct 2008 23:18:21 +0200
Subject: Re: PF syntax error

On Wed, Oct 15, 2008 at 11:04 PM, Jon Radel wrote:
> Ermal Luçi wrote:
>> On Wed, Oct 15, 2008 at 10:27 PM, Jeremy Chadwick wrote:
>>> On Wed, Oct 15, 2008 at 12:00:50PM -0500, Peter Clark wrote:
>>>> Hello,
>>>>
>>>> I am not sure if I should be here or over at a pf specific list but here
>>>> is my problem.
>>> I've changed the CC list, so this will now go to the freebsd-pf mailing
>>> list instead.
>>>
>>>> I am trying my hand at pf on a 7.0-p5 RELEASE box and one rule is giving
>>>> me problems.
>>>>
>>>> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>>>>
>>>> (max-src-conn 15, max-src-conn-rate 5/3, overload flush
>>>> global)
>>
>> Is it a copy-paste error or you forgot keep state in there?
>> It should look
>> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>> keep state(max-src-conn 15, max-src-conn-rate 5/3, overload
>> flush global)
>
> And here I thought "keep state" was the default in the pf shipped with
> FreeBSD 7.0....

Well, it's just code that tries to be smart if he finds a syntax of the form
pass in quick on $ext_if proto tcp from any to any port 22
other than that it needs to be certain that you meant what you meant.

>
> Actually, it is, as is "flags S/SA" on TCP connections. Those defaults
> came in with the PF from OpenBSD 4.1, which is what is used in FreeBSD 7.0.
>
> --Jon Radel
>
>

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 15 21:54:16 2008
From: Jon Radel
To: Peter Clark
Cc: freebsd-pf@freebsd.org
Date: Wed, 15 Oct 2008 16:53:55 -0400
Subject: Re: PF syntax error

Jeremy Chadwick wrote:
> On Wed, Oct 15, 2008 at 12:00:50PM -0500, Peter Clark wrote:
>> I am trying my hand at pf on a 7.0-p5 RELEASE box and one rule is giving
>> me problems.
>>
>> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>>
>> (max-src-conn 15, max-src-conn-rate 5/3, overload flush
>> global)
>>
>> Actually the "pass in" line does not generate the error. The next line does.
>>
>> /etc/pf.conf:71: syntax error

Are you absolutely, positively positive that the backslash on the end of
the first line has no space or tab character after it and is escaping
the newline character? You're trying to split a single line into two,
and that has to be done just so.

--Jon Radel
AgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDCBhQYJKwYBBAGCNxAEMXgwdjBiMQswCQYD VQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UE AxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0ECEG2TkfF/93Sx9LCftry1 D3YwgYcGCyqGSIb3DQEJEAILMXigdjBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3Rl IENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVt YWlsIElzc3VpbmcgQ0ECEG2TkfF/93Sx9LCftry1D3YwDQYJKoZIhvcNAQEBBQAEggEAv+xp ioGcme7S9Qocy1/tWuq5Sh9ZoAugWyvXW+nEg9E//NFnwXKHMWUHgM0OdW7bngDtLD2KpH7w kebpAjehTTP81C44hwJ9dmsXkHshTTmEsc2iThYjkoFh35kZkzwIIIk3ojstM4bPz6+judaB fvhs1SoID4kCUj4imdDoL80gKKNDLIw08DzcuMpEkhmoo/xDouTGo1ykcruFn2F13kXpFLUs q0DjrcbTz6fMwnpaBVQ3pIJcl6xtJMgauhLZ20+hEYYBcwbGW83KHuyx+AEIYA2aXrAqGAtJ oD5YENCNsLoeBbQ9uGMRRcuT+5jjw/bHU29CcKcNQLheQGeV8gAAAAAAAA== --------------ms020502060204060102060508-- From owner-freebsd-pf@FreeBSD.ORG Wed Oct 15 22:17:52 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D39AA106564A for ; Wed, 15 Oct 2008 22:17:52 +0000 (UTC) (envelope-from clarkp@mtmary.edu) Received: from fear.mtmary.edu (fear.mtmary.edu [208.24.226.210]) by mx1.freebsd.org (Postfix) with ESMTP id AE66C8FC0C for ; Wed, 15 Oct 2008 22:17:52 +0000 (UTC) (envelope-from clarkp@mtmary.edu) Received: from [127.0.0.1] (war.mtmary.edu [172.16.0.200]) by fear.mtmary.edu (Postfix) with ESMTP id 7A1A5596E44; Wed, 15 Oct 2008 16:19:53 -0500 (CDT) Message-ID: <48F65E78.9060905@mtmary.edu> Date: Wed, 15 Oct 2008 16:19:52 -0500 From: Peter Clark User-Agent: Thunderbird 2.0.0.17 (Windows/20080914) MIME-Version: 1.0 To: Jon Radel References: <48F621C2.8080405@mtmary.edu> <20081015202725.GA88225@icarus.home.lan> <9a542da30810151332v54c6a9a8jb00a2afbd8214b26@mail.gmail.com> <48F65AD9.808@radel.com> In-Reply-To: <48F65AD9.808@radel.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit Cc: 
freebsd-pf@freebsd.org, =?ISO-8859-1?Q?Ermal_Lu=E7i?= Subject: Re: PF syntax error X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Oct 2008 22:17:52 -0000 Jon Radel wrote: > Ermal Luçi wrote: >> On Wed, Oct 15, 2008 at 10:27 PM, Jeremy Chadwick wrote: >>> On Wed, Oct 15, 2008 at 12:00:50PM -0500, Peter Clark wrote: >>>> Hello, >>>> >>>> I am not sure if I should be here or over at a pf specific list but here >>>> is my problem. >>> I've changed the CC list, so this will now go to the freebsd-pf mailing >>> list instead. >>> >>>> I am trying my hand at pf on a 7.0-p5 RELEASE box and one rule is giving >>>> me problems. >>>> >>>> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \ >>>> >>>> (max-src-conn 15, max-src-conn-rate 5/3, overload flush >>>> global) >> Is it a copy-paste error or you forgot keep state in there? >> It should look >> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \ >> keep state(max-src-conn 15, max-src-conn-rate 5/3, overload >> flush global) > > And here I thought "keep state" was the default in the pf shipped with > FreeBSD 7.0.... > > Actually, it is, as is "flags S/SA" on TCP connections. Those defaults > came in with the PF from OpenBSD 4.1, which is what is used in FreeBSD 7.0. > > --Jon Radel > A number of people all stated (on this list and on questions-freebsd) that it was because I was missing "keep state" from the directive. Sure enough, when I added that it worked. I am curious why this particular syntax is different from the default of "flags S/SA keep state" for the rest of the connections. Is it only on FreeBSD? Thank you for looking at this. 
Peter Clark From owner-freebsd-pf@FreeBSD.ORG Wed Oct 15 22:19:19 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5F8A9106568A for ; Wed, 15 Oct 2008 22:19:19 +0000 (UTC) (envelope-from 000.fbsd@quip.cz) Received: from elsa.codelab.cz (elsa.codelab.cz [91.103.162.4]) by mx1.freebsd.org (Postfix) with ESMTP id 1A5DA8FC1C for ; Wed, 15 Oct 2008 22:19:18 +0000 (UTC) (envelope-from 000.fbsd@quip.cz) Received: from localhost (localhost.codelab.cz [127.0.0.1]) by elsa.codelab.cz (Postfix) with ESMTP id CA61219E023; Thu, 16 Oct 2008 00:19:17 +0200 (CEST) Received: from [192.168.1.2] (r5bb235.net.upc.cz [86.49.61.235]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by elsa.codelab.cz (Postfix) with ESMTPSA id 8EEE519E02A; Thu, 16 Oct 2008 00:19:15 +0200 (CEST) Message-ID: <48F66C84.3030505@quip.cz> Date: Thu, 16 Oct 2008 00:19:48 +0200 From: Miroslav Lachman <000.fbsd@quip.cz> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: cz, cs, en, en-us MIME-Version: 1.0 To: Jon Radel References: <48F621C2.8080405@mtmary.edu> <20081015202725.GA88225@icarus.home.lan> <9a542da30810151332v54c6a9a8jb00a2afbd8214b26@mail.gmail.com> <48F65AD9.808@radel.com> In-Reply-To: <48F65AD9.808@radel.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit Cc: Peter Clark , freebsd-pf@freebsd.org, =?ISO-8859-1?Q?Ermal_Lu=E7i?= Subject: Re: PF syntax error X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Oct 2008 22:19:19 -0000 Jon Radel wrote: > Ermal Luçi wrote: > >>On Wed, Oct 15, 2008 at 10:27 PM, Jeremy Chadwick wrote: >> 
>>>On Wed, Oct 15, 2008 at 12:00:50PM -0500, Peter Clark wrote: >>> >>>>Hello, >>>> >>>>I am not sure if I should be here or over at a pf specific list but here >>>>is my problem. >>> >>>I've changed the CC list, so this will now go to the freebsd-pf mailing >>>list instead. >>> >>> >>>>I am trying my hand at pf on a 7.0-p5 RELEASE box and one rule is giving >>>>me problems. >>>> >>>>pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \ >>>> >>>> (max-src-conn 15, max-src-conn-rate 5/3, overload flush >>>>global) >> >>Is it a copy-paste error or you forgot keep state in there? >>It should look >>pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \ >>keep state(max-src-conn 15, max-src-conn-rate 5/3, overload >> flush global) > > > And here I thought "keep state" was the default in the pf shipped with > FreeBSD 7.0.... > > Actually, it is, as is "flags S/SA" on TCP connections. Those defaults > came in with the PF from OpenBSD 4.1, which is what is used in FreeBSD 7.0. Yes, keep state is the default, but syntax for source tracking required these explicitly as stated in man pf.conf: ------------- man pf.conf -------------- STATEFUL TRACKING OPTIONS A number of options related to stateful tracking can be applied on a per rule basis. keep state, modulate state and synproxy state support these options, and *keep state must be specified explicitly* to apply options to a rule. 
------------- man pf.conf -------------- Miroslav Lachman From owner-freebsd-pf@FreeBSD.ORG Thu Oct 16 06:05:00 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E4F2B1065692 for ; Thu, 16 Oct 2008 06:05:00 +0000 (UTC) (envelope-from artemrts@ukr.net) Received: from ffe5.ukr.net (ffe5.ukr.net [195.214.192.21]) by mx1.freebsd.org (Postfix) with ESMTP id 9E23C8FC0A for ; Thu, 16 Oct 2008 06:05:00 +0000 (UTC) (envelope-from artemrts@ukr.net) Received: from mail by ffe5.ukr.net with local ID 1KqLyj-000826-Od ; Thu, 16 Oct 2008 09:04:57 +0300 MIME-Version: 1.0 To: Jeremy Chadwick From: "Vitaliy Vladimirovich" X-Life: is great, enjoy it! X-Mailer: freemail.ukr.net mPOP 3.5.2 X-Originating-Ip: [194.0.148.10] In-Reply-To: <20081015202725.GA88225@icarus.home.lan> X-Browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17 Message-Id: Date: Thu, 16 Oct 2008 09:04:57 +0300 X-UkrNet-Flag: 1 Content-Type: text/plain; charset="windows-1251" Content-Transfer-Encoding: 8bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Peter Clark , freebsd-pf@freebsd.org Subject: Re[2]: PF syntax error X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Oct 2008 06:05:01 -0000 --- Original Message --- From: Jeremy Chadwick To: Peter Clark Date: 15 october, 20:27:25 Subject: Re: PF syntax error On Wed, Oct 15, 2008 at 12:00:50PM -0500, Peter Clark wrote: > Hello, > > I am not sure if I should be here or over at a pf specific list but here > is my problem. I've changed the CC list, so this will now go to the freebsd-pf mailing list instead. 
> I am trying my hand at pf on a 7.0-p5 RELEASE box and one rule is giving > me problems. > > pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \ > > (max-src-conn 15, max-src-conn-rate 5/3, overload flush > global) > > Actually the "pass in" line does not generate the error. The next line does. > > /etc/pf.conf:71: syntax error > If I remove the line the error goes away (obviously). I have tried using > the exact line from the FreeBSD pf.conf man page: > > (max-src-conn-rate 100/10, overload flush global) > > (I changed to )and that generates the same > error. I tried just using: > (max-src-conn-rate 100/10) > > but that too gives me a syntax error. > > Any help is appreciated.
If you want to use the stateful tracking options you should specify the source-track option: source-track rule or source-track global.
From owner-freebsd-pf@FreeBSD.ORG Fri Oct 17 17:05:13 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 189131065689 for ; Fri, 17 Oct 2008 17:05:13 +0000 (UTC) (envelope-from gofdp-freebsd-pf@m.gmane.org) Received: from ciao.gmane.org (main.gmane.org [80.91.229.2]) by mx1.freebsd.org (Postfix) with ESMTP id C0C208FC1B for ; Fri, 17 Oct 2008 17:05:12 +0000 (UTC) (envelope-from gofdp-freebsd-pf@m.gmane.org) Received: from root by ciao.gmane.org with local (Exim 4.43) id 1KqsWY-0001AF-KP for freebsd-pf@freebsd.org; Fri, 17 Oct 2008 16:50:02 +0000 Received: from p4fe5cf52.dip.t-dialin.net ([79.229.207.82]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Fri, 17 Oct 2008 16:50:02 +0000 Received: from jumper99 by p4fe5cf52.dip.t-dialin.net with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Fri, 17 Oct 2008 16:50:02 +0000 X-Injected-Via-Gmane: http://gmane.org/ To: freebsd-pf@freebsd.org From: "Helmut Schneider" Date: Fri, 17 Oct 2008 18:43:49 +0200 Lines: 11 Message-ID: Mime-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original Content-Transfer-Encoding: 7bit X-Complaints-To: usenet@ger.gmane.org X-Gmane-NNTP-Posting-Host: p4fe5cf52.dip.t-dialin.net X-MSMail-Priority: Normal X-Newsreader: vi with a tiny GUI... X-MimeOLE: Huh, what?! Sender: news Subject: net-snmp support X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Oct 2008 17:05:13 -0000 Hi, are there any plans/projects to support net-snmp like http://www.packetmischief.ca/openbsd/snmp/#pfmib? Thanks, Helmut -- No Swen today, my love has gone away My mailbox stands for lorn, a symbol of the dawn From owner-freebsd-pf@FreeBSD.ORG Fri Oct 17 17:13:57 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DE64E1065686 for ; Fri, 17 Oct 2008 17:13:57 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.177]) by mx1.freebsd.org (Postfix) with ESMTP id 6B61C8FC12 for ; Fri, 17 Oct 2008 17:13:57 +0000 (UTC) (envelope-from max@love2party.net) Received: from vampire.homelinux.org (dslb-088-064-184-198.pools.arcor-ip.net [88.64.184.198]) by mrelayeu.kundenserver.de (node=mrelayeu5) with ESMTP (Nemesis) id 0ML25U-1Kqstf2kM1-0000qC; Fri, 17 Oct 2008 19:13:56 +0200 Received: (qmail 49151 invoked from network); 17 Oct 2008 17:13:54 -0000 Received: from fbsd8.laiers.local (192.168.4.151) by router.laiers.local with SMTP; 17 Oct 2008 17:13:54 -0000 From: Max Laier Organization: FreeBSD To: freebsd-pf@freebsd.org Date: Fri, 17 Oct 2008 19:13:53 +0200 User-Agent: KMail/1.10.1 (FreeBSD/8.0-CURRENT; KDE/4.1.1; i386; ; ) References: In-Reply-To: MIME-Version: 1.0 Content-Type: 
text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200810171913.54009.max@love2party.net> X-Provags-ID: V01U2FsdGVkX18KZzRaAoN4+u9u8dcE+PzSUDdH7CtHdvpZDdQ w28qEe22/l3kBKY+zg8PIhZAILv/lpTIkg1DDj0eNx+wm3xtyk eaBgi8GyE2Rgswz7/4YpQ== Cc: Subject: Re: net-snmp support X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Oct 2008 17:13:58 -0000 On Friday 17 October 2008 18:43:49 Helmut Schneider wrote: > are there any plans/projects to support net-snmp like > http://www.packetmischief.ca/openbsd/snmp/#pfmib? We have a pf-mib in bsnmpd, see http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/bsnmpd/modules/snmp_pf/ Not sure if that's the same as the one you are after, but there is a definition in that directory so it's easy enough to check. 
-- /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News From owner-freebsd-pf@FreeBSD.ORG Fri Oct 17 19:00:45 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9A544106568A for ; Fri, 17 Oct 2008 19:00:45 +0000 (UTC) (envelope-from gofdp-freebsd-pf@m.gmane.org) Received: from ciao.gmane.org (main.gmane.org [80.91.229.2]) by mx1.freebsd.org (Postfix) with ESMTP id 504958FC1B for ; Fri, 17 Oct 2008 19:00:44 +0000 (UTC) (envelope-from gofdp-freebsd-pf@m.gmane.org) Received: from list by ciao.gmane.org with local (Exim 4.43) id 1KquYy-000723-JO for freebsd-pf@freebsd.org; Fri, 17 Oct 2008 19:00:40 +0000 Received: from p4fe5cf52.dip.t-dialin.net ([79.229.207.82]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Fri, 17 Oct 2008 19:00:40 +0000 Received: from jumper99 by p4fe5cf52.dip.t-dialin.net with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Fri, 17 Oct 2008 19:00:40 +0000 X-Injected-Via-Gmane: http://gmane.org/ To: freebsd-pf@freebsd.org From: "Helmut Schneider" Date: Fri, 17 Oct 2008 21:00:29 +0200 Lines: 20 Message-ID: References: <200810171913.54009.max@love2party.net> Mime-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original Content-Transfer-Encoding: 7bit X-Complaints-To: usenet@ger.gmane.org X-Gmane-NNTP-Posting-Host: p4fe5cf52.dip.t-dialin.net X-MSMail-Priority: Normal X-Newsreader: vi with a tiny GUI... X-MimeOLE: Huh, what?! 
Sender: news Subject: Re: net-snmp support X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Oct 2008 19:00:45 -0000 Max Laier wrote: > On Friday 17 October 2008 18:43:49 Helmut Schneider wrote: >> are there any plans/projects to support net-snmp like >> http://www.packetmischief.ca/openbsd/snmp/#pfmib? > > We have a pf-mib in bsnmpd, see > http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/bsnmpd/modules/snmp_pf/ > > Not sure if that's the same as the one you are after, but there is a > definition in that directory so it's easy enough to check. For lack of knowledge in C and ports I will try to contact the maintainer of net-snmp. What is the preferred way, open a PR? Helmut -- No Swen today, my love has gone away My mailbox stands for lorn, a symbol of the dawn
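An added example, not part of any message in this archive and not project code: a small Python lint for the two causes raised in the "PF syntax error" thread earlier in this archive, whitespace after a line-continuation backslash and a stateful tracking option group without an explicit keep state. The function names, the option list and the sample rules (including the table name `<sample_table>`) are constructed for illustration.

```python
import re

# Stateful tracking options named in the thread (a subset of pf.conf(5)).
STATE_OPTS = ("max-src-conn", "max-src-conn-rate", "overload", "source-track")
OPT_RE = re.compile(r"(?<![\w-])(?:%s)(?![\w-])" % "|".join(map(re.escape, STATE_OPTS)))
STATE_KW_RE = re.compile(r"\b(?:keep|modulate|synproxy)\s+state\s*$")
BAD_CONT_RE = re.compile(r"\\[ \t]+$")

MSG_CONT = "whitespace after trailing backslash; the newline is not escaped"
MSG_STATE = "stateful tracking options without explicit keep/modulate/synproxy state"


def logical_lines(text):
    """Yield (first_line_no, joined_rule, bad_continuation_line_nos)."""
    start, parts, bad = None, [], []
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if BAD_CONT_RE.search(raw):
            # Report it, but still join so the intended rule is checked as a whole.
            bad.append(no)
            parts.append(BAD_CONT_RE.sub("", raw))
            continue
        if raw.endswith("\\"):
            parts.append(raw[:-1])
            continue
        parts.append(raw)
        yield start, " ".join(parts), bad
        start, parts, bad = None, [], []
    if parts:  # file ended on a continuation line
        yield start, " ".join(parts), bad


def lint_pf_conf(text):
    """Return a list of (line_no, message) findings for a pf.conf text."""
    findings = []
    for start, rule, bad in logical_lines(text):
        findings.extend((no, MSG_CONT) for no in bad)
        if rule.lstrip().startswith("#"):
            continue
        for group in re.finditer(r"\(([^)]*)\)", rule):
            has_opts = OPT_RE.search(group.group(1))
            # The option group must directly follow "keep state" (or modulate/synproxy).
            if has_opts and not STATE_KW_RE.search(rule[:group.start()]):
                findings.append((start, MSG_STATE))
    return findings


# Constructed sample: the failing rule, a rule with a space after the backslash,
# and the corrected rule.
SAMPLE = (
    "pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \\\n"
    "    (max-src-conn 15, max-src-conn-rate 5/3, overload <sample_table> flush global)\n"
    "pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \\ \n"
    "    keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <sample_table> flush global)\n"
    "pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \\\n"
    "    keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <sample_table> flush global)\n"
)

if __name__ == "__main__":
    for line_no, message in lint_pf_conf(SAMPLE):
        print("line %d: %s" % (line_no, message))
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it and remains the authoritative check; the lint only points at the two causes discussed in the thread.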