From owner-freebsd-pf@FreeBSD.ORG Mon Feb 2 11:06:57 2009
Date: Mon, 2 Feb 2009 11:06:57 GMT
Message-Id: <200902021106.n12B6vet094513@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/130977  pf    [netgraph][pf] kernel panic trap 12 on user connect to
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/129060  pf    [pf] [tun] pf doesn't forget the old tun IP
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf    [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf    [pf] deadlock in pf
o kern/127345  pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to successfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/82271   pf    [pf] cbq scheduler cause bad latency

30 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 3 11:56:04 2009
Message-ID: <49882A91.3050307@sebster.com>
Date: Tue, 03 Feb 2009 12:29:21 +0100
From: Sebastiaan van Erk
To: freebsd-pf@FreeBSD.org
Subject: GRE not natted on FreeBSD 7.1-p2
Hi,

I've just upgraded my old old old FreeBSD 6.3 firewall box to FreeBSD 7.1-p2.

However, now my firewall will suddenly no longer NAT GRE, so none of the client connections to remote (PPTP) VPNs are working.

When trying to connect from the client (10.1.0.6) to the internet, everything works fine (tcp/udp are natted), but when trying to set up a VPN my firewall log says:

  3. 004630 rule 6/0(match): block out on vr0: 10.1.0.6 > 193.46.80.81: GREv1, call 55191, seq 10, proto PPP (0x880b), length 36: [|ppp]

(vr0 is my external interface, which is connected to the ADSL modem)

The rule that is blocking is:

  @6 block drop out log quick on vr0 inet from ! 192.168.1.2 to any

(192.168.1.2 is my "external" address). This rule is supposed to block any internal stuff going out that is not NATted properly. It is correct to block my client (10.1.0.6), since it should have had its address translated.

My nat rule is simple (and DOES NAT tcp/udp):

  nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if

The entire config is attached. Am I doing something stupid? Does anybody know what I'm doing wrong?

Thanks in advance,
Sebastiaan

Attachment: pf.conf

#============================================================================
# MACROS
#----------------------------------------------------------------------------
# External (internet, natted) interface.
ext_if = "vr0"
ext_net = $ext_if:network
ext_ip = "192.168.1.2"
ext_gw = "192.168.1.1"

# Internal (trusted) interface.
int_if = "rl0"
int_net = $int_if:network
int_ip = "10.0.0.1"

# Wifi (untrusted) interface.
wifi_if = "rl1"
wifi_net = $wifi_if:network
wifi_ip = "10.1.0.1"

# Allowed ICMP types.
icmp_types = "{ echoreq, echorep, timex, unreach }"

# Services.
tcp_services = "{ ssh, http, https, 8881 }"
udp_services = "{ 8881 }"

# Internal IPs.
blauwoor_ip = "10.1.0.6"
printer_ip = "10.0.0.2"

# Internal ports.
blauwoor_torrent_port = 7880

#============================================================================
# TABLES
#----------------------------------------------------------------------------
# The angle-bracketed table names were stripped by the list archive; <self>
# and <int_net> below are reconstructed from the tables' contents and are
# an assumption, not the names in the posted file.
table <self> const { self }
table <int_net> const { $int_net }

#============================================================================
# OPTIONS
#----------------------------------------------------------------------------
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"

#============================================================================
# NORMALIZATION
#----------------------------------------------------------------------------
# Reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

#============================================================================
# QUEUING
#----------------------------------------------------------------------------
altq on $ext_if priq bandwidth 900Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

#============================================================================
# NAT
#----------------------------------------------------------------------------
# Packets going out through $ext_if with source address $int_net or $wifi_net
# will get translated as coming from the address of $ext_if, a state is
# created for such packets, and incoming packets will be redirected to the
# internal address.
nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if

#============================================================================
# REDIRECTS
#----------------------------------------------------------------------------
# Torrent for blauwoor.
rdr on $ext_if proto { tcp, udp } from any to $ext_ip port $blauwoor_torrent_port -> $blauwoor_ip

#============================================================================
# BASIC FILTERING RULES
#----------------------------------------------------------------------------
# Skip loopback interface.
set skip on lo0

# Activate spoofing protection for all interfaces.
antispoof for { vr0, rl0, rl1 } inet

# Block and log packets going out the external interface that do
# not have the external ip address. They are either spoofed or
# else something is misconfigured (e.g. NAT disabled).
block out log quick on $ext_if from !$ext_ip to any

# Silently drop broadcasts (so they do not clog the logs).
block in quick on $ext_if from any to 255.255.255.255

# Set up default deny policy.
block log all

# Prioritize TCP acks.
pass out on $ext_if proto tcp from $ext_if to any queue (q_def, q_pri)
pass in on $ext_if proto tcp from any to $ext_if queue (q_def, q_pri)

#============================================================================
# CUSTOM FILTERING RULES
#----------------------------------------------------------------------------
# Open up for allowed ICMP types.
pass in quick inet proto icmp all icmp-type $icmp_types

# Open up GRE for VPNs
pass quick proto gre

# Open up LAN network.
pass in quick on $int_if from $int_net to any
pass out quick on $int_if from any to $int_net

# Open up WIFI network, but block access to private networks.
# The destination table name was stripped by the archive; <int_net> is
# assumed from the comment above and the table defined in TABLES.
pass in quick on $wifi_if from $wifi_net to any
pass out quick on $wifi_if from any to $wifi_net
block in on $wifi_if from $wifi_net to <int_net>

# Open up outgoing traffic to internet.
pass out quick on $ext_if proto tcp all
pass out quick on $ext_if proto { udp, icmp } all

# Open up services to internet.
pass in quick on $ext_if proto tcp from any to $ext_ip port $tcp_services
pass in quick on $ext_if proto udp from any to $ext_ip port $udp_services

# Open up services and dns to wifi
pass in quick on $wifi_if proto tcp from any to port $tcp_services
pass in quick on $wifi_if proto udp from any to port $udp_services
pass in quick on $wifi_if proto udp from $wifi_net to $int_ip port domain

# Printer for wifi
pass in quick on $wifi_if proto { tcp, udp } from any to $printer_ip

# Torrent for blauwoor.
pass in quick on $ext_if proto { tcp, udp } from any to $blauwoor_ip port $blauwoor_torrent_port
From owner-freebsd-pf@FreeBSD.ORG Tue Feb 3 12:45:18 2009
From: "torsten Kersandt"
References: <49882A91.3050307@sebster.com>
In-Reply-To: <49882A91.3050307@sebster.com>
Date: Tue, 3 Feb 2009 12:17:36 -0000
Message-ID: <004101c985f9$66fcbc40$34f634c0$@net>
Subject: RE: GRE not natted on FreeBSD 7.1-p2

Hi Sebastian

I use the following:

  # VPN GRE PROTOCOL
  pass in proto gre all keep state
  pass out proto gre all keep state

That works fine for me. I have read somewhere that the pass quick is not what you want, but I could be wrong.

Regards
Torsten

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Sebastiaan van Erk
Sent: 03 February 2009 11:29
To: freebsd-pf@FreeBSD.org
Subject: GRE not natted on FreeBSD 7.1-p2

Hi,

I've just upgraded my old old old FreeBSD 6.3 firewall box to FreeBSD 7.1-p2.

However, now my firewall will suddenly no longer NAT GRE, so none of the client connections to remote (PPTP) VPNs are working.

When trying to connect from the client (10.1.0.6) to the internet, everything works fine (tcp/udp are natted), but when trying to set up a VPN my firewall log says:

  3. 004630 rule 6/0(match): block out on vr0: 10.1.0.6 > 193.46.80.81: GREv1, call 55191, seq 10, proto PPP (0x880b), length 36: [|ppp]

(vr0 is my external interface, which is connected to the ADSL modem)

The rule that is blocking is:

  @6 block drop out log quick on vr0 inet from ! 192.168.1.2 to any

(192.168.1.2 is my "external" address). This rule is supposed to block any internal stuff going out that is not NATted properly. It is correct to block my client (10.1.0.6), since it should have had its address translated.

My nat rule is simple (and DOES NAT tcp/udp):

  nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if

The entire config is attached. Am I doing something stupid? Does anybody know what I'm doing wrong?

Thanks in advance,
Sebastiaan

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 3 13:29:26 2009
Message-ID: <498846B2.1080306@sebster.com>
Date: Tue, 03 Feb 2009 14:29:22 +0100
From: Sebastiaan van Erk
To: freebsd-pf@FreeBSD.org
In-Reply-To: <49882A91.3050307@sebster.com>
Subject: Re: GRE not natted on FreeBSD 7.1-p2

Hi,

I changed the GRE rule to:

  pass out quick proto gre

and it was still giving me the same errors after flushing the firewall:

  pfctl -f /etc/pf.conf

Log:

  3. 003875 rule 6/0(match): block out on vr0: 10.1.0.6 > 193.46.80.81: GREv1, call 55191, seq 7, proto PPP (0x880b), length 36: [|ppp]

But a few minutes later I started up the VPN (without having changed anything in the firewall), and now it suddenly did work. I don't know where the delay comes from, I've never seen that before...

Regards,
Sebastiaan

Sebastiaan van Erk wrote:
> Hi,
>
> I've just upgraded my old old old FreeBSD 6.3 firewall box to FreeBSD
> 7.1-p2.
>
> However, now my firewall will suddenly no longer NAT GRE, so none of the
> client connections to remote (PPTP) VPNs are working.
>
> When trying to connect from the client (10.1.0.6) to the internet,
> everything works fine (tcp/udp are natted), but when trying to set up a
> VPN my firewall log says:
>
> 3. 004630 rule 6/0(match): block out on vr0: 10.1.0.6 > 193.46.80.81:
> GREv1, call 55191, seq 10, proto PPP (0x880b), length 36: [|ppp]
>
> (vr0 is my external interface, which is connected to the ADSL modem)
>
> The rule that is blocking is:
> @6 block drop out log quick on vr0 inet from ! 192.168.1.2 to any
>
> (192.168.1.2 is my "external" address). This rule is supposed to block
> any internal stuff going out that is not NATted properly. It is correct
> to block my client (10.1.0.6), since it should have had its address
> translated.
>
> My nat rule is simple (and DOES NAT tcp/udp):
>
> nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if
>
> The entire config is attached. Am I doing something stupid? Does anybody
> know what I'm doing wrong?
>
> Thanks in advance,
> Sebastiaan

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 3 13:48:47 2009
Message-ID: <1401.78.105.9.127.1233668925.squirrel@webmail.cnc-london.net>
In-Reply-To: <498846B2.1080306@sebster.com>
References: <49882A91.3050307@sebster.com> <498846B2.1080306@sebster.com>
Date: Tue, 3 Feb 2009 13:48:45 -0000 (GMT)
From: "torsten"
To: freebsd-pf@freebsd.org
Reply-To: torsten@cnc-london.net
Subject: Freebsd 7.1 route-to, reply-to working now??

Hi

I have seen an announcement just a month ago that the route-to and keep session is now fixed. Can anyone confirm in which release or source it is in the kernel (7.1-RELEASE, HEAD, CURRENT)? I know that the question was asked but no definite answer could be found.

Thanks
Torsten

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 4 18:56:16 2009
Message-ID: <4989E220.2070606@nviz.net>
Date: Wed, 04 Feb 2009 18:44:48 +0000
From: Greg Hennessy
To: Sebastiaan van Erk
Cc: freebsd-pf@freebsd.org
In-Reply-To: <49882A91.3050307@sebster.com>
Subject: Re: GRE not natted on FreeBSD 7.1-p2

Sebastiaan van Erk wrote:
>
>
> nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if
>

This is the nub of the problem, 'hide' NAT breaks GRE.

To successfully do 'Many:1' NAT of GRE requires a rewrite of the GRE call id header to track each session in a manner analogous to rewriting the source port of a 'hide' natted tcp/udp session.

The last time I looked, Daniel, Henning et al have not added that facility to PF as of yet.

You can statically translate the flow instead which should sort the problem.
Greg

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 4 20:34:33 2009
Message-ID: <4989FBD6.1030801@sebster.com>
Date: Wed, 04 Feb 2009 21:34:30 +0100
From: Sebastiaan van Erk
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
References: <49882A91.3050307@sebster.com> <4989E220.2070606@nviz.net>
In-Reply-To: <4989E220.2070606@nviz.net>
Subject: Re: GRE not natted on FreeBSD 7.1-p2

Greg Hennessy wrote:
> Sebastiaan van Erk wrote:
>>
>> nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if
>>
> This is the nub of the problem, 'hide' NAT breaks GRE.
>
> To successfully do 'Many:1' NAT of GRE requires a rewrite of the GRE
> call id header to track each session in a manner analogous to rewriting
> the source port of a 'hide' natted tcp/udp session.
>
> The last time I looked, Daniel, Henning et al have not added that
> facility to PF as of yet.
>
> You can statically translate the flow instead which should sort the
> problem.
>
> Greg

Thanks for the reply. I have a feeling that my "upstream" ADSL modem has a similar issue, because what I did was use multiple "external" addresses on my pf machine (192.168.1.2, 192.168.1.3, etc.) and I was getting really strange behavior (that is, when starting a PPTP session on 192.168.1.2 I'd get GRE packets back on 192.168.1.3 from the ADSL modem, which presumably still had an old NAT rule from a recent session via the .3 address).

In the end I took the plunge and kicked PPTP out of the equation (since all the remote servers are managed by me anyway), and converted everything to OpenVPN with bridging. All my problems have vaporized and I've learned quite a bit in the process.
Regards,
Sebastiaan

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 5 02:51:25 2009
Message-Id: <397AAEFD-1C61-4EB4-8913-461A43EA9E2C@bitchx.it>
Date: Thu, 5 Feb 2009 03:24:41 +0100
From: Mij
To: freebsd-pf@freebsd.org
Subject: bridge and PF for transparent proxy

Hello folks,

On a FBSD7.1 box I would like to implement this sort of "transparent reverse proxy":

    inet <---> (vr0)(vr1) <---> host

Such a box is expected to

1) pass transparently anything from inet to host and vice versa
2) redirect some of such traffic (some well-defined TCP connections) from "inet" to an application listening on 127.0.0.1 on the box
3) make this application connect to "host" pretending to be the original source -- that is, using as source address the address of the client that connected to it from inet

I use bridge(4) over vr0 and vr1 to implement 1). I use something similar to http://marc.info/?l=openbsd-misc&m=108089194621750&w=2 for 2).

Although from the network perspective 3) seems easily feasible as well, I cannot think of a reasonable setup on the box host for it.

Does anyone have some advice for it?
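Greg's point in the "GRE not natted" thread above (GRE has no port, so a 'hide' NAT collapses every inside PPTP client talking to one server into a single state, and a true many:1 translator would have to rewrite the GRE Call ID the way it rewrites a source port) is illustrated by this added Python model; it is not code from the thread or from pf. The enhanced-GRE header layout follows RFC 2637, the addresses are constructed samples, and register_call() is an assumed stand-in for what a real translator would learn from the PPTP control channel on TCP/1723.

```python
"""Model of why pf's 'hide' NAT cannot carry two PPTP sessions and what a
Call-ID-rewriting translator would have to track.

Added example, not code from the thread or from pf.  The enhanced-GRE
header layout follows RFC 2637; addresses are constructed samples."""
import struct

GRE_PPTP = 0x880B                 # protocol type of PPTP's enhanced GRE
FLAG_K, FLAG_S = 0x20, 0x10       # byte 0: Key present, Sequence present
FLAG_A = 0x80                     # byte 1: Ack present (low 3 bits = version 1)


def build_pptp_gre(call_id, payload, seq=None, ack=None):
    """Build an enhanced-GRE packet; S and A bits only when seq/ack are given."""
    b0 = FLAG_K | (FLAG_S if seq is not None else 0)
    b1 = (FLAG_A if ack is not None else 0) | 1
    hdr = struct.pack("!BBHHH", b0, b1, GRE_PPTP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_pptp_gre(pkt):
    """Return (call_id, payload); reject anything that is not PPTP enhanced GRE."""
    if len(pkt) < 8:
        raise ValueError("short GRE header")
    b0, b1, proto, plen, call_id = struct.unpack("!BBHHH", pkt[:8])
    if proto != GRE_PPTP or not (b0 & FLAG_K) or (b1 & 0x07) != 1:
        raise ValueError("not PPTP enhanced GRE")
    off = 8 + (4 if b0 & FLAG_S else 0) + (4 if b1 & FLAG_A else 0)
    return call_id, pkt[off:off + plen]


def set_call_id(pkt, call_id):
    """Rewrite only the 16-bit Call ID field (bytes 6..7) of a GRE packet."""
    return pkt[:6] + struct.pack("!H", call_id) + pkt[8:]


class HideNat:
    """'nat on $ext_if from $int_net to any -> $ext_if' applied to GRE: with no
    port to key on, every inside host reaching the same server shares one
    reverse key (proto, server, ext_ip)."""

    def __init__(self, ext_ip):
        self.ext_ip, self.reverse = ext_ip, {}      # server -> first inside host

    def register_call(self, inside_host, call_id):
        return call_id                              # hide NAT never touches it

    def outbound(self, src, dst, gre):
        self.reverse.setdefault(dst, src)           # second host gets no state of its own
        return self.ext_ip, dst, gre

    def inbound(self, src, dst, gre):
        # A reply from the server matches whichever state was created first.
        return self.reverse.get(src), gre


class CallIdNat:
    """The facility Greg describes: treat the Call ID like a source port.
    In PPTP the Call ID in a GRE packet names the receiver's call, so
    client->server packets already carry the server's id and need only the IP
    rewrite, while server->client packets carry the client's id.  The NAT
    hands each inside session a unique external id and maps it back on entry.
    A real implementation learns the client's id from the TCP/1723 control
    channel; here register_call() supplies it directly (an assumption)."""

    def __init__(self, ext_ip):
        self.ext_ip, self.next_id = ext_ip, 0x4000
        self.calls = {}                             # external id -> (host, inside id)

    def register_call(self, inside_host, inside_call_id):
        ext_id, self.next_id = self.next_id, self.next_id + 1
        self.calls[ext_id] = (inside_host, inside_call_id)
        return ext_id                               # the id the server will address

    def outbound(self, src, dst, gre):
        return self.ext_ip, dst, gre                # carries the server's id: unchanged

    def inbound(self, src, dst, gre):
        call_id, _ = parse_pptp_gre(gre)
        if call_id not in self.calls:
            return None, gre                        # unknown session: drop
        host, inside_id = self.calls[call_id]
        return host, set_call_id(gre, inside_id)


def demo(nat_cls, ext="192.0.2.1", server="198.51.100.7"):
    """Two inside hosts call the same PPTP server, both using client Call ID 1.
    Returns {inside host: (host its reply was delivered to, Call ID it saw)}."""
    nat, hosts, ext_ids, result = nat_cls(ext), ["10.0.0.2", "10.0.0.3"], {}, {}
    for h in hosts:
        ext_ids[h] = nat.register_call(h, 1)
        nat.outbound(h, server, build_pptp_gre(7, b"ppp-lcp", seq=1))
    for h in hosts:
        reply = build_pptp_gre(ext_ids[h], b"ppp-lcp", seq=1, ack=1)
        delivered_to, gre = nat.inbound(server, ext, reply)
        result[h] = (delivered_to, parse_pptp_gre(gre)[0])
    return result


if __name__ == "__main__":
    print("hide NAT   :", demo(HideNat))     # both replies land on 10.0.0.2
    print("call-id NAT:", demo(CallIdNat))   # each host gets its own reply
```

With the hide NAT both replies are delivered to the first host; the static 1:1 translation Greg suggests sidesteps the problem because a dedicated external address per inside client makes (proto, server, ext_ip) unique again, and in pf that is what a binat rule expresses.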
From owner-freebsd-pf@FreeBSD.ORG Thu Feb 5 17:26:56 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 43A2C1065715 for ; Thu, 5 Feb 2009 17:26:56 +0000 (UTC) (envelope-from lawrence.auster@att.net) Received: from eastrmmtao104.cox.net (eastrmmtao104.cox.net [68.230.240.46]) by mx1.freebsd.org (Postfix) with ESMTP id DDD838FC25 for ; Thu, 5 Feb 2009 17:26:55 +0000 (UTC) (envelope-from lawrence.auster@att.net) Received: from eastrmimpo03.cox.net ([68.1.16.126]) by eastrmmtao104.cox.net (InterMail vM.7.08.02.01 201-2186-121-102-20070209) with ESMTP id <20090205172655.LARR3752.eastrmmtao104.cox.net@eastrmimpo03.cox.net> for ; Thu, 5 Feb 2009 12:26:55 -0500 Received: from 9elei ([72.196.247.230]) by eastrmimpo03.cox.net with bizsmtp id CHSp1b0044yzo8g02HSsVG; Thu, 05 Feb 2009 12:26:55 -0500 X-Authority-Analysis: v=1.0 c=1 a=0SupJxqRzSMA:10 a=kJTAj4xyIcUA:10 a=8da1oD9WnRMA:10 a=83w08j1LAAAA:8 a=E8-wytWAAAAA:8 a=tpmbEzLDrbVtqtOxwFsA:9 a=TRknvpt0WwlApOZwZygA:7 a=2x8-k7kbg6_3UEo4wgNBtzypWWwA:4 a=6gryP8oqIuwA:10 a=HeoGohOdMD0A:10 a=5FtdkfQUxfIA:10 a=sh6PArqQtYdngLzxv5aEQJAsMbE=:19 X-CM-Score: 0.00 From: "Lawrence Auster" To: freebsd-pf@freebsd.org Content-Type: text/plain; charset="US-ASCII" Date: Thu, 5 Feb 2009 18:26:47 +0100 X-Priority: 3 Message-Id: <20090205172655.LARR3752.eastrmmtao104.cox.net@eastrmimpo03.cox.net> Subject: Wealth of U.S.A. Plundered by Jews -- The Holocaust is Now Catholic Dogma -- Why No Neocon Assassinations? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: lawrence.auster@att.net List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Feb 2009 17:27:01 -0000 Wealth of U.S.A. 
Plundered by Jews Thursday, 05 February 2009 By Texe Marrs It's all over the media, how one Wall Street crook, Bernie Madoff, masterminded the greatest Ponzi scheme in history. Bernie ripped off investors to the tune of $50 billion, and they're still counting. Fifty billion! That's more than the current market value of General Motors, Disney, Boeing, and Anheuser-Busch combined. And just one solitary individual—a corrupt, money-grabbing Jew named "Madoff"—is the culprit. But, wait...hold on. Is this one crime the whole picture, the full extent of Wall Street's monumental scam and robbery extravaganza? Not by a long shot! Yes Virginia, There is a Santa Claus Citibank's Jewish money-shovelers stole some $200 billion—and then got the idiots at the U.S. Treasury to dole out some $160 billion of our—the suffering taxpayers—hard-earned money into their coffers. Yes, Virginia, there is a Santa Claus and his name is "Uncle Sam." America's banking industry is exclusively Jewish-run. The same goes for Wall Street brokerage and investment houses. Investigate for yourself and you'll discover that the New York-Chicago money crowd is nearly 100 percent Jews. They're the ones—these bamboozling and crafty, satanic Jews—who greedily have broken the backs of millions of bedraggled and unsuspecting American workers through their unparalleled lust for filthy lucre. Jesus told us this would be the case. He warned us in advance. He gave the Jews a choice: God or Mammon. They chose Mammon (i.e., money) and then added icing to their cake on earth by torturing, mocking, then finally nailing our Lord and Savior to a wooden cross. Oh, excuse me. The Jews didn't do it themselves. They never do. They got the Romans to do their dirty work. Pilate at first refused, until the Jews made it clear to the Roman Governor he better do their bidding, or else. Like today's miserly and cowardly politicians, Pilate caved in. 
Crucified on a Cross of Gold Now, it's America's turn to be crucified, on a cross of Jewish-owned gold. The Jews of Wall Street are the perps of this crucifixion. They run Wall Street, have their grimy hands all over our U.S. Treasury, force Congress to bow down and worship their murderous idol, "Israel," and then lie and cast blame elsewhere. Now Bernie Madoff, former chairman of the NASDAQ Stock Exchange, is only one of thousands of money manipulating Jewish thugs running loose in these 50 states—and they all have Gentile lackeys kissing their feet and mopping floors for them—men like George W. ("McMoron") Bush, Bill ("Bimbo") Clinton, and Vice President Joe ("Big Mouth Clown") Biden, just to name a few. But consider the damage that this one scheming Jew, Madoff, did and multiply that times, say, 100,000. Writing in the Business section of the Austin American-Statesman (December 28, 2008), news reporter Scott Burns commented on the Madoff robbery: "The loss is mind-boggling...One way to measure the extent of the damage is to compare the $50 billion to measures of loss in the FBI Uniform Crime Reports. In 2007 there were 9.8 million crimes against property in the United States. This included about 2.2 million burglaries, 6.6 million thefts, and 1.1 million car thefts. I think you'll agree that 9.8 million crimes represent a veritable army of miscreants. In spite of that, our total losses to such property crimes in 2007 throughout the entire United States were a mere $17.6 billion... But when you add up all the losses in 9.8 million common property crimes, it's just a fraction of the estimated $50 billion loss attributed to Madoff. Jews Also Behind the Most Inhumane, Bloody Crime in History Think of it. One evil Jew, Madoff, made off with a staggering total equal to somewhere near the losses of about 30 million crimes. There's more, of course. It's not just the money. 
The Jews are also behind the most sinister and bloody inhuman crime ever committed in the annals of human history—the Soviet Communist Holocaust. The late Aleksandr Solzhenitsyn, the 20th century's most acclaimed literary figure and historian, reported in his final book, Two Hundred Years Together, that the Jews were the revolutionary conspirators and mass murderers responsible for the Communist holocaust in which a mind-warping 66 million innocent victims were tortured, imprisoned in filthy, gruesome gulag camps and, finally, unmercifully executed. Lenin, Trotsky, Kaganovich—all these Communist monsters were Jews and their talmudic goal was a global Communist "Utopia," led, of course, exclusively by Zionist Jews. Allegedly—and I use that word advisedly—the Jews accuse Hitler and his Nazis of the murder of six million in the misnamed German "holocaust." Modern-day researchers, however, are discovering that this figure, six million, is grossly exaggerated so that Jews can appear as "victims" and thus continue incessantly to demand money and reparations from a clueless and guilt-filled Gentile world. 66 Million Butchered by Jews! Nevertheless, contrast this six million Jewish dead number to Solzhenitsyn's very accurate statistic of 66 million slain by the psychopathic Jewish Communists in the former Soviet Union. Many, if not most, of these victims were Christians. (Note: Jews were favored in the U.S.S.R. and synagogues were protected. Anti-Semitic "crimes"—even thought crimes—were met with death sentences by Jewish courts in the Soviet justice system). Tally it up: 66 million Christians slaughtered by the Jews, 6 million (allegedly) by the Nazis. That's eleven dead Christians for each and every Jew. The world has no sorrow for these 66 million dead, their survivors get no reparations, and their Jewish tormentors—including scores of Jewish Gulag Commandants—today remain free. 
Some live in luxury in Israel and pleasurably enjoy fat bank accounts, money plundered from hapless Christian victims. Barack Obama, America's First Jewish President The Jews did it to Russia, Ukraine, Georgia, Estonia, Kazakhstan, and all the other Communist prison nations. Now, in 2009, they're scheduled to do the same thing to the once, great U.S.A. Barack Obama—whom Chicago's wealthiest Jews boast is America's "First Jewish President"—is their chosen instrument. Wily, cunning, handsome, Obama has a cohort Jew to assist him in this assigned mission of human and national destruction. That would be Rahm "The Cruel" Emanuel, the Enforcer, the new White House Chief of Staff. Just for writing this article, I expect to be placed near the top of this wicked man's "Hit List." And I suspect there will be so many on this list that the White House and its Homeland Security Department will need a whole warehouse full of computers just to store all the millions of names. FDR had his "New Deal;" today, in 2009, Barack Hussein Obama and his Trotskyite, left-hand lieutenant, the beady-eyed Israeli dual citizen, "Rahm the Cruel," have in mind the "Jew Deal." The goal: The Sovietization of America, the extinguishing of our historic Bill of Rights, the end of U.S. sovereignty, and the death of multitudes who will refuse to bow down to the ruthless tyrants who wear the six-pointed Red Star in their hearts like a dagger. "If You Can, Come and Take It" Our enemies, regrettably, occupy the highest offices in the land. But they don't have everything they desire and lust for. They don't have the fawning allegiance and docile service of you, me, and thousands of other patriots who bravely oppose their black-hearted plot. I am not, by nature, a violent man, and I pray fervently for peace and harmony to prevail. 
I pray, too, that the schemes of the Zionist Jews plotting against America will fail, that our Constitution will be respected and that the corrupt money-thieves on Wall Street and elsewhere will soon be outed and put in prisons, where they belong. But if not, then I say, let us fight for the right. Here we stand, by virtue of Truth and Justice, and I say to Obama, Emanuel, and the other Zionist traitors: "Here we are; if you can, come and take it, but know this: You have a fight on your hands, because we will not go quietly out into that soft, sweet night. And believe me, you can take that, along with your ill-begotten gains, to the bank." Source : http://ziopedia.org/articles/jewry/wealth_of_u.s.a._plundered_by_jews/ ----<>---- The Holocaust is Now Catholic Dogma Thursday, 05 February 2009 By Mark Glenn The last time a Pope of the Catholic Church defined an infallible dogma was in the year 1950. Pope Pius XII used this power reserved for the Vicar of Christ when speaking ex cathedra to define the Dogma of the Assumption of Mary. It was an extraordinary event because a pope using the power of infallibly to define a dogma is done so rarely, and most popes have never used this power. Before Pius XII, the last pope to invoke papal infallibly to define a dogma was Pius IX in 1854, when he defined the Dogma of the Immaculate Conception. Both of these dogmas referred to events that had occurred 19 centuries before , and that had been studied by the best minds of the Church for almost as long. That’s because when making an infallible statement - it goes without saying - it can’t contain any errors! Fast forward to 2009 and Pope Benedict XVI has just defined a new dogma regarding a secular event that has nothing to do with the Faith. Moreover, this ‘dogmatic event’ only occurred in the middle of the 20th Century- and no one is allowed to investigate to see if it contains any errors! 
A dogma is an infallible teaching of the Catholic Church that must be believed by every Catholic or they’re not in communion with the Church. In the past, a dogma referred only to a matter of Christian faith, and Catholics could believe whatever they wanted about historical events. But today’s remarks from the Vatican make it clear that the Jewish version of the Holocaust, in which 6 million Jews were killed in gas chambers, must be believed by every Catholic or they’re not in communion with the Church. That makes the Holocaust an official ‘dogma’ of the Catholic Faith (*sarcasm*). Here’s the news out of the Vatican. On Jan. 28, the pope said he felt “full and indisputable solidarity” with Jews, and warned against any denial of the full horror of the Nazi genocide. Bishop Williamson, in order to be admitted to episcopal functions within the church, will have to take his distance, in an absolutely unequivocal and public fashion, from his position on the Shoah, which the Holy Father was not aware of when the excommunication was lifted,” the statement said. The Shoah is the Hebrew term for the Holocaust. Jewish groups welcomed the Vatican statement, saying it satisfied their key demand. “This was the sign the Jewish world has been waiting for,” said Ronald Lauder, president of the World Jewish Congress. Yes, this is the sign the Jewish world has been waiting for, but what exactly does this “sign” really mean? It means that in the post-Vatican II Church, the “Shoah” has replaced the Crucifixion as the central event in history. And do you notice the subtle switcheroo here? Now, instead of the central tenet of the Christian faith pertaining to the murder of the Christ by Jews, the new central tenet refers to the murder of Jews by Christians! This should come as no surprise to those who understand what really lies at the heart of the problem. At its core, this is a spiritual battle that’s being waged above our heads. It’s Christ vs. 
anti-Christ, and each of us must choose a side. Lucifer wanted to be equal to God and out of pride refused to accept being a servant. When he uttered his famous “non servium” he took a third of the angels with him and set about waging war against God. When God sent His Son to redeem the world, Lucifer tried to prevent it. He took Jesus to the mountain top and tempted Him, saying “if you just bow down and worship me, I will give you all these things.” Jesus told the devil to buzz off. The Jews who rejected Jesus as the Messiah did so out of racial pride and ambition. They wanted an earthly kingdom where they would always be the ‘Chosen Ones’ and did not want to share a kingdom with the gentiles. But Jesus emphatically said that His kingdom was not of this world and to share the good news with the gentiles. The Jews who accepted the Messiah became the first Christians, and those who rejected Him fell into spiritual blindness. Satan takes advantage of Jewish hatred of Jesus and uses them to battle against the Church of Christ. The Jews continue to wait for a wordly Messiah, but the Messiah they await is known to us as the anti-Christ. Therefore, all Christians must love and pray for the Jewish people to accept Christ as the Messiah, thereby snatching them from the jaws of Satan, whom they don’t realize they are serving. This battle between Christ and anti-Christ is 2,000 years old and all popes throughout history have waged it (at least until 1958). That’s what makes the Church’s post-Vatican II attitude toward the Jews so perplexing, since it enables them to continue in spiritual blindness and sets the stage for the coming of the anti-Christ. Pope Leo XIII had a vision at the end of the 19th Century in which he forsaw that the devil had been given extra powers for 100 years to try to destroy the Church. 
This seems to coincide with the shift in power that took place in the 20th Century when after two world wars, the Jews took Palestine and solidified their control over the West. This was also the century in which the Jews unleashed their most deadly weapon, Communism, which caused the deaths of millions of people. But these people’s genocides go unnoticed and certainly have not been declared ”dogma” by a pope of the Catholic Church. Another clue that something is amiss inside the Church is that the Second Vatican Council refused to condemn Communism, but declared that anti-Semitism was a sin (without defining what constitutes anti-Semitism). Enter Archbishop Marcel Lefebvre, the Society of St. Pius X (SSPX), and the man who’s currently being crucified, Bishop Richard Williamson. Archbishop Lefebvre himself had fought inside the Second Vatican Council to prevent the coup of the liberals. He also stated that the mere fact that the Council refused to condemn Communism was enough to call the Council into question. The Archbishop knew that something nefarious had happened inside the Church and sensed that he was waging a battle against powers and principalities. In terms of his plans to restore Tradition, in the Biography of Marcel Lefebvre by Bishop Tissier de Mallerais, he quotes the Archbishop as saying (pp. 500-501): The Council is a non-infallible act of the Magisterium and, therefore, it is open to being influenced by a bad spirit … Therefore, we need to apply the criterion of Tradition to the various Council documents to see what we can keep, what needs clarifying, and what should be rejected. And that’s exactly the whole point of the negotiations between the SSPX and the Vatican that have been going on for almost 40 years. After the release of the Latin Mass and the lifting of the excommunications, the next phase is doctrinal discussions. But somebody doesn’t want that to happen. 
Archbishop Lefebvre founded the SSPX in 1970 in order to train priests in Tradition and not in the confusing, untraditional, Judeo-Masonic manner of the post-Conciliar era. The greatest threat to Revolutionaries is those who are not afraid to resist them to the face, i.e., the Counter-Revolutionaries. That is why Pope John Paul II would not allow Archbishop Lefebvre to consecrecate bishops, something that is usually rubber-stamped for every other order. John Paul II wanted the SSPX to go extinct after the death of its founder and put a stop to the Counter-Revolution. And if the Council really was influenced by a “bad spirit” as the Archbishop said, then certainly any attempt to exorcise this bad spirit would be met with the fiercest resistance by those who work for the anti-Christ. This is where the controversy over Bishop Williamson’s remarks about the actual number of Jews killed in the Holocaust comes into the scenario. If the Jews are (wittingly or unwittingly) working to bring about the reign of the anti-Christ, then part of their strategy has to be to neutralize the Church. In their effort to overturn the crucifixion and replace it with the “Shoah,” they’re trying to utilize the Church to bring this about. And any force that appears to provide resistance to this switcheroo will be seen as the gravest possible threat. Because truly, it wouldn’t have mattered if Bishop Williamson had not said a word about the Shoah, they would have found something else to try to impede the Church’s return to Tradition. Because Christ and anti-Christ cannot co-exist on equal terms - one must naturally dominate the other. And the Church returning to Tradition and her normal role as the Church Militant is the one monkey wrench that could be thrown into the plans of the anti- Christ. No other challenger intimidates them, absolutely no one else causes them to tremble. 
But a fully traditional Church Militant with a billion souls in her army is the one thing that could defeat their plans. And that’s what this is really all about. Bishop Williamson now finds himself in the center of a controvery that has been coming to a head for a very long time. In perusing the Catholic blogosphere, it appears that most Catholics (even trads) wish that he had just kept his mouth shut. But they would probably have said the same thing to Jesus, so as not to annoy the Pharisees. But I’m convinced Our Lord Jesus Christ knows what he is doing. Because it is time to confront the truth, as the the hour glass of time winds down, and get ready for the final conflagration. But it appears most Christians would rather retreat to the hills, rather than risk not being popular with the world. Thankfully, for the sake of our salvation, Jesus Himself was not so pusillanimous. And hopefully Bishop Williamson won’t be so pusillanimous either, since his founder, Archbishop Marcel Lefebvre, most assuredly was not. The Archbishop personally chose Richard Williamson to carry on his work after his death, to be a successor to the apostles. The only question that remains is: will he be like St. John or like the others who abandoned Jesus ”for fear of the Jews.’ The Church and the Jews have been locked in this battle for 2,000 years, so this latest controversy is nothing to be surprised about. Satan uses the poor, blinded Jews to attack the Lord’s Church because he doesn’t want us or them to be saved. But at least in the past, it used to be clear which side the popes were on! The Pope and SSPX bishops need all our prayers and support right now, because they are going through a trial by fire. And, at least in this early stage, it appears Bishop Fellay is starting to get cold feet. Every day for the past several days he has issued a denunciation of his colleague, Bishop Williamson, each one more hysterical than the last. 
He even went so far as to refer to the Jews as our “elder brothers in the faith,” as though the Talmud has anything to do with our Faith. When I said last week that I wished Bishop Fellay would one day be pope, I didn’t mean in the mold of John Paul II! Let us pray especially for Pope Benedict XVI, the keeper of the keys to heaven, that he prove himself a worthy successor of St. Peter, and that he not imitate Peter in his denial of Jesus Christ. Archbishop Lefebvre recognized that the day would come when the SSPX would be called on to save the Church. And judging by the howls and screams from the satanic press, that day might be just around the corner. Let us hope that we also have the courage to stand beside them, no matter how much the media attack and lambaste us. It’s for the Jews’ own good after all, for they know not whom they are serving. As the Archbishop wrote in 1966 (ibid, pp. 382-83): When the Holy Father realizes that those whom he trusted are leading the Church to her ruin, he will find himself a group of bishops … who are ready to rebuild. Unfortunately, the time has not yet come, because the Holy Father himself must change what he is doing, and that conversion will be painful. Let us hope that the time has come and that Pope Benedict will accept the help of the SSPX. It is time for the Holy Father to stop taking sides with the enemies of the Church and stop defining secular events as “dogma,” especially ones so riddled through with holes. May God save the Church through His servant, Pope Benedict, although the Pope’s conversion will be painful. Source : http://ziopedia.org/articles/holocaust/the_holocaust_is_now_catholic_dogma/ ----<>---- Why No Neocon Assassinations? Because The War On Terror Is A Hoax February 03, 2009 By Paul Craig Roberts According to US government propaganda, terrorist cells are spread throughout America, making it necessary for the government to spy on all Americans and violate most other constitutional protections. 
Among President Bush’s last words as he left office was the warning that America would soon be struck again by Muslim terrorists. If America were infected with terrorists, we would not need the government to tell us. We would know it from events. As there are no events, the US government substitutes warnings in order to keep alive the fear that causes the public to accept pointless wars, the infringement of civil liberty, national ID cards, and inconveniences and harassments when they fly. The most obvious indication that there are no terrorist cells is that not a single neocon has been assassinated. I do not approve of assassinations, and am ashamed of my country’s government for engaging in political assassination. The US and Israel have set a very bad example for al Qaeda to follow. The US deals with al Qaeda and Taliban by assassinating their leaders, and Israel deals with Hamas by assassinating its leaders. It is reasonable to assume that al Qaeda would deal with the instigators and leaders of America’s wars in the Middle East in the same way. Today every al Qaeda member is aware of the complicity of neoconservatives in the death and devastation inflicted on Muslims in Iraq, Afghanistan, Lebanon and Gaza. Moreover, neocons are highly visible and are soft targets compared to Hamas and Hezbollah leaders. Neocons have been identified in the media for years, and as everyone knows, multiple listings of their names are available online. Neocons do not have Secret Service protection. Dreadful to contemplate, but it would be child’s play for al Qaeda to assassinate any and every neocon. Yet, neocons move around freely, a good indication that the US does not have a terrorist problem. If, as neocons constantly allege, terrorists can smuggle nuclear weapons or dirty bombs into the US with which to wreak havoc upon our cities, terrorists can acquire weapons with which to assassinate any neocon or former government official. 
Yet, the neocons, who are the Americans most hated by Muslims, remain unscathed. The "war on terror" is a hoax that fronts for American control of oil pipelines, the profits of the military-security complex, the assault on civil liberty by fomenters of a police state, and Israel’s territorial expansion. There were no al Qaeda in Iraq until the Americans brought them there by invading and overthrowing Saddam Hussein, who kept al Qaeda out of Iraq. The Taliban is not a terrorist organization, but a movement attempting to unify Afghanistan under Muslim law. The only Americans threatened by the Taliban are the Americans Bush sent to Afghanistan to kill Taliban and to impose a puppet state on the Afghan people. Hamas is the democratically elected government of Palestine, or what little remains of Palestine after Israel’s illegal annexations. Hamas is a terrorist organization in the same sense that the Israeli government and the US government are terrorist organizations. In an effort to bring Hamas under Israeli hegemony, Israel employs terror bombing and assassinations against Palestinians. Hamas replies to the Israeli terror with homemade and ineffectual rockets. Hezbollah represents the Shi’ites of southern Lebanon, another area in the Middle East that Israel seeks for its territorial expansion. The US brands Hamas and Hezbollah "terrorist organizations" for no other reason than the US is on Israel’s side of the conflict. There is no objective basis for the US Department of State’s "finding" that Hamas and Hezbollah are terrorist organizations. It is merely a propagandistic declaration. Americans and Israelis do not call their bombings of civilians terror. What Americans and Israelis call terror is the response of oppressed people who are stateless because their countries are ruled by puppets loyal to the oppressors. 
These people, dispossessed of their own countries, have no State Departments, Defense Departments, seats in the United Nations, or voices in the mainstream media. They can submit to foreign hegemony or resist by the limited means available to them. The fact that Israel and the United States carry on endless propaganda to prevent this fundamental truth from being realized indicates that it is Israel and the US that are in the wrong and the Palestinians, Lebanese, Iraqis, and Afghans who are being wronged. The retired American generals who serve as war propagandists for Fox "News" are forever claiming that Iran arms the Iraqi and Afghan insurgents and Hamas. But where are the arms? To deal with American tanks, insurgents have to construct homemade explosive devices out of artillery shells. After six years of conflict the insurgents still have no weapon against the American helicopter gunships. Contrast this "arming" with the weaponry the US supplied to the Afghans three decades ago when they were fighting to drive out the Soviets. The films of Israel’s murderous assault on Gaza show large numbers of Gazans fleeing from Israeli bombs or digging out the dead and maimed, and none of these people are armed. A person would think that by now every Palestinian would be armed, every man, woman, and child. Yet, all the films of the Israeli attack show an unarmed population. Hamas has to construct homemade rockets that are little more than a sign of defiance. If Hamas were armed by Iran, Israel’s assault on Gaza would have cost Israel its helicopter gunships, its tanks, and hundreds of lives of its soldiers. Hamas is a small organization armed with small caliber rifles incapable of penetrating body armor. Hamas is unable to stop small bands of Israeli settlers from descending on West Bank Palestinian villages, driving out the Palestinians, and appropriating their land. The great mystery is: why after 60 years of oppression are the Palestinians still an unarmed people? 
Clearly, the Muslim countries are complicit with Israel and the US in keeping the Palestinians unarmed. The unsupported assertion that Iran supplies sophisticated arms to the Palestinians is like the unsupported assertion that Saddam Hussein had weapons of mass destruction. These assertions are propagandistic justifications for killing Arab civilians and destroying civilian infrastructure in order to secure US and Israeli hegemony in the Middle East.

Source : http://vdare.com/roberts/090203_terror.htm

-------------------------------------
You or someone using your email address is currently subscribed to the Lawrence Auster Newsletter. If you wish to unsubscribe from our mailing list, please let us know by calling 1 212 865 1284
Thanks,
Lawrence Auster, 238 W 101 St Apt. 3B New York, NY 10025
Contact: lawrence.auster@att.net
-------------------------------------

From owner-freebsd-pf@FreeBSD.ORG Sat Feb 7 11:50:07 2009
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 401E81065672 for ; Sat, 7 Feb 2009 11:50:06 +0000 (UTC) (envelope-from awd@awdcomp.net)
Received: from home.awdcomp.net (ppp234-119.static.internode.on.net [203.122.234.119]) by mx1.freebsd.org (Postfix) with ESMTP id 72ECE8FC13 for ; Sat, 7 Feb 2009 11:50:06 +0000 (UTC) (envelope-from awd@awdcomp.net)
Received: from getafix.abdulla ([192.168.202.99]) by home.awdcomp.net with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1LVl3c-0006SE-Db; Sat, 07 Feb 2009 21:39:16 +1030
Message-ID: <498D6BBE.3050901@awdcomp.net>
Date: Sat, 07 Feb 2009 21:38:46 +1030
From: Andrew
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-Version: 1.0
To: Sebastiaan van Erk
References: <49882A91.3050307@sebster.com> <4989E220.2070606@nviz.net> <4989FBD6.1030801@sebster.com>
In-Reply-To: <4989FBD6.1030801@sebster.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Report: Spam detection software, running on the system "gateway.abdulla", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see The administrator of that system for details. Content preview: Howdy, If you (or others watching this list) ever need to go back to the pptp route then consider using net/frickin which is a pptp proxy :) I'm using it successfully with redirection. [...] Content analysis details: (-1.4 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -1.4 ALL_TRUSTED Passed through trusted hosts only via SMTP
X-Spam-Score: -13 (-)
Cc: Greg Hennessy , freebsd-pf@freebsd.org
Subject: Re: GRE not natted on FreeBSD 7.1-p2
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 07 Feb 2009 11:50:07 -0000

Howdy,

If you (or others watching this list) ever need to go back to the pptp route then consider using net/frickin which is a pptp proxy :) I'm using it successfully with redirection.

  rdr on $int_if proto tcp from $lnet to any port 1723 -> 127.0.0.1 port 1724
  rdr on $int_if proto gre from $lnet to any -> 127.0.0.1

Cheers
cya
Andrew

Sebastiaan van Erk wrote:
> Greg Hennessy wrote:
>> Sebastiaan van Erk wrote:
>>>
>>>
>>> nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if
>>>
>> This is the nub of the problem, 'hide' NAT breaks GRE.
>>
>> To successfully do 'Many:1' NAT of GRE requires a rewrite of the GRE
>> call id header to track each session in a manner analogous to
>> rewriting the source port of a 'hide' natted tcp/udp session.
>>
>> The last time I looked, Daniel, Henning et al have not added that
>> facility to PF as of yet.
>>
>> You can statically translate the flow instead which should sort the
>> problem.
>
>> Greg
>
> Thanks for the reply,
>
> I have a feeling that my "upstream" ADSL modem has a similar issue,
> because what I did was use multiple "external" addresses on my pf
> machine (192.168.1.2, 192.168.1.3, etc) and I was getting really strange
> behavior (that is, when starting a PPTP session on 192.168.1.2 I'd get
> GRE packets back on 192.168.1.3 from the ADSL modem, which presumably
> still had an old NAT rule from a recent session via the .3 address).
>
> In the end I took the plunge and kicked PPTP out of the equation (since
> all the remote servers are managed by me anyway), and converted
> everything to OpenVPN with bridging. All my problems have vaporized and
> I've learned quite a bit in the process.
>
> Regards,
> Sebastiaan
>
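The point Greg makes above (hide NAT cannot demultiplex returning GRE without rewriting the PPTP Call ID, whereas a static 1:1 translation sidesteps it) can be made concrete with a small model. The following is an added example, not code from pf, from net/frickin or from anyone in this thread. It parses the RFC 2637 enhanced GRE header that PPTP uses, then runs the same two-client scenario through three NAT models: a plain many:1 NAT that leaves the Call ID alone, a many:1 NAT that allocates a unique external Call ID per session (the GRE analogue of source-port rewriting, which pf did not have at the time of the thread), and a 1:1 translation where each client owns its own external address. All addresses, Call IDs and payloads are constructed; the NAT is assumed to have already learned each client's Call ID from the PPTP control channel on TCP 1723, which a real implementation would have to inspect but which is not modelled here.

```python
"""Model of why many:1 ("hide") NAT breaks PPTP's GRE channel and how Call ID
rewriting or a static 1:1 translation fixes it.  Added example: not code from
pf, net/frickin or the list thread.  Addresses and Call IDs are constructed;
the client Call ID is assumed already learned from the PPTP control channel."""
import struct
from dataclasses import dataclass

GRE_PROTO_PPP = 0x880B      # RFC 2637 enhanced GRE: protocol type PPP
GRE_FLAG_KEY = 0x2000       # K: Key field (payload length + Call ID) present
GRE_FLAG_SEQ = 0x1000       # S: sequence number present
GRE_FLAG_ACK = 0x0080       # A: acknowledgement number present
GRE_VERSION_ENHANCED = 1


@dataclass
class GreHeader:
    call_id: int            # Call ID of the *receiving* peer's session
    payload_len: int
    seq: "int | None"
    ack: "int | None"
    header_len: int


def build_pptp_gre(call_id, payload=b"", seq=None, ack=None):
    """Encode a PPTP GRE packet (constructed data, not captured traffic)."""
    flags = GRE_FLAG_KEY | GRE_VERSION_ENHANCED
    flags |= GRE_FLAG_SEQ if seq is not None else 0
    flags |= GRE_FLAG_ACK if ack is not None else 0
    hdr = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(payload), call_id)
    hdr += struct.pack("!I", seq) if seq is not None else b""
    hdr += struct.pack("!I", ack) if ack is not None else b""
    return hdr + payload


def parse_pptp_gre(pkt):
    """Decode the header, rejecting anything that is not PPTP enhanced GRE."""
    if len(pkt) < 8:
        raise ValueError("GRE header truncated")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", pkt[:8])
    if (flags & 0x7) != GRE_VERSION_ENHANCED or proto != GRE_PROTO_PPP \
            or not flags & GRE_FLAG_KEY:
        raise ValueError("not an RFC 2637 enhanced GRE packet")
    off, seq, ack = 8, None, None
    if flags & GRE_FLAG_SEQ:
        seq, off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    if flags & GRE_FLAG_ACK:
        ack, off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    return GreHeader(call_id, payload_len, seq, ack, off)


def rewrite_call_id(pkt, new_call_id):
    """The single header edit a Call-ID-aware NAT needs: bytes 6..7."""
    return pkt[:6] + struct.pack("!H", new_call_id) + pkt[8:]


class HideNat:
    """Many:1 NAT that leaves the Call ID alone ('nat ... -> $ext_if').
    Inbound GRE only carries (server, ext_ip, client Call ID), so two clients
    that chose the same Call ID toward one server cannot be told apart."""
    def __init__(self, ext_ip):
        self.ext_ip, self.sessions = ext_ip, {}   # (server, call_id) -> client

    def open_session(self, internal_ip, server_ip, client_call_id):
        key = (server_ip, client_call_id)
        if self.sessions.get(key, internal_ip) != internal_ip:
            raise LookupError(f"Call ID {client_call_id} from {server_ip} "
                              f"already belongs to {self.sessions[key]}")
        self.sessions[key] = internal_ip
        return self.ext_ip, client_call_id        # what the server sees

    def inbound(self, server_ip, ext_dst_ip, pkt):
        return self.sessions[(server_ip, parse_pptp_gre(pkt).call_id)], pkt


class CallIdNat:
    """Many:1 NAT that gives each session a unique external Call ID and
    translates it back inbound: the GRE analogue of source-port rewriting."""
    def __init__(self, ext_ip):
        self.ext_ip, self.next_id, self.sessions = ext_ip, 1, {}

    def open_session(self, internal_ip, server_ip, client_call_id):
        ext_call_id, self.next_id = self.next_id, self.next_id + 1
        self.sessions[(server_ip, ext_call_id)] = (internal_ip, client_call_id)
        return self.ext_ip, ext_call_id

    def inbound(self, server_ip, ext_dst_ip, pkt):
        internal_ip, cid = self.sessions[(server_ip, parse_pptp_gre(pkt).call_id)]
        return internal_ip, rewrite_call_id(pkt, cid)


class StaticNat:
    """1:1 translation (pf binat): each client owns an external address, so
    the destination address identifies the session and nothing is rewritten."""
    def __init__(self, int_to_ext):
        self.int_to_ext = int_to_ext
        self.ext_to_int = {e: i for i, e in int_to_ext.items()}

    def open_session(self, internal_ip, server_ip, client_call_id):
        return self.int_to_ext[internal_ip], client_call_id

    def inbound(self, server_ip, ext_dst_ip, pkt):
        return self.ext_to_int[ext_dst_ip], pkt
```

`HideNat` raises at session setup when a second client reuses a Call ID already in use toward the same server; a real NAT that does not inspect the control channel has no such check and simply delivers the returning GRE to whichever state it matches first, which is the misbehaviour Sebastiaan saw. `StaticNat` corresponds to Greg's static translation, written in pf as a `binat` rule per internal host. The `rdr` pair in Andrew's message is the third route: the clients' PPTP sessions are terminated locally by the proxy, so the many:1 problem is handled in userland rather than in the packet filter.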