From owner-freebsd-pf@FreeBSD.ORG Mon Jun 22 11:07:01 2009
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 22 Jun 2009 11:07:00 GMT
Message-Id: <200906221107.n5MB70kI018132@freefall.freebsd.org>
List-Id: "Technical discussion and general questions about packet filter (pf)"
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

33 problems total.

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 24 01:24:24 2009
From: Fire walls
To: freebsd-pf@freebsd.org
Date: Tue, 23 Jun 2009 17:58:00 -0700
Subject: Understanding the keep state?

Hi people.

I started working with pf in FreeBSD 7.2. It is working, but I have some doubts that I would like someone to clarify for me.

My home network is the classic one, 2 NICs:

  Nic1 --> ng0   Public IP, PPPoE
  Nic2 --> sis0  My home network

All my clients (Windows boxes, Linux and BSD) receive their IP from my firewall. If someone tries to access the outside they reach Nic2, then Nic1, and then they can access the outside.

The keep state function is to track each connection; in my case I prefer to open just the ports I need, for example www.

  Nic1 --> ExtIF
  Nic2 --> IntIF
  LOCALLAN = 192.168.50.0/24

*NAT rule
nat on $ExtIF inet from $LOCALLAN to any -> ($ExtIF)

*LAN rule
pass in quick on $IntIF proto tcp from $LOCALLAN to any port 80 flags S/SA

*Firewall rule
pass out quick on $ExtIF proto tcp from any to any port 80 flags S/SA keep state label "Internet Browsing http"

In my case, anyone who needs access to the outside (www) first reaches the "LAN rule"; then the IntIF detects that they are trying to reach an IP that is not on its side, so that NIC forwards the packet to the next gate, in this case the ExtIF, and it hits the "Firewall rule".

Working this way, where is the best place to put the "keep state" statement: in the "LAN rules", in the "Firewall rules", or in both?

Thanks all for your help. If I'm doing this the wrong way please let me know; I want to get a deep understanding of pf.
--
:-)

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 24 04:31:28 2009
From: Fire walls
To: freebsd-pf@freebsd.org
Date: Tue, 23 Jun 2009 21:31:27 -0700
In-Reply-To: <4A41814B.7010909@gmail.com>
Subject: Re: Understanding the keep state?
On Tue, Jun 23, 2009 at 6:28 PM, Eric Williams wrote:
> On 6/23/2009 7:58 PM, Fire walls wrote:
> >
> > Working this way, where is the best way to put the "keep state" statement,
> > in the "LAN Rules" or in the "Firewall Rules" or in both parts?
> >
> > Thanks all for your help, if Im doing this the wrong way please let me
> > know, I want to get a deep understanding of pf.
>
> Excluding certain rare cases, generally you want to keep state on all
> rules. Because of this more recent pf versions keep state by default. If
> you have a particular reason you don't want state kept, you need to use
> the "no state" statement, however, take note that if you're using NAT,
> you need state for proper routing of responses.

Thanks for your quick answer. Then in my case is it better to have:

*LAN rule
pass in quick on $IntIF proto tcp from $LOCALLAN to any port 80 flags S/SA keep state

*Firewall rule
pass out quick on $ExtIF proto tcp from any to any port 80 flags S/SA keep state

Like you say, the current version adds "keep state" by default, which is the same thing I'm doing here; there will not be any problem?

Thanks for your help!!!
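Eric's advice applied to the two-NIC layout from the first message, as an added example that is not part of any message in this thread. The interface names, LOCALLAN and the two pass rules are the poster's; the default-deny "block log all" and "set skip on lo0" lines are assumptions added here.

```pf
# Added example (not from the thread): /etc/pf.conf for the home firewall
# described above, with state kept on both the inbound LAN rule and the
# outbound external rule. Interface names and LOCALLAN are the poster's.
ExtIF    = "ng0"
IntIF    = "sis0"
LOCALLAN = "192.168.50.0/24"

# Assumption: nothing on the loopback interface needs filtering.
set skip on lo0

# Translation is evaluated before filtering, and the reverse translation
# of the reply depends on the state entry that the connection creates,
# so NAT and stateless filtering do not mix (Eric's point above).
nat on $ExtIF inet from $LOCALLAN to any -> ($ExtIF)

# Assumption: default deny, so every pass rule below is an explicit exception.
block log all

# LAN side: the SYN from a LAN host toward a web server is the only packet
# this rule ever evaluates; it creates a state on sis0 keyed on the private
# address, and every later packet of the connection, in both directions,
# is matched by that state.
pass in quick on $IntIF inet proto tcp from $LOCALLAN to any port 80 \
    flags S/SA keep state

# External side: the same SYN, now carrying ng0's address as source,
# creates a second state on ng0. Because the filter sees the packet after
# NAT, "from ($ExtIF)" would be a tighter match than "from any".
pass out quick on $ExtIF inet proto tcp from ($ExtIF) to any port 80 \
    flags S/SA keep state label "Internet Browsing http"
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. With state kept on both rules, `pfctl -ss` shows two entries per browsing connection, one on sis0 keyed on the 192.168.50.x address and one on ng0 keyed on the translated public address; that is expected on a NAT gateway and not a sign that something is duplicated. Writing "keep state" explicitly on a pf that already keeps state by default changes nothing, so the two rules above behave the same with or without it.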
--
:-)

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 24 15:52:56 2009
From: Fire walls
To: freebsd-pf@freebsd.org
Date: Wed, 24 Jun 2009 08:52:55 -0700
Subject: OpenVPN Client Nat question?
Hi people.

Working with pf, every day I understand more of pf.

I have OpenVPN at work running on Gentoo. I added OpenVPN on my home FW with FreeBSD 7.2; I set up everything and it is working, I can reach my work network.

I read some sites on the Internet about this setup and they say something about NATing the OpenVPN network, but they don't explain if this must be done just on the server side or on both sides, I mean server + client.

In my case I'm a client; do I have to NAT my VPN network?

nat on $ext_if from $vpn_network to any -> ($ext_if)

Or do I just need to play with the pass/block rules?

Thanks all for your time!!!

--
:-)

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 24 19:33:30 2009
From: Fire walls
To: freebsd-pf@freebsd.org
Date: Wed, 24 Jun 2009 12:33:29 -0700
In-Reply-To: <014301c9f4fb$bb7893e0$3269bba0$@net>
Subject: Re: OpenVPN Client Nat question?

On Wed, Jun 24, 2009 at 11:43 AM, Torsten Kersandt wrote:
> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On
> Behalf Of Fire walls
> Sent: 24 June 2009 16:53
> To: freebsd-pf@freebsd.org
> Subject: OpenVPN Client Nat question?
>
> Hi people.
>
> Working with pf, every day I'm understanding more pf.
>
> I have openvpn at work running on gentoo, I add my openvpn in my home FW
> with freebsd 7.2, I setup everything and is working, I can reach my work
> network.
>
> I read some sites on internet about this setup and they say something
> about NAT the openvpn network but doesn't explain if this must be done just
> in the server side or both sides, I mean server + client.
>
> In my case I'm a client, I have to NAT my vpn network?
>
> nat on $ext_if from $vpn_network to any -> ($ext_if)
>
> Or just need to play with the pass/block rules?
>
> Thanks all for your time!!!
>
> --
> :-)
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
> This is what I have got on my boxes
>
> Openvpn.conf:
> server 10.12.215.0 255.255.255.0
> ifconfig-pool-persist /usr/local/etc/openvpn/ipp.txt
>
> # Certificates for VPN Authentication
> ca /usr/local/etc/openvpn/keys/soundnet/ca.crt
> cert /usr/local/etc/openvpn/keys/soundnet/ca.crt
> key /usr/local/etc/openvpn/keys/soundnet/ca.key
> dh /usr/local/etc/openvpn/keys/soundnet/dh1024.pem
>
> # Routes to push to the client
> push "route 192.168.100.0 255.255.255.0"
> push "dhcp-option WINS 192.168.100.12"
> push "dhcp-option DNS 192.168.100.12"
> push "dhcp-option DNS 192.168.100.12"
> push "dhcp-option DOMAIN home"
>
> pf.conf
> vpn_if="tun0"
> vpn_network="10.12.215.0/24"
>
> nat on $ext_if from $vpn_network to any -> ($ext_if)
> nat on $int_if from $vpn_network to $int_net -> ($int_if)
>
> pass in quick on $vpn_if
> pass out quick
>
> regards
> Torsten

Hi Torsten.

Hey, but this config is for the server side, right?

My question is, do I have to NAT on the client side?

Thanks for your quick answer!!!
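Torsten's rules quoted above are the server side. The client-side counterpart for the home firewall in this thread (the FreeBSD 7.2 box dialling in to the work server), as an added example that is not a config posted by any participant: tun0, the 10.12.215.0/24 tunnel network and the 192.168.100.0/24 work LAN are taken from Torsten's server config; ng0, sis0 and 192.168.50.0/24 follow the poster's earlier home layout; the server address 203.0.113.10 and the default-deny rule are assumptions. The second nat rule goes beyond what the thread states: it covers hosts behind the client, which the question does not ask about.

```pf
# Added example (not from the thread): pf.conf on the OpenVPN *client*.
# Macros follow the poster's home firewall; tunnel and work networks are
# those in Torsten's server config. 203.0.113.10 stands in for the work
# server's public address (assumption).
ext_if   = "ng0"
int_if   = "sis0"
vpn_if   = "tun0"
LOCALLAN = "192.168.50.0/24"
work_net = "192.168.100.0/24"

# The existing Internet NAT. Packets for $work_net are routed out tun0
# (the route the server pushes), never out ng0, so this rule never sees
# them: the client does not need to NAT its VPN network for its own
# traffic, it only needs the route.
nat on $ext_if inet from $LOCALLAN to any -> ($ext_if)

# Only for hosts *behind* this box. The server only knows the tunnel
# address of this client, not 192.168.50.0/24; unless the server side is
# given a route back (OpenVPN "route"/"iroute" for $LOCALLAN), replies
# to LAN hosts would have nowhere to go. Hiding the LAN behind the tun0
# address avoids touching the server. Drop this rule if the server routes
# $LOCALLAN.
nat on $vpn_if inet from $LOCALLAN to $work_net -> ($vpn_if)

# Assumption: default deny.
block log all

# The tunnel itself: UDP to the server on OpenVPN's default port 1194.
pass out quick on $ext_if inet proto udp from ($ext_if) \
    to 203.0.113.10 port 1194 keep state

# Home LAN and the firewall itself may reach the work network through
# the tunnel. Nothing passes *in* on tun0, so the work side cannot
# initiate connections toward the home network.
pass in  quick on $int_if inet from $LOCALLAN to $work_net keep state
pass out quick on $vpn_if inet from any to $work_net keep state
```

Two things worth checking against Torsten's server snippet while setting this up: its `cert` line points at ca.crt and its `key` line at ca.key, so the server would be presenting the CA certificate and holding the CA private key; a server should use its own certificate and key issued by that CA, with the CA key kept off the VPN host. And "pass in quick on $vpn_if" with "pass out quick" lets every VPN client reach everything behind the server, which is fine for a home lab but is the place to tighten if more than one client ever connects.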
--
:-)

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 24 20:14:07 2009
From: "Torsten Kersandt"
Date: Wed, 24 Jun 2009 20:47:05 +0100
Message-ID: <014901c9f504$8dfbe620$a9f3b260$@net>
References: <014301c9f4fb$bb7893e0$3269bba0$@net>
Subject: OpenVPN Client Nat question?
> Hi Torsten.
>
> Hey but this config is for the server side right?
>
> What questions is, if I have have to NAT to in the client side?
>
> Thanks for your quick answer!!!

The client side only needs to know which route to which network to take.
In this case my internal network is 192.168.100.0/24 and fully accessible by
all OpenVPN connections.

If you want your computer to fully become part of the other site's network
(bidirectional and fully accessible, as in a common Micros..t network),
you may have to go down the bridging way, meaning tun0 <--> ext_if; never
done that and can't help on this.
But as much as I have been reading about it, it is not an impossible thing to do.

Regards
T

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 24 21:23:56 2009
From: Fire walls
To: freebsd-pf@freebsd.org
Date: Wed, 24 Jun 2009 14:23:55 -0700
In-Reply-To: <014901c9f504$8dfbe620$a9f3b260$@net>
Subject: Re: OpenVPN Client Nat question?
On Wed, Jun 24, 2009 at 12:47 PM, Torsten Kersandt wrote:
> The client side only needs to which route to which network to take.
> In this case my internal network is 192.168.100.0/24 and fully accessible by
> all openvpn connections.
>
> If you want your computer to fully become part (of the other sites network
> bi directional and fully accessible as in a common Micros..t Network),
> You may have to go down the bridging way , meaning tun0<-->ext_if, never
> done that and can't help on this.
> But as much as have been reading about it not a impossible thing to do
>
> Regards T

Thanks Torsten. You already answered my question; I appreciate your help and time.

See you later, thanks again!!!

--
:-)

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 25 07:29:20 2009
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Thu, 25 Jun 2009 07:29:20 GMT
Message-Id: <200906250729.n5P7TKKM086781@freefall.freebsd.org>
Subject: Re: kern/135948: [pf] [gre] pf not natting gre protocol
Old Synopsis: pf not natting gre protocol
New Synopsis: [pf] [gre] pf not natting gre protocol

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Thu Jun 25 07:29:00 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=135948

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 25 08:35:10 2009
From: x
To: freebsd-pf@freebsd.org
Date: Thu, 25 Jun 2009 11:08:22 +0300
Message-ID: <4A433076.1060006@gawab.com>
Subject: Any kind of hashing filters for Pf ?

Hi everyone!

I am new to pf and ALTQ. My question is fairly obscure. Does pf support any kind of hashing? (for large rulesets).
Basically like this:
  http://lartc.org/howto/lartc.adv-filter.hashing.html

How does a QoS HFSC solution behave for two /24 blocks (500 hosts), each with 4 queues? Can anyone share some experience?

Best regards

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 25 08:40:12 2009
From: Vlad Galu
To: x
Cc: freebsd-pf@freebsd.org
Date: Thu, 25 Jun 2009 11:39:10 +0300
In-Reply-To: <4A433076.1060006@gawab.com>
Subject: Re: Any kind of hashing filters for Pf ?

On Thu, Jun 25, 2009 at 11:08 AM, x wrote:
> Hi everyone!
> I am new to Pf and ALTQ. My question is fairly obscure. Does pf support any
> kind hashing ? (for large rulesets). Basically like this:
> http://lartc.org/howto/lartc.adv-filter.hashing.html
> How does a QoS hfsc solution behave for two /24 blocks (500 hosts), each
> with 4 queues ? Anyone can share some experience?
It scales very well when you use PF tables (they're basically tries) for
matching packets when queueing.

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 25 09:47:02 2009
From: Prokofyev Vladislav
Date: Thu, 25 Jun 2009 13:16:18 +0400
To: freebsd-pf@freebsd.org
Message-ID: <46dcef4e0906250216o3a9cb302h28e6b5d9142478e0@mail.gmail.com>
In-Reply-To: <46dcef4e0906250213q235be17dw2bf81e61cd5a6a79@mail.gmail.com>
Subject: Any kind of hashing filters for Pf ?

2009/6/25 Vlad Galu
>
> It scales very well when you use PF tables (they're basically tries)
> for matching packets when queueing.
>

Also, tables are recommended according to the PF howto.

ps: sorry, forgot to send a copy to the mailing list at once.

--
With best regards,
Vladislav Prokofyev

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 26 09:04:11 2009
From: Max Laier
Organization: FreeBSD
To: freebsd-current@freebsd.org
Date: Fri, 26 Jun 2009 11:04:06 +0200
Cc: freebsd-ipfw@freebsd.org, freebsd-pf@freebsd.org
Message-Id: <200906261104.07597.max@love2party.net>
In-Reply-To: <4A444BC2.4010606@FreeBSD.org>
Subject: Re: pfsync rc script breaks pfsync on cloned interfaces

On Friday 26 June 2009 06:17:06 Doug Barton wrote:
> I have reverted the change that caused pf and ipfw to appear before
> netif in the rcorder. While I still feel strongly that it is the
> "right thing" to configure the firewalls first, the changes caused too
> many problems for too many users, and it's too late in the release
> cycle to make a change like this that has significant side effects.
>
> I would like to strongly encourage those who use pf and ipfw to
> consider doing the work required to make this change possible. With
> ipfw it's not quite as urgent since by default it does not pass
> packets till it is configured. This is not the case with pf, as its
> default is wide open until it is configured.

It's not a simple problem and I'm not sure we can really come up with a
"one-size-fits-all" solution. That does not mean we shouldn't try, though.
My idea of how this should work is something along the following lines:

1) Very early in the boot (just after the necessary firewall configuration
tools are available [NFS-root might be a problem here!]) set up an
"initial firewall" configuration. For most users this could be a default
(allow dhcp, outgoing DNS, maybe ssh in/out, NFS(???), ...).

2) After setting up the interfaces, have the option to start a more involved
firewall that is fully user supplied. At this point we should be able to
look up DNS (though this is clearly a bad idea from the security PoV unless
you have DNSSEC), get interface configurations and maybe even routing
information. The latter could be another chicken-and-egg problem as we might
need a routing daemon active to get this. However, people who really need
that should be able to modify the early setup accordingly.

It is unclear to me where stage 2 should be located. I would argue that with
a reasonable default setup we can easily get away with putting stage 2 at
the very end of the start up procedure. If people need early holes in the
firewall (e.g. for smbfs, routing daemons, ...) they can place them in the
early stage.

I would like input about what a very simple "safe default" setup could look
like. A ruleset for pf or ipfw that allows most of the boot process to
complete without opening the host to the outside world, yet. For extra
points this ruleset is aware of the rc.conf variables and adjusts
accordingly (e.g. opening access to sshd iff it is configured). In addition
there might be *one or two* configuration variables for the early stage to
open additional ports or to select a default interface. However, the fewer
the better.

Input greatly appreciated!
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 26 11:58:22 2009
From: Dimitry Andric
Date: Fri, 26 Jun 2009 13:58:22 +0200
To: Max Laier
Cc: freebsd-ipfw@freebsd.org, freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Message-ID: <4A44B7DE.2090503@andric.com>
In-Reply-To: <200906261104.07597.max@love2party.net>
Subject: Re: pfsync rc script breaks pfsync on cloned interfaces

On 2009-06-26 11:04, Max Laier wrote:
> I would like input about what a very simple "safe default" setup could look
> like. A ruleset for pf or ipfw that allows most of the boot process to
> complete without opening the host to the outside world, yet. For extra
> points this ruleset is aware of the rc.conf variables and adjusts
> accordingly (e.g. opening access to sshd iff it is configured). In
> addition there might be *one or two* configuration variables for the early
> stage to open additional ports or to select a default interface. However,
> the fewer the better.

If you look at how OpenBSD implements their /etc/rc script, you will see
it first loads a simple PF ruleset, which allows ssh, dns, icmp echo and
(if applicable) IPv6 routing and neighbor advertisements.

Then it does the regular network setup (/etc/netstart), followed by
loading the full PF rules. Relevant excerpt:

######################
if [ X"${pf}" != X"NO" ]; then
	RULES="block all"
	RULES="$RULES\npass on lo0"
	RULES="$RULES\npass in proto tcp from any to any port 22 keep state"
	RULES="$RULES\npass out proto { tcp, udp } from any to any port 53 keep state"
	RULES="$RULES\npass out inet proto icmp all icmp-type echoreq keep state"
	if ifconfig lo0 inet6 >/dev/null 2>&1; then
		RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type neighbrsol"
		RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type neighbradv"
		RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type routersol"
		RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type routeradv"
	fi
	RULES="$RULES\npass proto carp keep state (no-sync)"
	case `sysctl vfs.mounts.nfs 2>/dev/null` in
	*[1-9]*)
		# don't kill NFS
		RULES="set reassemble yes no-df\n$RULES"
		RULES="$RULES\npass in proto { tcp, udp } from any port { 111, 2049 } to any"
		RULES="$RULES\npass out proto { tcp, udp } from any to any port { 111, 2049 }"
		;;
	esac
	echo $RULES | pfctl -f -
	pfctl -e
fi

# Fill net.inet.(tcp|udp).baddynamic lists from /etc/services
fill_baddynamic udp
fill_baddynamic tcp

sysctl_conf

# set hostname, turn on network
echo 'starting network'
ifconfig -g carp carpdemote 128
if [ -f /etc/resolv.conf.save ]; then
	mv /etc/resolv.conf.save /etc/resolv.conf
	touch /etc/resolv.conf
fi
. /etc/netstart

if [ X"${pf}" != X"NO" ]; then
	if [ -f ${pf_rules} ]; then
		pfctl -f ${pf_rules}
	fi
	# bring up pfsync after the working ruleset has been loaded
	if [ -f /etc/hostname.pfsync0 ]; then
		. /etc/netstart pfsync0
	fi
fi
######################

Perhaps this approach can be molded into /etc/rc.d form? :)

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 26 14:56:30 2009
From: Doug Barton
Organization: http://www.FreeBSD.org/
Date: Fri, 26 Jun 2009 07:56:24 -0700
To: Dimitry Andric
Cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org, freebsd-ipfw@freebsd.org
Message-ID: <4A44E198.3050004@FreeBSD.org>
In-Reply-To: <4A44B7DE.2090503@andric.com>
Subject: Re: pfsync rc script breaks pfsync on cloned interfaces
Dimitry Andric wrote:
> On 2009-06-26 11:04, Max Laier wrote:
>> I would like input about what a very simple "safe default" setup could look
>> like. A ruleset for pf or ipfw that allows most of the boot process to
>> complete without opening the host to the outside world, yet. For extra
>> points this ruleset is aware of the rc.conf variables and adjusts
>> accordingly (e.g. opening access to sshd iff it is configured). In
>> addition there might be *one or two* configuration variables for the early
>> stage to open additional ports or to select a default interface. However,
>> the fewer the better.
>
> If you look at how OpenBSD implements their /etc/rc script, you will see
> it first loads a simple PF ruleset, which allows ssh, dns, icmp echo and
> (if applicable) IPv6 routing and neighbor advertisements.
>
> Then it does the regular network setup (/etc/netstart), followed by
> loading the full PF rules.

I think that would be a great approach, it's just waiting for someone
familiar with pf to implement it. :)

I also forgot to mention, there is no need to include me on future cc's
for this topic.

Regards,

Doug

--
This .signature sanitized for your protection

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 26 18:47:38 2009
From: Edward2a
Date: Fri, 26 Jun 2009 11:32:29 -0700 (PDT)
To: freebsd-pf@freebsd.org
Message-ID: <24225285.post@talk.nabble.com>
Subject: Problems with connections

Hello to everyone.

Sorry to bother, probably I'm somewhat loose. I'm having problems with
various pf configurations. Basically, all of them work as router/firewall,
with scrub, and all are behind a Cisco ASA.

1st: I have to make a nat rule for all passing through smtp connections
that send mail with attachments.

2nd: Connections dynamically drop. Whether downloading a file through web
or ftp, or using an rdp client, the connection drops alike.

Any tips would be helpful.

Thanks in advance.
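The two-stage firewall Max Laier sketches in the "pfsync rc script" thread above, with stage 1 driven by rc.conf the way the OpenBSD excerpt is driven by ${pf}, as an added shell example that is not part of the thread and is not FreeBSD's or OpenBSD's own rc code. sshd_enable and nfs_client_enable are real rc.conf variables; early_pf_open_tcp is a hypothetical knob of the "one or two" kind Max allows for; early_pf_rules() only prints the ruleset so it can be reviewed before load_early_pf() hands it to pfctl.

```shell
#!/bin/sh
# Added example (not FreeBSD's or OpenBSD's rc code): build the "safe
# default" early pf ruleset for stage 1 of the boot, opening inbound
# ports only when rc.conf says the matching service is enabled.
# Hypothetical knob: early_pf_open_tcp (space separated inbound TCP ports).

# rc.conf style boolean test, in the spirit of rc.subr's checkyesno
yesno() {
    case "$1" in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
    *) return 1 ;;
    esac
}

# Print the stage-1 ruleset for the rc.conf-style file given as $1.
# Policy: block everything, let the boot finish, expose nothing inbound
# unless rc.conf configures the corresponding service.
early_pf_rules() {
    sshd_enable="NO"; nfs_client_enable="NO"; early_pf_open_tcp=""
    . "${1:-/etc/rc.conf}"

    if yesno "$nfs_client_enable"; then
        # NFS traffic arrives fragmented; reassemble so it is not dropped
        echo "scrub in all fragment reassemble"
    fi
    echo "block all"
    echo "pass quick on lo0"
    # DHCP client exchange and outgoing DNS, so netif and resolv.conf come up
    echo "pass out proto udp from any port 68 to any port 67"
    echo "pass in  proto udp from any port 67 to any port 68"
    echo "pass out proto { tcp, udp } from any to any port 53 keep state"
    echo "pass out inet proto icmp all icmp-type echoreq keep state"
    # Inbound ssh only if sshd is actually configured to start
    if yesno "$sshd_enable"; then
        echo "pass in proto tcp from any to any port 22 keep state"
    fi
    if yesno "$nfs_client_enable"; then
        echo "pass in  proto { tcp, udp } from any port { 111, 2049 } to any"
        echo "pass out proto { tcp, udp } from any to any port { 111, 2049 }"
    fi
    # Extra inbound TCP ports from the hypothetical early_pf_open_tcp knob
    for p in $early_pf_open_tcp; do
        echo "pass in proto tcp from any to any port $p keep state"
    done
}

# Stage-1 loader: feed the generated rules to pfctl and enable pf.
# Not invoked here; on a real host it would run from an early rc.d script,
# with the full user-supplied ruleset loaded again at stage 2 after netif.
load_early_pf() {
    early_pf_rules "$1" | pfctl -f - && pfctl -e
}
```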