From owner-freebsd-pf@FreeBSD.ORG Mon Jul 6 05:28:09 2009
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 85E0E1065675 for ; Mon, 6 Jul 2009 05:28:09 +0000 (UTC) (envelope-from tt-list@simplenet.com)
Received: from mta2.scaledsystems.com (mta2.scaledsystems.com [209.132.4.202]) by mx1.freebsd.org (Postfix) with ESMTP id 4D7CD8FC16 for ; Mon, 6 Jul 2009 05:28:08 +0000 (UTC) (envelope-from tt-list@simplenet.com)
Received: (qmail 48934 invoked from network); 6 Jul 2009 05:28:08 -0000
Received: from unknown (HELO ?192.168.1.101?) (tt@simplenet.com@76.176.154.181) by mail.ssl.simplenet.com with ESMTPA; 6 Jul 2009 05:28:08 -0000
Message-ID: <4A518B6B.1010407@simplenet.com>
Date: Sun, 05 Jul 2009 22:28:11 -0700
From: Tim Traver
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
MIME-Version: 1.0
To: Chris Buechler
References: <4A4D2010.4020908@simplenet.com> <4A4F0950.7020005@simplenet.com>
In-Reply-To:
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-pf@freebsd.org
Subject: Re: Extremely simple redirect rule doesnt appear to be working
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: tt-list@simplenet.com
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 06 Jul 2009 05:28:10 -0000

Chris Buechler wrote:
>
> rdr works fine in 7.0 and 7.1 and 7.2 and every other version since pf
> has been in FreeBSD. The person who claimed it didn't work in some
> version is wrong. I suspect you're testing from inside your network,
> which won't work. Test from outside.
> _______________________________________________
>

Chris,

Thanks for responding.
I am indeed testing this from within the same machine, as I need the redirection to take place when attempting to make requests FROM the machine to an outside source.

Is there not a way to do that with pf ???

Thanks,

Tim.

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 6 05:37:57 2009
In-Reply-To: <4A518B6B.1010407@simplenet.com>
Date: Mon, 6 Jul 2009 01:37:56 -0400
From: Chris Buechler
To: tt-list@simplenet.com
Cc: freebsd-pf@freebsd.org
Subject: Re: Extremely simple redirect rule doesnt appear to be working

On Mon, Jul 6, 2009 at 1:28 AM, Tim Traver wrote:
>
> Thanks for responding. I am indeed testing this from within the same
> machine, as I need the redirection to take place when attempting to make
> requests FROM the machine to an outside source.
>
> Is there not a way to do that with pf ???
>

There are multiple options, see:
http://www.openbsd.org/faq/pf/rdr.html

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 6 05:43:33 2009
Message-ID: <4A518F07.1070209@simplenet.com>
Date: Sun, 05 Jul 2009 22:43:35 -0700
From: Tim Traver
To: Chris Buechler
Cc: freebsd-pf@freebsd.org
Subject: Re: Extremely simple redirect rule doesnt appear to be working

Chris Buechler wrote:
> On Mon, Jul 6, 2009 at 1:28 AM, Tim Traver wrote:
>
>> Thanks for responding. I am indeed testing this from within the same
>> machine, as I need the redirection to take place when attempting to make
>> requests FROM the machine to an outside source.
>>
>> Is there not a way to do that with pf ???
>>
>>
>
> There are multiple options, see:
> http://www.openbsd.org/faq/pf/rdr.html
>

Chris,

yes, that is where I originally got all of the information, and made my original post with my redirection line in the pf.conf that does not appear to be doing anything. I couldn't figure out why, hence the post here.

Here is a copy of the original post if you think you might have any insight...

Hi all,

ok, I'm a little new to messing around with pf, but have come up for a need that it sounds like it should be able to solve.

I want to be able to redirect outgoing http requests from the box back to local addresses on the box...
In reading up, it appears that the redirect config line should do that, and in testing, I have a simple line like this in the pf.conf

    rdr pass inet proto tcp from any to 209.131.36.158 port 80 -> [internal address here] port 80

now, I haven't made that internal address be an address on the local box yet, 'cause I'm testing to see how this works...

I can manually telnet to [internal address here] port 80 with no problems and get the apache greeting.

Once I turn on and load the pf.conf file (with pfctl -F all -f /etc/pf.conf), and I try to telnet to 209.131.36.158 port 80 (generic www.yahoo.com), I don't get redirected to the internal address port 80 and get the apache greeting that is expected...

I did turn on port forwarding as per the instructions for NAT, although it didn't say if it was needed for rdr.

    net.inet.ip.forwarding=1

in netstat, I see it trying to actually reach the outside IP, which it can't, so the translation didn't appear to take effect...

am I missing something ?

Thanks,

Tim.
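The point the thread turns on is that pf evaluates rdr rules on packets arriving on an interface, and a connection opened by a process on the pf host itself never arrives on the external interface, so a plain rdr there is never consulted for it. The ruleset below is an added example, not configuration from the thread: it writes out the rdr-on-lo0 plus route-to layout that Ronnel suggests later, in the order pfctl expects (macros, then translation rules, then filter rules). The interface name fxp0 and the 127.0.0.1 web listener are assumptions; 209.131.36.158 is the address from the post.

```pf
# Added example, not the thread's own pf.conf. Assumptions: the external
# interface is fxp0 and the local web server listens on 127.0.0.1:80.
# 209.131.36.158 is the external address used in the post.
ext_if    = "fxp0"
target    = "209.131.36.158"
local_web = "127.0.0.1"

# The rule from the original post, kept here commented out. rdr is
# applied to packets coming *in* on the named interface (or any, when no
# interface is given). A connection opened on this host goes *out* on
# $ext_if and is never inbound there, so for local traffic this rule is
# skipped. It still works for clients behind the firewall.
#rdr pass inet proto tcp from any to $target port 80 -> $local_web port 80

# Translation rules must precede filter rules. This rdr sits on lo0,
# where the locally generated connection will be made to arrive.
rdr pass on lo0 inet proto tcp from any to $target port 80 -> $local_web port 80

# Filter rules. Catch the locally generated connection on its way out
# and hand it to lo0 instead of the default route, so it re-enters pf
# as inbound traffic on lo0 and the rdr above rewrites the destination.
pass out quick on $ext_if route-to (lo0 127.0.0.1) inet proto tcp from any to $target port 80 keep state

# Everything else on loopback is left alone. "log" copies matches to
# pflog0, so tcpdump on pflog0 shows whether the redirected packets appear.
pass out log quick on lo0 no state
pass in  log quick on lo0 no state
```

`pfctl -nvf /etc/pf.conf` parses the file (including the translation-before-filter ordering) without loading it; after loading, `pfctl -s nat` confirms the rdr rule is present and `pfctl -s state` shows whether a translated state is created when you telnet to the target address.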
From owner-freebsd-pf@FreeBSD.ORG Mon Jul 6 05:54:25 2009
In-Reply-To: <4A518F07.1070209@simplenet.com>
Date: Mon, 6 Jul 2009 01:54:24 -0400
From: Chris Buechler
To: tt-list@simplenet.com
Cc: freebsd-pf@freebsd.org
Subject: Re: Extremely simple redirect rule doesnt appear to be working

On Mon, Jul 6, 2009 at 1:43 AM, Tim Traver wrote:
>
>
>
> yes, that is where I originally got all of the information, and made my
> original post with my redirection line in the pf.conf that does not appear
> to be doing anything.

Then you didn't read the bottom of that page. What you're missing is "Redirection and Reflection".
http://www.openbsd.org/faq/pf/rdr.html#reflect

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 6 06:20:59 2009
Message-ID: <4A5190C1.2060205@infoweapons.com>
Date: Mon, 06 Jul 2009 13:50:57 +0800
From: "Ronnel P. Maglasang"
To: tt-list@simplenet.com
Cc: freebsd-pf@freebsd.org
In-Reply-To: <4A518F07.1070209@simplenet.com>
Subject: Re: Extremely simple redirect rule doesnt appear to be working

Tim Traver wrote:
>
>
> Chris Buechler wrote:
>> On Mon, Jul 6, 2009 at 1:28 AM, Tim Traver wrote:
>>
>>> Thanks for responding. I am indeed testing this from within the same
>>> machine, as I need the redirection to take place when attempting to
>>> make
>>> requests FROM the machine to an outside source.
>>>
>>> Is there not a way to do that with pf ???
>>>
>>>
>>
>> There are multiple options, see:
>> http://www.openbsd.org/faq/pf/rdr.html
>>
>
> Chris,
>
> yes, that is where I originally got all of the information, and made
> my original post with my redirection line in the pf.conf that does not
> appear to be doing anything. I couldn't figure out why, hence the post
> here.
>
> Here is a copy of the original post if you think you might have any
> insight...
>
> Hi all,
>
> ok, I'm a little new to messing around with pf, but have come up for a
> need that it sounds like it should be able to solve.
>
> I want to be able to redirect outgoing http requests from the box back
> to local addresses on the box...
>
> In reading up, it appears that the redirect config line should do
> that, and in testing, I have a simple line like this in the pf.conf
>
> rdr pass inet proto tcp from any to 209.131.36.158 port 80 ->
> [internal address here] port 80
>
> now, I haven't made that internal address be an address on the local
> box yet, 'cause I'm testing to see how this works...
>
> I can manually telnet to [internal address here] port 80 with no
> problems and get the apache greeting.
>
> Once I turn on and load the pf.conf file (with pfctl -F all -f
> /etc/pf.conf), and I try to telnet to 209.131.36.158 port 80 (generic
> www.yahoo.com), I don't get redirected to the internal address port 80
> and get the apache greeting that is expected...
>
> I did turn on port forwarding as per the instructions for NAT,
> although it didn't say if it was needed for rdr.
>
> net.inet.ip.forwarding=1
>
> in netstat, I see it trying to actually reach the outside IP, which it
> can't, so the translation didn't appear to take effect...
>
> am I missing something ?
>

Yes, I believe so.

rdr works only for incoming traffic. To redirect outgoing traffic locally you need to re-route the traffic using the route-to option.

Try these rules.

--
rdr pass on lo0 inet proto tcp from any to 209.131.36.158 port 80 -> port 80
pass out log quick on lo0 no state
pass in log quick on lo0 no state

pass out quick on route-to (lo0 ) inet proto tcp from any to 209.131.36.158 port 80 keep state
--

> Thanks,
>
> Tim.
>
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 6 08:15:04 2009
Message-ID: <4A51B0A2.5060208@yartv.ru>
Date: Mon, 06 Jul 2009 12:06:58 +0400
From: Andrey Groshev
To: freebsd-pf@freebsd.org
Subject: tftp-proxy don't work

Hi,

Today there was a need to have tftp-proxy, but I found that it does not work. It was this way:

    Jul 6 10:53:27 vakhtyor tftp-proxy[47783]: pf connection lookup failed (no rdr?)
    Jul 6 10:53:27 vakhtyor inetd[47778]: /usr/libexec/tftp-proxy[47783]: exited, status 1

After that I looked at the source code and found the error: tftp-proxy tries to look up the pf state for its connection and does not find it, because it does not set the protocol correctly:

    server_lookup4(struct sockaddr_in *client, struct sockaddr_in *proxy, struct sockaddr_in *server)
    {
        .....
    -->     pnl.proto = IPPROTO_TCP;
        .....

After that I started looking for where the legs grow and discovered that it was corrected in OpenBSD (a proto argument was added to the function). Maybe the source code should be synchronized?

Best regards,
Andrey Groshev

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 6 11:07:04 2009
Message-Id: <200907061107.n66B73X3010878@freefall.freebsd.org>
Date: Mon, 6 Jul 2009 11:07:03 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use: http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker     Resp. Description
--------------------------------------------------------------------------------
o kern/135948 pf    [pf] [gre] pf not natting gre protocol
o kern/135162 pf    [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996 pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732 pf    [pf] max-src-conn issue
o kern/132769 pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176 pf    [pf] pf stalls connection when using route-to [regress
o conf/130381 pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861 pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920 pf    [pf] ipv6 and synproxy don't play well together
o conf/127814 pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439 pf    [pf] deadlock in pf
f kern/127345 pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121 pf    [pf] [patch] pf incorrect log priority
o kern/127042 pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467 pf    [pf] pf keep state bug while handling sessions between
s kern/124933 pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364 pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773 pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014 pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704 pf    [pf] PF mangles loopback packets
o kern/120281 pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057 pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355  pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567 pf    [pf] [lor] pf_ioctl.c + if.c
o kern/114095 pf    [carp] carp+pf delay with high state limit
o kern/111220 pf    [pf] repeatable hangs while manipulating pf tables
s conf/110838 pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283 pf    pfsync fails to sucessfully transfer some sessions
o kern/103281 pf    pfsync reports bulk update failures
o kern/93825  pf    [pf] pf reply-to doesn't work
o sparc/93530 pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949  pf    [pf] PF + ALTQ problems with latency
o bin/86635   pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271  pf    [pf] cbq scheduler cause bad latency

34 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 7 08:43:07 2009
Date: Tue, 7 Jul 2009 11:30:18 +0300
From: "John Dakos [ Enovation Technologies ]"
Subject: Simple Config PF
Hello All, I'm a newbie on PF

I want a simple pf.conf, I have one NIC

I want filtered ports 21,22,25,80,110, 53 DNS and Samba, and all other ports to be closed.

Is anyone to have this config?

Thanks

John Dakos
Network Administrator
Enovation Technologies
Filellinon 35, Chalandrion 15232 Athens, GREECE
Tel: +30-210 8119784
Mob: +30-6979348082

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 7 09:02:16 2009
Message-ID: <6CE8D2A5CE118747811E51143A68BA0A72F4406606@PEMEXMBXVS01.jellyfishnet.co.uk.local>
Date: Tue, 7 Jul 2009 09:51:16 +0100
From: Greg Hennessy
To: "freebsd-pf@freebsd.org"
Subject: RE: Simple Config PF

http://www.openbsd.org/faq/pf/index.html will teach you everything you need to know.

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of John Dakos [ Enovation Technologies ]
Sent: 07 July 2009 09:30
To: freebsd-pf@freebsd.org
Subject: Simple Config PF

Hello All, I m newbie on PF

I want a simple pf.conf, I have one NIC

I want filtered ports 21,22,25,80,110, 53 DNS and Samba, and all other ports to be closed.

Is any one to have this config?

Thanks

John Dakos
Network Administrator
Enovation Technologies
Filellinon 35, Chalandrion 15232 Athens, GREECE
Tel: +30-210 8119784
Mob: +30-6979348082
From owner-freebsd-pf@FreeBSD.ORG Tue Jul 7 09:26:37 2009
Message-ID: <139b44430907070153o12a1da1dx39fb67292743016c@mail.gmail.com>
Date: Tue, 7 Jul 2009 11:53:01 +0300
From: Valentin Bud
To: "John Dakos [ Enovation Technologies ]"
Cc: freebsd-pf@freebsd.org
Subject: Re: Simple Config PF

On Tue, Jul 7, 2009 at 11:30 AM, John Dakos [ Enovation Technologies ] <gdakos@enovation.gr> wrote:
>
>
> Hello All, I m newbie on PF
>
>
>
> I want a simple pf.conf, I have one NIC
>
>
>
> I want filtered ports 21,22,25,80,110, 53 DNS and Samba, and all other
> ports to be closed.
>
>
>
> Is any one to have this config?
>
>
>
> Thanks

Hello Mr. John,

The pf FAQ should be a good place to start. http://openbsd.org/faq/pf/index.html

Blindly copying some rules written here by some person, be they good, will not make you understand how pf works and how to debug and use it in the future.

Another must-have resource regarding PF is "The Book of PF" by Peter N. M. Hansteen. And to quote him:

"The Pledge of the Network Admin

This is my network.
It is mine, or technically, my employer's;
it is my responsibility, and I care for it with all my heart.
There are many other networks a lot like mine, but none are just like it.
I solemnly swear that I will not mindlessly paste from HOWTOs."

I don't want to be rude with you; I (as well as many others) could provide a simple ruleset, but that would break "Your Pledge" as a Network Admin, and plus the knowledge you'll gain by learning pf will be of use in the future.
a great day,
v

--
network warrior since 2005

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 8 00:52:40 2009
Message-ID: <46dcef4e0907071752y868f57s162b4026d26475f9@mail.gmail.com>
In-Reply-To: <139b44430907070153o12a1da1dx39fb67292743016c@mail.gmail.com>
Date: Wed, 8 Jul 2009 04:52:19 +0400
From: Prokofyev Vladislav
To: Valentin Bud
Cc: freebsd-pf@freebsd.org
Subject: Re: Simple Config PF

2009/7/7 Valentin Bud
> "The Pledge of the Network Admin
> This is my network.
> It is mine,
> or technically, my employer's;
> it is my responsibility,
> and I care for it with all my heart.
> There are many other networks a lot like mine,
> but none are just like it.
> I solemnly swear
> that I will not mindlessly paste from HOWTOs."
>
>

Sounds like devotion to a rifle in "Full Metal Jacket" by Stanley Kubrick :)
Thanks for this quote, will keep it in mind.

--
With best regards,
Vladislav Prokofyev

From owner-freebsd-pf@FreeBSD.ORG Sat Jul 11 06:06:28 2009
Message-ID: <4A582BE5.8020300@simplenet.com>
Date: Fri, 10 Jul 2009 23:06:29 -0700
From: Tim Traver
To: "Ronnel P. Maglasang"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <4A5190C1.2060205@infoweapons.com>
Subject: Re: Extremely simple redirect rule doesnt appear to be working

>>
>> am I missing something ?
>>
> Yes, I believe so.
>
> rdr works only for incoming traffic. To redirect outgoing traffic
> locally you
> need to re-route the traffic using the route-to option.
>
> Try these rules.
>
> --
> rdr pass on lo0 inet proto tcp from any to 209.131.36.158 port 80 ->
> port 80
> pass out log quick on lo0 no state
> pass in log quick on lo0 no state
>
> pass out quick on route-to (lo0 )
> inet proto tcp from any to 209.131.36.158 port 80 keep state
> --
>

Hmmm...I tried that configuration, but it still doesn't seem to produce anything :

here is the exact config that I am using based on your statements :

    rdr pass on lo0 inet proto tcp from any to 209.131.36.158 port 80 -> 209.132.4.203 port 80
    pass out log quick on lo0 no state
    pass in log quick on lo0 no state
    pass out quick on fxp0 route-to 127.0.0.1 inet proto tcp from any to 209.131.36.158 port 80 keep state

when I reload pf, it looks like the rules and nat stuff is indeed in place, but I get nothing when I attempt from the command line to telnet to 209.131.36.158 on port 80

I was expecting it to get answered on the local 127.0.0.1 port 80 which is indeed responding...

any other ideas on how to accomplish this?
Once again, I'm trying to make it so that any calls out from this box to certain IPs get redirected to a local IP on the box, so it never actually leaves the server...

Thanks,
Tim.

From: rascal
Date: Sat, 11 Jul 2009 13:44:30 -0400
To: freebsd-pf@freebsd.org
Subject: pfsync question

Hello all,

I have a question regarding pfsync and configuring it. I guess the first thing I need to make sure of is that I understand its functionality. As I understand it, pfsync is used to sync the state tables and the pf.conf file between two firewalls set up with pfsync/pf/carp.

So I have set up two firewalls in a test environment with the following configurations (on both firewalls, em0 is the primary interface, em2 is the heartbeat/crossover connection between the two firewalls and carp0 has a VIP assigned to it):

*firewall 1 rc.conf*

# -- sysinstall generated deltas -- # Tue Jun 30 12:57:37 2009
# Created: Tue Jun 30 12:57:37 2009
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
sshd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
gateway_enable="YES"
pfsync_enable="YES"
pfsync_syncdev="em2"
defaultrouter="10.222.5.1"
hostname="firewall1"
network_interfaces="em0 em1 em2 lo0 pfsync0"
cloned_interfaces="carp0"
ifconfig_em0="inet 10.222.5.159 netmask 255.255.255.0"
ifconfig_em2="192.168.0.1 netmask 0xffffff00"
ifconfig_carp0="advskew 200 vhid 1 pass blah 10.222.5.164 netmask 255.255.255.0"
ifconfig_pfsync0="up syncif em2"

*pf.conf*

##### increase limit on states #####
set limit { states 100000, frags 5000 }

##### set our macros #####
#### testing the sync###
ext_if="em0"
int_if="em1"
sync_if="em2"

###### Network Infrastructure ######
infrastructure_ip="{bunch of ips}"

scrub in all

pass quick on $sync_if proto pfsync keep state
pass on { $ext_if, $sync_if } proto carp keep state

#pass on $sync_if proto pfsync
#pass quick on { em2 } proto pfsync keep state
#pass on { em0 em1 } proto carp keep state

*ifconfig output*

em0: flags=8943 metric 0 mtu 1500
        options=9b
        ether 00:c0:9f:3d:b9:ad
        inet 10.222.5.159 netmask 0xffffff00 broadcast 10.222.5.255
        media: Ethernet autoselect (100baseTX )
        status: active
em1: flags=8802 metric 0 mtu 1500
        options=9b
        ether 00:c0:9f:3d:b9:ae
        media: Ethernet autoselect
        status: no carrier
em2: flags=8843 metric 0 mtu 1500
        options=9b
        ether 00:04:23:d6:df:16
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        media: Ethernet autoselect (1000baseTX )
        status: active
em3: flags=8802 metric 0 mtu 1500
        options=9b
        ether 00:04:23:d6:df:17
        media: Ethernet autoselect
        status: no carrier
pflog0: flags=141 metric 0 mtu 33204
pfsync0: flags=41 metric 0 mtu 1460
        pfsync: syncdev: em2 syncpeer: 224.0.0.240 maxupd: 128
lo0: flags=8049 metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
carp0: flags=49 metric 0 mtu 1500
        inet 10.222.5.164 netmask 0xffffff00
        carp: MASTER vhid 1 advbase 1 advskew 200

*pfctl -vvss output*

No ALTQ support in kernel
ALTQ related functions disabled
all pfsync 192.168.0.1 -> 224.0.0.240       SINGLE:NO_TRAFFIC
   age 10:22:46, expires in 00:00:28, 20964:0 pkts, 2683640:0 bytes
   id: 4a582b5900000000 creatorid: 1801692c (no-sync)
all carp 10.222.5.159 -> 224.0.0.18       SINGLE:NO_TRAFFIC
   age 10:22:46, expires in 00:00:29, 20957:0 pkts, 1173592:0 bytes
   id: 4a582b5900000002 creatorid: 1801692c
all pfsync 224.0.0.240 <- 192.168.0.2       NO_TRAFFIC:SINGLE
   age 10:05:54, expires in 00:00:28, 20393:0 pkts, 2610328:0 bytes
   id: 4a582b5900000003 creatorid: 1801692c (no-sync)
all carp 224.0.0.18 <- 10.222.5.159       NO_TRAFFIC:SINGLE
   age 10:05:25, expires in 00:00:28, 0:0 pkts, 0:0 bytes
   id: 4a582cf200000004 creatorid: 3b64bdb5

*pftop output*

pfTop: Up State 1-4/4, View: default, Order: none, Cache: 10000                12:27:19

PR      DIR SRC                DEST               STATE              AGE       EXP       PKTS     BYTES
pfsync  Out 192.168.0.1:0      224.0.0.240:0      SINGLE:NO_TRAFFIC  10:23:05  00:00:29  20975    2685048
carp    Out 10.222.5.159:0     224.0.0.18:0       SINGLE:NO_TRAFFIC  10:23:05  00:00:30  20968    1174208
pfsync  In  192.168.0.2:0      224.0.0.240:0      NO_TRAFFIC:SINGLE  10:06:13  00:00:29  20404    2611736
carp    In  10.222.5.159:0     224.0.0.18:0       NO_TRAFFIC:SINGLE  10:05:44  00:00:29  0        0

*Firewall 2 rc.conf*

# -- sysinstall generated deltas -- # Tue Jun 30 13:09:12 2009
# Created: Tue Jun 30 13:09:12 2009
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
sshd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
gateway_enable="YES"
pfsync_enable="YES"
pfsync_syncdev="em2"
defaultrouter="10.222.5.1"
hostname="firewall2"
network_interfaces="em0 em1 em2 lo0 pfsync0"
cloned_interfaces="carp0"
ifconfig_em0="inet 10.222.5.160 netmask 255.255.255.0"
ifconfig_em2="192.168.0.2 netmask 0xffffff00"
ifconfig_carp0="advskew 202 vhid 1 pass blah 10.222.5.164 netmask 255.255.255.0"
ifconfig_pfsync0="up syncif em2"

*pf.conf*

##### increase limit on states #####
set limit { states 100000, frags 5000 }
##### set our macros #####
#### testing the sync###
ext_if="em0"
int_if="em1"
sync_if="em2"
###### Network Infrastructure ######
infrastructure_ip="{ bunch of ips }"
pass quick on $sync_if proto pfsync keep state
pass on { $ext_if, $sync_if } proto carp keep state
#pass on $sync_if proto pfsync
#pass quick on { em2 } proto pfsync keep state
#pass on { em0 em1 } proto carp keep state

*ifconfig output*

em0: flags=8943 metric 0 mtu 1500
        options=9b
        ether 00:c0:9f:3e:23:9d
        inet 10.222.5.160 netmask 0xffffff00 broadcast 10.222.5.255
        media: Ethernet autoselect (100baseTX )
        status: active
em1: flags=8802 metric 0 mtu 1500
        options=9b
        ether 00:c0:9f:3e:23:9e
        media: Ethernet autoselect
        status: no carrier
em2: flags=8843 metric 0 mtu 1500
        options=9b
        ether 00:04:23:d6:de:0a
        inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
        media: Ethernet autoselect (1000baseTX )
        status: active
em3: flags=8802 metric 0 mtu 1500
        options=9b
        ether 00:04:23:d6:de:0b
        media: Ethernet autoselect
        status: no carrier
pflog0: flags=141 metric 0 mtu 33204
pfsync0: flags=41 metric 0 mtu 1460
        pfsync: syncdev: em2 syncpeer: 224.0.0.240 maxupd: 128
lo0: flags=8049 metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
carp0: flags=49 metric 0 mtu 1500
        inet 10.222.5.164 netmask 0xffffff00
        carp: BACKUP vhid 1 advbase 1 advskew 202

*pfctl -vvss output*

No ALTQ support in kernel
ALTQ related functions disabled
all pfsync 224.0.0.240 <- 192.168.0.1       NO_TRAFFIC:SINGLE
   age 10:04:48, expires in 00:00:30, 20362:0 pkts, 2606504:0 bytes, rule 0
   id: 4a582cf200000000 creatorid: 3b64bdb5 (no-sync)
all carp 10.222.5.159 -> 224.0.0.18       SINGLE:NO_TRAFFIC
   age 10:21:40, expires in 00:00:30, 0:0 pkts, 0:0 bytes, rule 1
   id: 4a582b5900000002 creatorid: 1801692c
all pfsync 192.168.0.2 -> 224.0.0.240       SINGLE:NO_TRAFFIC
   age 10:04:47, expires in 00:00:30, 20354:0 pkts, 2605544:0 bytes, rule 0
   id: 4a582cf200000003 creatorid: 3b64bdb5 (no-sync)
all carp 224.0.0.18 <- 10.222.5.159       NO_TRAFFIC:SINGLE
   age 10:04:21, expires in 00:00:29, 20337:0 pkts, 1138872:0 bytes, rule 1
   id: 4a582cf200000004 creatorid: 3b64bdb5

*pftop output*

pfTop: Up State 1-4/4, View: default, Order: none, Cache: 10000                12:16:18

PR      DIR SRC                DEST               STATE              AGE       EXP       PKTS     BYTES
pfsync  In  192.168.0.1:0      224.0.0.240:0      NO_TRAFFIC:SINGLE  10:05:15  00:00:29  20377    2608424
carp    Out 10.222.5.159:0     224.0.0.18:0       SINGLE:NO_TRAFFIC  10:22:07  00:00:29  0        0
pfsync  Out 192.168.0.2:0      224.0.0.240:0      SINGLE:NO_TRAFFIC  10:05:14  00:00:29  20369    2607464
carp    In  10.222.5.159:0     224.0.0.18:0       NO_TRAFFIC:SINGLE  10:04:48  00:00:30  20353    1139768

As you can see from pf.conf on firewall1, I have added spacing and the additional "scrub in all" line, and on firewall2 these are not present. I guess I am curious, based on what I have presented, whether I am doing something wrong (I must be), or whether I have something misconfigured, or whether pfsync doesn't really sync the two files, just the state table.

Thanks in advance for any help!
-- 
Matthew

From: Dillon Kass
Date: Sat, 11 Jul 2009 15:20:12 -0400
Cc: freebsd-pf@freebsd.org
Subject: Re: Extremely simple redirect rule doesnt appear to be working

It's hard to say exactly what is happening here without more information, but here is the likely scenario. What is most likely happening is simple but a little tricky to notice. Your rdr rule is likely working fine.

For the sake of this example let's just say that your LAN is 192.168.0.0/24, your router is 192.168.0.1, the machine you want to forward to is 192.168.0.2 and your computer is 192.168.0.100.

So let's say you have your rdr rule as follows:

rdr pass inet proto tcp from any to 209.131.36.158 port 80 -> 192.168.0.2 port 80

This rule is probably working just fine; this is most likely what is happening. Your computer is 192.168.0.100 and you send a request to 209.131.36.158, which is redirected to 192.168.0.2. 192.168.0.2 receives a request with the source IP of 192.168.0.100 and responds directly to you. This is the problem. You send a packet to 209.131.36.158 and you get a response from 192.168.0.2; the packet is then dropped because your computer has no idea why 192.168.0.2 is sending you what would appear to be random crap.

Install something like trafshow, open it up and attempt to connect again, and look for two things: look at pfctl -vsr and see if your rule is being hit, and look at the output of trafshow and see if you're getting TCP traffic directly from the IP you're forwarding to. If you are, then this is your problem.

You should be able to use some fancy nat magic in pf so that the forwarded packet has a different source address (not from the same subnet), which will cause your 192.168.0.2 to send its packet back to the router instead of directly to your 192.168.0.100 LAN machine. On the way back through the router you can use some more fancy nat magic to rewrite the reply's source IP to be 209.131.36.158 instead of 192.168.0.2.
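Returning to Matthew's pfsync question above: pfsync replicates only the state table between the two peers, never pf.conf, so the two rulesets have to be kept in step by other means, and cosmetic edits (blank lines, comment banners) should not be mistaken for rule drift when checking that. The script below is an added example, not code from any post in this thread; it compares two pf.conf files after normalising such cosmetic differences, using constructed configs modelled on the excerpts above (the infrastructure_ip contents are a placeholder).

```shell
#!/bin/sh
# Added example (not from any post in this thread): pfsync carries state-table
# updates between the firewalls, not /etc/pf.conf, so the rulesets must be kept
# identical by other means. This compares two pf.conf files after stripping
# comments, blank lines and cosmetic whitespace, so only real rule differences
# (such as firewall1's extra "scrub in all") are reported.

# Normalise one pf.conf: drop comments and blank lines, collapse whitespace and
# remove spaces just inside braces so that "{ em2 }" and "{em2}" compare equal.
pf_normalize() {
    sed -e 's/#.*$//' \
        -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/{ */{/g' -e 's/ *}/}/g' \
        -e 's/^ //' -e 's/ $//' "$1" | grep -v '^$'
}

# Line-diff the normalised files (rule order matters to pf, so no sorting).
# Prints the differences; returns 0 if equivalent, 1 if they differ.
pf_rules_diff() {
    na=$(mktemp) ; nb=$(mktemp)
    pf_normalize "$1" > "$na"
    pf_normalize "$2" > "$nb"
    diff "$na" "$nb"
    status=$?
    rm -f "$na" "$nb"
    return $status
}

# Constructed sample (from the thread's excerpts; the IP list is a placeholder):
# firewall1's pf.conf with extra spacing and the "scrub in all" line.
FW1_CONF=$(mktemp)
cat > "$FW1_CONF" <<'EOF'
##### increase limit on states #####
set limit { states 100000, frags 5000 }

ext_if="em0"
sync_if="em2"
infrastructure_ip="{ 10.222.5.1 }"

scrub in all
pass quick on $sync_if proto pfsync keep state
pass on { $ext_if, $sync_if } proto carp keep state
#pass on $sync_if proto pfsync
EOF

# Constructed sample: firewall2's pf.conf, same rules minus the scrub line.
FW2_CONF=$(mktemp)
cat > "$FW2_CONF" <<'EOF'
set limit { states 100000, frags 5000 }
ext_if="em0"
sync_if="em2"
infrastructure_ip="{10.222.5.1}"
pass quick on $sync_if proto pfsync keep state
pass on { $ext_if, $sync_if } proto carp keep state
EOF

# Expected output: "5d4" then "< scrub in all", and a non-zero exit status.
pf_rules_diff "$FW1_CONF" "$FW2_CONF" || echo "rulesets differ (exit $?)"
```

On a live pair, run it against `pfctl -sr` output from both hosts instead of the files, since that reflects the rules actually loaded.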