From owner-freebsd-pf@FreeBSD.ORG Mon Nov 22 11:07:10 2010
Date: Mon, 22 Nov 2010 11:07:10 GMT
Message-Id: <201011221107.oAMB7Ac1051783@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf         [pf] "(self)" not always matching all local IPv6 addre
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

45 problems total.

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 24 01:50:02 2010
Date: Tue, 23 Nov 2010 17:50:01 -0800
Message-ID: <4CEC6F49.4030301@anchorfree.com>
From: Roman Vasilyev
To: "freebsd-pf@FreeBSD.org"
Subject: FreeBSD PF rdr load balancing question

Hi,

My company is using OpenVPN with UDP transport on an SMP machine; currently we
use Linux as the server platform. So, for more effective CPU usage, we run as
many openvpn instances as there are CPUs. For load balancing we use iptables
with a simple rule:

iptables -t nat -A PREROUTING -p udp -m state --state NEW -m udp -j REDIRECT --to-ports 8041-8048 --random

We are moving to FreeBSD, and I want to use the best firewall, PF. I didn't
find any ability for load balancing by ports, only by IPs. My question is:
what's the best way to have load balancing by ports on the LOCAL machine with
PF?

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 24 07:06:49 2010
Date: Wed, 24 Nov 2010 07:06:47 +0000 (UTC)
From: Janne Snabb
To: Roman Vasilyev
Cc: "freebsd-pf@FreeBSD.org"
In-Reply-To: <4CEC6F49.4030301@anchorfree.com>
References: <4CEC6F49.4030301@anchorfree.com>
Subject: Re: FreeBSD PF rdr load balancing question

On Tue, 23 Nov 2010, Roman Vasilyev wrote:

> We are moving to freebsd, and I want to use best firewall PF, I didn't found
> any ability for load balancing by ports only IP's, my question is:
> what's the best way to have load balancing by ports on LOCAL machine with PF?

I believe this is not possible with PF.

I think your best alternative solution would be to assign additional IP
addresses (aliases) either to your external interface or to your loopback
interface. These do not need to be proper IP addresses; using RFC1918
addresses or addresses from the 127.0.0.0/8 block should be fine.

You would bind each of your OpenVPN instances to one of these alias addresses
by using "local IP.AD.DR.ESS" in your openvpn.conf files or the "--local"
command line option (instead of using "port PORT" as you probably do now) and
have the appropriate "rdr" rules in your pf.conf. Search for "RDR ROUND
ROBIN" in "man pf.conf" for an example of such a rule.
Hope this helps,
--
Janne Snabb / EPIPE Communications
snabb@epipe.com - http://epipe.com/

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 25 19:14:29 2010
Date: Thu, 25 Nov 2010 20:42:53 +0200
From: Daniel Iliev
To: freebsd-pf@freebsd.org
Message-ID: <20101125204253.1ffc11fb@bsd.ilievnet.com>
Subject: redirecting local traffic to localhost

Hi,

I'm trying to set up a transparent squid. While intercepting traffic from
other hosts works fine, I can't figure out how to redirect locally originated
packets to the proxy daemon.

Squid is listening on 127.0.0.1:3128 with the "intercept" flag set. PF
redirects the http traffic like this:

rdr on msk0 from any to any port 80 -> 127.0.0.1 port 3128

So far, so good, but how should I redirect the packets from the squid box
itself? The rule I'm looking for looks like this on Linux:

iptables -t nat -I OUTPUT -m owner ! --uid-owner squid -p tcp --dport \
80 -j REDIRECT --to-port 3128

--
Best regards,
Daniel
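As an added illustration of Janne Snabb's reply earlier in the thread (this is not code from the thread or from any of the posters), here is a pf.conf fragment that spreads new OpenVPN sessions over instances bound to loopback aliases with a round-robin rdr; the interface name em0, UDP port 1194 and the aliases 127.0.0.41 through 127.0.0.48 are assumed placeholders.

```conf
# Added example, not from the thread. Assumed: external interface em0, eight
# OpenVPN instances (as in Roman's setup) that all listen on UDP 1194, each
# bound to its own lo0 alias 127.0.0.41 .. 127.0.0.48.
#
# Companion settings (assumed, shown here as comments):
#   /etc/rc.conf:      ifconfig_lo0_alias0="inet 127.0.0.41 netmask 255.255.255.255"
#                      ... alias1 .. alias7 for 127.0.0.42 .. 127.0.0.48
#   each openvpn.conf: local 127.0.0.4N   (one alias per instance)
#                      port 1194          (same port everywhere, instead of a
#                                          per-instance port 804N as on Linux)

ext_if   = "em0"
vpn_port = "1194"
vpn_ips  = "{ 127.0.0.41, 127.0.0.42, 127.0.0.43, 127.0.0.44, 127.0.0.45, 127.0.0.46, 127.0.0.47, 127.0.0.48 }"

# Hand each new UDP session to the next alias in turn. pf's state entry then
# keeps every later datagram of that session on the same instance, which is
# what the "-m state --state NEW ... --random" iptables rule provided.
rdr on $ext_if proto udp from any to ($ext_if) port $vpn_port \
    -> $vpn_ips round-robin

# Filter rules are evaluated against the translated destination, so admit
# the VPN traffic by its post-rdr address and keep state for the replies.
pass in quick on $ext_if proto udp from any to $vpn_ips port $vpn_port keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and confirm that sessions really land on different aliases with `pfctl -s state`.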