From owner-freebsd-pf@FreeBSD.ORG Mon Oct 3 11:07:13 2011
Date: Mon, 3 Oct 2011 11:07:12 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/159390  pf         [pf] [panic] mutex pf task mtx owned at /usr/src/sys/c
o kern/159029  pf         [pf] [panic] m_copym, offset > size of mbuf chain when
o kern/158873  pf         [pf] [panic] When I launch pf daemon, I have a kernel
o kern/158636  pf         [pf] if_pfsync.c fails to build when NBPFILTER == 0
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

50 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 4 21:22:50 2011
Date: Tue, 04 Oct 2011 14:06:05 -0700
From: "Bradley W. Dutton"
To: freebsd-pf@freebsd.org
Subject: 9-BETA3 "current entries" growing indefinitely

Hi,

I just updated an 8-STABLE box to 9-BETA3 and have a problem where PF
keeps growing the "current entries" indefinitely. I saw another person
with a similar issue:
http://groups.google.com/group/mailing.freebsd.current/browse_thread/thread/f350be446d1914d8?pli=1

But I didn't get any reply.

I rebuilt world again once more after the initial 8-STABLE upgrade to
see if it would fix itself but no luck. My firewall rules haven't
changed and from what I've read I shouldn't need to change anything for
this update. Anyone have any ideas? Flushing states will clear out the 34
states but won't clear the current entries. I've had to do the following
in pf.conf to keep my home router up for more than a day:
set limit states 1600000 # this used to be 30k

Thanks,
Brad

pfctl -ss | wc -l
      34

pfctl -si
Status: Enabled for 3 days 13:53:17           Debug: Urgent

Interface Stats for em0               IPv4             IPv6
  Bytes In                      3305522392                0
  Bytes Out                      425326123                0
  Packets In
    Passed                         3651954                0
    Blocked                          25784                0
  Packets Out
    Passed                         2919432                0
    Blocked                            737                0

State Table                          Total             Rate
  current entries                   229706
  searches                        45831728          148.2/s
  inserts                           229706            0.7/s
  removals                               0            0.0/s
Counters
  match                             287626            0.9/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                       264            0.0/s
  state-insert                           1            0.0/s
  state-limit                            0            0.0/s
  src-limit                             62            0.0/s
  synproxy                            2194            0.0/s

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 4 21:39:50 2011
Date: Tue, 04 Oct 2011 23:39:48 +0200
From: Florian Smeets
To: "Bradley W. Dutton"
Cc: freebsd-pf@FreeBSD.org
Subject: Re: 9-BETA3 "current entries" growing indefinitely

On 04.10.11 23:06, Bradley W. Dutton wrote:
> Hi,
>
> I just updated an 8-STABLE box to 9-BETA3 and have a problem where PF
> keeps growing the "current entries" indefinitely. I saw another person
> with a similar issue:
> http://groups.google.com/group/mailing.freebsd.current/browse_thread/thread/f350be446d1914d8?pli=1
>
> But I didn't get any reply.
>
> I rebuilt world again once more after the initial 8-STABLE upgrade to
> see if it would fix itself but no luck. My firewall rules haven't
> changed and from what I've read I shouldn't need to change anything for
> this update. Anyone have any ideas? Flushing states will clear out the 34
> states but won't clear the current entries. I've had to do the following
> in pf.conf to keep my home router up for more than a day:
> set limit states 1600000 # this used to be 30k
>

Hi,

this is a known problem, and it's being worked on. A workaround is to
use the pf module and not compile it into the kernel.

HTH,
Florian

From owner-freebsd-pf@FreeBSD.ORG Fri Oct 7 15:22:14 2011
Date: Fri, 7 Oct 2011 17:11:18 +0200
From: "Spenst, Aleksej"
To: "'freebsd-pf@freebsd.org'"
Subject: How to block HTTP packets going to 0.0.0.0 via proxy

Hi,

my browser goes online via proxy.
So, when I type http://0.0.0.0 in my browser I see in wireshark the following:

    Source            Destination     Protocol    Info
    172.16.102.100    172.16.2.17     HTTP        GET http://0.0.0.0/ HTTP/1.1

That is, the http GET request with the 0.0.0.0 IP address is sent to my proxy 172.16.2.17.
I do not want these requests to go to proxy. How can I block such requests with pf rules?

I could easily write a rule to block all packets directly going to IP 0.0.0.0, but in case with proxy, I don't know how to block such requests.

Thanks for any help.

Regards,
Aleks.

From owner-freebsd-pf@FreeBSD.ORG Fri Oct 7 15:54:03 2011
Date: Fri, 7 Oct 2011 17:24:41 +0200
From: Chris Buechler
To: "Spenst, Aleksej"
Cc: "freebsd-pf@freebsd.org"
Subject: Re: How to block HTTP packets going to 0.0.0.0 via proxy

On Fri, Oct 7, 2011 at 5:11 PM, Spenst, Aleksej wrote:
> Hi,
>
> my browser goes online via proxy.
> So, when I type http://0.0.0.0 in my browser I see in wireshark the following:
>
>     Source            Destination     Protocol    Info
>     172.16.102.100    172.16.2.17     HTTP        GET http://0.0.0.0/ HTTP/1.1
>
> That is, the http GET request with the 0.0.0.0 IP address is sent to my proxy 172.16.2.17.
> I do not want these requests to go to proxy. How can I block such requests with pf rules?
>
> I could easily write a rule to block all packets directly going to IP 0.0.0.0, but in case with proxy, I don't know how to block such requests.
>

Block them on the proxy. PF can't tell the difference between GET
http://0.0.0.0 and GET http://google.com

From owner-freebsd-pf@FreeBSD.ORG Fri Oct 7 21:21:46 2011
Date: Fri, 7 Oct 2011 23:21:42 +0200
From: "Spenst, Aleksej"
To: Chris Buechler
Cc: "freebsd-pf@freebsd.org"
Subject: AW: How to block HTTP packets going to 0.0.0.0 via proxy

Thanks, Chris!

Unfortunately, I don't have access to this proxy and can't configure any rules on it.
Hmm... then it seems that this is not possible with pf.

Regards,
Aleks.
________________________________________
From: Chris Buechler [cbuechler@gmail.com]
Sent: Friday, 7 October 2011 17:24
To: Spenst, Aleksej
Cc: freebsd-pf@freebsd.org
Subject: Re: How to block HTTP packets going to 0.0.0.0 via proxy

On Fri, Oct 7, 2011 at 5:11 PM, Spenst, Aleksej wrote:
> Hi,
>
> my browser goes online via proxy.
> So, when I type http://0.0.0.0 in my browser I see in wireshark the following:
>
>     Source            Destination     Protocol    Info
>     172.16.102.100    172.16.2.17     HTTP        GET http://0.0.0.0/ HTTP/1.1
>
> That is, the http GET request with the 0.0.0.0 IP address is sent to my proxy 172.16.2.17.
> I do not want these requests to go to proxy. How can I block such requests with pf rules?
>
> I could easily write a rule to block all packets directly going to IP 0.0.0.0, but in case with proxy, I don't know how to block such requests.
>

Block them on the proxy. PF can't tell the difference between GET
http://0.0.0.0 and GET http://google.com

From owner-freebsd-pf@FreeBSD.ORG Fri Oct 7 23:19:58 2011
Date: Sat, 8 Oct 2011 00:09:01 +0100
From: Greg Hennessy
To: "Spenst, Aleksej", "'freebsd-pf@freebsd.org'"
Subject: RE: How to block HTTP packets going to 0.0.0.0 via proxy

If you have no access to the gateway system, the only other alternative is a client side configuration, either use a PAC file or browser exception or routing statement to send traffic elsewhere.

Greg

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Spenst, Aleksej
> Sent: 08 October 2011 2:11 AM
> To: 'freebsd-pf@freebsd.org'
> Subject: How to block HTTP packets going to 0.0.0.0 via proxy
>
> Hi,
>
> my browser goes online via proxy.
> So, when I type http://0.0.0.0 in my browser I see in wireshark the following:
>
>     Source            Destination     Protocol    Info
>     172.16.102.100    172.16.2.17     HTTP        GET http://0.0.0.0/ HTTP/1.1
>
> That is, the http GET request with the 0.0.0.0 IP address is sent to my proxy
> 172.16.2.17.
> I do not want these requests to go to proxy. How can I block such requests
> with pf rules?
>
> I could easily write a rule to block all packets directly going to IP 0.0.0.0, but in
> case with proxy, I don't know how to block such requests.
>
> Thanks for any help.
>
> Regards,
> Aleks.
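
The client-side PAC approach suggested in the last reply, as an added example that is not part of the thread: a proxy auto-config file that keeps requests for 0.0.0.0 away from the proxy at 172.16.2.17. It goes slightly beyond the dotted form in the thread by also matching inet_aton-style spellings of the same address (such as "0" or "0x0.0.0.0"). The proxy port 3128, the local sink 127.0.0.1:9 and the helper names parsePart and ipv4ToNumber are assumptions; FindProxyForURL is the standard PAC entry point.

```javascript
// Added example PAC file. Proxy IP is from the thread; the port is assumed.
var UPSTREAM = "PROXY 172.16.2.17:3128";
// Assumed sink: nothing listens on the local discard port, so the request fails
// on the client and never reaches the upstream proxy.
var SINK = "PROXY 127.0.0.1:9";

// Parse one component of an IPv4 literal the way inet_aton does:
// "0x.." is hex, a leading "0" is octal, anything else is decimal.
function parsePart(s) {
  if (/^0[xX][0-9a-fA-F]+$/.test(s)) return parseInt(s.slice(2), 16);
  if (/^0[0-7]*$/.test(s)) return parseInt(s, 8);
  if (/^[1-9][0-9]*$/.test(s)) return parseInt(s, 10);
  return null; // not numeric, so the host is a name
}

// Return the 32-bit value of an IPv4 literal, or null if host is not one.
// Accepts 1 to 4 parts: the last part fills all remaining bytes.
function ipv4ToNumber(host) {
  var h = host.replace(/\.$/, ""); // tolerate a trailing dot
  var parts = h.split(".");
  if (h === "" || parts.length > 4) return null;
  var nums = [];
  for (var i = 0; i < parts.length; i++) {
    var n = parsePart(parts[i]);
    if (n === null) return null;
    nums.push(n);
  }
  var last = nums.pop();
  var value = 0;
  for (var j = 0; j < nums.length; j++) {
    if (nums[j] > 255) return null; // leading parts are single bytes
    value = value * 256 + nums[j];
  }
  var remaining = 4 - nums.length;
  if (last >= Math.pow(256, remaining)) return null;
  return value * Math.pow(256, remaining) + last;
}

// PAC entry point: the browser calls this for every request.
function FindProxyForURL(url, host) {
  if (ipv4ToNumber(host) === 0) return SINK; // any spelling of 0.0.0.0
  return UPSTREAM;
}
```

The file only takes effect in browsers configured to load it as their automatic proxy configuration; pf on the client still sees nothing but TCP to whichever proxy is selected.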