From owner-freebsd-pf@FreeBSD.ORG Mon Oct 13 22:05:49 2014
From: Laszlo Danielisz
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Subject: Re: referer filtering
Date: Mon, 13 Oct 2014 15:03:44 -0700
Message-ID: <1413237824.91751.YahooMailNeo@web160702.mail.bf1.yahoo.com>
In-Reply-To: <20140926112213.GA18108@insomnia.benzedrine.cx>

Thank you Daniel!
On Friday, September 26, 2014 1:51 PM, Daniel Hartmeier wrote:

On Thu, Sep 25, 2014 at 11:24:01AM -0700, Laszlo Danielisz via freebsd-pf wrote:

> I was wondering how it is possible to accept a connection, let's say on port 80, only if it comes from a specified referer.
> Let's say there is a link on server A (IP 1.1.1.1) pointing to server B (IP 2.2.2.2). And server B will only accept the connection if it was sent by A.

You mean filtering based on an HTTP Referer: header? pf doesn't work on that layer at all.

Technically, B has to accept the client's connection and read the HTTP request (for the Referer: header) to make its decision. It can produce an error (or redirect) or close the connection, but "not accepting the connection" is impossible.

You'd have to do this at the application layer, e.g. Apache has modules that allow access control based on HTTP headers[1], or use an HTTP proxy like squid (pf can assist redirecting to it).

Also note that the referer header isn't always reliable, as it can be faked easily[2].
HTH,
Daniel

[1] http://www.uiowa.edu/server/manual/mod/mod_access_referer.html#motivation
[2] http://www.stardrifter.org/refcontrol/
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 14 09:40:38 2014
From: "Spenst, Aleksej"
To: freebsd-pf@freebsd.org
Subject: Fragmented packets are not redirected
Date: Tue, 14 Oct 2014 09:33:44 +0000

Hi All,

I have one problem with redirection of the fragmented packets. My use case:

A mobile phone sends the RTP video stream to my server. The server has pf installed. All RTP packets are redirected from the server to my PC:

|Mobile|------>---RTP---->-----|Server|------->---RTP--->-----|PC|

The small RTP packets are redirected to my PC without any problems.
The problem is with the large RTP packets that are fragmented and transmitted in several IP fragments. These IP fragments are not redirected to the PC. The redirection rule at the server:

rdr on wlan0 proto udp from any to (self) port 9870 -> 192.168.0.1 port 9870

     | S e r v e r |
->--|wlan0      eth0|-->-------|PC 192.168.0.1|

It is clear that if the IP fragments are not reassembled at the server they cannot be redirected since the redirection rule is written for UDP packets. That is why I have this scrub rule at the very beginning of my pf.conf:

scrub in on wlan0 all

I thought that this rule should reassemble all the incoming fragments. The reassembled UDP packets should then be correctly passed through the rdr rule and redirected to my PC. But this does not happen.

Do you have any ideas/tips?

Thanks a lot!
Aleksej.
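The reasoning in Aleksej's message (a rule written for UDP ports cannot match unreassembled fragments) can be shown concretely. The following is an added example, not code from the thread or from pf itself: it builds a large UDP datagram, fragments it the way a sending host would, and emulates the rdr rule's port check on each fragment before and after reassembly. Addresses, ports other than 9870, the payload and the MTU are assumptions chosen for the demo.

```python
import socket
import struct

IP_PROTO_UDP = 17
IP_HDR_LEN = 20
MF = 0x2000            # "more fragments" bit in the IPv4 flags/fragment-offset field
OFFSET_MASK = 0x1FFF


def ipv4_header(src, dst, ident, total_len, flags_off):
    # Header checksum is left at zero: these packets are never handed to a kernel.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_off,
                       64, IP_PROTO_UDP, 0, socket.inet_aton(src), socket.inet_aton(dst))


def udp_datagram(sport, dport, payload):
    # A zero UDP checksum means "no checksum" in IPv4, so none is computed here.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def fragment(src, dst, ident, l4, mtu=1500):
    """Split one L4 datagram into IPv4 fragments the way a sending host would."""
    chunk = (mtu - IP_HDR_LEN) // 8 * 8      # fragment data must be a multiple of 8 bytes
    frags = []
    for off in range(0, len(l4), chunk):
        data = l4[off:off + chunk]
        more = off + chunk < len(l4)
        flags_off = (MF if more else 0) | (off // 8)
        frags.append(ipv4_header(src, dst, ident, IP_HDR_LEN + len(data), flags_off) + data)
    return frags


def parse(pkt):
    (ver_ihl, _, total_len, ident, flags_off, _, proto, _,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:IP_HDR_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "proto": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "offset": (flags_off & OFFSET_MASK) * 8,
            "more": bool(flags_off & MF), "data": pkt[ihl:total_len]}


def rdr_rule_matches(pkt, dport=9870):
    """Emulates 'rdr ... proto udp from any to (self) port 9870' judged on one packet.
    A non-first fragment carries no UDP header, so the rule has no port to compare."""
    p = parse(pkt)
    if p["proto"] != IP_PROTO_UDP or p["offset"] != 0 or len(p["data"]) < 8:
        return False
    _sport, port = struct.unpack("!HH", p["data"][:4])
    return port == dport


def reassemble(frags):
    """What 'scrub ... fragment reassemble' provides: the whole datagram, or None
    while any fragment is still missing (the filter must then hold the others)."""
    parts = sorted((parse(f) for f in frags), key=lambda p: p["offset"])
    if not parts or parts[-1]["more"]:
        return None                           # the final (MF=0) fragment has not arrived
    buf, expect = b"", 0
    for p in parts:
        if p["offset"] != expect:
            return None                       # hole or overlap: still incomplete
        buf += p["data"]
        expect += len(p["data"])
    first = parts[0]
    return ipv4_header(first["src"], first["dst"], first["id"],
                       IP_HDR_LEN + len(buf), 0) + buf


def demo():
    """Returns (per-fragment rule verdicts, verdict after reassembly, fragment count)."""
    payload = bytes(range(256)) * 12          # constructed 3072-byte payload, about two MTUs
    l4 = udp_datagram(40000, 9870, payload)    # phone -> server port 9870, as in the thread
    frags = fragment("10.0.0.2", "10.0.0.1", 0x1234, l4)   # assumed addresses
    before = [rdr_rule_matches(f) for f in frags]
    whole = reassemble(frags)
    after = whole is not None and rdr_rule_matches(whole)
    return before, after, len(frags)


if __name__ == "__main__":
    before, after, n = demo()
    print(f"{n} fragments; rdr matches per fragment: {before}; after reassembly: {after}")
```

Only the first fragment matches the port-based rule; after reassembly the whole datagram does, which is why the scrub rule has to reassemble fragments before the rdr rule is evaluated.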
From owner-freebsd-pf@FreeBSD.ORG Tue Oct 14 13:57:18 2014
From: Kristof Provost
To: "Spenst, Aleksej"
Cc: freebsd-pf@freebsd.org
Subject: Re: Fragmented packets are not redirected
Date: Tue, 14 Oct 2014 15:57:15 +0200
Message-ID: <20141014135714.GT2017@vega.codepro.be>

On 2014-10-14 09:33:44 (+0000), Spenst, Aleksej wrote:
> It is clear that if the IP fragments are not reassembled at the server
> they cannot be redirected since the redirection rule is written for
> UDP packets. That is why I have this scrub rule at the very beginning
> of my pf.conf:
>
> scrub in on wlan0 all
>
> I thought that this rule should reassemble all the incoming fragments.
> The reassembled UDP packets should be then correctly passed through
> the rdr rule and redirected to my PC. But this does not happen.
>
I think that you want 'scrub in on wlan0 all fragment reassemble'.

Regards,
Kristof

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 14 14:17:23 2014
From: "Spenst, Aleksej"
To: Kristof Provost
Cc: freebsd-pf@freebsd.org
Subject: AW: Fragmented packets are not redirected
Date: Tue, 14 Oct 2014 14:02:43 +0000
In-Reply-To: <20141014135714.GT2017@vega.codepro.be>

Hi Kristof,

Thank you for your answer.
I read that "fragment reassemble" is the default behavior of scrub. So, "scrub in" and "scrub in fragment reassemble" is the same. But just to be sure I've also tried it already -> didn't help.

Regards,
Aleksej.

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 14 19:55:09 2014
From: Laszlo Danielisz
To: pf@freebsd.org
Subject: drop vs return
Date: Tue, 14 Oct 2014 12:54:58 -0700
Message-ID: <1413316498.26781.YahooMailNeo@web160701.mail.bf1.yahoo.com>

Hi,

Which is your set block-policy? Drop or Return?
And why?
Cheers,
Laszlo

From owner-freebsd-pf@FreeBSD.ORG Fri Oct 17 10:14:45 2014
From: "Spenst, Aleksej"
To: freebsd-pf@freebsd.org
Subject: AW: Fragmented packets are not redirected
Date: Fri, 17 Oct 2014 10:07:07 +0000
References: <20141014135714.GT2017@vega.codepro.be>

Hi All,

I'm thinking about how I can debug this problem.
I enable logging for blocked packets (block log-all all). My pf.conf looks approximately so:

scrub in on wlan0 all
rdr on wlan0 proto udp from any to (self) port 9870 -> 192.168.0.1 port 9870
block log-all all
pass on wlan0 all

The fragmented packets are not redirected to 192.168.0.1, but they are also not blocked since I don't see them in logs (with tcpdump -i pflog0). Where do they disappear? Are they just silently discarded by pf?

I also tried to add "log-all" to the scrub rule:

scrub in log-all on wlan0 all

--> I don't see anything from this rule in the logs as well!

My other question is about the option "set debug <level>" that one can write at the beginning of the pf.conf. What is this debug level for? I thought that there is only one way to debug pf rules: with this "log"/"log-all" keyword and the pflog0 interface. Is this debug level some other kind of debugging? When I write the option "set debug none" in the pf.conf, I can still see all packets logged at the pflog0 interface. So, is it something different?

Thanks!
Aleksej.

From owner-freebsd-pf@FreeBSD.ORG Sat Oct 18 04:50:53 2014
From: Chris Buechler
To: Laszlo Danielisz
Cc: pf@freebsd.org
Subject: Re: drop vs return
Date: Fri, 17 Oct 2014 23:50:31 -0500
In-Reply-To: <1413316498.26781.YahooMailNeo@web160701.mail.bf1.yahoo.com>

On Tue, Oct 14, 2014 at 2:54 PM, Laszlo Danielisz via freebsd-pf wrote:
> Hi,
>
> Which is your set block-policy? Drop or Return?
> And why?
>
Depends on the circumstance.
Generally speaking, for traffic sourced from trusted networks, return so you don't hang applications or services by blocking their traffic. It's friendlier. For any traffic sourced from the Internet, or networks with devices that aren't "trusted" (for whatever your definition of trusted), block so untrusted machines can't make your firewall generate reply packets (which will exacerbate a DoS/DDoS, among other potential issues).