From owner-freebsd-pf@FreeBSD.ORG Tue Feb 3 20:25:27 2015
From: Kristof Provost
To: freebsd-pf@freebsd.org
Cc: Mark Felder
Date: Tue, 3 Feb 2015 21:25:20 +0100
Subject: PF IPv6 fragments handling
Message-ID: <20150203202519.GD2167@vega.codepro.be>

Hi,

I have a couple of patches to let PF handle fragmented IPv6 packets.
They've been uploaded to phabricator:

https://reviews.freebsd.org/D1764
https://reviews.freebsd.org/D1765
https://reviews.freebsd.org/D1766
https://reviews.freebsd.org/D1767

Two of my systems are currently running them, seemingly without problems.
Regards,
Kristof

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 3 20:43:02 2015
From: Mark Felder
To: Kristof Provost, freebsd-pf@freebsd.org
Date: Tue, 03 Feb 2015 14:34:27 -0600
Subject: Re: PF IPv6 fragments handling
Message-Id: <1422995667.3937612.222676285.30AA6118@webmail.messagingengine.com>
In-Reply-To: <20150203202519.GD2167@vega.codepro.be>
References:
 <20150203202519.GD2167@vega.codepro.be>

On Tue, Feb 3, 2015, at 14:25, Kristof Provost wrote:
> Hi,
>
> I have a couple of patches to let PF handle fragmented IPv6 packets.
> They've been uploaded to phabricator:
>
> https://reviews.freebsd.org/D1764
> https://reviews.freebsd.org/D1765
> https://reviews.freebsd.org/D1766
> https://reviews.freebsd.org/D1767
>
> Two of my systems are currently running them, seemingly without
> problems.
>

I'm building a 10.1 kernel with these patches applied to test as well.
Thanks so much for looking into this!

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 5 09:21:47 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Date: Thu, 05 Feb 2015 09:21:44 +0000
Subject: [Bug 124933] [pf] [ip6] pf does not support (drops) IPv6 fragmented packets
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 7.0-RELEASE
X-Bugzilla-Who: kristof@freebsd.org
X-Bugzilla-Status: In Progress
X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org
X-Bugzilla-Changed-Fields: cc
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=124933

Kristof Provost changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kristof@freebsd.org

--- Comment #7 from Kristof Provost ---
There are patches here:

https://reviews.freebsd.org/D1764
https://reviews.freebsd.org/D1765
https://reviews.freebsd.org/D1766
https://reviews.freebsd.org/D1767

-- 
You are receiving this mail because:
You are the assignee for the bug.
From owner-freebsd-pf@FreeBSD.ORG Fri Feb 6 19:55:31 2015
From: Adrian Huryn
To: freebsd-pf@freebsd.org
Date: Fri, 06 Feb 2015 20:45:47 +0100
Subject: FreeBSD 10 + reverse ftp-proxy
Organization: i-Pi sp. z o.o.
X-Sender: ahuryn@i-pi.pl
User-Agent: Roundcube Webmail/1.0.3

Hello.

I searched a little on Google for this problem but I can't find any good
solution for it.

I have 2 pureftpd servers in my DMZ.

FTP 1
INTERNET > 212.12.12.1:2121 > 192.168.34.12:2121

FTP 2
INTERNET > 212.12.12.2:2121 > 192.168.34.19:2121

And I try to set up a reverse proxy for it, so I add to my pf.conf:

anchor "ftp-proxy/*"
pass in log 212.12.12.1 inet proto tcp from any to 212.12.12.1 port 2121 flags S/SAFR modulate state divert-to lo0 port 9021
pass in log 212.12.12.2 inet proto tcp from any to 212.12.12.2 port 2121 flags S/SAFR modulate state divert-to lo0 port 9022

And I run 2 x ftp-proxy:

ftp-proxy -p 9021 -R 192.168.34.12 -P 2121 -D7 -v
ftp-proxy -p 9022 -R 192.168.34.19 -P 2121 -D7 -v

But when I try to check the pf.conf syntax I get this error:

/etc/pf.conf:106: syntax error
106: pass in log 212.12.12.1 inet proto tcp from any to 212.12.12.1 port 2121 flags S/SAFR modulate state divert-to lo0 port 9021

My uname -a:

FreeBSD cerber 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 21:02:49 UTC 2014     root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

Thanks for help.

Best regards.
From owner-freebsd-pf@FreeBSD.ORG Fri Feb 6 19:56:10 2015
Date: Fri, 06 Feb 2015
 20:56:06 +0100
From: Lista PF
To: freebsd-pf@freebsd.org
Subject: Fwd: FreeBSD 10 + reverse ftp-proxy
Organization: i-Pi sp. z o.o.
Message-ID: <06ae8e0870798b33511a98cb975d64c4@i-pi.pl>
X-Sender: a+pf@i-pi.pl

[Forwarded copy of the preceding message; the body is identical.]
From owner-freebsd-pf@FreeBSD.ORG Fri Feb 6 23:35:37 2015
From: Darren Pilgrim
To: freebsd-pf@FreeBSD.org
Date: Fri, 06 Feb 2015 15:35:15 -0800
Subject: Re: [Bug 124933] [pf] [ip6] pf does not support (drops) IPv6 fragmented packets
Message-ID: <54D54FB3.9020305@bluerosetech.com>

On
2/5/2015 1:21 AM, bugzilla-noreply@freebsd.org wrote:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=124933
>
> Kristof Provost changed:
>
>            What    |Removed                     |Added
> ----------------------------------------------------------------------------
>                  CC|                            |kristof@freebsd.org
>
> --- Comment #7 from Kristof Provost ---
> There are patches here:
>
> https://reviews.freebsd.org/D1764
> https://reviews.freebsd.org/D1765
> https://reviews.freebsd.org/D1766
> https://reviews.freebsd.org/D1767

Sweet! Please tell me these will MFC in time for 10.2?

From owner-freebsd-pf@FreeBSD.ORG Sat Feb 7 08:46:34 2015
From: Kristof Provost
To: Darren Pilgrim
Date: Sat, 7 Feb 2015 09:46:30 +0100
Subject: Re: [Bug 124933] [pf] [ip6] pf does not support (drops) IPv6 fragmented packets
Message-ID: <20150207084630.GF2167@vega.codepro.be>
In-Reply-To: <54D54FB3.9020305@bluerosetech.com>
Cc: freebsd-pf@FreeBSD.org

On 2015-02-06 15:35:15 (-0800), Darren Pilgrim wrote:
> On 2/5/2015 1:21 AM, bugzilla-noreply@freebsd.org wrote:
> > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=124933
> > --- Comment #7 from Kristof Provost ---
> > There are patches here:
> >
> > https://reviews.freebsd.org/D1764
> > https://reviews.freebsd.org/D1765
> > https://reviews.freebsd.org/D1766
> > https://reviews.freebsd.org/D1767
>
> Sweet! Please tell me these will MFC in time for 10.2?
>
There are still issues at the moment. I'm trying to get those fixed as
soon as possible.

Specifically, there's a problem with the refragmentation. If you're using
pf on a gateway it will correctly defragment and then filter, but it
won't refragment before trying to send the packet out again. As a result
you get an ICMP6 Packet Too Big error if you do 'ping6 -s 9000 ...'
through it.

The current patches apply to stable/10 (I'm currently running two
stable/10 systems with them), so if you like you can already give them a
try.
Regards,
Kristof

From owner-freebsd-pf@FreeBSD.ORG Sat Feb 7 09:37:09 2015
From: Odhiambo Washington
To: freebsd-pf@freebsd.org
Date: Sat, 7 Feb 2015 12:36:26 +0300
Subject: Request for critique on pf.conf
Hello experts,

Being new to PF could be trouble, but I really need to control torrent
traffic and so have been reading about queuing, and it's not an easy
subject. I have looked at several examples too and finally settled on one
which seemed to fit my bill.

Would you guys please spare a few minutes and look at this pf.conf -
http://pastebin.com/VHfHyf2R - and comment/critique on its flaws or
effectiveness in your own opinions, please?

Thank you in advance.

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
"I can't hear you -- I'm using the scrambler."

From owner-freebsd-pf@FreeBSD.ORG Sat Feb 7 16:54:25 2015
Date: Sat, 7 Feb 2015 17:54:21 +0100
From: "Herbert J.
 Skuhra"
To: freebsd-pf@freebsd.org
Subject: Re: FreeBSD 10 + reverse ftp-proxy
Message-ID: <20150207165421.GA82206@oslo.ath.cx>

On Fri, Feb 06, 2015 at 08:45:47PM +0100, Adrian Huryn wrote:
> Hello.
> I searched a little on Google for this problem but I can't find any good
> solution for it.
>
> I have 2 pureftpd servers in my DMZ.
>
> FTP 1
> INTERNET > 212.12.12.1:2121 > 192.168.34.12:2121
>
> FTP 2
> INTERNET > 212.12.12.2:2121 > 192.168.34.19:2121
>
> And I try to set up a reverse proxy for it, so I add to my pf.conf:
> anchor "ftp-proxy/*"
> pass in log 212.12.12.1 inet proto tcp from any to 212.12.12.1 port 2121
> flags S/SAFR modulate state divert-to lo0 port 9021
> pass in log 212.12.12.2 inet proto tcp from any to 212.12.12.2 port 2121
> flags S/SAFR modulate state divert-to lo0 port 9022
>
> And I run 2 x ftp-proxy:
>
> ftp-proxy -p 9021 -R 192.168.34.12 -P 2121 -D7 -v
> ftp-proxy -p 9022 -R 192.168.34.19 -P 2121 -D7 -v
>
> But when I try to check the pf.conf syntax I get this error:
> /etc/pf.conf:106: syntax error
> 106: pass in log 212.12.12.1 inet proto tcp from any to 212.12.12.1 port
                   ^^^^
> 2121 flags S/SAFR modulate state divert-to lo0 port 9021

To fix the syntax error, have you tried removing the IP address after
"log", or replacing it with 'on $ext_if'?

-- 
Herbert
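Herbert's suggestion worked through as an added example; this is not configuration from the thread or from ftp-proxy's own documentation. It shows the rule as posted beside the corrected form. `$ext_if` and its value `em0` are assumed names for the Internet-facing interface; the addresses, ports and the `divert-to lo0 port` clause are left exactly as the poster wrote them.

```pf
# Assumed macro: the Internet-facing interface (em0 is a placeholder).
ext_if = "em0"

anchor "ftp-proxy/*"

# As posted. After "log", pf's grammar only accepts further rule options
# ("on <if>", "quick", "inet", "proto", ...); a bare address there is the
# syntax error pfctl reports on line 106.
#
#   pass in log 212.12.12.1 inet proto tcp from any to 212.12.12.1 port 2121 \
#       flags S/SAFR modulate state divert-to lo0 port 9021

# Corrected: the interface is named with "on"; the public address belongs
# only in the "to" clause. One rule and one proxy port per public address,
# matching the two "ftp-proxy -p" values.
pass in log on $ext_if inet proto tcp from any to 212.12.12.1 port 2121 \
    flags S/SAFR modulate state divert-to lo0 port 9021
pass in log on $ext_if inet proto tcp from any to 212.12.12.2 port 2121 \
    flags S/SAFR modulate state divert-to lo0 port 9022
```

Check it with `pfctl -nf /etc/pf.conf` before loading anything (`-n` parses only); `pfctl -nvf /etc/pf.conf` additionally prints every rule as pf parsed it, which is the quickest way to confirm that the rest of the line, including the `divert-to` clause, is accepted on this release. The proxies themselves keep the reverse-mode flags from the post (`-R` target host, `-P` target port, `-p` listening port); ftp-proxy inserts the per-session data-connection rules into the `ftp-proxy/*` anchor at runtime, so that anchor line is required as well.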