From owner-freebsd-pf@FreeBSD.ORG Sun Dec 12 14:29:52 2004
From: "Paul J. Pathiakis" (Pathiakis Home)
To: freebsd-pf@freebsd.org
Date: Sun, 12 Dec 2004 09:30:11 -0500
Subject: PF on two gateways
Message-Id: <200412120930.11712.pathiaki@pathiaki.com>

Hi,

There is more than just PF questions here. However, I ask of the list what could be accomplished with PF. It seems highly versatile, stateful, and may be able to solve things that I am not aware of due to light exposure to the PF technology.

I want/need to revamp my gateway.

I have a machine with the following interfaces:

  rl0 - interface to ISP cable modem
  rl1 - interface to ISP DSL modem (also, due to PPPoE, tun0)
  re0 - interface to internal 10.1.1.0/24 internal client/servers network
  re1 - interface to internal 10.1.2.0/24 internal servers network

(Yes, the servers on the two networks 10.1.{1,2}.0/24 are the same machines with two NICs in them. The servers are dual function at this time and support various services on the different networks.)

I have two gateways. Both are DHCP addresses.

  1) Cable modem rl0 (3 Mb down, 256 Kb up)
  2) DSL modem rl1 (1.5 Mb down, 384 Kb up)

Cable modem is simplistic, bang I'm up and running. DSL requires PPPoE, bang that's now working. (I believe that I should just leave this connection wide open with regards to ppp filters and let pf handle this interface, yes? Also, which interface will I be addressing with pf, tun0 or rl1?)

The big issue is how to firewall this configuration. I believe that I should just use one firewall. After researching, I find that my IPFW has been pseudo-obsoleted and IPfilter may be going the same route. It seems that pf (with ALTQ if shaping/limiting is needed, have to read about ALTQ too) is the way to go now.

The first issue encountered is that of default routes: depending on which interface comes up last, I get that interface's default route. Is there a way to load balance outbound connections? Simple round robin or something like it? Or, can FreeBSD support multiple default routes now? If so, how? Or can I load balance/failover with PF (and CARP, is it?). If I lose one interface due to the ISP having issues, can I redirect traffic to the other? I believe that this would involve something similar to a cluster where I have a "default route address" like 10.1.1.1 that all my internal desktop/client machines would have as their default route in their routing tables, which would be mapped/balanced to the two outbound interfaces. How would I accomplish this? (Does this make sense? Is it possible?)

Since both use DHCP, I believe I need to parse the leases file to acquire any info like default routes, nameservers for resolv.conf (<- after 127.0.0.1, how should these be put in the file? Alternating from one provider to the next?). Does PF require IPs in all cases or can generic interface names be used?

Next, I have my first cut at my firewall, please hack as you see fit. It tries to do all the right things, including the load balancing on the outbound. Is there a better way to do all these things? Any reordering?

# Define gateway int and ext i/fs, int nets, ext gw
lan_net1 = "10.1.1.0/24"
lan_net2 = "10.1.2.0/24"
int_if1 = "re0"
int_if2 = "re1"
ext_if1 = "rl0"
ext_if2 = "rl1"
ext_gw1 = "68.146.224.1"   # anyone got a script to parse dhclient.leases?
ext_gw2 = "142.59.76.1"    # anyone got a script to parse dhclient.leases?

# Define tcp services needed/provided
tcp_services = "{ 22 25 53 110 123 143 389 9102 9103 }"

# Define udp services needed/provided
udp_services = "{ 53 8880 33435-33524 58800 }"

# Define icmp services needed for internal traceroute and ping
icmp_services = "{ return-rst return-icmp echoreply }"

# Define tables for faster lookups, int addresses, rfc1918, spammers, firewall
# state/rules to be kept in memory
# (the <name> of each table, and the <name> references in the rules below,
# did not survive the list archive)
table { 10.1.1.0/24, 10.1.2.0/24 }
table const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
table persist file "/etc/spammers"
table const { self }

# Scrub incoming packets
# (pfctl insists on this order: options, scrub, queueing, nat/rdr, then filter rules)
scrub in all

# Nat outgoing connections on each internet interface
nat on $ext_if1 from $lan_net1 to any -> ($ext_if1)
nat on $ext_if1 from $lan_net2 to any -> ($ext_if1)
nat on $ext_if2 from $lan_net1 to any -> ($ext_if2)
nat on $ext_if2 from $lan_net2 to any -> ($ext_if2)

# Default deny
block all

# Block any rfc1918 and spammers trying to get in on outside i/fs
# (quick, otherwise the later "pass in ... port $tcp_services" rules win,
# since the last matching rule decides)
block in quick on $ext_if1 from { , } to any
block in quick on $ext_if2 from { , } to any

# Block any internal addresses knocking on the front door
block in quick on $ext_if1 from to any
block in quick on $ext_if2 from to any

# pass traffic on the loopback interface in either direction
pass quick on lo0 all

# Antispoof
antispoof log quick for $int_if1 inet
antispoof log quick for $int_if2 inet

# Pass all outgoing packets on internal interfaces
pass out on $int_if1 from any to $lan_net1
pass out on $int_if2 from any to $lan_net2

# Pass in quick any packets destined for the gateway itself
pass in quick on $int_if1 from $lan_net1 to $int_if1
pass in quick on $int_if2 from $lan_net2 to $int_if2

# Pass all traffic to and from the local networks
pass in on $int_if1 from $lan_net1 to any
pass out on $int_if1 from any to $lan_net1
pass in on $int_if2 from $lan_net2 to any
pass out on $int_if2 from any to $lan_net2

# Load balance outgoing tcp and udp traffic from internal network1.
pass in on $int_if1 route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net1 to any flags S/SA modulate state
pass in on $int_if1 route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net1 to any keep state

# Load balance outgoing tcp and udp traffic from internal network2.
pass in on $int_if2 route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net2 to any flags S/SA modulate state
pass in on $int_if2 route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net2 to any keep state

# Allow connection to provided TCP services on both external i/fs
pass in on $ext_if1 inet proto tcp from any to ($ext_if1) \
    port $tcp_services flags S/SA keep state
pass in on $ext_if2 inet proto tcp from any to ($ext_if2) \
    port $tcp_services flags S/SA keep state

# Allow access to provided UDP services on both external i/fs
# (no "flags" here: TCP flags are not valid on a UDP rule)
pass in on $ext_if1 inet proto udp from any to ($ext_if1) \
    port $udp_services keep state
pass in on $ext_if2 inet proto udp from any to ($ext_if2) \
    port $udp_services keep state

# Allow "pass out" rules for both external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

# Route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
# $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

Thank you,
Paul Pathiakis

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 14 11:59:58 2004
From: "Miki Shapiro"
To: freebsd-pf@freebsd.org
Date: Tue, 14 Dec 2004 22:59:26 +1100
Subject: Question on capabilities of ALTQ and HFSC
Message-Id: <200412141157.iBEBvJA8040238@pharoe.com>

Hi all

I'm using FreeBSD 5.3 Release, with a kernel recompiled to support ALTQ and HFSC.

After playing for a while with pf and packet shaping using the HFSC queue implementation, I'm still at a loss on whether this is possible or not:

The FreeBSD box serves as a router for a small NATted LAN, with a proprietary protocol running bulk data in both directions, alongside regular traffic. The internet connection is asymmetric - bigger downlink than uplink. I wish to regulate (limit) the upstream traffic of the bulk-data connection as it hurts other traffic when it peaks.

Since I queue traffic using the firewall rules in pf, queueing a stateful rule (keep state) affects incoming packets as well as outgoing packets that run along the session allowed by this rule. I believe specifying the interface on the queue definition (altq on $ext_if ...) was meant to prevent this, but the application responsible for the traffic runs in a jail on the machine itself, whose IP is aliased to the internal interface, but since the arriving packets never actually go out on the (internal) wire, the "interface" of both incoming and outgoing packets stays the external one as far as the queue is concerned, thus putting both incoming and outgoing packets in the queue. mrtg shows both uplink and downlink choked at the bandwidth I attempted to impose on the bulk uplink traffic.

Furthermore, allowing free flow in both directions, grabbing the incoming traffic with a non-stateful rule and queueing it apparently solves the problem (not that I'd call a wide-open firewall a solution).

My queues are apparently defined correctly and otherwise work great, it is only a matter of removing the unwanted limitation of inbound traffic.

Is this at all possible?

Miki

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 14 21:35:03 2004
From: "Zeno Lee"
To: freebsd-pf@freebsd.org
Date: Tue, 14 Dec 2004 16:34:22 -0500
Subject: NAT works but port forwarding does not

I am just starting off with PF. I had it compiled into the kernel in 5.3 stable. I have not set up any rules yet. I'm just trying to set up NAT and forwarding.

My network setup:

  Internet <----> em0 | FreeBSD | em1 <-----> LAN

My pf.conf file only has:

  ext_if="em0"
  int_if="em1"
  webserver="192.168.1.54"

  nat on $ext_if from $int_if:network to any -> ($ext_if)
  rdr on $ext_if from any to any port 80 -> $webserver

NAT works, however, I cannot get port forwarding to work. I am testing it via a remote computer on the internet whose packets only come through em0.

Am I missing anything here?

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 14 21:46:41 2004
From: "Paul J. Pathiakis" (Pathiakis Home)
To: freebsd-pf@freebsd.org
Date: Tue, 14 Dec 2004 16:47:01 -0500
Subject: Re: NAT works but port forwarding does not
Message-Id: <200412141647.01789.pathiaki@pathiaki.com>

Hi,

Just getting back into the networking side of things, but did you turn on packet forwarding? (It should be on if you turned on gateway enable <- I think.) Do a:

  sysctl -a | grep forward

Do you get a "1"?

I may be way off, but I am trying to help. :-)

P.

On Tuesday 14 December 2004 16:34, Zeno Lee wrote:
> I am just starting off with PF. I had it compiled into the kernel in 5.3
> stable. I have not setup any rules yet. I'm just trying to set up NAT and
> forwarding.
>
> My network setup
>
> Internet <----> em0 | FreeBSD | em1 <-----> LAN
>
> my pf.conf file only has:
>
> ext_if="em0"
> int_if="em1"
> webserver="192.168.1.54"
>
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> rdr on $ext_if from any to any port 80 -> $webserver
>
> NAT works, however, I cannot get port forwarding to work. I am testing it
> via a remote computer on the internet whose packets only come through em0.
>
> Am I missing anything here?
From owner-freebsd-pf@FreeBSD.ORG Tue Dec 14 21:58:01 2004
From: "Zeno Lee"
To: freebsd-pf@freebsd.org
Date: Tue, 14 Dec 2004 16:57:00 -0500
Subject: Re: NAT works but port forwarding does not
In-Reply-To: <200412141647.01789.pathiaki@pathiaki.com>

That's a good try, however, I had gateway_enabled="YES"

  # sysctl -a | grep forward
  net.inet.ip.forwarding: 1
  net.inet.ip.fastforwarding: 0
  net.inet6.ip6.forwarding: 0

----- Original Message -----
From: "Paul J. Pathiakis"
Sent: Tuesday, December 14, 2004 4:47 PM
Subject: Re: NAT works but port forwarding does not

> Hi,
>
> just getting back into the networking side of things, but did you turn on
> packet forwarding? (it should be on if you turned on gateway enable <-I think)
> Do a:
> sysctl -a | grep forward
> do you get a "1".
>
> I may be way off, but I am trying to help. :-)
>
> P.
From owner-freebsd-pf@FreeBSD.ORG Tue Dec 14 21:58:19 2004
From: Claudiu Dragalina-Paraipan
To: freebsd-pf@freebsd.org
Date: Tue, 14 Dec 2004 23:58:18 +0200
Subject: Re: NAT works but port forwarding does not
In-Reply-To: <200412141647.01789.pathiaki@pathiaki.com>

I think that NAT would not work either without net.inet.ip.forwarding=1, so I assume it is already set to 1.

Can you access the webserver (192.168.1.54) from the FreeBSD gateway? What are the settings for the em1 interface?

On Tue, 14 Dec 2004 16:47:01 -0500, Paul J. Pathiakis wrote:
> Hi,
>
> just getting back into the networking side of things, but did you turn on packet
> forwarding? (it should be on if you turned on gateway enable <-I think) Do a:
> sysctl -a | grep forward
> do you get a "1".
>
> I may be way off, but I am trying to help. :-)
>
> P.
--
Claudiu Dragalina-Paraipan
e-mail: dr.clau@gmail.com

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 14 22:15:01 2004
From: "Zeno Lee"
To: freebsd-pf@freebsd.org
Date: Tue, 14 Dec 2004 17:14:08 -0500
Subject: Re: NAT works but port forwarding does not
In-Reply-To: <200412141647.01789.pathiaki@pathiaki.com>

Yes, I can reach the web server via the gateway. I did a simple telnet to port 80 and did a GET on index.html.

  em0: flags=8943 mtu 1500
          options=1b
          inet6 fe80::211:43ff:fecd:19d6%em0 prefixlen 64 scopeid 0x1
          inet 160.79.174.98 netmask 0xfffffff8 broadcast 160.79.174.103
          ether 00:11:43:cd:19:d6
          media: Ethernet autoselect (100baseTX )
          status: active
  em1: flags=8843 mtu 1500
          options=1b
          inet6 fe80::211:43ff:fecd:19d7%em1 prefixlen 64 scopeid 0x2
          inet 192.168.1.55 netmask 0xffffff00 broadcast 192.168.1.255
          ether 00:11:43:cd:19:d7
          media: Ethernet autoselect (100baseTX )
          status: active

tcpdump of em0 (external interface) during a web request:

  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
  17:07:02.077447 IP user-0cdfece.cable.mindspring.com.4220 > pbx.streetsolutions.com.http: S 1534882456:1534882456(0) win 65535
  17:07:02.077474 IP pbx.streetsolutions.com.http > user-0cdfece.cable.mindspring.com.4220: R 0:0(0) ack 1534882457 win 0
  17:07:02.461973 IP user-0cdfece.cable.mindspring.com.4220 > pbx.streetsolutions.com.http: S 1534882456:1534882456(0) win 65535
  17:07:02.461988 IP pbx.streetsolutions.com.http > user-0cdfece.cable.mindspring.com.4220: R 0:0(0) ack 1 win 0
  17:07:02.889477 IP pbx.streetsolutions.com.63430 > ns1.east.us.intellispace.net.domain: 61596+ PTR? 142.185.215.24.in-addr.arpa. (45)
  17:07:02.900474 IP ns1.east.us.intellispace.net.domain > pbx.streetsolutions.com.63430: 61596 1/7/8 (383)
  17:07:03.032150 IP user-0cdfece.cable.mindspring.com.4220 > pbx.streetsolutions.com.http: S 1534882456:1534882456(0) win 65535
  17:07:03.032168 IP pbx.streetsolutions.com.http > user-0cdfece.cable.mindspring.com.4220: R 0:0(0) ack 1 win 0
  17:07:03.898931 IP pbx.streetsolutions.com.54055 > ns1.east.us.intellispace.net.domain: 61597+ PTR? 130.6.79.160.in-addr.arpa. (43)
  17:07:03.902284 IP ns1.east.us.intellispace.net.domain > pbx.streetsolutions.com.54055: 61597* 1/1/1 (119)

tcpdump of em1 during a web request shows no visible traffic between em0 and em1.

----- Original Message -----
From: "Claudiu Dragalina-Paraipan"
Sent: Tuesday, December 14, 2004 4:58 PM
Subject: Re: NAT works but port forwarding does not

> I think that NAT would not work either without
> net.inet.ip.forwarding=1, so I assume it is already set to 1.
> Can you access the webserver (192.168.1.54) from the FreeBSD gateway ?
> What are the settings for em1 interface ?
>> > _______________________________________________ >> > freebsd-pf@freebsd.org mailing list >> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf >> > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" >> > >> _______________________________________________ >> freebsd-pf@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-pf >> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" >> > > > -- > Claudiu Dragalina-Paraipan > e-mail: dr.clau@gmail.com > From owner-freebsd-pf@FreeBSD.ORG Tue Dec 14 22:58:07 2004 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4E64C16A4CE for ; Tue, 14 Dec 2004 22:58:07 +0000 (GMT) Received: from smtp.uol.com.br (smtpout1.uol.com.br [200.221.4.192]) by mx1.FreeBSD.org (Postfix) with ESMTP id EC2EA43D64 for ; Tue, 14 Dec 2004 22:58:05 +0000 (GMT) (envelope-from antonio.torres@newspace.net.br) Received: from thinkpad (200-221-52-129.speedy.speeduol.com.br [200.221.52.129]) by scorpion1.uol.com.br (Postfix) with SMTP id 519109FB1 for ; Tue, 14 Dec 2004 20:58:04 -0200 (BRST) Date: Tue, 14 Dec 2004 20:58:09 -0200 From: Antonio Torres To: freebsd-pf@freebsd.org Message-Id: <20041214205809.5bc3564f.antonio.torres@newspace.net.br> In-Reply-To: References: <200412141647.01789.pathiaki@pathiaki.com> X-Mailer: Sylpheed version 1.0.0beta3 (GTK+ 1.2.10; i386-portbld-freebsd5.3) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Re: NAT works but port forwarding does not X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Dec 2004 22:58:07 -0000 On Tue, 14 Dec 2004 17:14:08 -0500 "Zeno Lee" wrote: ... 
> >> > My network setup > >> > > >> > Internet <----> em0 | FreeBSD | em1 <-----> LAN > >> > > >> > > >> > my pf.conf file only has: > >> > > >> > ext_if="em0" > >> > int_if="em1" > >> > webserver="192.168.1.54" > >> > > >> > nat on $ext_if from $int_if:network to any -> ($ext_if) > >> > rdr on $ext_if from any to any port 80 -> $webserver > >> > > >> > > >> > NAT works, however, I cannot get port forwarding to work. I am testing > >> > it > >> > vial a remote computer on the internet whose packets only come through > >> > em0 try a full sintax: rdr on $ext_if proto tcp from any to any port 80 -> $webserver port 80 works fine to me. Antonio Torres antonio.torres@newspace.net.br From owner-freebsd-pf@FreeBSD.ORG Tue Dec 14 23:14:59 2004 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 36ED616A4CE for ; Tue, 14 Dec 2004 23:14:59 +0000 (GMT) Received: from mxsf15.cluster1.charter.net (mxsf15.cluster1.charter.net [209.225.28.215]) by mx1.FreeBSD.org (Postfix) with ESMTP id CE90E43D2D for ; Tue, 14 Dec 2004 23:14:58 +0000 (GMT) (envelope-from pathiaki@pathiaki.com) Received: from mxip04.cluster1.charter.net (mxip04a.cluster1.charter.net [209.225.28.134])iBENEvQD030594 for ; Tue, 14 Dec 2004 18:14:57 -0500 Received: from cpe-66-189-12-20.ma.charter.com (HELO pc4.atlantisservices.com) (66.189.12.20) by mxip04.cluster1.charter.net with ESMTP; 14 Dec 2004 18:14:57 -0500 X-Ironport-AV: i="3.87,143,1099285200"; d="scan'208"; a="496306588:sNHT16223420" From: "Paul J. 
Organization: Pathiakis Home
To: freebsd-pf@freebsd.org
Date: Tue, 14 Dec 2004 18:15:20 -0500
Subject: Re: NAT works but port forwarding does not
Message-Id: <200412141815.20614.pathiaki@pathiaki.com>

> My network setup
>
> Internet <----> em0 | FreeBSD | em1 <-----> LAN
>
> my pf.conf file only has:
>
> ext_if="em0"
> int_if="em1"
> webserver="192.168.1.54"
>
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> rdr on $ext_if from any to any port 80 -> $webserver

If Antonio's solution works, forget the below. However, it seems to me that there should be a way of allowing the internal card to talk to the external card. It seems to me that outgoing NAT works, but nothing about incoming traffic being allowed to traverse from the external if/LAN to the internal if/LAN was ever put in place.

# Pass in quick any packets destined for the gateway
pass in quick on $ext_if from $int_if:network to $ext_if

(Again, just trying to help, and I'm NEW to pf.)

P.
From owner-freebsd-pf@FreeBSD.ORG Wed Dec 15 15:30:01 2004
From: "Zeno Lee" <zeno_lee@hotmail.com>
To: freebsd-pf@freebsd.org
Date: Wed, 15 Dec 2004 10:29:11 -0500
Subject: Re: NAT works but port forwarding does not
References: <200412141647.01789.pathiaki@pathiaki.com> <20041214205809.5bc3564f.antonio.torres@newspace.net.br>

I appreciate all your help. It's still not working. Antonio's suggestion is the syntax I already had; I mistyped my email. I tried Paul's suggestion but it still doesn't work. I'm not a network expert. It's probably something very obvious.
I'm going to describe my 2 interfaces more.

External interface is:
em0 inet 160.79.174.98 netmask 255.255.255.248

Internal interface is:
em1 inet 192.168.1.55 netmask 255.255.255.0

em0 is running at 100 half duplex
em1 is running at 100 full duplex

/etc/pf.conf:

ext_if="em0"
int_if="em1"
webserver=192.168.1.54

nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $webserver port 80

NAT is working perfectly fine. I can ssh into em0 and then telnet to port 80 and do a GET on index.html.

It's a brand new FreeBSD 5.3 install. I updated to 5.3-STABLE and rebuilt the kernel, only adding the following to the configuration:

device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ    # Class Based Queueing
options ALTQ_RED    # Random Early Drop
options ALTQ_RIO    # RED In/Out
options ALTQ_HFSC   # Hierarchical Packet Scheduler
options ALTQ_CDNR   # Traffic conditioner
options ALTQ_PRIQ   # Priority Queueing
options ALTQ_NOPCC  # Required for SMP build
options ALTQ_DEBUG

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 15 17:00:44 2004
From: "Zeno Lee" <zeno_lee@hotmail.com>
To: freebsd-pf@freebsd.org
References: <200412141647.01789.pathiaki@pathiaki.com> <20041214205809.5bc3564f.antonio.torres@newspace.net.br>
  <7c8f279204121508191075f751@mail.gmail.com>
Date: Wed, 15 Dec 2004 11:59:07 -0500
Subject: Re: NAT works but port forwarding does not

It seems it's not a PF issue; some kind of network/routing issue. I set up an IPFILTER rule to do the same with NAT and RDR. Just as with PF, NAT works fine but redirection does not. I'm gonna take my questions to freebsd-net.

Thanks to everyone who replied.

----- Original Message -----
From: "Josh Kayse"
To: "Zeno Lee"
Sent: Wednesday, December 15, 2004 11:19 AM
Subject: Re: NAT works but port forwarding does not

> On Wed, 15 Dec 2004 10:29:11 -0500, Zeno Lee wrote:
>
> Did you try putting the rdr rule before the nat rule?
>
> I am also new to pf...
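An added example for the rdr thread above; it is not code from any poster, and the thread itself ends without a diagnosis. Two things are worth checking on any rdr setup like the one posted. First, pf performs nat/rdr translation before it evaluates the filter rules, so a "pass in" rule meant for redirected traffic has to name the translated destination (the internal web server), not the external address. The ruleset as posted has no filter rules at all, so pf passes everything and this only bites once a "block all" default is added; the script below adds such a default (an assumption) so the point is visible, then lints every rdr target for a covering "pass in" rule. Second, and outside what a ruleset lint can see, the web server's default route must lead back through the pf box, or the replies to the redirected connection never return the way they came. Interface names and addresses are the ones from the thread.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread.  pf applies nat/rdr
# translation before the filter rules, so a "pass in" rule that should let
# redirected traffic through has to name the *translated* destination
# (the internal web server), not the external address.  The ruleset below
# is the one posted, with an assumed "block all" default added so the
# point is visible; the lint afterwards flags every rdr target that no
# "pass in" rule covers.  It says nothing about the return path: the
# target's default route still has to lead back through the pf box.

# Posted ruleset plus a default-deny policy (nat + rdr, no pass for port 80).
RULESET_BROKEN='ext_if="em0"
int_if="em1"
webserver="192.168.1.54"
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $webserver port 80
block all
pass out keep state
pass in on $int_if from $int_if:network to any keep state'

# Same ruleset with the pass rule the redirect needs (translated address).
RULESET_FIXED="$RULESET_BROKEN
pass in on \$ext_if proto tcp from any to \$webserver port 80 keep state"

# rdr_targets RULESET: print the translation target of every rdr rule.
rdr_targets() {
    printf '%s\n' "$1" |
        awk '/^rdr / { for (i = 1; i <= NF; i++) if ($i == "->") print $(i + 1) }'
}

# missing_pass RULESET: print each rdr target that no "pass in" rule names.
# Exit status 0 when every target is covered, 1 otherwise.
missing_pass() {
    ruleset=$1
    rc=0
    for tgt in $(rdr_targets "$ruleset"); do
        if ! printf '%s\n' "$ruleset" |
            awk -v t="$tgt" 'index($0, "pass in ") == 1 && index($0, " to " t) { f = 1 }
                             END { exit !f }'; then
            echo "$tgt"
            rc=1
        fi
    done
    return $rc
}

# syntax_check RULESET: dry-run parse with pfctl where pf is available;
# a no-op on a host without pfctl so the script still runs anywhere.
syntax_check() {
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not installed, skipping parse check" >&2; return 0; }
    printf '%s\n' "$1" | pfctl -nf -
}

for name in BROKEN FIXED; do
    eval "rs=\$RULESET_$name"
    if uncovered=$(missing_pass "$rs"); then
        echo "$name: every rdr target has a matching pass rule"
    else
        echo "$name: no pass rule for rdr target(s): $uncovered"
    fi
done
```

On the firewall itself, `syntax_check "$RULESET_FIXED"` runs `pfctl -nf -` over the text without loading it; the lint only catches the missing-pass mistake, so the return route on the web server (`netstat -rn` there should show the pf box as default gateway) still has to be checked by hand.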
From owner-freebsd-pf@FreeBSD.ORG Thu Dec 16 08:06:19 2004
From: sam wun <sam.wun@authtec.com>
To: current@freebsd.org, freebsd-pf@freebsd.org
Date: Thu, 16 Dec 2004 16:05:40 +0800
Subject: pfctl -t private_ips -vTshow
Message-ID: <41C141D4.9030303@authtec.com>

Hi

The following pfctl command returns an error:

# pfctl -t private_ips -vTshow
pfctl: Table does not exist.

The table option is defined in the pf.conf as shown below:

table <private_ips> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }

Have I used incorrect syntax?

Thanks
Sam.
From owner-freebsd-pf@FreeBSD.ORG Thu Dec 16 11:14:10 2004
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Cc: freebsd-current@freebsd.org, sam wun
Date: Thu, 16 Dec 2004 12:14:54 +0100
Subject: Re: pfctl -t private_ips -vTshow
Message-Id: <200412161215.02476.max@love2party.net>
In-Reply-To: <41C141D4.9030303@authtec.com>

On Thursday 16 December 2004 09:05, sam wun wrote:
> Hi
>
> The following pfctl command returns an error:
>
> # pfctl -t private_ips -vTshow
> pfctl: Table does not exist.
>
> The table option is defined in the pf.conf as shown below:
> table <private_ips> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24,
> 192.168.1.18 }
>
> Have I used incorrect syntax?

From pf.conf(5):

|  persist   The persist flag forces the kernel to keep the table even when
|            no rules refer to it.  If the flag is not set, the kernel will
|            automatically remove the table when the last rule referring to
|            it is flushed.

i.e. if you don't have a rule using the table, pf will throw it away unless you define the table as persist(ent), as in:

table <private_ips> persist { ... }

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 16 11:37:26 2004
From: ChOcO Bn <choco.bn@gmail.com>
To: freebsd-pf@freebsd.org
Date: Thu, 16 Dec 2004 12:36:45 +0100
Subject: cannot define table guardian: Cannot allocate memory

I'm using FreeBSD 5.3 with pf and ALTQ compiled into the kernel.

I'm trying to fill a table from a file containing some ranges of IPs (according to CIDR norms):

choco ~/ip_guardian# cat guarding.ip | wc -l
46916

and when I try to reload my rules, it doesn't work:

"cannot define table guardian: Cannot allocate memory"

How could I handle this?
From owner-freebsd-pf@FreeBSD.ORG Fri Dec 17 05:56:36 2004
From: Ladislav Bodnar <distro.watch@msa.hinet.net>
Organization: DistroWatch.com
To: freebsd-pf@freebsd.org
Date: Fri, 17 Dec 2004 13:56:34 +0800
Subject: Can pf block illegal relay access attempts?
Message-Id: <200412171356.34608.distro.watch@msa.hinet.net>

Hi,

Over the last 7 days my Postfix mail server received almost 80,000 requests to relay mail to a third destination. Since it is not an open relay, it rejected all these requests, but it is still annoying to see this happening. The requests came from varying (almost 20,000 different) IP addresses, but they had one thing in common - the destination address was always "$some-user-name"@infomagic.com.

Is there a way to prevent these attempts to access the mail server at all? I only started using pf recently, so I still have a lot to learn, but I would appreciate any advice. Or is pf not the right tool for this?

Thanks a lot for your help.
From owner-freebsd-pf@FreeBSD.ORG Fri Dec 17 06:07:49 2004
From: "dave" <dmehler26@woh.rr.com>
To: "Ladislav Bodnar", freebsd-pf@freebsd.org
Date: Fri, 17 Dec 2004 01:06:55 -0500
Subject: Re: Can pf block illegal relay access attempts?
Message-ID: <000901c4e3fe$9c710f30$0400a8c0@satellite>
References: <200412171356.34608.distro.watch@msa.hinet.net>

Hello,

I'm in an identical situation; my Postfix system is getting heavy traffic from spammers, a majority of which are from the Asia area. I've got the beginnings of a concept but don't know how best to implement it. Use a spammers table and point that to a file that contains one IP address per line. Then somehow trigger a script that takes an offending IP out of the maillog (or, also in my case, the ssh log) and drops it in that file. When that is done, pfctl reloads and blocks it.

Any help or improvements appreciated.

Dave.
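An added example that is not code from anyone in this thread. It implements the design Dave sketches in the message above, a pf table backed by a file with one address per line and a script that pulls the client IPs of rejected relay attempts out of the Postfix maillog, and it also applies Max Laier's point from the private_ips thread earlier on this page: the table must be declared "persist", or pf discards it as soon as no rule references it and pfctl reports "Table does not exist". Unlike Dave's sketch, the script does not reload the ruleset; "pfctl -T add" changes the live table directly, while the file is appended so a later "pfctl -f" rebuilds the same table. The table name, the file paths, the "$ext_if" macro and the sample log lines are assumptions; the log lines are constructed with documentation addresses, not real traffic.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread.  It implements the
# design Dave sketches above: a pf table backed by a file of one address
# per line, fed by a script that pulls the client IPs of rejected relay
# attempts out of the Postfix maillog.  Two details from this thread:
#  - the table is declared "persist", otherwise pf discards it as soon as
#    no rule references it (the "Table does not exist" seen earlier);
#  - "pfctl -T add" changes the live table, so no ruleset reload is needed.
# Table name, file paths and the maillog wording are assumptions.

TABLE=spammers
DRY_RUN=${DRY_RUN:-1}   # set DRY_RUN= on the firewall to really call pfctl

# pf.conf lines this script expects to be in place ($ext_if is an assumed macro).
PF_RULES='table <spammers> persist file "/etc/pf/spammers"
block in quick on $ext_if from <spammers> to any'

# relay_denied_ips LOGTEXT: print, once each, the client addresses behind
# "Relay access denied" rejects.  Postfix logs the client as host[ip].
relay_denied_ips() {
    printf '%s\n' "$1" |
        awk '/Relay access denied/ && match($0, /RCPT from [-A-Za-z0-9._]*\[[0-9.]*\]/) {
                 s = substr($0, RSTART, RLENGTH)
                 sub(/.*\[/, "", s); sub(/\]$/, "", s)
                 if (!seen[s]++) print s
             }'
}

# block_ips TABLE FILE IP...: append the addresses to FILE (so a later
# "pfctl -f /etc/pf.conf" rebuilds the table) and add them to the running
# table.  With DRY_RUN set, or without pfctl, it prints the command instead.
block_ips() {
    table=$1 file=$2
    shift 2
    [ $# -gt 0 ] || return 0
    printf '%s\n' "$@" >> "$file"
    if [ -z "$DRY_RUN" ] && command -v pfctl >/dev/null 2>&1; then
        pfctl -t "$table" -T add "$@"
    else
        echo "would run: pfctl -t $table -T add $*"
    fi
}

# Constructed maillog sample (not real traffic); documentation addresses.
SAMPLE_LOG='Dec 17 05:01:02 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 <user@infomagic.com>: Relay access denied; from=<a@example.net> to=<user@infomagic.com> proto=SMTP helo=<x>
Dec 17 05:01:03 mx postfix/smtpd[4711]: disconnect from unknown[203.0.113.5]
Dec 17 05:02:10 mx postfix/smtpd[4712]: NOQUEUE: reject: RCPT from host.example[198.51.100.7]: 554 <other@infomagic.com>: Relay access denied; from=<b@example.org> to=<other@infomagic.com> proto=ESMTP helo=<y>
Dec 17 05:02:11 mx postfix/smtpd[4713]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 <u2@infomagic.com>: Relay access denied; from=<c@example.net> to=<u2@infomagic.com> proto=SMTP helo=<z>
Dec 17 05:03:00 mx postfix/smtpd[4714]: 1A2B3C: client=mail.example.com[192.0.2.9]'

# Demo on the sample; on the mail host you would feed it the real log,
# e.g.  relay_denied_ips "$(tail -n 1000 /var/log/maillog)"
# The unquoted substitution below is deliberate: one argument per address.
tmp=$(mktemp)
block_ips "$TABLE" "$tmp" $(relay_denied_ips "$SAMPLE_LOG")
echo "recorded in $tmp:"; cat "$tmp"; rm -f "$tmp"
```

Run it from cron or from a `tail -F /var/log/maillog` pipeline with `DRY_RUN=` on the firewall; because the table is persistent and `-T add` is idempotent, re-adding an address that is already present is harmless. The same extraction loop works for sshd "Failed password" lines once the awk pattern is changed, which is the ssh-log variant Dave mentions.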
From owner-freebsd-pf@FreeBSD.ORG Fri Dec 17 06:14:47 2004
From: Pyun YongHyeon <yongari@kt-is.co.kr>
To: Ladislav Bodnar
Cc: freebsd-pf@freebsd.org
Date: Fri, 17 Dec 2004 15:14:38 +0900
Subject: Re: Can pf block illegal relay access attempts?
Message-ID: <20041217061437.GA5119@kt-is.co.kr>
In-Reply-To: <200412171356.34608.distro.watch@msa.hinet.net>

On Fri, Dec 17, 2004 at 01:56:34PM +0800, Ladislav Bodnar wrote:
> Hi,
>
> Over the last 7 days my Postfix mail server received almost 80,000 requests
> to relay mail to a third destination. Since it is not an open relay, it
> rejected all these requests, but it is still annoying to see this
> happening. The requests came from varying (almost 20,000 different) IP
> addresses, but they had one thing in common - the destination address was
> always "$some-user-name"@infomagic.com.
>
> Is there a way to prevent these attempts to access the mail server at all? I
> only started using pf recently, so I still have a lot to learn, but I would
> appreciate any advice. Or is pf not the right tool for this?
>

Try spamd in ports/mail.

> Thanks a lot for your help.
-- 
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari@freebsd.org

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 17 16:58:02 2004
From: ChOcO Bn <choco.bn@gmail.com>
To: freebsd-pf@freebsd.org
Date: Fri, 17 Dec 2004 17:58:00 +0100
Subject: problem with table

I'm using FreeBSD 5.3 with pf and ALTQ compiled into the kernel.
I'm trying to fill a table from a file containing some ranges of IPs (according to CIDR norms):

choco ~/ip_guardian# cat guarding.ip | wc -l
46916

and when I try to reload my rules, I can't get it to work:

"cannot define table guardian: Cannot allocate memory"

How could I handle this?

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 17 18:32:45 2004
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org, ChOcO Bn
Date: Fri, 17 Dec 2004 19:33:25 +0100
Subject: Re: problem with table
Message-Id: <200412171933.34934.max@love2party.net>
On Friday 17 December 2004 17:58, ChOcO Bn wrote:
> I'm using FreeBSD 5.3 with pf and ALTQ compiled into the kernel.
> I'm trying to fill a table from a file containing some ranges of IPs
> (according to CIDR norms):
>
> choco ~/ip_guardian# cat guarding.ip | wc -l
> 46916
>
> and when I try to reload my rules, I can't get it to work:
>
> "cannot define table guardian: Cannot allocate memory"
>
> How could I handle this?

What is your maxusers setting? ($ sysctl kern.maxusers) Try to recompile your kernel with a higher value. With a setting of 384 (the automatic maximum) I can allocate up to 60000 table entries:

-pa-r-  spam  Addresses:  60000

-- 
Best regards,
Max Laier

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 17 18:40:01 2004
From: Jon Simola <jsimola@gmail.com>
Reply-To: jon@abccomm.com
To: freebsd-pf@freebsd.org
Date: Fri, 17 Dec 2004 10:40:00 -0800
Subject: Re: problem with table
Message-ID: <8eea0408041217104076562192@mail.gmail.com>

On Fri, 17 Dec 2004 17:58:00 +0100, ChOcO Bn wrote:
> I'm using FreeBSD 5.3 with pf and ALTQ compiled into the kernel.
> I'm trying to fill a table from a file containing some ranges of IPs
> (according to CIDR norms):
>
> choco ~/ip_guardian# cat guarding.ip | wc -l
> 46916
>
> and when I try to reload my rules, I can't get it to work:
>
> "cannot define table guardian: Cannot allocate memory"
>
> How could I handle this?

I'd try various amounts to see how many you can load into a table. I suspect 47 thousand is a bit much; perhaps try multiple smaller tables?
From owner-freebsd-pf@FreeBSD.ORG Sat Dec 18 01:28:08 2004
From: Pyun YongHyeon <yongari@kt-is.co.kr>
To: jon@abccomm.com
Cc: freebsd-pf@freebsd.org
Date: Sat, 18 Dec 2004 10:27:59 +0900
Subject: Re: problem with table
Message-ID: <20041218012759.GA2648@kt-is.co.kr>
In-Reply-To: <8eea0408041217104076562192@mail.gmail.com>

On Fri, Dec 17, 2004 at 10:40:00AM -0800, Jon Simola wrote:
> On Fri, 17 Dec 2004 17:58:00 +0100, ChOcO Bn wrote:
> > I'm using FreeBSD 5.3 with pf and ALTQ compiled into the kernel.
> > I'm trying to fill a table from a file containing some ranges of IPs
> > (according to CIDR norms):
> >
> > choco ~/ip_guardian# cat guarding.ip | wc -l
> > 46916
> >
> > and when I try to reload my rules, I can't get it to work:
> >
> > "cannot define table guardian: Cannot allocate memory"
> >
> > How could I handle this?
>
> I'd try various amounts to see how many you can load into a table. I
> suspect 47 thousand is a bit much; perhaps try multiple smaller
> tables?

During the early days of the pf port, I measured the table's locking overhead within copyin/copyout using the TSC. At that time I used 108000 entries generated by a shell script. AFAIK, the number of entries that can be loaded into a table depends on available kernel memory, and there is no limit if your system has enough memory.

-- 
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari@freebsd.org

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 18 04:49:57 2004
From: sam <sam.wun@authtec.com>
Date: Sat, 18 Dec 2004 12:49:18 +0800
Message-ID: <41C3B6CE.4080704@authtec.com>
Newsgroups: comp.unix.bsd.openbsd.misc,comp.unix.bsd.freebsd.misc
To: freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Subject: Error with sample PF code

Hi,

I found some sample code in the pf man page (just scroll down to the end of the page, you will see it).

After compiling it and giving it a shot, it returned an error:

# pfctl -sn
nat on tun0 inet from 192.168.9.0/24 to any -> (tun0) round-robin
nat on tun0 inet from 192.168.4.0/24 to any -> (tun0) round-robin
nat on tun0 inet from 172.16.0.0/24 to any -> (tun0) round-robin
rdr on tun0 inet proto tcp from any to 1.2.3.4 port = 3000 -> 192.168.4.254 port 25

# ./a.out
./a.out

# ./a.out 192.168.4.254 25 1.2.3.4 3000
a.out: DIOCNATLOOK: No such file or directory

I may have overlooked something.

Your suggestion is highly appreciated.

Thanks
Sam.
From owner-freebsd-pf@FreeBSD.ORG Sat Dec 18 04:57:04 2004
From: Max Laier
Date: Sat, 18 Dec 2004 05:56:53 +0100
Subject: Re: Error with sample PF code

[ Please choose one mailing list, freebsd-pf is appropriate - MOVED ]

On Saturday 18 December 2004 05:49, sam wrote:
> Hi,
>
> I found some sample code in the pf man page (just scroll down to the end
> of the page, you will see it).
>
> After compiling it and giving it a shot, it returned an error:
>
> # pfctl -sn
> nat on tun0 inet from 192.168.9.0/24 to any -> (tun0) round-robin
> nat on tun0 inet from 192.168.4.0/24 to any -> (tun0) round-robin
> nat on tun0 inet from 172.16.0.0/24 to any -> (tun0) round-robin
> rdr on tun0 inet proto tcp from any to 1.2.3.4 port = 3000 ->
> 192.168.4.254 port 25
>
> # ./a.out
> ./a.out
>
> ./a.out 192.168.4.254 25 1.2.3.4 3000
> a.out: DIOCNATLOOK: No such file or directory

That's ENOENT, which simply means that pf was not able to find a state that matches your lookup. You should have an *open* connection to have a state around. Crosscheck with $pfctl -ss

> I may have overlooked something.
>
> Your suggestion is highly appreciated.

--
/"\ Best regards,                     | mlaier@freebsd.org
\ / Max Laier                         | ICQ #67774661
 X  http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign             | Against HTML Mail and News
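The crosscheck Max recommends, as an added example that is not part of the thread: before running the man-page DIOCNATLOOK sample, confirm from `pfctl -ss` that pf actually holds a state for the endpoint you are about to look up, since the ioctl answers ENOENT whenever no state matches. The state lines below are constructed, and their shape (`self proto addr:port <- ... <- ...` for rdr, `addr:port (orig:port) -> ...` for nat) is my assumption about what pfctl printed on FreeBSD 5.x; the parser only needs the `addr:port` tokens, so it tolerates other column layouts.

```shell
#!/bin/sh
# Added example, not from the mailing list: confirm that pf holds a state
# for an endpoint before asking DIOCNATLOOK about it. Assumes POSIX sh and awk.
# The line format below is an assumed rendering of 'pfctl -ss' output; the
# sample states are constructed, not captured from a live system.

# sample_states -> constructed 'pfctl -ss' output: the rdr state for the
#   mail redirect from the thread, one outbound nat state, one plain state
sample_states() {
    cat <<'EOF'
self tcp 192.168.4.254:25 <- 1.2.3.4:3000 <- 203.0.113.7:40012       ESTABLISHED:ESTABLISHED
self tcp 1.2.3.4:61234 (192.168.4.70:1035) -> 198.51.100.20:80       ESTABLISHED:ESTABLISHED
self udp 192.168.4.70:1036 -> 1.2.3.4:53       MULTIPLE:MULTIPLE
EOF
}

# find_state PROTO ADDR PORT  (state lines on stdin)
#   Prints every state whose translated or original endpoint equals
#   ADDR:PORT for PROTO and returns 0; returns 1 when nothing matches,
#   which is exactly the case where DIOCNATLOOK fails with ENOENT.
find_state() {
    proto="$1"; ep="$2:$3"
    awk -v proto="$proto" -v ep="$ep" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                tok = $i
                gsub(/[()]/, "", tok)      # "(192.168.4.70:1035)" -> "192.168.4.70:1035"
                if (tok == ep) { print; found = 1; break }
            }
        }
        END { exit found ? 0 : 1 }'
}

# check_before_lookup PROTO ADDR PORT
#   On a box with pf, consult the live state table; elsewhere fall back to
#   the constructed sample so the check can be exercised offline.
check_before_lookup() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -ss | find_state "$@"
    else
        sample_states | find_state "$@"
    fi
}

# Usage: the redirect target from the thread; a non-zero exit means the
# lookup tool would report "DIOCNATLOOK: No such file or directory".
if check_before_lookup tcp 192.168.4.254 25; then
    echo "state present, DIOCNATLOOK can succeed"
else
    echo "no matching state; open a connection through the rdr rule first"
fi
```

The lookup key has to be the same five-tuple side that the sample program passes to the ioctl, so the check should be run with the translated address and port (here the internal mail host) rather than the public one when testing an rdr rule.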
From owner-freebsd-pf@FreeBSD.ORG Sat Dec 18 05:04:08 2004
From: sam wun
Date: Sat, 18 Dec 2004 13:03:31 +0800
Subject: Add new PF rules from C.

Hi,

Thanks for the suggestion. I used pfctl -ss and found some Established states; the sample code works great.

I would like to write a C program that adds rules to PF based on user-defined anchors and tables. Where can I find more information and guidelines about doing that?

Thanks
Sam

Max Laier wrote:
> That's ENOENT, which simply means that pf was not able to find a state that
> matches your lookup. You should have an *open* connection to have a state
> around. Crosscheck with $pfctl -ss
From owner-freebsd-pf@FreeBSD.ORG Sat Dec 18 07:08:01 2004
From: Claudiu Dragalina-Paraipan
Date: Sat, 18 Dec 2004 09:08:00 +0200
Subject: Re: Add new PF rules from C.

Hi,

actually the pf manual page has all the information you need (ioctls). Eventually you might want to take a look into the pf code.

On Sat, 18 Dec 2004 13:03:31 +0800, sam wun wrote:
> I would like to write a C program that adds rules to PF based on user-defined
> anchors and tables. Where can I find more information and guidelines about
> doing that?

--
Claudiu Dragalina-Paraipan
e-mail: dr.clau@gmail.com
From owner-freebsd-pf@FreeBSD.ORG Sat Dec 18 16:14:55 2004
From: Max Laier
Date: Sat, 18 Dec 2004 17:14:44 +0100
Subject: Re: Add new PF rules from C.

On Saturday 18 December 2004 06:03, sam wun wrote:
> Thanks for the suggestion. I used pfctl -ss and found some Established
> states; the sample code works great.
> I would like to write a C program that adds rules to PF based on user-defined
> anchors and tables. Where can I find more information and guidelines about
> doing that?

Look at pfctl(8) (src/contrib/pf/pfctl/...); it's all in there. The code is quite readable and it should be easy to determine what to hand to the various ioctls. In most cases you don't really need to write your own C code. Most of the time it should be sufficient to exec() pfctl(8) and pipe rules to it. Take a look at the spamd port (mail/spamd), which does just that. You might need fdescfs(5) in order to drop root privs and use the -p option. But that should all be obvious from the spamd code.

--
/"\ Best regards,                     | mlaier@freebsd.org
\ / Max Laier                         | ICQ #67774661
 X  http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign             | Against HTML Mail and News
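The approach Max describes, exec'ing pfctl(8) and feeding it over a pipe instead of driving the ioctls from C, as an added example that is neither the thread's code nor spamd's: one function emits the anchor ruleset and pipes it through `pfctl -a ANCHOR -f -`, another adds addresses to a table with `pfctl -a ANCHOR -t TABLE -T add`. Because everything written to that pipe is parsed as ruleset text, each address is validated as a plain IPv4 address or prefix before it is passed on, which is the check a wrapper like this most needs. The anchor `myapp`, table `badhosts`, interface `rl0` and the addresses are hypothetical; on a machine without pfctl the wrapper prints what it would have executed instead.

```shell
#!/bin/sh
# Added example, not from the thread or from spamd: load pf rules by piping
# them into pfctl(8) rather than issuing the ioctls from C. Assumes POSIX sh
# and awk. The anchor "myapp", table "badhosts" and interface "rl0" are
# hypothetical names chosen for this example.

# valid_addr ADDR -> 0 for a dotted-quad IPv4 address with an optional
#   /prefix (0-32), else 1. Exactly one line is accepted, so an embedded
#   newline (which would smuggle a second rule into the pipe) is rejected.
valid_addr() {
    printf '%s\n' "$1" | awk -F/ '
        NR > 1 { bad = 1; exit }
        NF > 2 { bad = 1; exit }
        NF == 2 && ($2 !~ /^[0-9]+$/ || $2 > 32) { bad = 1; exit }
        {
            n = split($1, o, ".")
            if (n != 4) { bad = 1; exit }
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] > 255) { bad = 1; exit }
            seen = 1
        }
        END { exit (seen && !bad) ? 0 : 1 }'
}

# anchor_rules IFACE TABLE -> ruleset text for the anchor (stdout)
anchor_rules() {
    printf 'table <%s> persist\n' "$2"
    printf 'block in quick on %s from <%s> to any\n' "$1" "$2"
}

# run_pfctl ARGS...: run pfctl when present; otherwise show the command and
#   whatever would have been piped to it, so the script runs without pf.
run_pfctl() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl "$@"
    else
        echo "[dry-run] pfctl $*" >&2
        cat >&2
    fi
}

# load_anchor ANCHOR IFACE TABLE: pipe the ruleset into the anchor
#   (pfctl -f - reads rules from stdin; add -n first to parse without loading)
load_anchor() {
    anchor_rules "$2" "$3" | run_pfctl -a "$1" -f -
}

# block_hosts ANCHOR TABLE ADDR...: validate every address, add the good
#   ones to the table in a single pfctl call, print how many were rejected
block_hosts() {
    anchor="$1"; table="$2"; shift 2
    rejected=0; good=""
    for a in "$@"; do
        if valid_addr "$a"; then
            good="$good $a"
        else
            echo "rejected: $a" >&2
            rejected=$((rejected + 1))
        fi
    done
    # $good is deliberately unquoted: it holds validated addresses only
    [ -n "$good" ] && run_pfctl -a "$anchor" -t "$table" -T add $good </dev/null
    echo "$rejected"
}

# Usage: install the anchor ruleset, then feed it two hosts and one bad string
load_anchor myapp rl0 badhosts
block_hosts myapp badhosts 192.0.2.10 '198.51.100.5; pass all' 203.0.113.0/28
```

Running this as a user that is not root is the point of the fdescfs/-p remark in the thread: the privileged part is only the open descriptor on the pf device that pfctl is handed, while the wrapper that decides what to block can stay unprivileged.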