From owner-freebsd-pf@FreeBSD.ORG Sun Feb 20 18:37:56 2005
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A8B8616A4CF; Sun, 20 Feb 2005 18:37:56 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 79B6A43D48; Sun, 20 Feb 2005 18:37:56 +0000 (GMT) (envelope-from mlaier@FreeBSD.org)
Received: from freefall.freebsd.org (mlaier@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.1/8.13.1) with ESMTP id j1KIbuir070740; Sun, 20 Feb 2005 18:37:56 GMT (envelope-from mlaier@freefall.freebsd.org)
Received: (from mlaier@localhost) by freefall.freebsd.org (8.13.1/8.13.1/Submit) id j1KIbt8L070736; Sun, 20 Feb 2005 18:37:55 GMT (envelope-from mlaier)
Date: Sun, 20 Feb 2005 18:37:55 GMT
From: Max Laier
Message-Id: <200502201837.j1KIbt8L070736@freefall.freebsd.org>
To: harry@schmalzbauer.de, mlaier@FreeBSD.org, pf@FreeBSD.org
Subject: Re: kern/77645: pfctl panics the system when interface renaming is used
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical discussion and general questions about packet filter (pf)
X-List-Received-Date: Sun, 20 Feb 2005 18:37:56 -0000

Synopsis: pfctl panics the system when interface renaming is used

State-Changed-From-To: open->analyzed
State-Changed-By: mlaier
State-Changed-When: Sun Feb 20 18:36:58 GMT 2005
State-Changed-Why:
Patch for HEAD available. Testing requested.

Responsible-Changed-From-To: mlaier->pf
Responsible-Changed-By: mlaier
Responsible-Changed-When: Sun Feb 20 18:36:58 GMT 2005
Responsible-Changed-Why:
Patch for HEAD available. Testing requested.

http://www.freebsd.org/cgi/query-pr.cgi?pr=77645

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 21 11:03:44 2005
Date: Mon, 21 Feb 2005 11:03:43 GMT
Message-Id:
<200502211103.j1LB3hvS035910@freefall.freebsd.org>
From: FreeBSD bugmaster
To: pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2005/02/17] kern/77645  pf     pfctl panics the system when interface r

1 problem total.

Non-critical problems

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 21 17:24:27 2005
Date: Mon, 21 Feb 2005 17:24:26 GMT
From: Max Laier
Message-Id: <200502211724.j1LHOQh4088634@freefall.freebsd.org>
To: harry@schmalzbauer.de, mlaier@FreeBSD.org, pf@FreeBSD.org
Subject: Re: kern/77645: pfctl panics the system when interface renaming is used

Synopsis: pfctl panics the system when interface renaming is used

State-Changed-From-To: analyzed->patched
State-Changed-By: mlaier
State-Changed-When: Mon Feb 21 17:23:42 GMT 2005
State-Changed-Why:
Patch applied to current, MFC in 3 days.

http://www.freebsd.org/cgi/query-pr.cgi?pr=77645

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 21 17:52:05 2005
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Mon, 21 Feb 2005 18:51:49 +0100
Message-Id: <200502211852.01792.max@love2party.net>
Subject: Please test: MPSAFE callouts

All,

Pyun reminded me that we are still using Giant to protect our callouts. We
don't have to since we protect our code in there with our own mutex and the
netstack is Giant-free as well now (provided that mpsafenet is enabled).

If you have testing capabilities, please take the attached diffs for a ride
(on SMP hardware) with debug.mpsafenet=1 and MPSAFE NICs. It'd be great if
we could enable it for 5.4R, but we need proper testing to do so!

NOTE: If you use user/group rules you still need to set debug.mpsafenet=0, but
testing of this scenario is welcome as well.

Thanks in advance for your feedback!
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Content-Type: text/x-diff; charset="us-ascii"; name="callout_mpsafe.RELENG_5.diff"
Content-Disposition: attachment; filename="callout_mpsafe.RELENG_5.diff"

Index: if_pfsync.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/if_pfsync.c,v
retrieving revision 1.11.2.1
diff -u -r1.11.2.1 if_pfsync.c
--- if_pfsync.c	20 Sep 2004 15:25:57 -0000	1.11.2.1
+++ if_pfsync.c	21 Feb 2005 17:39:18 -0000
@@ -196,14 +196,10 @@
 	ifp->if_baudrate = IF_Mbps(100);
 	ifp->if_softc = sc;
 	pfsync_setmtu(sc, MCLBYTES);
-	/*
-	 * XXX
-	 * The 2nd arg. 0 to callout_init(9) shoule be set to CALLOUT_MPSAFE
-	 * if Gaint lock is removed from the network stack.
-	 */
-	callout_init(&sc->sc_tmo, 0);
-	callout_init(&sc->sc_bulk_tmo, 0);
-	callout_init(&sc->sc_bulkfail_tmo, 0);
+	callout_init(&sc->sc_tmo, debug_mpsafenet ? CALLOUT_MPSAFE : 0);
+	callout_init(&sc->sc_bulk_tmo, debug_mpsafenet ? CALLOUT_MPSAFE : 0);
+	callout_init(&sc->sc_bulkfail_tmo,
+	    debug_mpsafenet ? CALLOUT_MPSAFE : 0);
 	if_attach(&sc->sc_if);
 
 	LIST_INSERT_HEAD(&pfsync_list, sc, sc_next);
Index: pf_ioctl.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_ioctl.c,v
retrieving revision 1.12.2.5
diff -u -r1.12.2.5 pf_ioctl.c
--- pf_ioctl.c	21 Jan 2005 19:07:44 -0000	1.12.2.5
+++ pf_ioctl.c	21 Feb 2005 17:38:34 -0000
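Review bot: the removed XXX block in the if_pfsync.c hunk is not replaced by any comment, so the reason the new `debug_mpsafenet ? CALLOUT_MPSAFE : 0` is safe (the pfsync timeout handlers are protected by pf's own mutex rather than Giant, as the cover mail says) and the fact that the flag is sampled once, at attach time, are no longer recorded in the file; a one-line comment above the three `callout_init()` calls would keep that next to the code. The same ternary is written out three times; a local such as `int mpsafe = debug_mpsafenet ? CALLOUT_MPSAFE : 0;` would remove the repetition and let the wrapped `sc_bulkfail_tmo` call fit on one line. The hunk also does not show where `debug_mpsafenet` is declared for if_pfsync.c; please confirm the header exporting it is already included, otherwise the file will not build with this change alone.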
@@ -322,12 +322,7 @@
 	my_timeout[PFTM_FRAG] = 30;		/* Fragment expire */
 	my_timeout[PFTM_INTERVAL] = 10;		/* Expire interval */
 
-	/*
-	 * XXX
-	 * The 2nd arg. 0 to callout_init(9) shoule be set to CALLOUT_MPSAFE
-	 * if Gaint lock is removed from the network stack.
-	 */
-	callout_init(&pf_expire_to, 0);
+	callout_init(&pf_expire_to, debug_mpsafenet ? CALLOUT_MPSAFE : 0);
 	callout_reset(&pf_expire_to, my_timeout[PFTM_INTERVAL] * hz,
 	    pf_purge_timeout, &pf_expire_to);
 

Content-Type: text/x-diff; charset="us-ascii"; name="callout_mpsafe.diff"
Content-Disposition: attachment; filename="callout_mpsafe.diff"

Index: if_pfsync.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/if_pfsync.c,v
retrieving revision 1.14
diff -u -r1.14 if_pfsync.c
--- if_pfsync.c	9 Feb 2005 19:29:13 -0000	1.14
+++ if_pfsync.c	21 Feb 2005 17:43:01 -0000
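Review bot: once `pf_expire_to` is initialised with `CALLOUT_MPSAFE` in the pf_ioctl.c hunk, `pf_purge_timeout` (armed by the `callout_reset()` kept in the context lines below) runs without Giant whenever `debug_mpsafenet` is non-zero, so the handler and everything it reaches must take pf's lock themselves; the hunk does not show the handler, so please confirm that it does. The cover mail also notes that user/group rules still need `debug.mpsafenet=0`; the ternary here falls back to the old Giant-protected behaviour in that case, which deserves a short comment so that a later cleanup does not replace it with an unconditional `CALLOUT_MPSAFE`.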
@@ -197,14 +197,10 @@
 	ifp->if_baudrate = IF_Mbps(100);
 	ifp->if_softc = sc;
 	pfsync_setmtu(sc, MCLBYTES);
-	/*
-	 * XXX
-	 * The 2nd arg. 0 to callout_init(9) shoule be set to CALLOUT_MPSAFE
-	 * if Gaint lock is removed from the network stack.
-	 */
-	callout_init(&sc->sc_tmo, 0);
-	callout_init(&sc->sc_bulk_tmo, 0);
-	callout_init(&sc->sc_bulkfail_tmo, 0);
+	callout_init(&sc->sc_tmo, debug_mpsafenet ? CALLOUT_MPSAFE : 0);
+	callout_init(&sc->sc_bulk_tmo, debug_mpsafenet ? CALLOUT_MPSAFE : 0);
+	callout_init(&sc->sc_bulkfail_tmo,
+	    debug_mpsafenet ? CALLOUT_MPSAFE : 0);
 	if_attach(ifp);
 
 	LIST_INSERT_HEAD(&pfsync_list, sc, sc_next);
Index: pf_ioctl.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_ioctl.c,v
retrieving revision 1.18
diff -u -r1.18 pf_ioctl.c
--- pf_ioctl.c	9 Feb 2005 19:29:13 -0000	1.18
+++ pf_ioctl.c	21 Feb 2005 17:42:33 -0000
@@ -322,12 +322,7 @@
 	my_timeout[PFTM_FRAG] = 30;		/* Fragment expire */
 	my_timeout[PFTM_INTERVAL] = 10;		/* Expire interval */
 
-	/*
-	 * XXX
-	 * The 2nd arg. 0 to callout_init(9) shoule be set to CALLOUT_MPSAFE
-	 * if Gaint lock is removed from the network stack.
-	 */
-	callout_init(&pf_expire_to, 0);
+	callout_init(&pf_expire_to, debug_mpsafenet ? CALLOUT_MPSAFE : 0);
 	callout_reset(&pf_expire_to, my_timeout[PFTM_INTERVAL] * hz,
 	    pf_purge_timeout, &pf_expire_to);
 

Content-Type: application/pgp-signature

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 21 19:02:47 2005
Message-ID: <421A3053.4050904@tirloni.org>
Date: Mon, 21 Feb 2005 16:02:43 -0300
From: "Giovanni P. Tirloni"
To: pf@freebsd.org
Subject: rdr for ftp-proxy doesn't work

Hi,

I've a pf.conf without any filter rules, only this one and nat:

rdr on sk0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021

And ftp-proxy is listening through inetd on that port:

sockstat -4l:
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     inetd      5470  4  tcp4   *:8021                *:*

inetd.conf:
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n

pfctl -s nat -v:
rdr on sk0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
  [ Evaluations: 28723     Packets: 2         Bytes: 96          States: 1     ]

uname:
FreeBSD 5.3-STABLE #0: Fri Feb 18 07:24:35 BRST 2005

When I run tcpdump on sk0 (internal interface) I see the host trying to
connect to port 21 (syn) but no packets go to the loopback interface or
any other place.

If I remove the rdr rule the client connects and authenticates but is
unable to start an active connection, of course.

Any idea about what is causing this? Strange enough I've the same set of
rules on another 6 machines and it works. The

Thanks in advance,

-- 
Giovanni P.
Tirloni

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 22 02:59:37 2005
Message-ID: <421AA011.3020208@tirloni.org>
Date: Mon, 21 Feb 2005 23:59:29 -0300
From: "Giovanni P. Tirloni"
To: Nick Buraglio
cc: pf@freebsd.org
References: <421A3053.4050904@tirloni.org>
Subject: Re: rdr for ftp-proxy doesn't work

Nick Buraglio wrote:
> Try adding:
>
> pass in from any to any
> pass out from any to any
>
> to the rules section. I believe you have to tell it to actually handle
> the traffic.

I tried that but it didn't help. Then I tried changing 127.0.0.1 to
another external IP that I knew had an ftp server running: all packets
were redirected and I could login.

There seems to be something locking the redirection to 127.0.0.1 and/or
the internal interface address.

-- 
Giovanni P.
Tirloni

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 22 03:29:46 2005
Message-ID: <421AA724.4030807@tirloni.org>
Date: Tue, 22 Feb 2005 00:29:40 -0300
From: "Giovanni P. Tirloni"
To: pf@freebsd.org
References: <421A3053.4050904@tirloni.org> <421AA011.3020208@tirloni.org>
In-Reply-To: <421AA011.3020208@tirloni.org>
Subject: Re: rdr for ftp-proxy doesn't work

Giovanni P. Tirloni wrote:
> Nick Buraglio wrote:
>
>> Try adding:
>>
>> pass in from any to any
>> pass out from any to any
>>
>> to the rules section. I believe you have to tell it to actually
>> handle the traffic.
>
>
> I tried that but it didn't help. Then I tried changing 127.0.0.1 to
> another external IP that I knew had an ftp server running: all packets
> were redirected and I could login.
>
> There seems to be something locking the redirection to 127.0.0.1 and/or
> the internal interface address.

My temporary fix was to use ipfw and ports/ftp/frox but I'd like to
help to investigate this situation. I've tried to enable transparent ftp
proxy with pf and ftp-proxy on another 5.3-STABLE and it didn't work
either. No packet gets redirected to loopback but it redirects for anything
outside.

-- 
Giovanni P.
Tirloni

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 22 07:03:58 2005
Date: Tue, 22 Feb 2005 08:03:55 +0100
From: Hexren
Message-ID: <1761371051.20050222080355@hexren.net>
To: "Giovanni P. Tirloni"
cc: pf@freebsd.org
In-Reply-To: <421AA724.4030807@tirloni.org>
References: <421A3053.4050904@tirloni.org> <421AA011.3020208@tirloni.org> <421AA724.4030807@tirloni.org>
Subject: Re[2]: rdr for ftp-proxy doesn't work

GPT> Giovanni P. Tirloni wrote:
>> Nick Buraglio wrote:
>>
>>> Try adding:
>>>
>>> pass in from any to any
>>> pass out from any to any
>>>
>>> to the rules section. I believe you have to tell it to actually
>>> handle the traffic.
>>
>>
>> I tried that but it didn't help. Then I tried changing 127.0.0.1 to
>> another external IP that I knew had an ftp server running: all packets
>> were redirected and I could login.
>>
>> There seems to be something locking the redirection to 127.0.0.1 and/or
>> the internal interface address.

GPT> My temporary fix was to use ipfw and ports/ftp/frox but I'd like to
GPT> help to investigate this situation. I've tried to enable transparent ftp
GPT> proxy with pf and ftp-proxy on another 5.3-STABLE and it didn't work
GPT> either. No packet gets redirected to loopback but it redirects for anything
GPT> outside.

GPT> -- 
GPT> Giovanni P.
GPT> Tirloni
GPT> _______________________________________________
GPT> freebsd-pf@freebsd.org mailing list
GPT> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
GPT> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

---------------------------------------------

I would guess that it would be wiser to use not the loopback address but a
"normal" address of the proxy you want to use in the redirection.

Only a guess.

Hexren

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 22 12:50:02 2005
Date: Tue, 22 Feb 2005 15:49:42 +0300
From: Odhiambo Washington
To: pf@FreeBSD.org
Message-ID: <20050222124942.GG52536@ns2.wananchi.com>
Subject: Stumped with pf.conf

I am a newbie to PF, running on FreeBSD 5.3-STABLE.
I would like some critique of the following pf.conf, which I am using,
but which appears to have a loophole! Someone is accessing my port
8080, which I am thinking I have only opened to 62.8.64.0/19.

I must be missing something critical!

#freebsd nat/firewall box
ext_if="vr0"   # replace with actual external interface name i.e., dc0
int_if="fxp0"  # replace with actual internal interface name i.e., dc1
tcp_services = "{ 21, 22, 25, 53, 80, 110, 443, 465, 995, 8020, 8180 }"
icmp_types = "{ 8, 11 }"
internal_net="192.168.50.0/24"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

## OPTIONS - network settings
# use 'return' instead of 'drop' if you wish to return responses to connection
# attempts, 'drop' is the same as the 'blackhole' sysctl option
set timeout { frag 15, interval 5 }
set limit { frags 2500, states 5000 }
set optimization aggressive
set block-policy return
set loginterface $ext_if

scrub in all

#rdr

# nat
nat on $ext_if from $internal_net to any -> ($ext_if)

# Filtering: The good stuff.
block in on $ext_if all

# stuff to block but not log because it's irritating
block in quick on $ext_if proto {tcp, udp} from any to any port {67, 68}
block in quick on $ext_if proto {tcp, udp} from any port {67, 68} to any

# because these should never appear on a public internet interface
block in quick on $ext_if from $priv_nets to any
block out quick on $ext_if from any to $priv_nets

block in log quick on $ext_if inet proto tcp from any to any flags S/SAFR

# loopback stuff is good!
pass in quick on lo0 all

# allow our services
pass in on $ext_if inet proto tcp from any to any port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from 62.8.64.0/19 to any flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $int_if from $internal_net to any keep state
pass out on $int_if from any to $internal_net keep state

#pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state


-Wash

http://www.netmeister.org/news/learn2quote.html
-- 
+======================================================================+
    |\      _,,,---,,_     | Odhiambo Washington
Zzz /,`.-'`'    -.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_)     | GSM: +254 722 743223   +254 733 744121
+======================================================================+
Arbitrary systems, pl.n.:
        Systems about which nothing general can be said, save
        "nothing general can be said."
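To see which of the rules above pf would apply to a given packet, here is an added example (not from the thread or from pf itself) that models pf's evaluation order in Python: the last matching rule decides, except that a matching `quick` rule ends evaluation at once, and a packet no rule matches is passed. It models only the first packet of a connection (no state table, scrub, nat/rdr or `icmp-type` matching); 203.0.113.5 and 62.8.70.1 are constructed sample addresses, while 62.8.64.13:8080 is the service named in the thread.

```python
"""pf filter-rule evaluation modelled over the pf.conf posted above: the last
matching rule decides unless a matching rule is 'quick'.  Added example for
this thread, not pf code; first packet only (no state, scrub, nat, icmp-type)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

EXT_IF, INT_IF = "vr0", "fxp0"     # $ext_if and $int_if from the posted pf.conf
TCP_SERVICES = {21, 22, 25, 53, 80, 110, 443, 465, 995, 8020, 8180}
PRIV_NETS = ["127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
INTERNAL_NET = ["192.168.50.0/24"]

@dataclass
class Packet:
    direction: str      # "in" or "out", relative to the interface
    ifname: str
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""     # TCP flags that are set, e.g. "S" or "SA"

def in_nets(addr, nets):
    a = ip_address(addr)
    return any(a in ip_network(n) for n in nets)

def flags_match(spec, set_flags):
    """pf 'flags S/SAFR': of the flags in the mask after the slash, exactly
    those before the slash must be set and the others must be clear."""
    want, mask = spec.split("/")
    return all((f in set_flags) == (f in want) for f in mask)

@dataclass
class Rule:
    action: str                       # "block" or "pass"
    direction: Optional[str] = None   # None: either direction
    ifname: Optional[str] = None      # None: any interface
    quick: bool = False
    log: bool = False
    proto: Optional[set] = None
    src: Optional[list] = None        # CIDR list; None: "any"
    dst: Optional[list] = None
    sport: Optional[set] = None
    dport: Optional[set] = None
    flags: Optional[str] = None       # pf "set/mask" syntax, e.g. "S/SAFR"
    text: str = ""                    # the rule as written in pf.conf

    def matches(self, p: Packet) -> bool:
        return all([
            not self.direction or self.direction == p.direction,
            not self.ifname or self.ifname == p.ifname,
            not self.proto or p.proto in self.proto,
            not self.src or in_nets(p.src, self.src),
            not self.dst or in_nets(p.dst, self.dst),
            not self.sport or p.sport in self.sport,
            not self.dport or p.dport in self.dport,
            not self.flags or (p.proto == "tcp" and flags_match(self.flags, p.flags)),
        ])

R = Rule
RULES = [  # the filter section of the posted pf.conf, in order
    R("block", "in", EXT_IF, text="block in on $ext_if all"),
    R("block", "in", EXT_IF, quick=True, proto={"tcp", "udp"}, dport={67, 68}, text="block in quick on $ext_if proto {tcp, udp} from any to any port {67, 68}"),
    R("block", "in", EXT_IF, quick=True, proto={"tcp", "udp"}, sport={67, 68}, text="block in quick on $ext_if proto {tcp, udp} from any port {67, 68} to any"),
    R("block", "in", EXT_IF, quick=True, src=PRIV_NETS, text="block in quick on $ext_if from $priv_nets to any"),
    R("block", "out", EXT_IF, quick=True, dst=PRIV_NETS, text="block out quick on $ext_if from any to $priv_nets"),
    R("block", "in", EXT_IF, quick=True, log=True, proto={"tcp"}, flags="S/SAFR", text="block in log quick on $ext_if inet proto tcp from any to any flags S/SAFR"),
    R("pass", "in", "lo0", quick=True, text="pass in quick on lo0 all"),
    R("pass", "in", EXT_IF, proto={"tcp"}, dport=TCP_SERVICES, flags="S/SA", text="pass in on $ext_if inet proto tcp from any to any port $tcp_services flags S/SA keep state"),
    R("pass", "in", EXT_IF, proto={"tcp"}, src=["62.8.64.0/19"], flags="S/SA", text="pass in on $ext_if inet proto tcp from 62.8.64.0/19 to any flags S/SA keep state"),
    R("pass", "in", proto={"icmp"}, text="pass in inet proto icmp all icmp-type $icmp_types keep state"),
    R("pass", "in", INT_IF, src=INTERNAL_NET, text="pass in on $int_if from $internal_net to any keep state"),
    R("pass", "out", INT_IF, dst=INTERNAL_NET, text="pass out on $int_if from any to $internal_net keep state"),
    R("pass", "out", EXT_IF, proto={"udp", "icmp"}, text="pass out on $ext_if proto { udp, icmp } all keep state"),
]

def evaluate(packet, rules=RULES):
    """Return (action, rule text, logged).  Last match wins, a matching
    'quick' rule ends evaluation at once, and with no match pf passes."""
    winner = None
    for r in rules:
        if r.matches(packet):
            winner = r
            if r.quick:
                break
    if winner is None:
        return ("pass", "<no rule matched: default pass>", False)
    return (winner.action, winner.text, winner.log)

if __name__ == "__main__":
    # Constructed traffic: 203.0.113.5 is an outside host, 62.8.70.1 lies inside
    # 62.8.64.0/19; 62.8.64.13:8080 is the service named in the thread.
    for p in (Packet("in", EXT_IF, "tcp", "203.0.113.5", "62.8.64.13", 40000, 8080, "S"),
              Packet("in", EXT_IF, "tcp", "62.8.70.1", "62.8.64.13", 40000, 8080, "S"),
              Packet("in", EXT_IF, "tcp", "203.0.113.5", "62.8.64.13", 40000, 8080, "SA"),
              Packet("in", INT_IF, "tcp", "192.168.50.10", "203.0.113.5", 40000, 8080, "S")):
        print(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} flags={p.flags or '-'} on {p.ifname}: {evaluate(p)}")
```

Every inbound SYN on vr0, including one from inside 62.8.64.0/19 to port 8080, ends at the `block in log quick ... flags S/SAFR` rule: of the flags S, A, F and R it requires only S to be set, which describes every ordinary connection request, and `quick` stops evaluation before any pass rule is reached. A connection that nevertheless arrives at port 8080 is therefore not being filtered by this ruleset as loaded.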
From owner-freebsd-pf@FreeBSD.ORG Tue Feb 22 13:27:50 2005
Message-ID: <421B334F.8080008@raxion.net>
Date: Tue, 22 Feb 2005 13:27:43 +0000
From: Kay Abendroth
To: pf@FreeBSD.org
References: <20050222124942.GG52536@ns2.wananchi.com>
In-Reply-To: <20050222124942.GG52536@ns2.wananchi.com>
Subject: Re: Stumped with pf.conf

Odhiambo Washington wrote:
> I am a newbie to PF, running on FreeBSD 5.3-STABLE.
> I would like some critique of the following pf.conf, which I am using,
> but which appears to have a loophole! Someone is accessing my port
> 8080, which I am thinking I have only opened to 62.8.64.0/19.
[...]

How do you know some are accessing?
The only thing you actually log is the traffic blocked by this rule:

block in log quick on $ext_if inet proto tcp from any to any flags S/SAFR

Kay

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 22 14:12:57 2005
Date: Tue, 22 Feb 2005 16:58:04 +0300
From: Odhiambo Washington
To: pf@FreeBSD.org
Message-ID: <20050222135804.GL52536@ns2.wananchi.com>
References: <20050222124942.GG52536@ns2.wananchi.com> <421B334F.8080008@raxion.net>
In-Reply-To: <421B334F.8080008@raxion.net>
Subject: Re: Stumped with pf.conf

* Kay Abendroth [20050222 16:28]: wrote:
> Odhiambo Washington wrote:
> >I am a newbie to PF, running on FreeBSD 5.3-STABLE.
> >I would like some critique of the following pf.conf, which I am using,
> >but which appears to have a loophole! Someone is accessing my port
> >8080, which I am thinking I have only opened to 62.8.64.0/19.
> [...]
>
>
> How do you know some are accessing? The only thing you actually log is
> the traffic blocked by this rule:
>
> block in log quick on $ext_if inet proto tcp from any to any flags S/SAFR

Hi Kay,

I have an application running on port 8080 of this box. That
application logs the IPs of machines accessing it, and I can see a
foreign IP accessing that service.

What I meant to say is that "the filter is NOT working as expected by
blocking access to disallowed hosts".
If you'd like to test accessing the box on that port, go ahead and
set your proxy settings to 62.8.64.13:8080 and try going to badboys.com

-Wash

http://www.netmeister.org/news/learn2quote.html
-- 
+======================================================================+
    |\      _,,,---,,_     | Odhiambo Washington
Zzz /,`.-'`'    -.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_)     | GSM: +254 722 743223   +254 733 744121
+======================================================================+
"Do not meddle in the affairs of wizards, for you are crunchy and good with
ketchup."

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 22 16:29:36 2005
Date: Tue, 22 Feb 2005 17:29:33 +0100
From: Hexren
To: Odhiambo Washington
cc: pf@FreeBSD.org
Message-ID: <1242093159.20050222172933@hexren.net>
In-Reply-To: <20050222135804.GL52536@ns2.wananchi.com>
Subject: Re[2]: Stumped with pf.conf

OW> * Kay Abendroth [20050222 16:28]: wrote:
>> Odhiambo Washington wrote:
>> > I am a newbie to PF, running on FreeBSD 5.3-STABLE.
>> > I would like some critique of the following pf.conf, which I am using,
>> > but which appears to have a loophole! Some folks are accessing my port
>> > 8080, which I am thinking I have only opened to 62.8.64.0/19.
>> [...]
>>
>> How do you know some are accessing? The only thing you actually log is
>> the traffic blocked by this rule:
>>
>> block in log quick on $ext_if inet proto tcp from any to any flags S/SAFR

OW> Hi Kay,

OW> I have an application running on port 8080 of this box. That
OW> application logs the IPs of machines accessing it, and I can see a
OW> foreign IP accessing that service.

OW> What I meant to say is that "the filter is NOT working as expected by
OW> blocking access to disallowed hosts".

OW> If you'd like to test accessing the box on that port, go ahead and
OW> set your proxy settings to 62.8.64.13:8080 and try going to badboys.com

---------------------------------------------

Looking over it I can't see any obvious mistakes.
Have you enabled pf (e.g. done "pfctl -e")?
And can you provide the output of "pfctl -sr"?
A good way to narrow your problem down would be to log all rules that
pass and see which one lets outside connections in.

Hexren

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 22 16:40:25 2005
Date: Tue, 22 Feb 2005 19:40:00 +0300
From: Odhiambo Washington
To: pf@FreeBSD.org
Message-ID: <20050222164000.GA35111@ns2.wananchi.com>
In-Reply-To: <1242093159.20050222172933@hexren.net>
Subject: Re: Stumped with pf.conf

* Hexren [20050222 19:30]: wrote:
> OW> * Kay Abendroth [20050222 16:28]: wrote:
> >> Odhiambo Washington wrote:
> >> > I am a newbie to PF, running on FreeBSD 5.3-STABLE.
> >> > I would like some critique of the following pf.conf, which I am using,
> >> > but which appears to have a loophole! Some folks are accessing my port
> >> > 8080, which I am thinking I have only opened to 62.8.64.0/19.
> >> [...]
> >>
> >> How do you know some are accessing? The only thing you actually log is
> >> the traffic blocked by this rule:
> >>
> >> block in log quick on $ext_if inet proto tcp from any to any flags S/SAFR
>
> OW> Hi Kay,
>
> OW> I have an application running on port 8080 of this box. That
> OW> application logs the IPs of machines accessing it, and I can see a
> OW> foreign IP accessing that service.
>
> OW> What I meant to say is that "the filter is NOT working as expected by
> OW> blocking access to disallowed hosts".
>
> OW> If you'd like to test accessing the box on that port, go ahead and
> OW> set your proxy settings to 62.8.64.13:8080 and try going to badboys.com
>
> ---------------------------------------------
>
> Looking over it I can't see any obvious mistakes.
> Have you enabled pf (e.g. done "pfctl -e")?

Yes!

> And can you provide the output of "pfctl -sr"?

Gives no output.

> A good way to narrow your problem down would be to log all rules that
> pass and see which one lets outside connections in.

I am gonna try that!

Best regards,
Odhiambo Washington
Systems Admin, Wananchi Online Ltd.

Are you hosting your domain name with the leaders??: See
http://webhosting.info/webhosts/tophosts/Country/KE
DISCLAIMER : http://ns2.wananchi.com/~wash/Email/disclaimer.txt
----------------------------------+-----------------------------------------
Odhiambo WASHINGTON               . WANANCHI ONLINE LTD (Nairobi, KE)
http://www.wananchi.com/email/    . 1ere Etage, Loita Hse, Loita St.,
Mobile: (+254) 722 743 223        . # 10286, 00100 NAIROBI
----------------------------------+-----------------------------------------
Money doesn't buy happiness! - Pepe Kalle (Ya Mpanya)

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 22 16:45:47 2005
Date: Tue, 22 Feb 2005 17:45:45 +0100
From: Hexren
To: Odhiambo Washington
cc: pf@FreeBSD.org
Message-ID: <73064646.20050222174545@hexren.net>
In-Reply-To: <20050222164000.GA35111@ns2.wananchi.com>
Subject: Re[2]: Stumped with pf.conf

OW> * Hexren [20050222 19:30]: wrote:
>> OW> * Kay Abendroth [20050222 16:28]: wrote:
>> >> Odhiambo Washington wrote:
>> >> > I am a newbie to PF, running on FreeBSD 5.3-STABLE.
>> >> > I would like some critique of the following pf.conf, which I am using,
>> >> > but which appears to have a loophole! Some folks are accessing my port
>> >> > 8080, which I am thinking I have only opened to 62.8.64.0/19.
>> >> [...]
>> >>
>> >> How do you know some are accessing? The only thing you actually log is
>> >> the traffic blocked by this rule:
>> >>
>> >> block in log quick on $ext_if inet proto tcp from any to any flags S/SAFR
>>
>> OW> Hi Kay,
>>
>> OW> I have an application running on port 8080 of this box. That
>> OW> application logs the IPs of machines accessing it, and I can see a
>> OW> foreign IP accessing that service.
>>
>> OW> What I meant to say is that "the filter is NOT working as expected by
>> OW> blocking access to disallowed hosts".
>>
>> OW> If you'd like to test accessing the box on that port, go ahead and
>> OW> set your proxy settings to 62.8.64.13:8080 and try going to badboys.com
>>
>> ---------------------------------------------
>>
>> Looking over it I can't see any obvious mistakes.
>> Have you enabled pf (e.g. done "pfctl -e")?

OW> Yes!

>> And can you provide the output of "pfctl -sr"?

OW> Gives no output.

>> A good way to narrow your problem down would be to log all rules that
>> pass and see which one lets outside connections in.

OW> I am gonna try that!

---------------------------------------------

Then please show "pfctl -sa".
"pfctl -sr" should output all active rules. Having no output implies
that you have no rules, imho. Please describe the procedure you used to
install your ruleset into pf.

Regards
Hexren

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 22 16:53:39 2005
Date: Tue, 22 Feb 2005 16:53:32 +0000
From: Kay Abendroth
To: pf@FreeBSD.org
Message-ID: <421B638C.4020009@raxion.net>
In-Reply-To: <20050222135804.GL52536@ns2.wananchi.com>
Subject: Re: Stumped with pf.conf

Hello,

Odhiambo Washington wrote:
[...]
> What I meant to say is that "the filter is NOT working as expected by
> blocking access to disallowed hosts".

If so, it isn't working. Did you enable PF? Do you have this line in
/etc/rc.conf or /etc/rc.conf.local?

pf_enable="YES"

As you have a nat rule in your pf.conf, this shouldn't work either if pf
isn't enabled!

> If you'd like to test accessing the box on that port, go ahead and
> set your proxy settings to 62.8.64.13:8080 and try going to badboys.com

Works for me (I get a customized error page)!
Kay

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 22 16:55:29 2005
Date: Tue, 22 Feb 2005 19:52:21 +0300
From: Odhiambo Washington
To: pf@FreeBSD.org
Message-ID: <20050222165221.GC35111@ns2.wananchi.com>
In-Reply-To: <73064646.20050222174545@hexren.net>
Subject: Re: Stumped with pf.conf

* Hexren [20050222 19:46]: wrote:
> OW> * Hexren [20050222 19:30]: wrote:
> >> OW> * Kay Abendroth [20050222 16:28]: wrote:
> >> >> Odhiambo Washington wrote:
> >> >> > I am a newbie to PF, running on FreeBSD 5.3-STABLE.
> >> >> > I would like some critique of the following pf.conf, which I am using,
> >> >> > but which appears to have a loophole! Some folks are accessing my port
> >> >> > 8080, which I am thinking I have only opened to 62.8.64.0/19.
> >> >> [...]
> >> >>
> >> >> How do you know some are accessing? The only thing you actually log is
> >> >> the traffic blocked by this rule:
> >> >>
> >> >> block in log quick on $ext_if inet proto tcp from any to any flags S/SAFR
> >>
> >> OW> Hi Kay,
> >>
> >> OW> I have an application running on port 8080 of this box. That
> >> OW> application logs the IPs of machines accessing it, and I can see a
> >> OW> foreign IP accessing that service.
> >>
> >> OW> What I meant to say is that "the filter is NOT working as expected by
> >> OW> blocking access to disallowed hosts".
> >>
> >> OW> If you'd like to test accessing the box on that port, go ahead and
> >> OW> set your proxy settings to 62.8.64.13:8080 and try going to badboys.com
> >>
> >> ---------------------------------------------
> >>
> >> Looking over it I can't see any obvious mistakes.
> >> Have you enabled pf (e.g. done "pfctl -e")?
>
> OW> Yes!
>
> >> And can you provide the output of "pfctl -sr"?
>
> OW> Gives no output.
>
> >> A good way to narrow your problem down would be to log all rules that
> >> pass and see which one lets outside connections in.
>
> OW> I am gonna try that!
>
> ---------------------------------------------
>
> Then please show "pfctl -sa"

FILTER RULES:
INFO:
Status: Enabled for 0 days 00:08:31           Debug: Urgent
Hostid: 0x13453171

State Table                        Total             Rate
  current entries                      0
  searches                        105399          206.3/s
  inserts                              0            0.0/s
  removals                             0            0.0/s
Counters
  match                           105399          206.3/s
  bad-offset                           0            0.0/s
  fragment                             0            0.0/s
  short                                0            0.0/s
  normalize                            0            0.0/s
  memory                               0            0.0/s

TIMEOUTS:
  tcp.first                  120s
  tcp.opening                 30s
  tcp.established          86400s
  tcp.closing                900s
  tcp.finwait                 45s
  tcp.closed                  90s
  udp.first                   60s
  udp.single                  30s
  udp.multiple                60s
  icmp.first                  20s
  icmp.error                  10s
  other.first                 60s
  other.single                30s
  other.multiple              60s
  frag                        30s
  interval                    10s
  adaptive.start                0 states
  adaptive.end                  0 states
  src.track                    0s

LIMITS:
  states        hard limit  10000
  src-nodes     hard limit      0
  frags         hard limit   5000

> "pfctl -sr" should output all active rules. Having no output implies
> that you have no rules, imho. Please describe the procedure you
> used to install your ruleset into pf.

I created the file, /etc/pf.conf, checked it to be sure that at least
I was understanding what I have written, then I did:

pfctl -e

Isn't that the way? ;)

Best regards,
Odhiambo Washington
Systems Admin, Wananchi Online Ltd.
Are you hosting your domain name with the leaders??: See
http://webhosting.info/webhosts/tophosts/Country/KE
DISCLAIMER : http://ns2.wananchi.com/~wash/Email/disclaimer.txt
----------------------------------+-----------------------------------------
Odhiambo WASHINGTON               . WANANCHI ONLINE LTD (Nairobi, KE)
http://www.wananchi.com/email/    . 1ere Etage, Loita Hse, Loita St.,
Mobile: (+254) 722 743 223        . # 10286, 00100 NAIROBI
----------------------------------+-----------------------------------------
Money doesn't buy happiness! - Pepe Kalle (Ya Mpanya)

Seen in a post on a mailing list:
> The message you sent breaks RFC1521. It has this line:
> Content-Type: text/html; charset:ISO-8859-1
> But according to 7.1 of the RFC there should be an '=' sign after charset,
> not ':'.
Yes. We must ask all spammers and virus authors to kindly send their stuff
in an RFC-compliant way. Because our systems go down and they lose their
$$$$ business.
--Petr

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 22 17:04:05 2005
Date: Tue, 22 Feb 2005 18:04:02 +0100
From: Hexren
To: Odhiambo Washington
cc: pf@FreeBSD.org
Message-ID: <764162355.20050222180402@hexren.net>
In-Reply-To: <20050222165221.GC35111@ns2.wananchi.com>
Subject: Re[2]: Stumped with pf.conf

OW> * Hexren [20050222 19:46]: wrote:
>> OW> * Hexren [20050222 19:30]: wrote:
>> >> OW> * Kay Abendroth [20050222 16:28]: wrote:
>> >> >> Odhiambo Washington wrote:
>> >> >> > I am a newbie to PF, running on FreeBSD 5.3-STABLE.
>> >> >> > I would like some critique of the following pf.conf, which I am using,
>> >> >> > but which appears to have a loophole! Some folks are accessing my port
>> >> >> > 8080, which I am thinking I have only opened to 62.8.64.0/19.
>> >> >> [...]
>> >> >>
>> >> >> How do you know some are accessing? The only thing you actually log is
>> >> >> the traffic blocked by this rule:
>> >> >>
>> >> >> block in log quick on $ext_if inet proto tcp from any to any flags S/SAFR
>> >>
>> >> OW> Hi Kay,
>> >>
>> >> OW> I have an application running on port 8080 of this box. That
>> >> OW> application logs the IPs of machines accessing it, and I can see a
>> >> OW> foreign IP accessing that service.
>> >>
>> >> OW> What I meant to say is that "the filter is NOT working as expected by
>> >> OW> blocking access to disallowed hosts".
>> >>
>> >> OW> If you'd like to test accessing the box on that port, go ahead and
>> >> OW> set your proxy settings to 62.8.64.13:8080 and try going to badboys.com
>> >>
>> >> ---------------------------------------------
>> >>
>> >> Looking over it I can't see any obvious mistakes.
>> >> Have you enabled pf (e.g. done "pfctl -e")?
>>
>> OW> Yes!
>>
>> >> And can you provide the output of "pfctl -sr"?
>>
>> OW> Gives no output.
>>
>> >> A good way to narrow your problem down would be to log all rules that
>> >> pass and see which one lets outside connections in.
>>
>> OW> I am gonna try that!
>>
>> ---------------------------------------------
>>
>> Then please show "pfctl -sa"

OW> FILTER RULES:
OW> INFO:
OW> Status: Enabled for 0 days 00:08:31           Debug: Urgent
OW> Hostid: 0x13453171
OW>
OW> State Table                        Total             Rate
OW>   current entries                      0
OW>   searches                        105399          206.3/s
OW>   inserts                              0            0.0/s
OW>   removals                             0            0.0/s
OW> Counters
OW>   match                           105399          206.3/s
OW>   bad-offset                           0            0.0/s
OW>   fragment                             0            0.0/s
OW>   short                                0            0.0/s
OW>   normalize                            0            0.0/s
OW>   memory                               0            0.0/s
OW>
OW> TIMEOUTS:
OW>   tcp.first                  120s
OW>   tcp.opening                 30s
OW>   tcp.established          86400s
OW>   tcp.closing                900s
OW>   tcp.finwait                 45s
OW>   tcp.closed                  90s
OW>   udp.first                   60s
OW>   udp.single                  30s
OW>   udp.multiple                60s
OW>   icmp.first                  20s
OW>   icmp.error                  10s
OW>   other.first                 60s
OW>   other.single                30s
OW>   other.multiple              60s
OW>   frag                        30s
OW>   interval                    10s
OW>   adaptive.start                0 states
OW>   adaptive.end                  0 states
OW>   src.track                    0s
OW>
OW> LIMITS:
OW>   states        hard limit  10000
OW>   src-nodes     hard limit      0
OW>   frags         hard limit   5000

>> "pfctl -sr" should output all active rules. Having no output implies
>> that you have no rules, imho. Please describe the procedure you
>> used to install your ruleset into pf.

OW> I created the file, /etc/pf.conf, checked it to be sure that at least
OW> I was understanding what I have written, then I did:

OW> pfctl -e

OW> Isn't that the way?
OW> ;)

---------------------------------------------

Indeed it is not ;)
Try "pfctl -f /etc/pf.conf"; that should load the configuration from
/etc/pf.conf.
Have you read the pf man pages? You should :)

Hexren

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 22 17:07:50 2005
Date: Tue, 22 Feb 2005 17:07:49 +0000
From: Kay Abendroth
To: pf@FreeBSD.org
Message-ID: <421B66E5.7020402@raxion.net>
In-Reply-To: <20050222165221.GC35111@ns2.wananchi.com>
Subject: Re: Stumped with pf.conf

Odhiambo Washington wrote:
[...]
> I created the file, /etc/pf.conf, checked it to be sure that at least
> I was understanding what I have written, then I did:
>
> pfctl -e
>
> Isn't that the way? ;)

;-)) No. That means, not exactly. "Note that this just enables or disables
PF, it doesn't actually load a ruleset. The ruleset must be loaded
separately, either before or after PF is enabled."
(from http://www.openbsd.org/faq/pf/config.html)

Try 'pfctl -e -f /etc/pf.conf' instead!
Or to just flush and reload: 'pfctl -F all -f /etc/pf.conf'.
Kay

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 23 15:31:14 2005
Date: Wed, 23 Feb 2005 09:31:11 -0600
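The failure mode the thread above converged on, pf enabled with "pfctl -e" but no ruleset ever loaded with "pfctl -f", leaves pf passing every packet, and it can be detected mechanically from pfctl output. The script below is an added example by the editor, not code from any poster; it assumes pfctl(8) output in the layout quoted above, and the sample rule text and interface name fxp0 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): detect "pf enabled but no ruleset
# loaded", the state in which pf passes everything by default.
# Assumes pfctl(8) output formatted as in the thread (FreeBSD 5.x).

# "pfctl -si" text as posted in the thread (constructed sample).
SAMPLE_INFO='Status: Enabled for 0 days 00:08:31           Debug: Urgent
Hostid: 0x13453171

State Table                        Total             Rate
  current entries                      0
  searches                        105399          206.3/s
  inserts                              0            0.0/s
  removals                             0            0.0/s
Counters
  match                           105399          206.3/s'

# "pfctl -sr" text for an empty ruleset (what the poster saw) and for a
# loaded one (constructed; interface fxp0 is assumed).
SAMPLE_RULES_EMPTY=''
SAMPLE_RULES_LOADED='block drop in log quick on fxp0 inet proto tcp from any to any flags S/SAFR
pass in quick on fxp0 inet proto tcp from 62.8.64.0/19 to any port = 8080 flags S/SA keep state'

# pf_is_enabled INFO_TEXT: succeed if the "pfctl -si" text says pf is enabled.
pf_is_enabled() {
    printf '%s\n' "$1" | grep -q 'Status: Enabled'
}

# pf_rule_count RULES_TEXT: number of non-blank lines in "pfctl -sr" output
# ("|| true" because grep -c exits 1 when the count is zero).
pf_rule_count() {
    printf '%s\n' "$1" | grep -vc '^[[:space:]]*$' || true
}

# pf_counter INFO_TEXT NAME: value column of a state-table line, e.g. "inserts".
pf_counter() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# pf_diagnose INFO_TEXT RULES_TEXT
# returns 0: enabled with rules; 1: enabled but empty ruleset; 2: pf disabled.
pf_diagnose() {
    info=$1
    rules=$2
    if ! pf_is_enabled "$info"; then
        echo "pf is disabled: enable it and load rules with 'pfctl -e -f /etc/pf.conf'"
        return 2
    fi
    n=$(pf_rule_count "$rules")
    if [ "$n" -eq 0 ]; then
        searches=$(pf_counter "$info" searches)
        inserts=$(pf_counter "$info" inserts)
        echo "pf is enabled but has no filter rules: every packet is passed by default."
        # Zero state inserts against many searches is the tell-tale: no
        # 'keep state' rule ever matched because there are no rules at all.
        echo "(state searches: ${searches:-?}, inserts: ${inserts:-?})"
        echo "Load the ruleset with 'pfctl -f /etc/pf.conf', then re-check 'pfctl -sr'."
        return 1
    fi
    echo "pf is enabled with $n filter rule(s) loaded."
    return 0
}

# On a real FreeBSD box, run the check against the live firewall.
if command -v pfctl >/dev/null 2>&1; then
    pf_diagnose "$(pfctl -si 2>/dev/null)" "$(pfctl -sr 2>/dev/null)"
fi
```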
From: Jason Hunt
cc: pf@freebsd.org
In-Reply-To: <421B66E5.7020402@raxion.net>
Subject: pf Transparent Proxy Return

Greetings,

Pretty new to pf, but was wondering how it would be possible to redirect
traffic to a specific site back to port 80 instead of going through 3128.

Using iptables, it is pretty much like so:

$IPTABLES -t nat -I PREROUTING -p tcp --dport 80 -d x.x.x.x/32 -j RETURN

Also in iptables, I could exclude a specific IP from even going through
the proxy:

$IPTABLES -t nat -I PREROUTING -p tcp -s 192.168.x.x --dport 80 -j RETURN

I'm sure this can be done through pf, but was wondering what exactly the
rule would be.

Are there any good books out on pf? Or does one believe the man pages
from online are good enough to get a good understanding?

Thanks for the help.

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 23 16:34:03 2005
From: "Lawrence Farr"
To: "'Jason Hunt'"
Date: Wed, 23 Feb 2005 16:34:02 -0000
Message-Id: <20050223163402.03A6667824@gunfright.epcdirect.co.uk>
Subject: RE: pf Transparent Proxy Return

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org
> [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Jason Hunt
> Sent: 23 February 2005 15:31
> To: freebsd-pf@freebsd.org
> Cc: pf@freebsd.org
> Subject: pf Transparent Proxy Return
>
> Greetings,
>
> Pretty new to pf, but was wondering how it would be possible
> to redirect traffic to a specific site back to port 80 instead of
> going through 3128.
>
> Using iptables, it is pretty much like so:
>
> $IPTABLES -t nat -I PREROUTING -p tcp --dport 80 -d x.x.x.x/32 -j RETURN
>

Hi Jason,

I think you mean like this:

rdr on $int_if proto tcp from to ! port www -> $http_proxy port 3128

where are the hosts that you want redirected, are the destinations you
don't want proxied.

Hope this helps

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 24 15:20:16 2005
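As an added example by the editor (not from Lawrence's or Jason's posts), the script below generates pf counterparts for both iptables "-j RETURN" exceptions Jason asked about, using "no rdr" rules ahead of the catch-all rdr, checks their order, and parses them with "pfctl -n" where pfctl exists. The interface em1, proxy address 127.0.0.1, the table names and the addresses inside the tables are assumed values.

```shell
#!/bin/sh
# Added example (not from the thread): pf equivalents of the two iptables
# "-j RETURN" exceptions for a transparent proxy, generated and dry-run checked.
# Assumed: interface em1, proxy on 127.0.0.1:3128, table names and addresses.

# proxy_rules INT_IF PROXY_ADDR: print a pf.conf fragment that redirects HTTP
# to the proxy except for listed client hosts and listed destination sites.
proxy_rules() {
    int_if=$1
    proxy=$2
    cat <<EOF
int_if = "$int_if"
http_proxy = "$proxy"

# Constructed addresses: clients that bypass the proxy, sites fetched directly.
table <no_proxy_src> { 192.168.1.50 }
table <no_proxy_dst> { 203.0.113.10 }

# Translation rules are first-match, so the "no rdr" exceptions must come
# before the catch-all rdr (the same role as iptables "-j RETURN").
no rdr on \$int_if proto tcp from <no_proxy_src> to any port www
no rdr on \$int_if proto tcp from any to <no_proxy_dst> port www
rdr on \$int_if proto tcp from any to any port www -> \$http_proxy port 3128
EOF
}

# rules_order_ok RULES_TEXT: succeed only if every "no rdr" precedes the
# first "rdr"; an exception placed after the catch-all never matches.
rules_order_ok() {
    printf '%s\n' "$1" | awk '
        /^no rdr/ { if (seen_rdr) bad = 1 }
        /^rdr /   { seen_rdr = 1 }
        END       { exit bad ? 1 : 0 }'
}

# rules_syntax_ok RULES_TEXT: parse-only check with "pfctl -n" (loads nothing).
# Succeeds vacuously where pfctl is absent so the example stays portable.
rules_syntax_ok() {
    command -v pfctl >/dev/null 2>&1 || return 0
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    pfctl -nf "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

rules=$(proxy_rules em1 127.0.0.1)
rules_order_ok "$rules" && rules_syntax_ok "$rules" && printf '%s\n' "$rules"
```

Once the fragment parses, it goes into /etc/pf.conf and is loaded with "pfctl -f /etc/pf.conf", since "pfctl -n" only parses.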
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Thu, 24 Feb 2005 16:20:03 +0100
Message-Id: <200502241620.08861.max@love2party.net>
Subject: FYI: [Fwd: CARP in 5.4-RELEASE]

JIC you are not monitoring cvs-all or freebsd-stable: Big "thank you" to
Glebius for taking this, while I am busy with my exams!

----------  Forwarded Message  ----------

Subject: CARP in 5.4-RELEASE
Date: Thursday 24 February 2005 14:13
From: Gleb Smirnoff
To: stable@freebsd.org

Dear colleagues,

I'm glad to announce CARP support already committed to HEAD. The porting
job has been done by Max Laier, and I'm going to maintain CARP in the
nearest future, because I use it at my day job. We will do our best to
ship 5.4-RELEASE with CARP.

Long time ago Max has extended struct ifnet before RELENG_5 branching.
With this far-seeing change we can now MFC without ABI breakage. Patches
for RELENG_5, that are going to be committed soon, are available here:

http://people.freebsd.org/~glebius/totest/carp-RELENG_5-patch

If you are interested in CARP, or if you are going to use it in the near
future, then do not hesitate, download the patch and try it out! Before
asking any questions, pls consult the man page. It is already in the
patch. If you still have questions, I'd be glad to help you.

--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE

-------------------------------------------------------

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Fri Feb 25 16:34:11 2005
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Fri, 25 Feb 2005 17:33:49 +0100
In-Reply-To: <200502211852.01792.max@love2party.net>
Message-Id: <200502251734.08309.max@love2party.net>
Subject: Re: Please test: MPSAFE callouts

On Monday 21 February 2005 18:51, Max Laier wrote:
> All,
>
> Pyun reminded me that we are still using Giant to protect our callouts. We
> don't have to since we protect our code in there with our own mutex and the
> netstack is Giant-free as well now (provided that mpsafenet is enabled).
>
> If you have testing capabilities, please take the attached diffs for a ride
> (on SMP hardware) with debug.mpsafenet=1 and MPSAFE NICs. It'd be great if
> we could enable it for 5.4R, but we need proper testing to do so!
>
> NOTE: If you use user/group rules you still need to set debug.mpsafenet=0,
> but testing of this scenario is welcome as well.
>
> Thanks in advance for your feedback!

Has anyone even cared enough to compile this? C'mon it's not that hard and we
really need some feedback!
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sat Feb 26 10:17:51 2005
Date: Fri, 25 Feb 2005 19:41:57 +0300
From: Odhiambo Washington
To: freebsd-pf@freebsd.org
Message-ID: <20050225164156.GC43437@ns2.wananchi.com>
In-Reply-To: <200502251734.08309.max@love2party.net>
Subject: Re: Please test: MPSAFE callouts

* Max Laier [20050225 19:34]: wrote:
> On Monday 21 February 2005 18:51, Max Laier wrote:
> > All,
> >
> > Pyun reminded me that we are still using Giant to protect our callouts. We
> > don't have to since we protect our code in there with our own mutex and the
> > netstack is Giant-free as well now (provided that mpsafenet is enabled).
> >
> > If you have testing capabilities, please take the attached diffs for a ride
> > (on SMP hardware) with debug.mpsafenet=1 and MPSAFE NICs. It'd be great if
> > we could enable it for 5.4R, but we need proper testing to do so!
> >
> > NOTE: If you use user/group rules you still need to set debug.mpsafenet=0,
> > but testing of this scenario is welcome as well.
> >
> > Thanks in advance for your feedback!
>
> Has anyone even cared enough to compile this? C'mon it's not that hard and we
> really need some feedback!
I don't have SMP hardware, otherwise I could have tried ;)

-Wash

http://www.netmeister.org/news/learn2quote.html

--
+======================================================================+
|\     _,,,---,,_        | Odhiambo Washington
Zzz /,`.-'`'    -.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
|,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9   +254 20 313922
'---''(_/--'  `-'\_)    | GSM: +254 722 743223    +254 733 744121
+======================================================================+

WARNING TO ALL PERSONNEL: Firings will continue until morale improves.

From owner-freebsd-pf@FreeBSD.ORG Sat Feb 26 11:23:04 2005
Date: Sat, 26 Feb 2005 12:22:59 +0100
From: Hexren
To: Odhiambo Washington
Cc: freebsd-pf@freebsd.org
Message-ID: <72456382.20050226122259@hexren.net>
In-Reply-To: <20050225164156.GC43437@ns2.wananchi.com>
Subject: Re[2]: Please test: MPSAFE callouts

OW> * Max Laier [20050225 19:34]: wrote:
>> On Monday 21 February 2005 18:51, Max Laier wrote:
>> > All,
>> >
>> > Pyun reminded me that we are still using Giant to protect our callouts. We
>> > don't have to since we protect our code in there with our own mutex and the
>> > netstack is Giant-free as well now (provided that mpsafenet is enabled).
>> >
>> > If you have testing capabilities, please take the attached diffs for a ride
>> > (on SMP hardware) with debug.mpsafenet=1 and MPSAFE NICs. It'd be great if
>> > we could enable it for 5.4R, but we need proper testing to do so!
>> >
>> > NOTE: If you use user/group rules you still need to set debug.mpsafenet=0,
>> > but testing of this scenario is welcome as well.
>> >
>> > Thanks in advance for your feedback!
>>
>> Has anyone even cared enough to compile this? C'mon it's not that hard and we
>> really need some feedback!
OW> I don't have SMP hardware, otherwise I could have tried ;)

---------------------------------------------

For showing that I actually read what is posted here ;)

Me too :(

From owner-freebsd-pf@FreeBSD.ORG Sat Feb 26 12:06:25 2005
Message-ID: <19990265.1109419580583.JavaMail.root@www1.ufanet.ru>
Date: Sat, 26 Feb 2005 17:06:20 +0500 (YEKT)
From: cybermart@ufanet.ru
To: freebsd-pf@freebsd.org
Subject: pfsync isn't up after startup

hi all,

I have pfsync compiled as a device into the kernel. After a regular system
load, ifconfig shows device pfsync0 is not UP, though

ifconfig pfsync0 up

does the job. Is that my system's oddity or do I miss something?

thanks
vlad

From owner-freebsd-pf@FreeBSD.ORG Sat Feb 26 13:35:29 2005
From: Max Laier
To: freebsd-pf@freebsd.org
Cc: cybermart@ufanet.ru
Date: Sat, 26 Feb 2005 14:35:18 +0100
In-Reply-To: <19990265.1109419580583.JavaMail.root@www1.ufanet.ru>
Message-Id: <200502261435.26718.max@love2party.net>
Subject: Re: pfsync isn't up after startup

On Saturday 26 February 2005 13:06, cybermart@ufanet.ru wrote:
> hi all,
> I have pfsync compiled as a device into the kernel. After a regular system
> load, ifconfig shows device pfsync0 is not UP, though
> ifconfig pfsync0 up
> does the job. Is that my system's oddity or do I miss something?
Just put something like:

ifconfig_pfsync0="up syncif sis2"

in /etc/rc.conf

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sat Feb 26 14:41:32 2005
Message-ID: <8b6eae960502260641730eac9@mail.gmail.com>
Date: Sat, 26 Feb 2005 09:41:31 -0500
From: Edwin Brown
To: Max Laier, freebsd-pf@freebsd.org
In-Reply-To: <200502251734.08309.max@love2party.net>
Subject: Re: Please test: MPSAFE callouts

I've compiled and been running it on a hyperthreaded box for two days along
with the carp patches posted to Stable. I've put it through some basic tests.
Nothing interesting. Today's the big testing day. I'll post anything exciting
or not to the list.

Best Regards,
Edwin

On Fri, 25 Feb 2005 17:33:49 +0100, Max Laier wrote:
> On Monday 21 February 2005 18:51, Max Laier wrote:
> > All,
> >
> > Pyun reminded me that we are still using Giant to protect our callouts. We
> > don't have to since we protect our code in there with our own mutex and the
> > netstack is Giant-free as well now (provided that mpsafenet is enabled).
> >
> > If you have testing capabilities, please take the attached diffs for a ride
> > (on SMP hardware) with debug.mpsafenet=1 and MPSAFE NICs. It'd be great if
> > we could enable it for 5.4R, but we need proper testing to do so!
> >
> > NOTE: If you use user/group rules you still need to set debug.mpsafenet=0,
> > but testing of this scenario is welcome as well.
> >
> > Thanks in advance for your feedback!
>
> Has anyone even cared enough to compile this? C'mon it's not that hard and we
> really need some feedback!
>
> --
> /"\  Best regards,                      | mlaier@freebsd.org
> \ /  Max Laier                          | ICQ #67774661
>  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
> / \  ASCII Ribbon Campaign              | Against HTML Mail and News
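A follow-up to the "pfsync isn't up after startup" answer in this digest, added here and not code from the thread: a POSIX sh check that pfsync0 actually came up bound to the syncif named in the rc.conf line. The ifconfig samples are constructed to resemble FreeBSD 5.x output, and sis2 is the thread's example NIC.

```shell
#!/bin/sh
# Added example (not from the thread): check that pfsync0 came up the way the
# rc.conf answer intends: UP, and bound to the syncif named in rc.conf.
# The ifconfig samples below are constructed to resemble FreeBSD 5.x output;
# on a real host feed in the output of `ifconfig pfsync0` instead.

# The rc.conf line from the thread; "sis2" is the thread's example carrier NIC.
RC_CONF_LINE='ifconfig_pfsync0="up syncif sis2"'

# Print the syncif named in an ifconfig_pfsync0 rc.conf value (empty if none).
rc_syncif() {
    printf '%s\n' "$1" | sed -n 's/.*syncif \([A-Za-z0-9]*\).*/\1/p'
}

# Succeed when the ifconfig text shows the UP flag on pfsync0.
ifconfig_is_up() {
    printf '%s\n' "$1" | grep -q '^pfsync0: flags=[0-9a-fx]*<[^>]*UP'
}

# Print the syncif reported by ifconfig (empty when none is configured).
ifconfig_syncif() {
    printf '%s\n' "$1" | sed -n 's/.*syncif: \([A-Za-z0-9]*\).*/\1/p'
}

# 0 = UP and syncif matches rc.conf; 1 = not UP (the symptom reported in the
# thread); 2 = UP but bound to a different syncif than rc.conf names.
pfsync_state_ok() {
    rc_line=$1
    ifc=$2
    ifconfig_is_up "$ifc" || return 1
    [ "$(ifconfig_syncif "$ifc")" = "$(rc_syncif "$rc_line")" ] || return 2
    return 0
}

# Constructed samples: before the rc.conf line exists (down, no syncif),
# after it takes effect, and a misconfiguration bound to the wrong NIC.
DOWN_OUTPUT='pfsync0: flags=0<> mtu 1348
        pfsync: maxupd: 128'
UP_OUTPUT='pfsync0: flags=41<UP,RUNNING> mtu 1348
        pfsync: syncif: sis2 maxupd: 128'
WRONG_SYNCIF_OUTPUT='pfsync0: flags=41<UP,RUNNING> mtu 1348
        pfsync: syncif: em0 maxupd: 128'

for sample in "$DOWN_OUTPUT" "$UP_OUTPUT" "$WRONG_SYNCIF_OUTPUT"; do
    rc=0
    pfsync_state_ok "$RC_CONF_LINE" "$sample" || rc=$?
    echo "state check returned $rc for: $(printf '%s\n' "$sample" | head -n 1)"
done
```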