From owner-freebsd-pf@FreeBSD.ORG Sun May 22 14:27:32 2005
From: Hexren
Date: Sun, 22 May 2005 16:27:27 +0200
To: dave
Cc: freebsd-pf@freebsd.org
Subject: Re: two questions: ssh and synproxy

> Hello,
> Running pf on a 5.3 box and all is working, almost. I have a requirement
> that if a connection is made from one host it will be directed to a
> different machine, all other connections go somewhere else. For example
> host1 makes an ssh connection and gets machine1, all other ssh connecting
> hosts get machine2. I've tried various rdr rules and pass rules, but all
> machines including host1 are getting machine2.
> Thanks.
> Dave.

---------------------------------------------

rdr pass on $ext_if proto tcp from $host1_ip to any port { 22 } -> $machine1_ip

(all in one line of course :)

should do the trick, imho. Can you show the things that you've tried that didn't do it?

Kind regards
Hexren

From owner-freebsd-pf@FreeBSD.ORG Mon May 23 06:12:19 2005
From: RdBSD
Date: Mon, 23 May 2005 13:12:18 +0700
To: freebsd-pf@freebsd.org
Subject: Simetric Upload Download Bandwidth pf+altq

Dear all,

I want to ask about something that is strange to me. I have FreeBSD 5.4-STABLE with pf+altq compiled into the kernel. I am trying to use altq for bandwidth shaping. The script is:

altq on $internet_if bandwidth 64Kb cbq queue { gateway, internet }
queue gateway priority 1 bandwidth 64Kb cbq( ecn default )
queue internet priority 2 bandwidth 64Kb cbq( ecn ) { standard, pri_3, pri_6, pri_7 }
queue standard priority 5 cbq( ecn borrow )
queue pri_3 bandwidth 64Kb priority 3 cbq( ecn ) { http, smtp, ssh_data, ftp, pop3 }
queue smtp cbq( ecn )
queue ssh_data cbq( ecn )
queue ftp cbq( ecn )
queue pop3 cbq( ecn )
queue pri_6 bandwidth 64Kb priority 4 cbq( ecn )
queue http cbq( ecn )
queue pri_7 priority 7 cbq( ecn borrow ) { im, ssh_login, domain }
queue im cbq( ecn )
queue ssh_login cbq( ecn )
queue domain cbq( ecn )

pass on $internet_if proto tcp from any port { ftp, 49999><55001 } queue ftp $tcp_options
pass on $internet_if proto tcp to any port { ftp, 49999><55001 } queue ftp $tcp_options

But when I try to upload my files, my speed meter shows 416Kbps. It's different with the download speed: that is 64Kbps, and I think this speed is correct.

My question is why it's different between upload and download in pf+altq.

Rgds,

From owner-freebsd-pf@FreeBSD.ORG Tue May 24 13:10:22 2005
From: Rozen
Date: Tue, 24 May 2005 15:06:41 +0200
To: freebsd-pf@freebsd.org
Subject: Altq & authpf

I have some little questions.

* Can altq & authpf function together? And altq in authpf.rules?
* How can we make some graphs of the bandwidth used by each protocol or port? Do you have some example, please? I haven't found the solution in a week!!
* Is it possible to analyze traffic per authenticated user?

Thanks in advance for answers.
Bastien R

From owner-freebsd-pf@FreeBSD.ORG Wed May 25 01:14:43 2005
From: RdBSD
Date: Wed, 25 May 2005 08:14:42 +0700
To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
Subject: Simetric Upload Download Bandwidth pf+altq

(Resend of the message of Mon, 23 May 2005 above, with the same text.)

Rgds,
Rino

From owner-freebsd-pf@FreeBSD.ORG Wed May 25 04:46:11 2005
From: Bill Marquette
Date: Tue, 24 May 2005 23:46:10 -0500
To: freebsd-pf@freebsd.org
Subject: ALTQ last match queing?

Hi,

I'm trying to have pf do what's essentially a queue assignment in one rule and a final pass/keep state in a second rule. The man page for FreeBSD 6 (and OpenBSD 3.7) reads like it should work the same as tags: the rule a packet hits that has a queue is the last queue the packet gets. "During the filtering component of pf.conf, the last referenced queue name is where any packets from pass rules will be queued". To me this reads that the following rule set will assign an outbound SSH to the qHighUp and qHighDown queues (depending on which interface it traverses). In reality it doesn't work (and I sorta understand why - I guess after reading the man page it read like it worked like tags).

altq on { dc0, dc1 } cbq bandwidth 200Mb queue { q_up, q_down, lan2lan }
queue q_up priority 7 bandwidth 384Kb cbq { qHighUp, qHatedUp }
queue q_down priority 7 bandwidth 384Kb cbq { qHighDown, qHatedDown }
queue lan2lan priority 1 bandwidth 190Mb cbq (default) { qdefault }
queue qHighUp priority 5 bandwidth 256Kb cbq( borrow )
queue qHatedUp priority 3 bandwidth 64Kb cbq( red ecn borrow )
queue qHighDown priority 4 bandwidth 256Kb cbq ( red ecn borrow )
queue qHatedDown priority 2 bandwidth 64Kb cbq ( red ecn borrow )
queue qdefault priority 0 cbq ( red ecn )

pass in on dc0 proto tcp from any to any port = 22 flags S/SA keep state queue qHighPriDown
pass out on dc1 proto tcp from any to any port = 22 flags S/SA keep state queue qHighPriUp
block in all
pass in quick on dc0 proto tcp from any to any port = 22 flags S/SA keep state
pass out quick on dc1 proto tcp from any to any port = 22 flags S/SA keep state

In the above rule set the ssh hits the lan2lan queue - not intended.
If I use quicks on the first two ssh rules the traffic does indeed hit the right queue, but this won't work for what I'm trying to do (split rule management between traffic shaping and security policy).

The following does work, but will give me some interesting design challenges (such as creating filter rules with tag/queue mismatches :))

pass in on dc0 proto tcp from any to any port = ssh flags S/SA keep state tag sshdown
pass out on dc1 proto tcp from any to any port = ssh flags S/SA keep state tag sshup
block all
pass in quick on dc0 proto tcp from any to any port = ssh flags S/SA keep state queue qHighDown tagged sshdown
pass out quick on dc1 proto tcp from any to any port = ssh flags S/SA keep state queue qHighUp tagged sshup

Any thoughts? I haven't looked at code, so I'm not sure how the queue persists (or doesn't) with a packet.

Thanks
--Bill

From owner-freebsd-pf@FreeBSD.ORG Thu May 26 13:18:33 2005
From: Yar Tikhiy
Date: Thu, 26 May 2005 17:18:24 +0400
To: freebsd-pf@freebsd.org
Subject: Rapid state loss problem seems fixed in PF 3.7

Hi there,

Some time ago I complained here that in my environment state entries would expire too fast when pfsync was active. I've just upgraded my production routers to FreeBSD 5.4-STABLE + PF 3.7 and I can no longer observe the problem; pfsync is working like a charm now.

Many thanks to Max Laier for his great work at keeping PF up-to-date in FreeBSD!

-- 
Yar

From owner-freebsd-pf@FreeBSD.ORG Thu May 26 21:13:25 2005
From: "Edwin L. Culp"
Date: Thu, 26 May 2005 16:13:15 -0500
To: pf@freebsd.org
Subject: problem with dns on all and squid on some.

I am trying to learn to use pf. I basically took this from a home office example and made some modifications. That is probably the problem ;)

I have installed this on three different servers and the only change from one to another is the int_if and ext_if values. The three servers are primary and secondary DNS for each other, and when all are running this configuration there is no DNS resolution. That is the first problem.

The second problem is that the redirect for squid initially worked for all three servers but now only works for one. The other two give an error in the squid.log with

1117043675.879 5 192.168.1.2 TCP_DENIED/400 1807 GET error:pf-open-failed - NONE/- text/html [] [HTTP/1.0 400 Bad Request\r\nServer: squid/2.5.STABLE10\r\nMime-Version: 1.0\r\nDate: Wed, 25 May 2005 17:54:35 GMT\r\nContent-Type: text/html\r\nContent-Length: 1509\r\nExpires: Wed, 25 May 2005 17:54:35 GMT\r\nX-Squid-Error: ERR_INVALID_REQ 0\r\n\r]

The squid configurations are more or less identical also.

The following is my pf.conf file.

# macros
int_if = "rl1"
ext_if = "rl0"
tcp_services = "{ 22, 25, 53, 80, 110, 113, 123, 143, 389 }"
icmp_types = "echoreq"
priv_nets = "{ 0.0.0.0/8, 20.20.20.0/24, 169.254.0.0/16, 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 224.0.0.0/3 }"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
# rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# filter rules
block all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

Thanks in advance for any and all suggestions. Hopefully, I'll learn something ;) and have a better firewall for it.

Thanks,
ed

From owner-freebsd-pf@FreeBSD.ORG Thu May 26 21:17:33 2005
From: Jon Simola
Date: Thu, 26 May 2005 14:17:32 -0700
To: "Edwin L. Culp"
Cc: pf@freebsd.org
Subject: Re: problem with dns on all and squid on some.

On 5/26/05, Edwin L. Culp wrote:
> this configuration there is no dns resolution. The first problem.

> tcp_services = "{ 22, 25, 53, 80, 110, 113, 123, 143, 389 }"

> block all
> pass in on $ext_if inet proto tcp from any to ($ext_if) port
> $tcp_services flags S/SA keep state

DNS is UDP port 53, which you've blocked.

-- 
Jon Simola
Systems Administrator
ABC Communications

From owner-freebsd-pf@FreeBSD.ORG Thu May 26 21:20:29 2005
From: "Simon L. Nielsen"
Date: Thu, 26 May 2005 23:20:27 +0200
To: jon@abccomm.com
Cc: pf@freebsd.org
Subject: Re: problem with dns on all and squid on some.

On 2005.05.26 14:17:32 -0700, Jon Simola wrote:
> On 5/26/05, Edwin L. Culp wrote:
>
> > this configuration there is no dns resolution. The first problem.
>
> > tcp_services = "{ 22, 25, 53, 80, 110, 113, 123, 143, 389 }"
>
> > block all
> > pass in on $ext_if inet proto tcp from any to ($ext_if) port
> > $tcp_services flags S/SA keep state
>
> DNS is UDP port 53, which you've blocked.

Well, more accurately... it's TCP and UDP, both port 53, though it uses UDP most of the time.

-- 
Simon L. Nielsen

From owner-freebsd-pf@FreeBSD.ORG Thu May 26 21:42:10 2005
From: "Edwin L. Culp"
Date: Thu, 26 May 2005 16:42:06 -0500
To: pf@freebsd.org
Subject: Re: problem with dns on all and squid on some.

Quoting Jon Simola:

> On 5/26/05, Edwin L. Culp wrote:
>
>> this configuration there is no dns resolution. The first problem.
>
>> tcp_services = "{ 22, 25, 53, 80, 110, 113, 123, 143, 389 }"
>
>> block all
>> pass in on $ext_if inet proto tcp from any to ($ext_if) port
>> $tcp_services flags S/SA keep state
>
> DNS is UDP port 53, which you've blocked.

Thanks, Jon. I thought it would work with either, but I added a udp line before the tcp line:

pass in on $ext_if inet proto udp from any to ($ext_if) port 53 keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

and it works. Hmmmm......, I wonder if there is something else that I need to add to udp?

Thanks,
ed

From owner-freebsd-pf@FreeBSD.ORG Thu May 26 21:44:17 2005
From: "Edwin L. Culp"
Date: Thu, 26 May 2005 16:44:14 -0500
To: pf@freebsd.org
Subject: Re: problem with dns on all and squid on some.

Quoting "Simon L. Nielsen":

> On 2005.05.26 14:17:32 -0700, Jon Simola wrote:
>> On 5/26/05, Edwin L. Culp wrote:
>>
>> > this configuration there is no dns resolution. The first problem.
>>
>> > tcp_services = "{ 22, 25, 53, 80, 110, 113, 123, 143, 389 }"
>>
>> > block all
>> > pass in on $ext_if inet proto tcp from any to ($ext_if) port
>> > $tcp_services flags S/SA keep state
>>
>> DNS is UDP port 53, which you've blocked.
>
> Well, more accurately... it's TCP and UDP, both port 53, though it
> uses UDP most of the time.

Thanks, Simon. I thought it would use TCP, but I guess not, because adding udp to port 53 seems to have fixed it.

Thanks again to you both,
ed
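An added example, not code from the list or from pf itself: the Python model below replays Bill Marquette's two rulesets (queue on a non-quick rule versus tag plus "tagged" quick rule) and the inbound part of Edwin Culp's pf.conf before and after the UDP port 53 rule, under the filter evaluation semantics pf.conf(5) documents: the last matching rule wins unless a matching rule is "quick", tags are sticky across matching rules, and the queue is taken from the winning rule only. Rules are reduced to direction, interface, protocol and destination port; for Bill's first ruleset the queue names qHighDown and qHighUp are assumed, matching his altq definitions.

```python
# Model of pf filter-rule evaluation (added example, not pf's own code):
#   - the LAST matching rule wins, unless a matching rule says "quick";
#   - tags are sticky: every matching rule carrying "tag" sets the tag,
#     even when a later rule ends up being the winner;
#   - the queue comes from the winning rule only; a winning pass rule with
#     no queue sends the packet to the altq default queue.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Rule:
    action: str                              # "pass" or "block"
    direction: Optional[str] = None          # "in", "out", or None for any
    iface: Optional[str] = None              # interface name, None for any
    proto: Optional[str] = None              # "tcp", "udp", None for any
    ports: Optional[FrozenSet[int]] = None   # destination ports, None for any
    quick: bool = False
    queue: Optional[str] = None              # queue assigned when this rule wins
    tag: Optional[str] = None                # tag applied whenever this rule matches
    tagged: Optional[str] = None             # matches only packets carrying this tag


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    port: int


def evaluate(rules: List[Rule], pkt: Packet,
             default_queue: Optional[str] = None) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (action, queue, tag) for pkt under the semantics modelled above."""
    winner = None
    tag = None
    for r in rules:
        if r.direction and r.direction != pkt.direction:
            continue
        if r.iface and r.iface != pkt.iface:
            continue
        if r.proto and r.proto != pkt.proto:
            continue
        if r.ports is not None and pkt.port not in r.ports:
            continue
        if r.tagged and r.tagged != tag:
            continue
        if r.tag:
            tag = r.tag          # sticky: set even if this rule does not win
        winner = r
        if r.quick:
            break                # quick: evaluation stops at this rule
    if winner is None or winner.action == "block":
        return ("block", None, tag)
    return ("pass", winner.queue or default_queue, tag)


SSH = frozenset({22})


def bills_queue_ruleset() -> List[Rule]:
    """Bill's first attempt: queue on a non-quick rule, pass on a later quick rule
    (queue names assumed to be the altq queues qHighDown/qHighUp)."""
    return [
        Rule("pass", "in", "dc0", "tcp", SSH, queue="qHighDown"),
        Rule("pass", "out", "dc1", "tcp", SSH, queue="qHighUp"),
        Rule("block", "in"),
        Rule("pass", "in", "dc0", "tcp", SSH, quick=True),
        Rule("pass", "out", "dc1", "tcp", SSH, quick=True),
    ]


def bills_tagged_ruleset() -> List[Rule]:
    """Bill's working variant: tag in the first rule, queue on the 'tagged' quick rule."""
    return [
        Rule("pass", "in", "dc0", "tcp", SSH, tag="sshdown"),
        Rule("pass", "out", "dc1", "tcp", SSH, tag="sshup"),
        Rule("block"),
        Rule("pass", "in", "dc0", "tcp", SSH, quick=True, queue="qHighDown", tagged="sshdown"),
        Rule("pass", "out", "dc1", "tcp", SSH, quick=True, queue="qHighUp", tagged="sshup"),
    ]


TCP_SERVICES = frozenset({22, 25, 53, 80, 110, 113, 123, 143, 389})


def edwins_inbound_ruleset(with_udp_dns: bool) -> List[Rule]:
    """Inbound rules of Edwin's pf.conf on ext_if rl0, before/after the UDP 53 fix."""
    rules = [Rule("block")]
    if with_udp_dns:
        rules.append(Rule("pass", "in", "rl0", "udp", frozenset({53})))
    rules.append(Rule("pass", "in", "rl0", "tcp", TCP_SERVICES))
    return rules


if __name__ == "__main__":
    ssh_in, ssh_out = Packet("in", "dc0", "tcp", 22), Packet("out", "dc1", "tcp", 22)
    print("queue-then-pass:", evaluate(bills_queue_ruleset(), ssh_in, "lan2lan"))
    print("tag-then-queue: ", evaluate(bills_tagged_ruleset(), ssh_in, "lan2lan"),
          evaluate(bills_tagged_ruleset(), ssh_out, "lan2lan"))
    dns_query = Packet("in", "rl0", "udp", 53)      # constructed sample packet
    print("UDP 53 before:", evaluate(edwins_inbound_ruleset(False), dns_query))
    print("UDP 53 after: ", evaluate(edwins_inbound_ruleset(True), dns_query))
```

In the first ruleset the quick pass rule wins and carries no queue, so the SSH session lands in the default queue lan2lan; in the tagged variant the sticky tag survives to the quick rule, which carries the queue.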