From owner-freebsd-pf@FreeBSD.ORG Mon May 30 23:25:55 2005 Return-Path: X-Original-To: pf@freebsd.org Delivered-To: freebsd-pf@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 861A016A41C; Mon, 30 May 2005 23:25:55 +0000 (GMT) (envelope-from thompsa@fud.org.nz) Received: from heff.fud.org.nz (60-234-149-201.bitstream.orcon.net.nz [60.234.149.201]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2781043D1D; Mon, 30 May 2005 23:25:55 +0000 (GMT) (envelope-from thompsa@fud.org.nz) Received: from thompsa by heff.fud.org.nz with local (Exim 4.50 (FreeBSD)) id 1Dctdq-0002GV-4T; Tue, 31 May 2005 11:25:54 +1200 Date: Tue, 31 May 2005 11:25:54 +1200 From: Andrew Thompson To: net@freebsd.org Message-ID: <20050530232554.GA8674@heff.fud.org.nz> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.2.1i Sender: Andrew Thompson Cc: pf@freebsd.org, hackers@freebsd.org Subject: RFC: if_bridge X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 May 2005 23:25:55 -0000 Hi, I am looking for testers and code review for if_bridge, the bridge implementation from NetBSD (and OpenBSD). The patch and instructions can be found at: http://people.freebsd.org/~thompsa/ Highlights include: - 802.1d spanning tree support - management of the bridge MAC table - view bridged packets with bpf(4) - good firewall support I am especially interested in people who can test !i386, and users with existing STP networks. I am looking forward to getting your feedback! 
Andrew From owner-freebsd-pf@FreeBSD.ORG Tue May 31 07:15:53 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 21B6F16A41C for ; Tue, 31 May 2005 07:15:53 +0000 (GMT) (envelope-from dmehler26@woh.rr.com) Received: from ms-smtp-02-eri0.ohiordc.rr.com (ms-smtp-02-smtplb.ohiordc.rr.com [65.24.5.136]) by mx1.FreeBSD.org (Postfix) with ESMTP id C996A43D4C for ; Tue, 31 May 2005 07:15:52 +0000 (GMT) (envelope-from dmehler26@woh.rr.com) Received: from satellite (cpe-65-31-41-46.woh.res.rr.com [65.31.41.46]) by ms-smtp-02-eri0.ohiordc.rr.com (8.12.10/8.12.7) with SMTP id j4V7FnXV008646 for ; Tue, 31 May 2005 03:15:49 -0400 (EDT) Message-ID: <000501c565b0$92b5bac0$0200a8c0@satellite> From: "dave" To: Date: Tue, 31 May 2005 03:15:49 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1437 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441 X-Virus-Scanned: Symantec AntiVirus Scan Engine Subject: pf and lan ftp clients X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: dave List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 May 2005 07:15:53 -0000 Hello, I've got a 5.4 fbsd box doing routing and firewall for an internal lan of machines. I'm using pf and having an issue with ftp. I believe it's passive ftp that's giving me the difficulty, but on lan clients i am getting timeout errors, while on the firewall itself both active and passive ftp connections work fine. On lan clients active connections work fine, only the passive ones on lan clients have timeout errors. 
An example is trying to access the readme file link on www.webalizer.org.

On two unrelated subjects, I've got an ssh redirection and a rule that passes ssh traffic from the internet to an internal computer. I'd like to set that so that when a single IP hits the box it's directed to the router and not the internal box. Also, on 5.4, what is the status of synproxy and pf? In 5.3 when I used synproxy on rules, internet clients were unable to connect; changing synproxy state to keep state corrected the issue.

My rules are below. Any help appreciated.

Thanks.
Dave.

# $LAN is internal interface, $EXT is external, and $LAN_SERVER is the
# internal service-serving box

# redirect lan client active FTP requests (to an FTP server's control port 21)
# to the ftp-proxy running on the firewall host (via inetd on port 8021)
rdr on $LAN proto tcp from any to any port 21 -> 127.0.0.1 port 8021

rdr on $EXT proto tcp from xxx.xxx.xxx.xxx/32 to ($EXT) port 22 -> ($EXT) port 22
rdr on $EXT proto tcp from any to any port 22 -> $LAN_SERVER port 22

# Allow remote FTP servers (on data port 20) to respond to the proxy's
# active FTP requests by contacting it on the port range specified in inetd.conf
pass in on $EXT \
    inet proto tcp \
    from any port 20 \
    to $EXT port 55000 >< 57000 \
    user proxy \
    flags S/SA keep state

# special requirements
pass in quick on $EXT \
    inet proto tcp \
    from xxx.xxx.xxx.xxx/32 port 22 to ($EXT) \
    port 22 flags S/SA keep state

# allow ftp active requests out
pass out on $EXT \
    inet proto tcp \
    from $EXT to any \
    port 20 \
    flags S/SA keep state

# allow firewall to contact ftp server on behalf of passive ftp client
# on control port 21
pass out on $EXT \
    inet proto tcp \
    from $EXT to any \
    port 21 \
    flags S/SA keep state

# allow firewall to contact ftp server on behalf of passive ftp client
# on standard unprivileged port range ( > 1024 )
pass out on $EXT \
    inet proto tcp \
    from $EXT to any \
    port > 1024 \
    flags S/SA keep state

From owner-freebsd-pf@FreeBSD.ORG Tue May 31
10:28:58 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0EEC516A41C for ; Tue, 31 May 2005 10:28:58 +0000 (GMT) (envelope-from marco+freebsd-pf@lordsith.net) Received: from maul.lordsith.net (maul.lordsith.net [82.169.114.191]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8D85843D1D for ; Tue, 31 May 2005 10:28:57 +0000 (GMT) (envelope-from marco+freebsd-pf@lordsith.net) Received: by maul.lordsith.net (Postfix, from userid 1001) id D35371704C; Tue, 31 May 2005 12:28:55 +0200 (CEST) Date: Tue, 31 May 2005 12:28:55 +0200 From: Marco van Lienen To: freebsd-pf Message-ID: <20050531102855.GA40275@lordsith.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Organization: LordSith.Net X-Operating-System: FreeBSD 5.4-STABLE X-FreeBSD: RULEZ Them All X-GPG-Fingerprint: A025 D8AA AC1B D2FC 380D 4FC1 8EA0 0BA8 8580 E6CB X-GPG-Key: http://lordsith.net/gpgkey X-Uptime: 11:50AM up 3 days, 21:31, 1 user, load averages: 0.24, 0.11, 0.09 User-Agent: Mutt/1.5.9i Subject: authpf does authenticate but gives no shell X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Marco van Lienen List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 May 2005 10:28:58 -0000 Hello list, I'm trying to setup authpf on a RELENG_5_4 box. After setting up the environment for authpf, when I try to logon to this box as a user which should be given /usr/sbin/authpf as the login shell I get the "Hello $user, You are authenticated from host "$user_ip" but then I don't get a prompt. When I logon to the same box as a regular user I do see the authpf user logged in making use of authpf. 
Usernames changed for example purposes:

$ ps auxww|grep authpf
foo   1383  0.0  0.4  1540   952  p0  S+   12:26PM   0:00.00 grep authpf
bar   1361  0.0  0.5  1672  1376  p1  Ss+  12:24PM   0:00.01 -authpf: bar@10.31.12.165 (authpf)

The authpf box is a box with 1 NIC and it has regular and admin users (admin users need to receive less restrictive access into the network). All users are allowed to ssh into the box but only the admin users should be allowed to ssh further into the network. Regular users may login but are only allowed to do local work.

Here is how I've set up the environment.

In /etc/pf.conf I have:

# interface definitions
#
if_loop = "lo0"
if_pub  = "em0"
if_log  = "em0"
#
# TCP services
sshd = "22"

block in log
block out
#
# pass all loopback traffic
pass quick on $if_loop
# ICMP
pass in quick inet proto icmp icmp-type 8 code 0 keep state
pass in quick inet proto icmp icmp-type 3 code 4 keep state
pass in quick inet proto icmp icmp-type 11 keep state
pass out quick inet proto icmp keep state
#
# input rules
pass in log quick on $if_pub proto tcp from any port > 1023 to port $sshd flags S/SA keep state
anchor authpf
pass out quick on $if_pub proto udp keep state

In /etc/authpf/ I've created:

authpf.allow    (contains 1 admin user only)
authpf.conf     (empty zero-byte file)
authpf.message  (additional text which is being echoed upon login)
authpf.rules

authpf.rules:

# interface definitions
#
if_pub = "em0"
#
# input rules
pass in quick on $if_pub proto tcp from $user_ip to port = ssh flags S/SA keep state
#
# output rules
pass out log quick on $if_pub proto tcp to 10.31.12.165 port = ssh flags S/SA modulate state
pass out quick on $if_pub proto udp keep state

As you can see, the 1 admin user is allowed to establish an ssh connection to host: 10.31.12.165.
A `pfctl -a anchor -sr` shows that the anchor is being picked up and the authpf.rules file has been parsed and activated:

# pfctl -a authpf -sr
No ALTQ support in kernel
ALTQ related functions disabled
pass in quick on em0 inet proto tcp from 10.31.12.165 to any port = ssh flags S/SA keep state
pass out log quick on em0 inet proto tcp from any to 10.31.12.165 port = ssh flags S/SA modulate state
pass out quick on em0 proto udp all keep state

I've set up an additional login class through login.conf(5):

authpf:\
        :shell=/usr/sbin/authpf:\
        :tc=default:

I ran cap_mkdb /etc/login.conf and there is a new login.conf.db.

I've tried only changing the class entry via chpass(1) to authpf and keeping the admin users' original shell (/usr/local/bin/bash; according to /var/log/messages this wouldn't allow me onto the box, it was warning about wrong shell or something). After then changing the user shell to /usr/sbin/authpf it at least echoes the Welcome text with the contents of /etc/authpf/authpf.message, but then I don't get a prompt to input shell commands.

Hope someone can help me out here.

Cheers.

Marco
-- 
WINDOWS: "Where do you want to go today?"
LINUX:   "Where do you want to go tomorrow?"
BSD:     "Are you guys coming or what?"
From owner-freebsd-pf@FreeBSD.ORG Tue May 31 11:14:27 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 54CA116A41C; Tue, 31 May 2005 11:14:27 +0000 (GMT) (envelope-from unixtools@hotmail.com) Received: from hotmail.com (bay21-f14.bay21.hotmail.com [65.54.233.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3593943D49; Tue, 31 May 2005 11:14:27 +0000 (GMT) (envelope-from unixtools@hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 31 May 2005 04:14:26 -0700 Message-ID: Received: from 203.199.109.161 by by21fd.bay21.hotmail.msn.com with HTTP; Tue, 31 May 2005 11:14:26 GMT X-Originating-IP: [203.199.109.161] X-Originating-Email: [unixtools@hotmail.com] X-Sender: unixtools@hotmail.com From: "Sunil Sunder Raj" To: freebsd-pf@freebsd.org Date: Tue, 31 May 2005 11:14:26 +0000 Mime-Version: 1.0 Content-Type: text/plain; format=flowed X-OriginalArrivalTime: 31 May 2005 11:14:26.0918 (UTC) FILETIME=[E842A860:01C565D1] Cc: freebsd-cluster@freebsd.org Subject: (no subject) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 May 2005 11:14:27 -0000 Hi, I have 3 smtp servers 10.0.0.2, 10.0.0.3, 10.0.0.4 under a cluster with the load balancing done by 10.0.0.1. The pf rule on 10.0.0.1 is ext_if="fxp0" internal_smtp_servers="{ 10.0.0.2, 10.0.0.3, 10.0.0.4 }" rdr on $ext_if proto tcp from any to any port 25 -> $internal_smtp_servers round-robin sticky-address If 10.0.0.4 port 25 goes down, how do I force pf to remove 10.0.0.4 from its table. 
Regards Sunil Sunder Raj From owner-freebsd-pf@FreeBSD.ORG Tue May 31 11:56:18 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3161016A41C for ; Tue, 31 May 2005 11:56:18 +0000 (GMT) (envelope-from derkjan@haanjdj.demon.nl) Received: from haanjdj.demon.nl (haanjdj.demon.nl [82.161.5.221]) by mx1.FreeBSD.org (Postfix) with ESMTP id 31B2643D1D for ; Tue, 31 May 2005 11:56:16 +0000 (GMT) (envelope-from derkjan@haanjdj.demon.nl) Received: from localhost (localhost [127.0.0.1]) by haanjdj.demon.nl (Postfix) with ESMTP id 0B56E1C080F for ; Tue, 31 May 2005 13:56:09 +0200 (CEST) Received: from haanjdj.demon.nl ([127.0.0.1]) by localhost (haanjdj.demon.nl [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 00605-07 for ; Tue, 31 May 2005 13:55:50 +0200 (CEST) Received: from haanjdj.demon.nl (localhost [127.0.0.1]) by haanjdj.demon.nl (Postfix) with ESMTP id EEA261C080B for ; Tue, 31 May 2005 13:55:48 +0200 (CEST) Received: from 195.50.100.20 (SquirrelMail authenticated user derkjan) by haanjdj.demon.nl with HTTP; Tue, 31 May 2005 13:55:49 +0200 (CEST) Message-ID: <60550.195.50.100.20.1117540549.squirrel@haanjdj.demon.nl> Date: Tue, 31 May 2005 13:55:49 +0200 (CEST) From: "Derkjan de Haan" To: freebsd-pf@freebsd.org User-Agent: SquirrelMail/1.4.4 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal X-Virus-Scanned: amavisd-new at haanjdj.demon.nl Subject: no-df and cksum errors in tcpdump X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 May 2005 11:56:18 -0000 All, I am using FreeBSD-STABLE on my home server/firewall. 
Yesterday I played a bit with the no-df scrub option. However, this yields errors with tcpdump in protocol decoding mode:

tcpdump -n -e -ttt -v -r /var/log/pflog

A couple of lines from the log:

088889 rule 31/0(match): pass in on em1: IP (tos 0x10, ttl 58, id 21397, offset 0, flags [none], length: 60, bad cksum 7186 (->b186)!) 195.245.244.241.40947 > 192.168.2.1.6346: S [tcp sum ok] 855340762:855340762(0) win 5840
095894 rule 31/0(match): pass in on em1: IP (tos 0x10, ttl 60, id 18568, offset 0, flags [none], length: 60, bad cksum bf87 (->ff87)!) 62.241.53.2.46125 > 192.168.2.1.6346: S [tcp sum ok] 3675198613:3675198613(0) win 5840
882863 rule 0/0(match): block in on em1: IP (tos 0x0, ttl 123, id 55684, offset 0, flags [none], length: 48, bad cksum e3b2 (->23b3)!) 82.161.151.113.4988 > 82.161.5.221.445: S [tcp sum ok] 1263353290:1263353290(0) win 64240

The relevant line from pf config (full config available on request):

scrub on $ext_if all no-df random-id reassemble tcp

The strange thing is that as soon as I remove the no-df from my pf configuration, the 'bad cksum' disappears. Has anybody seen this before? Can it be that pf doesn't recompute the checksum after altering the packet?

regards,
Derkjan
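The three "bad cksum" lines above can be checked by hand, and the check is worth knowing. What follows is an added example written for this archive, not code from Derkjan's post or from pf: it rebuilds each logged IPv4 header from the fields tcpdump printed (IHL 5 and protocol TCP are inferred from the decode, since 60- and 48-byte SYNs carry no IP options), computes the RFC 791 header checksum, and compares it with the value tcpdump flagged. The result is that the checksum tcpdump calls "bad" is exactly the checksum of the same header with DF still set: at the point bpf copied the packet, pf had cleared the DF bit but the checksum field had not yet been recomputed. Whether it is corrected before it reaches the wire cannot be seen from this host, which is what Daniel Hartmeier's reply further down the thread explains.

```python
import socket
import struct

IP_DF = 0x4000  # "don't fragment" bit in the flags/fragment-offset word


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(tos, total_len, ident, flags_frag, ttl, proto, src, dst):
    """20-byte IPv4 header (IHL = 5) with a correct checksum."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, flags_frag,
                    ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return h[:10] + struct.pack("!H", ip_checksum(h)) + h[12:]


def stored_checksum(header: bytes) -> int:
    return struct.unpack("!H", header[10:12])[0]


def checksum_is_valid(header: bytes) -> bool:
    """The check tcpdump -v performs: recompute with the field zeroed and compare."""
    return ip_checksum(header[:10] + b"\x00\x00" + header[12:]) == stored_checksum(header)


def clear_df_no_recompute(header: bytes) -> bytes:
    """Clear DF but leave the checksum field alone: the header as bpf saw it."""
    flags_frag = struct.unpack("!H", header[6:8])[0] & ~IP_DF & 0xFFFF
    return header[:6] + struct.pack("!H", flags_frag) + header[8:]


def clear_df_and_recompute(header: bytes) -> bytes:
    """Clear DF and fix the checksum: the header as it must look on the wire."""
    h = clear_df_no_recompute(header)
    h = h[:10] + b"\x00\x00" + h[12:]
    return h[:10] + struct.pack("!H", ip_checksum(h)) + h[12:]


# The three SYNs from the pflog excerpt, transcribed from tcpdump's decode:
# tos, ttl, id, total length, src, dst, logged checksum, checksum tcpdump expected.
PFLOG_SYNS = [
    (0x10, 58, 21397, 60, "195.245.244.241", "192.168.2.1", 0x7186, 0xB186),
    (0x10, 60, 18568, 60, "62.241.53.2", "192.168.2.1", 0xBF87, 0xFF87),
    (0x00, 123, 55684, 48, "82.161.151.113", "82.161.5.221", 0xE3B2, 0x23B3),
]


def explain_pflog_entry(tos, ttl, ident, length, src, dst, logged, expected):
    """Return (checksum of the header with DF set, checksum with DF cleared)."""
    with_df = build_ipv4_header(tos, length, ident, IP_DF, ttl, 6, src, dst)
    seen_by_bpf = clear_df_no_recompute(with_df)   # DF gone, old checksum still there
    on_wire = clear_df_and_recompute(with_df)      # what a correct sender must emit
    assert not checksum_is_valid(seen_by_bpf)      # the condition tcpdump complained about
    assert checksum_is_valid(on_wire)
    return stored_checksum(seen_by_bpf), stored_checksum(on_wire)


if __name__ == "__main__":
    for entry in PFLOG_SYNS:
        stale, fixed = explain_pflog_entry(*entry)
        print("logged %04x (tcpdump wanted %04x): DF-set header sums to %04x, "
              "DF-cleared header sums to %04x" % (entry[6], entry[7], stale, fixed))
```

Clearing DF changes one 16-bit word by 0x4000, so a stale checksum is always off by exactly that amount after one's-complement folding (7186 vs b186, bf87 vs ff87, e3b2 vs 23b3), which is a quick way to recognise this particular symptom in a pflog.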
From owner-freebsd-pf@FreeBSD.ORG Tue May 31 12:14:13 2005 Return-Path: X-Original-To: pf@freebsd.org Delivered-To: freebsd-pf@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4767A16A41C; Tue, 31 May 2005 12:14:13 +0000 (GMT) (envelope-from tyler@tamu.edu) Received: from smtp-relay.tamu.edu (smtp-relay.tamu.edu [165.91.143.199]) by mx1.FreeBSD.org (Postfix) with ESMTP id 01BA843D58; Tue, 31 May 2005 12:14:12 +0000 (GMT) (envelope-from tyler@tamu.edu) Received: from [128.194.150.11] (vpn-11.cs.tamu.edu [128.194.150.11]) by smtp-relay.tamu.edu (8.12.10/8.12.10) with ESMTP id j4VCE76v075913; Tue, 31 May 2005 07:14:08 -0500 (CDT) In-Reply-To: <20050530232554.GA8674@heff.fud.org.nz> References: <20050530232554.GA8674@heff.fud.org.nz> Mime-Version: 1.0 (Apple Message framework v730) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: Content-Transfer-Encoding: 7bit From: "R. Tyler Ballance" Date: Tue, 31 May 2005 07:14:47 -0500 To: Andrew Thompson X-Mailer: Apple Mail (2.730) Received-SPF: pass (smtp-relay.tamu.edu: 128.194.150.11 is authenticated by a trusted mechanism) Cc: pf@freebsd.org, hackers@freebsd.org, net@freebsd.org Subject: Re: RFC: if_bridge X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 May 2005 12:14:13 -0000

I'll throw another hme interface in my Sun Ultra 2 some time later today to test it out some more. Do you have any specific "tests" you would want us to run the if_bridge code through? Just simplistic bridging of two networks, or are there any bells and whistles you want me(/us) to set up as well?

Other than that, do you know if the new OPENBSD_3_7 pf code will work with this patch?

Thanks a lot for working on it! :)

-R.
Tyler Ballance On May 30, 2005, at 6:25 PM, Andrew Thompson wrote: > Hi, > > I am looking for testers and code review for if_bridge, the bridge > implementation from NetBSD (and OpenBSD). > > The patch and instructions can be found at: > > http://people.freebsd.org/~thompsa/ > > Highlights include: > - 802.1d spanning tree support > - management of the bridge MAC table > - view bridged packets with bpf(4) > - good firewall support > > > I am especially interested in people who can test !i386, and users > with > existing STP networks. I am looking forward to getting your feedback! > > > Andrew > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > From owner-freebsd-pf@FreeBSD.ORG Tue May 31 12:25:48 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A4C0916A41C for ; Tue, 31 May 2005 12:25:48 +0000 (GMT) (envelope-from jw@innerewut.de) Received: from smtprelay03.ispgateway.de (smtprelay03.ispgateway.de [80.67.18.15]) by mx1.FreeBSD.org (Postfix) with ESMTP id DD2D443D1D for ; Tue, 31 May 2005 12:25:47 +0000 (GMT) (envelope-from jw@innerewut.de) Received: (qmail 9494 invoked from network); 31 May 2005 12:25:44 -0000 Received: from unknown (HELO [192.168.0.200]) (068076@[85.178.225.13]) (envelope-sender ) by smtprelay03.ispgateway.de (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 31 May 2005 12:25:44 -0000 User-Agent: Microsoft-Entourage/11.1.0.040913 Date: Tue, 31 May 2005 14:25:43 +0200 From: Jonathan Weiss To: Marco van Lienen , FreeBSD-PF Message-ID: In-Reply-To: <20050531102855.GA40275@lordsith.net> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Cc: Subject: Re:authpf does authenticate but gives 
no shell X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 May 2005 12:25:48 -0000

> I've tried only changing the class entry via chpass(1) to authpf and keeping
> the admin users' original shell (/usr/local/bin/bash (according to
> /var/log/messages this wouldn't allow me onto the box; it was warning about
> wrong shell or something)).
> After then changing the user shell to /usr/sbin/authpf it at least echoes the
> Welcome text with the contents of /etc/authpf/authpf.message but then I don't
> get a prompt to input shell commands.

As far as I know, authpf is only for authentication. This means that it will activate your rules, nothing more. It is not a shell, nor will it fork to your shell.

You need a second SSH connection for this.

Please somebody correct me if I'm wrong.

> Hope someone can help me out here.
>
> Cheers.
> Marco Jonathan -- Jonathan Weiss jw@innerewut.de http://blog.innerewut.de From owner-freebsd-pf@FreeBSD.ORG Tue May 31 13:09:08 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BF5BE16A41C; Tue, 31 May 2005 13:09:08 +0000 (GMT) (envelope-from danger@rulez.sk) Received: from mail.rulez.sk (DaEmoN.RuLeZ.sK [84.16.32.226]) by mx1.FreeBSD.org (Postfix) with ESMTP id 63A4643D1F; Tue, 31 May 2005 13:09:08 +0000 (GMT) (envelope-from danger@rulez.sk) Received: from localhost (localhost [127.0.0.1]) by mail.rulez.sk (Postfix) with ESMTP id 521B11CC23; Tue, 31 May 2005 15:09:07 +0200 (CEST) Received: from danger.mcrn.sk (danger.mcrn.sk [84.16.37.254]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.rulez.sk (Postfix) with ESMTP id 81F891CC22; Tue, 31 May 2005 15:08:57 +0200 (CEST) Date: Tue, 31 May 2005 15:05:59 +0200 From: Daniel Gerzo X-Priority: 3 (Normal) Message-ID: <751754961.20050531150559@rulez.sk> To: "Sunil Sunder Raj" In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable X-Virus-Scanned: by amavisd-new at mail.rulez.sk X-Spam-Status: No, hits=-1.374 tagged_above=-999 required=5 tests=[ALL_TRUSTED=-2.82, AWL=0.261, PRIORITY_NO_NAME=1.185] X-Spam-Level: Cc: freebsd-cluster@freebsd.org, freebsd-pf@freebsd.org Subject: Re: (no subject) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Daniel Gerzo List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 May 2005 13:09:08 -0000 Hi Sunil, Tuesday, May 31, 2005, 1:14:26 PM, you Cannot open file "C\TXT COOKIES\repl= y-en.txt":: > Hi, > I have 3 smtp servers 10.0.0.2, 10.0.0.3, 10.0.0.4 
under a cluster with the
> load balancing done by 10.0.0.1. The pf rule on 10.0.0.1 is

> ext_if="fxp0"
> internal_smtp_servers="{ 10.0.0.2, 10.0.0.3, 10.0.0.4 }"
> rdr on $ext_if proto tcp from any to any port 25 -> $internal_smtp_servers
> round-robin sticky-address

> If 10.0.0.4 port 25 goes down, how do I force pf to remove 10.0.0.4 from its
> table.

people use CARP for this, don't they?

> Regards
> Sunil Sunder Raj

-- 
Best regards
+----------==/\/\==----------+   (__)      FreeBSD
|           DanGer           |   \\\'',)   The
| DanGer@IRCnet ICQ261701668 |     \/  \ ^ Power
|   http://danger.rulez.sk   |    .\._/_)  To
+----------==\/\/==----------+             Serve
[ ANIMANI.COM loaded SOCIALIF.DAT removed from memory. ]

From owner-freebsd-pf@FreeBSD.ORG Tue May 31 13:10:21 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C9B8916A41C; Tue, 31 May 2005 13:10:21 +0000 (GMT) (envelope-from so14k@so14k.com) Received: from ender.liquidneon.com (ender.liquidneon.com [64.78.150.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id 943CE43D1D; Tue, 31 May 2005 13:10:21 +0000 (GMT) (envelope-from so14k@so14k.com) Received: from localhost (localhost [127.0.0.1]) by ender.liquidneon.com (Postfix) with ESMTP id 770EEA6C70; Tue, 31 May 2005 07:10:20 -0600 (MDT) Received: from ender.liquidneon.com ([127.0.0.1]) by localhost (ender.liquidneon.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 89734-06; Tue, 31 May 2005 07:10:20 -0600 (MDT) Received: by ender.liquidneon.com (Postfix, from userid 1000) id 3CA5CA6C6E; Tue, 31 May 2005 07:10:20 -0600 (MDT) Date: Tue, 31 May 2005 07:10:20 -0600 From: Brad Davis To: Sunil Sunder Raj Message-ID: <20050531131020.GA50106@ender.liquidneon.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.1i X-Virus-Scanned: by
amavisd-new at ender.liquidneon.com Cc: freebsd-cluster@freebsd.org, freebsd-pf@freebsd.org Subject: Re: (no subject) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 May 2005 13:10:21 -0000

On Tue, May 31, 2005 at 11:14:26AM +0000, Sunil Sunder Raj wrote:
> Hi,
> I have 3 smtp servers 10.0.0.2, 10.0.0.3, 10.0.0.4 under a cluster with the
> load balancing done by 10.0.0.1. The pf rule on 10.0.0.1 is
>
> ext_if="fxp0"
> internal_smtp_servers="{ 10.0.0.2, 10.0.0.3, 10.0.0.4 }"
> rdr on $ext_if proto tcp from any to any port 25 -> $internal_smtp_servers
> round-robin sticky-address
>
> If 10.0.0.4 port 25 goes down, how do I force pf to remove 10.0.0.4 from
> its table.

Hi,

I would use something like Nagios[1] or a perl script to do this. It is not in PF's realm to handle this sort of thing.

[1]: http://www.nagios.org/ See the parts about Event handlers.
Regards, Brad Davis From owner-freebsd-pf@FreeBSD.ORG Tue May 31 13:15:29 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9887C16A41C for ; Tue, 31 May 2005 13:15:29 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id F062543D58 for ; Tue, 31 May 2005 13:15:28 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1]) by insomnia.benzedrine.cx (8.13.3/8.12.11) with ESMTP id j4VDFMmS018494 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Tue, 31 May 2005 15:15:23 +0200 (MEST) Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.13.4/8.12.10/Submit) id j4VDFLJ3023121; Tue, 31 May 2005 15:15:21 +0200 (MEST) Date: Tue, 31 May 2005 15:15:19 +0200 From: Daniel Hartmeier To: Derkjan de Haan Message-ID: <20050531131519.GC16010@insomnia.benzedrine.cx> References: <60550.195.50.100.20.1117540549.squirrel@haanjdj.demon.nl> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <60550.195.50.100.20.1117540549.squirrel@haanjdj.demon.nl> User-Agent: Mutt/1.5.6i Cc: freebsd-pf@freebsd.org Subject: Re: no-df and cksum errors in tcpdump X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 May 2005 13:15:29 -0000 On Tue, May 31, 2005 at 01:55:49PM +0200, Derkjan de Haan wrote: > The strange thing is that as soon as I remove the no-df from my pf > configuration, the 'bad cksum' disappears. Has anybody seen this before ? 
> Can it be that pf doesn't recompute the checksum after altering the packet > ? This can be perfectly fine, when you have a NIC that does checksum calculation in hardware. In that case, pf will invalidate the packet checksum with any modification (nat, modulate state, no-df, etc.) and bpf (i.e. tcpdump, pflogd) will see packets before they actually reach the NIC (which then fixes the checksum in hardware). To make sure, tcpdump what goes out on the wire, from a second host (like the peer or a sniffer). If you see invalid checksums on the wire, then something is wrong. But you can't check this on the sending host itself, due to the order in which bpf gets packets first. Daniel From owner-freebsd-pf@FreeBSD.ORG Tue May 31 13:18:43 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A4DFB16A41C for ; Tue, 31 May 2005 13:18:43 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id C51F843D1F for ; Tue, 31 May 2005 13:18:42 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1]) by insomnia.benzedrine.cx (8.13.3/8.12.11) with ESMTP id j4VDIgEx001381 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Tue, 31 May 2005 15:18:42 +0200 (MEST) Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.13.4/8.12.10/Submit) id j4VDIg9r004902; Tue, 31 May 2005 15:18:42 +0200 (MEST) Date: Tue, 31 May 2005 15:18:42 +0200 From: Daniel Hartmeier To: Jonathan Weiss Message-ID: <20050531131842.GD16010@insomnia.benzedrine.cx> References: <20050531102855.GA40275@lordsith.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.6i Cc: FreeBSD-PF 
Subject: Re: authpf does authenticate but gives no shell X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 May 2005 13:18:43 -0000 On Tue, May 31, 2005 at 02:25:43PM +0200, Jonathan Weiss wrote: > As far as I know, authpf is only for authentification. This means that it > will activate you rules, nothing more. It is not a shell or will it fork to > your shell. > > You need a second SSH connection for this. With a second user id, which has a real shell, yes. Some people would argue that you shouldn't give out interactive shells ON THE FIREWALL ITSELF. > Please somebody correct me if I'm wrong. No, that's correct. Working as intended. :) Daniel From owner-freebsd-pf@FreeBSD.ORG Tue May 31 13:20:53 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D469416A41C; Tue, 31 May 2005 13:20:53 +0000 (GMT) (envelope-from steve@n2sw.com) Received: from tbwachiat.com (venus.tbwachiat.com [208.244.203.7]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8BAF543D1F; Tue, 31 May 2005 13:20:53 +0000 (GMT) (envelope-from steve@n2sw.com) Received: from [10.20.4.87] steve_rieger [10.20.4.87] by tbwachiat.com with NetMail SMTP Agent $Revision: 3.22.1.16 $ on Novell NetWare via secured & encrypted transport (TLS); Tue, 31 May 2005 09:20:52 -0400 In-Reply-To: References: Mime-Version: 1.0 (Apple Message framework v622) Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: Content-Transfer-Encoding: 7bit From: steve Rieger Date: Tue, 31 May 2005 09:20:59 -0400 To: "Sunil Sunder Raj" X-Mailer: Apple Mail (2.622) Cc: freebsd-cluster@freebsd.org, freebsd-pf@freebsd.org Subject: Re: (no subject) X-BeenThere: 
freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 May 2005 13:20:54 -0000 On May 31, 2005, at 7:14 AM, Sunil Sunder Raj wrote: > Hi, > I have 3 smtp servers 10.0.0.2, 10.0.0.3, 10.0.0.4 under a cluster > with the load balancing done by 10.0.0.1. The pf rule on 10.0.0.1 is > > ext_if="fxp0" > internal_smtp_servers="{ 10.0.0.2, 10.0.0.3, 10.0.0.4 }" > rdr on $ext_if proto tcp from any to any port 25 -> > $internal_smtp_servers round-robin sticky-address > > If 10.0.0.4 port 25 goes down, how do I force pf to remove 10.0.0.4 > from its table. > > Regards > Sunil Sunder Raj > check out vrrp \-- Steve Rieger (212) 804-1131 (Work) (646) 335-8915 (Cell) chozrim (aim) From owner-freebsd-pf@FreeBSD.ORG Tue May 31 13:58:51 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5DDD016A41C; Tue, 31 May 2005 13:58:51 +0000 (GMT) (envelope-from so14k@so14k.com) Received: from ender.liquidneon.com (ender.liquidneon.com [64.78.150.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2867043D4C; Tue, 31 May 2005 13:58:51 +0000 (GMT) (envelope-from so14k@so14k.com) Received: from localhost (localhost [127.0.0.1]) by ender.liquidneon.com (Postfix) with ESMTP id 9D8C5A6C31; Tue, 31 May 2005 07:58:50 -0600 (MDT) Received: from ender.liquidneon.com ([127.0.0.1]) by localhost (ender.liquidneon.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 90512-07; Tue, 31 May 2005 07:58:50 -0600 (MDT) Received: by ender.liquidneon.com (Postfix, from userid 1000) id 4F486A6C24; Tue, 31 May 2005 07:58:50 -0600 (MDT) Date: Tue, 31 May 2005 07:58:50 -0600 From: Brad Davis To: Daniel Gerzo Message-ID: <20050531135850.GA90363@ender.liquidneon.com> References: 
<751754961.20050531150559@rulez.sk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <751754961.20050531150559@rulez.sk> User-Agent: Mutt/1.4.2.1i X-Virus-Scanned: by amavisd-new at ender.liquidneon.com Cc: freebsd-cluster@freebsd.org, freebsd-pf@freebsd.org Subject: Re: (no subject) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 May 2005 13:58:51 -0000 On Tue, May 31, 2005 at 03:05:59PM +0200, Daniel Gerzo wrote: > Hi Sunil, > > Tuesday, May 31, 2005, 1:14:26 PM, you Cannot open file "C\TXT COOKIES\reply-en.txt":: > > > Hi, > > I have 3 smtp servers 10.0.0.2, 10.0.0.3, 10.0.0.4 under a cluster with the > > load balancing done by 10.0.0.1. The pf rule on 10.0.0.1 is > > > ext_if="fxp0" > > internal_smtp_servers="{ 10.0.0.2, 10.0.0.3, 10.0.0.4 }" > > rdr on $ext_if proto tcp from any to any port 25 -> $internal_smtp_servers > > round-robin sticky-address > > > If 10.0.0.4 port 25 goes down, how do I force pf to remove 10.0.0.4 from its > > table. > > people use CARP for this, don't they? No.. This is not what CARP does. CARP is for redundant firewalls/routers. 
Regards, Brad Davis From owner-freebsd-pf@FreeBSD.ORG Tue May 31 14:01:20 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 32F3016A41C; Tue, 31 May 2005 14:01:20 +0000 (GMT) (envelope-from so14k@so14k.com) Received: from ender.liquidneon.com (ender.liquidneon.com [64.78.150.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id E88BE43D58; Tue, 31 May 2005 14:01:19 +0000 (GMT) (envelope-from so14k@so14k.com) Received: from localhost (localhost [127.0.0.1]) by ender.liquidneon.com (Postfix) with ESMTP id 91675A6C67; Tue, 31 May 2005 08:01:19 -0600 (MDT) Received: from ender.liquidneon.com ([127.0.0.1]) by localhost (ender.liquidneon.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 90512-10; Tue, 31 May 2005 08:01:19 -0600 (MDT) Received: by ender.liquidneon.com (Postfix, from userid 1000) id 55975A6C5E; Tue, 31 May 2005 08:01:19 -0600 (MDT) Date: Tue, 31 May 2005 08:01:19 -0600 From: Brad Davis To: steve Rieger Message-ID: <20050531140119.GC90363@ender.liquidneon.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.1i X-Virus-Scanned: by amavisd-new at ender.liquidneon.com Cc: freebsd-cluster@freebsd.org, freebsd-pf@freebsd.org Subject: Re: (no subject) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 May 2005 14:01:20 -0000 On Tue, May 31, 2005 at 09:20:59AM -0400, steve Rieger wrote: > > On May 31, 2005, at 7:14 AM, Sunil Sunder Raj wrote: > > >Hi, > >I have 3 smtp servers 10.0.0.2, 10.0.0.3, 10.0.0.4 under a cluster > >with the load balancing done by 10.0.0.1. 
The pf rule on 10.0.0.1 is > > > >ext_if="fxp0" > >internal_smtp_servers="{ 10.0.0.2, 10.0.0.3, 10.0.0.4 }" > >rdr on $ext_if proto tcp from any to any port 25 -> > >$internal_smtp_servers round-robin sticky-address > > > >If 10.0.0.4 port 25 goes down, how do I force pf to remove 10.0.0.4 > >from its table. > > > >Regards > >Sunil Sunder Raj > > > > check out vrrp VRRP is for redundant routers. Regards, Brad Davis From owner-freebsd-pf@FreeBSD.ORG Tue May 31 14:07:56 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EE6F216A41F for ; Tue, 31 May 2005 14:07:56 +0000 (GMT) (envelope-from mclone@gmail.com) Received: from rproxy.gmail.com (rproxy.gmail.com [64.233.170.198]) by mx1.FreeBSD.org (Postfix) with ESMTP id 20E5C43D5D for ; Tue, 31 May 2005 14:07:55 +0000 (GMT) (envelope-from mclone@gmail.com) Received: by rproxy.gmail.com with SMTP id b11so90630rne for ; Tue, 31 May 2005 07:07:55 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=CVQ7EQTmoSVVH6CcGCCmtOOpWG7OVYL3pAUel79veynuJ9rvDd7OXwcTkXfxg/6CIuGoAWXWtxLPQIrvoFKYlifAKy/kQxUsGlwXiu5wS+UVCooPifpBPyMRslOo8ukGN6uHf/SMqHeq1rHqy6rALL5jpjVf+raGH6E7eJ/yfBU= Received: by 10.11.88.29 with SMTP id l29mr59771cwb; Tue, 31 May 2005 07:07:55 -0700 (PDT) Received: by 10.11.98.32 with HTTP; Tue, 31 May 2005 07:07:55 -0700 (PDT) Message-ID: <451cb301050531070737602bed@mail.gmail.com> Date: Tue, 31 May 2005 17:07:55 +0300 From: McLone To: freebsd-cluster@freebsd.org, freebsd-pf@freebsd.org In-Reply-To: <20050531135850.GA90363@ender.liquidneon.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: 
<751754961.20050531150559@rulez.sk> <20050531135850.GA90363@ender.liquidneon.com> Cc: Subject: Re: (no subject) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: McLone List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 May 2005 14:07:57 -0000 On 5/31/05, Brad Davis wrote: > > people use CARP for this, don't they? > No.. This is not what CARP does. CARP is for redundant firewalls/routers. CARP is for sharing one IP between multiple hosts/NICs. pfsync is for redundant PFs. Do yourself a favor, RTFM some. http://openbsd.org/faq/faq6.html#CARP http://openbsd.org/faq/pf/carp.html -- wbr, |\ _,,,---,,_ dog bless ya! ` Zzz /,`.-'`' -. ;-;;,_ McLone at GMail dot com |,4- ) )-,_. ,\ ( `'-' net- and *BSD admin '---''(_/--' `-'\_) ...sorry for translit From owner-freebsd-pf@FreeBSD.ORG Tue May 31 14:08:29 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D781916A41C; Tue, 31 May 2005 14:08:29 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3E38043D1D; Tue, 31 May 2005 14:08:28 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1]) by insomnia.benzedrine.cx (8.13.3/8.12.11) with ESMTP id j4VE8SPX016661 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Tue, 31 May 2005 16:08:28 +0200 (MEST) Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.13.4/8.12.10/Submit) id j4VE8RBL021234; Tue, 31 May 2005 16:08:27 +0200 (MEST) Date: Tue, 31 May 2005 16:08:27 +0200 From: Daniel Hartmeier To: Brad Davis Message-ID: 
<20050531140827.GF16010@insomnia.benzedrine.cx> References: <751754961.20050531150559@rulez.sk> <20050531135850.GA90363@ender.liquidneon.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050531135850.GA90363@ender.liquidneon.com> User-Agent: Mutt/1.5.6i Cc: Daniel Gerzo , freebsd-cluster@freebsd.org, freebsd-pf@freebsd.org Subject: Re: (no subject) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 May 2005 14:08:30 -0000 On Tue, May 31, 2005 at 07:58:50AM -0600, Brad Davis wrote: > No.. This is not what CARP does. CARP is for redundant firewalls/routers. That's just one of its uses. Take a look at http://www.countersiege.com/doc/pfsync-carp/ and scroll down to the example about load balancing, then see carp(4) and search for arpbalance. You can automate the simpler (?) rdr balancing using a script that checks outage and removes/adds addresses to tables, if you prefer that, see http://marc.theaimsgroup.com/?l=openbsd-pf&m=106883416904625&w=2 for an example. 
Daniel From owner-freebsd-pf@FreeBSD.ORG Tue May 31 14:11:01 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5AB2F16A41C for ; Tue, 31 May 2005 14:11:01 +0000 (GMT) (envelope-from Greg.Hennessy@nviz.net) Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.112.4.54]) by mx1.FreeBSD.org (Postfix) with ESMTP id 00F5843D5C for ; Tue, 31 May 2005 14:11:00 +0000 (GMT) (envelope-from Greg.Hennessy@nviz.net) Received: from gw2.local.net (unknown [62.3.210.251]) by smtp.nildram.co.uk (Postfix) with ESMTP id 4380324F1CD for ; Tue, 31 May 2005 15:10:57 +0100 (BST) From: "Greg Hennessy" To: Date: Tue, 31 May 2005 15:11:10 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook, Build 11.0.6353 In-Reply-To: <20050531135850.GA90363@ender.liquidneon.com> Thread-Index: AcVl6XaCCqEqR6qEQ3253WJBKpZrmQAAMz4w X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830 Message-Id: <20050531141109.D00FE28@gw2.local.net> Subject: RE: (no subject) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 May 2005 14:11:01 -0000 > > people use CARP for this, don't they? > > No.. This is not what CARP does. CARP is for redundant > firewalls/routers. > CARP can also be utilised for SLB. 
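The scripted table maintenance Daniel Hartmeier points at above, written out as an added example; it is not code from the thread, from pf or from FreeBSD. It assumes the rdr rule from the original question is changed to use a persistent table (name `smtp_pool` is an assumption) instead of the literal address list, that nc(1) is installed on the firewall, and that the script runs from cron. The pfctl invocations are the documented `-T add`, `-T delete`, `-T show` and `-K` forms; `PFCTL=echo` shows what would be run without touching the kernel.

```shell
#!/bin/sh
# smtp_pool_check.sh: keep the pf rdr pool in step with the backends that
# actually answer SMTP. Added example for the thread above; not code from
# pf, FreeBSD or any poster. It assumes pf.conf uses a persistent table
# instead of the literal list in the original rule:
#
#   ext_if = "fxp0"
#   table <smtp_pool> persist { 10.0.0.2, 10.0.0.3, 10.0.0.4 }
#   rdr on $ext_if proto tcp from any to any port 25 -> <smtp_pool> round-robin sticky-address
#
# Table name, probe timeout, nc(1) being installed and the cron interval
# are assumptions of this example.

TABLE="smtp_pool"
MEMBERS="10.0.0.2 10.0.0.3 10.0.0.4"   # every backend that may ever be in the pool
PORT=25
TIMEOUT=5                              # seconds to wait for the connect and the banner
PFCTL="${PFCTL:-pfctl}"                # PFCTL=echo prints the commands instead of running them

# A backend is alive only if the port accepts the connection AND the daemon
# greets with a 220 banner. A process that accepts but never answers (full
# queue, wedged daemon) counts as down, which a bare port check would miss.
smtp_alive() {
    banner=$(printf 'QUIT\r\n' | nc -w "$TIMEOUT" "$1" "$PORT" 2>/dev/null | head -n 1)
    case "$banner" in
        220*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Is the address currently in the table? "pfctl -T show" prints one indented
# address per line; compare whole fields so 10.0.0.2 does not match 10.0.0.20.
in_table() {
    $PFCTL -t "$TABLE" -T show 2>/dev/null |
        awk -v h="$1" '$1 == h { found = 1 } END { exit !found }'
}

# Reconcile one member. Arguments: host, alive (1/0), present in table (1/0).
# Prints the action taken ("add", "delete" or "keep"); pfctl output goes to
# stderr so the caller can capture the action cleanly.
reconcile_member() {
    host="$1"; alive="$2"; present="$3"
    if [ "$alive" = 1 ] && [ "$present" = 0 ]; then
        $PFCTL -q -t "$TABLE" -T add "$host" 1>&2
        echo "add"
    elif [ "$alive" = 0 ] && [ "$present" = 1 ]; then
        $PFCTL -q -t "$TABLE" -T delete "$host" 1>&2
        # sticky-address remembers each client's backend in a source-tracking
        # entry. Removing the address from the table does not touch those
        # entries, so flush the ones that point at the dead host; otherwise its
        # former clients keep being redirected to it until the entries expire.
        $PFCTL -q -K 0.0.0.0/0 -K "$host" 1>&2
        echo "delete"
    else
        echo "keep"
    fi
}

main() {
    for host in $MEMBERS; do
        if smtp_alive "$host"; then alive=1; else alive=0; fi
        if in_table "$host"; then present=1; else present=0; fi
        action=$(reconcile_member "$host" "$alive" "$present")
        [ "$action" = "keep" ] || logger -t smtp_pool "$action $host (alive=$alive)"
    done
}

# Run from cron, e.g. once a minute:  * * * * * /usr/local/sbin/smtp_pool_check.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

`persist` matters: without it pf drops the table once the last address is removed and the rdr rule would no longer load. Be aware that when every backend is down the pool is empty and pf has nothing to redirect to, so port 25 connections are no longer translated at all; decide in advance whether you would rather leave the last member in place and let clients see the real failure.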
From owner-freebsd-pf@FreeBSD.ORG Tue May 31 14:53:33 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C82FB16A41C; Tue, 31 May 2005 14:53:33 +0000 (GMT) (envelope-from steve@n2sw.com) Received: from tbwachiat.com (mercury.tbwachiat.com [204.17.229.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 760B543D1F; Tue, 31 May 2005 14:53:33 +0000 (GMT) (envelope-from steve@n2sw.com) Received: from [10.20.4.87] steve_rieger [10.20.4.87] by tbwachiat.com with NetMail SMTP Agent $Revision: 3.22.1.16 $ on Novell NetWare via secured & encrypted transport (TLS); Tue, 31 May 2005 07:53:32 -0700 In-Reply-To: <20050531140119.GC90363@ender.liquidneon.com> References: <20050531140119.GC90363@ender.liquidneon.com> Mime-Version: 1.0 (Apple Message framework v622) Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: <60bcc00e76e1ba18afc5e943135810a3@n2sw.com> Content-Transfer-Encoding: 7bit From: steve Rieger Date: Tue, 31 May 2005 10:53:36 -0400 To: Brad Davis X-Mailer: Apple Mail (2.622) Cc: freebsd-cluster@freebsd.org, freebsd-pf@freebsd.org Subject: Re: (no subject) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 May 2005 14:53:33 -0000 On May 31, 2005, at 10:01 AM, Brad Davis wrote: > On Tue, May 31, 2005 at 09:20:59AM -0400, steve Rieger wrote: >> >> On May 31, 2005, at 7:14 AM, Sunil Sunder Raj wrote: >> >>> Hi, >>> I have 3 smtp servers 10.0.0.2, 10.0.0.3, 10.0.0.4 under a cluster >>> with the load balancing done by 10.0.0.1. 
The pf rule on 10.0.0.1 is >>> >>> ext_if="fxp0" >>> internal_smtp_servers="{ 10.0.0.2, 10.0.0.3, 10.0.0.4 }" >>> rdr on $ext_if proto tcp from any to any port 25 -> >>> $internal_smtp_servers round-robin sticky-address >>> >>> If 10.0.0.4 port 25 goes down, how do I force pf to remove 10.0.0.4 >>> from its table. >>> >>> Regards >>> Sunil Sunder Raj >>> >> >> check out vrrp > > VRRP is for redundant routers. > > > Regards, > Brad Davis > mr brad davis, whilst i am not here to yell at you. you have no idea what you are talking about. i work for one of the largest stock exchanges in the world and we use vrrp on 73 servers to serve apache vrrp was invented by cisco and they use it on their load balancers but as somebody already said rtfm dude. From owner-freebsd-pf@FreeBSD.ORG Tue May 31 15:23:13 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5ACB716A41C; Tue, 31 May 2005 15:23:13 +0000 (GMT) (envelope-from matt@fruitsalad.org) Received: from mandarin.fruitsalad.org (pc117.net160.koping.net [81.16.160.117]) by mx1.FreeBSD.org (Postfix) with ESMTP id 08A1B43D54; Tue, 31 May 2005 15:23:10 +0000 (GMT) (envelope-from matt@fruitsalad.org) Received: from [192.168.15.27] (helo=jeriksso.universe.hasta.se) by mandarin.fruitsalad.org with esmtp (Exim 4.34 (FreeBSD)) id 1Dd8aD-0001y6-6r; Tue, 31 May 2005 17:23:09 +0200 From: Matt Douhan Organization: fruitsalad.org To: freebsd-cluster@freebsd.org Date: Tue, 31 May 2005 17:20:08 +0200 User-Agent: KMail/1.8.50 References: <20050531140119.GC90363@ender.liquidneon.com> <60bcc00e76e1ba18afc5e943135810a3@n2sw.com> In-Reply-To: <60bcc00e76e1ba18afc5e943135810a3@n2sw.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200505311720.09703.matt@fruitsalad.org> Cc: steve Rieger , 
freebsd-pf@freebsd.org Subject: Re: (no subject) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 May 2005 15:23:13 -0000 On Tuesday 31 May 2005 16.53, steve Rieger wrote: > whilst i am not here to yell at you. then why are you? > > you have no idea what you are talking about. And as shown below neither do you > > i work for one of the largest stock exchanges in the world and we use > vrrp on 73 servers to serve apache and your point being? if we are going to make this a competition for who runs the largest server farms or the largest networks you will lose, since 73 servers is simply the front end to the systems we are running. > > > vrrp was invented by cisco and they use it on their load balancers but > as somebody already said rtfm dude. Dood I suggest YOU read up on this and then post back to the list who really invented VRRP. 
-- Matt Douhan www.fruitsalad.org kolab + toltec + horde + kontact == success From owner-freebsd-pf@FreeBSD.ORG Tue May 31 23:48:17 2005 Return-Path: X-Original-To: pf@freebsd.org Delivered-To: freebsd-pf@FreeBSD.ORG Received: from green.homeunix.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 2406F16A41C; Tue, 31 May 2005 23:48:17 +0000 (GMT) (envelope-from green@green.homeunix.org) Received: from green.homeunix.org (green@localhost [127.0.0.1]) by green.homeunix.org (8.13.3/8.13.1) with ESMTP id j4VNmGok021529; Tue, 31 May 2005 19:48:16 -0400 (EDT) (envelope-from green@green.homeunix.org) Received: (from green@localhost) by green.homeunix.org (8.13.3/8.13.1/Submit) id j4VNmG5V021528; Tue, 31 May 2005 19:48:16 -0400 (EDT) (envelope-from green) Date: Tue, 31 May 2005 19:48:16 -0400 From: Brian Fundakowski Feldman To: Andrew Thompson Message-ID: <20050531234816.GA975@green.homeunix.org> References: <20050530232554.GA8674@heff.fud.org.nz> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050530232554.GA8674@heff.fud.org.nz> User-Agent: Mutt/1.5.6i Cc: pf@freebsd.org, hackers@freebsd.org, net@freebsd.org Subject: Re: RFC: if_bridge X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 May 2005 23:48:17 -0000 On Tue, May 31, 2005 at 11:25:54AM +1200, Andrew Thompson wrote: > Hi, > > I am looking for testers and code review for if_bridge, the bridge > implementation from NetBSD (and OpenBSD). 
> > The patch and instructions can be found at: > > http://people.freebsd.org/~thompsa/ > > Highlights include: > - 802.1d spanning tree support > - management of the bridge MAC table > - view bridged packets with bpf(4) > - good firewall support > > > I am especially interested in people who can test !i386, and users with > existing STP networks. I am looking forward to getting your feedback! As you know, I've been testing this on 5.4 in a transparent ipfw/ALTQ bridging/traffic-shaping-firewall setup. I ran into quite a few more issues with the driver's usage of locking while determining the proper configuration (which, btw, is to assign no layer 3 addresses to the internal or external interfaces, but assign them to the bridge interface). Some of these have since been fixed by you or I, but the most serious is the deadlock caused by not having consistency in data access between the input/output interfaces attached to the bridge and the bridge interface itself. It was quite simple to reproduce using IPFW dynamic rules and two fxp(4). The situation that occurs is the input path having locked the bridge, then the interface, and the output path locking the real interface and then trying to lock the bridge. It can be fixed by deferring the if_start(9), but having not run it with WITNESS I'm not certain that is the only big problem. Ideally, there should be a global bridge-list shared/exclusive lock and per-bridge shared/exclusive locks. This will require a fair bit of code churn... but the current state is largely not productionable on FreeBSD thanks to a locking versus IPL model being used in the kernel versus the if_bridge(4) code having been structured for IPL. I very much like this far more featureful and cleaner bridging implementation; it would benefit from implementing a locking strategy almost entirely not unlike Netgraph. -- Brian Fundakowski Feldman \'[ FreeBSD ]''''''''''\ <> green@FreeBSD.org \ The Power to Serve! \ Opinions expressed are my own. 
\,,,,,,,,,,,,,,,,,,,,,,\ From owner-freebsd-pf@FreeBSD.ORG Tue May 31 23:58:51 2005 Return-Path: X-Original-To: pf@freebsd.org Delivered-To: freebsd-pf@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7093716A41C; Tue, 31 May 2005 23:58:51 +0000 (GMT) (envelope-from thompsa@fud.org.nz) Received: from heff.fud.org.nz (60-234-149-201.bitstream.orcon.net.nz [60.234.149.201]) by mx1.FreeBSD.org (Postfix) with ESMTP id E173E43D1D; Tue, 31 May 2005 23:58:50 +0000 (GMT) (envelope-from thompsa@fud.org.nz) Received: from thompsa by heff.fud.org.nz with local (Exim 4.50 (FreeBSD)) id 1DdGdF-0003VG-MF; Wed, 01 Jun 2005 11:58:49 +1200 Date: Wed, 1 Jun 2005 11:58:49 +1200 From: Andrew Thompson To: Brian Fundakowski Feldman Message-ID: <20050531235849.GA13258@heff.fud.org.nz> References: <20050530232554.GA8674@heff.fud.org.nz> <20050531234816.GA975@green.homeunix.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050531234816.GA975@green.homeunix.org> User-Agent: Mutt/1.4.2.1i Sender: Andrew Thompson Cc: pf@freebsd.org, hackers@freebsd.org, net@freebsd.org Subject: Re: RFC: if_bridge X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 May 2005 23:58:51 -0000 On Tue, May 31, 2005 at 07:48:16PM -0400, Brian Fundakowski Feldman wrote: > On Tue, May 31, 2005 at 11:25:54AM +1200, Andrew Thompson wrote: > > Hi, > > > > I am looking for testers and code review for if_bridge, the bridge > > implementation from NetBSD (and OpenBSD). 
> > > > The patch and instructions can be found at: > > > > http://people.freebsd.org/~thompsa/ > > > > Some of these have since been fixed by you or I, but the most serious > is the deadlock caused by not having consistency in data access > between the input/output interfaces attached to the bridge and the > bridge interface itself. It was quite simple to reproduce using IPFW > dynamic rules and two fxp(4). The situation that occurs is the input > path having locked the bridge, then the interface, and the output path > locking the real interface and then trying to lock the bridge. It > can be fixed by deferring the if_start(9), but having not run it with > WITNESS I'm not certain that is the only big problem. > > Ideally, there should be a global bridge-list shared/exclusive lock > and per-bridge shared/exclusive locks. This will require a fair bit > of code churn... but the current state is largely not productionable > on FreeBSD thanks to a locking versus IPL model being used in the > kernel versus the if_bridge(4) code having been structured for IPL. > Have you looked at the patch above, I have been using bridge-list and per-bridge locks for about a week now. There have been a couple of changes from the original patch you have, are you able to re-test? 
cheers, Andrew From owner-freebsd-pf@FreeBSD.ORG Wed Jun 1 00:18:34 2005 Return-Path: X-Original-To: pf@freebsd.org Delivered-To: freebsd-pf@FreeBSD.ORG Received: from green.homeunix.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 35FD216A41C; Wed, 1 Jun 2005 00:18:34 +0000 (GMT) (envelope-from green@green.homeunix.org) Received: from green.homeunix.org (green@localhost [127.0.0.1]) by green.homeunix.org (8.13.3/8.13.1) with ESMTP id j510IXTg021703; Tue, 31 May 2005 20:18:33 -0400 (EDT) (envelope-from green@green.homeunix.org) Received: (from green@localhost) by green.homeunix.org (8.13.3/8.13.1/Submit) id j510IXp5021702; Tue, 31 May 2005 20:18:33 -0400 (EDT) (envelope-from green) Date: Tue, 31 May 2005 20:18:33 -0400 From: Brian Fundakowski Feldman To: Andrew Thompson Message-ID: <20050601001833.GB975@green.homeunix.org> References: <20050530232554.GA8674@heff.fud.org.nz> <20050531234816.GA975@green.homeunix.org> <20050531235849.GA13258@heff.fud.org.nz> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050531235849.GA13258@heff.fud.org.nz> User-Agent: Mutt/1.5.6i Cc: pf@freebsd.org, hackers@freebsd.org, net@freebsd.org Subject: Re: RFC: if_bridge X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Jun 2005 00:18:34 -0000 On Wed, Jun 01, 2005 at 11:58:49AM +1200, Andrew Thompson wrote: > On Tue, May 31, 2005 at 07:48:16PM -0400, Brian Fundakowski Feldman wrote: > > On Tue, May 31, 2005 at 11:25:54AM +1200, Andrew Thompson wrote: > > > Hi, > > > > > > I am looking for testers and code review for if_bridge, the bridge > > > implementation from NetBSD (and OpenBSD). 
> > > > > > The patch and instructions can be found at: > > > > > > http://people.freebsd.org/~thompsa/ > > > > > > > Some of these have since been fixed by you or I, but the most serious > > is the deadlock caused by not having consistency in data access > > between the input/output interfaces attached to the bridge and the > > bridge interface itself. It was quite simple to reproduce using IPFW > > dynamic rules and two fxp(4). The situation that occurs is the input > > path having locked the bridge, then the interface, and the output path > > locking the real interface and then trying to lock the bridge. It > > can be fixed by deferring the if_start(9), but having not run it with > > WITNESS I'm not certain that is the only big problem. > > > > Ideally, there should be a global bridge-list shared/exclusive lock > > and per-bridge shared/exclusive locks. This will require a fair bit > > of code churn... but the current state is largely not productionable > > on FreeBSD thanks to a locking versus IPL model being used in the > > kernel versus the if_bridge(4) code having been structured for IPL. > > > > Have you looked at the patch above, I have been using bridge-list and > per-bridge locks for about a week now. There have been a couple of > changes from the original patch you have, are you able to re-test? I only skimmed it enough to see you had fixed one of the issues (bridge_rtable_fini() asserting a lock it did not own) but not the issue where you simply cannot call or be called from both directions with regard to a bridged interface. Unfortunately, I don't think there's a 100% reliable way to defer if_start() calls :-/ -- Brian Fundakowski Feldman \'[ FreeBSD ]''''''''''\ <> green@FreeBSD.org \ The Power to Serve! \ Opinions expressed are my own. 
\,,,,,,,,,,,,,,,,,,,,,,\ From owner-freebsd-pf@FreeBSD.ORG Wed Jun 1 02:23:51 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9F16916A41C for ; Wed, 1 Jun 2005 02:23:51 +0000 (GMT) (envelope-from blauziere@gmail.com) Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.193]) by mx1.FreeBSD.org (Postfix) with ESMTP id 23DBB43D48 for ; Wed, 1 Jun 2005 02:23:50 +0000 (GMT) (envelope-from blauziere@gmail.com) Received: by wproxy.gmail.com with SMTP id 69so2511763wra for ; Tue, 31 May 2005 19:23:50 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=HLENkbetMQn7Enr2CNRAdiuTuFlEKQxgDpFXB/5POmcbwao+wfB0gbuUlNhyVPKoLfYJglppPu9MEvw7djYJjXPXK59OXZmPrgKpAj4gLaCUI71M9FOC8iIgVyGs87KGTYnPBtlzwA1JlQl5B8ae0UXEmlRXHnbrfsqubbY0QeM= Received: by 10.54.26.62 with SMTP id 62mr2848735wrz; Tue, 31 May 2005 19:23:50 -0700 (PDT) Received: by 10.54.41.24 with HTTP; Tue, 31 May 2005 19:23:50 -0700 (PDT) Message-ID: Date: Tue, 31 May 2005 22:23:50 -0400 From: Benjamin Lauziere To: freebsd-pf@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Subject: ALTQ on vlan interface X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Benjamin Lauziere List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Jun 2005 02:23:51 -0000 I am trying get ALTQ to work on a vlan interface. 
When I try to load my pf config file I get this error:

fw# pfctl -f /etc/pf.conf
pfctl: vlan50: driver does not support altq

I searched the web and the only relevant thing that I found is this: > > * I have been testing the vlan(4) driver and found that it wouldn't > > get ALTQ-enabled if it was loaded as a separate module instead of > > compiled in kernel. This possibly goes with any network interface > > dynamically loaded and needs further investigations. (This comes from http://daemon.rofug.ro/mailarchive/freebsd-altq.2004-01/msg00006.html) I tried to compile the vlan driver in the kernel by adding "device vlan" in the kernel config file and then recompiling & installing the new kernel but I am getting the same error. My question is: is it possible to have ALTQ working on a vlan interface? And if yes, how? Thanks, Ben From owner-freebsd-pf@FreeBSD.ORG Wed Jun 1 03:22:39 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 06CD316A41C for ; Wed, 1 Jun 2005 03:22:39 +0000 (GMT) (envelope-from sullrich@gmail.com) Received: from rproxy.gmail.com (rproxy.gmail.com [64.233.170.204]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9EE3543D55 for ; Wed, 1 Jun 2005 03:22:38 +0000 (GMT) (envelope-from sullrich@gmail.com) Received: by rproxy.gmail.com with SMTP id a41so2202424rng for ; Tue, 31 May 2005 20:22:37 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=CkHq2KUlP2V7hC/9Sl/WsBdbH67FOhbLpCJ+HoYHRmGwM26NP4wAnNnlKdCI7debYJTITeXOHD2GbauyBXUKK/3ukFrL59+gvHvQ22IB1ma5D3EPwRL5RQyjp+j8zsQQ46T9BFoAkYTxI43NjSS7cWfukb7gesnn/zJ7vZVoDLA= Received: by 10.38.153.45 with SMTP id a45mr7484207rne; Tue, 31 May 2005 20:22:37 -0700 (PDT) Received: by 10.38.207.79 
with HTTP; Tue, 31 May 2005 20:22:37 -0700 (PDT) Message-ID: Date: Tue, 31 May 2005 23:22:37 -0400 From: Scott Ullrich To: Benjamin Lauziere In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: Cc: freebsd-pf@freebsd.org Subject: Re: ALTQ on vlan interface X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Scott Ullrich List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Jun 2005 03:22:39 -0000 On 5/31/05, Benjamin Lauziere wrote: > I am trying to get ALTQ to work on a vlan interface. When I try to load > my pf config file I get this error: > > fw# pfctl -f /etc/pf.conf > pfctl: vlan50: driver does not support altq > > I searched the web and the only relevant thing that I found is this: > > > > * I have been testing the vlan(4) driver and found that it wouldn't > > > get ALTQ-enabled if it was loaded as a separate module instead of > > > compiled in kernel. This possibly goes with any network interface > > > dynamically loaded and needs further investigations. > > (This comes from > http://daemon.rofug.ro/mailarchive/freebsd-altq.2004-01/msg00006.html) > > I tried to compile the vlan driver in the kernel by adding "device > vlan" in the kernel config file and then recompiling & installing the > new kernel but I am getting the same error. > > My question is: is it possible to have ALTQ working on a vlan interface > ? And if yes, how ? Have you tried http://www.pfsense.com/downloads/patches/altq-vlan-patch.diff ? 
Regards,
Scott

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 1 04:37:47 2005
From: Jon Simola
To: Benjamin Lauziere
Cc: freebsd-pf@freebsd.org
Date: Tue, 31 May 2005 21:31:06 -0700
Message-ID: <8eea040805053121312cb41e05@mail.gmail.com>
Subject: Re: ALTQ on vlan interface

On 5/31/05, Benjamin Lauziere wrote:
> I am trying to get ALTQ to work on a vlan interface. When I try to load
> my pf config file I get this error:

Heh, I asked this exact question before, and even wrote up some patches, but the "official" word is from Max Laier:

http://lists.freebsd.org/mailman/htdig/freebsd-net/2005-February/006456.htm

Here are the bits from my pf.conf (vlan100's parent is em1):

altq on em0 cbq bandwidth 100Mb queue { default_ext, throttle_ext }
queue default_ext qlimit 200 cbq(default)
queue throttle_ext bandwidth 128Kb cbq(red ecn)

altq on em1 cbq bandwidth 100Mb queue { default_int, throttle_int, e10_int }
queue default_int cbq(default)
queue throttle_int bandwidth 128Kb cbq(ecn)
queue e10_int bandwidth 9Mb cbq(ecn)

pass out quick on em0 from to any keep state queue throttle_ext
pass out on em0
pass in on vlan100 keep state
pass out quick log on vlan100 from any to keep state queue throttle_int
pass out on vlan100 keep state

--
Jon Simola
Systems Administrator
ABC Communications

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 1 08:44:58 2005
From: "Constant, Benjamin"
To: freebsd-pf@freebsd.org
Date: Wed, 1 Jun 2005 10:44:49 +0200
Subject: ALTQ on carp + pfsync?
Hello @list,

I have 2 interfaces (internal em0 and external em1) on a FreeBSD 5.4 (stable) box acting as a router + traffic shaper.

- pfsync is using the internal interface (I don't have 3 NICs in the box) to exchange data.
- ALTQ is enabled on the external interface (em1).
- CARP is in use on both interfaces (in failover mode).

I'm currently using the CBQ scheduler for the traffic shaping, and as I have no specific rule for the carp and pfsync protocols, I think this traffic is falling into the default (mandatory) cbq child queue (which of course doesn't have the biggest priority).

Is there a good way to avoid traffic shaping on the carp and pfsync protocols? Do I have to *split* my interface's real bandwidth in 2? One part for real traffic shaping and the other part for carp + pfsync? How do you deal with this?

I would be happy to share comments on this...

Regards,
Benjamin Constant
TI Automotive

The information contained in this transmission may contain privileged and confidential information. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. This communication is from TI Automotive.
From owner-freebsd-pf@FreeBSD.ORG Wed Jun 1 09:19:51 2005
From: Daniel Hartmeier
To: "Constant, Benjamin"
Cc: freebsd-pf@freebsd.org
Date: Wed, 1 Jun 2005 11:19:48 +0200
Message-ID: <20050601091948.GA15431@insomnia.benzedrine.cx>
Subject: Re: ALTQ on carp + pfsync?

On Wed, Jun 01, 2005 at 10:44:49AM +0200, Constant, Benjamin wrote:
> - pfsync is using the internal interface (I don't have 3 NICs in the box) to
> exchange data.
> - ALTQ is enabled on the external interface (em1).
> - CARP is in use on both interfaces (in failover mode).
>
> I'm currently using the CBQ scheduler for the traffic shaping, and as I have no
> specific rule for the carp and pfsync protocols,
> I think this traffic is falling into the default (mandatory) cbq child queue
> (which of course doesn't have the biggest priority).

If you have ALTQ enabled only on the external interface, and pfsync uses only the internal interface, the pfsync traffic is not queued at all (i.e. not using up any bandwidth in any queue on the external interface), and the problem just doesn't exist. Or what did I misunderstand?

CARP doesn't itself generate significant traffic, you don't need to worry about that (unless the external interface is so saturated that CARP traffic can't get through at all, causing failovers). You could simply give CARP traffic the highest priority (using a top-level priority queue, possibly) in that case.

Daniel

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 2 07:11:15 2005
From: "Constant, Benjamin"
To: 'Daniel Hartmeier'
Cc: freebsd-pf@freebsd.org
Date: Thu, 2 Jun 2005 09:11:08 +0200
Subject: RE: ALTQ on carp + pfsync?
You are right and this is logical: pfsync is not impacted at all, as it is using the internal interface. It is also true that tcpdump is not showing much traffic for CARP. I will assign this type of traffic to the queue with the highest priority.

I still have some questions regarding CARP. Do you know why I see so many messages like this one in the kernel log?

I have another big problem: I'm currently using two different hardware platforms for the router boxes. The master router is a dual P4 Xeon (HTT enabled) using 2 em interfaces (SCSI RAID, amr). The backup router is a single P4 (HTT enabled) using 2 em interfaces (SATA RAID, asr). They are both running FreeBSD 5.4-STABLE with the same kernel configuration:

backup router: 5.4-STABLE FreeBSD 5.4-STABLE #1: Tue May 31 08:53:13 BST 2005
master router: 5.4-STABLE FreeBSD 5.4-STABLE #10: Wed Jun 1 11:44:51 BST 2005

When the router crashes, it does not always panic; I just lose access to it (kbd, network, ...).

Here are some results of other tests I made yesterday:

SMP on + CARP on = crash
SMP off + CARP on = ok
SMP on + CARP off = ok

I have a spare box on which I'm able to reproduce the problem, so I don't think it is hardware related. I'll be happy to help debug the problem, just let me know how to...

Regards,
Benjamin Constant
TI Automotive

> -----Original Message-----
> From: Daniel Hartmeier [mailto:daniel@benzedrine.cx]
> Sent: Wednesday 1 June 2005 11:20
> To: Constant, Benjamin
> Cc: freebsd-pf@freebsd.org
> Subject: Re: ALTQ on carp + pfsync?
>
> On Wed, Jun 01, 2005 at 10:44:49AM +0200, Constant, Benjamin wrote:
>
> > - pfsync is using the internal interface (I don't have 3 NICs in the box) to
> > exchange data.
> > - ALTQ is enabled on the external interface (em1).
> > - CARP is in use on both interfaces (in failover mode).
> >
> > I'm currently using the CBQ scheduler for the traffic shaping, and as I have
> > no specific rule for the carp and pfsync protocols, I think this traffic
> > is falling into the default (mandatory) cbq child queue (which of course
> > doesn't have the biggest priority).
>
> If you have ALTQ enabled only on the external interface, and
> pfsync uses only the internal interface, the pfsync traffic
> is not queued at all (i.e. not using up any bandwidth in any
> queue on the external interface), and the problem just
> doesn't exist. Or what did I misunderstand?
>
> CARP doesn't itself generate significant traffic, you don't
> need to worry about that (unless the external interface is so
> saturated that CARP traffic can't get through at all, causing
> failovers). You could simply give CARP traffic the highest
> priority (using a top-level priority queue, possibly) in that case.
>
> Daniel
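One way to do what Daniel suggests and Benjamin says he will do, written out as an added example for this thread (it is not Benjamin's or Daniel's configuration): reserve a small CBQ child queue with the highest CBQ priority (7) on the shaped external interface and steer CARP into it with a quick rule, while pfsync is only passed on the unshaped internal interface, where no queue can touch it. The interface roles (em1 external and shaped, em0 internal, CARP on both) follow Benjamin's description; the queue names, the 100Mb link rate, the bandwidth shares and the rule ordering are assumptions.

```conf
# /etc/pf.conf fragment (added example; interface roles follow the thread,
# everything else is assumed: link rate, shares, queue names, rule order)
ext_if = "em1"    # shaped, external, CARP member
int_if = "em0"    # unshaped, internal, carries pfsync (and CARP)

altq on $ext_if cbq bandwidth 100Mb queue { q_carp, q_default, q_bulk }
# 7 is the highest CBQ priority: CARP advertisements are dequeued before
# anything waiting in the lower-priority children, and may borrow if the
# 2% share ever binds
queue q_carp    bandwidth 2%  priority 7 cbq(borrow)
queue q_default bandwidth 68% priority 3 cbq(default borrow)
queue q_bulk    bandwidth 30% priority 1 cbq(borrow)

# CARP (IP protocol 112) on the shaped interface: match before any other
# "pass out" rule so it never falls through to the default queue
pass out quick on $ext_if proto carp keep state queue q_carp
pass in  quick on $ext_if proto carp keep state

# pfsync (IP protocol 240) only on the internal interface, which has no
# altq, so it is never queued. pfsync is unauthenticated: this segment
# must be one that only the two firewalls can reach
pass quick on $int_if proto pfsync

# everything else keeps the old behaviour
pass out on $ext_if keep state queue q_default
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then watch `pfctl -vs queue`: the per-queue packet counters for q_carp should tick up a few times per second on the master while it advertises, which confirms the quick rule is the one matching. The 2% share is never the limit for CARP's few packets per second; the point is that a full q_default no longer holds the advertisements behind bulk traffic long enough for the backup to miss them and take over.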
From owner-freebsd-pf@FreeBSD.ORG Fri Jun 3 11:58:46 2005
From: Yar Tikhiy
To: freebsd-pf@freebsd.org
Date: Fri, 3 Jun 2005 15:58:43 +0400
Message-ID: <20050603115843.GA15561@comp.chem.msu.su>
Subject: Fwd: pfsync and asymmetric paths

Hi folks,

I wrote the following mail to Ryan McBride, but he is likely to be busy, so I'd like to present it here, too, for the sake of keeping the audience informed, as well as in the hope of it reaching someone with a clue. Anyway, I'm going to start hacking around this issue in a couple of weeks, when I get some free time, because it really bites me in my network setup.

----- Forwarded message from Yar Tikhiy -----

Let's consider the following reference configuration:

                     net2            net1
                       |   +-----+     |
                       +---+ pf1 +-----+
                       |   +--+--+     |
    +--------+         |      |        |   +---------+
    | client +---------+   pfsync      +---+ gateway +====> Internet
    +--------+         |      |        |   +---------+
                       |   +--+--+     |
                       +---+ pf2 +-----+
                       |   +-----+     |

Let's assume that routes are as follows:

on gateway: net2 reachable via pf1
on client:  default route via pf2

So we have a simple asymmetric routing case where traffic from client to Internet goes via pf2 while traffic from Internet to client goes back via pf1. In the real world, such a case can appear if the network runs a routing protocol and both client and gateway can choose either of the equal paths via pf1 and pf2.

According to my observations in OpenBSD 3.7, the PF state table doesn't seem to converge on pf1 and pf2 in this case despite pfsync being active between them. For an open TCP session, its state on pf1 is promoted as far as ESTABLISHED:SYN_SENT while its state on pf2 never reaches beyond SYN_SENT:CLOSED. As soon as the TCP session finishes, pf1 gets stuck in CLOSING:CLOSING while pf2 reaches CLOSING:CLOSED.

This looks as though pf1 and pf2 won't re-broadcast a state received from pfsync even if the state gets promoted locally due to a network packet seen by this router.

Is it by design? I'd like to make the asymmetric configuration functional if possible at all, but I've been unable to find any background information on the issue, such as mailing list discussions or whatever.

Thank you in advance!

----- End forwarded message -----

--
Yar

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 3 13:07:45 2005
From: "Greg Hennessy"
Date: Fri, 3 Jun 2005 14:07:41 +0100
In-Reply-To: <20050603115843.GA15561@comp.chem.msu.su>
Message-Id: <20050603130741.D427416@gw2.local.net>
Subject: RE: pfsync and asymmetric paths

> Is it by design? I'd like to make the asymmetric
> configuration functional if possible at all, but I've been
> unable to find any background information on the issue, such
> as mailing list discussions or whatever.

Silly question, why are you not using CARP and using the virtual IP as the egress/ingress next hop on both sides?

Greg
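The state divergence Yar reports can be reproduced in a small model of pf's TCP peer-state tracking. What follows is an added example for this thread, not pf or pfsync source and not something any poster ran: it applies the SYN/FIN/ACK/RST update rules of pf_tcp_track_full() to two copies of one state, feeds pf2 only the client's packets and pf1 only the server's, and lets a `rebroadcast` switch decide whether pf1 re-advertises a state it learned from pfsync after promoting it locally, which is the behaviour Yar suspects is missing. The sequence-number and window checks that precede those rules in pf, the merge rule for an incoming pfsync update (keep the more advanced state of each peer) and the packet trace are assumptions of the model.

```python
"""Model of pf's TCP peer-state tracking when two pfsync'd firewalls each
see only one direction of a flow (pf1: server->client, pf2: client->server).
Constructed example for the asymmetric-routing question in the thread, not
pf or pfsync source. Per-packet transitions follow the state-update rules
of pf_tcp_track_full() in pf.c; the sequence/window checks that precede
them are omitted. The pfsync merge rule (keep the more advanced state of
each peer) and the `rebroadcast` behaviour are assumptions of the model."""
from enum import IntEnum


class S(IntEnum):
    """Subset of the BSD TCPS_* values that pf uses for peer states."""
    CLOSED = 0
    SYN_SENT = 2
    ESTABLISHED = 4
    CLOSING = 7      # pf: a FIN was seen from this peer
    FIN_WAIT_2 = 9   # pf: this peer's FIN has been acknowledged
    TIME_WAIT = 10


FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10  # TCP header flag bits


class PfState:
    """One pf state entry: `src` is the peer that sent the first SYN (the
    client), `dst` the server. Printed as pf's "src:dst" state pair."""

    def __init__(self, src=S.SYN_SENT, dst=S.CLOSED):
        # pf creates a TCP state on the initial SYN as SYN_SENT:CLOSED
        self.src, self.dst = src, dst

    def __str__(self):
        return f"{self.src.name}:{self.dst.name}"

    def track(self, from_client, flags):
        """Apply one packet. For the update, the sending peer plays the
        role of pf's 'src' and the receiving peer that of 'dst'."""
        s, d = (self.src, self.dst) if from_client else (self.dst, self.src)
        if flags & SYN and s < S.SYN_SENT:
            s = S.SYN_SENT
        if flags & FIN and s < S.CLOSING:
            s = S.CLOSING
        if flags & ACK:
            if d == S.SYN_SENT:          # this ACK completes the peer's SYN
                d = S.ESTABLISHED
            elif d == S.CLOSING:         # this ACK acknowledges the peer's FIN
                d = S.FIN_WAIT_2
        if flags & RST:
            s = d = S.TIME_WAIT
        if from_client:
            self.src, self.dst = s, d
        else:
            self.dst, self.src = s, d
        return self

    def merge(self, update):
        """Take a pfsync update: keep the more advanced state per peer
        (assumed merge rule, see module docstring)."""
        self.src = max(self.src, update.src)
        self.dst = max(self.dst, update.dst)
        return self


# Constructed packet trace, (from_client, flags): 3-way handshake, then the
# server closes first and the client acknowledges and sends its own FIN.
HANDSHAKE = [(True, SYN), (False, SYN | ACK), (True, ACK)]
TEARDOWN = [(False, FIN | ACK), (True, ACK), (True, FIN | ACK)]


def simulate(packets, rebroadcast):
    """Run the trace through both firewalls and return (pf1, pf2) as
    "src:dst" strings. pf2 creates the state on the client's SYN and owns
    it; pf1 only ever gets it via pfsync. With rebroadcast=False pf1 keeps
    its local promotions to itself (the behaviour the post suspects); with
    rebroadcast=True every local change is advertised to the other peer."""
    assert packets[0] == (True, SYN), "trace must start with the client SYN"
    pf2 = PfState()                 # created locally from the SYN
    pf1 = PfState().merge(pf2)      # pf1 learns it from pfsync
    for from_client, flags in packets[1:]:
        if from_client:             # client->Internet is routed via pf2
            pf2.track(True, flags)
            pf1.merge(pf2)          # pf2 created the state, so it advertises
        else:                       # Internet->client comes back via pf1
            pf1.track(False, flags)
            if rebroadcast:
                pf2.merge(pf1)
    return str(pf1), str(pf2)


if __name__ == "__main__":
    for label, trace in (("after handshake", HANDSHAKE),
                         ("after teardown", HANDSHAKE + TEARDOWN)):
        for rb in (False, True):
            pf1, pf2 = simulate(trace, rb)
            print(f"{label:15} rebroadcast={rb!s:5} pf1={pf1:22} pf2={pf2}")
```

Run as a script, the rebroadcast=False rows read ESTABLISHED:SYN_SENT / SYN_SENT:CLOSED after the handshake and CLOSING:CLOSING / CLOSING:CLOSED after teardown, the four states Yar lists; with rebroadcast=True both peers converge to the same pair at every step. The model only shows that the missing re-advertisement is sufficient to produce the observed states; whether a real pfsync update is merged as "max per peer", and where the re-advertisement is suppressed, is something to confirm in the pfsync source before drawing conclusions from the second case.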