From owner-freebsd-pf@FreeBSD.ORG Sun Dec 25 23:53:16 2005
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Mon, 26 Dec 2005 00:53:24 +0100
References: <43AAFA9A.3070808@dequim.ist.utl.pt> <200512222217.32015.max@love2party.net>
In-Reply-To: <200512222217.32015.max@love2party.net>
Message-Id: <200512260053.30288.max@love2party.net>
Subject: Re: connections weirdness
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Thursday 22 December 2005 22:17, Max Laier wrote:
> On Thursday 22 December 2005 20:12, Bruno Afonso wrote:
> > Hey guys (and gals!),
> >
> > I'm hitting what seems to be a bug on PF @
> > FreeBSD 6-stable:
> >
> > 6.0-STABLE FreeBSD 6.0-STABLE #0: Sun Nov 20 05:14:34 WET 2005
> >
> > If I do a pfctl -vvsS | grep connections I get some lines like this:
> >
> > 10.10.11.208 -> 0.0.0.0 ( states 3, connections 4294967295, rate 0.0/0s )
> > 10.10.13.213 -> 0.0.0.0 ( states 2, connections 4294967294, rate 0.0/0s )
> >
> > 10.10.14.236 -> 0.0.0.0 ( states 96, connections 4294967013, rate 0.0/0s )
> > 10.10.12.238 -> 0.0.0.0 ( states 9, connections 4294967281, rate 0.0/0s )
> >
> > I also get a normal number of connections, like 2, 10, 20, 30, etc. Now,
> > this number is completely insane, especially if we take into account the
> > rule that creates it:
> >
> > ala# pfctl -vvsS |grep 10.10.11.208 -A1
> > 10.10.11.208 -> 0.0.0.0 ( states 1, connections 1, rate 0.0/0s )
> >   age 02:22:00, 657 pkts, 39752 bytes, filter rule 171
> > --
> > 10.10.11.208 -> 0.0.0.0 ( states 1, connections 4294967295, rate 0.0/0s )
> >   age 02:22:15, 618 pkts, 52535 bytes, filter rule 148
> >
> > ala# pfctl -vvsr |grep @148 -A1
> > @148 pass in log on fxp0 from to any keep state
> >   (max 5000, source-track rule, max-src-states 120, max-src-conn 100)
> >   queue p2p
> >   [ Evaluations: 43699 Packets: 353469 Bytes: 122287213 States: 210 ]
> >
> >
> > I have been seeing this on rules in which I use max-src-conn but not on
> > others. So, what might be happening here? Hasn't anyone seen this
> > before? Also notice how similar the connections are, with the first 7
> > numbers equal.
>
> This is an underflow of the connection counter which is fixed in OpenBSD's
> pf.c rev. 1.499. Unfortunately, the fix involves breaking ABI and thus is
> not easily imported. Here is a local fix - please try and report back.

FYI: Committed to HEAD, MFC count down 3 days - please test!
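A check for the counter underflow Max describes above, added here as example code (not from this thread and not part of pf): it parses the source-tracking entries printed by "pfctl -vvsS", reinterprets each 32-bit connections counter as a signed value, and lists the rules whose entries have wrapped below zero. The sample output is constructed in the shape Bruno quoted; addresses, counters and rule numbers are made up.

```python
import re

# Constructed sample in the shape of `pfctl -vvsS` source-tracking output
# (addresses, counters and rule numbers are made up for this example).
SAMPLE_PFCTL_OUTPUT = """\
10.10.11.208 -> 0.0.0.0 ( states 1, connections 1, rate 0.0/0s )
  age 02:22:00, 657 pkts, 39752 bytes, filter rule 171
10.10.11.208 -> 0.0.0.0 ( states 1, connections 4294967295, rate 0.0/0s )
  age 02:22:15, 618 pkts, 52535 bytes, filter rule 148
10.10.14.236 -> 0.0.0.0 ( states 96, connections 4294967013, rate 0.0/0s )
  age 00:10:02, 12000 pkts, 900000 bytes, filter rule 148
10.10.13.5 -> 0.0.0.0 ( states 2, connections 2, rate 0.0/0s )
  age 00:01:00, 40 pkts, 3000 bytes, filter rule 150
"""

# First line of an entry: "<src> -> <dst> ( states N, connections N, rate ... )"
ENTRY_RE = re.compile(
    r"^(?P<src>\S+) -> (?P<dst>\S+) \( states (?P<states>\d+), "
    r"connections (?P<conns>\d+), rate [^)]*\)$"
)
# The indented line below it names the rule that created the source node.
RULE_RE = re.compile(r"filter rule (?P<rule>\d+)")

U32_MOD = 1 << 32


def to_signed32(value):
    """Reinterpret an unsigned 32-bit counter as signed: 4294967295 -> -1."""
    value %= U32_MOD
    return value - U32_MOD if value >= (1 << 31) else value


def parse_source_tracking(text):
    """Pair each source-tracking line with the 'filter rule N' line below it."""
    entries = []
    current = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            current = {
                "src": m["src"],
                "dst": m["dst"],
                "states": int(m["states"]),
                "connections": int(m["conns"]),
                "rule": None,
            }
            entries.append(current)
            continue
        r = RULE_RE.search(line)
        if r and current is not None:
            current["rule"] = int(r["rule"])
    return entries


def find_underflows(entries):
    """Entries whose connections counter has wrapped past zero.

    A healthy counter is a small number; a wrapped one sits just below 2^32,
    which is negative when the 32 bits are read as a signed integer.
    """
    hits = []
    for e in entries:
        signed = to_signed32(e["connections"])
        if signed < 0:
            hits.append({**e, "signed": signed})
    return hits


def rules_affected(underflows):
    """Distinct rule numbers whose source nodes show a wrapped counter."""
    return sorted({u["rule"] for u in underflows if u["rule"] is not None})


if __name__ == "__main__":
    bad = find_underflows(parse_source_tracking(SAMPLE_PFCTL_OUTPUT))
    for u in bad:
        print(f"{u['src']}: connections {u['connections']} "
              f"(signed {u['signed']}), rule {u['rule']}")
    print("rules affected:", rules_affected(bad))
```

Feeding real "pfctl -vvsS" output into parse_source_tracking() tells you which rules (max-src-conn rules, per the thread) are hitting the bug before and after applying the fix.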
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 26 02:49:30 2005
From: Forrest Aldrich
To: pf@freebsd.org
Date: Sun, 25 Dec 2005 21:51:26 -0500
Message-ID: <43AF5AAE.6040200@forrie.com>
Subject: Block rule not working...
My pf.conf is below.

I have this idiot at 24.147.135.133 who has been attempting to break my
webserver for about a week - presumably he's running some script. Port
80 of his machine has an impressive MP3 collection.

Comcast doesn't care, so my reports have been unheard.

I have rules to block this /24, but he manages to get through anyway.
First, I block via a negation to the table, second I have an
explicit block rule to block all traffic from anyone in that table.

Since the block rule comes first before the "pass" rule below, I would
presume it would work.

I can match it in the table, it's there.

Can anyone tell me what's wrong with the rules so I can correct this ASAP.

Thank you.

ext_if = "fxp0"
int_if = "em0"
prv_if = "em0"
server = "192.168.1.2/32"
ext_ad = "xx.xx.xx.xx/32"
prv_ad = "192.168.1.2/32"
prv_net = "192.168.1.0/24"

tcp_services = "imap, imaps, smtp, smtps"

set require-order yes
set limit { frags 30000, states 25000 }
set block-policy drop
set optimization normal

set timeout tcp.first 20
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }

table persist file "/etc/pf.d/spammers" \
        file "/etc/pf.d/abuse" \
        file "/etc/pf.d/geoip"

table persist file "/etc/pf.d/spammers"
*
table persist file "/etc/pf.d/abuse"*

table persist file "/etc/pf.d/spammers"

scrub all reassemble tcp no-df
scrub in all fragment reassemble
scrub out all random-id

nat on $ext_if from $int_if:network to any -> ($ext_if)

rdr on $ext_if inet proto tcp from ! to ($ext_if) \
        port { $tcp_services } -> $server

*rdr on $ext_if inet proto tcp from ! to ($ext_if) \
        port 80 -> $server port 80*

*rdr on $ext_if inet proto tcp from !
        to ($ext_if) \
        port 443 -> $server port 443*

antispoof quick for $ext_if

set skip on lo0

block log all
*block in quick on $ext_if from to any*
block in quick on $ext_if proto tcp from to port { smtp, smtps, imap, imaps }

pass quick on $int_if inet all keep state

pass in on $ext_if inet proto tcp from any to any port { $tcp_services } \
        modulate state

pass in on $ext_if inet proto tcp from any to any port { 80, 443 } modulate state

pass in on $ext_if inet proto udp all keep state

pass in on $ext_if inet proto icmp icmp-type 8 code 0 keep state (max 32)

pass out quick on $ext_if inet proto tcp all \
        keep state

pass out quick on $ext_if inet proto udp all keep state

pass out quick on $ext_if inet proto icmp icmp-type 8 code 0 keep state

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 26 11:02:32 2005
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 26 Dec 2005 11:02:23 GMT
Message-Id: <200512261102.jBQB2Nep018162@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2005/06/15] kern/82271  pf    [pf] cbq scheduler cause bad latency
f [2005/07/31] kern/84370  pf    [modules] Unload pf.ko cause page fault
f [2005/09/13] kern/86072  pf    [pf] Packet Filter rule not working prope

3 problems total.

Non-critical problems
S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2005/05/15] conf/81042  pf    [pf] [patch] /etc/pf.os doesn't match Fre
o [2005/12/09] kern/90148  pf    [pf] pf_enable="YES" -> Fatal trap 12: pa

2 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Dec 26 20:47:32 2005
From: Forrest Aldrich
To: pf@freebsd.org
Date: Mon, 26 Dec 2005 15:49:17 -0500
Message-ID: <43B0574D.30406@forrie.com>
Subject: Block rule not working...

My pf.conf is below.

I have this idiot at 24.147.135.133 who has been attempting to break my
webserver for about a week - presumably he's running some script. Port
80 of his machine has an impressive MP3 collection.

Comcast doesn't care, so my reports have been unheard.

I have rules to block this /24, but he manages to get through anyway.
First, I block via a negation to the table, second I have an
explicit block rule to block all traffic from anyone in that table.

Since the block rule comes first before the "pass" rule below, I would
presume it would work.

I can match it in the table, it's there.

Can anyone tell me what's wrong with the rules so I can correct this ASAP.

Thank you.

ext_if = "fxp0"
int_if = "em0"
prv_if = "em0"
server = "192.168.1.2/32"
ext_ad = "xx.xx.xx.xx/32"
prv_ad = "192.168.1.2/32"
prv_net = "192.168.1.0/24"

tcp_services = "imap, imaps, smtp, smtps"

set require-order yes
set limit { frags 30000, states 25000 }
set block-policy drop
set optimization normal

set timeout tcp.first 20
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }

table persist file "/etc/pf.d/spammers" \
        file "/etc/pf.d/abuse" \
        file "/etc/pf.d/geoip"

table persist file "/etc/pf.d/spammers"
*
table persist file "/etc/pf.d/abuse"*

table persist file "/etc/pf.d/spammers"

scrub all reassemble tcp no-df
scrub in all fragment reassemble
scrub out all random-id

nat on $ext_if from $int_if:network to any -> ($ext_if)

rdr on $ext_if inet proto tcp from ! to ($ext_if) \
        port { $tcp_services } -> $server

*rdr on $ext_if inet proto tcp from ! to ($ext_if) \
        port 80 -> $server port 80*

*rdr on $ext_if inet proto tcp from !
        to ($ext_if) \
        port 443 -> $server port 443*

antispoof quick for $ext_if

set skip on lo0

block log all
*block in quick on $ext_if from to any*
block in quick on $ext_if proto tcp from to port { smtp, smtps, imap, imaps }

pass quick on $int_if inet all keep state

pass in on $ext_if inet proto tcp from any to any port { $tcp_services } \
        modulate state

pass in on $ext_if inet proto tcp from any to any port { 80, 443 } modulate state

pass in on $ext_if inet proto udp all keep state

pass in on $ext_if inet proto icmp icmp-type 8 code 0 keep state (max 32)

pass out quick on $ext_if inet proto tcp all \
        keep state

pass out quick on $ext_if inet proto udp all keep state

pass out quick on $ext_if inet proto icmp icmp-type 8 code 0 keep state

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 27 08:48:24 2005
From: Alberto Alesina
To: freebsd-pf@freebsd.org
Date: Tue, 27 Dec 2005 00:48:23 -0800 (PST)
Message-ID: <20051227084823.28384.qmail@web32611.mail.mud.yahoo.com>
Subject: tracking half-open connections

Hello,

For minimizing effects of SYN flood attacks, is there a way in PF to limit
the number of possible "half-open" TCP connections to protect servers
offering public services from SYN flood attacks from spoofed IP source
addresses?

Turning on PF synproxy filter rule flag and choosing aggressive timeouts
seems a good defense against SYN flood attacks, but I was curious if there
are any options similar to some commercial firewall vendors, where after a
configured maximum threshold of "half-open" connections is exceeded, new
connection setup requests cause an existing (either the oldest or random)
half-open TCP connection to be dropped (with the corresponding RST to the
server to clear the entry) before any new connection is allowed through.
Is overwhelming the system (by causing generation of RST's) a pitfall of
such an approach and hence the reason not to implement it?

Appreciate your time. Thanks a lot.
- Alberto Alesina
From owner-freebsd-pf@FreeBSD.ORG Tue Dec 27 12:24:50 2005
From: "Anton Butsyk"
To: freebsd-pf@freebsd.org
Date: Tue, 27 Dec 2005 14:25:11 +0200 (EET)
Message-ID: <57558.193.110.17.129.1135686311.squirrel@mail.etsplus.net>
In-Reply-To: <20051227084823.28384.qmail@web32611.mail.mud.yahoo.com>
References: <20051227084823.28384.qmail@web32611.mail.mud.yahoo.com>
Subject: Re: tracking half-open connections

> Hello,
> For minimizing effects of SYN flood attacks, is there
> a way in PF to limit the number of possible
> "half-open" TCP connections to protect servers
> offering public services from SYN flood attacks from
> spoofed IP source addresses?
>
> Turning on PF synproxy filter rule flag and choosing
> aggressive timeouts seems a good defense against SYN
> flood attacks, but I was curious if there are any
> options similar to some commercial firewall vendors,
> where after a configured maximum threshold of
> "half-open" connections is exceeded, new connection
> setup requests cause an existing (either the oldest or
> random) half-open TCP connection to be dropped (with
> the corresponding RST to the server to clear the
> entry) before any new connection is allowed through.
> Is overwhelming the system (by causing generation of
> RST's) a pitfall of such an approach and hence the
> reason not to implement it?
>
> Appreciate your time. Thanks a lot.
> - Alberto Alesina

Hi!

man pf.conf will help you

options:
set timeout { tcp.first 10, tcp.opening 20 }
or
set optimization aggressive

follow the same man page
... synproxy state option can be used to cause pf itself to complete the
handshake ... No packets are sent to the passive endpoint before the active
endpoint has completed the handshake, hence so-called SYN floods with
spoofed source...

I wonder what kind of options present in "commercial firewall vendors"
doesn't exist in pf?
-- 
Regards,
Anton Butsyk
http://studiori.net/

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 27 12:26:09 2005
From: Daniel Hartmeier
To: Alberto Alesina
Cc: freebsd-pf@freebsd.org
Date: Tue, 27 Dec 2005 13:25:47 +0100
Message-ID: <20051227122546.GE81@insomnia.benzedrine.cx>
References: <20051227084823.28384.qmail@web32611.mail.mud.yahoo.com>
In-Reply-To: <20051227084823.28384.qmail@web32611.mail.mud.yahoo.com>
Subject: Re: tracking half-open connections

On Tue, Dec 27, 2005 at 12:48:23AM -0800, Alberto Alesina wrote:

> Turning on PF synproxy filter rule flag and choosing
> aggressive timeouts seems a good defense against SYN
> flood attacks, but I was curious if there are any
> options similar to some commercial firewall vendors,
> where after a configured maximum threshold of
> "half-open" connections is exceeded, new connection
> setup requests cause an existing (either the oldest or
> random) half-open TCP connection to be dropped (with
> the corresponding RST to the server to clear the
> entry) before any new connection is allowed through.
> Is overwhelming the system (by causing generation of
> RST's) a pitfall of such an approach and hence the
> reason not to implement it?

Using synproxy state (max) and aggressive tcp.first/opening timeouts on
that particular rule achieves just that effect, doesn't it?

The attacker sending a flood of spoofed SYNs from different source addresses
creates state entries, but can't deliver a single SYN to the real server
(hence, not allocating any resources on the server), up to the point where
the rule's max limit is reached.

After that, the attacker and legitimate client race for new empty slots in
the state table (quickly generated due to the aggressive timeouts).

Unlike with a 'remove random half-open state on overflow' scheme, the
legitimate client is guaranteed to get a working connection when

  a) it (randomly) gets a free slot in the state table, and
  b) it completes the handshake before the (aggressive) timeout expires

If the attacker has such overwhelming bandwidth that he can cause most
legitimate client packets to get dropped upstream of you, either scheme will
fail similarly, like in a plain DoS flood case.

So, how is synproxy not the best possible solution in this case? How would
the other scheme (passing the SYN to the real server, generating RSTs to the
server on overflow) have ANY advantage, in ANY case?
Ignoring the non-technical "advantage" of providing a feature present in a
competitor's product for the mere sake of marketing (which you'll have to
excuse me for completely ignoring ;)

Daniel

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 27 12:28:40 2005
From: "Anton Butsyk"
To: pf@freebsd.org
Date: Tue, 27 Dec 2005 14:29:02 +0200 (EET)
Message-ID: <56746.193.110.17.129.1135686542.squirrel@mail.etsplus.net>
In-Reply-To: <43B0574D.30406@forrie.com>
References: <43B0574D.30406@forrie.com>
Subject: Re: Block rule not working...

> My pf.conf is below.
>
> I have this idiot at 24.147.135.133 who has been attempting to break my
> webserver for about a week - presumably he's running some script. Port
> 80 of his machine has an impressive MP3 collection.
>
> Comcast doesn't care, so my reports have been unheard.
>
> I have rules to block this /24, but he manages to get through anyway.
> First, I block via a negation to the table, second I have an
> explicit block rule to block all traffic from anyone in that table.
>
> Since the block rule comes first before the "pass" rule below, I would
> presume it would work.
>
> I can match it in the table, it's there.
>
> Can anyone tell me what's wrong with the rules so I can correct this ASAP.
>
>
> Thank you.
>
>
> ext_if = "fxp0"
> int_if = "em0"
> prv_if = "em0"
> server = "192.168.1.2/32"
> ext_ad = "xx.xx.xx.xx/32"
> prv_ad = "192.168.1.2/32"
> prv_net = "192.168.1.0/24"
>
>
> tcp_services = "imap, imaps, smtp, smtps"
>
>
> set require-order yes
> set limit { frags 30000, states 25000 }
> set block-policy drop
> set optimization normal
>
>
> set timeout tcp.first 20
> set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
>
>
>
> table persist file "/etc/pf.d/spammers" \
>         file "/etc/pf.d/abuse" \
>         file "/etc/pf.d/geoip"
>
> table persist file "/etc/pf.d/spammers"
> *
> table persist file "/etc/pf.d/abuse"*
>
> table persist file "/etc/pf.d/spammers"
>
>
> scrub all reassemble tcp no-df
> scrub in all fragment reassemble
> scrub out all random-id
>
>
>
>
> nat on $ext_if from $int_if:network to any -> ($ext_if)
>
> rdr on $ext_if inet proto tcp from ! to ($ext_if) \
>         port { $tcp_services } -> $server
>
> *rdr on $ext_if inet proto tcp from ! to ($ext_if) \
>         port 80 -> $server port 80*
>
> *rdr on $ext_if inet proto tcp from !
>         to ($ext_if) \
>         port 443 -> $server port 443*
>
>
>
> antispoof quick for $ext_if
>
> set skip on lo0
>
> block log all
> *block in quick on $ext_if from to any*
> block in quick on $ext_if proto tcp from to port { smtp, smtps,
> imap, imaps }
>
> pass quick on $int_if inet all keep state
>
>
> pass in on $ext_if inet proto tcp from any to any port { $tcp_services } \
>         modulate state
>
> pass in on $ext_if inet proto tcp from any to any port { 80, 443 }
> modulate state
>
>
>
> pass in on $ext_if inet proto udp all keep state
>
> pass in on $ext_if inet proto icmp icmp-type 8 code 0 keep state (max 32)
>
>
> pass out quick on $ext_if inet proto tcp all \
>         keep state
>
> pass out quick on $ext_if inet proto udp all keep state
>
> pass out quick on $ext_if inet proto icmp icmp-type 8 code 0 keep state
> --

Hi, Forrest.

Is pf enabled?
Is $ext_if the interface for 24.147.135.133's packets?

Why don't you try to replace definition with
table const { 24.147.135.133, 24.147.135/24 }
or any addresses you want
and rule without iface:
block in quick from to any

-- 
Regards,
Anton Butsyk
http://studiori.net/

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 29 08:20:39 2005
From: Odhiambo Washington
To: freebsd-pf@freebsd.org
Date: Thu, 29 Dec 2005 11:20:31 +0300
Message-ID: <20051229082031.GA55581@ns2.wananchi.com>
Subject: PF and MAC framework - panic

Hello everyone,

I'm a PF newbie only from this week. I've been using IPFilter all along.

On my 6.0 box acting as a router, I was also playing with Mandatory Access
Control, especially mac_lomac. This seemed to work with IPFilter but the
moment I switched to PF, the machine would panic and reboot.

I had mac_lomac_enable="YES" in /boot/loader.conf. This is after I compiled
a kernel with "options MAC".

In /etc/sysctl.conf I had the following:

security.mac.lomac.enabled=1
security.mac.lomac.revocation_enabled=1
security.mac.lomac.ptys_equal=1

And in /etc/rc.conf, all active interfaces were configured with
"maclabel lomac/equal" added to the ifconfig args.

I'd switch from ipfilter/ipnat to PF by flushing rules in this order:

ipf -Fa
ipnat -FC
pfctl -e
pfctl -f /etc/pf.conf

At this juncture, the box would panic:

panic: mac_lomac_dominate_element: a->mle_type invalid.

A memory dump would then occur and the box reboots.

I went a step ahead: disabled IPFilter in rc.conf and enabled PF and
rebooted. The box would fail to reboot in this case and panic over and over
until I disabled mac_lomac_enable="YES" in /boot/loader.conf, the relevant
entries in rc.conf and sysctl.conf.

Anyone using MAC who can reproduce the same?
-Wash

http://www.netmeister.org/news/learn2quote.html

-- 
Odhiambo Washington
Wananchi Online Ltd. www.wananchi.com
Tel: +254 20 313985-9 +254 20 313922
GSM: +254 722 743223 +254 733 744121

If life is a stage, I want some better lighting.

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 30 12:39:31 2005
Date: Fri, 30 Dec 2005 15:40:27 +0300
From: "Roman Gorohov"
(v3.62.14) Professional Organization: Acropolis X-Priority: 3 (Normal) Message-ID: <191576858.20051230154027@gmail.com> To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: how to include bytes and srcip into pf report X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: "roma.a.g" List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Dec 2005 12:39:31 -0000 Hello, freebsd-pf. Is there any way to make pf, generate reports including srcip and bytes for rules like "pass in log-all quick on $ext_if proto tcp from any to $me port 80"? -- Roman Gorohov mailto:roma.a.g@gmail.com From owner-freebsd-pf@FreeBSD.ORG Fri Dec 30 23:47:48 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6374516A41F for ; Fri, 30 Dec 2005 23:47:48 +0000 (GMT) (envelope-from lbromirski@mr0vka.eu.org) Received: from r2d2.bromirski.net (r2d2.bromirski.net [217.153.57.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id DED8743D5F for ; Fri, 30 Dec 2005 23:47:47 +0000 (GMT) (envelope-from lbromirski@mr0vka.eu.org) Received: from [192.168.0.10] (shield.wesola.pl [62.111.150.246]) by r2d2.bromirski.net (Postfix) with ESMTP id B1ACB108C44; Sat, 31 Dec 2005 00:53:12 +0100 (CET) Message-ID: <43B5C7E1.8060400@mr0vka.eu.org> Date: Sat, 31 Dec 2005 00:50:57 +0100 From: =?ISO-8859-2?Q?=A3ukasz_Bromirski?= User-Agent: Thunderbird 1.5 (Windows/20051206) MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: <20051227084823.28384.qmail@web32611.mail.mud.yahoo.com> <20051227122546.GE81@insomnia.benzedrine.cx> In-Reply-To: <20051227122546.GE81@insomnia.benzedrine.cx> Content-Type: text/plain; charset=ISO-8859-2; format=flowed 
Subject: [feature] ipfw verrevpath/versrcreach?

Hi all,

Is there by any chance work being done on pf to include functionality that
is present in FreeBSD ipfw, that checks if a packet entered the router via
the correct interface as pointed out by the routing table?

I know there is antispoof, but it's a simple check of connected network and
interface address, not a full lookup of the routing table contents. On ipfw
it's called verrevpath (checking if the routing table points, for this
source IP, to the interface it came in on) and versrcreach (the same but
default and blackhole routes don't count).

--
this space was intentionally left blank | Łukasz Bromirski
you can insert your favourite quote here | lukasz:bromirski,net

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 31 00:34:44 2005
From: Olivier Warin <daffy@xview.net>
Date: Sat, 31 Dec 2005 01:34:07 +0100
To: freebsd-pf@freebsd.org
Message-Id: <8669F63F-2290-446E-90AF-C95FE5C17129@xview.net>
In-Reply-To: <43B5C7E1.8060400@mr0vka.eu.org>
References: <20051227084823.28384.qmail@web32611.mail.mud.yahoo.com> <20051227122546.GE81@insomnia.benzedrine.cx> <43B5C7E1.8060400@mr0vka.eu.org>
Subject: Re: [feature] ipfw verrevpath/versrcreach?

Hi,

This feature will help to mitigate DoS attacks, I vote for :-)

verrevpath & versrcreach are references to Cisco's Reverse Path Forwarding
algorithm and were first cited in RFC1812.

I would add that, AFAIK, the partial implementation, antispoof (which is
unable to make the distinction between "strict" & "loose" modes), prevents
pf from being used on Internet eXchange Points, in an ISP-ISP environment
(because of asymmetric routing).

Maybe recent commits in pf related to openbgpd change this?

Regards,

On 31 Dec 05 at 00:50, Łukasz Bromirski wrote:

> Hi all,
>
> Is there by any chance work being done on pf to include functionality
> that is present in FreeBSD ipfw, that checks if a packet entered the
> router via the correct interface as pointed out by the routing table?
>
> I know there is antispoof, but it's a simple check of connected network
> and interface address, not a full lookup of the routing table contents.
> On ipfw it's called verrevpath (checking if the routing table points,
> for this source IP, to the interface it came in on) and versrcreach
> (the same but default and blackhole routes don't count).
>
> --
> this space was intentionally left blank | Łukasz Bromirski
> you can insert your favourite quote here | lukasz:bromirski,net

--
Olivier Warin - http://xview.net
Stay connected !

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 31 00:35:50 2005
From: Daniel Hartmeier <dhartmei@insomnia.benzedrine.cx>
Date: Sat, 31 Dec 2005 01:35:41 +0100
To: Łukasz Bromirski
Cc: freebsd-pf@freebsd.org
Message-ID: <20051231003540.GA17829@insomnia.benzedrine.cx>
References: <20051227084823.28384.qmail@web32611.mail.mud.yahoo.com> <20051227122546.GE81@insomnia.benzedrine.cx> <43B5C7E1.8060400@mr0vka.eu.org>
In-Reply-To: <43B5C7E1.8060400@mr0vka.eu.org>
Subject: Re: [feature] ipfw verrevpath/versrcreach?

On Sat, Dec 31, 2005 at 12:50:57AM +0100, Łukasz Bromirski wrote:

> Is there by any chance work being done on pf to include functionality
> that is present in FreeBSD ipfw, that checks if a packet entered the
> router via the correct interface as pointed out by the routing table?

Not that I know of, no.

Daniel

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 31 01:25:22 2005
From: "Jeremy C. Reed" <reed@pilchuck.reedmedia.net>
Date: Fri, 30 Dec 2005 17:25:21 -0800 (PST)
To: freebsd-pf@freebsd.org
Subject: differences between pf and upstream?
Does FreeBSD have any list of differences between pf and OpenBSD's pf? Or
does it all work and behave the same (at least up to the last version
imported)? (So the same version of PF behaves the same on both platforms?)

Or should I look at all the differences in pf up to OpenBSD's 3.8 version?

It looks like 3.7 is in FreeBSD 6.0 and 3.5 is in FreeBSD 5.x. The pf
chapter in the handbook should update the "warning" to mention the version
for FreeBSD 6.0 also.

I am hoping to work on OpenBSD's PF guide to also mention FreeBSD and note
which items (new features) are specific to OpenBSD. Does anyone know if that
documentation has been worked on before for FreeBSD?

Jeremy C. Reed
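Returning to the verrevpath/versrcreach thread above: as an added example (not code from the thread, from ipfw or from pf), here is a small model of the two reverse-path checks Łukasz describes, following ipfw(8)'s semantics, in which verrevpath is the strict check and versrcreach the loose one. The routing table, interface names and source addresses are constructed; the asymmetric case Olivier raises (best path to a peer's prefix via one link, traffic arriving on another) is the second packet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: Optional[str]      # egress interface; None for a blackhole/reject route
    blackhole: bool = False

def lookup(table, src):
    """Longest-prefix match on the source address; None if nothing matches."""
    addr = ipaddress.ip_address(src)
    candidates = [r for r in table if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)

def verrevpath(table, src, ingress):
    """Strict check: the best route back to src must exit via the ingress interface."""
    r = lookup(table, src)
    return r is not None and not r.blackhole and r.iface == ingress

def versrcreach(table, src):
    """Loose check: some route to src must exist, but the default route and
    blackhole routes do not count; the ingress interface is not consulted."""
    r = lookup(table, src)
    return r is not None and not r.blackhole and r.prefix.prefixlen > 0

# Constructed table for an exchange-point router: peer links em0/em1, upstream em2.
IXP_TABLE = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "em2"),             # default via upstream
    Route(ipaddress.ip_network("198.51.100.0/24"), "em1"),       # peer B's prefix, best path via em1
    Route(ipaddress.ip_network("192.0.2.0/24"), "em0"),          # peer A's prefix
    Route(ipaddress.ip_network("10.0.0.0/8"), None, blackhole=True),  # bogon, blackholed
]

def check_packet(table, src, ingress):
    """Return (strict, loose) verdicts for a packet from src arriving on ingress."""
    return verrevpath(table, src, ingress), versrcreach(table, src)

if __name__ == "__main__":
    # Constructed packets: symmetric, asymmetric, default-route-only, blackholed.
    for src, ingress in [("192.0.2.10", "em0"), ("198.51.100.5", "em0"),
                         ("203.0.113.7", "em2"), ("10.1.2.3", "em0")]:
        strict, loose = check_packet(IXP_TABLE, src, ingress)
        print(f"{src:>14} on {ingress}: verrevpath={strict} versrcreach={loose}")
```

The second packet is legitimate peer traffic that strict mode drops because of the asymmetric path, while loose mode still rejects the unrouted and blackholed sources.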