From owner-freebsd-pf@FreeBSD.ORG Sun Jan 1 11:17:46 2006
From: Björn König
To: Odhiambo Washington
Cc: freebsd-pf@freebsd.org
Date: Sun, 01 Jan 2006 12:17:44 +0100
Message-ID: <43B7BA58.7090000@spray.se>
In-Reply-To: <20051229082031.GA55581@ns2.wananchi.com>
References: <20051229082031.GA55581@ns2.wananchi.com>
Subject: Re: PF and MAC framework - panic
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

Odhiambo Washington wrote:
> Hello everyone,
>
> I'm a PF newbie only from this week. I've been using IPFilter all along.
> On my 6.0 box acting as a router, I was also playing with Mandatory
> Access Control, especially mac_lomac.
> This seemed to work with IPFilter
> but the moment I switched to PF, the machine would panic and reboot.
>
> I had mac_lomac_enable="YES" in /boot/loader.conf. This is after I
> compiled a kernel with "options MAC".
> In /etc/sysctl.conf I had the following:
>
> security.mac.lomac.enabled=1
> security.mac.lomac.revocation_enabled=1
> security.mac.lomac.ptys_equal=1
>
> And in /etc/rc.conf, all active interfaces were configured with
> "maclabel lomac/equal" added to the ifconfig args.
>
> I'd switch from ipfilter/ipnat to PF by flushing rules in this order:
>
> ipf -Fa
> ipnat -FC
>
> pfctl -e
> pfctl -f /etc/pf.conf
>
> At this juncture, the box would panic:
>
> panic: mac_lomac_dominate_element: a->mle_type invalid.
>
> A memory dump would then occur and the box reboots.
>
> I went a step ahead: disabled IPFilter in rc.conf and enabled
> PF and rebooted. The box would fail to reboot in this case and
> panic over and over until I disabled mac_lomac_enable="YES" in
> /boot/loader.conf, the relevant entries in rc.conf and sysctl.conf
>
> Anyone using MAC who can reproduce the same?

Not exactly the same, but I had similar problems with mac_mls using pf.
These panics occur because pf is imported from OpenBSD and is not aware of
MAC at all; in fact it ignores MAC completely and thus breaks policies.
The best thing that you can do now is either to avoid using MAC or to use
ipfw instead of pf.
Regards
Björn

From owner-freebsd-pf@FreeBSD.ORG Sun Jan 1 17:58:04 2006
From: Gleb Smirnoff
To: Łukasz Bromirski
Cc: freebsd-pf@FreeBSD.org
Date: Sun, 1 Jan 2006 20:58:00 +0300
Message-ID: <20060101175800.GP42629@FreeBSD.org>
In-Reply-To: <43B5C7E1.8060400@mr0vka.eu.org>
References: <20051227084823.28384.qmail@web32611.mail.mud.yahoo.com> <20051227122546.GE81@insomnia.benzedrine.cx> <43B5C7E1.8060400@mr0vka.eu.org>
Subject: Re: [feature] ipfw verrevpath/versrcreach?

On Sat, Dec 31, 2005 at 12:50:57AM +0100, Łukasz Bromirski wrote:
Ł> Is there by any chance work being done on pf to include functionality
Ł> that is present in FreeBSD ipfw, that checks if packet entered
Ł> router via correct interface as pointed out by routing table?
Ł>
Ł> I know there is antispoof, but it's simple check of connected network
Ł> and interface address, not full lookup to routing table contents.
Ł> On ipfw it's called verrevpath (checking if routing table points
Ł> for this source IP to the interface it came on) and versrcreach
Ł> (the same but default and blackhole routes don't count).

Implementing this feature is very easy. The code that does this check is
only a few lines. You can just copy and paste code from ipfw(4) and add
new keywords to pf(4). Then submit patch to Daniel and Max.

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE

From owner-freebsd-pf@FreeBSD.ORG Sun Jan 1 19:40:08 2006
From: Yann Berthier
To: freebsd-pf@freebsd.org
Date: Sun, 1 Jan 2006 20:39:09 +0100
Message-ID: <20060101193909.GK826@bashibuzuk.net>
In-Reply-To: <20060101175800.GP42629@FreeBSD.org>
References: <20051227084823.28384.qmail@web32611.mail.mud.yahoo.com> <20051227122546.GE81@insomnia.benzedrine.cx> <43B5C7E1.8060400@mr0vka.eu.org> <20060101175800.GP42629@FreeBSD.org>
Subject: Re: [feature] ipfw verrevpath/versrcreach?

Hello,

On Sun, 01 Jan 2006, at 20:58, Gleb Smirnoff wrote:
> On Sat, Dec 31, 2005 at 12:50:57AM +0100, Łukasz Bromirski wrote:
> Ł> Is there by any chance work being done on pf to include functionality
> Ł> that is present in FreeBSD ipfw, that checks if packet entered
> Ł> router via correct interface as pointed out by routing table?
> Ł>
> Ł> I know there is antispoof, but it's simple check of connected network
> Ł> and interface address, not full lookup to routing table contents.
> Ł> On ipfw it's called verrevpath (checking if routing table points
> Ł> for this source IP to the interface it came on) and versrcreach
> Ł> (the same but default and blackhole routes don't count).
>
> Implementing this feature is very easy. The code that does this
> check is only a few lines. You can just copy and paste code from
> ipfw(4) and add new keywords to pf(4). Then submit patch to Daniel
> and Max.

Are there reasons not to implement these checks (the strict and the loose
mode) conditionally in the stack itself, in the same vein as, say, the
blackhole or the drop_synfin checks? Just curious - but uRPF filtering can
be very handy, and I don't need full-fledged filtering on every machine.

Regards,

- yann

From owner-freebsd-pf@FreeBSD.ORG Sun Jan 1 19:55:21 2006
From: "Greg Hennessy"
To: 'Gleb Smirnoff', 'Łukasz Bromirski'
Cc: freebsd-pf@freebsd.org
Date: Sun, 1 Jan 2006 19:54:56 -0000
Message-ID: <000f01c60f0d$3e69f240$0201a8c0@vaio>
In-Reply-To: <20060101175800.GP42629@FreeBSD.org>
Subject: RE: [feature] ipfw verrevpath/versrcreach?

> Implementing this feature is very easy. The code that does
> this check is only a few lines. You can just copy and paste code from
> ipfw(4) and add new keywords to pf(4). Then submit patch to
> Daniel and Max.

On a side note, I would have thought that the logical place for unicast RPF
checking would be as part of antispoof; would it really require additional
keywords?
Greg

From owner-freebsd-pf@FreeBSD.ORG Sun Jan 1 23:11:05 2006
From: Łukasz Bromirski
To: freebsd-pf@freebsd.org
Date: Mon, 02 Jan 2006 00:14:40 +0100
Message-ID: <43B86260.3070209@mr0vka.eu.org>
In-Reply-To: <20060101193909.GK826@bashibuzuk.net>
References: <20051227084823.28384.qmail@web32611.mail.mud.yahoo.com> <20051227122546.GE81@insomnia.benzedrine.cx> <43B5C7E1.8060400@mr0vka.eu.org> <20060101175800.GP42629@FreeBSD.org> <20060101193909.GK826@bashibuzuk.net>
Subject: Re: [feature] ipfw verrevpath/versrcreach?

Yann Berthier wrote:
> Are there reasons not to implement these checks (the strict and the
> loose mode) conditionally in the stack itself, in the same vein as, say,
> the blackhole or the drop_synfin checks? Just curious - but uRPF
> filtering can be very handy, and I don't need full-fledged filtering on
> every machine.

Yes, after some work on the pf sources I realized that doing the uRPF work
in ip_input.c and controlling it, for example, via a sysctl of some kind
would be cleaner - no dependency on packet filtering of any kind, and the
functionality done once, not splattered over a few places. But I asked
because of my lack of time and experience in coding *BSD. I'm slowly
moving on, but if someone has 15 minutes of his precious time free and can
code it with closed eyes, surely we'd be grateful.

-- 
this space was intentionally left blank   | Łukasz Bromirski
you can insert your favourite quote here  | lukasz:bromirski,net

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 2 11:02:52 2006
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 2 Jan 2006 11:02:44 GMT
Message-Id: <200601021102.k02B2isT037604@freefall.freebsd.org>
Subject: Current problem reports assigned to you
Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2005/06/15] kern/82271  pf    [pf] cbq scheduler cause bad latency
f [2005/07/31] kern/84370  pf    [modules] Unload pf.ko cause page fault
f [2005/09/13] kern/86072  pf    [pf] Packet Filter rule not working prope

3 problems total.

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2005/05/15] conf/81042  pf    [pf] [patch] /etc/pf.os doesn't match Fre
o [2005/12/09] kern/90148  pf    [pf] pf_enable="YES" -> Fatal trap 12: pa

2 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 2 16:18:35 2006
From: TYBERGHIEN Eric TRANSPAC
To: freebsd-pf@freebsd.org
Date: Mon, 2 Jan 2006 17:18:30 +0100
Subject: PF/FreeBSD 6 and FIN_WAIT2 TCP exhaustion

Hi and Happy New Year,

I have some problems with FreeBSD 6 and PF. This is my test config:

    set limit { states 600000, frags 5000 }
    pass quick on { $internal_if $external_if } proto tcp keep state
    pass quick on { $internal_if $external_if } proto udp keep state
    nat on $ext_if from $internal_net to $external_net -> $external_nat

The UDP performance is excellent (more than 500 000 contexts without
packet loss). In TCP, a simple test with ab (apache bench) failed very
quickly:

- losing between 2 and 3 sessions/1000 (serial number mode)

After analysing tcpdump traces, it seems that the problem is the
non-releasing of TCP contexts after the end of the TCP session. These
contexts remained in PF for 90 secs after the end of the TCP session, in
the FIN_WAIT2 state.

Can you help me to solve this feature. Is it a bug, a mechanism of DOS
auto-protection or a misunderstanding of the PF features?
Best Regards
Eric Tyberghien
FT/TPC/DO/DIT/Sécurité
Tel : 02 23 28 31 00
Port : 06 82 81 51 85
Fax : 02 23 28 45 81
Email : eric.tyberghien@francetelecom.com

*******************************************************************************
This message and any attachments (the "message") are confidential and
intended solely for the addressees. Any unauthorised use or dissemination
is prohibited. Messages are susceptible to alteration. France Telecom Group
shall not be liable for the message if altered, changed or falsified.
If you are not the intended addressee of this message, please cancel it
immediately and inform the sender.
*******************************************************************************

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 2 17:31:31 2006
From: Daniel Hartmeier
To: TYBERGHIEN Eric TRANSPAC
Cc: freebsd-pf@freebsd.org
Date: Mon, 2 Jan 2006 18:30:45 +0100
Message-ID: <20060102173044.GE17829@insomnia.benzedrine.cx>
Subject: Re: PF/FreeBSD 6 and FIN_WAIT2 TCP exhaustion

On Mon, Jan 02, 2006 at 05:18:30PM +0100, TYBERGHIEN Eric TRANSPAC wrote:
> Can you help me to solve this feature. Is it a bug, a mechanism of DOS
> auto-protection or a misunderstanding of the PF features?

Look at the TCP RFC, sections "Knowing When to Keep Quiet" and "The TCP
Quiet Time Concept" starting on page 27 of

  http://www.faqs.org/rfcs/rfc793.html

After a client closes the connection to a server, it may not re-use the
same source port (to the same server port) before a quiet period has
passed. This is designed so packets from the first connection arriving
late at the server (due to taking different routes) can't disturb the
second connection.

This obviously limits the (sustained) rate at which your client can
connect to the server (to 65536 connections per 90 seconds, no matter
how fast your network may be). This was probably considered more than
enough when the TCP RFC was written, but nowadays people expect higher
connection rates in this case. The reasonable thing would be to send
multiple HTTP requests over one persistent connection, since the
overhead of establishing (and tearing down) all those connections, for a
single request each, is significant. But yours is a benchmark, and not a
real application protocol, so I guess that's beside the point. :)

FreeBSD (and other OSes) re-use ports from connections in TIME_WAIT state
when they need to. The assumption is that the disadvantage of not
detecting late arrivals of earlier connections is outweighed by the
increased connection rate possible.

You can tell pf to purge states in TIME_WAIT earlier, too. Those 90s are
merely the default,

  $ pfctl -st
  tcp.closed                   90s

and you can change it, either globally with 'set timeout tcp.closed 15'
or per rule with 'keep state (tcp.closed 15)'. Note that purging only
occurs in intervals (default 10s), so if you set the timeout to 15s, a
state may be purged after 15+10s. If you need higher resolution, lower
the interval (set timeout interval 5).

Daniel

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 2 21:12:02 2006
From: Olivier Warin
To: Daniel Hartmeier
Date: Mon, 2 Jan 2006 22:11:15 +0100
In-Reply-To: <20060102173044.GE17829@insomnia.benzedrine.cx>
References: <20060102173044.GE17829@insomnia.benzedrine.cx>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF/FreeBSD 6 and FIN_WAIT2 TCP exhaustion

On 2 Jan 06 at 18:30, Daniel Hartmeier wrote:

> On Mon, Jan 02, 2006 at 05:18:30PM +0100, TYBERGHIEN Eric TRANSPAC
> wrote:
>
>> Can you help me to solve this feature. Is it a bug, a mechanism of DOS
>> auto-protection or a misunderstanding of the PF features?
>
> Look at the TCP RFC, sections "Knowing When to Keep Quiet" and "The TCP
> Quiet Time Concept" starting on page 27 of
>
> http://www.faqs.org/rfcs/rfc793.html
>
> After a client closes the connection to a server, it may not re-use the
> same source port (to the same server port) before a quiet period has
> passed. This is designed so packets from the first connection arriving
> late at the server (due to taking different routes) can't disturb the
> second connection.
>
> This obviously limits the (sustained) rate at which your client can
> connect to the server (to 65536 connections per 90 seconds, no matter
> how fast your network may be). This was probably considered more than
> enough when the TCP RFC was written, but nowadays people expect higher
> connection rates in this case.

RFC793 was written in the 80's ;-)

> The reasonable thing would be to send
> multiple HTTP requests over one persistent connection, since the
> overhead of establishing (and tearing down) all those connections, for a
> single request each, is significant. But yours is a benchmark, and not a
> real application protocol, so I guess that's beside the point. :)
>
> FreeBSD (and other OSes) re-use ports from connections in TIME_WAIT state
> when they need to. The assumption is that the disadvantage of not
> detecting late arrivals of earlier connections is outweighed by the
> increased connection rate possible.
>
> You can tell pf to purge states in TIME_WAIT earlier, too. Those 90s are
> merely the default,
>
> $ pfctl -st
> tcp.closed                   90s

Then he may reach other limits, kernel default values, not pf state ones.
net.inet.tcp.msl (10000ms by default) can be lowered for production use.
RFC793, page 23 says sockets stay in a TIME_WAIT state two times the msl
value.

Page 28:

"To be sure that a TCP does not create a segment that carries a sequence
number which may be duplicated by an old segment remaining in the network,
the TCP must keep quiet for a maximum segment lifetime (MSL) before
assigning any sequence numbers upon starting up or recovering from a crash
in which memory of sequence numbers in use was lost. For this
specification the MSL is taken to be 2 minutes. This is an engineering
choice, and may be changed if experience indicates it is desirable to do
so."

[...]

"TCP segments for at least the agreed Maximum Segment Lifetime (MSL) in the
internet system of which the host is a part. In the paragraphs below, an
explanation for this specification is given. TCP implementors may violate
the "quiet time" restriction, but only at the risk of causing some old
data to be accepted as new or new data rejected as old duplicated by some
receivers in the internet system."

Nevertheless, please consider that this can prohibit high-latency
connections from reaching your servers, especially if your customers are
transiting through operators with bad peering agreements. On the other
hand, MSL was, at the origin, arbitrarily defined...

> and you can change it, either globally with 'set timeout tcp.closed 15'
> or per rule with 'keep state (tcp.closed 15)'. Note that purging only
> occurs in intervals (default 10s), so if you set the timeout to 15s, a
> state may be purged after 15+10s.
If you need higher resolution, lower > the interval (set timeout interval 5). -- Olivier Warin - http://xview.net Stay connected ! From owner-freebsd-pf@FreeBSD.ORG Tue Jan 3 00:35:42 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1AD5D16A41F; Tue, 3 Jan 2006 00:35:42 +0000 (GMT) (envelope-from lbromirski@mr0vka.eu.org) Received: from r2d2.bromirski.net (r2d2.bromirski.net [217.153.57.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id 87E5C43D49; Tue, 3 Jan 2006 00:35:41 +0000 (GMT) (envelope-from lbromirski@mr0vka.eu.org) Received: from [192.168.0.10] (shield.wesola.pl [62.111.150.246]) by r2d2.bromirski.net (Postfix) with ESMTP id 69EA31089D9; Tue, 3 Jan 2006 01:42:22 +0100 (CET) Message-ID: <43B9C7CC.7090703@mr0vka.eu.org> Date: Tue, 03 Jan 2006 01:39:40 +0100 From: =?ISO-8859-2?Q?=A3ukasz_Bromirski?= User-Agent: Thunderbird 1.5 (Windows/20051206) MIME-Version: 1.0 To: freebsd-net@freebsd.org Content-Type: text/plain; charset=ISO-8859-2; format=flowed Content-Transfer-Encoding: 8bit Cc: freebsd-pf@freebsd.org Subject: Reverse Path Filtering check in ip_input.c X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Jan 2006 00:35:42 -0000 Hi, Following some short discussion on freebsd-pf I've written (mostly copied, but let's skip that for a moment) short patch for ip_input.c, that does uRPF check for incoming packets. In some simple words, it's exactly the function ipfw2 is calling when You specify a rule with `versrcreach', but it's there in core network processing path and it's controlled via sysctl, so You don't need any packet filter in system to get the job done. 
If sysctl net.inet.ip.urpf is set to 0 the check is disabled, and if
it's set to 1, checking of the source address/interface against the
routing table is in effect. The check skips packets coming in on
loopback or CARP interfaces.

When a packet is going to be dropped, a syslog message is generated
with the source IP address and the input interface it came in on, and
system counters are increased.

The patch applies cleanly to ip_input.c version 1.301.2.3 dated
2005/10/09 (latest RELENG_5 checkout). It will also work with the
latest RELENG_4 checkout (ip_input.c version 1.130.2.55 dated
2005/01/02).

Please note, however, that this code is for IPv4 only.

http://lukasz.bromirski.net/projekty/freebsd/ip_input.urpf.diff
SHA1 (ip_input.urpf.diff) = c76319f619a43f1d031e729d361324d3a4d86daf

Please also note that there's already a similar sysctl in ip_input.c;
it's named ip_checkinterface and does a subset of the uRPF checks, so
while I don't think this patch is going to make it into the source
tree, maybe it's time for someone wiser than me to review the code and
'update' the ip_input.c code?
-- 
this space was intentionally left blank | Łukasz Bromirski
you can insert your favourite quote here | lukasz:bromirski,net

From: Łukasz Bromirski
Date: Tue, 03 Jan 2006 01:56:04 +0100
To: freebsd-net@freebsd.org
Cc: freebsd-pf@freebsd.org
Subject: Re: Reverse Path Filtering check in ip_input.c

Łukasz Bromirski wrote:
> Patch applies cleanly on ip_input.c version 1.301.2.3 dated 2005/10/09
> (latest RELENG_5 checkout). It will also work with latest RELENG_4
> checkout (ip_input.c version 1.130.2.55 dated 2005/01/02).
Sorry for the small mistake - the patch applies cleanly to:

ip_input.c v1.301.2.3 of 2005/10/09 (RELENG_6)
ip_input.c v1.283.2.14 of 2005/07/20 (RELENG_5)
ip_input.c v1.130.2.55 of 2005/01/02 (RELENG_4)

-- 
this space was intentionally left blank | Łukasz Bromirski
you can insert your favourite quote here | lukasz:bromirski,net

From: Yann Berthier
Date: Tue, 3 Jan 2006 12:51:20 +0100
To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Reverse Path Filtering check in ip_input.c

Hello,

On Tue, 03 Jan 2006, at 01:39, Łukasz Bromirski wrote:

> Hi,
>
> Following some short discussion on freebsd-pf I've written
> (mostly
> copied, but let's skip that for a moment) short patch for ip_input.c,
> that does uRPF check for incoming packets.
>
> In some simple words, it's exactly the function ipfw2 is calling when
> You specify a rule with `versrcreach', but it's there in core
> network processing path and it's controlled via sysctl, so You don't
> need any packet filter in system to get the job done.
>
> If sysctl net.inet.ip.urpf is set to 0 check is disabled, and if
> it's set to 1, checking of source address/interface against routing
> table is in effect. Checks will skip packets coming on from
> loopback or CARP interfaces.
>
> When the packet is going to be dropped, there's syslog message
> generated with source IP address and input interface it came on,
> and system counters are increased.
>
> Patch applies cleanly on ip_input.c version 1.301.2.3 dated 2005/10/09
> (latest RELENG_5 checkout). It will also work with latest RELENG_4
> checkout (ip_input.c version 1.130.2.55 dated 2005/01/02).
>
> Please note however, this code is for IPv4 only.
>
> http://lukasz.bromirski.net/projekty/freebsd/ip_input.urpf.diff
> SHA1 (ip_input.urpf.diff) = c76319f619a43f1d031e729d361324d3a4d86daf

Nice!

> Please also note, there's already similar sysctl in ip_input.c -
> it's named ip_checkinterface and does subset of urpf checks, so
> while I don't think this patch is going to make into source tree,
> maybe it's time for someone wiser than me to review the code and
> 'update' ip_input.c code?

If this yet-to-be-found wiser guy would not forget the loose check
too (verrevpath in ipfw speak), where packets matching the default
route are OK ...
:)

Cheers,

- yann

From: "Robert"
Date: Tue, 3 Jan 2006 14:40:34 +0200
Subject: pf

I had pf running on a bridge but it didn't seem to work. The first
problem was that bridge0 didn't appear in the ifconfig command output,
but the bridge worked. And the second was that pf didn't limit the
bandwidth.

Does pf work on a bridge?
From: Łukasz Bromirski
Date: Tue, 03 Jan 2006 14:58:15 +0100
To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Reverse Path Filtering check in ip_input.c

Yann Berthier wrote:
> If this yet to be found wiser guy would not forget the loose check
> too (verrevpath in ipfw speaking), where packets matching the default
> route are ok ... :)

Actually it does that, and will until we have the option to have two
or more default routes.
Presently, if a packet comes in via an interface and the reply to it
should be sent out the same interface (because the default route points
to it and there are no other routes pointing to another interface for
the same destination), it will work.

The check fails if there's either an interface mismatch, or the source
is present in the routing table but marked as an RTF_REJECT/BLACKHOLE
one.

OpenBSD imported the KAME mroute extension that enables them to have
more than one route for a given destination simultaneously in the
routing table. I'm looking into it now, as it's a very attractive
thing; however, as Andre is doing a rework of the network code I'm sure
we'll have it sooner or later, and then maybe someone will revise the
old checks already marked as 'XXX' in the code ;)

-- 
this space was intentionally left blank | Łukasz Bromirski
you can insert your favourite quote here | lukasz:bromirski,net

From: Yann Berthier
Date: Tue, 3 Jan 2006 15:31:16 +0100
To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Reverse Path Filtering check in ip_input.c

On Tue, 03 Jan 2006, at 14:58, Łukasz Bromirski wrote:

> Yann Berthier wrote:
>
> > If this yet to be found wiser guy would not forget the loose check
> > too (verrevpath in ipfw speaking), where packets matching the default
> > route are ok ... :)
>
> Actually it does that and will until we'll have option to have two
> or more default routes.
>
> Presently, if packets comes via interface and reply for it should be
> sent on the same interface (because default route points to it and
> there are no other routes pointing for the same destination to
> another interface) it will work.
>
> Check fails if there's either interface mismatch, or source is present
> in routing table but marked as RTF_REJECT/BLACKHOLE one.

My bad, I didn't look at your patch; I was misled by the
verrevpath / versrcreach description.

> OpenBSD imported KAME mroute extension that enables them to have
> more than one route for given destination simultaneously in routing
> table. I'm looking into it now, as it's very attractive thing,
> however as Andre is doing rework of network code I'm sure we'll have
> it sooner or later and then maybe someone will revise old checks
> already marked as 'XXX' in the code ;)

Amen

- yann

From: Julian Elischer
Date: Tue, 03 Jan 2006 10:28:28 -0800
To: Łukasz Bromirski
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Reverse Path Filtering check in ip_input.c

Łukasz Bromirski wrote:
> Yann Berthier wrote:
>
>> If this yet to be found wiser guy would not forget the loose check
>> too (verrevpath in ipfw speaking), where packets matching the default
>> route are ok ... :)
>
> Actually it does that and will until we'll have option to have two
> or more default routes.
>
> Presently, if packets comes via interface and reply for it should be
> sent on the same interface (because default route points to it and
> there are no other routes pointing for the same destination to
> another interface) it will work.
>
> Check fails if there's either interface mismatch, or source is present
> in routing table but marked as RTF_REJECT/BLACKHOLE one.
>
> OpenBSD imported KAME mroute extension that enables them to have
> more than one route for given destination simultaneously in routing
> table. I'm looking into it now, as it's very attractive thing,
> however as Andre is doing rework of network code I'm sure we'll have
> it sooner or later and then maybe someone will revise old checks
> already marked as 'XXX' in the code ;)

Several routes with the same dest would be interesting, but how do you
select between them?

What I'm looking for is a way to make a machine use two totally
separate routes depending on the socket address locally. I'm currently
achieving this with ipfw fwd rules, but that has side effects that are
troublesome.

The vimage patches would do this for me, but they are only for 4.x and
I see no way to do what they do in a truly extensible manner that would
work for 5.x and beyond.
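To make the check Łukasz describes in this thread concrete (reverse route must point out the input interface, the default route counting as a match, RTF_REJECT/BLACKHOLE routes failing, loopback and CARP interfaces skipped, a counter and a syslog-style line per drop), here is an added C model over a constructed routing table; it is not the ip_input.c patch, the interface names and routes are made up, and it goes beyond the thread by adding a loose mode in the style of ipfw's versrcreach for comparison with Yann's point.

```c
/* Constructed model of the thread's uRPF check (added example, not the
 * ip_input.c patch): longest-prefix lookup of the source address, skip
 * loopback/CARP input interfaces, pass when the matching route (default
 * route included) points back out the input interface, drop on interface
 * mismatch or an RTF_REJECT/RTF_BLACKHOLE route, counting and logging
 * each drop. URPF_LOOSE (any usable route is enough) is added for
 * comparison with the strict mode the patch implements. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RTF_REJECT    0x8     /* flag values as in FreeBSD's net/route.h */
#define RTF_BLACKHOLE 0x1000

enum urpf_mode { URPF_OFF, URPF_STRICT, URPF_LOOSE };

struct route_entry {
    uint32_t    dst;      /* network address, host byte order */
    int         plen;     /* prefix length, 0 for the default route */
    const char *ifname;   /* interface the route points out of */
    int         flags;
};

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Longest-prefix match; NULL when nothing, not even a default, matches. */
static const struct route_entry *
rt_lookup(const struct route_entry *tbl, size_t n, uint32_t addr)
{
    const struct route_entry *best = NULL;
    for (size_t i = 0; i < n; i++) {
        uint32_t mask = tbl[i].plen ? 0xFFFFFFFFu << (32 - tbl[i].plen) : 0;
        if ((addr & mask) == tbl[i].dst && (!best || tbl[i].plen > best->plen))
            best = &tbl[i];
    }
    return best;
}

static unsigned long urpf_dropped;   /* the "system counter" */
static char urpf_lastlog[96];        /* syslog line of the last drop */

/* Returns 1 if the packet may continue, 0 if it is to be dropped. */
int urpf_check(enum urpf_mode mode, const struct route_entry *tbl, size_t n,
               uint32_t src, const char *in_if)
{
    if (mode == URPF_OFF || !strncmp(in_if, "lo", 2) || !strncmp(in_if, "carp", 4))
        return 1;                    /* disabled, or an interface the check skips */
    const struct route_entry *rt = rt_lookup(tbl, n, src);
    int ok = rt != NULL && !(rt->flags & (RTF_REJECT | RTF_BLACKHOLE));
    if (ok && mode == URPF_STRICT)   /* reverse path must be the input interface */
        ok = strcmp(rt->ifname, in_if) == 0;
    if (!ok) {
        urpf_dropped++;
        snprintf(urpf_lastlog, sizeof urpf_lastlog,
                 "urpf: dropped packet from %u.%u.%u.%u on %s",
                 (unsigned)(src >> 24), (unsigned)(src >> 16) & 0xff,
                 (unsigned)(src >> 8) & 0xff, (unsigned)src & 0xff, in_if);
    }
    return ok;
}

unsigned long urpf_drop_count(void) { return urpf_dropped; }
const char   *urpf_last_log(void)   { return urpf_lastlog; }

/* Constructed table: em0 is the upstream link (default route), em1 the LAN. */
static const struct route_entry demo_rt[] = {
    { 0x00000000u,  0, "em0", 0 },
    { 0x0A000000u,  8, "em1", 0 },               /* 10.0.0.0/8 */
    { 0xC0000200u, 24, "em1", RTF_BLACKHOLE },   /* 192.0.2.0/24, blackholed */
    { 0x7F000000u,  8, "lo0", 0 },               /* 127.0.0.0/8 */
};
#define DEMO_RT_LEN (sizeof demo_rt / sizeof demo_rt[0])

int demo_check(enum urpf_mode mode, uint32_t src, const char *in_if)
{
    return urpf_check(mode, demo_rt, DEMO_RT_LEN, src, in_if);
}

int main(void)
{
    const char *v[] = { "drop", "pass" };
    printf("10.1.2.3 in on em1, strict: %s\n", v[demo_check(URPF_STRICT, ip4(10,1,2,3), "em1")]);
    printf("10.1.2.3 in on em0, strict: %s\n", v[demo_check(URPF_STRICT, ip4(10,1,2,3), "em0")]);
    printf("  %s (dropped: %lu)\n", urpf_last_log(), urpf_drop_count());
    printf("10.1.2.3 in on em0, loose:  %s\n", v[demo_check(URPF_LOOSE, ip4(10,1,2,3), "em0")]);
    return 0;
}
```

The second case is the one the check exists for: a packet carrying an internal 10/8 source arriving on the upstream link is dropped in strict mode but accepted in loose mode, which is exactly the difference Yann and Łukasz are discussing.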
From: Leon Botes
Date: Thu, 05 Jan 2006 21:14:03 +0200
To: freebsd-pf@freebsd.org
Subject: PF ruleset NAT assistance

I have a strange scenario that I am sure pf can cope with, but I am not
sure how to write the ruleset and I can't find clarification on it.

We have a gateway FreeBSD box with the following interfaces:

ext_if1     (internet connection 1)
ext_if1_rt  (router ip connected to ext_if1)
ext_if1_ip  (the ip of ext_if1)
ext_if1_ip2 (the 2nd ip of ext_if1)
ext_if2     (internet connection 2)
ext_if2_rt  (router ip connected to ext_if2)
ext_if2_ip  (the ip of ext_if2)
ext_if2_ip2 (the 2nd ip of ext_if2)
ext_if3     (internet connection 3)
ext_if3_rt  (router ip connected to ext_if3)
ext_if3_ip  (the ip of ext_if3)
ext_if3_ip2 (the 2nd ip of ext_if3)
dmz_if      (DMZ server interface)
dmz_srv     (DMZ server ip)
dmz_if_ip   (DMZ interface ip)
lan_if      (lan pc network interface)
lan_if_ip   (lan interface ip)
pri_net     (entire subnet of the lan pc's)

The default gateway is the router ext_if_rt. All external interfaces
need to be natted. The second ips on the interfaces are intended for
binat use, which is where the problem comes in.

I need to allow various ports in on all the ext_if's and be redirected
to the dmz server. The returning packets must then be sent back out the
same interface they arrived on.

These rules seem logical but don't seem to work (specific ports
omitted). Can anyone point out my fault?

nat on $ext_if1 from $pri_net to any -> $ext_if1_ip
binat on $ext_if1 from $dmz_srv to any -> $ext_if1_ip2
nat on $ext_if2 from $pri_net to any -> $ext_if2_ip
binat on $ext_if2 from $dmz_srv to any -> $ext_if2_ip2
nat on $ext_if3 from $pri_net to any -> $ext_if3_ip
binat on $ext_if3 from $dmz_srv to any -> $ext_if3_ip2

Can someone help me with these three binat rules please?
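The translation rules alone do not decide which uplink the DMZ server's replies leave on; that is the job of pf's reply-to option on the filter rule that creates the state. The ruleset below is an added example, not part of Leon's post or a reply from the list: it reuses his macro names (every macro referenced with $), the interface names, addresses and the dmz_ports list are assumed placeholders, and it assumes pf's default floating state policy.

```pf
# Assumed placeholder values for the macros named in the post.
ext_if1 = "fxp0"
ext_if1_rt = "198.51.100.1"
ext_if1_ip = "198.51.100.10"
ext_if1_ip2 = "198.51.100.11"
ext_if2 = "fxp1"
ext_if2_rt = "203.0.113.1"
ext_if2_ip = "203.0.113.10"
ext_if2_ip2 = "203.0.113.11"
ext_if3 = "fxp2"
ext_if3_rt = "192.0.2.1"
ext_if3_ip = "192.0.2.10"
ext_if3_ip2 = "192.0.2.11"
dmz_if = "fxp3"
dmz_srv = "172.16.1.10"
pri_net = "10.0.0.0/24"
dmz_ports = "{ 25, 80, 443 }"   # assumed: the ports published on the DMZ server

# Translation rules as posted, each macro referenced through $.
nat on $ext_if1 from $pri_net to any -> $ext_if1_ip
binat on $ext_if1 from $dmz_srv to any -> $ext_if1_ip2
nat on $ext_if2 from $pri_net to any -> $ext_if2_ip
binat on $ext_if2 from $dmz_srv to any -> $ext_if2_ip2
nat on $ext_if3 from $pri_net to any -> $ext_if3_ip
binat on $ext_if3 from $dmz_srv to any -> $ext_if3_ip2

# Filter rules are evaluated after translation, so an inbound packet for
# ext_ifN_ip2 already has $dmz_srv as its destination here. reply-to
# stores the ingress interface and its router in the state, so the
# server's replies are sent back through that router instead of
# following the default route out of ext_if1.
pass in on $ext_if1 reply-to ($ext_if1 $ext_if1_rt) proto tcp \
    from any to $dmz_srv port $dmz_ports flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_if2_rt) proto tcp \
    from any to $dmz_srv port $dmz_ports flags S/SA keep state
pass in on $ext_if3 reply-to ($ext_if3 $ext_if3_rt) proto tcp \
    from any to $dmz_srv port $dmz_ports flags S/SA keep state

# With the default floating state policy the state created above already
# matches the packet on its way out of dmz_if; this rule is only needed
# under "set state-policy if-bound".
pass out on $dmz_if proto tcp from any to $dmz_srv port $dmz_ports keep state
```

Only the listed ports are opened towards the DMZ server; connections the server initiates itself are still routed by the routing table, so they leave via ext_if1 and are binat'ed to ext_if1_ip2.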
-- 
Regards
Leon

From: Forrest Aldrich
Date: Fri, 06 Jan 2006 13:49:45 -0500
To: freebsd-pf@freebsd.org
Subject: Useful utilities for PF

I was pointed to this page:

http://expiretable.fnord.se/

which has "expiretable" and "tableutils". Both appear to be very
useful, though I'm not sure they'll compile out-of-the-box for
FreeBSD-6. Might be good candidates for the ports collection.
_F

From: "Josh Finlay"
Date: Sat, 7 Jan 2006 10:53:52 +1000
Subject: IPv6 RDR on FBSD

Hi,

Trying to use PF to redirect incoming IPv4 to IPv6. I've tried:

rdr pass on $ExtIF inet6 proto tcp to port 6667 -> 192.168.0.101 port 6667

However this gives the following error:

/etc/pf.conf:23: no translation address with matching address family found.

(line 23 being the line above)

Any ideas what I'm doing wrong?
Regards,
Josh Finlay

From: Cristiano Deana
Date: Sat, 7 Jan 2006 21:43:22 +0100
To: freebsd-pf@freebsd.org
Subject: Re: Useful utilities for PF

2006/1/6, Forrest Aldrich:
> http://expiretable.fnord.se/
> Might be good candidates for the ports collection.
I prepared a port; you can find it here:

http://brothersbsd.org/expiretable.tar.gz

-- 
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/