From owner-freebsd-pf@FreeBSD.ORG Mon Jan 30 11:02:41 2006
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 30 Jan 2006 11:02:40 GMT
Message-Id: <200601301102.k0UB2eDa019920@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2005/06/15] kern/82271  pf    [pf] cbq scheduler cause bad latency
f [2005/07/31] kern/84370  pf    [modules] Unload pf.ko cause page fault
f [2005/09/13] kern/86072  pf    [pf] Packet Filter rule not working prope

3 problems total.

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2005/05/15] conf/81042  pf    [pf] [patch] /etc/pf.os doesn't match Fre
o [2005/12/09] kern/90148  pf    [pf] pf_enable="YES" -> Fatal trap 12: pa

2 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 30 13:08:33 2006
From: Admin Indoglobalhost
Reply-To: admin@indoglobalhost.com
To: freebsd-pf@freebsd.org
Date: Mon, 30 Jan 2006 20:02:30 +0700
Subject: pf altq on bge

Hi, I have some problems with FreeBSD 5.4 Stable using pf and altq.

This is my kernconf
============
machine         i386
cpu             I686_CPU
ident           JOSS
maxusers        512

# To statically compile in device wiring instead of /boot/device.hints
#hints          "GENERIC.hints"         # Default places to look for devices.

options         SCHED_4BSD              # 4BSD scheduler
options         INET                    # InterNETworking
##options       INET6                   # IPv6 communications protocols
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         MD_ROOT                 # MD is a potential root device
options         CD9660                  # ISO 9660 Filesystem
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         GEOM_GPT                # GUID Partition Tables.
options         COMPAT_43               # Compatible with BSD 4.3 [KEEP THIS!]
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         KTRACE                  # ktrace(1) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         AHC_REG_PRETTY_PRINT    # Print register bitfields in debug
                                        # output.  Adds ~128k to driver.
options         AHD_REG_PRETTY_PRINT    # Print register bitfields in debug
                                        # output.  Adds ~215k to driver.
options         ADAPTIVE_GIANT          # Giant mutex is adaptive.

device          apic                    # I/O APIC

# Bus support.  Do not remove isa, even if you have no isa slots
device          isa
device          eisa
device          pci

# ATA and ATAPI devices
device          ata
device          atadisk                 # ATA disk drives
device          atapicd                 # ATAPI CDROM drives
options         ATA_STATIC_ID           # Static device numbering

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc                  # AT keyboard controller
device          atkbd                   # AT keyboard

device          vga                     # VGA video card driver

device          splash                  # Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device          sc

device          agp                     # support several AGP chipsets

# Floating point support - do not disable.
device          npx

# Add suspend/resume support for the i8254.
device          pmtimer

# Serial (COM) ports
device          sio                     # 8250, 16[45]50 based serial ports

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus                  # MII bus support
device          bge                     # Broadcom BCM570xx Gigabit Ethernet

# Pseudo devices.
device          loop                    # Network loopback
device          mem                     # Memory and kernel memory devices
device          io                      # I/O device
device          random                  # Entropy device
device          ether                   # Ethernet support
device          tun                     # Packet tunnel.
device          pty                     # Pseudo-ttys (telnet etc)
device          md                      # Memory "disks"
##device        gif                     # IPv6 and IPv4 tunneling
##device        faith                   # IPv6-to-IPv4 relaying (translation)

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device          bpf                     # Berkeley packet filter

# SMP
options         SMP

# snooop
device          snp

## PF
device          pf
device          pflog
device          pfsync

options         ALTQ
options         ALTQ_CBQ
options         ALTQ_RED
options         ALTQ_RIO
options         ALTQ_HFSC
options         ALTQ_PRIQ

options         QUOTA

pf.conf + altq config
==============
## set macros
ext_if="bge0"
main_ip="xx.xx.xx"      < i remove :)
http_ports="{ 43, 80 }"
sec_ports="{ 22 }"
tcp_serv="{ 20, 21, 25, 53 }"
dns_ports="{ 43, 53, 123 }"
irc_ports="{ 113, 2000 >< 8005, 8300 >< 9000, 30000 >< 40000 }"
icmp_t="echoreq"
tracert="33434 >< 33450"

## main set options
set timeout { frag 30, interval 10 }
set limit { frags 5000, states 3000 }
set loginterface $ext_if
set block-policy drop
set optimization normal

scrub in all

## QUEUES - ALTQ rules
altq on bge0 cbq bandwidth 100Mb queue { q_all }
queue q_all bandwidth 100% cbq { q_def, q_pri, q_misc, q_web, q_dns, q_irc }
queue q_def bandwidth 25% priority 1 cbq(borrow default red ecn)
queue q_misc bandwidth 10% priority 0 cbq(red)
queue q_web bandwidth 15% priority 4 cbq(borrow)
queue q_dns bandwidth 25% priority 5 cbq(borrow)
queue q_irc bandwidth 25% priority 6 cbq(borrow)
queue q_pri priority 7

## Default Block
block in all
block out all

#=- Table
# [The <name> of each table, and the <name> references in the rules below,
#  did not survive the list archive; pf syntax is: table <name> persist file "..."]
table persist file "/etc/pftable/spoof.conf"
table persist file "/etc/pftable/ddos.conf"
table persist file "/etc/pftable/servindo.conf"
table persist file "/etc/pftable/bfd.conf"
table persist file "/etc/pftable/int.conf"
table persist file "/etc/pftable/joss.conf"

block in quick on $ext_if from { , , , , } to any

pass quick on lo0 all
pass inet proto icmp from to any icmp-type $icmp_t keep state queue q_misc
pass out quick proto udp from any to any port $tracert keep state queue q_def
pass quick proto tcp from any to any port $tcp_serv keep state queue q_def

pass in quick proto tcp from to any port 22 keep state
pass quick proto tcp from any to any port $sec_ports keep state queue q_pri

pass quick proto udp from any to any port $dns_ports keep state queue q_dns
pass out quick proto { tcp, udp } from to any port { 161, 162 } keep state queue q_dns

pass in quick proto tcp from any to $main_ip port $http_ports flags S/SA synproxy state queue q_web
pass out quick proto tcp from $main_ip to any port $http_ports keep state queue q_web

pass quick proto tcp from any to any port $irc_ports keep state queue q_irc
============================

I try to load the configuration:

# pfctl -f /etc/pf.conf.altq
pfctl: bge0: driver does not support altq

Can anyone help me to resolve this problem?

NB: no error message if altq is disabled.

Thanks

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 30 13:31:29 2006
From: "Roman Gorohov."
Organization: Acropolis
To: Admin Indoglobalhost
Cc: freebsd-pf@freebsd.org
Date: Mon, 30 Jan 2006 16:32:36 +0300
Message-ID: <1115316351.20060130163236@gmail.com>
Subject: Re: pf altq on bge

Hello, Admin.

You wrote on 30 January 2006, 16:02:30:

> Hi, I have some problems with FreeBSD 5.4 Stable using pf and altq.
[...]
> device          bge                     # Broadcom BCM570xx Gigabit Ethernet
[...]
> ## QUEUES - ALTQ rules
> altq on bge0 cbq bandwidth 100Mb queue { q_all }
[...]
> # pfctl -f /etc/pf.conf.altq
> pfctl: bge0: driver does not support altq
>
> Can anyone help me to resolve this problem?
>
> NB: no error message if altq is disabled.

ALTQ does not support device bge on 5.4. It does on 6.0.

--
Roman Gorohov.
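The driver error above stops pfctl before it validates the rest of the queue tree, so the CBQ definitions in the original post never got checked. The script below is an added example (not code from the thread or from pf): it parses the poster's `altq on` and `queue` lines, embedded as sample input, rebuilds the parent/child tree and reports over-subscribed parents, a missing or duplicated default queue, out-of-range cbq priorities, undefined children and queues with no bandwidth.

```python
"""Lint the ALTQ/CBQ queue tree of a pf.conf fragment.

Parses the ``altq on ...`` and ``queue ...`` lines, rebuilds the parent/child
tree and reports what pfctl would reject or what would silently starve a
class: children asking for more bandwidth than their parent has, no (or more
than one) default queue, a cbq priority outside 0-7, a child that is listed
but never defined, and a queue with no bandwidth at all.
"""
import re

# The poster's queue definitions, embedded as constructed sample input.
PF_CONF = """
altq on bge0 cbq bandwidth 100Mb queue { q_all }
queue q_all bandwidth 100% cbq { q_def, q_pri, q_misc, q_web, q_dns, q_irc }
queue q_def bandwidth 25% priority 1 cbq(borrow default red ecn)
queue q_misc bandwidth 10% priority 0 cbq(red)
queue q_web bandwidth 15% priority 4 cbq(borrow)
queue q_dns bandwidth 25% priority 5 cbq(borrow)
queue q_irc bandwidth 25% priority 6 cbq(borrow)
queue q_pri priority 7
"""

UNITS = {"b": 1, "kb": 1_000, "mb": 1_000_000, "gb": 1_000_000_000}

ALTQ_RE = re.compile(r"altq on (\S+) (\w+) bandwidth (\S+) queue \{\s*([\w, ]+)\}")
QUEUE_RE = re.compile(r"queue (\S+)(?: bandwidth (\S+))?(?: priority (\d+))?"
                      r"(?: (\w+)(?:\(([^)]*)\))?)?(?: \{\s*([\w, ]+)\})?$")


def parse_bandwidth(spec, parent_bps):
    """'100Mb' -> bits/s, '25%' -> that share of parent_bps, None -> None."""
    if spec is None:
        return None
    if spec.endswith("%"):
        if parent_bps is None:
            raise ValueError("percentage bandwidth needs a parent: %s" % spec)
        return parent_bps * float(spec[:-1]) / 100.0
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?b)", spec, re.IGNORECASE)
    if not m:
        raise ValueError("bad bandwidth spec: %s" % spec)
    return float(m.group(1)) * UNITS[m.group(2).lower()]


def parse_queues(text):
    """Return (root dict or None, {queue name: queue dict})."""
    root, queues = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        m = ALTQ_RE.match(line)
        if m:
            root = {"iface": m.group(1), "sched": m.group(2), "bw": m.group(3),
                    "children": [c.strip() for c in m.group(4).split(",")]}
            continue
        m = QUEUE_RE.match(line)
        if m:
            name, bw, prio, _sched, opts, kids = m.groups()
            queues[name] = {
                "bw": bw,
                "prio": int(prio) if prio else 1,    # pf.conf default priority
                "opts": set((opts or "").split()),
                "children": [c.strip() for c in kids.split(",")] if kids else [],
            }
    return root, queues


def check_tree(root, queues):
    """Walk the tree from the altq root and collect problem descriptions."""
    problems = []
    defaults = [n for n, q in queues.items() if "default" in q["opts"]]
    if len(defaults) != 1:
        problems.append("expected exactly one default queue, found %d" % len(defaults))

    def walk(parent, parent_bps, children):
        total = 0.0
        for name in children:
            q = queues.get(name)
            if q is None:
                problems.append("%s: child %s is never defined" % (parent, name))
                continue
            if root["sched"] == "cbq" and not 0 <= q["prio"] <= 7:
                problems.append("%s: priority %d outside cbq range 0-7" % (name, q["prio"]))
            bps = parse_bandwidth(q["bw"], parent_bps)
            if bps is None:
                problems.append("%s: no bandwidth specified (counted as 0 here)" % name)
                bps = 0.0
            total += bps
            walk(name, bps, q["children"])
        if total > parent_bps + 1e-6:
            problems.append("%s: children need %.0f bit/s but parent has only %.0f"
                            % (parent, total, parent_bps))

    walk(root["iface"], parse_bandwidth(root["bw"], None), root["children"])
    return problems


def lint(text):
    """Lint a pf.conf fragment; an empty list means the queue tree is consistent."""
    root, queues = parse_queues(text)
    if root is None:
        return ["no 'altq on' line found"]
    return check_tree(root, queues)


if __name__ == "__main__":
    for problem in lint(PF_CONF) or ["queue tree is consistent"]:
        print(problem)
```

On the poster's tree the five sized children of q_all add up to exactly 100%, so the only finding is that q_pri carries no bandwidth of its own; raising q_irc to 40% makes the linter report q_all as over-subscribed.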
From owner-freebsd-pf@FreeBSD.ORG Mon Jan 30 14:36:02 2006
From: husnu demir
To: "Roman Gorohov."
Cc: Admin Indoglobalhost, freebsd-pf@freebsd.org
Date: Mon, 30 Jan 2006 16:35:56 +0200
Message-ID: <20060130143555.GA356464@metu.edu.tr>
In-Reply-To: <1115316351.20060130163236@gmail.com>
Subject: Re: pf altq on bge

Also NOTES says that for altq:

options         ALTQ_NOPCC              # Required for SMP build

Just in case you want to use that.

Husnu Demir.

On Mon, Jan 30, 2006 at 04:32:36PM +0300, Roman Gorohov. wrote:
> Hello, Admin.
>
> You wrote on 30 January 2006, 16:02:30:
>
> > Hi, I have some problems with FreeBSD 5.4 Stable using pf and altq.
[...]
> > # SMP
> > options         SMP
[...]
> > options         ALTQ
> > options         ALTQ_CBQ
> > options         ALTQ_RED
> > options         ALTQ_RIO
> > options         ALTQ_HFSC
> > options         ALTQ_PRIQ
[...]
> > # pfctl -f /etc/pf.conf.altq
> > pfctl: bge0: driver does not support altq
> >
> > Can anyone help me to resolve this problem?
> >
> > NB: no error message if altq is disabled.
>
> ALTQ does not support device bge on 5.4. It does on 6.0.
>
> --
> Roman Gorohov.

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 30 16:19:57 2006
From: Admin Indoglobalhost
Reply-To: admin@indoglobalhost.com
To: husnu demir
Cc: freebsd-pf@freebsd.org
Date: Mon, 30 Jan 2006 22:51:11 +0700
In-Reply-To: <20060130143555.GA356464@metu.edu.tr>
References: <1115316351.20060130163236@gmail.com> <20060130143555.GA356464@metu.edu.tr>
Subject: Re: pf altq on bge
Thanks

I tried to rebuild now.. :)

On 1/30/06, husnu demir <hdemir@metu.edu.tr> wrote:
> Also NOTES says that for altq:
>
> options         ALTQ_NOPCC              # Required for SMP build
>
> Just in case you want to use that.
>
> Husnu Demir.
[...]
Cj4gPiA+IHBmLmNvbmYgKyBhbHRxIGNvbmZpZwo+ID4gPiA9PT09PT09PT09PT09PQo+ID4gPiAj IyBzZXQgbWFjcm9zCj4gPiA+IGV4dF9pZj0iYmdlMCIKPiA+ID4gbWFpbl9pcD0ieHgueHgueHgi IDwgaSByZW1vdmUgOikKPiA+ID4gaHR0cF9wb3J0cz0ieyA0MywgODAgfSIKPiA+ID4gc2VjX3Bv cnRzPSJ7IDIyIH0iCj4gPiA+IHRjcF9zZXJ2PSJ7IDIwLCAyMSwgMjUsIDUzIH0iCj4gPiA+IGRu c19wb3J0cz0ieyA0MywgNTMsIDEyMyB9Igo+ID4gPiBpcmNfcG9ydHM9InsgMTEzLCAyMDAwID48 IDgwMDUsIDgzMDAgPjwgOTAwMCwgMzAwMDAgPjwgNDAwMDAgfSIKPiA+ID4gaWNtcF90PSJlY2hv cmVxIgo+ID4gdHJhY2VydD0iMzM0MzQgPj48IDMzNDUwIgo+ID4KPiA+ID4gIyMgbWFpbiBzZXQg b3B0aW9ucwo+ID4gPiBzZXQgdGltZW91dCB7IGZyYWcgMzAsIGludGVydmFsIDEwIH0KPiA+ID4g c2V0IGxpbWl0IHsgZnJhZ3MgNTAwMCwgc3RhdGVzIDMwMDAgfQo+ID4gPiBzZXQgbG9naW50ZXJm YWNlICRleHRfaWYKPiA+ID4gc2V0IGJsb2NrLXBvbGljeSBkcm9wCj4gPiA+IHNldCBvcHRpbWl6 YXRpb24gbm9ybWFsCj4gPiA+IHNjcnViIGluIGFsbAo+ID4KPiA+ID4gIyMgUVVFVUVTIC0gQUxU USBydWxlcwo+ID4gPiBhbHRxIG9uIGJnZTAgY2JxIGJhbmR3aWR0aCAxMDBNYiBxdWV1ZSB7IHFf YWxsIH0KPiA+ID4gcXVldWUgcV9hbGwgYmFuZHdpZHRoIDEwMCUgY2JxIHsgcV9kZWYsIHFfcHJp LCBxX21pc2MsIHFfd2ViLCBxX2RucywgcV9pcmMgfQo+ID4gPiBxdWV1ZSBxX2RlZiBiYW5kd2lk dGggMjUlIHByaW9yaXR5IDEgY2JxKGJvcnJvdyBkZWZhdWx0IHJlZCBlY24pCj4gPiA+IHF1ZXVl IHFfbWlzYyBiYW5kd2lkdGggMTAlIHByaW9yaXR5IDAgY2JxKHJlZCkKPiA+ID4gcXVldWUgcV93 ZWIgYmFuZHdpZHRoIDE1JSBwcmlvcml0eSA0IGNicShib3Jyb3cpCj4gPiA+IHF1ZXVlIHFfZG5z IGJhbmR3aWR0aCAyNSUgcHJpb3JpdHkgNSBjYnEoYm9ycm93KQo+ID4gPiBxdWV1ZSBxX2lyYyBi YW5kd2lkdGggMjUlIHByaW9yaXR5IDYgY2JxKGJvcnJvdykKPiA+ID4gcXVldWUgcV9wcmkgcHJp b3JpdHkgNwo+ID4KPiA+ID4gIyMgRGVmYXVsdCBCbG9jawo+ID4gPiBibG9jayBpbiBhbGwKPiA+ ID4gYmxvY2sgb3V0IGFsbAo+ID4KPiA+ID4gIz0tIFRhYmxlCj4gPiA+IHRhYmxlIDxzcG9vZj4g cGVyc2lzdCBmaWxlICIvZXRjL3BmdGFibGUvc3Bvb2YuY29uZiIKPiA+ID4gdGFibGUgPGRkb3M+ IHBlcnNpc3QgZmlsZSAiL2V0Yy9wZnRhYmxlL2Rkb3MuY29uZiIKPiA+ID4gdGFibGUgPHNpbmRv PiBwZXJzaXN0IGZpbGUgIi9ldGMvcGZ0YWJsZS9zZXJ2aW5kby5jb25mIgo+ID4gPiB0YWJsZSA8 YmZkPiBwZXJzaXN0IGZpbGUgIi9ldGMvcGZ0YWJsZS9iZmQuY29uZiIKPiA+ID4gdGFibGUgPGlu 
dD4gcGVyc2lzdCBmaWxlICIvZXRjL3BmdGFibGUvaW50LmNvbmYiCj4gPiA+IHRhYmxlIDxpZ2g+ IHBlcnNpc3QgZmlsZSAiL2V0Yy9wZnRhYmxlL2pvc3MuY29uZiIKPiA+Cj4gPgo+ID4gPiBibG9j ayBpbiBxdWljayBvbiAkZXh0X2lmIGZyb20geyA8c3Bvb2Y+LCA8ZGRvcz4sIDxzaW5kbz4sIDxi ZmQ+LCA8aW50PiB9IHRvIGFueQo+ID4KPiA+ID4gcGFzcyBxdWljayBvbiBsbzAgYWxsCj4gPiA+ IHBhc3MgaW5ldCBwcm90byBpY21wIGZyb20gPGpvc3M+IHRvIGFueSBpY21wLXR5cGUgJGljbXBf dCBrZWVwIHN0YXRlCj4gPiA+IHF1ZXVlIHFfbWlzYwo+ID4gPiBwYXNzIG91dCBxdWljayBwcm90 byB1ZHAgZnJvbSBhbnkgdG8gYW55IHBvcnQgJHRyYWNlcnQga2VlcCBzdGF0ZSBxdWV1ZSBxX2Rl Zgo+ID4gPiBwYXNzIHF1aWNrIHByb3RvIHRjcCBmcm9tIGFueSB0byBhbnkgcG9ydCAkdGNwX3Nl cnYga2VlcCBzdGF0ZSBxdWV1ZSBxX2RlZgo+ID4KPiA+ID4gcGFzcyBpbiBxdWljayBwcm90byB0 Y3AgZnJvbSA8aWdoPiB0byBhbnkgcG9ydCAyMiBrZWVwIHN0YXRlCj4gPiA+IHBhc3MgcXVpY2sg cHJvdG8gdGNwIGZyb20gYW55IHRvIGFueSBwb3J0ICRzZWNfcG9ydHMga2VlcCBzdGF0ZSBxdWV1 ZSBxX3ByaQo+ID4KPiA+ID4gcGFzcyBxdWljayBwcm90byB1ZHAgZnJvbSBhbnkgdG8gYW55IHBv cnQgJGRuc19wb3J0cyBrZWVwIHN0YXRlIHF1ZXVlIHFfZG5zCj4gPiA+IHBhc3Mgb3V0IHF1aWNr IHByb3RvIHsgdGNwLCB1ZHAgfSBmcm9tIDxpZ2g+IHRvIGFueSBwb3J0IHsgMTYxLCAxNjIgfQo+ ID4gPiBrZWVwIHN0YXRlIHF1ZXVlIHFfZG5zCj4gPgo+ID4gPiBwYXNzIGluIHF1aWNrIHByb3Rv IHRjcCBmcm9tIGFueSB0byAkbWFpbl9pcCBwb3J0ICRodHRwX3BvcnRzIGZsYWdzCj4gPiA+IFMv U0Egc3lucHJveHkgc3RhdGUgcXVldWUgcV93ZWIKPiA+ID4gcGFzcyBvdXQgcXVpY2sgcHJvdG8g dGNwIGZyb20gJG1haW5faXAgdG8gYW55IHBvcnQgJGh0dHBfcG9ydHMga2VlcAo+ID4gPiBzdGF0 ZSBxdWV1ZSBxX3dlYgo+ID4KPiA+ID4gcGFzcyBxdWljayBwcm90byB0Y3AgZnJvbSBhbnkgdG8g YW55IHBvcnQgJGlyY19wb3J0cyBrZWVwIHN0YXRlIHF1ZXVlIHFfaXJjCj4gPgo+ID4gPiA9PT09 PT09PT09PT09PT09PT09PT09PT09PT09Cj4gPgo+ID4gPiBpIHRyeSB0byBsb2FkIHRoZSBjb25m aWd1cmF0aW9uIGNvbmYsCj4gPgo+ID4gPiAjIHBmY3RsIC1mIC9ldGMvcGYuY29uZi5hbHRxCj4g PiA+IHBmY3RsOiBiZ2UwOiBkcml2ZXIgZG9lcyBub3Qgc3VwcG9ydCBhbHRxCj4gPgo+ID4gPiBh bnkgb25lIGNhbiBoZWxwIG1lIHRvIHJlc29sdiB0aGlzIHByb2JsZW0uCj4gPgo+ID4gPiBOYjog bm8gZXJyb3IgbWVzc2VnZSBpZiB0aGUgYWx0cSBkaXNhYmxlZC4KPiA+Cj4gPiA+IFRoYW5rJ3MK 
PiA+ID4gX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KPiA+ ID4gZnJlZWJzZC1wZkBmcmVlYnNkLm9yZyBtYWlsaW5nIGxpc3QKPiA+ID4gaHR0cDovL2xpc3Rz LmZyZWVic2Qub3JnL21haWxtYW4vbGlzdGluZm8vZnJlZWJzZC1wZgo+ID4gPiBUbyB1bnN1YnNj cmliZSwgc2VuZCBhbnkgbWFpbCB0byAiZnJlZWJzZC1wZi11bnN1YnNjcmliZUBmcmVlYnNkLm9y ZyIKPiA+Cj4gPiBBTFRRIGRvZW4gbm90IHN1cHBvcnQgZGV2aWNlIGJnZSBvbiA1LjQuIEl0IGRv ZXMgb24gNi4wLgo+ID4KPiA+IC0tCj4gPiBSb21hbiBHb3JvaG92Lgo+ID4KPiA+IF9fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fCj4gPiBmcmVlYnNkLXBmQGZy ZWVic2Qub3JnIG1haWxpbmcgbGlzdAo+ID4gaHR0cDovL2xpc3RzLmZyZWVic2Qub3JnL21haWxt YW4vbGlzdGluZm8vZnJlZWJzZC1wZgo+ID4gVG8gdW5zdWJzY3JpYmUsIHNlbmQgYW55IG1haWwg dG8gImZyZWVic2QtcGYtdW5zdWJzY3JpYmVAZnJlZWJzZC5vcmciCj4K From owner-freebsd-pf@FreeBSD.ORG Mon Jan 30 17:29:35 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 509F716A420 for ; Mon, 30 Jan 2006 17:29:35 +0000 (GMT) (envelope-from who.kill.the.blind.dogs@gmail.com) Received: from uproxy.gmail.com (uproxy.gmail.com [66.249.92.204]) by mx1.FreeBSD.org (Postfix) with ESMTP id 719A843D53 for ; Mon, 30 Jan 2006 17:29:34 +0000 (GMT) (envelope-from who.kill.the.blind.dogs@gmail.com) Received: by uproxy.gmail.com with SMTP id k3so1025453ugf for ; Mon, 30 Jan 2006 09:29:33 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=GeVBNPE4B3dtNL5QqkJaxjrkq9eaXchEE/XciClwkM1eL20xyZCHmSBMawy4GiTGf0Z52ODiVzIaa0+E2HUhNg0xSJ0mBUTwjVTMs7LjBBPoDnJCPDHiJBuRtGWeLcuI6I5G9RTvcD1IJAZPU5gGZMJMu/r6f1R4hNZPtmz04uo= Received: by 10.48.232.6 with SMTP id e6mr985226nfh; Mon, 30 Jan 2006 05:51:37 -0800 (PST) Received: by 10.48.221.7 with HTTP; Mon, 30 Jan 2006 05:51:37 -0800 (PST) Message-ID: Date: Mon, 30 Jan 2006 20:51:37 
+0700 From: Agus Riant To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Subject: Hi I have some problems with FreeBSD 5.4 Stable using pf and altq X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 Jan 2006 17:29:35 -0000

Hi, I have some problems with FreeBSD 5.4 Stable using pf and altq.

This is my kernconf
============
machine         i386
cpu             I686_CPU
ident           JOSS
maxusers        512

# To statically compile in device wiring instead of /boot/device.hints
#hints          "GENERIC.hints"         # Default places to look for devices.

options         SCHED_4BSD              # 4BSD scheduler
options         INET                    # InterNETworking
##options       INET6                   # IPv6 communications protocols
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         MD_ROOT                 # MD is a potential root device
options         CD9660                  # ISO 9660 Filesystem
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         GEOM_GPT                # GUID Partition Tables.
options         COMPAT_43               # Compatible with BSD 4.3 [KEEP THIS!]
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         KTRACE                  # ktrace(1) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         AHC_REG_PRETTY_PRINT    # Print register bitfields in debug
                                        # output.  Adds ~128k to driver.
options         AHD_REG_PRETTY_PRINT    # Print register bitfields in debug
                                        # output.  Adds ~215k to driver.
options         ADAPTIVE_GIANT          # Giant mutex is adaptive.

device          apic                    # I/O APIC

# Bus support.  Do not remove isa, even if you have no isa slots
device          isa
device          eisa
device          pci

# ATA and ATAPI devices
device          ata
device          atadisk                 # ATA disk drives
device          atapicd                 # ATAPI CDROM drives
options         ATA_STATIC_ID           # Static device numbering

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc                  # AT keyboard controller
device          atkbd                   # AT keyboard

device          vga                     # VGA video card driver

device          splash                  # Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device          sc

device          agp                     # support several AGP chipsets

# Floating point support - do not disable.
device          npx

# Add suspend/resume support for the i8254.
device          pmtimer

# Serial (COM) ports
device          sio                     # 8250, 16[45]50 based serial ports

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus                  # MII bus support
device          bge                     # Broadcom BCM570xx Gigabit Ethernet

# Pseudo devices.
device          loop                    # Network loopback
device          mem                     # Memory and kernel memory devices
device          io                      # I/O device
device          random                  # Entropy device
device          ether                   # Ethernet support
device          tun                     # Packet tunnel.
device          pty                     # Pseudo-ttys (telnet etc)
device          md                      # Memory "disks"
##device        gif                     # IPv6 and IPv4 tunneling
##device        faith                   # IPv6-to-IPv4 relaying (translation)

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device          bpf                     # Berkeley packet filter

# SMP
options         SMP

# snooop
device          snp

## PF
device          pf
device          pflog
device          pfsync

options         ALTQ
options         ALTQ_CBQ
options         ALTQ_RED
options         ALTQ_RIO
options         ALTQ_HFSC
options         ALTQ_PRIQ

options         QUOTA

pf.conf + altq config
==============
## set macros
ext_if="bge0"
main_ip="xx.xx.xx" < i remove :)
http_ports="{ 43, 80 }"
sec_ports="{ 22 }"
tcp_serv="{ 20, 21, 25, 53 }"
dns_ports="{ 43, 53, 123 }"
irc_ports="{ 113, 2000 >< 8005, 8300 >< 9000, 30000 >< 40000 }"
icmp_t="echoreq"
tracert="33434 >< 33450"

## main set options
set timeout { frag 30, interval 10 }
set limit { frags 5000, states 3000 }
set loginterface $ext_if
set block-policy drop
set optimization normal
scrub in all

## QUEUES - ALTQ rules
altq on bge0 cbq bandwidth 100Mb queue { q_all }
queue q_all bandwidth 100% cbq { q_def, q_pri, q_misc, q_web, q_dns, q_irc }
queue q_def bandwidth 25% priority 1 cbq(borrow default red ecn)
queue q_misc bandwidth 10% priority 0 cbq(red)
queue q_web bandwidth 15% priority 4 cbq(borrow)
queue q_dns bandwidth 25% priority 5 cbq(borrow)
queue q_irc bandwidth 25% priority 6 cbq(borrow)
queue q_pri priority 7

## Default Block
block in all
block out all

#=- Table
table persist file "/etc/pftable/spoof.conf"
table persist file "/etc/pftable/ddos.conf"
table persist file "/etc/pftable/servindo.conf"
table persist file "/etc/pftable/bfd.conf"
table persist file "/etc/pftable/int.conf"
table persist file "/etc/pftable/joss.conf"

block in quick on $ext_if from { , , , , } to any

pass quick on lo0 all
pass inet proto icmp from to any icmp-type $icmp_t keep state queue q_misc
pass out quick proto udp from any to any port $tracert keep state queue q_def
pass quick proto tcp from any to any port $tcp_serv keep state queue q_def

pass in quick proto tcp from to any port 22 keep state
pass quick proto tcp from any to any port $sec_ports keep state queue q_pri

pass quick proto udp from any to any port $dns_ports keep state queue q_dns
pass out quick proto { tcp, udp } from to any port { 161, 162 } keep state queue q_dns

pass in quick proto tcp from any to $main_ip port $http_ports flags S/SA synproxy state queue q_web
pass out quick proto tcp from $main_ip to any port $http_ports keep state queue q_web

pass quick proto tcp from any to any port $irc_ports keep state queue q_irc
============================

I try to load the configuration conf,

# pfctl -f /etc/pf.conf.altq
pfctl: bge0: driver does not support altq

Can anyone help me to resolve this problem?

NB: no error message if altq is disabled.

Thanks

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 30 20:01:18 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 01C0816A434 for ; Mon, 30 Jan 2006 20:01:18 +0000 (GMT) (envelope-from hakuchi@www.liukuma.net) Received: from www.liukuma.net (www.liukuma.net [62.220.235.15]) by mx1.FreeBSD.org (Postfix) with ESMTP id 90B1A43D4C for ; Mon, 30 Jan 2006 20:01:17 +0000 (GMT) (envelope-from hakuchi@www.liukuma.net) Received: by www.liukuma.net (Postfix, from userid 1021) id 8C9675F40; Mon, 30 Jan 2006 22:01:16 +0200 (EET) Received: from localhost (localhost [127.0.0.1]) by www.liukuma.net (Postfix) with ESMTP id 89D705A9F; Mon, 30 Jan 2006 22:01:16 +0200 (EET) Date: Mon, 30 Jan 2006 22:01:16 +0200 (EET) From: Juhana Tahvanainen To: Agus Riant In-Reply-To: Message-ID: <20060130215822.R6316@www.liukuma.net> References: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-pf@freebsd.org Subject: Re: Hi I have some problems with FreeBSD 5.4 Stable using pf and altq X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe:
, List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 Jan 2006 20:01:18 -0000

found this:

http://www.freebsd.org/cgi/getmsg.cgi?fetch=57432+63754+/usr/local/www/db/text/2005/freebsd-pf/20050717.freebsd-pf

---J

On Mon, 30 Jan 2006, Agus Riant wrote:

> ============================
>
> i try to load the configuration conf,
>
> # pfctl -f /etc/pf.conf.altq
> pfctl: bge0: driver does not support altq
>
> any one can help me to resolv this problem.
>
> Nb: no error messege if the altq disabled.
>
> Thank's
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 31 19:54:17 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A859B16A420 for ; Tue, 31 Jan 2006 19:54:17 +0000 (GMT) (envelope-from eduard.vopicka@i.cz) Received: from vidle.i.cz (vidle.i.cz [193.179.36.140]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2656243D49 for ; Tue, 31 Jan 2006 19:54:16 +0000 (GMT) (envelope-from eduard.vopicka@i.cz) Received: from ns.i.cz (brana.i.cz [193.179.36.134]) by vidle.i.cz (Postfix) with ESMTP id B629E2E016 for ; Tue, 31 Jan 2006 20:54:15 +0100 (CET) Received: from localhost (localhost.i.cz [127.0.0.1]) by ns.i.cz (Postfix) with SMTP id 968A4122A02; Tue, 31 Jan 2006 20:54:15 +0100 (CET) X-AV-Checked: Tue Jan 31 20:54:15 2006 ns.i.cz Received: from [192.168.1.12] (brana.i.cz [192.168.1.10]) by ns.i.cz (Postfix) with ESMTP id 98593122A01; Tue, 31 Jan 2006 20:54:12 +0100 (CET) Message-ID: <43DFC05E.5030602@i.cz> Date: Tue, 31 Jan 2006 20:54:06 +0100 From: Eduard Vopicka User-Agent: Thunderbird 1.5 (Windows/20051201) MIME-Version: 1.0 To: freebsd-pf@freebsd.org Content-Type: multipart/signed;
protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms030301050501020708070502" Subject: Using pf to force different outgoing IP address depending on UNIX user/group for locally originating connection? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 Jan 2006 19:54:17 -0000

Good evening.

My goal is to use pf to force (via NAT) different outgoing IP addresses depending on the UID and/or GID of the program establishing the connection, for connections originating locally on a machine with FreeBSD 5.4. (I do not expect this to work for setuid/setgid programs.)

I realize that I can filter and tag outgoing packets based on UID/GID on the outgoing interface, but after filtering and tagging, it is too late for NAT.

I believe that it is possible to achieve my goal with pf, but probably some sort of loopback routing is required, so that the packet can first be tagged in the filtering rule depending on the UID/GID, then somehow routed back and then NATed based on the tag?

E.g., the primary address on the outgoing ethernet interface is for example 192.168.33.11, and then for programs being run by the user with UID=1004 I need to force outgoing IP address 192.168.33.14, for UID=1005 outgoing IP address 192.68.33.15 and so on. I hope this concept can be easily extended also for use with GIDs.

Thanks in advance for pointing me in the right direction and please excuse my poor English,

Eduard Vopicka

--
Eduard Vopicka
ICZ a.s.
- Oddeleni vnitrniho IT
Hvezdova 1689, 140 00 Praha 4, CZ
Tel: +420 244 100 248, +420 244 100 111
Fax: +420 244 100 222
http://www.i.cz

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 31 20:11:32 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B76AB16A420 for ; Tue, 31 Jan 2006 20:11:32 +0000 (GMT) (envelope-from dimas@dataart.com) Received: from relay1.dataart.com (fobos.marketsite.ru [62.152.84.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id D1C5843D53 for ; Tue, 31 Jan 2006 20:11:27 +0000 (GMT) (envelope-from dimas@dataart.com) Received: from e1.universe.dart.spb ([192.168.10.44]) by relay1.dataart.com with esmtp (Exim 4.22) id 1F41qU-00080S-KR; Tue, 31 Jan 2006 23:11:22 +0300 X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Date: Tue, 31 Jan 2006 23:11:10
+0300 Message-ID: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Using pf to force different outgoing IP address depending on UNIX user/group for locally originating connection? Thread-Index: AcYmoCu1rMT4qhdyS5eRi+bxpoWXcgAASYGQ From: "Dmitry Andrianov" To: "Eduard Vopicka" , Cc: Subject: RE: Using pf to force different outgoing IP address depending on UNIX user/group for locally originating connection? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 Jan 2006 20:11:32 -0000

Hello.

To my understanding, you can apply a nat rule to tagged packets only. This should do the trick.

nat on $ext_if tagged TAG1 -> 192.168.33.14
nat on $ext_if tagged TAG2 -> 192.168.33.15

Moreover, nat rules can also accept uid/gid matching, but I'm not sure about that.

Doesn't it work?

Regards,
Dmitry Andrianov

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Eduard Vopicka
Sent: Tuesday, January 31, 2006 10:54 PM
To: freebsd-pf@freebsd.org
Subject: Using pf to force different outgoing IP address depending on UNIX user/group for locally originating connection?

Good evening.

My goal is to use pf to force (via NAT) different outgoing IP addresses depending on the UID and/or GID of the program establishing the connection, for connections originating locally on a machine with FreeBSD 5.4. (I do not expect this to work for setuid/setgid programs.)

I realize that I can filter and tag outgoing packets based on UID/GID on the outgoing interface, but after filtering and tagging, it is too late for NAT.

I believe that it is possible to achieve my goal with pf, but probably some sort of loopback routing is required, so that the packet can first be tagged in the filtering rule depending on the UID/GID, then somehow routed back and then NATed based on the tag?

E.g., the primary address on the outgoing ethernet interface is for example 192.168.33.11, and then for programs being run by the user with UID=1004 I need to force outgoing IP address 192.168.33.14, for UID=1005 outgoing IP address 192.68.33.15 and so on. I hope this concept can be easily extended also for use with GIDs.

Thanks in advance for pointing me in the right direction and please excuse my poor English,

Eduard Vopicka

--
Eduard Vopicka
ICZ a.s. - Oddeleni vnitrniho IT
Hvezdova 1689, 140 00 Praha 4, CZ
Tel: +420 244 100 248, +420 244 100 111
Fax: +420 244 100 222
http://www.i.cz

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 1 14:01:43 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6040F16A420 for ; Wed, 1 Feb 2006 14:01:43 +0000 (GMT) (envelope-from bill.marquette@gmail.com) Received: from xproxy.gmail.com (xproxy.gmail.com [66.249.82.204]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4B9A143D79 for ; Wed, 1 Feb 2006 14:01:37 +0000 (GMT) (envelope-from bill.marquette@gmail.com) Received: by xproxy.gmail.com with SMTP id s9so104896wxc for ; Wed, 01 Feb 2006 06:01:36 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=DSQH3+Gskzhy4EdnVLXZnShfLKk8Kx/VYixRrO6RCDkkZiKVDd/T+lw1f/nF/YZawwSgstfZesXEMxHx/19ReGkHrvgZxy3aeZyKUXRjYYZYF0S2UVkRS/cISa0N9nVaH356K5gR4iJiWEy3Zc3/HXAjXeIQturXUerX0kQlOPE= Received: by 10.70.90.20 with SMTP id n20mr2909627wxb; Wed, 01 Feb 2006
06:01:36 -0800 (PST) Received: by 10.70.89.8 with HTTP; Wed, 1 Feb 2006 06:01:36 -0800 (PST) Message-ID: <55e8a96c0602010601t7b746206ice51e29c3265490f@mail.gmail.com> Date: Wed, 1 Feb 2006 08:01:36 -0600 From: Bill Marquette To: Dmitry Andrianov In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: Cc: freebsd-pf@freebsd.org Subject: Re: Using pf to force different outgoing IP address depending on UNIX user/group for locally originating connection? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Feb 2006 14:01:43 -0000

On 1/31/06, Dmitry Andrianov wrote:
> Hello.
>
> To my understanding, you can apply nat rule to tagged packets only. This
> should do the trick.
>
> nat on $ext_if tagged TAG1 -> 192.168.33.14
> nat on $ext_if tagged TAG2 -> 192.168.33.15

You can apply tags to NATs, however the point of the original post was that filter policy (which accepts the 'user' syntax) is evaluated AFTER the NAT, so he can't tag a packet based on the filter policy and then have it NATd using the correct source address for that user.

>
> Moreover, nat rules can also accept uid/gid matching but I'm not sure
> about that.
>
> Doesn't it work?
Nope...an otherwise syntactically correct config file (note that this is from a recent OpenBSD snapshot, not FreeBSD - not that the difference changes anything):

$ cat foo
nat on lo0 from any to any user root -> 127.0.0.1
$ sudo pfctl -f foo
foo:1: syntax error
pfctl: Syntax error in config file: pf rules not loaded
$ cat foo
nat on lo0 from any to any -> 127.0.0.1
$ sudo pfctl -f foo
$ sudo pfctl -sn
nat on lo0 inet all -> 127.0.0.1

I haven't looked at the code, but I wouldn't be terribly surprised if you couldn't just copy/paste the user match code in the lexer for filter rules into the nat part of the lexer.

--Bill

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 1 15:56:53 2006
From: "Keith Bottner"
Date: Wed, 1 Feb 2006 09:58:45 -0600
Organization: Barking Lizards Technologies
Message-ID: <0be301c62748$624140d0$0e01a8c0@Stile>
Subject: Port redirection just not working!
I am having a problem getting packet filter to redirect incoming traffic destined for a specific IP and port to an internal DMZ host. Interestingly enough I am not having a problem doing the same with SSH just with these nonstandard ports. I was originally redirecting the traffic and then placing filtering rules to pass the traffic but since I could not get that to work I just tried having the redirection rules pass the traffic directly bypassing the filtering rules, and this does NOT work either. I would appreciate any insight someone can give me to what I am doing wrong as I have read the manual several times and googled forever with no luck.

Any help would be appreciated,

Keith

My firewall has 3 nics, 1 external, 1 dmz, and 1 internal.
##########
# MACROS #
##########
ext_if="xl1"
ext_gw_addr="X.Y.Z.17"
ext_nat_addr="X.Y.Z.18"
ext_http_addr="X.Y.Z.19"
ext_ftp_addr="X.Y.Z.19"
ext_blits_addr="X.Y.Z.19"
ext_unused1_addr="X.Y.Z.20"
ext_unused2_addr="X.Y.Z.21"
ext_ea_addr="X.Y.Z.22"

# Internal (Intranet)
int_if="xl0"
int_net="192.168.1.0/24"

# DMZ
dmz_if="vr0"
dmz_net="10.11.13.0/24"
dmz_http_addr="10.11.13.100"
dmz_ftp_addr="10.11.13.100"
dmz_nimb_addr="10.11.13.106"
dmz_clip_addr="10.11.13.103"
dmz_three_addr="10.11.13.203"
dmz_four_addr="10.11.13.204"
dmz_five_addr="10.11.13.205"

##########
# TABLES #
##########
table const { 127/8, 10/8, 172.16/12, 192.168/16 }
table const { X.Y.Z.18, X.Y.Z.19, X.Y.Z.20, X.Y.Z.21 }

#################
# NORMALIZATION #
#################
scrub in all fragment reassemble

############
# QUEUEING #
############

###############
# TRANSLATION #
###############
# FTP Active connections
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# NAT workstations
nat on $ext_if from $int_net to any -> $ext_nat_addr
# NAT servers external requests
nat on $ext_if from $dmz_net to any -> $ext_nat_addr

###############
# REDIRECTION #
###############
# *********** DOES NOT WORK - START ***********
rdr pass on $ext_if proto tcp from any to $ext_http_addr port 9874 -> $dmz_clip_addr
rdr pass on $int_if proto tcp from any to $ext_http_addr port 9874 -> $dmz_clip_addr
rdr pass on $ext_if proto tcp from any to $ext_blits_addr port 4030:4034 -> $dmz_three_addr
rdr pass on $int_if proto tcp from any to $ext_blits_addr port 4030:4034 -> $dmz_three_addr
rdr pass on $ext_if proto tcp from any to $ext_blits_addr port 4040:4044 -> $dmz_four_addr
rdr pass on $int_if proto tcp from any to $ext_blits_addr port 4040:4044 -> $dmz_four_addr
rdr pass on $ext_if proto tcp from any to $ext_blits_addr port 4050:4054 -> $dmz_five_addr
rdr pass on $int_if proto tcp from any to $ext_blits_addr port 4050:4054 -> $dmz_five_addr
# *********** DOES NOT WORK - END ***********

rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to $ext_if port http -> $dmz_http_addr port http
rdr on $int_if proto tcp from any to $ext_http_addr port http -> $dmz_http_addr port http
rdr on $ext_if proto tcp from any to $ext_http_addr port ssh -> $dmz_http_addr
rdr on $int_if proto tcp from any to $ext_http_addr port 200 -> $dmz_http_addr port ssh
rdr on $ext_if proto tcp from any to $ext_http_addr port 1666 -> $dmz_nimb_addr port ssh
rdr on $int_if proto tcp from any to $ext_http_addr port 1666 -> $dmz_nimb_addr port ssh
rdr on $ext_if proto tcp from any to $ext_http_addr port 220 -> $dmz_clip_addr port ssh
rdr on $int_if proto tcp from any to $ext_http_addr port 220 -> $dmz_clip_addr port ssh
rdr on $ext_if proto tcp from any to $ext_http_addr port 223 -> $dmz_three_addr port ssh
rdr on $int_if proto tcp from any to $ext_http_addr port 223 -> $dmz_three_addr port ssh
rdr on $ext_if proto tcp from any to $ext_http_addr port 224 -> $dmz_four_addr port ssh
rdr on $int_if proto tcp from any to $ext_http_addr port 224 -> $dmz_four_addr port ssh
rdr on $ext_if proto tcp from any to $ext_http_addr port 225 -> $dmz_five_addr port ssh
rdr on $int_if proto tcp from any to $ext_http_addr port 225 -> $dmz_five_addr port ssh
rdr on $ext_if proto tcp from any to $ext_ftp_addr port 21 -> $dmz_ftp_addr port 21
rdr on $ext_if proto tcp from any to $ext_ftp_addr port 30000:30999 -> $dmz_ftp_addr
rdr on $int_if proto tcp from any to $ext_ftp_addr port 21 -> $dmz_ftp_addr port 21
rdr on $int_if proto tcp from any to $ext_ftp_addr port 30000:30999 -> $dmz_ftp_addr

#############
# FILTERING #
#############
block in log all
block out log all
pass quick on lo0 all
block in log quick on $ext_if from to any
block out quick on $ext_if from any to
antispoof quick for { $int_if, $dmz_if } inet
pass in on $ext_if proto tcp from any to $dmz_http_addr port http flags S/SA synproxy state
pass in on $ext_if inet proto tcp from port ftp-data to $ext_if user proxy flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
anchor "ftp-proxy/*"
pass in on $ext_if inet proto tcp from port ftp-data to $ext_nat_addr user proxy flags S/SA keep state
pass in quick on $ext_if proto tcp from any to $dmz_ftp_addr port 21 keep state
pass in quick on $ext_if proto tcp from any to $dmz_ftp_addr port > 29999 keep state
pass out quick on $dmz_if proto tcp from any to $dmz_ftp_addr port 21 keep state
pass out quick on $dmz_if proto tcp from any to $dmz_ftp_addr port > 29999 keep state
pass in log on $ext_if proto tcp from any to $dmz_http_addr port ssh flags S/SA synproxy state
pass in log on $ext_if proto tcp from any to $dmz_nimb_addr port ssh flags S/SA synproxy state
pass in log on $ext_if proto tcp from any to $dmz_clip_addr port ssh flags S/SA synproxy state
pass in log on $ext_if proto tcp from any to $dmz_three_addr port ssh flags S/SA synproxy state
pass in log on $ext_if proto tcp from any to $dmz_four_addr port ssh flags S/SA synproxy state
pass in log on $ext_if proto tcp from any to $dmz_five_addr port ssh flags S/SA synproxy state

# *********** HERE ARE THE OLD RULES I WAS USING BEFORE I DECIDED TO REMOVE THEM AND JUST PASS IN
# *********** THE REDIRECTION RULES ABOVE. INCLUDED THEM HERE FOR COMPLETENESS.
#pass in on $ext_if proto tcp from any to $dmz_clip_addr port 9874
#pass in on $ext_if proto tcp from any to $dmz_three_addr port { 4030 4031 4032 4033 4034 } flags S/SA synproxy state
#pass in on $ext_if proto tcp from any to $dmz_four_addr port { 4040 4041 4042 4043 4044 } flags S/SA synproxy state
#pass in on $ext_if proto tcp from any to $dmz_five_addr port { 4050 4051 4052 4053 4054 } flags S/SA synproxy state

pass in on $int_if from $int_net to any keep state
pass in on $dmz_if from $dmz_net to any keep state
pass out on $dmz_if from any to $dmz_net keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 1 17:25:22 2006
From: Jon Simola
To: Keith Bottner
Cc: freebsd-pf@freebsd.org
Date: Wed, 1 Feb 2006 09:25:06 -0800
Message-ID: <8eea04080602010925x16640e22h4fb1f121577f405c@mail.gmail.com>
In-Reply-To: <0be301c62748$624140d0$0e01a8c0@Stile>
Subject: Re: Port redirection just not working!

On 2/1/06, Keith Bottner wrote:
> I am having a problem getting packet filter to redirect incoming traffic
> destined for a specific IP and port to an internal DMZ host.

> rdr pass on $ext_if proto tcp from any to $ext_http_addr port 9874 ->
> $dmz_clip_addr

If you use an RDR to punch traffic to a DMZ host, you also need a NAT rule in the opposite direction to make sure the traffic reappears from the same IP. What I'm doing:

rdr on em0 proto tcp from any to $user_mailserver port {pop3, smtp} -> 10.188.0.7
nat on em0 proto tcp from 10.188.0.7 port {pop3, smtp} to any -> $user_mailserver
rdr on vlan130 proto tcp from vlan130:network to $user_mailserver port {pop3,smtp} -> 10.188.0.7
nat on vlan130 proto tcp from 10.188.0.7 port {pop3,smtp} to vlan130:network -> $user_mailserver

Of course, this leads to huge piles of rules but is working great. (2 per server per interface)

--
Jon Simola
Systems Administrator
ABC Communications

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 1 17:54:11 2006
From: Nickola Kolev
To: freebsd-pf@freebsd.org
Date: Wed, 1 Feb 2006 19:54:05 +0200
Message-Id: <20060201195405.71628377.nikky@mnet.bg>
Subject: netflow v5 - src AS/dst AS

Hello, fellow posters,

As you can see from the subject, I'd like to set up a PC-based netflow v5 probe, capable of exporting information about specific source and destination ASes for the purpose of accounting. Regretfully, I didn't come to any solution, mostly because the kernel FIB, even though injected with a full BGP routing table, doesn't carry any BGP-specific information (such as next-hop AS, src AS, dst AS, etc.). This is normal, because, at least the way I can explain it to myself, the BGP-speaking daemons, be it Zebra/Quagga, Xorp or OpenBGPd, are userspace programs and probably don't have a way to inject such information into the kernel FIB; that's why they keep it in their own structures.

My question is: does any of you know of a way to achieve some sort of interaction between the BGP-speaking daemon (e.g. Quagga) and the various netflow probes to export Netflow v5 data, including src/dst AS information? Maybe some netgraph module besides ng_netflow, which I tried, but to no avail.

Sorry if my question seems a bit messy.

________________________________________________________________________

Cheers,
Nickola Kolev

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 1 18:00:41 2006
From: Nickola Kolev
To: freebsd-pf@freebsd.org
Date: Wed, 1 Feb 2006 20:00:28 +0200
Message-Id: <20060201200028.23d4d9cb.nikky@mnet.bg>
In-Reply-To: <20060201195405.71628377.nikky@mnet.bg>
Subject: Re: netflow v5 - src AS/dst AS

On Wed, 1 Feb 2006 19:54:05 +0200 Nickola Kolev wrote:

: Hello, fellow posters
[ cut ]

Sorry, this is more appropriate for freebsd-net@. My apologies.
Cheers,
Nickola

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 1 18:09:15 2006
From: Daniel Hartmeier
To: Keith Bottner
Cc: freebsd-pf@freebsd.org
Date: Wed, 1 Feb 2006 19:09:01 +0100
Message-ID: <20060201180901.GC1311@insomnia.benzedrine.cx>
In-Reply-To: <0be301c62748$624140d0$0e01a8c0@Stile>
Subject: Re: Port redirection just not working!

On Wed, Feb 01, 2006 at 09:58:45AM -0600, Keith Bottner wrote:

> I am having a problem getting packet filter to redirect incoming traffic
> destined for a specific IP and port to an internal DMZ host.
> Interestingly
> enough I am not having a problem doing the same with SSH just with these
> nonstandard ports. I was originally redirecting the traffic and then placing
> filtering rules to pass the traffic but since I could not get that to work I
> just tried having the redirection rules pass the traffic directly bypassing
> the filtering rules, and this does NOT work either. I would appreciate any
> insight someone can give me to what I am doing wrong as I have read the
> manual several times and googled forever with no luck.

Is $dmz_clip_addr's default gateway properly set to the pf box' vr0 address?

Otherwise run tcpdump on the pf box. You should see the TCP SYN with the yet-untranslated destination address arrive in on $ext_if, then pass out on $dmz_if with the destination address replaced ($dmz_clip_addr). Then you should see the TCP SYN+ACK arrive in on $dmz_if (yet-untranslated from $dmz_clip_addr), then out on $ext_if (with source address translated back).

It depends on where, exactly, in this sequence things go wrong. For instance, with the wrong default gateway on $dmz_clip_addr, the pf box wouldn't get the SYN+ACK back (since it's sent to a different gateway).

This assumes you're connecting from an external source. If it's an internal one, replace $ext_if with $int_if above. For a source within the DMZ, the redirection isn't supposed to work at all.
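The four tcpdump observations Daniel lists above can be checked mechanically. The following Python is an added example, not code from the thread or from pf: it parses tcpdump output captured on the external and DMZ interfaces and reports at which step the redirected handshake disappears. The interface names, the address 192.0.2.19 (standing in for X.Y.Z.19), the function names and all capture lines are constructed for illustration.

```python
import re

# One line of tcpdump output in the modern "Flags [...]" format, e.g. (constructed):
#   "IP 203.0.113.5.43210 > 192.0.2.19.9874: Flags [S], seq 1, win 65535"
PKT_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def parse_capture(lines):
    """Return the TCP packets of a tcpdump capture as dicts; other lines are skipped."""
    pkts = []
    for line in lines:
        m = PKT_RE.search(line)
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            pkts.append(p)
    return pkts


def seen(pkts, **want):
    """True if some packet matches every given field (src, dst, sport, dport, flags)."""
    return any(all(p[k] == v for k, v in want.items()) for p in pkts)


# Hint for each possible number of consecutive steps observed (0..4).
HINTS = [
    "no SYN for the redirected port reached the external interface",
    "SYN arrived but never left the DMZ interface: rdr did not match or the "
    "packet was blocked",
    "SYN left for the DMZ host but no SYN+ACK came back in on the DMZ interface: "
    "check the host's default gateway (must be the pf box's DMZ address) and that "
    "the service is listening",
    "SYN+ACK came back but was not sent out translated: the reply did not match "
    "the pf state entry",
    "all four steps seen: redirection and reverse translation work",
]


def diagnose(captures, ext_if, dmz_if, ext_addr, port, dmz_addr):
    """
    captures maps an interface name to the tcpdump lines captured on it.
    Returns (steps_seen, hint): how many of the four observations were present,
    in order, and what the first missing one points at.
    """
    ext = parse_capture(captures.get(ext_if, []))
    dmz = parse_capture(captures.get(dmz_if, []))
    steps = [
        seen(ext, dst=ext_addr, dport=port, flags="S"),    # 1. SYN in, untranslated dst
        seen(dmz, dst=dmz_addr, dport=port, flags="S"),    # 2. SYN out, dst rewritten
        seen(dmz, src=dmz_addr, sport=port, flags="S."),   # 3. SYN+ACK in from DMZ host
        seen(ext, src=ext_addr, sport=port, flags="S."),   # 4. SYN+ACK out, src restored
    ]
    n = 0
    while n < len(steps) and steps[n]:
        n += 1
    return n, HINTS[n]


# Constructed sample captures; 192.0.2.19 stands in for X.Y.Z.19 from the thread.
SYN_IN = "12:00:00.000100 IP 203.0.113.5.43210 > 192.0.2.19.9874: Flags [S], seq 1, win 65535"
SYN_OUT = "12:00:00.000200 IP 203.0.113.5.43210 > 10.11.13.103.9874: Flags [S], seq 1, win 65535"
SYNACK_IN = "12:00:00.000900 IP 10.11.13.103.9874 > 203.0.113.5.43210: Flags [S.], seq 7, ack 2, win 65535"
SYNACK_OUT = "12:00:00.001000 IP 192.0.2.19.9874 > 203.0.113.5.43210: Flags [S.], seq 7, ack 2, win 65535"
NOISE = "12:00:00.000500 ARP, Request who-has 10.11.13.1 tell 10.11.13.103, length 28"

CAPTURE_OK = {"xl1": [SYN_IN, SYNACK_OUT], "vr0": [SYN_OUT, NOISE, SYNACK_IN]}
CAPTURE_BAD_GATEWAY = {"xl1": [SYN_IN], "vr0": [SYN_OUT, NOISE]}  # reply went to another gateway
CAPTURE_NO_RDR = {"xl1": [SYN_IN], "vr0": []}                     # rdr never matched


def check(captures):
    """Run the diagnosis for Keith's 9874 redirection to $dmz_clip_addr."""
    return diagnose(captures, "xl1", "vr0", "192.0.2.19", 9874, "10.11.13.103")


if __name__ == "__main__":
    for name, cap in (("ok", CAPTURE_OK), ("bad gateway", CAPTURE_BAD_GATEWAY),
                      ("no rdr", CAPTURE_NO_RDR)):
        print(f"{name}: {check(cap)}")
```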
Daniel

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 1 18:28:16 2006
From: Daniel Hartmeier
To: Bill Marquette
Cc: freebsd-pf@freebsd.org
Date: Wed, 1 Feb 2006 19:27:51 +0100
Message-ID: <20060201182751.GD1311@insomnia.benzedrine.cx>
In-Reply-To: <55e8a96c0602010601t7b746206ice51e29c3265490f@mail.gmail.com>
Subject: Re: Using pf to force different outgoing IP address depending on UNIX user/group for locally originating connection?
On Wed, Feb 01, 2006 at 08:01:36AM -0600, Bill Marquette wrote:

> I haven't looked at the code, but I wouldn't be terribly surprised if
> you couldn't just copy/paste the user match code in the lexer for
> filter rules into the nat part of the lexer.

No, the user/group options are not valid in translation rules. But making them valid there would be the most logical solution. It's not terribly complicated, and I'll try to add that. It won't be backported to 5.x, though :)

I'm not sure you can do it with routing tricks through loopback. You could try setting the default route through an intentionally wrong interface, pass with tag and route-to (to the right interface) there, and then nat on the right interface based on tag. But that's quite a hack.
Daniel

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 1 19:11:21 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Wed, 1 Feb 2006 20:12:28 +0100
Message-Id: <200602012012.35732.max@love2party.net>
In-Reply-To: <43DFC05E.5030602@i.cz>
Subject: Re: Using pf to force different outgoing IP address depending on UNIX user/group for locally originating connection?
On Tuesday 31 January 2006 20:54, Eduard Vopicka wrote:
> My goal is to use pf to force (via NAT) different IP outgoing addresses
> depending on UID and/or GID of the program establishing the connection, for
> connections originating locally on machine with FreeBSD 5.4. (I do not
> expect this to work for setuid/setgid programs.)

Did you consider just using jail(8) to jail the processes to the specific IP? This should be most performant and also easy to set up (depending on your configuration requirements). If you are concerned with daemons here it's a matter of prepending "jail / hostname IP" to the startup script, if you are concerned with real users it's a bit more complicated, but there are dozens of tutorials on the web.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 2 12:09:03 2006
From: Tiago Cruz
To: freebsd-pf@FreeBSD.org
Date: Thu, 02 Feb 2006 10:08:55 -0200
Message-Id: <1138882135.4561.31.camel@localhost.localdomain>
Subject: Rules to do VPN works when the host and client have the same network address

Hi guys,

I'm using OpenVPN in my net 192.168.0.0/22 but, if my mobile client is on a network like mine, the VPN will not work.

I found this in the OpenVPN FAQ:

================
Does anybody know how to remap local addresses, if I want to connect two networks with an overlap in the private address range?

Using iptables 1.2.7a+ and the NETMAP target:

iptables -t nat -A PREROUTING -d 192.168.0.0/24 -j NETMAP --to 192.168.1.0/24
================

This is what I want!!! But... how can I do this in PF/FreeBSD?

For more information, please see:
http://lists.freebsd.org/pipermail/freebsd-net/2006-February/009645.html

Thank you!
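What the NETMAP rule quoted from the OpenVPN FAQ actually does, as an added example that is not code from the thread, from OpenVPN or from pf: it swaps only the network bits of an address and keeps the host bits, so every host in the overlapping range gets exactly one alias and the reply traffic can be mapped back. The NetMap class, rewrite_flow and is_bijection are illustrative names; the two networks are the ones from the quoted iptables rule.

```python
import ipaddress


class NetMap:
    """
    1:1 network mapping as the iptables NETMAP target does it: the prefix bits of
    an address are replaced and the host bits are kept unchanged. Both networks
    must be the same size, otherwise hosts would collide or be left unmapped.
    """

    def __init__(self, from_net, to_net):
        self.src = ipaddress.ip_network(from_net)
        self.dst = ipaddress.ip_network(to_net)
        if (self.src.version != self.dst.version
                or self.src.prefixlen != self.dst.prefixlen):
            raise ValueError("NETMAP needs two networks of equal size")

    @staticmethod
    def _remap(addr, src_net, dst_net):
        ip = ipaddress.ip_address(str(addr))
        if ip not in src_net:
            return ip                                   # not ours: leave untouched
        host_bits = int(ip) & int(src_net.hostmask)     # keep the host part
        return ipaddress.ip_address(int(dst_net.network_address) | host_bits)

    def forward(self, addr):
        """Rewrite an address in from_net to its alias in to_net (PREROUTING -d)."""
        return self._remap(addr, self.src, self.dst)

    def reverse(self, addr):
        """Undo the mapping, as connection tracking does for the reply packet."""
        return self._remap(addr, self.dst, self.src)


def rewrite_flow(nm, dst):
    """
    One request/reply pair through the rule: the destination is rewritten on the
    way in, and the reply's source is mapped back so the sender sees the address
    it originally used. Returns (translated_dst, reply_src_as_seen_by_sender).
    """
    real_dst = nm.forward(dst)
    reply_src = nm.reverse(real_dst)
    return str(real_dst), str(reply_src)


def is_bijection(nm):
    """Check that every host maps to a distinct alias inside to_net and back to itself."""
    aliases = set()
    for host in nm.src.hosts():
        alias = nm.forward(host)
        if alias in aliases or alias not in nm.dst or nm.reverse(alias) != host:
            return False
        aliases.add(alias)
    return True


# The rule quoted from the OpenVPN FAQ:
#   iptables -t nat -A PREROUTING -d 192.168.0.0/24 -j NETMAP --to 192.168.1.0/24
FAQ_RULE = NetMap("192.168.0.0/24", "192.168.1.0/24")

if __name__ == "__main__":
    print(rewrite_flow(FAQ_RULE, "192.168.0.42"))   # ('192.168.1.42', '192.168.0.42')
    print(is_bijection(FAQ_RULE))                    # True
```

The check in is_bijection is the one to run before deploying any such mapping: an alias range of a different size, or one that itself overlaps the local LAN, silently breaks the reverse path. In pf the equivalent fixed, bidirectional netblock-to-netblock translation is expressed with a binat rule.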