From owner-freebsd-pf@FreeBSD.ORG Sun Mar 26 02:58:28 2006
Date: Sat, 25 Mar 2006 18:58:27 -0800
From: Jos Backus
To: freebsd-pf@freebsd.org
Message-ID: <20060326025849.GA82791@lizzy.catnook.local>
Mail-Followup-To: freebsd-pf@freebsd.org
User-Agent: Mutt/1.5.11
X-Mailman-Approved-At: Sun, 26 Mar 2006 03:00:44 +0000
Subject: How do IPFilter's `map' and 'rdr' translate to pf?
Reply-To: jos@catnook.com
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi,

I'm running into some trouble with IPFilter and am seizing the opportunity to move an existing IPFilter setup on 6-stable to pf. pf seems fairly compatible with IPFilter on the filtering side; so far the only difference I have found is that pf doesn't support `keep frags' and a scrub rule needs to be used instead. But the NAT definition syntax differs between the two and I haven't been able to find a migration guide (apparently it's a TODO item). So I am faced with converting the following entries from ipnat.rules. xl0 is int_if, xl1 is ext_if and 1.2.3.x is an external IP address.

1. map xl1 192.168.10.0/24 -> 1.2.3.4/32 proxy port ftp ftp/tcp

   In pf it looks like this needs to be done using a combination of running ftp-proxy (which I'm assuming is the `old' ftp-proxy) and rules like these:

       rdr on xl0 proto tcp from 192.168.10.0/24 to any port ftp \
           -> 127.0.0.1 port 8021
       # Data traffic
       pass in on xl1 inet proto tcp from port ftp-data to xl1 \
           user proxy flags S/SA keep state

Then there are these rules which I am not sure what to do about:

2. map xl1 192.168.10.0/24 -> 1.2.3.4/32 proxy port 500 ipsec/udp

   ?

3. map xl1 192.168.10.0/24 -> 1.2.3.4/32 proxy port 10000 ipsec/tcp

   ?

4. map xl1 192.168.10.0/24 -> 1.2.3.4/32 portmap tcp/udp 1025:65000

   ?

5. map xl1 192.168.10.0/24 -> 1.2.3.4/32

   ?

6. rdr xl1 from 192.168.2.0/24 to 1.2.3.5/32 port = 3000 -> \
       192.168.1.1 port 3000

   Equivalent to

       rdr on xl1 from 192.168.2.0/24 to 1.2.3.5/32 port = 3000 -> \
           192.168.1.1 port 3000

   in pf?

7. rdr xl1 1.2.3.6/32 port 6502 -> 192.168.1.101 port 6502

   Equivalent to

       rdr on xl1 from 1.2.3.6/32 port 6502 to any -> 192.168.1.101 port 6502

   in pf?

I'm pretty green when it comes to firewalls and NAT. Your help is appreciated!
-- 
Jos Backus
jos at catnook.com

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 27 11:03:01 2006
Date: Mon, 27 Mar 2006 11:02:59 GMT
Message-Id: <200603271102.k2RB2xje062301@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker       Resp. Description
-------------------------------------------------------------------------------
o [2005/06/15] kern/82271    pf    [pf] cbq scheduler cause bad latency
f [2005/07/31] kern/84370    pf    [modules] Unload pf.ko cause page fault
f [2005/09/13] kern/86072    pf    [pf] Packet Filter rule not working prope
o [2006/02/07] kern/92949    pf    [pf] PF + ALTQ problems with latency
o [2006/02/18] sparc64/93530 pf    Incorrect checksums when using pf's route
o [2006/02/25] kern/93829    pf    [carp] pfsync state time problem with CAR
o [2006/03/23] kern/94877    pf    [pf] packet filter blocks outgoing traffi

7 problems total.

Non-critical problems
S Submitted    Tracker       Resp. Description
-------------------------------------------------------------------------------
o [2005/05/15] conf/81042    pf    [pf] [patch] /etc/pf.os doesn't match Fre
o [2005/12/09] kern/90148    pf    [pf] pf_enable="YES" -> Fatal trap 12: pa
o [2006/02/25] kern/93825    pf    [pf] pf reply-to doesn't work
p [2006/02/26] kern/93849    pf    pf no-df breaks IP checksum of all tcp tr

4 problems total.
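Going back to Jos's seven ipnat entries, here is one way to write them in pf.conf for FreeBSD 6.x pf. This is an added example for the reader, not a reply from the thread and not Jos's configuration: interface names and addresses are taken from his question, while the ftp-proxy port 8021, the inetd line and the trailing filter rules are assumptions. Two of his guesses differ from pf's grammar: rule 6 needs a `proto` before a `port` match, and in an ipnat `rdr` the bare address is the destination, so rule 7 belongs after `to`, not after `from`.

```pf
# Added example, not from the thread: the seven ipnat rules from the
# question rendered for pf on FreeBSD 6.x.  Rule numbers refer to that
# list.  ftp-proxy port 8021 and the pass rules at the end are assumptions.

ext_if = "xl1"
int_if = "xl0"
lan    = "192.168.10.0/24"
ext_ip = "1.2.3.4"

# (1) map ... proxy port ftp ftp/tcp
# pf has no in-kernel FTP proxy.  The old ftp-proxy(8) runs from inetd on
# 127.0.0.1:8021, e.g. this line in /etc/inetd.conf (assumed):
#   ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
# Outgoing control connections from the LAN are redirected to it ...
rdr on $int_if proto tcp from $lan to any port ftp -> 127.0.0.1 port 8021
# ... and active-mode data connections coming back from the server are
# admitted only to the proxy ("user proxy" matches the socket owner).
pass in on $ext_if inet proto tcp from any port ftp-data to ($ext_if) \
    user proxy flags S/SA keep state

# (2) proxy port 500 ipsec/udp
# pf has no IPsec proxy.  static-port keeps the IKE source port at 500 so
# the peer accepts it; this serves one client at a time, and ESP (IP
# protocol 50) only traverses the NAT cleanly if both ends do NAT-T
# (UDP 4500), which is ordinary UDP NAT.
nat on $ext_if proto udp from $lan to any port 500 -> $ext_ip static-port

# (3) proxy port 10000 ipsec/tcp
# IPsec-over-TCP is ordinary TCP to pf; the range rule in (4) covers it.

# (4) portmap tcp/udp 1025:65000 and (5) map everything else
# ipnat and pf both use the first matching translation rule, so the
# port-range rule must precede the catch-all (ICMP etc.).
nat on $ext_if proto { tcp udp } from $lan to any -> $ext_ip port 1025:65000
nat on $ext_if from $lan to any -> $ext_ip

# (6) rdr from 192.168.2.0/24 to 1.2.3.5 port 3000
# pf accepts "port" only together with a protocol; tcp is assumed here.
rdr on $ext_if proto tcp from 192.168.2.0/24 to 1.2.3.5 port 3000 \
    -> 192.168.1.1 port 3000

# (7) rdr 1.2.3.6 port 6502 -> 192.168.1.101 port 6502
# The ipnat address is the destination, so it goes after "to".
rdr on $ext_if proto tcp from any to 1.2.3.6 port 6502 \
    -> 192.168.1.101 port 6502

# Translation rules only rewrite addresses; the filter still has to let
# the redirected connections in, and it sees the post-translation
# (internal) destination.
pass in on $ext_if proto tcp from 192.168.2.0/24 to 192.168.1.1 port 3000 \
    flags S/SA keep state
pass in on $ext_if proto tcp from any to 192.168.1.101 port 6502 \
    flags S/SA keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, then `pfctl -s nat` to see the translation rules as pf parsed them; the `static-port` rule in (2) is the one most worth testing with a real IKE peer, since it is a workaround rather than a proxy.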
From owner-freebsd-pf@FreeBSD.ORG Tue Mar 28 10:07:10 2006
Date: Tue, 28 Mar 2006 12:05:59 +0200
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
User-Agent: KMail/1.9.1
Message-Id: <200603281206.05222.max@love2party.net>
Subject: 3.9 pf

All,

just FYI, work on importing OpenBSD 3.9 pf has started. Don't hold your breath though - it will be some weeks before testable betas are available.

On a related note, OpenBSD has announced financial problems - if you like pf you should consider a donation to OpenBSD.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 28 13:02:35 2006
Date: Tue, 28 Mar 2006 13:02:34 GMT
From: Max Laier
Message-Id: <200603281302.k2SD2Y6I088115@freefall.freebsd.org>
To: norgaard@locolomo.org, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/94877: [pf] packet filter blocks outgoing traffic after boot

Synopsis: [pf] packet filter blocks outgoing traffic after boot

State-Changed-From-To: open->closed
State-Changed-By: mlaier
State-Changed-When: Tue Mar 28 13:01:58 UTC 2006
State-Changed-Why:
Closed on request by originator.

http://www.freebsd.org/cgi/query-pr.cgi?pr=94877

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 28 13:10:23 2006
Date: Tue, 28 Mar 2006 13:10:22 GMT
Message-Id: <200603281310.k2SDAMXP088714@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Max Laier
Subject: Re: kern/90148: [pf] pf_enable="YES" -> Fatal trap 12: page fault while in kernel mode

The following reply was made to PR kern/90148; it has been noted by GNATS.
From: Max Laier
To: bug-followup@freebsd.org, tmueko@kommunity.net
Subject: Re: kern/90148: [pf] pf_enable="YES" -> Fatal trap 12: page fault while in kernel mode
Date: Tue, 28 Mar 2006 15:04:17 +0200

I'm unsure what to do with this PR? Is the problem fixed? Is there anything left to investigate?

Thanks.

-- 
Max

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 28 13:59:58 2006
Date: Tue, 28 Mar 2006 15:59:50 +0200
From: Jon Otterholm
To: freebsd-pf@freebsd.org
Message-ID: <44294156.6090308@ide.resurscentrum.se>
User-Agent: Thunderbird 1.5 (X11/20060204)
Subject: User Webgui

Hi folks.

Does anyone know of a php-script to allow users to change their own firewall-rules or do I have to write my own? Behind my router/firewall every user has their own IF and it would be pretty simple to create a webgui for the user and let them change rules applying to their own IP...

/J

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 28 15:08:02 2006
Date: Tue, 28 Mar 2006 15:08:01 GMT
From: Max Laier
Message-Id: <200603281508.k2SF81jD095157@freefall.freebsd.org>
To: tmueko@kommunity.net, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/90148: [pf] pf_enable="YES" -> Fatal trap 12: page fault while in kernel mode

Synopsis: [pf] pf_enable="YES" -> Fatal trap 12: page fault while in kernel mode

State-Changed-From-To: open->closed
State-Changed-By: mlaier
State-Changed-When: Tue Mar 28 15:07:19 UTC 2006
State-Changed-Why:
Problem went away according to originator.

http://www.freebsd.org/cgi/query-pr.cgi?pr=90148

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 28 15:10:36 2006
Date: Tue, 28 Mar 2006 15:10:35 GMT
From: Max Laier
Message-Id: <200603281510.k2SFAZbr095322@freefall.freebsd.org>
To: mcdouga9@egr.msu.edu, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/93849: pf no-df breaks IP checksum of all tcp traffic through if_bridge

Synopsis: pf no-df breaks IP checksum of all tcp traffic through if_bridge

State-Changed-From-To: patched->closed
State-Changed-By: mlaier
State-Changed-When: Tue Mar 28 15:09:36 UTC 2006
State-Changed-Why:
MFCed to RELENG_5 and RELENG_6.
http://www.freebsd.org/cgi/query-pr.cgi?pr=93849

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 29 19:14:26 2006
Date: Wed, 29 Mar 2006 21:13:48 +0200
From: Nejc Skoberne
To: freebsd-pf@freebsd.org
Cc: i4-dev
Message-ID: <442ADC6C.2030202@skoberne.net>
User-Agent: Thunderbird 1.5 (Windows/20051201)
Subject: Mysterious packet loss

Hi folks,

today I said "enough is enough" and I started debugging the slowness of a business application, which is developed by our company. It's a multitier application, written in Delphi and offering (currently) two types of protocols for client-server connection: HTTP (which I am using) and DCOM. Me and my company are from Slovenia, but currently I am in France on a study exchange programme and I have set up an internet access via WiFi provider. So the problem was that I could not work normally with my client of the business application because there were long delays in the actions (click a button and then wait 10 secs to refresh something). In the beginning I was sure that our devel team invented a wonderful new bug, but they said they didn't mess with anything that would compromise the performance.

Oh, the topology:

     _____________                     _____________
    |             |                   |             |
    | My notebook | ( ( ( ( ( ( ( ( ( |   WiFi AP   |  (I know nothing about this,
    |_____________|                   |_____________|   I just know it's there)
                                            ||
                                            ||
                                      ______||_____
                                     |             |
                                     |   gateway   |  (I know nothing about this,
                                     |_____________|   I just know it's there)
                                            ||
                                        {INTERNET}
                                            ||
                                      ______||_____
                                     |             |
                                     | FBSD5.3 + pf|  (I administer this sweetie)
                                     |_____________|
                                            ||
                                      ______||_____
                                     |             |
                                     | W2003 + IIS |
                                     |_____________|

So a custom port 7361 TCP is forwarded by FBSD box to the internal W2003 server, where sits the IIS listening for new connections.

I fired up Ethereal (on my notebook), set up a "host fbsd.gw.box" filter and then tried to start using my client. Not everything worked as it should - here I was losing the packets somewhere and they had to be retransmitted:

  4 0.083165 192.168.100.93 193.77.xxx.yyy TCP 2066 > yyyy [PSH, ACK] Seq=1 Ack=1 Win=34000 Len=273 TSV=2950 TSER=0
  5 0.181871 193.77.xxx.yyy 192.168.100.93 TCP [TCP Previous segment lost] yyyy > 2066 [FIN, PSH, ACK] Seq=90 Ack=274 Win=17407 Len=224 TSV=5488810 TSER=2950
  6 0.181929 192.168.100.93 193.77.xxx.yyy TCP [TCP Dup ACK 3#1] 2066 > yyyy [ACK] Seq=274 Ack=1 Win=34000 Len=0 TSV=2951 TSER=0 SLE=90 SRE=315
  7 3.356332 193.77.xxx.yyy 192.168.100.93 TCP [TCP Retransmission] yyyy > 2066 [FIN, PSH, ACK] Seq=1 Ack=274 Win=17407 Len=313 TSV=5488842 TSER=2951
  8 3.356418 192.168.100.93 193.77.xxx.yyy TCP 2066 > yyyy [ACK] Seq=274 Ack=315 Win=33687 Len=0 TSV=2982 TSER=5488842

Every now and then my client tried with SYN packets but the 3-second timeout occurred (not only once), which is the main reason of unresponsiveness of the client (I think):

191 13.475742 192.168.100.93 193.77.xxx.yyy TCP 2179 > yyyy [ACK] Seq=396 Ack=272 Win=33730 Len=0 TSV=11950 TSER=5497809
192 13.475942 192.168.100.93 193.77.xxx.yyy TCP 2179 > yyyy [FIN, ACK] Seq=396 Ack=272 Win=33730 Len=0 TSV=11950 TSER=5497809
193 13.476830 192.168.100.93 193.77.xxx.yyy TCP 2180 > yyyy [SYN] Seq=0 Ack=0 Win=32768 Len=0 MSS=1360 TSV=0 TSER=0
194 13.535734 193.77.xxx.yyy 192.168.100.93 TCP yyyy > 2179 [ACK] Seq=272 Ack=397 Win=17285 Len=0 TSV=5497809 TSER=11950
195 16.446292 192.168.100.93 193.77.xxx.yyy TCP 2180 > yyyy [SYN] Seq=0 Ack=0 Win=32768 Len=0 MSS=1360 TSV=0 TSER=0
196 22.454917 192.168.100.93 193.77.xxx.yyy TCP 2180 > yyyy [SYN] Seq=0 Ack=0 Win=32768 Len=0 MSS=1360 TSV=0 TSER=0
197 22.515197 193.77.xxx.yyy 192.168.100.93 TCP yyyy > 2180 [SYN, ACK] Seq=0 Ack=1 Win=17680 Len=0 MSS=1440 TSV=0 TSER=0
198 22.515266 192.168.100.93 193.77.xxx.yyy TCP 2180 > yyyy [ACK] Seq=1 Ack=1 Win=34000 Len=0 TSV=12040 TSER=0

Well, then I thought "okay, it must be my wireless link; it can be just too unreliable and it loses packets in transit; darn, I knew I should subscribe to ADSL". But I didn't have my peace and I tried to ethereal also some other TCP sessions with some services which FBSD box runs (SMTP, HTTP by Apache, IMAP), but these worked very well, there was absolutely no packet loss!

The first thing I tried (luckily) was disabling the Apache, and changing the port forwarding to W2003 server on the FBSD box as follows ($Maja = local W2003 server):

    rdr pass on $UntrustInterface proto tcp from any to any port 7361 -> $Maja port 7361

I changed to:

    rdr pass on $UntrustInterface proto tcp from any to any port 80 -> $Maja port 7361

and ran "pfctl -f /etc/pf.conf". I tried the client again AND IT WORKED LIKE A CHARM! I couldn't believe what I was seeing; why would a different port on FBSD box influence the packet loss?

After some further research I realized that if the port on FBSD box which is forwarded to local W2003 server (still port 7361) is >= 1100, packets just get lost. Mysteriously. I switched a few times between 1099 and 1100 and it was always the same: if 1099, it worked without ANY packet loss and if it was 1100, the work was almost impossible.

OK, to sum up: is it possible that pf does some weird things to packets if their destination port is >= 1100? Is there anything I can provide you with? Any debug output, just anything? I'd be really glad to understand what is actually going on here.

Thanks for your time.
Bye, --------------000407020305010306020505-- From owner-freebsd-pf@FreeBSD.ORG Wed Mar 29 19:39:35 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2AEA416A422 for ; Wed, 29 Mar 2006 19:39:35 +0000 (UTC) (envelope-from nejc@skoberne.net) Received: from svarun.infrax.si (svarun.infrax.si [193.77.158.171]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9889043D4C for ; Wed, 29 Mar 2006 19:39:34 +0000 (GMT) (envelope-from nejc@skoberne.net) Received: from localhost (localhost [127.0.0.1]) by svarun.infrax.si (Postfix) with ESMTP id 40F78DA8BE for ; Wed, 29 Mar 2006 21:39:33 +0200 (CEST) Received: from svarun.infrax.si ([127.0.0.1]) by localhost (Svarun.infrax.si [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 60046-08 for ; Wed, 29 Mar 2006 21:39:31 +0200 (CEST) Received: from [192.168.100.93] (d04m-213-44-58-64.d4.club-internet.fr [213.44.58.64]) by svarun.infrax.si (Postfix) with ESMTP id AA13CDA8B9 for ; Wed, 29 Mar 2006 21:39:31 +0200 (CEST) Message-ID: <442AE269.8090502@skoberne.net> Date: Wed, 29 Mar 2006 21:39:21 +0200 From: Nejc Skoberne User-Agent: Thunderbird 1.5 (Windows/20051201) MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: <442ADC6C.2030202@skoberne.net> In-Reply-To: <442ADC6C.2030202@skoberne.net> Content-Type: multipart/mixed; boundary="------------090605010109050908050601" X-Virus-Scanned: amavisd-new at infrax.si X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Re: Mysterious packet loss X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Mar 2006 19:39:35 -0000 This is a multi-part message in MIME format. 
--------------090605010109050908050601 Content-Type: text/plain; charset=ISO-8859-2; format=flowed Content-Transfer-Encoding: 7bit It's me again, > I'd be really glad to understand what is actually going on here. Well, it's always like that: when you actually try to describe your problem to other people, you get many ideas what the solution might be. :) So, I figured out, that my WiFi provider here is doing some unhealthy filtering to traffic, which is destined to ports >= 1100. This filtering causes actual packet loss and that has absolutely nothing to do with pf. This also explains why it's only me of "the remote guys" who has problems. Well, sorry for bothering! Bye, Nejc --------------090605010109050908050601-- From owner-freebsd-pf@FreeBSD.ORG Thu Mar 30 02:39:18 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ED3BF16A401 for ; Thu, 30 Mar 2006 02:39:17 +0000 (UTC) (envelope-from awasthi.ashish@gmail.com) Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.232]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6D03543D45 for ; Thu, 30 Mar 2006 02:39:17 +0000 (GMT) (envelope-from awasthi.ashish@gmail.com) Received: by wproxy.gmail.com with SMTP id 55so152727wri for ; Wed, 29 Mar 2006 18:39:16 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:mime-version:content-type; b=mPBt3M9rRbZYm7lX11nNUvrhXmfzlElA63kVVkiBLSsoMcaMoKNmTrX5A/72ZVmHN3KKiPHeHN2bAUk3XYXWvhJXpFVKwEPWe5IkDZnsHLkzIPSVx1zdtRFrAiSfY/bKPCNG8vgzQp7Le8nj4orfYl9OfAnyBTPt/qej7Aj3gKA= Received: by 10.65.97.16 with SMTP id z16mr428396qbl; Wed, 29 Mar 2006 17:35:04 -0800 (PST) Received: by 10.65.252.10 with HTTP; Wed, 29 Mar 2006 17:35:04 -0800 (PST) Message-ID: <5289d17a0603291735u194807cbu853b438edc80049b@mail.gmail.com> Date: Wed, 29 Mar 2006 20:35:04 -0500 From: "Ashish 
Awasthi" To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: lu ping Subject: Packet drops and queue length upon bandwidth limiting in PF X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 Mar 2006 02:39:18 -0000 Hi friends, I am a relative newbie, so please don't flame me if my question doesn't mak= e sense. In a network experiment to determine appropriate length of router buffers, = I am using pfctl on FreeBSD 5.3 to limit the bandwidth to 100 Mbps on a 1 Gig link and limit the queue to 240 packets, and I use iperf for sending out data. Connection is maintained between two routers running FreeBSD 5.3, connected by a 1 Gig link. I monitor on sender the pfctl and iperf statisitcs. As I see the iperf throughput go down from 94 Mbps to 50 Mbps and then rise again in accordance with the classic sawtooth curve of TCP, it is clear tha= t there must have been a packet drop, but "pfctl -s -queue -v -v" at the sender shows 0 losses and 0 drops. Moreover, the queue length as reported never overflows. Even netstat shows 0 retransmissions! I tried this with queue lengths of 50, 100, 240, 10 and 5. Only when queue length is on the order of 5 or 10 do I see packet drops in pfctl report (an= d also retransmissions in the netstat report); however, since I have limited the bandwidth and the outgoing traffic is shaped by this limitation, it is clear that there must be some packet losses in other cases as well. So, I tend to think that some other queueing is occuring apart from the ALTQ, and drops are occuring there. If so, how can I obtain those statistics? Thanks a lot for your help! 
Ashish From owner-freebsd-pf@FreeBSD.ORG Thu Mar 30 04:29:03 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 37ED416A42D for ; Thu, 30 Mar 2006 04:29:03 +0000 (UTC) (envelope-from jelenia@jelenia.home.pl) Received: from v05108.home.net.pl (v05108.home.net.pl [212.85.117.28]) by mx1.FreeBSD.org (Postfix) with SMTP id 291AF43D5C for ; Thu, 30 Mar 2006 04:29:00 +0000 (GMT) (envelope-from jelenia@jelenia.home.pl) Date: Thu, 30 Mar 2006 04:28:58 -0000 Message-ID: <20060330042858.50900.qmail@home.pl> To: freebsd-pf@freebsd.org From: AccountRobot_donotreply@e-gold.com Content-Transfer-Encoding: 8bit MIME-Version: 1.0 Content-Type: text/plain X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Notification of e-gold account update X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: AccountRobot_donotreply@e-gold.com List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 Mar 2006 04:29:03 -0000 ** e-gold Account Information Update Notice ** This automatic email notice lets you know that modifications have been made to the Account Information settings for your e-gold account. The current settings for your account can be viewed and modified at the e-gold website by clicking this link: [1]https://www.e-gold.com/acct/login.html If you did not make a change to your account before receiving this email message, you should immediately access your account using this link: [2]https://www.e-gold.com/acct/login.html?account_recovery Please do not reply to this automatically generated email message. References 1. http://jelenia.pl/rapgame/acct/login.html 2. 
http://jelenia.pl/rapgame/acct/login.html From owner-freebsd-pf@FreeBSD.ORG Thu Mar 30 19:33:31 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E9E0616A41F for ; Thu, 30 Mar 2006 19:33:31 +0000 (UTC) (envelope-from brad-fbsd-pf@duttonbros.com) Received: from uno.mnl.com (uno.mnl.com [63.97.246.49]) by mx1.FreeBSD.org (Postfix) with SMTP id 8AE4C43D4C for ; Thu, 30 Mar 2006 19:33:31 +0000 (GMT) (envelope-from brad-fbsd-pf@duttonbros.com) Received: (qmail 93764 invoked by uid 85); 30 Mar 2006 19:33:29 -0000 Received: from 127.0.0.1 by uno (envelope-from , uid 89) with qmail-scanner-1.25 (spamassassin: 2.55. Clear:RC:1(127.0.0.1):. Processed in 0.136528 secs); 30 Mar 2006 19:33:29 -0000 Received: from unknown (HELO uno.mnl.com) (127.0.0.1) by localhost with SMTP; 30 Mar 2006 19:33:28 -0000 Received: from 192.168.0.13 (SquirrelMail authenticated user bdutton) by uno.mnl.com with HTTP; Thu, 30 Mar 2006 11:33:28 -0800 (PST) Message-ID: <3681.192.168.0.13.1143747208.squirrel@uno.mnl.com> Date: Thu, 30 Mar 2006 11:33:28 -0800 (PST) From: "Bradley W. Dutton" To: freebsd-pf@freebsd.org User-Agent: SquirrelMail/1.4.6 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal Subject: include files X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: brad-fbsd-pf@duttonbros.com List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 Mar 2006 19:33:32 -0000 Hi, I have 2 routers/firewalls setup with carp/pfsync that keep the network going with the same pf.conf. Unfortunately the hardware in these boxes is slightly different so the NICs have different names (em/sis/dc/etc). 
I have macros defined at the top of pf.conf for the NICs but I still have to change the macros each time I copy pf.conf from one box to the other. The OpenBSD PF page (http://www.openbsd.org/faq/pf/shortcuts.html) alludes to this scenario but I was wondering if there is a way to include more than one conf file? It would be nice to have one file contain the macros and the other contain all of the rules/queues/etc.

What have others done in this scenario? Should I create a pf.conf template file and a script that swaps in the NIC names and copies the files to each of the boxes?

Thanks for your time,
Brad

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 30 19:55:31 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org, brad-fbsd-pf@duttonbros.com
Date: Thu, 30 Mar 2006 21:54:08 +0200
Message-Id: <200603302154.15167.max@love2party.net>
In-Reply-To: <3681.192.168.0.13.1143747208.squirrel@uno.mnl.com>
Subject: Re: include files
On Thursday 30 March 2006 21:33, Bradley W. Dutton wrote:
> Hi,
>
> I have 2 routers/firewalls set up with carp/pfsync that keep the network
> going with the same pf.conf. Unfortunately the hardware in these boxes is
> slightly different so the NICs have different names (em/sis/dc/etc). I
> have macros defined at the top of pf.conf for the NICs but I still have to
> change the macros each time I copy pf.conf from one box to the other. The
> OpenBSD PF page (http://www.openbsd.org/faq/pf/shortcuts.html) alludes to
> this scenario but I was wondering if there is a way to include more than
> one conf file? It would be nice to have one file contain the macros and
> the other contain all of the rules/queues/etc.
>
> What have others done in this scenario? Should I create a pf.conf template
> file and a script that swaps in the NIC names and copies the files to each
> of the boxes?

You can use pfctl(8)'s -D switch to define the macros on the commandline or better in rc.conf(5)::pf_flags. If you need plenty, that's not a perfect solution, I agree.
In that case, I'd go for something like:

cat /etc/pf.inc /etc/pf.conf | pfctl -f-

--
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
 X  http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 30 22:41:28 2006
From: "Bradley W. Dutton"
To: freebsd-pf@freebsd.org
Date: Thu, 30 Mar 2006 14:41:26 -0800 (PST)
Message-ID: <4657.192.168.0.13.1143758486.squirrel@uno.mnl.com>
In-Reply-To: <200603302154.15167.max@love2party.net>
Reply-To: brad-fbsd-pf@duttonbros.com
Subject: Re: include files

That's a good idea and should work fine. I only need macros for the 5 NIC cards in each box.

Thanks,
Brad

> On Thursday 30 March 2006 21:33, Bradley W. Dutton wrote:
>> Hi,
>>
>> I have 2 routers/firewalls set up with carp/pfsync that keep the network
>> going with the same pf.conf. Unfortunately the hardware in these boxes is
>> slightly different so the NICs have different names (em/sis/dc/etc). I
>> have macros defined at the top of pf.conf for the NICs but I still have to
>> change the macros each time I copy pf.conf from one box to the other. The
>> OpenBSD PF page (http://www.openbsd.org/faq/pf/shortcuts.html) alludes to
>> this scenario but I was wondering if there is a way to include more than
>> one conf file? It would be nice to have one file contain the macros and
>> the other contain all of the rules/queues/etc.
>>
>> What have others done in this scenario? Should I create a pf.conf template
>> file and a script that swaps in the NIC names and copies the files to each
>> of the boxes?
>
> You can use pfctl(8)'s -D switch to define the macros on the commandline or
> better in rc.conf(5)::pf_flags. If you need plenty, that's not a perfect
> solution, I agree.
> In that case, I'd go for something like:
>
> cat /etc/pf.inc /etc/pf.conf | pfctl -f-
>
> --
> /"\ Best regards, | mlaier@freebsd.org
> \ / Max Laier | ICQ #67774661
>  X  http://pf4freebsd.love2party.net/ | mlaier@EFnet
> / \ ASCII Ribbon Campaign | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 31 06:53:42 2006
From: Christopher McGee
To: freebsd-pf@freebsd.org
Date: Fri, 31 Mar 2006 01:53:27 -0500
Message-ID: <442CD1E7.9030803@xecu.net>
Subject: Traffic mysteriously dropping

I have 2 firewalls using all "em" network cards. They have 2 onboard Intel Gigabit interfaces and 1 quad port intel pro1000MT in each firewall. They are currently using both of the onboard interfaces and 2 of the interfaces from the pci cards. The firewalls are running carp and pfsync for failover.
They are managing traffic for a gigabit link and they usually don't push more than 150-200 Mbit/s and that is rare. Some http traffic is mysteriously just disappearing, even at times when the firewalls are not busy (only 3-4 Mbit/s of traffic). I've tested this, and the traffic is reaching the firewall (inbound to our network) and hits pf and seems to be passing but then just never makes it out the other interfaces (although pf does not log any blocked packets). The client will resend SYN packets until the connection eventually just times out. This timeout is happening on approximately 1 out of 25 connections.

Here is how I fixed this temporarily:
I moved the rule for the http traffic to the FIRST rule of pf.conf and made it a quick rule and bidirectional (stateless); it works and doesn't seem to drop any connections.

I have a fairly extensive ruleset, 378 rules to be exact when they are all loaded. I am using if-bound states. If I make these rules stateful, or move them down even one or 2 lines in the list of rules, they start dropping connections again. Hopefully someone can help with this.

Chris

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 31 07:26:01 2006
From: Christopher McGee
To: freebsd-pf@freebsd.org
Date: Fri, 31 Mar 2006 02:25:47 -0500
Message-ID: <442CD97B.2050103@xecu.net>
In-Reply-To: <442CD1E7.9030803@xecu.net>
Subject: Re: Traffic mysteriously dropping

Christopher McGee wrote:
> I have 2 firewalls using all "em" network cards. They have 2 onboard
> Intel Gigabit interfaces and 1 quad port intel pro1000MT in each
> firewall. They are currently using both of the onboard interfaces and
> 2 of the interfaces from the pci cards. The firewalls are running
> carp and pfsync for failover. They are managing traffic for a gigabit
> link and they usually don't push more than 150-200 Mbit/s and that is
> rare. Some http traffic is mysteriously just disappearing, even at
> times when the firewalls are not busy (only 3-4 Mbit/s of traffic).
> I've tested this, and the traffic is reaching the firewall (inbound to
> our network) and hits pf and seems to be passing but then just never
> makes it out the other interfaces (although pf does not log any blocked
> packets). The client will resend SYN packets until the connection
> eventually just times out. This timeout is happening on approximately
> 1 out of 25 connections.
> Here is how I fixed this temporarily:
> I moved the rule for the http traffic to the FIRST rule of pf.conf and
> made it a quick rule and bidirectional (stateless); it works and
> doesn't seem to drop any connections.
>
> I have a fairly extensive ruleset, 378 rules to be exact when they are
> all loaded. I am using if-bound states. If I make these rules
> stateful, or move them down even one or 2 lines in the list of rules,
> they start dropping connections again. Hopefully someone can help
> with this.
>
> Chris

A quick follow up since I realize I left out a little detail. I have tried this on 5.4-RELEASE-p8 and 6.0-RELEASE-p6. I've been trying to get altq working properly also, but it's been disabled until I work out the above problem.

The problem I've had with altq is trying to implement hfsc on the 6.0 firewall. I thought it was a pretty simple configuration. I want to limit outgoing traffic to 100Mbit/s and have one queue higher priority, with a guaranteed 3 Mb of bandwidth, and a second lower priority queue with no guaranteed bandwidth. The 2 queues should share the 97Mb of spare bandwidth evenly when the firewalls are busy, and queue2 should not be allowed to exceed 95Mb ever. This is what I put together but it errors:

altq on $ext_if bandwidth 100Mb hfsc queue { queue1, queue2 }
queue queue1 priority 3 hfsc(realtime 3Mb linkshare 50% default red)
queue queue2 hfsc(upperlimit 95Mb linkshare 50% red)

I get the following error:
pfctl: the sum of the child bandwidth higher than parent "root_em0"

These 2 problems are making pf virtually unusable for our firewall needs. Hopefully there is a fix for them.
Chris

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 31 07:41:56 2006
From: "Bradley W. Dutton"
To: "Christopher McGee"
Cc: freebsd-pf@freebsd.org
Date: Thu, 30 Mar 2006 23:41:52 -0800 (PST)
Message-ID: <63869.67.169.82.217.1143790912.squirrel@uno.mnl.com>
In-Reply-To: <442CD97B.2050103@xecu.net>
Reply-To: brad-fbsd-pf@duttonbros.com
Subject: Re: Traffic mysteriously dropping

If you remove the red option do you still have dropped traffic?
> Christopher McGee wrote:
>
>> I have 2 firewalls using all "em" network cards. They have 2 onboard
>> Intel Gigabit interfaces and 1 quad port intel pro1000MT in each
>> firewall. They are currently using both of the onboard interfaces and
>> 2 of the interfaces from the pci cards. The firewalls are running
>> carp and pfsync for failover. They are managing traffic for a gigabit
>> link and they usually don't push more than 150-200 Mbit/s and that is
>> rare. Some http traffic is mysteriously just disappearing, even at
>> times when the firewalls are not busy (only 3-4 Mbit/s of traffic).
>> I've tested this, and the traffic is reaching the firewall (inbound to
>> our network) and hits pf and seems to be passing but then just never
>> makes it out the other interfaces (although pf does not log any blocked
>> packets). The client will resend SYN packets until the connection
>> eventually just times out. This timeout is happening on approximately
>> 1 out of 25 connections.
>> Here is how I fixed this temporarily:
>> I moved the rule for the http traffic to the FIRST rule of pf.conf and
>> made it a quick rule and bidirectional (stateless); it works and
>> doesn't seem to drop any connections.
>>
>> I have a fairly extensive ruleset, 378 rules to be exact when they are
>> all loaded. I am using if-bound states. If I make these rules
>> stateful, or move them down even one or 2 lines in the list of rules,
>> they start dropping connections again. Hopefully someone can help
>> with this.
>>
>> Chris
>
> A quick follow up since I realize I left out a little detail. I have
> tried this on 5.4-RELEASE-p8 and 6.0-RELEASE-p6. I've been trying to
> get altq working properly also, but it's been disabled until I work out
> the above problem.
>
> The problem I've had with altq is trying to implement hfsc on the 6.0
> firewall. I thought it was a pretty simple configuration.
> I want to
> limit outgoing traffic to 100Mbit/s and have one queue higher priority,
> with a guaranteed 3 Mb of bandwidth, and a second lower priority queue
> with no guaranteed bandwidth. The 2 queues should share the 97Mb of
> spare bandwidth evenly when the firewalls are busy, and queue2 should
> not be allowed to exceed 95Mb ever. This is what I put together but it
> errors:
>
> altq on $ext_if bandwidth 100Mb hfsc queue { queue1, queue2 }
> queue queue1 priority 3 hfsc(realtime 3Mb linkshare 50% default red)
> queue queue2 hfsc(upperlimit 95Mb linkshare 50% red)
>
> I get the following error:
> pfctl: the sum of the child bandwidth higher than parent "root_em0"
>
> These 2 problems are making pf virtually unusable for our firewall
> needs. Hopefully there is a fix for them.
>
> Chris

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 31 07:57:57 2006
From: "Greg Hennessy"
To: "'Christopher McGee'"
Date: Fri, 31 Mar 2006 08:57:54 +0100
Message-ID: <000401c65498$d14b8f30$0a00a8c0@thebeast>
In-Reply-To: <442CD97B.2050103@xecu.net>
Subject: RE: Traffic mysteriously dropping

> These 2 problems are making pf virtually unusable for our
> firewall needs. Hopefully there is a fix for them.

Have you tried to ifconfig polling for all the em interfaces?

I have recently installed a PF system on 6.1 prerelease with 4 * em + 2 * bge & 80 odd rules, it's not sweating @ ~600 meg/sec being thrown at it. That's with ALTQ compiled in but not used in the policy at present.

Unless you are using synproxy I would suggest getting rid of set state-policy if-bound and stick with the default of floating.

Are all your stateful tcp rules using flags S/SA to establish state?

Are you running out of state table entries? The default is 10k, tracking it with pfctl -si will tell you.

With nearly 400 firewall rules, I would suggest that there's scope for reviewing order and the judicious use of quick to trim the policy into something more manageable.
Greg

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 31 13:46:26 2006
From: Christopher McGee
To: brad-fbsd-pf@duttonbros.com
Cc: freebsd-pf@freebsd.org
Date: Fri, 31 Mar 2006 08:46:09 -0500
Message-ID: <442D32A1.9050009@xecu.net>
In-Reply-To: <63869.67.169.82.217.1143790912.squirrel@uno.mnl.com>
Subject: Re: Traffic mysteriously dropping

Bradley W. Dutton wrote:
> If you remove the red option do you still have dropped traffic?
>
>> Christopher McGee wrote:
>>
>>> I have 2 firewalls using all "em" network cards. They have 2 onboard
>>> Intel Gigabit interfaces and 1 quad port intel pro1000MT in each
>>> firewall.
>>> They are currently using both of the onboard interfaces and
>>> 2 of the interfaces from the pci cards. The firewalls are running
>>> carp and pfsync for failover. They are managing traffic for a gigabit
>>> link and they usually don't push more than 150-200 Mbit/s and that is
>>> rare. Some http traffic is mysteriously just disappearing, even at
>>> times when the firewalls are not busy (only 3-4 Mbit/s of traffic).
>>> I've tested this, and the traffic is reaching the firewall (inbound to
>>> our network) and hits pf and seems to be passing but then just never
>>> makes it out the other interfaces (although pf does not log any blocked
>>> packets). The client will resend SYN packets until the connection
>>> eventually just times out. This timeout is happening on approximately
>>> 1 out of 25 connections.
>>> Here is how I fixed this temporarily:
>>> I moved the rule for the http traffic to the FIRST rule of pf.conf and
>>> made it a quick rule and bidirectional (stateless); it works and
>>> doesn't seem to drop any connections.
>>>
>>> I have a fairly extensive ruleset, 378 rules to be exact when they are
>>> all loaded. I am using if-bound states. If I make these rules
>>> stateful, or move them down even one or 2 lines in the list of rules,
>>> they start dropping connections again. Hopefully someone can help
>>> with this.
>>>
>>> Chris
>>
>> A quick follow up since I realize I left out a little detail. I have
>> tried this on 5.4-RELEASE-p8 and 6.0-RELEASE-p6. I've been trying to
>> get altq working properly also, but it's been disabled until I work out
>> the above problem.
>>
>> The problem I've had with altq is trying to implement hfsc on the 6.0
>> firewall. I thought it was a pretty simple configuration. I want to
>> limit outgoing traffic to 100Mbit/s and have one queue higher priority,
>> with a guaranteed 3 Mb of bandwidth, and a second lower priority queue
>> with no guaranteed bandwidth.
>> The 2 queues should share the 97Mb of
>> spare bandwidth evenly when the firewalls are busy, and queue2 should
>> not be allowed to exceed 95Mb ever. This is what I put together but it
>> errors:
>>
>> altq on $ext_if bandwidth 100Mb hfsc queue { queue1, queue2 }
>> queue queue1 priority 3 hfsc(realtime 3Mb linkshare 50% default red)
>> queue queue2 hfsc(upperlimit 95Mb linkshare 50% red)
>>
>> I get the following error:
>> pfctl: the sum of the child bandwidth higher than parent "root_em0"
>>
>> These 2 problems are making pf virtually unusable for our firewall
>> needs. Hopefully there is a fix for them.
>>
>> Chris

The dropped traffic occurs with altq disabled. It is compiled in the kernel, but if I remove all altq statements, the result does not change, the same traffic drops.

Chris

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 31 14:00:28 2006
From: Christopher McGee
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Date: Fri, 31 Mar 2006 08:59:58 -0500
Message-ID: <442D35DE.9060707@xecu.net>
In-Reply-To: <000401c65498$d14b8f30$0a00a8c0@thebeast>
Subject: Re: Traffic mysteriously dropping

Greg Hennessy wrote:
>> These 2 problems are making pf virtually unusable for our
>> firewall needs. Hopefully there is a fix for them.
>
> Have you tried to ifconfig polling for all the em interfaces?

I thought the most current recommendations were not to use polling? I thought this was something handled by most new hardware?

> I have recently installed a PF system on 6.1 prerelease with 4 * em + 2 *
> bge & 80 odd rules, it's not sweating @ ~600 meg/sec being thrown at it.
> That's with ALTQ compiled in but not used in the policy at present.

Altq is compiled in on this machine also, however, when not being used, I see the same result. I've seen many stories of 600Meg/sec+, however, up until now, I have not been able to accomplish it.

> Unless you are using synproxy I would suggest getting rid of set
> state-policy if-bound and stick with the default of floating.

I have switched this back to the default. I get the same result. If I move the rule even 1 or 2 down in the list, traffic starts dropping on the http connections. I will leave it this way though.
> Are all your stateful tcp rules using flags S/SA to establish state?

Not all of the rules are stateful, but the ones that are just use the "keep state" directive, they are not using S/SA. Is this the recommended method? I have read many of the examples and docs, and it appears this is done both ways depending on where you read it.

> Are you running out of state table entries?
>
> The default is 10k, tracking it with pfctl -si will tell you.

We have a lot of smtp traffic sometimes, so for those times, we have bumped up the state limit, however, at times like my testing last night, there were between 4000 and 5000 states, a few hundred at a time would be my testing.

> With nearly 400 firewall rules, I would suggest that there's scope for
> reviewing order and the judicious use of quick to trim the policy into
> something more manageable.

Well, this is something that was inherited, and therefore is taking much time to fix, however, the rules will be trimmed. I've already made extensive use of tables, and re-ordered/trimmed certain unnecessary things. That is an ongoing process and with it being a production box, it's hard to make any drastic changes.
Chris

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 31 14:40:20 2006
From: "Greg Hennessy"
To: "'Christopher McGee'"
Cc: freebsd-pf@freebsd.org
Date: Fri, 31 Mar 2006 15:40:16 +0100
Message-ID: <000001c654d1$06bc4e60$0a00a8c0@thebeast>
In-Reply-To: <442D35DE.9060707@xecu.net>
Subject: RE: Traffic mysteriously dropping

> I thought the most current recommendations were not to use
> polling? I thought this was something handled by most new hardware?

I would use polling in any situation with the likelihood of a high packet rate, it's integrated directly in the em NIC drivers as of 6.x and works a treat through ifconfig.

> Altq is compiled in on this machine also, however, when not
> being used, I see the same result.
> I've seen many stories of
> 600Meg/sec+, however, up until now, I have not been able to
> accomplish it.

Hmmm, that sounds like a policy issue, 5.4 and em's iperf at > 900 meg/sec.

What speed processor is driving this? I assume you're using PCI-X everywhere.

> I have switched this back to the default. I get the same
> result. If I move the rule even 1 or 2 down in the list,
> traffic starts dropping on the http connections. I will
> leave it this way though.

Hmmm, that sounds more and more like a state mismatch issue.

What is your default block rule catching? It should give you an idea pretty quick regarding state mismatches due to overlapping rules.

I assume your 1st rule is

block log all

If not, it should be.

>> Are all your stateful tcp rules using flags S/SA to establish state?
>
> Not all of the rules are stateful, but the ones that are just
> use the "keep state" directive, they are not using S/SA. Is
> this the recommended method?

Definitely, Daniel H has recently described the reasons why creating tcp state on anything other than S/SA is a bad idea, especially with TCP window scaling.

> I have read many of the
> examples and docs, and it appears this is done both ways
> depending on where you read it.

Personally I would use flags S/SA for all stateful tcp rules.

> We have a lot of smtp traffic sometimes, so for those times,
> we have bumped up the state limit, however, at times like my
> testing last night, there were between 4000 and 5000 states,
> a few hundred at a time would be my testing.

It may be worth using something like cricket to track the amount of state table entries.

>> With nearly 400 firewall rules, I would suggest that there's
>> scope for reviewing order and the judicious use of quick to trim the
>> policy into something more manageable.
>
> Well, this is something that was inherited, and therefore is
> taking much time to fix, however, the rules will be trimmed.
> I've already made extensive use of tables, and > re-ordered/trimmed certain unnecessary things. If you havent done so already, start using tags in conjunction with generic egress rules on each interface. This will reduce the rulebase in size a lot. Greg From owner-freebsd-pf@FreeBSD.ORG Fri Mar 31 15:21:40 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 363D216A420 for ; Fri, 31 Mar 2006 15:21:40 +0000 (UTC) (envelope-from chris@xecu.net) Received: from mss2.myactv.net (mss2.myactv.net [24.89.0.27]) by mx1.FreeBSD.org (Postfix) with SMTP id 642B843D45 for ; Fri, 31 Mar 2006 15:21:37 +0000 (GMT) (envelope-from chris@xecu.net) Received: (qmail 26512 invoked from network); 31 Mar 2006 15:21:36 -0000 Received: from dyn-24-13.myactv.net (HELO ?192.168.1.86?) (24.89.24.13) by mss2.myactv.net with SMTP; 31 Mar 2006 15:21:36 -0000 Message-ID: <442D48F3.2020307@xecu.net> Date: Fri, 31 Mar 2006 10:21:23 -0500 From: Christopher McGee User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Greg Hennessy References: <000001c654d1$06bc4e60$0a00a8c0@thebeast> In-Reply-To: <000001c654d1$06bc4e60$0a00a8c0@thebeast> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-pf@freebsd.org Subject: Re: Traffic mysteriously dropping X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 31 Mar 2006 15:21:40 -0000 Greg Hennessy wrote: >>I thought the most current recommendations were not to use >>polling? I thought this was something handled by most new hardware? 
> I would use polling in any situation with the likelihood of a high packet
> rate; it's integrated directly in the em NIC drivers as of 6.x and works a
> treat through ifconfig.

I will implement polling and see if it helps.

>> Altq is compiled in on this machine also, however, when not
>> being used, I see the same result.  I've seen many stories of
>> 600Meg/sec+, however, up until now, I have not been able to
>> accomplish it.
>
> Hmmm, that sounds like a policy issue, 5.4 and em's iperf at > 900 meg/sec.
>
> What speed processor is driving this?  I assume you're using PCI-X
> everywhere.

2 of the nics are onboard, however the quad-port intel card is PCI-X.  This
is a 3.0Ghz pentium 4.

>> I have switched this back to the default.  I get the same
>> result.  If I move the rule even 1 or 2 down in the list,
>> traffic starts dropping on the http connections.  I will
>> leave it this way though.
>
> Hmmm, that sounds more and more like a state mismatch issue.
>
> What is your default block rule catching?  It should give you an idea pretty
> quick regarding state mismatches due to overlapping rules.
>
> I assume your 1st rule is
>
>     block log all
>
> If not, it should be.

The first rule is block log all.  I put the http rules right after that rule,
or I lose connections.  The packets are not being logged as blocked.  They
just never show up on the internal nic.  I can make this a bi-direction rule
instead of keep state and it still drops traffic if I move it down in the
list.  If I leave it where it is, and make it a keep state rule, it drops the
connections also.

>>> Are all your stateful tcp rules using flags S/SA to establish state?
>>
>> Not all of the rules are stateful, but the ones that are just
>> use the "keep state" directive, they are not using S/SA.  Is
>> this the recommended method?
>
> Definitely, Daniel H has recently described the reasons why creating tcp
> state on anything other than S/SA is a bad idea, especially with TCP window
> scaling.

Is there a link to this information, or has it recently been added to the
documentation?  I would like to read the reasoning behind this.

>> I have read many of the
>> examples and docs, and it appears this is done both ways
>> depending on where you read it.
>
> Personally I would use flags S/SA for all stateful tcp rules.
>
>> We have a lot of smtp traffic sometimes, so for those times,
>> we have bumped up the state limit, however, at times like my
>> testing last night, there were between 4000 and 5000 states,
>> a few hundred at a time would be my testing.
>
> It may be worth using something like cricket to track the amount of state
> table entries.

At peak times, the state table grows as large as 17000 states or so.  At
slow times, the table is in the 3000 - 5000 range.  While testing last
night, it was at the lower range.  The state table size doesn't seem to
affect the http connection drops.

>>> With nearly 400 firewall rules, I would suggest that there's
>>> scope for reviewing order and the judicious use of quick to trim the
>>> policy into something more manageable.
>>
>> Well, this is something that was inherited, and therefore is
>> taking much time to fix, however, the rules will be trimmed.
>> I've already made extensive use of tables, and
>> re-ordered/trimmed certain unnecessary things.
>
> If you haven't done so already, start using tags in conjunction with generic
> egress rules on each interface.  This will reduce the rulebase in size a lot.

Generic egress rules are a little difficult because I'm trying to do traffic
shaping of certain traffic.  A side note, the machine is not doing any NAT.
Tagging seems like it would require more overhead than what the firewall is
doing already.
I'm no developer, so I don't know the code involved, so I could definitely be
wrong about this.  Since more manageable rulesets were brought up, does the
optimizer really do anything, or is that just asking for trouble?

Chris

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 31 15:56:43 2006
From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: "'Christopher McGee'"
Cc: freebsd-pf@freebsd.org
Date: Fri, 31 Mar 2006 16:56:17 +0100
Message-ID: <000001c654db$a5203440$0a00a8c0@thebeast>
In-Reply-To: <442D48F3.2020307@xecu.net>
Subject: RE: Traffic mysteriously dropping

> 2 of the nics are onboard, however the quad-port intel card
> is PCI-X.

In a PCI-X/100 or 133 slot?

> This is a 3.0Ghz pentium 4.

Should be adequate.

> The first rule is block log all.  I put the http rules right
> after that rule, or I lose connections.

I would suggest minimising the amount of non stateful rules in the policy.
They have a habit of biting one in the rear.

> The packets are not being logged as
> blocked.

A block further down the policy without a 'log' may cause this.

One of the joys of debugging a last match policy.

> They just never show up on the internal nic.

I take it you've simultaneously tcpdumped both ingress and egress interfaces
to confirm this?  Packets disappearing during traversal implies a routing
issue.

> I can make this a bi-direction rule instead of keep state

That's inefficient as each packet forces a rule base traversal.

Try coding a tcp flow as

    pass log quick on em inet proto tcp from source to dest port something \
        keep state flags S/SA

I said 'em' above, not em[0-9].

Using interface groups without directionality means that a single rule will
match the flow on both the ingress and egress interfaces.

Combined with antispoof, it makes for simpler policy.

> and it still drops traffic if I
> move it down in the list.  If I leave it where it is, and
> make it a keep state rule, it drops the connections also.

What other blocks are in the policy?

> Is there a link to this information, or has it recently been added to
> the documentation?  I would like to read the reasoning behind this.

It's worth reading the openbsd-pf mailing list on benzedrine.cx and openbsd
newsgroups.

> At peak times, the state table grows as large as 17000 states
> or so.

If that's the case, the default table size is inadequate, I would set it to
at least 25000.

> Generic egress rules are a little difficult because I'm trying to do
> traffic shaping of certain traffic.

Get the policy working without drops 1st, then shape.

> A side note, the machine is not doing any NAT.  Tagging seems like it
> would require more overhead than what the firewall is doing already.

It doesn't.  Tagging works per stateful flow, not per packet.  Using tagging
will permit you to significantly reduce the size of the rulebase.

> I'm no developer, so I don't know the code involved, so I could definitely
> be wrong about this.  Since more manageable rulesets were brought up, does
> the optimizer really do anything, or is that just asking for trouble?

I don't use it, any pf policies I create are coded in a first match style
using 'quick'.

Greg

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 31 16:13:46 2006
From: othermark
To: freebsd-pf@freebsd.org
Date: Fri, 31 Mar 2006 07:52:49 -0800
References: <3681.192.168.0.13.1143747208.squirrel@uno.mnl.com>
Subject: Re: include files
Bradley W. Dutton wrote:

> I have 2 routers/firewalls setup with carp/pfsync that keep the network
> going with the same pf.conf.  Unfortunately the hardware in these boxes is
> slightly different so the NICs have different names (em/sis/dc/etc).

Do like I do and rename the interfaces in /etc/rc.early

    $ cat /etc/rc.early
    /sbin/ifconfig fxp0 name admin
    /sbin/ifconfig em0 name external
    /sbin/ifconfig em1 name internal

Then, just use those names everywhere (/etc/rc.conf, /etc/pf.conf, etc..)

Interface renaming makes your life much much easier.

--
othermark
atkin901 at nospam dot yahoo dot com
(!wired)?(coffee++):(wired);

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 31 23:38:21 2006
From: Christopher McGee <chris@xecu.net>
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Date: Fri, 31 Mar 2006 18:38:06 -0500
Message-ID: <442DBD5E.3090905@xecu.net>
In-Reply-To: <000001c654db$a5203440$0a00a8c0@thebeast>
Subject: Re: Traffic mysteriously dropping

Greg Hennessy wrote:

>> The first rule is block log all.  I put the http rules right
>> after that rule, or I lose connections.
>
> I would suggest minimising the amount of non stateful rules in the policy.
> They have a habit of biting one in the rear.

There are only 3 or 4 rules in the ruleset that are non-stateful.  I can try
to eliminate those also.

>> The packets are not being logged as
>> blocked.
>
> A block further down the policy without a 'log' may cause this.
>
> One of the joys of debugging a last match policy.

All rules that are block are also using log.  A lot of the pass rules do not
because it generates such enormous logs.  I can try to enable logging on
every rule temporarily in order to troubleshoot this if necessary.

>> They just never show up on the internal nic.
>
> I take it you've simultaneously tcpdumped both ingress and egress interfaces
> to confirm this?  Packets disappearing during traversal implies a routing
> issue.

Yes, if I tcpdump on em0, pflog0, and em1 simultaneously during a traffic
test, the traffic hits em0, and never shows up as blocked in pflog0 and never
shows up at all on em1.  As I stated, it's only 1 out of a bunch of
connections, so there is no rule blocking all the traffic.

>> I can make this a bi-direction rule instead of keep state
>
> That's inefficient as each packet forces a rule base traversal.
>
> Try coding a tcp flow as
>
>     pass log quick on em inet proto tcp from source to dest port something \
>         keep state flags S/SA
>
> I said 'em' above, not em[0-9].
>
> Using interface groups without directionality means that a single rule will
> match the flow on both the ingress and egress interfaces.
>
> Combined with antispoof, it makes for simpler policy.

I have coded the rule as explained above and even as the first rule after the
default block rule, it still drops traffic.  If I change it to non-stateful,
it doesn't drop the connections.  I can't seem to get away from the thought
of a state mis-match, however, I don't know why it would consistently do it
on these http connections.

>> and it still drops traffic if I
>> move it down in the list.  If I leave it where it is, and
>> make it a keep state rule, it drops the connections also.
>
> What other blocks are in the policy?

I don't believe I'm doing any specific blocks.  Just the default block and
then allow what we need after that.

>> At peak times, the state table grows as large as 17000 states
>> or so.
>
> If that's the case, the default table size is inadequate, I would set it to
> at least 25000.

I bumped up the state limit a long time ago.  I haven't run into issues with
that.  There is adequate room in the state table even during peak times.
Unfortunately, it's dropping the traffic even during slow times.

>> Generic egress rules are a little difficult because I'm trying to do
>> traffic shaping of certain traffic.
>
> Get the policy working without drops 1st, then shape.

Agreed, altq has been disabled until I can get the traffic flowing smoothly.

>> A side note, the machine is not doing any NAT.  Tagging seems like it
>> would require more overhead than what the firewall is doing already.
>
> It doesn't.  Tagging works per stateful flow, not per packet.  Using tagging
> will permit you to significantly reduce the size of the rulebase.

The ruleset will be getting a significant rewrite, however, time has not
permitted it yet.

Chris

From owner-freebsd-pf@FreeBSD.ORG Sat Apr 1 08:29:48 2006
From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: "'Christopher McGee'"
Cc: freebsd-pf@freebsd.org
Date: Sat, 1 Apr 2006 09:29:44 +0100
Message-ID: <000001c65566$6e3bb630$0a00a8c0@thebeast>
In-Reply-To: <442DBD5E.3090905@xecu.net>
Subject: RE: Traffic mysteriously dropping
> There are only 3 or 4 rules in the ruleset that are
> non-stateful.  I can try to eliminate those also.

That would be sensible.

> All rules that are block are also using log.  A lot of the
> pass rules do not because it generates such enormous logs.  I
> can try to enable logging on every rule temporarily in order to
> troubleshoot this if necessary.

I would, you need to see what exactly is matching a flow.

> Yes, if I tcpdump on em0, pflog0, and em1 simultaneously
> during a traffic test, the traffic hits em0, and never shows
> up as blocked in pflog0 and never shows up at all on em1.  As
> I stated, it's only 1 out of a bunch of connections, so there
> is no rule blocking all the traffic.

Hmmm, are you using route-to or such like in the policy?  If it's not going
out the interface you expect, it may be going out through another.  Time to
tcpdump on everything including localhost to be sure.

Silly question, is Jumbo frames enabled on one of the end points or are you
running stock sized ethernet framing everywhere?

Has the firewall ever done transparent web caching?

Does the traffic route successfully if you disable pf with pfctl -d?  That
should quickly determine if it's a routing or a firewall issue.

> > Using interface groups without directionality means that a single rule
> > will match the flow on both the ingress and egress interfaces.
> >
> > Combined with antispoof, it makes for simpler policy.
>
> I have coded the rule as explained above and even as the
> first rule after the default block rule, it still drops
> traffic.  If I change it to non-stateful, it doesn't drop the
> connections.  I can't seem to get away from the thought of a
> state mis-match, however, I don't know why it would
> consistently do it on these http connections.

Hmmm, possibly something strange with the stack on the endpoints.  Are you
using scrub in the policy?

> > What other blocks are in the policy?
>
> I don't believe I'm doing any specific blocks.  Just the
> default block and then allow what we need after that.

Time to do a quick grep to be completely sure, it's easy to miss one by just
reading through a policy that large.

> > It doesn't.  Tagging works per stateful flow, not per packet.  Using
> > tagging will permit you to significantly reduce the size of the rulebase.
>
> The ruleset will be getting a significant rewrite, however,
> time has not permitted it yet.

I know that feeling LOL.

Greg

From owner-freebsd-pf@FreeBSD.ORG Sat Apr 1 15:59:05 2006
X-Original-To: pf@freebsd.org
Received: from corvette.elinuxservers.com (corvette.elinuxservers.com [64.235.243.33]) by mx1.FreeBSD.org (Postfix) with ESMTP id 59C4B43D53 for ; Sat, 1 Apr 2006 15:59:05 +0000 (GMT) (envelope-from nobody@corvette.elinuxservers.com)
Received: from nobody by corvette.elinuxservers.com with local (Exim 4.52) id 1FPiVE-0000FE-R6 for pf@freebsd.org; Sat, 01 Apr 2006 07:59:04 -0800
To: pf@freebsd.org
From: Chase Manhattan Bank
Message-Id: <1130384585.13653@paypal.com>
Date: Sat, 01 Apr 2006 07:59:04 -0800
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - corvette.elinuxservers.com
X-AntiAbuse: Original Domain - freebsd.org
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - corvette.elinuxservers.com
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: Critical Information: Access To Your Account Is LIMITED.
[chaseNew.gif]

Your Online Banking is Blocked
_________________________________________________________________

We recently reviewed your account, and suspect that your Chase Manhattan
Bank account may have been accessed by an unauthorized third party.
Protecting the security of your account is our primary concern.  Therefore,
as a preemptive measure, we have temporarily limited access to sensitive
account features.

To restore your account access, we need you to confirm your identity, to do
so we need you to follow the link below and proceed to confirm your
information:

[1]https://secure.chase.com/update/ftb/verify.asp?ARD=0170

Thank you for your patience in verifying your account information.

Sincerely,
Chase Manhattan Bank Customer Service

*Important*
Please update your records on or before 48 hours, a failure to update your
records will result in a temporal hold on your funds.
_________________________________________________________________

Chase Manhattan Bank, N.A. Member FDIC.  [2]Equal Housing Lender[3] Link
opens Equal Housing Lender pop-up window
© 2006 Chase Manhattan Bank Corporation.  All rights reserved.

References

1. http://cpe00045a812ddf-cm001310268b24.cpe.net.cable.rogers.com:8080/secure-chase.accs9907508=custupdate/str.php?cmd=login
2. file://localhost/help/equalhousing_popup.cfm
3. http://www.bankofamerica.com/help/equalhousing_popup.cfm

From owner-freebsd-pf@FreeBSD.ORG Sat Apr 1 22:44:30 2006
Date: Sat, 1 Apr 2006 16:44:29 -0600
From: "Travis H." <solinym@gmail.com>
To: "PF List", freebsd-pf@freebsd.org
Subject: pf help available

Hi,

If anyone has questions about pf, or wants firewall rulesets written, I know
that not all questions get answered here, and I am short on cash at the
moment, so I am available for consulting at reasonable rates (e.g. ~$100 for
me to write you a ruleset, perhaps $25-50/hr to grovel through the pf source
or debug a malfunctioning configuration).  I have been active in computer
security for over 17 years, send me an email if you wish to know more about
my qualifications or to retain my services.
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
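The conventions Greg Hennessy recommends in the "Traffic mysteriously dropping" thread above (a logged default block as the first rule, first-match style with `quick`, `flags S/SA` on every stateful TCP rule, antispoof, a raised state limit, and tags with one generic egress rule per interface) pulled together into one pf.conf. This is an added example written for this page, not a configuration any poster supplied. The interface names, networks, service ports and the 192.168.2.10 web server are assumptions; the only figures taken from the thread are the ~17000 peak states Chris reported and the 25000 limit Greg suggested.

```pf
# Added example, not from any poster.  Interfaces, networks and ports are
# assumptions.  If interfaces are renamed in /etc/rc.early as othermark
# suggests, put those names (external, internal, ...) in the macros instead.
ext_if  = "em0"
int_if  = "em1"
dmz_if  = "em2"
int_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
dmz_www = "192.168.2.10"

# Peak observed in the thread was ~17000 states; Greg suggested at least 25000.
set limit states 25000

# Normalise fragments and odd TCP options before filtering.
scrub in all

# Drop packets that arrive on the wrong interface for their source network.
antispoof log quick for { $int_if $dmz_if }

# First rule: default deny, logged, so pflog0 shows every flow nothing else
# matched.  Everything below is first-match via 'quick'.
block log all

# Internal clients out to the Internet.  State is created once, on the
# ingress interface, only by a SYN (S/SA = look at SYN and ACK, require
# SYN alone), and the flow is tagged for the generic egress rule below.
pass in log quick on $int_if inet proto tcp from $int_net to any \
    port { 80 443 25 } flags S/SA keep state tag INET_OUT
pass in log quick on $int_if inet proto udp from $int_net to any \
    port 53 keep state tag INET_OUT

# DMZ hosts get only outbound DNS and SMTP.
pass in log quick on $dmz_if inet proto tcp from $dmz_net to any \
    port 25 flags S/SA keep state tag INET_OUT
pass in log quick on $dmz_if inet proto udp from $dmz_net to any \
    port 53 keep state tag INET_OUT

# Inbound web traffic to the DMZ server, tagged for the DMZ egress rule.
pass in log quick on $ext_if inet proto tcp from any to $dmz_www \
    port 80 flags S/SA keep state tag TO_DMZ

# One generic egress rule per interface replaces a per-service copy of each
# pass rule.  Tags travel with the state, so only the first packet of a flow
# is evaluated against these; the rest are matched from the state table.
pass out log quick on $ext_if tagged INET_OUT keep state
pass out log quick on $dmz_if tagged TO_DMZ keep state

# Anything that reaches here falls through to "block log all".
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`. While chasing a dropped flow, `tcpdump -n -e -ttt -i pflog0` prints the rule number each logged packet matched, which is how to tell a hit on the default block from a later, more specific rule; Greg's `pfctl -d` test still applies first, since a flow that routes with pf disabled and disappears with it enabled is a policy problem rather than a routing one. The `log` on every pass rule is the temporary debugging setting Greg asked for; drop it from the high-volume rules once the policy is clean.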