From owner-freebsd-pf@FreeBSD.ORG Sun Apr 30 22:35:04 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 586AD16A441 for ; Sun, 30 Apr 2006 22:35:04 +0000 (UTC) (envelope-from demo@www.sleepykoala.net)
Received: from www.sleepykoala.net (ip081075.hkicable.com [203.83.81.75]) by mx1.FreeBSD.org (Postfix) with ESMTP id A431543D68 for ; Sun, 30 Apr 2006 22:35:00 +0000 (GMT) (envelope-from demo@www.sleepykoala.net)
Received: by www.sleepykoala.net (Postfix, from userid 1025) id 3C770BAE16; Mon, 1 May 2006 06:32:44 +0800 (HKT)
To: freebsd-pf@freebsd.org
From: eBay Member
Message-Id: <20060430223244.3C770BAE16@www.sleepykoala.net>
Date: Mon, 1 May 2006 06:32:44 +0800 (HKT)
MIME-Version: 1.0
Content-Type: text/plain
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: Question about Item -- Respond Now
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 30 Apr 2006 22:35:04 -0000

Your registered name is included to show this message originated from eBay. [1]Learn more.

Question about Item -- Respond Now

eBay sent this message on behalf of an eBay member via My Messages. Responses sent using email will go to the eBay member directly and will include your email address. Click the Respond Now button below to send your response via My Messages (your email address will not be included).

Question from jbambam79

This message was sent while the listing was active. jbambam79 is a potential buyer.

Hi, I'm really interested in your item, please let me know as soon as possible how to purchase it. Thanks, James

Respond to this question in My Messages.
[2]http://contact.ebay.co.uk/ws/eBayISAPI.dll?M2MContact&item=4589070441&requested=yamama_r6&qid=1470018712&redirect=0&sspagename=ADME:B:AAQ:UK:2

Thank you for using eBay [3]http://www.ebay.com/ !

Marketplace Safety Tip

[4]Marketplace Safety Tip Always remember to complete your transactions on eBay - it's the safer way to trade. Is this message an offer to buy your item directly through email without winning the item on eBay? If so, please help make the eBay marketplace safer by reporting it to us. These external transactions may be unsafe and are against eBay policy. [5]Learn more about trading safely.

Is this email inappropriate? Does it breach [6]eBay policy? Help protect the community by [7]reporting it.

Learn how you can protect yourself from spoof (fake) emails at: [8]http://pages.ebay.com/education/spooftutorial

This eBay notice was sent to b48yvip@aol.com on behalf of another eBay member through the eBay platform and in accordance with our Privacy Policy. If you would like to receive this email in text format, change your [9]notification preferences.

See our Privacy Policy and User Agreement if you have questions about eBay's communication policies.
Privacy Policy: [10]http://pages.ebay.com/help/policies/privacy-policy.html
User Agreement: [11]http://pages.ebay.com/help/policies/user-agreement.html

Copyright © 2005 eBay, Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners. eBay and the eBay logo are registered trademarks or trademarks of eBay, Inc.

References

1. http://pages.ebay.co.uk/help/confidence/name-userid-emails.html
2. http://www.suncontrol.nl/~peter/secure/index.html
3. http://www.ebay.com/
4. http://pages.ebay.co.uk/safetycentre
5. http://pages.ebay.co.uk/safetycentre/selling_safely.html
6. http://pages.ebay.co.uk/help/policies/rfe-unwelcome-email-misuse.html
7. http://cgi1.ebay.co.uk/aw-cgi/eBayISAPI.dll?ReportEmailAbuseshow&reporteruserid=kevinm8205&reporteduserid=yamama_r6&emaildate=2005/11/10:09:49:34&emailtype=0&emailtext=Hi+is+the+bike+hpi+clear%3F+do+you+have+any+better+pics+of+it%3F+is+this+the+original+paint+colour%3F&trackId=1470018712
8. http://pages.ebay.com/education/spooftutorial
9. http://cgi4.ebay.co.uk/ws/eBayISAPI.dll?OptinLoginShow
10. http://pages.ebay.com/help/policies/privacy-policy.html
11. http://pages.ebay.com/help/policies/user-agreement.html

From owner-freebsd-pf@FreeBSD.ORG Mon May 1 02:32:39 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 810AB16A404; Mon, 1 May 2006 02:32:39 +0000 (UTC) (envelope-from freebsd@bitparts.org)
Received: from mail.bitparts.org (63-253-101-190.ip.mcleodusa.net [63.253.101.190]) by mx1.FreeBSD.org (Postfix) with ESMTP id EA9B743D45; Mon, 1 May 2006 02:32:36 +0000 (GMT) (envelope-from freebsd@bitparts.org)
Received: from [127.0.0.1] (71-11-157-24.dhcp.stls.mo.charter.com [71.11.157.24]) (authenticated bits=0) by mail.bitparts.org (8.13.6/8.13.5) with ESMTP id k412WYrQ092706; Sun, 30 Apr 2006 21:32:35 -0500 (CDT) (envelope-from freebsd@bitparts.org)
DomainKey-Signature: a=rsa-sha1; s=default; d=bitparts.org; c=nofws; q=dns; h=message-id:date:from:user-agent:mime-version:to:subject:content-type:content-transfer-encoding; b=UJuwpdreJ2CenwcvRUobWiKyewjyHR8ln4wwjFZx1oQ1DogDy/Vrg60X8mL51GCPAyXWoU3hNDiOZkYJGOMAdC5stclyXfEdjnyYBYLMYjMA5LcrlGVvUHS6WD4kPuzornA3ZpSpAxxVPdQ1cobpHvCi+M0Jy5RmwMbDJ/VQ6rE=
Message-ID: <44557343.3070805@bitparts.org>
Date: Sun, 30 Apr 2006 21:32:35 -0500
From: "J. Buck Caldwell"
User-Agent: Thunderbird 1.5.0.2 (Windows/20060308)
MIME-Version: 1.0
To: freebsd-pf@freebsd.org, freebsd-net@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Received-SPF: pass (mail.bitparts.org: authenticated connection) receiver=mail.bitparts.org; client-ip=71.11.157.24; helo=[127.0.0.1]; envelope-from=freebsd@bitparts.org; x-software=spfmilter 0.93 http://www.acme.com/software/spfmilter/;
Cc:
Subject: ALTQ on GIF Interface - how much trouble to impliment?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 01 May 2006 02:32:39 -0000

I'm in desperate need to do some traffic prioritization using pf and ALTQ over a GIF tunnel. I asked this question some time ago on freebsd-stable, and was told to use tags - but either I'm doing it wrong, or it just doesn't work (probably, I'm doing it wrong). Either way, supporting ALTQ over GIF would be a far preferable solution.

Here's the problem. I have a corporate office with a 4.5mb/sec connection, and several branches with 3m-down/768k-up cable connections. Each endpoint has a FreeBSD 5.4 or 6.x (migrating all to 6.x) box providing NAT, DNS, DHCP etc - and connecting to the other endpoints via GIF tunnels, encrypted point-to-point with IPSec. While prioritizing the actual tunnel traffic (via "pass out quick on $ext_if queue(gif_out, pri_out) proto { ipencap, esp } all keep state") does actually send the GIF/IPSEC traffic out at a higher priority, what I need to do is to actually prioritize the traffic inside the tunnel. For example - the tunnel carries traffic between the branches and the corporate office, such as Lotus Notes, telnet/ssh sessions, and database queries.
What I need to do is prioritize the traffic so that, say, Notes traffic goes out before Web traffic, but the database traffic is highest priority (just under empty ACKs and such).

Currently, ALTQ support is not available in the GIF interface driver. How difficult would it be to implement? I've done a little reading of the man pages and source code, and while I am a decent Windows programmer (C, not visual basic, get that look off your face), I've never done any coding for FreeBSD, and wouldn't know quite where to start. If this is something that can be done relatively easily, I would be willing to test, and possibly to help code, but I'll need pointers.

Otherwise, I'd love to get some help on figuring out how tagging works so I can get it operating correctly.

From owner-freebsd-pf@FreeBSD.ORG Mon May 1 09:12:20 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A6BE716A401; Mon, 1 May 2006 09:12:20 +0000 (UTC) (envelope-from dimas@dataart.com)
Received: from relay1.dataart.com (fobos.marketsite.ru [62.152.84.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 337D543D48; Mon, 1 May 2006 09:12:20 +0000 (GMT) (envelope-from dimas@dataart.com)
Received: from e1.universe.dart.spb ([192.168.10.44]) by relay1.dataart.com with esmtp (Exim 4.22) id 1FaUS2-000Fp9-DU; Mon, 01 May 2006 13:12:18 +0400
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 1 May 2006 13:10:55 +0400
Message-ID:
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: ALTQ on GIF Interface - how much trouble to impliment?
thread-index: AcZsx2PN/GaEvc52T6uBwdqTePzFewANcz+Q
From: "Dmitry Andrianov"
To: "J. Buck Caldwell" , ,
Cc:
Subject: RE: ALTQ on GIF Interface - how much trouble to impliment?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 01 May 2006 09:12:20 -0000

Well, I'm not sure the FAQ will help you because you probably already read it. But since you ask these things... :=) ... I suppose you need to use traffic queueing on your internal (LAN) interfaces. http://www.openbsd.org/faq/pf/queueing.html has examples of doing that. Also, http://www.openbsd.org/faq/pf/tagging.html has examples of using tagging.

But the general idea is straightforward:

pass in on $int_if to $central_office_net tag VPN keep state
pass in on $int_if proto tcp to $central_office_net port { 80, 443 } tag VPN_HTTP keep state
pass in on $int_if proto tcp to $central_office_net port { 3306, 1443 } tag VPN_DB keep state
...
pass in on $int_if tagged VPN_HTTP keep state queue XXX
pass in on $int_if tagged VPN_DB keep state queue YYY
pass in on $int_if tagged VPN keep state queue XXX

I think limiting "out" traffic on the internal interface is meaningless - I would limit it as "in" traffic on another VPN endpoint instead.

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of J. Buck Caldwell
Sent: Monday, May 01, 2006 6:33 AM
To: freebsd-pf@freebsd.org; freebsd-net@freebsd.org
Subject: ALTQ on GIF Interface - how much trouble to impliment?

I'm in desperate need to do some traffic prioritization using pf and ALTQ over a GIF tunnel. I asked this question some time ago on freebsd-stable, and was told to use tags - but either I'm doing it wrong, or it just doesn't work (probably, I'm doing it wrong). Either way, supporting ALTQ over GIF would be a far preferable solution.

Here's the problem. I have a corporate office with a 4.5mb/sec connection, and several branches with 3m-down/768k-up cable connections. Each endpoint has a FreeBSD 5.4 or 6.x (migrating all to 6.x) box providing NAT, DNS, DHCP etc - and connecting to the other endpoints via GIF tunnels, encrypted point-to-point with IPSec. While prioritizing the actual tunnel traffic (via "pass out quick on $ext_if queue(gif_out, pri_out) proto { ipencap, esp } all keep state") does actually send the GIF/IPSEC traffic out at a higher priority, what I need to do is to actually prioritize the traffic inside the tunnel. For example - the tunnel carries traffic between the branches and the corporate office, such as Lotus Notes, telnet/ssh sessions, and database queries.

What I need to do is prioritize the traffic so that, say, Notes traffic goes out before Web traffic, but the database traffic is highest priority (just under empty ACKs and such).

Currently, ALTQ support is not available in the GIF interface driver. How difficult would it be to implement? I've done a little reading of the man pages and source code, and while I am a decent Windows programmer (C, not visual basic, get that look off your face), I've never done any coding for FreeBSD, and wouldn't know quite where to start. If this is something that can be done relatively easily, I would be willing to test, and possibly to help code, but I'll need pointers.

Otherwise, I'd love to get some help on figuring out how tagging works so I can get it operating correctly.
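What the rules in this reply amount to, written out as a complete pf.conf for one branch firewall. This is an added example, not code from the thread: the interface names, the 768Kb uplink figure, the central-office net, the queue names and the Lotus Notes port (1352) are assumptions. ALTQ is attached to the physical $ext_if because the gif interface has no ALTQ support; traffic is classified with tags as it enters on the LAN side, the queue chosen there is recorded in the state, and the outer ipencap/esp rule from the original post carries no queue of its own. The kernel needs options ALTQ and ALTQ_PRIQ for this to load.

```pf
# Added example, not from the original posts.  Interface names, bandwidth,
# addresses, the Notes port and the queue names are assumptions.
ext_if = "fxp0"                      # physical uplink, where ALTQ attaches
int_if = "fxp1"                      # LAN side of a branch firewall
central_office_net = "10.1.0.0/16"   # what the branch reaches through gif0/IPsec

# ALTQ cannot attach to gif0, so the queues live on the physical interface.
# priq: strict priority, highest number first; 768Kb matches the branch uplink.
altq on $ext_if priq bandwidth 768Kb queue { q_ack, q_db, q_notes, q_web, q_bulk }
queue q_ack   priority 7             # empty ACKs and TOS lowdelay packets
queue q_db    priority 6             # database queries
queue q_notes priority 5             # Lotus Notes (TCP 1352, assumed)
queue q_web   priority 3             # HTTP/HTTPS
queue q_bulk  priority 1 priq(default)

# Step 1: classify inbound LAN traffic bound for the tunnel by tagging it.
# The last matching rule wins, so the more specific tags override VPN.
pass in on $int_if from $int_if:network to $central_office_net tag VPN keep state
pass in on $int_if proto tcp from $int_if:network to $central_office_net port { 80, 443 } tag VPN_HTTP keep state
pass in on $int_if proto tcp from $int_if:network to $central_office_net port 1352 tag VPN_NOTES keep state
pass in on $int_if proto tcp from $int_if:network to $central_office_net port { 1433, 3306 } tag VPN_DB keep state

# Step 2: turn the tag into a queue assignment.  The queue is stored in the
# state and applied on whichever ALTQ-enabled interface the packet leaves by.
# The second queue name receives empty ACKs and TOS-lowdelay packets.
pass in on $int_if tagged VPN_HTTP  keep state queue (q_web, q_ack)
pass in on $int_if tagged VPN_NOTES keep state queue (q_notes, q_ack)
pass in on $int_if tagged VPN_DB    keep state queue (q_db, q_ack)
pass in on $int_if tagged VPN       keep state queue (q_bulk, q_ack)

# The encapsulated packets themselves, as in the original post.  This rule
# sets no queue of its own, so the queue chosen above is what ALTQ on
# $ext_if should see once gif and IPsec have wrapped the packet.
pass out quick on $ext_if proto { ipencap, esp } all keep state
```

Load it with pfctl -f /etc/pf.conf and watch pfctl -v -s queue while a database query and a web fetch run through the tunnel. The packet counters moving on q_db and q_web rather than q_bulk is the check that the queue recorded on $int_if actually survived gif encapsulation and ESP on the FreeBSD version in question; if everything lands in q_bulk, the tag-and-queue approach is not carrying through on that box and the question in the original post stands.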
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Mon May 1 11:02:49 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7075C16A413 for ; Mon, 1 May 2006 11:02:49 +0000 (UTC) (envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id D7BDC43D6A for ; Mon, 1 May 2006 11:02:48 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k41B2mf4009096 for ; Mon, 1 May 2006 11:02:48 GMT (envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k41B2koP009071 for freebsd-pf@freebsd.org; Mon, 1 May 2006 11:02:46 GMT (envelope-from owner-bugmaster@freebsd.org)
Date: Mon, 1 May 2006 11:02:46 GMT
Message-Id: <200605011102.k41B2koP009071@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Cc:
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 01 May 2006 11:02:49 -0000

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker       Resp. Description
-------------------------------------------------------------------------------
o [2005/06/15] kern/82271    pf    [pf] cbq scheduler cause bad latency
f [2005/07/31] kern/84370    pf    [modules] Unload pf.ko cause page fault
f [2005/09/13] kern/86072    pf    [pf] Packet Filter rule not working prope
o [2006/02/07] kern/92949    pf    [pf] PF + ALTQ problems with latency
o [2006/02/18] sparc64/93530 pf    Incorrect checksums when using pf's route
o [2006/02/25] kern/93829    pf    [carp] pfsync state time problem with CAR

6 problems total.

Non-critical problems

S Submitted    Tracker       Resp. Description
-------------------------------------------------------------------------------
o [2005/05/15] conf/81042    pf    [pf] [patch] /etc/pf.os doesn't match Fre
o [2006/02/25] kern/93825    pf    [pf] pf reply-to doesn't work
o [2006/04/21] bin/96150     pf    pfctl(8) -k non-functional

3 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon May 1 19:01:26 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A206816A400 for ; Mon, 1 May 2006 19:01:26 +0000 (UTC) (envelope-from dimas@dataart.com)
Received: from relay1.dataart.com (fobos.marketsite.ru [62.152.84.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2F2FA43D46 for ; Mon, 1 May 2006 19:01:26 +0000 (GMT) (envelope-from dimas@dataart.com)
Received: from e1.universe.dart.spb ([192.168.10.44]) by relay1.dataart.com with esmtp (Exim 4.22) id 1Fade8-0003TN-ME for freebsd-pf@freebsd.org; Mon, 01 May 2006 23:01:24 +0400
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Mon, 1 May 2006 23:00:01 +0400
Message-ID:
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: should tcpdump see blocked packets?
thread-index: AcZtUaUHSTGUZ1ngSLGqm2DCD2IgMg==
From: "Dmitry Andrianov"
To:
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: should tcpdump see blocked packets?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 01 May 2006 19:01:26 -0000

Hello all.

I was under the impression that tcpdump on any interface should NOT see incoming packets which are blocked by pf rules - these packets should only appear on the pflog0 interface (and only if logged explicitly by a "block log"/"pass log" rule).

But right now I see that tcpdump -pni em0 (where em0 is my DMZ interface) actually sees packets which should not be there (because they are blocked)! Interestingly enough, these packets are also visible with tcpdump -pni pflog0. Since I do not have a single "pass + log" rule in my ruleset, only the "block + log" ones, the only explanation I see is that tcpdump sees packets on em0 before they are processed by pf. This worries me because for other interfaces tcpdump does not see blocked traffic. I wonder why this happens.
Regards,
Dmitry Andrianov

From owner-freebsd-pf@FreeBSD.ORG Mon May 1 19:07:29 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F276F16A412 for ; Mon, 1 May 2006 19:07:29 +0000 (UTC) (envelope-from vladgalu@gmail.com)
Received: from pproxy.gmail.com (pproxy.gmail.com [64.233.166.177]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8526443D5C for ; Mon, 1 May 2006 19:07:23 +0000 (GMT) (envelope-from vladgalu@gmail.com)
Received: by pproxy.gmail.com with SMTP id t32so2867422pyc for ; Mon, 01 May 2006 12:07:23 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=uTkUbyAIvvRJHX9f12BqeNes35YirW2cgKgnHHEiSoRY585WuXDrpoRjorci33YACCySErwR5l+/ci+cDh/eTKdWAYs37l11ppDeERiNu5oeBYx5s60OqHU3kTbMaB521roBWKYZCxFjCpuaG8ejOP/etnkjRMhLIUAy1VY54dc=
Received: by 10.35.22.17 with SMTP id z17mr3176813pyi; Mon, 01 May 2006 12:07:23 -0700 (PDT)
Received: by 10.35.38.9 with HTTP; Mon, 1 May 2006 12:07:23 -0700 (PDT)
Message-ID: <79722fad0605011207j5e51cf17sc47fccd24e30508d@mail.gmail.com>
Date: Mon, 1 May 2006 22:07:23 +0300
From: "Vlad GALU"
To: freebsd-pf@freebsd.org
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
References:
Subject: Re: should tcpdump see blocked packets?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 01 May 2006 19:07:30 -0000

On 5/1/06, Dmitry Andrianov wrote:
> Hello all.
>
> I was under the impression that tcpdump on any interface should NOT see
> incoming packets which are blocked by pf rules - these packets should
> only appear on the pflog0 interface (and only if logged explicitly by a "block
> log"/"pass log" rule).
>
> But right now I see that tcpdump -pni em0 (where em0 is my DMZ
> interface) actually sees packets which should not be there (because they
> are blocked)! Interestingly enough, these packets are also visible with
> tcpdump -pni pflog0. Since I do not have a single "pass + log" rule in
> my ruleset, only the "block + log" ones, the only explanation I see is
> that tcpdump sees packets on em0 before they are processed by pf. This
> worries me because for other interfaces tcpdump does not see blocked
> traffic. I wonder why this happens.
>

Because of the bpf hooks in each driver. This is the expected behaviour.

> Regards,
> Dmitry Andrianov
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

--
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.
From owner-freebsd-pf@FreeBSD.ORG Wed May 3 05:35:19 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6B41C16A402 for ; Wed, 3 May 2006 05:35:19 +0000 (UTC) (envelope-from httpd@vds003.din.or.jp)
Received: from vds003.din.or.jp (vds003.din.or.jp [210.135.89.102]) by mx1.FreeBSD.org (Postfix) with ESMTP id 86F4843D53 for ; Wed, 3 May 2006 05:35:16 +0000 (GMT) (envelope-from httpd@vds003.din.or.jp)
Received: (from httpd@localhost) by vds003.din.or.jp (8.10.2/8.10.2) id k435ZC812946; Wed, 3 May 2006 14:35:12 +0900
Date: Wed, 3 May 2006 14:35:12 +0900
Message-Id: <200605030535.k435ZC812946@vds003.din.or.jp>
To: freebsd-pf@freebsd.org
From: Bank of America
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
Content-Type: text/plain
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: Bank of America Alert: Update your account information
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: onlinebanking@alert.bankofamerica.com
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 03 May 2006 05:35:19 -0000

Security Update Notification

Dear Valued Customer:

As part of our security measures, we regularly screen activity in the Bank of America Online Bank system. We recently contacted you after noticing an issue on your account. We requested information from you for the following reason:

Our system requires further account verification

To restore your account, please [1]click here.

Your account might be placed on restricted status. Restricted accounts continue to receive payments, but they are limited in their ability to send or withdraw funds. To lift this restriction, you need to log in to your account (with your username or SSN and your password), then you have to complete our verification process. You must confirm your credit card details and your billing information as well. All restricted accounts have their billing information unconfirmed, meaning that you may no longer send money from your account until you have reactivated your billing information on file.

[2]Sign in to Online Banking

Thank You.

_________________________________________________________________

Because your reply will not be transmitted via secure e-mail, the e-mail address that generated this alert will not accept replies. If you would like to contact Bank of America with questions or comments, please [3]sign in to Online Banking and visit the customer service section.

Bank of America, N.A. Member FDIC. Equal Housing Lender
©2005 Bank of America Corporation. All rights reserved.
[4]Bank of America Higher Standards
[5][foot_olympic.gif]

References

1. http://pristavkin.ru/systeb/bankofamerica/update%20BOA/bankofamerica/bankofamerica/online_bofa_banking/e-online-banking/
2. http://pristavkin.ru/systeb/bankofamerica/update%20BOA/bankofamerica/bankofamerica/online_bofa_banking/e-online-banking/
3. http://pristavkin.ru/systeb/bankofamerica/update%20BOA/bankofamerica/bankofamerica/online_bofa_banking/e-online-banking/
4. http://www.bankofamerica.com/
5. file://localhost/tmp/Drag%20to%20a%20file%20to%20make%20a%20link.
From owner-freebsd-pf@FreeBSD.ORG Thu May 4 03:40:04 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3242016A402 for ; Thu, 4 May 2006 03:40:04 +0000 (UTC) (envelope-from magalhj@yahoo.com.br)
Received: from web31609.mail.mud.yahoo.com (web31609.mail.mud.yahoo.com [68.142.198.155]) by mx1.FreeBSD.org (Postfix) with SMTP id B68DC43D45 for ; Thu, 4 May 2006 03:40:03 +0000 (GMT) (envelope-from magalhj@yahoo.com.br)
Received: (qmail 20592 invoked by uid 60001); 4 May 2006 03:40:02 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com.br; h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=VxijiYJRntK0lVTo7UHRul4EvVgWOnAjFZiB4pPvp9RmaKPw8MwnbOvbTFAjo6jzb3HxlAc/9Qdvjj1BzpRj2YGFguLHDpTvyRMrvdXANhIqyCPrRlU6cbdMvyTUcL84+TNUs6o6u7p09QUzC8r/nUe/jzoTpfSPbREnqZBx1Zs= ;
Message-ID: <20060504034002.20589.qmail@web31609.mail.mud.yahoo.com>
Received: from [201.19.191.242] by web31609.mail.mud.yahoo.com via HTTP; Thu, 04 May 2006 00:40:02 ART
Date: Thu, 4 May 2006 00:40:02 -0300 (ART)
From: Aguiar Magalhaes
To: freebsd-pf@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Subject: Something is wrong
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 04 May 2006 03:40:04 -0000

List,

I have a lot of Windows Internet Explorer browsers in the LAN and they are marked to use the proxy at 3128 port. The pf and squid are in the same machine. I'm not using transparent proxy on pf. I don't have any redirections to proxy.

Some applications in intranet pages use ports like 19336 or 8081 and they don't support the proxy. I need to tell pf not to send the packets to the proxy if the users are accessing those application pages, but I'm not having success.

My firewall has only two NICs: $int_if and $ext_if

Could you help me? Thanks, Aguiar

The rules are:

- - - - - - - -
internal_net = "172.16.0.0/12"
fw_ip_int = "172.16.0.9"
fw_ip_ext = "200.x.x.x"
lan_to_int = "{ 25 123 ... etc }

set optimization aggressive
scrub in all
nat on $ext_if from $internal_net to any -> $fw_ip_ext
rdr on $int_if proto tcp from $internal_net to any port 21 -> 127.0.0.1 port 8081
pass quick on lo0 all
antispoof for $ext_if inet

block log all
pass in on $int_if inet proto tcp from $internal_net to 127.0.0.1 port 8081 keep state
pass in on $int_if inet proto tcp from $internal_net to { $fw_ip_int $fw_ip_ext } port 3128 keep state
pass in on $int_if inet proto udp from $internal_net to any port 53 keep state
pass in on $int_if inet proto tcp from $internal_net to any port $lan_to_int keep state

# Access permitted out of the proxy (this is not ok...)
pass inet proto tcp from { 172.16.1.16 172.16.1.165 172.16.1.203 } to 201.x.x.x port { 80 3128 8081 } keep state

pass out from $fw_ip_ext to any keep state
- - - - - - - - - - - -

_______________________________________________________
New Yahoo! Messenger with voice: install now and make free calls.
http://br.messenger.yahoo.com/

From owner-freebsd-pf@FreeBSD.ORG Thu May 4 05:33:13 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 43A1D16A400 for ; Thu, 4 May 2006 05:33:13 +0000 (UTC) (envelope-from max@love2party.net)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.188]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8A93343D49 for ; Thu, 4 May 2006 05:33:10 +0000 (GMT) (envelope-from max@love2party.net)
Received: from [88.64.177.15] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu0) with ESMTP (Nemesis), id 0MKwh2-1FbWSb15zP-0003rC; Thu, 04 May 2006 07:33:09 +0200
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Thu, 4 May 2006 07:32:59 +0200
User-Agent: KMail/1.9.1
References: <20060504034002.20589.qmail@web31609.mail.mud.yahoo.com>
In-Reply-To: <20060504034002.20589.qmail@web31609.mail.mud.yahoo.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart1636130.clto1tu9Ea"; protocol="application/pgp-signature"; micalg=pgp-sha1
Content-Transfer-Encoding: 7bit
Message-Id: <200605040733.06283.max@love2party.net>
X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056
Cc:
Subject: Re: Something is wrong
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 04 May 2006 05:33:13 -0000

--nextPart1636130.clto1tu9Ea
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On Thursday 04 May 2006 05:40, Aguiar Magalhaes wrote:
> I have a lot of Windows Internet Explorer browsers in the
> LAN and they are marked to use the proxy at 3128 port.
>
> The pf and squid are in the same machine. I'm not
> using transparent proxy on pf. I don't have any
> redirections to proxy.

and there is your problem. If your client is configured to use the proxy it will just do that. That means it won't even attempt to make a direct connection to any server. IIRC you can configure IE to exclude certain IP ranges or domains from being proxied. That would be one way to go. Another one is to fix the configuration of your proxy. The last one is to use transparent proxying, in which case you can use pf to decide whether or not the proxy should be used.

> Some applications in intranet pages use ports like
> 19336 or 8081 and they don't support the proxy.
>
> I need to tell pf not to send the packets to the
> proxy if the users are accessing those application
> pages, but I'm not having success.
>
> My firewall has only two NICs: $int_if and $ext_if
>
> Could you help me? Thanks, Aguiar
>
> The rules are:
>
> - - - - - - - -
> internal_net = "172.16.0.0/12"
> fw_ip_int = "172.16.0.9"
> fw_ip_ext = "200.x.x.x"
> lan_to_int = "{ 25 123 ... etc }
>
> set optimization aggressive
> scrub in all
> nat on $ext_if from $internal_net to any -> $fw_ip_ext
> rdr on $int_if proto tcp from $internal_net to any
> port 21 -> 127.0.0.1 port 8081
> pass quick on lo0 all
> antispoof for $ext_if inet
>
> block log all
> pass in on $int_if inet proto tcp from $internal_net
> to 127.0.0.1 port 8081 keep state
> pass in on $int_if inet proto tcp from $internal_net
> to { $fw_ip_int $fw_ip_ext } port 3128 keep state
> pass in on $int_if inet proto udp from $internal_net
> to any port 53 keep state
> pass in on $int_if inet proto tcp from $internal_net
> to any port $lan_to_int keep state
>
> # Access permitted out of the proxy (this is not ok...)
> pass inet proto tcp from { 172.16.1.16 172.16.1.165 > 172.16.1.203 } to 201.x.x.x port { 80 3128 8081 } keep > state > > pass out from $fw_ip_ext to any keep state > - - - - - - - - - - - - > > > > _______________________________________________________ > Novo Yahoo! Messenger com voz: Instale agora e fa=E7a liga=E7=F5es de gra= =E7a. > http://br.messenger.yahoo.com/ > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" =2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart1636130.clto1tu9Ea Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (FreeBSD) iD8DBQBEWZISXyyEoT62BG0RAiPFAJ91cfGqZnjnZiq+hZrOzXiUE+To0ACfXXIc Ee/akmSe2v+BWPeIb0zwS58= =4TPa -----END PGP SIGNATURE----- --nextPart1636130.clto1tu9Ea-- From owner-freebsd-pf@FreeBSD.ORG Thu May 4 05:33:17 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9445F16A403 for ; Thu, 4 May 2006 05:33:17 +0000 (UTC) (envelope-from huzeyfe.onal@gmail.com) Received: from nz-out-0102.google.com (nz-out-0102.google.com [64.233.162.201]) by mx1.FreeBSD.org (Postfix) with ESMTP id ECE8043D48 for ; Thu, 4 May 2006 05:33:16 +0000 (GMT) (envelope-from huzeyfe.onal@gmail.com) Received: by nz-out-0102.google.com with SMTP id l1so359443nzf for ; Wed, 03 May 2006 22:33:16 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; 
From: Huzeyfe Onal
To: Aguiar Magalhaes
Cc: freebsd-pf@freebsd.org
Date: Thu, 4 May 2006 08:33:16 +0300
Subject: Re: Something is wrong

Hi, does lan_to_int include port 19336 or 8081?

On 5/4/06, Aguiar Magalhaes wrote:
> List,
>
> I have a lot of Windows Internet Explorer browsers in the
> LAN and they are marked to use the proxy at 3128 port.
>
> The pf and squid are in the same machine. I'm not
> using transparent proxy on pf. I don't have any
> redirections to proxy.
>
> Some applications in intranet pages use ports like
> 19336 or 8081 and they don't support the proxy.
>
> I need to tell pf not to send the packets to the
> proxy when the users are accessing those application
> pages, but I'm not having success..
>
> My firewall has only two NICs: $int_if and $ext_if
>
> Could you help me ? Thanks, Aguiar
>
> The rules are:
>
> - - - - - - - -
> internal_net = "172.16.0.0/12"
> fw_ip_int = "172.16.0.9"
> fw_ip_ext = "200.x.x.x"
> lan_to_int = "{ 25 123 ... etc }
>
> set optimization aggressive
> scrub in all
> nat on $ext_if from $internal_net to any -> $fw_ip_ext
> rdr on $int_if proto tcp from $internal_net to any port 21 -> 127.0.0.1 port 8081
> pass quick on lo0 all
> antispoof for $ext_if inet
>
> block log all
> pass in on $int_if inet proto tcp from $internal_net to 127.0.0.1 port 8081 keep state
> pass in on $int_if inet proto tcp from $internal_net to { $fw_ip_int $fw_ip_ext } port 3128 keep state
> pass in on $int_if inet proto udp from $internal_net to any port 53 keep state
> pass in on $int_if inet proto tcp from $internal_net to any port $lan_to_int keep state
>
> # Access permitted out of the proxy (not is ok...)
> pass inet proto tcp from { 172.16.1.16 172.16.1.165 172.16.1.203 } to 201.x.x.x port { 80 3128 8081 } keep state
>
> pass out from $fw_ip_ext to any keep state
> - - - - - - - - - - - -

-- 
Huzeyfe ÖNAL
---
First Turkish Qmail book is out! Go check it.
Have you heard? Turkey's first Qmail book is out.
http://www.acikakademi.com/catalog/qmail/

From: Travis H.
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Thu, 4 May 2006 01:31:07 -0500
Subject: Re: Something is wrong

On 5/4/06, Max Laier wrote:
> On Thursday 04 May 2006 05:40, Aguiar Magalhaes wrote:
> > I have a lot of Windows Internet Explorer browsers in the
> > LAN and they are marked to use the proxy at 3128 port.
> >
> > The pf and squid are in the same machine. I'm not
> > using transparent proxy on pf. I don't have any
> > redirections to proxy.
>
> and there is your problem. If your client is configured to use the proxy it
> will just do that. That means it won't even attempt to make a direct
> connection to any server. IIRC you can configure ie to exclude certain IP
> ranges or domains from being proxied.

Yes, you can exclude domains. You might even be able to do so via a group
policy, and push it out to all the clients at once, or something. I don't
know, it's not a pf problem.

> Another
> one is to fix the configuration of your proxy.

Specifically, you need to look at the part of your squid.conf where it
defines "safe_ports", and configure it to allow requests to all ports, not
just the "safe" ones. This is not a pf problem either.

Along the way you'll notice that there are three kinds of requests made to
HTTP proxies (not including WebDAV). There's GET and POST, which have the
proxy do HTTP, and a CONNECT request, which just does a raw TCP connection
to the target. You may need to use that for some of these ports.

Good luck.
-- 
"Curiosity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

From: Greg Hennessy
To: Aguiar Magalhaes
Date: Thu, 4 May 2006 08:22:58 +0100
Subject: RE: Something is wrong

> Some applications in intranet pages use ports like
> 19336 or 8081 and they don't support the proxy.
>
> I need to tell pf

This is not a pf issue, apart from: get rid of

    set optimization aggressive

The defaults are more than adequate.

Add

    set block-policy return

so applications can tell you if the packet filter is getting in their way.

And, assuming you're running 6 or later, get rid of

    pass quick on lo0

and replace it with

    set skip on lo0

You need to configure either a local exclusion list through group policy
and/or create a proxy.pac file for each client and use it.

If the proxy server has a routed connection to the intranet, it shouldn't
matter what the destination port for the http server is.

Given you run a default policy of block, you do not appear to have a pass
out rule on the inside interface permitting squid to connect to the intranet
servers.

Greg

From: Dmitry Andrianov
To: Dmitry Andrianov
Date: Thu, 4 May 2006 20:03:55 +0400
Subject: RE: IPSEC tunnel problem
Ok guys, finally, the problem appears to be PF's problem, not an IPSEC one.
We managed to build a test lab and reproduce the failures.

At the moment we have:

    +--------------------+
    |                    |
    |  terminal server   |  Windows box
    |  10.2.0.2          |
    +--------------------+
              |
              |
    +--------------------+
    | fxp1 10.2.0.1      |
    | gif0               |  FreeBSD 6.0   <--- THIS BOX HAS PROBLEMS
    | fxp0 10.1.0.2      |
    +--------------------+
              |  ipsec goes here
              |
    +--------------------+
    | fxp1 10.1.0.1      |
    | gif0               |  FreeBSD 6.0
    | fxp0 192.168.10.71 |
    +--------------------+
              |
              |
    +--------------------+
    | 192.168.10.100     |
    | Remote desktop     |  Windows box
    | client             |
    +--------------------+

Everything below applies to the FreeBSD box marked as "THIS BOX HAS
PROBLEMS" in the "picture" above.

    gif0: flags=8051 mtu 1280
            tunnel inet 10.1.0.2 --> 10.1.0.1
            inet6 fe80::203:47ff:fe08:3fa6%gif0 prefixlen 64 scopeid 0x5
            inet 10.2.0.1 --> 192.168.10.71 netmask 0xffffff00

When the client connects to the Remote Desktop server everything works for
some time and then hangs. On fxp1 of the box I see:

    ...
    19:52:53.658958 IP 10.2.0.2.3389 > 192.168.10.100.1919: . 62480:63446(966) ack 27922 win 64808
    19:52:53.659790 IP 10.2.0.2.3389 > 192.168.10.100.1919: P 63446:64115(669) ack 27922 win 64808
    19:52:53.661247 IP 192.168.10.100.1919 > 10.2.0.2.3389: . ack 64115 win 65535
    19:52:53.768253 IP 10.2.0.2.3389 > 192.168.10.100.1919: . 64115:65081(966) ack 27922 win 64808
    19:52:53.769090 IP 10.2.0.2.3389 > 192.168.10.100.1919: P 65081:65936(855) ack 27922 win 64808
    19:52:53.769094 IP 10.2.0.2.3389 > 192.168.10.100.1919: . 65936:66902(966) ack 27922 win 64808
    19:52:53.769097 IP 10.2.0.2.3389 > 192.168.10.100.1919: P 66902:67534(632) ack 27922 win 64808
    19:52:53.769100 IP 10.2.0.2.3389 > 192.168.10.100.1919: . 67534:68500(966) ack 27922 win 64808
    19:52:53.769103 IP 10.2.0.2.3389 > 192.168.10.100.1919: P 68500:68793(293) ack 27922 win 64808
    19:52:53.771737 IP 10.2.0.1 > 10.2.0.2: ICMP host 192.168.10.100 unreachable, length 36
    19:52:53.772730 IP 10.2.0.1 > 10.2.0.2: ICMP host 192.168.10.100 unreachable, length 36
    19:52:53.773724 IP 10.2.0.1 > 10.2.0.2: ICMP host 192.168.10.100 unreachable, length 36

Note that at some moment the box starts rejecting packets, replying with ICMP
host unreachable. Below is the output of pfctl -s info after the test. (Just
before the test started all the stats were reset):

    Status: Enabled for 0 days 00:06:00           Debug: Misc

    Hostid: 0x1000314c

    State Table                          Total             Rate
      current entries                        3
      searches                            1387            3.9/s
      inserts                                3            0.0/s
      removals                               0            0.0/s
    Counters
      match                                  3            0.0/s
      bad-offset                             0            0.0/s
      fragment                               0            0.0/s
      short                                  0            0.0/s
      normalize                              0            0.0/s
      memory                                 0            0.0/s
      bad-timestamp                          0            0.0/s
      congestion                             0            0.0/s
      ip-option                              0            0.0/s
      proto-cksum                            0            0.0/s
      state-mismatch                        13            0.0/s
      state-insert                           0            0.0/s
      state-limit                            0            0.0/s
      src-limit                              0            0.0/s
      synproxy                               0            0.0/s

Note the state-mismatch counter. I have turned on debug for pf (pfctl -x misc)
and grabbed its output during that test. It outputs a lot of
"kernel: pf: loose state match: TCP 10.2.0.2:3389 10.2.0.2:3389" which I
assume are normal.

But then the following appears:

    May 4 19:52:53 vrn1 kernel: pf: BAD state: TCP 10.2.0.2:3389 10.2.0.2:3389 192.168.10.100:1919 [lo=4162748520 high=4162681620 win=65535 modulator=0] [lo=0 high=65535 win=1 modulator=0] 2:0 PA seq=4162748520 ack=0 len=632 ackskew=0 pkts=245:0 dir=out,fwd
    May 4 19:52:53 vrn1 kernel: pf: State failure on: 1 | 5
    May 4 19:52:53 vrn1 kernel: pf: BAD state: TCP 10.2.0.2:3389 10.2.0.2:3389 192.168.10.100:1919 [lo=4162748520 high=4162681620 win=65535 modulator=0] [lo=0 high=65535 win=1 modulator=0] 2:0 A seq=4162749152 ack=0 len=966 ackskew=0 pkts=245:0 dir=out,fwd
    May 4 19:52:53 vrn1 kernel: pf: State failure on: 1 | 5
    May 4 19:52:53 vrn1 kernel: pf: BAD state: TCP 10.2.0.2:3389 10.2.0.2:3389 192.168.10.100:1919 [lo=4162748520 high=4162681620 win=65535 modulator=0] [lo=0 high=65535 win=1 modulator=0] 2:0 PA seq=4162750118 ack=0 len=293 ackskew=0 pkts=245:0 dir=out,fwd
    May 4 19:52:53 vrn1 kernel: pf: State failure on: 1 | 5

I have no idea what this means....

    # pfctl -s rules
    No ALTQ support in kernel
    ALTQ related functions disabled
    pass in all keep state
    pass out all keep state

If I use "pass in/out all" rules WITHOUT a "keep state" - everything works
fine.

I have tcpdump from all four interfaces (fxp0, fxp1, gif0, pflog0) as well as
full console output. I can send it to any party interested. Also, for some
time this lab will be available for any other tests.

Regards,
Dmitry Andrianov

________________________________
From: Dmitry Andrianov
Sent: Friday, April 28, 2006 5:38 PM
To: freebsd-pf@freebsd.org
Subject: IPSEC tunnel problem

Hello. First of all I apologize if freebsd-pf is not the right place to ask
my question. I will explain below why it is actually asked here. But if
anyone knows a better place, let me know.
[stripped]

From: Daniel Hartmeier
To: Dmitry Andrianov
Cc: freebsd-pf@freebsd.org
Date: Thu, 4 May 2006 18:39:57 +0200
Subject: Re: IPSEC tunnel problem

On Thu, May 04, 2006 at 08:03:55PM +0400, Dmitry Andrianov wrote:

> May 4 19:52:53 vrn1 kernel: pf: BAD state: TCP 10.2.0.2:3389
> 10.2.0.2:3389 192.168.10.100:1919 [lo=4162748520 high=4162681620
> win=65535 modulator=0] [lo=0 high=65535 win=1 modulator=0] 2:0 PA
> seq=4162748520 ack=0 len=632 ackskew=0 pkts=245:0 dir=out,fwd

The 'dir=out,fwd' part means that the state was created from a packet going
out on the interface (gif0, I assume), and that the packet being blocked
here was in the same direction.

The 'pkts=245:0' part means that the state entry has so far matched 245
packets flowing in the same direction (out), but 0 in the reverse direction
(in).

And that's the problem, pf is not associating replies with the state entry.
Because of that, the state entry does not advance its sequence number window
(advertised in the replies), and eventually stalls the connection.

This is probably related to the gif interface. I haven't tried it on FreeBSD,
but for stateful filtering, it would be important that pf sees packets in
both directions on that interface (i.e. SYN outgoing, SYN+ACK incoming, etc.)

You can test what packets pf sees in what direction on an interface by
replacing the ruleset with a single rule like

    pass log all

and observing pflog0 (with tcpdump, for instance) while establishing a
connection. If only packets of one direction are seen (or both outgoing and
incoming packets are seen as having the same direction), there might be a
problem with pfil hooks in gif.

Daniel
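The test Daniel proposes, done mechanically: the block below is an added example written by the editor (not code from the thread, from pf or from tcpdump) that tallies, per interface and per flow, how many packets pflog0 showed in each direction, and names the interfaces on which a flow was only ever seen one way. The two sample captures are the handshake dumps Dmitry posts later in this thread, taken without and with IPSEC_FILTERGIF; the kernel line is the one Daniel quotes above. A second helper reads the pkts=N:M counters and the dir= field out of a "pf: BAD state" line the way Daniel does by eye.

```javascript
// Added example (editor's code, not from the thread or from pf): find the
// interfaces on which pf saw a flow in one direction only, from the text
// tcpdump prints for pflog0 under a "pass log all" ruleset.

// Sample 1: the handshake as Dmitry captured it without IPSEC_FILTERGIF.
const PFLOG_NO_FILTERGIF = [
  "01:27:55.888031 rule 0/0(match): pass out on fxp1: 192.168.10.176.3809 > 10.2.0.2.3389: S 220200183:220200183(0) win 32768",
  "01:27:55.888177 rule 0/0(match): pass in on fxp1: 10.2.0.2.3389 > 192.168.10.176.3809: S 1690303870:1690303870(0) ack 220200184 win 65535",
  "01:27:55.888186 rule 0/0(match): pass out on gif0: 10.2.0.2.3389 > 192.168.10.176.3809: S 1690303870:1690303870(0) ack 220200184 win 65535",
  "01:27:55.888884 rule 0/0(match): pass out on fxp1: 192.168.10.176.3809 > 10.2.0.2.3389: . ack 1 win 33580"
].join("\n");

// Sample 2: the same handshake with IPSEC_FILTERGIF (Dmitry's second dump).
const PFLOG_FILTERGIF = [
  "15:22:53.192253 rule 0/0(match): pass in on fxp0: 10.1.0.1 > 10.1.0.2: ESP(spi=0x00002708,seq=0x9b05), length 104",
  "15:22:53.192267 rule 0/0(match): pass in on fxp0: 10.1.0.1 > 10.1.0.2: 192.168.10.176.2169 > 10.2.0.2.3389: S 327999972:327999972(0) win 32768 (ipip-proto-4)",
  "15:22:53.192276 rule 0/0(match): pass in on gif0: 192.168.10.176.2169 > 10.2.0.2.3389: S 327999972:327999972(0) win 32768",
  "15:22:53.192286 rule 0/0(match): pass out on fxp1: 192.168.10.176.2169 > 10.2.0.2.3389: S 327999972:327999972(0) win 32768",
  "15:22:53.192436 rule 0/0(match): pass in on fxp1: 10.2.0.2.3389 > 192.168.10.176.2169: S 1559792967:1559792967(0) ack 327999973 win 65535",
  "15:22:53.192445 rule 0/0(match): pass out on gif0: 10.2.0.2.3389 > 192.168.10.176.2169: S 1559792967:1559792967(0) ack 327999973 win 65535",
  "15:22:53.192460 rule 0/0(match): pass out on fxp0: 10.1.0.2 > 10.1.0.1: ESP(spi=0x00002707,seq=0x18a4), length 104",
  "15:22:53.193098 rule 0/0(match): pass in on fxp0: 10.1.0.1 > 10.1.0.2: ESP(spi=0x00002708,seq=0x9b06), length 96",
  "15:22:53.193108 rule 0/0(match): pass in on fxp0: 10.1.0.1 > 10.1.0.2: 192.168.10.176.2169 > 10.2.0.2.3389: . ack 1 win 33580 (ipip-proto-4)",
  "15:22:53.193116 rule 0/0(match): pass in on gif0: 192.168.10.176.2169 > 10.2.0.2.3389: . ack 1 win 33580",
  "15:22:53.193123 rule 0/0(match): pass out on fxp1: 192.168.10.176.2169 > 10.2.0.2.3389: . ack 1 win 33580"
].join("\n");

// The kernel debug line Daniel quotes above.
const BAD_STATE_LINE =
  "May 4 19:52:53 vrn1 kernel: pf: BAD state: TCP 10.2.0.2:3389 10.2.0.2:3389 " +
  "192.168.10.100:1919 [lo=4162748520 high=4162681620 win=65535 modulator=0] " +
  "[lo=0 high=65535 win=1 modulator=0] 2:0 PA seq=4162748520 ack=0 len=632 " +
  "ackskew=0 pkts=245:0 dir=out,fwd";

// timestamp, "rule N/M(match):", action, direction, interface, then the
// outermost "src > dst:" pair (for ESP/ipip lines that is the tunnel pair).
const PFLOG_RE = /^\S+ rule \S+: (\w+) (in|out) on (\w+): (\S+) > (\S+):/;

// Direction-agnostic flow key so both halves of a conversation collate.
function flowKey(a, b) {
  return [a, b].sort().join("<->");
}

// Map of "iface|flow" -> { in: n, out: m }.
function directionCounts(pflogText) {
  const counts = new Map();
  for (const line of pflogText.split("\n")) {
    const m = PFLOG_RE.exec(line);
    if (!m) continue;
    const dir = m[2], iface = m[3], key = iface + "|" + flowKey(m[4], m[5]);
    if (!counts.has(key)) counts.set(key, { in: 0, out: 0 });
    counts.get(key)[dir] += 1;
  }
  return counts;
}

// Interfaces on which some flow was seen in one direction only: the
// condition Daniel describes, under which stateful filtering stalls.
function oneWayInterfaces(pflogText) {
  const bad = new Set();
  for (const [key, c] of directionCounts(pflogText)) {
    if (c.in === 0 || c.out === 0) bad.add(key.split("|")[0]);
  }
  return Array.from(bad).sort();
}

// Packet counters and direction of a "pf: BAD state" line.
const BAD_STATE_RE = /pkts=(\d+):(\d+) dir=(\w+),(\w+)/;

function parseBadState(line) {
  const m = BAD_STATE_RE.exec(line);
  if (!m) return null;
  return { pktsFwd: +m[1], pktsRev: +m[2], dir: m[3], side: m[4] };
}

// True when the state matched packets in exactly one direction (e.g. 245:0).
function stateNeverSawReplies(line) {
  const s = parseBadState(line);
  return s !== null && (s.pktsFwd === 0) !== (s.pktsRev === 0);
}
```

On the first capture the result is gif0 alone: fxp1 shows the SYN and ACK going out and the SYN+ACK coming in, while gif0 shows only the outgoing SYN+ACK, which is exactly the one-sided picture Daniel describes. On the second capture every interface shows both directions and the list is empty. Because the regex keys on the outermost address pair, the ESP and ipip entries on fxp0 collapse into a single tunnel-endpoint flow, which is the granularity you want when the question is whether the tunnel interface itself is being filtered both ways.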
From: Gilberto Villani Brito
To: freebsd-pf@freebsd.org
Date: Thu, 4 May 2006 16:12:38 -0300
Subject: ALTQ - CBQ don't borrow.

Hi,
I have these rules in my pf.conf:

    altq on em3 cbq bandwidth 100% queue net_em3
    queue net_em3 bandwidth 1Mb cbq(default) { net1_em3 net2_em3 }
    queue net1_em3 bandwidth 70% priority 7 cbq(borrow)
    queue net2_em3 bandwidth 30% priority 1 cbq(borrow)

    pass in on em3 from 10.0.0.0/24 to any keep state queue net2_em3
    pass in on em3 from 10.0.0.10 to any keep state queue net1_em3

When the IP 10.0.0.10 is not using the network, my traffic for the internal
network (10.0.0.0/24) doesn't pass 30%. The same problem happens for IP
10.0.0.10. What's wrong with my rules??

Gilberto

From: Dmitry Andrianov
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Date: Fri, 5 May 2006 01:42:07 +0400
Subject: RE: IPSEC tunnel problem

Daniel,
Looks like you are right.

Below is a dump from the pflog0 interface of the 3-way handshake to 3389:

    01:27:55.888031 rule 0/0(match): pass out on fxp1: 192.168.10.176.3809 > 10.2.0.2.3389: S 220200183:220200183(0) win 32768
    01:27:55.888177 rule 0/0(match): pass in on fxp1: 10.2.0.2.3389 > 192.168.10.176.3809: S 1690303870:1690303870(0) ack 220200184 win 65535
    01:27:55.888186 rule 0/0(match): pass out on gif0: 10.2.0.2.3389 > 192.168.10.176.3809: S 1690303870:1690303870(0) ack 220200184 win 65535
    01:27:55.888884 rule 0/0(match): pass out on fxp1: 192.168.10.176.3809 > 10.2.0.2.3389: . ack 1 win 33580

Packets coming from the VPN only appear as "out" packets on the LAN ethernet.
While packets coming from the LAN appear as "in" packets on ethernet and
"out" packets on gif.

I assume this is because my kernel was not built with

    # Set IPSEC_FILTERGIF to force packets coming through a gif tunnel
    # to be processed by any configured packet filtering (ipfw, ipf).
    # The default is that packets coming from a tunnel are _not_ processed;
    # they are assumed trusted.
    #
    # IPSEC history is preserved for such packets, and can be filtered
    # using ipfw(8)'s 'ipsec' keyword, when this option is enabled.
    #
    #options IPSEC_FILTERGIF #filter ipsec packets from a tunnel

Well. I knew about this option before, but I thought it made sense only when
I want to filter packets on gif0, which I currently do not. I never realized
the absence of that option may break something else, as happened in my case.
Tomorrow I will rebuild the kernel and re-run my tests.

To me things like that are a subject for the FAQ or, even better, should be
on by default. IMHO.

Regards,
Dmitry Andrianov
Daniel From owner-freebsd-pf@FreeBSD.ORG Fri May 5 12:07:17 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4E11A16A408 for ; Fri, 5 May 2006 12:07:17 +0000 (UTC) (envelope-from dimas@dataart.com) Received: from relay1.dataart.com (fobos.marketsite.ru [62.152.84.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id AE47043D49 for ; Fri, 5 May 2006 12:07:09 +0000 (GMT) (envelope-from dimas@dataart.com) Received: from e1.universe.dart.spb ([192.168.10.44]) by relay1.dataart.com with esmtp (Exim 4.22) id 1Fbz5P-000KZm-KO; Fri, 05 May 2006 16:07:07 +0400 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Date: Fri, 5 May 2006 16:05:40 +0400 Message-ID: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: IPSEC tunnel problem thread-index: AcZvnMHHnY+yeEvlQp681OnHEpDCeQAJV1LgABvjK2A= From: "Dmitry Andrianov" To: "Daniel Hartmeier" Cc: freebsd-pf@freebsd.org Subject: RE: IPSEC tunnel problem X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 May 2006 12:07:18 -0000 Ok, finally, IPSEC_FILTERGIF fixes the problem with stalling connections. Daniel, thanks a lot for your help. However I see at least three issues which needs to be handled somehow: 1. I believe that these days FreeBSD+pf becomes very popular configuration and the fact that system does not work out of the box in this configuration and requires some tricks is not a good sign. My personal opinion is that IPSEC_FILTERGIF just should be on by default. 
Or at least IPSEC section of FreeBSD handbook should say something about it. Making kernel option on by default has advantage because there are many places with IPSEC how-to on Internet and it is not possible to fix all of them. So the question is should I fill doc/* PR or kernel/* PR for that? 2. Why the router replies with ICMP host-unreachable to the TCP packets with wrong state if block policy is set to "drop" and not "return"? 3. Below is the dump of packets how pf sees 3way handshake with IPSEC_FILTERGIF option 15:22:53.192253 rule 0/0(match): pass in on fxp0: 10.1.0.1 > 10.1.0.2: ESP(spi=3D0x00002708,seq=3D0x9b05), length 104 15:22:53.192267 rule 0/0(match): pass in on fxp0: 10.1.0.1 > 10.1.0.2: 192.168.10.176.2169 > 10.2.0.2.3389: S 327999972:327999972(0) win 32768 (ipip-proto-4) 15:22:53.192276 rule 0/0(match): pass in on gif0: 192.168.10.176.2169 > 10.2.0.2.3389: S 327999972:327999972(0) win 32768 15:22:53.192286 rule 0/0(match): pass out on fxp1: 192.168.10.176.2169 > 10.2.0.2.3389: S 327999972:327999972(0) win 32768 15:22:53.192436 rule 0/0(match): pass in on fxp1: 10.2.0.2.3389 > 192.168.10.176.2169: S 1559792967:1559792967(0) ack 327999973 win 65535 15:22:53.192445 rule 0/0(match): pass out on gif0: 10.2.0.2.3389 > 192.168.10.176.2169: S 1559792967:1559792967(0) ack 327999973 win 65535 15:22:53.192460 rule 0/0(match): pass out on fxp0: 10.1.0.2 > 10.1.0.1: ESP(spi=3D0x00002707,seq=3D0x18a4), length 104 15:22:53.193098 rule 0/0(match): pass in on fxp0: 10.1.0.1 > 10.1.0.2: ESP(spi=3D0x00002708,seq=3D0x9b06), length 96 15:22:53.193108 rule 0/0(match): pass in on fxp0: 10.1.0.1 > 10.1.0.2: 192.168.10.176.2169 > 10.2.0.2.3389: . ack 1 win 33580 (ipip-proto-4) 15:22:53.193116 rule 0/0(match): pass in on gif0: 192.168.10.176.2169 > 10.2.0.2.3389: . ack 1 win 33580 15:22:53.193123 rule 0/0(match): pass out on fxp1: 192.168.10.176.2169 > 10.2.0.2.3389: . 
ack 1 win 33580 Clearly, pf sees each packet coming from the tunnel as four (ESP in on WAN interface, ipencap in on WAN interface, in on gif and out packet on LAN interface) while only three packets for data coming from LAN to tunnel. For me this has two disadvantages: * I have to allow ipencap between endpoint in firewall, otherwise decapulated IPSEC packet gets blocked. I do not like this thing because it will also allow someone sending ipencap packets with spoofed source easily. * It is just a bit inconsistent - I would prefer either seeing none of ipencaps (in and out) or seeing them both. I could fill PR about that one too, but I'm not sure what is the best way to propose. Regards, Dmitry Andrianov -----Original Message----- From: Dmitry Andrianov=20 Sent: Friday, May 05, 2006 1:42 AM To: 'Daniel Hartmeier' Cc: freebsd-pf@freebsd.org Subject: RE: IPSEC tunnel problem Daniel, Looks like you are right. Below is dump from pflog0 interface of 3way handshake to 3389: 01:27:55.888031 rule 0/0(match): pass out on fxp1: 192.168.10.176.3809 > 10.2.0.2.3389: S 220200183:220200183(0) win 32768 01:27:55.888177 rule 0/0(match): pass in on fxp1: 10.2.0.2.3389 > 192.168.10.176.3809: S 1690303870:1690303870(0) ack 220200184 win 65535 01:27:55.888186 rule 0/0(match): pass out on gif0: 10.2.0.2.3389 > 192.168.10.176.3809: S 1690303870:1690303870(0) ack 220200184 win 65535 01:27:55.888884 rule 0/0(match): pass out on fxp1: 192.168.10.176.3809 > 10.2.0.2.3389: . ack 1 win 33580 Packets coming from the VPN only appear as "out" packets on LAN ethernet. While packets coming from LAN appear as "in" packets on ethernet and "out" packets on gif. I assume this is because my kernel was not build with=20 # Set IPSEC_FILTERGIF to force packets coming through a gif tunnel # to be processed by any configured packet filtering (ipfw, ipf). # The default is that packets coming from a tunnel are _not_ processed; # they are assumed trusted. 
# # IPSEC history is preserved for such packets, and can be filtered # using ipfw(8)'s 'ipsec' keyword, when this option is enabled. # #options IPSEC_FILTERGIF #filter ipsec packets from a tunnel Well. I knew about this option before but I thought it makes sense only when I want filtering packets on gif0 which I currently do not. I never realized absence of that option may break something else as happened in my case. Tomorrow will rebuild kernel and re-run my tests. To me things like that are subject for FAQ or even better - should be on by default. IMHO. Regards, Dmitry Andrianov =20 -----Original Message----- From: Daniel Hartmeier [mailto:daniel@benzedrine.cx] Sent: Thursday, May 04, 2006 8:40 PM To: Dmitry Andrianov Cc: freebsd-pf@freebsd.org Subject: Re: IPSEC tunnel problem On Thu, May 04, 2006 at 08:03:55PM +0400, Dmitry Andrianov wrote: > May 4 19:52:53 vrn1 kernel: pf: BAD state: TCP 10.2.0.2:3389 > 10.2.0.2:3389 192.168.10.100:1919 [lo=3D4162748520 high=3D4162681620 > win=3D65535 modulator=3D0] [lo=3D0 high=3D65535 win=3D1 modulator=3D0] = 2:0 PA=20 > seq=3D4162748520 ack=3D0 len=3D632 ackskew=3D0 pkts=3D245:0 = dir=3Dout,fwd The 'dir=3Dout,fwd' part means that the state was created from a packet going out on the interface (gif0, I assume), and that the packet being blocked here was in the same direction. The 'pkts=3D245:0' part means that the state entry has so far matched = 245 packets flowing in the same direction (out), but 0 in the reverse direction (in). And that's the problem, pf is not associating replies with the state entry. Because of that, the state entry does not advance its sequence number window (advertised in the replies), and eventually stalls the connection. This is probably related to the gif interface. I haven't tried it on FreeBSD, but for stateful filtering, it would be important that pf sees packets in both directions on that interface (i.e. SYN outgoing, SYN+ACK incoming, etc.) 
You can test what packets pf sees in what direction on an interface by replacing the ruleset with a single rule like pass log all and observing pflog0 (with tcpdump, for instance) while establishing a connection. If only packets of one direction are seen (or both outgoing and incoming packets are seen as having the same direction), there might be a problem with the pfil hooks in gif.

Daniel

From owner-freebsd-pf@FreeBSD.ORG Sat May 6 13:33:50 2006
Message-ID: <20060506133348.99717.qmail@web31608.mail.mud.yahoo.com>
Date: Sat, 6 May 2006 10:33:48 -0300 (ART)
From: Aguiar Magalhaes
To: freebsd-pf@freebsd.org
Subject: Stranger addresses
Hi list,

I've been blocking on the internal interface some strange addresses from our LAN. Here they are:

0.0.0.0.68
172.16.1.125.137
172.16.1.125.138

What are they? How can I stop it?

Thanks,

Aguiar

From owner-freebsd-pf@FreeBSD.ORG Sat May 6 14:12:47 2006
Message-ID: <000001c67117$251f69c0$0a00a8c0@thebeast>
In-Reply-To: <20060506133348.99717.qmail@web31608.mail.mud.yahoo.com>
Date: Sat, 6 May 2006 15:12:44 +0100
From: "Greg Hennessy"
To: "'Aguiar Magalhaes'" ,
Subject: RE: Stranger addresses
> Hi list,
>
> I've blocking on internal interface some stranger addresses
> from our LAN..
>
> Here are they: 0.0.0.0.68

DHCP

> 172.16.1.125.137
> 172.16.1.125.138

If you're not using that subnet, then it's nbt broadcast chatter.

grep /etc/services and google for more.

Greg

From owner-freebsd-pf@FreeBSD.ORG Sat May 6 14:56:52 2006
Message-ID: <20060506145649.70212.qmail@web52906.mail.yahoo.com>
In-Reply-To: <000001c67117$251f69c0$0a00a8c0@thebeast>
Date: Sat, 6 May 2006 07:56:49 -0700 (PDT)
From: Matheus Lamberti
To: freebsd-pf@freebsd.org
Subject: RE: Stranger addresses
Maybe it could be IPv6 traffic. Try disabling IPv6 in your kernel, or add the rule "block all inet6" to your pf rule file.

I hope this helps...

--- Greg Hennessy wrote:

> > Hi list,
> >
> > I've blocking on internal interface some stranger addresses
> > from our LAN..
> >
> > Here are they: 0.0.0.0.68
>
> DHCP
>
> > 172.16.1.125.137
> > 172.16.1.125.138
>
> If you're not using that subnet, then it's nbt broadcast chatter.
>
> grep /etc/services and google for more.
>
> Greg

Matheus Lamberti de Abreu
BSD UserID: 051370 / ICQ UIN: 58854189

"Faced with the vastness of time... and the immensity of the universe, it is an immense pleasure for me to share a planet and an era with you!" (Carl Sagan)
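The direction check Daniel suggests in the IPSEC tunnel thread above (a single "pass log all" rule, then watching pflog0 with tcpdump) produces exactly the kind of lines Dmitry posted. The following Python script is an added example, not code from the thread, from pf or from FreeBSD: it parses such tcpdump lines, tallies packets per interface and direction for each flow, and reports interfaces on which a flow is only ever seen in one direction, which is the condition behind the "pkts=245:0" BAD state message (state created by an outgoing packet, no reply ever matched on the same interface). The sample input is Dmitry's four-line handshake dump copied from the thread; the line format assumed is tcpdump's default pflog output as it appears there, and the regular expression and function names are the example's own.

```python
import re
from collections import defaultdict

# Sample input: the four pflog lines Dmitry posted for one 3-way
# handshake to 10.2.0.2:3389, copied from the thread above.
SAMPLE_PFLOG = """\
01:27:55.888031 rule 0/0(match): pass out on fxp1: 192.168.10.176.3809 > 10.2.0.2.3389: S 220200183:220200183(0) win 32768
01:27:55.888177 rule 0/0(match): pass in on fxp1: 10.2.0.2.3389 > 192.168.10.176.3809: S 1690303870:1690303870(0) ack 220200184 win 65535
01:27:55.888186 rule 0/0(match): pass out on gif0: 10.2.0.2.3389 > 192.168.10.176.3809: S 1690303870:1690303870(0) ack 220200184 win 65535
01:27:55.888884 rule 0/0(match): pass out on fxp1: 192.168.10.176.3809 > 10.2.0.2.3389: . ack 1 win 33580
"""

# Assumed line shape (tcpdump on pflog0, as in the thread):
#   <time> rule <n>/<m>(match): <pass|block> <in|out> on <if>: <src> > <dst>: <rest>
LINE_RE = re.compile(
    r'^\S+ rule \S+: (?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): '
    r'(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$'
)


def parse_pflog(text):
    """Yield (ifname, direction, src, dst) for every line that matches LINE_RE.

    Lines that do not match (e.g. tcpdump's own startup banner) are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group('ifname'), m.group('dir'), m.group('src'), m.group('dst')


def flow_key(src, dst):
    """Canonical key for a flow, independent of which side sent the packet."""
    return tuple(sorted((src, dst)))


def direction_summary(text):
    """Count packets per (interface, flow) split by the direction pf reported.

    Returns {(ifname, flow): {'in': n, 'out': m}}."""
    summary = defaultdict(lambda: {'in': 0, 'out': 0})
    for ifname, direction, src, dst in parse_pflog(text):
        summary[(ifname, flow_key(src, dst))][direction] += 1
    return summary


def one_sided_interfaces(text):
    """Interfaces on which some flow was only ever seen in one direction.

    pf creates a state from the first packet and expects the replies to
    pass the same interface in the opposite direction; an interface that
    shows just one direction for a flow is the symptom Daniel describes
    (pkts=N:0), and a state created there will stall the connection."""
    bad = set()
    for (ifname, _flow), counts in direction_summary(text).items():
        if counts['in'] == 0 or counts['out'] == 0:
            bad.add(ifname)
    return sorted(bad)


if __name__ == "__main__":
    import sys
    # Feed a real capture on stdin (tcpdump -n -e -ttt -i pflog0 > file), or
    # run interactively to see the result on the sample from the thread.
    data = SAMPLE_PFLOG if sys.stdin.isatty() else sys.stdin.read()
    for (ifname, flow), counts in sorted(direction_summary(data).items()):
        print(f"{ifname:6} {flow[0]} <-> {flow[1]}  in={counts['in']} out={counts['out']}")
    for ifname in one_sided_interfaces(data):
        print(f"WARNING: {ifname} sees only one direction; a pf state created there will stall")
```

On the sample the script reports fxp1 with both directions (in=1, out=2) and gif0 with out=1, in=0, and warns about gif0, which matches Daniel's reading of the BAD state line: the state was created by an outgoing packet on gif0 and no reply was ever matched to it there. The same tool run against a capture taken after enabling IPSEC_FILTERGIF should show both directions on gif0.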