From owner-freebsd-pf@FreeBSD.ORG Sun Sep 10 19:03:43 2006
From: Gergely CZUCZY <phoemix@harmless.hu>
Date: Sun, 10 Sep 2006 21:03:38 +0200
To: freebsd-pf@freebsd.org
Message-ID: <20060910190338.GA6666@marvin.harmless.hu>
Subject: ftp-proxy in reverse mode

hello

I've got a bit of trouble with ftp-proxy in reverse mode. It doesn't connect to the service.

The setup is:
external interface: em0 with address 10.1.0.6
The FTP server is running in a jail.
jail interface: lo1, ftp-jail address: 192.168.0.3

I don't have any blocking rules for the incoming connection from em0->lo1 (192.168.0.3) in my firewall.

The ftp-proxy is being run this way from inetd.conf:

ftp stream tcp nowait root /usr/libexec/ftp-proxy -R 192.168.0.3:21 -D 3 -u root -v

I've tried without the :21, without -u root, with -u proxy, and also tried with the arguments "-R -R 192.168.0.3 ftp-proxy"; however, I was unable to find out what /ftp-proxy$/ means at the end of the inetd.conf line, and neither of the manuals helped.

tcpdump on lo1 (the jail if) doesn't report any incoming packets. tcpdump on em0 (the external if) reports the following:

--- chop with axe here ---
20:32:16.033946 IP 10.1.0.1.54394 > 10.1.0.6.21: S 2387744030:2387744030(0) win 65535
20:32:16.034024 IP 10.1.0.6.21 > 10.1.0.1.54394: S 2368841291:2368841291(0) ack 2387744031 win 65535
20:32:16.034189 IP 10.1.0.1.54394 > 10.1.0.6.21: . ack 1 win 33304
20:32:16.036771 IP 10.1.0.6.21 > 10.1.0.1.54394: F 1:1(0) ack 1 win 33304 <nop,nop,timestamp 7498509 44584937>
20:32:16.036944 IP 10.1.0.1.54394 > 10.1.0.6.21: . ack 2 win 33304
20:32:16.037063 IP 10.1.0.1.54394 > 10.1.0.6.21: F 1:1(0) ack 2 win 33304 <nop,nop,timestamp 44584939 7498509>
20:32:16.037091 IP 10.1.0.6.21 > 10.1.0.1.54394: . ack 2 win 33303
--- chop with axe here ---

As you see on the inetd.conf line, I asked ftp-proxy to be verbose, but I don't see any messages in debug.log.

I've tried to ktrace the inetd process and, after it, connect to the service:

--- chop with axe here ---
# ktrace -d -f inetd.tr -p 17261
# kdump -f inetd.tr | less
 17261 inetd    RET   select 1
 17261 inetd    CALL  ioctl(0x6,FIONBIO,0xbfbfd5dc)
 17261 inetd    RET   ioctl 0
 17261 inetd    CALL  accept(0x6,0,0)
 17261 inetd    RET   accept 8
 17261 inetd    CALL  ioctl(0x6,FIONBIO,0xbfbfd5dc)
 17261 inetd    RET   ioctl 0
 17261 inetd    CALL  ioctl(0x8,FIONBIO,0xbfbfd5dc)
 17261 inetd    RET   ioctl 0
 17261 inetd    CALL  sigprocmask(0x1,0xbfbfd560,0xbfbfd550)
 17261 inetd    RET   sigprocmask 0
 17261 inetd    CALL  gettimeofday(0x8064124,0)
 17261 inetd    RET   gettimeofday 0
 17261 inetd    CALL  fork
 17261 inetd    RET   fork 17294/0x438e
 17261 inetd    CALL  sigprocmask(0x3,0xbfbfd560,0xbfbfd550)
 17261 inetd    RET   sigprocmask 0
 17261 inetd    PSIG  SIGCHLD caught handler=0x804a288 mask=0x0 code=0x0
 17261 inetd    CALL  write(0x7,0xbfbfd207,0x1)
 17261 inetd    GIO   fd 7 wrote 1 byte
       "C"
 17261 inetd    RET   write 1
 17261 inetd    CALL  sigreturn(0xbfbfd230)
 17261 inetd    RET   sigreturn JUSTRETURN
 17261 inetd    CALL  close(0x8)
 17261 inetd    RET   close 0
 17261 inetd    CALL  select(0x8,0xbfbfe2d0,0,0,0)
 17261 inetd    RET   select 1
 17261 inetd    CALL  ioctl(0x4,FIONREAD,0xbfbfd5e4)
 17261 inetd    RET   ioctl 0
 17261 inetd    CALL  read(0x4,0xbfbfd5e3,0x1)
 17261 inetd    GIO   fd 4 read 1 byte
       "C"
 17261 inetd    RET   read 1
 17261 inetd    CALL  wait4(0xffffffff,0xbfbfd568,0x1,0)
 17261 inetd    RET   wait4 17294/0x438e
 17261 inetd    CALL  wait4(0xffffffff,0xbfbfd568,0x1,0)
 17261 inetd    RET   wait4 -1 errno 10 No child processes
 17261 inetd    CALL  select(0x8,0xbfbfe2d0,0,0,0)
--- chop with axe here ---

I had asked ktrace to follow the child processes, but as I see it is missing from here.

So, ftp-proxy doesn't forward any connections to the running ftp service. What am I doing wrong here?
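The em0 capture in the mail above shows a completed three-way handshake followed by a FIN from the 10.1.0.6.21 side before a single byte of payload in either direction, and the kdump shows inetd forking a child that is reaped (SIGCHLD, wait4) almost at once: the proxy accepted the client and gave up before ever producing an FTP banner. Two man-page facts are worth keeping next to that picture when reading an inetd-spawned proxy: inetd(8) treats the first word after the program path as argv[0], and ktrace(1) -d attaches to children that already exist while -i is what makes future children inherit the trace flags. The Python below is an added example, not part of the mail or of ftp-proxy: it parses tcpdump lines of the layout shown above, tracks each TCP flow, and tells an "accepted then closed with no data" flow apart from a refused one (RST) or a working one, which is the first thing to check before chasing the proxy's own logging. The sample capture is the one quoted above, re-typed; the regular expression, the flow bookkeeping and the verdict strings are my own.

```python
import re
from collections import OrderedDict

# Constructed sample: the seven packets captured on em0 in the mail above,
# re-typed so the script runs offline.
SAMPLE_CAPTURE = """\
20:32:16.033946 IP 10.1.0.1.54394 > 10.1.0.6.21: S 2387744030:2387744030(0) win 65535
20:32:16.034024 IP 10.1.0.6.21 > 10.1.0.1.54394: S 2368841291:2368841291(0) ack 2387744031 win 65535
20:32:16.034189 IP 10.1.0.1.54394 > 10.1.0.6.21: . ack 1 win 33304
20:32:16.036771 IP 10.1.0.6.21 > 10.1.0.1.54394: F 1:1(0) ack 1 win 33304 <nop,nop,timestamp 7498509 44584937>
20:32:16.036944 IP 10.1.0.1.54394 > 10.1.0.6.21: . ack 2 win 33304
20:32:16.037063 IP 10.1.0.1.54394 > 10.1.0.6.21: F 1:1(0) ack 2 win 33304 <nop,nop,timestamp 44584939 7498509>
20:32:16.037091 IP 10.1.0.6.21 > 10.1.0.1.54394: . ack 2 win 33303
"""

# tcpdump 3.x TCP line layout, as in the capture above:
#   <ts> IP <src>.<sport> > <dst>.<dport>: <flags> [<seq>:<seq>(<payload len>)] [ack N] win W ...
TCP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>[SFRPUEW.]+)"
    r"(?: \d+:\d+\((?P<plen>\d+)\))?(?P<rest>.*)$"
)


def parse_packet(line):
    """One tcpdump TCP line -> dict, or None for lines in another layout."""
    m = TCP_LINE.match(line)
    if m is None:
        return None
    return {
        "ts": m.group("ts"),
        "src": (m.group("src"), int(m.group("sport"))),
        "dst": (m.group("dst"), int(m.group("dport"))),
        "flags": m.group("flags"),
        "plen": int(m.group("plen") or 0),   # no seq range printed -> no payload
        "ack": " ack " in m.group("rest"),   # distinguishes a bare SYN from a SYN-ACK
    }


def track_flows(capture_text):
    """Group packets into flows: who initiated, payload bytes per side, who closed or reset first."""
    flows = OrderedDict()
    for line in capture_text.splitlines():
        pkt = parse_packet(line)
        if pkt is None:
            continue
        key = frozenset((pkt["src"], pkt["dst"]))
        flow = flows.get(key)
        if flow is None:
            # A flow starts at the initiator's bare SYN; packets of flows whose
            # start we never saw are skipped rather than guessed at.
            if "S" not in pkt["flags"] or pkt["ack"]:
                continue
            flow = flows[key] = {
                "client": pkt["src"], "server": pkt["dst"],
                "bytes": {pkt["src"]: 0, pkt["dst"]: 0},
                "closed_by": None, "reset_by": None,
                "first": pkt["ts"], "last": pkt["ts"],
            }
        flow["last"] = pkt["ts"]
        flow["bytes"][pkt["src"]] += pkt["plen"]
        if "F" in pkt["flags"] and flow["closed_by"] is None:
            flow["closed_by"] = pkt["src"]
        if "R" in pkt["flags"] and flow["reset_by"] is None:
            flow["reset_by"] = pkt["src"]
    return list(flows.values())


def diagnose(flow):
    """Verdict strings are this example's own; they name the cases worth telling apart."""
    server = flow["server"]
    if flow["reset_by"] == server and flow["bytes"][server] == 0:
        return "refused: server reset the connection"
    if flow["closed_by"] == server and flow["bytes"][server] == 0:
        return "accepted then closed by server without sending any data"
    if flow["bytes"][server] > 0:
        return "server sent data"
    return "no data exchanged yet"


def report(capture_text):
    """List of (client, server, verdict) for every flow seen from its SYN."""
    return [(f["client"], f["server"], diagnose(f)) for f in track_flows(capture_text)]


if __name__ == "__main__":
    for client, server, verdict in report(SAMPLE_CAPTURE):
        print("%s:%d -> %s:%d: %s" % (client + server + (verdict,)))
```

On a live box the same script reads `tcpdump -n -i em0 port 21` output piped to stdin just as well as the embedded sample; a capture on the internal side (lo1 here) that shows no SYN at all while the external side shows this verdict localises the problem to the proxy process itself rather than to pf.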
Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu
PGP: http://phoemix.harmless.hu/phoemix.pgp

Weenies test. Geniuses solve problems that arise.

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 11 00:32:26 2006
From: Volker <volker@vwsoft.com>
Date: Mon, 11 Sep 2006 02:32:19 +0200
To: freebsd-pf@freebsd.org
Message-ID: <4504AE93.3020203@vwsoft.com>
Subject: altq on ng0 sometimes causing system panic

Hi folks,

two or three weeks ago I've switched from userland ppp to mpd for my internet connection. While using ng0 as the public interface I'm also using altq (cbq) for bw management.

Everything works (haven't yet measured for queue effectiveness) but when issuing a `pfctl -gf mypf.conf' sometimes the system will panic. I need to reload my ruleset as soon as the internet connection has been set up because I've been lazy and am not using anchors, so I'm just reloading my complete ruleset by a link-up script. I've been able to panic the machine just by reloading the ruleset manually several times in a row.

As I currently don't have a serial console setup I'm unable to post any dumps or panic messages. Has anyone else experienced that? I've had queue statements in my pf rules before (even while using ppp and knowing about the problems with altq and tun) and I've never experienced any panics. This is really just since changing from a tun to an ng device.

If no one else has experienced panics like this I'll go and hook up the serial console and try to get a panic again. Current workaround is not to use altq on ng0 so I don't get panics ATM.

Running RELENG_6, almost recently csup'ed.
Greetings,

Volker

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 11 11:08:23 2006
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
Date: Mon, 11 Sep 2006 11:08:20 GMT
To: freebsd-pf@FreeBSD.org
Message-Id: <200609111108.k8BB8KTC063258@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
f kern/86072   pf    [pf] Packet Filter rule not working properly (with SYN
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o sparc/93530  pf    Incorrect checksums when using pf's route-to on sparc6

4 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o conf/81042   pf    [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/94992   pf    [pf] [patch] pfctl complains about ALTQ missing

3 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 11 11:38:13 2006
From: Greg Armer <wiqd@codelounge.org>
Date: Mon, 11 Sep 2006 13:34:58 +0200
To: freebsd-pf@freebsd.org
Message-ID: <20060911113458.GA10659@gentoo>
Subject: Block Skype with PF

Good day list,

I was just wondering if any of you have a running 'recipe' using PF that can block Skype. What I have found out is the following:

- Skype picks a random port to use when it is installed
- It can switch over to port 80 / 443 if a firewall is too restrictive
- It appears UDP ports above 1024 are used as well

So what I was thinking of doing is blocking all outgoing UDP above port 1024, and trying to identify and block the port 80 / 442 traffic with squid and a transparent proxy.

Does anyone have any better solutions to this which do not involve expensive layer 7 inspection hardware?

Many thanks for your comments / ideas.
Regards,

--
Greg Armer

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 11 12:22:33 2006
From: Rudi Kramer <rkramer@mweb.com>
Date: Mon, 11 Sep 2006 14:22:26 +0200
To: freebsd-pf@freebsd.org
Message-ID: <39DC135F7F0571489196E0B6F5D58B4A01B26FE2@MWBEXCH.mweb.com>
In-Reply-To: <39DC135F7F0571489196E0B6F5D58B4A01B26FDF@MWBEXCH.mweb.com>
Subject: RE: Block Skype with PF

Hey Greg,

I found this article which should help a bit.

http://www.net-security.org/dl/articles/Blocking_Skype.pdf#search=%22net%20squid%20skype%20blocking%22

Rudi

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Greg Armer
Sent: 11 September 2006 01:35 PM
To: freebsd-pf@freebsd.org
Subject: Block Skype with PF

Good day list,

I was just wondering if any of you have a running 'recipe' using PF that can block Skype. What I have found out is the following:

- Skype picks a random port to use when it is installed
- It can switch over to port 80 / 443 if a firewall is too restrictive
- It appears UDP ports above 1024 are used as well

So what I was thinking of doing is blocking all outgoing UDP above port 1024, and trying to identify and block the port 80 / 442 traffic with squid and a transparent proxy.

Does anyone have any better solutions to this which do not involve expensive layer 7 inspection hardware?

Many thanks for your comments / ideas.

Regards,

--
Greg Armer

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 13 06:07:14 2006
From: Rudi Kramer <rkramer@mweb.com>
Date: Wed, 13 Sep 2006 08:07:10 +0200
To: freebsd-pf@freebsd.org
Message-ID: <39DC135F7F0571489196E0B6F5D58B4A01B27011@MWBEXCH.mweb.com>
Subject: fwanalog on FreeBSD & PF

Good Morning,

I'm busy trying to set up fwanalog on FreeBSD 6.1 using PF but I receive the following error message:

tcpdump: bad dump file format
C: 846592 rule 0/0(match): block in on fxp0: 196.2.148.19.137 > 196.2.148.63.137: UDP, length 50
C: *
C: 594470 rule 0/0(match): block in on fxp0: 196.2.148.19.137 > 196.2.148.63.137: UDP, length 50
C: *
C: 343338 rule 0/0(match): block in on fxp0: 196.2.148.19.137 > 196.2.148.63.137: UDP, length 50
C: *
C: 558290 rule 0/0(match): block in on fxp0: 196.2.148.12.138 > 196.2.148.63.138: UDP, length 201
C: *
analog: Warning L: Large number of corrupt lines in logfile /root/fwanalog.out/fwanalog.all.log: turn debugging on or try different LOGFORMAT
(For help on all errors and warnings, see docs/errors.html)
Current logfile format:
%S %j %u [%d/%M/%Y:%h:%n:%j] "%j%w%r%wHTTP%j" %c %b "%f" "%j" %t %v\n

It seems like the tcpdump format used in FreeBSD differs from OpenBSD.

Does anyone have a working config that I can try?
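fwanalog works by rewriting firewall log lines into the web-log-shaped LOGFORMAT analog prints above, so when its patterns do not match the tcpdump output on a given system every line is reported as corrupt. Before hunting for a config, it helps to pin down the layout you actually have and to confirm it carries everything a report needs. The Python below is an added example, not part of fwanalog or of the mail: it parses pflog lines of the exact layout quoted above (rule number and sub-rule, match reason, action, direction, interface, endpoints, protocol, length) into fields, counts the lines it cannot parse instead of dropping them silently (the same condition analog is warning about), and totals blocked packets per source address and destination port, which is the summary a defender wants from pflog in the first place. The sample lines are the four from the mail without the "C:" marker that precedes each reported line there, plus one malformed line I constructed; the leading number is whatever timestamp the local tcpdump -t options produced and is kept as an opaque string; the field names are mine.

```python
import re
from collections import Counter

# Constructed sample: the four pflog lines quoted in the mail above (without the
# "C:" marker analog printed in front of them) plus one deliberately malformed
# line, so the reject counter has something to count.
SAMPLE_LOG = """\
846592 rule 0/0(match): block in on fxp0: 196.2.148.19.137 > 196.2.148.63.137: UDP, length 50
594470 rule 0/0(match): block in on fxp0: 196.2.148.19.137 > 196.2.148.63.137: UDP, length 50
343338 rule 0/0(match): block in on fxp0: 196.2.148.19.137 > 196.2.148.63.137: UDP, length 50
558290 rule 0/0(match): block in on fxp0: 196.2.148.12.138 > 196.2.148.63.138: UDP, length 201
this line is not a pflog record at all
"""

# Layout of the tcpdump-rendered pflog lines shown in the mail:
#   <ts> rule <n>/<sub>(<reason>): <action> <dir> on <if>: <src>.<sport> > <dst>.<dport>: <proto>, length <len>
# The timestamp is treated as an opaque token because its shape depends on tcpdump's -t options.
PFLOG_LINE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[\w-]+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<proto>\w+), length (?P<length>\d+)"
)


def parse_pflog_line(line):
    """One rendered pflog line -> dict of fields, or None if the layout does not match."""
    m = PFLOG_LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sub", "sport", "dport", "length"):
        rec[key] = int(rec[key])
    return rec


def parse_pflog(text):
    """Return (records, rejected): unparsable lines are counted, never silently dropped."""
    records, rejected = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_pflog_line(line)
        if rec is None:
            rejected += 1
        else:
            records.append(rec)
    return records, rejected


def blocked_by_source(records):
    """Blocked packets per (source address, destination port, protocol)."""
    counts = Counter()
    for rec in records:
        if rec["action"] == "block":
            counts[(rec["src"], rec["dport"], rec["proto"])] += 1
    return counts


def summarise(text):
    """Parse a log and return the per-source block counts plus the reject ratio."""
    records, rejected = parse_pflog(text)
    total = len(records) + rejected
    return {
        "blocked": blocked_by_source(records),
        "parsed": len(records),
        "rejected": rejected,
        "reject_ratio": (rejected / total) if total else 0.0,
    }


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    for (src, dport, proto), n in result["blocked"].most_common():
        print("%5d  %-16s -> port %-5d %s" % (n, src, dport, proto))
    print("parsed %d, rejected %d" % (result["parsed"], result["rejected"]))
```

Feeding it the real file is `tcpdump -n -e -r /var/log/pflog | python3 thisscript.py` with the `SAMPLE_LOG` read replaced by `sys.stdin.read()`; a high reject ratio on real data is exactly the signal that the regular expression, like fwanalog's patterns, was written for a different tcpdump rendering and needs adjusting before any report is trusted.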
Thanks
Rudi

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 14 15:51:06 2006
From: Thompson M Keith Contractor 16CS/SCBB <M.Keith.Thompson.ctr@hurlburt.af.mil>
Date: Thu, 14 Sep 2006 10:50:55 -0500
To: freebsd-pf@freebsd.org
Message-ID: <38D3FDBCF1FA88419208A6C9602ECADD01FF2901@HRT-CS-ML05V.hurlburt.afsoc.ds.af.mil>
Subject: Pf features

Does the version of pf in 6.1 release support the new ftp-proxy from OpenBSD 3.9 or newer?
From owner-freebsd-pf@FreeBSD.ORG Thu Sep 14 16:03:07 2006
From: Scott Ullrich <sullrich@gmail.com>
Date: Thu, 14 Sep 2006 12:03:06 -0400
To: Thompson M Keith Contractor 16CS/SCBB
Cc: freebsd-pf@freebsd.org
In-Reply-To: <38D3FDBCF1FA88419208A6C9602ECADD01FF2901@HRT-CS-ML05V.hurlburt.afsoc.ds.af.mil>
Subject: Re: Pf features

On 9/14/06, Thompson M Keith Contractor 16CS/SCBB wrote:
> Does the version of pf in 6.1 release support the new ftp-proxy from
> OpenBSD 3.9 or newer?

Yes, it should work fine. I ported the version from OpenBSD recently. You can find it at http://www.pfsense.com/~sullrich/ported_software/ftp-proxy.tgz

However, I have been using pftpx with pretty good results. FTP-Proxy was forked from pftpx at some point in the last year if memory serves me correctly.

Also, we have a version of PFTPX that works with multiple wan connections as well if someone needs such a beast.

Scott

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 14 16:20:16 2006
From: Gergely CZUCZY <phoemix@harmless.hu>
Date: Thu, 14 Sep 2006 18:20:14 +0200
To: Scott Ullrich
Cc: Thompson M Keith Contractor 16CS/SCBB, freebsd-pf@freebsd.org
Message-ID: <20060914162014.GA9625@marvin.harmless.hu>
Subject: Re: Pf features

On Thu, Sep 14, 2006 at 12:03:06PM -0400, Scott Ullrich wrote:
> On 9/14/06, Thompson M Keith Contractor 16CS/SCBB wrote:
> >Does the version of pf in 6.1 release support the new ftp-proxy from
> >OpenBSD 3.9 or newer?
>
> Yes, it should work fine. I ported the version from OpenBSD recently.
> You can find it at
> http://www.pfsense.com/~sullrich/ported_software/ftp-proxy.tgz
>
> However, I have been using pftpx with pretty good results. FTP-Proxy
> was forked from pftpx at some point in the last year if memory serves
> me correctly.
>
> Also, we have a version of PFTPX that works with multiple wan
> connections as well if someone needs such a beast.

I'm using both at the moment, and I find pftpx pretty good; it can functionally replace ftp-proxy. It's easier to use, more trivial, well documented, and so on. I suggest using pftpx; you can find it in the ports tree.

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu
PGP: http://phoemix.harmless.hu/phoemix.pgp

Weenies test. Geniuses solve problems that arise.
From owner-freebsd-pf@FreeBSD.ORG Fri Sep 15 10:52:54 2006
From: Volker <volker@vwsoft.com>
Date: Fri, 15 Sep 2006 12:52:33 +0200
To: freebsd-pf@freebsd.org
Message-ID: <450A85F1.1030207@vwsoft.com>
Subject: queue to nonexistent?

Hi folks,

I'm not quite sure what's up but it seems like a bug. Try the following (example, non-real world) .conf:

if_int="vr0"
if_ext="ng0"

altq on $if_ext cbq bandwidth 64Kb queue { q_low}
queue q_low cbq( borrow rio default )

pass quick on $if_int all
pass quick on $if_ext proto icmp all queue ( nonexistent )
pass quick on $if_ext all queue ( q_low )

Why's pf not complaining about the nonexistent queue? It silently accepts that.

bellona# pfctl -gf test1.conf
bellona# pfctl -sa
FILTER RULES:
pass quick on vr0 all
pass quick on ng0 proto icmp all queue nonexistent
pass quick on ng0 all queue q_low

ALTQ:
queue root_ng0 bandwidth 64Kb priority 0 cbq( wrr root ) {q_low}
  queue q_low bandwidth 64Kb cbq( rio borrow default )

Huh? Queueing to a nonexistent queue?
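pfctl on the RELENG_6 box above loaded the rule set without a word about `nonexistent`, so on that system the only thing standing between a typo and traffic being assigned to a queue that was never defined is a check run before the reload. The Python below is an added example, not part of pf, pfctl or the mail: it cross-references the three places queue names appear in pf.conf (the child list on an `altq on` line or on a parent `queue` definition, the `queue <name>` definitions themselves, and the `queue (...)` or `queue <name>` assignment on pass/block rules) and reports rule references to undefined queues, queues defined but never attached to a parent, and children listed but never defined. It covers the subset of the syntax shown in the mail; macros such as `$if_ext` are left unexpanded because queue names do not depend on them. The sample is Volker's test1.conf re-typed; the function and result-key names are mine.

```python
import re
import sys

# Constructed sample: the test1.conf from the mail above, verbatim.
SAMPLE_CONF = """\
if_int="vr0"
if_ext="ng0"
altq on $if_ext cbq bandwidth 64Kb queue { q_low}
queue q_low cbq( borrow rio default )
pass quick on $if_int all
pass quick on $if_ext proto icmp all queue ( nonexistent )
pass quick on $if_ext all queue ( q_low )
"""

# Where queue names occur in the pf.conf subset handled here:
#   altq on <if> ... queue { a, b }      -> declares children of the root queue
#   queue <name> ... [{ c, d }]          -> defines <name>, optionally declaring its children
#   pass|block ... queue (x[, y]) | queue x  -> assigns matching traffic to x (and y for low-delay)
ALTQ_RE = re.compile(r"^altq\s+on\s+")
QUEUE_DEF_RE = re.compile(r"^queue\s+(\w+)")
CHILDREN_RE = re.compile(r"\{([^}]*)\}")
RULE_QUEUE_RE = re.compile(r"^(?:pass|block)\b.*?\bqueue\s*(?:\(\s*([^)]*)\)|(\w+))")


def _names(blob):
    """'a, b' / ' q_low' -> ['a', 'b'] / ['q_low']; commas and whitespace both separate names."""
    return [n for n in blob.replace(",", " ").split() if n]


def check_queues(conf_text):
    """Return the three kinds of inconsistency between queue definitions and uses."""
    defined, children, refs = set(), set(), []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding blanks
        if not line:
            continue
        qdef = QUEUE_DEF_RE.match(line)
        if ALTQ_RE.match(line) or qdef:
            if qdef:
                defined.add(qdef.group(1))
            for blob in CHILDREN_RE.findall(line):
                children.update(_names(blob))
            continue
        rule = RULE_QUEUE_RE.match(line)
        if rule:
            for name in _names(rule.group(1) or rule.group(2)):
                refs.append((lineno, name))
    return {
        # rule assigns traffic to a queue that has no "queue <name>" definition
        "undefined_refs": [(n, q) for n, q in refs if q not in defined],
        # defined but never listed as a child of altq or of another queue
        "unattached": sorted(defined - children),
        # listed as a child but never given a definition
        "missing_defs": sorted(children - defined),
    }


def is_clean(conf_text):
    """True when no inconsistency of any kind was found."""
    return not any(check_queues(conf_text).values())


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    result = check_queues(text)
    for lineno, name in result["undefined_refs"]:
        print("line %d: rule assigns to undefined queue %r" % (lineno, name))
    for name in result["unattached"]:
        print("queue %r is defined but not attached to any parent" % name)
    for name in result["missing_defs"]:
        print("queue %r is listed as a child but never defined" % name)
    sys.exit(0 if is_clean(text) else 1)
```

Run as `python3 checkqueues.py test1.conf` it exits non-zero on the sample, which makes it a natural guard in front of the `pfctl -gf` in a link-up script like the one described in the altq-on-ng0 thread above: a reload that would bind traffic to a queue pf has never heard of is refused before it reaches the kernel.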
Greetings, Volker From owner-freebsd-pf@FreeBSD.ORG Fri Sep 15 14:30:06 2006 Return-Path: X-Original-To: freebsd-pf@FreeBSD.org Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8D76F16A403 for ; Fri, 15 Sep 2006 14:30:06 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from cell.sick.ru (cell.sick.ru [217.72.144.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id CDBA443D46 for ; Fri, 15 Sep 2006 14:30:05 +0000 (GMT) (envelope-from glebius@FreeBSD.org) Received: from cell.sick.ru (glebius@localhost [127.0.0.1]) by cell.sick.ru (8.13.4/8.13.3) with ESMTP id k8FEU4iC080859 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 15 Sep 2006 18:30:04 +0400 (MSD) (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by cell.sick.ru (8.13.4/8.13.1/Submit) id k8FEU3eg080858; Fri, 15 Sep 2006 18:30:03 +0400 (MSD) (envelope-from glebius@FreeBSD.org) X-Authentication-Warning: cell.sick.ru: glebius set sender to glebius@FreeBSD.org using -f Date: Fri, 15 Sep 2006 18:30:03 +0400 From: Gleb Smirnoff To: Volker Message-ID: <20060915143003.GT27667@FreeBSD.org> References: <4504AE93.3020203@vwsoft.com> Mime-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: <4504AE93.3020203@vwsoft.com> User-Agent: Mutt/1.5.6i Cc: freebsd-pf@FreeBSD.org Subject: Re: altq on ng0 sometimes causing system panic X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 15 Sep 2006 14:30:06 -0000 On Mon, Sep 11, 2006 at 02:32:19AM +0200, Volker wrote: V> two or three weeks ago I've switched from userland ppp to mpd for my V> internet connection. 
V> While using ng0 as the public interface I'm
V> also using altq (cbq) for bw management.
V>
V> Everything works (haven't yet measured for queue effectiveness) but
V> when issuing a `pfctl -gf mypf.conf' sometimes the system will
V> panic. I need to reload my ruleset as soon as the internet
V> connection has been set up because I've been lazy and am not using
V> anchors so I'm just reloading my complete ruleset by a link-up
V> script. I've been able to panic the machine just by reloading the
V> ruleset manually several times in a row.
V>
V> As I currently don't have a serial console setup I'm unable to post
V> any dumps or panic messages. Has anyone else experienced that? I've
V> had queue statements in my pf rules before (even while using ppp and
V> knowing about the problems with altq and tun) I've never experienced
V> any panics. This is really just since changing from a tun to an ng
V> device.
V>
V> If no one else has experienced panics like this I'll go and hook up
V> the serial console and try to get a panic again. Current workaround
V> is not to use altq on ng0 so I don't get panics ATM.
V>
V> Running RELENG_6, almost recently csup'ed.

Please *show* the panic message and the backtrace.

--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 15 14:47:08 2006
Date: Fri, 15 Sep 2006 16:46:56 +0200
From: Volker
To: Gleb Smirnoff
Cc: freebsd-pf@FreeBSD.org
Subject: Re: altq on ng0 sometimes causing system panic
Message-ID: <450ABCE0.7030707@vwsoft.com>
References: <4504AE93.3020203@vwsoft.com> <20060915143003.GT27667@FreeBSD.org>
In-Reply-To: <20060915143003.GT27667@FreeBSD.org>
On 2006-09-15 16:30, Gleb Smirnoff wrote:
> (snip)
> V> If no one else has experienced panics like this I'll go and hook up
> V> the serial console and try to get a panic again. Current workaround
> V> is not to use altq on ng0 so I don't get panics ATM.
> V>
> V> Running RELENG_6, almost recently csup'ed.
>
> Please *show* the panic message and the backtrace.
>

Gleb,

yes I know a bt would be useful. I've csup'ed, recompiled world+kernel yesterday and was trying to get the machine panicking today but haven't been able to do so. I really tried hard to panic it. I guess it has been a temporary side effect which disappeared 'magically' by any other recent source changes.

I'll try again to panic the machine later today with my original ruleset. So if I don't post another message over the weekend, I haven't been able to recreate the problem again.

Greetings,
Volker
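Returning to the silently accepted queue name in Volker's first message above: the following is an added lint check (example code written for this page, not part of pf or pfctl) that reads a ruleset on stdin and reports queue names a pass/block rule references without a matching `queue NAME ...` definition. It only handles the single-line `queue ( a, b )` and `queue a` forms used in that message, does not expand macros, and the sample ruleset in it is constructed to mirror the one posted.

```shell
#!/bin/sh
# Added example, not pfctl code: flag queue names that filter rules
# reference but no "queue NAME ..." line defines. Reads a ruleset on
# stdin; macros are not expanded and only single-line rules are handled.
pf_check_queues() {
    awk '
    { sub(/#.*/, "") }                      # drop comments
    # definition: "queue NAME ..." at the start of a line
    /^[[:space:]]*queue[[:space:]]+[A-Za-z0-9_]+/ {
        defined[$2] = 1
        next
    }
    # filter rule carrying "queue ( a, b )" or "queue a"
    /^[[:space:]]*(pass|block|match)/ &&
    match($0, /queue[[:space:]]*(\([^)]*\)|[A-Za-z0-9_]+)/) {
        spec = substr($0, RSTART + 5, RLENGTH - 5)
        gsub(/[()[:space:]]/, "", spec)     # "( a, b )" -> "a,b"
        n = split(spec, names, ",")
        for (i = 1; i <= n; i++)
            if (names[i] != "") ref[names[i]] = NR
    }
    END {
        bad = 0
        for (q in ref)
            if (!(q in defined)) {
                printf "line %d: queue %s is not defined\n", ref[q], q
                bad = 1
            }
        exit bad                            # 1 if any reference is undefined
    }'
}

# Constructed ruleset mirroring the one in the first message above.
PF_SAMPLE='if_ext="ng0"
altq on $if_ext cbq bandwidth 64Kb queue { q_low }
queue q_low cbq( borrow rio default )
pass quick on $if_ext proto icmp all queue ( nonexistent )
pass quick on $if_ext all queue ( q_low )'

printf '%s\n' "$PF_SAMPLE" | pf_check_queues || echo "ruleset references undefined queues"
```

A non-zero exit lets the check sit in front of `pfctl -f` in a reload script, so a typo in a queue name stops the load instead of being accepted silently.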