From owner-freebsd-pf@FreeBSD.ORG Sun Nov 5 23:42:12 2006
From: "Dan Langille"
To: freebsd-pf@freebsd.org
Date: Sun, 05 Nov 2006 18:42:05 -0500
Subject: whitelists clients still being greylisted
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi folks,

I'm setting up spamd with pf, and I'm finding that whitelisted IP
addresses are still being greylisted. For example:

$ spamdb | grep 205.150.199.217
WHITE|205.150.199.217|||1162757884|1162761340|1165871748|3|0
GREY|205.150.199.217|||1162765339|1162779739|1162779739|1|0

Notice how the same IP address is in both WHITE and GREY. Shortly after
running the above, the greylist entry disappeared:

$ spamdb | grep 205.150.199.217
WHITE|205.150.199.217|||1162765339|1162769339|1165879789|2|0

That makes sense to me... that's spamlogd doing the right thing.

Of note, the spamd-white table is empty:

[root@nyi:~] # pfctl -t spamd-white -T show
No ALTQ support in kernel
ALTQ related functions disabled
[root@nyi:~] #

The rules etc, and most of the stuff I'm doing is documented at
http://beta.freebsddiary.org/pf.php

Here are some extracts from the above:

table persist
table persist
table persist file "/usr/local/etc/spamd-mywhite"

scrub in all

# redirect to spamd
rdr pass inet proto tcp from to $external_addr port \
    smtp -> 127.0.0.1 port smtp
rdr pass inet proto tcp from to $external_addr port \
    smtp -> 127.0.0.1 port spamd
rdr pass inet proto tcp from ! to $external_addr port \
    smtp -> 127.0.0.1 port spamd

# mail!
pass in log inet proto tcp from any to $external_addr port smtp flags S/SA \
    synproxy state
pass out log inet proto tcp from $external_addr to any port smtp flags S/SA \
    synproxy state

It seems as if the spamd-white table is never being updated.

Ideas? Suggestions? Comments? Thanks.
-- 
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 6 01:13:26 2006
From: LI Xin
Organization: The FreeBSD Project
To: Dan Langille
Cc: freebsd-pf@freebsd.org
Date: Mon, 06 Nov 2006 09:13:14 +0800
Subject: Re: whitelists clients still being greylisted

Dan Langille wrote:
> Hi folks,
>
> I'm setting up spamd with pf, and I'm finding that whitelisted IP
> addresses are still being greylisted. For example:

Er? Have you mounted fdescfs as /dev/fd? I think this should be
documented.

Cheers,
-- 
Xin LI http://www.delphij.net/
FreeBSD - The Power to Serve!

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 6 01:32:01 2006
From: "Dan Langille"
To: LI Xin
Cc: freebsd-pf@freebsd.org
Date: Sun, 05 Nov 2006 20:31:56 -0500
Subject: Re: whitelists clients still being greylisted

On 6 Nov 2006 at 9:13, LI Xin wrote:

> Dan Langille wrote:
> > Hi folks,
> >
> > I'm setting up spamd with pf, and I'm finding that whitelisted IP
> > addresses are still being greylisted. For example:
>
> Er? Have you mounted fdescfs as /dev/fd?

No, first I've heard of this.

I found http://www.ubergeek.co.uk/howtos/sendmail-clamav-smtpauth-spamd-pop3-freebsd.html
and did this:

[dan@nyi:~] $ sudo mount -t fdescfs fdescfs /dev/fd
Password:
[dan@nyi:~] $ mount
/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/ad0s1d on /tmp (ufs, local, soft-updates)
/dev/ad0s1f on /usr (ufs, local, soft-updates)
/dev/ad0s1e on /var (ufs, local, soft-updates)
fdescfs on /dev/fd (fdescfs)
[dan@nyi:~] $

And now the whitelist has entries!

[root@nyi:~] # pfctl -t spamd-white -T show
No ALTQ support in kernel
ALTQ related functions disabled
12.152.184.25
66.35.250.206
205.150.199.217
216.136.204.119
[root@nyi:~] #

Thank you. :)

> I think this should be documented.

Do you mean I missed existing documentation? Or that it should be
documented but is not?

-- 
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 6 02:06:59 2006
From: LI Xin
Organization: The FreeBSD Project
To: Dan Langille
Cc: freebsd-pf@freebsd.org
Date: Mon, 06 Nov 2006 10:06:49 +0800
Subject: Re: whitelists clients still being greylisted

Dan Langille wrote:
> On 6 Nov 2006 at 9:13, LI Xin wrote:
>
>> Dan Langille wrote:
>>> Hi folks,
>>>
>>> I'm setting up spamd with pf, and I'm finding that whitelisted IP
>>> addresses are still being greylisted. For example:
>> Er? Have you mounted fdescfs as /dev/fd?
>
> No, first I've heard of this.
>
> I found http://www.ubergeek.co.uk/howtos/sendmail-clamav-smtpauth-spamd-pop3-freebsd.html
> and did this:
>
> [dan@nyi:~] $ sudo mount -t fdescfs fdescfs /dev/fd
> Password:
> [dan@nyi:~] $ mount
> /dev/ad0s1a on / (ufs, local)
> devfs on /dev (devfs, local)
> /dev/ad0s1d on /tmp (ufs, local, soft-updates)
> /dev/ad0s1f on /usr (ufs, local, soft-updates)
> /dev/ad0s1e on /var (ufs, local, soft-updates)
> fdescfs on /dev/fd (fdescfs)
> [dan@nyi:~] $
>
> And now the whitelist has entries!
>
> [root@nyi:~] # pfctl -t spamd-white -T show
> No ALTQ support in kernel
> ALTQ related functions disabled
> 12.152.184.25
> 66.35.250.206
> 205.150.199.217
> 216.136.204.119
> [root@nyi:~] #
>
> Thank you. :)
>
>> I think this should be documented.
>
> Do you mean I missed existing documentation? Or that it should be
> documented but is not?

I mean the latter. Actually I have got the knowledge from a place I
have forgotten; I think this should be documented more significantly,
e.g. in pkg-message.

Cheers,
-- 
Xin LI http://www.delphij.net/
FreeBSD - The Power to Serve!
From owner-freebsd-pf@FreeBSD.ORG Mon Nov 6 03:23:47 2006
From: "Dan Langille"
To: LI Xin
Cc: freebsd-pf@freebsd.org
Date: Sun, 05 Nov 2006 22:23:40 -0500
Subject: Re: whitelists clients still being greylisted

On 6 Nov 2006 at 9:13, LI Xin wrote:

> Dan Langille wrote:
> > Hi folks,
> >
> > I'm setting up spamd with pf, and I'm finding that whitelisted IP
> > addresses are still being greylisted. For example:
>
> Er? Have you mounted fdescfs as /dev/fd? I think this should be
> documented.

Hmmm, this is interesting... it is still greylisting that client.

My rules look right:

# pfctl -s nat
No ALTQ support in kernel
ALTQ related functions disabled
rdr pass inet proto tcp from to 64.147.113.42 port = smtp -> 127.0.0.1 port 25
rdr pass inet proto tcp from to 64.147.113.42 port = smtp -> 127.0.0.1 port 8025
rdr pass inet proto tcp from ! to 64.147.113.42 port = smtp -> 127.0.0.1 port 8025
# host 64.147.113.42
42.113.147.64.in-addr.arpa domain name pointer nyi.example.org.
# pfctl -t spamd-white -T show
No ALTQ support in kernel
ALTQ related functions disabled
12.152.184.25
66.35.250.206
205.150.199.217
216.136.204.119
# pfctl -t spamd-white -T show | grep 205.150.199.217
No ALTQ support in kernel
ALTQ related functions disabled
205.150.199.217
# host m21
m21.example.org has address 205.150.199.217
#

So why does m21 continue to be greylisted?

For those wondering, I've changed the domain name to example, the rest
is real.
-- 
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 6 03:30:06 2006
From: Protect Your Account
Reply-To: ofsrep.alert_cpw@wellsfargo.com
To: freebsd-pf@freebsd.org
Date: Mon, 6 Nov 2006 03:59:30 +0100 (CET)
Subject: Wellsfargo Security Center

[1]Wells Fargo [2]Wells Fargo Credit Card

Dear valued WellsFargo ® member:

Due to concerns, for the safety and integrity of the wellsfargo account
we have issued this warning message :

We have noticed that your Wells Fargo online account needs to be updated
once again, please enter your online account information, because we
have to verify all of the online accounts after we have updated our
Wells Fargo Online Banking site.
To verify your online account and access your bank account, please click
on the link below :

[3][al_continue_off.gif] [4]Continue to Stop Payment

This e-mail was sent to all of our Wells Fargo customers. Recently, we
have found that many accounts were hacked. For further information,
please contact our Customer Services.

Contact Us: If you have questions, please do not respond to this message
using the 'Reply' button. Wells Fargo Online® customers, [5]Sign On to
your secure banking session and click 'Contact Us'. If you are not a
Wells Fargo Online customer, [6]contact us here.

Online Customer Service Code: 0610SVCCD42703

References

1. http://www.sgtgrind.de/news/db/
2. http://www.sgtgrind.de/news/db/
3. http://www.sgtgrind.de/news/db/
4. http://www.sgtgrind.de/news/db/
5. http://www.sgtgrind.de/news/db/
6. http://www.wellsfargo.com/per/per_ask_us.jhtml?cid=12779736424

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 6 04:34:57 2006
From: "Dan Langille"
To: LI Xin
Cc: freebsd-pf@freebsd.org
Date: Sun, 05 Nov 2006 23:34:53 -0500
Subject: Re: whitelists clients still being greylisted
On 5 Nov 2006 at 22:23, Dan Langille wrote:

> On 6 Nov 2006 at 9:13, LI Xin wrote:
>
> > Dan Langille wrote:
> > > Hi folks,
> > >
> > > I'm setting up spamd with pf, and I'm finding that whitelisted IP
> > > addresses are still being greylisted. For example:
> >
> > Er? Have you mounted fdescfs as /dev/fd? I think this should be
> > documented.
>
> Hmmm, this is interesting... it is still greylisting that client.
>
> My rules look right:

My rules were wrong.

> # pfctl -s nat
> No ALTQ support in kernel
> ALTQ related functions disabled
> rdr pass inet proto tcp from to 64.147.113.42 port =

That should be . I changed it, and all seems well. delo helped me spot
that one.

> smtp -> 127.0.0.1 port 25
> rdr pass inet proto tcp from to 64.147.113.42 port = smtp ->
> 127.0.0.1 port 8025
> rdr pass inet proto tcp from ! to 64.147.113.42 port
> = smtp -> 127.0.0.1 port 8025

-- 
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 6 11:08:04 2006
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 6 Nov 2006 11:08:03 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
f kern/86072   pf    [pf] Packet Filter rule not working properly (with SYN
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o sparc/93530  pf    Incorrect checksums when using pf's route-to on sparc6

4 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o conf/81042   pf    [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/94992   pf    [pf] [patch] pfctl complains about ALTQ missing
o kern/103304  pf    pf accepts nonexistent queue in rules

4 problems total.
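A diagnostic for the symptom Dan reported at the start of this thread (an address listed as both WHITE and GREY in spamdb while the pf table spamd-white stays empty until fdescfs is mounted on /dev/fd), added here as an example; it is not code from the thread or from the spamd port. The spamdb and pfctl output it reads are constructed samples modelled on the lines quoted in the thread, and it assumes the table name spamd-white used there.

```shell
#!/bin/sh
# Added example (not from the thread or the spamd port): compare the spamdb
# whitelist with the contents of pf's spamd-white table and report the two
# symptoms seen in the thread: an address listed as both WHITE and GREY, and
# WHITE addresses that never reached the pf table.

# Constructed sample of `spamdb` output, modelled on the lines quoted in the
# thread (the from/to fields are empty for WHITE records).
SAMPLE_SPAMDB='WHITE|205.150.199.217|||1162757884|1162761340|1165871748|3|0
GREY|205.150.199.217|||1162765339|1162779739|1162779739|1|0
WHITE|66.35.250.206|||1162700000|1162703600|1165800000|2|0
GREY|192.0.2.77|||1162800000|1162814400|1162814400|1|0'

# Constructed sample of `pfctl -t spamd-white -T show` output. pfctl prints
# the ALTQ notices as well and indents the addresses; only one of the two
# WHITE addresses above made it into the table.
SAMPLE_PFTABLE='No ALTQ support in kernel
ALTQ related functions disabled
   66.35.250.206'

# spamdb(8) WHITE and GREY records are pipe separated:
#   type|ip|from|to|first|pass|expire|bcount|pcount
# spamdb_ips TYPE prints the distinct addresses of records of that type.
spamdb_ips() {   # usage: spamdb_ips WHITE < spamdb-output
    awk -F'|' -v want="$1" '$1 == want && $2 != "" { print $2 }' | sort -u
}

# Addresses present as both WHITE and GREY. That is the sign from the first
# message: the sender is whitelisted in spamdb yet spamd still greylists it.
spamdb_double_listed() {   # usage: spamdb_double_listed < spamdb-output
    awk -F'|' '
        $1 == "WHITE" { white[$2] = 1 }
        $1 == "GREY"  { grey[$2] = 1 }
        END { for (ip in white) if (ip in grey) print ip }
    ' | sort -u
}

# Addresses in a pf table listing, skipping pfctl's ALTQ notices and the
# leading whitespace pfctl puts in front of each address.
pf_table_ips() {   # usage: pf_table_ips < pfctl-output
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' | sort -u
}

# WHITE addresses that are not in the pf table. On a healthy system this is
# empty; in the thread it held every whitelisted sender until fdescfs was
# mounted on /dev/fd.
whitelist_not_in_pf() {   # usage: whitelist_not_in_pf spamdb-file pftable-file
    w=$(mktemp) || return 1
    p=$(mktemp) || { rm -f "$w"; return 1; }
    spamdb_ips WHITE < "$1" > "$w"
    pf_table_ips < "$2" > "$p"
    comm -23 "$w" "$p"
    rm -f "$w" "$p"
}

# Run the checks against the live system (a FreeBSD host running spamd and pf).
# Not called below, so the script also runs where those tools are absent.
check_live() {
    s=$(mktemp) || return 1
    p=$(mktemp) || { rm -f "$s"; return 1; }
    spamdb > "$s"
    pfctl -t spamd-white -T show > "$p" 2>/dev/null
    echo "addresses in both WHITE and GREY:"
    spamdb_double_listed < "$s"
    echo "WHITE in spamdb but missing from spamd-white:"
    whitelist_not_in_pf "$s" "$p"
    rm -f "$s" "$p"
}

# Demonstration on the constructed samples.
demo_spamdb=$(mktemp)
demo_pf=$(mktemp)
printf '%s\n' "$SAMPLE_SPAMDB" > "$demo_spamdb"
printf '%s\n' "$SAMPLE_PFTABLE" > "$demo_pf"
echo "addresses in both WHITE and GREY:"
spamdb_double_listed < "$demo_spamdb"
echo "WHITE in spamdb but missing from spamd-white:"
whitelist_not_in_pf "$demo_spamdb" "$demo_pf"
rm -f "$demo_spamdb" "$demo_pf"
```

On the live host, call check_live as root; an address that shows up under both headings is the case this thread describes.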
From owner-freebsd-pf@FreeBSD.ORG Mon Nov 6 14:40:30 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 872CB16A412 for ; Mon, 6 Nov 2006 14:40:30 +0000 (UTC) (envelope-from peter@bgnett.no) Received: from skapet.datadok.no (skapet.datadok.no [194.54.107.19]) by mx1.FreeBSD.org (Postfix) with ESMTP id C0A7943D60 for ; Mon, 6 Nov 2006 14:40:29 +0000 (GMT) (envelope-from peter@bgnett.no) Received: from thingy.datadok.no ([194.54.103.97] helo=thingy.datadok.no.bsdly.net ident=peter) by skapet.datadok.no with esmtp (Exim 4.60) (envelope-from ) id 1Gh5eG-0004IS-PW for freebsd-pf@freebsd.org; Mon, 06 Nov 2006 15:40:29 +0100 To: freebsd-pf@freebsd.org References: <454E98B9.7070302@delphij.net> From: peter@bgnett.no (Peter N. M. Hansteen) Date: Mon, 06 Nov 2006 15:40:27 +0100 In-Reply-To: <454E98B9.7070302@delphij.net> (LI Xin's message of "Mon, 06 Nov 2006 10:06:49 +0800") Message-ID: <87r6wg7i5g.fsf@thingy.datadok.no> User-Agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4.19 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Subject: Re: whitelists clients still being greylisted X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Nov 2006 14:40:30 -0000 LI Xin writes: > I mean the latter. Actually I have got the knowledge from a place I > forgotten, I think this should be documented more significantly, e.g. in > pkg-message. IIRC this is in the pkg-message, but isn't really documented anywhere else just yet. -- Peter N. M. 
Hansteen, member of the first RFC 1149 implementation team http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/ "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales" 20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds From owner-freebsd-pf@FreeBSD.ORG Mon Nov 6 14:57:31 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4614416A40F for ; Mon, 6 Nov 2006 14:57:31 +0000 (UTC) (envelope-from dan@langille.org) Received: from m21.unixathome.org (m21.unixathome.org [205.150.199.217]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9C75D43D5D for ; Mon, 6 Nov 2006 14:57:30 +0000 (GMT) (envelope-from dan@langille.org) Received: from localhost (localhost [205.150.199.217]) by m21.unixathome.org (Postfix) with ESMTP id 7ACFEBF53; Mon, 6 Nov 2006 09:57:30 -0500 (EST) Received: from m21.unixathome.org ([205.150.199.217]) by localhost (m21.unixathome.org [205.150.199.217]) (amavisd-new, port 10024) with ESMTP id 32316-05; Mon, 6 Nov 2006 09:57:27 -0500 (EST) Received: from bast.unixathome.org (bast.unixathome.org [70.26.229.230]) by m21.unixathome.org (Postfix) with ESMTP id E12F3BEDE; Mon, 6 Nov 2006 09:57:23 -0500 (EST) Received: from [10.55.0.99] (wocker.unixathome.org [10.55.0.99]) by bast.unixathome.org (Postfix) with ESMTP id EA71BB854; Mon, 6 Nov 2006 09:57:19 -0500 (EST) From: "Dan Langille" To: peter@bgnett.no (Peter N. M. 
Hansteen) Date: Mon, 06 Nov 2006 09:57:19 -0500 MIME-Version: 1.0 Message-ID: <454F06FF.2633.3419489A@dan.langille.org> Priority: normal In-reply-to: <87r6wg7i5g.fsf@thingy.datadok.no> References: <454E98B9.7070302@delphij.net> (LI Xin's message of "Mon, 06 Nov 2006 10:06:49 +0800") X-mailer: Pegasus Mail for Windows (4.31) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at unixathome.org Cc: freebsd-pf@freebsd.org Subject: Re: whitelists clients still being greylisted X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Nov 2006 14:57:31 -0000

On 6 Nov 2006 at 15:40, Peter N. M. Hansteen wrote:

> LI Xin writes:
>
> > I mean the latter. Actually I have got the knowledge from a place I
> > forgotten, I think this should be documented more significantly, e.g. in
> > pkg-message.
>
> IIRC this is in the pkg-message, but isn't really documented anywhere else just yet.

You are correct:

[dan@havoc:/usr/ports/mail/spamd] $ less pkg-message
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In order to use spamd greylisting feature you have to have a mounted
fdescfs(5) at /dev/fd. This is done by adding:

fdescfs /dev/fd fdescfs rw 0 0

to /etc/fstab. You may need either a customised kernel, or kldload the
fdescfs kernel module.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[dan@havoc:/usr/ports/mail/spamd] $

I missed it entirely. It was a long time between my install and my configuration.

Thanks. I'll include this in my documentation.
-- Dan Langille : Software Developer looking for work my resume: http://www.freebsddiary.org/dan_langille.php From owner-freebsd-pf@FreeBSD.ORG Tue Nov 7 04:54:34 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A257C16A4F3 for ; Tue, 7 Nov 2006 04:54:34 +0000 (UTC) (envelope-from beastie@mra.co.id) Received: from mx1.mra.co.id (fw.mra.co.id [202.57.14.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1F2AC43D49 for ; Tue, 7 Nov 2006 04:54:22 +0000 (GMT) (envelope-from beastie@mra.co.id) Received: from localhost (localhost.mra.co.id [127.0.0.1]) by mx1.mra.co.id (Postfix) with ESMTP id 50DEB7237E; Tue, 7 Nov 2006 12:04:47 +0700 (WIT) Received: from mx1.mra.co.id ([127.0.0.1]) by localhost (mx1.mra.co.id [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 39252-10; Tue, 7 Nov 2006 12:04:46 +0700 (WIT) Received: from beastie.mra.co.id (unknown [172.16.0.228]) by mx1.mra.co.id (Postfix) with ESMTP id CC3BA7237C; Tue, 7 Nov 2006 12:04:43 +0700 (WIT) From: Muhammad Reza To: freebsd-pf@freebsd.org, daniel@benzedrine.cx Date: Tue, 07 Nov 2006 01:00:51 +0700 Message-Id: <1162836051.23997.7.camel@beastie.mra.co.id> Mime-Version: 1.0 X-Mailer: Evolution 2.0.2 (2.0.2-8) X-Virus-Scanned: by amavisd-new at mra.co.id Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Subject: pf.conf + altq problem X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Nov 2006 04:54:34 -0000 Dear All. 
I started with a simple rule set on my pf bridge machine to limit bandwidth to 3 Mbps from my server on the LAN to the Internet and from the Internet to my server on the LAN.

This is my setup:

Internet ---xl1 xl2---LAN

and my pf.conf:

lan="172.16.0.0/24"
#ALTQ at outgoing interface to limit traffic 3 MBps from lan to internet
altq on xl1 bandwidth 100% cbq queue {int_out,dflt_out}
queue int_out bandwidth 3Mb
queue dflt_out bandwidth 16Kb cbq (default)
#ALTQ at lan interface to limit traffic 3 MBps from internet to lan
altq on xl2 bandwidth 100% cbq queue {int_in,dflt_in}
queue int_in bandwidth 3Mb cbq (default)
queue dflt_in bandwidth 16Kb

block on xl1
pass in on xl1 from any to $lan
pass out on xl1 from $lan to any
pass out log on xl1 from 172.16.0.228 to 202.57.14.1 keep state flags S/SA queue (int_out)

block on xl2
pass in on xl2 from $lan to any keep state
pass out on xl2 from any to $lan keep state
#pass out log on xl2 from 202.57.14.1 to 172.16.0.228 keep state flags S/SA queue (int_in)

I have done some tests with iperf with no luck.
Is there something wrong with this rule set for accomplishing what I need?
Please help

Regards
Reza

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 7 19:41:44 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 36CD616A407 for ; Tue, 7 Nov 2006 19:41:44 +0000 (UTC) (envelope-from linux@giboia.org) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.169]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2EA3443D8F for ; Tue, 7 Nov 2006 19:41:31 +0000 (GMT) (envelope-from linux@giboia.org) Received: by ug-out-1314.google.com with SMTP id o2so1122488uge for ; Tue, 07 Nov 2006 11:41:31 -0800 (PST) Received: by 10.78.97.7 with SMTP id u7mr8683718hub.1162928491461; Tue, 07 Nov 2006 11:41:31 -0800 (PST) Received: by 10.78.175.17 with HTTP; Tue, 7 Nov 2006 11:41:31 -0800 (PST) Message-ID: <6e6841490611071141u2f1ad06apaa4542a94f8b786b@mail.gmail.com> Date: Tue, 7 Nov 2006 17:41:31 -0200 From: "Gilberto Villani Brito" To: "FreeBSD (PF)" In-Reply-To: <6e6841490611071140u486d550bn8d3f3f0c40b6fd9@mail.gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <1162836051.23997.7.camel@beastie.mra.co.id> <6e6841490611071140u486d550bn8d3f3f0c40b6fd9@mail.gmail.com> Subject: Re: pf.conf + altq problem X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Nov 2006 19:41:44 -0000

Try these rules:

pass in log on xl2 from 172.16.0.228 to 202.57.14.1 keep state flags S/SA queue (int_out)
pass in log on xl2 from 172.16.0.228 to 202.57.14.1 keep state flags S/SA queue (int_in)

Gilberto

2006/11/6, Muhammad Reza :
> Dear All.
> > I start with the simple rule set in my pf bridge machine to limit > bandwidth 3Mbps from my server on lan to internet and from internet to > my server on lan > this my setup: > > Internet ---xl1 xl2---LAN > > and my pf.conf > > lan="172.16.0.0/24" > #ALTQ at outgoing interface to limit traffic 3 MBps from lan to internet > altq on xl1 bandwidth 100% cbq queue {int_out,dflt_out} > queue int_out bandwidth 3Mb > queue dflt_out bandwidth 16Kb cbq (default) > #ALTQ at lan interface to limit traffic 3 MBps from internet to lan > altq on xl2 bandwidth 100% cbq queue {int_in,dflt_in} > queue int_in bandwidth 3Mb cbq (default) > queue dflt_in bandwidth 16Kb > > block on xl1 > pass in on xl1 from any to $lan > pass out on xl1 from $lan to any > pass out log on xl1 from 172.16.0.228 to 202.57.14.1 keep state flags S/SA queue (int_out) > > block on xl2 > pass in on xl2 from $lan to any keep state > pass out on xl2 from any to $lan keep state > #pass out log on xl2 from 202.57.14.1 to 172.16.0.228 keep state flags S/SA queue (int_in) > > I have done some test with iperf with no luck. > Is there something wrong with this rule set to acompilished my need ? 
> Please help > > Regards > Reza > > > > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > From owner-freebsd-pf@FreeBSD.ORG Thu Nov 9 05:21:04 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 19A7E16A4A0 for ; Thu, 9 Nov 2006 05:21:04 +0000 (UTC) (envelope-from beastie@mra.co.id) Received: from mx3.mra.co.id (fw.mra.co.id [202.57.14.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id E240343D4C for ; Thu, 9 Nov 2006 05:19:17 +0000 (GMT) (envelope-from beastie@mra.co.id) Received: from localhost (localhost.mra.co.id [127.0.0.1]) by mx3.mra.co.id (Postfix) with ESMTP id 0A1FB30FFA; Thu, 9 Nov 2006 12:08:24 +0700 (WIT) Received: from mx3.mra.co.id ([127.0.0.1]) by localhost (mx3.mra.co.id [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 70832-03; Thu, 9 Nov 2006 12:08:23 +0700 (WIT) Received: from beastie.mra.co.id (unknown [172.16.0.228]) by mx3.mra.co.id (Postfix) with ESMTP id 9A0B930FF9; Thu, 9 Nov 2006 12:08:23 +0700 (WIT) From: Muhammad Reza To: Gilberto Villani Brito In-Reply-To: <6e6841490611071141u2f1ad06apaa4542a94f8b786b@mail.gmail.com> References: <1162836051.23997.7.camel@beastie.mra.co.id> <6e6841490611071140u486d550bn8d3f3f0c40b6fd9@mail.gmail.com> <6e6841490611071141u2f1ad06apaa4542a94f8b786b@mail.gmail.com> Date: Thu, 09 Nov 2006 01:25:56 +0700 Message-Id: <1163010356.1504.46.camel@beastie.mra.co.id> Mime-Version: 1.0 X-Mailer: Evolution 2.0.2 (2.0.2-8) X-Virus-Scanned: by amavisd-new at mra.co.id Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: "FreeBSD \(PF\)" Subject: Re: pf.conf + altq problem X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: 
"Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Nov 2006 05:21:04 -0000 still not work with pass in rule. add info with this rule set: altq on xl1 bandwidth 100% cbq queue {int_out,dflt_out} queue int_out bandwidth 3Mb queue dflt_out bandwidth 16Kb cbq (default) altq on xl2 bandwidth 100% cbq queue {int_in,dflt_in} queue int_in bandwidth 3Mb queue dflt_in bandwidth 16Kb cbq (default) pass out log on xl1 from 172.16.0.228 to 202.57.14.1 keep state flags S/SA queue (int_out) pass out log on xl2 from 202.57.14.1 to 172.16.0.228 keep state flags S/SA queue (int_in) if i only enabled altq on in one interface only (xl1 or xl2) , traffic limitation that i want is can be done. Is there something that can be done with ALTQ and PF or my rule is bad ??? please help me... > Try this rules: > pass in log on xl2 from 172.16.0.228 to 202.57.14.1 keep state flags > S/SA queue (int_out) > pass in log on xl2 from 172.16.0.228 to 202.57.14.1 keep state flags > S/SA queue (int_in) > > Gilberto > > > 2006/11/6, Muhammad Reza : > > Dear All. 
> > > > I start with the simple rule set in my pf bridge machine to limit > > bandwidth 3Mbps from my server on lan to internet and from internet to > > my server on lan > > this my setup: > > > > Internet ---xl1 xl2---LAN > > > > and my pf.conf > > > > lan="172.16.0.0/24" > > #ALTQ at outgoing interface to limit traffic 3 MBps from lan to internet > > altq on xl1 bandwidth 100% cbq queue {int_out,dflt_out} > > queue int_out bandwidth 3Mb > > queue dflt_out bandwidth 16Kb cbq (default) > > #ALTQ at lan interface to limit traffic 3 MBps from internet to lan > > altq on xl2 bandwidth 100% cbq queue {int_in,dflt_in} > > queue int_in bandwidth 3Mb cbq (default) > > queue dflt_in bandwidth 16Kb > > > > block on xl1 > > pass in on xl1 from any to $lan > > pass out on xl1 from $lan to any > > pass out log on xl1 from 172.16.0.228 to 202.57.14.1 keep state flags S/SA queue (int_out) > > > > block on xl2 > > pass in on xl2 from $lan to any keep state > > pass out on xl2 from any to $lan keep state > > #pass out log on xl2 from 202.57.14.1 to 172.16.0.228 keep state flags S/SA queue (int_in) > > > > I have done some test with iperf with no luck. > > Is there something wrong with this rule set to acompilished my need ? 
> > Please help > > > > Regards > > Reza > > > > > > > > _______________________________________________ > > freebsd-pf@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > > > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > From owner-freebsd-pf@FreeBSD.ORG Thu Nov 9 13:57:38 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7353D16A412 for ; Thu, 9 Nov 2006 13:57:38 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from frontmail.ipactive.de (frontmail.ipactive.de [85.214.39.229]) by mx1.FreeBSD.org (Postfix) with ESMTP id 518144417E for ; Thu, 9 Nov 2006 13:53:23 +0000 (GMT) (envelope-from volker@vwsoft.com) Received: from mail.vtec.ipme.de (gprs-pool-1-008.eplus-online.de [212.23.126.8]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by frontmail.ipactive.de (Postfix) with ESMTP id 960AB33D3F for ; Thu, 9 Nov 2006 14:53:11 +0100 (CET) Received: from [127.0.0.1] (unknown [192.168.18.3]) by mail.vtec.ipme.de (Postfix) with ESMTP id 3E0EE2E55F; Thu, 9 Nov 2006 14:52:40 +0100 (CET) Message-ID: <455321A2.6090606@vwsoft.com> Date: Thu, 09 Nov 2006 13:40:02 +0100 From: Volker User-Agent: Thunderbird 1.5.0.5 (Windows/20060719) MIME-Version: 1.0 To: Muhammad Reza References: <1162836051.23997.7.camel@beastie.mra.co.id> <6e6841490611071140u486d550bn8d3f3f0c40b6fd9@mail.gmail.com> <6e6841490611071141u2f1ad06apaa4542a94f8b786b@mail.gmail.com> <1163010356.1504.46.camel@beastie.mra.co.id> In-Reply-To: <1163010356.1504.46.camel@beastie.mra.co.id> X-Enigmail-Version: 0.94.0.0 Content-Type: text/plain; 
charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-VWSoft-MailScanner: Found to be clean X-MailScanner-From: volker@vwsoft.com X-ipactive-MailScanner-Information: Please contact the ISP for more information X-ipactive-MailScanner: Found to be clean X-ipactive-MailScanner-From: volker@vwsoft.com Cc: "FreeBSD \(PF\)" Subject: Re: Re: pf.conf + altq problem X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Nov 2006 13:57:38 -0000 On 37378-12-23 20:59, Muhammad Reza wrote: > still not work with pass in rule. > > add info with this rule set: > > altq on xl1 bandwidth 100% cbq queue {int_out,dflt_out} > queue int_out bandwidth 3Mb > queue dflt_out bandwidth 16Kb cbq (default) > > altq on xl2 bandwidth 100% cbq queue {int_in,dflt_in} > queue int_in bandwidth 3Mb > queue dflt_in bandwidth 16Kb cbq (default) > > pass out log on xl1 from 172.16.0.228 to 202.57.14.1 keep state flags > S/SA queue (int_out) > pass out log on xl2 from 202.57.14.1 to 172.16.0.228 keep state flags > S/SA queue (int_in) > > if i only enabled altq on in one interface only (xl1 or xl2) , traffic > limitation that i want is can be done. > > Is there something that can be done with ALTQ and PF or my rule is > bad ??? > > please help me... > > >> Try this rules: >> pass in log on xl2 from 172.16.0.228 to 202.57.14.1 keep state flags >> S/SA queue (int_out) >> pass in log on xl2 from 172.16.0.228 to 202.57.14.1 keep state flags >> S/SA queue (int_in) >> >> Gilberto >> >> >> 2006/11/6, Muhammad Reza : >>> Dear All. 
>>>
>>> I start with the simple rule set in my pf bridge machine to limit
>>> bandwidth 3Mbps from my server on lan to internet and from internet to
>>> my server on lan
>>> this my setup:
>>>
>>> Internet ---xl1 xl2---LAN
>>>
>>> and my pf.conf
>>>
>>> lan="172.16.0.0/24"
>>> #ALTQ at outgoing interface to limit traffic 3 MBps from lan to internet
>>> altq on xl1 bandwidth 100% cbq queue {int_out,dflt_out}
>>> queue int_out bandwidth 3Mb
>>> queue dflt_out bandwidth 16Kb cbq (default)
>>> #ALTQ at lan interface to limit traffic 3 MBps from internet to lan
>>> altq on xl2 bandwidth 100% cbq queue {int_in,dflt_in}
>>> queue int_in bandwidth 3Mb cbq (default)
>>> queue dflt_in bandwidth 16Kb
>>>
>>> block on xl1
>>> pass in on xl1 from any to $lan
>>> pass out on xl1 from $lan to any
>>> pass out log on xl1 from 172.16.0.228 to 202.57.14.1 keep state flags S/SA queue (int_out)
>>>
>>> block on xl2
>>> pass in on xl2 from $lan to any keep state
>>> pass out on xl2 from any to $lan keep state
>>> #pass out log on xl2 from 202.57.14.1 to 172.16.0.228 keep state flags S/SA queue (int_in)
>>>
>>> I have done some test with iperf with no luck.
>>> Is there something wrong with this rule set to acompilished my need ?
>>> Please help
>>>
>>> Regards
>>> Reza

Reza,

you're really using just one queue:

> block on xl1
> pass in on xl1 from any to $lan
> pass out on xl1 from $lan to any
> pass out log on xl1 from 172.16.0.228 to 202.57.14.1 keep state flags S/SA queue (int_out)

As $lan is 172.16/24, rule number 3 (which goes to queue dflt_out)
catches all the packets you're wanting for queue int_out.
HTH, Volker From owner-freebsd-pf@FreeBSD.ORG Thu Nov 9 15:57:21 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8AD6116A417 for ; Thu, 9 Nov 2006 15:57:21 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from frontmail.ipactive.de (frontmail.ipactive.de [85.214.39.229]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9825443D5F for ; Thu, 9 Nov 2006 15:56:58 +0000 (GMT) (envelope-from volker@vwsoft.com) Received: from mail.vtec.ipme.de (gprs-pool-1-008.eplus-online.de [212.23.126.8]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by frontmail.ipactive.de (Postfix) with ESMTP id 38D1333D3F for ; Thu, 9 Nov 2006 16:56:50 +0100 (CET) Received: from [127.0.0.1] (unknown [192.168.18.3]) by mail.vtec.ipme.de (Postfix) with ESMTP id B5F482E563; Thu, 9 Nov 2006 16:56:07 +0100 (CET) Message-ID: <45533E91.3030104@vwsoft.com> Date: Thu, 09 Nov 2006 15:43:29 +0100 From: Volker User-Agent: Thunderbird 1.5.0.5 (Windows/20060719) MIME-Version: 1.0 References: <1162836051.23997.7.camel@beastie.mra.co.id> <6e6841490611071140u486d550bn8d3f3f0c40b6fd9@mail.gmail.com> <6e6841490611071141u2f1ad06apaa4542a94f8b786b@mail.gmail.com> <1163010356.1504.46.camel@beastie.mra.co.id> <455321A2.6090606@vwsoft.com> In-Reply-To: <455321A2.6090606@vwsoft.com> X-Enigmail-Version: 0.94.0.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-VWSoft-MailScanner: Found to be clean X-MailScanner-From: volker@vwsoft.com X-ipactive-MailScanner-Information: Please contact the ISP for more information X-ipactive-MailScanner: Found to be clean X-ipactive-MailScanner-From: volker@vwsoft.com Cc: "FreeBSD \(PF\)" Subject: Re: pf.conf + altq problem X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about 
packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Nov 2006 15:57:21 -0000 On 2006-11-09 13:40, Volker wrote: > As $lan is 172.16/24 rule number 3 (which goes to queue dflt_out) > catches all the packets you're wanting for queue int_out. > Sorry, I've been wrong as there's no 'quick' keyword being used so I was wrong. Please forget my posting. From owner-freebsd-pf@FreeBSD.ORG Fri Nov 10 12:04:56 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2158B16A416 for ; Fri, 10 Nov 2006 12:04:56 +0000 (UTC) (envelope-from mime@traveller.cz) Received: from nxm.secservers.com (nxm.secservers.com [193.85.228.22]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7F9CF43D45 for ; Fri, 10 Nov 2006 12:04:55 +0000 (GMT) (envelope-from mime@traveller.cz) Received: from [127.0.0.1] (nxm.secservers.com. 
[193.85.228.22]) by nxm.secservers.com (8.13.4/8.13.4) with ESMTP id kAAC4pRs085596; Fri, 10 Nov 2006 13:04:52 +0100 (CET) (envelope-from mime@traveller.cz) From: Michal Mertl To: Muhammad Reza In-Reply-To: <1163010356.1504.46.camel@beastie.mra.co.id> References: <1162836051.23997.7.camel@beastie.mra.co.id> <6e6841490611071140u486d550bn8d3f3f0c40b6fd9@mail.gmail.com> <6e6841490611071141u2f1ad06apaa4542a94f8b786b@mail.gmail.com> <1163010356.1504.46.camel@beastie.mra.co.id> Content-Type: text/plain Date: Fri, 10 Nov 2006 13:04:46 +0100 Message-Id: <1163160286.5022.19.camel@genius.i.cz> Mime-Version: 1.0 X-Mailer: Evolution 2.8.1.1 FreeBSD GNOME Team Port Content-Transfer-Encoding: 7bit Cc: "FreeBSD \(PF\)" Subject: Re: pf.conf + altq problem X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Nov 2006 12:04:56 -0000

Muhammad Reza wrote:
> still not work with pass in rule.
>
> add info with this rule set:
>
> altq on xl1 bandwidth 100% cbq queue {int_out,dflt_out}
> queue int_out bandwidth 3Mb
> queue dflt_out bandwidth 16Kb cbq (default)
>
> altq on xl2 bandwidth 100% cbq queue {int_in,dflt_in}
> queue int_in bandwidth 3Mb
> queue dflt_in bandwidth 16Kb cbq (default)
>
> pass out log on xl1 from 172.16.0.228 to 202.57.14.1 keep state flags
> S/SA queue (int_out)
> pass out log on xl2 from 202.57.14.1 to 172.16.0.228 keep state flags
> S/SA queue (int_in)
>
> if i only enabled altq on in one interface only (xl1 or xl2) , traffic
> limitation that i want is can be done.
>
> Is there something that can be done with ALTQ and PF or my rule is
> bad ???

The rules above (for TCP) do not match the traffic from both directions of a single TCP connection - "flags S/SA" matches just the first packet of the TCP session initiated by the source address (on the left). They limit only one direction of connections initiated from either of the addresses.

Try removing "flags S/SA".

Michal

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 10 23:10:34 2006 Return-Path: X-Original-To: freebsd-pf@hub.freebsd.org Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A366216A49E; Fri, 10 Nov 2006 23:10:34 +0000 (UTC) (envelope-from mlaier@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3E05943D98; Fri, 10 Nov 2006 23:10:23 +0000 (GMT) (envelope-from mlaier@FreeBSD.org) Received: from freefall.freebsd.org (mlaier@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id kAANA7Zx030606; Fri, 10 Nov 2006 23:10:07 GMT (envelope-from mlaier@freefall.freebsd.org) Received: (from mlaier@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id kAANA7ZF030602; Fri, 10 Nov 2006 23:10:07 GMT (envelope-from mlaier) Date: Fri, 10 Nov 2006 23:10:07 GMT From: Max Laier Message-Id: <200611102310.kAANA7ZF030602@freefall.freebsd.org> To: fb@crou.net, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org Cc: Subject: Re: kern/86072: [pf] Packet Filter rule not working properly (with SYNPROXY option) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Nov 2006 23:10:34 -0000

Synopsis: [pf] Packet Filter rule not working properly (with SYNPROXY option)

State-Changed-From-To: feedback->closed
State-Changed-By: mlaier
State-Changed-When: Fri Nov 10 23:09:00 UTC 2006
State-Changed-Why:
Time out after almost five months in feedback. Sorry.
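The ALTQ thread above leaves two points worth seeing side by side: Michal's observation that "flags S/SA" matches only the initial SYN of a connection opened from the rule's source address, and Volker's retracted worry that the earlier "pass out on xl1 from $lan to any" rule catches the packets meant for the queue rule (it does not, because pf's last matching rule wins unless a rule carries "quick"). The Python below is an added example, not code from pf, FreeBSD or any poster in the thread: a toy model of pf rule lookup that reproduces both points on Reza's rule sets. It models rule evaluation only; the state table that "keep state" builds and the ALTQ queues themselves are outside the model, and the packets it runs are constructed for the example.

```python
"""Toy model of pf rule lookup: what "flags S/SA" matches, and how the
last-matching-rule-wins / "quick" logic picks the winning rule.

Added example for the thread above; not code from pf, FreeBSD or any poster.
Only rule lookup is modelled: the state table that "keep state" builds and
the ALTQ queues themselves are out of scope. Packets below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str      # "in" or "out"
    src: str
    dst: str
    flags: str          # TCP flags as pf prints them: "S", "SA", "A", ...


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # None: rule has no in/out, matches both
    iface: Optional[str] = None       # None: rule has no "on", matches any
    src: str = "any"                  # host, CIDR network or "any"
    dst: str = "any"
    flags: Optional[str] = None       # pf syntax "a/b", e.g. "S/SA"
    quick: bool = False
    queue: Optional[str] = None       # None: packet goes to the default queue


def addr_match(spec: str, addr: str) -> bool:
    """pf address match: 'any', a single host or a CIDR network."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def flags_match(pkt_flags: str, spec: str) -> bool:
    """pf 'flags a/b': of the flags listed in b, exactly those in a must be
    set. 'S/SA' therefore matches a bare SYN but not SYN-ACK or ACK."""
    want, mask = spec.split("/")
    return all((f in pkt_flags) == (f in want) for f in mask)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.direction is None or rule.direction == pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface)
            and addr_match(rule.src, pkt.src)
            and addr_match(rule.dst, pkt.dst)
            and (rule.flags is None or flags_match(pkt.flags, rule.flags)))


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """pf rule lookup: the LAST matching rule wins, unless a matching rule
    is 'quick', which stops the search at once. None: nothing matched."""
    winner = None
    for rule in rules:
        if rule_matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner


SERVER, PEER, LAN = "172.16.0.228", "202.57.14.1", "172.16.0.0/24"

# Reza's second rule set, reduced to the fields the model understands.
REZA_RULES = [
    Rule("pass", "out", "xl1", SERVER, PEER, flags="S/SA", queue="int_out"),
    Rule("pass", "out", "xl2", PEER, SERVER, flags="S/SA", queue="int_in"),
]
# The same rules with "flags S/SA" removed, as Michal suggests.
NO_FLAGS_RULES = [
    Rule("pass", "out", "xl1", SERVER, PEER, queue="int_out"),
    Rule("pass", "out", "xl2", PEER, SERVER, queue="int_in"),
]

# Handshake of a connection the LAN server opens, seen leaving each bridge port.
HANDSHAKE_OUT = [
    Packet("xl1", "out", SERVER, PEER, "S"),    # SYN towards the Internet
    Packet("xl2", "out", PEER, SERVER, "SA"),   # SYN-ACK towards the LAN
    Packet("xl1", "out", SERVER, PEER, "A"),    # final ACK towards the Internet
]


def queues_hit(rules: List[Rule], packets: List[Packet]) -> List[Optional[str]]:
    """Queue named by the winning rule for each packet (None: default queue)."""
    return [(r.queue if r else None) for r in (evaluate(rules, p) for p in packets)]


def first_ruleset(lan_rule_quick: bool) -> List[Rule]:
    """The xl1 part of Reza's first rule set. Volker read rule 3 as catching
    the packets meant for rule 4, then retracted because rule 3 has no
    'quick'; flip the flag to see what 'quick' would have done."""
    return [
        Rule("block", None, "xl1"),
        Rule("pass", "in", "xl1", "any", LAN),
        Rule("pass", "out", "xl1", LAN, "any", quick=lan_rule_quick),
        Rule("pass", "out", "xl1", SERVER, PEER, flags="S/SA", queue="int_out"),
    ]


if __name__ == "__main__":
    print("flags S/SA  :", queues_hit(REZA_RULES, HANDSHAKE_OUT))
    print("no flags    :", queues_hit(NO_FLAGS_RULES, HANDSHAKE_OUT))
    syn = HANDSHAKE_OUT[0]
    print("rule 3 plain:", evaluate(first_ruleset(False), syn).queue)
    print("rule 3 quick:", evaluate(first_ruleset(True), syn).queue)
```

With "flags S/SA" in place only the SYN leaving xl1 hits a queue rule: the SYN-ACK leaving xl2 has A set, so the xl2 rule never matches any packet of a connection the LAN server opened, which is Michal's point. Without the flags the xl2 rule matches the SYN-ACK as well. For the first rule set, rule 4 wins over rule 3 because it comes later; only with "quick" on rule 3 would the packet be left to the default queue, which is why Volker withdrew his remark. In real pf, packets after the one that created a state are matched against the state rather than the rules, so the model shows only which rule each packet would hit at rule-lookup time.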
http://www.freebsd.org/cgi/query-pr.cgi?pr=86072 From owner-freebsd-pf@FreeBSD.ORG Fri Nov 10 23:16:36 2006 Return-Path: X-Original-To: freebsd-pf@hub.freebsd.org Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 46CB616A416; Fri, 10 Nov 2006 23:16:36 +0000 (UTC) (envelope-from mlaier@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id E3EAB43D7E; Fri, 10 Nov 2006 23:16:34 +0000 (GMT) (envelope-from mlaier@FreeBSD.org) Received: from freefall.freebsd.org (mlaier@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id kAANGNHY031252; Fri, 10 Nov 2006 23:16:23 GMT (envelope-from mlaier@freefall.freebsd.org) Received: (from mlaier@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id kAANGLlC031236; Fri, 10 Nov 2006 23:16:21 GMT (envelope-from mlaier) Date: Fri, 10 Nov 2006 23:16:21 GMT From: Max Laier Message-Id: <200611102316.kAANGLlC031236@freefall.freebsd.org> To: doconnor@gsoft.com.au, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org Cc: Subject: Re: kern/94992: [pf] [patch] pfctl complains about ALTQ missing X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Nov 2006 23:16:36 -0000 Synopsis: [pf] [patch] pfctl complains about ALTQ missing State-Changed-From-To: open->closed State-Changed-By: mlaier State-Changed-When: Fri Nov 10 23:15:33 UTC 2006 State-Changed-Why: http://www.freebsd.org/cgi/query-pr.cgi?pr=94992 From owner-freebsd-pf@FreeBSD.ORG Fri Nov 10 23:17:02 2006 Return-Path: X-Original-To: freebsd-pf@hub.freebsd.org Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org 
(Postfix) with ESMTP id 5C42316A407; Fri, 10 Nov 2006 23:17:02 +0000 (UTC) (envelope-from mlaier@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1DDC343D5A; Fri, 10 Nov 2006 23:14:42 +0000 (GMT) (envelope-from mlaier@FreeBSD.org) Received: from freefall.freebsd.org (mlaier@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id kAANEg9K031185; Fri, 10 Nov 2006 23:14:42 GMT (envelope-from mlaier@freefall.freebsd.org) Received: (from mlaier@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id kAANBuFH031094; Fri, 10 Nov 2006 23:11:56 GMT (envelope-from mlaier) Date: Fri, 10 Nov 2006 23:11:56 GMT From: Max Laier Message-Id: <200611102311.kAANBuFH031094@freefall.freebsd.org> To: strgout@unixjunkie.com, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org Cc: Subject: Re: conf/81042: [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Nov 2006 23:17:02 -0000 Synopsis: [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4 State-Changed-From-To: open->feedback State-Changed-By: mlaier State-Changed-When: Fri Nov 10 23:11:13 UTC 2006 State-Changed-Why: Should be fixed with pf.os rev. 1.4. Can you please confirm? 
Thanks http://www.freebsd.org/cgi/query-pr.cgi?pr=81042 From owner-freebsd-pf@FreeBSD.ORG Fri Nov 10 23:30:36 2006 Return-Path: X-Original-To: freebsd-pf@hub.freebsd.org Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 08E4A16A403 for ; Fri, 10 Nov 2006 23:30:36 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 01E3343D5F for ; Fri, 10 Nov 2006 23:30:34 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id kAANUYAd032175 for ; Fri, 10 Nov 2006 23:30:34 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id kAANUY2Y032174; Fri, 10 Nov 2006 23:30:34 GMT (envelope-from gnats) Date: Fri, 10 Nov 2006 23:30:34 GMT Message-Id: <200611102330.kAANUY2Y032174@freefall.freebsd.org> To: freebsd-pf@FreeBSD.org From: Max Laier Cc: Subject: Re: kern/94992: [pf] [patch] pfctl complains about ALTQ missing X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Max Laier List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Nov 2006 23:30:36 -0000 The following reply was made to PR kern/94992; it has been noted by GNATS. From: Max Laier To: bug-followup@freebsd.org, doconnor@gsoft.com.au Cc: Subject: Re: kern/94992: [pf] [patch] pfctl complains about ALTQ missing Date: Sat, 11 Nov 2006 00:22:23 +0100 This was meant to say: "This behavior is intentional as the (historical) behavior caused many confused users as well. 
Sorry" From owner-freebsd-pf@FreeBSD.ORG Sat Nov 11 19:07:47 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 68AFF16A500 for ; Sat, 11 Nov 2006 19:07:47 +0000 (UTC) (envelope-from kimimeister@gmail.com) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.169]) by mx1.FreeBSD.org (Postfix) with ESMTP id BF0C243D67 for ; Sat, 11 Nov 2006 19:07:46 +0000 (GMT) (envelope-from kimimeister@gmail.com) Received: by ug-out-1314.google.com with SMTP id o2so695096uge for ; Sat, 11 Nov 2006 11:07:45 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=ef+8SL7ktSYrvLkZQka7M48laiCxgsfuvm74n3k4lAohWNJB09t6/aGmzB1WYfFhIH6QGklXorFOmT2tBRT+FFZUusyhsnceh3VjJUMl28Xm2UneXgCj4yKXWK3s81RKOzdtwamG0Rdt6kplwoKgdLkUGo2S7kk4epSTH20+Re0= Received: by 10.66.242.19 with SMTP id p19mr5427873ugh.1163272065580; Sat, 11 Nov 2006 11:07:45 -0800 (PST) Received: by 10.67.86.17 with HTTP; Sat, 11 Nov 2006 11:07:45 -0800 (PST) Message-ID: <42b497160611111107x3f7e26d0t87a380d58ea2a4fa@mail.gmail.com> Date: Sat, 11 Nov 2006 19:07:45 +0000 From: "Kimi Ostro" To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Subject: (no subject) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 11 Nov 2006 19:07:47 -0000 set help set show -- Kimi From owner-freebsd-pf@FreeBSD.ORG Sat Nov 11 20:08:00 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: 
freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4EA7216A417 for ; Sat, 11 Nov 2006 20:08:00 +0000 (UTC) (envelope-from kimimeister@gmail.com) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.175]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8678E43D77 for ; Sat, 11 Nov 2006 20:07:54 +0000 (GMT) (envelope-from kimimeister@gmail.com) Received: by ug-out-1314.google.com with SMTP id o2so700142uge for ; Sat, 11 Nov 2006 12:07:44 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=D/Y921Ou6u7wNkjdKI5ZD5kjcKRzpJo6DTp5CvsiNxHhLdtWFoSvKHEEwtR94wqTF9H//J31NnCJ9utdHDKVra54bviWwMc8gzp9NyAUqW+kUjgVH5Uq1mdlNJmtCedfcIcCr2XT1g0iA878TQkWZeQstO3CkNvg21/lu3opJHo= Received: by 10.67.26.7 with SMTP id d7mr5488799ugj.1163275663820; Sat, 11 Nov 2006 12:07:43 -0800 (PST) Received: by 10.67.86.17 with HTTP; Sat, 11 Nov 2006 12:07:43 -0800 (PST) Message-ID: <42b497160611111207t2e168afdnba91607fd66371d2@mail.gmail.com> Date: Sat, 11 Nov 2006 20:07:43 +0000 From: "Kimi Ostro" To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Subject: Having a couple of issues X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 11 Nov 2006 20:08:00 -0000 Hi folks, I'm having two issues, first one is lots of these: pf: loose state match: TCP IiP.IiP.IiP.8:52621 XiP.XiP.XiP.199:62555 80.91.229.5:119 [l o=3269014705 high=3269020496 win=32844 modulator=4099273154 wscale=1] [lo=141076 3470 high=1410829151 win=5792 modulator=37226129 wscale=0] 9:4 
R seq=3269014705 ack=1410763470 len=0 ackskew=0 pkts=87:65

sprinkled with a few of these:

pf: BAD state: TCP IiP.IiP.IiP.8:62611 XiP.XiP.XiP.199:58398 83.143.169.1:80 [lo=4085132808 high=4085138601 win=32768 modulator=3334704359 wscale=1] [lo=172073751 high=172139287 win=5792 modulator=2536699106 wscale=2] 4:2 R seq=4085132808 ack=172073751 len=0 ackskew=0 pkts=1:5 dir=out,fwd
pf: State failure on: |

Also my other issue is FTP. I had FTP working before I lost my current ruleset due to a HD crash and decided to use ftp/pftpx from ports.

in /var/log/messages I get a few of these show up:

Nov 11 20:01:36 ehost pftpx[46924]: #157 proxy cannot connect to server 64.39.2.174: Operation not permitted
Nov 11 20:01:36 ehost pftpx[46924]: #158 proxy cannot connect to server 192.35.244.50: Operation not permitted
Nov 11 20:01:38 ehost pftpx[46924]: #163 proxy cannot connect to server 213.135.44.35: Operation not permitted
Nov 11 20:01:38 ehost pftpx[46924]: #164 proxy cannot connect to server 212.14.28.36: Operation not permitted
Nov 11 20:01:39 ehost pftpx[46924]: #165 proxy cannot connect to server 212.101.4.244: Operation not permitted
Nov 11 20:01:39 ehost pftpx[46924]: #166 proxy cannot connect to server 193.206.140.34: Operation not permitted
Nov 11 20:01:40 ehost pftpx[46924]: #167 proxy cannot connect to server 66.98.251.159: Operation not permitted

which I think is related to the next part..

tcpdump -net -s0 -i pflog0 shows the packets blocked.

Can anyone help?
I'm a little rusty :(

--

% cat /etc/pf.conf

ext_if = "tun0"
prv_if = "fxp0"
lpb_if = "lo0"

#set loginterface $prv_if
set state-policy if-bound
#set skip on $lpb_if
#set debug misc

scrub in on $ext_if \
    all \
    min-ttl 100 \
    no-df \
    fragment drop-ovl

scrub out on $ext_if \
    all \
    min-ttl 10 \
    random-id

altq on $ext_if priq bandwidth 1Mb \
    queue { Realtime High AboveNormal Normal BelowNormal Low }
queue Realtime priority 15 priq
queue High priority 12 priq
queue AboveNormal priority 9 priq
queue Normal priority 6 priq( default )
queue BelowNormal priority 3 priq
queue Low priority 0 priq

no nat on $ext_if \
    inet \
    from $prv_if:network \
    to $prv_if:network

nat on $ext_if \
    inet proto { tcp udp } \
    from $prv_if:network \
    to any \
    tag prv_natted \
    -> ($ext_if:0)

nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"

rdr pass on $prv_if \
    inet proto tcp \
    from $prv_if:network \
    to any port = ftp \
    -> $lpb_if:0 port ftp-proxy

block drop log on $ext_if

block return log on ! $ext_if

pass quick on $lpb_if

pass in quick on $prv_if \
    inet proto udp \
    from 0.0.0.0 port dhcpc \
    to 255.255.255.255 port dhcps

pass quick on $prv_if \
    from $prv_if:network \
    to $prv_if:network

pass in on $prv_if \
    inet proto { tcp udp } \
    from $prv_if:network \
    to ! \
    $prv_if:network \
    flags S/SA modulate state

pass out on $ext_if \
    inet proto udp \
    from ($ext_if:0) \
    to any port = domain \
    keep state \
    queue High \
    tagged prv_natted

pass out on $ext_if \
    inet proto udp \
    from ($ext_if:0) \
    to any port = ntp \
    keep state \
    queue High

anchor "pftpx/*"

pass out on $ext_if \
    inet proto tcp \
    from ($ext_if:0) \
    to any port { http https 8008 8080 } \
    flags S/SA modulate state \
    queue Normal \
    tagged prv_natted

pass out on $ext_if \
    inet proto tcp \
    from ($ext_if:0) \
    to any port { 1863 5050 5222:5223 } \
    flags S/SA modulate state \
    queue BelowNormal \
    tagged prv_natted

pass out on $ext_if \
    inet proto tcp \
    from ($ext_if:0) \
    to any port { smtp pop3 imap nntp smtps pop3s imaps nntps } \
    flags S/SA modulate state \
    queue BelowNormal \
    tagged prv_natted

pass out on $ext_if \
    inet proto tcp \
    from ($ext_if:0) \
    to any port { cvsup cvspserver } \
    flags S/SA modulate state \
    queue BelowNormal \
    tagged prv_natted

pass out on $ext_if \
    inet proto tcp \
    from ($ext_if:0) \
    to any port = ssh \
    flags S/SA modulate state \
    queue (BelowNormal High) \
    tagged prv_natted

pass out on $ext_if \
    inet proto tcp \
    from ($ext_if:0) \
    to any \
    flags S/SA modulate state \
    tagged prv_natted

antispoof for { $ext_if $prv_if $lpb_if }

# EOF

Help? I tend to think the real problem is the object between the screen and the chair..
--
Kimi

From owner-freebsd-pf@FreeBSD.ORG Sat Nov 11 22:29:58 2006
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Sat, 11 Nov 2006 23:29:42 +0100
Message-Id: <200611112329.43326.max@love2party.net>
In-Reply-To: <42b497160611111207t2e168afdnba91607fd66371d2@mail.gmail.com>
Subject: Re: Having a couple of issues

On Saturday 11 November 2006 21:07, Kimi Ostro wrote:
> Hi folks,
>
> I'm having two issues, first one is lots of these:
>
> pf: loose state match: TCP IiP.IiP.IiP.8:52621 XiP.XiP.XiP.199:62555 80.91.229.5:119 [lo=3269014705 high=3269020496 win=32844 modulator=4099273154 wscale=1] [lo=1410763470 high=1410829151 win=5792 modulator=37226129 wscale=0] 9:4 R seq=3269014705
> ack=1410763470 len=0 ackskew=0 pkts=87:65
>
> sprinkled with a few of these:
>
> pf: BAD state: TCP IiP.IiP.IiP.8:62611 XiP.XiP.XiP.199:58398 83.143.169.1:80 [lo=4085132808 high=4085138601 win=32768 modulator=3334704359 wscale=1] [lo=172073751 high=172139287 win=5792 modulator=2536699106 wscale=2] 4:2 R seq=4085132808 ack=172073751 len=0 ackskew=0 pkts=1:5 dir=out,fwd
> pf: State failure on: |

You get these when there is something strange going on in your tcp-stack. It means that your tcp stack and pf disagree about something in the tcp exchange. Unfortunately, the message you are quoting (in part) is not really telling us which part the disagreement was about. Can you look for messages that have "State failure on: some number" in them?

> Also my other issue is FTP. I had FTP working before I lost my current
> ruleset due to a HD crash and decided to use ftp/pftpx from ports.
>
> in /var/log/messages I get a few of these show up:
>
> Nov 11 20:01:36 ehost pftpx[46924]: #157 proxy cannot connect to
> server 64.39.2.174: Operation not permitted
> Nov 11 20:01:36 ehost pftpx[46924]: #158 proxy cannot connect to
> server 192.35.244.50: Operation not permitted
> Nov 11 20:01:38 ehost pftpx[46924]: #163 proxy cannot connect to
> server 213.135.44.35: Operation not permitted
> Nov 11 20:01:38 ehost pftpx[46924]: #164 proxy cannot connect to
> server 212.14.28.36: Operation not permitted
> Nov 11 20:01:39 ehost pftpx[46924]: #165 proxy cannot connect to
> server 212.101.4.244: Operation not permitted
> Nov 11 20:01:39 ehost pftpx[46924]: #166 proxy cannot connect to
> server 193.206.140.34: Operation not permitted
> Nov 11 20:01:40 ehost pftpx[46924]: #167 proxy cannot connect to
> server 66.98.251.159: Operation not permitted
>
> which I think is related to the next part..
>
> tcpdump -net -s0 -i pflog0 shows the packets blocked.
>
> Can anyone help?
> I'm a little rusty :(
>
> --
>
> % cat /etc/pf.conf
>
> ext_if = "tun0"
> prv_if = "fxp0"
> lpb_if = "lo0"
>
> #set loginterface $prv_if
> set state-policy if-bound
> #set skip on $lpb_if
> #set debug misc
>
> scrub in on $ext_if \
>     all \
>     min-ttl 100 \
>     no-df \
>     fragment drop-ovl
>
> scrub out on $ext_if \
>     all \
>     min-ttl 10 \
>     random-id
>
> altq on $ext_if priq bandwidth 1Mb \
>     queue { Realtime High AboveNormal Normal BelowNormal Low }
> queue Realtime priority 15 priq
> queue High priority 12 priq
> queue AboveNormal priority 9 priq
> queue Normal priority 6 priq( default )
> queue BelowNormal priority 3 priq
> queue Low priority 0 priq
>
> no nat on $ext_if \
>     inet \
>     from $prv_if:network \
>     to $prv_if:network
>
> nat on $ext_if \
>     inet proto { tcp udp } \
>     from $prv_if:network \
>     to any \
>     tag prv_natted \
>     -> ($ext_if:0)
>
> nat-anchor "pftpx/*"
> rdr-anchor "pftpx/*"
>
> rdr pass on $prv_if \
>     inet proto tcp \
>     from $prv_if:network \
>     to any port = ftp \
>     -> $lpb_if:0 port ftp-proxy
>
> block drop log on $ext_if
>
> block return log on ! $ext_if
>
> pass quick on $lpb_if
>
> pass in quick on $prv_if \
>     inet proto udp \
>     from 0.0.0.0 port dhcpc \
>     to 255.255.255.255 port dhcps
>
> pass quick on $prv_if \
>     from $prv_if:network \
>     to $prv_if:network
>
> pass in on $prv_if \
>     inet proto { tcp udp } \
>     from $prv_if:network \
>     to ! \
>     $prv_if:network \
>     flags S/SA modulate state
>
> pass out on $ext_if \
>     inet proto udp \
>     from ($ext_if:0) \
>     to any port = domain \
>     keep state \
>     queue High \
>     tagged prv_natted
>
> pass out on $ext_if \
>     inet proto udp \
>     from ($ext_if:0) \
>     to any port = ntp \
>     keep state \
>     queue High
>
> anchor "pftpx/*"
>
> pass out on $ext_if \
>     inet proto tcp \
>     from ($ext_if:0) \
>     to any port { http https 8008 8080 } \
>     flags S/SA modulate state \
>     queue Normal \
>     tagged prv_natted
>
> pass out on $ext_if \
>     inet proto tcp \
>     from ($ext_if:0) \
>     to any port { 1863 5050 5222:5223 } \
>     flags S/SA modulate state \
>     queue BelowNormal \
>     tagged prv_natted
>
> pass out on $ext_if \
>     inet proto tcp \
>     from ($ext_if:0) \
>     to any port { smtp pop3 imap nntp smtps pop3s imaps nntps } \
>     flags S/SA modulate state \
>     queue BelowNormal \
>     tagged prv_natted
>
> pass out on $ext_if \
>     inet proto tcp \
>     from ($ext_if:0) \
>     to any port { cvsup cvspserver } \
>     flags S/SA modulate state \
>     queue BelowNormal \
>     tagged prv_natted
>
> pass out on $ext_if \
>     inet proto tcp \
>     from ($ext_if:0) \
>     to any port = ssh \
>     flags S/SA modulate state \
>     queue (BelowNormal High) \
>     tagged prv_natted
>
> pass out on $ext_if \
>     inet proto tcp \
>     from ($ext_if:0) \
>     to any \
>     flags S/SA modulate state \
>     tagged prv_natted
>
> antispoof for { $ext_if $prv_if $lpb_if }
>
> # EOF
>
> Help? I tend to think the real problem is the object between the
> screen and the chair..
From owner-freebsd-pf@FreeBSD.ORG Sat Nov 11 23:04:30 2006
From: "Kimi Ostro"
To: freebsd-pf@freebsd.org
Date: Sat, 11 Nov 2006 23:04:25 +0000
Message-ID: <42b497160611111504q3a287bf9qa439e62deac62c36@mail.gmail.com>
In-Reply-To: <200611112329.43326.max@love2party.net>
Subject: Re: Having a couple of issues
X-List-Received-Date:
Sat, 11 Nov 2006 23:04:30 -0000

On 11/11/06, Max Laier wrote:
> On Saturday 11 November 2006 21:07, Kimi Ostro wrote:
> You get these when there is something strange going on in your tcp-stack. It
> means that your tcp stack and pf disagree about something in the tcp
> exchange. Unfortunately, the message you are quoting (in part) is not really
> telling us which part the disagreement was about. Can you look for messages
> that have "State failure on: some number" in them?
>

All of those "State failure on:" messages are like this:

Nov 10 15:40:24 ehost kernel: pf: State failure on: |

which doesn't help I guess?

more here:

Nov 10 15:40:24 ehost kernel: pf: BAD state: TCP IiP.IiP.IiP.8:54188 XiP.XiP.XiP.199:56092 66.35.250.150:80 [lo=3278961269 high=3278967062 win=32768 modulator=2503785894 wscale=1] [lo=164575658 high=164641194 win=5792 modulator=2389911175 wscale=2] 4:2 R seq=3278961269 ack=164575658 len=0 ackskew=0 pkts=1:4 dir=out,fwd
Nov 10 15:40:24 ehost kernel: pf: State failure on: |
Nov 10 15:40:25 ehost kernel: pf: BAD state: TCP IiP.IiP.IiP.8:62611 XiP.XiP.XiP.199:58398 66.35.250.150:80 [lo=4085132808 high=4085138601 win=32768 modulator=3334704359 wscale=1] [lo=172073751 high=172139287 win=5792 modulator=2536699106 wscale=2] 4:2 R seq=4085132808 ack=172073751 len=0 ackskew=0 pkts=1:4 dir=out,fwd
Nov 10 15:40:25 ehost kernel: pf: State failure on: |
Nov 10 15:40:48 ehost kernel: pf: BAD state: TCP IiP.IiP.IiP.8:54188 XiP.XiP.XiP.199:56092 66.35.250.150:80 [lo=3278961269 high=3278967062 win=32768 modulator=2503785894 wscale=1] [lo=164575658 high=164641194 win=5792 modulator=2389911175 wscale=2] 4:2 R seq=3278961269 ack=164575658 len=0 ackskew=0 pkts=1:5 dir=out,fwd
Nov 10 15:40:48 ehost kernel: pf: State failure on: |
Nov 10 15:40:49 ehost kernel: pf: BAD state: TCP IiP.IiP.IiP.8:62611 XiP.XiP.XiP.199:58398 66.35.250.150:80 [lo=4085132808 high=4085138601 win=32768 modulator=3334704359 wscale=1] [lo=172073751 high=172139287 win=5792
modulator=2536699106 wscale=2] 4:2 R seq=4085132808 ack=172073751 len=0 ackskew=0 pkts=1:5 dir=out,fwd
Nov 10 15:40:49 ehost kernel: pf: State failure on: |

oh I forgot dmesg:

Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD 6.1-STABLE #1: Fri Jun 16 13:03:02 BST 2006
    root@ehost:/usr/obj/usr/src/sys/EHOST
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Pentium II/Pentium II Xeon/Celeron (448.05-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0x652  Stepping = 2
  Features=0x183f9ff
real memory  = 201326592 (192 MB)
avail memory = 191696896 (182 MB)
acpi0: on motherboard
acpi: bad write to port 0x070 (8), val 0x31
acpi: bad read from port 0x071 (8)
acpi: bad write to port 0x070 (8), val 0x30
acpi: bad read from port 0x071 (8)
acpi: bad write to port 0x070 (8), val 0x31
acpi: bad read from port 0x071 (8)
acpi: bad write to port 0x070 (8), val 0x30
acpi: bad read from port 0x071 (8)
Timecounter "ACPI-safe" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0xf808-0xf80b on acpi0
cpu0: on acpi0
acpi_throttle0: on cpu0
pcib0: port 0xcf8-0xcff on acpi0
pci0: on pcib0
pcib1: at device 1.0 on pci0
pci1: on pcib1
pci1: at device 0.0 (no driver attached)
vr0: port 0x2400-0x247f mem 0x42100000-0x4210007f irq 11 at device 14.0 on pci0
miibus0: on vr0
amphy0: on miibus0
amphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
vr0: Ethernet address: 00:50:ba:e5:ea:e6
fxp0: port 0x2000-0x203f mem 0x42200000-0x42200fff,0x42000000-0x420fffff irq 11 at device 15.0 on pci0
miibus1: on fxp0
inphy0: on miibus1
inphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp0: Ethernet address: 00:90:27:90:b1:31
isab0: at device 20.0 on pci0
isa0: on isab0
atapci0: port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0x24a0-0x24af at device 20.1 on pci0
ata0: on atapci0
ata1: on atapci0
pci0: at device 20.2 (no driver
attached)
pci0: at device 20.3 (no driver attached)
acpi_button0: on acpi0
atkbdc0: port 0x60,0x64 irq 1 on acpi0
atkbd0: irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
pmtimer0 on isa0
orm0: at iomem 0xc0000-0xc7fff,0xc8000-0xc8fff,0xe0000-0xe7fff on isa0
sc0: at flags 0x100 on isa0
sc0: VGA <12 virtual consoles, flags=0x300>
vga0: at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounter "TSC" frequency 448054799 Hz quality 800
Timecounters tick every 1.000 msec
ad0: FAILURE - SETFEATURES SET TRANSFER MODE status=51 error=4
ad0: 405MB at ata0-master PIO3
Trying to mount root from ufs:/dev/ad0s1a
WARNING: / was not properly dismounted
fxp0: Microcode loaded, int_delay: 1000 usec bundle_max: 6
fxp0: Microcode loaded, int_delay: 1000 usec bundle_max: 6
pf: started
altq: started

--
Kimi

From owner-freebsd-pf@FreeBSD.ORG Sat Nov 11 23:24:26 2006
From: Daniel Hartmeier
To: Kimi Ostro
Date: Sun, 12 Nov 2006 00:24:25 +0100
Message-ID: <20061111232425.GO6819@insomnia.benzedrine.cx>
References: <42b497160611111207t2e168afdnba91607fd66371d2@mail.gmail.com>
    <200611112329.43326.max@love2party.net>
    <42b497160611111504q3a287bf9qa439e62deac62c36@mail.gmail.com>
In-Reply-To: <42b497160611111504q3a287bf9qa439e62deac62c36@mail.gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Having a couple of issues

On Sat, Nov 11, 2006 at 11:04:25PM +0000, Kimi Ostro wrote:
> All of those "State failure on:" messages are like this:
>
> Nov 10 15:40:24 ehost kernel: pf: State failure on: |
>
> which doesn't help I guess?
>
> more here:
>
> Nov 10 15:40:24 ehost kernel: pf: BAD state: TCP IiP.IiP.IiP.8:54188
> XiP.XiP.XiP.199:56092 66.35.250.150:80 [lo=3278961269 high=3278967062
> win=32768 modulator=2503785894 wscale=1] [lo=164575658 high=164641194
> win=5792 modulator=2389911175 wscale=2] 4:2 R seq=3278961269
> ack=164575658 len=0 ackskew=0 pkts=1:4 dir=out,fwd
> Nov 10 15:40:24 ehost kernel: pf: State failure on: |

These are caused by an off-by-one in pf's state tracking for one special case: when an RST is sent during the handshake (i.e. SYN, SYN+ACK, RST), pf compares the sequence number in the RST exactly, and is off by one, blocking the RST.

This is recognizable by the strange "State failure on:" line with no digits (the digit(s) indicate the reason why the state match failed; in this specific case, and this case only, there is no digit printed).

It was recently fixed in OpenBSD, IIRC post-4.0. The fix is easy to port. But I have to wonder why this shows up repeatedly just now.

Who are those clients aborting their handshake with RST, and why are they doing it?
If the RST is properly passed, it's not like you end up with a working connection, it's aborted. And if they don't intend to complete the handshake, why start it? Some silly form of port scanning? WTF? :)

Daniel

From owner-freebsd-pf@FreeBSD.ORG Sat Nov 11 23:27:43 2006
From: Daniel Hartmeier
To: Kimi Ostro
Cc: freebsd-pf@freebsd.org
Date: Sun, 12 Nov 2006 00:27:39 +0100
Message-ID: <20061111232739.GP6819@insomnia.benzedrine.cx>
In-Reply-To: <20061111232425.GO6819@insomnia.benzedrine.cx>
Subject: Re: Having a couple of issues
The diff, in case you want to apply it manually, is

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c.diff?r1=1.514&r2=1.515&f=h

Subject: CVS: cvs.openbsd.org: src
From: Markus Friedl
To: source-changes@cvs.openbsd.org
Date: Mon, 18 Sep 2006 03:53:05 -0600 (MDT)

CVSROOT:        /cvs
Module name:    src
Changes by:     markus@cvs.openbsd.org  2006/09/18 03:53:05

Modified files:
        sys/net        : pf.c

Log message:
allow RST from TCP client, even if client does not send data after SYN;
ok frantzen, dhartmei, henning

From owner-freebsd-pf@FreeBSD.ORG Sat Nov 11 23:39:23 2006
From: "Kimi Ostro"
To: freebsd-pf@freebsd.org
Date: Sat, 11 Nov 2006 23:38:53 +0000
Message-ID: <42b497160611111538g6e07d972r5d0d6a577e43efc4@mail.gmail.com>
In-Reply-To:
    <20061111232425.GO6819@insomnia.benzedrine.cx>
Subject: Re: Having a couple of issues

Hello,

On 11/11/06, Daniel Hartmeier wrote:
>
> These are caused by an off-by-one in pf's state tracking for one special
> case: when an RST is sent during the handshake (i.e. SYN, SYN+ACK, RST),
> pf compares the sequence number in the RST exactly, and is off by one,
> blocking the RST.
>
> This is recognizable by the strange "State failure on:" line with no
> digits (the digit(s) indicate the reason why the state match failed, in
> this specific case, and this case only, there is no digit printed).
>
> It was recently fixed in OpenBSD, IIRC post-4.0. The fix is easy to
> port. But I have to wonder why this shows up repeatedly just now.
>
> Who are those clients aborting their handshake with RST, and why are
> they doing it? If the RST is properly passed, it's not like you end up
> with a working connection, it's aborted. And if they don't intend to
> complete the handshake, why start it? Some silly form of port scanning?
> WTF? :)
>
> Daniel
>

The clients are users of FreeBSD, KDE and Mozilla Firefox. So I guess it is harmless? Am I the only one to have this issue?? I did not find much about it.

Think I should have started two threads, another one for the FTP/pftpx problem, silly me.

Thank you both!

--
Kimi
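Daniel's explanation of the off-by-one and the commit message he points to, as an added example that is neither pf's code nor anything posted in this thread: a cut-down C model of pf's sequence tracking for the SYN, SYN+ACK, RST case. Names follow pf's struct pf_state_peer, the ISNs are constructed so that the lo/high values come out as in the BAD state line with lo=4085132808, the window arithmetic is simplified, and rst_allowed_fixed() is this model's reading of the OpenBSD change rather than a quote of it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example for this thread, not pf's own code: a cut-down model of pf's
 * sequence tracking for the case Daniel describes (client SYN, server SYN+ACK,
 * client RST, no data in between). Names follow pf's struct pf_state_peer; the
 * window arithmetic is simplified, and rst_allowed_fixed() is this model's
 * reading of the OpenBSD change, not a quote of it. */

#define SEQ_GEQ(a, b)  ((int32_t)((a) - (b)) >= 0)
#define MAXACKWINDOW   (0xffff + 1500)      /* pf's constant: 64k plus one MTU */

/* seqlo: where pf expects this side's next data to start; seqhi: upper edge of
 * what the peer accepts from this side; max_win/wscale: as advertised. */
struct side { uint32_t seqlo, seqhi, max_win; int wscale; };
struct tcp_state { struct side client, server; };

/* The client SYN creates the state with seqlo = the SYN's own number (ISN).
 * The SYN consumes one number, so the client's next segment carries ISN + 1,
 * but seqlo only advances once a client segment *with data* passes. */
static void client_syn(struct tcp_state *st, uint32_t isn, uint32_t win, int wscale)
{
    st->client.seqlo = isn;
    st->client.seqhi = isn + 1 + 1;     /* end of SYN + MAX(1, unknown peer window) */
    st->client.max_win = win;
    st->client.wscale = wscale;
}

/* The server SYN+ACK goes through the state check, so its seqlo is advanced
 * past its SYN, and its ACK slides the client's seqhi to ack + window (SYN
 * windows are never scaled, hence high = lo + 1 + 5792 in the log). */
static void server_synack(struct tcp_state *st, uint32_t isn, uint32_t ack, uint32_t win)
{
    st->server.seqlo = isn + 1;
    st->server.seqhi = isn + 1 + (st->client.max_win << st->client.wscale);
    st->server.max_win = win;
    if (SEQ_GEQ(ack + win, st->client.seqhi))
        st->client.seqhi = ack + win;
}

/* The six window checks pf prints as digits after "State failure on:" (blank =
 * passed). A segment without data is first eased to seq = seqlo, which is also
 * why the BAD state line prints seq equal to lo. The RST check is not one of
 * the six, so an RST rejected only by it leaves the line with no digits. */
static void failure_reasons(const struct tcp_state *st, uint32_t rst_ack, char out[16])
{
    const struct side *src = &st->client, *dst = &st->server;
    uint32_t seq = src->seqlo, end = seq;           /* eased: RST carries no data */
    int32_t ackskew = (int32_t)(dst->seqlo - rst_ack);
    snprintf(out, 16, "%c %c %c %c | %c %c",
        SEQ_GEQ(src->seqhi, end) ? ' ' : '1',
        SEQ_GEQ(seq, src->seqlo - dst->max_win) ? ' ' : '2',
        ackskew >= -MAXACKWINDOW ? ' ' : '3',
        ackskew <= MAXACKWINDOW ? ' ' : '4',
        SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ? ' ' : '5',
        SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ? ' ' : '6');
}

/* Pre-fix rule: the RST's original sequence number must equal seqlo exactly. */
static int rst_allowed_exact(const struct tcp_state *st, uint32_t rst_seq)
{
    return rst_seq == st->client.seqlo;
}

/* Post-fix rule: also accept a number one off in either direction. */
static int rst_allowed_fixed(const struct tcp_state *st, uint32_t rst_seq)
{
    uint32_t lo = st->client.seqlo;
    return rst_seq == lo || rst_seq == lo + 1 || rst_seq + 1 == lo;
}

/* Replay the exchange behind the thread's BAD state line with lo=4085132808;
 * the ISNs are constructed so that lo/high on both sides come out as in the log. */
static void replay_thread_case(struct tcp_state *st, char reasons[16])
{
    memset(st, 0, sizeof *st);
    client_syn(st, 4085132808u, 32768, 1);             /* client ISN, win 32768, wscale 1 */
    server_synack(st, 172073750u, 4085132809u, 5792);  /* server ISN, acks ISN + 1 */
    failure_reasons(st, 172073751u, reasons);          /* client RST acking the SYN+ACK */
}
```

With these inputs replay_thread_case() leaves the client side at lo=4085132808 high=4085138601 and the server side at lo=172073751 high=172139287 as in the log, the reason string contains no digits, and an RST carrying ISN + 1 (4085132809) is rejected by rst_allowed_exact() but accepted by rst_allowed_fixed().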