From owner-freebsd-pf@FreeBSD.ORG Sun Nov 12 00:16:07 2006
From: Daniel Hartmeier
To: Kimi Ostro
Cc: freebsd-pf@freebsd.org
Date: Sun, 12 Nov 2006 01:15:42 +0100
Message-ID: <20061112001542.GQ6819@insomnia.benzedrine.cx>
In-Reply-To: <42b497160611111538g6e07d972r5d0d6a577e43efc4@mail.gmail.com>
Subject: Re: Having a couple of issues
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Sat, Nov 11, 2006 at 11:38:53PM +0000, Kimi Ostro wrote:

> The clients are users of FreeBSD, KDE and Mozilla Firefox.
>
> So I guess it is harmless? Am I the only one to have this issue?? I
> did not find much about it.

I'd say it's harmless. It could be interesting to find out why this
just popped up now, after having been undetected for years before.

I'm just curious about why a client would do that. Maybe it is somehow
related to how client stacks react to running out of source ports under
high connection establishment rates. Something like dropping one tcpcb
that is not yet fully established to free up a port for another new
connection? And generating a RST to the peer of the dropped tcpcb? Has
something like that been added or enabled by default recently in
FreeBSD?

Daniel

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 13 09:15:49 2006
From: "Gloomy Group"
To: freebsd-pf@freebsd.org
Date: Mon, 13 Nov 2006 08:01:59 +0000
Subject: Traffic shaping with pf hfsc and prioritizing based on group

Hi,

As I'm new to packet filter I would like to get some help in setting my
configuration for bandwidth shaping with altq hfsc. Below will be my
network layout:

  VSAT for uplink only
          |
        Router
          |
  -|------Normal Switch------------------|
   |                                     |
  DVB for downlink                 rl0 interface
                                         |
                              Freebsd shaper/gateway
                                         |
                                   rl1 interface
                                         |
                                       Switch
  |---------------------|---------|---------|-------------------|
  Dialup users   Cable users   webserver   proxy servers   Wireless users

What I want to do here is rl0 interface will be used for shaping uplink
traffic whereas rl1 interface will shape only downlink traffic to my
network group. Cable users will get higher priority than wireless
users.

Has anyone got sample configuration with this network layout?
From owner-freebsd-pf@FreeBSD.ORG Mon Nov 13 11:08:30 2006
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 13 Nov 2006 11:08:28 GMT
Message-Id: <200611131108.kADB8Svb091514@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o sparc/93530  pf         Incorrect checksums when using pf's route-to on sparc6

3 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
f conf/81042   pf         [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o kern/93825   pf         [pf] pf reply-to doesn't work
o kern/103304  pf         pf accepts nonexistent queue in rules

3 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 14 03:59:09 2006
From: Joe Holden
To: freebsd-pf@freebsd.org
Date: Tue, 14 Nov 2006 03:59:04 +0000
Message-ID: <45593F08.9060708@joeholden.co.uk>
Subject: Source routing (Policy routing)

Hi all,

I'm having a little trouble trying to do the equivalent of ipfw fwd in
my pf ruleset (I've moved everything else from ipfw and it works great),
however after much googling I'm still not sure of the proper
syntax/ruleset.

Basically, I have interface1, with a routable IP on; an openvpn
connection goes out via that and creates tun0, which has another
routable IP on. However, I want to be able to send traffic from my end
of the openvpn tunnel back via the tunnel; however, I've tried all
combinations of route-to, reply-to, even copied other people's rulesets
to the "space," to no avail...

Is anyone able to give me any pointers on this? I'm using -CURRENT as of
this morning.

(I originally moved from ipfw as it is still unusable as far as ipv6
goes)

TIA,
Joe

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 15 06:37:57 2006
From: "dll ......."
To: freebsd-pf@freebsd.org
Date: Wed, 15 Nov 2006 06:37:56 +0000
Subject: how to limit bandwidth for incoming traffic that has destination to gateway itself

With my current pf.conf I can limit bandwidth from external to internal
network but I can't limit bandwidth from external to gateway (i.e.
connections created by the gateway itself). Sorry for my English.

This is my pf.conf:

ext_if="tun0"
int_if="rl1"
std_ports="{ ftp, http, https }"
iac_ports="{ 1863, 6111:6119 }"

table { self }
table { !self , !$int_if:network , 0.0.0.0/0 }

set skip on lo0
set limit states 30000
set optimization normal

scrub all reassemble tcp

altq on $ext_if cbq bandwidth 512Kb queue { ack_out, dns_out, iac_out, std_out, p2p_out }
queue ack_out bandwidth 10% priority 7 cbq(borrow)
queue dns_out bandwidth 10% priority 5 cbq(borrow)
queue iac_out bandwidth 20% priority 3 cbq(borrow)
queue std_out bandwidth 40% priority 2 cbq(borrow)
queue p2p_out bandwidth 20% priority 0 cbq(default ,borrow)

altq on $int_if cbq bandwidth 100Mb queue { loc_in, ext_in }
queue loc_in bandwidth 99Mb priority 5 cbq(borrow)
queue ext_in bandwidth 1Mb priority 1 { iac_in, std_in, p2p_in }
queue iac_in bandwidth 20% priority 5 cbq(borrow)
queue std_in bandwidth 50% priority 3 cbq(borrow)
queue p2p_in bandwidth 30% priority 0 cbq(default, rio ,borrow)

nat on $ext_if from $int_if:network to tag INT_NAT -> ($ext_if)

block log all
antispoof quick for $int_if

pass in on $int_if from $int_if:network to flags S/SAFR keep state queue p2p_in
pass in on $int_if proto tcp from $int_if:network to port $std_ports flags S/SAFR keep state queue std_in
pass in on $int_if proto tcp from $int_if:network to port $iac_ports flags S/SAFR keep state queue iac_in

pass out on $ext_if from to flags S/SAFR modulate state queue(p2p_out, ack_out)
pass out on $ext_if proto tcp from to port $std_ports flags S/SAFR modulate state queue(std_out, ack_out)
pass out on $ext_if proto tcp from to port ssh flags S/SAFR modulate state queue(std_out, iac_out)
pass out on $ext_if proto tcp from to port $iac_ports flags S/SAFR modulate state queue(iac_out, ack_out)

Is there something wrong with this pf.conf?

Help me please. Thanks,
dll

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 15 13:05:30 2006
From: Ermal Luçi
To: freebsd-pf@freebsd.org
Date: Wed, 15 Nov 2006 13:26:09 +0100
Message-ID: <9a542da30611150426qf6bb79cu6b24fa098088d506@mail.gmail.com>
Subject: Re: how to limit bandwidth for incoming traffic that has destination to gateway itself

You have to change

from:

pass out on $ext_if proto tcp from to port ssh flags S/SAFR modulate state queue(std_out, iac_out)
pass out on $ext_if proto tcp from to port $iac_ports flags S/SAFR modulate state queue(iac_out, ack_out)

to:

pass in on $ext_if proto tcp from to port ssh flags S/SAFR modulate state queue(std_out, iac_out)
pass in on $ext_if proto tcp from to port $iac_ports flags S/SAFR modulate state queue(iac_out, ack_out)

Since you are tracking state with S/SAFR that rule can keep track only of
connections initiated by $gateway itself. If you use "in" it will track
the connections generated by outside peers.

Don't confuse the concept that ALTQ shapes only outgoing connections
with the keep state one.

Hope it helps.

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 15 13:45:13 2006
From: peter@bsdly.net (Peter N. M. Hansteen)
To: freebsd-pf@freebsd.org
Date: Wed, 15 Nov 2006 14:45:10 +0100
Message-ID: <871wo4lt7d.fsf@amidala.datadok.no>
Subject: EuroBSDCon 2006 PF tutorial online

As some of you may be aware, I presented a half day PF tutorial at
EuroBSDCon in Milan. The manuscript is now online in several formats at
http://home.nuug.no/~peter/pf/.

This is a manuscript I've revisited on occasion over roughly the last
two years, intended as a flash intro to the fun and useful things you
can do with PF and related tools, and an ongoing work in progress. I
intend to keep it reasonably up to date and possibly expand it
somewhat.

NOTE: Some of you may have seen this online earlier at bgnett.no. If you
have links pointing to the bgnett.no address, please change them to
point to the new address http://home.nuug.no/~peter/pf/ instead. File
and subdirectory names remain the same.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 15 16:45:32 2006
From: "Dan Langille"
To: freebsd-pf@freebsd.org
Date: Wed, 15 Nov 2006 11:45:23 -0500
Message-ID: <455AFDD3.28719.62D53A13@dan.langille.org>
Subject: state table filled up?

Hi folks,

Last night, FreshPorts et al shut down (in effect). I could still ping
the box, outgoing email arrived overnight, but no incoming connections
worked, e.g. http, smtp, etc. It was as if all incoming connections were
ignored.

I suspect this may have been my state table filling up.

Rather than put my PF rules into the archives, I've posted them where
they'll also be better formatted: have a look at
http://www.langille.org/tmp/pf.rules

Disclosure: I have removed a few rules that relate to non-public
services.

--
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 15 17:11:19 2006
From: Andrei Kolu
To: freebsd-pf@freebsd.org
Date: Wed, 15 Nov 2006 19:10:51 +0200
Message-Id: <200611151910.53727.antik@bsd.ee>
Subject: problems connecting samba shares

Hi!

I am struggling here with PF firewall and just can't connect to any
samba share if PF is enabled:

set block-policy return
set loginterface rl0

scrub in all

block in log all
pass out all keep state

table persist file "/etc/blacklist"

pass inet proto icmp from any to any
antispoof for rl0

pass in on rl0 proto udp from any to (rl0) port 445 keep state
pass in on rl0 proto udp from any to (rl0) port 137 keep state
pass in on rl0 proto udp from any to (rl0) port 138 keep state
pass in on rl0 proto udp from any to (rl0) port 139 keep state
pass in on rl0 proto tcp from any to (rl0) port 22 keep state
pass in on rl0 proto tcp from any to (rl0) port 80 keep state
pass in on rl0 proto tcp from any to (rl0) port 445 keep state
pass in on rl0 proto tcp from any to (rl0) port 137 keep state
pass in on rl0 proto tcp from any to (rl0) port 138 keep state
pass in on rl0 proto tcp from any to (rl0) port 139 keep state

block on rl0 from to any

# tcpdump -n -e -ttt -i pflog0
278062 rule 0/0(match): block in on rl0: 192.168.2.100.137 > 192.168.2.101.53259: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 15 17:15:01 2006
From: "Greg Hennessy"
To: "'Dan Langille'", freebsd-pf@freebsd.org
Date: Wed, 15 Nov 2006 17:14:38 -0000
Message-ID: <000001c708d9$880876d0$0301a8c0@vaio>
In-Reply-To: <455AFDD3.28719.62D53A13@dan.langille.org>
Subject: RE: state table filled up?

> I suspect this may have been my state table filling up.
>

For a high traffic'd internet facing service such as Freshports, running
pfstat, symon or even the pf snmp mibs loaded into something such as
Cacti is not optional.

They would have kept track of firewall state table utilisation over
time.

As a short term measure,

pfctl -si

will tell you how many entries are in the state table.

Greg

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 16 10:03:09 2006
From: "Travis H."
To: Andrei Kolu
Cc: freebsd-pf@freebsd.org
Date: Thu, 16 Nov 2006 04:03:07 -0600
Message-ID: <20061116100307.GC32666@nexus.subspacefield.org>
In-Reply-To: <200611151910.53727.antik@bsd.ee>
Subject: Re: problems connecting samba shares

On Wed, Nov 15, 2006 at 07:10:51PM +0200, Andrei Kolu wrote:
> I am struggling here with PF firewall and just can't connect to any samba
> share if PF is enabled:

That's because the SMB protocol was designed in total ignorance of
firewalls (and, to be fair, is much older than the first book on
firewalls). Like "talk" and other such protocols, which are virtually
impossible to do safely across a firewall, it has a mishmash of
connections in and out and back in again.

You may find this page of mine useful; using the information here might
get you up and running, but you'll be poking some serious holes in the
firewall to do this.

http://www.subspacefield.org/~travis/firewalls_and_protocols.html

You may find this old paper interesting though:

http://web.textfiles.com/hacking/cifs.txt

Ack, I gave in to curiosity, read a bit, and now I need a shower. I
couldn't get past the "Phase 0". Perhaps Bill Gates is a genius, not
because CIFS/SMB is great, but because it is so horrible; yet he
actually got people to pay for it. That counts for something.

But given that MS Services for Unix is free, wouldn't you be happier
using NFS than some dodgy proprietary anachronism that is so chock full
of arbitrariness that it boggles and stupefies the mind?

Let's just pretend IPX and SMB never existed. In a decade nobody will
even remember it. Here's to hoping.

--
"Cryptography is nothing more than a mathematical framework for
discussing various paranoid delusions." -- Don Alvarez -><-

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 16 14:01:01 2006
From: "Gilberto Villani Brito"
To: "FreeBSD (PF)"
Date: Thu, 16 Nov 2006 12:00:52 -0200
Message-ID: <6e6841490611160600t26c24559v9eb14aef1783cb@mail.gmail.com>
In-Reply-To: <1163160286.5022.19.camel@genius.i.cz>
Subject: Re: pf.conf + altq problem

In my firewall cbq doesn't work, but I'm using hfsc. Below is one rule:

altq on em1 hfsc bandwidth 100% queue net_em1
queue net_em1 bandwidth 100Mb hfsc { link_em1 net1_em1 }
queue link_em1 bandwidth 5Mb priority 2 hfsc(red realtime 4Mb upperlimit 10Mb)
queue net1_em1 bandwidth 90Mb priority 1 hfsc(default)

Gilberto

2006/11/10, Michal Mertl :
> Muhammad Reza wrote:
> > still not work with pass in rule.
> >
> > add info with this rule set:
> >
> > altq on xl1 bandwidth 100% cbq queue {int_out,dflt_out}
> > queue int_out bandwidth 3Mb
> > queue dflt_out bandwidth 16Kb cbq (default)
> >
> > altq on xl2 bandwidth 100% cbq queue {int_in,dflt_in}
> > queue int_in bandwidth 3Mb
> > queue dflt_in bandwidth 16Kb cbq (default)
> >
> > pass out log on xl1 from 172.16.0.228 to 202.57.14.1 keep state flags
> > S/SA queue (int_out)
> > pass out log on xl2 from 202.57.14.1 to 172.16.0.228 keep state flags
> > S/SA queue (int_in)
> >
> > if i only enabled altq on in one interface only (xl1 or xl2) , traffic
> > limitation that i want is can be done.
> >
> > Is there something that can be done with ALTQ and PF or my rule is
> > bad ???
>
> The rules above (for TCP) do not match the traffic from both directions
> of a single TCP connection - "flags S/SA" matches just the first packet
> of the TCP session initiated by the source address (on the left). They
> limit only one direction of connections initiated from either of the
> addresses. Try removing "flags S/SA".
>
> Michal
>

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 16 17:08:33 2006
From: "Dan Langille"
To: "Greg Hennessy"
Date: Thu, 16 Nov 2006 12:08:28 -0500
Message-ID: <455C54BC.19625.6810B25F@dan.langille.org>
In-reply-to: <000001c708d9$880876d0$0301a8c0@vaio>
Cc: freebsd-pf@freebsd.org
Subject: RE: state table filled up?

On 15 Nov 2006 at 17:14, Greg Hennessy wrote:

> > I suspect this may have been my state table filling up.
>
> For a high traffic'd internet facing service such as Freshports, running
> pfstat, symon or even the pf snmp mibs loaded into something such as Cacti
> is not optional.
>
> They would have kept track of firewall state table utilisation over time.

I have symon and cacti installed and running. symon is happily updating
my .rrd files:

[dan@nyi:/var/db/symon] $ ls -l
total 53168
-rw-r--r--  1 root  wheel   4379264 Nov 16 12:07 cpu0.rrd
-rw-r--r--  1 root  wheel   8757064 Nov 16 12:07 if_fxp0.rrd
-rw-r--r--  1 root  wheel   4379264 Nov 16 12:07 io_ad0.rrd
-rw-r--r--  1 root  wheel  13134864 Nov 16 12:07 mbuf.rrd
-rw-r--r--  1 root  wheel   4379264 Nov 16 12:07 mem.rrd
-rw-r--r--  1 root  wheel  19263784 Nov 16 12:07 pf.rrd
[dan@nyi:/var/db/symon] $

I have no idea how to get Cacti to graph this data. Clues please?

> As a short term measure.
>
> pfctl -si
>
> will tell you how many entries are in the state table.

Seems pretty good. Opinions?
$ sudo pfctl -si
Password:
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 1 days 04:20:53           Debug: Urgent

Hostid: 0xd61d30d4

State Table                          Total             Rate
  current entries                      168
  searches                         7301670           71.5/s
  inserts                           175525            1.7/s
  removals                          175357            1.7/s
Counters
  match                             221650            2.2/s
  bad-offset                             0            0.0/s
  fragment                               1            0.0/s
  short                                  0            0.0/s
  normalize                             12            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                      4792            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                          477115            4.7/s

-- 
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 16 17:52:28 2006
From: "Greg Hennessy"
To: "'Dan Langille'"
Cc: freebsd-pf@freebsd.org
Date: Thu, 16 Nov 2006 17:37:25 -0000
Message-ID: <000301c709a5$e3526470$0301a8c0@vaio>
In-reply-to: <455C54BC.19625.6810B25F@dan.langille.org>
Subject: RE: state table filled up?
>> > I have no idea how to get Cacti to graph this data. Clues please?

IIRC there's a thread or two on the cacti forums w.r.t importing the pf mibs
from bsnmpd.

> > Seems pretty good. Opinions?
>
> $ sudo pfctl -si
> Password:
> No ALTQ support in kernel
> ALTQ related functions disabled
> Status: Enabled for 1 days 04:20:53           Debug: Urgent
>
> Hostid: 0xd61d30d4
>
> State Table                          Total             Rate
>   current entries                      168

It's just ticking over FWICS.

Greg

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 16 18:11:27 2006
From: Andrei Kolu
To: freebsd-pf@freebsd.org
Date: Thu, 16 Nov 2006 20:11:21 +0200
In-Reply-To: <20061116100307.GC32666@nexus.subspacefield.org>
Message-Id: <200611162011.21765.antik@bsd.ee>
Subject: Re: problems connecting samba shares

On Thursday 16 November 2006 12:03, you wrote:
> On Wed, Nov 15, 2006 at 07:10:51PM +0200, Andrei Kolu wrote:
> > I am struggling here with PF firewall and just can't connect to any samba
> > share if PF is enabled:
>
> That's because the SMB protocol was designed in total ignorance of
> firewalls (and, to be fair, is much older than the first book on
> firewalls). Like "talk" and other such protocols, which are virtually
> impossible to do safely across a firewall, it has a mishmash of
> connections in and out and back in again.
>
> You may find this page of mine useful; using the information here
> might get you up and running, but you'll be poking some serious
> holes in the firewall to do this.
>
> http://www.subspacefield.org/~travis/firewalls_and_protocols.html
>
> You may find this old paper interesting though:
> http://web.textfiles.com/hacking/cifs.txt
>
> Ack, I gave in to curiosity, read a bit, and now I need a shower.
> I couldn't get past the "Phase 0". Perhaps Bill Gates is a genius,
> not because CIFS/SMB is great, but because it is so horrible;
> yet he actually got people to pay for it. That counts for something.
>
> But given that MS Services for Unix is free, wouldn't you be
> happier using NFS than some dodgy proprietary anachronism that
> is so chock full of arbitrariness that it boggles and stupefies
> the mind? Let's just pretend IPX and SMB never existed. In a
> decade nobody will even remember it. Here's to hoping.

Yes, I understand that SMB is bad, but why does PF block a port that is
opened with rules?

/etc/pf.conf:
pass in on rl0 proto udp from any to (rl0) port 137 keep state

# tcpdump -n -e -ttt -i pflog0:
rule 0/0(match): block in on rl0: 192.168.2.100.137 > 192.168.2.101.53259: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 16 18:28:37 2006
From: "Travis H."
To: Andrei Kolu
Cc: freebsd-pf@freebsd.org
Date: Thu, 16 Nov 2006 12:28:32 -0600
Message-ID: <20061116182832.GA14170@nexus.subspacefield.org>
In-Reply-To: <200611162011.21765.antik@bsd.ee>
Subject: Re: problems connecting samba shares

On Thu, Nov 16, 2006 at 08:11:21PM +0200, Andrei Kolu wrote:
> Yes, I understand that SMB is bad, but why PF blocks port that is opened with
> rules?
>
> /etc/pf.conf:
> pass in on rl0 proto udp from any to (rl0) port 137 keep state
>
> # tcpdump -n -e -ttt -i pflog0:
> rule 0/0(match): block in on rl0: 192.168.2.100.137 >
> 192.168.2.101.53259: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST

Your rule passes IN packets TO *DESTINATION* port 137
The packet you are blocking is coming IN, FROM *SOURCE* port 137

If that isn't clear enough, I can't help you, you need to read a book on
firewalls or TCP/IP.
-- 
"Cryptography is nothing more than a mathematical framework for discussing
various paranoid delusions." -- Don Alvarez -><-

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 16 18:33:33 2006
From: "Lawrence Farr"
To: "'Andrei Kolu'"
Date: Thu, 16 Nov 2006 18:33:21 -0000
Message-ID: <00b201c709ad$b1b96d20$c806a8c0@lfarr>
In-Reply-To: <200611162011.21765.antik@bsd.ee>
Subject: RE: problems connecting samba shares

> /etc/pf.conf:
> pass in on rl0 proto udp from any to (rl0) port 137 keep state
>
> # tcpdump -n -e -ttt -i pflog0:
> rule 0/0(match): block in on rl0: 192.168.2.100.137 >
> 192.168.2.101.53259: NBT UDP PACKET(137): QUERY; POSITIVE;
> RESPONSE; UNICAST

Because that came FROM port 137 not TO port 137.
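An added check for the "state table filled up?" exchange between Dan Langille and Greg Hennessy on this page (not code from the thread or from pf): Greg's short-term advice is to read `pfctl -si`, and his longer-term one is to track state-table utilisation over time. The script below parses the `State Table` and `Counters` sections of `pfctl -si`, reads the `states hard limit` line from `pfctl -sm`, and turns them into a utilisation figure plus a flag for the case Dan suspected. The `pfctl -si` sample is Dan's own output from the thread; the `pfctl -sm` sample is constructed, since the thread does not show it.

```python
import re
import subprocess
from typing import Dict, Optional

# Dan Langille's `pfctl -si` numbers from the thread, in pfctl's usual
# column layout. The parser keys on section headers and the name/number
# columns only, so exact spacing does not matter.
PFCTL_SI_SAMPLE = """\
Status: Enabled for 1 days 04:20:53           Debug: Urgent

Hostid: 0xd61d30d4

State Table                          Total             Rate
  current entries                      168
  searches                         7301670           71.5/s
  inserts                           175525            1.7/s
  removals                          175357            1.7/s
Counters
  match                             221650            2.2/s
  bad-offset                             0            0.0/s
  state-mismatch                      4792            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                          477115            4.7/s
"""

# Constructed `pfctl -sm` output; 10000 is pf's traditional default state limit.
PFCTL_SM_SAMPLE = """\
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
"""

# One indented "name   total   [rate/s]" row; the rate column is optional.
_ROW = re.compile(r"^\s+([a-z][a-z\- ]*?)\s+(\d+)(?:\s+[\d.]+/s)?\s*$")


def parse_pfctl_si(text: str) -> Dict[str, Dict[str, int]]:
    """Return the Total column of the 'State Table' and 'Counters' sections."""
    out: Dict[str, Dict[str, int]] = {"state": {}, "counters": {}}
    section: Optional[str] = None
    for line in text.splitlines():
        if line.startswith("State Table"):
            section = "state"
        elif line.startswith("Counters"):
            section = "counters"
        elif section is not None:
            m = _ROW.match(line)
            if m:
                out[section][m.group(1)] = int(m.group(2))
    return out


def parse_state_limit(text: str) -> Optional[int]:
    """Pick the 'states hard limit N' line out of `pfctl -sm` output."""
    m = re.search(r"^states\s+hard limit\s+(\d+)", text, re.MULTILINE)
    return int(m.group(1)) if m else None


def state_table_report(si_text: str, sm_text: str, warn_pct: float = 80.0) -> dict:
    """State-table utilisation, plus whether pf has already refused states.

    'state-limit' counts packets dropped because the hard limit was reached, so
    a non-zero value means the table filled up at some point since the counters
    were last cleared, even if 'current entries' looks healthy right now."""
    stats = parse_pfctl_si(si_text)
    current = stats["state"]["current entries"]
    limit = parse_state_limit(sm_text)
    if limit is None:
        raise ValueError("no 'states hard limit' line in pfctl -sm output")
    refused = stats["counters"].get("state-limit", 0)
    pct = round(100.0 * current / limit, 2)
    return {"current": current, "limit": limit, "percent": pct,
            "refused": refused, "warn": pct >= warn_pct or refused > 0}


def live_report() -> dict:
    """Same report from the running system; pfctl needs privileges."""
    si = subprocess.run(["pfctl", "-si"], capture_output=True, text=True, check=True).stdout
    sm = subprocess.run(["pfctl", "-sm"], capture_output=True, text=True, check=True).stdout
    return state_table_report(si, sm)


if __name__ == "__main__":
    print(state_table_report(PFCTL_SI_SAMPLE, PFCTL_SM_SAMPLE))
```

Run from cron and fed into whatever graphs the host already has, this gives the time series Greg describes; on Dan's numbers it reports 168 of 10000 states in use with no `state-limit` drops, which is what "just ticking over" looks like.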
From owner-freebsd-pf@FreeBSD.ORG Thu Nov 16 18:39:34 2006
From: "Dan Langille"
To: "Greg Hennessy"
Cc: freebsd-pf@freebsd.org
Date: Thu, 16 Nov 2006 13:39:28 -0500
Message-ID: <455C6A10.23672.686403B7@dan.langille.org>
In-reply-to: <000301c709a5$e3526470$0301a8c0@vaio>
Subject: RE: state table filled up?

On 16 Nov 2006 at 17:37, Greg Hennessy wrote:

> >> > I have no idea how to get Cacti to graph this data. Clues please?
>
> IIRC there's a thread or two on the cacti forums w.r.t importing the pf mibs
> from bsnmpd.

Found it. Someone posted to my original thread:

http://forums.cacti.net/viewtopic.php?t=12202

And pointed me to:

http://forums.cacti.net/viewtopic.php?t=12202

It took me an hour, and some trial and error, but I got graphs.

http://www.langille.org/tmp/CPU.png

It looks like the values are upside down. I'll work on that.

Thanks for the help.

-- 
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 16 18:55:54 2006
From: Andrei Kolu
Cc: freebsd-pf@freebsd.org
Date: Thu, 16 Nov 2006 20:55:48 +0200
In-Reply-To: <00b201c709ad$b1b96d20$c806a8c0@lfarr>
To: Undisclosed.Recipients: ;
Message-Id: <200611162055.48636.antik@bsd.ee>
Subject: Re: problems connecting samba shares

On Thursday 16 November 2006 20:33, Lawrence Farr wrote:
> > /etc/pf.conf:
> > pass in on rl0 proto udp from any to (rl0) port 137 keep state
> >
> > # tcpdump -n -e -ttt -i pflog0:
> > rule 0/0(match): block in on rl0: 192.168.2.100.137 >
> > 192.168.2.101.53259: NBT UDP PACKET(137): QUERY; POSITIVE;
> > RESPONSE; UNICAST
>
> Because that came FROM port 137 not TO port 137.

Oops, I thought it wanted to connect back to my port 137 - silly me. Then I
have to open all ports that are higher than 1024?

Is this line correct?

pass in proto {tcp,udp} from any to any port 1024:65535 keep state

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 16 19:04:32 2006
From: Chris Smith
To: freebsd-pf@freebsd.org
Date: Thu, 16 Nov 2006 14:04:22 -0500
In-Reply-To: <200611162011.21765.antik@bsd.ee>
Message-Id: <200611161404.22756.bsd782@chrissmith.org>
Subject: Re: problems connecting samba shares

On Thursday 16 November 2006 13:11, Andrei Kolu wrote:
> pass in on rl0 proto udp from any to (rl0) port 137 keep state

Maybe you're blocking some necessary broadcast packets.
Try changing your rules to something more like:

pass in on rl0 proto udp from any to any port 137 keep state

or possibly:

pass in on rl0 proto udp from any to (rl0:network) port 137 keep state

Even better, use a macro to define the ports:

samba_ports = "{ 137:139, 445 }"
pass in on rl0 proto { tcp, udp } from any to any port $samba_ports keep state

You may want to use this in your smb.conf:

smb ports = 139

and then change the above pf macro to:

samba_ports = "{ 137:139 }"

As a note it appears that your previous log is not showing a block from
"any to rl0 port 137" but from "any port 137 to rl0", assuming the rl0
address is 192.168.2.101. So unless there is some state matching the block
seems valid.

Chris

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 16 19:32:58 2006
From: "Gilberto Villani Brito"
To: "FreeBSD (PF)"
Date: Thu, 16 Nov 2006 17:32:56 -0200
Message-ID: <6e6841490611161132t4e5a0f14ne470540f86ded273@mail.gmail.com>
Subject: Re: Traffic shapping with pf hfsc and prioritizing based on group
I think something like this:

altq on em0 hfsc bandwidth 100% queue net_em0
queue net_em0 bandwidth 14Mb hfsc(red realtime 14Mb upperlimit 14Mb) { priority7_em0 priority6_em0 priority5_em0 priority4_em0 default_em0 }
queue priority7_em0 bandwidth 10Mb priority 7 hfsc(red realtime 10Mb upperlimit 14Mb)
queue priority6_em0 bandwidth 1Mb priority 6 hfsc(red realtime 10Mb upperlimit 14Mb)
queue priority5_em0 bandwidth 1Mb priority 5 hfsc(red realtime 10Mb upperlimit 14Mb)
queue priority4_em0 bandwidth 1Mb priority 4 hfsc(red realtime 10Mb upperlimit 14Mb)
queue default_em0 bandwidth 1Mb priority 1 hfsc(default)

can resolve your problem.

Gilberto

2006/11/13, Gloomy Group:
> Hi,
>
> As I'm new in packet filter I would like to get some help in setting
> my configuration for bandwidth shaping with altq hfsc. Below will be my
> network layout;
>
>   VSAT for uplink only
>            |
>          Router
>            |
>   -|------Normal Switch------------------|
>                                          |
>                                   DVB for downlink
>                                          |
>                                    rl0 interface
>                                          |
>                               FreeBSD shaper/gateway
>                                          |
>                                    rl1 interface
>                                          |
>                                        Switch
>      |------------|-----------|-----------|--------------|
>  Dialup users  Cable users  webserver  proxy servers  Wireless users
>
>
> What I want to do here is rl0 interface will be used for shaping uplink
> traffic whereas rl1 interface will shape only downlink traffic to my network
> group. Cable users will get higher priority than wireless users. Has anyone
> got sample configuration with this network layout?
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 16 20:30:11 2006
From: "Gilberto Villani Brito"
To: "FreeBSD (PF)"
Date: Thu, 16 Nov 2006 18:29:59 -0200
Message-ID: <6e6841490611161229n4392c4aame4f58fd41974b8ae@mail.gmail.com>
In-Reply-To: <45593F08.9060708@joeholden.co.uk>
Subject: Re: Source routing (Policy routing)
Try using route-to like here:
http://www.openbsd.org/faq/pf/pools.html#outgoing

But put this rule last.

Gilberto

2006/11/14, Joe Holden:
> Hi all,
>
> I'm having a little trouble trying to do the equivalent of ipfw fwd in
> my pf ruleset (I've moved everything else from ipfw and it works great),
> however after much googling I'm still not sure of the proper syntax/ruleset.
>
> Basically, I have interface1, with a routable ip on, an openvpn
> connection goes out via that and creates tun0, which has another
> routable ip on.
>
> However, I want to be able to send traffic from my end of the openvpn
> tunnel, back via the tunnel, however I've tried all combinations of
> route-to, reply-to, even copied other peoples' rulesets to the "space,"
> to no avail...
>
> Is anyone able to give me any pointers on this?
>
> I'm using -CURRENT as of this morning.
> (I originally moved from ipfw as it is still unusable as far as ipv6 goes)
>
> TIA,
> Joe

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 16 21:01:03 2006
From: Andrei Kolu
To: freebsd-pf@freebsd.org
Date: Thu, 16 Nov 2006 23:00:57 +0200
In-Reply-To: <200611162055.48636.antik@bsd.ee>
Message-Id: <200611162300.58310.antik@bsd.ee>
Subject: Re: problems connecting samba shares

On Thursday 16 November 2006 20:55, Andrei Kolu wrote:
> On Thursday 16 November 2006 20:33, Lawrence Farr wrote:
> > > /etc/pf.conf:
> > > pass in on rl0 proto udp from any to (rl0) port 137 keep state
> > >
> > > # tcpdump -n -e -ttt -i pflog0:
> > > rule 0/0(match): block in on rl0: 192.168.2.100.137 >
> > > 192.168.2.101.53259: NBT UDP PACKET(137): QUERY; POSITIVE;
> > > RESPONSE; UNICAST
> >
> > Because that came FROM port 137 not TO port 137.
>
> Oops, I thought it wants to connenct back to my port 137- silly me. Then I
> have to open all ports that is higher than 1024?
>
> This line is correct?
>
> pass in proto {tcp,udp} from any to any port 1024:65535 keep state

OK, I'll answer this question myself.

# Ports from 49152 to 65535 are known as Dynamic or Private Ports.
# Ports between 1024 and 29151 are known as the Registered Ports.
# Basically, programs are supposed to register their use of these
# ports and thereby try to be careful and avoid stomping on each other.

Sorry, not ports from 1024 and up but starting from 49152 and up.
set skip on lo0 set block-policy return set loginterface rl0 scrub in all block in log antispoof quick for lo0 inet block in from no-route to any pass out keep state table persist file "/etc/blacklist" pass inet proto icmp from any to any pass in proto {tcp,udp} from any to any port 49152:65535 keep state pass in quick on rl0 proto udp from any to (rl0) port 137 keep state pass in quick on rl0 proto udp from any to (rl0) port 138 keep state pass in quick on rl0 proto tcp from any to (rl0) port 22 keep state pass in quick on rl0 proto tcp from any to (rl0) port 445 keep state pass in quick on rl0 proto tcp from any to (rl0) port 137 keep state pass in quick on rl0 proto tcp from any to (rl0) port 139 keep state block on rl0 from to any From owner-freebsd-pf@FreeBSD.ORG Fri Nov 17 14:47:24 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 01D6516A518 for ; Fri, 17 Nov 2006 14:47:24 +0000 (UTC) (envelope-from darkdll@hotmail.com) Received: from bay0-omc3-s9.bay0.hotmail.com (bay0-omc3-s9.bay0.hotmail.com [65.54.246.209]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8967943D5A for ; Fri, 17 Nov 2006 14:47:23 +0000 (GMT) (envelope-from darkdll@hotmail.com) Received: from BAY120-W2 ([207.46.9.165]) by bay0-omc3-s9.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.1830); Fri, 17 Nov 2006 06:47:23 -0800 X-Originating-IP: [203.190.250.104] X-Originating-Email: [darkdll@hotmail.com] Message-ID: From: "dll ......." 
To:
Date: Fri, 17 Nov 2006 14:47:23 +0000
MIME-Version: 1.0
X-OriginalArrivalTime: 17 Nov 2006 14:47:23.0236 (UTC) FILETIME=[4A8A5240:01C70A57]
Content-Type: text/plain; charset="windows-874"
Content-Transfer-Encoding: 8bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: RE: how to limit bandwidth for incoming traffic that has destination to gateway itself
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 17 Nov 2006 14:47:24 -0000

Thanks for your help. After I change pf.conf I can't connect to internet from local network machine.

If we want to shape incoming bandwidth it must shape on internal interface that connect to client in local network; this is done by limiting outgoing bandwidth returning to local network. Do I misunderstand something?

But if we want to shape incoming bandwidth that returns to gateway machine, not to local network, above method will not work because it does not pass through internal interface. How to do it?
Sorry for my english.
Thanks

> Date: Wed, 15 Nov 2006 13:26:09 +0100
> From: ermal.luci@gmail.com
> To: freebsd-pf@freebsd.org
> Subject: Re: how to limit bandwidth for incoming traffic that has destination to gateway itself
>
> You have to change from:
> pass out on $ext_if proto tcp from to port ssh flags S/SAFR
> modulate state queue(std_out, iac_out)
> pass out on $ext_if proto tcp from to port $iac_ports flags
> S/SAFR modulate state queue(iac_out, ack_out)
>
> to:
> pass in on $ext_if proto tcp from to port ssh flags S/SAFR
> modulate state queue(std_out, iac_out)
> pass in on $ext_if proto tcp from to port $iac_ports flags S/SAFR
> modulate state queue(iac_out, ack_out)
>
> Since you are tracking state with S/SAFR that rule can keep track only of
> connection initiated by $gateway itself.
> If you use in it will track the connection generated by outside peers.
>
> Don't confuse the concept that ALTQ shapes only outgoing connections with
> the keep state one.
>
> Hope it helps.
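Added example, not code from either thread: a toy model of how pf reaches a verdict, to check the points made above, namely that a rule's port matches the packet's destination port (the logged NBT reply runs from port 137 to port 53259, so "to port 137" never matches it and the 49152:65535 line is what lets it through), that with last-match-wins plus quick the trailing blacklist block in the posted samba ruleset is never reached for a blacklisted host hitting port 22, and that a "pass out" rule cannot match a SYN arriving from an outside peer, as Ermal says. It models only direction, protocol, destination-port ranges, a source table and quick, not state, interfaces or queues; the table name (written <blacklist>, since the name was lost from the posted ruleset) and all addresses are constructed.

```python
# Added example (not from the thread): toy model of pf's verdict for the rules quoted above.
from dataclasses import dataclass
from typing import Optional
@dataclass
class Packet:
    direction: str   # "in" or "out", relative to the pf host
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
@dataclass
class Rule:
    action: str                            # "pass" or "block"
    direction: Optional[str] = None        # None matches both directions
    proto: Optional[str] = None            # None matches any protocol
    dports: Optional[tuple] = None         # inclusive (lo, hi) range of the *destination* port
    quick: bool = False
    src_table: Optional[frozenset] = None  # stands in for a <table> of source addresses
    def matches(self, p: Packet) -> bool:
        return (self.direction in (None, p.direction) and self.proto in (None, p.proto)
                and (self.dports is None or self.dports[0] <= p.dport <= self.dports[1])
                and (self.src_table is None or p.src in self.src_table))

def evaluate(rules, p: Packet) -> str:
    """pf verdict: the last matching rule wins, unless a matching rule is 'quick'."""
    verdict = "pass"  # pf passes a packet that no rule matches
    for r in rules:
        if r.matches(p):
            verdict = r.action
            if r.quick:
                break
    return verdict

BLACKLIST = frozenset({"203.0.113.7"})  # constructed stand-in for the /etc/blacklist table
def samba_rules(open_ephemeral: bool):  # the posted ruleset, reduced to what matters, posted order
    rules = [Rule("block", "in")]
    if open_ephemeral:  # the 'pass in proto {tcp,udp} from any to any port 49152:65535' line
        rules += [Rule("pass", "in", p, (49152, 65535)) for p in ("tcp", "udp")]
    return rules + [Rule("pass", "in", "udp", (137, 137), quick=True),
                    Rule("pass", "in", "tcp", (22, 22), quick=True),
                    Rule("block", src_table=BLACKLIST)]  # the trailing '<blacklist>' block

def gateway_ssh_rules(direction: str):  # Ermal's point: 'pass out' never sees a peer's SYN
    return [Rule("block", "in"), Rule("pass", direction, "tcp", (22, 22))]
# Constructed packets: the logged NBT reply (port 137 -> 53259), SSH from a blacklisted host,
# and an SSH SYN from an outside peer to the gateway.
NBT_REPLY = Packet("in", "udp", "192.168.2.100", 137, "192.168.2.101", 53259)
SSH_FROM_BLACKLISTED = Packet("in", "tcp", "203.0.113.7", 40000, "192.168.2.101", 22)
SSH_FROM_PEER = Packet("in", "tcp", "198.51.100.9", 51000, "192.0.2.1", 22)
```

Moving the blacklist block to the front with quick (the last assertion of the test below shows the shape) is what makes the table take precedence over the quick pass rules.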
From owner-freebsd-pf@FreeBSD.ORG Sat Nov 18 17:31:00 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 79FF016A494 for ; Sat, 18 Nov 2006 17:31:00 +0000 (UTC) (envelope-from being@outside-unlimited.com)
Received: from [195.210.225.166] (BSN-210-225-166.dial-up.dsl.siol.net [195.210.225.166]) by mx1.FreeBSD.org (Postfix) with ESMTP id C049043D9A for ; Sat, 18 Nov 2006 17:29:35 +0000 (GMT) (envelope-from being@outside-unlimited.com)
Message-ID: <000a01c70b37$1d6cb9c0$a6e1d2c3@xy40b87df0ffca>
From: "must"
To: freebsd-pf@freebsd.org
Date: Sat, 18 Nov 2006 18:29:34 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0006_01C70B3F.7F29F5D0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: Mail Websites Hosting DAILY
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 18 Nov 2006 17:31:00 -0000

Stocks Quotes in attachement Leo of Virgo Libra a Scorpio Capricorn is Aquarius is. Hosting Daily of Doseninans of Crosswords Astro day is in pics Nepalese? Gallery am toi Headlines. And above Tatacorus set merger deadline match Mittal of. Titles Travel Airtickets fly a Anywhere Lowest. Horoscope Aries Taurus Gemini Cancer leo or Virgo Libra Scorpio.