From owner-freebsd-pf@FreeBSD.ORG Mon Jan 22 00:27:53 2007
From: Jayel Villamin <jarthel@gmail.com>
To: freebsd-pf@freebsd.org
Date: Mon, 22 Jan 2007 10:29:29 +1030
Subject: help with traffic shaping
List-Id: "Technical discussion and general questions about packet filter (pf)"

Not sure if this is the right place to ask about this, but pf and altq are interconnected so...

====================

I am downloading something via FTP (using socks5) and HTTP browsing (via squid) at the same time. Web browsing is going slow.

I thought I had given HTTP higher priority than socks, so I am under the impression that web browsing should be very responsive. Can someone please check my pf.conf? This is my pf.conf. Thanks for the help.

=====================

#copy to /etc
#########################################################################
#macros
##############################################
#interfaces
ext_if = "tun0"
sakaki_nic2_if = "fxp1"
loopback_if = "lo0"
##############################################
sakaki_nic2_if_in_tcp_to_others = "{ gmail_pop3 gmail_smtp chikka 5050 }"
tomo_only_voip = "{ 5060, 16384:16482 }"
#########################################################################
#Tables
table persist { 192.168.0.2/32 }
table persist { 192.168.0.3/32 }
#########################################################################
#PF options
set limit { frags 20000, states 20000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
#########################################################################
#Scrub packets
scrub all reassemble tcp fragment reassemble
#########################################################################
#ALTQ
altq on $ext_if priq bandwidth 82Kb queue { q_default, q_ssh, q_apache, q_udp, q_tcp_ack }
queue q_default priq (default)
queue q_ssh priority 3 priq(red)
queue q_apache priority 5
queue q_udp priority 12
queue q_tcp_ack priority 14

altq on $sakaki_nic2_if cbq bandwidth 100% queue { q2_out, q2_local }
queue q2_out bandwidth 452Kb { q2_out_socks, q2_out_default, q2_out_squid }
queue q2_out_socks bandwidth 148Kb priority 1 cbq (borrow)
queue q2_out_default bandwidth 41Kb priority 4 cbq (default borrow)
queue q2_out_squid bandwidth 263Kb priority 7 cbq (borrow)
queue q2_local bandwidth 97% cbq (red borrow)
#########################################################################
#NAT
#pass in quick on $ext_if inet proto udp from any port voip_proxy to keep state queue q_udp
nat on $ext_if from $sakaki_nic2_if:network to any -> ($ext_if)
#########################################################################
#Redirection
#rdr on $ext_if proto udp from any port voip_proxy ->
rdr on $ext_if proto { tcp udp } from any to ($ext_if) port bittorrent ->
#########################################################################
#Packet filtering
##############################################
#Default block
block log all
##############################################
#Outbound rules for ext_if
pass out quick on $ext_if inet proto udp all keep state queue q_udp
pass out quick on $ext_if inet proto tcp all keep state queue (q_default_out, q_tcp_ack)
pass out quick on $ext_if inet proto icmp all keep state

#Inbound rules for ext_if
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port apache_squid flags S/SA keep state queue q_apache
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port ssh flags S/SA keep state queue (q_default, q_ssh)
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port ident flags S/SA keep state queue (q_default, q_tcp_ack)
pass in quick on $ext_if inet proto tcp from any port squid to any queue (q_default_out, q_tcp_ack_out)

#for the redirect rules above
pass in quick on $ext_if inet proto { tcp udp} from any to port bittorrent flags S/SA keep state queue q_default
##############################################
#Inbound rules for sakaki_nic2_if
pass in quick on $sakaki_nic2_if proto udp from $sakaki_nic2_if:network to ($sakaki_nic2_if) keep state queue q2_local
pass in quick on $sakaki_nic2_if proto tcp from $sakaki_nic2_if:network to ($sakaki_nic2_if) flags S/SA keep state queue q2_local
pass in quick on $sakaki_nic2_if proto tcp from $sakaki_nic2_if:network to ($sakaki_nic2_if) port socks flags S/SA keep state queue q2_out_socks
pass in quick on $sakaki_nic2_if proto tcp from $sakaki_nic2_if:network to ($sakaki_nic2_if) port squid flags S/SA keep state queue q2_out_squid
pass in quick on $sakaki_nic2_if proto tcp from $sakaki_nic2_if:network to any port $sakaki_nic2_if_in_tcp_to_others flags S/SA keep state queue q2_out_default

#Outbound rules for sakaki_nic2_if
pass out quick on $sakaki_nic2_if all keep state queue q2_local
##############################################
#Allow loopback connections
pass quick on $loopback_if all
##############################################
#Antispoof all interfaces
antispoof log quick for { $ext_if, $sakaki_nic2_if }

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 22 11:08:42 2007
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
To: freebsd-pf@FreeBSD.org
Date: Mon, 22 Jan 2007 11:08:40 GMT
Message-Id: <200701221108.l0MB8eZo037010@freefall.freebsd.org>
Subject: Current problem reports assigned to you
Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o sparc/93530  pf    Incorrect checksums when using pf's route-to on sparc6

3 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
f conf/81042   pf    [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/103304  pf    pf accepts nonexistent queue in rules
o kern/106400  pf    fatal trap 12 at restart of PF with ALTQ if ng0 device

4 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 22 15:04:40 2007
From: Владимир Капустин (Vladimir Kapustin) <msgs_for_me@mail.ru>
To: freebsd-pf@freebsd.org
Date: Mon, 22 Jan 2007 17:08:17 +0300
Subject: PF+ALTQ - how not to share bandwidth

Hi all!

I want to make a list of rules for my localnet gateway and I decided to choose PF to use its tables, so as not to generate so many rules, equal to the number of users. Here is part of my pfctl -s all output:

TRANSLATION RULES:
nat on xl0 inet from to any -> 192.168.1.21
nat on xl0 inet from to any -> 192.168.1.21
nat on xl0 inet from to any -> 192.168.1.21
nat on xl0 inet from to any -> 192.168.1.21

FILTER RULES:
anchor "real_ip" all
block drop on xl0 all
block drop on rl0 all
pass quick on lo0 all
pass inet from any to 192.168.0.2 queue shape_256_in
pass inet from any to 192.168.0.3 queue shape_256_in
pass inet from 192.168.0.2 to any queue shape_256_out
pass inet from 192.168.0.3 to any queue shape_256_out
pass quick inet from 192.168.1.21 to any
pass quick inet from any to 192.168.1.21
pass in quick on rl0 inet proto tcp from to 192.168.1.21
pass in quick on rl0 inet proto udp from to 192.168.1.21
pass out quick on rl0 inet proto tcp from 192.168.1.21 to
pass out quick on rl0 inet proto udp from 192.168.1.21 to

ALTQ:
queue root_xl0 bandwidth 20Mb priority 0 cbq( wrr root ) {not_shape_out, shape_64_out, shape_128_out, shape_256_out}
  queue not_shape_out bandwidth 64Kb cbq( borrow default )
  queue shape_64_out bandwidth 64Kb
  queue shape_128_out bandwidth 128Kb
  queue shape_256_out bandwidth 256Kb
queue root_rl0 bandwidth 20Mb priority 0 cbq( wrr root ) {not_shape_in, shape_64_in, shape_128_in, shape_256_in}
  queue not_shape_in bandwidth 64Kb cbq( borrow default )
  queue shape_64_in bandwidth 64Kb
  queue shape_128_in bandwidth 128Kb
  queue shape_256_in bandwidth 256Kb

TABLES:
admins
not_shape
shape_128
shape_256
shape_64

I must say that this is a test configuration and IP 192.168.1.21 is the prototype of my future real Internet IP.

The question is: my two local IPs { 192.168.0.2, 192.168.0.3 } share the same internet channel, but I want them to have the same bandwidth (equal to the queue). What is the way to use the minimal number of rules and tables (as many as tariffs) and then to apply these rules to all the users in the tables according to the contents of the tables?

Here is part of my test pf.conf:

ext_if = "xl0"
int_if = "rl0"
LAN_IP = "192.168.0.1"
WAN_IP = "192.168.1.21"

table file "/pf/admins"
table file "/pf/not_shape"
table file "/pf/shape_64"
table file "/pf/shape_128"
table file "/pf/shape_256"

##
## QUEUEING
##
altq on $ext_if cbq bandwidth 20Mb queue { not_shape_out, shape_64_out, shape_128_out, shape_256_out }
queue not_shape_out bandwidth 64Kb cbq(default borrow)
queue shape_64_out bandwidth 64Kb
queue shape_128_out bandwidth 128Kb
queue shape_256_out bandwidth 256Kb

altq on $int_if cbq bandwidth 20Mb queue { not_shape_in, shape_64_in, shape_128_in, shape_256_in }
queue not_shape_in bandwidth 64Kb cbq(default borrow)
queue shape_64_in bandwidth 64Kb
queue shape_128_in bandwidth 128Kb
queue shape_256_in bandwidth 256Kb

##
## NAT
##
nat on $ext_if from { , , , } to any -> 192.168.1.21
anchor real_ip

##
## Default DENY policy
##
block on { $ext_if, $int_if } all

##
## Pass loopback
##
pass quick on lo0 all

##
## Test rules
##
pass quick from 192.168.1.110 to any
pass quick from any to 192.168.1.110
pass from any to { 192.168.0.2 192.168.0.3 } queue shape_256_in
pass from { 192.168.0.2 192.168.0.3 } to any queue shape_256_out
pass quick from 192.168.1.21 to any
pass quick from any to 192.168.1.21

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 23 12:38:07 2007
From: Eduardo Meyer <dudu.meyer@gmail.com>
To: freebsd-pf@freebsd.org
Date: Tue, 23 Jan 2007 10:09:23 -0200
Subject: set limit { states X, frags Y } not working - buggy?

Hello,

I have some doubts. First let me introduce my problem. Sometimes, using pf route-to, the machines behind my NAT box can't start new sessions/connections, and on the box itself I get "Operation not permitted" when this problem happens. I suspected it was a limit on the number of states.

Since the problem happens whenever it wants, I tried to reproduce the behavior by lowering the state limits, and to my surprise I get a number of states way higher than the limit. Please, see:

# pfctl -s memory
states        hard limit     5000
src-nodes     hard limit    10000
frags         hard limit     2500

# pfctl -s info | grep "current entries"
  current entries                      13770

What am I confusing here, or should this really not happen?

-- 
===========
Eduardo Meyer
pessoal: dudu.meyer@gmail.com
profissional: ddm.farmaciap@saude.gov.br

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 23 13:02:38 2007
From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Tue, 23 Jan 2007 14:02:11 +0100
Message-Id: <200701231402.20264.max@love2party.net>
Subject: Re: set limit { states X, frags Y } not working - buggy?

On Tuesday 23 January 2007 13:09, Eduardo Meyer wrote:
> I have some doubts. First let me introduce you my problem. Sometimes,
> using pf route-to, the machines behind my NAT box can't start new
> sessions/connections, and on the box itself I get "Operation not
> permitted" when this problem happens. I suspected it was a limit on
> the number of states. Since the problem happens whenever it wants, I
> tried to reproduce the behavior lowing down the states limits, and for
> my surprise, I get a number of states way too higher than the limit.
>
> Please, see:
>
> # pfctl -s memory
> states hard limit 5000
> src-nodes hard limit 10000
> frags hard limit 2500
>
> # pfctl -s info | grep "current entries"
> current entries 13770
>
> What am I confusing here, or this really should not happen?

What does "vmstat -z | grep ^pf" give? A quick check here suggests that this might be a problem in the zone(9) allocator, as the limit is correctly propagated to the uma zone in question but not enforced, it seems.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 23 13:18:14 2007
From: Eduardo Meyer <dudu.meyer@gmail.com>
To: freebsd-pf@freebsd.org
Date: Tue, 23 Jan 2007 11:18:12 -0200
In-Reply-To: <200701231402.20264.max@love2party.net>
Subject: Re: set limit { states X, frags Y } not working - buggy?

On 1/23/07, Max Laier wrote:
> On Tuesday 23 January 2007 13:09, Eduardo Meyer wrote:
> > Please, see:
> >
> > # pfctl -s memory
> > states hard limit 5000
> > src-nodes hard limit 10000
> > frags hard limit 2500
> >
> > # pfctl -s info | grep "current entries"
> > current entries 13770
> >
> > What am I confusing here, or this really should not happen?
>
> What does "vmstat -z | grep ^pf" give? A quick check here suggests that
> this might be a problem in the zone(9) allocator as the limit is
> correctly propergated to the the uma zone in question, but not enforced
> it seems.

Max, thanks for asking. Here is what the command returns:

# vmstat -z | grep ^pf
pfsrctrpl:     100,  10023,     0,    78,        77
pfrulepl:      604,      0,   140,    88,     17555
pfstatepl:     260,   5010,  8096,  1879,  38569766
pfaltqpl:      128,      0,     0,     0,         0
pfpooladdrpl:   68,      0,    72,   152,      8534
pfrktable:    1240,      0,     5,     4,        89
pfrkentry:     156,      0,    10,    40,       481
pfrkentry2:    156,      0,     0,     0,         0
pffrent:        16,   2639,     0,     0,         0
pffrag:         48,      0,     0,     0,         0
pffrcache:      48,  10062,     0,     0,         0
pffrcent:       12,  50141,     0,     0,         0
pfstatescrub:   28,      0,     0,     0,         0
pfiaddrpl:      92,      0,    12,   114,       260
pfospfen:      108,      0,   345,    51,     22770
pfosfp:         28,      0,   188,   193,     12408

Right now I have some fewer sessions:

# pfctl -s info | grep "current entries"
  current entries                       8306

But way higher than the configured limit of 5k.
-- 
===========
Eduardo Meyer
pessoal: dudu.meyer@gmail.com
profissional: ddm.farmaciap@saude.gov.br

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 23 14:41:34 2007
From: Eduardo Meyer <dudu.meyer@gmail.com>
To: freebsd-pf@freebsd.org
Date: Tue, 23 Jan 2007 12:41:28 -0200
References: <200701231402.20264.max@love2party.net>
Subject: Re: set limit { states X, frags Y } not working - buggy?

Fixed after upgrading to 6.2-STABLE. Now it works just fine - I had 6.1-PRERELEASE before. Thank you.

> # vmstat -z | grep ^pf
> pfsrctrpl: 100, 10023, 0, 78, 77
> pfrulepl: 604, 0, 140, 88, 17555
> pfstatepl: 260, 5010, 8096, 1879, 38569766
> pfaltqpl: 128, 0, 0, 0, 0
> pfpooladdrpl: 68, 0, 72, 152, 8534
> pfrktable: 1240, 0, 5, 4, 89
> pfrkentry: 156, 0, 10, 40, 481
> pfrkentry2: 156, 0, 0, 0, 0
> pffrent: 16, 2639, 0, 0, 0
> pffrag: 48, 0, 0, 0, 0
> pffrcache: 48, 10062, 0, 0, 0
> pffrcent: 12, 50141, 0, 0, 0
> pfstatescrub: 28, 0, 0, 0, 0
> pfiaddrpl: 92, 0, 12, 114, 260
> pfospfen: 108, 0, 345, 51, 22770
> pfosfp: 28, 0, 188, 193, 12408
>
> Right now I have some fewer sessions:
>
> # pfctl -s info | grep "current entries"
> current entries 8306
>
> But way higher than the configured limit of 5k.
-- 
===========
Eduardo Meyer
pessoal: dudu.meyer@gmail.com
profissional: ddm.farmaciap@saude.gov.br

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 23 16:01:18 2007
From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Tue, 23 Jan 2007 17:03:30 +0100
References: <200701231402.20264.max@love2party.net>
Message-Id: <200701231703.38758.max@love2party.net>
Subject: Re: set limit { states X, frags Y } not working - buggy?

On Tuesday 23 January 2007 14:18, Eduardo Meyer wrote:
> On 1/23/07, Max Laier wrote:
> > On Tuesday 23 January 2007 13:09, Eduardo Meyer wrote:
> > > Please, see:
> > >
> > > # pfctl -s memory
> > > states hard limit 5000
> > > src-nodes hard limit 10000
> > > frags hard limit 2500
> > >
> > > # pfctl -s info | grep "current entries"
> > > current entries 13770
> > >
> > > What am I confusing here, or this really should not happen?
> >
> > What does "vmstat -z | grep ^pf" give? A quick check here suggests
> > that this might be a problem in the zone(9) allocator as the limit is
> > correctly propergated to the the uma zone in question, but not
> > enforced it seems.
>
> Max, thanks for asking. Here it's what the command returns
>
> # vmstat -z | grep ^pf
> pfsrctrpl: 100, 10023, 0, 78, 77
> pfrulepl: 604, 0, 140, 88, 17555
> #vmstat -z | head -1
> ITEM              SIZE     LIMIT      USED      FREE  REQUESTS
> pfstatepl:         260,     5010,     8096,     1879, 38569766
                              ^-----------^

The problem was here. Seems there was indeed something wrong with uma before release. In case this shows up again, be sure to check vmstat again. What pfctl reports is merely a wrapper around this.

> pfaltqpl: 128, 0, 0, 0, 0
> pfpooladdrpl: 68, 0, 72, 152, 8534
> pfrktable: 1240, 0, 5, 4, 89
> pfrkentry: 156, 0, 10, 40, 481
> pfrkentry2: 156, 0, 0, 0, 0
> pffrent: 16, 2639, 0, 0, 0
> pffrag: 48, 0, 0, 0, 0
> pffrcache: 48, 10062, 0, 0, 0
> pffrcent: 12, 50141, 0, 0, 0
> pfstatescrub: 28, 0, 0, 0, 0
> pfiaddrpl: 92, 0, 12, 114, 260
> pfospfen: 108, 0, 345, 51, 22770
> pfosfp: 28, 0, 188, 193, 12408
>
> Right now I have some fewer sessions:
>
> # pfctl -s info | grep "current entries"
> current entries 8306
>
> But way higher than the configured limit of 5k.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 23 19:51:27 2007
b=q26bmBSBoKV1Q3dT7x5Y1g89Xt5pZgVMGzwQ81H2X9arzpgOzNwkE4oLpOJ8odFF38XV9MrMg4X1zyHvAdWmL8d/w3+bk1yeFQinF1w7RBmwRZF2d5qJPYIbL0p1YhHTilOM/91sVOxXCeRlomedzV3c1Bawf7ZaV5zV1YDREb0= Received: by 10.82.120.15 with SMTP id s15mr228317buc.1169576606519; Tue, 23 Jan 2007 10:23:26 -0800 (PST) Received: by 10.82.141.18 with HTTP; Tue, 23 Jan 2007 10:23:26 -0800 (PST) Message-ID: Date: Tue, 23 Jan 2007 12:23:26 -0600 From: "Isaac Grover" To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Subject: Incoming ssh doesn't quite work X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 23 Jan 2007 19:51:27 -0000 Good afternoon, I have a FreeBSD 6.1 box providing authentication services for a local wireless hotspot. "ext_if" (xl2) connects to the DSL modem, "wireless_if" (xl1) connects to the wireless router. Outbound http and https work just fine, but outbound ssh and inbound ssh don't work at all. Port forwarding on the DSL modem has been enabled, and I can see the inbound SSH requests on ext_if, sshd is actively listening on the required port, but the sshd logs say about connection attempts. Is there something else that needs to be configured in pf.conf for inbound ssh to function correctly? 
---8<---
ext_if="xl2"
ext_addr="172.16.1.33"
wireless_if="xl1"
wireless_net="192.168.100.0/24"
proxy_addr="192.168.100.1"

nat on $ext_if from $wireless_net to any port { 22, 443 } -> $ext_if

rdr on $wireless_if inet proto tcp from any to any port 80 -> $proxy_addr port 3080
rdr on $ext_if proto tcp from any to $ext_if port { 22, 80 } -> ($ext_if)

pass in on $wireless_if inet proto tcp from $wireless_net to any port { 22, 25, 110, 443, 3080 } keep state
pass in on $ext_if inet proto tcp from any to $ext_addr port { 22, 80 } flags S/SA synproxy state

pass out on $wireless_if inet proto tcp from $wireless_net to any port { 22, 25, 110, 443, 3080 } keep state
pass out on $ext_if inet proto tcp from any to any port { 22, 80 } flags S/SA synproxy state
---8<---

Thank you,
-- 
Isaac Grover, Owner
Quality Computer Services of River Falls, Wisconsin
Affordable I. T. Consulting, Web Design, and Web Hosting.
Commercial and Residential Inquiries Welcomed.
Web: http://www.qcs-rf.com

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 23 22:23:33 2007
Message-ID: <45B684BD.8090706@gmail.com>
Date: Tue, 23 Jan 2007 16:57:17 -0500
From: Martin Turgeon
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
To: freebsd-pf@freebsd.org
Subject: PF in kernel or as a module

Hi all!

I would like to start a debate on this subject. Which method of enabling PF is the more secure (buffer overflow for example), the fastest, the most stable, etc. I searched the web for some info but without result. So I would like to know your opinion on the pros and cons of each method.
Thank you,
Martin Turgeon

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 23 23:54:31 2007
From: "Greg Hennessy"
To: "'Martin Turgeon'"
Cc: freebsd-pf@freebsd.org
References: <45B684BD.8090706@gmail.com>
In-Reply-To: <45B684BD.8090706@gmail.com>
Date: Tue, 23 Jan 2007 23:34:24 -0000
Message-ID: <000001c73f47$041659b0$0c430d10$@Hennessy@nviz.net>
Subject: RE: PF in kernel or as a module

> Hi all!
>
> I would like to start a debate on this subject. Which method of
> enabling PF is the more secure (buffer overflow for example), the
> fastest, the most stable, etc. I searched the web for some info but
> without result. So I would like to know your opinion on the pros and
> cons of each method.

For production FreeBSD-based firewalls I have always built the kernel with PF. The idea being that if something does go pear shaped, there's a good chance that at least the packet filter will stay operational.

OpenBSD's standard pre-loaded /etc/rc filter (which drops everything except ssh & IIRC dns) would also be nice, but my understanding is that to implement it on Free would break the startup elsewhere.

Greg

From owner-freebsd-pf@FreeBSD.ORG Wed Jan 24 00:53:33 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Wed, 24 Jan 2007 01:53:25 +0100
User-Agent: KMail/1.9.5
References: <45B684BD.8090706@gmail.com>
In-Reply-To: <45B684BD.8090706@gmail.com>
Message-Id: <200701240153.30454.max@love2party.net>
Subject: Re: PF in kernel or as a module

On Tuesday 23 January 2007 22:57, Martin Turgeon wrote:
> I would like to start a debate on this subject. Which method of
> enabling PF is the more secure (buffer overflow for example), the
> fastest, the most stable, etc. I searched the web for some info but
> without result. So I would like to know your opinion on the pros and
> cons of each method.

Kernel module - loaded via loader.conf - is as secure as built in. There is a slight chance that somebody might be able to compromise the module on disk, but then they are likely to be able to write to the kernel (in the same location) as well. An additional plus is the possibility of freebsd-update if you do not have to build a custom kernel.

Note that some features are only available when built in: pfsync and altq - this is not going to change for technical reasons.

Performance-wise there should be no difference.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Jan 24 14:05:45 2007
Message-ID: <6e6841490701240539j5c403f9dr5a3171fa7716bf3e@mail.gmail.com>
Date: Wed, 24 Jan 2007 11:39:06 -0200
From: "Gilberto Villani Brito"
To: "FreeBSD (PF)"
Subject: Re: Incoming ssh doesn't quite work

Let's see your rules:
> ---8<---
> ext_if="xl2"
> ext_addr="172.16.1.33"
> wireless_if="xl1"
> wireless_net="192.168.100.0/24"
> proxy_addr="192.168.100.1"
>
> nat on $ext_if from $wireless_net to any port { 22, 443 } -> $ext_if
>
> rdr on $wireless_if inet proto tcp from any to any port 80 ->
> $proxy_addr port 3080

I didn't understand this rule; maybe without that rule it can work.

> rdr on $ext_if proto tcp from any to $ext_if port { 22, 80 } -> ($ext_if)
>
> pass in on $wireless_if inet proto tcp from $wireless_net to any port
> { 22, 25, 110, 443, 3080 } keep state
> pass in on $ext_if inet proto tcp from any to $ext_addr port { 22, 80
> } flags S/SA synproxy state
>

This rule is wrong!!!

> pass out on $wireless_if inet proto tcp from $wireless_net to any port
> { 22, 25, 110, 443, 3080 } keep state

The right one is:

pass out on $wireless_if inet proto tcp from any to $wireless_net port { 22, 25, 110, 443, 3080 } keep state

> pass out on $ext_if inet proto tcp from any to any port { 22, 80 }
> flags S/SA synproxy state
> ---8<---

Gilberto
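A rule that loads without complaint but never does anything, like the `pass out on $wireless_if` rule Gilberto flags, is visible from the counters pf keeps per rule: `pfctl -vsr` prints each rule followed by a `[ Evaluations: N  Packets: N  Bytes: N  States: N ]` line, and a rule that is evaluated yet passes zero packets has match criteria that never fit the traffic it sees. The script below is an added example, not something posted in the thread; it pulls such rules out of `pfctl -vsr` output. The sample output in `SAMPLE_PFCTL_VSR` is constructed (pfctl expands port lists into one rule per port and prints service names, and the counter values are invented for illustration).

```shell
#!/bin/sh
# unmatched_rules: list pf rules that pfctl has evaluated but that never
# passed or blocked a packet. Input is the output of `pfctl -vsr`, where
# every rule line is followed by a counter line such as
#   [ Evaluations: 911       Packets: 0         Bytes: 0           States: 0     ]
# Added example, not from the thread. Counters in SAMPLE_PFCTL_VSR are
# constructed for illustration.

SAMPLE_PFCTL_VSR='pass in on xl1 inet proto tcp from 192.168.100.0/24 to any port = ssh flags S/SA keep state
  [ Evaluations: 4132      Packets: 16        Bytes: 2048        States: 1     ]
pass in on xl2 inet proto tcp from any to 172.16.1.33 port = ssh flags S/SA synproxy state
  [ Evaluations: 911       Packets: 9         Bytes: 540         States: 1     ]
pass out on xl1 inet proto tcp from 192.168.100.0/24 to any port = ssh flags S/SA keep state
  [ Evaluations: 2052      Packets: 0         Bytes: 0           States: 0     ]
pass out on xl2 inet proto tcp from any to any port = ssh flags S/SA synproxy state
  [ Evaluations: 2052      Packets: 1200      Bytes: 98304       States: 3     ]'

# Reads pfctl -vsr output on stdin, prints one line per never-matching rule.
unmatched_rules() {
    awk '
        # a rule line starts with pass/block ("@N pass ..." under -vv)
        /^(@[0-9]+ )?(pass|block)/ {
            rule = $0
            sub(/^@[0-9]+ /, "", rule)
            next
        }
        # the counter line that follows the rule
        /^ *\[ *Evaluations:/ {
            evals = -1; pkts = -1
            for (i = 1; i <= NF; i++) {
                if ($i == "Evaluations:") evals = $(i + 1)
                if ($i == "Packets:")     pkts  = $(i + 1)
            }
            if (pkts == 0 && rule != "")
                printf "never matched (evaluated %d times): %s\n", evals, rule
            rule = ""
        }
    '
}

# Usage on the firewall:   pfctl -vsr | unmatched_rules
# Offline demo:            printf "%s\n" "$SAMPLE_PFCTL_VSR" | unmatched_rules
```

Run it only after some traffic has flowed, because `pfctl -f` reloads the ruleset and resets the counters. A rule with zero evaluations was never consulted at all (an earlier `quick` rule or another interface took the packet); a rule with evaluations but zero packets is the interesting case, because its direction, addresses or ports are wrong for the packets it sees. To watch which rule actually decides a given packet, add `log` to the rules and read `tcpdump -n -e -ttt -i pflog0`.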
From owner-freebsd-pf@FreeBSD.ORG Fri Jan 26 13:54:38 2007
Message-ID: <45BA0815.80708@gmail.com>
Date: Fri, 26 Jan 2007 08:54:29 -0500
From: Martin Turgeon
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
To: Max Laier
Cc: freebsd-pf@freebsd.org
References: <45B684BD.8090706@gmail.com> <200701240153.30454.max@love2party.net>
In-Reply-To: <200701240153.30454.max@love2party.net>
Subject: Re: PF in kernel or as a module

Max Laier wrote:
> On Tuesday 23 January 2007 22:57, Martin Turgeon wrote:
>> I would like to start a debate on this subject. Which method of
>> enabling PF is the more secure (buffer overflow for example), the
>> fastest, the most stable, etc. I searched the web for some info but
>> without result. So I would like to know your opinion on the pros and
>> cons of each method.
>
> Kernel module - loaded via loader.conf - is as secure as built in. There
> is a slight chance that somebody might be able to compromise the module
> on disk, but then they are likely to be able to write to the kernel (in
> the same location) as well. An additional plus is the possibility of
> freebsd-update if you do not have to build a custom kernel.
>
> Note that some features are only available when built in: pfsync and
> altq - this is not going to change for technical reasons.
>
> Performance wise there should be no difference.

Thanks a lot, that's exactly the type of answer I wanted. I'm always surprised to see how much knowledge the FreeBSD mailing lists are sharing.
Thank you for your effort,
Martin Turgeon

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 26 14:24:17 2007
From: "Kevin K."
References: <45B684BD.8090706@gmail.com> <200701240153.30454.max@love2party.net> <45BA0815.80708@gmail.com>
In-Reply-To: <45BA0815.80708@gmail.com>
Date: Fri, 26 Jan 2007 09:06:34 -0500
Message-ID: <000301c74153$30d86ed0$92894c70$@ca>
Subject: RE: PF in kernel or as a module

I'm curious if there has been some benchmarking done to compare the two methods of enabling PF.
The security debate could be argued to be circumstantial, but I'd like to hear from people who use it in production via loaded module, as my only experience with PF is building it into the kernel.

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Martin Turgeon
Sent: Friday, January 26, 2007 8:54 AM
To: Max Laier
Cc: freebsd-pf@freebsd.org
Subject: Re: PF in kernel or as a module
From owner-freebsd-pf@FreeBSD.ORG Sat Jan 27 15:22:18 2007
Message-ID: <45BB67C0.1070004@vwsoft.com>
Date: Sat, 27 Jan 2007 15:54:56 +0100
From: Volker
User-Agent: Thunderbird 1.5.0.9 (X11/20070119)
To: freebsd-pf@freebsd.org
Subject: ALTQ support for usb NICs?
Hi!

I'm wondering about the following: are there any technical reasons for not having ALTQ support for most (all?) usb NICs? Or did just too few people ask for it?

Greetings,
Volker

From owner-freebsd-pf@FreeBSD.ORG Sat Jan 27 15:22:18 2007
Message-ID: <45BB6675.2040609@vwsoft.com>
Date: Sat, 27 Jan 2007 15:49:25 +0100
From: Volker
User-Agent: Thunderbird 1.5.0.9 (X11/20070119)
To: "Kevin K."
Cc: freebsd-pf@freebsd.org
References: <45B684BD.8090706@gmail.com> <200701240153.30454.max@love2party.net> <45BA0815.80708@gmail.com> <000301c74153$30d86ed0$92894c70$@ca>
In-Reply-To: <000301c74153$30d86ed0$92894c70$@ca>
Subject: Re: RE: PF in kernel or as a module

On 12/23/-58 20:59, Kevin K. wrote:
> I'm curious if there has been some benchmarking done to compare the two
> methods of enabling PF.
>
> The security debate could be argued to be circumstantial, but I'd like to
> hear from people who use it in production via loaded module, as my only
> experience with PF is building it into the kernel.

I'm managing a bunch of machines all using pf (5.x, 6.x) as a kld module. I never experienced any problems. As I want to have b/w control I've compiled ALTQ into the kernel but kldload'ing pf (don't ask why, it's probably historic from the 5.2 days).

Never done any benchmarking, but on the other side I never experienced any performance problems.

Greetings,
Volker
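Max's argument in this thread is that a pf.ko on disk is no easier to tamper with than the kernel next to it, so choosing module or built-in does not change what has to be protected: /boot/kernel/kernel, /boot/kernel/pf.ko and /boot/loader.conf (which carries pf_load="YES" and decides what gets loaded before the filter is up). The script below is an added example, not something from the thread: it records a SHA-256 baseline of those files and checks it later. The baseline path /var/db/boot.sha256 is an assumption; sha256_of uses whichever of sha256(1), sha256sum or shasum exists, so the script also runs off FreeBSD.

```shell
#!/bin/sh
# Record and verify SHA-256 hashes of the kernel, the pf module and
# loader.conf, so a rewritten /boot/kernel/pf.ko (or kernel) is noticed at
# the next check. Added example for the thread above, not from the thread.
# The FreeBSD paths are the defaults; /var/db/boot.sha256 is an assumption.

# Use whichever SHA-256 tool exists: sha256(1) on FreeBSD, sha256sum on Linux,
# shasum elsewhere. Prints only the hex digest.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# record_baseline BASELINE FILE...
# Writes one "digest path" line per file, overwriting BASELINE.
record_baseline() {
    baseline=$1; shift
    : > "$baseline"
    for f in "$@"; do
        printf '%s %s\n' "$(sha256_of "$f")" "$f" >> "$baseline"
    done
}

# verify_baseline BASELINE
# Prints "CHANGED path" or "MISSING path" for every deviation; returns 1 if
# anything deviated, 0 if every file still matches its recorded digest.
verify_baseline() {
    baseline=$1
    status=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; status=1
        elif [ "$(sha256_of "$path")" != "$want" ]; then
            echo "CHANGED $path"; status=1
        fi
    done < "$baseline"
    return $status
}

# Typical use as root, right after an install, freebsd-update or kernel build:
#   record_baseline /var/db/boot.sha256 /boot/kernel/kernel /boot/kernel/pf.ko /boot/loader.conf
# and from cron or before a reboot:
#   verify_baseline /var/db/boot.sha256 || logger -p security.crit "boot files changed"
```

The baseline only means something if an attacker who can rewrite the kernel cannot also rewrite it, which is exactly Max's point: keep a copy off the box or on read-only media and compare against that, and re-record after every freebsd-update or kernel build, since those change the digests legitimately. FreeBSD's mtree(8) with -K sha256digest produces an equivalent specification for a whole directory tree if you want to cover all of /boot/kernel rather than three files.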