From owner-freebsd-pf@FreeBSD.ORG Sun Feb 11 14:54:07 2007
From: "eculp@encontacto.net"
To: Volker
Cc: freebsd-pf@freebsd.org
Date: Sun, 11 Feb 2007 08:54:03 -0600
Subject: Re: Re: SPAMD stop passing mail from WHITE-list
Message-ID: <20070211085403.70hvjlstbks0wk8g@correo.encontacto.net>
In-Reply-To: <45CC707C.5030608@vwsoft.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Quoting Volker :

> Ed,

Hi Volker,

I just set up a machine using your suggestions, correctly I hope ;)

> Nope, that's the wrong way. You let pass smtp (by a quick rule) but
> the block rule is after that. That is rendering your blocklist
> useless as all traffic is passing by the first rule.
>
> AFAIK the first connection causing an overload is being dropped but
> subsequent connections are still passing (as long as they don't
> overload).
>
> It should look like:
>
> block drop in quick on $ext_if from <blockhosts> to any
>
> pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp
>     keep state ( max-src-conn [ANYVAL], max-src-conn-rate
>     [ANYVAL]/[ANYTIME], overload <blockhosts> flush global )

I have set it up as:

block drop in quick on $ext_if from <blockhosts> to any

pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep state \
    ( max-src-conn 5, max-src-conn-rate 80/90, overload <blockhosts> flush global )

I'm still not flushing the table with tableexpire as I do with my
bruteforce ssh table from crontab. I want to evaluate the entries for
a while first.

I chose max-src-conn 5 because that is the max number of connections
per IP in courier. I assume that should work and if I change it, I
would think that I should probably change the courier esmtpd
configuration also. Time will tell I guess.

> Whenever any host is overloading ssh or smtp access, I'm loading
> their IP address into the blockhosts table and so the machine will
> never again talk to that IP address (forever!). You may want to do
> it different (for example flushing the table once a week or at
> midnight). One machine running this for months has already blocked
> 1400 IP addresses and as far as I've checked, all have been dynamic
> zombies (no regular mail clients have been blocked by that).
> I haven't found a way to use that mechanism to block such hosts for,
> say 120 minutes (which would be a great feature).

For my ssh-bruteforce table I am using a crontab entry to expire the
entries every 30 minutes. Just in case I shoot myself in the foot,
the pain is reduced to half an hour. ;)

*/30 * * * * root /usr/local/sbin/expiretable -t 3600 ssh-bruteforce >/dev/null 2>&1

Thanks so much for sharing your configuration and advice.

ed

>> Could it work and be controllable or would it make a bad situation worse?
>
> You may use a blocking mechanism like that for any other host
> service, too. If you're going to use that for UDP "connections" you
> should be aware that they're connectionless and so options like
> "max-src-connXXX" don't match here.
>
> HTH,
>
> Volker

From owner-freebsd-pf@FreeBSD.ORG Sun Feb 11 16:56:12 2007
From: Volker
Date: Sun, 11 Feb 2007 17:55:50 +0100
Message-ID: <45CF4A96.9030304@vwsoft.com>
To: "eculp@encontacto.net"
Cc: freebsd-pf@freebsd.org
Subject: Re: SPAMD stop passing mail from WHITE-list
In-Reply-To: <20070211085403.70hvjlstbks0wk8g@correo.encontacto.net>

Ed,

On 02/11/07 15:54, eculp@encontacto.net wrote:
> Quoting Volker :
>
> I just set up a machine using your suggestions, correctly I hope ;)
> I have set it up as:
>
> block drop in quick on $ext_if from <blockhosts> to any
>
> pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep state \
>     ( max-src-conn 5, max-src-conn-rate 80/90, overload <blockhosts> flush global )
>
> I'm still not flushing the table with tableexpire as I do with my
> bruteforce ssh table from crontab. I want to evaluate the entries for a
> while first.
>
> I chose max-src-conn 5 because that is the max number of connections per
> IP in courier. I assume that should work and if I change it, I would
> think that I should probably change the courier esmtpd configuration
> also. Time will tell I guess.

Your rules are looking good so far. For the max-src-conn value you
have to check what value will be best for you. If you're using any
other server as a backup MX and you're the final destination, a value of
5 may be bad as postfix (for example) is using 5 as a concurrency
destination limit per default which might easily blow your overload
rule and your backup MX might get blocked. You should check if that
value really works for you so as not to have legitimate hosts blocked.

>> I haven't found a way to use that mechanism to block such hosts for,
>> say 120 minutes (which would be a great feature).
>
> For my ssh-bruteforce table I am using a crontab entry to expire the
> entries every 30 minutes. Just in case I shoot myself in the foot, the
> pain is reduced to half an hour. ;)
>
> */30 * * * * root /usr/local/sbin/expiretable -t 3600 ssh-bruteforce >/dev/null 2>&1

It's ok if it does fit your needs but remember if a host is being
blocked by your overload rules at 12:29 it's getting unblocked at
12:30. I haven't checked expiretable (I had really forgotten it), which
might be a better solution as far as I remember expiretable from the ML
discussion.

> Thanks so much for sharing your configuration and advice.

You're welcome!

I've just written a small periodic script to have newly blocked IP
addresses visible in the daily security report.

If you want to use it, change the table name and copy the file to
/usr/local/etc/periodic/security/... and chmod it executable:

/usr/local/etc/periodic/security/710.blockedhosts:

#!/bin/sh
# show changes in IP addresses being blocked by pf

# If there is a global system configuration file, suck it in.
if [ -r /etc/defaults/periodic.conf ]
then
    . /etc/defaults/periodic.conf
    source_periodic_confs
fi

. /etc/periodic/security/security.functions

rc=0

blocktable=${blocktable-"blockhosts"}
cmd=${cmd-"pfctl -t ${blocktable} -Ts"}
nc=`${cmd} | wc -l`

${cmd} | check_diff blockhosts - "${host} blocking host changes (total ${nc} IP):"
#EOF

Greetings,

Volker

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 12 10:09:29 2007
From: "eculp@encontacto.net"
To: Volker
Date: Mon, 12 Feb 2007 04:09:24 -0600
Message-ID: <20070212040924.dspc2grhgkggwo00@correo.encontacto.net>
In-Reply-To: <45CF4A96.9030304@vwsoft.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: SPAMD stop passing mail from WHITE-list

Quoting Volker :

> Ed,
>
> On 02/11/07 15:54, eculp@encontacto.net wrote:
>> Quoting Volker :
>>
>> I just set up a machine using your suggestions, correctly I hope ;)
>> I have set it up as:
>>
>> block drop in quick on $ext_if from <blockhosts> to any
>>
>> pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep state \
>>     ( max-src-conn 5, max-src-conn-rate 80/90, overload <blockhosts> flush global )
>>
>> I'm still not flushing the table with tableexpire as I do with my
>> bruteforce ssh table from crontab. I want to evaluate the entries for a
>> while first.
>>
>> I chose max-src-conn 5 because that is the max number of connections per
>> IP in courier. I assume that should work and if I change it, I would
>> think that I should probably change the courier esmtpd configuration
>> also. Time will tell I guess.
>
> Your rules are looking good so far. For the max-src-conn value you
> have to check what value will be best for you. If you're using any
> other server as a backup MX and you're the final destination, a value of
> 5 may be bad as postfix (for example) is using 5 as a concurrency
> destination limit per default which might easily blow your overload
> rule and your backup MX might get blocked. You should check if that
> value really works for you so as not to have legitimate hosts blocked.

Hi Volker,

I'm keeping my eye on that, thanks.

>>> I haven't found a way to use that mechanism to block such hosts for,
>>> say 120 minutes (which would be a great feature).
>>
>> For my ssh-bruteforce table I am using a crontab entry to expire the
>> entries every 30 minutes. Just in case I shoot myself in the foot, the
>> pain is reduced to half an hour. ;)
>>
>> */30 * * * * root /usr/local/sbin/expiretable -t 3600 ssh-bruteforce >/dev/null 2>&1
>
> It's ok if it does fit your needs but remember if a host is being
> blocked by your overload rules at 12:29 it's getting unblocked at
> 12:30. I haven't checked expiretable (I had really forgotten it), which
> might be a better solution as far as I remember expiretable from the ML
> discussion.

It was/is a bit confusing but according to the examples in the manual
and in my testing a few months ago for ssh bruteforce, it seems to work,
as in the EXAMPLES:

     The following removes any entries in table int.users older than one hour:

           # expiretable -v -t 3600 int.users

     This example removes any entries in table int.users older than one and a
     half hours:

           # expiretable -v -t 1h30m int.users

I'm not using it yet for smtp, but probably will eventually, with a
minimum of a few days.

>> Thanks so much for sharing your configuration and advice.
>
> You're welcome!
>
> I've just written a small periodic script to have newly blocked IP
> addresses visible in the daily security report.
>
> If you want to use it, change the table name and copy the file to
> /usr/local/etc/periodic/security/... and chmod it executable:
>
> /usr/local/etc/periodic/security/710.blockedhosts:
>
> #!/bin/sh
> # show changes in IP addresses being blocked by pf
>
> # If there is a global system configuration file, suck it in.
> if [ -r /etc/defaults/periodic.conf ]
> then
>     . /etc/defaults/periodic.conf
>     source_periodic_confs
> fi
>
> . /etc/periodic/security/security.functions
>
> rc=0
>
> blocktable=${blocktable-"blockhosts"}
> cmd=${cmd-"pfctl -t ${blocktable} -Ts"}
> nc=`${cmd} | wc -l`
>
> ${cmd} | check_diff blockhosts - "${host} blocking host changes (total ${nc} IP):"
> #EOF

I was still missing the script and am going to install it now.

Thanks

ed

P.S. The smtp settings seem to be working as expected so far.

> Greetings,
>
> Volker
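As an added example (my own sh, not code from the thread), a small lint that reads a pf.conf on stdin and flags the two points Volker raised above: a quick pass rule with an overload table that has no earlier "block ... quick" rule on that table (the blocklist is never consulted), and a max-src-conn at or below 5, the Postfix default destination concurrency he mentions. The rule text used for testing is constructed; the table name follows the thread's <blockhosts>.

```shell
#!/bin/sh
# pf_overload_lint.sh - added example, not code from the thread.
# Reads a pf.conf on stdin and prints one diagnostic per finding:
#   1. "pass ... overload <t>" with no earlier "block ... quick ... <t>" rule;
#   2. max-src-conn <= 5 (Postfix's default destination concurrency), which
#      can get a legitimate backup MX blocked.
# Exit status 0 means nothing was found.

pf_overload_lint() {
    awk '
        { sub(/#.*/, "") }                    # drop comments
        /\\[ \t]*$/ {                         # line continued with "\": join it
            sub(/\\[ \t]*$/, " ")
            if (buf == "") start = NR
            buf = buf $0
            next
        }
        {
            line = buf $0
            if (buf == "") start = NR
            buf = ""
            if (line ~ /[^ \t]/) { n[++c] = start; r[c] = line }
        }
        END {
            problems = 0
            for (i = 1; i <= c; i++) {
                if (r[i] !~ /^[ \t]*pass/) continue
                # "overload <" is 10 characters, the closing ">" one more
                if (match(r[i], /overload <[^>]*>/)) {
                    t = substr(r[i], RSTART + 10, RLENGTH - 11)
                    ok = 0
                    for (j = 1; j < i; j++)
                        if (r[j] ~ /^[ \t]*block/ && r[j] ~ /quick/ &&
                            index(r[j], "<" t ">")) ok = 1
                    if (!ok) {
                        printf "line %d: overload <%s> but no earlier block quick rule on <%s>\n", n[i], t, t
                        problems++
                    }
                }
                # "max-src-conn " is 13 characters; "max-src-conn-rate" does not match
                if (match(r[i], /max-src-conn [0-9]+/)) {
                    v = substr(r[i], RSTART + 13, RLENGTH - 13) + 0
                    if (v <= 5) {
                        printf "line %d: max-src-conn %d is at or below the Postfix default destination concurrency (5); a legitimate backup MX may get blocked\n", n[i], v
                        problems++
                    }
                }
            }
            exit problems > 0 ? 1 : 0
        }'
}

# Typical use on a live system: pf_overload_lint < /etc/pf.conf
```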
From owner-freebsd-pf@FreeBSD.ORG Mon Feb 12 11:10:42 2007
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 12 Feb 2007 11:10:39 GMT
Subject: Current problem reports assigned to you
Message-Id: <200702121110.l1CBAd5X098698@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/82271   pf     [pf] cbq scheduler cause bad latency
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o sparc/93530  pf     Incorrect checksums when using pf's route-to on sparc6

3 problems total.

Non-critical problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
f conf/81042   pf     [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o kern/93825   pf     [pf] pf reply-to doesn't work
o kern/103304  pf     pf accepts nonexistent queue in rules
o kern/106400  pf     fatal trap 12 at restart of PF with ALTQ if ng0 device

4 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 12 21:48:50 2007
From: "Chip Marshall"
To: freebsd-pf@freebsd.org
Date: Mon, 12 Feb 2007 14:50:31 -0500
Message-ID: <1240af8c0702121150k52fad621q9e5899f99cf2b8e6@mail.gmail.com>
Subject: Trying to setup DSR load balancing with pf route-to
I've been trying to get a Direct Server Return (DSR) load balancing
arrangement set up using FreeBSD 6.2's pf and the route-to option.

The arrangement looks something like this:

         Router
            |
   /--------+--------\
   |                 |
   |  +--------+     |     +--------+
   +-0|  lb 1  |1----+----0|  web 1 |lo0--(x.100)
   |  +--------+     |     +--------+
   |                 |
   |  +--------+     |     +--------+
   \-0|  lb 2  |1----+----0|  web 2 |lo0--(x.100)
      +--------+     |     +--------+
                     |
                     |     +--------+
                     +----0|  web n |lo0--(x.100)
                           +--------+

Where x.100 is the routable IP address of the website. The Router has a
route to x.100 via interface 0 of the load balancers, which use pf's
route-to option to redirect the packets to one of the web servers,
keeping state so further packets for the same connection go to the same
web server.

The web servers then send the returning packets directly to the router.

The problem I'm having is that the load balancers aren't actually
passing packets. I have the following in their pf.conf:

pass in on fxp0 route-to { web1, web2, webn } from any to x.100 keep state

and that's it.

Using tcpdump, I see packets coming into the load balancers, and I see
state rules being set up according to that rule, but I never see
packets leaving the load balancers, and definitely never see them
hitting the web farm.

Any ideas for what I'm doing wrong here?

--
Chip Marshall

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 13 00:46:18 2007
From: "Dan Langille"
To: "Kian Mohageri"
Cc: freebsd-pf@freebsd.org
Date: Mon, 12 Feb 2007 19:46:12 -0500
Message-ID: <45D0C404.27182.257AAE28@dan.langille.org>
References: <45CDED58.2056.1A642A00@dan.langille.org>
Subject: Re: pf starts, but no rules
On 10 Feb 2007 at 13:53, Kian Mohageri wrote:

> On 2/10/07, Dan Langille wrote:
>>
>> Hi folks,
>>
>> Yesterday I rebooted a server to load a new kernel. After the
>> reboot, the firewall rules were not loaded.
>>
>> $ grep pf /etc/rc.conf
>> pf_enable="YES"
>> pflog_enable="YES"
>> pf_rules="/etc/pf.rules"
>>
>> I never checked for the rules until today and found this:
>>
>> [dan@nyi:~] $ sudo pfctl -sa | less
>> Password:
>> No ALTQ support in kernel
>> ALTQ related functions disabled
>> FILTER RULES:
>>
>> INFO:
>> Status: Enabled for 0 days 19:59:39           Debug: None
>>
>> Hostid: 0x36eae8cf
>>
>> State Table                          Total             Rate
>>   current entries                        0
>>   searches                         5515422           76.6/s
>>
>> etc...
>>
>> Loading the rules manually works:
>>
>> [dan@nyi:~] $ sudo pfctl -f /etc/pf.rules
>> No ALTQ support in kernel
>> ALTQ related functions disabled
>> [dan@nyi:~] $
>>
>> After loading, pfctl -sa shows the output I would expect.
>>
>> Ideas? Suggestions?
>>
>> Is anyone else using PF with a pf_rules specified?
>>
>> FWIW, I notice I have one host identified by FQDN in my rules.
>
> I had this problem as well, and it is because at the time the pf rules are
> loaded, the FQDN cannot be resolved. I believe that is because of the
> "BEFORE: routing" dependency in /etc/rc.d/pf.

Interesting... I just tried to reproduce the problem on a test server,
and was unable to. I'll keep trying.

--
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php
PGCon - The PostgreSQL Conference - http://www.pgcon.org/

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 13 06:45:11 2007
From: Jeremy Baggs
To: freebsd-pf@freebsd.org
Date: Mon, 12 Feb 2007 23:30:58 -0700
Message-ID: <45D15B22.5090408@comcast.net>
Subject: DHCP no-route

Hello all,

I have a FreeBSD/pf firewall set up between my network and the outside
world. The firewall box gets an IP address from my ISP through DHCP.
When a lease expires, my firewall successfully obtains a new address
from one server at my ISP. There is however a second server that comes
into play when I issue a request using dhclient. This second server
gets blocked by the rule:

block drop log quick from no-route to any

I can ping both servers.
I could add a pass rule for the second server but am wondering under
what conditions a server would behave like this in the first place.

Any thoughts?

Jeremy

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 13 11:49:22 2007
From: "Gilberto Villani Brito"
To: "FreeBSD (PF)"
Date: Tue, 13 Feb 2007 09:49:19 -0200
Message-ID: <6e6841490702130349n54860aacm185792e37127e762@mail.gmail.com>
In-Reply-To: <1240af8c0702121150k52fad621q9e5899f99cf2b8e6@mail.gmail.com>
Subject: Re: Trying to setup DSR load balancing with pf route-to

Try to use round-robin like that:

pass in on fxp0 route-to { web1, web2, webn } round-robin from any to x.100 keep state

--
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com

On 12/02/07, Chip Marshall wrote:
> I've been trying to get a Direct Server Return (DSR) load balancing
> arrangement set up using FreeBSD 6.2's pf and the route-to option.
>
> The arrangement looks something like this:
>
>          Router
>             |
>    /--------+--------\
>    |                 |
>    |  +--------+     |     +--------+
>    +-0|  lb 1  |1----+----0|  web 1 |lo0--(x.100)
>    |  +--------+     |     +--------+
>    |                 |
>    |  +--------+     |     +--------+
>    \-0|  lb 2  |1----+----0|  web 2 |lo0--(x.100)
>       +--------+     |     +--------+
>                      |
>                      |     +--------+
>                      +----0|  web n |lo0--(x.100)
>                            +--------+
>
> Where x.100 is the routable IP address of the website. The Router has a
> route to x.100 via interface 0 of the load balancers, which use pf's
> route-to option to redirect the packets to one of the web servers,
> keeping state so further packets for the same connection go to the same
> web server.
>
> The web servers then send the returning packets directly to the router.
>
> The problem I'm having is that the load balancers aren't actually
> passing packets. I have the following in their pf.conf:
>
> pass in on fxp0 route-to { web1, web2, webn } from any to x.100 keep state
>
> and that's it.
>
> Using tcpdump, I see packets coming into the load balancers, and I see
> state rules being set up according to that rule, but I never see
> packets leaving the load balancers, and definitely never see them
> hitting the web farm.
>
> Any ideas for what I'm doing wrong here?
>
> --
> Chip Marshall
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 13 12:21:43 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Tue, 13 Feb 2007 13:21:08 +0100
Message-Id: <200702131321.18333.max@love2party.net>
In-Reply-To: <45CDED58.2056.1A642A00@dan.langille.org>
Subject: Re: pf starts, but no rules
On Saturday 10 February 2007 22:05, Dan Langille wrote:
> Hi folks,
>
> Yesterday I rebooted a server to load a new kernel. After the
> reboot, the firewall rules were not loaded.
>
> $ grep pf /etc/rc.conf
> pf_enable="YES"
> pflog_enable="YES"
> pf_rules="/etc/pf.rules"
>
> I never checked for the rules until today and found this:
>
> [dan@nyi:~] $ sudo pfctl -sa | less
> Password:
> No ALTQ support in kernel
> ALTQ related functions disabled
> FILTER RULES:
>
> INFO:
> Status: Enabled for 0 days 19:59:39           Debug: None
>
> Hostid: 0x36eae8cf
>
> State Table                          Total             Rate
>   current entries                        0
>   searches                         5515422           76.6/s
>
> etc...
>
> Loading the rules manually works:
>
> [dan@nyi:~] $ sudo pfctl -f /etc/pf.rules
> No ALTQ support in kernel
> ALTQ related functions disabled
> [dan@nyi:~] $
>
> After loading, pfctl -sa shows the output I would expect.
>
> Ideas? Suggestions?
>
> Is anyone else using PF with a pf_rules specified?
>
> FWIW, I notice I have one host identified by FQDN in my rules.

Check "dmesg -a" for error messages. The FQDN is indeed one possible
cause. Other causes include dynamically created interfaces used in "set
loginterface" or "set skip on" or as an address, but not surrounded
with "()".

One possible solution that has been suggested would be to use a simple
deny all but ssh/dns ruleset in the first stage and load the real ruleset
once all interfaces are there and the resolver is working. I'm willing
to commit patches, though this is probably something best discussed on
freebsd-rc@

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
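As an added example (my own sh script, not Max's patches or FreeBSD's rc.d code), one way to implement the two-stage load he describes: list the hostnames a ruleset uses as addresses, load the real ruleset only when they all resolve, and fall back to a minimal ruleset otherwise. /etc/pf.rules is the path from Dan's rc.conf; /etc/pf.boot.rules is an assumed name for the fallback.

```shell
#!/bin/sh
# pf_rules_boot_check.sh - added example, not code from the thread.
# Picks the ruleset to load: the real one when every hostname in it
# resolves, otherwise a minimal fallback (assumed path /etc/pf.boot.rules),
# so pf never comes up with an empty ruleset as in Dan's report.

# Hostnames (tokens containing a letter and at least one dot) used as
# addresses in the ruleset read from stdin, one per line, deduplicated.
pf_hostnames() {
    sed -e 's/#.*//' | tr '{},' '   ' | awk '
        {
            for (i = 1; i <= NF; i++) {
                w = $i
                if (w ~ /^[$<("]/) continue                      # macro, <table>, (if), string
                if (w ~ /^[0-9.]+(\/[0-9]+)?$/) continue          # IPv4, optional prefix
                if (w ~ /^[0-9a-fA-F:]+(\/[0-9]+)?$/) continue    # IPv6
                if (w ~ /^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\.?$/ && w ~ /[A-Za-z]/) print w
            }
        }' | sort -u
}

# Resolve one name with host(1) from the base system; redefine to test offline.
resolve_one() {
    host "$1" >/dev/null 2>&1
}

# Exit status 0 if every argument resolves, 1 otherwise; failures go to stderr.
all_resolve() {
    status=0
    for name in "$@"; do
        resolve_one "$name" || { echo "unresolvable: $name" >&2; status=1; }
    done
    return $status
}

# Print the ruleset to load: $1 (real) when it names no hosts or all of
# them resolve, otherwise $2 (minimal fallback).
choose_ruleset() {
    names=$(pf_hostnames < "$1")
    # word splitting on $names is intended: one argument per hostname
    if [ -z "$names" ] || all_resolve $names; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$2"
    fi
}

# Load whichever ruleset choose_ruleset picks; dry run unless PF_APPLY=1.
load_rules() {
    rules=$(choose_ruleset "${1:-/etc/pf.rules}" "${2:-/etc/pf.boot.rules}")
    if [ "${PF_APPLY:-0}" = 1 ]; then
        pfctl -f "$rules"
    else
        printf 'would run: pfctl -f %s\n' "$rules"
    fi
}
```

Once the resolver is up, a second run with PF_APPLY=1 loads the real ruleset; the fallback from the first stage is replaced rather than merged, since pfctl -f replaces the active ruleset.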
I'm willing to commit patches, though this is probably something best
discussed on freebsd-rc@

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 13 17:43:47 2007
From: "Dan Langille"
To: Max Laier
Date: Tue, 13 Feb 2007 12:43:39 -0500
Message-ID:
<45D1B27B.5615.291E28A7@dan.langille.org>
In-reply-to: <200702131321.18333.max@love2party.net>
References: <45CDED58.2056.1A642A00@dan.langille.org>, <200702131321.18333.max@love2party.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf starts, but no rules

On 13 Feb 2007 at 13:21, Max Laier wrote:

> On Saturday 10 February 2007 22:05, Dan Langille wrote:
> > Hi folks,
> >
> > Yesterday I rebooted a server to load a new kernel. After the
> > reboot, the firewall rules were not loaded.
> >
> > $ grep pf /etc/rc.conf
> > pf_enable="YES"
> > pflog_enable="YES"
> > pf_rules="/etc/pf.rules"
> >
> > I never checked for the rules until today and found this:
> >
> > [dan@nyi:~] $ sudo pfctl -sa | less
> > Password:
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > FILTER RULES:
> >
> > INFO:
> > Status: Enabled for 0 days 19:59:39           Debug: None
> >
> > Hostid: 0x36eae8cf
> >
> > State Table                          Total             Rate
> >   current entries                        0
> >   searches                         5515422           76.6/s
> >
> > etc...
> >
> > Loading the rules manually works:
> >
> > [dan@nyi:~] $ sudo pfctl -f /etc/pf.rules
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > [dan@nyi:~] $
> >
> > After loading, pfctl -sa shows the output I would expect.
> >
> > Ideas? Suggestions?
> >
> > Is anyone else using PF with a pf_rules specified?
> >
> > FWIW, I notice I have one host identified by FQDN in my rules.
>
> Check "dmesg -a" for error messages. The FQDN is indeed one possible
> cause.
> Other causes include dynamically created interfaces used in "set
> loginterface" or "set skip on" or as an address, but not surrounded
> with "()".
>
> One possible solution that has been suggested would be to use a simple
> deny all but ssh/dns ruleset in the first stage and load the real ruleset
> once all interfaces are there and the resolver is working. I'm willing
> to commit patches, though this is probably something best discussed on
> freebsd-rc@

Noted. Agreed.. But personally, if I cannot reproduce it here, it's
hard for me to test I have a fix. ;)

My plan was to empty the table of the FQDN, then add the FQDN into
the table with an rc script later in the process.

I don't really want to test this on the production machine. I'll keep
trying to reproduce it as I get the chance.

-- 
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php
PGCon - The PostgreSQL Conference - http://www.pgcon.org/

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 13 20:36:54 2007
Date: Tue, 13 Feb 2007 14:07:36 -0600 (CST)
From: "Jeremy C.
Reed"
To: freebsd-pf@freebsd.org
In-Reply-To: <45D1B27B.5615.291E28A7@dan.langille.org>
References: <45CDED58.2056.1A642A00@dan.langille.org>, <200702131321.18333.max@love2party.net> <45D1B27B.5615.291E28A7@dan.langille.org>
Subject: Re: pf starts, but no rules

> > One possible solution that has been suggested would be to use a simple
> > deny all but ssh/dns ruleset in the first stage and load the real ruleset
> > once all interfaces are there and the resolver is working. I'm willing
> > to commit patches, though this is probably something best discussed on
> > freebsd-rc@

By the way, NetBSD and OpenBSD do that. NetBSD has an /etc/rc.d/pf_boot
that is BEFORE network that loads the /etc/pf.boot.conf (if it exists) or
/etc/defaults/pf.boot.conf, which contains:

# Default deny.
block all

# Don't block loopback.
pass on lo0

# Allow outgoing dns, needed by pfctl to resolve names.
pass out proto { tcp, udp } from any to any port 53 keep state

# Allow outgoing ping request, might be needed by dhclient to validate
# old (but valid) leases in /var/db/dhclient.leases in case it needs to
# fall back to such a lease (the dhcp server can be down or not responding).
pass out inet proto icmp all icmp-type echoreq keep state

# Allow IPv6 router/neighbor solicitation and advertisement.
pass out inet6 proto icmp6 all icmp6-type neighbrsol
pass in inet6 proto icmp6 all icmp6-type neighbradv
pass out inet6 proto icmp6 all icmp6-type routersol
pass in inet6 proto icmp6 all icmp6-type routeradv

The regular /etc/rc.d/pf requires networking to be done first.
On OpenBSD, it loads rules like:

block all
pass on lo0
pass in proto tcp from any to any port 22 keep state
pass out proto { tcp, udp } from any to any port 53 keep state
pass out inet proto icmp all icmp-type echoreq keep state
pass out inet6 proto icmp6 all icmp6-type neighbrsol
pass in inet6 proto icmp6 all icmp6-type neighbradv
pass out inet6 proto icmp6 all icmp6-type routersol
pass in inet6 proto icmp6 all icmp6-type routeradv
pass proto { pfsync, carp }
scrub in all no-df
pass in proto udp from any port { 111, 2049 } to any
pass out proto udp from any to any port { 111, 2049 }

(Note it only loads some of these if inet6 and NFS are enabled.)

Jeremy C. Reed

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 13 21:26:49 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-rc@freebsd.org
Date: Tue, 13 Feb 2007 22:26:31 +0100
References: <45CDED58.2056.1A642A00@dan.langille.org> <45D1B27B.5615.291E28A7@dan.langille.org>
Message-Id: <200702132226.40415.max@love2party.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf starts, but no rules

Does anyone have time to get something like this going for FreeBSD as
well?

On Tuesday 13 February 2007 21:07, Jeremy C. Reed wrote:
> > > One possible solution that has been suggested would be to use a
> > > simple deny all but ssh/dns ruleset in the first stage and load the
> > > real ruleset once all interfaces are there and the resolver is
> > > working. I'm willing to commit patches, though this is probably
> > > something best discussed on freebsd-rc@
>
> By the way, NetBSD and OpenBSD do that. NetBSD has an /etc/rc.d/pf_boot
> that is BEFORE network that loads the /etc/pf.boot.conf (if it exists) or
> /etc/defaults/pf.boot.conf, which contains:
>
> # Default deny.
> block all
>
> # Don't block loopback.
> pass on lo0
>
> # Allow outgoing dns, needed by pfctl to resolve names.
> pass out proto { tcp, udp } from any to any port 53 keep state
>
> # Allow outgoing ping request, might be needed by dhclient to validate
> # old (but valid) leases in /var/db/dhclient.leases in case it needs to
> # fall back to such a lease (the dhcp server can be down or not
> responding).
> pass out inet proto icmp all icmp-type echoreq keep state
>
> # Allow IPv6 router/neighbor solicitation and advertisement.
> pass out inet6 proto icmp6 all icmp6-type neighbrsol
> pass in inet6 proto icmp6 all icmp6-type neighbradv
> pass out inet6 proto icmp6 all icmp6-type routersol
> pass in inet6 proto icmp6 all icmp6-type routeradv
>
> The regular /etc/rc.d/pf requires networking to be done first.
>
> On OpenBSD, it loads rules like:
>
> block all
> pass on lo0
> pass in proto tcp from any to any port 22 keep state
> pass out proto { tcp, udp } from any to any port 53 keep state
> pass out inet proto icmp all icmp-type echoreq keep state
> pass out inet6 proto icmp6 all icmp6-type neighbrsol
> pass in inet6 proto icmp6 all icmp6-type neighbradv
> pass out inet6 proto icmp6 all icmp6-type routersol
> pass in inet6 proto icmp6 all icmp6-type routeradv
> pass proto { pfsync, carp }
> scrub in all no-df
> pass in proto udp from any port { 111, 2049 } to any
> pass out proto udp from any to any port { 111, 2049 }
>
> (Note it only loads some of these if inet6 and NFS are enabled.)
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 14 05:37:15 2007
Date: Tue, 13 Feb 2007 21:37:13 -0800
From: "Kian Mohageri"
To: "Max Laier"
In-Reply-To: <200702132226.40415.max@love2party.net>
References: <45CDED58.2056.1A642A00@dan.langille.org> <45D1B27B.5615.291E28A7@dan.langille.org>
<200702132226.40415.max@love2party.net>
Cc: freebsd-rc@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: pf starts, but no rules

On 2/13/07, Max Laier wrote:
>
> Does anyone have time to get something like this going for FreeBSD as
> well?

I tested out some solutions. I'm not sure if this is what you guys were
looking to do, but NetBSD's solution seems fine. I'm not thrilled about
using another rc-script to solve this issue, but I couldn't think of a
simpler/more elegant solution.

Diff is against CURRENT, and I don't currently have any boxes running
CURRENT, but I tested it as much as I could. I'll get a box up to CURRENT
later to test other patches.

I couldn't decide what to pass in this initial ruleset. Passing SSH seems
safe/smart, but surely not everyone will agree.
Sorry if this is way off :)

-- 
Kian Mohageri

Content-Type: application/octet-stream; name=pf_early.diff
Content-Disposition: attachment; filename="pf_early.diff"
(attachment was base64-encoded; decoded below)

diff -ruN etc/defaults/Makefile etc.new/defaults/Makefile
--- etc/defaults/Makefile	Fri Dec  9 07:19:31 2005
+++ etc.new/defaults/Makefile	Tue Feb 13 20:08:25 2007
@@ -1,6 +1,6 @@
 # $FreeBSD: src/etc/defaults/Makefile,v 1.7 2005/12/09 15:19:31 ru Exp $
 
-FILES=	bluetooth.device.conf devfs.rules pccard.conf periodic.conf rc.conf
+FILES=	bluetooth.device.conf devfs.rules pccard.conf periodic.conf pf.early.conf rc.conf
 NO_OBJ=
 FILESDIR= /etc/defaults
 
diff -ruN etc/defaults/pf.early.conf etc.new/defaults/pf.early.conf
--- etc/defaults/pf.early.conf	Wed Dec 31 16:00:00 1969
+++ etc.new/defaults/pf.early.conf	Tue Feb 13 20:08:01 2007
@@ -0,0 +1,22 @@
+# $FreeBSD: src/etc/defaults/pf.early.conf$
+
+# Default deny
+block all
+
+# Don't filter loopback interface(s) 
+set skip on lo
+
+# Allow incoming SSH
+pass in proto tcp from any to any port ssh keep state
+
+# Allow outgoing DNS, needed by pfctl to resolve any FQDNs
+pass out proto { tcp, udp } from any to any port 53 keep state
+
+# Allow outgoing ping
+pass out inet proto icmp all icmp-type echoreq keep state
+
+# Allow IPv6 router/neighbor solicitation and advertisement
+pass out inet6 proto icmp6 all icmp6-type neighbrsol
+pass in inet6 proto icmp6 all icmp6-type neighbradv
+pass out inet6 proto icmp6 all icmp6-type routersol
+pass in inet6 proto icmp6 all icmp6-type routeradv
diff -ruN etc/defaults/rc.conf etc.new/defaults/rc.conf
--- etc/defaults/rc.conf	Fri Feb  9 04:11:27 2007
+++ etc.new/defaults/rc.conf	Tue Feb 13 20:36:29 2007
@@ -145,6 +145,10 @@
 pf_rules="/etc/pf.conf"		# rules definition file for pf
 pf_program="/sbin/pfctl"	# where the pfctl program lives
 pf_flags=""			# additional flags for pfctl
+pf_early_enable="YES"		# Load minimal ruleset when pf_enable="YES"
+				# before routing is enabled, after which the 
+				# real ruleset will be loaded
+pf_early_rules="/etc/defaults/pf.early.conf"	# Default minimal ruleset
 pflog_enable="NO"		# Set to YES to enable packet filter logging
 pflog_logfile="/var/log/pflog"	# where pflogd should store the logfile
 pflog_program="/sbin/pflogd"	# where the pflogd program lives
diff -ruN etc/rc.d/Makefile etc.new/rc.d/Makefile
--- etc/rc.d/Makefile	Sun Oct 15 07:19:06 2006
+++ etc.new/rc.d/Makefile	Tue Feb 13 20:42:09 2007
@@ -27,7 +27,7 @@
 	network_ipv6 newsyslog nfsclient nfsd \
 	nfslocking nfsserver nisdomain nsswitch ntpd ntpdate \
 	othermta \
-	pf pflog pfsync \
+	pf pf_early pflog pfsync \
 	powerd power_profile ppp pppoed pwcheck \
 	quota \
 	random rarpd resolv root \
diff -ruN etc/rc.d/pf etc.new/rc.d/pf
--- etc/rc.d/pf	Sun Dec 31 02:37:18 2006
+++ etc.new/rc.d/pf	Tue Feb 13 20:09:33 2007
@@ -4,8 +4,7 @@
 #
 
 # PROVIDE: pf
-# REQUIRE: root mountcritlocal netif pflog pfsync
-# BEFORE:  routing
+# REQUIRE: root mountcritlocal netif pflog pfsync pf_early
 # KEYWORD: nojail
 
. /etc/rc.subr
diff -ruN etc/rc.d/pf_early etc.new/rc.d/pf_early
--- etc/rc.d/pf_early	Wed Dec 31 16:00:00 1969
+++ etc.new/rc.d/pf_early	Tue Feb 13 20:35:18 2007
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# $FreeBSD: src/etc/rc.d/pf_early,v 1.7.2.4 2006/01/22 13:45:28 yar Exp $
+#
+
+# PROVIDE: pf_early
+# REQUIRE: root mountcritlocal netif pflog pfsync
+# BEFORE:  routing
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+name="pf_early"
+rcvar=`set_rcvar`
+load_rc_config $name
+start_cmd="pf_early_start"
+stop_cmd=":"
+required_files="$pf_early_rules"
+required_modules="pf"
+
+pf_early_start()
+{
+	echo "Enabling minimal pf ruleset."
+	$pf_program -Fall > /dev/null 2>&1
+	$pf_program -f "$pf_early_rules"
+	if ! $pf_program -s info | grep -q "Enabled" ; then
		$pf_program -e
+	fi
+}
+
+# Don't do anything unless pf_enable="YES"
+if checkyesno pf_enable; then
+	run_rc_command "$1"
+fi

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 14 05:48:38 2007
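Review bot: in the new etc/defaults/pf.early.conf, `set skip on lo` sits below `block all`, whereas pf.conf(5) documents the sections in the order options, normalization, queueing, translation, filter; move the `set skip on lo` line above `block all` so the early ruleset follows that order and loads the same way on every pfctl that enforces it. Separately, `pass in proto tcp from any to any port ssh keep state` admits SSH from every source during the early window, which the cover note itself calls contentious; the NetBSD file quoted upthread passes only outgoing DNS and ICMP, and leaving SSH out of the defaults file for the administrator to add in an /etc override would be the conservative choice.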
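Review bot: `pf_early_rules="/etc/defaults/pf.early.conf"` points the knob at the defaults file, so an administrator who edits the early ruleset in place loses the edit on the next mergemaster, and the comment does not say to override the path in /etc/rc.conf. The NetBSD arrangement quoted upthread loads /etc/pf.boot.conf when it exists and falls back to /etc/defaults/pf.boot.conf; mirroring that here (default `pf_early_rules` to a file under /etc and fall back to the defaults copy in the script) keeps local changes out of /etc/defaults.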
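Review bot: the final context line of the etc/rc.d/pf hunk, `. /etc/rc.subr`, has lost its leading space, so patch(1) rejects the hunk as malformed (the header promises eight old lines) and rc.d/pf stays unmodified; regenerate the diff. Dropping `BEFORE: routing` also loosens the ordering more than the cover note suggests: rc.d/pf now only REQUIREs pf_early, which is itself BEFORE routing, so rcorder is still free to start pf before routing and before the resolver is usable, the situation the early ruleset is meant to avoid. If the real ruleset is to load once interfaces and routes are up, add `REQUIRE: routing` here rather than merely removing the BEFORE line.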
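Review bot: inside pf_early_start(), the line `$pf_program -e` (indented with two tabs) carries no leading `+`, so this hunk is malformed as well (the header announces 34 added lines, only 33 are marked) and patch(1) rejects the whole new file; regenerate the diff. Two smaller points: the header `$FreeBSD: src/etc/rc.d/pf_early,v 1.7.2.4 2006/01/22 13:45:28 yar Exp $` looks copied from another rc script and should be a bare `$FreeBSD$` for a new file, and `$pf_program -Fall` discards rules, states and tables unconditionally, which is harmless at boot but makes `/etc/rc.d/pf_early start` on a running system silently drop every existing state; since `-f` replaces the ruleset anyway, `-Fr` or no flush at all would be safer.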
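The two load-time failure causes Max Laier lists earlier in the thread (a hostname that needs the resolver, and an interface that must already exist because it is named bare rather than as `(ifN)`, or appears in `set skip on` / `set loginterface`) can be caught before a reboot instead of being discovered afterwards in `dmesg -a`. The lint below is an added example, not code from the thread, from FreeBSD or from any of the posters; it expands pf.conf macros and flags those constructs. The ruleset it runs on is constructed for the demo, and its interface names, hosts, table and macros are assumptions.

```shell
#!/bin/sh
# Added example (not part of the thread or of FreeBSD): static lint for the
# two boot-time failure causes named in the thread. It expands pf.conf macros
# and reports
#   - dotted hostnames anywhere in a rule or table definition (need resolver);
#   - a bare, unparenthesised interface name in a from/to address slot;
#   - interfaces named in "set skip on" / "set loginterface" (lo* exempt).
# The sample ruleset in pf_lint_demo is constructed; names are assumptions.

pf_lint() {
    # Drop comments and join backslash-continued lines: one rule per record.
    sed -e 's/#.*$//' -e :a -e '/\\$/N; s/\\\n//; ta' "$1" | awk '
    # macro definition:  name = "value"  (must precede its use, as in pf.conf)
    /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=[ \t]*"/ {
        n = $0; sub(/[ \t]*=.*/, "", n)
        v = $0; sub(/^[^"]*"/, "", v); sub(/".*/, "", v)
        macro[n] = v; next
    }
    {
        line = $0
        gsub(/[{},]/, " ", line)            # braces and commas are separators
        nt = split(line, t, /[ \t]+/)
        for (i = 1; i <= nt; i++) {
            tok = t[i]
            if (tok == "") continue
            # expand $macro, keeping a ( ) wrapper if there was one
            if (tok ~ /^\(?[$]/) {
                m = tok; sub(/^\(?[$]/, "", m); sub(/\)$/, "", m)
                if (m in macro) tok = (tok ~ /^\(/) ? ("(" macro[m] ")") : macro[m]
            }
            # 1. hostname: dotted, contains a letter, not a path/table/CIDR
            if (tok ~ /^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/ && tok ~ /[A-Za-z]/)
                printf "%d: hostname %s needs the resolver at load time\n", NR, tok
            # 2. interface name (driver + unit, e.g. em0, tun0) used bare
            if (tok ~ /^[a-z][a-z0-9_]*[0-9]+$/ && tok !~ /^lo[0-9]+$/) {
                if (i > 1 && (t[i-1] == "from" || t[i-1] == "to"))
                    printf "%d: interface %s as address without ( ), wrap it\n", NR, tok
                else if (i > 2 && t[i-1] == "on" && t[i-2] == "skip")
                    printf "%d: set skip on %s needs %s to exist at load time\n", NR, tok, tok
                else if (i > 1 && t[i-1] == "loginterface")
                    printf "%d: set loginterface %s needs %s to exist at load time\n", NR, tok, tok
            }
        }
    }'
}

# Constructed sample ruleset (assumed names), linted from a temp file.
pf_lint_demo() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
ext_if = "em0"
vpn_if = "tun0"
table <mailers> { 10.0.0.5, mail.example.com }
set loginterface em0
set skip on lo0
set skip on tun0          # tun0 only appears once the VPN is up
block in on $ext_if all
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state
pass in on $ext_if proto tcp from any to em0 port smtp keep state
pass out on $vpn_if from 10.0.0.0/8 to backup.example.org \
    keep state
pass in on lo0 from <mailers> to any
EOF
    pf_lint "$f"
    rm -f "$f"
}

pf_lint_demo
```

Run it as `pf_lint /etc/pf.conf` before a reboot. A finding is not automatically a bug (a hostname in a table that is refilled later from an rc script, as Dan Langille plans above, is fine), but each one names a construct that `pfctl -f` will refuse to load if the resolver or the interface is missing at boot. `pfctl -nf /etc/pf.conf` does not help here: it parses the file with today's resolver and today's interfaces, so it passes on a running system and says nothing about boot time.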
Date: Fri, 9 Feb 2007 13:14:52 +0500
From: Sergey Klusov
To: freebsd-pf@freebsd.org
Message-ID: <603063073.20070209131452@gmail.com>
Reply-To: Sergey Klusov
Subject: netgraph

Hi

Is there some way to tag packets via netgraph and then filter them with
pf rules, based on these tags? What I want to do exactly is to mark IM
logon packets with ng_bpf and then allow only some users to proceed.
From owner-freebsd-pf@FreeBSD.ORG Wed Feb 14 10:04:16 2007
Date: Wed, 14 Feb 2007 10:37:32 +0100
Message-ID: <2DC959620A73E842969792F5B47FCA01037D42A5@dg-exch1.giessen.nl>
Thread-Topic: question about logging
From: "Frans Haarman"
Subject: question about logging

Hello,

I am wondering if the following setup is possible:

-- 10.100.1.1:8080 --> [ PF BOX ]
                       [ rdr on bge0 10.100.1.1 --> 192.168.1.1 ]
                       [ pass out on bge0 route-to tun0 to 10.100.1.1 ]
                       [ tun0 ] <--------- ipsec -------> [ Other Box ] -----> [ 192.168.1.1 ]

I want to set up various tunnels so I can connect to multiple networks
(which share private IP space).
So basically I want to redirect/rewrite the destination address. Something like:

1) pass in on bge0
2) route 10.100.x.x to tun0
3) rdr on tun0 10.100.1.1 -> 192.168.1.1

Maybe I can use vlans as well.....

Anybody have an idea how to achieve this?

Frans Haarman
De Giessen Automatisering B.V.
Technische Dienst
Telefoon : (0184) 67 53 75
Fax : (0184) 61 12 46
E-mail : servicedesk@giessen.nl
Website : www.giessen.nl
Algemeen Tel : (0184) 67 54 00
d u i d e l i j k e   t a a l !

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 14 11:38:16 2007
Date: Wed, 14 Feb 2007 14:38:18 +0300
From: Vladimir Kapustin
Organization: vltele.com
Message-ID: <1763754894.20070214143818@mail.ru>
To: freebsd-pf@freebsd.org
References: 45CC707C.5030608@vwsoft.com
Reply-To: Vladimir Kapustin
Subject: SPAMD stop passing mail from WHITE-list

> I have set it up as:
>
> block drop in quick on $ext_if from to any
>
> pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp
> keep state \
>     ( max-src-conn 5, max-src-conn-rate 80/90, overload
> flush global )

Strange thing, these rules don't want to work on FreeBSD 6.0, but work on 6.2

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 14 12:47:57 2007
From: "Dan Langille"
To: "Kian Mohageri"
Date: Wed, 14 Feb 2007 07:47:50 -0500
Message-ID: <45D2BEA7.12150.2D35AEAB@dan.langille.org>
References: <45CDED58.2056.1A642A00@dan.langille.org>, <200702132226.40415.max@love2party.net>,
Cc: freebsd-rc@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: pf starts, but no rules

On 13 Feb 2007 at 21:37, Kian Mohageri wrote:

> On 2/13/07, Max Laier wrote:
> >
> > Does anyone have time to get something like this going for FreeBSD as
> > well?
>
> I tested out some solutions. I'm not sure if this is what you guys were
> looking to do, but NetBSD's solution seems fine. I'm not thrilled about
> using another rc-script to solve this issue, but I couldn't think of a
> simpler/more elegant solution.
>
> Diff is against CURRENT, and I don't currently have any boxes running
> CURRENT, but I tested it as much as I could. I'll get a box up to CURRENT
> later to test other patches.
>
> I couldn't decide what to pass in this initial ruleset. Passing SSH seems
> safe/smart, but surely not everyone will agree.

So long as the initial ruleset can be specified in the config, I see no
problem.
For example:

pf_rules_initial="/etc/pf_initial.rules"

-- 
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php
PGCon - The PostgreSQL Conference - http://www.pgcon.org/

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 14 15:36:29 2007
Date: Wed, 14 Feb 2007 18:36:25 +0300
From: Vladimir Kapustin
Organization: vltele.com
Message-ID: <1024498861.20070214183625@mail.ru>
To: freebsd-pf@freebsd.org
Cc: freebsd-isp@FreeBSD.ORG, freebsd-net@freebsd.org, freebsd-performance@FreeBSD.ORG
Reply-To: Vladimir Kapustin
Subject: How to optimize ruleset for gateway?

Hi, all!
I have such a problem when configuring the gateway for my LAN: I want to minimize the number of rules, and for this purpose I chose PF, but, as I wrote earlyer: http://lists.freebsd.org/pipermail/freebsd-pf/2007-January/002958.html and found some mails of other people: http://lists.freebsd.org/pipermail/freebsd-pf/2006-October/002681.html if I want to configure connection speed for each user on PF, I must configure the number of queues equal to the number of users, i.e. if I configure one queue and allow the table of users go to the Internet through this queue, I see, that all of them share the bandwidth of this queue. I don't think this is a good idea, and now I choosing some other variants of optimization, such as: 1. Configure PF for major rules and SPAM filtering and IPFW+DUMMYNET for queueing. I've read somewhere, that IPFW-shaper supports tables the way I need. I'm afraid that two firewalls should significantly decrease perfomance. 2. Configure only IPFW. But this means that I have to read full documentation about it, and find the way to protect the Internet from SPAM going from my local NET. The ruleset looks like: 0. Binat for real IP. 1. Block NetBIOS 2. Pass all from table-1 3. Pass all from table-128kbps queue 1(128kbps) 4. ..................... 5. Pass all from table-1024kbps queue 4(1024kbps) 6. Some spam-protection tool (like spamd) 7. Block all Could somebody give me some advice what way to go? P.S. Now my gateway works on 2-processor Xeon router with Redhat and iptables. It has 100 Mbps Internet channel, and in the time of maximum charge it processes 10-20 kpps. 
From owner-freebsd-pf@FreeBSD.ORG Wed Feb 14 15:51:37 2007
From: "Jeremy C. Reed"
To: Vladimir Kapustin
Cc: freebsd-pf@freebsd.org
Date: Wed, 14 Feb 2007 09:51:32 -0600 (CST)
In-Reply-To: <1024498861.20070214183625@mail.ru>
Subject: Re: How to optimize ruleset for gateway?

On Wed, 14 Feb 2007, Vladimir Kapustin wrote:

> 2. Configure only IPFW. But this means that I have to read full documentation
> about it, and find the way to protect the Internet from SPAM going from my
> local NET.

I only replied to one list.

Just to let you know, spamd works with IPFW. I haven't used it myself with IPFW, but the spamd port can be built with "WITH_IPFW". The manpage from the port has a "If compiled with IPFW" section.

> The ruleset looks like:
...
> 6. Some spam-protection tool (like spamd)

Jeremy C. Reed

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 15 08:18:07 2007
From: "Kian Mohageri"
To: "Dan Langille"
Cc: freebsd-rc@freebsd.org, freebsd-pf@freebsd.org
Date: Thu, 15 Feb 2007 00:18:05 -0800
In-Reply-To: <45D2BEA7.12150.2D35AEAB@dan.langille.org>
References: <45CDED58.2056.1A642A00@dan.langille.org> <200702132226.40415.max@love2party.net> <45D2BEA7.12150.2D35AEAB@dan.langille.org>
Subject: Re: pf starts, but no rules

On 2/14/07, Dan Langille wrote:
>
> So long as the initial ruleset can be specified in the config, I see
> no problem. For example: pf_rules_initial="/etc/pf_intial.rules

As with other startup scripts, the overrides for /etc/defaults/rc.conf can be placed in /etc/rc.conf.

--
Kian Mohageri

From owner-freebsd-pf@FreeBSD.ORG Fri Feb 16 19:27:24 2007
From: Yar Tikhiy
To: Max Laier
Cc: freebsd-rc@freebsd.org, freebsd-pf@freebsd.org
Date: Fri, 16 Feb 2007 22:11:03 +0300
Message-ID: <20070216191103.GB64983@comp.chem.msu.su>
References: <45CDED58.2056.1A642A00@dan.langille.org> <45D1B27B.5615.291E28A7@dan.langille.org> <200702132226.40415.max@love2party.net>
In-Reply-To: <200702132226.40415.max@love2party.net>
Subject: Re: pf starts, but no rules

On Tue, Feb 13, 2007 at 10:26:31PM +0100, Max Laier wrote:
> Does anyone have time to get something like this going for FreeBSD as
> well?

IMHO it's a restricted solution to a more general problem. Other firewall types can suffer from it, too. While there is no single cure for using DNS names in firewall rules, the problem of cloned interfaces is common. Once I thought of a sysctl with the following semantics: 0 (default) means just drop any network traffic, 1 means process it as usual. Then a host could set up all its interfaces first, still being immune to attacks, then load firewall rules, and finally enable the network stack. Am I delirious? :-)

> On Tuesday 13 February 2007 21:07, Jeremy C. Reed wrote:
> > > > One possible solution that has been suggested would be to use a
> > > > simple deny all but ssh/dns ruleset in the first stage and load the
> > > > real ruleset once all interfaces are there and the resolver is
> > > > working. I'm willing to commit patches, though this is probably
> > > > something best discussed on freebsd-rc@
> >
> > By the way, NetBSD and OpenBSD do that. NetBSD has an /etc/rc.d/pf_boot
> > that is BEFORE network that loads the /etc/pf.boot.conf (if exists) or
> > /etc/defaults/pf.boot.conf which contains:
> >
> > # Default deny.
> > block all
> >
> > # Don't block loopback.
> > pass on lo0
> >
> > # Allow outgoing dns, needed by pfctl to resolve names.
> > pass out proto { tcp, udp } from any to any port 53 keep state
> >
> > # Allow outgoing ping request, might be needed by dhclient to validate
> > # old (but valid) leases in /var/db/dhclient.leases in case it needs to
> > # fall back to such a lease (the dhcp server can be down or not
> > # responding).
> > pass out inet proto icmp all icmp-type echoreq keep state
> >
> > # Allow IPv6 router/neighbor solicitation and advertisement.
> > pass out inet6 proto icmp6 all icmp6-type neighbrsol
> > pass in inet6 proto icmp6 all icmp6-type neighbradv
> > pass out inet6 proto icmp6 all icmp6-type routersol
> > pass in inet6 proto icmp6 all icmp6-type routeradv
> >
> >
> > The regular /etc/rc.d/pf requires networking to be done first.
> >
> > On OpenBSD, it loads rules like:
> >
> > block all
> > pass on lo0
> > pass in proto tcp from any to any port 22 keep state
> > pass out proto { tcp, udp } from any to any port 53 keep state
> > pass out inet proto icmp all icmp-type echoreq keep state
> > pass out inet6 proto icmp6 all icmp6-type neighbrsol
> > pass in inet6 proto icmp6 all icmp6-type neighbradv
> > pass out inet6 proto icmp6 all icmp6-type routersol
> > pass in inet6 proto icmp6 all icmp6-type routeradv
> > pass proto { pfsync, carp }
> > scrub in all no-df
> > pass in proto udp from any port { 111, 2049 } to any
> > pass out proto udp from any to any port { 111, 2049 }
> >
> > (Note it only loads some of these if the inet6 and if NFS is enabled.)
> --
> /"\ Best regards, | mlaier@freebsd.org
> \ / Max Laier | ICQ #67774661
> X http://pf4freebsd.love2party.net/ | mlaier@EFnet
> / \ ASCII Ribbon Campaign | Against HTML Mail and News

--
Yar

From owner-freebsd-pf@FreeBSD.ORG Sat Feb 17 12:32:09 2007
From: johan@terrettaz.ch
To: freebsd-pf@freebsd.org
Date: 17 Feb 2007 13:05:23 +0100
Message-ID: <20070217120523.27349.qmail@vz-linux-01-vps-245.datacomm.ch>
Subject: Re: freebsd-pf Digest, Vol 125, Issue 5

This e-mail address no longer exists; you can contact Johan Tornay at his new address: johan.tornay@terrettaz.ch

Thank you for your understanding.

Terrettaz Informatique
http://www.terrettaz.ch
info@terrettaz.ch
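The early-boot loader that Kian's rc-script, Dan's pf_rules_initial override and Jeremy's description of NetBSD's rc.d/pf_boot are about, written here as an added example that is not Kian's patch, the NetBSD script, or any FreeBSD rc.d code: it picks the pre-network ruleset from an rc.conf-style override (the variable name pf_rules_initial is taken from Dan's mail; the default path, the pf_boot_default knob and the PFCTL variable are assumptions), refuses a file that contains no block rule, and parse-checks with pfctl -nf before loading. The default file would hold a ruleset like the NetBSD one quoted above.

```shell
#!/bin/sh
# Added example (not Kian's patch, not NetBSD's rc.d/pf_boot): select and load
# an early, pre-network pf ruleset with an rc.conf-style override.
# Assumed knobs: pf_rules_initial (the name from Dan's mail) and pf_boot_default.

pf_rules_initial=${pf_rules_initial:-}                    # override, e.g. /etc/pf_initial.rules
pf_boot_default=${pf_boot_default:-/etc/defaults/pf.boot.conf}
PFCTL=${PFCTL:-pfctl}                                     # overridable so the logic is testable

# Print the ruleset path to use: the override when set and readable, else the
# default.  Fails (status 1) when neither file exists, so the caller can refuse
# to continue booting with no rules at all.
pf_boot_select() {
    if [ -n "$pf_rules_initial" ] && [ -r "$pf_rules_initial" ]; then
        printf '%s\n' "$pf_rules_initial"
    elif [ -r "$pf_boot_default" ]; then
        printf '%s\n' "$pf_boot_default"
    else
        return 1
    fi
}

# The whole point of the boot ruleset is default deny: refuse a file that has
# no "block" rule at all, so an edited override cannot leave the host open
# before the real ruleset is loaded.
pf_boot_has_default_deny() {
    grep -Eq '^[[:space:]]*block([[:space:]]|$)' "$1"
}

# Parse-check with pfctl -n first, then load.  Any failure returns non-zero.
pf_boot_load() {
    rules=$(pf_boot_select) || { echo "pf_boot: no boot ruleset found" >&2; return 1; }
    pf_boot_has_default_deny "$rules" || { echo "pf_boot: $rules has no block rule" >&2; return 1; }
    "$PFCTL" -nf "$rules" && "$PFCTL" -f "$rules"
}

# rc.d-style entry point: "sh pf_boot.sh start" loads the rules (needs pf and root).
if [ "${1:-}" = "start" ]; then
    pf_boot_load
fi
```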