From owner-freebsd-pf@FreeBSD.ORG Sun Mar 4 18:13:21 2007
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id BF02616A401; Sun, 4 Mar 2007 18:13:21 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net)
Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.149.33.74]) by mx1.freebsd.org (Postfix) with ESMTP id 8977E13C48D; Sun, 4 Mar 2007 18:13:19 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net)
Received: from gw2.local.net (unknown [62.3.210.251]) by smtp.nildram.co.uk (Postfix) with ESMTP id 85121544D0; Sun, 4 Mar 2007 18:13:13 +0000 (GMT)
From: "Greg Hennessy"
To: "'Tom Judge'"
Cc: freebsd-pf@freebsd.org
References: <45E75454.2060302@tomjudge.com> <000601c75ca1$b4d7a570$1e86f050$@Hennessy@nviz.net> <45E7F00B.6010306@tomjudge.com> <001901c75cb1$040435a0$0c0ca0e0$@Hennessy@nviz.net> <45E81AC3.5020304@tomjudge.com>
In-Reply-To: <45E81AC3.5020304@tomjudge.com>
Date: Sun, 4 Mar 2007 18:13:05 -0000
Message-ID: <003901c75e88$c1b7cd40$452767c0$@Hennessy@nviz.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Subject: RE: Tracing packets passing through PF
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter (pf)"
X-List-Received-Date: Sun, 04 Mar 2007 18:13:21 -0000

> I have the following rules on lo0:
>

Have you tried a set skip with a default block log all?
Greg

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 5 05:02:32 2007
From: "rance@frontiernet.net"
To: freebsd-pf@freebsd.org
Date: Mon, 05 Mar 2007 04:39:22 +0000
Message-ID: <20070305043922.qgd8g96zo6jo0g0k@webmail.frontiernet.net>
Subject: home router with internal services available question

Hello
everyone, I'm a new freebsd user (been a linux user for some time, so I'm comfortable with unix-like os structures and the cli).

I'm trying to build a freebsd home router with the pf firewall; all the documentation I'm reading suggests that this is quite possible. In fact, there are faq-example files in /usr/share/examples/pf that give you MOST of the basic setup stuff that you would need to do this.

I had a basic NAT setup that was almost working. dhcp requests on my lan were not getting answered by the gateway host.

I looked at the firewall rules and figured it was because there wasn't a specific way to handle port 67 data (it should be handled by the internal interface of the freebsd box).

With the firewall disabled Lan machines can get an IP address, but can't surf the net; with the firewall enabled they can surf the net, but can't get a dhcp address.

I've googled and can't find anything that specifically addresses this issue. I searched the list archives and found nothing there. I'm sure the answer to my question is an exception to the NAT routing rule. I've tried to work on one of my own, but I keep breaking the whole firewall.

My setup is like this:

  internet--->isp dsl modem with built in firewall---> freebsd box (as gateway)--> LAN

Right now I'm working with the limited protection of the dsl modem, but want to get the freebsd box working so I can do away with the other router and give the freebsd box my public ip address.

Assume that the pf.conf is a copy of /usr/share/examples/faq-example1 but I don't need the ftp proxy rule, so I commented that out. I've specified the internal and external interfaces correctly and I've added a "me" macro for use with the routing rule for dns/dhcp services.

Could someone please explain the "right" way to do this, or point me to the right doc? I'm willing to learn if I can find the right teacher.
Thanks all for your help

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 5 07:54:30 2007
From: "Greg Hennessy"
Date: Mon, 5 Mar 2007 07:54:20 -0000
Message-ID: <000301c75efb$7b8bf300$72a3d900$@Hennessy@nviz.net>
In-Reply-To: <20070305043922.qgd8g96zo6jo0g0k@webmail.frontiernet.net>
Subject: RE: home router with internal services available question

> could someone please explain the "right" way to do this, or point me
> to the right doc,
> I'm willing to learn if I can find the right teacher.
Make the 1st packet filtering rule

  block log all

and from there read the firewall logs in real time with

  tcpdump -s 96 -nleti pflog0

which will tell you what traffic is being dropped by the firewall. Add the relevant rules, et voila.

By DHCP I assume you're running ISC dhcpd on the firewall itself? Otherwise you will need to relay the dhcp requests through the firewall.

Greg

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 5 09:25:12 2007
From: Tom Judge
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Date: Mon, 05 Mar 2007 09:21:28 +0000
Message-ID: <45EBE118.1010602@tomjudge.com>
In-Reply-To: <003901c75e88$c1b7cd40$452767c0$@Hennessy@nviz.net>
Subject: Re: Tracing packets passing through PF
Greg Hennessy wrote:
>> I have the following rules on lo0:
>>
>
> Have you tried a set skip with a default block log all?
>
>
> Greg
>

The packet is not getting filtered; it leaves the host and passes on the wire to the default gateway. There are no issues with the traffic being filtered by the originating host's firewall; the problem is that the ESP packet's next hop is not being modified by the source routing rule and is therefore being sent to the incorrect gateway, where the ISP filters the packet. It is only the ESP traffic that fails to be routed correctly; all other traffic is fine. It is almost as if the ESP packet never enters PF and is transmitted straight out onto the network, hence me starting this thread about being able to trace the packet through the stack.

Tom

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 5 11:08:18 2007
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 5 Mar 2007 11:08:16 GMT
Message-Id:
<200703051108.l25B8G2r037547@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o sparc/93530  pf    Incorrect checksums when using pf's route-to on sparc6

3 problems total.

Non-critical problems
S Tracker      Resp. Description
--------------------------------------------------------------------------------
f conf/81042   pf    [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/103304  pf    pf accepts nonexistent queue in rules
o kern/106400  pf    fatal trap 12 at restart of PF with ALTQ if ng0 device

4 problems total.
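An added example, not taken from any message in this thread, for the DHCP-behind-pf problem rance describes and Greg's advice to start from "block log all" and read pflog0: it parses a few constructed lines in the shape that "tcpdump -s 96 -nleti pflog0" prints (the exact line format and the interface names fxp0/fxp1 are assumptions), tallies what the default block rule is dropping, and checks why a pass rule scoped to the LAN subnet cannot match a DHCP request from a client that has no address yet, since its source is 0.0.0.0.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of pflog0 output as printed by tcpdump -nle (assumed
# format; not captured from the poster's box). fxp1 = LAN side, fxp0 = WAN.
SAMPLE_PFLOG = """\
rule 0/0(match): block in on fxp1: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:12:34:56, length 300
rule 0/0(match): block in on fxp1: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:ab:cd:ef, length 300
rule 0/0(match): block in on fxp1: 192.168.1.20.53412 > 192.168.1.1.53: 12345+ A? example.com. (29)
rule 3/0(match): pass in on fxp1: 192.168.1.20.49152 > 198.51.100.10.80: S 1:1(0) win 65535
rule 0/0(match): block in on fxp0: 203.0.113.7.4444 > 198.51.100.2.22: S 0:0(0) win 5840
"""

# "rule N/M(reason): action dir on ifname: src.port > dst.port: ..."
LINE_RE = re.compile(
    r"^rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): (?P<action>\w+) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<src>\S+) > (?P<dst>\S+):(?P<rest>.*)$"
)


def split_hostport(token):
    """tcpdump -n prints IPv4 endpoints as a.b.c.d.port; split on the last dot."""
    host, _, port = token.rpartition(".")
    return host, int(port)


def parse_pflog(text):
    """Turn tcpdump pflog lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport = split_hostport(m["src"])
        dst, dport = split_hostport(m["dst"])
        records.append({
            "rule": int(m["rule"]), "action": m["action"], "dir": m["dir"],
            "ifname": m["ifname"], "src": src, "sport": sport,
            "dst": dst, "dport": dport,
        })
    return records


def blocked_summary(records):
    """Count blocked flows by (interface, direction, destination port)."""
    return Counter(
        (r["ifname"], r["dir"], r["dport"])
        for r in records if r["action"] == "block"
    )


def rule_matches(record, src_net, dport):
    """Simplified check: would a rule 'from <src_net> ... port <dport>' match this packet?"""
    return ip_address(record["src"]) in ip_network(src_net) and record["dport"] == dport


def dhcp_requests_unmatched(records, lan_net="192.168.1.0/24"):
    """Blocked DHCP server-port packets that a rule scoped to the LAN subnet would miss."""
    return [
        r for r in records
        if r["action"] == "block" and r["dport"] == 67
        and not rule_matches(r, lan_net, 67)
    ]


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    for (ifname, direction, dport), n in sorted(blocked_summary(recs).items()):
        print(f"blocked {n:3d}  if={ifname} dir={direction} dport={dport}")
    for r in dhcp_requests_unmatched(recs):
        print(f"DHCP request from {r['src']}: a 'from 192.168.1.0/24' rule would not match it")
```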
From owner-freebsd-pf@FreeBSD.ORG Mon Mar 5 13:40:39 2007
From: Volker
To: "rance@frontiernet.net"
Cc: freebsd-pf@freebsd.org
Date: Mon, 05 Mar 2007 14:40:26 +0100
Message-ID: <45EC1DCA.3080001@vwsoft.com>
In-Reply-To: <20070305043922.qgd8g96zo6jo0g0k@webmail.frontiernet.net>
Subject: Re: home router with internal services available question
On 12/23/-58 20:59, rance@frontiernet.net wrote:
> I had a basic NAT setup that was almost working. dhcp requests on my
> lan were not
> getting answered by the gateway host.
>
> I looked at the firewall rules and figured it was because there wasn't a
> specific way to
> handle port 67 data (it should be handled by the internal interface of
> the freebsd box).
>
> With the firewall disabled Lan machines can get an IP address, but can't
> surf the net,
> with the firewall enabled they can surf the net, but can't get a dhcp
> address.

That's an easy one if you know what's going on on the wire:

- let udp/bootps and udp/bootpc pass your fw rules
- DO NOT filter for IP address ranges for these rules!

A DHCP request arrives at your machine w/o any IP address assigned, or it may arrive with an IP address not known to your machine (169.anything - Windows does this for example). So you should not filter like:

  pass on $int_if proto udp from 192.168.1.0/24 to self port bootps keep state

but instead:

  pass in log on $int_if proto udp from any to self port bootps keep state

In my rules I'm additionally using these rules:

  pass in log on $int_if proto udp from any to any port bootpc keep state
  pass in log on $int_if proto udp from any port bootpc to any keep state

but I don't think they're necessary as the very first rule ("...to self port bootps...") should match.

That should be all. You should watch the packet flow using tcpdump (either on pflog0 or your real network NIC).
HTH,
Volker

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 5 14:18:58 2007
From: Volker Werth
Organization: Volker Werth Software
To: Tom Judge
Cc: freebsd-pf@freebsd.org
Date: Mon, 05 Mar 2007 14:46:41 +0100
Message-ID: <45EC1F41.2060202@vwsoft.com>
In-Reply-To: <45EBE118.1010602@tomjudge.com>
Subject: Re:
Re: Tracing packets passing through PF

On 12/23/-58 20:59, Tom Judge wrote:
> The packet is not getting filtered; it leaves the host and passes on the
> wire to the default gateway. There are no issues with the traffic being
> filtered by the originating host's firewall; the problem is that the ESP
> packet's next hop is not being modified by the source routing rule and is
> therefore being sent to the incorrect gateway, where the ISP filters the
> packet. It is only the ESP traffic that fails to be routed correctly;
> all other traffic is fine. It is almost as if the ESP packet never
> enters PF and is transmitted straight out onto the network, hence me
> starting this thread about being able to trace the packet through the
> stack.
>
> Tom

Tom,

could you describe a bit more in detail what you're doing with IPSec and what you're trying to do using pf? I've not followed the whole thread as I've had no time to read email over the weekend. If you already posted all infos, please forgive me and point me to that message.

I've done a lot of work with IPSec (+ipsec_tools, racoon2 etc.) and have also seen strange behaviour of ESP data not passing the firewall.

Are you using IPSEC or FAST_IPSEC? Are you using GIF tunnels? Are you using ENC? Could you please give us your routing table (partially)?
Thanks,

Volker

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 5 14:37:19 2007
From: Tom Judge
To: Volker Werth
Cc: freebsd-pf@freebsd.org
Date: Mon, 05 Mar 2007 14:33:35 +0000
Message-ID: <45EC2A3F.3040208@tomjudge.com>
In-Reply-To: <45EC1F41.2060202@vwsoft.com>
Subject: Re: Tracing packets passing through PF

Volker Werth wrote:
> On 12/23/-58 20:59, Tom Judge wrote:
>> The packet is not getting filtered; it leaves the host and passes on the
>> wire to the default gateway. There are no issues with the traffic being
>> filtered by the originating host's firewall; the problem is that the ESP
>> packet's next hop is not being modified by the source routing rule and is
>> therefore being sent to the incorrect gateway, where the ISP filters the
>> packet. It is only the ESP traffic that fails to be routed correctly;
>> all other traffic is fine.
>> It is almost as if the ESP packet never
>> enters PF and is transmitted straight out onto the network, hence me
>> starting this thread about being able to trace the packet through the
>> stack.
>>
>> Tom
>
> Tom,
>
> could you describe a bit more in detail what you're doing with IPSec
> and what you're trying to do using pf? I've not followed the whole
> thread as I've had no time to read email over the weekend. If you
> already posted all infos, please forgive me and point me to that
> message.
>
> I've done a lot of work with IPSec (+ipsec_tools, racoon2 etc.) and
> have also seen strange behaviour of ESP data not passing the firewall.
>
> Are you using IPSEC or FAST_IPSEC? Are you using GIF tunnels? Are
> you using ENC? Could you please give us your routing table (partially)?
>
> Thanks,
>
> Volker

Here is a simplified diagram of the network layout:

  http://www.tomjudge.com/tmp/tunnels.png

The following configurations are from host A; host B is configured in an identical fashion with the changes made in the obvious places. The routing of the networks at each end of the tunnel is controlled by OSPF (using quagga).

Racoon successfully negotiates the IPSEC connection with the remote host (all traffic during this stage passes through the firewall correctly). The problem appears when traffic is sent across the link and IPSEC is sending the ESP packets, which fail to pass through PF (or that is what it would seem).
Kernel Config (Relevant sections):

device          gif     # IPv6 and IPv4 tunneling
device          carp
device          pf
device          pflog
device          pfsync

options         IPSEC
options         IPSEC_ESP
options         IPSEC_FILTERGIF

options         ALTQ
options         ALTQ_CBQ        # Class Bases Queuing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
options         ALTQ_NOPCC      # Required for SMP build

ifconfig:

bge0: flags=8943 mtu 1500
        options=1b
        inet 10.0.0.46 netmask 0xff000000 broadcast 10.255.255.255
        ether 00:11:43:37:2e:2e
        media: Ethernet autoselect (1000baseTX )
        status: active
bge1: flags=8843 mtu 1500
        options=1b
        inet 111.0.0.2 netmask 0xffffffe0 broadcast 111.0.0.31
        inet 112.0.0.2 netmask 0xffffffe0 broadcast 112.0.0.31
        ether 00:11:43:37:2e:2f
        media: Ethernet autoselect (1000baseTX )
        status: active
gif0: flags=8051 mtu 1280
        tunnel inet 111.0.0.2 --> 113.0.0.2
        inet 192.168.174.1 --> 192.168.174.2 netmask 0xfffffffc
gif1: flags=8051 mtu 1280
        tunnel inet 112.0.0.2 --> 114.0.0.2
        inet 192.168.174.5 --> 192.168.174.6 netmask 0xfffffffc

netstat -rn with excess entries removed:

Routing tables

Internet:
Destination        Gateway            Flags    Refs        Use  Netif Expire
default            111.0.0.1          UGS         6 1107473272   bge1
10                 link#1             UC          0          0   bge0
111.0.0.0/27       link#2             UC          0          0   bge1
112.0.0.0/27       link#2             UC          0          0   bge1

/etc/ipsec.conf:

spdadd 111.0.0.2/32 113.0.0.2/32 ipencap -P out ipsec esp/tunnel/111.0.0.2-113.0.0.2/require;
spdadd 113.0.0.2/32 111.0.0.2/32 ipencap -P in ipsec esp/tunnel/113.0.0.2-111.0.0.2/require;
spdadd 112.0.0.2/32 114.0.0.2/32 ipencap -P out ipsec esp/tunnel/112.0.0.2-114.0.0.2/require;
spdadd 114.0.0.2/32 112.0.0.2/32 ipencap -P in ipsec esp/tunnel/114.0.0.2-112.0.0.2/require;

/usr/local/etc/racoon/racoon.conf (Appropriate sections):

path pre_shared_key "/usr/local/etc/racoon/psk.conf";

remote 113.0.0.2 [500]
{
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;
        nonce_size 16;
        initial_contact on;
        proposal_check
obey;   # obey, strict, or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

remote 114.0.0.2 [500]
{
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;
        nonce_size 16;
        initial_contact on;
        proposal_check obey;    # obey, strict, or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 5 18:36:48 2007
From: "Aaron Seelye"
Date: Mon, 5 Mar 2007 10:26:26 -0800
Message-ID: <008001c75f53$c9dd3430$a001a8c0@Seelye>
Subject: shaping bittorrent?
Hello,

I'm wondering if there are any easy or at least documented ways to shape bittorrent traffic with pf. If not, is there any way without writing software to do it? I've searched the mailing list and google; it would seem that it's all port based, and more and more clients are using non-standard BT ports now. Cisco and others have methods of doing actual packet inspection which allows you to truly shape/throttle this traffic, but I'm wondering what the free/open community has, as I'd much prefer a bsd solution to a cisco one.

Thank you,
Aaron Seelye

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 5 18:44:09 2007
Date: Mon, 5 Mar 2007 21:43:57 +0300
From: Vladimir Kapustin
(v3.85.03) Professional
Organization: vltele.com
X-Priority: 3 (Normal)
Message-ID: <547560513.20070305214357@mail.ru>
To: freebsd-pf@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Troubles with anchors
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Vladimir Kapustin
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 05 Mar 2007 18:44:09 -0000

Hi all!

Making a script for turning on/off Internet for our clients I have the following trouble:

Some of our clients may need a real IP address. Sometimes pairs of internal/external IP may change. For these needs I put in pf.conf the following strings:

#nat on $ext_if from to any -> 192.168.1.21
#binat-anchor real_ip

In the case of "real_ip" field, the script must make BINAT on the IP that we have in that field, but it doesn't do it!

Originally the rules were:

#ifconfig xl0 $ip_ext netmask 255.255.255.0 alias
#echo "binat on xl0 from $ip_int to any -> $ip_ext" | pfctl -a real_ip:$ip_ext -f -

An anchor with the complex name real_ip:$ip_ext is necessary so that, in case of turning off the Internet on that IP, we are able to turn off the binat rules only for that particular IP.

But in practice when we add the following rule:

#echo "binat on xl0 from 192.168.0.23 to any -> 192.168.1.26" | pfctl -a real_ip:192.168.1.26 -f -

we have:

#pfctl -sn -a real_ip/192.168.1.26
#binat on xl0 inet from 192.168.0.23 to any -> 192.168.1.26

But actually we were masked by 192.168.1.21

But if:

#echo "binat on xl0 from 192.168.0.23 to any -> 192.168.1.26" | pfctl -a real_ip -f -

we have:

#pfctl -sn -a real_ip
#binat on xl0 inet from 192.168.0.23 to any -> 192.168.1.26

And now we were masked by 192.168.1.26 - that's what we need!

But we can't do this that way.
That's why we decided to use subanchors:

#echo "anchor 192.168.1.26" | pfctl -a real_ip -f -
#echo "binat on xl0 from 192.168.0.23 to any -> 192.168.1.26" | pfctl -a real_ip/192.168.1.26 -f -

#pfctl -vsA
real_ip
real_ip/192.168.1.26

#pfctl -sn -a real_ip/192.168.1.26
#binat on xl0 inet from 192.168.0.23 to any -> 192.168.1.26

And now we again were masked by 192.168.1.21

How can I solve this problem?
We have no ability to statically write binat rules in pf.conf.

FreeBSD 6.2-Release

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 6 15:41:28 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9629C16A402 for ; Tue, 6 Mar 2007 15:41:28 +0000 (UTC) (envelope-from rance@frontiernet.net)
Received: from relay03.roc.ny.frontiernet.net (relay03.roc.ny.frontiernet.net [66.133.182.166]) by mx1.freebsd.org (Postfix) with ESMTP id 6CBF413C471 for ; Tue, 6 Mar 2007 15:41:28 +0000 (UTC) (envelope-from rance@frontiernet.net)
X-Virus-Scanned: by amavisd-new-2.4.1 at filter01.roc.ny.frontiernet.net
X-Trace: 53616c7465645f5fcd4696c959684c86037afc1df5cac96264bf12fcb9e716912602dca746afaf9288b918bddc040fc562297e75c79e5ba831a05d06ca3c4f134e9dcf93e0a0b8cf4f28e04c2f81d4d30ce1964554421679e58998acac0bfd8c
Received: from localhost (webmail04.roc.ny.frontiernet.net [66.133.182.103]) by relay03.roc.ny.frontiernet.net (Postfix) with ESMTP id E65A3BB44 for ; Tue, 6 Mar 2007 15:41:19 +0000 (UTC)
X-Received: from mail.nebraskaturkey.com (mail.nebraskaturkey.com [207.68.218.164]) by webmail.frontiernet.net (Horde MIME library) with HTTP; Tue, 06 Mar 2007 15:41:19 +0000
Message-ID: <20070306154119.f54neym2pom8kgo4@webmail.frontiernet.net>
Date: Tue, 06 Mar 2007 15:41:19 +0000
From: "rance@frontiernet.net"
To: freebsd-pf@freebsd.org
References: <20070305043922.qgd8g96zo6jo0g0k@webmail.frontiernet.net> <45EC1DCA.3080001@vwsoft.com>
In-Reply-To:
<45EC1DCA.3080001@vwsoft.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes"; format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
User-Agent: Internet Messaging Program (IMP) H3 (4.1.4-cvs)
Subject: Re: home router with internal services available question [SOLVED] - followup
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 06 Mar 2007 15:41:28 -0000

First, thanks to Volker and Greg. I did find an answer; I want to summarize it and then ask a second question.

Volker was right, it was the pass in proto udp rule that was needed, but as near as I could figure the bootps rule was not working for me.

so I added this rule to my firewall script

pass in log on $int_if proto udp from any to self keep state

This rule allows dhcp to work, but as I understand it would also allow tftp and network boot to work as well, as in all those cases the tcp stack has not been configured yet.

Thanks for the hint Volker.

Greg suggested that I do a tcpdump -s 96 -nleti pflog0 to see what was going on.

I tried that and got no data captured, not a single entry.

one of my /etc/rc.conf variables is a pflog_path="/var/log/pflog"

and that file has data in it, but it is hex data I'm assuming, as ascii tools didn't work to read the file.

ok so my network is working, thank you

but the tools that have been suggested to trouble shoot don't seem to work.

And I honestly don't know enough here to ask a good question, tcpdump found the pflog0 interface and warned that no ip address was configured, something that makes some sense so didn't really concern me.

Once again, can you point me in the right direction please.
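The two halves of this question (is pflogd actually running, and how do you read the file it writes) come up often enough that a script is worth having. The one below is an added example, not from any poster in this thread: it checks that the logging pipeline is wired up, reads /var/log/pflog the way pflogd wrote it (raw pcap, so tcpdump -r), and boils the records down to "who was blocked by which rule". It assumes FreeBSD's pf/pflogd, the rc.conf setting pflog_path="/var/log/pflog" quoted above, and tcpdump's pflog record format; the sample records at the end are constructed for the demo, not captured from the poster's router.

```shell
#!/bin/sh
# pflog-check: verify pf logging is wired up, read the pcap file pflogd
# writes, and summarise what got blocked.  Added example, not from the
# thread.  Assumes FreeBSD with pf/pflogd and pflog_path="/var/log/pflog";
# the record format parsed below is what "tcpdump -n -e -ttt -r FILE"
# prints for pflog captures:
#   <delta> rule N/M(match): ACTION DIR on IFACE: SRC.PORT > DST.PORT: ...

PFLOG_FILE=${PFLOG_FILE:-/var/log/pflog}

# 1. A "log" keyword on a rule only does something if pflogd is enabled
#    and the pflog0 pseudo-interface is up; check both before blaming pf.
pflog_check() {
    grep -q '^pflog_enable="YES"' /etc/rc.conf ||
        { echo 'set pflog_enable="YES" in /etc/rc.conf' >&2; return 1; }
    ifconfig pflog0 2>/dev/null | grep -q 'UP' ||
        { echo 'pflog0 is not up; try: /etc/rc.d/pflog start' >&2; return 1; }
    pgrep -x pflogd >/dev/null ||
        { echo 'pflogd is not running' >&2; return 1; }
}

# 2. The file is raw pcap, so tcpdump reads it with -r (not -i).  -e shows
#    the pflog header (rule, action, interface), -ttt the gap between
#    packets, -n avoids DNS lookups.  Trailing arguments are a BPF filter:
#      pflog_read "$PFLOG_FILE" udp and port 67
pflog_read() {
    file=$1; shift
    tcpdump -n -e -ttt -r "$file" "$@"
}

# 3. Reduce tcpdump's pflog lines (stdin) to one tuple per packet:
#      ACTION DIR IFACE RULE SRCHOST DSTHOST.DSTPORT
pflog_tuples() {
    while IFS= read -r line; do
        case $line in
            *" rule "*"(match): "*) ;;
            *) continue ;;            # banner or non-pflog line
        esac
        set -f                        # no globbing while we split on spaces
        set -- $line
        set +f
        # $1 delta, $2 "rule", $3 "N/M(match):", $4 action, $5 direction,
        # $6 "on", $7 "IFACE:", $8 src.port, $9 ">", $10 dst.port:
        rule=${3%%/*}
        iface=${7%:}
        src=${8%.*}                   # drop the (ephemeral) source port
        dst=${10%:}                   # keep the destination port
        printf '%s %s %s %s %s %s\n' "$4" "$5" "$iface" "$rule" "$src" "$dst"
    done
}

# 4. Count blocked tuples, busiest first: who is hammering which service.
pflog_top_blocked() {
    pflog_tuples | grep '^block ' | sort | uniq -c | sort -rn
}

# Constructed sample records (not captured from the poster's router), in
# the format step 3 expects, so the summariser can be tried offline.
pflog_sample() {
    cat <<'EOF'
000000 rule 1/0(match): pass in on xl0: 0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request, length 300
000412 rule 0/0(match): block in on fxp0: 203.0.113.9.4444 > 198.51.100.2.22: S 1:1(0) win 5840
000003 rule 0/0(match): block in on fxp0: 203.0.113.9.4445 > 198.51.100.2.23: S 2:2(0) win 5840
000120 rule 0/0(match): block in on fxp0: 203.0.113.9.4446 > 198.51.100.2.22: S 3:3(0) win 5840
EOF
}

case ${1:-} in
    check)  pflog_check ;;
    live)   shift; pflog_read "$PFLOG_FILE" "$@" | pflog_top_blocked ;;
    demo)   pflog_sample | pflog_top_blocked ;;
    "")     ;;                        # no arguments: only define functions
esac
```

Run it as `sh pflog-check.sh check` first, then `sh pflog-check.sh live` (optionally with a BPF filter such as `udp and port 67` to see only the DHCP traffic the rule above lets in). The rule number in each record is the position in the loaded ruleset; `pfctl -vvs rules` prints the same numbers as `@N` in front of each rule, which is how you map a logged block back to the rule that caused it.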
From owner-freebsd-pf@FreeBSD.ORG Tue Mar 6 16:42:56 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 3EC4E16A401 for ; Tue, 6 Mar 2007 16:42:56 +0000 (UTC) (envelope-from rance@frontiernet.net)
Received: from relay03.roc.ny.frontiernet.net (relay03.roc.ny.frontiernet.net [66.133.182.166]) by mx1.freebsd.org (Postfix) with ESMTP id 1A0C013C4AC for ; Tue, 6 Mar 2007 16:42:56 +0000 (UTC) (envelope-from rance@frontiernet.net)
X-Virus-Scanned: by amavisd-new-2.4.1 at filter15.roc.ny.frontiernet.net
X-Trace: 53616c7465645f5ff0a2a301d4b4b32d6201c1e9d86ff61b7c67abb6c9a0a51a6fbe8abc1454fc6a0ff83986b72a3b405bf5ea06576c6d542b3ee09c727c343ceb84a2eb31d17f8bbec6dd756be0e5ba6215e3580ba79341f5a67fadb53740db
Received: from localhost (webmail04.roc.ny.frontiernet.net [66.133.182.103]) by relay03.roc.ny.frontiernet.net (Postfix) with ESMTP id BE9BCC5DF for ; Tue, 6 Mar 2007 16:42:50 +0000 (UTC)
X-Received: from mail.nebraskaturkey.com (mail.nebraskaturkey.com [207.68.218.164]) by webmail.frontiernet.net (Horde MIME library) with HTTP; Tue, 06 Mar 2007 16:42:50 +0000
Message-ID: <20070306164250.n8w9y8c39x204cs0@webmail.frontiernet.net>
Date: Tue, 06 Mar 2007 16:42:50 +0000
From: "rance@frontiernet.net"
To: freebsd-pf@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes"; format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.1.4-cvs)
Subject: adding to pf rules dynamically via a script
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 06 Mar 2007 16:42:56 -0000

could someone be so kind as to point to an example I can study as to how to add pf rules via a log monitoring script I'm trying to port from linux.

I know it can be done, but none of the docs I'm reading show how.

I think I'm understanding that this is done with an anchor.

but I'm having trouble finding a documented example I can study and learn from.

Anybody know of a good doc on this, or have a well documented example they wouldn't mind sharing?

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 6 17:23:32 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 26A8B16A404 for ; Tue, 6 Mar 2007 17:23:32 +0000 (UTC) (envelope-from stom@free.fr)
Received: from postfix1-g20.free.fr (postfix1-g20.free.fr [212.27.60.42]) by mx1.freebsd.org (Postfix) with ESMTP id DD2E113C4A6 for ; Tue, 6 Mar 2007 17:23:31 +0000 (UTC) (envelope-from stom@free.fr)
Received: from smtp2-g19.free.fr (smtp2-g19.free.fr [212.27.42.28]) by postfix1-g20.free.fr (Postfix) with ESMTP id D82B1B080A0 for ; Tue, 6 Mar 2007 17:58:21 +0100 (CET)
Received: from btn.mine.nu (tok69-1-82-67-36-224.fbx.proxad.net [82.67.36.224]) by smtp2-g19.free.fr (Postfix) with ESMTP id E917E8BF64; Tue, 6 Mar 2007 17:58:19 +0100 (CET)
Received: from localhost (localhost.localdomain [127.0.0.1]) by btn.mine.nu (Postfix) with ESMTP id 3EB3047EE6; Tue, 6 Mar 2007 17:57:48 +0100 (CET)
Received: from btn.mine.nu ([127.0.0.1]) by localhost (btn.mine.nu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 16279-06; Tue, 6 Mar 2007 17:57:48 +0100 (CET)
Received: from [192.168.1.200] (windows.donblas.lan [192.168.1.200]) by btn.mine.nu (Postfix) with ESMTP id 1825747EE5; Tue, 6 Mar 2007 17:57:48 +0100 (CET)
Message-ID: <45ED9DAB.6000306@free.fr>
Date: Tue, 06 Mar 2007 17:58:19 +0100
From: Philippe Laquet
User-Agent: Thunderbird 1.5.0.7 (X11/20061027)
MIME-Version: 1.0
To: "rance@frontiernet.net"
References:
<20070306164250.n8w9y8c39x204cs0@webmail.frontiernet.net>
In-Reply-To: <20070306164250.n8w9y8c39x204cs0@webmail.frontiernet.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at btn.mine.nu
Cc: freebsd-pf@freebsd.org
Subject: Re: adding to pf rules dynamically via a script
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 06 Mar 2007 17:23:32 -0000

Hi

You can probably use anchors and / or tables to do that under PF

If you need some help to port your Linux IPTables' script to PF do not hesitate!

For further info & doc : http://www.openbsd.org/faq/pf/ :P

Kind Regards,
Philippe Laquet.

rance@frontiernet.net wrote:
> could someone be so kind as to point to an example I can study as to
> how to add pf rules via a log monitoring script I'm trying to port from
> linux.
>
> I know it can be done, but none of the docs I'm reading show how.
>
> I think I'm understanding that this is done with an anchor.
>
> but I'm having trouble finding a documented example I can study and
> learn from.
>
> Anybody know of a good doc on this, or have a well documented example
> they wouldn't mind sharing?
>
>
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 6 17:25:40 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id C28A416A402 for ; Tue, 6 Mar 2007 17:25:40 +0000 (UTC) (envelope-from max@love2party.net)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.188]) by mx1.freebsd.org (Postfix) with ESMTP id 5010F13C461 for ; Tue, 6 Mar 2007 17:25:40 +0000 (UTC) (envelope-from max@love2party.net)
Received: from [88.64.190.186] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu2) with ESMTP (Nemesis), id 0MKwtQ-1HOdPs1i0Z-00053i; Tue, 06 Mar 2007 18:25:36 +0100
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Tue, 6 Mar 2007 18:25:28 +0100
User-Agent: KMail/1.9.5
References: <20070306164250.n8w9y8c39x204cs0@webmail.frontiernet.net>
In-Reply-To: <20070306164250.n8w9y8c39x204cs0@webmail.frontiernet.net>
X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart1526897.5Nf1FJnaQd"; protocol="application/pgp-signature"; micalg=pgp-sha1
Content-Transfer-Encoding: 7bit
Message-Id: <200703061825.34463.max@love2party.net>
X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056
X-Provags-ID2: V01U2FsdGVkX1+zonOC9eSZPS2nKmASFKN/NCvsefx4HcEa2Pm PO/aQfgTcS1gzm/6kYGEVqr1lLP9yYf4/9l93qL6S5EjWhUIKy 9A/dZt78wkcES+wSqAirg==
Cc:
Subject: Re: adding to pf rules dynamically via a script
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 06 Mar 2007 17:25:40 -0000

--nextPart1526897.5Nf1FJnaQd
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On Tuesday 06 March 2007 17:42, rance@frontiernet.net wrote:
> could someone be so kind as to point to an example I can study as to
> how to add pf rules via a log monitoring script I'm trying to port from
> linux.
>
> I know it can be done, but none of the docs I'm reading show how.
>
> I think I'm understanding that this is done with an anchor.
>
> but I'm having trouble finding a documented example I can study and
> learn from.
>
> Anybody know of a good doc on this, or have a well documented example
> they wouldn't mind sharing?

What's wrong with http://www.openbsd.org/faq/pf/anchors.html or the pf.conf(5) and pfctl(8) manpages?
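As an added example that is not part of Max's reply or of any other post in this thread: the script below does what the anchors FAQ describes, for the two cases raised on this list, Rance's log-monitoring script that has to add and remove rules for individual hosts, and Vladimir's per-client binat (which Max's separate reply to him resolves with binat-anchor "real_ip/*" and anchors named real_ip/$ip_ext). Each host gets its own sub-anchor under a wildcard anchor, so one host's rules can be replaced or flushed without touching the others, and every address is validated before it is spliced into an anchor name or a rule. Everything specific in it is an assumption: the anchor names, the interface names xl0/fxp0, the rule shapes, and that pf.conf declares the two wildcard anchors named in the header comment.

```shell
#!/bin/sh
# pfclient: turn per-client pf rules on and off from a script.  Added
# example, not code from any poster.  Every client gets its own
# sub-anchor under a wildcard anchor, so one client's rules can be
# replaced or flushed without touching the others.  Assumes (my
# assumption, not stated in the thread) that pf.conf carries
#     binat-anchor "real_ip/*"
#     anchor "clients/*"
# and that xl0/fxp0 are the external/internal interfaces.
#
# Key pfctl fact: "pfctl -a NAME -f -" loads a complete ruleset into NAME,
# replacing whatever was there.  Appending rule by rule to one shared
# anchor therefore keeps only the last rule (and its label); load all of
# a client's rules in one call, into that client's own anchor.

PFCTL=${PFCTL:-pfctl}
IFCONFIG=${IFCONFIG:-ifconfig}
EXT_IF=${EXT_IF:-xl0}
INT_IF=${INT_IF:-fxp0}

# The address becomes part of an anchor name and is spliced into rule
# text, so accept nothing but a dotted quad with octets 0..255.
valid_ipv4() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.; set -- $addr; unset IFS
    [ $# -eq 4 ] || return 1
    for o; do [ "$o" -le 255 ] || return 1; done
}

binat_anchor() { printf 'real_ip/%s\n' "$1"; }     # evaluated by real_ip/*

binat_rule() {                                    # binat_rule INT EXT
    printf 'binat on %s from %s to any -> %s\n' "$EXT_IF" "$1" "$2"
}

# Filter rules for one client; all of them go into clients/INT in ONE load.
client_filter_rules() {                           # client_filter_rules INT
    printf 'pass in quick on %s from %s to any keep state label "%s"\n' "$INT_IF" "$1" "$1"
    printf 'pass out quick on %s from any to %s keep state label "%s"\n' "$INT_IF" "$1" "$1"
}

# Enable: alias the public address, load the 1:1 mapping into its own
# binat anchor, then the client's filter rules into its own anchor.
client_enable() {                                 # client_enable INT EXT
    valid_ipv4 "$1" && valid_ipv4 "$2" || { echo "bad address" >&2; return 1; }
    "$IFCONFIG" "$EXT_IF" inet "$2" netmask 255.255.255.255 alias
    binat_rule "$1" "$2"     | "$PFCTL" -q -a "$(binat_anchor "$2")" -f -
    client_filter_rules "$1" | "$PFCTL" -q -a "clients/$1" -f -
}

# Disable: flush only this client's anchors and drop the alias.
client_disable() {                                # client_disable INT EXT
    valid_ipv4 "$1" && valid_ipv4 "$2" || return 1
    "$PFCTL" -q -a "$(binat_anchor "$2")" -F nat
    "$PFCTL" -q -a "clients/$1" -F rules
    "$IFCONFIG" "$EXT_IF" inet "$2" -alias
}

# Check: what pf really holds, to compare with what the script loaded.
client_show() {                                   # client_show INT EXT
    "$PFCTL" -sn -a "$(binat_anchor "$2")"
    "$PFCTL" -sr -a "clients/$1"
}

case ${1:-} in
    enable)  client_enable  "$2" "$3" ;;
    disable) client_disable "$2" "$3" ;;
    show)    client_show    "$2" "$3" ;;
    '')      ;;                                   # no args: define only
    *)       echo "usage: $0 enable|disable|show INTERNAL_IP EXTERNAL_IP" >&2; exit 64 ;;
esac
```

Run it as `sh pfclient.sh enable 192.168.0.23 192.168.1.26`, then `sh pfclient.sh show 192.168.0.23 192.168.1.26`: the line `pfctl -sn -a real_ip/192.168.1.26` prints should be exactly the rule `binat_rule` generated, and `pfctl -vsA` should list real_ip/192.168.1.26 under real_ip. The same replace-on-load behaviour is why a second `pfctl -a X -f -` into a shared anchor leaves only the last rule's label visible. When all that changes is a list of addresses, a table and `pfctl -t NAME -T add ADDR` is cheaper than any of this.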
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

--nextPart1526897.5Nf1FJnaQd
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (FreeBSD)

iD8DBQBF7aQOXyyEoT62BG0RAr7XAJ4/hbe2K7nehPrLREMd97cqWLhDLACfTIU0
6OrP0Ld74DEtp86N+2gG2jg=
=9ldb
-----END PGP SIGNATURE-----

--nextPart1526897.5Nf1FJnaQd--

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 6 18:01:47 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 39EFE16A400 for ; Tue, 6 Mar 2007 18:01:47 +0000 (UTC) (envelope-from msgs_for_me@mail.ru)
Received: from mx27.mail.ru (mx27.mail.ru [194.67.23.64]) by mx1.freebsd.org (Postfix) with ESMTP id ED3C013C4A7 for ; Tue, 6 Mar 2007 18:01:46 +0000 (UTC) (envelope-from msgs_for_me@mail.ru)
Received: from [80.244.229.35] (port=45704 helo=VLADIMIR) by mx27.mail.ru with asmtp id 1HOdyq-0003ov-00 for freebsd-pf@freebsd.org; Tue, 06 Mar 2007 21:01:44 +0300
X-Nat-Received: from [192.168.1.110]:1227 [ident-empty] by smtp-proxy.vltele.com with TPROXY id 1173203907.30171
Date: Tue, 6 Mar 2007 21:01:41 +0300
From: Vladimir Kapustin
X-Mailer: The Bat!
(v3.85.03) Professional
Organization: vltele.com
X-Priority: 3 (Normal)
Message-ID: <8035201.20070306210141@mail.ru>
To: freebsd-pf@freebsd.org
References: 20070306164250.n8w9y8c39x204cs0@webmail.frontiernet.net
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: adding to pf rules dynamically via a script
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Vladimir Kapustin
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 06 Mar 2007 18:01:47 -0000

>> could someone be so kind as to point to an example I can study as to
>> how to add pf rules via a log monitoring script I'm trying to port from
>> linux.
>>
>> I know it can be done, but none of the docs I'm reading show how.
>>
>> I think I'm understanding that this is done with an anchor.
>>
>> but I'm having trouble finding a documented example I can study and
>> learn from.
>>
>> Anybody know of a good doc on this, or have a well documented example
>> they wouldn't mind sharing?
>
>What's wrong with http://www.openbsd.org/faq/pf/anchors.html or the
>pf.conf(5) and pfctl(8) manpages?
I'll tell you what's wrong:

http://lists.freebsd.org/pipermail/freebsd-pf/2007-March/003114.html

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 6 18:23:29 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 3813D16A402 for ; Tue, 6 Mar 2007 18:23:29 +0000 (UTC) (envelope-from ronw@bals.org)
Received: from bal.bals.org (bal.bals.org [65.122.161.147]) by mx1.freebsd.org (Postfix) with ESMTP id ED40D13C4A3 for ; Tue, 6 Mar 2007 18:23:28 +0000 (UTC) (envelope-from ronw@bals.org)
Received: from [192.168.0.35] (ronw.bals.org [192.168.0.35]) (authenticated bits=0) by bal.bals.org (8.14.0/8.14.0) with ESMTP id l26I1fTt072860; Tue, 6 Mar 2007 13:01:44 -0500 (EST) (envelope-from ronw@bals.org)
Message-ID: <45EDAC38.2080300@bals.org>
Date: Tue, 06 Mar 2007 13:00:24 -0500
From: Ron Wilhoite
Organization: Bay Area Legal Services, Inc.
User-Agent: Thunderbird 2.0b2 (X11/20070116)
MIME-Version: 1.0
To: "rance@frontiernet.net"
References: <20070306164250.n8w9y8c39x204cs0@webmail.frontiernet.net>
In-Reply-To: <20070306164250.n8w9y8c39x204cs0@webmail.frontiernet.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by milter-greylist-3.0 (bal.bals.org [192.168.0.2]); Tue, 06 Mar 2007 13:01:44 -0500 (EST)
Cc: freebsd-pf@freebsd.org
Subject: Re: adding to pf rules dynamically via a script
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Ronw@bals.org
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 06 Mar 2007 18:23:29 -0000

On 03/06/2007 11:42 AM, rance@frontiernet.net wrote:
> could someone be so kind as to point to an example I can study as to
> how to add pf rules via a log monitoring script I'm trying to port from
> linux.
>
> I know it can be done, but none of the docs I'm reading show how.
>
> I think I'm understanding that this is done with an anchor.
>
> but I'm having trouble finding a documented example I can study and
> learn from.
>
> Anybody know of a good doc on this, or have a well documented example
> they wouldn't mind sharing?

Not sure if this is helpful as an example, but I use this script to update a table stored in pf.badhosts then reload tables:

#!/bin/sh
#
# pfblock - add a host or network to pf.badhosts so pf will block it
#
if [ $# -eq 0 ]
then
	echo "pfblock usage: pfblock ip.add.re.ss/cidr"
	exit 1
fi
#
# append the entry to the table's backing file, then reload only the
# table definitions from pf.conf (-T load leaves the filter rules alone)
echo "$*" >> /etc/pf.badhosts
pfctl -T load -f /etc/pf.conf

Ron Wilhoite

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 6 18:31:29 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id B666516A401 for ; Tue, 6 Mar 2007 18:31:29 +0000 (UTC) (envelope-from max@love2party.net)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.179]) by mx1.freebsd.org (Postfix) with ESMTP id 4496413C441 for ; Tue, 6 Mar 2007 18:31:29 +0000 (UTC) (envelope-from max@love2party.net)
Received: from [88.64.190.186] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu6) with ESMTP (Nemesis), id 0ML29c-1HOeRZ2B41-0004Nv; Tue, 06 Mar 2007 19:31:26 +0100
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org, Vladimir Kapustin
Date: Tue, 6 Mar 2007 19:31:01 +0100
User-Agent: KMail/1.9.5
References: <547560513.20070305214357@mail.ru>
In-Reply-To: <547560513.20070305214357@mail.ru>
X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart3155056.XCeQaLufDg"; protocol="application/pgp-signature"; micalg=pgp-sha1
Content-Transfer-Encoding: 7bit
Message-Id: <200703061931.17835.max@love2party.net>
X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056
X-Provags-ID2: V01U2FsdGVkX1+8WE55pX/J1o6Bjz0bj0RSZk2SbouP0K/i0mq jHFILUfo2Rs81jT2HMGoBKSlklJZLefH9ubhblWIWdWCzrZXfh 9z3mJ+7nwCT2+gGlapTvA==
Cc:
Subject: Re: Troubles with anchors
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 06 Mar 2007 18:31:29 -0000

--nextPart3155056.XCeQaLufDg
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On Monday 05 March 2007 19:43, Vladimir Kapustin wrote:
> Hi all!
>
> Making a script for turning on/off Internet for our clients I have
> the following trouble:
>
> Some of our clients may need a real IP address. Sometimes pairs of
> internal/external IP may change. For these needs I put in pf.conf
> the following strings:
>
> #nat on $ext_if from to any -> 192.168.1.21
> #binat-anchor real_ip

This combined with ...

> In the case of "real_ip" field, the script must make BINAT on the
> IP that we have in that field, but it doesn't do it!
>
> Originally the rules were:
>
> #ifconfig xl0 $ip_ext netmask 255.255.255.0 alias
> #echo "binat on xl0 from $ip_int to any -> $ip_ext" | pfctl -a
> real_ip:$ip_ext -f -

.. this is wrong. According to the pf.conf(5) manpage:

     Anchors may end with the asterisk (`*') character, which signifies that
     all anchors attached at that point should be evaluated in the
     alphabetical ordering of their anchor name.  For example,

           anchor "spam/*"

     will evaluate each rule in each anchor attached to the spam anchor.
     Note that it will only evaluate anchors that are directly attached to
     the spam anchor, and will not descend to evaluate anchors recursively.

So what you want is 'binat-anchor "real_ip/*"' and 'real_ip/$ip_ext'.

> Anchor with the complex name real_ip:$ip_ext is necessary so that,
> in case of turning off the Internet on that IP, we are able to
> turn off binat rules only for that particular IP.
>
> But in practice when we add the following rule:
>
> #echo "binat on xl0 from 192.168.0.23 to any -> 192.168.1.26" | pfctl
> -a real_ip:192.168.1.26 -f -
>
> we have:
>
> #pfctl -sn -a real_ip/192.168.1.26
> #binat on xl0 inet from 192.168.0.23 to any -> 192.168.1.26
>
> But actually we were masked by 192.168.1.21
>
> But if:
>
> #echo "binat on xl0 from 192.168.0.23 to any -> 192.168.1.26" | pfctl
> -a real_ip -f -
>
> we have:
>
> #pfctl -sn -a real_ip
> #binat on xl0 inet from 192.168.0.23 to any -> 192.168.1.26
>
> And now we were masked by 192.168.1.26 - that's what we need!
>
> But we can't do this that way. That's why
>
> We decided to use subanchors:
>
> #echo "anchor 192.168.1.26" | pfctl -a real_ip -f -
> #echo "binat on xl0 from 192.168.0.23 to any -> 192.168.1.26" | pfctl
> -a real_ip/192.168.1.26 -f -
>
> #pfctl -vsA
>
> real_ip
> real_ip/192.168.1.26
>
> #pfctl -sn -a real_ip/192.168.1.26
> #binat on xl0 inet from 192.168.0.23 to any -> 192.168.1.26
>
> And now we again were masked by 192.168.1.21
>
> How can I solve this problem?
> We have no ability to statically write binat rules in pf.conf.
>
> FreeBSD 6.2-Release

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

--nextPart3155056.XCeQaLufDg
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (FreeBSD)

iD8DBQBF7bN1XyyEoT62BG0RAgLPAJ9lHCl2lEnGCa3fazX6Ypt15Y3o4QCeKVUX
0REB2tI/eirkjTASMhPvigo=
=wY3Y
-----END PGP SIGNATURE-----

--nextPart3155056.XCeQaLufDg--

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 6 19:50:32 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 8982A16A400 for ; Tue, 6 Mar 2007 19:50:32 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net)
Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.149.33.74]) by mx1.freebsd.org (Postfix) with ESMTP id 5233D13C474 for ; Tue, 6 Mar 2007 19:50:31 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net)
Received: from gw2.local.net (unknown [62.3.210.251]) by smtp.nildram.co.uk (Postfix) with ESMTP id EDC2F4E45F for ; Tue, 6 Mar 2007 19:50:27 +0000 (GMT)
From: "Greg Hennessy"
To: ,
References: <20070305043922.qgd8g96zo6jo0g0k@webmail.frontiernet.net> <45EC1DCA.3080001@vwsoft.com> <20070306154119.f54neym2pom8kgo4@webmail.frontiernet.net>
In-Reply-To: <20070306154119.f54neym2pom8kgo4@webmail.frontiernet.net>
Date: Tue, 6 Mar 2007 19:50:23 -0000
Message-ID: <001801c76028$add9f810$098de830$@Hennessy@nviz.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcdgCMjnGxsru4NJTsCxWPi404MrBAAHzHuA
Content-Language: en-gb
X-Antivirus: avast!
(VPS 000722-0, 06/03/2007), Outbound message
X-Antivirus-Status: Clean
Cc:
Subject: RE: home router with internal services available question [SOLVED] - followup
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 06 Mar 2007 19:50:32 -0000

> Greg suggested that I do a tcpdump -s 96 -nleti pflog0 to see what was
> going on.

Do you have pflog_enable="YES" set in /etc/rc.conf ?

Is pflog0 visible as up and running in the output of ifconfig -a ?

> I tried that and got no data captured, not a single entry.
>
> one of my /etc/rc.conf variables is a pflog_path="/var/log/pflog"
>
> and that file has data in it, but it is hex data I'm assuming as ascii
> tools didn't work to read the file.

That's in raw tcpdump packet capture format, you can view the contents using tcpdump with the '-r' rather than the '-I' option.

> And I honestly don't know enough here to ask a good question, tcpdump
> found the pflog0 interface and warned that no ip address was
> configured, something that makes some sense so didn't really concern
> me.
>
> Once again, can you point me in the right direction please.
Easily done :-)

http://www.openbsd.org/faq/pf/logging.html

greg

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 7 10:05:03 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 7A8FB16A402 for ; Wed, 7 Mar 2007 10:05:03 +0000 (UTC) (envelope-from F.Haarman@giessen.nl)
Received: from mail02.net.giessen.nl (mail.giessen.nl [213.53.114.21]) by mx1.freebsd.org (Postfix) with SMTP id C82FF13C48D for ; Wed, 7 Mar 2007 10:05:02 +0000 (UTC) (envelope-from F.Haarman@giessen.nl)
Received: (qmail 58747 invoked from network); 7 Mar 2007 11:42:52 -0000
Received: from unknown (HELO dg-exch1.giessen.nl) (172.16.10.11) by 0 with SMTP; 7 Mar 2007 11:42:52 -0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2826
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Importance: normal
Priority: normal
Date: Wed, 7 Mar 2007 11:05:00 +0100
Message-ID: <2DC959620A73E842969792F5B47FCA01037D4369@dg-exch1.giessen.nl>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: dynamicly adding labels/rules
Thread-Index: AcdgoBudblaaHyDUSc+CmMql8enWUg==
From: "Frans Haarman"
To:
Subject: dynamicly adding labels/rules
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 07 Mar 2007 10:05:03 -0000

I am also having some troubles with labels, it seems I can't add more than one label per anchor rule!
DEVEL# pfctl -qa tun0-rules -s l
10.200.2 35 0 0
DEVEL# echo 'pass in from any to 10.200.4.0/24 label "10.200.4"' | pfctl -qa tun0-rules -f -
DEVEL# pfctl -qa tun0-rules -s l
10.200.4 15 0 0
DEVEL# echo 'pass in from any to 10.200.2.0/24 label "10.200.2"' | pfctl -qa tun0-rules -f -
DEVEL# pfctl -qa tun0-rules -s l
10.200.2 14 0 0
DEVEL# uname -a
FreeBSD DEVEL 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Sun May 7 04:42:56 UTC 2006 root@opus.cse.buffalo.edu:/usr/obj/usr/src/sys/SMP i386

So the label gets overwritten. Is this normal/expected behaviour ?

Frans Haarman

De Giessen Automatisering B.V.
Technische Dienst
Telefoon : (0184) 67 53 75
Fax : (0184) 61 12 46
E-mail : servicedesk@giessen.nl
Website : www.giessen.nl
Algemeen Tel : (0184) 67 54 00

d u i d e l i j k e t a a l !

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 7 10:23:20 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 7D95916A402 for ; Wed, 7 Mar 2007 10:23:20 +0000 (UTC) (envelope-from ed@hoeg.nl)
Received: from palm.hoeg.nl (palm.hoeg.nl [83.98.131.212]) by mx1.freebsd.org (Postfix) with ESMTP id 46F4213C4B3 for ; Wed, 7 Mar 2007 10:23:20 +0000 (UTC) (envelope-from ed@hoeg.nl)
Received: by palm.hoeg.nl (Postfix, from userid 1000) id 9C6071CC8B; Wed, 7 Mar 2007 10:54:14 +0100 (CET)
Date: Wed, 7 Mar 2007 10:54:14 +0100
From: Ed Schouten
To: freebsd-pf@freebsd.org, chip@2bithacker.net
Message-ID: <20070307095414.GG75767@hoeg.nl>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="v2/QI0iRXglpx0hK"
Content-Disposition: inline
User-Agent: Mutt/1.5.14 (2007-02-12)
Cc:
Subject: Re: Trying to setup DSR load balancing with pf route-to
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 07 Mar 2007 10:23:20 -0000

--v2/QI0iRXglpx0hK
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hello,

I have the same problem as well. The route-to doesn't seem to be able to emit packets at all. I have a setup like this:

-----+----------+-----   <- 10.0.0.0/24 - outside
     |          |
+----+---+  +---+----+
| PF box |  | Router |
+--------+  +---+----+
                |
----------------+-----   <- 192.168.0.0/24 - inside

I'm able to reproduce this issue with this really simple pf.conf:

| pass in log on xl0 route-to (xl0 10.0.0.7) to 192.168.0.0/24

When packets from the outside to 192.168.0.0/24 arrive at the PF box, the above rule will match the packets. `tcpdump -i pflog0 -n -e' will match the packets, but they are not routed to the router. They just get trashed.

dup-to will also only route the packet to the default route. This means that routing packets to a specific address is broken right now.
Yours,
-- 
Ed Schouten
WWW: http://g-rave.nl/

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 7 10:25:34 2007
Date: Wed, 7 Mar 2007 11:25:30 +0100
From: Frans Haarman
To: Ed Schouten
Message-ID: <2DC959620A73E842969792F5B47FCA01037D436B@dg-exch1.giessen.nl>
In-Reply-To: <20070307095414.GG75767@hoeg.nl>
Subject: RE: Trying to setup DSR load balancing with pf route-to
This rule works fine:

echo "pass in quick log on bge0 route-to $TUNDEV tagged $TUNDEV keep state"

Perhaps you forgot the keep state?

Frans Haarman
De Giessen Automatisering B.V.
Technical Service
Telephone : (0184) 67 53 75
Fax : (0184) 61 12 46
E-mail : servicedesk@giessen.nl
Website : www.giessen.nl
General Tel : (0184) 67 54 00
clear language!

-----Original message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On behalf of Ed Schouten
Sent: Wednesday 7 March 2007 10:54
To: freebsd-pf@freebsd.org; chip@2bithacker.net
Subject: Re: Trying to setup DSR load balancing with pf route-to

Hello,

I have the same problem as well. The route-to doesn't seem to be able to
emit packets at all. I have a setup like this:

-----+----------+----- <- 10.0.0.0/24 - outside
     |          |
+----+---+  +---+----+
| PF box |  | Router |
+--------+  +---+----+
                |
----------------+----- <- 192.168.0.0/24 - inside

I'm able to reproduce this issue with this really simple pf.conf:

| pass in log on xl0 route-to (xl0 10.0.0.7) to 192.168.0.0/24

When packets from the outside to 192.168.0.0/24 arrive at the PF box,
the above rule will match the packets. `tcpdump -i pflog0 -n -e' will
match the packets, but they are not routed to the router. They just get
trashed. dup-to will also only route the packet to the default route.
This means that routing packets to a specific address is broken right
now.
Yours,
-- 
Ed Schouten
WWW: http://g-rave.nl/

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 7 11:09:47 2007
Date: Wed, 07 Mar 2007 04:40:27 -0600
From: Chris
Reply-To: racerx@makeworld.com
To: Ed Schouten
Cc: freebsd-pf@freebsd.org
Message-ID: <45EE969B.5080603@makeworld.com>
In-Reply-To: <20070307095414.GG75767@hoeg.nl>
Subject: Re: Trying to setup DSR load balancing with pf route-to

Ed Schouten wrote:
> Hello,
>
> I have the same problem as well. The route-to doesn't seem to be able to
> emit packets at all. I have a setup like this:
>
> -----+----------+----- <- 10.0.0.0/24 - outside
>      |          |
> +----+---+  +---+----+
> | PF box |  | Router |
> +--------+  +---+----+
>                 |
> ----------------+----- <- 192.168.0.0/24 - inside
>
> I'm able to reproduce this issue with this really simple pf.conf:
>
> | pass in log on xl0 route-to (xl0 10.0.0.7) to 192.168.0.0/24
>
> When packets from the outside to 192.168.0.0/24 arrive at the PF box,
> the above rule will match the packets. `tcpdump -i pflog0 -n -e' will
> match the packets, but they are not routed to the router. They just get
> trashed. dup-to will also only route the packet to the default route.
> This means that routing packets to a specific address is broken right
> now.
>
> Yours,

Shouldn't the diagram look like this, based on your wording? Or perhaps
what you really mean is that the PF box and router ought to be reversed?

----------------+----- <- 10.0.0.0/24 - outside
                |
            +---+----+
            | PF box |
            +---+----+
                |
            +---+----+
            | Router |
            +---+----+
                |
----------------+----- <- 192.168.0.0/24 - inside

-- 
Best regards,
Chris

Nothing is ever so bad that it can't get worse.
From owner-freebsd-pf@FreeBSD.ORG Wed Mar 7 15:36:38 2007
Date: Wed, 7 Mar 2007 12:36:36 -0300
From: Eduardo Meyer
To: freebsd-pf@freebsd.org
In-Reply-To: <20070301083627.GA16493@insomnia.benzedrine.cx>
References: <20070301083627.GA16493@insomnia.benzedrine.cx>
Subject: Re: flags tcp and absence of flag

On 3/1/07, Daniel Hartmeier wrote:
> On Wed, Feb 28, 2007 at 04:48:37PM -0300, Eduardo Meyer wrote:
>
> > Translating to human lang, what I want is "look everywhere and match
> > only packets with fin set but syn, rst and ack unset.
> >
> > How can I do the "unset" evaluation?
>
> "flags F/FSRA" does precisely that. It is not the same as "flags F/F",
> which would only test whether FIN is set.
>
> Daniel
>

Thank you Daniel, this is what I wanted to understand.

I wish I could read "check within flags if flags are set. The ones
present in but not in shall be unset for the rule to match." on the man
page, since now I see I lacked a good interpretation of the man page.

Thanks everyone who pointed me only to trust the "scrub" action, but in
my situation I can't just cast a spell and hope things get automagically
done. I need independent and accounted rules for a number of invalid
flags combinations.

-- 
===========
Eduardo Meyer
personal: dudu.meyer@gmail.com
professional: ddm.farmaciap@saude.gov.br
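Daniel's "flags a/b" explanation, as an added example that is not code from the thread: a small Python model of how pf evaluates the flags option, showing why "flags F/FSRA" and "flags F/F" disagree on a FIN+ACK packet, plus an exhaustive check that a set of labelled rules never overlap, so that per-combination accounting rules like the ones Eduardo wants each count their own packets. The rules and their labels are constructed here and are not from the list; the flag bit values are the standard TCP header bits.

```python
from itertools import combinations

# TCP header flag bits, keyed by the letters pf uses in "flags a/b".
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

def parse_flags(letters):
    """Turn a pf flag string such as "FSRA" into a bitmask."""
    bits = 0
    for ch in letters:
        if ch not in TCP_FLAGS:
            raise ValueError("unknown TCP flag letter %r" % ch)
        bits |= TCP_FLAGS[ch]
    return bits

def flags_match(packet_flags, spec):
    """pf semantics for "flags a/b": of the flags in b, exactly those in a
    must be set; flags outside b are ignored. "flags any" matches all."""
    if spec == "any":
        return True
    want_part, sep, mask_part = spec.partition("/")
    if not sep or not mask_part:
        raise ValueError("spec must be a/b, e.g. F/FSRA")
    want, mask = parse_flags(want_part), parse_flags(mask_part)
    if want & ~mask:
        raise ValueError("flags before '/' must be a subset of the mask")
    return (packet_flags & mask) == want

def matching_rules(packet_flags, rules):
    """Labels of every (label, spec) rule whose flags option fits the packet."""
    return [label for label, spec in rules if flags_match(packet_flags, spec)]

def overlapping_rules(rules):
    """Label pairs that both match some flag combination. pf's packet counters
    go to the one rule that finally matched, so disjoint specs keep the
    per-label counters independent of each other."""
    hits = {}
    for bits in range(64):  # exhaustive: all 2**6 flag combinations
        for label in matching_rules(bits, rules):
            hits.setdefault(label, set()).add(bits)
    return sorted((a, b) for a, b in combinations(sorted(hits), 2)
                  if hits[a] & hits[b])

# Constructed rules with hypothetical labels; the last two overlap on purpose.
INVALID_FLAG_RULES = [
    ("fin-without-syn-rst-ack", "F/FSRA"),  # FIN set, SYN/RST/ACK all clear
    ("syn-and-fin", "SF/SF"),               # SYN and FIN together
    ("syn-and-rst", "SR/SR"),               # SYN and RST together
]
```

Running overlapping_rules on the constructed list reports the syn-and-fin/syn-and-rst pair, because a packet carrying SYN, FIN and RST fits both specs; tightening one of them (for example "SR/SRF") makes the list disjoint.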
From owner-freebsd-pf@FreeBSD.ORG Wed Mar 7 17:02:07 2007
Date: Wed, 7 Mar 2007 18:01:51 +0100
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: Frans Haarman
Message-Id: <200703071801.57721.max@love2party.net>
In-Reply-To: <2DC959620A73E842969792F5B47FCA01037D4369@dg-exch1.giessen.nl>
Subject: Re: dynamically adding labels/rules

On Wednesday 07 March 2007 11:05, Frans Haarman wrote:
> I am also having some troubles with labels, it seems I can't add more
> than one label per anchor rule!
>
> DEVEL# pfctl -qa tun0-rules -s l
> 10.200.2 35 0 0
>
> DEVEL# echo 'pass in from any to 10.200.4.0/24 label "10.200.4"' |
> pfctl -qa tun0-rules -f -
> DEVEL# pfctl -qa tun0-rules -s l
> 10.200.4 15 0 0
>
> DEVEL# echo 'pass in from any to 10.200.2.0/24 label "10.200.2"' |
> pfctl -qa tun0-rules -f -
> DEVEL# pfctl -qa tun0-rules -s l
> 10.200.2 14 0 0

The problem is that you don't add to the anchor as you seem to believe, you
*replace* the ruleset in the anchor. I think you also want to use
the "name/*" syntax to be able to add more than one ruleset to the anchor
point. Then you can issue commands like:

DEVEL# echo 'pass in from any to 10.200.2.0/24 label "10.200.2"' | pfctl -qa tun0-rules/10.200.2 -f -
DEVEL# echo 'pass in from any to 10.200.3.0/24 label "10.200.3"' | pfctl -qa tun0-rules/10.200.3 -f -
DEVEL# pfctl -vsA tun0-rules
tun0-rules/10.200.2
tun0-rules/10.200.3
DEVEL# pfctl -qa tun0-rules/10.200.2 -s l
10.200.2 14 0 0
DEVEL# pfctl -qa tun0-rules/10.200.3 -s l
10.200.3 14 0 0

> DEVEL# uname -a
> FreeBSD DEVEL 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Sun May 7 04:42:56
> UTC 2006 root@opus.cse.buffalo.edu:/usr/obj/usr/src/sys/SMP i386
>
> So the label gets overwritten. Is this normal/expected behaviour ?

No, the *ruleset* is overwritten. And: Yes, this is expected behavior.
Anchors work exactly like the main ruleset.

echo "pass all" | pfctl -f-
echo "block all" | pfctl -f-
pfctl -vsr
...

No different from:

echo "pass all" | pfctl -a foo -f-
echo "block all" | pfctl -a foo -f-
pfctl -a foo -vsr
...

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News