From owner-freebsd-pf@FreeBSD.ORG Mon Apr 30 11:08:21 2007
Date: Mon, 30 Apr 2007 11:08:20 GMT
Message-Id: <200704301108.l3UB8KCA007008@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/110698  pf         [pf] nat rule of pf without "on" clause causes invalid

3 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
f conf/81042   pf         [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
o kern/103304  pf         [pf] pf accepts nonexistent queue in rules
o kern/106400  pf         [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
o kern/110174  pf         [pf] pf pass route-to does not assign correct IP for t
s conf/110838  pf         tagged parameter on nat not working on FreeBSD 5.2

7 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 30 11:27:39 2007
Date: Mon, 30 Apr 2007 15:27:26 +0400
From: Eygene Ryabinkin
To: Nate Lawson
Cc: freebsd-current@freebsd.org, rwatson@freebsd.org, jhb@freebsd.org, pf@freebsd.org
Subject: Re: call for testers: altq in current
Message-ID: <20070430112726.GA71812@codelabs.ru>
In-Reply-To: <20070413212742.GH49158@codelabs.ru>

Nate, good day.

Sat, Apr 14, 2007 at 01:27:42AM +0400, Eygene Ryabinkin wrote:
> I am just using the defaults for the -CURRENT. Can not verify
> them now -- my -CURRENT is crashing with the modem link, so
> I am either writing mails or doing the tests, sorry.

OK, I had cured the modem crash and coincidentally it was related to your changes: the problem was in the altq_subr.c. The behaviour of the calls to machclk_init() was "check if we have machclk_freq == 0 and invoke the machclk_init()". And the first action of machclk_init() was to initialise the tbr_callout and then the machclk_freq was set (or not, but the tbr_callout was initialized in any way).

But your change introduced another way for the 'machclk_freq' to be set. And the bad thing was that the tbr_callout was not initialized and will never be: your hook set the machclk_freq to some value and machclk_init() was never called.
So it gave me the uninitialized callout with the wrong (NULL) c_mtx and bad flags. And when the NULL mutex was freed in the softclock() the kernel panic'ed. There was a message in -current from me about this (subject started with 'mtx_unlock(NULL)' posted at 21st Apr 2007). I just did the very rough and incorrect patch and John Baldwin kindly pointed me that it was incorrect.

The patch that fixes the root of the problem is attached: it just decouples the callout initialization from machclk_freq initialization. I am CC'ing this to John Baldwin and Robert Watson, because they were involved into the discussion about my previous wrong fix.

I still have a question: maybe the initialization of the tbr_callout in my patch should be protected with some mutex? I don't feel that it is the case, because for the current code it seems to be irrelevant: the worst thing will be the double initialization of the callout, but maybe the mutex will be good for the future. Any ideas?

> > On the new code but without loading cpufreq and leaving the freq at 2200
> > Mhz, do you get the right numbers? Are they constant?
>
> Monday will reveal the things. Will post an update.

Was not able to test the things on Monday. But will try to do it on this week. Sorry for it: many other tasks waited my attention :((

Maybe the weird speeds were related to the uninitialized tbr_callout(), though I am not sure.
--
Eygene

--zYM0uCDKw75PZbzx
Content-Type: text/plain; charset=koi8-r
Content-Disposition: attachment; filename="altq-fix.diff"

diff --git a/sys/contrib/altq/altq/altq_hfsc.c b/sys/contrib/altq/altq/altq_hfsc.c diff --git a/sys/contrib/altq/altq/altq_subr.c b/sys/contrib/altq/altq/altq_subr.c index 7426e75..0c6e485 100644 --- a/sys/contrib/altq/altq/altq_subr.c +++ b/sys/contrib/altq/altq/altq_subr.c @@ -383,6 +383,7 @@ tbr_set(ifq, profile) if (tbr_dequeue_ptr == NULL) tbr_dequeue_ptr = tbr_dequeue; + tbr_callout_init(); if (machclk_freq == 0) init_machclk(); if (machclk_freq == 0) { 
@@ -917,13 +918,26 @@ EVENTHANDLER_DEFINE(cpufreq_post_change, tsc_freq_changed, NULL, EVENTHANDLER_PRI_ANY); #endif /* __FreeBSD_version >= 700035 */ +#if (__FreeBSD_version >= 600000) +/* + * Initializes the callout. OBVIOUS: should be called before the + * first use of the tbr_callout. + */ void -init_machclk(void) +tbr_callout_init(void) { -#if (__FreeBSD_version >= 600000) - callout_init(&tbr_callout, 0); -#endif + static int called = 0; + if (!called) { + callout_init(&tbr_callout, 0); + called = 1; + } +} +#endif /* __FreeBSD_version >= 600000 */ + +void +init_machclk(void) +{ machclk_usepcc = 1; #if (!defined(__i386__) && !defined(__alpha__)) || defined(ALTQ_NOPCC) diff --git a/sys/contrib/altq/altq/altq_var.h b/sys/contrib/altq/altq/altq_var.h index 99407fb..3879a28 100644 --- a/sys/contrib/altq/altq/altq_var.h +++ b/sys/contrib/altq/altq/altq_var.h 
@@ -125,6 +125,11 @@ extern void init_machclk(void); extern u_int64_t read_machclk(void); /* + * Callout initializer. + */ +extern void tbr_callout_init(void); + +/* * debug support */ #ifdef ALTQ_DEBUG
--zYM0uCDKw75PZbzx--
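
Review bot: In the tbr_set() hunk the new call to tbr_callout_init() is unconditional, while the function is defined only under #if (__FreeBSD_version >= 600000) in the second altq_subr.c hunk, and the prototype added to altq_var.h is unconditional as well. Unless code outside the visible context already guards the call, a build where that condition is false ends with an undefined symbol. Either wrap the call in the same #if or give the #else branch an empty tbr_callout_init(). The diff --git header for altq_hfsc.c carries no hunks and can be dropped from the patch.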
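
Review bot: The static int called guard in tbr_callout_init() is a plain check-then-set, so two callers that reach tbr_set() at the same time can both read called == 0 and both run callout_init() on tbr_callout, the second one re-initialising a callout the first caller may already have scheduled. Run the initialisation once from a context known to be single-threaded, or hold a lock across the test and the assignment. The comment above the function should state the call-before-first-use requirement directly, without the "OBVIOUS:" prefix.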
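
The failure described in the message above, modelled in user space as an added example; it is not part of the original post, the attached patch or FreeBSD. All model_* names and the frequency values are constructed, and the hook function stands in for the frequency-change handler the message refers to.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct model_lock { int held; };

/* Stand-in for the callout: c_mtx stays NULL until it is initialised. */
struct model_callout {
    struct model_lock *c_mtx;
    int                init_count;
};

struct model_altq {
    uint64_t             machclk_freq;  /* 0 means "not set yet" */
    struct model_callout tbr_callout;
    bool                 callout_ready; /* separate guard, as in the patch */
};

static struct model_lock model_shared_lock;

static void model_callout_init(struct model_callout *c)
{
    c->c_mtx = &model_shared_lock;
    c->init_count++;
}

/* Before the patch: callout setup rides along with frequency setup. */
static void model_init_machclk_coupled(struct model_altq *a)
{
    model_callout_init(&a->tbr_callout);
    a->machclk_freq = 2200000000ULL;    /* constructed value */
}

/* After the patch: this function only deals with the frequency. */
static void model_init_machclk_decoupled(struct model_altq *a)
{
    a->machclk_freq = 2200000000ULL;    /* constructed value */
}

static void model_tbr_callout_init(struct model_altq *a)
{
    if (!a->callout_ready) {
        model_callout_init(&a->tbr_callout);
        a->callout_ready = true;
    }
}

/* The second writer of machclk_freq: it never touches the callout. */
static void model_freq_changed_hook(struct model_altq *a, uint64_t hz)
{
    a->machclk_freq = hz;
}

static void model_tbr_set_coupled(struct model_altq *a)
{
    if (a->machclk_freq == 0)           /* skipped once the hook has run */
        model_init_machclk_coupled(a);
}

static void model_tbr_set_decoupled(struct model_altq *a)
{
    model_tbr_callout_init(a);          /* no longer depends on the freq */
    if (a->machclk_freq == 0)
        model_init_machclk_decoupled(a);
}

/* Where the kernel would use c_mtx; the model reports -1 instead. */
static int model_softclock_fire(struct model_callout *c)
{
    if (c->c_mtx == NULL)
        return -1;
    c->c_mtx->held = 1;
    c->c_mtx->held = 0;
    return 0;
}

/* Runs one ordering: did the hook set the frequency before tbr_set()? */
int model_run(bool decoupled, bool hook_first)
{
    struct model_altq a = {0};

    if (hook_first)
        model_freq_changed_hook(&a, 1100000000ULL);
    if (decoupled)
        model_tbr_set_decoupled(&a);
    else
        model_tbr_set_coupled(&a);
    return model_softclock_fire(&a.tbr_callout);
}

/* The guard keeps repeated tbr_set() calls from re-initialising. */
int model_init_count_after_two_calls(void)
{
    struct model_altq a = {0};

    model_tbr_set_decoupled(&a);
    model_tbr_set_decoupled(&a);
    return a.tbr_callout.init_count;
}

int main(void)
{
    printf("coupled,   hook first: %d\n", model_run(false, true));
    printf("coupled,   no hook:    %d\n", model_run(false, false));
    printf("decoupled, hook first: %d\n", model_run(true, true));
    printf("init count after two calls: %d\n",
           model_init_count_after_two_calls());
    return 0;
}
```

The model is single-threaded, so it shows the ordering problem only; the question about protecting the guard with a mutex is not exercised here.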

From: Eygene Ryabinkin
To: Nate Lawson
Cc: freebsd-current@freebsd.org, rwatson@freebsd.org, jhb@freebsd.org, pf@freebsd.org
Subject: Re: call for testers: altq in current
Message-ID: <20070430112726.GA71812@codelabs.ru>
Resent-Date: Wed, 02 May 2007 15:42:05 +0400

Nate, good day.

Sat, Apr 14, 2007 at 01:27:42AM +0400, Eygene Ryabinkin wrote:
> I am just using the defaults for the -CURRENT. Can not verify
> them now -- my -CURRENT is crashing with the modem link, so
> I am either writing mails or doing the tests, sorry.

OK, I had cured the modem crash and coincidentally it was related to your changes: the problem was in the altq_subr.c. The behaviour of the calls to machclk_init() was "check if we have machclk_freq == 0 and invoke the machclk_init()". And the first action of machclk_init() was to initialise the tbr_callout and then the machclk_freq was set (or not, but the tbr_callout was initialized in any way).

But your change introduced another way for the 'machclk_freq' to be set.
And the bad thing was that the tbr_callout was not initialized and will never be: your hook set the machclk_freq to some value and machclk_init() was never called. So it gave me the uninitialized callout with the wrong (NULL) c_mtx and bad flags. And when the NULL mutex was freed in the softclock() the kernel panic'ed. There was a message in -current from me about this (subject started with 'mtx_unlock(NULL)' posted at 21st Apr 2007). I just did the very rough and incorrect patch and John Baldwin kindly pointed me that it was incorrect.

The patch that fixes the root of the problem is attached: it just decouples the callout initialization from machclk_freq initialization. I am CC'ing this to John Baldwin and Robert Watson, because they were involved into the discussion about my previous wrong fix.

I still have a question: maybe the initialization of the tbr_callout in my patch should be protected with some mutex? I don't feel that it is the case, because for the current code it seems to be irrelevant: the worst thing will be the double initialization of the callout, but maybe the mutex will be good for the future. Any ideas?

> > On the new code but without loading cpufreq and leaving the freq at 2200
> > Mhz, do you get the right numbers? Are they constant?
>
> Monday will reveal the things. Will post an update.

Was not able to test the things on Monday. But will try to do it on this week. Sorry for it: many other tasks waited my attention :((

Maybe the weird speeds were related to the uninitialized tbr_callout(), though I am not sure.
--
Eygene

--zYM0uCDKw75PZbzx
Content-Type: text/plain; charset=koi8-r
Content-Disposition: attachment; filename="altq-fix.diff"

diff --git a/sys/contrib/altq/altq/altq_hfsc.c b/sys/contrib/altq/altq/altq_hfsc.c diff --git a/sys/contrib/altq/altq/altq_subr.c b/sys/contrib/altq/altq/altq_subr.c index 7426e75..0c6e485 100644 --- a/sys/contrib/altq/altq/altq_subr.c +++ b/sys/contrib/altq/altq/altq_subr.c 
@@ -383,6 +383,7 @@ tbr_set(ifq, profile) if (tbr_dequeue_ptr == NULL) tbr_dequeue_ptr = tbr_dequeue; + tbr_callout_init(); if (machclk_freq == 0) init_machclk(); if (machclk_freq == 0) { @@ -917,13 +918,26 @@ EVENTHANDLER_DEFINE(cpufreq_post_change, tsc_freq_changed, NULL, EVENTHANDLER_PRI_ANY); #endif /* __FreeBSD_version >= 700035 */ +#if (__FreeBSD_version >= 600000) +/* + * Initializes the callout. OBVIOUS: should be called before the + * first use of the tbr_callout. + */ void -init_machclk(void) +tbr_callout_init(void) { -#if (__FreeBSD_version >= 600000) - callout_init(&tbr_callout, 0); -#endif + static int called = 0; + if (!called) { + callout_init(&tbr_callout, 0); + called = 1; + } +} +#endif /* __FreeBSD_version >= 600000 */ + +void +init_machclk(void) +{ machclk_usepcc = 1; #if (!defined(__i386__) && !defined(__alpha__)) || defined(ALTQ_NOPCC) diff --git a/sys/contrib/altq/altq/altq_var.h b/sys/contrib/altq/altq/altq_var.h index 99407fb..3879a28 100644 --- a/sys/contrib/altq/altq/altq_var.h +++ b/sys/contrib/altq/altq/altq_var.h 
@@ -125,6 +125,11 @@ extern void init_machclk(void); extern u_int64_t read_machclk(void); /* + * Callout initializer. + */ +extern void tbr_callout_init(void); + +/* * debug support */ #ifdef ALTQ_DEBUG
--zYM0uCDKw75PZbzx--

From owner-freebsd-pf@FreeBSD.ORG Wed May 2 11:54:31 2007
Date: Wed, 2 May 2007 15:40:05 +0400
From: Eygene Ryabinkin
To: Nate Lawson
Cc: freebsd-current@freebsd.org, pf@freebsd.org
Subject: Re: call for testers: altq in current
Message-ID: <20070502114005.GM7358@codelabs.ru>
In-Reply-To: <20070430112726.GA71812@codelabs.ru>

Nate, *, good day.

Sorry for the previous posting: I had messed the things and posted the old message to the list.

Mon, Apr 30, 2007 at 03:27:26PM +0400, Eygene Ryabinkin wrote:
> > > On the new code but without loading cpufreq and leaving the freq at 2200
> > > Mhz, do you get the right numbers? Are they constant?
> >
> > Monday will reveal the things. Will post an update.
>
> Was not able to test the things on Monday. But will try to do it
> on this week.

OK, with new code (patched with my patch) and cpufreq the download rate is more-or-less stable. But it is 4x larger than the limit I'd set in the pf.conf. And there are times when the rate goes straight to the maximal link bandwidth overriding any altq statements. But later it returns to the stable (4x larger) figure.

Without cpufreq I have stable rate, but it is again larger than the value specified in the pf.conf. At the time of testing I got the multiplier 33 (for the 3Kb specified in pf.conf I got 100 Kbit as measured by ifstat and fetch), but I feel that reboot or kernel recompilation will give me some other multiplier. And I still have the bumps of the bandwidth to the link-rate limit.

To conclude: the frequency callback is doing its work now (with my patch). Since I have strange results with the real rates I will continue my investigations and will try to post updates when I will discover something.
--
Eygene

From owner-freebsd-pf@FreeBSD.ORG Wed May 2 14:00:39 2007
From: Chris Smith
To: freebsd-pf@freebsd.org
Date: Wed, 2 May 2007 09:45:38 -0400
Subject: Re: pf and ALTQ - I Don't Understand
Message-Id: <200705020945.39102.bsd782@chrissmith.org>
In-Reply-To: <46193097.2040303@mykitchentable.net>

On Sunday 08 April 2007, Drew Tomlinson wrote:
> OK, I've done some more digging and maybe I understand now. I was
> missing the fact that NAT occurs BEFORE filtering

Why not tag the packets?

Chris

From owner-freebsd-pf@FreeBSD.ORG Thu May 3 21:12:51 2007
From: "Ricardo Benq"
To: freebsd-pf@freebsd.org
Date: Thu, 03 May 2007 21:00:51 +0000
Subject: PF and AD

Hello.

Is it possible to make filter rules that are based on Microsoft Active Directory users? Do I have to install samba/winbind? Are there tutorials?

Thanks in advance,
Ben.

_________________________________________________________________
MSN Messenger: install it for free and chat with your friends. http://messenger.msn.com.br

From owner-freebsd-pf@FreeBSD.ORG Fri May 4 08:42:28 2007
Date: Fri, 4 May 2007 12:26:58 +0400
From: BlackTemplares
To: "freebsd-pf-request@freebsd.org"
Subject: Re: freebsd-pf Digest
Message-ID: <352014796.20070504122658@rambler.ru>
In-Reply-To: <20070503120031.8094A16A4CF@hub.freebsd.org>

Hello, freebsd-pf-request.

You wrote on 3 May 2007, 16:00:31:

> Send freebsd-pf mailing list submissions to
>         freebsd-pf@freebsd.org
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> or, via email, send a message with subject or body 'help' to
>         freebsd-pf-request@freebsd.org
> You can reach the person managing the list at
>         freebsd-pf-owner@freebsd.org
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of freebsd-pf digest..."
> Today's Topics:
>    1. Re: pf and ALTQ - I Don't Understand (Chris Smith)
> ----------------------------------------------------------------------
> Message: 1
> Date: Wed, 2 May 2007 09:45:38 -0400
> From: Chris Smith
> Subject: Re: pf and ALTQ - I Don't Understand
> To: freebsd-pf@freebsd.org
> Message-ID: <200705020945.39102.bsd782@chrissmith.org>
> Content-Type: text/plain; charset="iso-8859-1"
> On Sunday 08 April 2007, Drew Tomlinson wrote:
>> OK, I've done some more digging and maybe I understand now. I was
>> missing the fact that NAT occurs BEFORE filtering
> Why not tag the packets?
> Chris
> ------------------------------
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
> End of freebsd-pf Digest, Vol 136, Issue 3
> ******************************************

--
Regards,
BlackTemplares mailto:blacktemplares@rambler.ru

From owner-freebsd-pf@FreeBSD.ORG Fri May 4 12:18:14 2007
From: "Kevin K."
To: "'Ricardo Benq'"
Date: Fri, 4 May 2007 07:46:55 -0400
Subject: RE: PF and AD
Message-ID: <001101c78e41$ea9b8e70$bfd2ab50$@ca>

The only thing I can think of is if maybe the firewall uses the Microsoft server as DNS, and you should be able to resolve computer names and write rules in PF accordingly.

I am planning on implementing a couple FBSD PF boxes in front of some Windows servers, so it would be interesting if anyone else has done such a thing.

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Ricardo Benq
Sent: Thursday, May 03, 2007 5:01 PM
To: freebsd-pf@freebsd.org
Subject: PF and AD

Hello.

Is it possible to make filter rules that are based on Microsoft Active Directory users? Do I have to install samba/winbind? Are there tutorials?

Thanks in advance,
Ben.

From owner-freebsd-pf@FreeBSD.ORG Fri May 4 16:37:08 2007
Message-ID: <70f41ba20705040937w32363fa6tc23fd3004e72c8b@mail.gmail.com>
Date: Fri, 4 May 2007 09:37:07 -0700
From: snowcrash
To: freebsd-pf@freebsd.org
Subject: pf+spamd's 'verbosity' has gone missing

hi,

i've freebsd 6.2-release + pf + spamd installed. works great.

i've launched spamd as,

  % ps -ax | grep -i spamd
  989 ?? Is 0:01.42 spamd: (pf update) (spamd)
  990 ?? I 0:00.44 /usr/local/libexec/spamd -v -n ESMTP -r450 -s5 -w1 -c 300 -B 200 -g -G25:4:864 -b 127.0.0.1 -p 8025
  992 ?? I 0:00.01 spamd: (/var/db/spamd update) (spamd)

note the "-v" for 'verbose' logging.

until recently, this output what i'd expect, e.g.,

  Apr 28 14:33:44 router spamd[985]: 218.246.32.43: connected (2/2), lists: mxblack
  Apr 28 14:37:38 router spamd[985]: (BLACK) 218.246.32.43: ->
  Apr 28 14:39:22 router spamd[985]: 218.246.32.43: From: message@51mymail.com
  Apr 28 14:39:22 router spamd[985]: 218.246.32.43: To: snowcrash@mydomain.com
  Apr 28 14:39:22 router spamd[985]: 218.246.32.43: Subject: =?GB2312?B?MPmudzA7bXEyq6usvm0O088Dt0QUSj8mjoQjXw==?=
  Apr 28 14:39:22 router spamd[985]: 218.246.32.43: Body: ------=_Part_38065_2690584.1174242557037
  Apr 28 14:39:22 router spamd[985]: 218.246.32.43: Body: Content-Type: text/html
  Apr 28 14:39:22 router spamd[985]: 218.246.32.43: Body: Content-Transfer-Encoding: quoted-printable
  Apr 28 14:39:22 router spamd[985]: 218.246.32.43: Body: Content-Language: gb2312
  Apr 28 14:39:22 router spamd[985]: 218.246.32.43: Body:
  Apr 28 14:39:22 router spamd[985]: 218.246.32.43: Body:
  Apr 28 14:39:22 router spamd[985]: 218.246.32.43: Body:
  Apr 28 14:39:22 router spamd[985]: 218.246.32.43: Body: =C0=B4=D7=D4=D0=D0=D2=B5=D7=A8=BC=D2=BC=B0 WebEx =BA=CF=D7=F7=BB=EF=
  Apr 28 14:40:05 router spamd[985]: 218.246.32.43: disconnected after 381 seconds. lists: mxblack

where the verbose output includes the "BLACK" & associated smtp dialog.

a few days later, in similar circumstance, i see only,

  May 4 09:03:02 router spamd[990]: 218.246.32.43: connected (1/1), lists: mxblack
  May 4 09:18:47 router spamd[990]: 218.246.32.43: disconnected after 945 seconds. lists: mxblack

i.e., the verbose output is missing.

clearly i've done something, but, for the life of me i can't figure out what :-/

suggestions as to 'where' my verbose output has wandered off to?

happy to provide any relevant detail, of course ...

thanks!

From owner-freebsd-pf@FreeBSD.ORG Fri May 4 17:37:36 2007
From: Olli Hauer <ohauer@gmx.de>
To: freebsd-pf@freebsd.org
Date: Fri, 04 May 2007 19:10:50 +0200
Subject: Re: pf+spamd's 'verbosity' has gone missing

On Fri, 2007-05-04 at 09:37 -0700, snowcrash wrote:
> hi,
>
> i've freebsd 6.2-release + pf + spamd installed.
>
> works great.
>
> i've launched spamd as,
>
> % ps -ax | grep -i spamd
> 989 ?? Is 0:01.42 spamd: (pf <spamd-white> update) (spamd)
> 990 ?? I 0:00.44 /usr/local/libexec/spamd -v -n ESMTP -r450
> -s5 -w1 -c 300 -B 200 -g -G25:4:864 -b 127.0.0.1 -p 8025
> 992 ?? I 0:00.01 spamd: (/var/db/spamd update) (spamd)
>
> note the "-v" for 'verbose' logging.
>
> until recently, this output what i'd expect, e.g.,
>
> Apr 28 14:33:44 router spamd[985]: 218.246.32.43: connected (2/2),
> lists: mxblack
> Apr 28 14:37:38 router spamd[985]: (BLACK) 218.246.32.43:
> <message@51mymail.com> -> <snowcrash@mydomain.com>
> Apr 28 14:39:22 router spamd[985]: 218.246.32.43: From: message@51mymail.com
> Apr 28 14:39:22 router spamd[985]: 218.246.32.43: To: snowcrash@mydomain.com
> Apr 28 14:39:22 router spamd[985]: 218.246.32.43: Subject:
> =?GB2312?B?MPmudzA7bXEyq6usvm0O088Dt0QUSj8mjoQjXw==?=
> Apr 28 14:39:22 router spamd[985]: 218.246.32.43: Body:
> ------=_Part_38065_2690584.1174242557037
> Apr 28 14:39:22 router spamd[985]: 218.246.32.43: Body:
> Content-Type: text/html
> Apr 28 14:39:22 router spamd[985]: 218.246.32.43: Body:
> Content-Transfer-Encoding: quoted-printable
> Apr 28 14:39:22 router spamd[985]: 218.246.32.43: Body:
> Content-Language: gb2312
> Apr 28 14:39:22 router spamd[985]: 218.246.32.43: Body: <!-- saved
> from url=3D(0022)http://internet.e-mail -->
> Apr 28 14:39:22 router spamd[985]: 218.246.32.43: Body: <html>
> Apr 28 14:39:22 router spamd[985]: 218.246.32.43: Body: <head>
> Apr 28 14:39:22 router spamd[985]: 218.246.32.43: Body:
> <title>=C0=B4=D7=D4=D0=D0=D2=B5=D7=A8=BC=D2=BC=B0 WebEx
> =BA=CF=D7=F7=BB=EF=
> Apr 28 14:40:05 router spamd[985]: 218.246.32.43: disconnected after
> 381 seconds. lists: mxblack
>
> where the verbose output includes the "BLACK" & associated smtp dialog.
>
> a few days later, in similar circumstance, i see only,
>
> May 4 09:03:02 router spamd[990]: 218.246.32.43: connected (1/1),
> lists: mxblack
> May 4 09:18:47 router spamd[990]: 218.246.32.43: disconnected after
> 945 seconds. lists: mxblack
>
> i.e., the verbose output is missing.
>
> clearly i've done something, but, for the life of me i can't figure out what :-/
>
> suggestions as to 'where' my verbose output has wandered off to? happy
> to provide any relevant detail, of course ...
>
> thanks!

I believe this results from a reconfigure or reload from syslogd.
If you have not modified the syslog.conf try a restart of the spamd
utility.

olli

From owner-freebsd-pf@FreeBSD.ORG Fri May 4 17:48:46 2007
Date: Fri, 4 May 2007 10:48:43 -0700
From: snowcrash <schneecrash+pf@gmail.com>
To: "Olli Hauer" <ohauer@gmx.de>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf+spamd's 'verbosity' has gone missing

hi olli,

> I believe this results from a reconfigure or reload from syslogd.
> If you have not modified the syslog.conf try a restart of the spamd
> utility.

i've rebooted/restarted -- both syslogd & the router itself -- a number
of times, with no apparent difference.

fwiw, my syslog.conf, atm, is,

% cat /etc/syslog.conf
*.err;kern.warning;auth.notice;mail.crit                        /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*                                                      /var/log/security
auth.info;authpriv.info                                         /var/log/auth.log
mail.info                                                       /var/log/maillog
lpr.info                                                        /var/log/lpd-errs
ftp.info                                                        /var/log/xferlog
cron.*                                                          /var/log/cron
*.=debug                                                        /var/log/debug.log
*.emerg                                                         *
local0.info                                                     /var/log/pflog.txt
!startslip
*.*                                                             /var/log/slip.log
!ppp
*.*                                                             /var/log/ppp.log
!spamd
*.*                                                             /var/log/spamd.log

trying to recall if/what i'd changed 'in there' :-/

spamd.log *is* logging ... just not the level of detail i'd thought.

thanks.

From owner-freebsd-pf@FreeBSD.ORG Fri May 4 17:18:59 2007
From: "Ricardo Benq" <rbenq@hotmail.com>
To: freebsd-pf@freebsd.org
Date: Fri, 04 May 2007 17:18:58 +0000
Subject: Re: PF and AD

Ok, Gregory, here it goes:
In our network, all users are AD domain users that have access to
services/networks restricted by AD groups.
We already have a SQUID/Dansguardian that filter internet access for AD
user/groups via ACLs for radio, video, messenger, etc. All Active
Directory users are authenticated on SQUID, using SAMBA/Winbind.
What we want is to use PF to filter access to, say, DMZ servers and
internet from internal network, based on user names and AD groups.

Regards,
Ben.

Ricardo Benq wrote:
>Hello.
>Is it possible to make filter rules that are based on Microsoft Active
>Directory users?
>Do I have to install samba/winbind? Are there tutorials?
>
Short answer: no.
Longer answer: Not that I can really think of an example where that
would be of use. Can you provide more details as of your network setup
and what do you want to achieve? The moon is too cloudy today, and so is
our spiritual possibilities.

--
With best regards,
Gregory Edigarov

From owner-freebsd-pf@FreeBSD.ORG Fri May 4 18:09:48 2007
From: Olli Hauer <ohauer@gmx.de>
To: freebsd-pf <freebsd-pf@freebsd.org>
Date: Fri, 04 May 2007 20:09:45 +0200
Subject: Re: pf+spamd's 'verbosity' has gone missing

On Fri, 2007-05-04 at 10:48 -0700, snowcrash wrote:
> hi olli,
>
> > I believe this results from a reconfigure or reload from syslogd.
> > If you have not modified the syslog.conf try a restart of the spamd
> > utility.
>
> i've rebooted/restarted -- both syslogd & the router itself -- a number
> of times, with no apparent difference.
>
> fwiw, my syslog.conf, atm, is,
>
> % cat /etc/syslog.conf
...
> *.=debug /var/log/debug.log
...
> !spamd
> *.* /var/log/spamd.log
>
>
> trying to recall if/what i'd changed 'in there' :-/
>
> spamd.log *is* logging ... just not the level of detail i'd thought.
>
> thanks.

OK, the line in syslog.conf looks fine.
Verbose logging is done with facility debug and the line catch this.

Do you have some entries in the /var/log/debug.log ?

From owner-freebsd-pf@FreeBSD.ORG Fri May 4 18:22:24 2007
Date: Fri, 4 May 2007 11:22:16 -0700
From: snowcrash <schneecrash+pf@gmail.com>
To: "Olli Hauer" <ohauer@gmx.de>
Cc: freebsd-pf <freebsd-pf@freebsd.org>
Subject: Re: pf+spamd's 'verbosity' has gone missing

hi,

> OK, the line in syslog.conf looks fine.
> Verbose logging is done with facility debug and the line catch this.
>
> Do you have some entries in the /var/log/debug.log ?

hmmm. interesting. in /var/log/debug.log i've a few instances of
'verbose' spamd output, e.g.,

...
May 3 03:47:39 router spamd[6565]: 72.3.240.53: Body: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
May 3 03:47:39 router spamd[6565]: 72.3.240.53: Body: <HTML><HEAD>
May 3 03:47:39 router spamd[6565]: 72.3.240.53: Body: <META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
May 3 03:47:39 router spamd[6565]: 72.3.240.53: Body: <STYLE></STYLE>
May 3 03:47:39 router spamd[6565]: 72.3.240.53: Body: </HEAD>
May 3 03:47:39 router spamd[6565]: 72.3.240.53: Body: <xbody bgColor=#ffffff>
May 3 03:47:39 router spamd[6565]: 72.3.240.53: Body: <DIV id=xptHeader>
May 3 03:47:39 router spamd[6565]: 72.3.240.53: Body: <TABLE cellSpacing=0 cellPadding=0 align=center border=0>
May 3 03:47:39 router spamd[6565]: 72.3.240.53: Body:
...

but NO trace of that "BLACK" label, and not nearly enough correlation
between the # of these listings and the # of connections ...

i'm not sure why i don't ALSO see this in the spamd.log ... the "*.*"
_should_ take care of that, no?

i also see in debug.log bunches of these,

May 3 05:19:15 router spamd[6564]: whitelisting 64.39.1.214 in /var/db/spamd
May 3 07:27:12 router spamd[6564]: whitelisting 66.211.168.230 in /var/db/spamd

for whitelisting.

cheers.

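One way to measure the mismatch described above between logged connections and verbose detail, as an added example that is not part of the thread: it merges spamd.log and debug.log, groups lines per spamd pid and client IP, and reports sessions that carry no (BLACK) or dialog lines. The sample lines are constructed from the excerpts quoted in this thread; the function names and the default year 2007 are assumptions of the example.

```python
import re
from datetime import datetime

# Constructed sample input, adapted from the log excerpts quoted in this thread.
SPAMD_LOG = """\
Apr 28 14:33:44 router spamd[985]: 218.246.32.43: connected (2/2), lists: mxblack
Apr 28 14:37:38 router spamd[985]: (BLACK) 218.246.32.43: <message@51mymail.com> -> <snowcrash@mydomain.com>
Apr 28 14:39:22 router spamd[985]: 218.246.32.43: From: message@51mymail.com
Apr 28 14:39:22 router spamd[985]: 218.246.32.43: Body: <html>
Apr 28 14:40:05 router spamd[985]: 218.246.32.43: disconnected after 381 seconds. lists: mxblack
May 4 09:03:02 router spamd[990]: 218.246.32.43: connected (1/1), lists: mxblack
May 4 09:18:47 router spamd[990]: 218.246.32.43: disconnected after 945 seconds. lists: mxblack
"""
DEBUG_LOG = """\
May 3 03:47:39 router spamd[6565]: 72.3.240.53: Body: <HTML><HEAD>
May 3 03:47:39 router spamd[6565]: 72.3.240.53: Body: </HEAD>
May 3 05:19:15 router spamd[6564]: whitelisting 64.39.1.214 in /var/db/spamd
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8}) \S+ spamd\[(\d+)\]: (.*)$")
CONNECT = re.compile(rf"^{IP}: connected \(\d+/\d+\)(?:, lists: (.*))?$")
DISCONNECT = re.compile(rf"^{IP}: disconnected after (\d+) seconds\.(?: lists: .*)?$")
ENVELOPE = re.compile(rf"^\(BLACK\) {IP}: ")
DIALOG = re.compile(rf"^{IP}: (?:From|To|Subject|Body):")
WHITELIST = re.compile(rf"^whitelisting {IP} in ")


def parse(text, source, year=2007):
    """Yield (when, source, pid, message) for every spamd syslog line in text.

    syslog timestamps carry no year, so one is assumed (default 2007).
    """
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m is None:
            continue  # not a spamd line
        stamp = " ".join(m.group(1).split())  # "May  4" and "May 4" both parse
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield when, source, int(m.group(2)), m.group(3)


def correlate(events):
    """Group events into sessions keyed by (pid, client IP).

    Assumes at most one open connection per client IP per spamd process; a
    second 'connected' line for the same key starts a new session. Verbose
    lines with no open session are counted as orphans.
    """
    sessions, open_sessions, orphans, whitelisted = [], {}, {}, []
    for when, source, pid, msg in sorted(events, key=lambda e: e[0]):
        if (m := CONNECT.match(msg)):
            s = {"pid": pid, "ip": m.group(1), "start": when, "lists": m.group(2),
                 "seconds": None, "envelope": False, "dialog": 0, "sources": {source}}
            open_sessions[(pid, m.group(1))] = s
            sessions.append(s)
        elif (m := DISCONNECT.match(msg)):
            s = open_sessions.pop((pid, m.group(1)), None)
            if s is not None:  # a disconnect with no logged connect is ignored
                s["seconds"] = int(m.group(2))
                s["sources"].add(source)
        elif (m := ENVELOPE.match(msg)) or (m := DIALOG.match(msg)):
            key = (pid, m.group(1))
            s = open_sessions.get(key)
            if s is None:
                orphans[key] = orphans.get(key, 0) + 1
            else:
                s["sources"].add(source)
                if msg.startswith("(BLACK)"):
                    s["envelope"] = True
                else:
                    s["dialog"] += 1
        elif (m := WHITELIST.match(msg)):
            whitelisted.append(m.group(1))
    return sessions, orphans, whitelisted


def silent_sessions(sessions):
    """Completed sessions for which no verbose (-v) detail was logged anywhere."""
    return [s for s in sessions
            if s["seconds"] is not None and not s["envelope"] and s["dialog"] == 0]


def run_sample():
    events = list(parse(SPAMD_LOG, "spamd.log")) + list(parse(DEBUG_LOG, "debug.log"))
    return correlate(events)


if __name__ == "__main__":
    sessions, orphans, whitelisted = run_sample()
    for s in sessions:
        print(s["start"], s["pid"], s["ip"], s["lists"], s["seconds"],
              "envelope" if s["envelope"] else "-", s["dialog"], sorted(s["sources"]))
    print("silent:", [(s["pid"], s["ip"]) for s in silent_sessions(sessions)])
    print("orphan verbose lines:", orphans)
```

Orphan counts are verbose lines whose "connected" line appears in neither file, which is the pattern the debug.log excerpt above shows.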
From owner-freebsd-pf@FreeBSD.ORG Fri May 4 18:29:08 2007
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Date: Fri, 4 May 2007 20:28:53 +0200
Subject: Re: PF and AD

[ Please don't top post - it reverses the communication flow ]

On Friday 04 May 2007, Ricardo Benq wrote:
> > Ricardo Benq wrote:
> > >Hello.
> > >Is it possible to make filter rules that are based on Microsoft
> > > Active Directory users?
> > >Do I have to install samba/winbind? Are there tutorials?
> >
> > Short answer: no.
> > Longer answer: Not that I can really think of an example where that
> > would be of use. Can you provide more details as of your network
> > setup and what do you want to achieve? The moon is too cloudy today,
> > and so is our spiritual possibilities.
>
> Ok, Gregory, here it goes:
> In our network, all users are AD domain users that have access to
> services/networks restricted by AD groups.
> We already have a SQUID/Dansguardian that filter internet access for AD
> user/groups via ACLs for radio, video, messenger, etc. All Active
> Directory users are authenticated on SQUID, using SAMBA/Winbind.
> What we want is to use PF to filter access to, say, DMZ servers and
> internet from internal network, based on user names and AD groups.

So you are interested to map host-ip to authenticated user on that host,
correct? I think you should be able to produce a login script that
initiates an ssh connection to authpf, which in turn adds required rules
to the firewall.

Note that anything that relies on host-ip as a security feature is doomed.
Especially in LANs an IP is easily spoofed. So unless you have a proxy
that can do further authentication, you can't be sure you get what you
ask for.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Fri May 4 19:05:45 2007
From: Olli Hauer <ohauer@gmx.de> To: freebsd-pf@freebsd.org In-Reply-To: <70f41ba20705041122h57a508d4r5c2f097cd19be0e7@mail.gmail.com> References: <70f41ba20705040937w32363fa6tc23fd3004e72c8b@mail.gmail.com> <1178298650.10053.15.camel@amd.uni.vrs> <70f41ba20705041048x6fd586c8v4b5ed9e07ec16ee9@mail.gmail.com> <1178302185.10053.24.camel@amd.uni.vrs> <70f41ba20705041122h57a508d4r5c2f097cd19be0e7@mail.gmail.com> Content-Type: text/plain Date: Fri, 04 May 2007 21:05:42 +0200 Message-Id: <1178305542.10053.54.camel@amd.uni.vrs> Mime-Version: 1.0 X-Mailer: Evolution 2.8.1.1 FreeBSD GNOME Team Port Content-Transfer-Encoding: 7bit X-Y-GMX-Trusted: 0 Subject: Re: pf+spamd's 'verbosity' has gone missing X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" <freebsd-pf.freebsd.org> List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>, <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe> List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf> List-Post: <mailto:freebsd-pf@freebsd.org> List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help> List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>, <mailto:freebsd-pf-request@freebsd.org?subject=subscribe> X-List-Received-Date: Fri, 04 May 2007 19:05:45 -0000 On Fri, 2007-05-04 at 11:22 -0700, snowcrash wrote: > hi, > > OK, the line in syslog.conf looks fine. > > Verbose logging is done with facility debug and the line catch this. > > > > Do you have some entries in the /var/log/debug.log ? > > hmmm. interesting. in /var/log/debug.log i've a few instances of > 'verbose' spamd output, e.g., > > ... 
> May 3 03:47:39 router spamd[6565]: 72.3.240.53: Body: <!DOCTYPE HTML > PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> > May 3 03:47:39 router spamd[6565]: 72.3.240.53: Body: <HTML><HEAD> > May 3 03:47:39 router spamd[6565]: 72.3.240.53: Body: <META > http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> > May 3 03:47:39 router spamd[6565]: 72.3.240.53: Body: <STYLE></STYLE> > May 3 03:47:39 router spamd[6565]: 72.3.240.53: Body: </HEAD> > May 3 03:47:39 router spamd[6565]: 72.3.240.53: Body: <xbody bgColor=#ffffff> > May 3 03:47:39 router spamd[6565]: 72.3.240.53: Body: <DIV id=xptHeader> > May 3 03:47:39 router spamd[6565]: 72.3.240.53: Body: <TABLE > cellSpacing=0 cellPadding=0 align=center border=0> > May 3 03:47:39 router spamd[6565]: 72.3.240.53: Body: > ... > > but NO trace of that "BLACK" label, and not nearly enough correlation > beween the # of these listings and the # of connections ... > > i'm not sure why i don't ALSO see this in the spamd.log ... the "*.*" > _should_ take care of that, no? > > i also see in debug.log bunches of these, > > May 3 05:19:15 router spamd[6564]: whitelisting 64.39.1.214 in /var/db/spamd > May 3 07:27:12 router spamd[6564]: whitelisting 66.211.168.230 in /var/db/spamd > > for whitelisting. > > cheers. ahhh no i think what you mean with BLACK label, (BLACK) 85.98.220.200: <bpx@mackenzie8888.freeserve.co.uk> ... -> this line will only displayed if a trapped host connect to your spamd disconnected after 3920 seconds. lists: spamd-greytrap -> this line will only displayed if a host listed in spamd.conf setup match an entry to get the logging back to the spamd.log also do the following kill all spamd process (pkill spamd) ps -waux | grep spamd (to make it sure) adjust the parameters for spamd. 
from this line -v -n ESMTP -r450 -s5 -w1 -c 300 -B 200 -g -G25:4:864 -b 127.0.0.1 -p 8025 to this line (the same without defaults) -v -g -s5 -w1 -c 300 -B 200 -b 127.0.0.1 -n ESMTP no need for -p 8025 -> default value -G 25:4:864 -> default value -r 450 -> default value (dropped in 4.1.x release) restart spamd and execute spamd-setup - start spamd - /usr/local/libexec/spamd-setup olli From owner-freebsd-pf@FreeBSD.ORG Fri May 4 19:20:36 2007 Return-Path: <owner-freebsd-pf@FreeBSD.ORG> X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1DAD616A401 for <freebsd-pf@freebsd.org>; Fri, 4 May 2007 19:20:36 +0000 (UTC) (envelope-from schneecrash@gmail.com) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.173]) by mx1.freebsd.org (Postfix) with ESMTP id A2D0A13C480 for <freebsd-pf@freebsd.org>; Fri, 4 May 2007 19:20:35 +0000 (UTC) (envelope-from schneecrash@gmail.com) Received: by ug-out-1314.google.com with SMTP id 71so593511ugh for <freebsd-pf@freebsd.org>; Fri, 04 May 2007 12:20:34 -0700 (PDT) DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:reply-to:sender:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; b=bzz9YTsp0B3kEIActAU4YxhqQDEVLAW2VA1ZjMg8SxbCAq/u7kscmRM0XB33dpgS2EkB09K88TByia+buLoZ4cdNQtbgCqA3hxKYmz0NkWfczqUYuku9CaX6pbcCga8dMRXpTvBNgbK51MKGN1BrOusZGI+tHLbDpEYli4MKU9w= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:reply-to:sender:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; 
Message-ID: <70f41ba20705041220u6772cc40tca01242358c239ff@mail.gmail.com>
Date: Fri, 4 May 2007 12:20:34 -0700
From: snowcrash <schneecrash+pf@gmail.com>
To: "Olli Hauer" <ohauer@gmx.de>
In-Reply-To: <1178305542.10053.54.camel@amd.uni.vrs>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf+spamd's 'verbosity' has gone missing

hi,

> ahhh no i think what you mean with BLACK label,
>
> (BLACK) 85.98.220.200: <bpx@mackenzie8888.freeserve.co.uk> ...
> -> this line will only be displayed if a trapped host connects to your spamd

ah! missed the emphasis on 'trapped'. ok.

> disconnected after 3920 seconds. lists: spamd-greytrap
> -> this line will only be displayed if a host listed in spamd.conf setup
> matches an entry

got it.

> to get the logging back to the spamd.log also do the following
>
> kill all spamd processes (pkill spamd)
> ps -waux | grep spamd (to make it sure)

done.
ps -waux | grep spamd
root 2666 0.0 0.4 1544 1020 p1 R+ 12:09PM 0:00.02 grep spamd

> adjust the parameters for spamd.

not sure if/why including the defaults is an issue, but, per your
recommendations, in /etc/rc.conf,

--- pfspamd_flags="-v -n ESMTP -r450 -s5 -w1 -c300 -B200 -g -G25:4:864 -b127.0.0.1 -p8025"
+++ pfspamd_flags="-v -g -s5 -w1 -c 300 -B 200 -b 127.0.0.1 -n ESMTP"

then,

> restart spamd and execute spamd-setup
> - start spamd

/usr/local/etc/rc.d/pfspamd start
Starting pfspamd.

ps -waux | grep spamd
nobody 2845 0.0 1.6 4424 4140 ?? Ss 12:17PM 0:00.01 spamd: (pf <spamd-white> update) (spamd)
nobody 2846 0.0 1.6 4424 4084 ?? S 12:17PM 0:00.02 /usr/local/libexec/spamd -v -g -s5 -w1 -c 300 -B 200 -b 127.0.0.1 -n ESMTP
nobody 2848 0.0 1.6 4424 4104 ?? S 12:17PM 0:00.00 spamd: (/var/db/spamd update) (spamd)
root 2853 0.0 0.4 1548 1024 p1 R+ 12:17PM 0:00.02 grep spamd

> - /usr/local/libexec/spamd-setup

here,

/usr/local/sbin/spamd-setup

then, in spamd.log,

...
May 4 12:17:27 router spamd[2846]: listening for incoming connections.

now to watch for that verbose output a bit ...

thanks.

From owner-freebsd-pf@FreeBSD.ORG Sat May 5 10:47:23 2007
To: freebsd-pf@freebsd.org
From: peter@bsdly.net (Peter N. M. Hansteen)
Date: Sat, 05 May 2007 12:47:20 +0200
In-Reply-To: <BAY114-F263B18C2292E74052CE1DAA5410@phx.gbl> (Ricardo Benq's message of "Thu, 03 May 2007 21:00:51 +0000")
Message-ID: <877irno8cn.fsf@thingy.datadok.no>
Subject: Re: PF and AD

"Ricardo Benq" <rbenq@hotmail.com> writes:

> Is it possible to make filter rules that are based on Microsoft Active
> Directory users?

If you can have the sshd on your pf equipped gateway use
authentication data from your Microsoft system (which is sort of
LDAPish), the next (and possibly smaller) hurdle is to set up authpf
and sensible per user or per user group rules to be loaded by authpf
as appropriate.

> Do I have to install samba/winbind? Are there tutorials?

the gateway would need to interface with the Windows kit one way or
the other, and IIRC kerberos is among the basic requirements. Our
friend G turns up a lot of references for "sshd Active Directory", so
at least it's been tried before.

It certainly sounds like useful tutorial material if there isn't one
available already. That is, if anyone pf-savvy can be persuaded to
dive into the AD stuff too.

-- 
Peter N. M.
Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

From owner-freebsd-pf@FreeBSD.ORG Sat May 5 23:15:43 2007
Date: Sun, 6 May 2007 00:48:53 +0200
From: Frank Steinborn <steinex@nognu.de>
To: freebsd-pf@FreeBSD.org
Message-Id: <20070505224853.B826EB867@shodan.nognu.de>
Subject: PF not started on boot (though it's in /etc/rc.conf)

Hi pf-users,

I have a problem bringing up PF after a reboot of my 6.2 machine.
I tried pf_enable="YES" in /etc/rc.conf, but it doesn't seem to
get executed. /etc/rc.d/pf exists, also tried to declare pf_rules and
even pf_program without luck. I always have to do "pfctl -e -f
/etc/pf.conf" manually after the boot.

Any hints on that?

Thanks,
Frank

From owner-freebsd-pf@FreeBSD.ORG Sat May 5 23:47:48 2007
Message-ID: <70f41ba20705051647g6d276b5fn23f4dbccb9dab1e8@mail.gmail.com>
Date: Sat, 5 May 2007 16:47:47 -0700
From: snowcrash <schneecrash+pf@gmail.com>
To: freebsd-pf@freebsd.org
In-Reply-To: <20070505224853.B826EB867@shodan.nognu.de>
Subject: Re: PF not started on boot (though it's in /etc/rc.conf)

hi,

> I have a problem bringing up PF after a reboot of my 6.2 machine.
> I tried pf_enable="YES" in /etc/rc.conf, but it doesn't seem to
> get executed. /etc/rc.d/pf exists, also tried to declare pf_rules and
> even pf_program without luck. I always have to do "pfctl -e -f
> /etc/pf.conf" manually after the boot.

this might help you track down the issue ...

kill pf

add/set in pf.conf,

set debug urgent

re-check your conf with,

pfctl -vv -nf pf.conf

then, restart pf, instead, with:

/etc/rc.d/pf start

watch your syslog & pf logs ... see anything of interest?

hth!

From owner-freebsd-pf@FreeBSD.ORG Sat May 5 23:55:49 2007
Message-ID: <463D12DC.7000205@gmail.com>
Date: Sat, 05 May 2007 16:27:24 -0700
From: Kian Mohageri <kian.mohageri@gmail.com>
To: freebsd-pf@FreeBSD.org
In-Reply-To: <20070505224853.B826EB867@shodan.nognu.de>
Subject: Re: PF not started on boot (though it's in /etc/rc.conf)

Frank Steinborn wrote:
> Hi pf-users,
>
> I have a problem bringing up PF after a reboot of my 6.2 machine.
> I tried pf_enable="YES" in /etc/rc.conf, but it doesn't seem to
> get executed. /etc/rc.d/pf exists, also tried to declare pf_rules and
> even pf_program without luck. I always have to do "pfctl -e -f
> /etc/pf.conf" manually after the boot.
>
> Any hints on that?
>

I'm guessing you used a hostname in your ruleset, which currently
results in the behavior you've described (on FreeBSD) because at the
time pf comes up, DNS isn't working.

-Kian
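
Added example, not part of the original thread or of pf itself: a heuristic shell check for the situation Kian describes, listing tokens in a pf ruleset that look like DNS names so they can be reviewed before the next reboot. The function names pf_hostnames and sample_pf_conf and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list tokens in a pf ruleset that
# look like DNS names. pf has to resolve such names when the ruleset is
# loaded, which is the boot-time dependency described above.
# pf_hostnames and sample_pf_conf are hypothetical names.

# Usage: pf_hostnames [file]   (reads stdin when no file is given)
# Output: one "line:name" pair per suspicious token. Heuristic only.
pf_hostnames() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)               # drop comments
        gsub(/[{}(),"=!<>]/, " ", line)    # list, macro and table punctuation
        n = split(line, tok, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            t = tok[i]
            sub(/\/[0-9]+$/, "", t)        # strip a CIDR suffix such as /24
            if (t ~ /\//) continue         # file or anchor path, not a host
            # Dotted name ending in an alphabetic label. IPv4 addresses
            # end in a numeric label and IPv6 contains ":", so both pass.
            if (t ~ /^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z][A-Za-z]+$/)
                printf "%d:%s\n", FNR, t
        }
    }' "$@"
}

# Constructed sample ruleset; hosts use reserved example domains.
sample_pf_conf() {
    cat <<'EOF'
ext_if = "em0"
mailhost = "mail.example.com"
table <spamd-white> persist
set skip on lo0
# pass in from old.example.org   (commented out, must not be reported)
rdr pass on $ext_if proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port 8025
block in log all
pass in on $ext_if proto tcp from any to $mailhost port smtp
pass in on $ext_if proto tcp from { 192.0.2.0/24, admin.example.net } to any port ssh
pass out all keep state
EOF
}

# Stand-alone run: report the two hostname tokens in the sample.
sample_pf_conf | pf_hostnames
```

Run against a real ruleset as `pf_hostnames /etc/pf.conf`; a macro that holds a hostname is reported at its definition line, not at each rule that uses it.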