From owner-freebsd-pf@FreeBSD.ORG Sun May 13 15:28:58 2007
From: snowcrash
Date: Sun, 13 May 2007 08:28:57 -0700
To: freebsd-pf
Message-ID: <70f41ba20705130828m62960520p26ebd4410729e6c1@mail.gmail.com>
Subject: latest spamd not logging "(BLACK)"; older version ok

hi,

i've freebsd 6.2-RELEASE + spamd-4.1.1 (yes, latest pre-release, _not_ the current port @ v3.7 ...). spamd's stuttering & greylisting as I'd expect/hope.

it's currently started with (in /etc/rc.conf),

obspamd_enable="YES"
obspamd_flags="-v -l127.0.0.1 -G15:6:864 -4 -s5 -S10 -w1 -c 300 -B 200 -h mail.mydomain.com -n labrea"
obspamlogd_enable="YES"

at the moment, even though in /etc/syslog.conf i have,

!spamd
daemon.* /var/log/spamd.log

i have _never_ seen any entries in my logs that announce a (BLACK) entry, or the accompanying verbose, slow-drip SMTP transaction. with v3.7 i see them regularly ...

i do not know if this is a freebsd, spamd, syslogd, or 'me' problem ... can anyone help troubleshoot/clarify?

thanks!
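One way to separate a syslogd problem from a spamd one, added here as an example and not part of the thread: in FreeBSD's syslog.conf a `!prog` line restricts every selector that follows it to that program until the next program specification, so a `!spamd` block that is not the last thing in the file has to be closed with `!*`, and syslogd only writes to a log file that already exists. The file below is a constructed example; the surrounding selectors, the file paths and the `logger` test line are assumptions, not the poster's configuration.

```conf
# /etc/syslog.conf (constructed example, not the poster's file)
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages

# Program block: from here on only messages tagged "spamd" are matched.
# spamd logs to the daemon facility, so daemon.* catches its connect,
# disconnect and verbose (-v) transaction lines.
!spamd
daemon.*                                        /var/log/spamd.log

# Reset the program specification. Without this line every selector
# below (mail.info included) would also apply to spamd only.
!*
mail.info                                       /var/log/maillog

# Checks after editing (run as root; the log file must exist first):
#   touch /var/log/spamd.log
#   /etc/rc.d/syslogd reload
#   logger -p daemon.info -t spamd "(BLACK) syslog path test"
# If the test line shows up in /var/log/spamd.log, syslogd and the
# selector are fine and the missing entries are a spamd-side question.
```

The `logger` line injects a message with the same tag and facility spamd uses, so it exercises exactly the path the `!spamd` block is meant to capture; if it lands in the file while real spamd traffic does not, the difference between the 3.7 port and the 4.1.1 build is where to look next.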
From owner-freebsd-pf@FreeBSD.ORG Mon May 14 01:45:25 2007
From: cangak
Date: Sun, 13 May 2007 18:18:45 -0700 (PDT)
To: freebsd-pf@freebsd.org
In-Reply-To: <46449028.8010507@mykitchentable.net>
Message-ID: <793939.62234.qm@web50708.mail.re2.yahoo.com>
Subject: mrtg for pf

hallo all, does anybody know how to load the pf log, i mean pf activity, into mrtg?
please give step-by-step instructions on how to install it. thanks

From owner-freebsd-pf@FreeBSD.ORG Mon May 14 06:52:55 2007
From: Max Laier
Organization: FreeBSD
Date: Mon, 14 May 2007 08:53:34 +0200
To: freebsd-pf@freebsd.org
In-Reply-To: <793939.62234.qm@web50708.mail.re2.yahoo.com>
Message-Id: <200705140853.40709.max@love2party.net>
Subject: Re: mrtg for pf
On Monday 14 May 2007, cangak wrote:
> hallo all are there any body know how to load pf log i mean pf activity
> to mrtg. please give the step to step how to install it. thaks

I suggest looking at http://www.benzedrine.cx/pfstat.html (sysutils/pfstat) instead. But there are plenty of references on google, e.g. Remko has the first hit here: http://www.evilcoder.org/content/view/545/33/

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon May 14 11:08:43 2007
From: FreeBSD bugmaster
Date: Mon, 14 May 2007 11:08:42 GMT
To: freebsd-pf@FreeBSD.org
Message-Id: <200705141108.l4EB8gwZ033083@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/110698  pf         [pf] nat rule of pf without "on" clause causes invalid

3 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
f conf/81042   pf         [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
o kern/103304  pf         [pf] pf accepts nonexistent queue in rules
o kern/106400  pf         [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
o kern/110174  pf         [pf] pf pass route-to does not assign correct IP for t
s conf/110838  pf         tagged parameter on nat not working on FreeBSD 5.2

7 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon May 14 16:07:29 2007
From: Ermal Luçi
Date: Mon, 14 May 2007 17:40:18 +0200
To: rajkumars@gmail.com
Cc: freebsd-pf@freebsd.org
Message-ID: <9a542da30705140840y549de4cl23894803db5c44d2@mail.gmail.com>
Subject: Re: Load balancing with ratio
You can use tagging for that with probability rules and then use route-to on tags. Since PF applies route-to only when the rule carrying route-to is the one that matches, you can do something like

pass bla.. probability 30% ..bla tag ROUTE1
pass bla.. probability 70% ..bla tag ROUTE2
pass bla route-to ($whatever1) tagged ROUTE1
pass bla route-to ($whatever2) tagged ROUTE2

Sorry about the syntax not being correct but you can use the man page to do that. I have not tested that but anyway it should work.

> Hi,
>
> pf can do outbound load balancing using route-to and provide the ext
> interface and gateway ip like { ($ext_if1 $ext_gw1), ($ext_if2
> $ext_gw2) } round-robin. But the algorithm is only round-robin which
> may not be appropriate if the two links are asymmetric, say an 1MB
> line and 256kbps line.
>
> Is there any way to provide some ratio like 1:4 where out of 5
> packets/bytes 4 will be via one link and one via other link?
>
> I have gone through the docs and this feature does not seem to exist
> any where, so if some one can give a starting place to look, where I
> can do some hacking, that would also be fine.
>
> raj
>

From owner-freebsd-pf@FreeBSD.ORG Tue May 15 23:09:57 2007
From: Henry
Date: Tue, 15 May 2007 18:39:56 -0400
To: freebsd-pf@freebsd.org
Subject: Trouble getting IP Phone to work

- I'm running PF.
- I have an IP Phone here that uses the 3com NBX phone system.
- Residential cable broadband connection with dynamic IP.

When I use binat, the phone works 100%.

When I use NAT with redirects to forward, the phone works partially. Some features don't work at all, and the others work sometimes.

To further test, I had NAT on, redirected all traffic to the $phone and passed all traffic, and it still doesn't work 100%.
Example:
----------------------
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr on $ext_if proto {tcp udp icmp} from any to ($ext_if) -> $phone
block log all
pass log all keep state
----------------------

I see nothing being blocked, everything is passing and all incoming traffic should be going to the phone. So I'm kind of stumped. Any ideas?

From owner-freebsd-pf@FreeBSD.ORG Wed May 16 12:40:33 2007
From: Volker
Date: Wed, 16 May 2007 14:39:57 +0200
To: Henry
Cc: freebsd-pf@freebsd.org
Message-ID: <464AFB9D.7080101@vwsoft.com>
Subject: Re: Trouble getting IP Phone to work
On 12/23/-58 20:59, Henry wrote:
> I'm running PF.
> - I have an IP Phone here that uses the 3com NBX phone system.
> - Residential cable broadband connection with dynamic IP.
>
> When I use binat, the phone works 100%.
>
> When I use NAT with redirects to forward, the phone works partially.
> Some features don't work at all, and the others work sometimes.
>
> To further test, I had NAT on, redirect all traffic to the $phone and
> passed all traffic and it still doesn't work 100%.
>
> Example:
> ----------------------
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> rdr on $ext_if proto {tcp udp icmp} from any to ($ext_if) -> $phone
> block log all
> pass log all keep state
> ----------------------
>
> I see nothing being blocked, everything is passing and all incoming
> traffic should be going to the phone. So I'm kind of stumped. Any
> ideas?

Henry,

sounds like a routing problem. How's the default gateway (router) being set on the phone? If it's correct, is variable $phone being set right? Do you see something in the pf logs? Does pf modify the destination address as you expect it (to be the one of the phone)?

Anyway, I really hope the ruleset shown is not your production ruleset. It's a damned wide open firewall... ;)

Are we talking about a SIP phone or what does the protocol look like? If it's SIP, I can provide configuration examples, as I've finished hacking pf rules for a snom 300 SIP phone, redirect connections from the public outside to it and it's working fine for some weeks now.
Volker

From owner-freebsd-pf@FreeBSD.ORG Wed May 16 18:27:31 2007
From: Tom Judge
Date: Wed, 16 May 2007 19:07:56 +0100
To: freebsd-pf@freebsd.org
Message-ID: <464B487C.1050301@tomjudge.com>
Subject: Packet Path Through PF (onec for each interface?)

Hi,

I have a question about the number of times a packet passes through pf on a router. Take the following simple configuration:

172.31.0.1/24:em0-[FreeBSD Router]-em1:172.31.1.1/24

Does a packet being routed from em0 to em1 pass through PF twice?
Would the following example work to only pass ssh connections from 172.31.0.0/24 into 172.31.1.0/41?

pass in quick on em0 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
block in log inet from any to any
block out log inet from any to any

Or do I have to have the following rules for it to work?

pass in quick on em0 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
pass out quick on em1 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
block in log inet from any to any
block out log inet from any to any

The second ruleset would indicate that the packet passes through PF once for each interface that it passes through; is this correct?

Thanks
Tom

From owner-freebsd-pf@FreeBSD.ORG Wed May 16 19:59:53 2007
From: David DeSimone
Date: Wed, 16 May 2007 14:59:49 -0500
To: freebsd-pf@freebsd.org
Message-ID: <20070516195948.GA22335@verio.net>
In-Reply-To: <464B487C.1050301@tomjudge.com>
Subject: Re: Packet Path Through PF (onec for each interface?)

Tom Judge wrote:
>
> I have a question about the number of times a packet passes through pf
> on a router.

The PF subsystem always examines every packet that passes in or out an interface. For a forwarded packet that means it will be examined twice.

However, your question seems to be more in regards to whether the packet gets matched against the rulebase. That is sort of a subtly different question.

> 172.31.0.1/24:em0-[FreeBSD Router]-em1:172.31.1.1/24
>
> Does a packet being routed from em0 to em1 pass through PF twice?
>
> Would the following example work to only pass ssh connections from
> 172.31.0.0/24 into 172.31.1.0/41
>
> pass in quick on em0 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
> block in log inet from any to any
> block out log inet from any to any

Because of the "keep state" qualifier, PF will build a state entry, which allows matching packets to be passed without examining the rulebase. So, PF does indeed examine every packet, once when it comes in an interface, again when the packet goes out the opposite interface, but because a state table entry matches the packet, it is allowed to pass without examining the rulebase beyond the first packet.

So, packets are "passed through" PF, but the rulebase is "passed through" only once for packets matching the rule.

> Or do I have to have the following rules for it to work?
>
> pass in quick on em0 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
> pass out quick on em1 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state

If you were to leave out the "keep state" qualifier, you would need rules matching the inbound and outbound packets. I think you would find, if you went ahead and tried the above, that the second rule never sees any matches, because the first rule handles them and builds state, which causes the second rule never to be used.

-- 
David DeSimone == Network Admin == fox@verio.net
"It took me fifteen years to discover that I had no talent for writing, but I couldn't give it up because by that time I was too famous." -- Robert Benchley

From owner-freebsd-pf@FreeBSD.ORG Wed May 16 20:22:43 2007
From: "Greg Hennessy"
Date: Wed, 16 May 2007 21:01:40 +0100
To: "'Tom Judge'"
In-Reply-To: <464B487C.1050301@tomjudge.com>
Message-ID: <000f01c797f5$04a5b9a0$0df12ce0$@Hennessy@nviz.net>
Subject: RE: Packet Path Through PF (onec for each interface?)

> Does a packet being routed from em0 to em1 pass through PF twice?

PF does both ingress and egress filtering; this explains it far better than I could:

http://homepage.mac.com/quension/pf/flow.png

> pass in quick on em0 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
> pass out quick on em1 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
>
> block in log inet from any to any
> block out log inet from any to any
>
> In the second rule this indicates that the packet passes through PF
> once for each interface that it passes through, is this correct?

A filtering rule without direction will match both ingress and egress flows.

A PF policy will block by default if the 1st rule is

block log all

One way of minimising the number of rules required is to use a tagged generic egress rule on each interface, e.g.

pass in quick on int1 $TCP .... $KSF tag outbound
pass in quick on int2 $TCP .... $KSF tag outbound
. . . . . .
pass out quick on int3 .... $KSF tagged outbound

where

KSF="keep state flags S/SA"
TCP="inet proto tcp"

Greg

From owner-freebsd-pf@FreeBSD.ORG Wed May 16 20:57:04 2007
From: Tom Judge
Date: Wed, 16 May 2007 21:31:37 +0100
To: David DeSimone
Cc: Greg.Hennessy@nviz.net, freebsd-pf@freebsd.org
Message-ID: <464B6A29.2020107@tomjudge.com>
In-Reply-To: <20070516195948.GA22335@verio.net>
Subject: Re: Packet Path Through PF (onec for each interface?)
David DeSimone wrote:
> Tom Judge wrote:
>> I have a question about the number of times a packet passes through pf
>> on a router.
>
> The PF subsystem always examines every packet that passes in or out an
> interface. For a forwarded packet that means it will be examined twice.
>
> However, your question seems to be more in regards to whether the packet
> gets matched against the rulebase. That is sort of a subtly different
> question.
>
>> 172.31.0.1/24:em0-[FreeBSD Router]-em1:172.31.1.1/24
>>
>> Does a packet being routed from em0 to em1 pass through PF twice?
>>
>> Would the following example work to only pass ssh connections from
>> 172.31.0.0/24 into 172.31.1.0/41
>>
>> pass in quick on em0 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
>> block in log inet from any to any
>> block out log inet from any to any
>
> Because of the "keep state" qualifier, PF will build a state entry,
> which allows matching packets to be passed, without examining the
> rulebase. So, PF does indeed examine every packet, once when it comes
> in an interface, again when the packet goes out the opposite interface,
> but because a state table entry matches the packet, it is allowed to
> pass without examining the rulebase beyond the first packet.
>
> So, packets are "passed through" PF, but the rulebase is "passed
> through" only once for packets matching the rule.
>
>> Or do I have to have the following rules for it to work?
>> >> pass in quick on em0 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state >> pass out quick on em1 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state > > If you were to leave out the "keep state" qualifier, you would need > rules matching the inbound and outbound packets. I think you would > find, if you go ahead and tried the above, that the second rule never > sees any matches, because the first rule handles them and builds state > which causes the second rule to never be used. > According to the diagram that Greg sent a link to (http://homepage.mac.com/quension/pf/flow.png) state is checked for every interface. However is the state information tied to an interface? 172.31.0.0/24>em0-[Router 1]-|-em1<->em1-|-[Router 2]-em0<172.31.1.0/24 |-em2<->em2-| Assuming that the routes are managed a routing protocol such as ospf and em1 is the normal primary link but when em1 is down em2 should restrict certain traffic. If the state is not tied to an interface then: pass in quick on em0 tcp from 172.31.0.0/21 to 172.31.1.0/24 22 keep state This rule would allow ssh traffic across both em1 and em2. I cant see from the digram if state data is shared how one would block egress ssh traffic on em2 as it would never hit a another rule as the state would cause it to get passed straight away. Where as if there are separate state 'tables' then a second rule for egress traffic on em1 would be required and egress traffic on em2 would get caught by the default block rule. All these rules are assumed to be on Router 1. I would have thought that the state tables would be independent for the ingress and egress interfaces, could someone clarify this please? 
Thanks Tom From owner-freebsd-pf@FreeBSD.ORG Wed May 16 21:38:40 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id D978E16A400 for ; Wed, 16 May 2007 21:38:40 +0000 (UTC) (envelope-from fox@verio.net) Received: from dfw-smtpout1.email.verio.net (dfw-smtpout1.email.verio.net [129.250.36.41]) by mx1.freebsd.org (Postfix) with ESMTP id B0C9613C45B for ; Wed, 16 May 2007 21:38:40 +0000 (UTC) (envelope-from fox@verio.net) Received: from [129.250.36.63] (helo=dfw-mmp3.email.verio.net) by dfw-smtpout1.email.verio.net with esmtp id 1HoRCh-0007X7-QP; Wed, 16 May 2007 21:38:39 +0000 Received: from [129.250.40.241] (helo=limbo.int.dllstx01.us.it.verio.net) by dfw-mmp3.email.verio.net with esmtp id 1HoRCh-0004Wg-MQ; Wed, 16 May 2007 21:38:39 +0000 Received: by limbo.int.dllstx01.us.it.verio.net (Postfix, from userid 1000) id CDABC8E131; Wed, 16 May 2007 16:38:36 -0500 (CDT) Date: Wed, 16 May 2007 16:38:36 -0500 From: David DeSimone To: Tom Judge Message-ID: <20070516213836.GB22335@verio.net> References: <464B487C.1050301@tomjudge.com> <20070516195948.GA22335@verio.net> <464B6A29.2020107@tomjudge.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed Content-Disposition: inline In-Reply-To: <464B6A29.2020107@tomjudge.com> User-Agent: Mutt/1.5.9i Cc: freebsd-pf@freebsd.org Subject: Re: Packet Path Through PF (onec for each interface?) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 May 2007 21:38:40 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Tom Judge wrote: > > According to the diagram that Greg sent a link to state is checked for > every interface. 
However is the state information tied to an > interface? The answer is determined by the state-policy. In your configuration you can set state-policy to "if-bound" or "group-bound" or "floating". If you choose "if-bound", the state will stick to the interface chosen at time of initial evaluation of the rule. If packets start to flow through different interfaces, they will fail to match the state, and this will require a rulebase evaluation to be performed in order to determine if traffic should continue to flow. If you choose "floating" (which is the default), state is not bound to any particular interface, and it will not matter whether the packets arrive or leave on the same interfaces; only that the packet contents match the defined state. With this setting, I believe that your rule would only be evaluated once, and as long as the state entry lasts, PF will only examine the packets as far as state, and will skip the rulebase evaluation. It will perform this state evaluation TWICE, once for ingress, again for egress. - -- David DeSimone == Network Admin == fox@verio.net "It took me fifteen years to discover that I had no talent for writing, but I couldn't give it up because by that time I was too famous. 
-- Robert Benchley -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFGS3ncFSrKRjX5eCoRAsjtAJ91+qND3lFpBgxw1hcBDYH0cgk6DgCgmL0V ZSTZ9yfzLoxLDW/GE97YlYA= =ZAPt -----END PGP SIGNATURE----- From owner-freebsd-pf@FreeBSD.ORG Wed May 16 21:56:05 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1041716A415 for ; Wed, 16 May 2007 21:56:05 +0000 (UTC) (envelope-from tom@tomjudge.com) Received: from smtp804.mail.ird.yahoo.com (smtp804.mail.ird.yahoo.com [217.146.188.64]) by mx1.freebsd.org (Postfix) with SMTP id 5C21F13C4BE for ; Wed, 16 May 2007 21:56:03 +0000 (UTC) (envelope-from tom@tomjudge.com) Received: (qmail 60217 invoked from network); 16 May 2007 21:56:02 -0000 Received: from unknown (HELO ?192.168.1.2?) (thomasjudge@btinternet.com@86.140.150.175 with plain) by smtp804.mail.ird.yahoo.com with SMTP; 16 May 2007 21:56:02 -0000 X-YMail-OSG: n2xaizwVM1mde4rhYz1PUwAHQOjRLJVUE3JeTb_8I57PMV7Q Message-ID: <464B7E3D.1030507@tomjudge.com> Date: Wed, 16 May 2007 22:57:17 +0100 From: Tom Judge User-Agent: Thunderbird 1.5.0.10 (X11/20070306) MIME-Version: 1.0 To: David DeSimone References: <464B487C.1050301@tomjudge.com> <20070516195948.GA22335@verio.net> <464B6A29.2020107@tomjudge.com> <20070516213836.GB22335@verio.net> In-Reply-To: <20070516213836.GB22335@verio.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-pf@freebsd.org Subject: Re: Packet Path Through PF (onec for each interface?) 
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 May 2007 21:56:05 -0000 David DeSimone wrote: > Tom Judge wrote: >> According to the diagram that Greg sent a link to state is checked for >> every interface. However is the state information tied to an >> interface? > > The answer is determined by the state-policy. In your configuration you > can set state-policy to "if-bound" or "group-bound" or "floating". > > If you choose "if-bound", the state will stick to the interface chosen > at time of initial evaluation of the rule. If packets start to flow > through different interfaces, they will fail to match the state, and > this will require a rulebase evaluation to be performed in order to > determine if traffic should continue to flow. > > If you choose "floating" (which is the default), state is not bound to > any particular interface, and it will not matter whether the packets > arrive or leave on the same interfaces; only that the packet contents > match the defined state. With this setting, I believe that your rule > would only be evaluated once, and as long as the state entry lasts, PF > will only examine the packets as far as state, and will skip the > rulebase evaluation. It will perform this state evaluation TWICE, once > for ingress, again for egress. > So this introduces a new problem with my HA configuration, how is pfsync going to deal with state information that is interface bound when the interfaces on the difference boxes have different names? eg: em0-|-[Router]-|-em2 em1-| |-em3 | | pfsync | bge1-|-[Router]-|-bce0 bge0-| |-bce1 Where the following interfaces are from each box are connected to the same network. em0 and bge0 em2 and bce0 em3 and bce1 Do all the interface names have to match on the HA pair? 
Tom From owner-freebsd-pf@FreeBSD.ORG Thu May 17 00:06:59 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 2F2DD16A407 for ; Thu, 17 May 2007 00:06:59 +0000 (UTC) (envelope-from kian.mohageri@gmail.com) Received: from mu-out-0910.google.com (mu-out-0910.google.com [209.85.134.185]) by mx1.freebsd.org (Postfix) with ESMTP id B681813C448 for ; Thu, 17 May 2007 00:06:58 +0000 (UTC) (envelope-from kian.mohageri@gmail.com) Received: by mu-out-0910.google.com with SMTP id w8so236184mue for ; Wed, 16 May 2007 17:06:57 -0700 (PDT) DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=mKv37zA3/N6gOPyka6z4pWoSNr6lGbisOmzN10U+QieYtSuCyTe+IJDirQOvgr/cET4/EoABMomita8dx2Uidu77hQd+xJu1DaREdKYkmklznznzHcrleDINQr3l7rmkdvopJb6wfoP29/GojeNkNVY20r9k5bLBpOECu8u31kI= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=HemK9tmLB/fejAXwPJBbsDIywWcbUuOqqdJ0MBeS4NCiGuO8elwb/0R0042lmSsyRfR585jDw/D4SAsNNq4H/zUJ5Ms9PEJMARWXGSWIcprKWhhLBP9DYap88zRXIcwPoHHhMw3lhRxusmlE95h5dWZZJrmq9u00CgYFcgMQDa4= Received: by 10.82.177.3 with SMTP id z3mr5921887bue.1179360416517; Wed, 16 May 2007 17:06:56 -0700 (PDT) Received: by 10.82.175.9 with HTTP; Wed, 16 May 2007 17:06:56 -0700 (PDT) Message-ID: Date: Wed, 16 May 2007 17:06:56 -0700 From: "Kian Mohageri" To: "Tom Judge" In-Reply-To: <464B7E3D.1030507@tomjudge.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <464B487C.1050301@tomjudge.com> <20070516195948.GA22335@verio.net> 
<464B6A29.2020107@tomjudge.com> <20070516213836.GB22335@verio.net> <464B7E3D.1030507@tomjudge.com> Cc: David DeSimone , freebsd-pf@freebsd.org Subject: Re: Packet Path Through PF (onec for each interface?) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 May 2007 00:06:59 -0000 On 5/16/07, Tom Judge wrote: > em0 and bge0 > em2 and bce0 > em3 and bce1 > > Do all the interface names have to match on the HA pair? Yes they do - but that is only if you use an if-bound state-policy, which isn't default. Keep in mind also that states also have a direction associated with them. Take this for example from my firewalls: # pfctl -ss | grep 66.165.31.204 all tcp 66.165.31.204:22 <- 71.227.220.29:1854 ESTABLISHED:ESTABLISHED all tcp 71.227.220.29:1854 -> 66.165.31.204:22 ESTABLISHED:ESTABLISHED You should read Daniel Hartmeier's (PF developer) 3-part article on Undeadly. Maybe it will clear things up for you. 
http://www.undeadly.org/cgi?action=article&sid=20060927091645

Kian

From owner-freebsd-pf@FreeBSD.ORG Thu May 17 14:14:38 2007
Message-ID: <005001c7988a$2e7ed000$d101010a@recol.us>
Date: Thu, 17 May 2007 09:49:25 -0400
From: "Lan Tran"
Subject: pf+altq for bandwidth control

Hello,

Is pf and altq a right combo for bandwidth limiting?  What I'm trying to
do is limit each IP or block of IPs to a predefined bandwidth.  I'm not
doing traffic shaping, just wanting to prevent servers from hogging all
the bandwidth.

My setup is as follows:

LAN {test server} -> xl1 {FreeBSD} xl0 -> router -> net

xl0 and xl1 are functioning as a transparent bridge.  The kernel has pf
and altq compiled in.

pf.conf:

ext_if = "xl0"
int_if = "xl1"
pc = "any"
set loginterface $ext_if

# to net
altq on $ext_if cbq bandwidth 100Mb queue { std_ext, test_ext }
queue std_ext bandwidth 3Mb qlimit 1000 priority 5 cbq(default red ecn)
queue test_ext bandwidth 2Mb priority 1 cbq(red ecn)

pass out on $ext_if from $pc to any keep state queue test_ext
---

The problem I'm having is that all outbound traffic from "test server"
matches the "queue std_ext" instead of the "queue test_ext" rule.  It
appears the cbq(default) child rule is overriding the other rule.  What
am I missing?

LT

From owner-freebsd-pf@FreeBSD.ORG Thu May 17 20:15:29 2007
Message-ID: <499c70c0705171315v3fcfe29fyfc046971c143e9d3@mail.gmail.com>
Date: Thu, 17 May 2007 23:15:27 +0300
From: "Abdullah Ibn Hamad Al-Marri"
To: freebsd-pf@freebsd.org
Subject: Best way to decrease DDoS with pf.

Hello,

This isn't a bandwidth issue, but filling the network buffer more than
anything else, so there are no more free sockets, and I can't connect
to the server via ssh; it's not syn as well.

But mass connect to IRC server with small bw, and the server isn't
lagged at all.

Rate: 245,919 Packets Per Second

What is the best way to deal with such DDoS?

These msgs are in the ircd, which I read when I'm opering up.

*** Notice -- throttled connections from 86.213.48.25 (3 in 1 seconds) for 2 minutes (offense 1)
*** Notice -- throttled connections from 189.12.134.86 (3 in 5 seconds) for 2 minutes (offense 1)
*** Notice -- throttled connections from 80.98.165.210 (3 in 2 seconds) for 5 minutes (offense 2)
*** Notice -- throttled connections from 85.66.74.255 (3 in 3 seconds) for 2 minutes (offense 1)
*** Notice -- throttled connections from 81.0.97.75 (3 in 9 seconds) for 2 minutes (offense 1)
*** Notice -- throttled connections from 86.213.48.25 (3 in 1 seconds) for 2 minutes (offense 1)

--
Regards,
-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/

From owner-freebsd-pf@FreeBSD.ORG Thu May 17 21:21:16 2007
Date: Thu, 17 May 2007 14:21:13 -0700
From: "Kian Mohageri"
To: "Abdullah Ibn Hamad Al-Marri"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <499c70c0705171315v3fcfe29fyfc046971c143e9d3@mail.gmail.com>
Subject: Re: Best way to decrease DDoS with pf.

On 5/17/07, Abdullah Ibn Hamad Al-Marri wrote:
> Hello,
>
> This isn't a bandwidth issue, but filling the network buffer more than
> anything else, so there are no more free sockets, and I can't connect
> to the server via ssh; it's not syn as well.
>
> But mass connect to IRC server with small bw, and the server isn't
> lagged at all.
>
> Rate: 245,919 Packets Per Second
>
> What is the best way to deal with such DDoS?
>
> These msgs are in the ircd, which I read when I'm opering up.
>
> *** Notice -- throttled connections from 86.213.48.25 (3 in 1 seconds)
> for 2 minutes (offense 1)
> *** Notice -- throttled connections from 189.12.134.86 (3 in 5
> seconds) for 2 minutes (offense 1)
> *** Notice -- throttled connections from 80.98.165.210 (3 in 2
> seconds) for 5 minutes (offense 2)
> *** Notice -- throttled connections from 85.66.74.255 (3 in 3 seconds)
> for 2 minutes (offense 1)
> *** Notice -- throttled connections from 81.0.97.75 (3 in 9 seconds)
> for 2 minutes (offense 1)
> *** Notice -- throttled connections from 86.213.48.25 (3 in 1 seconds)
> for 2 minutes (offense 1)

I don't completely understand your question, but I think you're looking
for stateful tracking options including max-src-conn-rate and the
overload keyword.

http://www.openbsd.org/faq/pf/filter.html#stateopts

Kian

From owner-freebsd-pf@FreeBSD.ORG Fri May 18 00:50:55 2007
Date: Thu, 17 May 2007 17:25:35 -0700
From: "Kurt Buff"
To: freebsd-pf@freebsd.org
Subject: pf, bridging, transparent proxy, dual gateways?
All,

Wondering if the following scenario is at all rational/feasible:

[fw-a]-------
             |
             |
[switch]---[freebsd]---[router]---[many subnets]
             |
             |
[fw-b]-------

Fw-a fronts our current T1, and that ties our other two offices
together with IPSec, and is our main inbound mail feed.

Fw-b is soon to be installed, and will front a new T1.

The lines are not bonded - they come from different vendors.

I'd like to forward all individual user traffic (HTTP/FTP/other) out
of the second T1, perhaps with the use of Squid/Frox, leaving our
intra-corporate traffic to go in/out the current T1, and also email.

Am I way off base, or is this worth the effort, and if so, how might I
set something like this up?  Would it make sense to make squid/frox
transparent proxies, or use the virtual IP address?

Docs are good - I like to rtfm if I know which m to read.

I'm completely new to both pf and squid, but have installed several
other apps, including ntop and maia-mailguard, etc., on freebsd, so
have some base of knowledge.

Thanks,

Kurt

From owner-freebsd-pf@FreeBSD.ORG Fri May 18 00:52:57 2007
Message-ID: <000301c798e6$d51bfdf0$0200a8c0@satellite>
Date: Thu, 17 May 2007 20:52:38 -0400
From: "Dave"
Subject: ftp, pf, passive ftp and fetch

Hi,

I'm trying to get ftp working from behind a pf firewall.  I'm using
pftpx on FreeBSD 6.2 for this.  I believe I have passive working; one of
my windows boxes goes passive and dies on active.

I've got three questions.  First, portupgrade uses fetch for retrieval,
correct?  If so I want it to use the -p (passive) option by default
whenever it tries an ftp url.  Second, with ncftp I'd like to specify
that it should use passive mode connections by default as well.  Last,
is active or passive ftp better in terms of security strictly from a
firewall perspective?  I know the protocol isn't secure.  If active ftp
is better than passive does anyone have a ruleset with it?  I'm using a
block-by-default ruleset.

Thanks.
Dave.

From owner-freebsd-pf@FreeBSD.ORG Fri May 18 01:16:49 2007
Message-ID: <20070518010420.GD64031@heff.fud.org.nz>
Date: Fri, 18 May 2007 13:04:20 +1200
From: Andrew Thompson
To: Kurt Buff
Cc: freebsd-pf@freebsd.org
Subject: Re: pf, bridging, transparent proxy, dual gateways?

On Thu, May 17, 2007 at 05:25:35PM -0700, Kurt Buff wrote:
> All,
>
> Wondering if the following scenario is at all rational/feasible:
>
> [fw-a]-------
>              |
>              |
> [switch]---[freebsd]---[router]---[many subnets]
>              |
>              |
> [fw-b]-------
>
> Fw-a fronts our current T1, and that ties our other two offices
> together with IPSec, and is our main inbound mail feed.
>
> Fw-b is soon to be installed, and will front a new T1.
>
> The lines are not bonded - they come from different vendors.
>
> I'd like to forward all individual user traffic (HTTP/FTP/other) out
> of the second T1, perhaps with the use of Squid/Frox, leaving our
> intra-corporate traffic to go in/out the current T1, and also email.

The easiest way is to use the route-to option in pf.  When you pass the
traffic from the internal network you mark which link it should go out.

pass in quick on $int_if route-to ($fw-a_if $fw-a_ip) ... (some criteria)
pass in quick on $int_if route-to ($fw-b_if $fw-b_ip) ... (other criteria)

If you are also accepting connections in from the internet then you may
want to look at the reply-to option.

regards,
Andrew

From owner-freebsd-pf@FreeBSD.ORG Fri May 18 07:04:46 2007
Message-ID: <000d01c7991a$cff492e0$6fddb8a0$@Hennessy@nviz.net>
Date: Fri, 18 May 2007 08:04:43 +0100
From: "Greg Hennessy"
To: "'Dave'"
In-Reply-To: <000301c798e6$d51bfdf0$0200a8c0@satellite>
Subject: RE: ftp, pf, passive ftp and fetch

> Hi,
>   I'm trying to get ftp working from behind a pf firewall.  I'm using
> pftpx on FreeBSD 6.2 for this.  I believe I have passive working; one of my
> windows boxes goes passive and dies on active.

Command line FTP client in windows is active only.

> I've got three questions.  First,
> portupgrade uses fetch for retrieval, correct?  If so I want it to use
> the -p (passive) option by default whenever it tries an ftp url.

gw2:~ # set | grep -i ftp
FTP_PASSIVE_MODE=1

> Second, with ncftp I'd like to specify that it should use passive mode
> connections by default as well.

gw2:~ # grep -i passive .ncftp/prefs_v3
passive=on

> Last, is active or passive ftp better in terms of security
> strictly from a firewall perspective?  I know the protocol isn't secure.

Passive is less of a PITA (that's not saying much).  One doesn't have to
handle ingress traffic initiated from the server.  However one either
has to leave high ports open or use a L7 proxy to dynamically open the
firewall for each request, hence pftpx.

> If active ftp is better than passive does anyone have a ruleset with it?
> I'm using a block-by-default ruleset.

I haven't used active FTP for years TBH.  I have had serious arguments
with vendors and suppliers who tried to insist on its use through
environments I have had responsibility for.

Greg

> Thanks.
> Dave.

From owner-freebsd-pf@FreeBSD.ORG Fri May 18 08:29:44 2007
Message-ID: <10678120.post@talk.nabble.com>
Date: Fri, 18 May 2007 01:12:34 -0700 (PDT)
From: Umar
To: freebsd-pf@freebsd.org
Subject: bandwidth controlling with ALTQ

Dear Members!

I am running cable internet and I have a 1Mb DSL link.  Now I want to
restrict my users' bandwidth, e.g. I want to restrict per-IP bandwidth to
10KB (download and upload), so please help me with how I can manage this
in PF-ALTQ.

my pf.conf

int_inf = em0
ext_inf = fxp0
local_net = 192.168.1.0/24
From owner-freebsd-pf@FreeBSD.ORG Fri May 18 08:39:43 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id AD9B216A402 for ; Fri, 18 May 2007 08:39:43 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from frontmail.ipactive.de (frontmail.maindns.de [85.214.95.103]) by mx1.freebsd.org (Postfix) with ESMTP id 73B0F13C489 for ; Fri, 18 May 2007 08:39:43 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from mail.vtec.ipme.de (Q7d72.q.ppp-pool.de [89.53.125.114]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by frontmail.ipactive.de (Postfix) with ESMTP id 5503C128829 for ; Fri, 18 May 2007 10:39:37 +0200 (CEST) Received: from cesar.sz.vwsoft.com (cesar.sz.vwsoft.com [192.168.16.3]) by mail.vtec.ipme.de (Postfix) with ESMTP id 65CC63F4E8; Fri, 18 May 2007 10:39:14 +0200 (CEST) Message-ID: <464D6631.7000606@vwsoft.com> Date: Fri, 18 May 2007 10:39:13 +0200 From: Volker User-Agent: Thunderbird 2.0.0.0 (X11/20070420) MIME-Version: 1.0 To: llt@recol.com X-Enigmail-Version: 0.95.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-VWSoft-MailScanner: Found to be clean X-MailScanner-From: volker@vwsoft.com X-ipactive-MailScanner-Information: Please contact the ISP for more information X-ipactive-MailScanner: Found to be clean X-ipactive-MailScanner-From: volker@vwsoft.com Cc: freebsd-pf@freebsd.org Subject: Re: pf+altq for bandwidth control X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 May 2007 08:39:43 -0000 > My setup is as follow: > LAN {test server} -> xl1 {FreeBSD} xl0 -> router -> net > xl0 and xl1 are functioning as a 
> transparent bridge. kernel has pf and altq
> compiled.
>
> pf.conf:
> ext_if = "xl0"
> int_if = "xl1"
> pc = "any"
> set loginterface $ext_if
>
> # to net
> altq on $ext_if cbq bandwidth 100Mb queue { std_ext, test_ext }
> queue std_ext bandwidth 3Mb qlimit 1000 priority 5 cbq(default red ecn)
> queue test_ext bandwidth 2Mb priority 1 cbq(red ecn)
>
> pass out on $ext_if from $pc to any keep state queue test_ext
> ---
> The problem I'm having is that all outbound traffic from "test server"
> matches the "queue std_ext" instead of "queue test_ext" rule. It appears
> the cbq(default) child rule is overriding the other rule.

Lan,

to get a clear answer, we need to see your whole ruleset, not just a snippet (will write this into a signature, as soon as it's the most often used phrase).

Just a few guesses:

You don't 'pass quick' and another rule matches later, which does set it into a different queue.

Also you're using state-policy floating and a rule is creating state when the packet comes into your box, which queues differently. You may probably want to use if-bound state policy.

Another thing to care about is your rules may create state in the middle of a stream as you're not creating state on SYN.

Last guess: I think you've set $pc to any just for testing. If you're using NAT and setting this to anything different (any of your local IP addresses), this rule will never match as the packet is being processed _after_ NAT processing.

HTH

Volker

PS: Does anybody know what's wrong with the mailing list? Did not receive the digest messages for the last 36 hours.
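The three guesses above, written out as an added pf.conf for the bridge (this is not Lan's or Volker's ruleset): `quick` on the test server's rule so no later rule can re-queue it, `set state-policy if-bound` so a state created on xl1 is not reused on xl0, and `flags S/SA` so state is only created on the initial SYN. Interface names and the two cbq queues are taken from the quoted snippet; the `test_srv` macro with its address and the `block log all` default are assumptions.

```pf
# Added example, not a ruleset posted in this thread.
ext_if   = "xl0"
int_if   = "xl1"
test_srv = "192.168.1.10"      # constructed placeholder for the LAN test server

set loginterface $ext_if
# Bind every state to the interface it was created on. A state created by an
# 'in' rule on $int_if names no queue; with floating states it would be matched
# again on $ext_if and the 'out' rules that assign the queue would never run.
set state-policy if-bound

altq on $ext_if cbq bandwidth 100Mb queue { std_ext, test_ext }
queue std_ext  bandwidth 3Mb qlimit 1000 priority 5 cbq(default red ecn)
queue test_ext bandwidth 2Mb priority 1 cbq(red ecn)

block log all

# inside leg of the bridge: forward without creating state here
pass in  quick on $int_if all
pass out quick on $int_if all

# test server first and 'quick', so no later rule can move it to std_ext;
# flags S/SA creates state only on the initial SYN, never mid-stream
pass out quick on $ext_if proto tcp from $test_srv to any \
    flags S/SA keep state queue test_ext

# everything else leaving on $ext_if lands in the default queue
pass out quick on $ext_if proto tcp all flags S/SA keep state queue std_ext
pass out quick on $ext_if proto { udp, icmp } all keep state queue std_ext
pass in  quick on $ext_if proto tcp all flags S/SA keep state
```

Load it with `pfctl -nf` first to parse only; the rule order matters because the test server's rule must be evaluated before the catch-all std_ext rule.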
From owner-freebsd-pf@FreeBSD.ORG Fri May 18 08:49:42 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9089316A403 for ; Fri, 18 May 2007 08:49:42 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from frontmail.ipactive.de (frontmail.maindns.de [85.214.95.103]) by mx1.freebsd.org (Postfix) with ESMTP id 5610A13C465 for ; Fri, 18 May 2007 08:49:42 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from mail.vtec.ipme.de (Q7d72.q.ppp-pool.de [89.53.125.114]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by frontmail.ipactive.de (Postfix) with ESMTP id 1B811128829 for ; Fri, 18 May 2007 10:49:34 +0200 (CEST) Received: from cesar.sz.vwsoft.com (cesar.sz.vwsoft.com [192.168.16.3]) by mail.vtec.ipme.de (Postfix) with ESMTP id 9EC393F4E8; Fri, 18 May 2007 10:49:05 +0200 (CEST) Message-ID: <464D6880.2080306@vwsoft.com> Date: Fri, 18 May 2007 10:49:04 +0200 From: Volker User-Agent: Thunderbird 2.0.0.0 (X11/20070420) MIME-Version: 1.0 X-Enigmail-Version: 0.95.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-VWSoft-MailScanner: Found to be clean X-MailScanner-From: volker@vwsoft.com X-ipactive-MailScanner-Information: Please contact the ISP for more information X-ipactive-MailScanner: Found to be clean X-ipactive-MailScanner-From: volker@vwsoft.com Cc: freebsd-pf@freebsd.org Subject: Re: Best way to decrease DDoS with pf. 
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 May 2007 08:49:42 -0000

> This isn't bandwidth issue, but filling the network buffer more than
> anything else, so there are no more free sockets, and I can't connect
> to the server via ssh, it's not syn as well.
>
> But mass connect to IRC server with small bw, and the server isn't
> lagged at all.
>
> Rate: 245,919 Packets Per Second
>
> What is the best way to deal with such DDoS?

Abdullah,

I'm not quite sure if I get you right. If tcp traffic arrives without a SYN set, you can easily block that by using 'pass ... flags S/SA' so the traffic never reaches your daemon. Also for tcp traffic you may want to try 'synproxy state'.

The last thing you can do is to use altq, feed the traffic into a low bandwidth queue and still be able to serve other traffic. As you can't control the downstream usage that way, you're at least able to limit the response and slow down traffic that way a bit. I'm doing this for SMTP traffic and it works great (I'm slowing down all SMTP traffic from windows boxes to my home server to a maximum of 6 kBit/s - non windows boxes are getting 40 kBit/s for SMTP connections, a bit too rude, I know but it works).

Keep in mind, if you're under a DDoS attack, your bandwidth may still be eaten up, but the effects on your machine will be limited when using S/SA + synproxy state + bandwidth limiting.

If I get you wrong, please explain your problem in a bit more detail.
HTH Volker From owner-freebsd-pf@FreeBSD.ORG Fri May 18 08:57:12 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9D68616A401 for ; Fri, 18 May 2007 08:57:12 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from frontmail.ipactive.de (frontmail.maindns.de [85.214.95.103]) by mx1.freebsd.org (Postfix) with ESMTP id 5FABE13C457 for ; Fri, 18 May 2007 08:57:11 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from mail.vtec.ipme.de (Q7d72.q.ppp-pool.de [89.53.125.114]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by frontmail.ipactive.de (Postfix) with ESMTP id 0184D128829 for ; Fri, 18 May 2007 10:57:04 +0200 (CEST) Received: from cesar.sz.vwsoft.com (cesar.sz.vwsoft.com [192.168.16.3]) by mail.vtec.ipme.de (Postfix) with ESMTP id 8553F3F4E8; Fri, 18 May 2007 10:56:40 +0200 (CEST) Message-ID: <464D6A47.10706@vwsoft.com> Date: Fri, 18 May 2007 10:56:39 +0200 From: Volker User-Agent: Thunderbird 2.0.0.0 (X11/20070420) MIME-Version: 1.0 To: dmehler26@woh.rr.com X-Enigmail-Version: 0.95.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-VWSoft-MailScanner: Found to be clean X-MailScanner-From: volker@vwsoft.com X-ipactive-MailScanner-Information: Please contact the ISP for more information X-ipactive-MailScanner: Found to be clean X-ipactive-MailScanner-From: volker@vwsoft.com Cc: freebsd-pf@freebsd.org Subject: Re: ftp, pf, passive ftp and fetch X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 May 2007 08:57:12 -0000 > I'm trying to get ftp working from behind a pf firewall. I'm using pftpx > on FreeBSD 6.2 for this. 
> I believe i have passive working, one of my windows
> boxes goes passive and dies on active. I've got three questions. First,
> portupgrade uses fetch for retrieval correct, if so i want it to use the -p
> (passive option) by default whenever it tries an ftp url. Second, ncftp i'd
> like to specify that it should use passive mode connections by default as
> well. Last, is active or passive ftp better in terms of security strictly
> from a firewall perspective, i know the protocol isn't secure? If active ftp
> is better than passive does anyone have a ruleset with it? I'm using a block
> by default ruleset.

Dave,

Greg already gave you some good answers, which I will not repeat.

The question about passive / active being more secure is nonsense. I'm still using ftp-proxy and I think it should be easily (and cleverly) possible to drive active ftp through pf. As ftp-proxy is running as user 'proxy', I'm using a rule similar to:

pass in log quick on $ext_if from any to ($ext_if) user "proxy" flags "S/SA" keep state

in my ruleset (just made it that way last week). I still haven't checked active ftp out but I think this will also work for active ftp connections. You just need to also pass traffic in on $int_if for port 8021 (or whatever port your ftp proxy is listening on) and traffic out on $ext_if to port 21.
HTH Volker From owner-freebsd-pf@FreeBSD.ORG Fri May 18 09:25:07 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 3C0A216A400 for ; Fri, 18 May 2007 09:25:07 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from frontmail.ipactive.de (frontmail.maindns.de [85.214.95.103]) by mx1.freebsd.org (Postfix) with ESMTP id F382F13C45E for ; Fri, 18 May 2007 09:25:06 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from mail.vtec.ipme.de (Q7d72.q.ppp-pool.de [89.53.125.114]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by frontmail.ipactive.de (Postfix) with ESMTP id 4F0A312883F for ; Fri, 18 May 2007 11:24:59 +0200 (CEST) Received: from cesar.sz.vwsoft.com (cesar.sz.vwsoft.com [192.168.16.3]) by mail.vtec.ipme.de (Postfix) with ESMTP id 19EEB3F4E8; Fri, 18 May 2007 11:24:34 +0200 (CEST) Message-ID: <464D70D0.3000608@vwsoft.com> Date: Fri, 18 May 2007 11:24:32 +0200 From: Volker User-Agent: Thunderbird 2.0.0.0 (X11/20070420) MIME-Version: 1.0 To: Umar References: <10678120.post@talk.nabble.com> In-Reply-To: <10678120.post@talk.nabble.com> X-Enigmail-Version: 0.95.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-VWSoft-MailScanner: Found to be clean X-MailScanner-From: volker@vwsoft.com X-ipactive-MailScanner-Information: Please contact the ISP for more information X-ipactive-MailScanner: Found to be clean X-ipactive-MailScanner-From: volker@vwsoft.com Cc: freebsd-pf@freebsd.org Subject: Re: bandwidth controlling with ALTQ X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 May 2007 09:25:07 -0000 On 05/18/07 10:12, Umar wrote: 
> Dear Members!
>
> I am running cable internet and I have 1Mb DSL link now I want to restrict
> my user's bandwidth. e.g I want to restrict per IP bandwidth 10KB (download
> and upload) so please help me how i can manage in PF-ALTQ.
>
> my pf.conf
>
> int_inf = emo
> ext_inf = fxp0
>
> local_net = 192.168.1.0/24

Umar,

if you want to limit per IP address, you need to create one queue for every IP address in your internal network. The bandwidth sum of all queues must not exceed the bandwidth of the root queue. If your upstream has a b/w of 256 kBit/s (if it's asymmetric) you can only create 25 queues with 10 kBit/s.

You may consider doing it differently, as creating one queue for every internal IP address is a nightmare for administration.

I'm using the hfsc scheduler for the internal network, so every IP should be served fairly, and a limited cbq queue for them on the external interface, and reach good results with that. If b/w is limited as other traffic passes, these stations get their traffic through limited.
HTH Volker From owner-freebsd-pf@FreeBSD.ORG Fri May 18 10:05:03 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id DF50016A404 for ; Fri, 18 May 2007 10:05:03 +0000 (UTC) (envelope-from bounces@nabble.com) Received: from kuber.nabble.com (kuber.nabble.com [216.139.236.158]) by mx1.freebsd.org (Postfix) with ESMTP id C597F13C45E for ; Fri, 18 May 2007 10:05:03 +0000 (UTC) (envelope-from bounces@nabble.com) Received: from isper.nabble.com ([192.168.236.156]) by kuber.nabble.com with esmtp (Exim 4.63) (envelope-from ) id 1HozKY-0004gh-NV for freebsd-pf@freebsd.org; Fri, 18 May 2007 03:05:02 -0700 Message-ID: <10679395.post@talk.nabble.com> Date: Fri, 18 May 2007 03:05:02 -0700 (PDT) From: Umar To: freebsd-pf@freebsd.org In-Reply-To: <464D70D0.3000608@vwsoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Nabble-From: unix.co@gmail.com References: <10678120.post@talk.nabble.com> <464D70D0.3000608@vwsoft.com> Subject: Re: bandwidth controlling with ALTQ X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 May 2007 10:05:04 -0000 Dear Volker Thanks for your reply! I have 1mb up and 1mb down DSL and i have total 20 client at this time. >> if you want to limit per IP address, you need to create one queue for >> every IP address in your internal network. Please tell me how i create the queue i will manage 20 queues by hand. But i don't know the exact syntax in PF-ALTQ Regards, Umar Draz Volker wrote: > > On 05/18/07 10:12, Umar wrote: >> Dear Members! >> >> I am running cable internet and I have 1Mb DSL link now I want to >> restrict >> my user's bandwidth. 
e.g I want to restrict per IP bandwidth 10KB >> (donwload >> and upload) so please help me how i can mange in PF-ALTQ. >> >> my pf.conf >> >> int_inf = emo >> ext_inf = fxp0 >> >> local_net = 192.168.1.0/24 > > Umar, > > if you want to limit per IP address, you need to create one queue for > every IP address in your internal network. The bandwidth sum of all > queues must not exceed the bandwidth of the root queue. If your > upstream has a b/w of 256 kBit/s (if it's asymmetric) you can only > create 25 queues with 10 kBit/s. > > You may consider doing it different, as creating one queue for every > internal IP address is a nightmare for administration. > > I'm using hfsc scheduler for the internal network, so every IP should > be served fair and a limited cbq queue for them on the external > interface and reach good results with that. If b/w is limited as other > traffic passes, these stations get their traffic through limited. > > HTH > > Volker > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > > -- View this message in context: http://www.nabble.com/bandwidth-controlling-with-ALTQ-tf3776301.html#a10679395 Sent from the freebsd-pf mailing list archive at Nabble.com. 
From owner-freebsd-pf@FreeBSD.ORG Fri May 18 11:16:29 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 0764916A400 for ; Fri, 18 May 2007 11:16:29 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from frontmail.ipactive.de (frontmail.maindns.de [85.214.95.103]) by mx1.freebsd.org (Postfix) with ESMTP id BFBD613C45E for ; Fri, 18 May 2007 11:16:28 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from mail.vtec.ipme.de (Q7d12.q.ppp-pool.de [89.53.125.18]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by frontmail.ipactive.de (Postfix) with ESMTP id 31B76128829 for ; Fri, 18 May 2007 13:16:21 +0200 (CEST) Received: from cesar.sz.vwsoft.com (cesar.sz.vwsoft.com [192.168.16.3]) by mail.vtec.ipme.de (Postfix) with ESMTP id D07BE3FA01; Fri, 18 May 2007 13:15:50 +0200 (CEST) Message-ID: <464D8AE8.30103@vwsoft.com> Date: Fri, 18 May 2007 13:15:52 +0200 From: Volker User-Agent: Thunderbird 2.0.0.0 (X11/20070420) MIME-Version: 1.0 To: Umar References: <10678120.post@talk.nabble.com> <464D70D0.3000608@vwsoft.com> <10679395.post@talk.nabble.com> In-Reply-To: <10679395.post@talk.nabble.com> X-Enigmail-Version: 0.95.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-VWSoft-MailScanner: Found to be clean X-MailScanner-From: volker@vwsoft.com X-ipactive-MailScanner-Information: Please contact the ISP for more information X-ipactive-MailScanner: Found to be clean X-ipactive-MailScanner-From: volker@vwsoft.com Cc: freebsd-pf@freebsd.org Subject: Re: bandwidth controlling with ALTQ X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 May 
2007 11:16:29 -0000

On 05/18/07 12:05, Umar wrote:
> Dear Volker
>
> Thanks for your reply!
>
> I have 1mb up and 1mb down DSL and i have total 20 client at this time.
>
>>> if you want to limit per IP address, you need to create one queue for
>>> every IP address in your internal network.
>
> Please tell me how i create the queue i will manage 20 queues by hand. But
> i don't know the exact syntax in PF-ALTQ

Umar,

well, here your nightmare comes true! It's not just creating the queues, but having a different pass rule for every queue you're using. Let's go (assuming the hfsc scheduler; cbq or priq will also do it for you):

$clientIP1="192.168.0.2"
$clientIP2="192.168.0.3"

altq on $ext_if hfsc bandwidth 1Mb queue { qclient1, qclient2, qclient3, ... }
queue qclient1 bandwdith 10Kb hfsc ( rio )
queue qclient2 bandwidth 10Kb hfsc ( rio )
...

pass in quick log on $int_if proto tcp from $clientIP1 to any \
    flags "S/SA" keep state queue qclient1
pass in quick log on $int_if proto tcp from $clientIP2 to any \
    flags "S/SA" keep state queue qclient2

Note: You also have to define one default queue "hfsc ( default )".
Note2: You'll also want to pass other traffic (udp, icmp etc.).

Happy maintenance! ;)

HTH

Volker

PS: I suggest using a bandwidth for your root queue a bit lower than what you think your connections' upstream really is. For a 1 Mb upstream, a value of 940 Kb should be appropriate.
From owner-freebsd-pf@FreeBSD.ORG Fri May 18 11:42:29 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 66BB016A402 for ; Fri, 18 May 2007 11:42:29 +0000 (UTC) (envelope-from bounces@nabble.com) Received: from kuber.nabble.com (kuber.nabble.com [216.139.236.158]) by mx1.freebsd.org (Postfix) with ESMTP id 3F66C13C44B for ; Fri, 18 May 2007 11:42:29 +0000 (UTC) (envelope-from bounces@nabble.com) Received: from isper.nabble.com ([192.168.236.156]) by kuber.nabble.com with esmtp (Exim 4.63) (envelope-from ) id 1Hp0qq-0006pO-7N for freebsd-pf@freebsd.org; Fri, 18 May 2007 04:42:28 -0700 Message-ID: <10680560.post@talk.nabble.com> Date: Fri, 18 May 2007 04:42:28 -0700 (PDT) From: Umar To: freebsd-pf@freebsd.org In-Reply-To: <464D8AE8.30103@vwsoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Nabble-From: unix.co@gmail.com References: <10678120.post@talk.nabble.com> <464D70D0.3000608@vwsoft.com> <10679395.post@talk.nabble.com> <464D8AE8.30103@vwsoft.com> Subject: Re: bandwidth controlling with ALTQ X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 May 2007 11:42:29 -0000

Dear Volker

Thanks again for your reply!

this is my pf.conf file

int_if = "xl0"
ext_if = "fxp0" (DSL)

ltq on $ext_if hfsc bandwidth 1Mb queue { qclient1 }
queue qclient1 bandwdith 10Kb hfsc ( rio )
pass in quick log on $int_if proto tcp from 192.168.1.247 to any flags "S/SA" keep state queue qclient1

when i reload pf i got the error

Reloading pf rules.
/etc/pf.conf:34: syntax error
/etc/pf.conf:51: bad flags S/SA

on line:34 = queue qclient1 bandwdith 10Kb hfsc ( rio )

regards,

Umar Draz

Volker wrote:
>
> On 05/18/07 12:05, Umar wrote:
>> Dear Volker
>>
>> Thanks for your reply!
>>
>> I have 1mb up and 1mb down DSL and i have total 20 client at this time.
>>
>>>> if you want to limit per IP address, you need to create one queue for
>>>> every IP address in your internal network.
>>
>> Please tell me how i create the queue i will manage 20 queues by hand.
>> But
>> i don't know the exact syntax in PF-ALTQ
>
> Umar,
>
> well, here your nightmare comes true! It's not just creating the
> queues, but have a different pass rule for every queue you're using.
> Let's go (assuming hfsc scheduler, cbq, priq will also do it for you):
>
> $clientIP1="192.168.0.2"
> $clientIP2="192.168.0.3"
>
> altq on $ext_if hfsc bandwidth 1Mb queue { qclient1, qclient2,
> qclient3, ... }
> queue qclient1 bandwdith 10Kb hfsc ( rio )
> queue qclient2 bandwidth 10Kb hfsc ( rio )
> ...
>
> pass in quick log on $int_if proto tcp from $clientIP1 to any \
>     flags "S/SA" keep state queue qclient1
> pass in quick log on $int_if proto tcp from $clientIP2 to any \
>     flags "S/SA" keep state queue qclient2
>
> Note: You also have to define one default queue "hfsc ( default )".
> Note2: You'll also want to pass other traffic (udp, icmp etc.).
>
> Happy maintenance! ;)
>
> HTH
>
> Volker
>
> PS: I suggest using a bandwidth for your root queue a bit lower than
> what you think your connections' upstream really is. For a 1 Mb
> upstream, a value of 940 Kb should be appropriate.
> _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > > -- View this message in context: http://www.nabble.com/bandwidth-controlling-with-ALTQ-tf3776301.html#a10680560 Sent from the freebsd-pf mailing list archive at Nabble.com. From owner-freebsd-pf@FreeBSD.ORG Fri May 18 11:52:31 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 0D16416A405 for ; Fri, 18 May 2007 11:52:31 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from frontmail.ipactive.de (frontmail.maindns.de [85.214.95.103]) by mx1.freebsd.org (Postfix) with ESMTP id C2B3F13C44C for ; Fri, 18 May 2007 11:52:29 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from mail.vtec.ipme.de (Q7d12.q.ppp-pool.de [89.53.125.18]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by frontmail.ipactive.de (Postfix) with ESMTP id C1521128829 for ; Fri, 18 May 2007 13:52:23 +0200 (CEST) Received: from cesar.sz.vwsoft.com (cesar.sz.vwsoft.com [192.168.16.3]) by mail.vtec.ipme.de (Postfix) with ESMTP id 898423FA01; Fri, 18 May 2007 13:51:49 +0200 (CEST) Message-ID: <464D9357.6090505@vwsoft.com> Date: Fri, 18 May 2007 13:51:51 +0200 From: Volker User-Agent: Thunderbird 2.0.0.0 (X11/20070420) MIME-Version: 1.0 To: Umar References: <10678120.post@talk.nabble.com> <464D70D0.3000608@vwsoft.com> <10679395.post@talk.nabble.com> <464D8AE8.30103@vwsoft.com> <10680560.post@talk.nabble.com> In-Reply-To: <10680560.post@talk.nabble.com> X-Enigmail-Version: 0.95.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-VWSoft-MailScanner: Found to be clean X-MailScanner-From: volker@vwsoft.com X-ipactive-MailScanner-Information: Please contact the 
ISP for more information X-ipactive-MailScanner: Found to be clean X-ipactive-MailScanner-From: volker@vwsoft.com Cc: freebsd-pf@freebsd.org Subject: Re: bandwidth controlling with ALTQ X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 May 2007 11:52:31 -0000

Umar,

On 05/18/07 13:42, Umar wrote:
> Dear Volker
>
> Thanks again for your reply!

You're welcome!

> this is my pf.conf file
>
> int_if = "xl0"
> ext_if = "fxp0" (DSL)
>
> ltq on $ext_if hfsc bandwidth 1Mb queue { qclient1 }
> queue qclient1 bandwdith 10Kb hfsc ( rio )
                 ^^^^^^^^^
Typo: "bandwidth"

> pass in quick log on $int_if proto tcp from 192.168.1.247 to any flags
> "S/SA" keep state queue qclient1

To me, this seems to be correct. Do you have a hard line break there?

> when i reload pf i got the error
>
> Reloading pf rules.
> /etc/pf.conf:34: syntax error
> /etc/pf.conf:51: bad flags S/SA
>
> on line:34 = queue qclient1 bandwdith 10Kb hfsc ( rio )

From owner-freebsd-pf@FreeBSD.ORG Fri May 18 12:02:44 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id D255016A405 for ; Fri, 18 May 2007 12:02:44 +0000 (UTC) (envelope-from bounces@nabble.com) Received: from kuber.nabble.com (kuber.nabble.com [216.139.236.158]) by mx1.freebsd.org (Postfix) with ESMTP id B6C9113C487 for ; Fri, 18 May 2007 12:02:44 +0000 (UTC) (envelope-from bounces@nabble.com) Received: from isper.nabble.com ([192.168.236.156]) by kuber.nabble.com with esmtp (Exim 4.63) (envelope-from ) id 1Hp1AS-0007S2-3z for freebsd-pf@freebsd.org; Fri, 18 May 2007 05:02:44 -0700 Message-ID: <10680832.post@talk.nabble.com> Date: Fri, 18 May 2007 05:02:44 -0700 (PDT) From: Umar To: freebsd-pf@freebsd.org In-Reply-To: <464D9357.6090505@vwsoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Nabble-From: unix.co@gmail.com References: <10678120.post@talk.nabble.com> <464D70D0.3000608@vwsoft.com> <10679395.post@talk.nabble.com> <464D8AE8.30103@vwsoft.com> <10680560.post@talk.nabble.com> <464D9357.6090505@vwsoft.com> Subject: Re: bandwidth controlling with ALTQ X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 May 2007 12:02:44 -0000

Dear Volker!

Thanks Again.!!!!!!!!!

>> To me, this seems to be correct. Do you have a hard line break there?
I re-typed

queue qclient1 bandwidth 10Kb hfsc (rio)

now it's fine but the S/SA error is still there; here is the latest line which I typed by hand

pass in quick log on $int_if proto tcp from 192.168.1.247 to any flags "S/SA" keep state queue qclient1

/etc/pf.conf:50: bad flags S/SA

Regards,

Umar Draz

Volker wrote:
>
> Umar,
>
> On 05/18/07 13:42, Umar wrote:
>> Dear Volker
>>
>> Thanks again for your reply!
>
> You're welcome!
>
>> this is my pf.conf file
>>
>> int_if = "xl0"
>> ext_if = "fxp0" (DSL)
>>
>> ltq on $ext_if hfsc bandwidth 1Mb queue { qclient1 }
>> queue qclient1 bandwdith 10Kb hfsc ( rio )
>                  ^^^^^^^^^
> Typo: "bandwidth"
>
>> pass in quick log on $int_if proto tcp from 192.168.1.247 to any flags
>> "S/SA" keep state queue qclient1
>
> To me, this seems to be correct. Do you have a hard line break there?
>
>> when i reload pf i got the error
>>
>> Reloading pf rules.
>> /etc/pf.conf:34: syntax error
>> /etc/pf.conf:51: bad flags S/SA
>>
>> on line:34 = queue qclient1 bandwdith 10Kb hfsc ( rio )
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
>

--
View this message in context: http://www.nabble.com/bandwidth-controlling-with-ALTQ-tf3776301.html#a10680832
Sent from the freebsd-pf mailing list archive at Nabble.com.
From owner-freebsd-pf@FreeBSD.ORG Fri May 18 12:27:06 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id F3A2D16A403 for ; Fri, 18 May 2007 12:27:05 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from frontmail.ipactive.de (frontmail.maindns.de [85.214.95.103]) by mx1.freebsd.org (Postfix) with ESMTP id B4DBB13C465 for ; Fri, 18 May 2007 12:27:05 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from mail.vtec.ipme.de (Q7d12.q.ppp-pool.de [89.53.125.18]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by frontmail.ipactive.de (Postfix) with ESMTP id E0112128829 for ; Fri, 18 May 2007 14:26:58 +0200 (CEST) Received: from cesar.sz.vwsoft.com (cesar.sz.vwsoft.com [192.168.16.3]) by mail.vtec.ipme.de (Postfix) with ESMTP id BEE943FA01; Fri, 18 May 2007 14:26:30 +0200 (CEST) Message-ID: <464D9B78.1010700@vwsoft.com> Date: Fri, 18 May 2007 14:26:32 +0200 From: Volker User-Agent: Thunderbird 2.0.0.0 (X11/20070420) MIME-Version: 1.0 To: Umar References: <10678120.post@talk.nabble.com> <464D70D0.3000608@vwsoft.com> <10679395.post@talk.nabble.com> <464D8AE8.30103@vwsoft.com> <10680560.post@talk.nabble.com> <464D9357.6090505@vwsoft.com> <10680832.post@talk.nabble.com> In-Reply-To: <10680832.post@talk.nabble.com> X-Enigmail-Version: 0.95.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-VWSoft-MailScanner: Found to be clean X-MailScanner-From: volker@vwsoft.com X-ipactive-MailScanner-Information: Please contact the ISP for more information X-ipactive-MailScanner: Found to be clean X-ipactive-MailScanner-From: volker@vwsoft.com Cc: freebsd-pf@freebsd.org Subject: Re: bandwidth controlling with ALTQ X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet 
filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 May 2007 12:27:06 -0000

Umar,

On 05/18/07 14:02, Umar wrote:
> Dear Volker!
>
> Thanks Again.!!!!!!!!!
>
>>> To me, this seems to be correct. Do you have a hard line break there?
>
> I re-typed
>
> queue qclient1 bandwidth 10Kb hfsc (rio)
>
> now its fine but S/SA error is still there here is the latest line which I
> typed by hand
>
> pass in quick log on $int_if proto tcp from 192.168.1.247 to any flags
> "S/SA" keep state queue qclient1
>
> /etc/pf.conf:50: bad flags S/SA

Sorry, my mistake! Please leave away the quotes around S/SA and everything is fine.

Checked with:

%echo 'pass in on rl0 proto tcp from any to any flags S/SA keep state' | pfctl -gvvnf -
@0 pass in on rl0 proto tcp all flags S/SA keep state

HTH

Volker

From owner-freebsd-pf@FreeBSD.ORG Fri May 18 12:35:15 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 81FB716A404 for ; Fri, 18 May 2007 12:35:15 +0000 (UTC) (envelope-from bounces@nabble.com) Received: from kuber.nabble.com (kuber.nabble.com [216.139.236.158]) by mx1.freebsd.org (Postfix) with ESMTP id 6604B13C468 for ; Fri, 18 May 2007 12:35:15 +0000 (UTC) (envelope-from bounces@nabble.com) Received: from isper.nabble.com ([192.168.236.156]) by kuber.nabble.com with esmtp (Exim 4.63) (envelope-from ) id 1Hp1fu-0008A4-H1 for freebsd-pf@freebsd.org; Fri, 18 May 2007 05:35:14 -0700 Message-ID: <10681289.post@talk.nabble.com> Date: Fri, 18 May 2007 05:35:14 -0700 (PDT) From: Umar To: freebsd-pf@freebsd.org In-Reply-To: <464D9B78.1010700@vwsoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Nabble-From: unix.co@gmail.com References: <10678120.post@talk.nabble.com> <464D70D0.3000608@vwsoft.com> <10679395.post@talk.nabble.com>
Subject: Re: bandwidth controlling with ALTQ

Dear Volker!

Sorry for disturbing you again!!

pfctl: should have one default queue on fxp0
pfctl: errors in altq config

Please help me to create a default queue. What will be the syntax? Thanks

Regards,
Umar Draz

Volker wrote:
>
> Umar,
>
> On 05/18/07 14:02, Umar wrote:
>> Dear Volker!
>>
>> Thanks Again.!!!!!!!!!
>>
>>>> To me, this seems to be correct. Do you have a hard line break there?
>>
>> I re-typed
>>
>> queue qclient1 bandwidth 10Kb hfsc (rio)
>>
>> now it's fine but the S/SA error is still there. Here is the latest line
>> which I
>> typed by hand:
>>
>> pass in quick log on $int_if proto tcp from 192.168.1.247 to any flags
>> "S/SA" keep state queue qclient1
>>
>> /etc/pf.conf:50: bad flags S/SA
>
> Sorry, my mistake! Please leave away the quotes around S/SA and
> everything is fine.
>
> Checked with:
>
> %echo 'pass in on rl0 proto tcp from any to any flags S/SA keep state'
> | pfctl -gvvnf -
> @0 pass in on rl0 proto tcp all flags S/SA keep state
>
> HTH
>
> Volker
From owner-freebsd-pf@FreeBSD.ORG Fri May 18 13:02:15 2007
Message-ID: <464DA3B5.9050606@vwsoft.com>
Date: Fri, 18 May 2007 15:01:41 +0200
From: Volker
To: Umar
Cc: freebsd-pf@freebsd.org
In-Reply-To: <10681289.post@talk.nabble.com>
Subject: Re: bandwidth controlling with ALTQ
Umar,

On 05/18/07 14:35, Umar wrote:
> Dear Volker!
>
> Sorry for disturbing you again!!
>
> pfctl: should have one default queue on fxp0
> pfctl: errors in altq config
>
> Please help me to create a default queue. What will be the syntax? Thanks

That's why I was writing 'Note: You also have to define one default queue "hfsc ( default )".'

queue qdefault bandwidth (any Kb not used by any other queue) [Kb|%] hfsc ( default rio )

Say, your b/w is 1 Mb (upstream), you've assigned 10 Kb queues to 20 clients (=200 Kb), you may specify the default queue as:

altq... { qclient1, qclient2, ..., qdefault }
queue qdefault bandwidth 740 Kb hfsc ( default rio )

You may also want to use the keyword "borrow" (for every queue). If it's low traffic on your upstream, queues allowed to borrow will get more b/w when needed.

You may also want to take a look at pf.conf(5). There's a good example on queuing.
HTH

Volker

From owner-freebsd-pf@FreeBSD.ORG Fri May 18 13:56:05 2007
Message-ID: <499c70c0705180656l4f601c1av45b6f9989792ccf1@mail.gmail.com>
Date: Fri, 18 May 2007 16:56:05 +0300
From: "Abdullah Ibn Hamad Al-Marri"
To: Volker
In-Reply-To: <464D6880.2080306@vwsoft.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Best way to decrease DDoS with pf.

On 5/18/07, Volker wrote:
> > This isn't a bandwidth issue, but filling the network buffer more than
> > anything else, so there are no more free sockets, and I can't connect
> > to the server via ssh; it's not syn as well.
> >
> > But mass connect to IRC server with small bw, and the server isn't
> > lagged at all.
> >
> > Rate: 245,919 Packets Per Second
> >
> > What is the best way to deal with such DDoS?
>
> Abdullah,
>
> I'm not quite sure if I get you right.
>
> if tcp traffic arrives without a SYN set, you can easily block that by
> using 'pass ... flags S/SA' so the traffic never reaches your daemon.
>
> Also for tcp traffic you may want to try 'synproxy state'.
>
> The last thing you can do is to use altq, feed the traffic into a low
> bandwidth queue and still be able to serve other traffic. As you can't
> control the downstream usage that way, you're at least able to limit
> the response and slow down traffic that way a bit. I'm doing this for
> SMTP traffic and it works great (I'm slowing down all SMTP traffic
> from windows boxes to my home server to a maximum of 6 kBit/s - non
> windows boxes are getting 40 kBit/s for SMTP connections, a bit too
> rude, I know but it works).
>
> Keep in mind, if you're under a DDoS attack, your bandwidth may still
> be eaten up, but the effects on your machine will be limited when
> using S/SA + synproxy state + bandwidth limiting.
>
> If I get you wrong, please explain your problem in a bit more detail.
>
> HTH
>
> Volker
>

Thank you for the tip.

Here is what I'm using, which fixed the issue.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA keep state \
    (max-src-conn 30, max-src-conn-rate 30/3, \
    overload flush global)
pass out proto tcp to any keep state

Comments?

--
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/

From owner-freebsd-pf@FreeBSD.ORG Fri May 18 15:41:45 2007
Date: Fri, 18 May 2007 08:41:43 -0700
From: "Kurt Buff"
To: "Andrew Thompson"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <20070518010420.GD64031@heff.fud.org.nz>
Subject: Re: pf, bridging, transparent proxy, dual gateways?

On 5/17/07, Andrew Thompson wrote:
> On Thu, May 17, 2007 at 05:25:35PM -0700, Kurt Buff wrote:
> > All,
> >
> > Wondering if the following scenario is at all rational/feasible:
> >
> > [fw-a]-------
> >        |
> >        |
> > [switch]---[freebsd]---[router]---[many subnets]
> >        |
> >        |
> > [fw-b]-------
> >
> > Fw-a fronts our current T1, and that ties our other two offices
> > together with IPSec, and is our main inbound mail feed.
> >
> > Fw-b is soon to be installed, and will front a new T1.
> >
> > The lines are not bonded - they come from different vendors.
> >
> > I'd like to forward all individual user traffic (HTTP/FTP/other) out
> > of the second T1, perhaps with the use of Squid/Frox, leaving our
> > intra-corporate traffic to go in/out the current T1, and also email.
>
> The easiest way is to use the route-to option in pf. When you pass the
> traffic from the internal network you mark which link it should go out.
>
> pass in quick on $int_if route-to ($fw-a_if $fw-a_ip) ... (some criteria)
> pass in quick on $int_if route-to ($fw-b_if $fw-b_ip) ... (other criteria)
>
> If you are also accepting connections in from the internet then you may
> want to look at the reply-to option.
>
>
> regards,
> Andrew

If by 'accepting connections' you mean serving data to the Internet (web pages, ftp server, etc.) then no - we don't host anything but our own email, which at the moment is coming in over the original line.

That does bring up an interesting point, though. If we wanted to use the new line for backup MX, would reply-to work for that?

Thanks,

Kurt

From owner-freebsd-pf@FreeBSD.ORG Fri May 18 16:05:43 2007
Date: Fri, 18 May 2007 09:05:41 -0700
From: "Kian Mohageri"
To: "Abdullah Ibn Hamad Al-Marri"
Cc: Volker, freebsd-pf@freebsd.org
In-Reply-To: <499c70c0705180656l4f601c1av45b6f9989792ccf1@mail.gmail.com>
Subject: Re: Best way to decrease DDoS with pf.

On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> Thank you for the tip.
>
> Here is what I'm using, which fixed the issue.
>
> pass in on $ext_if proto tcp from any to $ext_if port $tcp_services
> flags S/SA synproxy state
> pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
> flags S/SA keep state \
> (max-src-conn 30, max-src-conn-rate 30/3, \
> overload flush global)
> pass out proto tcp to any keep state
>
> Comments?

The first rule won't match anything (same criteria as the second rule, and last match wins with pf). On the third rule, use 'flags S/SA' unless you have a good reason not to.
Kian

From owner-freebsd-pf@FreeBSD.ORG Fri May 18 16:54:20 2007
Message-ID: <499c70c0705180954y2dcd150cpbe8978ee3547a35c@mail.gmail.com>
Date: Fri, 18 May 2007 19:54:19 +0300
From: "Abdullah Ibn Hamad Al-Marri"
To: "Kian Mohageri"
Cc: Volker, freebsd-pf@freebsd.org
Subject: Re: Best way to decrease DDoS with pf.

On 5/18/07, Kian Mohageri wrote:
> On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> > Thank you for the tip.
> >
> > Here is what I'm using, which fixed the issue.
> >
> > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services
> > flags S/SA synproxy state
> > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
> > flags S/SA keep state \
> > (max-src-conn 30, max-src-conn-rate 30/3, \
> > overload flush global)
> > pass out proto tcp to any keep state
> >
> > Comments?
>
> The first rule won't match anything (same criteria as the second rule, and
> last match wins with pf). On the third rule, use 'flags S/SA' unless
> you have a good reason not to.
>
> Kian
>

I thought the first rule would defeat syn flood.

Is the second rule going to do the same job as the first rule and prevent syn flood?

As for the third rule syntax, should I make it like this?

"pass out proto tcp to any flags S/SA keep state" and shall I add the same for udp?

"pass out proto udp to any flags S/SA keep state" ?
--
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/

From owner-freebsd-pf@FreeBSD.ORG Fri May 18 17:36:04 2007
Message-ID: <464DE3FD.1090808@mykitchentable.net>
Date: Fri, 18 May 2007 10:35:57 -0700
From: Drew Tomlinson
To: Abdullah Ibn Hamad Al-Marri
Cc: Volker, freebsd-pf@freebsd.org
In-Reply-To: <499c70c0705180954y2dcd150cpbe8978ee3547a35c@mail.gmail.com>
Subject: Re: Best way to decrease DDoS with pf.

On 5/18/2007 9:54 AM Abdullah Ibn Hamad Al-Marri said the following:
> On 5/18/07, Kian Mohageri wrote:
>
>> On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
>> > Thank you for the tip.
>> >
>> > Here is what I'm using, which fixed the issue.
>> >
>> > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services
>> > flags S/SA synproxy state
>> > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
>> > flags S/SA keep state \
>> > (max-src-conn 30, max-src-conn-rate 30/3, \
>> > overload flush global)
>> > pass out proto tcp to any keep state
>> >
>> > Comments?
>>
>> The first rule won't match anything (same criteria as the second rule, and
>> last match wins with pf). On the third rule, use 'flags S/SA' unless
>> you have a good reason not to.
>>
>> Kian
>>
>
> I thought the first rule would defeat syn flood.
>
> Is the second rule going to do the same job as the first rule and
> prevent syn flood?
>
> As for the third rule syntax, should I make it like this?
>
> "pass out proto tcp to any flags S/SA keep state" and shall I add the
> same for udp?
>
> "pass out proto udp to any flags S/SA keep state" ?

AFAIK, no reason to set flags on udp traffic. Only tcp traffic has flags.

Cheers,

Drew

--
Be a Great Magician!
Visit The Alchemist's Warehouse
http://www.alchemistswarehouse.com

From owner-freebsd-pf@FreeBSD.ORG Fri May 18 17:42:22 2007
Message-ID: <499c70c0705181042p71287bebm42115abbe313b2b@mail.gmail.com>
Date: Fri, 18 May 2007 20:42:20 +0300
From: "Abdullah Ibn Hamad Al-Marri"
To: "Drew Tomlinson"
In-Reply-To: <464DE3FD.1090808@mykitchentable.net>
Cc: Volker, freebsd-pf@freebsd.org
Subject: Re: Best way to decrease DDoS with pf.

On 5/18/07, Drew Tomlinson wrote:
> On 5/18/2007 9:54 AM Abdullah Ibn Hamad Al-Marri said the following:
>
> > On 5/18/07, Kian Mohageri wrote:
> >
> >> On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> >> > Thank you for the tip.
> >> >
> >> > Here is what I'm using, which fixed the issue.
> >> >
> >> > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services
> >> > flags S/SA synproxy state
> >> > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
> >> > flags S/SA keep state \
> >> > (max-src-conn 30, max-src-conn-rate 30/3, \
> >> > overload flush global)
> >> > pass out proto tcp to any keep state
> >> >
> >> > Comments?
> >>
> >> The first rule won't match anything (same criteria as the second rule, and
> >> last match wins with pf). On the third rule, use 'flags S/SA' unless
> >> you have a good reason not to.
> >>
> >> Kian
> >>
> >
> > I thought the first rule would defeat syn flood.
> >
> > Is the second rule going to do the same job as the first rule and
> > prevent syn flood?
> >
> > As for the third rule syntax, should I make it like this?
> >
> > "pass out proto tcp to any flags S/SA keep state" and shall I add the
> > same for udp?
> >
> > "pass out proto udp to any flags S/SA keep state" ?
>
>
> AFAIK, no reason to set flags on udp traffic. Only tcp traffic has flags.
>
> Cheers,
>
> Drew

Ok, how about it now?

ext_if="fxp0"
int_if="lo0"

tcp_services = "{ domain, www, 123, 5999, 7325, 7771, 59999 }"
udp_services = "{ domain, 123, 514 }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
    10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
    240.0.0.0/4 }"
icmp_types = "8"

table persist

set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set skip on $int_if
set optimization normal
set block-policy drop
set require-order yes
set debug loud
#set fingerprints "/etc/pf.os"

scrub in all
#scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400
#scrub in on $ext_if all no-df
#scrub on $ext_if all reassemble tcp

antispoof for $ext_if inet
antispoof for $int_if

block in log on $ext_if all
block in quick on $ext_if from any to 255.255.255.255
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
block quick log from

# Pass ICMP Type 8 (echo request) only with state
pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state

pass proto udp to any port $udp_services keep state

# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass out on $ext_if inet proto udp from any to any \
    port 33433 >< 33626 keep state

pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA keep state \
    (max-src-conn 30, max-src-conn-rate 30/3, \
    overload flush global)
pass out proto tcp to any flags S/SA keep state
pass out proto udp to any keep state
# End

Is it okay now, or shall I do more tweaks?

--
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/

From owner-freebsd-pf@FreeBSD.ORG Fri May 18 19:02:27 2007
Date: Fri, 18 May 2007 12:02:25 -0700
From: "Kian Mohageri"
To: "Abdullah Ibn Hamad Al-Marri"
Cc: Volker, freebsd-pf@freebsd.org
In-Reply-To: <499c70c0705180954y2dcd150cpbe8978ee3547a35c@mail.gmail.com>
Subject: Re: Best way to decrease DDoS with pf.

On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> On 5/18/07, Kian Mohageri wrote:
> > On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> > > Thank you for the tip.
> > >
> > > Here is what I'm using, which fixed the issue.
> > >
> > > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services
> > > flags S/SA synproxy state
> > > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
> > > flags S/SA keep state \
> > > (max-src-conn 30, max-src-conn-rate 30/3, \
> > > overload flush global)
> > > pass out proto tcp to any keep state
> > >
> > > Comments?
> >
> > The first rule won't match anything (same criteria as the second rule, and
> > last match wins with pf). On the third rule, use 'flags S/SA' unless
> > you have a good reason not to.
> >
> > Kian
> >
>
> I thought the first rule would defeat syn flood.
>
> Is the second rule going to do the same job as the first rule and
> prevent syn flood?

The rules are different obviously, but the criteria matches the same traffic. Because PF will apply the last matching rule by default (unless 'quick' is used), your first rule will never be applied. You could use synproxy state on the second rule, and remove the first entirely.

> As for the third rule syntax, should I make it like this?
>
> "pass out proto tcp to any flags S/SA keep state" and shall I add the
> same for udp?
>
> "pass out proto udp to any flags S/SA keep state" ?

If you only want to pass UDP and TCP, then you can do something like this:

pass out proto tcp to any flags S/SA keep state
pass out proto udp to any keep state

Kian

From owner-freebsd-pf@FreeBSD.ORG Fri May 18 19:34:23 2007
Message-ID: <001e01c79983$7c572580$0200a8c0@satellite>
Date: Fri, 18 May 2007 15:34:00 -0400
From: "Dave"
To: "Greg Hennessy"
References: <000301c798e6$d51bfdf0$0200a8c0@satellite> <000d01c7991a$cff492e0$6fddb8a0$%Hennessy@nviz.net>
Subject: Re: ftp, pf, passive ftp and fetch

Hi Greg,
Thanks for your informative reply. You've convinced me; I'm going passive. That sentence, "it's less of a PITA", I think did it. Right now ftp is proving to be just that: it's flaky. Some machines are fine with it; one windows box, xpsp2 and ie6, works fine, another with the same config can't resolve the ftp sites. And I guess I just won't use the ftp command-line option; I don't like it anyway, I'm spoiled on ncftp. I've got pftpx going on the router, and have pf set up with the appropriate anchors, but clients are, as I said, flaky: one works fine, some work intermittently and some don't work at all. It is perplexing.

Thanks.
Dave.

----- Original Message -----
From: "Greg Hennessy"
To: "'Dave'"
Sent: Friday, May 18, 2007 3:04 AM
Subject: RE: ftp, pf, passive ftp and fetch

>> Hi,
>> I'm trying to get ftp working from behind a pf firewall. I'm using
>> pftpx on FreeBSD 6.2 for this. I believe I have passive working, one of
>> my
>> windows boxes goes passive and dies on active.
>
> Command line FTP client in windows is active only.
>
>> I've got three questions. First,
>> portupgrade uses fetch for retrieval correct, if so I want it to use
>> the -p (passive option) by default whenever it tries an ftp url.
>
> gw2:~ # set | grep -i ftp
> FTP_PASSIVE_MODE=1
>
>> Second, ncftp I'd like to specify that it should use passive mode
> connections
>> by default as well.
>
> gw2:~ # grep -i passive .ncftp/prefs_v3
> passive=on
>
>
>> Last, is active or passive ftp better in terms of security
>> strictly from a firewall perspective, I know the protocol isn't secure?
>
> Passive is less of a PITA, (that's not saying much).
> One doesn't have to handle ingress traffic initiated from the server.
>
> However one either has to leave high ports open or use a L7 proxy to
> dynamically open
> the firewall for each request, hence pftpx.
>
>> If active ftp is better than passive does anyone have a ruleset with it?
>> I'm using a block by default ruleset.
>
> I haven't used active FTP for years TBH.
I have had serious arguments with > vendors and suppliers who tried to insist on its use through environments > I > have had responsibility for. > > > > Greg > > > > >> Thanks. >> Dave. >> >> _______________________________________________ >> freebsd-pf@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-pf >> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > From owner-freebsd-pf@FreeBSD.ORG Fri May 18 20:17:13 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 2230116A401 for ; Fri, 18 May 2007 20:17:13 +0000 (UTC) (envelope-from bounces@nabble.com) Received: from kuber.nabble.com (kuber.nabble.com [216.139.236.158]) by mx1.freebsd.org (Postfix) with ESMTP id 055C313C447 for ; Fri, 18 May 2007 20:17:12 +0000 (UTC) (envelope-from bounces@nabble.com) Received: from isper.nabble.com ([192.168.236.156]) by kuber.nabble.com with esmtp (Exim 4.63) (envelope-from ) id 1Hp8sy-0004lg-6A for freebsd-pf@freebsd.org; Fri, 18 May 2007 13:17:12 -0700 Message-ID: <10689606.post@talk.nabble.com> Date: Fri, 18 May 2007 13:17:12 -0700 (PDT) From: Umar To: freebsd-pf@freebsd.org In-Reply-To: <464DA3B5.9050606@vwsoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Nabble-From: unix.co@gmail.com References: <10678120.post@talk.nabble.com> <464D70D0.3000608@vwsoft.com> <10679395.post@talk.nabble.com> <464D8AE8.30103@vwsoft.com> <10680560.post@talk.nabble.com> <464D9357.6090505@vwsoft.com> <10680832.post@talk.nabble.com> <464D9B78.1010700@vwsoft.com> <10681289.post@talk.nabble.com> <464DA3B5.9050606@vwsoft.com> Subject: Re: bandwidth controlling with ALTQ X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , 
List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 May 2007 20:17:13 -0000 Dear Volker! Thanks its working fine. (pass in quick log on $int_if proto tcp from 192.168.3.30 to any flags S/SA keep state queue client1) what will be the syntax if 192.168.3.30 comes through ppp means I have configured PPPoE server so i dont know the interface of 192.168.3.30 because the tun interface randomly changed e.g (tun1, tun2, tun3, tun4) etc. Regards, Umar Draz Volker wrote: > > Umar, > > On 05/18/07 14:35, Umar wrote: >> Dear Volker! >> >> Sorry for disturbing you again!! >> >> pfctl: should have one default queue on fxp0 >> pfctl: errors in altq config >> >> please help me to create default queue what will be the syntax thanks > > that's why I was writing 'Note: You also have to define one default > queue "hfsc ( default )".' > > queue qdefault bandwidth (any Kb not used by any other queue) [Kb|%] > hfsc ( default rio ) > > Say, your b/w is 1 Mb (upstream), you've assigned 10 Kb queues to 20 > clients (=200 Kb), you may specify the default queue as: > > altq... { qclient1, qclient2, ..., qdefault } > queue qdefault bandwidth 740 Kb hfsc ( default rio ) > > You may also want to use the keyword "borrow" (for every queue). If > it's low traffic on your upstream, queues allowed to borrow will get > more b/w when needed. > > You may also want to take a look at pf.conf(5). There's a good example > on queuing. > > HTH > > Volker > > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > > -- View this message in context: http://www.nabble.com/bandwidth-controlling-with-ALTQ-tf3776301.html#a10689606 Sent from the freebsd-pf mailing list archive at Nabble.com. 
From owner-freebsd-pf@FreeBSD.ORG Fri May 18 20:53:49 2007
From: "Abdullah Ibn Hamad Al-Marri"
To: "Kian Mohageri"
Cc: Volker, freebsd-pf@freebsd.org
Date: Fri, 18 May 2007 23:53:48 +0300
Message-ID: <499c70c0705181353y63c31c0dv55c5bdbbf259291c@mail.gmail.com>
Subject: Re: Best way to decrease DDoS with pf.

On 5/18/07, Kian Mohageri wrote:
> On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> > On 5/18/07, Kian Mohageri wrote:
> > > On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> > > > Thank you for the tip.
> > > >
> > > > Here's what I'm using, which fixed the issue.
> > > >
> > > > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services
> > > >     flags S/SA synproxy state
> > > > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
> > > >     flags S/SA keep state \
> > > >     (max-src-conn 30, max-src-conn-rate 30/3, \
> > > >     overload flush global)
> > > > pass out proto tcp to any keep state
> > > >
> > > > Comments?
> > >
> > > The first rule won't match anything (same criteria as second rule, and
> > > last match wins with pf). On the third rule, use 'flags S/SA' unless
> > > you have a good reason not to.
> > >
> > > Kian
> >
> > I thought the first rule would defeat a SYN flood.
> >
> > Is the second rule going to do the same job as the first rule and
> > prevent SYN floods?
>
> The rules are different obviously, but the criteria match the same
> traffic. Because PF will apply the last matching rule by default
> (unless 'quick' is used), your first rule will never be applied. You
> could use synproxy state on the second rule, and remove the first
> entirely.
>
> > As for the third rule syntax, should I make it like this?
> >
> > "pass out proto tcp to any flags S/SA keep state" and shall I add the
> > same for udp?
> >
> > "pass out proto udp to any flags S/SA keep state" ?
>
> If you only want to pass UDP and TCP, then you can do something like this:
>
> pass out proto tcp to any flags S/SA keep state
> pass out proto udp to any keep state
>
> Kian

Alright, can you give me synproxy in the first line entry? I tried to
add it, and I get an error.

-- 
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/

From owner-freebsd-pf@FreeBSD.ORG Fri May 18 21:17:14 2007
From: "Kian Mohageri"
To: "Abdullah Ibn Hamad Al-Marri"
Cc: freebsd-pf@freebsd.org
Date: Fri, 18 May 2007 14:17:12 -0700
In-Reply-To: <499c70c0705181353y63c31c0dv55c5bdbbf259291c@mail.gmail.com>
Subject: Re: Best way to decrease DDoS with pf.

On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> On 5/18/07, Kian Mohageri wrote:
> > On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> > > On 5/18/07, Kian Mohageri wrote:
> > > > On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> > > > > Thank you for the tip.
> > > > >
> > > > > Here's what I'm using, which fixed the issue.
> > > > >
> > > > > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services
> > > > >     flags S/SA synproxy state
> > > > > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
> > > > >     flags S/SA keep state \
> > > > >     (max-src-conn 30, max-src-conn-rate 30/3, \
> > > > >     overload flush global)
> > > > > pass out proto tcp to any keep state
> > > > >
> > > > > Comments?
> > > >
> > > > The first rule won't match anything (same criteria as second rule, and
> > > > last match wins with pf). On the third rule, use 'flags S/SA' unless
> > > > you have a good reason not to.
> > > >
> > > > Kian
> > >
> > > I thought the first rule would defeat a SYN flood.
> > >
> > > Is the second rule going to do the same job as the first rule and
> > > prevent SYN floods?
> >
> > The rules are different obviously, but the criteria match the same
> > traffic. Because PF will apply the last matching rule by default
> > (unless 'quick' is used), your first rule will never be applied. You
> > could use synproxy state on the second rule, and remove the first
> > entirely.
> >
> > > As for the third rule syntax, should I make it like this?
> > >
> > > "pass out proto tcp to any flags S/SA keep state" and shall I add the
> > > same for udp?
> > >
> > > "pass out proto udp to any flags S/SA keep state" ?
> >
> > If you only want to pass UDP and TCP, then you can do something like this:
> >
> > pass out proto tcp to any flags S/SA keep state
> > pass out proto udp to any keep state
> >
> > Kian
>
> Alright, can you give me synproxy in the first line entry? I tried to
> add it, and I get an error.

No? I'm confused about what you're asking for. Paste what you tried first.
From owner-freebsd-pf@FreeBSD.ORG Fri May 18 21:37:12 2007
From: "Abdullah Ibn Hamad Al-Marri"
To: "Kian Mohageri"
Cc: freebsd-pf@freebsd.org
Date: Sat, 19 May 2007 00:37:11 +0300
Message-ID: <499c70c0705181437t719f373o2c933bba6349cc53@mail.gmail.com>
Subject: Re: Best way to decrease DDoS with pf.

On 5/19/07, Kian Mohageri wrote:
> On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> > On 5/18/07, Kian Mohageri wrote:
> > > On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> > > > On 5/18/07, Kian Mohageri wrote:
> > > > > On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> > > > > > Thank you for the tip.
> > > > > >
> > > > > > Here's what I'm using, which fixed the issue.
> > > > > >
> > > > > > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services
> > > > > >     flags S/SA synproxy state
> > > > > > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
> > > > > >     flags S/SA keep state \
> > > > > >     (max-src-conn 30, max-src-conn-rate 30/3, \
> > > > > >     overload flush global)
> > > > > > pass out proto tcp to any keep state
> > > > > >
> > > > > > Comments?
> > > > >
> > > > > The first rule won't match anything (same criteria as second rule, and
> > > > > last match wins with pf). On the third rule, use 'flags S/SA' unless
> > > > > you have a good reason not to.
> > > > >
> > > > > Kian
> > > >
> > > > I thought the first rule would defeat a SYN flood.
> > > >
> > > > Is the second rule going to do the same job as the first rule and
> > > > prevent SYN floods?
> > >
> > > The rules are different obviously, but the criteria match the same
> > > traffic. Because PF will apply the last matching rule by default
> > > (unless 'quick' is used), your first rule will never be applied. You
> > > could use synproxy state on the second rule, and remove the first
> > > entirely.
> > >
> > > > As for the third rule syntax, should I make it like this?
> > > >
> > > > "pass out proto tcp to any flags S/SA keep state" and shall I add the
> > > > same for udp?
> > > >
> > > > "pass out proto udp to any flags S/SA keep state" ?
> > >
> > > If you only want to pass UDP and TCP, then you can do something like this:
> > >
> > > pass out proto tcp to any flags S/SA keep state
> > > pass out proto udp to any keep state
> > >
> > > Kian
> >
> > Alright, can you give me synproxy in the first line entry? I tried to
> > add it, and I get an error.
>
> No? I'm confused about what you're asking for. Paste what you tried first.

pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA synproxy state \
    (max-src-conn 30, max-src-conn-rate 30/3, \
    overload flush global)

I added synproxy after S/SA to the rule, but the rules didn't load and
it says it's wrong.

-- 
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/

From owner-freebsd-pf@FreeBSD.ORG Sat May 19 08:12:21 2007
From: "Kian Mohageri"
To: "Abdullah Ibn Hamad Al-Marri"
Cc: freebsd-pf@freebsd.org
Date: Sat, 19 May 2007 01:12:18 -0700
In-Reply-To: <499c70c0705181437t719f373o2c933bba6349cc53@mail.gmail.com>
Subject: Re: Best way to decrease DDoS with pf.

On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> On 5/19/07, Kian Mohageri wrote:
> > On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> > > On 5/18/07, Kian Mohageri wrote:
> > > > On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> > > > > On 5/18/07, Kian Mohageri wrote:
> > > > > > On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> > > > > > > Thank you for the tip.
> > > > > > >
> > > > > > > Here's what I'm using, which fixed the issue.
> > > > > > >
> > > > > > > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services
> > > > > > >     flags S/SA synproxy state
> > > > > > > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
> > > > > > >     flags S/SA keep state \
> > > > > > >     (max-src-conn 30, max-src-conn-rate 30/3, \
> > > > > > >     overload flush global)
> > > > > > > pass out proto tcp to any keep state
> > > > > > >
> > > > > > > Comments?
> > > > > >
> > > > > > The first rule won't match anything (same criteria as second rule, and
> > > > > > last match wins with pf). On the third rule, use 'flags S/SA' unless
> > > > > > you have a good reason not to.
> > > > > >
> > > > > > Kian
> > > > >
> > > > > I thought the first rule would defeat a SYN flood.
> > > > >
> > > > > Is the second rule going to do the same job as the first rule and
> > > > > prevent SYN floods?
> > > >
> > > > The rules are different obviously, but the criteria match the same
> > > > traffic. Because PF will apply the last matching rule by default
> > > > (unless 'quick' is used), your first rule will never be applied. You
> > > > could use synproxy state on the second rule, and remove the first
> > > > entirely.
> > > >
> > > > > As for the third rule syntax, should I make it like this?
> > > > >
> > > > > "pass out proto tcp to any flags S/SA keep state" and shall I add the
> > > > > same for udp?
> > > > >
> > > > > "pass out proto udp to any flags S/SA keep state" ?
> > > >
> > > > If you only want to pass UDP and TCP, then you can do something like this:
> > > >
> > > > pass out proto tcp to any flags S/SA keep state
> > > > pass out proto udp to any keep state
> > > >
> > > > Kian
> > >
> > > Alright, can you give me synproxy in the first line entry? I tried to
> > > add it, and I get an error.
> >
> > No? I'm confused about what you're asking for. Paste what you tried first.
>
> pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
>     flags S/SA synproxy state \
>     (max-src-conn 30, max-src-conn-rate 30/3, \
>     overload flush global)
>
> I added synproxy after S/SA to the rule, but the rules didn't load and
> it says it's wrong.

synproxy state implies S/SA I believe. Try without flags.
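Added illustration of the two pf behaviours this thread turns on; this is a toy model written for this digest, not pf code or code from any poster. It evaluates the two `pass in` rules above under pf's last-match-wins order (and with `quick`), and models the `max-src-conn-rate 30/3 ... overload` counter. `em0`, the port set and the two addresses are constructed stand-ins for $ext_if, $tcp_services and client hosts; `flush global` killing existing states is not modelled.

```python
"""Toy model of pf rule evaluation order and the max-src-conn-rate overload counter."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    iface: str
    proto: str       # "tcp" or "udp"
    dst_port: int
    syn_only: bool   # True for a bare SYN, which is what `flags S/SA` matches


@dataclass
class Rule:
    label: str
    direction: str
    iface: str
    proto: str
    dst_ports: Optional[Set[int]]  # None means any port
    state: str                     # "keep state" or "synproxy state" (informational)
    quick: bool = False

    def matches(self, pkt: Packet) -> bool:
        # Both rules in the thread carry `flags S/SA`, so only a bare SYN matches.
        return (self.direction == pkt.direction and self.iface == pkt.iface
                and self.proto == pkt.proto and pkt.syn_only
                and (self.dst_ports is None or pkt.dst_port in self.dst_ports))


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """pf semantics: the LAST matching rule wins, unless a matching rule
    carries `quick`, which ends evaluation at that rule."""
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule
            if rule.quick:
                break
    return winner.label if winner else None


# Constructed stand-ins for $ext_if and $tcp_services (not from the thread).
EXT_IF = "em0"
TCP_SERVICES = {22, 80, 443}
SYN_TO_80 = Packet("in", EXT_IF, "tcp", 80, True)


def ruleset_from_thread() -> List[Rule]:
    """Rule 1 (synproxy) followed by rule 2 (keep state + source limits)."""
    return [Rule("synproxy", "in", EXT_IF, "tcp", TCP_SERVICES, "synproxy state"),
            Rule("ratelimit", "in", EXT_IF, "tcp", TCP_SERVICES, "keep state")]


def winner_original() -> Optional[str]:
    # Same criteria, no `quick`: rule 2 is the last match, rule 1 never applies.
    return evaluate(ruleset_from_thread(), SYN_TO_80)


def winner_with_quick() -> Optional[str]:
    # `quick` on rule 1 makes it win, but then rule 2's limits never apply.
    rules = ruleset_from_thread()
    rules[0].quick = True
    return evaluate(rules, SYN_TO_80)


def winner_merged() -> Optional[str]:
    # Kian's suggestion: one rule carrying synproxy state and the limits.
    merged = [Rule("synproxy+limits", "in", EXT_IF, "tcp", TCP_SERVICES, "synproxy state")]
    return evaluate(merged, SYN_TO_80)


class SrcConnRate:
    """Models `max-src-conn-rate N/S ... overload <table>`: more than N new
    connections from one source within S seconds puts that source in the table."""

    def __init__(self, limit: int, seconds: float) -> None:
        self.limit, self.seconds = limit, seconds
        self.history: Dict[str, Deque[float]] = defaultdict(deque)
        self.overload: Set[str] = set()

    def new_connection(self, src: str, now: float) -> bool:
        """Record a new connection attempt; return True if pf would allow it."""
        if src in self.overload:
            return False
        window = self.history[src]
        window.append(now)
        while window and now - window[0] > self.seconds:
            window.popleft()          # drop attempts older than the S-second window
        if len(window) > self.limit:
            self.overload.add(src)    # 31st SYN inside 3 s trips the 30/3 limit
            return False
        return True


def simulate_flood():
    """31 SYNs in under a second from a flooder vs. 5 spaced-out ones from a client."""
    tracker = SrcConnRate(30, 3.0)
    flood_allowed = sum(tracker.new_connection("198.51.100.7", i * 0.03) for i in range(31))
    normal_allowed = sum(tracker.new_connection("203.0.113.9", i * 1.0) for i in range(5))
    return flood_allowed, normal_allowed, sorted(tracker.overload)
```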
From owner-freebsd-pf@FreeBSD.ORG Sat May 19 09:53:43 2007
From: Volker
To: Umar
Cc: freebsd-pf@freebsd.org
Date: Sat, 19 May 2007 11:53:03 +0200
Message-ID: <464EC8FF.9010207@vwsoft.com>
In-Reply-To: <10689606.post@talk.nabble.com>
Subject: Re: bandwidth controlling with ALTQ

On 05/18/07 22:17, Umar wrote:
> Dear Volker!
>
> Thanks, it's working fine.
>
> (pass in quick log on $int_if proto tcp from 192.168.3.30 to any flags
> S/SA keep state queue client1)
>
> What will be the syntax if 192.168.3.30 comes through ppp? I mean I
> have configured a PPPoE server, so I don't know the interface of
> 192.168.3.30 because the tun interface changes randomly, e.g. (tun1,
> tun2, tun3, tun4) etc.
>

Umar,

if I get you right, you don't know whether 192.168.3.30 is connected by
tun0, tun1, tunN or ppp0, ppp1, pppN.

You may (at any time with any interface) use the 'interface group'. For
example:

pass in on tun all keep state
           ^^^

would let pass all packets in from all tun interfaces. Please note the
missing device number (tun but not tun0).

I'm using it like that for clients connecting by PPTP from the outside.
As I don't know how many clients will connect by PPTP at any time, I'm
passing all their traffic by using the interface group.

HTH

Volker