From owner-freebsd-pf@FreeBSD.ORG Sun Oct 14 23:51:02 2007
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8A44A16A41B for ; Sun, 14 Oct 2007 23:51:02 +0000 (UTC) (envelope-from mdfranz@gmail.com)
Received: from rv-out-0910.google.com (rv-out-0910.google.com [209.85.198.186]) by mx1.freebsd.org (Postfix) with ESMTP id 56CC113C468 for ; Sun, 14 Oct 2007 23:51:02 +0000 (UTC) (envelope-from mdfranz@gmail.com)
Received: by rv-out-0910.google.com with SMTP id l15so1151217rvb for ; Sun, 14 Oct 2007 16:51:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=33qsjABMGBPzafqGptNtWk+XaB1bsmhrKGaNvkuNHBE=; b=D0hmg36bB0MQFo2VG7RgKi4I+WTi9L14fSjQ9NAFOJhIVd38TQPOoB595WdAQU9or6Oa40J27U0CZry8Ze2yDbbqn2w7dMmFVDlViJcj1ebOTMyeYLljaXUbItgk9hPSLHiJw5FWKZGI2ElppJP3Lz6/knjwoAywSlgeHY7bKZ4=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=kfm4VrMwpU2/b8rU4z4NFlsHbv6exEisL0Zo8rHXN0YMCcoyqIDSJAetXihd3w+QrdCu6OaRaYQXwtc2dhMpYfrj1RajxVinY5uZhxvQxN7NAVWk7lqTQmwaFEwjnaGo/3SV/mUC5jZsH8UtXhMDAgyad7Re9AGKvH3cgG+aRIQ=
Received: by 10.141.48.10 with SMTP id a10mr2434645rvk.1192404242625; Sun, 14 Oct 2007 16:24:02 -0700 (PDT)
Received: by 10.141.175.4 with HTTP; Sun, 14 Oct 2007 16:24:02 -0700 (PDT)
Message-ID: <33acb3db0710141624g3647ddaasf720b78c3df4a208@mail.gmail.com>
Date: Sun, 14 Oct 2007 18:24:02 -0500
From: "Matthew Franz"
To: "Michael Conlen"
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References:
Cc: freebsd-pf@freebsd.org
Subject: Re: PF in FreeBSD 5.3 versus 6.x
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 14 Oct 2007 23:51:02 -0000

Hi Michael,

You don't say whether you are running pfsync because Bill Marquette (who I work with) and Max have been discussing a pretty nasty pfsync bug (on 6.2) on this list under high loads (probably starting where you are at in terms of pps throughput but going up to 70-90kpps) where the backup is unable to clear states and there is eventually a huge discrepancy between the master and the backup.

If you are seeing this with a single box. It's on my list to try to reproduce this in the lab (and test some of the patches Max has developed) with smartbits but I still haven't had time. We are definitely seeing some PF losing state entries, but sort of assumed this was a pfsync issue (or an effect thereof) but if you are seeing this without pfsync, that would point to some more fundamental problems with PF under high load. I can also share some more specific stats offline if that would be helpful.

- mdf

On 10/9/07, Michael Conlen wrote:
> I've noticed at some point between 5.3 and 6.0 that PF seems to be dropping more packets than with 5.3 and there is increased deviation in latency. Using the same equipment handling about 25k PPS each way I see about 0.3% packet loss with FreeBSD 6.2 and 6.0 with sub 0.1% loss with FreeBSD 5.3. Similarly the worst case response times for ICMP packets are much less in 5.3 than in either version of 6.
>
> I'm using something pretty vanilla in terms of setup. No ALTQ support or features, no redirects, just a lot of blocking and allowing. The firewalls are using server class 3Com and Intel Gigabit (Fiber) cards. The changes were noticed going forward and undone by going back to FreeBSD 5.3 so I don't suspect physical problems at the moment.
>
> My pf.conf is essentially a block in all followed by a block in quick against a table with 2000 entries, many of them /24 or /16, followed by pass rules to the various host:ports we allow.
>
> If I login to the firewalls themselves and run mtr in each direction I don't see any traffic loss. It's only when crossing the firewalls.
>
> Usage is about 25k packets per second and 100Mbit/sec 5 minute max traffic. The switches are Foundry SI-800g.
>
> Also doing about 25k/sec searches with 400 inserts a second and 270 removals and 407 matches/sec. The state table seems to run about 70,000 to 90,000.
>
> Are there issues I should be aware of and should pf be able to handle this kind of load?
>
> --
> Michael Conlen
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

--
Matthew Franz
http://www.threatmind.net/

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 15 01:55:19 2007
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 092A216A41B for ; Mon, 15 Oct 2007 01:55:19 +0000 (UTC) (envelope-from m@obmail.net)
Received: from unclebob.obfuscated.net (stewie.obfuscated.net [69.8.202.125]) by mx1.freebsd.org (Postfix) with ESMTP id A5E0513C44B for ; Mon, 15 Oct 2007 01:55:17 +0000 (UTC) (envelope-from m@obmail.net)
Received: from [10.0.1.196] (pool-96-228-136-165.tampfl.fios.verizon.net [96.228.136.165]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by unclebob.obfuscated.net (Postfix) with ESMTP id 8C7A817085; Sun, 14 Oct 2007 21:55:16 -0400 (EDT)
In-Reply-To: <33acb3db0710141624g3647ddaasf720b78c3df4a208@mail.gmail.com>
References: <33acb3db0710141624g3647ddaasf720b78c3df4a208@mail.gmail.com>
Mime-Version: 1.0 (Apple Message framework v752.3)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <8B91857B-4898-41DF-ABFC-AEA53F375CF3@obmail.net>
Content-Transfer-Encoding: 7bit
From: Michael Conlen
Date: Sun, 14 Oct 2007 17:55:09 -0400
To: "Matthew Franz"
X-Mailer: Apple Mail (2.752.3)
Cc: freebsd-pf@freebsd.org
Subject: Re: PF in FreeBSD 5.3 versus 6.x
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 15 Oct 2007 01:55:19 -0000

I am not using pfsync. I'm using a pair of foundry layer 7 switches to do firewall load balancing. I've since set optimization to aggressive and have seen a reduction in packet loss.

One issue I've discovered is that mytraceroute 0.72 appears to be buggy with respect to statistics so I can't trust the results for standard deviation and mean response time. In particular the mean response time tends towards the minimum response time over time despite continuously higher numbers. Without an accurate mean there's no good way to get an idea of the distribution using mytraceroute, and I didn't use ping times before I made the switch.

On the other hand my NTP server getting time from across the firewalls does show improvement in stability and jitter, and this tends to be the first application that shows network problems for me. The NTP server is tracking time to within +300/-200 microseconds which is impossible with an unstable network.

With the change the state table is running around 20k entries.

Do you know if these issues are present in the betas of 7.0, which I understand is using pf 4.1?

--
Michael Conlen

On Oct 14, 2007, at 7:24 PM, Matthew Franz wrote:

> Hi Michael,
>
> You don't say whether you are running pfsync because Bill Marquette (who I work with) and Max have been discussing a pretty nasty pfsync bug (on 6.2) on this list under high loads (probably starting where you are at in terms of pps throughput but going up to 70-90kpps) where the backup is unable to clear states and there is eventually a huge discrepancy between the master and the backup.
>
> If you are seeing this with a single box. It's on my list to try to reproduce this in the lab (and test some of the patches Max has developed) with smartbits but I still haven't had time. We are definitely seeing some PF losing state entries, but sort of assumed this was a pfsync issue (or an effect thereof) but if you are seeing this without pfsync, that would point to some more fundamental problems with PF under high load. I can also share some more specific stats offline if that would be helpful.
>
> - mdf
>
>
>
>
> On 10/9/07, Michael Conlen wrote:
>> I've noticed at some point between 5.3 and 6.0 that PF seems to be dropping more packets than with 5.3 and there is increased deviation in latency. Using the same equipment handling about 25k PPS each way I see about 0.3% packet loss with FreeBSD 6.2 and 6.0 with sub 0.1% loss with FreeBSD 5.3. Similarly the worst case response times for ICMP packets are much less in 5.3 than in either version of 6.
>>
>> I'm using something pretty vanilla in terms of setup. No ALTQ support or features, no redirects, just a lot of blocking and allowing. The firewalls are using server class 3Com and Intel Gigabit (Fiber) cards. The changes were noticed going forward and undone by going back to FreeBSD 5.3 so I don't suspect physical problems at the moment.
>>
>> My pf.conf is essentially a block in all followed by a block in quick against a table with 2000 entries, many of them /24 or /16, followed by pass rules to the various host:ports we allow.
>>
>> If I login to the firewalls themselves and run mtr in each direction I don't see any traffic loss. It's only when crossing the firewalls.
>>
>> Usage is about 25k packets per second and 100Mbit/sec 5 minute max traffic. The switches are Foundry SI-800g.
>>
>> Also doing about 25k/sec searches with 400 inserts a second and 270 removals and 407 matches/sec. The state table seems to run about 70,000 to 90,000.
>>
>> Are there issues I should be aware of and should pf be able to handle this kind of load?
>>
>> --
>> Michael Conlen
>>
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>>
>
>
> --
> Matthew Franz
> http://www.threatmind.net/

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 15 11:06:16 2007
Return-Path:
Delivered-To: freebsd-pf@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6D41916A4A0 for ; Mon, 15 Oct 2007 11:06:16 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 470F713C46A for ; Mon, 15 Oct 2007 11:06:16 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.1/8.14.1) with ESMTP id l9FB6GUb080510 for ; Mon, 15 Oct 2007 11:06:16 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.1/8.14.1/Submit) id l9FB6GTN080508 for freebsd-pf@FreeBSD.org; Mon, 15 Oct 2007 11:06:16 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Date: Mon, 15 Oct 2007 11:06:16 GMT
Message-Id: <200710151106.l9FB6GTN080508@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Cc:
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 15 Oct 2007 11:06:16 -0000

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 15 17:47:13 2007
Return-Path:
Delivered-To: freebsd-pf@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 54EED16A47E for ; Mon, 15 Oct 2007 17:47:13 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 3FDD613C4B8 for ; Mon, 15 Oct 2007 17:47:13 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.1/8.14.1) with ESMTP id l9FHlD0R015037 for ; Mon, 15 Oct 2007 17:47:13 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.1/8.14.1/Submit) id l9FHlCJd015033 for freebsd-pf@FreeBSD.org; Mon, 15 Oct 2007 17:47:12 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Date: Mon, 15 Oct 2007 17:47:12 GMT
Message-Id: <200710151747.l9FHlCJd015033@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Cc:
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 15 Oct 2007 17:47:13 -0000

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/110698  pf         [pf] nat rule of pf without "on" clause causes invalid
o bin/116610   pf         [patch] teach tcpdump(1) to cope with the new-style pf

4 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
o kern/106400  pf         [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
s conf/110838  pf         tagged parameter on nat not working on FreeBSD 5.2
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
o kern/115640  pf         [net] [pf] pfctl -k dont works
o kern/116645  pf         pfctl -k does not work in securelevel 3

7 problems total.
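The ruleset Michael Conlen describes in the "PF in FreeBSD 5.3 versus 6.x" thread above (a block in all, a quick block against a roughly 2000-entry table, then pass rules for the allowed host:port pairs), together with the `set optimization aggressive` he later switched to, written out as an added pf.conf example. It is not code from any message in the thread; the interface names, the LAN network, the table file path, the allowed host:port pairs and the state limit are assumptions.

```conf
# Added example, not from the thread. All names and addresses are assumed.
ext_if = "em0"
int_if = "em1"
int_net = "10.1.0.0/24"

# Size the state table for the observed working set (70k-90k states in the
# thread). The pf default on FreeBSD 6.x is 10000; once the table is full,
# new connections are dropped without matching any rule.
set limit states 200000

# What Michael switched to: shorter state timeouts, so idle states expire
# sooner (his table shrank to ~20k). Trade-off: long-idle but legitimate
# sessions are expired early; "normal" is the conservative default.
set optimization aggressive

# The large block table, ~2000 entries of /24 and /16 networks, loaded from a
# file so it can be replaced without a full ruleset reload
# (pfctl -t blocked -T replace -f /etc/pf.blocked).
table <blocked> persist file "/etc/pf.blocked"

# Default deny inbound, then the quick drop for the blocked networks: nothing
# below this line is evaluated for those sources.
block in all
block in quick on $ext_if from <blocked> to any

# Explicit allow list of host:port pairs. On FreeBSD 6.x (pf 3.7) "keep state"
# must be written out; it only became the default with pf 4.1 (FreeBSD 7.0).
pass in on $ext_if proto tcp from any to 192.0.2.10 port 80 keep state
pass in on $ext_if proto tcp from any to 192.0.2.11 port { 25 587 } keep state

# Traffic originating on the LAN side, and anything the firewall itself sends.
pass in on $int_if from $int_net to any keep state
pass out on $ext_if from any to any keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it. Once loaded, `pfctl -si` prints the State Table block (current entries, searches, inserts, removals, each with a per-second rate) and the Counters block (match and friends), which is where figures like the thread's 25k searches, 400 inserts and 407 matches per second come from, and `pfctl -s memory` shows the configured `states` limit. If "current entries" sits at that limit while inserts keep climbing, new connections are being dropped for lack of state slots rather than by any rule, which is worth ruling out before blaming the packet filter itself.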
From owner-freebsd-pf@FreeBSD.ORG Tue Oct 16 13:44:50 2007
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4580516A417 for ; Tue, 16 Oct 2007 13:44:50 +0000 (UTC) (envelope-from lorenzhelleis@yahoo.com.br)
Received: from web53710.mail.re2.yahoo.com (web53710.mail.re2.yahoo.com [206.190.37.31]) by mx1.freebsd.org (Postfix) with SMTP id EE40D13C448 for ; Tue, 16 Oct 2007 13:44:49 +0000 (UTC) (envelope-from lorenzhelleis@yahoo.com.br)
Received: (qmail 40280 invoked by uid 60001); 16 Oct 2007 13:18:07 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com.br; h=X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type:Message-ID; b=0cI+m8e1urXmgdJnaRf7M8VmEJbZB3DIYfZCp3wATu4xXJ4B28Pg4FNMA53whGywsgdA0xYjvWZdjpqK9Sj9JGq32NAjKTvndJkEzWcZmEfdobhnBkiBSg6LhCIsCq/T7TxYBTtdG54NI7XtZSQ3mSbLhg5TgUSkm1aFT5Pqlws=;
X-YMail-OSG: uNGkoX4VM1kHGgRosbQP0Fh.4velboqag3KP9Dx20aJYR8tz_vENPDEC3QdPD8uBoSUFSh65cNTAUTezQMeD79PjIz8tuEqY7pLI5gpKg5_AX7MYybru0jGXImjOljd7SWFeOpXHX5.FfkSItyuNmFvO
Received: from [200.189.112.13] by web53710.mail.re2.yahoo.com via HTTP; Tue, 16 Oct 2007 06:18:07 PDT
X-Mailer: YahooMailRC/814.05 YahooMailWebService/0.7.134.12
Date: Tue, 16 Oct 2007 06:18:07 -0700 (PDT)
From: Lorenz Helleis
To: freebsd-pf@freebsd.org
MIME-Version: 1.0
Message-ID: <233439.39754.qm@web53710.mail.re2.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: PF and UID
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 16 Oct 2007 13:44:50 -0000

Hello...

Can I create a rule using PF and UID?

Like this:

  " permit uid 1005 tcp port 22 "

Thanks.

Open your account at Yahoo! Mail, the only one with unlimited storage space!
http://br.mail.yahoo.com/

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 16 14:25:28 2007
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C51A716A418 for ; Tue, 16 Oct 2007 14:25:28 +0000 (UTC) (envelope-from max@love2party.net)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.174]) by mx1.freebsd.org (Postfix) with ESMTP id 7857213C461 for ; Tue, 16 Oct 2007 14:25:28 +0000 (UTC) (envelope-from max@love2party.net)
Received: from amd64.laiers.local (dslb-088-064-187-160.pools.arcor-ip.net [88.64.187.160]) by mrelayeu.kundenserver.de (node=mrelayeu8) with ESMTP (Nemesis) id 0ML31I-1IhnML1R8u-0008C0; Tue, 16 Oct 2007 16:25:25 +0200
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Tue, 16 Oct 2007 16:25:09 +0200
User-Agent: KMail/1.9.7
References: <233439.39754.qm@web53710.mail.re2.yahoo.com>
In-Reply-To: <233439.39754.qm@web53710.mail.re2.yahoo.com>
X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart1377065.livWW0zj2I"; protocol="application/pgp-signature"; micalg=pgp-sha1
Content-Transfer-Encoding: 7bit
Message-Id: <200710161625.22666.max@love2party.net>
X-Provags-ID: V01U2FsdGVkX1/bbfp/FcE2LmLQLv23oIsnmG/niNRh7IHyWFC qRROdmg2w/HYW2UBldTzHvHnTS0mld1GUNL/RWWHHc+hl0HRZX d0zO1zmkyw2uQ03JDNx0syCDsoSqTJv7NXk7bhZ/rE=
Cc:
Subject: Re: PF and UID
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 16 Oct 2007 14:25:28 -0000

--nextPart1377065.livWW0zj2I
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On Tuesday 16 October 2007, Lorenz Helleis wrote:
> Hello...
>
> Can I create a rule using PF and UID ?
>
> like this:
>
> " permit uid 1005 tcp port 22 "
>
> thanks

The syntax is very different, but yes - pf does support matching by user credentials on the socket in question. The pf.conf(5) man page explains in detail. Look for the "user"/"group" modifiers.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

--nextPart1377065.livWW0zj2I
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)

iD8DBQBHFMnSXyyEoT62BG0RAr2KAJ0Vf4Xu60fwfFGUzk07B7X5jHuLtwCcCIoF
7M2zy3STPhwnX785eLh9kTw=
=uf6B
-----END PGP SIGNATURE-----

--nextPart1377065.livWW0zj2I--

From owner-freebsd-pf@FreeBSD.ORG Fri Oct 19 01:10:47 2007
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 082B016A41B for ; Fri, 19 Oct 2007 01:10:47 +0000 (UTC) (envelope-from nicolas.salvo@gmail.com)
Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.187]) by mx1.freebsd.org (Postfix) with ESMTP id D2C7813C491 for ; Fri, 19 Oct 2007 01:10:45 +0000 (UTC) (envelope-from nicolas.salvo@gmail.com)
Received: by nf-out-0910.google.com with SMTP id b2so303848nfb for ; Thu, 18 Oct 2007 18:10:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta;
 h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; bh=/uJW3vfB0tbajizR8Eh2zCFr9YsBmoebFpf5Tn7cGWQ=; b=mX3UiUzrLYkCejgeGm3oQasIBTFmy5fvk4yzunQZeOkSygLfNVvAxgwEtHF8J998XcNetg8DwF3ND/WGE8o+/vJF3LUgL5OSqZr35fa9pE2Nwg6URgWvwMLf67aQs7TC8YMRDus27W3zG2UlqlLO2i6k1AkYTRF2pzDqzd3y2Qs=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=O/eHiFg++P3feZaMFmR27bz7EuQ17qXPgraCGpyicqAnVATerd9E71oEdDJocabDR1DiNTLj5Wwp/SHHYSKaSUCERCgFw1EZS5WMP+sUb+Ah5VMvzX17XNtouhBl8uYalwOfEN9UG/4l0q4rxErzdwamlw2pzE1mn1gEwuFxCSQ=
Received: by 10.78.159.7 with SMTP id h7mr903956hue.1192754489252; Thu, 18 Oct 2007 17:41:29 -0700 (PDT)
Received: by 10.78.148.17 with HTTP; Thu, 18 Oct 2007 17:41:29 -0700 (PDT)
Message-ID:
Date: Thu, 18 Oct 2007 21:41:29 -0300
From: "Nicolas Salvo"
To: freebsd-pf@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Subject: NAT problem
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 19 Oct 2007 01:10:47 -0000

Hi folks,

I have a problem when trying to change the destination port number for a connection. Our ISP has a transparent proxy, and we need to bypass it. We have 2 iptables firewalls: when a connection is generated to port 80 the firewall changes the destination port to 81, and on the other side it is reversed. That is done with a DNAT rule in the PREROUTING table. My problem is that I can't find how to do this with PF. We are (trying) to move our gw to FreeBSD, but this is what has me stuck.

This is what I did:

  ext_if = "rl0"
  int_if = "rl1"
  int_net = "192.168.0.0/24"
  proxy_bypass_needed = "xxx.xxx.xxx.xxx"

  nat on $ext_if from $int_net to $proxy_bypass_needed port 80 -> $ext_if port 81

This was our best effort but we only changed the source port to 81, and we need to change the destination port.

I didn't find anything about this in the pf.conf man page nor in Google, so I will appreciate your help.

Thanks.

--
Nicolas A. Salvo
Capital Federal
Buenos Aires - Argentina

From owner-freebsd-pf@FreeBSD.ORG Fri Oct 19 06:40:47 2007
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 050BD16A41A for ; Fri, 19 Oct 2007 06:40:47 +0000 (UTC) (envelope-from fox@verio.net)
Received: from dfw-smtpout1.email.verio.net (dfw-smtpout1.email.verio.net [129.250.36.41]) by mx1.freebsd.org (Postfix) with ESMTP id D6B5013C447 for ; Fri, 19 Oct 2007 06:40:46 +0000 (UTC) (envelope-from fox@verio.net)
Received: from [129.250.36.63] (helo=dfw-mmp3.email.verio.net) by dfw-smtpout1.email.verio.net with esmtp id 1IilXK-0007ZX-7p for freebsd-pf@freebsd.org; Fri, 19 Oct 2007 06:40:46 +0000
Received: from [129.250.40.241] (helo=limbo.int.dllstx01.us.it.verio.net) by dfw-mmp3.email.verio.net with esmtp id 1IilXK-0002Ry-3y for freebsd-pf@freebsd.org; Fri, 19 Oct 2007 06:40:46 +0000
Received: by limbo.int.dllstx01.us.it.verio.net (Postfix, from userid 1000) id 920718E296; Fri, 19 Oct 2007 01:40:42 -0500 (CDT)
Date: Fri, 19 Oct 2007 01:40:42 -0500
From: David DeSimone
To: freebsd-pf@freebsd.org
Message-ID: <20071019064041.GA18889@verio.net>
Mail-Followup-To: freebsd-pf@freebsd.org
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To:
Precedence: bulk
User-Agent: Mutt/1.5.9i
Subject: Re: NAT problem
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
List-Id: "Technical discussion and
 general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 19 Oct 2007 06:40:47 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nicolas Salvo wrote:
>
> nat on $ext_if from $int_net to $proxy_bypass_needed port 80 -> $ext_if port 81
>
> This was our best effort but we only changed the source port to 81,
> and we need to change the destination port.

Use "rdr" command instead of "nat".

The documentation talks around and around this without actually saying it, but it is as simple as this: "nat" modifies the source IP / port. "rdr" modifies the destination IP / port.

- --
David DeSimone == Network Admin == fox@verio.net
"This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free. Thank you."
--Lawyer Bot 6000

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFHGFFpFSrKRjX5eCoRAjwxAJ9EEW/rwqqJzaZ0HszUTbRGmzZv0QCgl+kb
HEwbLHv7Stli8/QzMCJetUg=
=gDac
-----END PGP SIGNATURE-----

From owner-freebsd-pf@FreeBSD.ORG Fri Oct 19 21:24:58 2007
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4632516A41B for ; Fri, 19 Oct 2007 21:24:58 +0000 (UTC) (envelope-from nicolas.salvo@gmail.com)
Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.168]) by mx1.freebsd.org (Postfix) with ESMTP id B881A13C46E for ; Fri, 19 Oct 2007 21:24:57 +0000 (UTC) (envelope-from nicolas.salvo@gmail.com)
Received: by ug-out-1314.google.com with SMTP id y2so849329uge for ; Fri, 19 Oct 2007 14:24:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=XvQq18rpVMoGBbmMPX4oKTOuimjbWeNo6UJWB5xLqKo=; b=AYHL+bVs9NnaF05EhZe3QTvpI9QyR18m/P5F24TYE3YJEXtncdeGtdio3TUQqwoQQJoDh28pGj5Q9ZUe0Q2IbrOjNOUmozoVmGFH4dQCkUzVfzybkCSnYwDQEy7iYWAmQQaCMmYHV5NRq56PSNuc++nAcJKtR5lRMMRGMwxKMc0=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=DcSLmQHevdq6pi/LfZ+UCifqI+neQvEgxSzlKoAUifoGbV10b0LTJMTog9zUtzgAaCrrS801Oa7paqk5xBiv9nF+YPwcbPH5CRnTaN7CH6LDVbg4gQ0UTaxD8Vj/bOTgmP3ZHdIQGXr25uVnU4ekGi27Vdx9kuYFz4vm26ix1NA=
Received: by 10.78.146.11 with SMTP id t11mr1719031hud.1192829090242; Fri, 19 Oct 2007 14:24:50 -0700 (PDT)
Received: by 10.78.148.17 with HTTP; Fri, 19 Oct 2007 14:24:50 -0700 (PDT)
Message-ID:
Date: Fri, 19 Oct 2007 18:24:50 -0300
From: "Nicolas Salvo"
To: freebsd-pf@freebsd.org
In-Reply-To:
 <20071019064041.GA18889@verio.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <20071019064041.GA18889@verio.net>
Subject: Re: NAT problem
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 19 Oct 2007 21:24:58 -0000

It works! Thanks!

On 10/19/07, David DeSimone wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Nicolas Salvo wrote:
> >
> > nat on $ext_if from $int_net to $proxy_bypass_needed port 80 -> $ext_if port 81
> >
> > This was our best effort but we only changed the source port to 81,
> > and we need to change the destination port.
>
> Use "rdr" command instead of "nat".
>
> The documentation talks around and around this without actually saying it, but it is as simple as this: "nat" modifies the source IP / port. "rdr" modifies the destination IP / port.
>
> - --
> David DeSimone == Network Admin == fox@verio.net
> "This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free. Thank you."
> --Lawyer Bot 6000
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
>
> iD8DBQFHGFFpFSrKRjX5eCoRAjwxAJ9EEW/rwqqJzaZ0HszUTbRGmzZv0QCgl+kb
> HEwbLHv7Stli8/QzMCJetUg=
> =gDac
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

--
Nicolas A. Salvo
Capital Federal
Buenos Aires - Argentina
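David DeSimone's answer in the "NAT problem" thread (rdr rewrites the destination, nat the source) and Max Laier's pointer to the user/group modifiers in the "PF and UID" thread, combined into one added pf.conf example that is not code from either thread. It starts from Nicolas Salvo's macros and keeps his xxx.xxx.xxx.xxx placeholder for the far gateway; the web_server macro on the far side, the assumption that a web server sits behind that gateway, and the interface each translation rule hangs on are assumptions explained in the comments.

```conf
# Added example, not from either thread. Nicolas's macros, with his placeholder
# for the far gateway left as it was posted.
ext_if = "rl0"
int_if = "rl1"
int_net = "192.168.0.0/24"
proxy_bypass_needed = "xxx.xxx.xxx.xxx"

# --- "NAT problem": rewrite the destination port, not the source port ---

# The original attempt, kept as a comment. "nat" only ever changes the SOURCE
# address/port, so this sent traffic to the far gateway on port 80 from
# source port 81, which is exactly what Nicolas observed.
#   nat on $ext_if from $int_net to $proxy_bypass_needed port 80 -> $ext_if port 81

# Ordinary masquerading for everything leaving the external interface.
nat on $ext_if from $int_net to any -> ($ext_if)

# "rdr" changes the DESTINATION address/port. It is applied to packets as they
# arrive on an interface, so it belongs on the interface the LAN traffic comes
# in on ($int_if), not on $ext_if where the nat attempt was placed.
rdr on $int_if proto tcp from $int_net to $proxy_bypass_needed port 80 -> $proxy_bypass_needed port 81

# Filter rules see the packet AFTER translation (pf 3.x/4.x evaluate nat/rdr
# first), so a per-port pass rule has to name port 81, not 80. On FreeBSD 6.x
# "keep state" must be written out; it is the default from pf 4.1 on.
block in all
pass in on $int_if proto tcp from $int_net to $proxy_bypass_needed port 81 keep state
pass in on $int_if proto { tcp udp icmp } from $int_net to any keep state
pass out on $ext_if from any to any keep state

# On the far gateway the rule is the mirror image. web_server is an assumed
# macro for the host behind that gateway (the thread does not say what is
# there, only that "the other side is reversed"):
#   rdr on $ext_if proto tcp from any to ($ext_if) port 81 -> $web_server port 80

# --- "PF and UID": the "user" modifier ---

# pf's equivalent of Lorenz's "permit uid 1005 tcp port 22". user/group match
# the owner of the LOCAL socket, so this only applies to connections that the
# firewall host itself originates or terminates, never to forwarded packets,
# and only with proto tcp or udp. Forwarded LAN sessions are unaffected here:
# they already matched the $int_if pass rule above and are carried by state.
block out on $ext_if proto tcp from ($ext_if) to any port 22
pass out on $ext_if proto tcp from ($ext_if) to any port 22 user 1005 keep state
```

The rdr line is the whole fix for Nicolas's problem; the other rules are there so the translated packet is actually allowed through. For the uid rule, `pfctl -vsr` shows the loaded rule with its `user` clause and per-rule packet counters, which is the quickest way to confirm that ssh sessions started by uid 1005 hit the pass rule while everything else from the host lands on the block.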