From owner-freebsd-pf@FreeBSD.ORG Sun Jan 6 17:31:48 2008
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5571C16A419 for ; Sun, 6 Jan 2008 17:31:48 +0000 (UTC) (envelope-from lumiwa@gmail.com)
Received: from hs-out-2122.google.com (hs-out-0708.google.com [64.233.178.243]) by mx1.freebsd.org (Postfix) with ESMTP id 1E50F13C448 for ; Sun, 6 Jan 2008 17:31:47 +0000 (UTC) (envelope-from lumiwa@gmail.com)
Received: by hs-out-2122.google.com with SMTP id j58so5973148hsj.11 for ; Sun, 06 Jan 2008 09:31:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:from:to:subject:date:user-agent:mime-version:content-type:content-transfer-encoding:content-disposition:message-id; bh=di1Q9CeXJhKUq6ffDBQPYEZwEjmQ4mHNQi2wuLaQ+hc=; b=htGBlFwC1w4p+vszqFSZmVxRVIRGyABuQwPvVpzfplTvwczeTZoB+CseLLz8glLw4XJC7+yWWHn1CqJkPzAzWX/nMrVV7Ryy/DmhYRn/FZrDBYh1ZjfSTtv2x5jL9aag5epXkaNquGh+2vgm/dgFFv2WD1tovPsLA0/AKSnmBOM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=from:to:subject:date:user-agent:mime-version:content-type:content-transfer-encoding:content-disposition:message-id; b=tdkE4r/tWNTedtga1dbyYnwwTagY2+klChKBjz7dQW4nOsb6uHH4a2HvtdIZjz2uN7E12K1PP/86PV/2XxaT3NA13uze5lGmg9KCJgl6Dw5fPHjO3VQiX5cv3KMp8tLanzdiv8WlReq9fJY1YpQUeRsbgvHL8/3vbOj7hqJQzVo=
Received: by 10.150.201.13 with SMTP id y13mr5159585ybf.53.1199640707203; Sun, 06 Jan 2008 09:31:47 -0800 (PST)
Received: from ?192.168.0.100? ( [65.30.212.174]) by mx.google.com with ESMTPS id 3sm7751194nzf.34.2008.01.06.09.31.39 (version=TLSv1/SSLv3 cipher=OTHER); Sun, 06 Jan 2008 09:31:44 -0800 (PST)
From: aJTiM
To: freebsd-pf@freebsd.org
Date: Sun, 6 Jan 2008 11:31:21 -0600
User-Agent: KMail/1.9.7
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200801061131.21401.lumiwa@gmail.com>
Subject: midi
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 06 Jan 2008 17:31:48 -0000

Hi!

I have :

emu10kx0@pci0:2:10:0: class=0x040100 card=0x80671102 chip=0x00021102 rev=0x0a hdr=0x00
    vendor   = 'Creative Technology LTD.'
    device   = 't4780010004541 Sound Blaster Live! (Also Live! 5.1) - OEM from DELL - CT4780'
    class    = multimedia
    subclass = audio
none1@pci0:2:10:1: class=0x098000 card=0x00201102 chip=0x70021102 rev=0x0a hdr=0x00
    vendor   = 'Creative Technology LTD.'
    device   = 'EMU10000 Game Port'
    class    = input device

Does FreeBSD 7 beta support midi, or will the final version support it, please? I don't have /dev/sequencer .

Thanks.
-- 
A bad marriage is like a horse with a broken leg, you can shoot
the horse, but it don't fix the leg.
From owner-freebsd-pf@FreeBSD.ORG Sun Jan 6 18:04:12 2008
Date: Sun, 6 Jan 2008 18:36:45 +0100
From: Gergely CZUCZY
To: aJTiM
Cc: freebsd-pf@freebsd.org
Message-ID: <20080106173645.GA48659@harmless.hu>
References: <200801061131.21401.lumiwa@gmail.com>
In-Reply-To: <200801061131.21401.lumiwa@gmail.com>
User-Agent: mutt-ng/devel-r804 (FreeBSD)
Subject: Re: midi

Sorry, but I fail to see how this problem/question of yours is related to the OpenBSD pf packet filter's FreeBSD port. This is dedicated to pf.

On Sun, Jan 06, 2008 at 11:31:21AM -0600, aJTiM wrote:
> Hi!
> 
> I have :
> emu10kx0@pci0:2:10:0: class=0x040100 card=0x80671102 chip=0x00021102 
> rev=0x0a hdr=0x00
> vendor = 'Creative Technology LTD.'
> device = 't4780010004541 Sound Blaster Live! (Also Live! 5.1) - OEM 
> from DELL - CT4780'
> class = multimedia
> subclass = audio
> none1@pci0:2:10:1: class=0x098000 card=0x00201102 chip=0x70021102 
> rev=0x0a hdr=0x00
> vendor = 'Creative Technology LTD.'
> device = 'EMU10000 Game Port'
> class = input device
> 
> Does FreebSD 7 beta support midi or final version will support, please? I 
> don't have /dev/sequencer .
> 
> Thanks.
> -- 
> A bad marriage is like a horse with a broken leg, you can shoot
> the horse, but it don't fix the leg.
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

Sincerely,
Gergely Czuczy
mailto: gergely.czuczy@harmless.hu
-- 
Weenies test. Geniuses solve problems that arise.
From owner-freebsd-pf@FreeBSD.ORG Mon Jan 7 11:07:05 2008
Date: Mon, 7 Jan 2008 11:07:04 GMT
Message-Id: <200801071107.m07B74hl061856@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/110698  pf         [pf] nat rule of pf without "on" clause causes invalid
o bin/116610   pf         [patch] teach tcpdump(1) to cope with the new-style pf
o kern/117827  pf         [pf] kernel panic with pf and ng

5 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
o kern/106400  pf         [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
s conf/110838  pf         tagged parameter on nat not working on FreeBSD 5.2
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
f kern/116645  pf         [RFE] pfctl -k does not work in securelevel 3
o kern/118355  pf         [pf] [patch] pfctl help message options order false -t

8 problems total.

From owner-freebsd-pf@FreeBSD.ORG Wed Jan 9 00:42:45 2008
Message-ID: <2e420cc20801081616w7c8c75e5x3091f38a1f59b665@mail.gmail.com>
Date: Wed, 9 Jan 2008 00:16:43 +0000
From: "P Bielecki"
To: freebsd-pf@freebsd.org
In-Reply-To: <2e420cc20711211559r46d374e6n23f75710415cede2@mail.gmail.com>
References: <2e420cc20711211559r46d374e6n23f75710415cede2@mail.gmail.com>
Subject: Re: How to set up a queue for each host in the network?

Hi,
The documentation is not clear on how many queues you can set up, and whether it makes sense to create a queue for every host in a /22 network at all. The pf FAQ doesn't say anything about creating a large number of queues or the way of setting it up.

I was hoping that a configuration with HFSC would solve my issues, but it didn't.

In altq_cbq.h and altq_hfsc.h I found
CBQ_MAX_CLASSES 256
HFSC_MAX_CLASSES 64

So, what is the best way to share a link in a large LAN where users use p2p a lot?

-- 
Paul

From owner-freebsd-pf@FreeBSD.ORG Wed Jan 9 11:37:09 2008
From: Guntis Bumburs
Organization: Rixtel
To: freebsd-pf@freebsd.org
Date: Wed, 9 Jan 2008 13:18:15 +0200
References: <2e420cc20711211559r46d374e6n23f75710415cede2@mail.gmail.com> <2e420cc20801081616w7c8c75e5x3091f38a1f59b665@mail.gmail.com>
In-Reply-To: <2e420cc20801081616w7c8c75e5x3091f38a1f59b665@mail.gmail.com>
Message-Id: <200801091318.16041.guntis@rixtel.com>
Subject: Re: How to set up a queue for each host in the network?

On Wednesday 09 January 2008 02:16:43 P Bielecki wrote:
> Hi,
> Documentation is not clear how many queues you can set up and if it
> make sense to create queue for every host in /22 network at all.
> pf FAQ doesn't say anything about creating large number of queues and
> the way of setting it up.
>
> I was hoping that configuration with HFSC would solve my issues but it
> didn't.
>
> In altq_cbq.h and altq_hfsc.h it I found
> CBQ_MAX_CLASSES 256
> HFSC_MAX_CLASSES 64
>
> So, what is the best way to share link in large LAN where users use p2p a
> lot?
>
> --
> Paul
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

Hi,

I have seen a lot of similar posts about queues and pf. In PF there is no automagic creation of queues like in IPFW, so there is no other way to do it than creating a queue for each host.

I think the best solution is to use L2 switches where you can set speed limits for each port. The drawback is that you can't set a limit of less than 1Mbit or borrow from the main queue. The good thing is that you can do ARP filtering on the same port. In my experience static ARP on FreeBSD is easy to fool.

You can change CBQ_MAX_CLASSES to something bigger, but it will limit pf performance.

-- 
Best Regards,
Guntis

From owner-freebsd-pf@FreeBSD.ORG Wed Jan 9 15:41:07 2008
Message-ID: <8e10486b0801090741k605d7183gfb8bbdfa55fce331@mail.gmail.com>
Date: Wed, 9 Jan 2008 13:41:05 -0200
From: "Alexandre Biancalana"
To: "Max Laier"
In-Reply-To: <200712091835.33608.max@love2party.net>
References: <200710272311.09059.max@love2party.net> <8e10486b0712041257p6a54c50by4c340bba9c4a39b3@mail.gmail.com> <200712051432.29703.max@love2party.net> <200712091835.33608.max@love2party.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: carpdev ...

On 12/9/07, Max Laier wrote:
>
> Please report in case of failure *and* success! Thanks.

Hi Max!

Yesterday I put one firewall running pf with this patch and everything worked perfectly! (until now). I just tested the running config with carp (real network interface without an IP address, using the ifconfig carpdev option to associate the carp interface with the real network interface). If nothing bad happens until tomorrow, I will put another machine in to test all carp failover features and let you know.

Thank you Max for your great work!!

Regards,

From owner-freebsd-pf@FreeBSD.ORG Wed Jan 9 17:00:15 2008
Message-ID: <4784F7E3.3060508@rodhouse.org>
Date: Wed, 09 Jan 2008 11:35:47 -0500
From: Rodrique Heron
To: freebsd-pf@freebsd.org
Subject: Forwarding another host

Good Day-

I'm running FreeBSD 6.2 and I want to know if forwarding to an external host is supported by PF. I want to forward all incoming traffic to port 22 to another host, but it does not work; forwarding to a Jail works though. Here are my configs:

### /etc/rc.conf
ifconfig_em0="inet 192.168.2.14 netmask 255.255.255.0"
defaultrouter="192.168.2.1"
ifconfig_em0_alias0="inet 192.168.2.18 netmask 255.255.255.255"  ## JAIL IP
gateway_enable="YES"
pf_enable="YES"                 # Enable PF (load module if required)
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_flags=""                     # additional flags for pfctl startup
pflog_enable="YES"              # start pflogd(8)
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
pflog_flags=""                  # additional flags for pflogd startup

### /etc/pf.conf
ext_if = "em0"
int_if = "lo0"
host_ip = "192.168.2.14"
jail_ip = "192.168.2.18"
external_host = "192.168.2.27"

rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host port 22
rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port 22

pass in quick all
pass out quick all

Thanks

From owner-freebsd-pf@FreeBSD.ORG Wed Jan 9 23:18:46 2008
From: Michal Varga
To: Rodrique Heron
Cc: freebsd-pf@freebsd.org
In-Reply-To: <4784F7E3.3060508@rodhouse.org>
References: <4784F7E3.3060508@rodhouse.org>
Organization: Stonehenge
Date: Wed, 09 Jan 2008 23:51:54 +0100
Message-Id: <1199919114.59461.10.camel@xenon>
Subject: Re: Forwarding another host

On Wed, 2008-01-09 at 11:35 -0500, Rodrique Heron wrote:
> Good Day-
>
> I'm running FreeBSD 6.2 and I want to know if forwarding to a external
> host is supported by PF. I want to forward all incoming traffic to port
> 22 to another host, but it does not work, forwarding to a Jail works
> though. Here are my configs:

> rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host
> port 22

This surely works, I've been using it for years (I think everyone does). Maybe your $external_host is blocking incoming traffic, or doesn't have a clean route to reply?

m.
-- 
Michal Varga
Stonehenge

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 10 00:11:54 2008
Date: Wed, 9 Jan 2008 18:11:52 -0600
From: David DeSimone
To: freebsd-pf@freebsd.org
Message-ID: <20080110001152.GI17784@verio.net>
Mail-Followup-To: freebsd-pf@freebsd.org
References: <4784F7E3.3060508@rodhouse.org>
In-Reply-To: <4784F7E3.3060508@rodhouse.org>
Subject: Re: Forwarding another host

Rodrique Heron wrote:
>
> I'm running FreeBSD 6.2 and I want to know if forwarding to a external
> host is supported by PF. I want to forward all incoming traffic to
> port 22 to another host, but it does not work, forwarding to a Jail
> works though. Here are my configs:

This is a classic NAT problem. Picture what happens each step of the way:

    Your firewall   = A.B.C.D
    External Host   = E.F.G.H
    External Client = W.X.Y.Z

    Packet (src = W.X.Y.Z, dst = A.B.C.D) goes to the firewall.

    Firewall applies NAT, so the packet is now (src = W.X.Y.Z, dst = E.F.G.H). Firewall routes the packet back out to the external network that it came from.

    External host receives packet (src = W.X.Y.Z, dst = E.F.G.H).

    External host sends back a reply packet (src = E.F.G.H, dst = W.X.Y.Z). This reply goes straight back over the internet; it does not ever come back to your firewall, but goes directly back to the client. Firewall does not see the reply, so there is no chance to apply reverse NAT.

    Client receives packet (src = E.F.G.H, dst = W.X.Y.Z). The packet is unrecognized, however, because the packet that the client originally sent was for (src = W.X.Y.Z, dst = A.B.C.D). Client sends a RST. Connection fails.

The way I have solved this problem in other environments is with "double NAT", where the firewall translates both the Source and Destination IP for internally-received traffic. The firewall applies the correct destination NAT, but also applies NAT to the source IP, giving its own IP. This causes the external server to reply back to the firewall so that the traffic can be de-NAT'd correctly.

However, I am unaware of the ability to perform Double NAT using FreeBSD tools. There is no reason the kernel could not do it; it is just a missing feature in the toolset.

Offhand I am not sure why you would want to forward traffic from your host over to some external host. If you really must do this, the only way that comes to mind would be using a proxy of some sort, opening a secondary connection to the external host on behalf of the client.
- -- David DeSimone == Network Admin == fox@verio.net "This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, dis- tribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free. Thank you." --Lawyer Bot 6000 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFHhWLIFSrKRjX5eCoRAu2dAJ48q+buSKrw7W3tlS1OMrgbHa/rlQCfaRtt 9FQyd2Mn9fwdQMD3f7LfRI8= =oxGv -----END PGP SIGNATURE----- From owner-freebsd-pf@FreeBSD.ORG Thu Jan 10 13:24:49 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3728D16A417 for ; Thu, 10 Jan 2008 13:24:49 +0000 (UTC) (envelope-from swygue@rodhouse.org) Received: from mu-out-0910.google.com (mu-out-0910.google.com [209.85.134.190]) by mx1.freebsd.org (Postfix) with ESMTP id 53C9613C469 for ; Thu, 10 Jan 2008 13:24:48 +0000 (UTC) (envelope-from swygue@rodhouse.org) Received: by mu-out-0910.google.com with SMTP id w9so284146mue.6 for ; Thu, 10 Jan 2008 05:24:47 -0800 (PST) Received: by 10.78.183.8 with SMTP id g8mr2080046huf.55.1199969957467; Thu, 10 Jan 2008 04:59:17 -0800 (PST) Received: by 10.78.146.17 with HTTP; Thu, 10 Jan 2008 04:59:17 -0800 (PST) Message-ID: <1a5f1a2d0801100459s242813a8kc8d3fb8bf209d19@mail.gmail.com> Date: Thu, 10 Jan 2008 07:59:17 -0500 From: "Rodrique Heron" To: freebsd-pf@freebsd.org In-Reply-To: <20080110001152.GI17784@verio.net> MIME-Version: 1.0 References: <4784F7E3.3060508@rodhouse.org> <20080110001152.GI17784@verio.net> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit 
Subject: Re: Forwarding another host

On 1/9/08, David DeSimone wrote:
> Rodrique Heron wrote:
> >
> > I'm running FreeBSD 6.2 and I want to know if forwarding to an external
> > host is supported by PF. I want to forward all incoming traffic to
> > port 22 to another host, but it does not work, forwarding to a Jail
> > works though. Here are my configs:
>
> This is a classic NAT problem. Picture what happens each step of the
> way:
>
>     Your firewall   = A.B.C.D
>     External Host   = E.F.G.H
>     External Client = W.X.Y.Z
>
> Packet (src = W.X.Y.Z dst = A.B.C.D) goes to the firewall.
>
> Firewall applies NAT, so packet is now (src = W.X.Y.Z, dst =
> E.F.G.H). Firewall routes the packet back out to the external
> network that it came from.
>
> External host receives packet (src = W.X.Y.Z, dst = E.F.G.H).
>
> External host sends back a reply packet (src = E.F.G.H, dst =
> W.X.Y.Z). This reply goes straight back over the internet; it
> does not ever come back to your firewall, but goes directly back
> to the client. Firewall does not see reply, so there is no
> chance to apply reverse NAT.
>
> Client receives packet (src = E.F.G.H, dst = W.X.Y.Z). The packet
> is unrecognized, however, because the packet that the client
> originally sent was for (src = W.X.Y.Z dst = A.B.C.D). Client
> sends a RST. Connection fails.
>
> The way I have solved this problem in other environments is with "double
> NAT" where the firewall translates both the Source and Destination IP
> for internally-received traffic.
> The firewall applies the correct
> destination NAT, but also applies NAT to the source IP, giving its own
> IP. This causes the external server to reply back to the firewall so
> that the traffic can be de-NAT'd correctly.
>
> However, I am unaware of the ability to perform Double NAT using FreeBSD
> tools. There is no reason the kernel could not do it; it is just a
> missing feature in the toolset.
>
> Offhand I am not sure why you would want to forward traffic from your
> host over to some external host. If you really must do this, the only
> way that comes to mind would be using a proxy of some sort, opening a
> secondary connection to the external host on behalf of the client.

I have an immediate need to relocate my Web server from the DMZ to inside
the network. The problem is, my content contributors log in to the server
via SSH and the IP address of the Web server will change after the move.
I am placing an Apache reverse proxy in place of the Web server and the
proxy will use the Web server's IP address. To make this a seamless move,
I wanted to forward all incoming SSH traffic to the proxy, to the Web
server's new IP.

If this can't be done with PF, what other method is available?

Thanks

> --
> David DeSimone == Network Admin == fox@verio.net
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 10 17:53:19 2008
From: David DeSimone
To: freebsd-pf@freebsd.org
Date: Thu, 10 Jan 2008 11:53:17 -0600
Message-ID: <20080110175317.GC18918@verio.net>
In-Reply-To: <1a5f1a2d0801100459s242813a8kc8d3fb8bf209d19@mail.gmail.com>
Subject: Re: Forwarding another host

Rodrique Heron wrote:
>
> I have an immediate need to relocate my Web server from the DMZ to
> inside the network.

When you originally described this problem you stated that you wanted to
forward incoming traffic to an "external host". To me, that means a host
not located anywhere on your internal network. The discussion I gave
related to that scenario.

Now it appears you are describing a problem that is completely different
(and that PF should be able to handle without any trouble).

Perhaps you should more accurately diagram the current network layout and
your desired layout so that we can tell you whether it will work.

-- 
David DeSimone == Network Admin == fox@verio.net
From owner-freebsd-pf@FreeBSD.ORG Fri Jan 11 02:37:51 2008
From: "Rodrique Heron"
To: "Michal Varga"
Cc: freebsd-pf@freebsd.org
Date: Thu, 10 Jan 2008 21:37:49 -0500
Message-ID: <1a5f1a2d0801101837r338b5453m7a8f673e3b03833e@mail.gmail.com>
In-Reply-To: <1200009515.36543.27.camel@xenon>
Subject: Re: Forwarding another host

On 1/10/08, Michal Varga wrote:
> On Thu, 2008-01-10 at 12:10 -0500, Rodrique Heron wrote:
> >
> > Thanks
> >
> > FreeBSD syntax for log all is "log-all", I have no block rules. I am
> > passing everything with.
> >
> > pass in quick all
> > pass out quick all
>
> ah, I think this may be another problem. Syntax for log (all) really
> *was* log-all, in PF 3.7, that is approximately the version used in
> FreeBSD 6.x. I somehow forgot about this from your first mail. As
> FreeBSD 7 incorporates PF 3.9, things behave a little differently here
> and there. anyway, can you show me the exact PF config you are using
> now, one that you think should work and doesn't?

Sorry for the duplicate, I forgot to CC the list.

Both hosts are in the same broadcast domain, connected to the same switch.

    INTERNET
       |
       |
    PIX Firewall
       |
       |
    SWITCH*---*HOSTA 192.168.2.14
       *
       |
       |
       *
    HOSTB 192.168.2.27

### /etc/pf.conf
ext_if = "em0"
int_if = "lo0"

host_ip = "192.168.2.14"
jail_ip = "192.168.2.18"
external_host = "192.168.2.27"

rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host port 22
rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port 22

pass in quick all
pass out quick all

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 11 03:07:50 2008
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Fri, 11 Jan 2008 04:07:36 +0100
Message-Id: <200801110407.45454.max@love2party.net>
In-Reply-To: <1a5f1a2d0801101837r338b5453m7a8f673e3b03833e@mail.gmail.com>
Subject: Re: Forwarding another host

On Friday 11 January 2008, Rodrique Heron wrote:
> On 1/10/08, Michal Varga wrote:
> > On Thu, 2008-01-10 at 12:10 -0500, Rodrique Heron wrote:
> > > Thanks
> > >
> > > FreeBSD syntax for log all is "log-all", I have no block rules. I
> > > am passing everything with.
> > >
> > > pass in quick all
> > > pass out quick all
> >
> > ah, I think this may be another problem. Syntax for log (all) really
> > *was* log-all, in PF 3.7, that is approximately the version used in
> > FreeBSD 6.x. I somehow forgot about this from your first mail.
> > As FreeBSD 7 incorporates PF 3.9, things behave a little differently
> > here and there. anyway, can you show me the exact PF config you are
> > using now, one that you think should work and doesn't?
>
> Sorry for the duplicate, I forgot to CC the list.
>
> Both hosts are in the same broadcast domain, connected to the same
> switch.

Sounds like you are looking for some kind of reflection rather than just
redirection. If resources on the pf box are plenty and you don't mind
running network daemons on it, something like net/rinetd might do the
trick.

>     INTERNET
>        |
>     PIX Firewall
>        |
>     SWITCH*---*HOSTA 192.168.2.14
>        *
>        |
>        *
>     HOSTB 192.168.2.27
>
> ### /etc/pf.conf
> ext_if = "em0"
> int_if = "lo0"
>
> host_ip = "192.168.2.14"
> jail_ip = "192.168.2.18"
> external_host = "192.168.2.27"
>
> rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host port 22
> rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port 22
>
> pass in quick all
> pass out quick all

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
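The reflection Max mentions is the same double NAT David DeSimone described earlier in the thread, and pf can express it directly: a nat rule on the same interface as the rdr rewrites the source to HOSTA, so HOSTB's replies come back through HOSTA's state table instead of going straight to the PIX. The following pf.conf is an added example built on the addresses quoted above, not a configuration posted by any participant; the stateful pass rules beyond the posted pass-all and the note on source attribution are additions here.

```pf
# Added example (not a config posted in this thread): pf "reflection" for
# the layout quoted above, i.e. the double NAT described earlier, written
# as pf.conf for HOSTA (192.168.2.14, em0). Addresses are the thread's own.
ext_if        = "em0"
host_ip       = "192.168.2.14"   # HOSTA, the pf box the PIX forwards to
jail_ip       = "192.168.2.18"   # jail inside HOSTA (reflection not needed)
external_host = "192.168.2.27"   # HOSTB, on the same switch as HOSTA

# Broken variant, as posted: dst is rewritten on the way in, but HOSTB
# answers the client's address directly, so the reply never crosses HOSTA;
# the client gets a SYN/ACK from a host it never contacted and resets.
#   rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host port 22

# Working variant. Packet processing order on HOSTA for one SSH flow:
#   in  on em0: rdr rewrites dst 192.168.2.14:22 -> 192.168.2.27:22
#   out on em0: nat rewrites src <client> -> 192.168.2.14 (new source port)
# HOSTB therefore replies to HOSTA; the state entry created by the
# translation reverses both rewrites and the reply leaves toward the PIX
# with src 192.168.2.14:22, which is what the client expects.
nat on $ext_if proto tcp from any to $external_host port 22 -> $host_ip
rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host port 22

# The jail needs only rdr: its replies already pass through HOSTA's stack.
rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port 22

# Filter rules see post-translation addresses. Pass the reflected flows
# explicitly and statefully; the posted "pass quick all" stays for the rest
# (HOSTA's own web proxy etc.) and should be narrowed once the move works.
pass in  quick on $ext_if proto tcp from any to $external_host port 22 keep state
pass out quick on $ext_if proto tcp from $host_ip to $external_host port 22 keep state
pass in  quick on $ext_if proto tcp from any to $jail_ip port 22 keep state
pass in  quick all
pass out quick all

# Caveat for the defender: after the source NAT, HOSTB's sshd logs, TCP
# wrappers and any "from=" restrictions in authorized_keys see 192.168.2.14
# for every contributor. The real client address survives only in HOSTA's
# state table (pfctl -ss) or its pflog, so log on HOSTA to attribute logins.
```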
From owner-freebsd-pf@FreeBSD.ORG Fri Jan 11 03:08:27 2008
From: Max Laier
To: "Alexandre Biancalana"
Cc: freebsd-pf@freebsd.org
Date: Fri, 11 Jan 2008 04:08:21 +0100
Message-Id: <200801110408.22724.max@love2party.net>
In-Reply-To: <8e10486b0801090741k605d7183gfb8bbdfa55fce331@mail.gmail.com>
Subject: Re: carpdev ...

On Wednesday 09 January 2008, Alexandre Biancalana wrote:
> On 12/9/07, Max Laier wrote:
> > Please report in case of failure *and* success! Thanks.
>
> Hi Max !
>
> Yesterday put one firewall running pf with this patch and everything
> worked perfect ! (until now). I just tested the running config with
> carp (real network interface without ip address and using ifconfig
> carpdev option to associate carp interface with real network
> interface) if nothing bad happened until tomorrow, I will put another
> machine to test all carp failover features and let you know.
>
> Thank you Max for your great work !!

That's good to hear, keep us up to date!

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
From owner-freebsd-pf@FreeBSD.ORG Fri Jan 11 03:08:27 2008
From: David DeSimone
To: freebsd-pf@freebsd.org
Date: Thu, 10 Jan 2008 21:08:26 -0600
Message-ID: <20080111030826.GP19089@verio.net>
In-Reply-To: <1a5f1a2d0801101837r338b5453m7a8f673e3b03833e@mail.gmail.com>
Subject: Re: Forwarding another host

Rodrique Heron wrote:
>
>     INTERNET
>        |
>     PIX Firewall
>        |
>     SWITCH*---*HOSTA 192.168.2.14
>        *
>        |
>        *
>     HOSTB 192.168.2.27
>
> ### /etc/pf.conf
> ext_if = "em0"
> int_if = "lo0"
>
> host_ip = "192.168.2.14"
> jail_ip = "192.168.2.18"
> external_host = "192.168.2.27"
>
> rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host port 22
> rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port 22
>
> pass in quick all
> pass out quick all

NAT is always a two-way street. PF must not only translate packets sent
to another host, it must also receive and translate the REPLY packets
from that host. In the scenario you paint above, HOSTB will receive
packets from HOSTA, but when generating a reply, the reply will bypass
HOSTA and go directly back to the PIX firewall.

It works in a jail because the jail is "inside" HOSTA and so all reply
traffic from the jail gets seen by HOSTA before going to the network.

Seems to me it would be easier to get the PIX firewall to send traffic to
HOSTB instead of HOSTA. If that device is outside your control, probably
the easiest thing for you to do is set up a generic proxy, like "redir"
or similar, to copy traffic over a secondary connection to HOSTB.

-- 
David DeSimone == Network Admin == fox@verio.net
From owner-freebsd-pf@FreeBSD.ORG Fri Jan 11 03:17:20 2008
From: Michal Varga
To: Rodrique Heron
Cc: freebsd-pf@freebsd.org
Date: Fri, 11 Jan 2008 04:17:16 +0100
Message-Id: <1200021436.36543.40.camel@xenon>
In-Reply-To: <1a5f1a2d0801101837r338b5453m7a8f673e3b03833e@mail.gmail.com>
Subject: Re: Forwarding another host

On Thu, 2008-01-10 at 21:37 -0500, Rodrique Heron wrote:
>
> Sorry for the duplicate, I forgot to CC the list.
>
> Both hosts are in the same broadcast domain, connected to the same
> switch.
>
>     INTERNET
>        |
>        |
>     PIX Firewall
>        |
>        |
>     SWITCH*---*HOSTA 192.168.2.14
>        *
>        |
>        |
>        *
>     HOSTB 192.168.2.27
>
> ### /etc/pf.conf
> ext_if = "em0"
> int_if = "lo0"
>
> host_ip = "192.168.2.14"
> jail_ip = "192.168.2.18"
> external_host = "192.168.2.27"
>
> rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host port 22
> rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port 22
>
> pass in quick all
> pass out quick all

Ok, so if I understand this correctly, you are trying to redirect
incoming connections from the internet through HOSTA to HOSTB. The
problem I see is that you don't translate your packets on the way back,
so something like this happens (we will call the INTERNET/PIX HOST-X):

1. HOST-X sends ssh request to HOST-A
2. HOST-A redirects the request to HOST-B
3. HOST-B sees that there is a request to ssh from HOST-X (remember, the
   packet was redirected, not translated to look as if it originated
   from HOST-A)
4. So HOST-B opens the ssh connection and sends a reply to HOST-X - I'm
   ready.
5. HOST-X now sees that HOST-B is replying with "here is your ssh", but
   HOST-X contacted HOST-A in the first place, not HOST-B, so it discards
   this connection, he doesn't know why some HOST-B is sending him
   anything.

It's 4.15 AM here so I hope I didn't get the scenario wrong, but if this
is the case, I think your problem is obvious..

m.
-- 
Michal Varga
Stonehenge

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 11 04:18:19 2008
From: "Alexandre Biancalana"
To: "Max Laier"
Date: Fri, 11 Jan 2008 02:18:19 -0200
Message-ID: <8e10486b0801102018h4f417a4ex900bdaeb078bd29e@mail.gmail.com>
In-Reply-To: <200801110408.22724.max@love2party.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: carpdev ...

On 1/11/08, Max Laier wrote:
>
> That's good to hear, keep us up to date!

The neverending history finishes here !! haahahah

Everything works as expected, carp with failover is awesome !! The only
thing that I noted is that the active connections are being broken
during failover (master -> slave transition).

ie: a download running during master reboot/failure is interrupted.

But this is my first carp setup, so I will review all configuration and
read more about it.

Thanks a lot for your work Max !
Best Regards,
Alexandre

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 11 09:32:20 2008
From: "Kian Mohageri"
To: "Alexandre Biancalana"
Date: Fri, 11 Jan 2008 01:32:18 -0800
In-Reply-To: <8e10486b0801102018h4f417a4ex900bdaeb078bd29e@mail.gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: carpdev ...

On Jan 10, 2008 8:18 PM, Alexandre Biancalana wrote:
> On 1/11/08, Max Laier wrote:
> >
> > That's good to hear, keep us up to date!
>
> The never-ending story finishes here !! hahahah
>
> Everything works as expected, carp with failover is awesome !! The only
> thing that I noted is that active connections are being broken
> during failover (master -> slave transition).
>
> ie: a download running during master reboot/failure is interrupted.
>
> But this is my first carp setup, so I will review all configuration
> and read more about it.
>

Are you using pfsync?
-Kian

From: "Alexandre Biancalana"
To: "Kian Mohageri"
Date: Fri, 11 Jan 2008 08:52:30 -0200
Message-ID: <8e10486b0801110252w452f3e4asf438beb6297eb1f@mail.gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: carpdev ...

On 1/11/08, Kian Mohageri wrote:
> On Jan 10, 2008 8:18 PM, Alexandre Biancalana wrote:
> > On 1/11/08, Max Laier wrote:
> > >
> > > That's good to hear, keep us up to date!
> >
> > The never-ending story finishes here !! hahahah
> >
> > Everything works as expected, carp with failover is awesome !! The only
> > thing that I noted is that active connections are being broken
> > during failover (master -> slave transition).
> >
> > ie: a download running during master reboot/failure is interrupted.
> >
> > But this is my first carp setup, so I will review all configuration
> > and read more about it.
> >
>
> Are you using pfsync?

Yes, I have one interface on each machine dedicated to pfsync.
From: "Rodrique Heron"
To: "Michal Varga"
Cc: freebsd-pf@freebsd.org
Date: Fri, 11 Jan 2008 08:18:35 -0500
Message-ID: <1a5f1a2d0801110518i398793a9u84a4c8924f62bcde@mail.gmail.com>
In-Reply-To: <1200021436.36543.40.camel@xenon>
Subject: Re: Forwarding another host

On 1/10/08, Michal Varga wrote:
>
>
> On Thu, 2008-01-10 at 21:37 -0500, Rodrique Heron wrote:
> >
> >
> > Sorry for the duplicate, I forgot to CC the list.
> >
> > Both hosts are in the same broadcast domain, connected to the same
> > switch.
> >
> > INTERNET
> >    |
> >    |
> > PIX Firewall
> >    |
> >    |
> > SWITCH*---*HOSTA 192.168.2.14
> >    *
> >    |
> >    |
> >    *
> > HOSTB 192.168.2.27
> >
> >
> > ### /etc/pf.conf
> > ext_if = "em0"
> > int_if = "lo0"
> >
> > host_ip = "192.168.2.14"
> > jail_ip = "192.168.2.18"
> > external_host = "192.168.2.27"
> >
> > rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host port 22
> > rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port 22
> >
> > pass in quick all
> > pass out quick all
>
> Ok, so if I understand this correctly, you are trying to redirect
> incoming connections from the internet through HOSTA to HOSTB. The
> problem I see is that you don't translate your packets on the way back,
> so something like this happens (we will call the INTERNET/PIX
> HOST-X):
>
> 1. HOST-X sends ssh request to HOST-A
>
> 2. HOST-A redirects the request to HOST-B
>
> 3. HOST-B sees that there is a request to ssh from HOST-X (remember, the
> packet was redirected, not translated to look as if it originated from
> HOST-A)
>
> 4. So HOST-B opens the ssh connection and sends a reply to HOST-X - I'm
> ready.
>
> 5. HOST-X now sees that HOST-B is replying with "here is your ssh", but
> HOST-X contacted HOST-A in the first place, not HOST-B, so it discards
> this connection, he doesn't know why some HOST-B is sending him
> anything.
>
>
> It's 4.15 AM here so I hope I didn't get the scenario wrong, but if this
> is the case, I think your problem is obvious..

Yep! I understand perfectly, now is there anything I can do on the pix
side to allow the traffic back to HOST-A ?

Thanks

> m.
>
>
>
> --
> Michal Varga
> Stonehenge
>
>
From: Michal Varga
To: Rodrique Heron
Cc: freebsd-pf@freebsd.org
Organization: Stonehenge
Date: Fri, 11 Jan 2008 15:15:05 +0100
Message-Id: <1200060905.36543.106.camel@xenon>
In-Reply-To: <1a5f1a2d0801110518i398793a9u84a4c8924f62bcde@mail.gmail.com>
Subject: Re: Forwarding another host

On Fri, 2008-01-11 at 08:18 -0500, Rodrique Heron wrote:
> Ok, so if I understand this correctly, you are trying to redirect
> incoming connections from the internet through HOSTA to HOSTB. The
> problem I see is that you don't translate your packets on the way back,
> so something like this happens (we will call the INTERNET/PIX
> HOST-X):
>
> 1. HOST-X sends ssh request to HOST-A
>
> 2. HOST-A redirects the request to HOST-B
>
> 3. HOST-B sees that there is a request to ssh from HOST-X (remember, the
> packet was redirected, not translated to look as if it originated from
> HOST-A)
>
> 4. So HOST-B opens the ssh connection and sends a reply to HOST-X - I'm
> ready.
>
> 5. HOST-X now sees that HOST-B is replying with "here is your ssh", but
> HOST-X contacted HOST-A in the first place, not HOST-B, so it discards
> this connection, he doesn't know why some HOST-B is sending him
> anything.
>
>
> It's 4.15 AM here so I hope I didn't get the scenario wrong, but if this
> is the case, I think your problem is obvious..
>
> Yep! I understand perfectly, now is there anything I can do on the pix
> side to allow the traffic back to HOST-A ?
>
> Thanks
>

On the PIX side probably nothing, it's HOST-B that decides who to reply to.
But there are a number of solutions.

For example, if you will ever care only for one or two (or just a few)
ports to forward, I'd go for the "redir" (port net/redir) solution. Attach
it on HOST-A, let it redirect (actually, what it does is really a TCP proxy)
traffic to HOST-B, create an rc/cron script to check and restart the service
in case it crashes, and forget.

But for a much cleaner infrastructure, I'd personally put HOST-B somewhere
behind HOST-A. If HOST-A already acts as the intermediate point between your
business clients (HOST-X) and the ssh server (HOST-B), you probably do not
want them (or will not want to let them at some point in time) to be able to
directly access HOST-B from HOST-X. So I'd put HOST-B physically behind
HOST-A, this way you can redirect traffic to HOST-B as you're trying to do
now, set HOST-A as HOST-B's gateway and let HOST-A NAT HOST-B's traffic out.

Then the flow will be:

[HOST-X] <--> SWITCH <--> iface1[HOST-A]iface2 <--> SWITCH
                                                     |--> [HOST-B]
                                                     |--> [HOST-C..]
                                                     +--> [HOST-D..]

1. HOST-X contacts HOST-A for ssh.
2. HOST-A redirects (PF rdr) the packet to HOST-B.
3. HOST-B gets the packet and sends a reply to HOST-X, but:
4. HOST-A (PF nat) is the gateway for HOST-B, so HOST-B sends the packet there
5. NAT on HOST-A translates the packet, now the packet looks like it came
   from HOST-A and continues to HOST-X
6. HOST-X gets the packet, it contacted HOST-A for ssh, the ssh reply came
   from HOST-A, everything is ok, connection established.

This also has some additional benefits: later, if you decide, you can use
HOST-A for better security, internal network partitioning (everything from
the internet will talk to HOST-A and it will decide who to contact on the
local network, etc.), you can use HOST-A for traffic shaping, and many other
things.

Of course there are other alternatives, you can use HOST-A as a gateway even
if you don't move HOST-B and leave them both on the same switch, as they are
now. The only major point is that if HOST-X contacts HOST-A for ssh, it
doesn't care what HOST-A will do with that packet and where it sends it, but
it will always expect the reply to originate from HOST-A. So you can't let
HOST-B reply directly. It must send its reply back through HOST-A and HOST-A
must rewrite the packet originator, so HOST-X sees it is talking to ssh on
HOST-A.

m.

>

--
Michal Varga
Stonehenge
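The design Michal lays out above (rdr on HOST-A, HOST-A as HOST-B's default gateway, NAT on the way out), and the broken return path walked through in the quoted five steps, written out as a pf.conf for HOST-A. This is an added example, not configuration posted in the thread; it assumes HOST-B has been moved to 10.1.1.27 on a second interface em1 where HOST-A is 10.1.1.1, that HOST-B's default route points at HOST-A, and that HOST-A has gateway_enable="YES" in /etc/rc.conf.

```pf
# /etc/pf.conf on HOST-A (added example; em1 and the 10.1.1.0/24 addresses
# are assumptions, the 192.168.2.x values come from the thread)
#
# HOST-A prerequisite: gateway_enable="YES" in /etc/rc.conf, so packets are
# forwarded between em0 and em1.
# HOST-B prerequisite: defaultrouter="10.1.1.1" in /etc/rc.conf, so every
# reply HOST-B sends toward HOST-X goes back through HOST-A instead of
# straight out of the switch (that shortcut is what broke the original setup).

ext_if = "em0"              # toward the PIX / HOST-X
int_if = "em1"              # new segment behind HOST-A (assumed)

host_ip      = "192.168.2.14"   # HOST-A on $ext_if
jail_ip      = "192.168.2.18"   # jail living on HOST-A itself
hostb_ip     = "10.1.1.27"      # HOST-B, now behind HOST-A (assumed)
internal_net = "10.1.1.0/24"    # segment on $int_if (assumed)

set skip on lo0

# Step 2: HOST-X -> HOST-A:22 is rewritten to HOST-B:22. pf records the
# translation in a state and maps HOST-B's reply back to $host_ip on the way
# out, but only if that reply actually passes through HOST-A, which is what
# the default route on HOST-B guarantees. Only the destination is rewritten,
# so sshd on HOST-B still logs HOST-X's real address.
rdr on $ext_if proto tcp from any to $host_ip port 22 -> $hostb_ip port 22

# The jail rule from the original config needs no change: the jail is on
# HOST-A, so its replies already traverse this pf instance.
rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port 22

# Steps 4-5: anything HOST-B (or anything else on $internal_net) originates
# toward the outside leaves with HOST-A's address as source, so HOST-X only
# ever sees HOST-A.
nat on $ext_if from $internal_net to any -> ($ext_if)

# Filtering. Translation runs before filtering, so the inbound rule matches
# the already-rewritten destination ($hostb_ip), and only the redirected
# port reaches HOST-B: HOST-X cannot address HOST-B directly.
block log all

# Drop packets arriving on $ext_if that claim a source inside $internal_net.
antispoof quick for $int_if

pass in  on $ext_if proto tcp from any to $hostb_ip port 22 flags S/SA keep state
pass out on $int_if proto tcp from any to $hostb_ip port 22 keep state

pass in  on $ext_if proto tcp from any to $jail_ip port 22 flags S/SA keep state

# Outbound traffic from the internal segment (HOST-B's own updates, DNS, ...).
pass in  on $int_if from $internal_net to any keep state
pass out on $ext_if from any to any keep state
```

Load it with pfctl -nf /etc/pf.conf first to syntax-check, then watch the two states for a test connection with pfctl -ss: one on em0 with the translated destination, one on em1 toward HOST-B.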
From: "Scott Ullrich"
To: "Alexandre Biancalana"
Cc: freebsd-pf@freebsd.org
Date: Fri, 11 Jan 2008 11:44:51 -0500
In-Reply-To: <8e10486b0801110252w452f3e4asf438beb6297eb1f@mail.gmail.com>
Subject: Re: carpdev ...

On 1/11/08, Alexandre Biancalana wrote:
>
> Yes, I have one interface on each machine dedicated to pfsync.

Can you show us the output of ifconfig pfsync0 on each host?
Scott

From: "Alexandre Biancalana"
To: "Scott Ullrich"
Date: Fri, 11 Jan 2008 15:49:02 -0200
Message-ID: <8e10486b0801110949u1593e427wc24493b98d0003d2@mail.gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: carpdev ...

On 1/11/08, Scott Ullrich wrote:
>
>
> On 1/11/08, Alexandre Biancalana wrote:
> > Yes, I have one interface on each machine dedicated to pfsync.
>
> Can you show us the output of ifconfig pfsync0 on each host?

FW1:/usr/home/ale $ ifconfig pfsync0
pfsync0: flags=41 metric 0 mtu 1460
        pfsync: syncdev: interconnect syncpeer: 224.0.0.240 maxupd: 128

FW1:/usr/home/ale $ ifconfig interconnect
interconnect: flags=8843 metric 0 mtu 1500
        options=8
        ether 00:16:76:24:23:25
        inet 10.0.0.1 netmask 0xfffffffc broadcast 10.0.0.3
        media: Ethernet autoselect (100baseTX )
        status: active

FW2:/root # ifconfig pfsync0
pfsync0: flags=41 metric 0 mtu 1460
        pfsync: syncdev: interconnect syncpeer: 224.0.0.240 maxupd: 128

FW2:/root # ifconfig interconnect
interconnect: flags=8843 metric 0 mtu 1500
        options=19b
        ether 00:13:20:c4:7f:ca
        inet 10.0.0.2 netmask 0xfffffffc broadcast 10.0.0.3
        media: Ethernet autoselect (100baseTX )
        status: active
From: "Scott Ullrich"
To: "Alexandre Biancalana"
Cc: freebsd-pf@freebsd.org
Date: Fri, 11 Jan 2008 13:05:11 -0500
In-Reply-To: <8e10486b0801110949u1593e427wc24493b98d0003d2@mail.gmail.com>
Subject: Re: carpdev ...
On 1/11/08, Alexandre Biancalana wrote:
>
> FW1:/usr/home/ale $ ifconfig pfsync0
> pfsync0: flags=41 metric 0 mtu 1460
>         pfsync: syncdev: interconnect syncpeer: 224.0.0.240 maxupd: 128
>
> FW1:/usr/home/ale $ ifconfig interconnect
> interconnect: flags=8843 metric 0 mtu 1500
>         options=8
>         ether 00:16:76:24:23:25
>         inet 10.0.0.1 netmask 0xfffffffc broadcast 10.0.0.3
>         media: Ethernet autoselect (100baseTX )
>         status: active
>
>
>
> FW2:/root # ifconfig pfsync0
> pfsync0: flags=41 metric 0 mtu 1460
>         pfsync: syncdev: interconnect syncpeer: 224.0.0.240 maxupd: 128
> FW2:/root # ifconfig interconnect
> interconnect: flags=8843 metric 0 mtu 1500
>         options=19b
>         ether 00:13:20:c4:7f:ca
>         inet 10.0.0.2 netmask 0xfffffffc broadcast 10.0.0.3
>         media: Ethernet autoselect (100baseTX )
>         status: active
>

Thank you.

Do you see the states on the backup machine when it is in the backup
status mode?

pfctl -ss

You should see a similar output on the backup machine as on the primary.

BTW: I did not know about ifconfig interconnect... Cool stuff!!
Scott

From: Tom Judge
To: Scott Ullrich
Cc: freebsd-pf@freebsd.org
Date: Fri, 11 Jan 2008 18:53:11 +0000
Message-ID: <4787BB17.70504@tomjudge.com>
Subject: Re: carpdev ...

Scott Ullrich wrote:
> On 1/11/08, Alexandre Biancalana wrote:
>
> BTW: I did not know about ifconfig interconnect... Cool stuff!!
>

This would appear to be the result of a command such as:

ifconfig em0 name interconnect

And as such you can rename any interface on your system.

I'm not sure how PF state entries deal with this situation (i.e. if there
is a state associated with interconnect, does the state store the interface
name as em0 or interconnect). If the latter is true then it would make using
disparate hardware for HA firewalls much simpler, and attainable.

Tom

From: David DeSimone
To: freebsd-pf@freebsd.org
Date: Sat, 12 Jan 2008 01:23:07 -0600
Message-ID: <20080112072307.GB25623@verio.net>
In-Reply-To: <1a5f1a2d0801110518i398793a9u84a4c8924f62bcde@mail.gmail.com>
Subject: Re: Forwarding another host

Rodrique Heron wrote:
>
> Yep! I understand perfectly, now is there anything I can do on the pix side
> to allow the traffic back to HOST-A ?

This seems the wrong question to ask. Shouldn't you instead be wondering
how you can get the PIX to forward connections to HOST-B instead of to
HOST-A?

The PIX is a full firewall with NAT features, so it can perform the NAT
instead of your BSD box, and since it is the default gateway for return
traffic, it will have no trouble applying the translation in both
directions.

I realize this is a FreeBSD mailing list, but you should go for the
simplest solution, because complex solutions tend to fail in complex ways.

--
David DeSimone == Network Admin == fox@verio.net
"This email message is intended for the use of the person to whom it has
been sent, and may contain information that is confidential or legally
protected. If you are not the intended recipient or have received this
message in error, you are not authorized to copy, distribute, or otherwise
use this message or its attachments. Please notify the sender immediately
by return e-mail and permanently delete this message and any attachments.
Verio, Inc. makes no warranty that this email is error or virus free.
Thank you."
--Lawyer Bot 6000