From owner-freebsd-pf@FreeBSD.ORG Mon Feb 25 11:07:09 2008
Delivered-To: freebsd-pf@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1FB5416A469 for ; Mon, 25 Feb 2008 11:07:09 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 0E0B913C459 for ; Mon, 25 Feb 2008 11:07:09 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m1PB784C033062 for ; Mon, 25 Feb 2008 11:07:08 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m1PB78KN033058 for freebsd-pf@FreeBSD.org; Mon, 25 Feb 2008 11:07:08 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Date: Mon, 25 Feb 2008 11:07:08 GMT
Message-Id: <200802251107.m1PB78KN033058@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Mon, 25 Feb 2008 11:07:09 -0000

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/116610   pf         [patch] teach tcpdump(1) to cope with the new-style pf
o kern/117827  pf         [pf] [panic] kernel panic with pf and ng
o kern/120281  pf         [request] lost returning packets to PF for a rdr rule

5 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
o kern/106400  pf         [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
s conf/110838  pf         tagged parameter on nat not working on FreeBSD 5.2
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
f kern/116645  pf         [request] pfctl -k does not work in securelevel 3
o kern/118355  pf         [pf] [patch] pfctl help message options order false -t
f kern/119661  pf         [pf] "queue (someq, empy_acks)" doesn't work
o kern/120057  pf         [patch] Allow proper settings of ALTQ_HFSC. The check
o bin/120974   pf         [patch] bsnmpd(1) snmp_pf module work incorrect when D

11 problems total.
From owner-freebsd-pf@FreeBSD.ORG Wed Feb 27 08:58:27 2008
Date: Wed, 27 Feb 2008 08:28:43 +0000
From: "Choco Bn"
To: freebsd-pf@freebsd.org
Message-Id: <20080227085827.4C2FE13C474@mx1.freebsd.org>
Subject: New invitation from Choco Bn

You have been invited to connect as friends with Choco Bn

Please accept or reject this invitation by clicking below:
http://www.bebo.com/in/5904310846a147972252b135

......................................................................
Please do not reply directly to this email. This email was sent to you at the direct request of Choco Bn. You have not been added to a mailing list.

If you would prefer not to receive invitations from ANY Bebo members please click here - http://www.bebo.com/unsub/5904310846a147972252

Bebo, Inc., 795 Folsom St, 6th Floor, San Francisco, CA 94107, USA.
From owner-freebsd-pf@FreeBSD.ORG Wed Feb 27 12:28:05 2008
Date: Wed, 27 Feb 2008 06:53:03 -0500
From: Mike Tancsa
To: freebsd-pf@freebsd.org
Message-Id: <200802271155.m1RBt6U0058941@lava.sentex.ca>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Subject: default snaplen on tcpdump

Is there any chance of changing the default snap length of tcpdump to be a few bytes bigger? With pf on RELENG_7, the default of 96 is too short now. So doing just a

# tcpdump -nei pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
06:50:57.651128 rule 7/0(match): pass in on bge0: 190.73.138.253.2020 > xx.7.141.12.25: tcp 28 [bad hdr length 0 - too short, < 20]

Going to -s100 seems to be a safe value and avoids the "bad header" errors.

---Mike

--------------------------------------------------------------------
Mike Tancsa,                        tel +1 519 651 3400
Sentex Communications,              mike@sentex.net
Providing Internet since 1994       www.sentex.net
Cambridge, Ontario Canada           www.sentex.net/mike

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 27 14:23:28 2008
Date: Wed, 27 Feb 2008 13:53:11 +0000 (GMT+00:00)
From: Bebo Service
To: freebsd-pf@freebsd.org
Message-ID: <1152402356.256141204120391035.JavaMail.resin@bebo.com>
Subject: Important: Please verify your email address

Peter

Welcome to Bebo.

IMPORTANT: Please click below to verify your email address:
http://www.bebo.com/verify/5905296319a391624534

Your registration details for signing into Bebo again are:

Username: PeterH8207
Email: freebsd-pf@freebsd.org
Password: The password you chose during registration.

If you did not register or have simply changed your mind please click below to cancel your membership:
http://www.bebo.com/notmine/5905296319a391624534

......................................................................
Please do not reply directly to this email.

Questions? Contact us - http://www.bebo.com/contactus

Bebo, Inc., 795 Folsom St, 6th Floor, San Francisco, CA 94107, USA.

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 27 19:43:23 2008
Date: Wed, 27 Feb 2008 14:43:18 -0500
From: "Vadym Chepkov"
To: freebsd-pf@freebsd.org
Message-ID: <1635d77d0802271143u2aeb0b13we310ea1a611afaa8@mail.gmail.com>
Subject: floating keep state

All,

I must be doing something wrong, but I can't figure it out.
I actually simplified the network structure, to keep it simple:

- a client and a web server are on different network segments;
- all incoming connections to the client are prohibited;
- client should be allowed to access web server and get a reply;

Here are the rules:

set state-policy floating
pass in quick proto tcp to port $www_tcp_ports flags S/SA keep state
block in log to

In the pflog I can see that the reply packet from the www server is blocked on the server's segment interface. I thought 'set state-policy floating' should create a rule interface independent and allow a reply? Am I wrong?
Thank you,

Vadym Chepkov

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 27 21:10:41 2008
Date: Wed, 27 Feb 2008 18:10:38 -0300
From: "Gilberto Villani Brito"
To: freebsd-pf@freebsd.org
Message-ID: <6e6841490802271310o3e5976a4gef2cb507087c01b@mail.gmail.com>
In-Reply-To: <1635d77d0802271143u2aeb0b13we310ea1a611afaa8@mail.gmail.com>
Subject: Re: floating keep state

I didn't understand this rule:

pass in quick proto tcp to port $www_tcp_ports flags S/SA keep state

I think it is:

pass in quick proto tcp from any to port $www_tcp_ports flags S/SA keep state

--
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com

On 27/02/2008, Vadym Chepkov wrote:
> All,
>
> I must be doing something wrong, but I can't figure it out.
> I actually simplify the network structure, to keep it simple
>
> - a client and a web server are on different network segments;
> - all incoming connections to the client are prohibited;
> - client should be allowed to access web server and get a reply;
>
> Here are the rules:
>
> set state-policy floating
> pass in quick proto tcp to port $www_tcp_ports flags S/SA keep state
> block in log to
>
> In the pflog I can see that reply packet from www server is blocked on
> server's segment interface. I thought 'set state-policy floating'
> should create a rule interface independent and allow a reply? Am I
> wrong?
>
> Thank you,
>
> Vadym Chepkov
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 27 21:46:50 2008
Date: Wed, 27 Feb 2008 16:46:48 -0500
From: "Vadym Chepkov"
To: "Gilberto Villani Brito"
Cc: freebsd-pf@freebsd.org
Message-ID: <1635d77d0802271346g4cf02b8et8bc74d16f6e97e45@mail.gmail.com>
In-Reply-To: <6e6841490802271310o3e5976a4gef2cb507087c01b@mail.gmail.com>
Subject: Re: floating keep state

You can omit 'from any' or 'to any' as redundant in pf.conf.

# pfctl -sr|grep www_servers
pass in quick proto tcp from any to port = http flags S/SA keep state
pass in quick proto tcp from any to port = https flags S/SA keep state

On Wed, Feb 27, 2008 at 4:10 PM, Gilberto Villani Brito wrote:
> I didnt understand this rule:
>
> pass in quick proto tcp to port $www_tcp_ports flags S/SA keep state
>
> I think is:
> pass in quick proto tcp from any to port $www_tcp_ports flags S/SA keep state
>
>
> --
> Gilberto Villani Brito
> System Administrator
> Londrina - PR
> Brazil
> gilbertovb(a)gmail.com
>
>
> On 27/02/2008, Vadym Chepkov wrote:
> > All,
> >
> > I must be doing something wrong, but I can't figure it out.
> > I actually simplify the network structure, to keep it simple
> >
> > - a client and a web server are on different network segments;
> > - all incoming connections to the client are prohibited;
> > - client should be allowed to access web server and get a reply;
> >
> > Here are the rules:
> >
> > set state-policy floating
> > pass in quick proto tcp to port $www_tcp_ports flags S/SA keep state
> > block in log to
> >
> > In the pflog I can see that reply packet from www server is blocked on
> > server's segment interface. I thought 'set state-policy floating'
> > should create a rule interface independent and allow a reply? Am I
> > wrong?
> >
> > Thank you,
> >
> > Vadym Chepkov
> > _______________________________________________
> > freebsd-pf@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
> >
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 28 04:02:09 2008
Date: Wed, 27 Feb 2008 23:02:08 -0500
From: "Vadym Chepkov"
To: freebsd-pf@freebsd.org
Message-ID: <1635d77d0802272002w6aaaa0ect164a64e136b969f5@mail.gmail.com>
In-Reply-To: <1635d77d0802271346g4cf02b8et8bc74d16f6e97e45@mail.gmail.com>
Subject: Re: floating keep state

I created a lab configuration with the minimum settings.

dns server has ip 10.10.10.1
client has ip 10.10.11.254
between them is 6.3-RELEASE-p1 with 10.10.10.6 and 10.10.11.1 interfaces

Here is /etc/pf.conf:

set block-policy return
set state-policy floating
pass in log quick proto udp from any to 10.10.10.1 port domain keep state
block in log from any to 10.10.11.254

Now I make an nslookup on the client; here is the output of tcpdump -n -l -e -i pflog0:

22:58:14.296303 rule 0/0(match): pass in on xl1: 10.10.11.254.32772 > 10.10.10.1.53: 45616+[|domain]
22:58:14.296965 rule 1/0(match): block in on xl0: 10.10.10.1.53 > 10.10.11.254.32772: 45616*-[|domain]

State is

#pfctl -ss
self udp 10.10.10.1:53 <- 10.10.11.254:32772 NO_TRAFFIC:SINGLE

My question is, why was the reply packet blocked?
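The lab above, as an added example that is not part of the thread: a small Python model of pf's state lookup (my own code, not pf's), reduced to the three things this thread turns on: the key of the packet that created a state, the direction that packet had, and, unless the state is floating, the interface it was seen on. Run against the posted ruleset it reproduces the two pflog lines under either state policy: rule 0 passes the query in on xl1, the implicit pass lets it out on xl0 without creating a state, and rule 1 blocks the reply in on xl0. With a default block and a matching 'pass out ... keep state' rule (the fix Daniel Hartmeier gives later in the thread) the reply matches the second state instead. The Packet/Rule/State classes, the "default pass" label and the interface names are my own construction.

```python
"""Toy model of pf's state lookup for the 'floating keep state' thread.
Added example, not pf's code. A state remembers the key of the packet that
created it, that packet's direction and, unless floating, its interface;
'set state-policy floating' relaxes only the interface check."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ifname: str            # interface the packet is seen on, e.g. "xl1"
    direction: str         # "in" or "out", relative to the firewall host
    proto: str
    src: Tuple[str, int]   # (address, port)
    dst: Tuple[str, int]


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    direction: str                 # "in" or "out"
    proto: Optional[str] = None    # None matches any protocol
    dst_host: Optional[str] = None
    dst_port: Optional[int] = None
    keep_state: bool = False
    quick: bool = False

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.proto in (None, pkt.proto)
                and self.dst_host in (None, pkt.dst[0])
                and self.dst_port in (None, pkt.dst[1]))


@dataclass
class State:
    key: tuple             # (proto, src, dst) as seen by the creating packet
    direction: str         # direction of the creating packet
    ifname: Optional[str]  # None for a floating state

    def matches(self, pkt: Packet) -> bool:
        if self.ifname is not None and self.ifname != pkt.ifname:
            return False
        # Same direction as the creating packet: same key. Opposite
        # direction (the reply): reversed key. Nothing else matches.
        if pkt.direction == self.direction:
            return self.key == (pkt.proto, pkt.src, pkt.dst)
        return self.key == (pkt.proto, pkt.dst, pkt.src)


class Firewall:
    def __init__(self, rules: List[Rule], state_policy: str = "if-bound"):
        self.rules = rules
        self.floating = state_policy == "floating"
        self.states: List[State] = []

    def filter(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason); reason mimics pflog's 'rule N/0(match)'."""
        for st in self.states:            # state table is consulted before any rule
            if st.matches(pkt):
                return "pass", "state"
        verdict, reason, winner = "pass", "default pass", None   # pf's implicit pass
        for n, rule in enumerate(self.rules):    # last match wins, unless 'quick'
            if rule.matches(pkt):
                verdict, reason, winner = rule.action, f"rule {n}", rule
                if rule.quick:
                    break
        if verdict == "pass" and winner is not None and winner.keep_state:
            self.states.append(State((pkt.proto, pkt.src, pkt.dst), pkt.direction,
                                     None if self.floating else pkt.ifname))
        return verdict, reason


def lab_ruleset() -> List[Rule]:
    """The /etc/pf.conf posted above ('block-policy' and 'log' have no effect here)."""
    return [Rule("pass", "in", proto="udp", dst_host="10.10.10.1", dst_port=53,
                 keep_state=True, quick=True),
            Rule("block", "in", dst_host="10.10.11.254")]


def fixed_ruleset() -> List[Rule]:
    """Default block plus a matching 'pass out ... keep state' rule."""
    pass_in = lab_ruleset()[0]
    pass_out = Rule("pass", "out", proto="udp", dst_host="10.10.10.1", dst_port=53,
                    keep_state=True, quick=True)
    return [Rule("block", "in"), Rule("block", "out"), pass_in, pass_out]


def run_lookup(rules: List[Rule], state_policy: str) -> List[Tuple[str, str]]:
    """Walk one DNS query and its reply through the lab firewall (client side
    xl1, server side xl0), stopping at the first block."""
    fw = Firewall(rules, state_policy)
    client, dns = ("10.10.11.254", 32772), ("10.10.10.1", 53)
    path = [Packet("xl1", "in", "udp", client, dns),    # query arrives from the client
            Packet("xl0", "out", "udp", client, dns),   # query leaves towards the server
            Packet("xl0", "in", "udp", dns, client),    # reply arrives from the server
            Packet("xl1", "out", "udp", dns, client)]   # reply leaves towards the client
    results = []
    for pkt in path:
        results.append(fw.filter(pkt))
        if results[-1][0] == "block":
            break
    return results
```

run_lookup(lab_ruleset(), "floating") and run_lookup(lab_ruleset(), "if-bound") both end in ("block", "rule 1") on the reply, which is the pflog line in the post; the floating policy changes nothing because the state created on xl1 was created for the inbound direction, and the reply is also inbound (on xl0) with the reversed key, so only an interface check was relaxed, never the direction check. run_lookup(fixed_ruleset(), ...) passes all four packets, the last two from state.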
From owner-freebsd-pf@FreeBSD.ORG Thu Feb 28 06:31:08 2008
Date: Thu, 28 Feb 2008 07:31:06 +0100
From: Daniel Hartmeier
To: Vadym Chepkov
Cc: freebsd-pf@freebsd.org
Message-ID: <20080228063105.GC32592@insomnia.benzedrine.cx>
In-Reply-To: <1635d77d0802272002w6aaaa0ect164a64e136b969f5@mail.gmail.com>
References: <1635d77d0802271143u2aeb0b13we310ea1a611afaa8@mail.gmail.com> <6e6841490802271310o3e5976a4gef2cb507087c01b@mail.gmail.com> <1635d77d0802271346g4cf02b8et8bc74d16f6e97e45@mail.gmail.com> <1635d77d0802272002w6aaaa0ect164a64e136b969f5@mail.gmail.com>
User-Agent: Mutt/1.5.12-2006-07-14
Subject: Re: floating keep state

On Wed, Feb 27, 2008 at 11:02:08PM -0500, Vadym Chepkov wrote:

> My question is, why the reply packet was blocked?

It seems you're misunderstanding what 'floating state' means.

It does NOT mean "allow connection on all interfaces".

If a connection traverses two interfaces, you need to allow it on both, creating two separate state entries (one incoming, one outgoing).

The 'floating' would come into play if you had more than two interfaces, and the same connection would traverse all three of them, due to dynamic routing. Without dynamic routing, you can pretty much forget about floating states, they do nothing.

The first problem in your ruleset is that it does not block by default. Instead, the packet goes out through xl0 based on the implicit pass rule and does not create a second state.

When the reply comes back in on xl0, there is no matching state (the first one created on xl1 does NOT match, as direction is reversed), and no pass rule matches on that interface in this direction. Hence the block.

Add a default block, add a 'pass out ... keep state' rule, and it will work.

You probably thought floating states would do that, but they don't.

Daniel

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 28 12:17:22 2008
Date: Thu, 28 Feb 2008 07:17:21 -0500
From: "Vadym Chepkov"
To: "Daniel Hartmeier"
Message-ID: <1635d77d0802280417j507e1476m1c0b7c3158156d@mail.gmail.com>
In-Reply-To: <20080228063105.GC32592@insomnia.benzedrine.cx>
Cc: freebsd-pf@freebsd.org
Subject: Re: floating keep state

I never implied that "floating" means "allow connection on all interfaces". Rules were created just to illustrate the situation, they are not part of the "production" environment.

In the state table you see the packet going from source to destination:

#pfctl -ss
self udp 10.10.10.1:53 <- 10.10.11.254:32772 NO_TRAFFIC:SINGLE

It has the word "self" in it, which I assume means "not bound to a particular interface", which is the result of the "floating" policy. I thought the reply from destination to source would be allowed, isn't that what "state" means? But instead, the packet was blocked by a rule:

22:58:14.296965 rule 1/0(match): block in on xl0: 10.10.10.1.53 > 10.10.11.254.32772: 45616*-[|domain]

Vadym

On Thu, Feb 28, 2008 at 1:31 AM, Daniel Hartmeier wrote:
> On Wed, Feb 27, 2008 at 11:02:08PM -0500, Vadym Chepkov wrote:
>
> > My question is, why the reply packet was blocked?
>
> It seems you're misunderstanding what 'floating state' means.
>
> It does NOT mean "allow connection on all interfaces".
>
> If a connection traverses two interfaces, you need to allow it on both,
> creating two two separate state entries (one incoming, one outgoing).
>
> The 'floating' would come into play if you had more than two interfaces,
> and the same connection would traverse all three of them, due to dynamic
> routing. Without dynamic routing, you can pretty much forget about
> floating states, they do nothing.
>
> The first problem in your ruleset is that it does not block by default.
> Instead, the packet goes out through xl0 based on the implicit pass rule
> and does not create a second state.
>
> When the reply comes back in on xl0, there is no matching state (the
> first one created on xl1 does NOT match, as direction is reversed), and
> no pass rule matches on that interface in this direction. Hence the
> block.
>
> Add a default block, add a 'pass out ... keep state' rule, and it will
> work.
>
> You probably thought floating states would do that, but they don't.
>
> Daniel
>

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 28 13:24:24 2008
Date: Thu, 28 Feb 2008 14:11:28 +0100
From: Reinhard Haller
To: freebsd-pf@freebsd.org
Message-ID: <47C6B300.4080507@interactive-net.de>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
Subject: tables in anchors

Hi,

the anchor rule in the following ruleset doesn't work.

table const { 192.168.0.25, \
              192.168.1.0/24, \
              192.168.125.0/24 }

anchor mailIn proto tcp to $mail_addr { \
    #exim
    pass quick proto tcp from to any port smtp \
}

pass quick proto tcp from to $mail_addr port smtp

Checking with pfctl -t smtpHosts -T show results in "table doesn't exist"; the second rule works as expected.

Any suggestions?
Thanks
Reinhard

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 28 13:56:53 2008
Message-ID: <47C6B744.2050501@kasimir.com>
Date: Thu, 28 Feb 2008 14:29:40 +0100
From: Florian Smeets
To: Mike Tancsa
Cc: freebsd-pf@freebsd.org
In-Reply-To: <200802271155.m1RBt6U0058941@lava.sentex.ca>
Subject: Re: default snaplen on tcpdump

Mike Tancsa wrote:
> Is there any chance of changing the default snap length of tcpdump to be
> a few bytes bigger ? With pf on RELENG_7, the default of 96 is too
> short now.
> So doing just a
>
> # tcpdump -nei pflog0
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
> 06:50:57.651128 rule 7/0(match): pass in on bge0: 190.73.138.253.2020 > xx.7.141.12.25: tcp 28 [bad hdr length 0 - too short, < 20]
>
> Going to -s100 seems to be a safe value and avoids the "bad header" errors.
>

Thank you! This just saved me some time I guess. I saw this on a 7.0-RC
firewall a few days ago and wondered what that could mean. I didn't have
time to investigate yet and just now read your mail :-)

I think others could also be confused by this, so I think increasing the
snap length would make sense.

Cheers,
Florian

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 28 15:12:15 2008
Message-ID: <002701c87a1c$51a9bad0$050a0a0a@chepkov.lan>
Date: Thu, 28 Feb 2008 10:12:21 -0500
From: "Vadym Chepkov"
To: "Kian Mohageri"
Cc: freebsd-pf@freebsd.org
References: <1635d77d0802271143u2aeb0b13we310ea1a611afaa8@mail.gmail.com> <6e6841490802271310o3e5976a4gef2cb507087c01b@mail.gmail.com> <1635d77d0802271346g4cf02b8et8bc74d16f6e97e45@mail.gmail.com> <1635d77d0802272002w6aaaa0ect164a64e136b969f5@mail.gmail.com>
Subject: Re: floating keep state

It was not my intention to argue with anybody, I was trying to understand
why the packet was blocked and reply to Daniel got bounced, so I posted it
in the distro. I got it now, IN packet state doesn't match IN packets, only
OUT. Thank you.
Vadym

----- Original Message -----
From: "Kian Mohageri"
To: "Vadym Chepkov"
Sent: Thursday, February 28, 2008 9:56 AM
Subject: Re: floating keep state

> On Wed, Feb 27, 2008 at 8:02 PM, Vadym Chepkov wrote:
>> set block-policy return
>> set state-policy floating
>> pass in log quick proto udp from any to 10.10.10.1 port domain keep
>> state
>> block in log from any to 10.10.11.254
>>
>> 22:58:14.296303 rule 0/0(match): pass in on xl1: 10.10.11.254.32772 >
>> 10.10.10.1.53: 45616+[|domain]
>> 22:58:14.296965 rule 1/0(match): block in on xl0: 10.10.10.1.53 >
>> 10.10.11.254.32772: 45616*-[|domain]
>>
>
> States not only have address/port pairs in them (among other things),
> but they also have a direction.
>
> The request packet (coming in on xl1) creates a state that will match
> the following:
>
> 10.10.11.254:32772 ==> 10.10.10.1:53 (IN)
> 10.10.10.1:53 ==> 10.10.11.254:32772 (OUT)
>
> The same packet is filtered again on xl0, but notice it will not match
> this state because its direction is now "out". As Daniel said, it's
> passed anyway because of the implicit pass rule at the end of your
> ruleset (by the way this makes it difficult to troubleshoot problems).
>
> Server receives packet and replies:
>
> 10.10.10.1:53 ==> 10.10.11.254:32772 (IN)
>
> Notice this will not match the state created above (direction is IN,
> not OUT), and it will also be blocked by your second rule.
>
> -Kian
>
> PS: You'd be smart to listen to Daniel's suggestions as he wrote pf ;)

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 28 15:22:49 2008
Date: Thu, 28 Feb 2008 06:56:29 -0800
From: "Kian Mohageri"
To: "Vadym Chepkov"
In-Reply-To: <1635d77d0802272002w6aaaa0ect164a64e136b969f5@mail.gmail.com>
References: <1635d77d0802271143u2aeb0b13we310ea1a611afaa8@mail.gmail.com> <6e6841490802271310o3e5976a4gef2cb507087c01b@mail.gmail.com> <1635d77d0802271346g4cf02b8et8bc74d16f6e97e45@mail.gmail.com> <1635d77d0802272002w6aaaa0ect164a64e136b969f5@mail.gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: floating keep state

On Wed, Feb 27, 2008 at 8:02 PM, Vadym Chepkov wrote:
> set block-policy return
> set state-policy floating
> pass in log quick proto udp from any to 10.10.10.1 port domain keep state
> block in log from any to 10.10.11.254
>
> 22:58:14.296303 rule 0/0(match): pass in on xl1: 10.10.11.254.32772 > 10.10.10.1.53: 45616+[|domain]
> 22:58:14.296965 rule 1/0(match): block in on xl0: 10.10.10.1.53 > 10.10.11.254.32772: 45616*-[|domain]
>

States not only have address/port pairs in them (among other things), but
they also have a direction.

The request packet (coming in on xl1) creates a state that will match the
following:

10.10.11.254:32772 ==> 10.10.10.1:53 (IN)
10.10.10.1:53 ==> 10.10.11.254:32772 (OUT)

The same packet is filtered again on xl0, but notice it will not match this
state because its direction is now "out". As Daniel said, it's passed anyway
because of the implicit pass rule at the end of your ruleset (by the way
this makes it difficult to troubleshoot problems).

Server receives packet and replies:

10.10.10.1:53 ==> 10.10.11.254:32772 (IN)

Notice this will not match the state created above (direction is IN, not
OUT), and it will also be blocked by your second rule.
-Kian

PS: You'd be smart to listen to Daniel's suggestions as he wrote pf ;)

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 28 15:33:10 2008
Date: Thu, 28 Feb 2008 07:33:07 -0800
From: "Kian Mohageri"
To: "Vadym Chepkov"
In-Reply-To: <002701c87a1c$51a9bad0$050a0a0a@chepkov.lan>
References: <1635d77d0802271143u2aeb0b13we310ea1a611afaa8@mail.gmail.com> <6e6841490802271310o3e5976a4gef2cb507087c01b@mail.gmail.com> <1635d77d0802271346g4cf02b8et8bc74d16f6e97e45@mail.gmail.com> <1635d77d0802272002w6aaaa0ect164a64e136b969f5@mail.gmail.com> <002701c87a1c$51a9bad0$050a0a0a@chepkov.lan>
Cc: freebsd-pf@freebsd.org
Subject: Re: floating keep state

On Thu, Feb 28, 2008 at 7:12 AM, Vadym Chepkov wrote:
> It was not my intention to argue with anybody, I was trying to understand
> why the packet was blocked and reply to Daniel got bounced, so I posted it
> in the distro. I got it now, IN packet state doesn't match IN packets, only
> OUT. Thank you.
>

Glad that made sense.

http://undeadly.org/cgi?action=article&sid=20060928081238

Daniel's article from a while back explains it all really well (see
"Debugging states"). The 2 other articles in that series are equally good.
Highly recommended.

-Kian
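Editor's added example, not part of any message in the "floating keep state" thread: Vadym's posted ruleset with the two changes Daniel asks for (a default block and a 'pass out ... keep state' rule), annotated with the state-table walk-through Kian gives. Addresses, ports and interface names are the ones in the posted pflog output; that xl1 faces the 10.10.11.0/24 client and xl0 faces the DNS server 10.10.10.1 is an assumption drawn from that output, and the `block log all` form is one choice of default block, not something the thread prescribes.

```pf
# Added example (not from the thread). Assumes xl1 faces the client
# 10.10.11.254 and xl0 faces the DNS server 10.10.10.1, as the posted
# pflog lines imply.

set block-policy return
# Floating states are not tied to an interface, but every state still
# carries a direction: a state created by an "in" packet matches that
# flow "in" and its reply "out", nothing else. That is why "floating"
# alone does not make the reply on xl0 match the state created on xl1.
set state-policy floating

# Default block. Nothing rides on the implicit pass rule any more, so a
# forwarded packet with no matching state or rule is blocked and logged
# with the rule number that blocked it (pfctl -sr shows the numbering).
block log all

# 1. Query arrives in on xl1 and creates state A:
#      10.10.11.254:32772 -> 10.10.10.1:53      (in)
#      10.10.10.1:53      -> 10.10.11.254:32772 (out)
pass in  log quick on xl1 proto udp from any to 10.10.10.1 port domain keep state

# 2. The same query leaves out on xl0. Its direction is now "out", so
#    state A does not match; this rule passes it and creates state B:
#      10.10.11.254:32772 -> 10.10.10.1:53      (out)
#      10.10.10.1:53      -> 10.10.11.254:32772 (in)
pass out log quick on xl0 proto udp from any to 10.10.10.1 port domain keep state

# 3. The answer 10.10.10.1:53 -> 10.10.11.254:32772 comes back in on xl0
#    and matches state B (in); it then leaves out on xl1 and matches
#    state A (out). No further rule is needed, and the original
#    "block in log from any to 10.10.11.254" is subsumed by "block log all".
```

After loading this, `pfctl -vvss` should list two states for one query: pfctl prints `<-` for a state created by an inbound packet and `->` for one created by an outbound packet, so a single `<-` entry with no `->` partner is the signature of the original problem (query passed by the implicit rule, reply blocked). With the default block in place, anything else the box forwards or originates now needs its own pass rule, which is the intended trade: every drop becomes a logged, numbered rule hit instead of a silent pass.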