From owner-freebsd-pf@FreeBSD.ORG Mon Mar 17 11:07:09 2008
Date: Mon, 17 Mar 2008 11:07:09 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
List-Id: "Technical discussion and general questions about packet filter (pf)"

Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/116610   pf    [patch] teach tcpdump(1) to cope with the new-style pf
o kern/117827  pf    [pf] [panic] kernel panic with pf and ng
o kern/120281  pf    [request] lost returning packets to PF for a rdr rule

5 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/106400  pf    [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
s conf/110838  pf    tagged parameter on nat not working on FreeBSD 5.2
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/114567  pf    [pf] LOR pf_ioctl.c + if.c
f kern/116645  pf    [request] pfctl -k does not work in securelevel 3
o kern/118355  pf    [pf] [patch] pfctl help message options order false -t
f kern/119661  pf    [pf] "queue (someq, empy_acks)" doesn't work
o kern/120057  pf    [patch] Allow proper settings of ALTQ_HFSC. The check
o kern/121704  pf    [pf] PF mangles loopback packets

11 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Mar 17 14:17:22 2008
Date: Mon, 17 Mar 2008 14:50:18 +0100
From: "Stephan F. Yaraghchi"
Sender: yaraghchi@gmail.com
To: freebsd-pf@freebsd.org
Subject: watching the log in real time

Hi,

I have a question concerning the logging of pf on FreeBSD 7.0-RELEASE.

When I issue 'tcpdump -netttt -i pflog0' to watch the log in real time
I'm getting pretty brief output like:

2008-03-16 11:46:45.527125 rule 0/0(match): block in on fxp1: [|ip]
2008-03-16 11:46:45.590116 rule 0/0(match): block in on fxp1: [|ip]
2008-03-16 11:46:45.652107 rule 0/0(match): block in on fxp1: [|ip]
2008-03-16 11:46:45.715098 rule 0/0(match): block in on fxp1: [|ip]
2008-03-16 11:46:45.777087 rule 0/0(match): block in on fxp1: [|ip]
2008-03-16 11:46:47.249281 rule 0/0(match): block in on fxp1: [|ip]
2008-03-16 11:46:50.011245 rule 0/0(match): block in on fxp1: [|ip]
2008-03-16 11:46:52.761126 rule 0/0(match): block in on fxp1: [|ip]

When I look back into the history of the log with 'tcpdump -netttt -r
/var/log/pflog' the output is much more verbose:

2008-03-16 11:46:45.527125 rule 0/0(match): block in on fxp1: 192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)
2008-03-16 11:46:45.590116 rule 0/0(match): block in on fxp1: 192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)
2008-03-16 11:46:45.652107 rule 0/0(match): block in on fxp1: 192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)
2008-03-16 11:46:45.715098 rule 0/0(match): block in on fxp1: 192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)
2008-03-16 11:46:45.777087 rule 0/0(match): block in on fxp1: 192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)
2008-03-16 11:46:47.249281 rule 0/0(match): block in on fxp1: 192.168.204.10.138 > 192.168.204.255.138: NBT UDP PACKET(138)
2008-03-16 11:46:50.011245 rule 0/0(match): block in on fxp1: 192.168.204.10.138 > 192.168.204.255.138: NBT UDP PACKET(138)
2008-03-16 11:46:52.761126 rule 0/0(match): block in on fxp1: 192.168.204.10.138 > 192.168.204.255.138: NBT UDP PACKET(138)

What do I have to do to see that much info while watching the log in real
time?

--
Mit freundlichen Grüßen / with kind regards

+++ stephan f. yaraghchi
+++ mail: stephan at yaraghchi dot org

www.deine-stimme-gegen-armut.de

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 17 14:35:45 2008
Date: Mon, 17 Mar 2008 15:22:12 +0100
From: CZUCZY Gergely
Organization: Harmless Digital
To: "Stephan F. Yaraghchi"
Cc: freebsd-pf@freebsd.org
Subject: Re: watching the log in real time

On Mon, 17 Mar 2008 14:50:18 +0100
"Stephan F. Yaraghchi" wrote:

> Hi,
Hello,

> I have a question concerning the logging of pf on FreeBSD 7.0-RELEASE.
>
> When I issue 'tcpdump -netttt -i pflog0' to watch the log in real time
> I'm getting pretty brief output like:
>
> 2008-03-16 11:46:45.527125 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.590116 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.652107 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.715098 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.777087 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:47.249281 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:50.011245 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:52.761126 rule 0/0(match): block in on fxp1: [|ip]

[| means that it wasn't able to decode the packet any further, because the
snaplength is too small. Adjust it with -s, and check man tcpdump.

> When I look back into the history of the log with 'tcpdump -netttt -r
> /var/log/pflog' the output is much more verbose:
>
> 2008-03-16 11:46:45.527125 rule 0/0(match): block in on fxp1:
> 192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)
> 2008-03-16 11:46:45.590116 rule 0/0(match): block in on fxp1:
> 192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)
> 2008-03-16 11:46:45.652107 rule 0/0(match): block in on fxp1:
> 192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)
> 2008-03-16 11:46:45.715098 rule 0/0(match): block in on fxp1:
> 192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)
> 2008-03-16 11:46:45.777087 rule 0/0(match): block in on fxp1:
> 192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)
> 2008-03-16 11:46:47.249281 rule 0/0(match): block in on fxp1:
> 192.168.204.10.138 > 192.168.204.255.138: NBT UDP PACKET(138)
> 2008-03-16 11:46:50.011245 rule 0/0(match): block in on fxp1:
> 192.168.204.10.138 > 192.168.204.255.138: NBT UDP PACKET(138)
> 2008-03-16 11:46:52.761126 rule 0/0(match): block in on fxp1:
> 192.168.204.10.138 > 192.168.204.255.138: NBT UDP PACKET(138)
>
> What do I have to do to see that much info while watching the log in real
> time?
--
Regards,

Czuczy Gergely
Harmless Digital Bt
mailto: gergely.czuczy@harmless.hu
Tel: +36-30-9702963

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 17 14:50:40 2008
Date: Mon, 17 Mar 2008 07:50:40 -0700
From: Jeremy Chadwick
To: "Stephan F. Yaraghchi"
Cc: freebsd-pf@freebsd.org
Subject: Re: watching the log in real time

On Mon, Mar 17, 2008 at 02:50:18PM +0100, Stephan F. Yaraghchi wrote:
> When I issue 'tcpdump -netttt -i pflog0' to watch the log in real time
> I'm getting pretty brief output like:
>
> 2008-03-16 11:46:45.527125 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.590116 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.652107 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.715098 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.777087 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:47.249281 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:50.011245 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:52.761126 rule 0/0(match): block in on fxp1: [|ip]

Choose a larger snaplen size for tcpdump to use, e.g. tcpdump -s 1024.
Don't pick something absurdly large.

There is a discussion as to whether or not tcpdump on FreeBSD should
default to using a larger snaplen size (128 would be good).

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
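An added example (not code from the thread or from tcpdump) that shows in code why a short snaplen prints "[|ip]" on pflog0: it builds a constructed pflog record for one blocked NetBIOS datagram, captures it at 68, 96 and 128 bytes, and decodes it the way tcpdump's pflog printer does, skipping the pflog header before it reaches the IP header. It assumes the FreeBSD 7-era pflog(4) header layout (struct pfloghdr, 61 bytes, word-aligned to 64), DLT_PFLOG = 117, and the pf constant values noted in the comments.

```python
"""Why a small tcpdump snaplen prints "[|ip]" on pflog0 (constructed example)."""
import struct

DLT_PFLOG = 117
PFLOG_HDRLEN = 64     # BPF_WORDALIGN(61): bytes tcpdump skips before the IP header
IPV4_HDRLEN = 20      # minimum IPv4 header, no options
UDP_HDRLEN = 8
PCAP_MAGIC = 0xA1B2C3D4


def pflog_packet(payload_len=100):
    """One blocked NetBIOS datagram (192.168.204.4:138 -> 192.168.204.255:138)
    as pf hands it to pflog0: pfloghdr, then the untouched IPv4/UDP packet.
    Assumed pf constants: AF_INET=2, PF_DROP=1, PFRES_MATCH=0, PF_IN=1."""
    pfhdr = struct.pack("!BBBB16s16sIIIIIIB3x",
                        61, 2, 1, 0,              # length, af, action, reason
                        b"fxp1", b"",             # ifname, ruleset (anchor)
                        0, 0,                     # rulenr/subrulenr -> "rule 0/0"
                        0xFFFFFFFF, 0xFFFFFFFF,   # uid, pid: not applicable
                        0xFFFFFFFF, 0xFFFFFFFF,   # rule_uid, rule_pid
                        1)                        # dir: PF_IN
    assert len(pfhdr) == PFLOG_HDRLEN
    total = IPV4_HDRLEN + UDP_HDRLEN + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0, 64, 17, 0,
                     bytes([192, 168, 204, 4]), bytes([192, 168, 204, 255]))
    udp = struct.pack("!HHHH", 138, 138, UDP_HDRLEN + payload_len, 0)
    return pfhdr + ip + udp + bytes(payload_len)


def capture_to_pcap(packets, snaplen):
    """Emulate what BPF delivers for 'tcpdump -s snaplen -i pflog0': each
    packet is cut at snaplen bytes, but orig_len still records the full size."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, DLT_PFLOG)
    for n, pkt in enumerate(packets):
        data = pkt[:snaplen]
        out += struct.pack("<IIII", 1205663205, n, len(data), len(pkt)) + data
    return out


def decode_pflog_pcap(blob):
    """Walk a DLT_PFLOG pcap and render each record the way tcpdump's pflog
    printer does: skip the word-aligned pfloghdr, then decode IPv4/UDP only
    if those headers actually survived the snaplen."""
    magic, _, _, _, _, _snaplen, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC or linktype != DLT_PFLOG:
        raise ValueError("not a little-endian DLT_PFLOG pcap")
    out, off = [], 24
    while off + 16 <= len(blob):
        _sec, _usec, incl, _orig = struct.unpack_from("<IIII", blob, off)
        rec = blob[off + 16:off + 16 + incl]
        off += 16 + incl
        if incl < 1 or incl < ((rec[0] + 3) & ~3):
            out.append("[|pflog]")           # not even the pflog header fits
            continue
        hdrlen = (rec[0] + 3) & ~3           # BPF_WORDALIGN(pfloghdr.length)
        action = {0: "pass", 1: "block"}.get(rec[2], "action %d" % rec[2])
        reason = "match" if rec[3] == 0 else "reason %d" % rec[3]
        ifname = rec[4:20].split(b"\0", 1)[0].decode()
        rulenr, subrulenr = struct.unpack_from("!II", rec, 36)
        direction = {1: "in", 2: "out"}.get(rec[60], "dir %d" % rec[60])
        prefix = "rule %d/%d(%s): %s %s on %s: " % (
            rulenr, subrulenr, reason, action, direction, ifname)
        l3 = rec[hdrlen:]                    # what is left for ip_print()
        if len(l3) < IPV4_HDRLEN:
            out.append(prefix + "[|ip]")     # IP header cut off: tcpdump's [|ip]
            continue
        proto = l3[9]
        src = ".".join(map(str, l3[12:16]))
        dst = ".".join(map(str, l3[16:20]))
        l4 = l3[(l3[0] & 0x0F) * 4:]
        if proto == 17 and len(l4) >= UDP_HDRLEN:
            sport, dport = struct.unpack_from("!HH", l4, 0)
            out.append("%s%s.%d > %s.%d: UDP" % (prefix, src, sport, dst, dport))
        else:
            out.append("%s%s > %s: [|proto %d]" % (prefix, src, dst, proto))
    return out


def min_snaplen(l4_hdrlen=UDP_HDRLEN):
    """Smallest -s value that keeps pfloghdr + IPv4 + the given L4 header."""
    return PFLOG_HDRLEN + IPV4_HDRLEN + l4_hdrlen


def compare(snaplens=(68, 96, 128)):
    """Same packet captured at several snaplens; 68 was tcpdump's old default."""
    pkt = pflog_packet()
    return {s: decode_pflog_pcap(capture_to_pcap([pkt], s))[0] for s in snaplens}


if __name__ == "__main__":
    for s, line in compare().items():
        print("-s %3d: %s" % (s, line))
    print("minimum -s for UDP: %d, for TCP: %d" % (min_snaplen(), min_snaplen(20)))
```

pflogd(8), which writes /var/log/pflog, uses its own default snaplen of 116 bytes, which is why reading the file back decoded fully while the live capture did not.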
From owner-freebsd-pf@FreeBSD.ORG Mon Mar 17 15:05:52 2008
Date: Mon, 17 Mar 2008 16:05:48 +0100
From: "Stephan F. Yaraghchi"
To: "CZUCZY Gergely"
Cc: freebsd-pf@freebsd.org
Subject: Re: watching the log in real time

Cheers mate! you solved my problem...

On Mon, Mar 17, 2008 at 3:22 PM, CZUCZY Gergely wrote:
> On Mon, 17 Mar 2008 14:50:18 +0100
> "Stephan F. Yaraghchi" wrote:
> [...]
> > When I issue 'tcpdump -netttt -i pflog0' to watch the log in real time
> > I'm getting pretty brief output like:
> >
> > 2008-03-16 11:46:45.527125 rule 0/0(match): block in on fxp1: [|ip]
> [...]
> [| means that it wasn't able to decode the packet any further, because the
> snaplength is too small. Adjust it with -s, and check man tcpdump
> [...]
> > What do I have to do to see that much info while watching the log in real
> > time?
>
> --
> Regards,
>
> Czuczy Gergely
> Harmless Digital Bt
> mailto: gergely.czuczy@harmless.hu
> Tel: +36-30-9702963

--
Mit freundlichen Grüßen / with kind regards

+++ stephan f. yaraghchi
+++ lychener str. 61a +++ 10437 berlin, germany +++
+++ mail stephan@yaraghchi.org +++ phone +49 30 44650068 +++ cell +49 172 3111534

www.deine-stimme-gegen-armut.de

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 17 15:07:28 2008
Date: Mon, 17 Mar 2008 16:07:23 +0100
From: "Stephan F. Yaraghchi"
To: "Jeremy Chadwick"
Cc: freebsd-pf@freebsd.org
Subject: Re: watching the log in real time

Thank you, too!

On Mon, Mar 17, 2008 at 3:50 PM, Jeremy Chadwick wrote:
> On Mon, Mar 17, 2008 at 02:50:18PM +0100, Stephan F. Yaraghchi wrote:
> > When I issue 'tcpdump -netttt -i pflog0' to watch the log in real time
> > I'm getting pretty brief output like:
> >
> > 2008-03-16 11:46:45.527125 rule 0/0(match): block in on fxp1: [|ip]
> [...]
>
> Choose a larger snaplen size for tcpdump to use, e.g. tcpdump -s 1024.
> Don't pick something absurdly large.
>
> There is a discussion as to whether or not tcpdump on FreeBSD should
> default to using a larger snaplen size (128 would be good).
>
> --
> | Jeremy Chadwick                                jdc at parodius.com |
> | Parodius Networking                       http://www.parodius.com/ |
> | UNIX Systems Administrator                  Mountain View, CA, USA |
> | Making life hard for others since 1977.              PGP: 4BD6C0CB |

--
Mit freundlichen Grüßen / with kind regards

+++ stephan f. yaraghchi
+++ lychener str. 61a +++ 10437 berlin, germany +++
+++ mail stephan@yaraghchi.org +++ phone +49 30 44650068 +++ cell +49 172 3111534

www.deine-stimme-gegen-armut.de

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 17 15:15:57 2008
Date: Mon, 17 Mar 2008 15:15:14 -0000 (UTC)
From: "Greg Hennessy"
To: freebsd-pf@freebsd.org
Subject: Re: watching the log in real time

On Mon, March 17, 2008 1:50 pm, Stephan F. Yaraghchi wrote:
>
> What do I have to do to see that much info while watching the log in real
> time?

Use the '-l' flag additionally with tcpdump and increase the snapsize to
96 bytes with '-s'.

Regards
Greg

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 19 11:38:29 2008
Date: Wed, 19 Mar 2008 17:10:03 +0600
From: Vadim Goncharov
Reply-To: vadim_nuclight@mail.ru
To: "Kuat Eshengazin"
Cc: freebsd-pf@freebsd.org
Subject: Re: using pf to emulate different source ip's

Hi Kuat Eshengazin!

On Thu, 6 Mar 2008 00:39:01 +0600; Kuat Eshengazin wrote:

> I'm testing a device with an application layer firewall, and one of the
> features requires HTTP connections from multiple IP addresses.
> The device logs client IP addresses and then, depending on a statistical
> calculation, tries to do something with such requests in future (block or
> pass, for example).
> The device is directly connected to a machine with FreeBSD 7.0 + pf.
> Is it possible to rewrite source IP addresses with pf?
> Is it possible to pick source IP addresses from a table or list
> randomly/round-robin?
> I've tried to play with nat rules like
> nat on $ext_if inet from $ext_if to any -> 192.168.2.0/24 source-hash
> but there was not much success.

This is possible with ipfw + natd + some scripting/option playing. And you
can use both pf and ipfw at the same time.

--
WBR, Vadim Goncharov. ICQ#166852181 mailto:vadim_nuclight@mail.ru
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 19 13:36:32 2008
Date: Wed, 19 Mar 2008 10:11:20 -0300
From: Wesley
To: freebsd-pf@freebsd.org
Subject: route-to not working

Dear people,

I have 2 links on a box, and I don't want to load balance them, but only to
reply to requests on the same interface they came in on. I tried to use
route-to, but it does not seem to work. Could you please give me a hand?

This is my configuration:

set skip on lo0

scrub on xl0 reassemble tcp no-df random-id
scrub on xl1 reassemble tcp no-df random-id
scrub on dc0 reassemble tcp no-df random-id

nat on xl0 from 172.16.0.0/24 to any -> (xl0) static-port
rdr on dc0 inet proto tcp to port 80 -> 127.0.0.1 port 3128 round-robin sticky-address

antispoof quick for {xl0,dc0,xl1}
block proto tcp from 172.16.0.0/24 to any port 3128

# Internal Traffic
pass in quick on dc0 from any to any
pass out quick on dc0 from any to any

# Outgoing
pass out on xl0 proto tcp all flags S/SA modulate state
pass out on xl0 proto { udp, icmp } all keep state
pass out on xl1 proto tcp all flags S/SA modulate state
pass out on xl1 proto { udp, icmp } all keep state

# Pass basic services
pass in quick on xl1 proto tcp from any to any port { 22, 21, 1194 } keep state
pass in quick on xl0 proto tcp from any to any port { 22, 21, 1194 } keep state
pass in on xl0 proto udp from any to any port 53
pass in on xl1 proto udp from any to any port 53

# Pass VPN
pass in quick on xl1 proto udp from any to port 1194 keep state
pass quick on tun0

# Source nat route
pass out log on xl0 route-to ( xl1 200.232.164.1 ) from xl1 to any
pass out on xl1 route-to ( xl0 201.83.16.1 ) from xl0 to any

# Close
block return-rst in log quick on xl0 inet proto tcp from any to any
block return-rst in log quick on xl1 inet proto tcp from any to any
block return-icmp in log quick on xl0 proto udp from any to any
block return-icmp in log quick on xl1 proto udp from any to any
block in quick on xl0 all
block in quick on xl1 all

Best Regards,
Wesley Gentine

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 19 17:17:17 2008
Date: Wed, 19 Mar 2008 17:49:37 +0100
From: "Ermal Luçi"
To: "Kuat Eshengazin"
Content-Disposition: inline References: Cc: freebsd-pf@freebsd.org Subject: Re: using pf to emulate different source ip's X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Mar 2008 17:17:17 -0000 On Wed, Mar 5, 2008 at 7:39 PM, Kuat Eshengazin wrote: > Hi, > > > I'm testing a device with application layer firewall and one of the features > requires HTTP connection from multiple IP-addresses. > Device logs clients ip addresses and then depending on statistic calculation > tries to do smth with such kind of requests in future (block or pass for > example) > Device directly connected to machine with Freebsd 7.0 + pf > > > Is it possible to rewrite source ip addresses with pf? > Is it possible to pick up source ip addresses from table or list > randomly/round robin? > > I.ve tried to play with nat rules like > nat on $ext_if inet from $ext_if to any -> 192.168.2.0/24 source-hash Try it this way. nat on $interface from self to any -> $iptouse source-hash > but there was no much success. > > > > Please CC me when answering. > > p.s. > Currently what i.m doing is simply changing interface ip address by ifconfig > command before each HTTP request. 
> > > Thanks in advance > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > From owner-freebsd-pf@FreeBSD.ORG Thu Mar 20 20:13:21 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A0D76106567E for ; Thu, 20 Mar 2008 20:13:21 +0000 (UTC) (envelope-from tommyhp2@yahoo.com) Received: from web38204.mail.mud.yahoo.com (web38204.mail.mud.yahoo.com [209.191.124.147]) by mx1.freebsd.org (Postfix) with SMTP id 704DC8FC15 for ; Thu, 20 Mar 2008 20:13:21 +0000 (UTC) (envelope-from tommyhp2@yahoo.com) Received: (qmail 54542 invoked by uid 60001); 20 Mar 2008 19:46:40 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID; b=0CS2pc4ETfK+VueL/AMkj5VtZz8GZrcs1q8TEbY88FvHOm/BgeLXeNQvYJh/YBeGWHwJo9h96wT3+BfpSWOh+LC46mc4ajNdfFAPJ0/XfWIvxn6OSvQHugToaTuY5Iq5dIXFlCXBpNIV1VB9KGjYMYR+vz0dAmjsqIrKkpSkJTs=; X-YMail-OSG: YUaTzrwVM1mnYqpT4UAbgjvmgN31DZjmK9WbAxHZ1C1NjpDeaDGtmW.gRSbUR0vu5GDdo0vntE1JTud4wH8SKny6okdNjlfKPn3mddq60g86CB7WAHf5W9QIG00MdWn5Y_sJvTRZwn0N6cSIIgaM.J7td4B6KVJuxIsottugg.wY5HLGA5fqcu7u Received: from [74.229.174.93] by web38204.mail.mud.yahoo.com via HTTP; Thu, 20 Mar 2008 12:46:40 PDT Date: Thu, 20 Mar 2008 12:46:40 -0700 (PDT) From: Tommy Pham To: freebsd-pf@freebsd.org In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Message-ID: <241289.54152.qm@web38204.mail.mud.yahoo.com> Subject: Re: route-to not working X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , 
X-List-Received-Date: Thu, 20 Mar 2008 20:13:21 -0000

--- Wesley wrote:

> Dear people,
>
> I have 2 links on a box, and I don't want to load balance them, but
> only to reply to requests on the same interface they came in on.
>
> I tried to use route-to, but it does not seem to work.
>
> Could you please give me some help?
>

Looking at your config, most of your traffic is blocked, since pf (if I remember correctly) works on the last matching rule, except for "quick". You might want to read the FAQ again at http://www.openbsd.org/faq/pf/index.html

It has some good examples with detailed explanations of each part of a pf configuration. As for replying via the external interface, you can use something like this:

pass in quick on xl0 reply-to (xl0 $Gateway_IP_xl0) \
    proto tcp from any to any port { 22, 21, 1194 } keep state

However, I remember reading somewhere that reply-to is broken on FreeBSD, and I couldn't get reply-to to work properly on my box. Someone please correct me on this if I'm wrong.

BTW, route-to is not only used for outbound load balancing. You can use it to route certain destinations via certain interfaces without having to mess around with the routing table ;)

Regards,
Tommy

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 20 23:43:08 2008
From: "Torsten @ CNC-LONDON"
In-Reply-To: <241289.54152.qm@web38204.mail.mud.yahoo.com>
Date: Thu, 20 Mar 2008 23:16:17 -0000
Message-ID: <00a101c88ae0$67c88100$37598300$@net>
Subject: RE: route-to not working

> As for replying via the external interface, you can use something like this:
>
> pass in quick on xl0 reply-to (xl0 $Gateway_IP_xl0) \
>     proto tcp from any to any port { 22, 21, 1194 } keep state
>
> However, I remember reading somewhere that reply-to is broken on FreeBSD,
> and I couldn't get reply-to to work properly on my box. Someone please
> correct me on this if I'm wrong.
>
> Regards,
> Tommy

Hi Wesley

Here are the rules I use for that purpose on my server (I'm still in the middle of setting it up).
It works best on incoming connections; I just need to include the outgoing ones to balance, and figure out ftp.

I noticed one thing that I can't explain: if I use a macro for the external IP instead of the actual outside interface IP addresses in the "pass in" rules, the whole thing blows up and stops working.

example:
inet proto tcp from any to 192.168.254.10 is good
inet proto tcp from any to $ ext_if1_IP is bad and not working

here is my config:

ext_if1="rl0"
ext_if2="rl1"
ext_if1_IP="192.168.1.10"
ext_if2_IP="192.168.254.10"

ext_gw1="192.168.1.254"
ext_gw2="192.168.254.254"
public_services = "{ 80, 443, 873, 1701, 1721, 1723 }"

pass in quick log on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
    inet proto tcp from any to 192.168.1.10 port $public_services flags S/SA modulate state

pass in quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
    inet proto tcp from any to 192.168.254.10 port $public_services flags S/SA modulate state

pass in quick log on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
    inet proto udp from any to 192.168.1.10 port $public_services keep state

pass in quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
    inet proto udp from any to 192.168.254.10 port $public_services keep state

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 21 02:53:26 2008
From: Tommy Pham
To: freebsd-pf@freebsd.org
In-Reply-To: <00a101c88ae0$67c88100$37598300$@net>
Date: Thu, 20 Mar 2008 19:53:25 -0700 (PDT)
Message-ID: <395851.92404.qm@web38209.mail.mud.yahoo.com>
Subject: RE: route-to not working

--- "Torsten @ CNC-LONDON" wrote:

> Hi Wesley
>
> Here are the rules I use for that purpose on my server (I'm still in the
> middle of setting it up).
> It works best on incoming connections; I just need to include the outgoing
> ones to balance, and figure out ftp.
>
> I noticed one thing that I can't explain: if I use a macro for the
> external IP instead of the actual outside interface IP addresses in the
> "pass in" rules, the whole thing blows up and stops working.
>
> example:
> inet proto tcp from any to 192.168.254.10 is good
> inet proto tcp from any to $ ext_if1_IP is bad and not working
>

Is the space between $ and ext_if1_IP a bad typo or intended? If intended, that's why your rule failed. If you look at the screen log, it will tell you what the error is. It should be $ext_if1_IP.

Regards,
Tommy

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 21 14:17:37 2008
From: "Torsten @ CNC-LONDON"
In-Reply-To: <395851.92404.qm@web38209.mail.mud.yahoo.com>
Date: Fri, 21 Mar 2008 14:17:27 -0000
Message-ID: <00b101c88b5e$4b63fd90$e22bf8b0$@net>
Subject: RE: route-to not working

> Is the space between $ and ext_if1_IP a bad typo or intended? If intended,
> that's why your rule failed. If you look at the screen log, it will tell
> you what the error is. It should be $ext_if1_IP.
>
> Regards,
> Tommy

Hi Tommy

It was just a typo in the email. What I noticed is that reply-to seems to interfere with route-to, which more or less knocks it out in the config I have below.

I'm glad that someone has raised the issue about reply-to, because I have searched the internet for days and could not find much.

Here is my config, just for reference.

Thanks
Torsten

###############################################################################################
##MACROS
###############################################################################################
SYN_ONLY="S/FSRA"
icmp_types = "echoreq"

ext_if1="rl0"
ext_if2="rl1"
ext_if1_IP="192.168.1.10"
ext_if2_IP="192.168.254.10"

ext_gw1="192.168.1.254"
ext_gw2="192.168.254.254"

int_if="rl2"
vpn_if="{ ng0, ng1, ng2, ng3, ng4 }"
int_net="192.168.100.0/24"

public_services = "{ 20, 21, 80, 443, 873, 1701, 1721, 1723 }"
no_balance = "{ !=21, !=37, !=53, !=443, !=80, !=873 }"

###############################################################################################
##TABLES AND OPTIONS
###############################################################################################
# blacklist host
table persist file "/usr/local/etc/pf/pf.blacklist"
# unrestricted internal hosts
table persist file "/usr/local/etc/pf/pf.savehosts"
# no loadbalanced PC's
table persist file "/usr/local/etc/pf/pc_no_balance"
# no loadbalance to Hosts
table persist file "/usr/local/etc/pf/hosts_no_balance"

## GLOBAL OPTIONS
set block-policy return
set loginterface $ext_if1
set loginterface $ext_if2
set loginterface $int_if
set optimization normal
set skip on lo0

## TRAFFIC NORMALIZATION
scrub in all no-df
scrub out all no-df

###############################################################################################
## TRANSLATION RULES (NAT)
###############################################################################################
# NAT for the whole office to the internet
nat on $ext_if1 from $int_net to any -> $ext_if1
nat on $ext_if2 from $int_net to any -> $ext_if2

###############################################################################################
## FILTER RULES
###############################################################################################
# in general block all connections and allow later below
block in log all

# allow any connection from the server to go out
pass out keep state

# allow any connections from internal network
pass in log quick on lo0
pass in log quick on $int_if
pass in log quick on $vpn_if

# allow public ports to connect and route back to both routers
# pass in log on $ext_if1 reply-to ($ext_if1 $ext_gw1) inet proto tcp from any to 192.168.1.10 port $public_services flags S/SA modulate state
# pass in log on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto tcp from any to 192.168.254.10 port $public_services flags S/SA modulate state
# pass in log on $ext_if1 reply-to ($ext_if1 $ext_gw1) inet proto udp from any to 192.168.1.10 port $public_services keep state
# pass in log on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto udp from any to 192.168.254.10 port $public_services keep state

# blacklist spam networks and so on
block log from to any
block log from any to

# VPN GRE PROTOCOL
pass in proto gre all keep state
pass out proto gre all keep state

# make sure no one spoofs internal addresses
antispoof log for { $ext_if1 $ext_if2 }

# allow ping requests from anywhere but filter them
pass in log inet proto icmp all icmp-type $icmp_types keep state

# load balance over two routers
# load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { tcp } from $int_net to any keep state

# load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $int_net to any keep state

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 21 21:22:32 2008
From: Doug Sampson
To: freebsd-pf@freebsd.org
Date: Fri, 21 Mar 2008 13:59:46 -0700
Message-ID: <9DE6EC5B5CF8C84281AE3D7454376A0D6D0288@cetus.dawnsign.com>
Subject: Bacula File/Storage Connection Woes using PF

I want to back up a client running packet filter. I am using Bacula to back up this client to a Bacula server in the internal network. The Bacula client has two interfaces: one external and one internal.
The client's internal IF is 192.168.1.25. The Bacula server is at 192.168.1.17.

When I attempt to contact the Bacula file daemon on the client, it responds by sending packets to the Bacula server daemon at a different port. It should contact the storage daemon at port 9103 but instead it attempts to contact the storage daemon at a port address that is not 9103. Thus the backup job fails.

I've tried rdr to no avail. Here's my pf.conf:

mailfilter@/usr/local/etc# pfctl -vvnf /etc/pf.conf
ext_if = "rl0"
int_if = "xl0"
internal_net = "192.168.1.1/24"
external_addr = "xxx.xxx.xxx.xxx"
vpn_net = "10.8.0.0/24"
icmp_types = "echoreq"
NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
webserver1 = "192.168.1.4"
set skip on { lo0 }
set skip on { gif0 }
@0 scrub in all fragment reassemble
@1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
@2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
@3 rdr on rl0 inet proto tcp from any to xxx.xxx.xxx.xxx port = http -> 192.168.1.4 port 80
table persist
table persist
table persist file "/usr/local/etc/spamd/spamd-mywhite"
@4 rdr pass inet proto tcp from to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 25
@5 rdr pass inet proto tcp from to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 8025
@6 rdr pass inet proto tcp from ! to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 8025
@7 block drop in log all
@8 pass in log inet proto tcp from any to xxx.xxx.xxx.xxx port = smtp flags S/SA synproxy state
@9 pass out log inet proto tcp from xxx.xxx.xxx.xxx to any port = smtp flags S/SA synproxy state
@10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
@11 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
@12 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
@13 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
@14 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
@15 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
@16 block drop out log quick on rl0 inet from any to 127.0.0.0/8
@17 block drop out log quick on rl0 inet from any to 192.168.0.0/16
@18 block drop out log quick on rl0 inet from any to 172.16.0.0/12
@19 block drop out log quick on rl0 inet from any to 10.0.0.0/8
@20 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
@21 block drop in log quick inet from 192.168.1.25 to any
@22 pass in on xl0 inet from 192.168.1.0/24 to any
@23 pass out log on xl0 inet from any to 192.168.1.0/24
@24 pass out log quick on xl0 inet from any to 10.8.0.0/24
@25 pass out on rl0 proto tcp all flags S/SA modulate state
@26 pass out on rl0 proto udp all keep state
@27 pass out on rl0 proto icmp all keep state
@28 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
@29 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
warning: macro 'icmp_types' not used
mailfilter@/usr/local/etc#

mailfilter@~# tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
000000 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: S 3943875170:3943875170(0) ack 2725840709 win 65535
005364 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 1:63(62) ack 39 win 33304
000465 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 63:80(17) ack 66 win 33304
000387 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 80:107(27) ack 125 win 33304
002063 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 107:125(18) ack 142 win 33304
002249 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 125:203(78) ack 271 win 33304
100679 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: . ack 289 win 33304
000913 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 203:223(20) ack 612 win 33304
000396 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 223:241(18) ack 643 win 33304
099682 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: . ack 699 win 33304

Why is the Bacula file daemon trying to contact the Bacula storage daemon at port 54569 instead of port 9103? I'm guessing that rule 23 is responsible for these log entries but am not sure as these entries point to rule 16 as the matching rule. I am baffled by this as these entries do not use 127.0.0.1 nor the rl0 interface.

What should happen is that the Bacula director daemon contacts the client's Bacula file daemon at port 9102 from port 9101. The file daemon on the client should contact the Bacula storage daemon at port 9103 using port 9102 and execute the backup routine. More details at:

http://bacula.org/en/rel-manual/Dealing_with_Firewalls.html#SECTION004722000000000000000

The section suggests using port forwarding to redirect packets to port 9103 but I have been unsuccessful. Please note that there is no firewall between the client and the server- only that the mailfilter client runs pf.

My Bacula config on the server works fine as it can back up LAN clients that are not using packet filter.
~Doug

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 21 21:46:42 2008
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Fri, 21 Mar 2008 22:45:14 +0100
In-Reply-To: <9DE6EC5B5CF8C84281AE3D7454376A0D6D0288@cetus.dawnsign.com>
Message-Id: <200803212245.14894.max@love2party.net>
Subject: Re: Bacula File/Storage Connection Woes using PF

On Friday 21 March 2008 21:59:46 Doug Sampson wrote:
> I want to back up a client running packet filter. I am using Bacula to
> back up this client to a Bacula server in the internal network. The
> Bacula client has two interfaces- one external and one internal. The
> client's internal IF is 192.168.1.25. The Bacula server is at
> 192.168.1.17.
>
> When I attempt to contact the Bacula file daemon on the client, it
> responds by sending packets to the Bacula server daemon at a different
> port. It should contact the storage daemon at port 9103 but instead it
> attempts to contact the storage daemon at a port address that is not
> 9103. Thus the backup job fails.
>
> I've tried rdr to no avail. Here's my pf.conf:
>
> mailfilter@/usr/local/etc# pfctl -vvnf /etc/pf.conf

use "pfctl -vvsr" instead of -nf to make sure you really get the rules
that are loaded and not those that you wanted to load.

> ext_if = "rl0"
> int_if = "xl0"
> internal_net = "192.168.1.1/24"
> external_addr = "xxx.xxx.xxx.xxx"
> vpn_net = "10.8.0.0/24"
> icmp_types = "echoreq"
> NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
> webserver1 = "192.168.1.4"
> set skip on { lo0 }
> set skip on { gif0 }
> @0 scrub in all fragment reassemble
> @1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
> @2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
> @3 rdr on rl0 inet proto tcp from any to xxx.xxx.xxx.xxx port = http -> 192.168.1.4 port 80
> table persist
> table persist
> table persist file "/usr/local/etc/spamd/spamd-mywhite"
> @4 rdr pass inet proto tcp from to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 25
> @5 rdr pass inet proto tcp from to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 8025
> @6 rdr pass inet proto tcp from ! to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 8025
> @7 block drop in log all
> @8 pass in log inet proto tcp from any to xxx.xxx.xxx.xxx port = smtp flags S/SA synproxy state
> @9 pass out log inet proto tcp from xxx.xxx.xxx.xxx to any port = smtp flags S/SA synproxy state
> @10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
> @11 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
> @12 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
> @13 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
> @14 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
> @15 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
> @16 block drop out log quick on rl0 inet from any to 127.0.0.0/8
> @17 block drop out log quick on rl0 inet from any to 192.168.0.0/16
> @18 block drop out log quick on rl0 inet from any to 172.16.0.0/12
> @19 block drop out log quick on rl0 inet from any to 10.0.0.0/8
> @20 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
> @21 block drop in log quick inet from 192.168.1.25 to any
> @22 pass in on xl0 inet from 192.168.1.0/24 to any
> @23 pass out log on xl0 inet from any to 192.168.1.0/24
> @24 pass out log quick on xl0 inet from any to 10.8.0.0/24
> @25 pass out on rl0 proto tcp all flags S/SA modulate state
> @26 pass out on rl0 proto udp all keep state
> @27 pass out on rl0 proto icmp all keep state
> @28 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
> @29 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
> warning: macro 'icmp_types' not used
> mailfilter@/usr/local/etc#
>
> mailfilter@~# tcpdump -n -e -ttt -i pflog0
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
> 000000 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: S 3943875170:3943875170(0) ack 2725840709 win 65535
> 005364 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 1:63(62) ack 39 win 33304 16163436[|tcp]>
> 000465 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 63:80(17) ack 66 win 33304 16163436[|tcp]>
> 000387 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 80:107(27) ack 125 win 33304 16163436[|tcp]>
> 002063 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 107:125(18) ack 142 win 33304 16163439[|tcp]>
> 002249 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 125:203(78) ack 271 win 33304 16163441[|tcp]>
> 100679 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: . ack 289 win 33304 16163542[|tcp]>
> 000913 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 203:223(20) ack 612 win 33304 16163542[|tcp]>
> 000396 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 223:241(18) ack 643 win 33304 16163543[|tcp]>
> 099682 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: . ack 699 win 33304 16163643[|tcp]>
>
> Why is the Bacula file daemon trying to contact the Bacula storage
> daemon at port 54569 instead of port 9103? I'm guessing that rule 23 is
> responsible for these log entries but am not sure as these entries
> point to rule 16 as the matching rule. I am baffled by this as these
> entries do not use 127.0.0.1 nor the rl0 interface.

See above. I doubt this is a bug in pf.

> What should happen is that the Bacula director daemon contacts the
> client's Bacula file daemon at port 9102 from port 9101. The file
> daemon on the client should contact the Bacula storage daemon at port
> 9103 using port 9102 and execute the backup routine. More details at:
>
> http://bacula.org/en/rel-manual/Dealing_with_Firewalls.html#SECTION004722000000000000000
>
> The section suggests using port forwarding to redirect packets to port
> 9103 but I have been unsuccessful. Please note that there is no
> firewall between the client and the server- only that the mailfilter
> client runs pf.
>
> My Bacula config on the server works fine as it can back up LAN clients
> that are not using packet filter.

From the rules you quote above, I don't see why pf should interfere with
ports towards your internal net, but then again you might be having other
rules loaded than you think you are - the pflog is a strong indication.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 22 14:50:39 2008
From: PJ
Organization: Home
To: freebsd-pf@freebsd.org
Date: Sat, 22 Mar 2008 18:56:09 +0600
Message-ID: <293896928.20080322185609@mail.ru>
Subject: altq doesn't work properly

First, sorry for my English. All required options in the kernel are installed. The simple altq testing doesn't give proper results.

The idea: a FreeBSD server is a gateway; from one net to the other I am trying to send MPEG video traffic (UDP) from one host of the 192.168.10.0/24 net to another host of the 192.168.11.0/24 net. In addition, from this net 192.168.10.0, I am sending unimportant UDP traffic in order to create a "bottleneck" of 10Mbit/s on one of the server's NICs. All traffic goes through the "bottleneck" to the host with IP 192.168.11.2.

First I tune prioritization with priq:

ext_if="fxp0"
altq on $ext_if priq bandwidth 10Mb queue { video, udp, other }
queue other priq (default)
queue udp priority 2
queue video priority 5
pass out on $ext_if proto udp from 192.168.10.2 to 192.168.11.2 queue video
pass out on $ext_if from 192.168.10.3 to 192.168.11.2 queue udp

Prioritization does not work properly even when overloading happens.

Then I tune prioritization with cbq:

altq on fxp0 cbq bandwidth 10Mb queue { usefull, other }
queue other bandwidth 100Kb cbq(default)
queue usefull bandwidth 9900Kb priority 2 { video, udp }
queue video bandwidth 3000Kb priority 5
queue udp bandwidth 6900Kb priority 1
pass out on $ext_if proto udp from 192.168.10.2 to 192.168.11.2 queue video
pass out on $ext_if proto udp from 192.168.10.3 to 192.168.11.2 queue udp

Same problem... it doesn't work. What am I doing wrong?

The system is FreeBSD 6.3
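For the Bacula/pflog thread above (Doug Sampson's question and Max Laier's reply), here is an added Python example, not from the thread or from pf itself, that cross-checks pflog entries against a pfctl rule listing: an entry whose rule number names a listed rule with a different action or interface shows that the log was produced by a ruleset other than the one listed, which is exactly what "pfctl -vvsr" versus "-vvnf" is meant to expose. The rule and log lines are constructed from the ones quoted in the thread; the regular expressions and function names are assumptions of this example.

```python
import re
from collections import namedtuple

# Rule listing in the "@N action ..." layout pfctl prints for `pfctl -vvsr`
# (loaded rules) and `pfctl -vvnf file` (rules in a file); constructed here
# from three rules quoted in the thread.
RULESET_TEXT = """\
@7 block drop in log all
@16 block drop out log quick on rl0 inet from any to 127.0.0.0/8
@23 pass out log on xl0 inet from any to 192.168.1.0/24
"""
# pflog entries as printed by `tcpdump -n -e -ttt -i pflog0`: the first two
# are from the thread, the third is constructed (198.51.100.7 is a doc address).
PFLOG_TEXT = """\
000000 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: S 3943875170:3943875170(0) ack 2725840709 win 65535
005364 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 1:63(62) ack 39 win 33304
000000 rule 7/0(match): block in on rl0: 198.51.100.7.40000 > 192.168.1.25.9102: S 1:1(0) win 65535
"""
RULE_RE = re.compile(r"^@(\d+) (pass|block)(?: (?:drop|return))? (in|out)\b(.*)$")
IFACE_RE = re.compile(r"\bon (! ?)?(\w+)")
LOG_RE = re.compile(r"rule (\d+)/\d+\(\w+\): (pass|block) (in|out) on (\w+): "
                    r"[\d.]+\.(\d+) > [\d.]+\.(\d+): ([SFRP.]+)(.*)$")
# iface is "" when the rule has no "on <if>" clause; negated marks "on ! <if>"
Rule = namedtuple("Rule", "num action direction iface negated")
LogEntry = namedtuple("LogEntry", "num action direction iface sport dport flags has_ack")

def parse_ruleset(text):
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        num, action, direction, rest = m.groups()
        im = IFACE_RE.search(rest)
        rules[int(num)] = Rule(int(num), action, direction,
                               im.group(2) if im else "", bool(im and im.group(1)))
    return rules

def parse_pflog(text):
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            num, action, direction, iface, sport, dport, flags, rest = m.groups()
            entries.append(LogEntry(int(num), action, direction, iface, int(sport),
                                    int(dport), flags, " ack " in rest))
    return entries

def tcp_kind(e):
    """SYN without ACK opens a connection; SYN+ACK answers an existing one."""
    if "S" in e.flags:
        return "syn-ack (reply)" if e.has_ack else "syn (new connection)"
    return "established"

def check(entries, rules):
    """Entries whose rule number names a listed rule with a different action,
    direction or interface: the log was then produced by another ruleset."""
    findings = []
    for e in entries:
        r = rules.get(e.num)
        if r is None:
            findings.append((e.num, "rule number not in listing"))
            continue
        problems = [f"{f} {getattr(r, f)} != {getattr(e, f)}"
                    for f in ("action", "direction") if getattr(r, f) != getattr(e, f)]
        if r.iface and (r.iface == e.iface) == r.negated:  # "on ! if" inverts
            problems.append(f"interface {'! ' if r.negated else ''}{r.iface} vs {e.iface}")
        if problems:
            findings.append((e.num, "; ".join(problems)))
    return findings
```

Run against the thread's data, check() reports rule 16 as "action block != pass; interface rl0 vs xl0", and tcp_kind() classifies the first logged packet (flags "S ... ack" from port 9102 to 54569) as a SYN-ACK, i.e. the file daemon answering the director's connection rather than opening a new one towards port 9103.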