From owner-freebsd-pf@FreeBSD.ORG Sun Apr 20 13:49:51 2008
From: "Phil"
To: freebsd-pf@freebsd.org
Date: Sun, 20 Apr 2008 09:07:19 -0500
Message-Id: <20080420130925.7B96B8A40A5@mail.testequipmentconnection.net>
Subject: Refurbished Wireless Test and Repair Values

We Sell Worldwide. Rentals and Leasing Available.

Renting or leasing test equipment is today’s answer. Renting test equipment allows you to acquire test equipment without the investment of ownership. Renting test equipment is an ideal solution for companies that need additional test equipment on short notice or need test equipment for short periods of time. Rent test equipment for special projects, replace failed equipment, or evaluate test equipment before purchasing and avoid long lead times.
Test Equipment Connection is expanding its rental inventory and investing in the newest and most popular test equipment. Our inventory is growing and changes daily. We offer over 28,000 test instruments from over 250 manufacturers. When you rent test equipment, rental payments are treated as operating expenses and not part of your capital equipment budget.

Call or Email for a Quote Today: Rental Quote Request

Tight Capital Budget? - No Problem! Check Out These High Quality Refurbished Equipment Specials and Maximize Your Budget.

Anritsu MT8220A/40/41 Sale $8,995
Anritsu S331B Sale $3,995
Anritsu S332C Sale $6,895
Anritsu ML2437A Sale $3,995
Agilent E6380A Sale $3,500
Agilent E4436B/Options Sale $15,900
Agilent 8712ET/1EC Sale $9,800
IFR COM120B Sale $9,290
HP 4284A Sale $9,990
HP 8560EC Sale $23,000
HP 8720D with options On Sale Call
R&S FSH3 On Sale Call

Over 15 Years of Sales, Service and Selection

Rohde & Schwarz SME03 Sale $5,490
IFR 2945A Sale $9,495
Anritsu S332C Sale $6,895
Anritsu S331C Sale $5,495
Anritsu S331A Sale $2,995
Agilent 8753ES Sale $22,000
Tektronix TVS645 Sale $2,750
Agilent 89431A Sale $6,890

Test Equipment Connection is Actively Purchasing De-installed, Excess, New-Surplus, Off-Lease and Underutilized Equipment.

R&S FSH6.26/B1/Z3 Sale $19,190
JDSU SDA5000 Sale $6,990
JDSU FST2802 Sale $8,490
JDSU FST-2310 Equipped for DS1, DS3, OC-3, & OC-12 Call
JDSU ANT-5 Equipped for STM-1/-4 On Sale Call
Tektronix TDS3032 Sale $3,000
Tektronix TDS3034 Sale $3,895
Tektronix TDS3054B Sale $8,490
HP 8561E Sale $11,980
Marconi 2031 Sale $3,895
Agilent E4436B w/options On Sale Call
HP 8720ES/10/12/400 Sale $55,000
HP 54540C Sale $2,495
HP 8648C/1E6 Sale $7,290

Our technicians are fully trained and have extensive calibration and repair expertise on the widest variety of makes & models. We provide high quality repair and calibration services at competitive prices with responsive turn around times for evaluation, repair and calibration.
N.I.S.T. traceable certificates in accordance with MIL-STD 45662A and ANSI/NSCL 540-1 can be provided with all repairs. In addition, ISO 9001-2000 UL registered calibrations and ISO/IEC 17025 calibrations accredited by A2LA are available for select items.

No Capital Budget? - No Problem! We Repair and Calibrate So You Can Utilize The Equipment You Already Have. Free Evaluation Coupon Below!

Toll Free USA & Canada 800-615-8378
Direct Worldwide 407-804-1184
email phil@testequipmentconnection.org
30 Skyline Drive, Lake Mary, FL 32746

This email is sent in accordance with the US CAN-SPAM Act. Removal requests can be sent to this address and will be honored and respected. If you want to discontinue this mailing, click on the following email address or respond with "unsubscribe" in the subject line to: phil@testequipmentconnection.org

From owner-freebsd-pf@FreeBSD.ORG Sun Apr 20 19:35:36 2008
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Sun, 20 Apr 2008 21:31:58 +0200
References: <4807E452.4090304@jcornwall.me.uk>
  <48090340.50200@jcornwall.me.uk>
In-Reply-To: <48090340.50200@jcornwall.me.uk>
Message-Id: <200804202131.58491.max@love2party.net>
Subject: Re: PF + if_bridge + NAT anomaly

On Friday 18 April 2008 22:23:28 Jay L. T. Cornwall wrote:
> Jay L. T. Cornwall wrote:
> > Even without 'block out all', the simple presence of:
> > pass out quick on $bridge_if
> >
> > Causes NAT to stop. tcpdump on vr1 shows that packets with private
> > IPs are passing to the WAN (and being filtered upstream). What is
> > causing NAT to stop functioning by the presence of a loose rule? Does
> > the default 'pass all' have additional flags necessary for NAT to
> > function correctly?
>
> OK, I've solved this. Kind of.
>
> By setting the sysctl net.link.bridge.pfil_bridge to 0 from its default
> 1 the 'pass out' rule no longer breaks NAT. Oddly, a 'pass in' rule on
> bridge0 is still required even though if_bridge(4) would suggest
> otherwise:
>
> net.link.bridge.pfil_bridge Set to 1 to enable filtering on the bridge
> interface, set to 0 to disable it.
>
> OK, whatever. :)

Filtering on a bridge is a bit tricky. I think what happened in your scenario is that a state was created for the flow on *IN* bridge0 which would then prevent NAT from happening.

Would you be up to share your complete working setup for future reference?
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sun Apr 20 23:53:00 2008
From: "Jay L. T. Cornwall"
To: freebsd-pf@freebsd.org
Date: Mon, 21 Apr 2008 00:52:55 +0100
Message-ID: <480BD757.5030606@jcornwall.me.uk>
References: <4807E452.4090304@jcornwall.me.uk> <48090340.50200@jcornwall.me.uk> <200804202131.58491.max@love2party.net>
In-Reply-To: <200804202131.58491.max@love2party.net>
Subject: Re: PF + if_bridge + NAT anomaly

Max Laier wrote:
> I think what happened in your scenario is that a state was created for
> the flow on *IN* bridge0 which would then prevent NAT from happening.
> Would you be up to share your complete working setup for future
> reference?

Sure. Here are my modified sysctls:

net.inet.ip.fw.enable=0
net.link.bridge.pfil_bridge=0
net.inet.ip.fw.dyn_keepalive=0

The last one seemed to be necessary to keep persistent connections stable. Even with a very rudimentary PF setup I had SSH and IMAPS sessions dropping like flies until I disabled dyn_keepalive. tcpdump showed the keepalive packets going out, apparently with no reply, then the connection would (rightly) die.

Here's the PF script. It's a half-firewall, in that I trust outbound traffic, but I don't foresee any problems modifying it to be completely exclusive. The public address block is masked as XXX.XXX.XXX.XXX.

# === Macros ===
int_if = "vr0"
ext_if = "vr1"
bridge_if = "bridge0"
lan_ips = "{192.168.1.0/24 XXX.XXX.XXX.16/29}"
nat_from_ips = "192.168.1.0/24"
nat_to_ip = "XXX.XXX.XXX.21"
bittorrent_ips = "XXX.XXX.XXX.19"
ident_ips = "XXX.XXX.XXX.19"
ssh_ips = "{XXX.XXX.XXX.17 XXX.XXX.XXX.18 XXX.XXX.XXX.20}"
bittorrent_ports = "6881:6889"

# === Tables ===
table persist

# === Options ===
# Don't filter on loopback. (Not necessary and would collide with
# antispoof.)
set skip on lo0

# === Scrub ===
# Clean incoming packets on all interfaces. Scrubbing outbound packets
# would be redundant, save for those originating from the firewall
# itself. We assume the firewall machine is secure.
scrub in all

# === Queueing ===

# === Translation ===
# NAT through the external interface from a private subnet to a specific
# IP bound to the bridge interface. This IP may be an alias.
nat on $ext_if from $nat_from_ips to any -> $nat_to_ip

# === Filter rules ===
# Deny inbound traffic only. Assume all outbound traffic is legitimate.
block in all

# Deny hosts that have been banned for connection overloading.
block in quick on $ext_if from

# Protect the loopback interface from spoofing. We cannot protect the
# bridge interface or it would block NAT.
antispoof quick for { lo0 }

# Allow free inbound traffic on the LAN interface. We will do all
# external-to-LAN filtering on the vr1 interface.
pass in quick on $int_if

# Maintain outbound state on all interfaces.
pass out quick on $int_if
pass out quick on $bridge_if
pass out quick on $ext_if

# Open holes for packets destined for LAN services. This does *not*
# cover the bridge itself.
pass in quick on $ext_if proto tcp from any to $bittorrent_ips port \
    $bittorrent_ports
pass in quick on $ext_if proto tcp from any to $ident_ips port auth
pass in quick on $ext_if proto tcp from any to $ssh_ips port ssh \
    flags S/SA synproxy state \
    (max-src-conn-rate 5/20, overload flush global)

# The bridge needs its own set of service holes, applying to both
# internal and external hosts.
pass in quick on $bridge_if proto udp from $lan_ips to any port domain
pass in quick on $bridge_if proto tcp from any to any port ssh \
    flags S/SA synproxy state \
    (max-src-conn-rate 5/20, overload flush global)

-- 
Jay L. T.
Cornwall
http://www.jcornwall.me.uk/

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 21 11:06:53 2008
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 21 Apr 2008 11:06:52 GMT
Message-Id: <200804211106.m3LB6qo3095251@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/116610   pf    [patch] teach tcpdump(1) to cope with the new-style pf
o kern/120281  pf    [request] lost returning packets to PF for a rdr rule
o kern/122014  pf    [panic] FreeBSD 6.2 panic in pf

5 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
s conf/110838  pf    tagged parameter on nat not working on FreeBSD 5.2
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/114567  pf    [pf] LOR pf_ioctl.c + if.c
f kern/116645  pf    [request] pfctl -k does not work in securelevel 3
o kern/118355  pf    [pf] [patch] pfctl help message options order false -t
f kern/119661  pf    [pf] "queue (someq, empy_acks)" doesn't work
o kern/120057  pf    [patch] Allow proper settings of ALTQ_HFSC. The check
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to

11 problems total.
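The state-versus-NAT interaction diagnosed in the "PF + if_bridge + NAT anomaly" thread above, as an added model written for this page (it is neither pf's nor if_bridge's code and was not posted by anyone in the thread). It assumes that pf performs a state lookup before consulting any rule at each hook, that states float across interfaces but only match their own direction, that explicit pass rules keep state while the implicit default pass does not, and that with net.link.bridge.pfil_bridge=1 a routed packet is evaluated on bridge0 before the member interface it leaves through; the addresses are constructed stand-ins for the masked ones in the posted ruleset.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str


@dataclass
class Pf:
    """Minimal model of pf's per-hook decision order (assumption, not pf source)."""
    ext_if: str          # interface named in 'nat on $ext_if ...'
    nat_from: str        # source prefix to translate (stands in for 192.168.1.0/24)
    nat_to: str          # constructed stand-in for the page's masked XXX.XXX.XXX.21
    pass_rules: set      # {(iface, direction)} for each 'pass <dir> quick on <iface>'
    states: dict = field(default_factory=dict)

    def evaluate(self, pkt, iface, direction):
        """One pfil hook: state lookup first, then translation, then filter rules."""
        key = (direction, pkt.proto, pkt.src, pkt.dst)
        if key in self.states:
            # A matching floating state short-circuits rule evaluation, so a
            # 'nat on' rule bound to this interface is never consulted.
            return self.states[key]
        if direction == "out" and iface == self.ext_if and pkt.src.startswith(self.nat_from):
            pkt = Packet(pkt.proto, self.nat_to, pkt.dst)   # translate before filtering
        if (iface, direction) in self.pass_rules:
            self.states[key] = pkt      # explicit pass rules keep state
        return pkt                      # the implicit default pass is stateless


def forward(pf, pkt, pfil_bridge):
    """Walk a LAN packet through the hooks it meets on the way to the WAN.

    Model assumption: in on the LAN member (vr0), out on bridge0 only when
    net.link.bridge.pfil_bridge=1, then out on the WAN member (vr1).
    """
    hooks = [("vr0", "in")]
    if pfil_bridge:
        hooks.append(("bridge0", "out"))
    hooks.append((pf.ext_if, "out"))
    for iface, direction in hooks:
        pkt = pf.evaluate(pkt, iface, direction)
    return pkt


def build_pf(bridge_pass_out):
    """Ruleset shaped like the posted one: nat on vr1, pass in on vr0, pass out
    on vr1, and optionally the 'pass out quick on $bridge_if' rule that broke NAT."""
    rules = {("vr0", "in"), ("vr1", "out")}
    if bridge_pass_out:
        rules.add(("bridge0", "out"))
    return Pf(ext_if="vr1", nat_from="192.168.1.", nat_to="203.0.113.21", pass_rules=rules)


def wire_source(pfil_bridge, bridge_pass_out):
    """Source address tcpdump on vr1 would show for a constructed LAN flow."""
    pf = build_pf(bridge_pass_out)
    pkt = Packet("tcp", "192.168.1.50", "198.51.100.10")   # constructed sample flow
    first = forward(pf, pkt, pfil_bridge)
    second = forward(pf, pkt, pfil_bridge)   # later packets of the flow hit the state
    assert first == second
    return first.src


if __name__ == "__main__":
    for pfil_bridge in (1, 0):
        for bridge_rule in (True, False):
            print(f"pfil_bridge={pfil_bridge} pass-out-on-bridge0={bridge_rule}: "
                  f"source seen on vr1 = {wire_source(pfil_bridge, bridge_rule)}")
```

Only the combination of bridge-level filtering and a stateful pass rule on bridge0 leaves the private address on the wire, which is the observation in the thread; dropping either (pfil_bridge=0, or no explicit pass rule on the bridge) lets the nat rule on vr1 run.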
From owner-freebsd-pf@FreeBSD.ORG Wed Apr 23 14:35:58 2008
From: Nicolas de Bari Embriz Garcia Rojas
To: freebsd-pf@freebsd.org
Date: Wed, 23 Apr 2008 09:08:25 -0500
Subject: routing

I have an ipsec/vpn on FreeBSD 6.3 from one master server to another server, one of which has multiple jails.
Each jail has its own public IP and I need to do something like this:

vpn point >----------------------< master server with jails <-------> jail (75.76.78.80)
64.68.69.79/10.10.10.1            75.76.78.79/10.10.10.2

When doing a telnet to 10.10.10.2 80 from 10.10.10.1 I want the jail with IP 75.76.78.80 to respond, and also for jail 75.76.78.80 to be able to telnet the other vpn point 10.10.10.1.

I am trying to route traffic using PF but it is not working for the tunnel, only for the non-encrypted traffic. Example:

rdr on em1 proto tcp from any to any port 80 -> 75.76.78.80

But if I use the gif0 interface (the one for the tunnel) instead of em1 it does not work.

Any ideas?

-- 
> nbari

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 24 19:46:02 2008
From: "Kevin K"
To: freebsd-pf@freebsd.org
Date: Thu, 24 Apr 2008 15:43:43 -0400
Message-ID: <001801c8a643$815aa480$840fed80$@com>
Subject: Problem with consistent disconnection of IRC sessions
I am running a basic freebsd 7.0 pf router/firewall for my home computer. On this same machine I am usually running an IRC (tcp 6667) session.

It seems as though every 30 minutes to every several hours, my IRC session disconnects and reconnects itself.

I'm passing in/out tcp 6667 w/ FLAGS S/SA keep state. I'm scrub in all + scrub out all, and basically it's a standard setup.

I'm wondering if anyone can help me more. I have my PF rules if more information is needed but hopefully someone has a suggestion without requiring that.

Thank you,
Kevin K.

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 25 01:53:24 2008
From: Elliott Perrin
To: Kevin K
Cc: freebsd-pf@freebsd.org
Date: Thu, 24 Apr 2008 21:53:19 -0400
Message-Id: <1209088399.1525.4.camel@kensho.c7.ca>
In-Reply-To: <001801c8a643$815aa480$840fed80$@com>
Reply-To: elliott@c7.ca
Subject: Re: Problem with consistent disconnection of IRC sessions

On Thu, 2008-04-24 at 15:43 -0400, Kevin K wrote:
> I am running a basic freebsd 7.0 pf router/firewall for my home computer. On
> this same machine I am usually running an IRC (tcp 6667) session.
>
> It seems as though every 30 minutes to every several hours, my IRC session
> disconnects and reconnects itself.
>
> I'm passing in/out tcp 6667 w/ FLAGS S/SA keep state. I'm scrub in all +
> scrub out all , and basically it's a standard setup.
>
> I'm wondering if anyone can help me more. I have my PF rules if more
> information is needed but hopefully someone has a suggestion without
> requiring that.
>

Do you have pftop installed? If so, when the disconnects occur do you see a new session / new state being created alongside the old one? Just want to be sure that it is a disconnect at your pf firewall and not at either the client / server. Since I know first hand that you have a pretty good handle on your rule set it may not be your pf setup.
Cheers,
~e

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 25 04:20:18 2008
From: Jeremy Chadwick
To: Kevin K
Cc: freebsd-pf@freebsd.org
Date: Thu, 24 Apr 2008 21:20:18 -0700
Message-ID: <20080425042018.GA86451@eos.sc1.parodius.com>
In-Reply-To: <001801c8a643$815aa480$840fed80$@com>
Subject: Re: Problem with consistent disconnection of IRC sessions

On Thu, Apr 24, 2008 at 03:43:43PM -0400, Kevin K wrote:
> I am running a basic freebsd 7.0 pf router/firewall for my home computer. On
> this same machine I am usually running an IRC (tcp 6667) session.
>
> It seems as though every 30 minutes to every several hours, my IRC session
> disconnects and reconnects itself.

There's a pretty good chance if it's a server on a popular network (EFnet, DALnet, etc.), it may be under DoS, or may have incorrect filtering rules applied to it. If you're absolutely sure your rules are OK, then it's probably not you.
The reason I say this: IRC's protocol involves a PING check which the server sends to the client every few minutes (usually; the server admin can set it to any value he/she likes, but most people pick 5 minutes), and the client is required to respond to that PING. This is more or less a poor-man's TCP keepalive. This PING is not ICMP echo/echo-reply -- it's literally part of the IRC protocol.

The regularity of people on public IRC networks pinging out/timing out is immense. I sit in #bsdports and see this happen to people hundreds of times a day.

The issue may also be related to Internet peering, which you have absolutely no control over. Backbone providers break the Internet on a nightly basis (this is not an exaggeration), and IRC is one of the most "real-time" environments there is, so people notice.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.
PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 25 07:05:54 2008
From: "Morten Grunnet Buhl"
To: freebsd-pf@freebsd.org
Date: Fri, 25 Apr 2008 08:38:28 +0200
Message-ID: <402f78990804242338v5c2d6e95yaf73382878f8c26@mail.gmail.com>
Subject: pf (+ relayd?)
as lvs replacement

Our setup:

                    +--------------------+
                    |       Client       |
                    +----------+---------+
                               |
                               |
                               |
+------------------------------+-------------------------------+
|                   The World Wide Web (TM)                    |
+------------+-----------------+------------------+------------+
             |                 | Ext              |
             |          +------+------+           |
             |          | Gentoo/LVS  |           |
             |          +------+------+           |
             | Ext             |              Ext |
             |                 |                  |
             |      +----------+-----------+      |
             |      | Int                  |      |
           +-+------+-+                 +--+------+-+
           |  FBSD1   |                 |   FBSD2   |
           +----------+                 +-----------+

GentExtif      XXX.XXX.XXX.10
GentIntif      10.0.0.10

FBSD1Extif     XXX.XXX.XXX.11
FBSD1lo0alias  XXX.XXX.XXX.10
FBSD1Intif     10.0.0.11

FBSD2Extif     XXX.XXX.XXX.12
FBSD2lo0alias  XXX.XXX.XXX.10
FBSD2Intif     10.0.0.12

Gentoo/LVS manipulates the package from a client and sends it to FBSD(1|2).
FBSD(1|2) then returns data directly to the client.

As you can see, all of our machines have external IPs. This diagram is a scaled down version of our setup. The Gentoo/LVS machine handles more 'clusters' of (more than two) machines. These machines are sending a lot more traffic than they are receiving. It's therefore not feasible to route the traffic out through one single machine as it would quickly become the bottleneck. This setup is transparent to our users and is working quite well.

Motivation:
All our 'back-end' machines are now running *BSD. The company's only Linux guy/defender/admin has left us. We would therefore like to completely lose Linux in our setup. We have seen that IPVS has been ported to FreeBSD but have not had any luck finding people that use it on a larger scale. Furthermore we would like to make this solution more clean (if possible) using pf.

Question:
Is this possible with pf (maybe with relayd)?
Thanks in advance for any information (positive or negative) that might help us on our way. /mgb From owner-freebsd-pf@FreeBSD.ORG Fri Apr 25 07:43:36 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CFFE81065674 for ; Fri, 25 Apr 2008 07:43:36 +0000 (UTC) (envelope-from phoemix@harmless.hu) Received: from marvin.harmless.hu (www.ssl.harmless.hu [195.56.55.205]) by mx1.freebsd.org (Postfix) with ESMTP id 5E1718FC1F for ; Fri, 25 Apr 2008 07:43:36 +0000 (UTC) (envelope-from phoemix@harmless.hu) Received: from fw.publishing.hu ([82.131.181.62] helo=twoflower.in.publishing.hu) by marvin.harmless.hu with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1JpIKr-000Mth-Cm; Fri, 25 Apr 2008 09:27:09 +0200 Date: Fri, 25 Apr 2008 09:27:06 +0200 From: CZUCZY Gergely To: "Morten Grunnet Buhl" Message-ID: <20080425092706.2a977670@twoflower.in.publishing.hu> In-Reply-To: <402f78990804242338v5c2d6e95yaf73382878f8c26@mail.gmail.com> References: <402f78990804242338v5c2d6e95yaf73382878f8c26@mail.gmail.com> Organization: Harmless Digital X-Mailer: Claws Mail 3.3.1 (GTK+ 2.10.11; i386-portbld-freebsd6.2) Mime-Version: 1.0 Content-Type: multipart/signed; boundary="Sig_/s=wZ3M35vimV8vQ6S/l8fFF"; protocol="application/pgp-signature"; micalg=PGP-SHA1 Sender: Czuczy Gergely Cc: freebsd-pf@freebsd.org Subject: Re: pf (+ relayd?) 
 as lvs replacement

Hello,

A somewhat similar setup can be achieved using relayd, but this kind of load
balancing shouldn't be done on the L2/L3 level. This kind of load balancing
should be done on Layer 7 with some application-level load balancers. That way
you can also do more than this (like sanitizing the requests before they get
to the actual servers).

Some projects exist out there to do this, like pound[1], or also nginx has
some features for this purpose, and even apache2.2 is being extended in this
direction.

[1] http://www.apsis.ch/pound/

--
Regards,
Czuczy Gergely
Harmless Digital Bt
mailto: gergely.czuczy@harmless.hu
Tel: +36-30-9702963

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 25 15:06:25 2008
From: Mohacsi Janos <mohacsi@niif.hu>
To: CZUCZY Gergely
Cc: freebsd-pf@freebsd.org
Date: Fri, 25 Apr 2008 17:06:21 +0200 (CEST)
Subject: Re: pf (+ relayd?) as lvs replacement

On Fri, 25 Apr 2008, CZUCZY Gergely wrote:

> Hello,
>
> A somewhat similar setup can be achieved using relayd, but this kind of load
> balancing shouldn't be done on the L2/L3 level. This kind of load balancing
> should be done on Layer 7 with some application-level load balancers.
> That way you can also do more than this (like sanitizing the requests
> before they get to the actual servers).
>
> Some projects exist out there to do this, like pound[1], or also nginx has
> some features for this purpose, and even apache2.2 is being extended in this
> direction.

Most of these projects don't have IPv6 support, while pf has IPv6 support
built in. We are using pf for load balancing HTTP for more than a year now,
successfully.

Best Regards,

Janos Mohacsi
Network Engineer, Research Associate, Head of Network Planning and Projects
NIIF/HUNGARNET, HUNGARY
Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 25 16:02:12 2008
From: CZUCZY Gergely <phoemix@harmless.hu>
To: Mohacsi Janos
Cc: freebsd-pf@freebsd.org
Date: Fri, 25 Apr 2008 18:02:05 +0200
Subject: Re: pf (+ relayd?)
 as lvs replacement

Adding IPv6 support to a project like this is usually a trivial thing to do,
nothing special. IMHO the cause of the lack of this feature in many projects
is the lack of requirement. Nobody tells the developers that IPv6 support is
needed. So, not a big deal.

--
Sincerely,

Gergely CZUCZY,
Harmless Digital
mailto: gergely.czuczy@harmless.hu

Legacy software is software that works.

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 25 16:46:43 2008
From: Mohacsi Janos <mohacsi@niif.hu>
To: CZUCZY Gergely
Date: Fri, 25 Apr 2008 18:46:37 +0200 (CEST)
Cc: freebsd-pf@freebsd.org
Subject: Re: pf (+ relayd?) as lvs replacement

On Fri, 25 Apr 2008, CZUCZY Gergely wrote:

> Adding IPv6 support to a project like this is usually a trivial thing
> to do, nothing special. IMHO the cause of the lack of this feature in
> many projects is the lack of requirement. Nobody tells the developers
> that IPv6 support is needed. So, not a big deal.

I am not quite sure that adding IPv6 is trivial:
- A few years ago I had a look at squid about IPv6 support - difficult.
- Adding IPv6 support to LVS - extremely complex.
- Adding IPv6 support to snort - took almost 2 years!

If the networking code is unreadable, or uses an int as storage for an IP
address, then you are out of luck - better to change to other software...

Best Regards,

Janos Mohacsi
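The question in the original post, as an added example that is none of the posters' own configuration: a pf.conf sketch for the director that contrasts an rdr pool, whose replies must come back through the director, with a route-to pool that hands packets to the backends without rewriting the destination, which is the pf mechanism closest to the LVS direct-return setup drawn above. Interface names and the block policy are assumptions; the addresses are the placeholders from the diagram, and rules for the director's own traffic are omitted.

```pf
# Added example, not from this thread: pf.conf sketch for the
# Gentoo/LVS role on a FreeBSD director. Interface names and the
# block policy are assumptions; addresses are the placeholders from
# the diagram in the original post.

ext_if = "em0"              # assumed: GentExtif, holds XXX.XXX.XXX.10
int_if = "em1"              # assumed: GentIntif, 10.0.0.10
vip    = "XXX.XXX.XXX.10"   # VIP placeholder, also on lo0 of FBSD1/FBSD2
backends = "{ 10.0.0.11, 10.0.0.12 }"

block all

# (a) rdr pool, shown for contrast. pf rewrites the destination to a
# backend and must see the reply to undo that rewrite, so every
# server->client byte would flow back through the director, the
# bottleneck the original post wants to avoid.
#rdr on $ext_if inet proto tcp to $vip port 80 -> $backends round-robin sticky-address
#pass in on $ext_if inet proto tcp to $backends port 80 keep state

# (b) route-to pool. The packet is handed to a backend's link address
# on $int_if with the IP destination left as the VIP. Each backend has
# the VIP aliased on lo0 (FBSD1lo0alias/FBSD2lo0alias), so it accepts
# the packet and answers the client straight out of its own external
# interface, as LVS direct routing does. keep state pins the backend
# choice per connection; sticky-address pins it per client address.
pass in on $ext_if inet proto tcp to $vip port 80 \
    route-to { ($int_if 10.0.0.11), ($int_if 10.0.0.12) } \
    round-robin sticky-address keep state
# The rerouted packet is filtered again on its way out of $int_if.
pass out on $int_if inet proto tcp to $vip port 80 keep state

# Caveats a replacement has to be tested against:
# - the director never sees the server->client half, so its TCP states
#   stay in the opening stage and age out on tcp.opening, not
#   tcp.established (see "set timeout" in pf.conf(5)); a connection
#   idle longer than that may be re-balanced when it resumes.
# - protections that need both directions (synproxy, per-state limits)
#   have to live on FBSD1/FBSD2, which also filter their own replies.
```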