From owner-freebsd-pf@FreeBSD.ORG Mon Apr 28 08:32:06 2008
From: "Reinhold" <freebsd@violetlan.net>
To: freebsd-pf@freebsd.org
Date: Mon, 28 Apr 2008 08:57:06 +0100 (BST)
Message-ID: <56784.217.41.34.61.1209369426.squirrel@www.violetlan.net>
Subject: load balancing and bridging ath0 with re0

Hi

I'm having a bit of a problem with getting my wlan to access the lan. I have
created a bridge and it's working, in that both wlan and lan can access the
internet perfectly well, but they can't see each other. When I disable pf
then they can access each other.
The problem is that I'm doing load-balancing, so when I disable pf my
internet stops working.

Here is my ifconfig

rl0  -> wan1
rl1  -> wan2
re0  -> lan
ath0 -> wlan

ath0: flags=8943 metric 0 mtu 2290
	ether 00:0b:6b:0b:62:c8
	media: IEEE 802.11 Wireless Ethernet autoselect (autoselect )
	status: associated
	ssid something channel 2 (2417 Mhz 11g) bssid 00:0b:6b:0b:62:c8
	authmode WPA privacy MIXED deftxkey 2 TKIP 2:128-bit TKIP 3:128-bit
	txpower 31.5 scanvalid 60 bgscan bgscanintvl 300 bgscanidle 250
	roam:rssi11g 7 roam:rate11g 5 protmode CTS burst dtimperiod 1
rl0: flags=8843 metric 0 mtu 1500
	options=8
	ether 00:04:a7:09:81:80
	media: Ethernet autoselect (100baseTX )
	status: active
rl1: flags=8843 metric 0 mtu 1500
	options=8
	ether 00:04:a7:09:81:7f
	media: Ethernet autoselect (100baseTX )
	status: active
re0: flags=8943 metric 0 mtu 1500
	options=98
	ether 00:04:a7:05:88:c0
	media: Ethernet autoselect (1000baseTX )
	status: active
plip0: flags=108810 metric 0 mtu 1500
pflog0: flags=141 metric 0 mtu 33204
pfsync0: flags=0<> metric 0 mtu 1460
	syncpeer: 224.0.0.240 maxupd: 128
lo0: flags=8049 metric 0 mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0xb
	inet6 ::1 prefixlen 128
	inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8843 metric 0 mtu 1500
	ether 92:52:90:af:3f:07
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
	member: re0 flags=143
	member: ath0 flags=143
ng0: flags=88d1 metric 0 mtu 1485
	inet 111.222.333.444 --> 112.221.331.441 netmask 0xffffffff
ng1: flags=88d1 metric 0 mtu 1485
	inet 22.333.444.555 --> 121.212.313.414 netmask 0xffffffff

and here are my pf rules

# pass on unfiltered interfaces
#
pass quick on $unfiltered

# default deny
#
# silently drop TCP non-SYN packets, the remaining ruleset only deals with
# TCP SYNs, which always create state when passed. the ruleset basically
# deals with 'connections', not packets, beyond this point.
#
block return-rst quick proto tcp all flags /S
block return-rst quick proto tcp all flags A/A

# block and log everything by default
#
block log
block return-rst log inet proto tcp
block return-icmp log inet proto udp

# silently drop broadcasts (ADSL noise)
#
block in quick on $ext_if1 inet from any to 255.255.255.255
block in quick on $ext_if2 inet from any to 255.255.255.255

# bruteforce
#
block quick from to any

# block some known-bad ports without logging
#
block return-rst in quick on $ext_if1 proto tcp from any to any port { 111, 445, 1080, 6000, 6667 }
block return-icmp in quick on $ext_if1 proto udp from any to any port { 137, 138, 139, 1434 }
block return-rst in quick on $ext_if2 proto tcp from any to any port { 111, 445, 1080, 6000, 6667 }
block return-icmp in quick on $ext_if2 proto udp from any to any port { 137, 138, 139, 1434 }

# block and log incoming packets from reserved address space and invalid
# addresses, they are either spoofed or misconfigured, we can't reply to
# them anyway (hence, no return-rst).
#
block in log quick on $ext_if1 inet from $unroutable to any
block in log quick on $ext_if2 inet from $unroutable to any

# block and log outgoing packets that don't have my address as source, they are
# either spoofed or something is misconfigured (NAT disabled, for instance),
# we want to be nice and not send out garbage.
#
block out log quick on $ext_if1 inet from !(ng0) to any
block out log quick on $ext_if2 inet from !(ng1) to any

# OUT GOING ROUTING
#
# HTTPS OVER WAN1
pass in quick on $int_if route-to { ( $ext_if1 $ext_gw1 ) } proto tcp from $lan_net to any port = 443 keep state
# SSH OVER WAN1
pass in quick on $int_if route-to { ( $ext_if1 $ext_gw1 ) } proto tcp from $lan_net to any port = 4424 keep state
pass in quick on $int_if route-to { ( $ext_if1 $ext_gw1 ) } proto tcp from $lan_net to any port = 22 keep state
# BLA OVER WAN1 for user1
pass in quick on $int_if route-to { ( $ext_if1 $ext_gw1 ) } proto tcp from $lan_net to some-ip-address keep state

#
# LOAD BALANCING
#
# pass all outgoing packets on internal interface
pass out log on $int_if from any to $lan_net
# pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if
# load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $lan_net to any keep state
# load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { udp, icmp } from $lan_net to any keep state
# general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state
# route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
# $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

I also can't see why or where it's blocking with tcpdump.

Any help will be appreciated.
Regards

Reinhold

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 28 08:35:56 2008
From: Jeremy Chadwick <jdc@parodius.com>
To: Reinhold <freebsd@violetlan.net>
Cc: freebsd-pf@freebsd.org
Date: Mon, 28 Apr 2008 01:35:55 -0700
Message-ID: <20080428083555.GA81953@eos.sc1.parodius.com>
In-Reply-To: <56784.217.41.34.61.1209369426.squirrel@www.violetlan.net>
Subject: Re: load balancing and bridging ath0 with re0

On Mon, Apr 28, 2008 at 08:57:06AM +0100, Reinhold wrote:
> I'm having a bit of problem with getting my wlan to access the lan. I have
> created a bridge and its working in that both wlan and lan can access the
> internet perfectly well but they can't see each other. When I disable pf
> then they can access each other. The problem is that I'm doing
> load-balancing so when I disable pf my internet stops working.

Have you tried tinkering with the sysctls mentioned in bridge(4)?  There
are even more available on RELENG_7, in the case you're using something
older.
-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 28 11:07:07 2008
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 28 Apr 2008 11:07:06 GMT
Message-Id: <200804281107.m3SB76k1056211@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/116610   pf         [patch] teach tcpdump(1) to cope with the new-style pf
o kern/120281  pf         [request] lost returning packets to PF for a rdr rule
o kern/122014  pf         [panic] FreeBSD 6.2 panic in pf

5 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
s conf/110838  pf         tagged parameter on nat not working on FreeBSD 5.2
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
f kern/116645  pf         [request] pfctl -k does not work in securelevel 3
o kern/118355  pf         [pf] [patch] pfctl help message options order false -t
f kern/119661  pf         [pf] "queue (someq, empy_acks)" doesn't work
o kern/120057  pf         [patch] Allow proper settings of ALTQ_HFSC. The check
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to

11 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Apr 28 11:10:17 2008
From: "Reinhold" <freebsd@violetlan.net>
To: "Jeremy Chadwick" <jdc@parodius.com>
Cc: freebsd-pf@freebsd.org
Date: Mon, 28 Apr 2008 12:10:58 +0100 (BST)
Message-ID: <55812.217.41.34.61.1209381058.squirrel@www.violetlan.net>
In-Reply-To: <20080428083555.GA81953@eos.sc1.parodius.com>
Subject: Re: load balancing and bridging ath0 with re0

On Mon, April 28, 2008 09:35, Jeremy Chadwick wrote:
> On Mon, Apr 28, 2008 at 08:57:06AM +0100, Reinhold wrote:
>
>> I'm having a bit of problem with getting my wlan to access the lan. I
>> have created a bridge and its working in that both wlan and lan can
>> access the internet perfectly well but they can't see each other. When I
>> disable pf then they can access each other. The problem is that I'm
>> doing load-balancing so when I disable pf my internet stops working.
>
> Have you tried tinkering with the sysctls mentioned in bridge(4)? There
> are even more available on RELENG_7, in the case you're using something
> older.
>

Hi

I forgot to mention that I'm using RELENG_7_0

I have played with sysctl; here is what they are now

# sysctl net.link.bridge
net.link.bridge.ipfw: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 0

I've changed net.link.bridge.pfil_onlyip from 1 to 0 with no effect, and I
tried net.link.bridge.pfil_local_phys 0 to 1, but then all access to the
internet stopped, so I had to change it back to 0

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 28 12:50:01 2008
From: Daniel Roethlisberger <daniel@roe.ch>
To: freebsd-pf@freebsd.org
Date: Mon, 28 Apr 2008 14:31:31 +0200
Message-ID: <20080428123131.GA11879@hobbes.ustdmz.roe.ch>
Subject: IPv6: pf drops all fragments unconditionally

Inspired by the addition of IPv6 glue to the root zone and the various
IPv6 hours, I am in the process of IPv6 enabling systems and networks
under my control.

The only showstopper so far is the fact that pf unconditionally drops
all IPv6 fragmented packets, since IPv6 fragment reassembly is not
implemented yet. According to pf.conf(5):

    Currently, only IPv4 fragments are supported and IPv6 fragments
    are blocked unconditionally.

While I certainly agree with failing closed by default, not open, I'd
really like to be able to have my machines handle IPv6 fragments
properly, or for the time being, have some way to at least make the
``drop all fragments'' behaviour tunable without patching/recompiling.
I am aware that given PMTU discovery, fragmentation is less likely to
happen with IPv6 than with IPv4.

What is the state of full IPv6 fragment reassembly support? Is anybody
working on this, at FreeBSD or upstream? Is there a reason why fragment
reassembly is any harder to implement for IPv6 than for IPv4?

I don't think that pf is ready for IPv6 yet if it unconditionally drops
IPv6 fragments.
-Dan

-- 
Daniel Roethlisberger

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 28 14:52:41 2008
From: Nicolas de Bari Embriz Garcia Rojas <nbari@k9.cx>
To: freebsd-pf@freebsd.org
Cc: freebsd-jail@freebsd.org
Date: Mon, 28 Apr 2008 09:52:30 -0500
Subject: routing gif0 ipsec

Hi all, I am trying to all traffic from a gif0 interface used for a VPN
to a public IP on the same server that is like an alias.

I have the following schema (FreeBSD 6.3)

gif0: flags=8051 mtu 1280
	tunnel inet 67.228.79.224 --> 74.86.163.16
	inet 172.16.224.1 --> 172.16.16.1 netmask 0xffffffff

em1: flags=8843 mtu 1500
	options=1b
	inet 67.228.78.162 netmask 0xfffffff8 broadcast 67.228.78.167
	inet 67.228.79.224 netmask 0xffffffff broadcast 67.228.79.224

The VPN from point 172.16.224.1 --> 172.16.16.1 works, I can ping/telnet
to 172.16.16.1 and get a response.

The jail is running on IP 67.228.79.224 (same IP used for doing the
VPN/IPSEC) but if I log in to that jail (jexec 1 csh) I can not ping
172.16.16.1

currently I am trying this with pf
--
nat pass on gif0 from 67.228.79.224 to 172.16.16.1 -> 172.16.224.1
rdr pass on gif0 proto tcp from any to any port 80 -> 67.228.79.224

pass in log from any to any keep state
pass out log from any to any keep state
--
but it is not working, from the jail (67.228.79.224) I can not ping/telnet
the VPN 172.16.16.1

there is a tool called jumpgate with which I can redirect incoming tcp to
gif0 and forward traffic to em1 without problems, but instead I would
like to use pf

jumpgate -b 172.16.224.1 -l 80 -r 80 -a 67.228.79.224

with this I can telnet from the other end point to port 80 and I can
forward the connection to the public IP of the jail through the VPN tunnel.

any ideas on how to solve this issue using pf or maybe some routing rules.

regards.

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 28 17:19:00 2008
From: Nicolas de Bari Embriz Garcia Rojas <nbari@k9.cx>
To: freebsd-pf@freebsd.org
Date: Mon, 28 Apr 2008 12:18:47 -0500
Message-Id: <1D3CC81F-19C9-4DAB-A2C8-3CC84C4528BD@k9.cx>
Subject: routing gif0 ipsec

Hi all, I am trying to all traffic from a gif0 interface used for a VPN
to a public IP on the same server that is like an alias.

I have the following schema (FreeBSD 6.3)

gif0: flags=8051 mtu 1280
	tunnel inet 67.228.79.224 --> 74.86.163.16
	inet 172.16.224.1 --> 172.16.16.1 netmask 0xffffffff

em1: flags=8843 mtu 1500
	options=1b
	inet 67.228.78.162 netmask 0xfffffff8 broadcast 67.228.78.167
	inet 67.228.79.224 netmask 0xffffffff broadcast 67.228.79.224

The VPN from point 172.16.224.1 --> 172.16.16.1 works, I can ping/telnet
to 172.16.16.1 and get a response.
The jail is running on IP 67.228.79.224 (same IP used for doing the
VPN/IPSEC) but if I log in to that jail (jexec 1 csh) I can not ping
172.16.16.1

currently I am trying this with pf
--
nat pass on gif0 from 67.228.79.224 to 172.16.16.1 -> 172.16.224.1
rdr pass on gif0 proto tcp from any to any port 80 -> 67.228.79.224

pass in log from any to any keep state
pass out log from any to any keep state
--
but it is not working, from the jail (67.228.79.224) I can not ping/telnet
the VPN 172.16.16.1

there is a tool called jumpgate with which I can redirect incoming tcp to
gif0 and forward traffic to em1 without problems, but instead I would
like to use pf

jumpgate -b 172.16.224.1 -l 80 -r 80 -a 67.228.79.224

with this I can telnet from the other end point to port 80 and I can
forward the connection to the public IP of the jail through the VPN tunnel.

any ideas on how to solve this issue using pf or maybe some routing rules.

regards.

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 28 17:56:03 2008
From: "Reinhold" <freebsd@violetlan.net>
To: freebsd-pf@freebsd.org
Date: Mon, 28 Apr 2008 18:56:45 +0100 (BST)
Message-ID: <57429.217.41.34.61.1209405405.squirrel@www.violetlan.net>
In-Reply-To: <55812.217.41.34.61.1209381058.squirrel@www.violetlan.net>
Subject: Re: load balancing and bridging ath0 with re0

On Mon, April 28, 2008 12:10, Reinhold wrote:
> On Mon, April 28, 2008 09:35, Jeremy Chadwick wrote:
>
>> On Mon, Apr 28, 2008 at 08:57:06AM +0100, Reinhold wrote:
>>
>>> I'm having a bit of problem with getting my wlan to access the lan. I
>>> have created a bridge and its working in that both wlan and lan can
>>> access the internet perfectly well but they can't see each other.
>>> When I
>>> disable pf then they can access each other. The problem is that I'm
>>> doing load-balancing so when I disable pf my internet stops working.
>>
>> Have you tried tinkering with the sysctls mentioned in bridge(4)?
>> There
>> are even more available on RELENG_7, in the case you're using something
>> older.
>>
>
> Hi
>
> I forgot to mention that I'm using RELENG_7_0
>
> I have played with sysctl here is what are now
> # sysctl net.link.bridge
> net.link.bridge.ipfw: 0
> net.link.bridge.log_stp: 0
> net.link.bridge.pfil_local_phys: 0
> net.link.bridge.pfil_member: 1
> net.link.bridge.pfil_bridge: 1
> net.link.bridge.ipfw_arp: 0
> net.link.bridge.pfil_onlyip: 0
>
> I've changed net.link.bridge.pfil_onlyip from 1 to 0 with no affect and I
> tried net.link.bridge.pfil_local_phys 0 to 1 but then all access to the
> internet stopped so I had to change it back to 0
>

woot, I got it working

All I added was

# Make wlan talk to lan
pass quick on $int_lan from any to any keep state
pass quick on $int_wlan from any to any keep state

\o/ now I can get a good night's rest :-)

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 28 18:26:30 2008
From: Jille <jille@quis.cx>
To: Nicolas de Bari Embriz Garcia Rojas <nbari@k9.cx>
Cc: freebsd-jail@freebsd.org, freebsd-pf@freebsd.org
Date: Mon, 28 Apr 2008 19:59:33 +0200
Message-ID: <48161085.7030002@quis.cx>
In-Reply-To: <1D3CC81F-19C9-4DAB-A2C8-3CC84C4528BD@k9.cx>
Subject: Re: routing gif0 ipsec

Hello Nicolas,

Would you mind stopping sending your (same) email to all mailing lists,
twice or more? I've seen your problem in 7 mails already. I don't know a
solution, but as you can see most people don't know it. It doesn't help
resending it each time.

I'm sorry for acting like a list-operator, but I think I speak for more
people on the lists.

-- Jille

Nicolas de Bari Embriz Garcia Rojas wrote:
> Hi all, I am trying to all trafic from a gif0 interface used for a vpn
> to an public IP on the same server that is like an alias
>
> I have the following schema (FreeBSD 6.3)
>
>
> gif0: flags=8051 mtu 1280
>         tunnel inet 67.228.79.224 --> 74.86.163.16
>         inet 172.16.224.1 --> 172.16.16.1 netmask 0xffffffff
>
> em1: flags=8843 mtu 1500
>         options=1b
>         inet 67.228.78.162 netmask 0xfffffff8 broadcast 67.228.78.167
>         inet 67.228.79.224 netmask 0xffffffff broadcast 67.228.79.224
>
>
> The VPN from point 172.16.224.1 --> 172.16.16.1 works, I can ping/telnet
> to 172.16.16.1 and get a response.
>
> The jail is running on IP 67.228.79.224 (same IP used for doing the
> VPN/IPSEC) but if I log int to that jail (jexec 1 csh) I can not ping
> 172.16.16.1
>
> currently I am trying this with pf
> --
> nat pass on gif0 from 67.228.79.224 to 172.16.16.1 -> 172.16.224.1
> rdr pass on gif0 proto tcp from any to any port 80 -> 67.228.79.224
>
> pass in log from any to any keep state
> pass out log from any to any keep state
> --
> but is not working, from the jail (67.228.79.224) I can not ping/telnet
> the VPN 172.16.16.1
>
> there is a tool call jumpgate with the one I can redirect incoming tcp
> to gif0 and forward trafic to em1 with out problems, but instead I would
> like to use pf
>
> jumpgate -b 172.16.224.1 -l 80 -r 80 -a 67.228.79.224
>
> with this i can telnet from the other end point to por 80 and i can
> forward the connection to the public IP of the jail through the vpn tunnel.
>
> any ideas on how to solve this issue using pf or maybe some routing rules.
>
> regards.

From owner-freebsd-pf@FreeBSD.ORG Tue Apr 29 11:29:46 2008
From: Куликов Кирилл Андреевич <77@starnetworks.ru>
To: freebsd-pf@freebsd.org
Date: Tue, 29 Apr 2008 15:02:18 +0400
Message-Id: <20080429150218.f6a02eab.77@starnetworks.ru>
Organization: StarNet
Subject: queues and tables question

Hi, I'm a System Administrator, FreeBSD, and I need help.

I have a VPN server, with for example 300 users connecting in. Those
users are separated by tariff to the Internet. Let it be, for example,
10Mb and 20Mb. 50%-10Mb and 50%-20Mb.

I don't want to make 300 queues... I want tables and queues like in IPFW
(ipfw pipe 1 config mask dst-addr 0xffffffff bw 10Mbits)

Any suggestions?

With best regards
Cyril A.
Kulikov From owner-freebsd-pf@FreeBSD.ORG Tue Apr 29 18:18:15 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2ACB9106564A for ; Tue, 29 Apr 2008 18:18:15 +0000 (UTC) (envelope-from nbari@k9.cx) Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.185]) by mx1.freebsd.org (Postfix) with ESMTP id BB70D8FC0A for ; Tue, 29 Apr 2008 18:18:14 +0000 (UTC) (envelope-from nbari@k9.cx) Received: by nf-out-0910.google.com with SMTP id h3so28790nfh.33 for ; Tue, 29 Apr 2008 11:18:13 -0700 (PDT) Received: by 10.210.58.17 with SMTP id g17mr7732279eba.190.1209493093329; Tue, 29 Apr 2008 11:18:13 -0700 (PDT) Received: from ?10.50.46.92? ( [213.58.102.135]) by mx.google.com with ESMTPS id y2sm839376mug.9.2008.04.29.11.18.10 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 29 Apr 2008 11:18:11 -0700 (PDT) Message-Id: From: Nicolas de Bari Embriz Garcia Rojas To: freebsd-pf@freebsd.org, freebsd-jail@freebsd.org In-Reply-To: <48161085.7030002@quis.cx> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v919.2) Date: Tue, 29 Apr 2008 13:18:08 -0500 References: <1D3CC81F-19C9-4DAB-A2C8-3CC84C4528BD@k9.cx> <48161085.7030002@quis.cx> X-Mailer: Apple Mail (2.919.2) Cc: Subject: Re: routing gif0 ipsec X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 Apr 2008 18:18:15 -0000 Hi all, the solution to my problem was to recompile the kernel with this option: #options IPSEC_FILTERGIF now i can route/nat trafic with pf with out any problems, hope this can help some one. 
regards > > > Nicolas de Bari Embriz Garcia Rojas schreef: >> Hi all, I am trying to all trafic from a gif0 interface used for a >> vpn to an public IP on the same server that is like an alias >> I have the following schema (FreeBSD 6.3) >> gif0: flags=8051 mtu 1280 >> tunnel inet 67.228.79.224 --> 74.86.163.16 >> inet 172.16.224.1 --> 172.16.16.1 netmask 0xffffffff >> em1: flags=8843 mtu 1500 >> options=1b >> inet 67.228.78.162 netmask 0xfffffff8 broadcast 67.228.78.167 >> inet 67.228.79.224 netmask 0xffffffff broadcast 67.228.79.224 >> The VPN from point 172.16.224.1 --> 172.16.16.1 works, I can ping/ >> telnet to 172.16.16.1 and get a response. >> The jail is running on IP 67.228.79.224 (same IP used for doing the >> VPN/IPSEC) but if I log int to that jail (jexec 1 csh) I can not >> ping 172.16.16.1 >> currently I am trying this with pf >> -- >> nat pass on gif0 from 67.228.79.224 to 172.16.16.1 -> 172.16.224.1 >> rdr pass on gif0 proto tcp from any to any port 80 -> 67.228.79.224 >> pass in log from any to any keep state >> pass out log from any to any keep state >> -- >> but is not working, from the jail (67.228.79.224) I can not ping/ >> telnet the VPN 172.16.16.1 >> there is a tool call jumpgate with the one I can redirect incoming >> tcp to gif0 and forward trafic to em1 with out problems, but >> instead I would like to use pf >> jumpgate -b 172.16.224.1 -l 80 -r 80 -a 67.228.79.224 >> with this i can telnet from the other end point to por 80 and i can >> forward the connection to the public IP of the jail through the vpn >> tunnel. >> any ideas on how to solve this issue using pf or maybe some routing >> rules. >> regards. 
>> _______________________________________________ >> freebsd-pf@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-pf >> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" From owner-freebsd-pf@FreeBSD.ORG Tue Apr 29 22:31:14 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D67CB106564A for ; Tue, 29 Apr 2008 22:31:14 +0000 (UTC) (envelope-from tom@uffner.com) Received: from eris.uffner.com (eris.uffner.com [207.245.121.212]) by mx1.freebsd.org (Postfix) with ESMTP id 8C1968FC14 for ; Tue, 29 Apr 2008 22:31:14 +0000 (UTC) (envelope-from tom@uffner.com) Received: from xiombarg.uffner.com (static-71-162-143-94.phlapa.fios.verizon.net [71.162.143.94]) (authenticated bits=0) by eris.uffner.com (8.14.2/8.14.2) with ESMTP id m3TL9e4h017348 for ; Tue, 29 Apr 2008 17:09:40 -0400 (EDT) (envelope-from tom@uffner.com) DomainKey-Signature: a=rsa-sha1; s=eris; d=uffner.com; c=nofws; q=dns; h=message-id:date:from:to:subject; b=nghAEENuhVj6rbR05GeWzyaYqAXnuy/o/Pv0SvYOsABXyDBsWnHaR+JgZ/92MXsaW Jj1WW+tD8cqArMYbAVY/w== Message-ID: <48179DA2.10303@uffner.com> Date: Tue, 29 Apr 2008 18:13:54 -0400 From: Tom Uffner User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.8.1.13) Gecko/20080404 SeaMonkey/1.1.9 MIME-Version: 1.0 To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by milter-greylist-3.0 (eris.uffner.com [192.168.1.212]); Tue, 29 Apr 2008 17:09:40 -0400 (EDT) X-Virus-Scanned: ClamAV 0.92.1/6982/Tue Apr 29 03:49:34 2008 on eris.uffner.com X-Virus-Status: Clean Subject: nfs send errors X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: 
my kernel is logging errors like these:

Apr 26 04:15:13 xiombarg kernel: nfs send error 1 for server 10.69.69.21:/data0/music
Apr 27 23:20:21 xiombarg kernel: nfs send error 1 for server 10.69.69.21:/data0/music
Apr 29 15:35:07 xiombarg kernel: nfs send error 1 for server 10.69.69.21:/data0/music

NFS does not seem to be affected. it appears to retry the send w/ a new connection. all of my nfs mounts are affected, not just the one shown above.

it looks as if the firewall is blocking packets due to state timeouts, but states should persist for up to 86400 seconds depending upon state table size, and although i am nowhere near the max table size a state appears to have gone away in less than 2469 seconds:

14:53:58.835812 rule 45/0(match): pass out on rl0: xiombarg.uffner.com.713 > 10.69.69.21.nfsd: S 1077685507:1077685507(0) win 65535
15:35:07.667381 rule 0/0(match): block out on rl0: xiombarg.uffner.com.713 > 10.69.69.21.nfsd: P 1077857136:1077857240(104) ack 1091504052 win 16588
15:35:07.667571 rule 45/0(match): pass out on rl0: xiombarg.uffner.com.1023 > 10.69.69.21.nfsd: S 772434453:772434453(0) win 65535

this is the pf config for the firewall between my desktop (xiombarg) and a mostly trusted DMZ where the nfs server lives (10.69.69.0/24). (it also contains rules controlling traffic to & from the internet which duplicate the ones on my exterior firewall)

ext_if = "rl0"
local_ip = "{ 127.0.0.1 10.69.69.60 71.162.143.94 207.245.121.212 }"
local_tcp_services ="{ 111 143 587 993 4949 5432 }"   #sunrpc, imap, submission, imaps, munin, postgres
global_tcp_services ="{ 22 25 53 80 143 443 993 }"    #ssh, smtp, domain, http, imap, https, imaps
local_udp_services ="{ 111 514 }"                     #sunrpc, syslog
global_udp_services ="{ 53 123 }"                     #domain, ntp
icmp_types = "echoreq"
table persist file "/var/db/ssh-bruteforce"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in on $ext_if all fragment reassemble

# filter rules
block log all
pass quick on lo0 all
block drop in log quick proto tcp from to any port ssh
pass in log on $ext_if inet proto tcp from any to ($ext_if) \
        port $global_tcp_services
pass in log on $ext_if inet proto tcp from $local_ip to ($ext_if) \
        port $local_tcp_services
pass in log on $ext_if inet proto tcp from 10.69.69.21 port 2049 to ($ext_if)
pass in log on $ext_if inet proto udp from any to ($ext_if) \
        port $global_udp_services
pass in log on $ext_if inet proto udp from $local_ip to ($ext_if) \
        port $local_udp_services
pass out log on $ext_if all

any suggestions on how to resolve or at least further debug this?
From owner-freebsd-pf@FreeBSD.ORG Tue Apr 29 22:54:42 2008
Date: Tue, 29 Apr 2008 23:54:09 +0100
From: "Torsten @ CNC-LONDON"
To: freebsd-pf@freebsd.org
In-Reply-To: <48179DA2.10303@uffner.com>
Message-ID: <010601c8aa4b$f067e930$d137bb90$@net>
Subject: RE: nfs send errors

Hi Tom

The following rule sorted it on my nfs shares

scrub in all no-df
scrub out all no-df

I've seen this mentioned on some website and that cured the same problem you had

Regards
Torsten

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Tom Uffner
Sent: 29 April 2008 23:14
To: freebsd-pf@freebsd.org
Subject: nfs send errors

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 30 03:06:31 2008
Message-ID: <4817E233.5020200@uffner.com>
Date: Tue, 29 Apr 2008 23:06:27 -0400
From: Tom Uffner
To: freebsd-pf@freebsd.org
In-Reply-To: <010601c8aa4b$f067e930$d137bb90$@net>
Subject: Re: nfs send errors
Torsten @ CNC-LONDON wrote:
> The following rule sorted it on my nfs shares
>
> scrub in all no-df
> scrub out all no-df
>
> I've seen this mentioned on some website and that cured the same problem you
> had

changed my scrub rule to "scrub all no-df fragment reassemble"

no effect.

if it makes a difference, the nfs server runs debian stable w/ linux 2.6.18 kernel, and my client is FreeBSD 8.0-CURRENT #160: Tue Apr 8 07:49:18 EDT 2008

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 30 08:19:02 2008
Message-ID: <48182B74.3050700@uffner.com>
Date: Wed, 30 Apr 2008 04:19:00 -0400
From: Tom Uffner
To: freebsd-pf@freebsd.org
In-Reply-To: <4817E233.5020200@uffner.com>
Subject: Re: nfs send errors

Tom Uffner wrote:
> changed my scrub rule to "scrub all no-df fragment reassemble"
>
> no effect.
>
> if it makes a difference, the nfs server runs debian stable w/ linux 2.6.18
> kernel, and my client is FreeBSD 8.0-CURRENT #160: Tue Apr 8 07:49:18
> EDT 2008

adding random-id as discussed in pf.conf under no-df does not help either.

it appears that somebody is seeing a FIN followed by a timeout waiting for an ACK, because if i watch the state table i see this before the state goes away completely:

all tcp 10.69.69.60:841 -> 10.69.69.21:2049       ESTABLISHED:FIN_WAIT_2

does this mean the server closed the connection? it can't mean my client did, otherwise it wouldn't be trying to send, right?

is there an explanation somewhere of what all the fields in a pfctl -ss (and pfctl -vvv -ss) mean?
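Added example, not code from the thread: a Python script that parses the two outputs quoted above, tcpdump lines from pflog0 and pfctl -ss state lines, reports blocks on flows pf had already passed with a SYN, and classifies each state by the timeout pf applies to it. In pf a side that sends a FIN moves to CLOSING and reaches FIN_WAIT_2 once the other side ACKs that FIN, so ESTABLISHED:FIN_WAIT_2 is a half-closed connection that pf ages with tcp.closing (900 s by default) rather than tcp.established (86400 s). The sample lines are constructed from the thread; the TCPS ordering and timeout defaults are taken from the kernel's tcp_fsm.h and pf.conf(5).

```python
"""Correlate pflog output with pf's state table (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# One tcpdump line from pflog0, as in the thread (run without -n, so
# hostnames and service names such as "nfsd" may appear).
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) "
    r"(?P<dir>in|out) on (?P<ifc>\w+): (?P<src>\S+)\.(?P<sport>[^\s:.]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[^\s:.]+): (?P<flags>[A-Z.]+) "
)

# One "pfctl -ss" line for a plain (non-NAT) state.
STATE_RE = re.compile(
    r"^(?P<ifc>\S+)\s+(?P<proto>\S+)\s+(?P<src>[^\s:]+):(?P<sport>\d+)\s+"
    r"(?P<arrow>->|<-)\s+(?P<dst>[^\s:]+):(?P<dport>\d+)\s+"
    r"(?P<s1>[A-Z_0-9]+):(?P<s2>[A-Z_0-9]+)$"
)

# TCPS_* ordinals from netinet/tcp_fsm.h; pf compares them numerically.
TCPS = {"CLOSED": 0, "LISTEN": 1, "SYN_SENT": 2, "SYN_RECEIVED": 3,
        "ESTABLISHED": 4, "CLOSE_WAIT": 5, "FIN_WAIT_1": 6, "CLOSING": 7,
        "LAST_ACK": 8, "FIN_WAIT_2": 9, "TIME_WAIT": 10}

# pf.conf(5) default timeouts in seconds.
DEFAULT_TIMEOUTS = {"tcp.opening": 30, "tcp.established": 86400,
                    "tcp.closing": 900, "tcp.finwait": 45, "tcp.closed": 90}


def timeout_class(s1: str, s2: str) -> str:
    """Which timeout pf applies to a TCP state, following the ladder pf
    itself walks after updating the two peers' states."""
    a, b = TCPS[s1], TCPS[s2]
    if a >= TCPS["FIN_WAIT_2"] and b >= TCPS["FIN_WAIT_2"]:
        return "tcp.closed"
    if a >= TCPS["CLOSING"] and b >= TCPS["CLOSING"]:
        return "tcp.finwait"
    if a < TCPS["ESTABLISHED"] or b < TCPS["ESTABLISHED"]:
        return "tcp.opening"
    if a >= TCPS["CLOSING"] or b >= TCPS["CLOSING"]:
        return "tcp.closing"      # exactly one side has sent its FIN
    return "tcp.established"


def half_closed_states(lines: List[str]) -> List[Tuple[str, str, int]]:
    """TCP states no longer ESTABLISHED on both sides, with the timeout
    class and the default idle seconds after which pf removes them."""
    out = []
    for line in lines:
        m = STATE_RE.match(line.strip())
        if not m or m["proto"] != "tcp":
            continue
        cls = timeout_class(m["s1"], m["s2"])
        if cls != "tcp.established":
            flow = f"{m['src']}:{m['sport']} {m['arrow']} {m['dst']}:{m['dport']}"
            out.append((flow, cls, DEFAULT_TIMEOUTS[cls]))
    return out


def wallclock_seconds(ts: str) -> Optional[float]:
    """Seconds since midnight for an HH:MM:SS.ffffff stamp, else None
    (the -ttt delta format is not a wall-clock time)."""
    m = re.fullmatch(r"(\d\d):(\d\d):(\d\d(?:\.\d+)?)", ts)
    if not m:
        return None
    return int(m[1]) * 3600 + int(m[2]) * 60 + float(m[3])


def mid_stream_blocks(lines: List[str]) -> List[Dict[str, object]]:
    """Blocks of non-SYN packets on a flow pf earlier passed with a SYN:
    the signature of a state that expired while the connection was alive."""
    opened: Dict[Tuple[str, str, str, str], str] = {}
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = PFLOG_RE.match(line.strip())
        if not m:
            continue
        key = (m["src"], m["sport"], m["dst"], m["dport"])
        if m["action"] == "pass" and "S" in m["flags"]:
            opened[key] = m["ts"]
        elif m["action"] == "block" and "S" not in m["flags"] and key in opened:
            t0, t1 = wallclock_seconds(opened[key]), wallclock_seconds(m["ts"])
            age = round(t1 - t0) if t0 is not None and t1 is not None else None
            findings.append({"flow": key, "rule": int(m["rule"]),
                             "opened": opened[key], "blocked": m["ts"],
                             "age_seconds": age})
    return findings


# Constructed sample input, taken from the lines quoted in the thread.
SAMPLE_PFLOG = [
    "14:53:58.835812 rule 45/0(match): pass out on rl0: xiombarg.uffner.com.713 "
    "> 10.69.69.21.nfsd: S 1077685507:1077685507(0) win 65535",
    "15:35:07.667381 rule 0/0(match): block out on rl0: xiombarg.uffner.com.713 "
    "> 10.69.69.21.nfsd: P 1077857136:1077857240(104) ack 1091504052 win 16588",
    "15:35:07.667571 rule 45/0(match): pass out on rl0: xiombarg.uffner.com.1023 "
    "> 10.69.69.21.nfsd: S 772434453:772434453(0) win 65535",
]
SAMPLE_STATES = [
    "all tcp 10.69.69.60:841 -> 10.69.69.21:2049       ESTABLISHED:FIN_WAIT_2",
    "all tcp 10.69.69.60:713 -> 10.69.69.21:2049       ESTABLISHED:ESTABLISHED",
]

if __name__ == "__main__":
    for f in mid_stream_blocks(SAMPLE_PFLOG):
        print("block on a flow pf had passed:", f)
    for s in half_closed_states(SAMPLE_STATES):
        print("half-closed state %s ages with %s (%d s idle)" % s)
```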
From owner-freebsd-pf@FreeBSD.ORG Fri May 2 02:25:12 2008
Date: Fri, 2 May 2008 03:05:37 +0100
From: Drav Sloan
To: freebsd-pf@freebsd.org
Message-ID: <20080502020537.GA70377@real-life.tm>
Subject: a buildworld yields tcpdump oddness

Hiya all!

I'm fairly new to pf and have recently set up a firewall using it. After getting things up and running I decided to cvsup and buildworld the 7.0-RELEASE branch. However, odd things started appearing in the output of tcpdump when the old 'tcpdump -n -e -ttt -i pflog0' is used. Instead of the usual output I now get:

tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 68 bytes
000000 rule 6/0(match): block in on re0: [|ip]
000058 rule 6/0(match): block in on re0: [|ip]
300. 033021 rule 6/0(match): block in on re0: [|ip]
000056 rule 6/0(match): block in on re0: [|ip]
368. 212637 rule 6/0(match): block in on re0: [|ip]
000059 rule 6/0(match): block in on re0: [|ip]

As you can see the actual traffic being blocked is not "present", so it's about as much use as Boris in a mayoral election (as I've no idea _what_ is being blocked). Has anyone come across this before? Have I done something dumb with my configs that has nuked the pflog0 output? Any ideas how I can kick this up the arse?

_Strangely_ a tcpdump of the /var/log/pflog yields the expected behaviour:

# tcpdump -n -e -ttt -r /var/log/pflog
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
.
.
368. 212637 rule 6/0(match): block in on re0: 10.0.0.1.138 > 10.0.0.255.138: NBT UDP PACKET(138)
000059 rule 6/0(match): block in on re0: 10.0.0.1.138 > 10.0.0.255.138: NBT UDP PACKET(138)

I'm stumped :/

Cheers in advance for any cl00 offered :D

Regards
Drav.
From owner-freebsd-pf@FreeBSD.ORG Fri May 2 02:32:34 2008
Date: Thu, 1 May 2008 21:32:23 -0500
From: David DeSimone
To: freebsd-pf@freebsd.org
Message-ID: <20080502023222.GC25833@verio.net>
In-Reply-To: <20080502020537.GA70377@real-life.tm>
Subject: Re: a buildworld yields tcpdump oddness

Drav Sloan wrote:
>
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 68 bytes
> 000000 rule 6/0(match): block in on re0: [|ip]
> 000058 rule 6/0(match): block in on re0: [|ip]

When you see the [|xxx] syntax in tcpdump, that is its way of telling you that the packet you captured is truncated, and it cannot show you more information unless you capture a longer packet.

With recent changes to PF, the default capture size (68 bytes as seen above) is insufficient. Try adding "-s128" to capture more of the packets and you should see an improvement.

--
David DeSimone == Network Admin == fox@verio.net

From owner-freebsd-pf@FreeBSD.ORG Fri May 2 02:45:16 2008
Date: Fri, 2 May 2008 03:45:15 +0100
From: Drav Sloan
To: freebsd-pf@freebsd.org
Message-ID: <20080502024515.GC70377@real-life.tm>
In-Reply-To: <20080502023222.GC25833@verio.net>
Subject: Re: a buildworld yields tcpdump oddness

David DeSimone wrote:
> When you see the [|xxx] syntax in tcpdump, that is its way of telling
> you that the packet you captured is truncated, and it cannot show you
> more information unless you capture a longer packet.
>
> With recent changes to PF, the default capture size (68 bytes as seen
> above) is insufficient. Try adding "-s128" to capture more of the
> packets and you should see an improvement.

Et voilà! Been using tcpdump for years, never knew about that one!

Cheers Dave, (and apologies for the multiple post, I thought the first one would have been rejected given its return address...)

Regards
Drav.

From owner-freebsd-pf@FreeBSD.ORG Fri May 2 10:20:25 2008
Date: Fri, 2 May 2008 10:20:24 GMT
Message-Id: <200805021020.m42AKOxn057419@freefall.freebsd.org>
To: ino-news@spotteswoode.dnsalias.org, vwe@FreeBSD.org, freebsd-pf@FreeBSD.org
From: vwe@FreeBSD.org
Subject: Re: kern/119661: [pf] "queue (someq, empy_acks)" doesn't work

Synopsis: [pf] "queue (someq, empy_acks)" doesn't work

State-Changed-From-To: feedback->open
State-Changed-By: vwe
State-Changed-When: Fri May 2 10:20:09 UTC 2008
State-Changed-Why: Feedback has been provided.

http://www.freebsd.org/cgi/query-pr.cgi?pr=119661

From owner-freebsd-pf@FreeBSD.ORG Fri May 2 12:16:25 2008
Date: Fri, 2 May 2008 12:16:24 GMT
Message-Id: <200805021216.m42CGOxV068852@freefall.freebsd.org>
To: ino-news@spotteswoode.dnsalias.org, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org
From: mlaier@FreeBSD.org
Subject: Re: kern/119661: [pf] "queue (someq, empy_acks)" doesn't work

Synopsis: [pf] "queue (someq, empy_acks)" doesn't work
State-Changed-From-To: open->closed
State-Changed-By: mlaier
State-Changed-When: Fri May 2 12:15:18 UTC 2008
State-Changed-Why: Sorry, but PRs are not a free "debug my ruleset"-service. There is no bug here!
http://www.freebsd.org/cgi/query-pr.cgi?pr=119661

From owner-freebsd-pf@FreeBSD.ORG Fri May 2 12:20:07 2008
Date: Fri, 2 May 2008 12:20:06 GMT
Message-Id: <200805021220.m42CK62s068973@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Max Laier
Reply-To: Max Laier
Subject: Re: kern/119661: [pf] "queue (someq, empy_acks)" doesn't work

The following reply was made to PR kern/119661; it has been noted by GNATS.
From: Max Laier
To: bug-followup@freebsd.org, ino-news@spotteswoode.dnsalias.org
Subject: Re: kern/119661: [pf] "queue (someq, empy_acks)" doesn't work
Date: Fri, 2 May 2008 14:10:37 +0200

Sorry, still works for me:

%echo 'pass out log (all) proto tcp from any to any flags S/SA modulate state label "27: outbound tcp keep state" queue(interactive, tcp_ack)' | pfctl -vvvf-
Loaded 696 passive OS fingerprints
@0 pass out log (all) proto tcp all flags S/SA modulate state label "27: outbound tcp keep state" queue(interactive, tcp_ack)
%pfctl -vvsr
@0 pass out log (all) proto tcp all flags S/SA modulate state label "27: outbound tcp keep state" queue(interactive, tcp_ack)
  [ Evaluations: 45        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1602 ]

-- 
Max
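David DeSimone's explanation earlier in this thread (the [|proto] marker means the record was cut at the snaplen, and tcpdump's old 68-byte default no longer reaches the end of the headers) can be checked offline against a capture file rather than by re-running tcpdump. What follows is an added example, not code from the thread, from FreeBSD or from tcpdump: it builds a small pcap in memory from constructed Ethernet/IPv4/TCP frames at a chosen snaplen, then reports for each record whether it was truncated and whether the cut fell inside the headers (the case that produces [|tcp]) or only inside the payload. The function names (make_tcp_frame, build_pcap, read_pcap, tcp_header_complete, analyse), the dummy addresses and the sample frames are all constructed for this example.

```python
"""Find pcap records that were cut short by the capture snaplen.

Added example, not code from the mailing-list thread or from FreeBSD.
A record whose captured length is below its on-the-wire length is what
tcpdump flags with the [|proto] marker; whether that matters depends on
whether the cut falls inside a header or only inside the payload.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4        # classic little-endian pcap, microsecond stamps
LINKTYPE_ETHERNET = 1
ETH_HDR_LEN = 14
DEFAULT_SNAPLEN_2008 = 68      # the old tcpdump default quoted in the thread


def make_tcp_frame(tcp_options=b"", payload=b""):
    """Build a constructed Ethernet/IPv4/TCP frame (addresses are dummies)."""
    assert len(tcp_options) % 4 == 0, "TCP options must pad to a 32-bit boundary"
    eth = b"\x00" * 12 + b"\x08\x00"                          # dst, src, EtherType IPv4
    tcp_len = 20 + len(tcp_options)
    ip = (b"\x45\x00" + struct.pack(">H", 20 + tcp_len + len(payload))
          + b"\x00\x00\x00\x00" + b"\x40\x06\x00\x00"         # id/frag, ttl, proto 6, csum
          + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]))      # constructed src/dst
    tcp = struct.pack(">HHIIBBHHH", 1234, 80, 1, 0,
                      (tcp_len // 4) << 4, 0x02, 65535, 0, 0) + tcp_options
    return eth + ip + tcp + payload


def build_pcap(frames, snaplen, linktype=LINKTYPE_ETHERNET):
    """Serialise frames as a pcap byte string, truncating each to snaplen
    exactly as a capture tool does; caplen and origlen are recorded per packet."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out.append(struct.pack("<IIII", 1_200_000_000 + i, 0, len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)


def read_pcap(data):
    """Yield (caplen, origlen, captured_bytes) for every record in the file."""
    magic, _maj, _min, _tz, _sig, snaplen, _lt = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, caplen, origlen = struct.unpack_from("<IIII", data, off)
        off += 16
        captured = data[off:off + caplen]
        if len(captured) != caplen:
            raise ValueError("file ends inside a packet record")
        if caplen > snaplen:
            raise ValueError("record longer than the declared snaplen")
        off += caplen
        yield caplen, origlen, captured


def tcp_header_complete(frame):
    """True when the Ethernet, IPv4 and TCP headers all lie inside the captured
    bytes; False is the situation tcpdump reports as [|ip] or [|tcp]."""
    if len(frame) < ETH_HDR_LEN + 20:
        return False
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    if len(frame) < ETH_HDR_LEN + ihl + 20:
        return False
    doff = (frame[ETH_HDR_LEN + ihl + 12] >> 4) * 4
    return len(frame) >= ETH_HDR_LEN + ihl + doff


def analyse(data):
    """Per-record report: was the record truncated, and did the headers survive?"""
    return [{"caplen": caplen, "origlen": origlen,
             "truncated": caplen < origlen,
             "headers_complete": tcp_header_complete(captured)}
            for caplen, origlen, captured in read_pcap(data)]


# Constructed sample traffic: a bare SYN, a SYN carrying 20 bytes of options
# (MSS, SACK-permitted, timestamps, NOP, window scale), and a large segment.
SYN_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8
               + b"\x01" + b"\x03\x03\x07")
SAMPLE_FRAMES = [
    make_tcp_frame(),
    make_tcp_frame(tcp_options=SYN_OPTIONS, payload=b"\x00" * 10),
    make_tcp_frame(payload=b"\x00" * 1000),
]

if __name__ == "__main__":
    for snaplen in (DEFAULT_SNAPLEN_2008, 128):
        print(f"snaplen {snaplen}:")
        for rec in analyse(build_pcap(SAMPLE_FRAMES, snaplen)):
            print("  caplen %4d of %4d  truncated=%-5s headers_complete=%s"
                  % (rec["caplen"], rec["origlen"], rec["truncated"], rec["headers_complete"]))
```

At a snaplen of 68 the SYN with options is cut 6 bytes short of the end of its TCP header, which is the [|tcp] case, while the 1054-byte segment is also truncated but keeps every header, so tcpdump decodes it normally. Raising the snaplen to 128 fixes the first case. On a pflog interface the pflog pseudo-header sits in front of the IP packet and comes out of the same byte budget, so a snaplen that was enough on an Ethernet interface can fall short there; the same analysis applies once the link-type offset is accounted for.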