From owner-freebsd-pf@FreeBSD.ORG Mon Dec 8 11:07:00 2008
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 8 Dec 2008 11:07:00 GMT
Message-Id: <200812081107.mB8B709G014346@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S  Tracker      Resp.  Description
--------------------------------------------------------------------------------
o  kern/129060  pf     [pf] [tun] pf doesn't forget the old tun IP
o  kern/127920  pf     [pf] ipv6 and synproxy don't play well together
o  conf/127814  pf     [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o  conf/127511  pf     [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o  kern/127439  pf     [pf] deadlock in pf
o  kern/127345  pf     [pf] Problem with PF on FreeBSD7.0 [regression]
o  kern/127121  pf     [pf] [patch] pf incorrect log priority
o  kern/127042  pf     [pf] [patch] pf recursion panic if interface group is
o  kern/125467  pf     [pf] pf keep state bug while handling sessions between
s  kern/124933  pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented
o  kern/124364  pf     [pf] [panic] Kernel panic with pf + bridge
o  kern/122773  pf     [pf] pf doesn't log uid or pid when configured to
o  kern/122014  pf     [pf] [panic] FreeBSD 6.2 panic in pf
o  kern/121704  pf     [pf] PF mangles loopback packets
o  kern/120281  pf     [pf] [request] lost returning packets to PF for a rdr
o  kern/120057  pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o  bin/118355   pf     [pf] [patch] pfctl(8) help message options order false
o  kern/114567  pf     [pf] LOR pf_ioctl.c + if.c
o  kern/114095  pf     [carp] carp+pf delay with high state limit
o  kern/111220  pf     [pf] repeatable hangs while manipulating pf tables
s  conf/110838  pf     [pf] tagged parameter on nat not working on FreeBSD 5.
o  kern/93825   pf     [pf] pf reply-to doesn't work
o  sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o  kern/92949   pf     [pf] PF + ALTQ problems with latency
o  kern/82271   pf     [pf] cbq scheduler cause bad latency

25 problems total.
From owner-freebsd-pf@FreeBSD.ORG Tue Dec 9 14:53:10 2008
From: Leslie Jensen
To: freebsd-pf@freebsd.org
Date: Tue, 09 Dec 2008 15:37:39 +0100
Message-ID: <493E82B3.5090002@eskk.nu>
Subject: Personal firewall with two interfaces

Hello

I'm running pf as my personal firewall on my laptop.

I've got one ethernet and one wifi interface; both are configured during boot.

I usually make a change in pf.conf where I change

  # ext_if="em0"
  ext_if="rum0"

or vice versa.

My problem is that if the "wrong" interface is active in pf.conf there'll be some waiting for ntpd, sshd and bsdstats to time out.

I would like to configure pf so that both interfaces are treated the same, only one active interface at a time, but to remove the need for a manual change of pf.conf at startup.

Any hints are appreciated.

Thank you

/Leslie

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 9 16:11:12 2008
From: Gregory Edigarov
To: Leslie Jensen
Cc: freebsd-pf@freebsd.org
Date: Tue, 09 Dec 2008 17:48:05 +0200
Message-ID: <493E9335.9020500@bestnet.kharkov.ua>
In-Reply-To: <493E82B3.5090002@eskk.nu>
Subject: Re: Personal firewall with two interfaces
Leslie Jensen wrote:
> Hello
>
> I'm running pf as my personal firewall on my laptop.
>
> I've got one ethernet and one wifi interface; both are configured
> during boot.
>
> I usually make a change in pf.conf where I change
>
> # ext_if="em0"
> ext_if="rum0"
>
> or vice versa.
>
> My problem is that if the "wrong" interface is active in pf.conf
> there'll be some waiting for ntpd, sshd and bsdstats to time out.
>
> I would like to configure pf so that both interfaces are treated the
> same, only one active interface at a time, but to remove the need
> for a manual change of pf.conf at startup.

Seems like you'll be done by using the rules without an interface pointer...

--
With best regards,
Gregory Edigarov

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 9 21:48:21 2008
From: Mark Atkinson
To: freebsd-pf@freebsd.org
Date: Tue, 09 Dec 2008 13:48:02 -0800
References: <493E82B3.5090002@eskk.nu>
Subject: Re: Personal firewall with two interfaces

Leslie Jensen wrote:
> I usually make a change in pf.conf where I change
>
> # ext_if="em0"
> ext_if="rum0"
>
> or vice versa.
>
> My problem is that if the "wrong" interface is active in pf.conf
> there'll be some waiting for ntpd, sshd and bsdstats to time out.
>
> I would like to configure pf so that both interfaces are treated the
> same, only one active interface at a time, but to remove the need for
> a manual change of pf.conf at startup.
>
> Any hints are appreciated.

You should leave your pf.conf alone and rename your interfaces (based on which one is inserted -- maybe via devd). You could also code something up in something like /etc/rc.d/early.sh to figure out which one is available and rename it. For example:

  ifconfig msk0 name external
  ifconfig xl0 name internal
  ifconfig sk0 name wireless

and just leave ext_if="external" in your pf.conf.
--
Mark Atkinson
atkin901@yahoo.com
(!wired)?(coffee++):(wired);

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 10 10:58:33 2008
From: Sven-Åke Svensson
To: freebsd-pf@freebsd.org
Date: Wed, 10 Dec 2008 11:37:00 +0100
Message-ID: <493F9BCC.7000703@mbg.se>
In-Reply-To: <493E82B3.5090002@eskk.nu>
Subject: Re: Personal firewall with two interfaces

Hi

I use the following in my pf.conf

  # Macros
  ext_if="{ em0 iwi0 }"

Sven-Åke

Leslie Jensen wrote:
> Hello
>
> I'm running pf as my personal firewall on my laptop.
>
> I've got one ethernet and one wifi interface; both are configured during
> boot.
>
> I usually make a change in pf.conf where I change
>
> # ext_if="em0"
> ext_if="rum0"
>
> or vice versa.
>
> My problem is that if the "wrong" interface is active in pf.conf
> there'll be some waiting for ntpd, sshd and bsdstats to time out.
>
> I would like to configure pf so that both interfaces are treated the
> same, only one active interface at a time, but to remove the need for
> a manual change of pf.conf at startup.
>
> Any hints are appreciated.
>
> Thank you
>
> /Leslie
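The interface-list macro from Sven-Åke's reply and the renamed-interface alternative from Mark's, worked into one complete laptop ruleset. This is an added example, not a configuration any of the posters supplied; em0 and rum0 are the interface names from the original post, while the service selection and the rest of the ruleset are assumptions.

```pf
# Added example, not from the thread.  em0 (wired) and rum0 (wifi) are the
# interface names from the original post; the rest of the ruleset is assumed.

# One macro covering both uplinks.  pfctl expands each rule that uses it into
# one copy per interface, so pf.conf is never edited when the laptop moves
# from cable to wifi; an interface that is down or has no address simply
# matches nothing.  (Alternative from the thread: rename the active device at
# boot with "ifconfig <dev> name external" and use  ext_if = "external".)
ext_if = "{ em0 rum0 }"

# The dynamic form ($ext_if) cannot be applied to a list macro: macros are
# substituted textually, so it becomes "({ em0 rum0 })", which pfctl rejects.
# Put the parentheses on each member instead; the addresses are then re-read
# whenever a DHCP lease changes, without reloading the ruleset.
ext_addr = "{ (em0) (rum0) }"

set skip on lo0
set block-policy drop
scrub in all

# Default deny in both directions, logged to pflog0, then pass selectively.
# Under a default deny like this an uplink missing from $ext_if has no pass
# rules, which is exactly when local daemons (ntpd, sshd, bsdstats in the
# original post) sit waiting for their connections to time out.
block log all

# Outbound from the laptop itself on whichever uplink currently carries
# the default route.
pass out on $ext_if inet proto { tcp udp icmp } from any to any keep state

# Inbound: ssh only, and only to an address one of the uplinks holds.  Two
# lists in one rule expand to a cross product (on em0 to (rum0) and so on);
# harmless here, but spell the rules out per interface if that matters.
pass in on $ext_if inet proto tcp from any to $ext_addr port ssh \
        flags S/SA keep state
```

Check the expansion with pfctl -nvf /etc/pf.conf before loading: the -v output lists every rule the two list macros produced, which is the quickest way to see the cross product and to catch the "({ ... })" mistake.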
From owner-freebsd-pf@FreeBSD.ORG Wed Dec 10 12:31:33 2008
From: Alexander Vyrlanovich
To: freebsd-pf@freebsd.org
Date: Wed, 10 Dec 2008 14:12:02 +0200
Message-Id: <1A5D8974-8BEE-4998-B029-737E32DB3C83@apple-park.kiev.ua>
Subject: Does pfsync work with route-to/reply-to rules?

Hello All

I have two firewalls with CARP + pfsync for failover.
#uname -mrs:
FreeBSD 7.1-PRERELEASE i386
sources from Nov 24

Three ISPs are connected; the default route points to ISP1.
I use the pf "route-to" option to forward some traffic via ISP2 and ISP3.

The problem:
When the backup firewall becomes master, all packets forwarded via ISP2 and ISP3 which have a state in the state table go to ISP1 (default route) and of course are blocked by pf on the outgoing interface.
Moreover, those packets bypass nat rules and try to go out as is.

Looks like pfsync loses routing information. Can somebody confirm this?

Alexander Vyrlanovich
System Administrator

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 11 08:10:04 2008
From: Alexander Vyrlanovich
To: freebsd-pf@freebsd.org
Date: Thu, 11 Dec 2008 10:10:01 +0200
Message-Id: <254A0CF2-6152-4E23-8FFC-48344F4EC66C@apple-park.kiev.ua>
In-Reply-To: <1A5D8974-8BEE-4998-B029-737E32DB3C83@apple-park.kiev.ua>
Subject: Re: Does pfsync work with route-to/reply-to rules?

On 10 Dec 2008, at 14:12, Alexander Vyrlanovich wrote:
> Hello All
>
> I have two firewalls with CARP + pfsync for failover.
> #uname -mrs:
> FreeBSD 7.1-PRERELEASE i386
> sources from Nov 24
>
> Three ISPs are connected; the default route points to ISP1.
> I use the pf "route-to" option to forward some traffic via ISP2 and ISP3.
>
> The problem:
> When the backup firewall becomes master, all packets forwarded via
> ISP2 and ISP3
> which have a state in the state table go to ISP1 (default route) and
> of course
> are blocked by pf on the outgoing interface.
> Moreover, those packets bypass nat rules and try to go out as is.

Please ignore my sentence about nat - it was incorrect.

> Looks like pfsync loses routing information. Can somebody confirm
> this?

Alexander Vyrlanovich
System Administrator