From owner-freebsd-pf@FreeBSD.ORG Mon Mar 2 11:07:07 2009
Date: Mon, 2 Mar 2009 11:06:57 GMT
Message-Id: <200903021106.n22B6vM9057392@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
List-Id: "Technical discussion and general questions about packet filter (pf)"

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/132176  pf     [pf] pf stalls connection when using route-to [regress
o kern/130977  pf     [netgraph][pf] kernel panic trap 12 on user connect to
o conf/130381  pf     [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf     [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/129060  pf     [pf] [tun] pf doesn't forget the old tun IP
o kern/127920  pf     [pf] ipv6 and synproxy don't play well together
o conf/127814  pf     [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf     [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf     [pf] deadlock in pf
o kern/127345  pf     [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf     [pf] [patch] pf incorrect log priority
o kern/127042  pf     [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf     [pf] pf keep state bug while handling sessions between
s kern/124933  pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf     [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf     [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf     [pf] PF mangles loopback packets
o kern/120281  pf     [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf     [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf     [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf     [carp] carp+pf delay with high state limit
o kern/111220  pf     [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf     [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf     pfsync fails to successfully transfer some sessions
o kern/103281  pf     pfsync reports bulk update failures
o kern/93825   pf     [pf] pf reply-to doesn't work
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o kern/82271   pf     [pf] cbq scheduler cause bad latency

31 problems total.


From owner-freebsd-pf@FreeBSD.ORG Mon Mar 2 17:17:46 2009
Message-ID: <49AC14AA.2030808@ngc.net.ua>
Date: Mon, 02 Mar 2009 19:17:30 +0200
From: Link
To: Tom Uffner
Cc: freebsd-pf@freebsd.org
References: <49A7D547.9040801@ngc.net.ua> <49A811D4.5030900@uffner.com> <49A8177B.9010209@ngc.net.ua> <49A85BD4.7050105@uffner.com> <49A8FED7.3000603@ngc.net.ua> <49A9BBF5.1060706@uffner.com>
In-Reply-To: <49A9BBF5.1060706@uffner.com>
Subject: Re: freebsd 7.1 pf route-to connection stall

Tom Uffner writes:
> Zinevich Denis wrote:
>> "pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) to any" will not
>> work. But anyway question is not in syntax of rules, because nobody
>> touched it and it was working on 6.3, 7.1-p2, but not on 7.1-p3
>>
>> Network is quite simple.
>> Server has 2 cards bce0 and bce1
>> bce0 - 172.20.51.10
>> bce1 - 172.20.1.130
>> default gw - 172.20.1.1
>> networks are /24
>>
>> As i described before goal of my rule is to ignore default route when
>> request comes on 172.20.51.10.
>> Without such rule reply will go to 172.20.1.1 and with pf rule it
>> will go out to 172.20.51.1 via bce0.
>> For example similar rule for ipfw: ipfw add 1 fwd 172.20.51.1 from
>> 172.20.51.10 to any
>>
>>> Link wrote:
>>>> My full configuration is:
>>>>
>>>> if_bce0="bce0"
>>>> if_bce0_gw="172.20.51.1"
>>>> if_bce1="bce1"
>>>>
>>>> scrub in all
>>>>
>>>> pass out on $if_bce1 route-to ($if_bce0 $if_bce0_gw) from $if_bce0
>>>> to any no state flags any
>
> I apologize for misunderstanding the part of your reply about FreeBSD 7.1
> patchlevels. I realized my error too late after i had sent the message.
>
> The simplest way to do what you want doesn't involve a firewall at all.
> simply configure the devices on the 172.20.51/24 network with the
> following routes:
>
> Destination    Gateway
> default        172.20.51.1
> 172.20.1/24    172.20.51.10
>
> if this is not possible for some reason and you must bounce them through
> the firewall, i think the rules you want are:
>
> pass in quick on $if_bce0 from any to { 172.20.51.10 172.20.1/24 }
> pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) \
>     from $if_bce0:network to any
>
> according to my understanding of pf syntax, it was probably a bug that
> your ruleset ever worked. "... from $if_bce0 ..." should have matched
> only packets from the local server w/ source addresses of 172.20.51.10.
>
> just adding :network to the $if_bce0 in the from clause in your rule
> should make it do what you want, but is quite inefficient. you are
> checking every outbound packet on bce1 after all of the normal
> processing & routing has been done, rewriting the ones that arrived on
> bce0 and sending them back through the network subsystem again.
>
> it would be better to check the in-bound packets on bce0, accept the
> ones destined for the local host or the 172.20.1/24 network, and
> re-route the ones that would use the default gw.
>
> tom
>

Thanks for your reply.
Tried the rules you've listed.
Does not help...
I've checked with tcpdump; packets are still going out using the default route.
From owner-freebsd-pf@FreeBSD.ORG Mon Mar 2 19:29:28 2009
Message-ID: <49AC338F.8080009@uffner.com>
Date: Mon, 02 Mar 2009 14:29:19 -0500
From: Tom Uffner
To: Link
Cc: freebsd-pf@freebsd.org
References: <49A7D547.9040801@ngc.net.ua> <49A811D4.5030900@uffner.com> <49A8177B.9010209@ngc.net.ua> <49A85BD4.7050105@uffner.com> <49A8FED7.3000603@ngc.net.ua> <49A9BBF5.1060706@uffner.com> <49AC14AA.2030808@ngc.net.ua>
In-Reply-To: <49AC14AA.2030808@ngc.net.ua>
Subject: Re: freebsd 7.1 pf route-to connection stall

Link wrote:
> Thanks for your reply.
> Tried rules you've listed.
> Does not help....
> I've checked with tcpdump packets are still going out using default route.

hmm. it sounds like packets aren't matching the rules. at this point all I
can suggest is adding an explicit "pass log all" as the first rule in your
config, and then testing either your ruleset or my ruleset by adding "log"
to all of the rules and checking that packets are matching appropriately.

for much more detail you can change "log" to "log (all)" to capture _every_
packet, not just the ones that create state. be careful though. running
full logging will consume lots of disk if used in production rather than
just while debugging.

tom


From owner-freebsd-pf@FreeBSD.ORG Sat Mar 7 18:36:34 2009
Date: Sat, 7 Mar 2009 19:10:34 +0100
From: Bettina Schmidtberger
To: freebsd-pf@freebsd.org
Subject: RE: The promised insider tip

Hi you!
As I promised you, I still wanted to tell you the address where we ordered
the things. There are plenty of sites where you simply get ripped off. But
at this address we always get genuine goods, and they are delivered within
a very short time. We never had any trouble with customs either, since
shipping is directly from Europe. Great, isn't it? So here is the address:
http://www.apoteelia.net
I hope you enjoy it and that it works well!

Regards, your Bettina

Take heed! They had talked you into believing that you had it hard, that
your life was botched, that life was a guilt, was bad, without meaning,
without worth; they wanted to cow you, to smuggle you into the great army
of the suffering; you were to become pitiable and to pity: and you believed
them (how unwillingly!) and then again did not (how gladly!). For you are
strong, but you were sick; where? how? what do I know. And your longing was
to get out of all these weary negations, these foolish formulas that carry
their Yes inside their No, these resounding sciences, these words. That is
why you leapt from book to book, played with their formulas and dropped
them again, the Nos and the Ifs, in order to find one of your own, but it
was to ring out as a Yes! For you wanted to live! But not as the rabble
lives; you were seeking a reason, a goal, a formula for living. Well, here
it is. You know the wineglass of heaven that you wanted to drain? Now rivet
this formula to yourself: you create the world. You spiritualize the chaos
into a world; the Other, the Not-yet-You, the old thing-in-itself, is only
that which has not yet been created by you, humanized, not yet become your
property. You create the world: now live, live! The little blue flower rang
so gladly and strongly; why should I not believe it?

And then I went bathing, and lay in the grass for hours; and while the
white clouds sailed across the sky and the river flowed calmly on through
the scent of reeds and rushes and the chattering bird-folk, I laughed at
the thing-in-itself, the intellect and the will, and wished myself an
I-know-not-what. Towards evening swarms of mayflies rose from the river;
they climbed up the grasses, stalks and posts and flung themselves out of
their husks into the air for their brief wedding-life. The air was white
above the waters with the masses dancing up and down, and the sinking sun
in the haze the north wind had brought was red as a ruby: that had almost
overcome me, so that I was already beginning to lament the hour-short
existence of the imago and to attach sentimental conclusions to it; but
then I heard the gentian ringing and I laughed: the creature enjoys its
predatory life for years, and this nuptial flight is its reeling climax.
Long live life and its eternal bridge: Venus genetrix! Eight days ago I
would have cursed her and complained: what is life? This is what life is:
it flows away like the foam of waves, comes
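Returning to Tom Uffner's debugging suggestion in the thread above (put "log" on every rule and watch pflog0 with tcpdump): what the operator then needs is a quick way to spot which logged packets from the 172.20.51/24 network were last matched by a rule other than the route-to rule, since those are the ones still leaving via the default gateway. The script below is an added example, not code from the thread or from the FreeBSD project; it runs over a constructed `tcpdump -n -e -i pflog0` capture and assumes a hypothetical rule numbering (rule 0 "pass log all", rule 1 the quick pass to the local host and 172.20.1/24, rule 2 the route-to rule on $if_bce0:network).

```shell
#!/bin/sh
# Constructed sample of `tcpdump -n -e -i pflog0` output with "log" on every
# rule. Hypothetical rule numbers (order of `pfctl -vsr`):
#   0: pass log all
#   1: pass in log quick on bce0 from any to { 172.20.51.10 172.20.1/24 }
#   2: pass in log on bce0 route-to (bce0 172.20.51.1) from 172.20.51.0/24 to any
# The third packet comes from 172.20.51/24 and heads to the Internet, yet was
# last matched by rule 0: it will leave through the default gateway.
SAMPLE='12:00:00.000000 rule 2/0(match): pass in on bce0: 172.20.51.20.40001 > 198.51.100.7.80: Flags [S], seq 1, win 65535, length 0
12:00:00.000100 rule 1/0(match): pass in on bce0: 172.20.51.20.40002 > 172.20.1.50.22: Flags [S], seq 1, win 65535, length 0
12:00:00.000200 rule 0/0(match): pass in on bce0: 172.20.51.21.40003 > 203.0.113.9.443: Flags [S], seq 1, win 65535, length 0
12:00:00.000300 rule 0/0(match): pass out on bce1: 172.20.51.10.40004 > 203.0.113.9.443: Flags [S], seq 1, win 65535, length 0'

# Number of logged packets for which rule $1 was the final match.
rule_hits() {
    printf '%s\n' "$SAMPLE" |
        awk -v r="$1" '$2 == "rule" && index($3, r "/") == 1 { n++ } END { print n + 0 }'
}

# Packets that arrived on bce0 from 172.20.51/24, were bound neither for the
# local host (172.20.51.10) nor for 172.20.1/24, and were not passed by the
# route-to rule (2): exactly the ones that still follow the default route.
missed_routeto() {
    printf '%s\n' "$SAMPLE" | awk '
        $2 == "rule" && $4 == "pass" && $5 == "in" && $7 == "bce0:" &&
        $8 ~ /^172\.20\.51\./ &&
        $10 !~ /^172\.20\.1\./ && $10 !~ /^172\.20\.51\.10\./ &&
        index($3, "2/") != 1 { print "rule " $3, $8, "->", $10 }'
}

# Stand-alone run: per-rule counters, then the packets that missed route-to.
for r in 0 1 2; do
    echo "rule $r: $(rule_hits "$r") packet(s)"
done
echo "packets from 172.20.51/24 that bypassed the route-to rule:"
missed_routeto
```

On a live box, replace the SAMPLE here-string with `tcpdump -n -e -r /var/log/pflog` output and adjust the rule number to what `pfctl -vsr` reports for the route-to rule.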