From owner-freebsd-pf@FreeBSD.ORG Sun May 23 22:06:41 2010
Date: Sun, 23 May 2010 22:06:40 GMT
Message-Id: <201005232206.o4NM6eAS016850@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Christian Laursen
Subject: Re: kern/146832: [pf] "(self)" not always matching all local IPv6 addresses
Reply-To: Christian Laursen
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

The following reply was made to PR kern/146832; it has been noted by GNATS.

From: Christian Laursen
To: bug-followup@FreeBSD.org, xi@borderworlds.dk
Cc:
Subject: Re: kern/146832: [pf] "(self)" not always matching all local IPv6 addresses
Date: Sun, 23 May 2010 15:50:16 +0200

Just to make sure I reproduced it on -CURRENT from yesterday.

FreeBSD pftest.borderworlds.dk 9.0-CURRENT FreeBSD 9.0-CURRENT #1: Sat May 22 21:53:04 CEST 2010 root@pftest.borderworlds.dk:/usr/obj/usr/src/sys/GENERIC i386

If I configure IPv6 via rc.conf this line:

    ifconfig_em0_ipv6="RTADV"

Then the problem isn't there. "(self)" matches the autoconfigured address.

However, if I remove that line from rc.conf and manually run the following
sequence of commands:

    ifconfig em0 inet6 -ifdisabled
    ifconfig em0 inet6 auto_linklocal
    ifconfig em0 inet6 accept_rtadv

and then wait for the autoconfigured address to appear on the interface.
Then the problem I have described manifests itself.

--
Christian Laursen

From owner-freebsd-pf@FreeBSD.ORG Mon May 24 11:07:00 2010
Date: Mon, 24 May 2010 11:06:59 GMT
Message-Id: <201005241106.o4OB6x6J004454@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/146832  pf         [pf] "(self)" not always matching all local IPv6 addre
o kern/144311  pf         [pf] [icmp] massive ICMP storm on lo0 occurs when usin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

44 problems total.

From owner-freebsd-pf@FreeBSD.ORG Wed May 26 05:22:55 2010
Date: Wed, 26 May 2010 05:22:55 GMT
Message-Id: <201005260522.o4Q5MtG3036253@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/147000: [pf] pfctl -m option does not appear to work

Synopsis: [pf] pfctl -m option does not appear to work

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Wed May 26 05:22:34 UTC 2010
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=147000

From owner-freebsd-pf@FreeBSD.ORG Thu May 27 00:55:39 2010
Date: Thu, 27 May 2010 00:55:39 GMT
Message-Id: <201005270055.o4R0tdnR078441@freefall.freebsd.org>
To: thompsa@FreeBSD.org, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org
From: mlaier@FreeBSD.org
Subject: Re: kern/147000: [pf] pfctl -m option does not appear to work

Synopsis: [pf] pfctl -m option does not appear to work

State-Changed-From-To: open->closed
State-Changed-By: mlaier
State-Changed-When: Thu May 27 00:54:23 UTC 2010
State-Changed-Why:
Not a bug - -m does merge the options.  If you do not want to reload other
parts of the ruleset (i.e. leave the filtering rules as-is) you need to add
the -O option as well.  Thanks.

http://www.freebsd.org/cgi/query-pr.cgi?pr=147000

From owner-freebsd-pf@FreeBSD.ORG Thu May 27 02:00:22 2010
In-Reply-To: <201005270055.o4R0tdnR078441@freefall.freebsd.org>
Date: Thu, 27 May 2010 13:30:46 +1200
From: Andrew Thompson
To: mlaier@freebsd.org
Cc: freebsd-pf@freebsd.org
Subject: Re: kern/147000: [pf] pfctl -m option does not appear to work

On 27 May 2010 12:55, wrote:
> Synopsis: [pf] pfctl -m option does not appear to work
>
> State-Changed-From-To: open->closed
> State-Changed-By: mlaier
> State-Changed-When: Thu May 27 00:54:23 UTC 2010
> State-Changed-Why:
> Not a bug - -m does merge the options.  If you do not want to reload other
> parts of the ruleset (i.e. leave the filtering rules as-is) you need to add
> the -O option as well.  Thanks.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=147000
>

Ah! Thanks Max.

From owner-freebsd-pf@FreeBSD.ORG Thu May 27 11:56:56 2010
Message-ID: <4BFE5A26.8030301@FreeBSD.org>
Date: Thu, 27 May 2010 13:40:22 +0200
From: Martin Matuska
To: freebsd-pf@freebsd.org
Subject: Base import proposal: relayd

I would like to propose relayd(8) from OpenBSD for import to our base
system.
Relayd is closely tied to pf(4) and would be a great tool for networking
and firewalls.

The import is based on a CVS snapshot from OpenBSD as of Aug 13, 2009 (4.6).
That was just right before importing new pf changes that make it
incompatible with our current pf(4). After our pf(4) gets upgraded we can
move to a newer relayd(8).

It includes several backported patches from OpenBSD 4.7 and HEAD.
The carp and snmp functionality is disabled (for now) because of OpenBSD
specific code. Required libevent is used statically from contrib/pf and gets
built only once as of usr.sbin/ftp-proxy.

A working (and more or less complete) patch against HEAD and 8-STABLE can be
downloaded from here:
http://people.freebsd.org/~mm/patches/relayd/head-relayd.patch
http://people.freebsd.org/~mm/patches/relayd/stable-8-relayd.patch

The patch is based on this snapshot:
http://people.freebsd.org/~mm/distfiles/relayd-4.6.20090813.tar.gz

And includes backported patches from my PR ports/147122 - it can be tested
as a port as well:
http://www.freebsd.org/cgi/query-pr.cgi?pr=147122

The port patches from Jun Kuriyama (kuriyama@FreeBSD.org) were used as a
starting point.

Comments and suggestions are welcome.

From owner-freebsd-pf@FreeBSD.ORG Thu May 27 13:34:30 2010
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Thu, 27 May 2010 15:34:26 +0200
In-Reply-To: <4BFE5A26.8030301@FreeBSD.org>
Message-Id: <201005271534.27006.max@love2party.net>
Subject: Re: Base import proposal: relayd

Hello Martin,

On Thursday 27 May 2010 13:40:22 Martin Matuska wrote:
> Comments and suggestions are welcome.

first off, thank you for your interest in pf - more hands are greatly
appreciated!

On the $subj, I'm not sure what the added benefit of relayd in base is.
Having it in ports makes it easier to pull in new features/releases.  The same
could be said for (t)ftp-proxy, but it was decided that ftp NAT support is a
*basic* function of any firewall and therefore should be in the base system.

Can you share your reasons for wanting it in base as opposed to ports?

On the nitpicking side of things - from a quick glance:  The build of
relayd/ctl should probably be conditional on WITHOUT_PF.

Thanks,
  Max

From owner-freebsd-pf@FreeBSD.ORG Thu May 27 14:02:29 2010
Message-ID: <4BFE7B74.4050709@FreeBSD.org>
Date: Thu, 27 May 2010 16:02:28 +0200
From: Martin Matuska
To: Max Laier
Cc: freebsd-pf@freebsd.org
In-Reply-To: <201005271534.27006.max@love2party.net>
Subject: Re: Base import proposal: relayd

Well, what relayd actually provides is level 3 and level 7 reverse proxy
(with transparency support) and a load-balancer.

We could say that this can be seen as a "frontend to pf", but also as a
level 7 reverse proxy like varnish or pound. I have experience with all
of these. The configuration file syntax matches pf.conf(5). People with
pf(4) skills can take a benefit of it, for me it was the daemon I was
searching for a long time.

Why putting it in base? We could provide an out-of-the box load-balancing
solution with service availability checking.
This is indeed very useful when FreeBSD is used as a (load-balancing)
firewall. In addition, the code is quite small and easy to integrate.

On the other hand, the current port (dating December 2007) is in a very
buggy state and I do not recommend using it, as it might easily confuse
your pf. The bugs are major, e.g. not cleaning pf rules/tables/anchors
on exit or segfault on reloading a mistyped configuration file.

As an alternative I would like to maintain the port, I am already trying
to get in touch with Jun Kuriyama.

Cheers,
mm

On 27. 5. 2010 15:34, Max Laier wrote:
> Hello Martin,
>
> On Thursday 27 May 2010 13:40:22 Martin Matuska wrote:
>
>> Comments and suggestions are welcome.
>>
> first off, thank you for your interest in pf - more hands are greatly
> appreciated!
>
> On the $subj, I'm not sure what the added benefit of relayd in base is.
> Having it in ports makes it easier to pull in new features/releases.
> The same could be said for (t)ftp-proxy, but it was decided that ftp NAT
> support is a *basic* function of any firewall and therefore should be in the
> base system.
>
> Can you share your reasons for wanting it in base as opposed to ports?
>
> On the nitpicking side of things - from a quick glance:  The build of
> relayd/ctl should probably be conditional on WITHOUT_PF.
>
> Thanks,
>   Max
>

From owner-freebsd-pf@FreeBSD.ORG Thu May 27 14:43:44 2010
In-Reply-To: <4BFE7B74.4050709@FreeBSD.org>
Date: Thu, 27 May 2010 16:43:42 +0200
From: britneyfreek
To: Martin Matuska
Cc: freebsd-pf@freebsd.org
Subject: Re: Base import proposal: relayd

hello everyone,

i'm just following this thread but this actually sounds very interesting and
useful. i prefer using freebsd running on key hosts in networks - like you
said, firewalls, for example. having such tool ootb would be a worthy
addition.

- b

2010/5/27 Martin Matuska :
> Well, what relayd actually provides is level 3 and level 7 reverse proxy
> (with transparency support) and a load-balancer.
>
> We could say that this can be seen as a "frontend to pf", but also as a
> level 7 reverse proxy like varnish or pound. I have experience with all
> of these. The configuration file syntax matches pf.conf(5). People with
> pf(4) skills can take a benefit of it, for me it was the daemon I was
> searching for a long time.
>
> Why putting it in base? We could provide an out-of-the box load-balancing
> solution with service availability checking.
> This is indeed very useful when FreeBSD is used as a (load-balancing)
> firewall. In addition, the code is quite small and easy to integrate.
>
> On the other hand, the current port (dating December 2007) is in a very
> buggy state and I do not recommend using it, as it might easily confuse
> your pf. The bugs are major, e.g. not cleaning pf rules/tables/anchors
> on exit or segfault on reloading a mistyped configuration file.
>
> As an alternative I would like to maintain the port, I am already trying
> to get in touch with Jun Kuriyama.
>
> Cheers,
> mm
>
> On 27. 5. 2010 15:34, Max Laier wrote:
>> Hello Martin,
>>
>> On Thursday 27 May 2010 13:40:22 Martin Matuska wrote:
>>
>>> Comments and suggestions are welcome.
>>>
>> first off, thank you for your interest in pf - more hands are greatly
>> appreciated!
>>
>> On the $subj, I'm not sure what the added benefit of relayd in base is.
>> Having it in ports makes it easier to pull in new features/releases.  The same
>> could be said for (t)ftp-proxy, but it was decided that ftp NAT support is a
>> *basic* function of any firewall and therefore should be in the base system.
>>
>> Can you share your reasons for wanting it in base as opposed to ports?
>>
>> On the nitpicking side of things - from a quick glance:  The build of
>> relayd/ctl should probably be conditional on WITHOUT_PF.
>>
>> Thanks,
>>   Max
>>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From owner-freebsd-pf@FreeBSD.ORG Thu May 27 14:57:08 2010
From: Max Laier
Organization: FreeBSD
To: Martin Matuska
Date: Thu, 27 May 2010 16:57:05 +0200
In-Reply-To: <4BFE7B74.4050709@FreeBSD.org>
Message-Id: <201005271657.05617.max@love2party.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: Base import proposal: relayd

On Thursday 27 May 2010 16:02:28 Martin Matuska wrote:
> Well, what relayd actually provides is level 3 and level 7 reverse proxy
> (with transparency support) and a load-balancer.
>
> We could say that this can be seen as a "frontend to pf", but also as a
> level 7 reverse proxy like varnish or pound. I have experience with all
> of these. The configuration file syntax matches pf.conf(5). People with
> pf(4) skills can take a benefit of it, for me it was the daemon I was
> searching for a long time.
>
> Why putting it in base? We could provide an out-of-the box load-balancing
> solution with service availability checking.
> This is indeed very useful when FreeBSD is used as a (load-balancing)
> firewall. In addition, the code is quite small and easy to integrate.
>
> On the other hand, the current port (dating December 2007) is in a very
> buggy state and I do not recommend using it, as it might easily confuse
> your pf. The bugs are major, e.g. not cleaning pf rules/tables/anchors
> on exit or segfault on reloading a mistyped configuration file.
>
> As an alternative I would like to maintain the port, I am already trying
> to get in touch with Jun Kuriyama.

I don't mean to stop you ... it's just my opinion that a port is easier kept
up-to-date and the more convenient choice for most users.  I wasn't aware
that the current port has issues, I don't use relayd.

In any case, please go ahead with whichever solution you find the most
convenient and let me know if you need any help.  If you decide to go for
the base import, you might want to bring it up on net@ - as I'm sure the
people on there will have an opinion and it's always a good idea to have
the discussion before the commit.

Thanks,
  Max

From owner-freebsd-pf@FreeBSD.ORG Thu May 27 17:32:38 2010
Date: Thu, 27 May 2010 19:32:33 +0200 (CEST)
From: Mohacsi Janos
To: Martin Matuska
In-Reply-To: <4BFE7B74.4050709@FreeBSD.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: Base import proposal: relayd

Dear All,

I would appreciate the fixes in ports tree first. I use relayd for a while
on FreeBSD 7 stable. I have problem with the tcp checking.

Janos Mohacsi
Head of HBONE+ project
Network Engineer, Deputy Director of Network Planning and Projects
NIIF/HUNGARNET, HUNGARY
Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882

On Thu, 27 May 2010, Martin Matuska wrote:

> Well, what relayd actually provides is level 3 and level 7 reverse proxy
> (with transparency support) and a load-balancer.
>
> We could say that this can be seen as a "frontend to pf", but also as a
> level 7 reverse proxy like varnish or pound. I have experience with all
> of these. The configuration file syntax matches pf.conf(5). People with
> pf(4) skills can take a benefit of it, for me it was the daemon I was
> searching for a long time.
>
> Why putting it in base? We could provide an out-of-the box load-balancing
> solution with service availability checking.
> This is indeed very useful when FreeBSD is used as a (load-balancing)
> firewall. In addition, the code is quite small and easy to integrate.
>
> On the other hand, the current port (dating December 2007) is in a very
> buggy state and I do not recommend using it, as it might easily confuse
> your pf. The bugs are major, e.g. not cleaning pf rules/tables/anchors
> on exit or segfault on reloading a mistyped configuration file.
>
> As an alternative I would like to maintain the port, I am already trying
> to get in touch with Jun Kuriyama.
>
> Cheers,
> mm
>
> On 27. 5. 2010 15:34, Max Laier wrote:
>> Hello Martin,
>>
>> On Thursday 27 May 2010 13:40:22 Martin Matuska wrote:
>>
>>> Comments and suggestions are welcome.
>>>
>> first off, thank you for your interest in pf - more hands are greatly
>> appreciated!
>>
>> On the $subj, I'm not sure what the added benefit of relayd in base is.
>> Having it in ports makes it easier to pull in new features/releases.  The same
>> could be said for (t)ftp-proxy, but it was decided that ftp NAT support is a
>> *basic* function of any firewall and therefore should be in the base system.
>>
>> Can you share your reasons for wanting it in base as opposed to ports?
>>
>> On the nitpicking side of things - from a quick glance:  The build of
>> relayd/ctl should probably be conditional on WITHOUT_PF.
>>
>> Thanks,
>>   Max
>>