From owner-freebsd-pf@FreeBSD.ORG Mon Jun 28 11:06:59 2010
Date: Mon, 28 Jun 2010 11:06:58 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf         [pf] "(self)" not always matching all local IPv6 addre
o kern/144311  pf         [pf] [icmp] massive ICMP storm on lo0 occurs when usin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

45 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 28 21:12:29 2010
Date: Mon, 28 Jun 2010 21:12:22 +0000
From: "Luiz Gustavo S. Costa"
To: freebsd-pf@freebsd.org
Subject: rdr + reply-to, some solution ?

Hi all.

I know there is a problem in using rdr with the reply-to, I usually
use some software to "rdr", as the rinetd, but it's not a pretty
solution.

Is there any alternative?

Below is an example of what I'm talking about.

# Nat section
rdr on $if_ext2 proto tcp from any to 200.x.x.x port 80 -> 192.168.1.100
# Rules section
pass in $if_ext2 reply-to ($if_ext2 $gw_ext2) proto tcp from any to 200.x.x.x port 80

the "reply-to" not working with rdr rule.

Thanks

-- 
Luiz Gustavo Costa (Powered by BSD)
*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
mundoUnix - Consultoria em Software Livre
http://www.mundounix.com.br
ICQ: 2890831 / MSN: contato@mundounix.com.br
Tel: 55 (21) 2642-3799 / 7582-0594
Blog: http://www.luizgustavo.pro.br

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 28 21:33:30 2010
Date: Mon, 28 Jun 2010 17:33:26 -0400
From: Chris Buechler
To: "Luiz Gustavo S. Costa"
Cc: freebsd-pf@freebsd.org
Subject: Re: rdr + reply-to, some solution ?

On Mon, Jun 28, 2010 at 5:12 PM, Luiz Gustavo S. Costa wrote:
> Hi all.
>
> I know there is a problem in using rdr with the reply-to, I usually
> use some software to "rdr", as the rinetd, but it's not a pretty
> solution.
>
> Is there any alternative?
>
> Below is an example of what I'm talking about.
>
> # Nat section
> rdr on $if_ext2 proto tcp from any to 200.x.x.x port 80 -> 192.168.1.100
> # Rules section
> pass in $if_ext2 reply-to ($if_ext2 $gw_ext2) proto tcp from any to
> 200.x.x.x port 80
>

That rule won't match traffic from that rdr. The dest has to be the
192.168.1.100 IP.

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 28 22:24:28 2010
Date: Mon, 28 Jun 2010 22:24:18 +0000
From: "Luiz Gustavo S. Costa"
To: Chris Buechler
Cc: freebsd-pf@freebsd.org
Subject: Re: rdr + reply-to, some solution ?

hi Chris ! how are you?

as it says here in Brazil: "I eat ball" :).

pass in $if_int reply-to ($if_ext2 $gw_ext2) proto tcp from any to 192.168.1.100 port 80

but still, the combination does not work

thanks

2010/6/28 Chris Buechler :
> On Mon, Jun 28, 2010 at 5:12 PM, Luiz Gustavo S. Costa
> wrote:
>> Hi all.
>>
>> I know there is a problem in using rdr with the reply-to, I usually
>> use some software to "rdr", as the rinetd, but it's not a pretty
>> solution.
>>
>> Is there any alternative?
>>
>> Below is an example of what I'm talking about.
>>
>> # Nat section
>> rdr on $if_ext2 proto tcp from any to 200.x.x.x port 80 -> 192.168.1.100
>> # Rules section
>> pass in $if_ext2 reply-to ($if_ext2 $gw_ext2) proto tcp from any to
>> 200.x.x.x port 80
>>
>
> That rule won't match traffic from that rdr. The dest has to be the
> 192.168.1.100 IP.
>

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 28 23:30:38 2010
Date: Mon, 28 Jun 2010 19:30:31 -0400
From: Chris Buechler
To: "Luiz Gustavo S. Costa"
Cc: freebsd-pf@freebsd.org
Subject: Re: rdr + reply-to, some solution ?

On Mon, Jun 28, 2010 at 6:24 PM, Luiz Gustavo S. Costa wrote:
> hi Chris ! how are you?
>
> as it says here in Brazil: "I eat ball" :).
>
> pass in $if_int reply-to ($if_ext2 $gw_ext2) proto tcp from any to
> 192.168.1.100 port 80
>
> but still, the combination does not work
>

Then that's not the rule that's matching the traffic. Presuming it
worked previously when that rule wouldn't match the traffic, there
must be some other rule matching. You may need 'quick' there as well
depending on the rest of your ruleset and your intent.

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 28 23:37:18 2010 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B7E221065670 for ; Mon, 28 Jun 2010 23:37:18 +0000 (UTC) (envelope-from luizgustavo@luizgustavo.pro.br) Received: from mail-ww0-f54.google.com (mail-ww0-f54.google.com [74.125.82.54]) by mx1.freebsd.org (Postfix) with ESMTP id 582688FC14 for ; Mon, 28 Jun 2010 23:37:17 +0000 (UTC) Received: by wwb28 with SMTP id 28so832277wwb.13 for ; Mon, 28 Jun 2010 16:37:10 -0700 (PDT) MIME-Version: 1.0 Received: by 10.216.91.80 with SMTP id g58mr8718017wef.112.1277768229442; Mon, 28 Jun 2010 16:37:09 -0700 (PDT) Received: by 10.216.178.134 with HTTP; Mon, 28 Jun 2010 16:37:09 -0700 (PDT) In-Reply-To: References: Date: Mon, 28 Jun 2010 23:37:09 +0000 Message-ID: From: "Luiz Gustavo S. Costa" To: Gabriel Fonseca Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: freebsd-pf@freebsd.org Subject: Re: rdr + reply-to, some solution ? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Jun 2010 23:37:18 -0000 PERFECT !!!!! This is it ! (tribute to MJ) worked perfectly, had not really thought about using tag, perfect. thank you (valeu !) goodbye rinetd/redir ! 2010/6/28 Gabriel Fonseca : > 2010/6/28 Luiz Gustavo S. Costa >> >> hi Chris ! how are you? >> >> as it says here in Brazil: "I eat ball" :). >> >> pass in $if_int reply-to ($if_ext2 $gw_ext2) proto tcp from any to >> 192.168.1.100 port 80 >> >> but still, the combination does not work >> >> thanks >> >> >> 2010/6/28 Chris Buechler : >> > On Mon, Jun 28, 2010 at 5:12 PM, Luiz Gustavo S. Costa >> > wrote: >> >> Hi all. 
>> >> >> >> I know there is a problem in using rdr with the reply-to, I usually >> >> use some software to "rdr", as the rinetd, but it's not a pretty >> >> solution. >> >> >> >> Is there any alternative? >> >> >> >> Below is an example of what I'm talking about. >> >> >> >> # Nat section >> >> rdr on $if_ext2 proto tcp from any to 200.x.x.x port 80 -> >> >> 192.168.1.100 >> >> # Rules section >> >> pass in $if_ext2 reply-to ($if_ext2 $gw_ext2) proto tcp from any to >> >> 200.x.x.x port 80 >> >> >> > >> > That rule won't match traffic from that rdr. The dest has to be the >> > 192.168.1.100 IP. >> > >> >> >> >> -- >> Luiz Gustavo Costa (Powered by BSD) >> *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+ >> mundoUnix - Consultoria em Software Livre >> http://www.mundounix.com.br >> ICQ: 2890831 / MSN: contato@mundounix.com.br >> Tel: 55 (21) 2642-3799 / 7582-0594 >> Blog: http://www.luizgustavo.pro.br >> _______________________________________________ >> freebsd-pf@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-pf >> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > > > Hi, Luiz "gugaBSD" Gustavo. > I don't exactly what your need, but I'll try help. > > Try this: > rdr on $if_ext2 proto tcp from any to 200.x.x.x port 80 tag LINK2 -> > 192.168.1.100 > pass in quick on $if_ext2 reply-to ( $if_ext2 $gw_ext2=A0 ) tagged LINK2 > > I hope that helps. 
> > Gabriel "ethX" Fonseca > > > > > --=20 Luiz Gustavo Costa (Powered by BSD) *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+ mundoUnix - Consultoria em Software Livre http://www.mundounix.com.br ICQ: 2890831 / MSN: contato@mundounix.com.br Tel: 55 (21) 2642-3799 / 7582-0594 Blog: http://www.luizgustavo.pro.br From owner-freebsd-pf@FreeBSD.ORG Wed Jun 30 16:38:33 2010 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 05D6C106566C for ; Wed, 30 Jun 2010 16:38:33 +0000 (UTC) (envelope-from artemrts@ukr.net) Received: from ffe9.ukr.net (ffe9.ukr.net [195.214.192.28]) by mx1.freebsd.org (Postfix) with ESMTP id 928FD8FC1B for ; Wed, 30 Jun 2010 16:38:32 +0000 (UTC) Received: from mail by ffe9.ukr.net with local ID 1OU0Iv-000JKp-95 ; Wed, 30 Jun 2010 19:38:29 +0300 MIME-Version: 1.0 To: "Luiz Gustavo S. Costa" From: "Vitaliy Vladimirovich" X-Life: is great, enjoy it! X-Mailer: freemail.ukr.net mPOP 3.6.1-current X-Originating-Ip: [91.145.198.61] In-Reply-To: X-Browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6 Message-Id: Date: Wed, 30 Jun 2010 19:38:29 +0300 Content-Type: text/plain; charset="windows-1251" Content-Transfer-Encoding: 8bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-pf@freebsd.org Subject: Re[2]: rdr + reply-to, some solution ? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Jun 2010 16:38:33 -0000        Hi Luiz!      Can you post here your working final ruleset with rdr + replye-to? Only rdr + reply-to section.   Thank you! PERFECT !!!!! This is it ! (tribute to MJ) worked perfectly, had not really thought about using tag, perfect. 
thank you (valeu !) goodbye rinetd/redir ! 2010/6/28 Gabriel Fonseca : > 2010/6/28 Luiz Gustavo S. Costa >> >> hi Chris ! how are you? >> >> as it says here in Brazil: "I eat ball" :). >> >> pass in $if_int reply-to ($if_ext2 $gw_ext2) proto tcp from any to >> 192.168.1.100 port 80 >> >> but still, the combination does not work >> >> thanks >> >> >> 2010/6/28 Chris Buechler : >> > On Mon, Jun 28, 2010 at 5:12 PM, Luiz Gustavo S. Costa >> > wrote: >> >> Hi all. >> >> >> >> I know there is a problem in using rdr with the reply-to, I usually >> >> use some software to "rdr", as the rinetd, but it's not a pretty >> >> solution. >> >> >> >> Is there any alternative? >> >> >> >> Below is an example of what I'm talking about. >> >> >> >> # Nat section >> >> rdr on $if_ext2 proto tcp from any to 200.x.x.x port 80 -> >> >> 192.168.1.100 >> >> # Rules section >> >> pass in $if_ext2 reply-to ($if_ext2 $gw_ext2) proto tcp from any to >> >> 200.x.x.x port 80 >> >> >> > >> > That rule won't match traffic from that rdr. The dest has to be the >> > 192.168.1.100 IP. >> > >> >> >> >> -- >> Luiz Gustavo Costa (Powered by BSD) >> *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+ >> mundoUnix - Consultoria em Software Livre >> http://www.mundounix.com.br >> ICQ: 2890831 / MSN: contato@mundounix.com.br >> Tel: 55 (21) 2642-3799 / 7582-0594 >> Blog: http://www.luizgustavo.pro.br >> _______________________________________________ >> freebsd-pf@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-pf >> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > > > Hi, Luiz "gugaBSD" Gustavo. > I don't exactly what your need, but I'll try help. > > Try this: > rdr on $if_ext2 proto tcp from any to 200.x.x.x port 80 tag LINK2 -> > 192.168.1.100 > pass in quick on $if_ext2 reply-to ( $if_ext2 $gw_ext2  ) tagged LINK2 > > I hope that helps. 
> > Gabriel "ethX" Fonseca > > > > > -- Luiz Gustavo Costa (Powered by BSD) *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+ mundoUnix - Consultoria em Software Livre http://www.mundounix.com.br ICQ: 2890831 / MSN: contato@mundounix.com.br Tel: 55 (21) 2642-3799 / 7582-0594 Blog: http://www.luizgustavo.pro.br _______________________________________________ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" From owner-freebsd-pf@FreeBSD.ORG Wed Jun 30 16:50:26 2010 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6BD7D106566B for ; Wed, 30 Jun 2010 16:50:26 +0000 (UTC) (envelope-from luizgustavo@luizgustavo.pro.br) Received: from mail-wy0-f182.google.com (mail-wy0-f182.google.com [74.125.82.182]) by mx1.freebsd.org (Postfix) with ESMTP id 0BFB88FC0A for ; Wed, 30 Jun 2010 16:50:25 +0000 (UTC) Received: by wyb34 with SMTP id 34so1225470wyb.13 for ; Wed, 30 Jun 2010 09:50:17 -0700 (PDT) MIME-Version: 1.0 Received: by 10.216.154.76 with SMTP id g54mr11617260wek.36.1277916616069; Wed, 30 Jun 2010 09:50:16 -0700 (PDT) Received: by 10.216.178.134 with HTTP; Wed, 30 Jun 2010 09:50:15 -0700 (PDT) In-Reply-To: References: Date: Wed, 30 Jun 2010 13:50:15 -0300 Message-ID: From: "Luiz Gustavo S. Costa" To: Vitaliy Vladimirovich Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: freebsd-pf@freebsd.org Subject: Re: Re[2]: rdr + reply-to, some solution ? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Jun 2010 16:50:26 -0000 Hi, Yep! 
# Nat section rdr on $if_ext2 proto tcp from any to $ip_ext2 port http tag http_link2 -> $dmz_http # Rule section pass in quick on $if_ext2 reply-to ($if_ext2 $gw_ext2) tagged http_link2 The reply-to is apply on the tag match. Thanks for Gabriel ! 2010/6/30 Vitaliy Vladimirovich : > > =A0=A0=A0=A0=A0=A0 Hi Luiz! > > =A0=A0 Can you post here your working final ruleset with rdr + replye-to?= Only > rdr + reply-to section. > > =A0 Thank you! > > > PERFECT !!!!! > > This is it ! (tribute to MJ) > > worked perfectly, had not really thought about using tag, perfect. > > thank you (valeu !) > > goodbye rinetd/redir ! > > 2010/6/28 Gabriel Fonseca : >> 2010/6/28 Luiz Gustavo S. Costa >>> >>> hi Chris ! how are you? >>> >>> as it says here in Brazil: "I eat ball" :). >>> >>> pass in $if_int reply-to ($if_ext2 $gw_ext2) proto tcp from any to >>> 192.168.1.100 port 80 >>> >>> but still, the combination does not work >>> >>> thanks >>> >>> >>> 2010/6/28 Chris Buechler : >>> > On Mon, Jun 28, 2010 at 5:12 PM, Luiz Gustavo S. Costa >>> > wrote: >>> >> Hi all. >>> >> >>> >> I know there is a problem in using rdr with the reply-to, I usually >>> >> use some software to "rdr", as the rinetd, but it's not a pretty >>> >> solution. >>> >> >>> >> Is there any alternative? >>> >> >>> >> Below is an example of what I'm talking about. >>> >> >>> >> # Nat section >>> >> rdr on $if_ext2 proto tcp from any to 200.x.x.x port 80 -> >>> >> 192.168.1.100 >>> >> # Rules section >>> >> pass in $if_ext2 reply-to ($if_ext2 $gw_ext2) proto tcp from any to >>> >> 200.x.x.x port 80 >>> >> >>> > >>> > That rule won't match traffic from that rdr. The dest has to be the >>> > 192.168.1.100 IP. 
>>> > >>> >>> >>> >>> -- >>> Luiz Gustavo Costa (Powered by BSD) >>> *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+ >>> mundoUnix - Consultoria em Software Livre >>> http://www.mundounix.com.br >>> ICQ: 2890831 / MSN: contato@mundounix.com.br >>> Tel: 55 (21) 2642-3799 / 7582-0594 >>> Blog: http://www.luizgustavo.pro.br >>> _______________________________________________ >>> freebsd-pf@freebsd.org mailing list >>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf >>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" >> >> >> Hi, Luiz "gugaBSD" Gustavo. >> I don't exactly what your need, but I'll try help. >> >> Try this: >> rdr on $if_ext2 proto tcp from any to 200.x.x.x port 80 tag LINK2 -> >> 192.168.1.100 >> pass in quick on $if_ext2 reply-to ( $if_ext2 $gw_ext2=A0 ) tagged LINK2 >> >> I hope that helps. >> >> Gabriel "ethX" Fonseca >> >> >> >> >> > > -- > Luiz Gustavo Costa (Powered by BSD) > *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+ > mundoUnix - Consultoria em Software Livre > http://www.mundounix.com.br > ICQ: 2890831 / MSN: contato@mundounix.com.br > Tel: 55 (21) 2642-3799 / 7582-0594 > Blog: http://www.luizgustavo.pro.br > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > > --=20 Luiz Gustavo Costa (Powered by BSD) *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+ mundoUnix - Consultoria em Software Livre http://www.mundounix.com.br ICQ: 2890831 / MSN: contato@mundounix.com.br Tel: 55 (21) 2642-3799 / 7582-0594 Blog: http://www.luizgustavo.pro.br From owner-freebsd-pf@FreeBSD.ORG Wed Jun 30 17:40:04 2010 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E01C01065670 for ; Wed, 30 Jun 2010 17:40:04 +0000 (UTC) (envelope-from 
gabriel@ethx.com.br) Received: from mail-gy0-f182.google.com (mail-gy0-f182.google.com [209.85.160.182]) by mx1.freebsd.org (Postfix) with ESMTP id 9E04A8FC13 for ; Wed, 30 Jun 2010 17:40:04 +0000 (UTC) Received: by gyf3 with SMTP id 3so739394gyf.13 for ; Wed, 30 Jun 2010 10:39:58 -0700 (PDT) MIME-Version: 1.0 Received: by 10.229.184.130 with SMTP id ck2mr5278084qcb.119.1277918118431; Wed, 30 Jun 2010 10:15:18 -0700 (PDT) Received: by 10.229.189.68 with HTTP; Wed, 30 Jun 2010 10:15:18 -0700 (PDT) In-Reply-To: References: Date: Wed, 30 Jun 2010 14:15:18 -0300 Message-ID: From: Gabriel Fonseca To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Re: Re[2]: rdr + reply-to, some solution ? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Jun 2010 17:40:05 -0000 2010/6/30 Luiz Gustavo S. Costa > Hi, > > Yep! > > # Nat section > rdr on $if_ext2 proto tcp from any to $ip_ext2 port http tag > http_link2 -> $dmz_http > > # Rule section > pass in quick on $if_ext2 reply-to ($if_ext2 $gw_ext2) tagged http_link2 > > The reply-to is apply on the tag match. > > Thanks for Gabriel ! > > 2010/6/30 Vitaliy Vladimirovich : > > > > Hi Luiz! > > > > Can you post here your working final ruleset with rdr + replye-to? > Only > > rdr + reply-to section. > > > > Thank you! > > > > > > PERFECT !!!!! > > > > This is it ! (tribute to MJ) > > > > worked perfectly, had not really thought about using tag, perfect. > > > > thank you (valeu !) > > > > goodbye rinetd/redir ! > > > > 2010/6/28 Gabriel Fonseca : > >> 2010/6/28 Luiz Gustavo S. Costa > >>> > >>> hi Chris ! how are you? > >>> > >>> as it says here in Brazil: "I eat ball" :). 
> >>> > >>> pass in $if_int reply-to ($if_ext2 $gw_ext2) proto tcp from any to > >>> 192.168.1.100 port 80 > >>> > >>> but still, the combination does not work > >>> > >>> thanks > >>> > >>> > >>> 2010/6/28 Chris Buechler : > >>> > On Mon, Jun 28, 2010 at 5:12 PM, Luiz Gustavo S. Costa > >>> > wrote: > >>> >> Hi all. > >>> >> > >>> >> I know there is a problem in using rdr with the reply-to, I usually > >>> >> use some software to "rdr", as the rinetd, but it's not a pretty > >>> >> solution. > >>> >> > >>> >> Is there any alternative? > >>> >> > >>> >> Below is an example of what I'm talking about. > >>> >> > >>> >> # Nat section > >>> >> rdr on $if_ext2 proto tcp from any to 200.x.x.x port 80 -> > >>> >> 192.168.1.100 > >>> >> # Rules section > >>> >> pass in $if_ext2 reply-to ($if_ext2 $gw_ext2) proto tcp from any to > >>> >> 200.x.x.x port 80 > >>> >> > >>> > > >>> > That rule won't match traffic from that rdr. The dest has to be the > >>> > 192.168.1.100 IP. > >>> > > >>> > >>> > >>> > >>> -- > >>> Luiz Gustavo Costa (Powered by BSD) > >>> *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+ > >>> mundoUnix - Consultoria em Software Livre > >>> http://www.mundounix.com.br > >>> ICQ: 2890831 / MSN: contato@mundounix.com.br > >>> Tel: 55 (21) 2642-3799 / 7582-0594 > >>> Blog: http://www.luizgustavo.pro.br > >>> _______________________________________________ > >>> freebsd-pf@freebsd.org mailing list > >>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf > >>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > >> > >> > >> Hi, Luiz "gugaBSD" Gustavo. > >> I don't exactly what your need, but I'll try help. > >> > >> Try this: > >> rdr on $if_ext2 proto tcp from any to 200.x.x.x port 80 tag LINK2 -> > >> 192.168.1.100 > >> pass in quick on $if_ext2 reply-to ( $if_ext2 $gw_ext2 ) tagged LINK2 > >> > >> I hope that helps. 
> >>
> >> Gabriel "ethX" Fonseca
> >>

With the tag you can specify that the traffic that must be subject to the
"reply-to" is the redirected traffic. Remember that "reply-to" routes
packets that pass in the opposite direction to the specified interface, as
specified in the pf.conf man page:

*reply-to*
    The *reply-to* option is similar to *route-to*, but routes packets
    that pass in the opposite direction (replies) to the specified
    interface. Opposite direction is only defined in the context of a
    state entry, and *reply-to* is useful only in rules that create
    state. It can be used on systems with multiple external connections
    to route all outgoing packets of a connection through the interface
    the incoming connection arrived through (symmetric routing
    enforcement).

The "reply-to" facilitates the maintenance of filtering rules, without
having to create "pass out" rules for the outbound traffic on the return of
the redirect.

Sorry for my English, I'm not good at that.
Gabriel "ethX" Fonseca

From owner-freebsd-pf@FreeBSD.ORG Sat Jul 3 11:16:59 2010
Date: Sat, 3 Jul 2010 11:16:58 GMT
Message-Id: <201007031116.o63BGwAA062819@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/148290: [pf] "sticky-address" option of Packet Filter (PF) blocks connection

Old Synopsis: "sticky-address" option of Packet Filter (PF) blocks connection
New Synopsis: [pf] "sticky-address" option of Packet Filter (PF) blocks connection

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Sat Jul 3 11:16:43 UTC 2010
Responsible-Changed-Why: Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=148290

From owner-freebsd-pf@FreeBSD.ORG Sat Jul 3 11:18:02 2010
Date: Sat, 3 Jul 2010 11:18:02 GMT
Message-Id: <201007031118.o63BI2dj062877@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/148260: [pf] [patch] pf rdr incompatible with dummynet

Old Synopsis: pf rdr incompatible with dummynet
New Synopsis: [pf] [patch] pf rdr incompatible with dummynet

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Sat Jul 3 11:17:25 UTC 2010
Responsible-Changed-Why: Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=148260

From owner-freebsd-pf@FreeBSD.ORG Sat Jul 3 13:42:15 2010
Date: Sat, 3 Jul 2010 15:29:33 +0200
From: Reinhard Haller
To: freebsd-pf@freebsd.org
Message-ID: <4C2F3B3D.70306@interactive-net.de>
Subject: urpf-failed & ipv6

Hi,

I recently discovered a strange behavior on my border router.

In the following ruleset:

block log all
block in log quick from urpf-failed to any
pass quick on $int_if inet6 proto udp from any to any port ripng
block drop on !$int_if inet6 proto udp from any to any port ripng

all occurrences of fe80::%$int_if -> ff02::9 were blocked by the
urpf-failed rule.

Any suggestions why this happens?

Thanks
Reinhard
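
An added example for the "rdr + reply-to" thread earlier on this page, not part of any message here and not pf's own code: a simplified Python model of the order pf applies (translation first, filter rules second), showing why the pass rule that names the public address never matches and how the tag set by the rdr rule selects the reply-to rule. The interface name, the 203.0.113.x addresses and all helper names are constructed for illustration.

```python
from collections import namedtuple

# Constructed values: em1 stands in for $if_ext2, 203.0.113.1 for $gw_ext2 and
# 203.0.113.10 for the public address the thread elides as 200.x.x.x.
IF_EXT2, GW_EXT2 = "em1", "203.0.113.1"
IP_EXT2, DMZ_HTTP = "203.0.113.10", "192.168.1.100"
LINK2 = (IF_EXT2, GW_EXT2)

# An empty string means "untagged" / "any destination" / "no tag required".
Packet = namedtuple("Packet", "iface dst dport tag", defaults=("",))
# rdr on IFACE proto tcp from any to DST port DPORT [tag TAG] -> TARGET
Rdr = namedtuple("Rdr", "iface dst dport target tag", defaults=("",))
# pass in quick on IFACE reply-to (IF GW) [to DST] [tagged TAG]
Pass = namedtuple("Pass", "iface reply_to dst tagged", defaults=("", ""))

def translate(pkt, rdrs):
    """Translation runs before filtering: rewrite dst, attach the rdr rule's tag."""
    for r in rdrs:
        if (pkt.iface, pkt.dst, pkt.dport) == (r.iface, r.dst, r.dport):
            return pkt._replace(dst=r.target, tag=r.tag)
    return pkt

def reply_route(pkt, rdrs, rules):
    """Return the (interface, gateway) that the first matching pass rule stores
    in the state, or None when no rule in this model matches."""
    seen = translate(pkt, rdrs)  # the packet as the filter rules see it
    for rule in rules:
        if (rule.iface == seen.iface and rule.dst in ("", seen.dst)
                and rule.tagged in ("", seen.tag)):
            return rule.reply_to
    return None

def compare():
    """Evaluate the thread's rule variants against one inbound connection."""
    syn = Packet(IF_EXT2, IP_EXT2, 80)
    rdr = Rdr(IF_EXT2, IP_EXT2, 80, DMZ_HTTP)
    tagged_rdr = rdr._replace(tag="LINK2")
    return {
        "pass to public address": reply_route(syn, [rdr], [Pass(IF_EXT2, LINK2, dst=IP_EXT2)]),
        "pass to 192.168.1.100": reply_route(syn, [rdr], [Pass(IF_EXT2, LINK2, dst=DMZ_HTTP)]),
        "pass tagged LINK2": reply_route(syn, [tagged_rdr], [Pass(IF_EXT2, LINK2, tagged="LINK2")]),
    }

if __name__ == "__main__":
    for name, route in compare().items():
        print(f"{name:24} reply-to -> {route}")
```

On a live firewall the equivalent check is to load the ruleset and confirm that the state created for the redirected connection carries the link 2 gateway.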