From owner-freebsd-pf@FreeBSD.ORG Sun Jul 18 03:59:18 2010
From: Thomas Elsgaard
To: Torsten Kersandt
Cc: freebsd-pf@freebsd.org
Date: Sun, 18 Jul 2010 01:59:17 -0200
Subject: -SOLVED- Re: How to do PAT based on source IP network and port ?
> HI
>
> I think that's an easier one
>
> rdr pass on $ext_if proto udp from any to $ext_if port 20000 -> 127.0.0.1
> port 69
>

Hi

I managed to solve the problem, here is the solution:

pass in on em0 proto udp from 10.5.1.0/24 to port 69 rdr-to 10.0.0.11 port 200001
pass in on em0 proto udp from 10.5.2.0/24 to port 69 rdr-to 10.0.0.11 port 200002

Thanks for the advice

Thomas

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 19 03:57:27 2010
From: Nugroho Atmotaruno
To: freebsd-pf@freebsd.org
Date: Mon, 19 Jul 2010 10:33:34 +0700
Subject: DUMMYNET and PF rdr problem

Hi all,

I'm using ipfw for traffic shaping (DUMMYNET) and pf for packet filter, nat, and traffic redirection. But when I'm using dummynet, pf rdr is not working anymore.

Is there any solution for this problem? Currently I'm using FreeBSD 7.3-RELEASE.

---

[penguasa@gtw] ~ > uname -a
FreeBSD gtw.arc 7.3-RELEASE-p1 FreeBSD 7.3-RELEASE-p1 #0: Tue May 25 19:23:41 UTC 2010     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

--
leave nothing but footprints, take nothing but pictures,
kill nothing but time, burn nothing but spirit

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 19 11:07:03 2010
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 19 Jul 2010 11:07:02 GMT
Message-Id: <201007191107.o6JB72pM065789@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf         [pf] "(self)" not always matching all local IPv6 addre
o kern/144311  pf         [pf] [icmp] massive ICMP storm on lo0 occurs when usin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

47 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Jul 19 23:00:36 2010
From: Marcin Wisnicki
To: freebsd-pf@freebsd.org
Date: Mon, 19 Jul 2010 23:00:27 +0000 (UTC)
Subject: Re: DUMMYNET and PF rdr problem

On Mon, 19 Jul 2010 10:33:34 +0700, Nugroho Atmotaruno wrote:

> Hi all,
>
> I'm using ipfw for traffic shaping (DUMMYNET) and pf for packet filter,
> nat, and traffic redirection. But when I'm using dummynet, pf rdr is not
> working anymore.
>
> Is there any solution for this problem? Currently I'm using FreeBSD
> 7.3-RELEASE.
>

http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/148260

> ---
>
> [penguasa@gtw] ~ > uname -a
> FreeBSD gtw.arc 7.3-RELEASE-p1 FreeBSD 7.3-RELEASE-p1 #0: Tue May 25
> 19:23:41 UTC 2010
> root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 20 03:25:40 2010
From: Nugroho Atmotaruno
To: freebsd-pf@freebsd.org
Date: Tue, 20 Jul 2010 10:25:38 +0700
Subject: Re: DUMMYNET and PF rdr problem

On Tue, Jul 20, 2010 at 6:00 AM, Marcin Wisnicki wrote:
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/148260
>

Thanks, I will try it soon. Will it be merged into the 8-STABLE or 7-STABLE branch?

--
leave nothing but footprints, take nothing but pictures,
kill nothing but time, burn nothing but spirit

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 20 04:45:53 2010
From: "Rushan R. Shaymardanov"
To: freebsd-pf@freebsd.org
Date: Tue, 20 Jul 2010 10:44:56 +0600
Message-ID: <4C4529C8.9040201@clink.ru>
Subject: Compiling and loading ng_pf

Hello.
I'm trying to use this patch to compile ng_pf:
http://lists.freebsd.org/pipermail/freebsd-bugs/2007-December/027288.html

During the compile, I get this error:

cc1: warnings being treated as errors
/usr/src/sys/modules/netgraph/pf/../../../netgraph/ng_pf.c: In function 'ng_pf_rcvdata':
/usr/src/sys/modules/netgraph/pf/../../../netgraph/ng_pf.c:616: warning: implicit declaration of function 'pf_purge_expired_state'
/usr/src/sys/modules/netgraph/pf/../../../netgraph/ng_pf.c:616: warning: nested extern declaration of 'pf_purge_expired_state'

When I ignore this by adding WERROR= to sys/modules/netgraph/pf/Makefile, the kernel is successfully built. But when I try to load the module, I get:

kldload: can't load ng_pf: No such file or directory

And a message in syslog:

link_elf: symbol pf_purge_expired_state undefined

The file ng_pf.ko exists:

# file /boot/kernel/ng_pf.ko
/boot/kernel/ng_pf.ko: ELF 32-bit LSB shared object, Intel 80386, version 1 (FreeBSD), dynamically linked, not stripped

P.S. Sorry for my English

Shaymardanov Rushan

From owner-freebsd-pf@FreeBSD.ORG Sat Jul 24 03:51:14 2010
From: Vadym Chepkov
To: freebsd-pf@FreeBSD.org
Date: Fri, 23 Jul 2010 23:51:09 -0400
Message-Id: <15958458-2B78-4CED-9AAE-97EE1200D30A@gmail.com>
In-Reply-To: <51C5C59B-87B0-4E7E-A639-A0AFA5ED385B@gmail.com>
Subject: Re: tftp-proxy

On Jul 17, 2010, at 5:20 PM, Vadym Chepkov wrote:

> Hi,
>
> I am unsuccessful in configuring tftp-proxy to work with my phones.
> This is my configuration involved:
>
> FreeBSD 7.3-RELEASE-p2
>
> # cat /etc/pf.conf
> wan_if="re0"
> phone_if="em0"
>
> set debug urgent
> set optimization normal
> set block-policy return
> set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
> set limit { states 20000, frags 20000 }
> set skip on lo0
> scrub in
>
> nat on $wan_if from $phone_if -> $wan_if
> no nat on $wan_if to port tftp
> nat on $wan_if proto udp from $phone_if:network to any -> $wan_if static-port
> nat on $wan_if from $phone_if:network to any -> $wan_if
>
> rdr-anchor "tftp-proxy/*"
> rdr on $phone_if proto udp from $phone_if:network to any port tftp -> 127.0.0.1 port 6969
>
> anchor "tftp-proxy/*"
>
> # grep tftp-proxy /etc/inetd.conf
> tftp-proxy dgram udp wait root /usr/libexec/tftp-proxy tftp-proxy -w 5
>
> # grep tftp-proxy /etc/services
> tftp-proxy 6969/udp
>
> # grep inetd /etc/rc.conf
> inetd_enable="YES"
> inetd_flags="-a 127.0.0.1"
>
> I observe in the syslog the following message:
> Jul 17 16:37:11 spider tftp-proxy[4675]: pf connection lookup failed (no rdr?)
> Jul 17 16:37:11 spider kernel: Jul 17 16:37:11 spider tftp-proxy[4675]: pf connection lookup failed (no rdr?)
> Jul 17 16:37:11 spider inetd[4665]: /usr/libexec/tftp-proxy[4675]: exited, status 1
>
> tcpdump shows tftp reply packets are getting rejected, which I assume means tftp-proxy is not expecting replies
>
> 17:07:19.135743 IP spider.57874 > 204.16.177.35.tftp: 32 RRQ "SEPXXX.cnf.xml" octet
> 17:07:19.167369 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
> 17:07:20.596097 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
> 17:07:21.596652 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
> 17:07:22.597755 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
> 17:07:24.142580 IP spider.58998 > 204.16.177.35.tftp: 32 RRQ "SEPXXX.cnf.xml" octet
> 17:07:24.242006 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
> 17:07:24.242036 IP spider > 204.16.177.35: ICMP spider udp port 57874 unreachable, length 36
> 17:07:24.242465 IP 204.16.177.35.tftp > spider.58998: 516 DATA block 1
> 17:07:25.243154 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
> 17:07:25.243203 IP spider > 204.16.177.35: ICMP spider udp port 57874 unreachable, length 36
> 17:07:25.243213 IP 204.16.177.35.tftp > spider.58998: 516 DATA block 1
> 17:07:26.244089 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
> 17:07:26.244121 IP spider > 204.16.177.35: ICMP spider udp port 57874 unreachable, length 36
> 17:07:26.244281 IP 204.16.177.35.tftp > spider.58998: 516 DATA block 1
> 17:07:27.245051 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
> 17:07:27.245091 IP spider > 204.16.177.35: ICMP spider udp port 57874 unreachable, length 36
> 17:07:27.245409 IP 204.16.177.35.tftp > spider.58998: 516 DATA block 1
> 17:07:28.246205 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
> 17:07:28.246246 IP spider > 204.16.177.35: ICMP spider udp port 57874 unreachable, length 36
> 17:07:28.246292 IP 204.16.177.35.tftp > spider.58998: 516 DATA block 1
>
> Not sure what I did wrong.
> The manual page of tftp-proxy has a wrong entry for inetd.conf, it has illegal syntax for FreeBSD's inetd,
> maybe some other nuance was lost during migration from OpenBSD?

It seems I found the problem. The tftp server in question answers not from an ephemeral port, but in a firewall-friendly manner from the tftp port. I assume this somehow breaks tftp-proxy logic though. I removed the tftp-specific rules completely and now all works fine. Sometimes less is more.

Vadym
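The diagnosis in the message above can be read straight out of the tcpdump excerpt. What follows is an added example, not code from this thread or from tftp-proxy: a small Python analyser for tcpdump lines of that shape. It uses a constructed sample modelled on the quoted capture and reports which port the server answers from (RFC 1350 expects a fresh transfer port), how many DATA blocks were retransmitted without an ACK, and which client ports the firewall host had already answered with ICMP port unreachable.

```python
import re
from collections import Counter

# Constructed sample shaped like the tcpdump excerpt quoted in the thread
# (same hostnames/addresses, trimmed to the lines that carry the evidence).
SAMPLE = """\
17:07:19.135743 IP spider.57874 > 204.16.177.35.tftp: 32 RRQ "SEPXXX.cnf.xml" octet
17:07:19.167369 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
17:07:20.596097 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
17:07:24.142580 IP spider.58998 > 204.16.177.35.tftp: 32 RRQ "SEPXXX.cnf.xml" octet
17:07:24.242006 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
17:07:24.242036 IP spider > 204.16.177.35: ICMP spider udp port 57874 unreachable, length 36
17:07:24.242465 IP 204.16.177.35.tftp > spider.58998: 516 DATA block 1
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
ICMP_RE = re.compile(r"ICMP \S+ udp port (?P<port>\d+) unreachable")
BLOCK_RE = re.compile(r"DATA block (?P<block>\d+)")


def split_endpoint(ep):
    """'spider.57874' -> ('spider', '57874'); '204.16.177.35.tftp' -> ('204.16.177.35', 'tftp')."""
    host, _, port = ep.rpartition(".")
    return host, port


def analyze(capture):
    """Summarise a TFTP exchange: who answers from which port, retransmits, dead client ports."""
    server = None                # host the RRQ/WRQ was sent to
    requests = []                # client source port of each RRQ/WRQ
    reply_src_ports = Counter()  # port the server answers from
    data_seen = Counter()        # (client port, block number) -> times the server sent it
    unreachable = Counter()      # client ports for which the host sent ICMP port unreachable
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m["rest"]
        if rest.startswith("ICMP"):      # ICMP lines carry no ports in the endpoints
            im = ICMP_RE.search(rest)
            if im:
                unreachable[int(im["port"])] += 1
            continue
        src_host, src_port = split_endpoint(m["src"])
        dst_host, dst_port = split_endpoint(m["dst"])
        if " RRQ " in rest or " WRQ " in rest:
            server = dst_host
            requests.append(int(src_port))
        elif src_host == server:
            reply_src_ports[src_port] += 1
            bm = BLOCK_RE.search(rest)
            if bm:
                data_seen[(int(dst_port), int(bm["block"]))] += 1
    # A block sent more than once to the same client port means the client never ACKed it.
    retransmits = Counter()
    for (port, _block), n in data_seen.items():
        retransmits[port] += n - 1
    answered_after_close = sorted({p for (p, _b) in data_seen if p in unreachable})
    uses_ephemeral = any(p not in ("tftp", "69") for p in reply_src_ports)
    return {
        "request_ports": requests,
        "reply_src_ports": dict(reply_src_ports),
        "server_uses_ephemeral_port": uses_ephemeral,
        "retransmits_per_port": dict(retransmits),
        "answered_after_close": answered_after_close,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample the server replies only from port tftp, block 1 is retransmitted to the first client port with no ACK, and that same port is the one the host reports unreachable, which is the pattern the message above describes.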