From owner-freebsd-pf@FreeBSD.ORG Mon Aug 1 11:07:13 2011 Return-Path: Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A9ED8106564A for ; Mon, 1 Aug 2011 11:07:13 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 900308FC17 for ; Mon, 1 Aug 2011 11:07:13 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p71B7DcN014649 for ; Mon, 1 Aug 2011 11:07:13 GMT (envelope-from owner-bugmaster@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p71B7CTt014647 for freebsd-pf@FreeBSD.org; Mon, 1 Aug 2011 11:07:12 GMT (envelope-from owner-bugmaster@FreeBSD.org) Date: Mon, 1 Aug 2011 11:07:12 GMT Message-Id: <201108011107.p71B7CTt014647@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f From: FreeBSD bugmaster To: freebsd-pf@FreeBSD.org Cc: Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Aug 2011 11:07:13 -0000

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/159029  pf         [pf] [panic] m_copym, offset > size of mbuf chain when
o kern/158873  pf         [pf] [panic] When I launch pf daemon, I have a kernel
o kern/158636  pf         [pf] if_pfsync.c fails to build when NBPFILTER == 0
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf         [pf] "(self)" not always matching all local IPv6 addre
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

49 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Aug 1 16:40:01 2011 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6ED22106566B for ; Mon, 1 Aug 2011 16:40:01 +0000 (UTC) (envelope-from mike@jellydonut.org) Received: from mail-fx0-f54.google.com (mail-fx0-f54.google.com [209.85.161.54]) by mx1.freebsd.org (Postfix) with ESMTP id 0A3278FC20 for ; Mon, 1 Aug 2011 16:40:00 +0000 (UTC) Received: by fxe4 with SMTP id 4so6528329fxe.13 for ; Mon, 01 Aug 2011 09:40:00 -0700 (PDT) MIME-Version: 1.0 Received: by 10.223.16.140 with SMTP id o12mr2276658faa.89.1312215141015; Mon, 01 Aug 2011 09:12:21 -0700 (PDT) Received: by 10.223.118.79 with HTTP; Mon, 1 Aug 2011 09:12:20 -0700 (PDT) In-Reply-To: References: Date: Mon, 1 Aug 2011 12:12:20 -0400 Message-ID: From: Michael Proto To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 Subject: Re: IPv6 config for PF X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Aug 2011 16:40:01 -0000 On Fri, Jul 29, 2011 at 8:11 PM, Chris wrote: > Hello, > > I'm having a heck of a time trying to get PF to work with IPv6 on a > few FreeBSD machines, mainly regarding NDP and RAs. Does anyone have a > sample ruleset they can share > for a server system that has a few services exposed? > I'm running pf w/ IPv6 on a FreeBSD gateway, not an actual server, but these rules might help you with your server as well (I also had a heck of a time getting all RA/NDP services working until I fixed this ruleset). The biggest gotcha for me was ensuring that link-local and multicast was allowed to/from hosts on my LAN. 
Here's a subset of what I had to apply in my ruleset:

    6lan = "2001:1111:2222::1/64"
    # the table's <name> did not survive the archive (angle brackets stripped)
    table { fe80::/10, ff01::/8, ff02::/8 }

    pass in quick on $lan inet6 from { $6lan, }
    pass out quick on $lan inet6 to { $6lan, }

As this is my internal network, I allow all traffic here and then filter incoming/outgoing ports and whatnot on my WAN interface, but hopefully you get the general idea.

-Proto

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 2 19:20:29 2011 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C3791106566B for ; Tue, 2 Aug 2011 19:20:29 +0000 (UTC) (envelope-from lyndon@orthanc.ca) Received: from orthanc.ca (orthanc.ca [IPv6:2607:fc50:1000:8200:216:3eff:fe2c:dc8f]) by mx1.freebsd.org (Postfix) with ESMTP id 987D98FC17 for ; Tue, 2 Aug 2011 19:20:29 +0000 (UTC) Received: from orthanc.ca (localhost [127.0.0.1]) by orthanc.ca (8.14.4/8.14.4) with ESMTP id p72JKQHi089610 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Tue, 2 Aug 2011 12:20:26 -0700 (PDT) (envelope-from lyndon@orthanc.ca) Received: (from uucp@localhost) by orthanc.ca (8.14.4/8.14.4/Submit) with UUCP id p72JKQx4089609 for freebsd-pf@freebsd.org; Tue, 2 Aug 2011 12:20:26 -0700 (PDT) (envelope-from lyndon@orthanc.ca) Received: from gandalf.orthanc.ca (frodo.orthanc.ca [172.16.0.3]) by legolas.orthanc.ca (8.14.4/8.14.4) with ESMTP id p72JKOdb071918 for ; Tue, 2 Aug 2011 12:20:24 -0700 (PDT) (envelope-from lyndon@orthanc.ca) Message-ID: To: freebsd-pf@freebsd.org From: "Lyndon Nerenberg (VE6BBM/VE7TFX)" Date: Tue, 2 Aug 2011 12:20:24 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit Subject: pf rules for pptpd X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help:
List-Subscribe: , X-List-Received-Date: Tue, 02 Aug 2011 19:20:29 -0000 I'm wondering if anyone has come up with a method of allowing pptpd and pf to get along. It seems that using the ppp interface up and down scripts to add/delete interface-specific rules to pf is the way to go. Are there any other methods people would recommend? --lyndon From owner-freebsd-pf@FreeBSD.ORG Tue Aug 2 22:14:32 2011 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7C41F106564A for ; Tue, 2 Aug 2011 22:14:32 +0000 (UTC) (envelope-from lobo@bsd.com.br) Received: from mail-gx0-f182.google.com (mail-gx0-f182.google.com [209.85.161.182]) by mx1.freebsd.org (Postfix) with ESMTP id 3F14A8FC0C for ; Tue, 2 Aug 2011 22:14:31 +0000 (UTC) Received: by gxk28 with SMTP id 28so194238gxk.13 for ; Tue, 02 Aug 2011 15:14:31 -0700 (PDT) Received: by 10.236.77.200 with SMTP id d48mr5446054yhe.137.1312323271225; Tue, 02 Aug 2011 15:14:31 -0700 (PDT) Received: from papi.localnet ([187.58.105.128]) by mx.google.com with ESMTPS id w1sm205453yhi.51.2011.08.02.15.14.29 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 02 Aug 2011 15:14:30 -0700 (PDT) From: Mario Lobo To: freebsd-pf@freebsd.org Date: Tue, 2 Aug 2011 19:14:22 -0300 User-Agent: KMail/1.13.7 (FreeBSD/8.2-STABLE; KDE/4.6.2; amd64; ; ) References: In-Reply-To: X-KMail-Markup: true MIME-Version: 1.0 Message-Id: <201108021914.22938.lobo@bsd.com.br> Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Re: pf rules for pptpd X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Aug 2011 22:14:32 -0000 On Tuesday 02 August 2011 16:20:24 Lyndon Nerenberg 
(VE6BBM/VE7TFX) wrote:
> I'm wondering if anyone has come up with a method of allowing pptpd
> and pf to get along. It seems that using the ppp interface up and
> down scripts to add/delete interface-specific rules to pf is the
> way to go. Are there any other methods people would recommend?
>
> --lyndon
>

This was the way I went. I started using pptpd but after a while (I said "a while", but it could have been an upgrade, a new port install, etc.), somehow, it started to randomly drop the connections, no matter what form of keep-alive I used. I spent several weeks trying to find out why, to no avail.

I finally gave up and switched to mpd5. I solved my problem and it has been rock solid ever since.

--
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!]
(99% winblows FREE)

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 2 22:34:47 2011 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id F2F48106564A for ; Tue, 2 Aug 2011 22:34:47 +0000 (UTC) (envelope-from lobo@bsd.com.br) Received: from mail-yw0-f54.google.com (mail-yw0-f54.google.com [209.85.213.54]) by mx1.freebsd.org (Postfix) with ESMTP id A6C378FC0A for ; Tue, 2 Aug 2011 22:34:47 +0000 (UTC) Received: by ywm39 with SMTP id 39so200713ywm.13 for ; Tue, 02 Aug 2011 15:34:47 -0700 (PDT) Received: by 10.150.146.16 with SMTP id t16mr2303498ybd.29.1312324485491; Tue, 02 Aug 2011 15:34:45 -0700 (PDT) Received: from papi.localnet ([187.58.105.128]) by mx.google.com with ESMTPS id a16sm1886364ybn.17.2011.08.02.15.34.42 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 02 Aug 2011 15:34:44 -0700 (PDT) From: Mario Lobo To: "Lyndon Nerenberg (VE6BBM/VE7TFX)" Date: Tue, 2 Aug 2011 19:34:37 -0300 User-Agent: KMail/1.13.7 (FreeBSD/8.2-STABLE; KDE/4.6.2; amd64; ; ) References: <8e39326f7157e68f3dbc7d3080fbe186@orthanc.ca> In-Reply-To: <8e39326f7157e68f3dbc7d3080fbe186@orthanc.ca> X-KMail-Markup: true
MIME-Version: 1.0 Message-Id: <201108021934.37477.lobo@bsd.com.br> Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-pf@freebsd.org Subject: Re: pf rules for pptpd X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Aug 2011 22:34:48 -0000

On Tuesday 02 August 2011 19:17:34 you wrote:
> > I finally gave up and switched to mpd5. I solved my problem and it has
> > been rock solid ever since.
>
> I'm not wedded to pptpd. But I found mpd5 to be even more convoluted to
> configure. Can you share your configuration files?

Sure thing, man! Here it is. Server side. With this config, ANY unix or Win (XP, 7, Vista, whatever) closes a VPN with the FreeBSD FW. And it authenticates the user in AD (2008 R2) via AD's radius server.

### mpd.conf

startup:
# Setup console user, password and level
        set user admin password yyyyyy
        set console self 127.0.0.1 5005
        set console open
#       set web self 0.0.0.0 5006
#       set web open

default:
        load pptp_server

pptp_server:
        set ippool add pool1 172.16.3.201 172.16.3.239
        create bundle template B
        # up/down scripts get the ng interface, addresses and user name
        set iface up-script /usr/local/etc/mpd5/linkup
        set iface down-script /usr/local/etc/mpd5/linkdown
        set iface enable proxy-arp
        set iface idle 1800
        set iface enable tcpmssfix
        set ipcp yes vjcomp
        set ipcp ranges 172.16.3.200/32 ippool pool1
        set ipcp dns 172.16.3.133
        set ipcp nbns 172.16.3.133
        set bundle enable compression
#       set bundle enable encryption
        set ccp yes mppc
        set mppc yes e40                # 40-bit MPPE (weak)
        set mppc yes e128               # 128-bit MPPE
        set mppc yes stateless

## Setup The Link Layer ##
        create link template L pptp
        set link action bundle B
        set link enable multilink
        set link yes acfcomp protocomp
        set link no pap chap
        set link enable chap
        set link keep-alive 10 60
#       set link mtu 1300
        set link mtu 1460
        set pptp self a.b.c.d
#       set pptp disable windowing
        set link enable incoming
        load radius

radius:
        # <server> <shared secret> <auth port> <acct port>
        set radius server 172.16.3.133 password 1812 1813
        set radius retries 3
        set radius timeout 10
        set auth acct-update 120
        set auth enable radius-auth
        set auth enable radius-acct
        set radius enable message-authentic
        set radius me 172.16.3.1
        set radius identifier xxxxxxx

With those scripts below, I get individual user log files, saying when they logged in/out, which LAN IP and ng interface they used and from what public IP they connected from. If I do an "ls /var/log/vpns/*.IN", I can see which users are connected to the vpn.

### linkup

#!/usr/local/bin/bash
# Called by mpd5 as: linkup <iface> <proto> <local-ip> <remote-ip> <authname> ...
#   $1 = ng interface, $4 = LAN IP handed to the client, $5 = user name,
#   $8 = the client's public (peer) address in this setup.
LOGDIR=/var/log/vpns
RULES=$LOGDIR/rules

# Add a pass rule for this ng interface once (match "on ng0 " so that
# ng1 does not satisfy a lookup for ng10), then (re)load the rules file
# into the "vpns" anchor; pf.conf needs an 'anchor "vpns"' line for
# the anchor to be evaluated.
/usr/bin/touch "$RULES"
if ! /usr/bin/grep -q "on $1 " "$RULES" ; then
        echo "pass quick on $1 all" >> "$RULES"
fi
/sbin/pfctl -a vpns -f "$RULES"

# Strip the AD domain prefix (DOMAIN\user form) from the user name.
USU="${5:0:11}"
case ${USU} in
        [Aa][Ll][Ll][Ee][Nn][Rr][Ee][Cc][Ii][Ff][Ee]) USU="${5:12:20}" ;;
        *) USU=$5 ;;
esac
USUIN=${USU}-${4}
DIA=$(/bin/date "+%Y-%m-%d %H:%M:%S")
IP=$8

/bin/echo "${DIA} -> ${USU} Logged IN with [ ${1}:${4} ] from [ ${IP} ]." >> "$LOGDIR/${USU}.log"
# Marker file per session: "ls /var/log/vpns/*.IN" lists who is connected.
/usr/bin/touch "$LOGDIR/${USUIN}.IN"
# Publish a proxy-ARP entry for the client's LAN address.
/usr/sbin/arp -s "${4}" auto pub only

### linkdown

#!/usr/local/bin/bash
# Same positional arguments as linkup.
LOGDIR=/var/log/vpns

USU="${5:0:11}"
case ${USU} in
        [Aa][Ll][Ll][Ee][Nn][Rr][Ee][Cc][Ii][Ff][Ee]) USU="${5:12:20}" ;;
        *) USU=$5 ;;
esac
DIA=$(/bin/date "+%Y-%m-%d %H:%M:%S")
USUIN=${USU}-${4}

# Log "OUT" only when this is the user's last remaining session.
count=$(ls -1 "$LOGDIR"/"${USU}"*.IN 2>/dev/null | wc -l)
if [ "$count" -eq 1 ]; then
        /bin/echo "${DIA} -> ${USU} logged OUT." >> "$LOGDIR/${USU}.log"
fi
/bin/rm -f "$LOGDIR/${USUIN}.IN"

## END

I hope this helps!

--
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!]
(99% winblows FREE) From owner-freebsd-pf@FreeBSD.ORG Wed Aug 3 12:03:16 2011 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 93ECD1065674 for ; Wed, 3 Aug 2011 12:03:16 +0000 (UTC) (envelope-from zeus@relay.ibs.dn.ua) Received: from relay.ibs.dn.ua (relay.ibs.dn.ua [91.216.196.25]) by mx1.freebsd.org (Postfix) with ESMTP id 0E2078FC13 for ; Wed, 3 Aug 2011 12:03:15 +0000 (UTC) Received: from relay.ibs.dn.ua (localhost [127.0.0.1]) by relay.ibs.dn.ua with ESMTP id p73BnhTx006924 for ; Wed, 3 Aug 2011 14:49:43 +0300 (EEST) Received: (from zeus@localhost) by relay.ibs.dn.ua (8.14.4/8.14.4/Submit) id p73BnhRa006923 for freebsd-pf@freebsd.org; Wed, 3 Aug 2011 14:49:43 +0300 (EEST) Date: Wed, 3 Aug 2011 14:49:43 +0300 From: Zeus V Panchenko To: freebsd-pf@freebsd.org Message-ID: <20110803114943.GC98303@relay.ibs.dn.ua> Mail-Followup-To: freebsd-pf@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline User-Agent: Mutt/1.4.2.3i X-Operating-System: FreeBSD 8.1-RELEASE X-Editor: GNU Emacs 23.2.1 X-Face: iVBORw0KGgoAAAANSUhEUgAAACoAAAAqBAMAAAA37dRoAAAAFVBMVEWjjoiZhHDWzcZuW1U wOT+RcGxziJxEN0lIAAABrklEQVQokV2STXLbMAyFQaraE3a5dzSTfR1IF7CQrM3QuECn9z9DH0 gxzgSyFvr88PBD0uJxoR6BE+e8LtRgohE5ZB50sODP/REbfUnte/z12+llCekLUSKenFIMke6Be WinE8H0RJHSN71rUQp64gFDmtDDhRk0zam3FzpNVFprhwPGaFo6oY9wDBJQ9Qz6EuKyROJjDGa+ uza4VOTa8iHlN58Yv5BF9+4BGl0LA5pUD5xKXg4aQlVZm0co3NKxCGxQpu3aC352Gv3DZONmwQd tkrlaylV3YSew7bWtwAZF/zi9jblmprPoL7ktzeFSxmarVNmWRi+Bmxg7Y7tbGtR8XZUxLTo86G thANsssetjp3POuBvMBRlw6jRa5pKN7yVlP+F2lyiZGSMf5hnSU6eAVupmtfjRcxy0momwpxDnz 06hwnOWvBnUdR8U2/KX7cq26u1Jy5xFZMPOVONRbRUrwey8Qar6cWgf12xSymQuVX0DfYd4R8kN Hg0qCtLeaYZcj8B90M2N0cEX1P0vKSxw7NLy/3X8Qeriusu66jNA37P4Mn5QRTG2hz4d9D/6E3a EX852nwAAAABJRU5ErkJggg== Subject: can pf `nat before vpn'? 
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: zeus@ibs.dn.ua List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Aug 2011 12:03:16 -0000

Hi,

may somebody clarify, pls: can pf do `nat before vpn' to make it possible for the LAN to access networks behind the Cisco ipsec over a single ipsec tunnel ip?

I'm talking about RELENG_8

--
Zeus V. Panchenko
JID:zeus@gnu.org.ua
GMT+2 (EET)

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 4 13:47:26 2011 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BC7D11065689 for ; Thu, 4 Aug 2011 13:47:26 +0000 (UTC) (envelope-from mohacsi@niif.hu) Received: from mail.ki.iif.hu (mail.ki.iif.hu [IPv6:2001:738:0:411::241]) by mx1.freebsd.org (Postfix) with ESMTP id 4B64A8FC12 for ; Thu, 4 Aug 2011 13:47:26 +0000 (UTC) Received: from bolha.lvs.iif.hu (bolha.lvs.iif.hu [193.225.14.181]) by mail.ki.iif.hu (Postfix) with ESMTP id D036187648; Thu, 4 Aug 2011 15:47:24 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at bolha.lvs.iif.hu Received: from mail.ki.iif.hu ([IPv6:::ffff:193.6.222.241]) by bolha.lvs.iif.hu (bolha.lvs.iif.hu [::ffff:193.225.14.72]) (amavisd-new, port 10024) with ESMTP id aMAyak85weaQ; Thu, 4 Aug 2011 15:47:22 +0200 (CEST) Received: by mail.ki.iif.hu (Postfix, from userid 9002) id 1074C87646; Thu, 4 Aug 2011 15:47:22 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by mail.ki.iif.hu (Postfix) with ESMTP id 0922787644; Thu, 4 Aug 2011 15:47:21 +0200 (CEST) Date: Thu,
4 Aug 2011 15:47:21 +0200 (CEST) From: Mohacsi Janos X-X-Sender: mohacsi@mignon.ki.iif.hu To: Michael Proto In-Reply-To: Message-ID: References: User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-pf@freebsd.org Subject: Re: IPv6 config for PF X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Aug 2011 13:47:26 -0000

On Mon, 1 Aug 2011, Michael Proto wrote:

> On Fri, Jul 29, 2011 at 8:11 PM, Chris wrote:
>> Hello,
>>
>> I'm having a heck of a time trying to get PF to work with IPv6 on a
>> few FreeBSD machines, mainly regarding NDP and RAs. Does anyone have a
>> sample ruleset they can share
>> for a server system that has a few services exposed?
>>
>
> I'm running pf w/ IPv6 on a FreeBSD gateway, not an actual server, but
> these rules might help you with your server as well (I also had a heck
> of a time getting all RA/NDP services working until I fixed this
> ruleset). The biggest gotcha for me was ensuring that link-local and
> multicast was allowed to/from hosts on my LAN.
>
> Here's a subset of what I had to apply in my ruleset:
>
> 6lan = "2001:1111:2222::1/64"
> table { fe80::/10, ff01::/8, ff02::/8 }
>
> pass in quick on $lan inet6 from { $6lan, }
> pass out quick on $lan inet6 to { $6lan, }
>
>
> As this is my internal network, I allow all traffic here and then filter
> incoming/outgoing ports and whatnot on my WAN interface, but hopefully
> you get the general idea.

It can be slightly more strict: RA/NDP is using ICMPv6.

Regards,
Janos Mohacsi

>
> -Proto

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 5 01:34:40 2011 Return-Path: Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 829AE106566C; Fri, 5 Aug 2011 01:34:40 +0000 (UTC) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 595858FC24; Fri, 5 Aug 2011 01:34:40 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p751Ydpf024369; Fri, 5 Aug 2011 01:34:39 GMT (envelope-from linimon@freefall.freebsd.org) Received: (from linimon@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p751YdmK024365; Fri, 5 Aug 2011 01:34:39 GMT (envelope-from linimon) Date: Fri, 5 Aug 2011 01:34:39 GMT Message-Id: <201108050134.p751YdmK024365@freefall.freebsd.org> To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org From: linimon@FreeBSD.org Cc: Subject: Re: kern/159390: [pf] [panic] mutex pf task mtx owned at /usr/src/sys/contrib/pf/net/if_pfsync.c:2029 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Aug 2011 01:34:40 -0000

Old Synopsis: panic: mutex pf task mtx owned at /usr/src/sys/contrib/pf/net/if_pfsync.c:2029
New Synopsis: [pf] [panic] mutex pf task mtx owned at /usr/src/sys/contrib/pf/net/if_pfsync.c:2029

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Fri Aug 5 01:34:21 UTC 2011 Responsible-Changed-Why: Over to maintainer(s). http://www.freebsd.org/cgi/query-pr.cgi?pr=159390
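For the "IPv6 config for PF" thread above (Proto's link-local/multicast rules, and Mohacsi's point that RA/NDP is ICMPv6), here is a tighter LAN-side ruleset as an added example; it was not posted by either of them and is not FreeBSD code. The interface name em0, the 2001:db8:1::/64 prefix, the <v6local> table name, the $lan_router address and the service ports are assumptions to be replaced with local values. Instead of passing every protocol between on-link addresses, it passes only the ICMPv6 types Neighbor Discovery and Router Discovery use, accepts Router Advertisements only from the known router, and then opens the actual services.

```pf
# Added example (not from the list posts): LAN-side IPv6 rules that allow
# NDP/RA as ICMPv6 rather than "pass ... all".  em0, 2001:db8:1::/64,
# <v6local>, $lan_router and the port list are assumptions.
lan        = "em0"
lan6       = "2001:db8:1::/64"
lan_router = "fe80::1"          # link-local address of the legitimate router

# Link-local unicast, link-scope multicast (ff02::/16), and the unspecified
# address, which Duplicate Address Detection uses as the source of its NS.
table <v6local> const { fe80::/10, ff02::/16, :: }

block log all

# Neighbor Solicitation/Advertisement and Router Solicitation, both ways,
# only between on-link addresses and the link-scope groups.  "no state":
# these are single unsolicited packets, not flows worth a state entry.
pass in  quick on $lan inet6 proto ipv6-icmp \
    from { $lan6, <v6local> } to { $lan6, <v6local> } \
    icmp6-type { neighbrsol, neighbradv, routersol } no state
pass out quick on $lan inet6 proto ipv6-icmp \
    from { $lan6, <v6local> } to { $lan6, <v6local> } \
    icmp6-type { neighbrsol, neighbradv, routersol } no state

# Router Advertisements: accept them only from the known router, so another
# host on the LAN cannot hand out a bogus default route or prefix.
pass in quick on $lan inet6 proto ipv6-icmp \
    from $lan_router to <v6local> icmp6-type routeradv no state
# Gateway running rtadvd only; delete this on a plain server.
pass out quick on $lan inet6 proto ipv6-icmp \
    from fe80::/10 to <v6local> icmp6-type routeradv no state

# MLD, so switches doing MLD snooping keep forwarding solicited-node groups.
pass quick on $lan inet6 proto ipv6-icmp \
    from fe80::/10 to ff02::/16 \
    icmp6-type { listqry, listenrep, listendone } no state

# Routers never fragment IPv6: Packet Too Big and the other errors must get
# through, or PMTU discovery fails and TCP sessions hang silently.
pass in  quick inet6 proto ipv6-icmp \
    icmp6-type { toobig, unreach, timex, paramprob } no state
pass out quick inet6 proto ipv6-icmp \
    icmp6-type { toobig, unreach, timex, paramprob } no state
pass inet6 proto ipv6-icmp icmp6-type { echoreq, echorep } keep state

# The services actually exposed, instead of passing everything on-link.
pass in  on $lan inet6 proto tcp from any to $lan6 port { 22, 443 } \
    flags S/SA keep state
pass out on $lan inet6 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then watch `tcpdump -n -e -ttt -i pflog0 ip6` while a client brings its address up: anything Neighbor Discovery still needs shows up there against the `block log` rule. The difference from the posted rules is that a host on the LAN can no longer reach every port on the box (the original `pass in quick on $lan inet6 from { ... }` has no protocol, port or destination restriction) and cannot announce itself as a router.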