From owner-freebsd-pf@FreeBSD.ORG Mon Jul 9 11:07:17 2012
From: FreeBSD bugmaster (owner-bugmaster@FreeBSD.org)
To: freebsd-pf@FreeBSD.org
Date: Mon, 9 Jul 2012 11:07:16 GMT
Message-Id: <201207091107.q69B7GXd075508@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
s kern/167057  pf         [pf] PF firewall version 4.5 in FreeBSD 9.0 & 8.2 nolo
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

52 problems total.
From owner-freebsd-pf@FreeBSD.ORG Tue Jul 10 01:47:12 2012
From: Hao Bryan Cheng (hbcheng@berkeley.edu)
To: freebsd-pf@freebsd.org
Date: Mon, 09 Jul 2012 18:31:55 -0700
Message-ID: <7b10a675fc6b44b4b93597d97036de31@berkeley.edu>
Subject: Question regarding packet forwarding and Squid

Hello all,

I am working on converting a captive portal system from ipfw to pf (in
order to support port-block allocation in many-to-one NAT) on systems
currently running FreeBSD 8.2.

Most of the firewall rewrite went without incident. However, I am having
trouble replicating the fwd functionality of ipfw in pf.

Our ipfw firewall uses the fwd rule to send packets from the private side
of the portal to a squid instance running on 127.0.0.1:3128. From there,
squid runs our url_rewrite script. The nice thing about this setup is that
the fwd rule does not rewrite either the destination IP or port of the
packet, meaning that the url_rewrite script can easily extract this
information from the input line that squid provides (myip corresponding to
the destination IP address of the original HTTP request). We then add the
IP address to a firewall table to grant HTTPS access to the destination
host, bypassing squid entirely.

I was able to get traffic into squid via pf using a rdr rule. However, this
rule rewrites the destination IP and port of the request, which means that
the url_rewrite script is no longer aware of the original destination IP.
While there are several options for changing the url_rewrite script to
accommodate this change, I would like to avoid unnecessary (and redundant)
nameserver lookups.

Is there a rule in pf that behaves similarly to ipfw's fwd rule? I have
heard mentions of a divert-to rule, but I was unsuccessful in finding any
official documentation on the subject anywhere online.

Any help would be greatly appreciated.
Thanks,

Hao Bryan Cheng

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 10 20:49:45 2012
From: Ermal Luçi (ermal.luci@gmail.com)
To: Hao Bryan Cheng
Cc: freebsd-pf@freebsd.org
Date: Tue, 10 Jul 2012 22:49:44 +0200
In-Reply-To: <7b10a675fc6b44b4b93597d97036de31@berkeley.edu>
Subject: Re: Question regarding packet forwarding and Squid

On Tue, Jul 10, 2012 at 3:31 AM, Hao Bryan Cheng wrote:
> Hello all,
>
> I am working on converting a captive portal system from ipfw to pf (in
> order to support port-block allocation in many-to-one NAT) on systems
> currently running FreeBSD 8.2.
>
> Most of the firewall rewrite went without incident. However, I am having
> trouble replicating the fwd functionality of ipfw in pf.
>
> Our ipfw firewall uses the fwd rule to send packets from the private side
> of the portal to a squid instance running on 127.0.0.1:3128. From there,
> squid runs our url_rewrite script. The nice thing about this setup is that
> the fwd rule does not rewrite either the destination IP or port of the
> packet, meaning that the url_rewrite script can easily extract this
> information from the input line that squid provides (myip corresponding to
> the destination IP address of the original HTTP request). We then add the
> IP address to a firewall table to grant HTTPS access to the destination
> host bypassing squid entirely.
>
> I was able to get traffic into squid via pf using a rdr rule. However this
> rule rewrites the destination IP and port of the request which means that
> the url_rewrite script is no longer aware of the original destination IP.
> While there are several options for changing the url_rewrite script to
> accommodate this change, I would like to avoid unnecessary (and redundant)
> nameserver lookups.
>
> Is there a rule in pf that behaves similarly to ipfw's fwd rule? I have
> heard mentions of a divert-to rule, but I was unsuccessful in finding any
> official documentation on the subject anywhere online.
>
> Any help would be greatly appreciated.
>
You will not find such functionality easily or without tricky requirements.

> Thanks,
>
> Hao Bryan Cheng

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 11 07:22:11 2012
From: Daniel Hartmeier (dhartmei@insomnia.benzedrine.cx)
To: Hao Bryan Cheng
Cc: freebsd-pf@freebsd.org
Date: Wed, 11 Jul 2012 09:22:00 +0200
Message-ID: <20120711072200.GD9145@insomnia.benzedrine.cx>
In-Reply-To: <7b10a675fc6b44b4b93597d97036de31@berkeley.edu>
Subject: Re: Question regarding packet forwarding and Squid

On Mon, Jul 09, 2012 at 06:31:55PM -0700, Hao Bryan Cheng wrote:
> Is there a rule in pf that behaves similarly to ipfw's fwd rule? I have
> heard mentions of a divert-to rule, but I was unsuccessful in finding any
> official documentation on the subject anywhere online.

No, there's no generic rule in pf to solve this for every proxy, but
there is a solution for squid specifically:

When you build the Squid port (www/squid) there is an option

  [ ] SQUID_PF   Enable transparent proxying with PF

This enables a function specifically to deal with your case: when squid,
listening on 127.0.0.1:3128, receives a connection rdr'd by pf

  src               original dst      rewritten dst
  10.1.2.3:61234 -> 62.65.1.2:80   -> 127.0.0.1:3128

squid will use a pf-specific ioctl() call to figure out the original
destination, and use it for url_rewrite, too, AFAIK.

HTH,
Daniel
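The helper side of the setup the question and Daniel's answer describe, as an added example that is neither the poster's url_rewrite script nor Squid code. The lookup Daniel mentions is the DIOCNATLOOK ioctl on /dev/pf; Squid only performs it on a listening port marked intercept (transparent on Squid 2.x), and the user squid drops to must be able to read /dev/pf, otherwise the helper sees the rdr target in myip= instead of the original destination. The matching pf.conf side is the rdr from the thread plus a table the helper fills; with placeholder interface and network names that would be `table <https_bypass> persist`, `rdr on $int_if inet proto tcp from $int_net to any port 80 -> 127.0.0.1 port 3128` and `pass in on $int_if inet proto tcp from $int_net to <https_bypass> port 443`. The helper input format (the classic `URL client_ip/fqdn ident method [urlgroup] key=value ...` line with myip= and myport= pairs), the table name https_bypass and the pfctl invocation are assumptions, marked as such in the code.

```python
#!/usr/bin/env python3
"""Squid url_rewrite helper that grants HTTPS bypass per original destination.

Added example for the thread above, not the poster's script or Squid code.
Assumed input line format (classic Squid url_rewrite protocol):
    URL client_ip/fqdn ident method [urlgroup] key=value ...
with myip=<addr> and myport=<port> among the key=value pairs.  With the
www/squid SQUID_PF option and an 'intercept' http_port, Squid fills myip
from its pf lookup, so it is the original destination, not 127.0.0.1.
The pf table name is an assumption; it must be declared in pf.conf.
"""
import ipaddress
import subprocess
import sys

PF_TABLE = "https_bypass"                        # assumed <https_bypass> table
RDR_TARGET = ipaddress.ip_address("127.0.0.1")   # rdr destination from the thread


def parse_helper_line(line):
    """Split one helper request into (url, client_ip, method, kv).

    kv holds the trailing key=value pairs (myip, myport, ...).  Raises
    ValueError on a line that does not carry the four mandatory fields.
    """
    fields = line.strip().split()
    if len(fields) < 4:
        raise ValueError("short helper line: %r" % line)
    url, client, _ident, method = fields[:4]
    client_ip = client.split("/", 1)[0]          # "10.1.2.3/-" -> "10.1.2.3"
    kv = {}
    for tok in fields[4:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            kv[key] = value
    return url, client_ip, method, kv


def original_destination(kv):
    """Return the original destination as an ip_address, or None.

    None means "do not whitelist": myip is missing, unparsable, or is the
    rdr target itself.  The last case is the failure mode to watch for: it
    is what you get when Squid was built without SQUID_PF or the port is
    not marked intercept, and adding 127.0.0.1 to a bypass table would be
    both useless and wrong.
    """
    try:
        addr = ipaddress.ip_address(kv["myip"])
    except (KeyError, ValueError):
        return None
    if addr == RDR_TARGET or addr.is_loopback or addr.is_unspecified:
        return None
    return addr


def pfctl_add_command(addr):
    """The pfctl invocation that adds addr to the bypass table (assumed)."""
    return ["pfctl", "-t", PF_TABLE, "-T", "add", str(addr)]


def handle(line, added, run=subprocess.run):
    """Process one request; return the answer line for Squid.

    An empty answer tells Squid to fetch the URL unchanged (classic
    protocol).  'added' is the set of addresses already in the table, so
    pfctl is forked only once per destination; 'run' is injectable for tests.
    """
    try:
        _url, _client_ip, _method, kv = parse_helper_line(line)
    except ValueError:
        return ""                 # never rewrite what we could not parse
    dst = original_destination(kv)
    if dst is not None and dst not in added:
        run(pfctl_add_command(dst), check=False)
        added.add(dst)
    return ""


def main():
    added = set()
    for line in sys.stdin:        # Squid writes one request per line
        sys.stdout.write(handle(line, added) + "\n")
        sys.stdout.flush()        # helper output must not be block-buffered


if __name__ == "__main__":
    main()
```

Point url_rewrite_program at this script with pfctl in its PATH. The refusal of 127.0.0.1 is the check worth keeping: a helper that sees the rdr target in myip is looking at a lookup that never happened. Note also that the table, as the thread describes it, opens port 443 to every host on the private side once any client has sent an HTTP request to that address; if only portal-authenticated clients should get that, gate the add on the client's portal state (the client_ip field is parsed for exactly that) or key the pass rule on source as well.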