From owner-freebsd-pf@FreeBSD.ORG Mon Nov 3 03:54:08 2014
Date: Mon, 3 Nov 2014 14:54:02 +1100 (EST)
From: Dave Horsfall
To: FreeBSD PF List
Subject: Getting tables to work in PF
List-Id: "Technical discussion and general questions about packet filter (pf)"

FreeBSD 8.2-RELEASE-p3 binary (yeah, I need to update, but
my DVD reader is busted).

After seeing an obnoxious spammer on 216.66.15.120 (it doesn't take "550
5.7.1" as a hint), I thought this would be a good time to try tables so
that it doesn't clutter my reject log.

/etc/pf.conf:

table <spammers> persist file "/etc/spammers"
...
block in log quick on $ext_if from <spammers> to any

/etc/spammers:

# netman.cust.fsi.io
216.66.15.120

and restart.  File gets read, but it's not blocking.  OK, add it in by
hand:

aneurin# pfctl -t spammers -Tadd 216.66.15.120
No ALTQ support in kernel
ALTQ related functions disabled
1 table created.
1/1 addresses added.

Odd.  So the table is now created, but it still ain't blocking.  Adding it
a second time is ignored.

I also tried blocking woodpeckers (those which retry *seconds* later).

/etc/pf.conf:

table <woodpeckers> persist
...
block in log quick on $ext_if from <woodpeckers>
# No more than 10/IP, or 5/minute should be plenty.
pass inet proto tcp from any port smtp \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/60, \
    overload <woodpeckers> flush global)

Nope.  Try by hand:

aneurin# pfctl -t woodpeckers -T add 212.192.226.180
No ALTQ support in kernel
ALTQ related functions disabled
1 table created.
1/1 addresses added.

Nope.  Nothing in the log, and "pfctl -t woodpeckers -T show -v" reports
no matches.

As a quick test, I disallow *all* SMTP.  Still works.

So, err, does PF actually work?  Have I stuffed up somewhere?

Thanks.

-- 
Dave Horsfall (VK2KFU)  "Bliss is a MacBook with a FreeBSD server."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 3 07:39:56 2014
Date: Mon, 3 Nov 2014 08:39:55 +0100
From: Ermal Luçi
To: Dave Horsfall
Cc: FreeBSD PF List
Subject: Re: Getting tables to work in PF

Probably you forgot to clear the states!

On Mon, Nov 3, 2014 at 4:54 AM, Dave Horsfall wrote:
> FreeBSD 8.2-RELEASE-p3 binary (yeah, I need to update, but my DVD reader
> is busted).
>
> After seeing an obnoxious spammer on 216.66.15.120 (it doesn't take "550
> 5.7.1" as a hint), I thought this would be a good time to try tables so
> that it doesn't clutter my reject log.
>
> /etc/pf.conf:
>
> table <spammers> persist file "/etc/spammers"
> ...
> block in log quick on $ext_if from <spammers> to any
>
> /etc/spammers:
>
> # netman.cust.fsi.io
> 216.66.15.120
>
> and restart.  File gets read, but it's not blocking.  OK, add it in by
> hand:
>
> aneurin# pfctl -t spammers -Tadd 216.66.15.120
> No ALTQ support in kernel
> ALTQ related functions disabled
> 1 table created.
> 1/1 addresses added.
>
> Odd.  So the table is now created, but it still ain't blocking.  Adding it
> a second time is ignored.
>
> I also tried blocking woodpeckers (those which retry *seconds* later).
>
> /etc/pf.conf:
>
> table <woodpeckers> persist
> ...
> block in log quick on $ext_if from <woodpeckers>
> # No more than 10/IP, or 5/minute should be plenty.
> pass inet proto tcp from any port smtp \
>     flags S/SA keep state \
>     (max-src-conn 10, max-src-conn-rate 5/60, \
>     overload <woodpeckers> flush global)
>
> Nope.  Try by hand:
>
> aneurin# pfctl -t woodpeckers -T add 212.192.226.180
> No ALTQ support in kernel
> ALTQ related functions disabled
> 1 table created.
> 1/1 addresses added.
>
> Nope.  Nothing in the log, and "pfctl -t woodpeckers -T show -v" reports
> no matches.
>
> As a quick test, I disallow *all* SMTP.  Still works.
>
> So, err, does PF actually work?  Have I stuffed up somewhere?
>
> Thanks.
>
> -- 
> Dave Horsfall (VK2KFU)  "Bliss is a MacBook with a FreeBSD server."
> http://www.horsfall.org/spam.html (and check the home page whilst you're
> there)

-- 
Ermal

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 3 09:13:44 2014
Date: Mon, 3 Nov 2014 20:13:04 +1100 (EST)
From: Dave Horsfall
To: FreeBSD PF List
Subject: Re: Getting tables to work in PF

On Mon, 3 Nov 2014, Ermal Luçi wrote:

> Probably you forgot to clear the states!

I was under the impression that "state" applied to "keep state" i.e.
outgoing connections.

Nonetheless:

aneurin# pfctl -s state
No ALTQ support in kernel
ALTQ related functions disabled
aneurin# pfctl -F s
No ALTQ support in kernel
ALTQ related functions disabled
0 states cleared
aneurin#

Still not blocking, and still not logging any such blocks.  Got a working
example that I can use?

Do remember that I even blocked all incoming SMTP as a test, hence my
question as to whether PF was actually working here.

Also don't forget my other observation that <spammers> wasn't created
until I did so by hand.

-- 
Dave Horsfall (VK2KFU)  "Bliss is a MacBook with a FreeBSD server."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 3 10:04:05 2014
Date: Mon, 3 Nov 2014 11:04:04 +0100
From: Ermal Luçi
To: Dave Horsfall
Cc: FreeBSD PF List
Subject: Re: Getting tables to work in PF

On Mon, Nov 3, 2014 at 10:13 AM, Dave Horsfall wrote:
> On Mon, 3 Nov 2014, Ermal Luçi wrote:
>
> > Probably you forgot to clear the states!
>
> I was under the impression that "state" applied to "keep state" i.e.
> outgoing connections.
>
> Nonetheless:
>
> aneurin# pfctl -s state
> No ALTQ support in kernel
> ALTQ related functions disabled
> aneurin# pfctl -F s
> No ALTQ support in kernel
> ALTQ related functions disabled
> 0 states cleared
> aneurin#
>

Well there are two things needed from your side:
- Full ruleset if you can disclose
- Make sure with output of pfctl -s all that pf is actually enabled to do
  filtering on packets.

NOTE: You enable pf by running pfctl -e

>
> Still not blocking, and still not logging any such blocks.  Got a working
> example that I can use?
>
> Do remember that I even blocked all incoming SMTP as a test, hence my
> question as to whether PF was actually working here.
>
> Also don't forget my other observation that <spammers> wasn't created
> until I did so by hand.
>
> -- 
> Dave Horsfall (VK2KFU)  "Bliss is a MacBook with a FreeBSD server."
> http://www.horsfall.org/spam.html (and check the home page whilst you're
> there)

-- 
Ermal

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 3 10:41:16 2014
Date: Mon, 3 Nov 2014 21:40:50 +1100 (EST)
From: Dave Horsfall
To: FreeBSD PF List
Subject: Re: Getting tables to work in PF

On Mon, 3 Nov 2014, Ermal Luçi wrote:

> - Full ruleset if you can disclose

As attached - no secrets in it.  It's somewhat loose because it's behind
another firewall (the ADSL modem) that just lets SMTP/HTTP/SSH-secret-port
through to it (I've masked the SSH port).

> - Make sure with output of pfctl -s all that pf is actually enabled to
> do filtering on packets.

Attached; the empty "FILTER RULES" looks a bit suspicious...

> NOTE: You enable pf by running pfctl -e

I know; I was using "service pf restart" as well.

-- 
Dave Horsfall (VK2KFU)  "Bliss is a MacBook with a FreeBSD server."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)

[Attachment: spammers]

# netman.cust.fsi.io
216.66.15.120

[Attachment: pf.conf]

#
# Stripped down heavily from KD (OpenBSD).
# This box has no other interfaces, and is facing the net.
#
# In other words, there is no internal interface; this box is
# all that there is, hence is self-firewalled.
#

ext_if = "fxp0"

set block-policy drop
set skip on lo
set loginterface egress	# Can't remember what this does
#set ruleset-optimization basic

#
# Does this actually create the table?  Because it sure as hell doesn't
# load it...  For that I need "pfctl [-v] -t spammers -Tadd x.x.x.x"
#
table <spammers> persist file "/etc/spammers"

#
# SMTP mostly, but could use for www, ssh, etc.
#
# Cleanse every so often with "pfctl -t woodpeckers -T seconds.
#
table <woodpeckers> persist

scrub in	# Unfrag packets

block all	# But wait, there's more!

pass out quick all keep state

antispoof log quick for $ext_if inet

block in log quick on $ext_if from <spammers> to any

block in log quick on $ext_if from <woodpeckers>

# No more than 10/IP, or 5/minute should be plenty.
pass inet proto tcp from any port smtp \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/60, \
    overload <woodpeckers> flush global)

# Problem packet prevention
block in log quick from no-route to any
block in log quick on $ext_if from any to 255.255.255.255

block in log quick from any to 0.0.0.0/32
block in log quick from { 224.0.0.0/4, 255.255.255.255/32 } to any

# What about 44/8?

# Testing
#block in quick log on $ext_if proto tcp port smtp from any to any

# Allowed services handled here

# DH - NNNN is where I park my SSHD
pass in quick on $ext_if proto tcp from any to any port \
	{ smtp, www, domain, NNNN, sftp } flags S/SA keep state
pass in quick on $ext_if proto udp from any to any port { domain, ntp } keep state
pass in quick on $ext_if inet proto icmp from any to any icmp-type unreach
pass in quick on $ext_if inet proto igmp from any to any

[Attachment: pfctl (Output of pfctl -s all)]

FILTER RULES:

INFO:
Status: Enabled for 0 days 14:10:09           Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                          115778            2.3/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                             115778            2.3/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                            408            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start             6000 states
adaptive.end              12000 states
src.track                     0s

LIMITS:
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000

TABLES:
spammers
woodpeckers

OS FINGERPRINTS:
696 fingerprints loaded

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 3 22:01:35 2014
Date: Tue, 4 Nov 2014 09:01:19 +1100 (EST)
From: Dave Horsfall
To: FreeBSD PF List
Subject: Re: Getting tables to work in PF

Further to this, it's behaving as though it's parsing the rules but not
actually honouring them.  Ring any bells with anyone?

If I had an OpenBSD box to hand then I'd swap it in, but I don't.

-- 
Dave Horsfall (VK2KFU)  "Bliss is a MacBook with a FreeBSD server."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 3 22:30:43 2014
Date: Tue, 4 Nov 2014 09:30:33 +1100 (EST)
From: Dave Horsfall
To: FreeBSD PF List
Subject: Re: Getting tables to work in PF

On Mon, 3 Nov 2014, Doug Hardie wrote:

> What happens when you run: pfctl -f /etc/pf.conf

aneurin# pfctl -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: DIOCSETSTATUSIF

> I suspect you have something in /etc/rc.conf giving a different file for
> the default pf config file.  Your pf.conf file has a bunch of rules,
> none of which are shown in the pfctl output.

That's what I thought, but:

a) it flags syntax errors.

b) it's reading the /etc/spammers file.

-- 
Dave Horsfall (VK2KFU)  "Bliss is a MacBook with a FreeBSD server."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 3 22:34:24 2014
Date: Mon, 3 Nov 2014 14:11:57 -0800
From: Doug Hardie
To: Dave Horsfall
Cc: FreeBSD PF List
Subject: Re: Getting tables to work in PF

> On 3 November 2014, at 02:40, Dave Horsfall wrote:
>
> On Mon, 3 Nov 2014, Ermal Luçi wrote:
>
>> - Full ruleset if you can disclose
>
> As attached - no secrets in it.  It's somewhat loose because it's behind
> another firewall (the ADSL modem) that just lets SMTP/HTTP/SSH-secret-port
> through to it (I've masked the SSH port).
>
>> - Make sure with output of pfctl -s all that pf is actually enabled to
>> do filtering on packets.
>
> Attached; the empty "FILTER RULES" looks a bit suspicious...
>
>> NOTE: You enable pf by running pfctl -e
>
> I know; I was using "service pf restart" as well.

What happens when you run: pfctl -f /etc/pf.conf

I suspect you have something in /etc/rc.conf giving a different file for
the default pf config file.  Your pf.conf file has a bunch of rules, none
of which are shown in the pfctl output.

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 3 22:35:28 2014
Date: Mon, 3 Nov 2014 14:35:27 -0800
From: Doug Hardie
To: Dave Horsfall
Cc: FreeBSD PF List
Subject: Re: Getting tables to work in PF
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 03 Nov 2014 22:35:28 -0000

Do the rules show after that? I've never seen that last line before. I
suspect it indicates an error of some sort.

> On 3 November 2014, at 14:30, Dave Horsfall wrote:
>
> On Mon, 3 Nov 2014, Doug Hardie wrote:
>
>> What happens when you run: pfctl -f /etc/pf.conf
>
> aneurin# pfctl -f /etc/pf.conf
> No ALTQ support in kernel
> ALTQ related functions disabled
> pfctl: DIOCSETSTATUSIF
>
>> I suspect you have something in /etc/rc.conf giving a different file for
>> the default pf config file. Your pf.conf file has a bunch of rules,
>> none of which are shown in the pfctl output.
>
> That's what I thought, but:
>
> a) it flags syntax errors.
>
> b) it's reading the /etc/spammers file.
>
> --
> Dave Horsfall (VK2KFU) "Bliss is a MacBook with a FreeBSD server."
> http://www.horsfall.org/spam.html (and check the home page whilst you're there)
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 3 23:29:04 2014
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 3F9B33D3 for ; Mon, 3 Nov 2014 23:29:04 +0000 (UTC)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0084.outbound.protection.outlook.com [157.56.111.84]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "mail.protection.outlook.com", Issuer "MSIT Machine Auth CA 2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id E91F3BA3 for ; Mon, 3 Nov 2014 23:29:03 +0000 (UTC)
Received: from BLUPR0801MB674.namprd08.prod.outlook.com (10.141.255.11) by BLUPR0801MB674.namprd08.prod.outlook.com (10.141.255.11) with Microsoft SMTP Server (TLS) id 15.1.11.14; Mon, 3 Nov 2014 23:12:53 +0000
Received: from BLUPR0801MB674.namprd08.prod.outlook.com ([10.141.255.11]) by BLUPR0801MB674.namprd08.prod.outlook.com ([10.141.255.11]) with mapi id 15.01.0011.000; Mon, 3 Nov 2014 23:12:53 +0000
From: David DeSimone
To: Dave Horsfall
Subject: RE: Getting tables to work in PF
Thread-Topic: Getting tables to work in PF
Thread-Index: AQHP9xnbTQHXDdnz8k+A79KsL5OFHZxOhISAgAAaBwCAAA5AAIAACkUAgADGcKGAAAqqgA==
Date: Mon, 3 Nov 2014 23:12:52 +0000
Message-ID:
References:
In-Reply-To:
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [173.74.209.33]
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;SRVR:BLUPR0801MB674;
x-exchange-antispam-report-test: UriScan:;
x-forefront-prvs: 0384275935
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(189002)(24454002)(13464003)(377454003)(199003)(33646002)(110136001)(95666004)(107046002)(106116001)(50986999)(105586002)(106356001)(87936001)(15202345003)(2656002)(97736003)(77156002)(54356999)(31966008)(15975445006)(120916001)(19580395003)(76576001)(76176999)(64706001)(93886004)(122556002)(20776003)(99396003)(108616004)(92566001)(101416001)(66066001)(4396001)(40100003)(86362001)(19580405001)(21056001)(46102003)(74316001)(62966003)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR0801MB674; H:BLUPR0801MB674.namprd08.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: verio.net
Cc: FreeBSD PF List
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 03 Nov 2014 23:29:04 -0000

The message " pfctl: DIOCSETSTATUSIF" indicates that pfctl is bombing out
before it actually loads the rules into the kernel. It's a rather unhelpful
message, since it does not point out the source of the problem, though.

A little web searching turned up that most likely your pf.conf references a
nonexistent interface name. Looking through your pf.conf, either your "fxp0"
interface doesn't exist, or more likely it's this line:

set skip on lo

I'm pretty sure the loopback name should be "lo0" instead of just "lo".

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Dave Horsfall
Sent: Monday, November 03, 2014 4:31 PM
To: FreeBSD PF List
Subject: Re: Getting tables to work in PF

On Mon, 3 Nov 2014, Doug Hardie wrote:

> What happens when you run: pfctl -f /etc/pf.conf

aneurin# pfctl -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: DIOCSETSTATUSIF

> I suspect you have something in /etc/rc.conf giving a different file for
> the default pf config file. Your pf.conf file has a bunch of rules,
> none of which are shown in the pfctl output.

That's what I thought, but:

a) it flags syntax errors.

b) it's reading the /etc/spammers file.

--
Dave Horsfall (VK2KFU) "Bliss is a MacBook with a FreeBSD server."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)

This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected.
If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio Inc. makes no warranty that this email is error or virus free. Thank you.

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 3 23:31:59 2014
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 681A7438 for ; Mon, 3 Nov 2014 23:31:59 +0000 (UTC)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0089.outbound.protection.outlook.com [65.55.169.89]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "mail.protection.outlook.com", Issuer "MSIT Machine Auth CA 2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 1F231C44 for ; Mon, 3 Nov 2014 23:31:58 +0000 (UTC)
Received: from BLUPR0801MB674.namprd08.prod.outlook.com (10.141.255.11) by BLUPR0801MB674.namprd08.prod.outlook.com (10.141.255.11) with Microsoft SMTP Server (TLS) id 15.1.11.14; Mon, 3 Nov 2014 23:16:07 +0000
Received: from BLUPR0801MB674.namprd08.prod.outlook.com ([10.141.255.11]) by BLUPR0801MB674.namprd08.prod.outlook.com ([10.141.255.11]) with mapi id 15.01.0011.000; Mon, 3 Nov 2014 23:16:07 +0000
From: David DeSimone
To: Dave Horsfall
Subject: RE: Getting tables to work in PF
Thread-Topic: Getting tables to work in PF
Thread-Index: AQHP9xnbTQHXDdnz8k+A79KsL5OFHZxOhISAgAAaBwCAAA5AAIAACkUAgADGcKGAAAqqgIAAAXBA
Date: Mon, 3 Nov 2014 23:16:07 +0000
Message-ID: <5552f90635ae4abb8e0485ec65ac6093@BLUPR0801MB674.namprd08.prod.outlook.com>
References:
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [173.74.209.33]
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;SRVR:BLUPR0801MB674;
x-exchange-antispam-report-test: UriScan:;
x-forefront-prvs: 0384275935
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(189002)(24454002)(13464003)(51444003)(377454003)(199003)(33646002)(110136001)(95666004)(107046002)(106116001)(50986999)(105586002)(106356001)(87936001)(15202345003)(2656002)(97736003)(77156002)(54356999)(31966008)(15975445006)(120916001)(19580395003)(76576001)(76176999)(64706001)(93886004)(122556002)(20776003)(99396003)(108616004)(92566001)(101416001)(66066001)(4396001)(40100003)(86362001)(19580405001)(21056001)(46102003)(74316001)(62966003)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR0801MB674; H:BLUPR0801MB674.namprd08.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: verio.net
Cc: FreeBSD PF List
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 03 Nov 2014 23:31:59 -0000

Also I should have looked further to see this line:

set loginterface egress# Can't remember what this does

I think that statement needs a real interface name, which "egress" probably
isn't.
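As an added example (the editor's code, not anything posted by a participant in this thread): two small checks that would have shortened the diagnosis above. Dave's observation was that "pfctl -s all" showed pf enabled with an empty "FILTER RULES" section, and David DeSimone's hypothesis is that "pfctl -f" aborts at DIOCSETSTATUSIF because the ruleset names an interface that does not exist ("lo" and "egress" being the candidates). The script extracts every interface name a pf.conf refers to, reports the ones absent from a supplied list, and classifies the status output. The function names, the sample pf.conf, the interface list and the status output are all constructed for this example from the fragments quoted in the thread; on a FreeBSD box the interface list would come from "ifconfig -l", with any interface-group names the ruleset relies on added by hand, since whether a bare group name such as "lo" is accepted by a given pf version is an assumption the thread does not settle.

```sh
#!/bin/sh
# Added example for this thread, not code posted by anyone in it.
# Two checks for the failure mode under discussion: pfctl -f aborts on an
# unknown interface name (DIOCSETSTATUSIF) before the rules are loaded, so
# pf stays "Enabled" with an empty FILTER RULES section. All sample inputs
# are constructed. On a FreeBSD host the interface list would come from
#   ifconfig -l | tr ' ' '\n' > /tmp/ifaces
# plus any interface-group names the ruleset uses (assumption: whether a
# bare group name such as "lo" is accepted depends on the pf version).

# pf_conf_ifaces CONF
# Print, sorted and de-duplicated, every name that follows "on" or
# "loginterface" in CONF, including "{ a, b }" lists. Macros ($ext_if)
# are skipped because pfctl expands them before any ioctl is reached.
# Comments are stripped first so "egress # remark" still yields "egress".
pf_conf_ifaces() {
    sed 's/#.*//' "$1" | awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i != "on" && $i != "loginterface") continue
                j = i + 1
                if ($j ~ /^[{]/) {
                    # brace list: every token up to and including the "}"
                    for (; j <= NF; j++) {
                        t = $j; gsub(/[{},]/, "", t)
                        if (t != "" && t !~ /^[$]/) print t
                        if ($j ~ /[}]/) break
                    }
                } else {
                    t = $j; gsub(/[{},]/, "", t)
                    if (t != "" && t !~ /^[$]/) print t
                }
            }
        }' | sort -u
}

# pf_missing_ifaces CONF IFLIST
# Print each name CONF refers to that is absent from IFLIST (one interface
# name per line). Empty output means every referenced interface exists.
pf_missing_ifaces() {
    pf_conf_ifaces "$1" | awk -v list="$2" '
        BEGIN { while ((getline n < list) > 0) have[n] = 1 }
        !($1 in have) { print $1 }'
}

# pf_ruleset_check STATUS
# STATUS holds the output of "pfctl -s all". Prints "ok" when pf is enabled
# and FILTER RULES is non-empty, "enabled-no-rules" for the state seen in
# the thread, "disabled" when pf is off, and "unknown" otherwise.
pf_ruleset_check() {
    awk '
        /^Status: Enabled/  { enabled = 1 }
        /^Status: Disabled/ { disabled = 1 }
        /^FILTER RULES:/    { in_rules = 1; next }
        /^[A-Z][A-Z ]*:$/   { in_rules = 0 }
        in_rules && NF > 0  { rules++ }
        END {
            if (disabled)        print "disabled"
            else if (!enabled)   print "unknown"
            else if (rules == 0) print "enabled-no-rules"
            else                 print "ok"
        }' "$1"
}

# pf_write_samples DIR
# Constructed inputs modelled on the fragments quoted in the thread.
pf_write_samples() {
    cat > "$1/pf.conf" <<'EOF'
ext_if = "fxp0"
set skip on lo
set loginterface egress   # Can't remember what this does
table <spammers> persist file "/etc/spammers"
block in log quick on $ext_if from <spammers> to any
pass in on { fxp0, lo0 } inet proto tcp from any to any port smtp
EOF
    printf 'fxp0\nlo0\n' > "$1/ifaces"
    cat > "$1/status.empty" <<'EOF'
FILTER RULES:

INFO:
Status: Enabled for 1 days 04:14:05           Debug: Urgent
TABLES:
spammers
woodpeckers
EOF
    cat > "$1/status.ok" <<'EOF'
FILTER RULES:
block drop in log quick on fxp0 from <spammers> to any
INFO:
Status: Enabled for 0 days 00:00:11           Debug: Urgent
EOF
}

# Stand-alone run: build the samples in a scratch directory and report.
pf_demo() {
    d=$(mktemp -d) || return 1
    pf_write_samples "$d"
    echo "referenced:   $(pf_conf_ifaces "$d/pf.conf" | tr '\n' ' ')"
    echo "not on host:  $(pf_missing_ifaces "$d/pf.conf" "$d/ifaces" | tr '\n' ' ')"
    echo "status.empty: $(pf_ruleset_check "$d/status.empty")"
    echo "status.ok:    $(pf_ruleset_check "$d/status.ok")"
    rm -rf "$d"
}

pf_demo
```

On the constructed sample the missing names are "egress" and "lo", and the status file modelled on Dave's output classifies as "enabled-no-rules": exactly the pair of symptoms the thread is chasing. The two checks are deliberately independent, so either can be run on its own against a real /etc/pf.conf or a saved "pfctl -s all" capture.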
From owner-freebsd-pf@FreeBSD.ORG Tue Nov 4 00:57:07 2014
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id EAD11AF0 for ; Tue, 4 Nov 2014 00:57:07 +0000 (UTC)
Received: from smtp.po.exetel.com.au (pecan2-mail.exetel.com.au [220.233.0.71]) by mx1.freebsd.org (Postfix) with ESMTP id A6AD45F5 for ; Tue, 4 Nov 2014 00:57:06 +0000 (UTC)
Received: from phasia.kd.net.au ([115.70.76.27]) by smtp.po.exetel.com.au with esmtp (Exim 4.80) (envelope-from ) id 1XlSQk-0001mr-4G for freebsd-pf@freebsd.org; Tue, 04 Nov 2014 11:57:06 +1100
Received: from aneurin.horsfall.org (unknown [120.146.8.15]) by dermis.kd (Postfix) with ESMTP id A84F7CD2C for ; Tue, 4 Nov 2014 11:58:44 +1100 (EST)
Received: from aneurin.horsfall.org (localhost [127.0.0.1]) by aneurin.horsfall.org (8.14.4/8.14.4) with ESMTP id sA40ul9Q009928 for ; Tue, 4 Nov 2014 11:56:48 +1100 (EST) (envelope-from dave@horsfall.org)
Received: from localhost (dave@localhost) by aneurin.horsfall.org (8.14.4/8.14.4/Submit) with ESMTP id sA40ulRB009925 for ; Tue, 4 Nov 2014 11:56:47 +1100 (EST) (envelope-from dave@horsfall.org)
X-Authentication-Warning: aneurin.horsfall.org: dave owned process doing -bs
Date: Tue, 4 Nov 2014 11:56:47 +1100 (EST)
From: Dave Horsfall
To: FreeBSD PF List
Subject: Re: Getting tables to work in PF (fwd)
Message-ID:
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
X-Witty-Saying: "chmod 666 the_mode_of_the_beast"
MIME-Version: 1.0
Content-ID:
Content-Type: TEXT/PLAIN; CHARSET=utf-8
Content-Transfer-Encoding: 8BIT
X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 04 Nov 2014 00:57:08 -0000

Meant to go to list; I was interrupted by a phone call at the crucial
moment...

--
Dave Horsfall (VK2KFU) "Bliss is a MacBook with a FreeBSD server."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)

---------- Forwarded message ----------
Date: Tue, 4 Nov 2014 11:54:40 +1100 (EST)
From: Dave Horsfall
To: Doug Hardie
Subject: Re: Getting tables to work in PF

On Mon, 3 Nov 2014, Doug Hardie wrote:

> Do the rules show after that? I've never seen that last line before. I
> suspect it indicates an error of some sort.

DIOCSETSTATUSIF? I thought it was part of the ALTQ stuff. net/pfvar.h only
has this to say:

#define DIOCSETSTATUSIF _IOWR('D', 20, struct pfioc_if)

and in pf(4):

     DIOCSETSTATUSIF struct pfioc_if *pi
             Specify the interface for which statistics are accumulated.

As for "ifconfig fxp0" (the only NIC on the box):

fxp0: flags=8843 metric 0 mtu 1500
	options=2009
	ether 00:08:02:c4:b4:49
	inet 10.0.0.3 netmask 0xffffff00 broadcast 10.0.0.255
	media: Ethernet autoselect (100baseTX )
	status: active

The rules? Not a sausage. It's behaving as though it's reading the file
(which it is), but not honouring the rules themselves (which it isn't).
Here:

aneurin# pfctl -s all
No ALTQ support in kernel
ALTQ related functions disabled
FILTER RULES:

INFO:
Status: Enabled for 1 days 04:14:05           Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                          209120            2.1/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                             209120            2.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                            813            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

TIMEOUTS:
  tcp.first                   120s
  tcp.opening                  30s
  tcp.established           86400s
  tcp.closing                 900s
  tcp.finwait                  45s
  tcp.closed                   90s
  tcp.tsdiff                   30s
  udp.first                    60s
  udp.single                   30s
  udp.multiple                 60s
  icmp.first                   20s
  icmp.error                   10s
  other.first                  60s
  other.single                 30s
  other.multiple               60s
  frag                         30s
  interval                     10s
  adaptive.start             6000 states
  adaptive.end              12000 states
  src.track                     0s

LIMITS:
  states        hard limit    10000
  src-nodes     hard limit    10000
  frags         hard limit     5000
  tables        hard limit     1000
  table-entries hard limit   200000

TABLES:
spammers
woodpeckers

OS FINGERPRINTS:
696 fingerprints loaded
aneurin#

So, is pf(4) actually known to work on:

FreeBSD aneurin.horsfall.org 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:07:27 UTC 2011 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386

and if so, does anyone have a working sample pf.conf from such a box?

There's no kernel source on the thing, so I cannot rebuild with ALTQ, and
my DVD is busted so I cannot upgrade; if I can load up an 8GB USB stick
with FreeBSD then that could be one upgrade path, I suppose, but I don't
know if this thing (a Compaq Evo) will boot from USB.

--
Dave Horsfall (VK2KFU) "Bliss is a MacBook with a FreeBSD server."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 4 05:53:17 2014
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 9BEB678C for ; Tue, 4 Nov 2014 05:53:17 +0000 (UTC)
Received: from smtp.new-ukraine.org (smtp.new-ukraine.org [148.251.53.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "smtp.new-ukraine.org", Issuer "smtp.new-ukraine.org" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 3E6F038E for ; Tue, 4 Nov 2014 05:53:16 +0000 (UTC)
Received: on behalf of honored client by smtp.new-ukraine.org with ESMTP id sA45rClM079741 for on Tue, 4 Nov 2014 07:53:12 +0200 (EET)
Message-ID: <20141104075307.79740@smtp.new-ukraine.org>
Date: Tue, 04 Nov 2014 07:53:07 +0200
From: "Zeus Panchenko"
To:
cc:
Subject: pfctl ... driver does not support altq
Organization: I.B.S. LLC
Reply-To: "Zeus Panchenko"
X-Attribution: zeus
Face: iVBORw0KGgoAAAANSUhEUgAAADAAAAAwBAMAAAClLOS0AAAAFVBMVEWxsbGdnZ3U1NQTExN cXFzx8fG/v7+f8hyWAAACXUlEQVQ4jUWSwXYiIRBFi4yyhtjtWpmRdTL0ZC3TJOukDa6Rc+T/P2F eFepwtFvr8upVFVDua8mLWw6La4VIKTuMdAPOebdU55sQs3n/D1xFFPFGVGh4AHKttr5K0bS6g7N ZCge7qpVLB+f1Z2WAj2OKXwIWt/bXpdXSiu8KXbviWkHxF5td9+lg2e3xlI2SCvatK8YLfHyh9lw 15yrad8Va5eXg4Llr7QmAaC+dL9sDt9iad/DX3OKvLMBf+dm0A0QuMrTvYIevSik1IaSVvgjIHt5 lSCG2ynNRpEcBZ8cgDWk+Ns99qzsYYV3MZoppWzGtYlTO9+meG6m/g92iNO9LfQB2JZsMpoJs7QG ku2KtabRK0bZRwDLyBDvwlxTm6ZlP7qyOqLcfqtLexpDSB4M0H3I/PQy1emvjjzgK+A0LmMKl6Lq zlqzh0VGAw440F6MJd8cY0nI7wiF/fVIBGY7UNCAXy6DmfYGCLLI0wtDbVcDUMqtJLmAhLqODQAe riERAxXJ1/QYGpa0ymqyytpKC19MNXHjvFmEsfcHIrncFR4xdbYWgmfEGLCcZokpGbGj1egMR+6M 1BkNX1pDdhPcOXpAnAeLQUwQLYepgQoZVNGS61yaE8CYA7gYAcWKzwGstACY2HTFvvOwk4FXAG/a mKHni/EcA/GkOk7I0IK7UMIf3+SahU8/FJdiE7KcuWdM3MFocUDEEIX9LfJoo4xV5tnNKc3jJuSs SZWgnnhepgU1zN4Hii18yW4RwDX52CXUtk0Hqz6cHOIUkWaX8fDcB+J7y1y2xDHwjv/8Buu8Ekz6 7tXQAAAAASUVORK5CYII=
X-Mailer: MH-E 8.3.1; GNU Mailutils 2.99.98; GNU Emacs 24.3.1
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
X-NewUkraine-Agent: mailfromd (7.99.92)
X-NewUkraine-URL: http://www.ibs.dn.ua/smtp.html
X-NewUkraine-VirStat: NO
X-NewUkraine-VirScan: ScanPE, ScanELF, ScanOLE2, ScanMail, PhishingSignatures, ScanHTML, ScanPDF
X-NewUkraine-SpamStat: NO
X-NewUkraine-SpamScore: -1.600 of 3.500
X-NewUkraine-SpamKeys: AWL,BAYES_00,NO_RECEIVED,NO_RELAYS
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 04 Nov 2014 05:53:17 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

greetings,

I see, in list the issue appears from time to time but I was not able to
find the solution for my case, please help me to get working altq on my
igb(4) if it is possible at all

I was trying igb(4) original OS drivers and the one from Intel but the
result is the same

below are my details:

> uname -a
FreeBSD 10.0-RELEASE-p11 #2 r273597 and64

> dmesg
- ---[ quotation start ]-------------------------------------------
igb3: port 0xa000-0xa01f mem 0xf7100000-0xf717ffff,0xf7180000-0xf7183fff irq 19 at device 0.0 on pci7
igb3: Using MSIX interrupts with 5 vectors
igb3: Ethernet address: 00:25:90:d1:dc:6b
igb3: Bound queue 0 to cpu 0
igb3: Bound queue 1 to cpu 1
igb3: Bound queue 2 to cpu 2
igb3: Bound queue 3 to cpu 3
- ---[ quotation end ]-------------------------------------------

> pciconf -l
igb3@pci0:7:0:0: class=0x020000 card=0x153315d9 chip=0x15338086 rev=0x03 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = 'I210 Gigabit Network Connection'
    class    = network
    subclass = ethernet

> /boot/loader.conf
- ---[ quotation start ]-------------------------------------------
hw.igb.rxd=4096
hw.igb.txd=4096
hw.igb.rx_process_limit="-1"
hw.igb.num_queues=0
hw.igb.max_interrupt_rate=32000

net.isr.defaultqlimit=4096
net.isr.bindthreads=1
net.isr.maxthreads=4
net.isr.maxqlimit=32768
- ---[ quotation end ]-------------------------------------------

> /usr/src/sys/amd64/conf/MY_KERNEL
- ---[ quotation start ]-------------------------------------------
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_CDNR
options ALTQ_PRIQ
options ALTQ_NOPCC
options ALTQ_DEBUG
- ---[ quotation end ]-------------------------------------------

> /etc/pf.conf
- ---[ quotation start ]-------------------------------------------
altq on igb3 cbq bandwidth 1000Mb queue { wan_rest, wan_viber }
queue wan_viber bandwidth 5Mb priority 0
queue wan_rest bandwidth 995Mb cbq(default)
- ---[ quotation end ]-------------------------------------------

> service pf check && service pf reload
Checking pf rules.
Reloading pf rules.
pfctl: igb3: driver does not support altq

- --
Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlRYacMACgkQr3jpPg/3oyp1iwCgxQCBIWoYa5b0yKAQxVODSGNb
NSYAn15io3G83u46pHN+BwRcN2ywsNIZ
=waxI
-----END PGP SIGNATURE-----

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 4 20:15:41 2014
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 73B84E96 for ; Tue, 4 Nov 2014 20:15:41 +0000 (UTC)
Received: from smtp.po.exetel.com.au (pecan2-mail.exetel.com.au [220.233.0.71]) by mx1.freebsd.org (Postfix) with ESMTP id 2B86A8C9 for ; Tue, 4 Nov 2014 20:15:40 +0000 (UTC)
Received: from phasia.kd.net.au ([115.70.76.27]) by smtp.po.exetel.com.au with esmtp (Exim 4.80) (envelope-from ) id 1XlkVv-0000aQ-Aq for freebsd-pf@freebsd.org; Wed, 05 Nov 2014 07:15:39 +1100
Received: from aneurin.horsfall.org (unknown [120.146.8.15]) by dermis.kd (Postfix) with ESMTP id 4FA87CD2C for ; Wed, 5 Nov 2014 07:17:28 +1100 (EST)
Received: from aneurin.horsfall.org (localhost [127.0.0.1]) by aneurin.horsfall.org (8.14.4/8.14.4) with ESMTP id sA4KFMqH014010 for ; Wed, 5 Nov 2014 07:15:23 +1100 (EST) (envelope-from dave@horsfall.org)
Received: from localhost (dave@localhost) by aneurin.horsfall.org (8.14.4/8.14.4/Submit) with ESMTP id sA4KFLmN014007 for ; Wed, 5 Nov 2014 07:15:22 +1100 (EST) (envelope-from dave@horsfall.org)
X-Authentication-Warning: aneurin.horsfall.org: dave owned process doing -bs
Date: Wed, 5 Nov 2014 07:15:21 +1100 (EST)
From: Dave Horsfall
To: FreeBSD PF List
Subject: Re: Getting tables to work in PF
In-Reply-To:
Message-ID:
References: <478A1469-F6EE-4D8D-B51F-B41C97626439@lafn.org>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
X-Witty-Saying: "chmod 666 the_mode_of_the_beast"
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 04 Nov 2014 20:15:41 -0000

On Tue, 4 Nov 2014, Dave Horsfall wrote:

> The rules? Not a sausage. It's behaving as though it's reading the
> file (which it is), but not honouring the rules themselves (which it
> isn't).

A bit more progress; I finally got around to tracing it, and the salient
bit is:

(Many calls to set rules)
(Many calls to set timeouts)
 13925 pfctl    CALL  ioctl(0x3,DIOCSETDEBUG,0xbfbfdc84)
 13925 pfctl    RET   ioctl 0
 13925 pfctl    CALL  ioctl(0x3,DIOCSETSTATUSIF,0xbfbfdc5c)
 13925 pfctl    RET   ioctl -1 errno 22 Invalid argument

Aha... So, what's so invalid about it? I don't have kernel source (my
installation was interrupted by a long stay in hospital), so I cannot
investigate any further.

And my plea as before:

> So, is pf(4) actually known to work on:
>
> FreeBSD aneurin.horsfall.org 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:07:27 UTC 2011 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
>
> and if so, does anyone have a working sample pf.conf from such a box?

Thanks.

--
Dave Horsfall (VK2KFU) "Bliss is a MacBook with a FreeBSD server."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 4 20:19:57 2014
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 69B13137 for ; Tue, 4 Nov 2014 20:19:57 +0000 (UTC)
Received: from mail-la0-x236.google.com (mail-la0-x236.google.com [IPv6:2a00:1450:4010:c03::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id C92EF916 for ; Tue, 4 Nov 2014 20:19:56 +0000 (UTC)
Received: by mail-la0-f54.google.com with SMTP id s18so1594211lam.27 for ; Tue, 04 Nov 2014 12:19:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:cc :content-type; bh=deAoYQFipSNRtfN1poPt300TAbTow56Lfcb0yUDtJSo=; b=Pn47h4CwZB3l73GQOIlv+xxqHq077AEV9u2Ktwp0SfQJar/X9Sv6XkeoGMZAXu92x6 3gdlDI3/E9vyqoLKgCAgIHTd30n2GyFmjPVkGBmmmVkSbgHwRuqXMNB4AffSrPh1gvQJ zlHvKzMZWE0uYr4uIP12hA7WAE9ZUp9sH56b495SSF3xi6W0PQacJXkDzA7tVu4Ed+fa y+ZwArcdfNvPYs9e2z1p5Nj6w4rV4gfShUy7+LJaJNc3k4QA5ia2prql57PhfIlUh/QD Ro2dRENd1FlZecJSQssQztUpPgEaUX6tc1TsADTwEn2zfuSvqRsBkaSeCMb/fw3lDq1h E74A==
MIME-Version: 1.0
X-Received: by 10.112.162.41 with SMTP id xx9mr61364077lbb.21.1415132393941; Tue, 04 Nov 2014 12:19:53 -0800 (PST)
Received: by 10.25.15.93 with HTTP; Tue, 4 Nov 2014 12:19:53 -0800 (PST)
In-Reply-To: <20141104075307.79740@smtp.new-ukraine.org>
References: <20141104075307.79740@smtp.new-ukraine.org>
Date: Tue, 4 Nov 2014 12:19:53 -0800
Message-ID:
Subject: Re: pfctl ... driver does not support altq
From: Nick Rogers
Cc: freebsd-pf@freebsd.org
Content-Type: text/plain; charset=UTF-8
X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 04 Nov 2014 20:19:57 -0000

On Mon, Nov 3, 2014 at 9:53 PM, Zeus Panchenko wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> greetings,
>
> I see, in list the issue appears from time to time but I was not able to
> find the solution for my case, please help me to get working altq on my
> igb(4) if it is possible at all
>
> I was trying igb(4) original OS drivers and the one from Intel but the
> result is the same
>

You have to compile the igb driver with the IGB_LEGACY_TX path enabled for
ALTQ to work. see sys/modules/igb/Makefile

# IGB_L EGACY_TX will override the stack if_transmit path and
# instead use the older if_start non-multiqueue capable interface.
# This might be desireable for testing, or to enable the use of
# ALTQ.
#CFLAGS += -DIGB_LEGACY_TX

If you are going to rebuild the kernel and not just the module, changing
CFLAGS in the module Makefile or anywhere else that I've tried will NOT
work. The only way I've found to work is to add a #define to if_igb.h and
if_igb.c directly. You can do this by defining IGB_LEGACY_TX in
sys/dev/e1000/if_igb.c and sys/dev/e1000/if_igb.h. I use the following
little shell script to do this:

echo 'Performing IGB_LEGACY_TX mod'
cd /usr/src/sys/dev/e1000
for ext in c h
do
	echo '#define IGB_LEGACY_TX' > if_igb.$ext.new
	cat if_igb.$ext >> if_igb.$ext.new
	mv -v if_igb.$ext.new if_igb.$ext
done
echo

FreeBSD really needs to add some official documentation on how to use ALTQ
with igb and ixgbe, as it has been a persistent issue for myself and others
since 8.x.
There is a bug/PR to make the IGB_LEGACY_TX path a proper kernel option, instead of having to modify the driver directly. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194197. Maybe you would have some luck trying that patch and adding the options to your kernel conf and rebuilding. > bellow are my details: > > > > uname -a > FreeBSD 10.0-RELEASE-p11 #2 r273597 and64 > > > > dmesg > - ---[ quotation start ]------------------------------------------- > > igb3: port > 0xa000-0xa01f mem 0xf7100000-0xf717ffff,0xf7180000-0xf7183fff irq 19 at > device 0.0 on pci7 > igb3: Using MSIX interrupts with 5 vectors > igb3: Ethernet address: 00:25:90:d1:dc:6b > igb3: Bound queue 0 to cpu 0 > igb3: Bound queue 1 to cpu 1 > igb3: Bound queue 2 to cpu 2 > igb3: Bound queue 3 to cpu 3 > > - ---[ quotation end ]------------------------------------------- > > > > pciconf -l > igb3@pci0:7:0:0: class=0x020000 card=0x153315d9 chip=0x15338086 > rev=0x03 hdr=0x00 > vendor = 'Intel Corporation' > device = 'I210 Gigabit Network Connection' > class = network > subclass = ethernet > > > > /boot/loader.conf > - ---[ quotation start ]------------------------------------------- > > hw.igb.rxd=4096 > hw.igb.txd=4096 > hw.igb.rx_process_limit="-1" > hw.igb.num_queues=0 > hw.igb.max_interrupt_rate=32000 > > net.isr.defaultqlimit=4096 > net.isr.bindthreads=1 > net.isr.maxthreads=4 > net.isr.maxqlimit=32768 > > - ---[ quotation end ]------------------------------------------- > > > > /usr/src/sys/amd64/conf/MY_KERNEL > - ---[ quotation start ]------------------------------------------- > > options ALTQ > options ALTQ_CBQ > options ALTQ_RED > options ALTQ_RIO > options ALTQ_HFSC > options ALTQ_CDNR > options ALTQ_PRIQ > options ALTQ_NOPCC > options ALTQ_DEBUG > > - ---[ quotation end ]------------------------------------------- > > > > /etc/pf.conf > - ---[ quotation start ]------------------------------------------- > > altq on igb3 cbq bandwidth 1000Mb queue { wan_rest, wan_viber } > queue 
wan_viber bandwidth 5Mb priority 0 > queue wan_rest bandwidth 995Mb cbq(default) > > - ---[ quotation end ]------------------------------------------- > > > > service pf check && service pf reload > Checking pf rules. > Reloading pf rules. > pfctl: igb3: driver does not support altq > > - -- > Zeus V. Panchenko jid:zeus@im.ibs.dn.ua > IT Dpt., I.B.S. LLC GMT+2 (EET) > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > > iEYEARECAAYFAlRYacMACgkQr3jpPg/3oyp1iwCgxQCBIWoYa5b0yKAQxVODSGNb > NSYAn15io3G83u46pHN+BwRcN2ywsNIZ > =waxI > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > From owner-freebsd-pf@FreeBSD.ORG Wed Nov 5 14:28:09 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id EE89BD02; Wed, 5 Nov 2014 14:28:09 +0000 (UTC) Received: from olymp.kibab.com (olymp6.kibab.com [IPv6:2a01:4f8:160:84c1::2]) by mx1.freebsd.org (Postfix) with ESMTP id B16BD192; Wed, 5 Nov 2014 14:28:09 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.8.3 olymp.kibab.com A90747590E DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=bakulin.de; s=default; t=1415197687; bh=RzIFDK8SsGi9K3Kql9teE7ZNePrbrAznqHdDgii/3g8=; h=Date:From:To:Subject; b=ao/D/ci1OQLXr2KNusLWgARKauIR1aFw+OWpJWAUKN4rW25r2uV+BO1bHWIwS0unL Y71YAimOq3FKq+vHv7CWHK7x7ciKf8kcOfgRXbeLeHyhOMVUB74SF1IrsQyCa3cBfD sHfr2cLAM2rRVnBon0FCJjh3Py2illjdXoLvNrl4= MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Date: Wed, 05 Nov 2014 15:28:07 +0100 From: Ilya Bakulin To: freebsd-pf@freebsd.org, freebsd-hackers@freebsd.org, freebsd-net@freebsd.org Subject: Checksumming outgoing packets in PF 
vs in ip[6]_output Organization: Deglitch Networks Message-ID: X-Sender: ilya@bakulin.de X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Nov 2014 14:28:10 -0000

Hi all,

I have been hit by this 2-year-old bug with PF and 'scrub reassemble tcp' on IPv6 connections: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=172648

I have been able to trace it down to the modification of timestamp values by the timestamp modulation code [1]. If I remove those two pf_change_a() calls in the output path (pd->dir == PF_OUT) then everything works as it should, except that the timestamps are not modulated, which kinda sucks.

Of course it was interesting what the upstream PF does (@ OpenBSD). It seems they have made the decision to leave the task of recalculating the checksums for outgoing packets to ip[6]_output, because currently the code there overwrites the checksum anyway. This seems the correct way to me: pf should no longer do any checksum updates in the inbound and outbound paths. For the inbound path, it should however check the checksum's correctness and set a flag in the mbuf csum flags so that tcp[6]_input doesn't try to verify it. In this case, even if we modify something while applying TS modulation or sequence number modulation or something else in PF, the upper layer won't bail out, because it will see that the checksum was already verified and won't try to verify it once again. OpenBSD does it this way and they seem to be happy.

For now, I decided to leave the inbound path as-is and instead wanted to fix the outbound path.
The patch [2] solves the problem described in [2] in the following way:

1) Hijack the last argument of pf_change_a() so that it doesn't update the checksum of the packet;
2) When updating the timestamps in pf_normalize_tcp_stateful(), call pf_change_a() in "no-update-checksum" mode;
3) In pf_check_out() remove the checks for CSUM_DELAY_DATA -- don't calculate the checksum in any case.

Such a fix should be done in pf_check6_out() as well, but in my test setup I haven't seen that flag anyway. In future we should probably implement the pf_change_a changes the same or a similar way to how OpenBSD does it.

[1] https://github.com/freebsd/freebsd/blob/49c137f7be5791eee8102395257cdf48b40c81f7/sys/netpfil/pf/pf_norm.c#L1569
[2] http://dl.bakulin.de/freebsd/pf_fix_reass_tcp_ipv6.diff

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 5 14:29:47 2014 Return-Path: Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B6289EFB for ; Wed, 5 Nov 2014 14:29:47 +0000 (UTC) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9D5A51CE for ; Wed, 5 Nov 2014 14:29:47 +0000 (UTC) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.14.9/8.14.9) with ESMTP id sA5ETl5r059517 for ; Wed, 5 Nov 2014 14:29:47 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-pf@FreeBSD.org Subject: [Bug 172648] [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet checksum on SYN ACK Date: Wed, 05 Nov 2014 14:29:47 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 9.1-PRERELEASE
X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: pi@FreeBSD.org X-Bugzilla-Status: In Discussion X-Bugzilla-Priority: Normal X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: cc Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Nov 2014 14:29:47 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=172648 Kurt Jaeger changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |pi@FreeBSD.org --- Comment #3 from Kurt Jaeger --- See https://lists.freebsd.org/pipermail/freebsd-net/2014-November/040319.html -- You are receiving this mail because: You are the assignee for the bug. 
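Ilya's message above and the bug 172648 comment that points back to it both turn on one mechanism: pf's timestamp modulation rewrites a 32-bit TCP option in the packet and then patches the 16-bit TCP checksum incrementally (pf_change_a, built on pf_cksum_fixup), while on FreeBSD's output path something later may or may not recompute that checksum from scratch. The following is an added example written for this page, not code from the patch, from pf or from OpenBSD. It builds a constructed IPv6 TCP SYN/ACK with a timestamp option (addresses, ports and timestamp values are sample data), shows that the RFC 1624 incremental update matches a full recomputation when the checksum it starts from is a real one, and shows what a receiver sees when the field is rewritten but the checksum is left stale: the segment fails verification and is silently dropped, which is exactly the hang the bug report describes.

```python
"""Added example: TCP-over-IPv6 checksum handling when a firewall rewrites the
timestamp option, as pf's 'scrub reassemble tcp' timestamp modulation does.
Addresses, ports and timestamp values below are constructed sample data."""
import struct

SRC = bytes.fromhex("20010db8000000000000000000000001")   # constructed 2001:db8::1
DST = bytes.fromhex("20010db8000000000000000000000002")   # constructed 2001:db8::2
TCP_PROTO = 6
CKSUM_OFFSET = 16   # checksum field inside the TCP header
TS_OFFSET = 24      # TSval in the segment built below: 20-byte header + NOP NOP + kind/len


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 sum of 16-bit big-endian words with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(w for (w,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Full checksum over the IPv6 pseudo-header plus the segment (RFC 2460 8.1).
    The caller passes the segment with its checksum field already zeroed."""
    pseudo = src + dst + struct.pack("!IxxxB", len(segment), TCP_PROTO)
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_segment(tsval: int, tsecr: int) -> bytes:
    """SYN/ACK (flags 0x12) with a 16-bit-aligned timestamp option; checksum computed from scratch."""
    def hdr(cksum):
        return struct.pack("!HHIIBBHHH", 443, 50000, 1000, 2001, 8 << 4, 0x12, 65535, cksum, 0)
    opts = struct.pack("!BBBBII", 1, 1, 8, 10, tsval, tsecr)   # NOP, NOP, TS (kind 8, len 10)
    return hdr(tcp_checksum(SRC, DST, hdr(0) + opts)) + opts


def cksum_fixup(cksum: int, old: int, new: int) -> int:
    """Incremental update for one 16-bit word: HC' = ~(~HC + ~m + m') (RFC 1624, eq. 3).
    This is the arithmetic pf_cksum_fixup() performs."""
    s = (~cksum & 0xFFFF) + (~old & 0xFFFF) + new
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def change_a(cksum: int, old32: int, new32: int) -> int:
    """Checksum update for a replaced 32-bit field that sits on a 16-bit boundary:
    high half first, then low half, as pf_change_a() does."""
    cksum = cksum_fixup(cksum, old32 >> 16, new32 >> 16)
    return cksum_fixup(cksum, old32 & 0xFFFF, new32 & 0xFFFF)


def rewrite_tsval(segment: bytes, new_tsval: int, update_checksum: bool = True) -> bytes:
    """Replace TSval the way timestamp modulation does. With update_checksum=True the
    checksum is patched incrementally; with False it is left untouched, which is only
    correct if something later (the stack or the NIC) recomputes it from scratch."""
    old_tsval = struct.unpack_from("!I", segment, TS_OFFSET)[0]
    seg = bytearray(segment)
    struct.pack_into("!I", seg, TS_OFFSET, new_tsval)
    if update_checksum:
        old_ck = struct.unpack_from("!H", seg, CKSUM_OFFSET)[0]
        struct.pack_into("!H", seg, CKSUM_OFFSET, change_a(old_ck, old_tsval, new_tsval))
    return bytes(seg)


def checksum_ok(segment: bytes) -> bool:
    """What the receiving host (or tcpdump -vv) does: recompute and compare."""
    seg = bytearray(segment)
    stored = struct.unpack_from("!H", seg, CKSUM_OFFSET)[0]
    struct.pack_into("!H", seg, CKSUM_OFFSET, 0)
    return tcp_checksum(SRC, DST, bytes(seg)) == stored


def finalize(segment: bytes) -> bytes:
    """Recompute from scratch, as a stack that owns the outgoing checksum would."""
    seg = bytearray(segment)
    struct.pack_into("!H", seg, CKSUM_OFFSET, 0)
    struct.pack_into("!H", seg, CKSUM_OFFSET, tcp_checksum(SRC, DST, bytes(seg)))
    return bytes(seg)


if __name__ == "__main__":
    orig = build_segment(tsval=0x0001E240, tsecr=0x00ABCDEF)
    print("original verifies:              ", checksum_ok(orig))
    print("incremental update verifies:    ", checksum_ok(rewrite_tsval(orig, 0xDEADBEEF)))
    stale = rewrite_tsval(orig, 0xDEADBEEF, update_checksum=False)
    print("field rewritten, checksum stale:", checksum_ok(stale))       # receiver drops this
    print("stale, then recomputed by stack:", checksum_ok(finalize(stale)))
```

Two practical checks follow from this. First, `tcpdump -vv` on the host that receives the SYN/ACK reports the TCP checksum as incorrect when a rewrite was applied without a matching checksum update; capture on the receiver, not the sender, because a capture taken on a sending host with checksum offload enabled shows "incorrect" checksums that are perfectly fine once the NIC has filled them in. Second, the incremental and the from-scratch approach only agree when exactly one of them is applied to a checksum that is already final; patching a delayed (offloaded) checksum that the stack will overwrite anyway is wasted work, and patching one that nobody finalizes afterwards leaves the stale value above on the wire.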
From owner-freebsd-pf@FreeBSD.ORG Fri Nov 7 13:33:40 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id DE4D9A7 for ; Fri, 7 Nov 2014 13:33:39 +0000 (UTC) Received: from nm16-vm5.bullet.mail.gq1.yahoo.com (nm16-vm5.bullet.mail.gq1.yahoo.com [98.137.177.253]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id ABCCC3B4 for ; Fri, 7 Nov 2014 13:33:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com.br; s=s2048; t=1415367213; bh=yMw/skWluYORBusLEfXlgALv4Mn7K+bw1NrqqUKh6nk=; h=Date:From:To:Subject:From:Subject; b=PwGgw9G9ch1bFEu0Ju1m2oqHQuNcIqjSuGQ/NN3h7GiQ8v6Jq5FbNagdx9OxE2f8Tlo8zyGTF944d5s9lCxdzgVL3Cu0DHGtFgUhjdlOQnRTsBsHOgyXWMWoPXPXV1Yk+z6ZZb1j48DatTlzzAzFUTgE6IZUj9ehx7EY67abcU2Ouj4305c1lBfg6VfV5teBy1yJI8a4G0DwBxJQALUa55ckmq27hKvPrXwl9LC5+J9vMDP9KteQysNq9YSVfIkmuQ6vtoHWL5ZeZidk0kOldg40MqztMelPz69P3F4I6tKt9I0j7YzJXA3yWGuLnydRBEKPiukK/gb3av/hEpQ+SA== DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s2048; d=yahoo.com.br; b=acAXZCmgVMppyMGrMuyG9R50E21cqGYPw0q9lHNkP7+N1hGXpPAW92/8iBQPPI2FE2xvNL8C1wh7gJofLxn6clh9G19eaYM2qeU2y3WLM9hTtm1PcLnUEWwPHm5KqrIqcCbAZDJbC+X6cVqKj6VO0RbjrfmOCJzpLRmEJXzC1QcZgCX50Fk5LDiQUTwy4FqQuGnXwvfNMMFy8LKoqpZk9XaeLWVVVyyF/ZVbj/EksqLwyiapiHoHlz01JmC6t2XM8LEEeUMt1qRDALgTsdIGICZd7Q0nY0X5fhT80PKIqS+AgQl33VvIC+Ck0SHIRJvdDUbbmplgGkNNQcRWBkBetw==; Received: from [216.39.60.182] by nm16.bullet.mail.gq1.yahoo.com with NNFMP; 07 Nov 2014 13:33:33 -0000 Received: from [208.71.42.213] by tm18.bullet.mail.gq1.yahoo.com with NNFMP; 07 Nov 2014 13:33:33 -0000 Received: from [127.0.0.1] by smtp224.mail.gq1.yahoo.com with NNFMP; 07 Nov 2014 13:33:33 -0000 X-Yahoo-Newman-Id: 535662.76602.bm@smtp224.mail.gq1.yahoo.com X-Yahoo-Newman-Property: 
ymail-3 X-YMail-OSG: BXrYK5AVM1kYKTK_.SsGQBgBHTbiap.6C3O2Zj_eKaCYJpl s0yJ9Xcw9e.NtN3frrFRv0k06mh4tOe3CSio1ziJeVu2TyLpgH34kolI5q0N Vm3dNIRwEiQdy6JbrzthmjjV_Wp1qXKUjoh81OwVzEqpDcvv10mIhP46RoT3 _MQbsDMfp1s5P.qZqAYr9vbO_ZknEM5LqKFYp_hzQHdTjHGmvV6ljIPBQG8i Y5rCI5CMuT9egg75iV9XtUJVJW6Urf1P.9tf05U6iNtI0vtIdspP6n13Dsys 3KcQ3Xgaq3uzXXQfoy8zqSYxGvymvFV2.xQ0eX2ew.P4W4FQq747qPpgYYza byrlncrPoBEsGe.IaADFZarH4kMxSZjjkZ2g8imAu5mjdvo_yFTz57pObIUM Q97ZGUs26wKDxSo77nLkt_aZtyYjnHe_6d3sGJaiJ.F75X81Ag5TA5MYW8t0 VfAZc0zCv_BZk8nR.NQUP5ViqIqGPRbL_TFXgwiRAjEYlEg4Bk17j0MGQ7tc apQmNSJPB86VJOT2rO55SilrLH8Rldw-- X-Yahoo-SMTP: yVKjEg6swBAbqx17qXEUBq0TLXllzyKK Message-ID: <545CCA52.8090605@yahoo.com.br> Date: Fri, 07 Nov 2014 10:34:10 -0300 From: spiderslack User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.3.0 MIME-Version: 1.0 To: freebsd-pf@freebsd.org Subject: doubt route-to pf Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Nov 2014 13:33:40 -0000 Hello people. I registered on the list and hope to learn and help. I'm in an environment with pf only with valid addresses and carp and vlan.(not nat) Today I have a freebsd with three interfaces RE0 - WAN re1 - LAN alc0 - proxy (mara cache) The proxy is in transparent mode or whether the client accesses the site and leaves bound with its own IP address, not the IP address of the proxy. I'm doing an analysis the following doubts about the parameter "route-to" if it would work for a destination that is directly connected. Well let my analysis via tcpdump. Imagine a customer makes a request on port 80 destined to google for example. 
The proxy is in transparent mode, i.e., the way the squid TPROXY module works. When the request going through my FreeBSD is bound for google on destination port 80, it uses "route-to" and redirects it to the proxy, because the destination of the packet is NOT directly connected. The proxy spoofs the IP address of google and completes the three-way handshake with the client. Thereafter, if the proxy does not have the cached object, it creates a new connection to google to fetch this object. The proxy sends a SYN to google with the source IP address of the client and not its own IP (browsing for this internal network is not done through one single IP address; each cached content goes to its IP address. This avoids the controls that exist on sites like 4shared, etc.). Google responds with a packet with the flags "SYN/ACK" to the IP address of the client (spoofed by the proxy). When this packet with the flags "SYN/ACK" arrives at FreeBSD, it has a rule to return it to the proxy with the parameter "route-to", as in the example below.

pass in log quick on RE0 route-to ($alc0 proxy) proto tcp from any port 80 to $rede_lan

My theory is that FreeBSD and pf, being directly connected to the client, do not use "route-to" for a destination that is directly connected. "route-to" would only be used for targets not directly connected, and the "SYN/ACK" packet reaches the client (because I see it arrive via tcpdump). And the client receives a packet out of context/order: it previously completed the three-way handshake with google (spoofed by the proxy), and when another "SYN/ACK" arrives it resets the connection. Any idea where it might be going wrong?

Regards,
From owner-freebsd-pf@FreeBSD.ORG Fri Nov 7 19:11:23 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id C221A435 for ; Fri, 7 Nov 2014 19:11:23 +0000 (UTC) Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.17.13]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mout.kundenserver.de", Issuer "TeleSec ServerPass DE-2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 5AF2DE50 for ; Fri, 7 Nov 2014 19:11:22 +0000 (UTC) Received: from [192.168.1.39] (et.uni.lodz.pl [212.191.69.197]) by mrelayeu.kundenserver.de (node=mreue105) with ESMTP (Nemesis) id 0LvkQW-1Y5jsF0W68-017RIp; Fri, 07 Nov 2014 20:11:15 +0100 Message-ID: <545D195B.2050909@kornatka.pl> Date: Fri, 07 Nov 2014 20:11:23 +0100 From: Karol Kornatka User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0 MIME-Version: 1.0 To: freebsd-pf@freebsd.org Subject: pf log with keep state Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-Provags-ID: V02:K0:Ffe44Ek6Gb3UFjfgdN1W7srdKlbdeXMNKQU41qeBmn0 YVLkxO3k3ZkhwPXQF0LwU8TOKbBFrJkt8h6k6ICqqGRHIMlLKm IwLc8OkLQ/bBBXoiA6SfVRAiwSLpcWXruy8dYRGYCE0ha0T02u 8kN2Cx8oYmpSKPPgGzXH582TxFfXfyS1yOdZppp2yb55uMb+OF kQHJUhYbRkPzQ8eNncwFufMbleeIf15Zpy+bqkg9FrhkLUdl8n zUpAjF93BcmZCbsojeJEjornlhT7BakpwzLeVuKBsFx5vc6VaI fOL7KxCx9TZ+TTUedKdvyPJ+yQLMyY1Ex0AwC56Kx8ApaAeU7r ZzEcgGx9BiO2k7Qztbq4= X-UI-Out-Filterresults: notjunk:1; X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Nov 2014 19:11:23 -0000 Hello freebsd firewallers. 
I'm a newbie with FreeBSD, so please forgive me if I'm writing funny things :) I have a pretty big network (around 2000 hosts) having its connection through a FreeBSD router. The router is working on a Dell PowerEdge R320 and FreeBSD 10. As firewall, obviously pf, with around 50000 current pf state entries and 200 Mbit/s of traffic. I need to pass and log forwarded traffic. For now I'm using a ruleset like this:

pass in quick log ( all, to pflog2) on $ds02_int_if proto tcp from to any port $ds02_tcp_forward_services flags S/S keep state
pass in quick on $ds02_int_if proto tcp from to any port $ds02_tcp_forward_services keep state
pass in quick on $ds02_int_if proto udp from to any port $ds02_udp_forward_services keep state
pass in quick on $ds02_int_if proto icmp from to any keep state

I thought that the first line should log for me only SYN packets and pass them; second - pass the rest of tcp, no log; third - pass udp, no log; fourth - pass icmp, no log.

Logs are killing HDD space (4x1TB in RAID10) - I'm rotating pflog files every hour and I have in summary around 10G per hour - 3G after gzip. What am I doing wrong? The firewall is logging all tcp traffic with all flags ... By the way - how do I get the real connection time from my logs?

00:00:00.000158 rule 97..16777216/0(match): pass in on vlan4010: 10.210.4.14.62886 > 184.28.17.235.443: Flags [.], ack 1371, win 16425, length 0

Thanks for answers in advance.
Karol From owner-freebsd-pf@FreeBSD.ORG Fri Nov 7 21:22:42 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B0A73A40 for ; Fri, 7 Nov 2014 21:22:42 +0000 (UTC) Received: from smtp.po.exetel.com.au (pecan2-mail.exetel.com.au [220.233.0.71]) by mx1.freebsd.org (Postfix) with ESMTP id 65F0BE05 for ; Fri, 7 Nov 2014 21:22:41 +0000 (UTC) Received: from phasia.kd.net.au ([115.70.76.27]) by smtp.po.exetel.com.au with esmtp (Exim 4.80) (envelope-from ) id 1XmqzL-0005ky-5N for freebsd-pf@freebsd.org; Sat, 08 Nov 2014 08:22:35 +1100 Received: from aneurin.horsfall.org (unknown [120.146.8.15]) by dermis.kd (Postfix) with ESMTP id 27764CD2C for ; Sat, 8 Nov 2014 08:24:58 +1100 (EST) Received: from aneurin.horsfall.org (localhost [127.0.0.1]) by aneurin.horsfall.org (8.14.4/8.14.4) with ESMTP id sA7LMJo0001233 for ; Sat, 8 Nov 2014 08:22:21 +1100 (EST) (envelope-from dave@horsfall.org) Received: from localhost (dave@localhost) by aneurin.horsfall.org (8.14.4/8.14.4/Submit) with ESMTP id sA7LMJhj001230 for ; Sat, 8 Nov 2014 08:22:19 +1100 (EST) (envelope-from dave@horsfall.org) X-Authentication-Warning: aneurin.horsfall.org: dave owned process doing -bs Date: Sat, 8 Nov 2014 08:22:19 +1100 (EST) From: Dave Horsfall To: FreeBSD PF List Subject: Re: Getting tables to work in PF In-Reply-To: Message-ID: References: <478A1469-F6EE-4D8D-B51F-B41C97626439@lafn.org> User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) X-Witty-Saying: "chmod 666 the_mode_of_the_beast" MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , 
X-List-Received-Date: Fri, 07 Nov 2014 21:22:42 -0000 On Wed, 5 Nov 2014, Dave Horsfall wrote: > 13925 pfctl CALL ioctl(0x3,DIOCSETDEBUG,0xbfbfdc84) > 13925 pfctl RET ioctl 0 > 13925 pfctl CALL ioctl(0x3,DIOCSETSTATUSIF,0xbfbfdc5c) > 13925 pfctl RET ioctl -1 errno 22 Invalid argument > > Aha... So, what's so invalid about it? I don't have kernel source (my > installation was interrupted by a long stay in hospital), so I cannot > investigate any further. Same thing on FreeBSD 8.2-RELEASE-p9 (GENERIC); I'll summon up the courage and try 9.3 or whatever. -- Dave Horsfall DTM (VK2KFU) "Bliss is a MacBook with a FreeBSD server." http://www.horsfall.org/spam.html (and check the home page whilst you're there) From owner-freebsd-pf@FreeBSD.ORG Sat Nov 8 14:52:47 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 33BF5931 for ; Sat, 8 Nov 2014 14:52:47 +0000 (UTC) Received: from mail-wi0-f170.google.com (mail-wi0-f170.google.com [209.85.212.170]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id BAA7991D for ; Sat, 8 Nov 2014 14:52:45 +0000 (UTC) Received: by mail-wi0-f170.google.com with SMTP id r20so6665135wiv.3 for ; Sat, 08 Nov 2014 06:52:38 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:subject:date:user-agent:references :in-reply-to:mime-version:content-type:content-transfer-encoding :message-id; bh=t+WPva6Y1phGtis7ao6OcVZ/QJD8xZYEH/5fMxpoE+U=; b=jWS12f0LNscVLeMc9IjgM1aizt8djGFjB6ycFjMRWnmkdX4tj60HfZPjpwitdccPta 5uwaxftSn2K2LcUvYHLxyNCYlyRgmvjBTL63wbw05aUMWgdApp2vJo3SP618SRUj05T9 efGz2ontzImA9lDTGuvv2gth975w282XIkvEq83cr2pLKKH8ilNtMHT10NB6zvpgs1X1 
fZtVy3+7mQuCMZWe5fTJbwCO9GQAj20sIH6uo040PXslYUwQBnrmwyRPMetwblhaaNvy gzGNt1HvW9PgKpYp4bDmx4qRkHkVKirmzkJRikx7JIbSXKKYhTK2NwdhKiihBnMF+nPl vDUQ== X-Gm-Message-State: ALoCoQmOg9WiC84zb6yLCEr+FwuS9RYf9YyIlRvDpCvyBBJ3FgQHq1dCAVSmZx+exBMwvEN6VK1l X-Received: by 10.181.13.20 with SMTP id eu20mr14626313wid.36.1415458356816; Sat, 08 Nov 2014 06:52:36 -0800 (PST) Received: from zvezda.localnet ([2a02:8108:1400:3c0::3]) by mx.google.com with ESMTPSA id fa16sm5944660wid.5.2014.11.08.06.52.35 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 08 Nov 2014 06:52:35 -0800 (PST) From: Kajetan Staszkiewicz To: freebsd-pf@freebsd.org Subject: Re: pf log with keep state Date: Sat, 8 Nov 2014 15:52:28 +0100 User-Agent: KMail/1.13.7 (Linux/3.10.1; KDE/4.8.4; x86_64; ; ) References: <545D195B.2050909@kornatka.pl> In-Reply-To: <545D195B.2050909@kornatka.pl> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart2357736.jIIlGAy4Pa"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <201411081552.34839.vegeta@tuxpowered.net> X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 08 Nov 2014 14:52:47 -0000 --nextPart2357736.jIIlGAy4Pa Content-Type: Text/Plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable

On Friday, 7 November 2014 at 20:11:23 Karol Kornatka wrote:

> I have preaty big network (arround 2000 hosts) having connection threw > freebsd router.

No, don't throw your router. It might still work after you fix your pf rules.

> Router is working on Dell poweredge r320 and freebsd 10. > As firewall obviously pf with arround 50000 pf state current entries and > 200Mbitps traffic.
> I need to pass and log forwarded traffic > For now i'm using ruleset like this: > > pass in quick log ( all, to pflog2) on $ds02_int_if proto tcp from > to any port $ds02_tcp_forward_services flags S/S keep state

Every new connection (matching for S/SA flags is the default thing when creating a new rule, you can see that with `pfctl -sr`, so your "flags" option does not change much) from to $ds02_tcp_forward_services is matched by this rule and is not processed any more due to the quick keyword. This causes a state to be created, so any further packets belonging to this connection never hit your rules at all and are accepted instead (checking whether a packet belongs to an existing state happens before matching it against rules). Every packet in such a connection (matching the state) is logged due to the log keyword.

> pass in quick on $ds02_int_if proto tcp from to any port > $ds02_tcp_forward_services keep state

No packets reach this rule as they match the previous one or a state created by it.

I understand that you want to log only the fact of connections being established. Then maybe the following thing would work:

pass in log ( all, to pflog2) \
    on $ds02_int_if proto tcp \
    from \
    to any port $ds02_tcp_forward_services \
    flags S/S no state
pass in quick \
    on $ds02_int_if proto tcp \
    from \
    to any port $ds02_tcp_forward_services \
    keep state

In this case the 1st rule matches incoming SYN packets, logs them, is not quick, so the 2nd rule has an opportunity to match them too, but it does not perform logging but creates the state instead. Any further packets are forwarded due to an existing state whose rule has no log option. I'm not sure if it will work, just a fast idea.
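Karol's question about real connection times and Kajetan's explanation that a logged stateful rule logs every packet of the connection can be taken one step further with a small reducer over the existing logs. The following is an added example written for this page, not code from either poster. Its log lines are constructed in the shape of the line quoted in the thread, where `tcpdump -ttt` prints each timestamp as the delta since the previous line, and FILE_START is an assumption standing in for the hour boundary at which the pflog file was rotated (with `tcpdump -tttt` the lines carry an absolute date and time and no accumulation is needed).

```python
"""Added example: one record per TCP connection from pflog output of a
'pass ... log keep state' rule. The sample lines are constructed in the shape
of the one quoted in the thread and are not real log data."""
import re
from datetime import datetime, timedelta

# Constructed sample in 'tcpdump -ttt' form: each timestamp is the delta since the previous line.
SAMPLE_LOG = """\
00:00:00.000000 rule 97..16777216/0(match): pass in on vlan4010: 10.210.4.14.62886 > 184.28.17.235.443: Flags [S], seq 1, win 65535, length 0
00:00:00.020000 rule 97..16777216/0(match): pass in on vlan4010: 10.210.4.14.62886 > 184.28.17.235.443: Flags [.], ack 1, win 16425, length 0
00:00:00.005000 rule 97..16777216/0(match): pass in on vlan4010: 10.210.4.20.51000 > 93.184.216.34.80: Flags [S], seq 7, win 65535, length 0
00:00:01.000000 rule 97..16777216/0(match): pass in on vlan4010: 10.210.4.14.62886 > 184.28.17.235.443: Flags [P.], seq 1:200, ack 1, win 16425, length 199
00:00:02.500000 rule 97..16777216/0(match): pass in on vlan4010: 10.210.4.14.62886 > 184.28.17.235.443: Flags [F.], seq 200, ack 1371, win 16425, length 0
00:00:00.100000 rule 97..16777216/0(match): pass in on vlan4010: 10.210.4.20.51000 > 93.184.216.34.80: Flags [R.], seq 8, ack 1, win 0, length 0
"""

# Assumption: the wall-clock time at which this rotated pflog file started.
FILE_START = datetime(2014, 11, 7, 0, 0, 0)

LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d{6}) rule (?P<rule>[^:]+): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_pflog(text: str, file_start: datetime) -> list:
    """Turn '-ttt' delta timestamps into absolute times by accumulating from file_start.
    Lines that do not parse (non-TCP, truncated) are skipped."""
    clock = file_start
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        clock += timedelta(hours=int(d["h"]), minutes=int(d["m"]),
                           seconds=int(d["s"]), microseconds=int(d["us"]))
        records.append({
            "time": clock,
            "flow": (d["src"], int(d["sport"]), d["dst"], int(d["dport"])),
            "flags": d["flags"],
            "rule": d["rule"],
            "action": d["action"],
        })
    return records


def is_connection_start(flags: str) -> bool:
    """A bare SYN ([S]) opens a connection; [S.] is the SYN/ACK reply and is not counted."""
    return "S" in flags and "." not in flags


def summarize_flows(records: list) -> dict:
    """One entry per 4-tuple: SYN time, last logged packet, duration, packet count, how it ended."""
    flows = {}
    for r in records:
        f = flows.setdefault(r["flow"], {"syn": None, "last": None, "packets": 0, "end": None})
        f["packets"] += 1
        if is_connection_start(r["flags"]):
            f["syn"] = r["time"]
        f["last"] = r["time"]
        if "F" in r["flags"]:
            f["end"] = "FIN"
        elif "R" in r["flags"]:
            f["end"] = "RST"
    for f in flows.values():
        f["duration"] = (f["last"] - f["syn"]).total_seconds() if f["syn"] else None
    return flows


def reduction(records: list) -> tuple:
    """(lines logged by a stateful 'log' rule, lines a SYN-only logging scheme would keep)."""
    return len(records), sum(1 for r in records if is_connection_start(r["flags"]))


def demo() -> dict:
    """Run the reducer over the constructed sample."""
    return summarize_flows(parse_pflog(SAMPLE_LOG, FILE_START))


if __name__ == "__main__":
    for flow, f in demo().items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} start={f['syn']} "
              f"duration={f['duration']}s packets={f['packets']} end={f['end']}")
```

Two caveats a practitioner should keep in mind. The rule in the thread logs only packets arriving `in` on the LAN interface, so the summary sees one direction of each connection; the FIN or RST recorded is the client's, and a server-side close shows up only as the last client ACK. And the "duration" is the span between the logged SYN and the last logged packet, which is the best the log can give; the pf state table itself (`pfctl -ss -vv`) shows state age and expiry directly for connections that are still open.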
-- | pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS | | Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net | | Vegeta | www: http://vegeta.tuxpowered.net | `------------------------^---------------------------------------' --nextPart2357736.jIIlGAy4Pa Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iEYEABECAAYFAlReLiwACgkQ47RQr217OhSG5ACg2TSLLkyuyHb1MLkh/Dz/TIyc upEAoNu6UO0vj+eY3OUYzEuPb5RyHhdG =dkJ3 -----END PGP SIGNATURE----- --nextPart2357736.jIIlGAy4Pa-- From owner-freebsd-pf@FreeBSD.ORG Sat Nov 8 19:50:31 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 0A555509 for ; Sat, 8 Nov 2014 19:50:31 +0000 (UTC) Received: from smtp.po.exetel.com.au (pecan2-mail.exetel.com.au [220.233.0.71]) by mx1.freebsd.org (Postfix) with ESMTP id B45EB39F for ; Sat, 8 Nov 2014 19:50:30 +0000 (UTC) Received: from phasia.kd.net.au ([115.70.76.27]) by smtp.po.exetel.com.au with esmtp (Exim 4.80) (envelope-from ) id 1XnC1l-00023r-PZ for freebsd-pf@freebsd.org; Sun, 09 Nov 2014 06:50:29 +1100 Received: from aneurin.horsfall.org (unknown [120.146.8.15]) by dermis.kd (Postfix) with ESMTP id 449D3CD2C for ; Sun, 9 Nov 2014 06:53:13 +1100 (EST) Received: from aneurin.horsfall.org (localhost [127.0.0.1]) by aneurin.horsfall.org (8.14.7/8.14.7) with ESMTP id sA8JoKgq016234 for ; Sun, 9 Nov 2014 06:50:22 +1100 (EST) (envelope-from dave@horsfall.org) Received: from localhost (dave@localhost) by aneurin.horsfall.org (8.14.7/8.14.7/Submit) with ESMTP id sA8JoK6B016231 for ; Sun, 9 Nov 2014 06:50:20 +1100 (EST) (envelope-from dave@horsfall.org) X-Authentication-Warning: aneurin.horsfall.org: dave owned process
doing -bs Date: Sun, 9 Nov 2014 06:50:19 +1100 (EST) From: Dave Horsfall To: FreeBSD PF List Subject: Re: Getting tables to work in PF In-Reply-To: Message-ID: References: <478A1469-F6EE-4D8D-B51F-B41C97626439@lafn.org> User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) X-Witty-Saying: "chmod 666 the_mode_of_the_beast" MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 08 Nov 2014 19:50:31 -0000 On Sat, 8 Nov 2014, Dave Horsfall wrote: > Same thing on FreeBSD 8.2-RELEASE-p9 (GENERIC); I'll summon up the > courage and try 9.3 or whatever. I went to 8.4-RELEASE-p19 instead (and noted a few weird things in the ports department), and it still ain't working; I disabled inbound SMTP as a test, and mail was still arriving. From this I can only conclude that unless I've made an obscure error somewhere in my pf.conf file then pf(4) simply does not work on FreeBSD 8 (possibly with the on-board "fxp0" - yes, I spotted that DHCP bug just in time). I remain to be corrected on this point, preferably with a config that is known to work. I'll gird my loins appropriately and give FreeBSD 9.3 a bash, and also look around for another type of NIC when I can afford it. -- Dave Horsfall DTM (VK2KFU) "Bliss is a MacBook with a FreeBSD server."
http://www.horsfall.org/spam.html (and check the home page whilst you're there) From owner-freebsd-pf@FreeBSD.ORG Sat Nov 8 21:29:28 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 861F3A8F for ; Sat, 8 Nov 2014 21:29:28 +0000 (UTC) Received: from nskntmtas05p.mx.bigpond.com (nskntmtas05p.mx.bigpond.com [61.9.168.149]) by mx1.freebsd.org (Postfix) with ESMTP id 18F03E54 for ; Sat, 8 Nov 2014 21:29:27 +0000 (UTC) Received: from nskntcmgw07p ([61.9.169.167]) by nskntmtas05p.mx.bigpond.com with ESMTP id <20141108212920.OEZD19653.nskntmtas05p.mx.bigpond.com@nskntcmgw07p> for ; Sat, 8 Nov 2014 21:29:20 +0000 Received: from hermes.heuristicsystems.com.au ([58.173.108.194]) by nskntcmgw07p with BigPond Outbound id D9VL1p0084BhPve019VLbb; Sat, 08 Nov 2014 21:29:20 +0000 X-Authority-Analysis: v=2.0 cv=JN65Qr2b c=1 sm=1 a=4+whva0L5pAyL5dznpY5+Q==:17 a=75Mj3Gjma4sA:10 a=N659UExz7-8A:10 a=GHIR_BbyAAAA:8 a=LMAOX3s_XAOmoExi4tIA:9 a=pILNOxqGKmIA:10 a=BBo10dcLZbAA:10 a=9qhCIJFTFb8A:10 a=N1FFGOJDPtAA:10 a=4+whva0L5pAyL5dznpY5+Q==:117 Received: from [10.0.5.3] (ewsw01.hs [10.0.5.3]) (authenticated bits=0) by hermes.heuristicsystems.com.au (8.14.5/8.13.6) with ESMTP id sA8LSwde060688 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT) for ; Sun, 9 Nov 2014 08:29:04 +1100 (EST) (envelope-from dewayne.geraghty@heuristicsystems.com.au) Message-ID: <545E8B14.1060507@heuristicsystems.com.au> Date: Sun, 09 Nov 2014 08:28:52 +1100 From: Dewayne Geraghty User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Thunderbird/31.2.0 MIME-Version: 1.0 To: freebsd-pf@freebsd.org Subject: Re: Getting tables to work in PF References: <478A1469-F6EE-4D8D-B51F-B41C97626439@lafn.org> In-Reply-To: Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit 
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 08 Nov 2014 21:29:28 -0000 Dave, I think that you will be better served by going straight to 10.RC4. There were a few enhancements to PF in 10, thanks to Gleb's ongoing commitment. (I'm moving production devices from ipfw, after 13 years use, to pf on 10.1R) However if you customise your kernel & ports you are likely to experience some pain with the transition from 8. Regards, Dewayne. From owner-freebsd-pf@FreeBSD.ORG Sat Nov 8 23:44:31 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 021FAEFB for ; Sat, 8 Nov 2014 23:44:31 +0000 (UTC) Received: from smtp.po.exetel.com.au (pecan2-mail.exetel.com.au [220.233.0.71]) by mx1.freebsd.org (Postfix) with ESMTP id AB060D17 for ; Sat, 8 Nov 2014 23:44:30 +0000 (UTC) Received: from phasia.kd.net.au ([115.70.76.27]) by smtp.po.exetel.com.au with esmtp (Exim 4.80) (envelope-from ) id 1XnFg8-0004TC-CU for freebsd-pf@freebsd.org; Sun, 09 Nov 2014 10:44:24 +1100 Received: from aneurin.horsfall.org (unknown [120.146.8.15]) by dermis.kd (Postfix) with ESMTP id F3408CD2C for ; Sun, 9 Nov 2014 10:46:56 +1100 (EST) Received: from aneurin.horsfall.org (localhost [127.0.0.1]) by aneurin.horsfall.org (8.14.9/8.14.9) with ESMTP id sA8Ni5lC000846 for ; Sun, 9 Nov 2014 10:44:07 +1100 (EST) (envelope-from dave@horsfall.org) Received: from localhost (dave@localhost) by aneurin.horsfall.org (8.14.9/8.14.9/Submit) with ESMTP id sA8Ni5Jl000843 for ; Sun, 9 Nov 2014 10:44:05 +1100 (EST) (envelope-from dave@horsfall.org) X-Authentication-Warning: 
aneurin.horsfall.org: dave owned process doing -bs Date: Sun, 9 Nov 2014 10:44:05 +1100 (EST) From: Dave Horsfall To: FreeBSD PF List Subject: Re: Getting tables to work in PF In-Reply-To: <545E8B14.1060507@heuristicsystems.com.au> Message-ID: References: <478A1469-F6EE-4D8D-B51F-B41C97626439@lafn.org> <545E8B14.1060507@heuristicsystems.com.au> User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) X-Witty-Saying: "chmod 666 the_mode_of_the_beast" MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 08 Nov 2014 23:44:31 -0000 On Sun, 9 Nov 2014, Dewayne Geraghty wrote: > Dave, I think that you will be better served by going straight to > 10.RC4. There were a few enhancements to PF in 10, thanks to Gleb's > ongoing commitment. (I'm moving production devices from ipfw, after 13 > years use, to pf on 10.1R) I was halfway through 9.3, and I wasn't about to cancel it :-) Anyway, PF is now working, so I can say with some degree of confidence that it does *not* work on FreeBSD 8, at least with the FXP0. When the dust settles a bit (I went 8.2 -> 8.4 -> 9.3 on this weekend alone) I'll dip my toe in the FreeBSD 10 waters. > However if you customise your kernel & ports you are likely to > experience some pain with the transition from 8. I never touch the installed stuff; I did have some trouble with the ports, though (something about Makefile errors) so I'll do what I did on my MacBook (its ports is based on FreeBSD's) i.e. blow it away and reinstall the entire ports tree. -- Dave Horsfall DTM (VK2KFU) "Bliss is a MacBook with a FreeBSD server." http://www.horsfall.org/spam.html (and check the home page whilst you're there)