From owner-freebsd-pf@freebsd.org Sun Oct 11 11:16:10 2015
Date: Sun, 11 Oct 2015 13:16:08 +0200
From: Miłosz Kaniewski
To: freebsd-pf@freebsd.org
Subject: Creating span interface using 'dup-to' option

uname -a:
FreeBSD freebsd11_master.kvm 11.0-CURRENT FreeBSD 11.0-CURRENT #0 r285616: Thu Jul 16 02:21:59 UTC 2015 root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64

+----------+        +-----------+        +----------+
|          |     em0|           |em1     |          |
|  host1   +--------+  FreeBSD  +--------+  host2   |
|          |        |           |        |          |
+----------+        +-----------+        +----------+
                          |em2
                          |
                          v

Hi,

I have a FreeBSD machine which forwards packets between host1 and host2. This machine also has an additional interface (em2) which acts as a span interface: all traffic between host1 and host2 is copied to it.

To achieve this scenario I can set up a bridge with em0 and em1 as members and em2 as the span interface. But I would like to get the same result using pf instead. So I tried to use these rules:

    pass out on em0 dup-to em2 no state
    pass out on em1 dup-to em2 no state

But it doesn't work. No packets appear on interface em2. I've checked the same configuration on OpenBSD and everything worked well.

Is there any difference in setting a dup-to rule in FreeBSD and OpenBSD pf?

Thanks for help.
Best regards.
From owner-freebsd-pf@freebsd.org Sun Oct 11 21:19:43 2015
Date: Sun, 11 Oct 2015 23:19:38 +0200
From: Kristof Provost
To: Miłosz Kaniewski
Cc: freebsd-pf@freebsd.org
Subject: Re: Creating span interface using 'dup-to' option
Message-ID: <20151011211938.GD10055@vega.codepro.be>

On 2015-10-11 13:16:08 (+0200), Miłosz Kaniewski wrote:
> I have FreeBSD machine which forwards packets between host1 and host2. This
> machine has also an additional interface (em2) which act as span interface
> - all traffic between host1 and host2 is copied into it.
> To achieve this scenario I can set bridge with em0 and em1 as members and
> em2 as span interface. But I would like to get same result using pf
> instead. So I tried to use this rules:
>
> pass out on em0 dup-to em2 no state
> pass out on em1 dup-to em2 no state
>
> But it doesn't work. No packets appear on interface em2. I've checked same
> configuration on OpenBSD and everything worked well.
> Is there any difference in setting dup-to rule in FreeBSD and OpenBSD pf?
>
From a quick test, yes, it looks like something's broken, or we're both
misunderstanding something.

My system complains 'arpresolve: can't allocate llinfo for 8.8.8.8 on vtnet1'.
I think the issue is that we still try to resolve the destination MAC on 'em2'.

Can you open a bug? I'll add this to my TODO list.

Regards,
Kristof

From owner-freebsd-pf@freebsd.org Mon Oct 12 09:02:16 2015
Date: Mon, 12 Oct 2015 11:02:14 +0200
From: Miłosz Kaniewski
Cc: freebsd-pf@freebsd.org
Subject: Re: Creating span interface using 'dup-to' option
In-Reply-To: <20151011211938.GD10055@vega.codepro.be>

2015-10-11 23:19 GMT+02:00 Kristof Provost:
>
> From a quick test, yes, it looks like something's broken, or we're both
> misunderstanding something.
>
> My system complains 'arpresolve: can't allocate llinfo for 8.8.8.8 on
> vtnet1'.
> I think the issue is that we still try to resolve the destination MAC on
> 'em2'.
>
> Can you open a bug? I'll add this to my TODO list.
>
> Regards,
> Kristof
>

Thank you for your response.
I added a bug report: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203715

Miłosz Kaniewski

From owner-freebsd-pf@freebsd.org Mon Oct 12 14:29:10 2015
Date: Mon, 12 Oct 2015 14:28:58 +0000
From: David DeSimone
To: Miłosz Kaniewski
Cc: freebsd-pf@freebsd.org
Subject: RE: Creating span interface using 'dup-to' option
The man page makes it clear that "dup-to" acts just like "route-to", except that the original packet still routes the way it would have. The implication being that "dup-to" needs to determine where to route the new packet.

This means that the more useful form of this is likely to be:

    pass out on em0 dup-to ( em2 X.X.X.X ) no state

Where "X.X.X.X" is the IP of the host connected via em2 that will be receiving the duplicated packet.

The difference between using a bridge to accomplish this, vs. pf, is that pf operates at layer 3 and will not preserve the layer 2 mac headers, whereas bridge will preserve these.

Hopefully this will fit your requirements.
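As an added example (not from the thread and not pf's own documentation), here is the two-rule span setup from the original question rewritten with the next-hop form of dup-to that David describes, with the one-way guard a reviewer would want on the span link. The macro names and the capture host's address 192.0.2.10 on em2 are constructed assumptions; the interface names come from the diagram above.

```pf
# Added example (not from the thread, not pf's own documentation): the
# two-rule "span port" from the original question, written with the
# next-hop form of dup-to that David DeSimone describes.
# Assumptions: em0/em1 carry the host1 <-> host2 traffic as in the diagram,
# and the capture box attached to em2 has the address 192.0.2.10 on that
# link (constructed placeholder; use the real address of your capture host).
span_if  = "em2"
span_hop = "192.0.2.10"

# Form from the question: no next hop, so the kernel has no link-layer
# destination for the copy and nothing leaves em2 on FreeBSD
# (tracked as bug 203715 in the thread).
#pass out on em0 dup-to em2 no state
#pass out on em1 dup-to em2 no state

# dup-to takes ( interface address ), exactly like route-to.  The copy is
# forwarded at layer 3: its Ethernet header is rebuilt for $span_hop, so
# the original layer-2 addresses are not preserved (a bridge span port
# keeps them).  One rule per forwarding interface covers both directions;
# "no state" is kept from the original rules.  Rules that pass this traffic
# in on em0/em1 are assumed to exist elsewhere in the ruleset.
pass out on em0 dup-to ( $span_if $span_hop ) no state
pass out on em1 dup-to ( $span_if $span_hop ) no state

# Keep the span link one-way: the capture host receives copies, but nothing
# arriving from that segment is accepted or forwarded by the firewall.
block in quick on $span_if all
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then run `tcpdump -ni em2` while host1 talks to host2: each forwarded packet should appear once, addressed at layer 2 to the capture host. If nothing appears, the dup-to path is still affected by the bug discussed above, and the bridge span (`ifconfig bridge0 addm em0 addm em1 span em2`) remains the working option.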
From owner-freebsd-pf@freebsd.org Tue Oct 13 03:51:49 2015
Date: Mon, 12 Oct 2015 23:51:47 -0400
From: David Mehler
To: freebsd-pf@freebsd.org
Subject: Rules sanity check

Hello,

I'm back to pf after a number of years with mainly Linux servers. I'm running FreeBSD 10 on a machine with pf. I'm hoping someone can give my rules, such as they are, a sanity check? Some things I know definitely aren't working are the IPv6 allowing of ssh and http; IPv6 ping doesn't work (it gives a UDP error); with FTP from the machine the data connection doesn't come through, and I'm assuming I'll have that same problem when I set up a jailed FTP server as well.

Sanity check appreciated.

Thanks.
Dave.
[Attachment: pf.conf]

#
# pf.conf rules
# Establish a block by default firewall, allow all outbound traffic, but only allow ports on the list inbound
#

# define the external interface
ext_if="vtnet0"

# Set options
# block-policy can be either drop or return
set block-policy drop

# Avoid doing anything with the lo0 loopback interface
set skip on lo0
scrub on $ext_if all reassemble tcp no-df random-id max-mss 1440
antispoof quick for ($ext_if)

# Set up tables for IP blocking
table <childrens> persist
table <chuugoku> persist file "/etc/pf/zones/cn.zone"
table <ru> persist file "/etc/pf/zones/ru.zone"
icmp_types = "echoreq"
icmp6_types = "ipv6-icmp"

# Define services we want to allow out
tcp_services = "{ ftp-data, ftp, ntp, bootpc, domain, ssh, smtp, www, https, imap, imaps }"
udp_services = "{ bootpc, domain, ntp }"

# block by default
block all

# Block anything in the childrens table
block in quick proto tcp from <childrens> to any
block in quick proto tcp from <chuugoku> to any port { 80 22 25 }
block in quick proto tcp from <ru> to any port { 80 22 25 }

# pass out any traffic from the host
pass out proto tcp to any port $tcp_services keep state
pass proto udp to any port $udp_services keep state

# Allow ssh connections in from the internet
pass in inet proto tcp to $ext_if port ssh flags S/SA keep state (max-src-conn 5, max-src-conn-rate 5/5, overload <childrens> flush global)

# Pass in http traffic from the internet
pass in inet proto tcp to $ext_if port 80 flags S/SA keep state (max-src-conn 5, max-src-conn-rate 5/5, overload <childrens> flush global)

# Allow selected icmp types
#pass in inet proto icmp all icmp-type $icmp_types keep state
# Allow pings out
pass out inet proto icmp all icmp-type $icmp_types keep state
# and for ipv6
#pass out inet6 proto icmpv6-icmp all icmp-type $icmp6_types keep state

From owner-freebsd-pf@freebsd.org Tue Oct 13 10:32:26 2015
Date: Tue, 13 Oct 2015 12:32:21 +0200
From: Kristof Provost
To: David Mehler
Cc: freebsd-pf@freebsd.org
Subject: Re: Rules sanity check
> On 13 Oct 2015, at 05:51, David Mehler wrote:
> Some things I know definitely aren't working is the ipv6 allowing of
> ssh and http, ipv6 ping doesn't work gives a udp error, ftp from the
> machine the data connection doesn't come through, i'm assuming i'll
> have that same problem when I set up a jailed ftp server as well.
>
You really, really want to allow ICMPv6. Without ICMPv6, critical things like path MTU (remember, there's no router fragmentation in IPv6, you *need* path MTU discovery) and router advertisements break.

It's still possible to filter out undesirable ICMPv6 types, but I'd start out just allowing everything.

I've not looked at the rest of it in any depth, but the ICMPv6 thing probably explains all of the IPv6 issues you've had.

Regards,
Kristof

From owner-freebsd-pf@freebsd.org Tue Oct 13 15:00:05 2015
Date: Tue, 13 Oct 2015 15:00:05 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 203735] Transparent interception of ipv6 with squid and pf causes panic
X-Bugzilla-Version: 10.2-STABLE
X-Bugzilla-Status: New
X-Bugzilla-Changed-Fields: cc assigned_to
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203735

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |freebsd-net@FreeBSD.org
           Assignee|freebsd-bugs@FreeBSD.org    |freebsd-pf@FreeBSD.org

--
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@freebsd.org Tue Oct 13 15:00:19 2015
Date: Tue, 13 Oct 2015 15:00:19 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 203715] [pf] 'dup-to' option doesn't duplicate packets
X-Bugzilla-Version: 11.0-CURRENT
X-Bugzilla-Status: New
X-Bugzilla-Changed-Fields: assigned_to

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203715

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|freebsd-bugs@FreeBSD.org    |freebsd-pf@FreeBSD.org

--
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@freebsd.org Tue Oct 13 16:59:50 2015
Date: Tue, 13 Oct 2015 12:59:48 -0400
From: David Mehler
To: Kristof Provost
Cc: freebsd-pf@freebsd.org
Subject: Re: Rules sanity check

Hello,

Thanks. How do I get icmpv6 going? That is certainly a problem I'm having.

Thanks.
Dave.

On 10/13/15, Kristof Provost wrote:
>
>> On 13 Oct 2015, at 05:51, David Mehler wrote:
>> Some things I know definitely aren't working is the ipv6 allowing of
>> ssh and http, ipv6 ping doesn't work gives a udp error, ftp from the
>> machine the data connection doesn't come through, i'm assuming i'll
>> have that same problem when I set up a jailed ftp server as well.
>>
> You really, really want to allow ICMPv6. Without ICMPv6 critical things
> like path MTU (remember, there's no router fragmentation in IPv6, you
> *need* path MTU discovery) and router advertisements.
>
> It's still possible to filter out undesirable ICMPv6 types, but I'd start
> out just allowing everything.
>
> I've not looked at the rest of it in any depth, but the ICMPv6 thing
> probably
> explains all of the IPv6 issues you've had.
>
> Regards,
> Kristof
>

From owner-freebsd-pf@freebsd.org Tue Oct 13 17:01:56 2015
Date: Tue, 13 Oct 2015 19:01:50 +0200
From: Kristof Provost
To: David Mehler
Cc: freebsd-pf@freebsd.org
Subject: Re: Rules sanity check
Message-Id: <68795E25-8206-4AE0-87A6-6584896F6AF6@FreeBSD.org>

> On 13 Oct 2015, at 18:59, David Mehler wrote:
> Thanks. How do I get icmpv6 going? That is certainly a problem I'm having.
>=20 I=E2=80=99d start off simply allowing all icmpv6 traffic: pass in inet6 proto icmp6 Regards, Kristof From owner-freebsd-pf@freebsd.org Wed Oct 14 16:22:17 2015 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id F1A75A13D48 for ; Wed, 14 Oct 2015 16:22:16 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D126BADF for ; Wed, 14 Oct 2015 16:22:16 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id t9EGMGT9008520 for ; Wed, 14 Oct 2015 16:22:16 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-pf@FreeBSD.org Subject: [Bug 198868] pf brakes tcp checksum if enabled for ue adapter Date: Wed, 14 Oct 2015 16:22:15 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 10.1-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: commit-hook@freebsd.org X-Bugzilla-Status: New X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" 
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Oct 2015 16:22:17 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=198868 --- Comment #3 from commit-hook@freebsd.org --- A commit references this bug: Author: kp Date: Wed Oct 14 16:21:42 UTC 2015 New revision: 289316 URL: https://svnweb.freebsd.org/changeset/base/289316 Log: pf: Fix TSO issues In certain configurations (mostly but not exclusively as a VM on Xen) pf produced packets with an invalid TCP checksum. The problem was that pf could only handle packets with a full checksum. The FreeBSD IP stack produces TCP packets with a pseudo-header checksum (only addresses, length and protocol). Certain network interfaces expect to see the pseudo-header checksum, so they end up producing packets with invalid checksums. To fix this stop calculating the full checksum and teach pf to only update TCP checksums if TSO is disabled or the change affects the pseudo-header checksum. PR: 154428, 193579, 198868 Reviewed by: sbruno MFC after: 1 week Relnotes: yes Sponsored by: RootBSD Differential Revision: https://reviews.freebsd.org/D3779 Changes: head/sys/net/pfvar.h head/sys/netpfil/pf/pf.c head/sys/netpfil/pf/pf_ioctl.c head/sys/netpfil/pf/pf_norm.c -- You are receiving this mail because: You are the assignee for the bug. 
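The commit log above turns on one detail that is easy to miss: with checksum offload or TSO enabled, the checksum field a packet carries through pf is not a checksum at all but the uncomplemented one's-complement sum of the pseudo-header (what the kernel's in_pseudo() produces), and the NIC finishes the job on transmit. The following C program is an added example, not code from the FreeBSD commit or from pf; it models both forms of the field on a constructed IPv4/TCP segment, applies the RFC 1624 incremental update that pf_cksum_fixup() performs for an address rewrite and a port rewrite, and shows why overwriting the seed with a full checksum (the pre-fix behaviour as the log describes it) yields a packet that fails verification after the NIC's pass. All addresses, ports, payload bytes and function names are the example's own.

```c
/* Added example (not from the FreeBSD commit or pf). Two forms of th_sum:
 *  - offload on:  th_sum = folded pseudo-header sum; the NIC adds
 *                 header+payload and complements on transmit;
 *  - offload off: th_sum = complete, complemented TCP checksum.
 * Address rewrites change the pseudo-header and must patch both forms;
 * port rewrites only affect the full form. All packet data is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One's-complement sum of a byte string, accumulated into a 32-bit total. */
static uint32_t cksum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    if (len)
        sum += (uint32_t)p[0] << 8;
    return sum;
}

/* Fold carries back in; result lies in 1..0xffff for any non-zero input. */
static uint16_t cksum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

struct tcp_seg {
    uint32_t src, dst;  /* IPv4 addresses, host byte order */
    uint8_t  tcp[40];   /* 20-byte TCP header + 20-byte payload, wire order */
    size_t   tcplen;
};

/* Pseudo-header: addresses, zero+protocol (6 = TCP), TCP length. */
static uint32_t pseudo_sum(const struct tcp_seg *s)
{
    return (s->src >> 16) + (s->src & 0xffff) + (s->dst >> 16) + (s->dst & 0xffff)
         + 6 + (uint32_t)s->tcplen;
}

/* What the stack leaves in th_sum when the NIC will finish the checksum. */
static uint16_t pseudo_seed(const struct tcp_seg *s) { return cksum_fold(pseudo_sum(s)); }

/* Complete checksum, computed with the checksum field taken as zero. */
static uint16_t tcp_full_cksum(const struct tcp_seg *s)
{
    uint8_t copy[sizeof s->tcp];
    memcpy(copy, s->tcp, s->tcplen);
    wr16(copy + 16, 0);
    return (uint16_t)~cksum_fold(cksum_add(pseudo_sum(s), copy, s->tcplen));
}

/* Receiver check: everything including the stored field must sum to -0. */
static int tcp_cksum_ok(const struct tcp_seg *s)
{
    return cksum_fold(cksum_add(pseudo_sum(s), s->tcp, s->tcplen)) == 0xffff;
}

/* Offloading NIC on transmit: continue from whatever th_sum holds, complement. */
static void nic_finish_cksum(struct tcp_seg *s)
{
    wr16(s->tcp + 16, (uint16_t)~cksum_fold(cksum_add(0, s->tcp, s->tcplen)));
}

/* RFC 1624 update of a complemented checksum (the pf_cksum_fixup() rule). */
static uint16_t cksum_fixup(uint16_t c, uint16_t before, uint16_t after)
{
    return (uint16_t)~cksum_fold((uint32_t)(uint16_t)~c + (uint16_t)~before + after);
}

/* The same update for the uncomplemented pseudo-header seed. */
static uint16_t seed_fixup(uint16_t seed, uint16_t before, uint16_t after)
{
    return cksum_fold((uint32_t)seed + (uint16_t)~before + after);
}

/* Destination rewrite: the pseudo-header changes, so the field is patched in
 * both modes, with the rule that matches what the field actually holds. */
static void nat_rewrite_dst(struct tcp_seg *s, uint32_t ndst, int tso)
{
    uint16_t (*fix)(uint16_t, uint16_t, uint16_t) = tso ? seed_fixup : cksum_fixup;
    uint16_t f = fix(rd16(s->tcp + 16), (uint16_t)(s->dst >> 16), (uint16_t)(ndst >> 16));
    wr16(s->tcp + 16, fix(f, (uint16_t)s->dst, (uint16_t)ndst));
    s->dst = ndst;
}

/* Port rewrite: ports are outside the pseudo-header, so with TSO on the seed
 * is left alone and the NIC picks up the new port on its own pass. */
static void nat_rewrite_dport(struct tcp_seg *s, uint16_t nport, int tso)
{
    if (!tso)
        wr16(s->tcp + 16, cksum_fixup(rd16(s->tcp + 16), rd16(s->tcp + 2), nport));
    wr16(s->tcp + 2, nport);
}

/* Constructed segment: 10.0.0.1:40000 -> 192.168.1.5:21, PSH|ACK, 20-byte payload. */
static void make_seg(struct tcp_seg *s)
{
    memset(s, 0, sizeof *s);
    s->src = 0x0a000001; s->dst = 0xc0a80105; s->tcplen = 40;
    wr16(s->tcp, 40000); wr16(s->tcp + 2, 21);
    s->tcp[12] = 5 << 4; s->tcp[13] = 0x18; wr16(s->tcp + 14, 65535);
    memcpy(s->tcp + 20, "pf tso checksum demo", 20);
}

/* TSO off: the patched full checksum must verify and equal a fresh computation. */
int scenario_no_tso(void)
{
    struct tcp_seg s; make_seg(&s);
    wr16(s.tcp + 16, tcp_full_cksum(&s));
    nat_rewrite_dst(&s, 0xc0a80150, 0);   /* -> 192.168.1.80 */
    nat_rewrite_dport(&s, 8021, 0);
    return tcp_cksum_ok(&s) && rd16(s.tcp + 16) == tcp_full_cksum(&s);
}

/* TSO on, fixed behaviour: the port change leaves the seed, the address change
 * patches it to what in_pseudo() would now give, and the NIC's pass verifies. */
int scenario_tso_fixed(void)
{
    struct tcp_seg s; make_seg(&s);
    wr16(s.tcp + 16, pseudo_seed(&s));
    uint16_t before = rd16(s.tcp + 16);
    nat_rewrite_dport(&s, 8021, 1);
    if (rd16(s.tcp + 16) != before) return 0;
    nat_rewrite_dst(&s, 0xc0a80150, 1);
    if (rd16(s.tcp + 16) != pseudo_seed(&s)) return 0;
    nic_finish_cksum(&s);
    return tcp_cksum_ok(&s);
}

/* The failure the log describes, as modelled here: the seed is replaced by a
 * full checksum, then a NIC expecting a seed finishes it again. */
int scenario_tso_old(void)
{
    struct tcp_seg s; make_seg(&s);
    wr16(s.tcp + 16, tcp_full_cksum(&s));
    nic_finish_cksum(&s);
    return tcp_cksum_ok(&s);   /* 0: corrupt on the wire */
}

int main(void)
{
    printf("no tso: %d  tso fixed: %d  tso old: %d\n",
           scenario_no_tso(), scenario_tso_fixed(), scenario_tso_old());
    return 0;
}
```

The third scenario is the symptom the PR reports: every TCP segment that pf rewrote left the box with a bad checksum, but only on interfaces whose driver finishes the checksum in hardware. When chasing a report like this, comparing behaviour with offload turned off on the interface (ifconfig's -txcsum and -tso options) separates a pf rewrite bug from a driver one before reading any kernel code.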
From owner-freebsd-pf@freebsd.org Thu Oct 15 00:04:39 2015
From: David Mehler <dave.mehler@gmail.com>
To: freebsd-pf
Date: Wed, 14 Oct 2015 20:04:36 -0400
Subject: FreeBSD 10, pf and ftp

Hello,

I've got pf and ftp-proxy loading, the latter is listening on
127.0.0.1:8021 and I've got the below rules. Any ftp traffic from the
host to an ftp server is not working. Can someone tell me where I messed
up with the proxy?

Thanks.
Dave.

#
# pf.conf rules
# Establish a block by default firewall, allow all outbound traffic, but
# only allow ports on the list inbound
#

# define the external interface
ext_if="vtnet0"

# Set options
# block-policy can be either drop or return
set block-policy drop

# Avoid doing anything with the lo0 loopback interface
set skip on lo0

scrub on $ext_if all reassemble tcp no-df random-id max-mss 1440

# for the ftp proxy
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
rdr pass on $ext_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

antispoof quick for ($ext_if)

# Set up tables for IP blocking
table persist
table persist file "/etc/pf/zones/cn.zone"
table persist file "/etc/pf/zones/ru.zone"

icmp_types = "echoreq"
icmp6_types = "ipv6-icmp"

# Define services we want to allow out
tcp_services = "{ ftp-data, ftp, ntp, bootpc, bootps, domain, ssh, smtp, www, https, imap, imaps }"
udp_services = "{ bootpc, bootps, domain, ntp }"

# block by default
block all

# Block anything in the childrens table
block in quick proto tcp from to any
block in quick proto tcp from to any port { 80 22 25 }
block in quick proto tcp from to any port { 80 22 25 }

# pass out any traffic from the host
pass out quick proto tcp to any port $tcp_services keep state
pass out quick proto udp to any port $udp_services keep state

# Allow ssh connections in from the internet
pass in quick inet proto tcp to $ext_if port ssh flags S/SA keep state (max-src-conn 5, max-src-conn-rate 5/5, overload flush global)

# Pass in http traffic from the internet
pass in quick inet proto tcp to $ext_if port 80 flags S/SA keep state (max-src-conn 5, max-src-conn-rate 5/5, overload flush global)

# Pass in https traffic from the internet
pass in quick inet proto tcp to $ext_if port 443 flags S/SA keep state (max-src-conn 5, max-src-conn-rate 5/5, overload flush global)

# Pass in smtp traffic from the internet
pass in quick inet proto tcp to $ext_if port 25 flags S/SA keep state (max-src-conn 5, max-src-conn-rate 5/5, overload flush global)

# Allow selected icmp types
#pass quick inet proto icmp all icmp-type $icmp_types keep state
#pass quick inet6 proto ipv6-icmp all icmp-type $icmp6_types keep state

# Allow pings out
#pass out inet proto icmp all icmp-type $icmp_types keep state
# and for ipv6
#pass out inet6 proto icmpv6-icmp all icmp-type $icmp6_types keep state

# The above icmp rules aren't working so just allow all of them
pass quick inet proto icmp all icmp-type $icmp_types keep state
pass quick inet6 proto ipv6-icmp all keep state

# For traffic from the ftp proxy
anchor "ftp-proxy/*"
pass out proto tcp from 127.0.0.1 to any port ftp