From owner-freebsd-pf@freebsd.org Sun Mar 19 21:00:15 2017
Message-Id: <201703192100.v2JL01Z0070714@kenobi.freebsd.org>
From: bugzilla-noreply@FreeBSD.org
To: freebsd-pf@FreeBSD.org
Subject: Problem reports for freebsd-pf@FreeBSD.org that need special attention
Date: Sun, 19 Mar 2017 21:00:14 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      | Bug Id    | Description
------------+-----------+---------------------------------------------------
Open        | 203735    | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.

From owner-freebsd-pf@freebsd.org Mon Mar 20 04:41:04 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 203735] Transparent interception of ipv6 with squid and pf causes panic
Date: Mon, 20 Mar 2017 04:41:03 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.2-STABLE
X-Bugzilla-Keywords: crash, needs-patch, needs-qa
X-Bugzilla-Status: Open
X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org
X-Bugzilla-Flags: mfc-stable10? mfc-stable11?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203735

Kristof Provost changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kp@freebsd.org

--- Comment #7 from Kristof Provost ---
The good news is this no longer panics, but it still doesn't work.
This turns out to be somewhat tricky.

The underlying problem is one of address scope. It can be fixed on the
receive side with a patch like this:

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 81290f91b40..d68f81ddf15 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6538,8 +6538,12 @@ done: pd.proto =3D=3D IPPROTO_UDP) && s !=3D NULL && s->nat_rule.ptr = !=3D NULL && (s->nat_rule.ptr->action =3D=3D PF_RDR || s->nat_rule.ptr->action =3D=3D PF_BINAT) && IN6_IS_ADDR_LOOPBACK(&pd.dst->v6)) - m->m_flags |=3D M_SKIP_FIREWALL; + m->m_flags |=3D M_SKIP_FIREWALL | M_FASTFWD_OURS;

This tells ip6_input() to skip the scope checks, which seems appropriate.
It still fails on the reply packet though, so this doesn't actually fix
the whole use case.

-- 
You are receiving this mail because:
You are the assignee for the bug.
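Review bot: the + line of the hunk at pf.c:6538 adds M_FASTFWD_OURS without a comment, while the only explanation of why (to make ip6_input() skip its scope checks for a packet that an RDR/BINAT state has steered to the IPv6 loopback address) lives in the mail body; put that rationale in a comment next to `m->m_flags |= M_SKIP_FIREWALL | M_FASTFWD_OURS;` so a later reader does not take the flag to be about fast forwarding. The hunk header promises 8 -> 12 lines but only one removed and one added line are visible, so the quoted patch is incomplete and should be re-sent whole before it is tested. Finally, as the comment itself says, the reply packet still fails, so this is at best the receive-side half of a fix and should not be merged, or MFC'd under the mfc-stable10?/mfc-stable11? flags, on its own.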
From owner-freebsd-pf@freebsd.org Mon Mar 20 13:25:49 2017
Date: Mon, 20 Mar 2017 14:20:46 +0100
From: "Marin Bernard"
Reply-To: lists@olivarim.com
To: freebsd-pf@freebsd.org
Subject: Support for the enc(4) pseudo-interface
Message-ID: <1490016046-5fb0febcc5f63c511c56aa201aef1fb5@olivarim.com>

Hi all,

I've just set up IPsec between two FreeBSD 11-RELEASE hosts with security/openiked.

From owner-freebsd-pf@freebsd.org Mon Mar 20 14:08:56 2017
Date: Mon, 20 Mar 2017 15:08:33 +0100
From: "Marin Bernard"
Reply-To: lists@olivarim.com
To: lists@olivarim.com, freebsd-pf@freebsd.org
Subject: Re: Support for the enc(4) pseudo-interface
Message-ID: <1490018913-f1619c15ef073d0f123d2a0940047986@olivarim.com>

Sorry for the noise: the webmail ate my message. Here is the full version:

Hi all,

I set up IPsec between several FreeBSD 11-RELEASE hosts. IKEv2 is managed by
security/openiked.

I use pf to filter the traffic, and the rulesets include several references
to the enc0 pseudo-interface, which allow inbound traffic filtering
*after* IPsec decryption. So far, the whole configuration works fine.

I noticed that the enc0 pseudo-interface was not shown in the output of the
`ifconfig` command, whereas it is on OpenBSD. AFAIK, the GENERIC kernel
does not include the enc pseudo-device, since I could not find a "device
enc" line in the kernel config file. The lack of such a device would
explain why it is not manageable as a network interface, and why
`ifconfig enc0 create` fails.

Yet, it appears that pf is able to handle references to enc(4) in its ruleset
even if the kernel does not support it. Is it expected behaviour? Is it
safe to use such a configuration on a production machine?

Thanks,

Marin.
On 20 March 2017 at 14:20, "Marin Bernard" wrote:
> Hi all,
>
> I've just set up IPsec between two FreeBSD 11-RELEASE hosts with security/openiked.

From owner-freebsd-pf@freebsd.org Tue Mar 21 02:30:33 2017
From: "Kristof Provost"
To: "Marin Bernard"
Cc: freebsd-pf@freebsd.org
Subject: Re: Support for the enc(4) pseudo-interface
Date: Tue, 21 Mar 2017 11:30:30 +0900
In-Reply-To: <1490018913-f1619c15ef073d0f123d2a0940047986@olivarim.com>

On 20 Mar 2017, at 23:08, Marin Bernard wrote:
> Yet, it appears that pf is able to handle references to enc(4) in its
> ruleset even if the kernel does not support it. Is it expected
> behaviour? Is it safe to use such a configuration on a production
> machine?
>
pf accepts rules for interfaces that don’t exist (yet), so this is
expected, but it won’t do what you want it to do.
Regards,
Kristof

From owner-freebsd-pf@freebsd.org Tue Mar 21 08:04:15 2017
From: Özkan KIRIK
Date: Tue, 21 Mar 2017 11:04:14 +0300
Subject: ALTQ on epair not working
To: freebsd-pf@freebsd.org

Hello,

I'm using FreeBSD 10.3-p17 amd64. The epair pseudo-device is listed as a
supported device in the man page of altq(4).

From the man page of altq:

  SUPPORTED DEVICES
     The driver modifications described in altq(9) are required to use a
     certain network card with ALTQ. They have been applied to the following
     hardware drivers: ae(4), age(4), alc(4), ale(4), an(4), ath(4), aue(4),
     axe(4), bce(4), bfe(4), bge(4), bxe(4), cas(4), cxgbe(4), dc(4), de(4),
     ed(4), em(4), ep(4), epair(4), ....

But while trying to use it the system says that it's not supported. I tried
on FreeBSD 11 also. The output is below:

pf.conf:

  altq on epair0b hfsc bandwidth 1Mb queue { ftp, ssh, icmp, other }
  queue ftp   bandwidth 30% priority 0 hfsc (upperlimit 99%)
  queue ssh   bandwidth 30% priority 2 hfsc (upperlimit 99%)
  queue icmp  bandwidth 10% priority 2 hfsc (upperlimit 99%)
  queue other bandwidth 30% priority 1 hfsc (default upperlimit 99%)

  # ifconfig epair0 create
  # ifconfig epair0a up
  # ifconfig epair0b up
  # pfctl -f pf.conf
  pfctl: epair0b: driver does not support altq
  # sysctl -a | grep ALTQ
  options ALTQ_NOPCC
  options ALTQ_PRIQ
  options ALTQ_CDNR
  options ALTQ_HFSC
  options ALTQ_RIO
  options ALTQ_RED
  options ALTQ_CBQ
  options ALTQ

I had a look at /usr/src/sys/net/if_epair.c, and found the ALTQ section:

  #ifdef ALTQ
          /* Support ALTQ via the clasic if_start() path. */
          IF_LOCK(&ifp->if_snd);
          if (ALTQ_IS_ENABLED(&ifp->if_snd)) {
                  ALTQ_ENQUEUE(&ifp->if_snd, m, NULL, error);
                  if (error)
                          ifp->if_snd.ifq_drops++;
                  IF_UNLOCK(&ifp->if_snd);
                  if (!error) {
                          ifp->if_obytes += len;
                          if (mflags & (M_BCAST|M_MCAST))
                                  ifp->if_omcasts++;

                          if ((ifp->if_drv_flags & IFF_DRV_OACTIVE) == 0)
                                  epair_start_locked(ifp);
                          else
                                  (void)epair_add_ifp_for_draining(ifp);
                  }
                  return (error);
          }
          IF_UNLOCK(&ifp->if_snd);
  #endif

I have no idea why it says that it doesn't support altq although the source
code contains the ALTQ section.

Regards
Özkan KIRIK

From owner-freebsd-pf@freebsd.org Tue Mar 21 08:47:10 2017
Date: Tue, 21 Mar 2017 09:43:31 +0100
From: "Marin Bernard"
Reply-To: lists@olivarim.com
To: "Kristof Provost"
Cc: freebsd-pf@freebsd.org
Subject: Re: Support for the enc(4) pseudo-interface
Message-ID: <1490085811-bc1aa9c7b83aeddb9dee198bc4071b35@olivarim.com>

Hi,

Thanks for answering. Yes, I know that pf accepts rules mentioning inexistent
interfaces. What puzzles me here is that my ruleset is actually working.
With peer0 = 1.2.3.4 and peer1 = 5.6.7.8, the following ruleset works as
expected:

-----
peers = "{1.2.3.4, 5.6.7.8}"

set skip on lo
block all

# Allow IKE
pass  in proto {tcp, udp} from $peers to self   port isakmp
pass out proto {tcp, udp} from self   to $peers port isakmp

# Allow ICMPv4 echo requests only through IPsec
pass in on enc0 proto icmp from $peers to self icmp-type echoreq
-----

If there is no SA, it is impossible for a peer to ping another. As soon
as IKE creates a SA, however, ping starts working. As you can see,
the last rule is explicitly bound to the inexistent enc0 interface, and
yet is working fine.

Thanks,

Marin.

On 21 March 2017 at 03:30, "Kristof Provost" wrote:
> On 20 Mar 2017, at 23:08, Marin Bernard wrote:
> > Yet, it appears that pf is able to handle references to enc(4) in its
> > ruleset
> > even if the kernel does not support it. Is it expected behaviour?
> > Is it
> > safe to use such a configuration on a production machine?
> >
> pf accepts rules for interfaces that don’t exist (yet), so this is
> expected,
> but it won’t do what you want it to do.
>
> Regards,
> Kristof

From owner-freebsd-pf@freebsd.org Tue Mar 21 09:26:45 2017
From: "Kristof Provost"
To: "Marin Bernard"
Cc: freebsd-pf@freebsd.org
Subject: Re: Support for the enc(4) pseudo-interface
Date: Tue, 21 Mar 2017 10:18:36 +0100
Message-ID: <44FBCEF5-6151-46FF-A166-81E7306914CC@sigsegv.be>
In-Reply-To: <1490085811-bc1aa9c7b83aeddb9dee198bc4071b35@olivarim.com>

On 21 Mar 2017, at 9:43, Marin Bernard wrote:
> Thanks for answering. Yes, I know that pf accepts rules mentioning
> inexistent interfaces. What puzzles me here is that my ruleset is
> actually working. With peer0 = 1.2.3.4 and peer1 = 5.6.7.8, the
> following ruleset works as expected:
>
> -----
> peers = "{1.2.3.4, 5.6.7.8}"
>
> set skip on lo
> block all
>
> # Allow IKE
> pass  in proto {tcp, udp} from $peers to self   port isakmp
> pass out proto {tcp, udp} from self   to $peers port isakmp
>
> # Allow ICMPv4 echo requests only through IPsec
> pass in on enc0 proto icmp from $peers to self icmp-type echoreq
> -----
>
> If there is no SA, it is impossible for a peer to ping another. As soon
> as IKE creates a SA, however, ping starts working. As you can see,
> the last rule is explicitly bound to the inexistent enc0 interface, and
> yet is working fine.
>
Can you try without the enc0 rule? I suspect that what’s happening here
is that the IPSec traffic is bypassing the firewall altogether. If that's
the case then your traffic will still flow, even without the pass on enc0
rule.

If you want to filter on it, it should work if you add ‘device enc’ to
your kernel config.
The man page suggests that should then allow you to filter IPSec traffic
on enc0.

Regards,
Kristof

From owner-freebsd-pf@freebsd.org Tue Mar 21 09:59:41 2017
Date: Tue, 21 Mar 2017 10:59:16 +0100
From: "Marin Bernard"
Reply-To: lists@olivarim.com
To: "Kristof Provost"
Cc: freebsd-pf@freebsd.org
Subject: Re: Support for the enc(4) pseudo-interface
Message-ID: <1490090356-3beb99ed533c66a1f0fe54cca1460456@olivarim.com>

Hi again Kristof,

It appears you were right. ICMP flows through even with no rule set. I'm
afraid I'll have to build a custom kernel.

Thank you for your help,

Marin.

On 21 March 2017 at 10:18, "Kristof Provost" wrote:
> On 21 Mar 2017, at 9:43, Marin Bernard wrote:
> > Thanks for answering. Yes, I know that pf accepts rules mentioning
> > inexistent interfaces. What puzzles me here is that my ruleset is
> > actually working. With peer0 = 1.2.3.4 and peer1 = 5.6.7.8, the
> > following ruleset works as expected:
> >
> > -----
> > peers = "{1.2.3.4, 5.6.7.8}"
> >
> > set skip on lo
> > block all
> >
> > # Allow IKE
> > pass  in proto {tcp, udp} from $peers to self   port isakmp
> > pass out proto {tcp, udp} from self   to $peers port isakmp
> >
> > # Allow ICMPv4 echo requests only through IPsec
> > pass in on enc0 proto icmp from $peers to self icmp-type echoreq
> > -----
> >
> > If there is no SA, it is impossible for a peer to ping another. As soon
> > as IKE creates a SA, however, ping starts working.
> > As you can see,
> > the last rule is explicitly bound to the inexistent enc0 interface, and
> > yet is working fine.
> >
> Can you try without the enc0 rule? I suspect that what’s happening here
> is that the IPSec traffic is bypassing the firewall altogether. If that's
> the case then your traffic will still flow, even without the pass on enc0
> rule.
>
> If you want to filter on it, it should work if you add ‘device enc’ to
> your kernel config. The man page suggests that should then allow you to
> filter IPSec traffic on enc0.
>
> Regards,
> Kristof

From owner-freebsd-pf@freebsd.org Tue Mar 21 11:44:11 2017
Subject: Re: Support for the enc(4) pseudo-interface
To: Kristof Provost, Marin Bernard
Cc: freebsd-pf@freebsd.org
References: <1490085811-bc1aa9c7b83aeddb9dee198bc4071b35@olivarim.com> <44FBCEF5-6151-46FF-A166-81E7306914CC@sigsegv.be>
From: Miroslav Lachman <000.fbsd@quip.cz>
Message-ID: <58D11201.1000403@quip.cz>
Date: Tue, 21 Mar 2017 12:44:01 +0100
In-Reply-To: <44FBCEF5-6151-46FF-A166-81E7306914CC@sigsegv.be>

Kristof Provost wrote on 2017/03/21 10:18:
> On 21 Mar 2017, at 9:43, Marin Bernard wrote:
>> If there is no SA, it is impossible for a peer to ping another. As soon
>> as IKE creates a SA, however, ping starts working. As you can see,
>> the last rule is explicitly bound to the inexistent enc0 interface, and
>> yet is working fine.
>>
> Can you try without the enc0 rule? I suspect that what’s happening here
> is that the IPSec traffic is bypassing the firewall altogether. If that's
> the case then your traffic will still flow, even without the pass on enc0
> rule.
>
> If you want to filter on it, it should work if you add ‘device enc’ to
> your kernel config. The man page suggests that should then allow you to
> filter IPSec traffic on enc0.

Shouldn't it be included in GENERIC if IPSec is now part of it?
It seems illogical to build your own kernel for IPsec if IPSec was included
in GENERIC for 11.0 ... but without enc.
Miroslav Lachman

From owner-freebsd-pf@freebsd.org Tue Mar 21 11:46:36 2017
Date: Tue, 21 Mar 2017 12:46:36 +0100
From: Kurt Jaeger To: Miroslav Lachman <000.fbsd@quip.cz> Cc: freebsd-pf@freebsd.org Subject: Re: Support for the enc(4) pseudo-interface Message-ID: <20170321114636.GH64587@home.opsec.eu> References: <1490085811-bc1aa9c7b83aeddb9dee198bc4071b35@olivarim.com> <44FBCEF5-6151-46FF-A166-81E7306914CC@sigsegv.be> <58D11201.1000403@quip.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <58D11201.1000403@quip.cz> X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Mar 2017 11:46:36 -0000

Hi!

> > If you want to filter on it it should work if you add ‘device enc’ to your
> > kernel config. The man page suggests that should then allow you to
> > filter IPSec
> > traffic on enc0.
>
> Shouldn't it be included in GENERIC if IPSec is now part of it?

Yes, please include enc in the GENERIC kernel.

--
pi@opsec.eu +49 171 3101372 3 years to go !
From owner-freebsd-pf@freebsd.org Tue Mar 21 11:56:31 2017 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E2EF6D153A2 for ; Tue, 21 Mar 2017 11:56:31 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from mx1.sbone.de (mx1.sbone.de [IPv6:2a01:4f8:130:3ffc::401:25]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mx1.sbone.de", Issuer "SBone.DE" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id A5E5C1450 for ; Tue, 21 Mar 2017 11:56:31 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from mail.sbone.de (mail.sbone.de [IPv6:fde9:577b:c1a9:31::2013:587]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx1.sbone.de (Postfix) with ESMTPS id 7AADC25D389C; Tue, 21 Mar 2017 11:56:29 +0000 (UTC) Received: from content-filter.sbone.de (content-filter.sbone.de [IPv6:fde9:577b:c1a9:31::2013:2742]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPS id BF69FD1F80A; Tue, 21 Mar 2017 11:56:28 +0000 (UTC) X-Virus-Scanned: amavisd-new at sbone.de Received: from mail.sbone.de ([IPv6:fde9:577b:c1a9:31::2013:587]) by content-filter.sbone.de (content-filter.sbone.de [fde9:577b:c1a9:31::2013:2742]) (amavisd-new, port 10024) with ESMTP id H3uzYm2KuoFS; Tue, 21 Mar 2017 11:56:27 +0000 (UTC) Received: from [192.168.124.1] (unknown [IPv6:fde9:577b:c1a9:31:2ef0:eeff:fe03:ee34]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPSA id E35E2D1F7EF; Tue, 21 Mar 2017 11:56:26 +0000 (UTC) 
From: "Bjoern A. Zeeb" To: "Kurt Jaeger" Cc: "Miroslav Lachman" <000.fbsd@quip.cz>, freebsd-pf@freebsd.org Subject: Re: Support for the enc(4) pseudo-interface Date: Tue, 21 Mar 2017 11:56:25 +0000 Message-ID: <12FB978F-D222-4221-9DE9-40AFB435187C@lists.zabbadoz.net> In-Reply-To: <20170321114636.GH64587@home.opsec.eu> References: <1490085811-bc1aa9c7b83aeddb9dee198bc4071b35@olivarim.com> <44FBCEF5-6151-46FF-A166-81E7306914CC@sigsegv.be> <58D11201.1000403@quip.cz> <20170321114636.GH64587@home.opsec.eu> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit X-Mailer: MailMate (2.0BETAr6080) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Mar 2017 11:56:32 -0000

On 21 Mar 2017, at 11:46, Kurt Jaeger wrote:
> Hi!
>
>>> If you want to filter on it it should work if you add ‘device
>>> enc’ to your
>>> kernel config. The man page suggests that should then allow you to
>>> filter IPSec
>>> traffic on enc0.
>>
>> Shouldn't it be included in GENERIC if IPSec is now part of it?
>
> Yes, please include enc in the GENERIC kernel.

I thought the entire idea of making ipsec loadable was that we don’t
have to ship it in the kernel and have it available?
/bz From owner-freebsd-pf@freebsd.org Tue Mar 21 11:59:09 2017 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CAD18D15448 for ; Tue, 21 Mar 2017 11:59:09 +0000 (UTC) (envelope-from lists@opsec.eu) Received: from home.opsec.eu (home.opsec.eu [IPv6:2001:14f8:200::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8FD8D15E7 for ; Tue, 21 Mar 2017 11:59:09 +0000 (UTC) (envelope-from lists@opsec.eu) Received: from pi by home.opsec.eu with local (Exim 4.87 (FreeBSD)) (envelope-from ) id 1cqIRS-000HCZ-4g; Tue, 21 Mar 2017 12:59:10 +0100 Date: Tue, 21 Mar 2017 12:59:10 +0100 
From: Kurt Jaeger To: "Bjoern A. Zeeb" Cc: freebsd-pf@freebsd.org Subject: Re: Support for the enc(4) pseudo-interface Message-ID: <20170321115910.GI64587@home.opsec.eu> References: <1490085811-bc1aa9c7b83aeddb9dee198bc4071b35@olivarim.com> <44FBCEF5-6151-46FF-A166-81E7306914CC@sigsegv.be> <58D11201.1000403@quip.cz> <20170321114636.GH64587@home.opsec.eu> <12FB978F-D222-4221-9DE9-40AFB435187C@lists.zabbadoz.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <12FB978F-D222-4221-9DE9-40AFB435187C@lists.zabbadoz.net> X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Mar 2017 11:59:09 -0000

Hi!

> >> Shouldn't it be included in GENERIC if IPSec is now part of it?
> > Yes, please include enc in the GENERIC kernel.
> I thought the entire idea of making ipsec loadable was that we don’t
> have to ship it in the kernel and have it available?

You are right. kldload if_enc seems to work on 12a and 11a.

So ignore my plea for enc in GENERIC 8-}

--
pi@opsec.eu +49 171 3101372 3 years to go !
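As an added example (not from the thread, and not Marin's, Kristof's or Kurt's configuration), here is what the advice above looks like in a pf.conf once if_enc is loaded: IKE and ESP are passed on the physical interface, and the cleartext that IPsec produces on receive and consumes on send is filtered on enc0. The interface name, peer address and subnets are placeholders; the commands in the leading comments are the enc(4) prerequisites, and the net.enc sysctl names are the ones documented in enc(4).

```pf
# Added example, not from the thread. Prerequisites (as root):
#   kldload if_enc           # one-off; if_enc_load="YES" in /boot/loader.conf persists it
#   ifconfig enc0 up
#   sysctl net.enc           # in.ipsec_filter_mask=2 and out.ipsec_filter_mask=1 (the
#                            # enc(4) defaults) give pf each inner packet exactly once:
#                            # after decryption on the way in, before encryption on the way out
# Placeholders: 203.0.113.2 is the remote gateway, 10.1.0.0/24 is our side of the
# tunnel, 10.2.0.0/24 is theirs.
ext_if     = "vtnet0"
peer       = "203.0.113.2"
local_net  = "10.1.0.0/24"
remote_net = "10.2.0.0/24"

set skip on lo0
block log all

# Outer packets on the physical interface: IKE (500), NAT-T (4500) and ESP,
# and only to and from the configured peer.
pass in  quick on $ext_if inet proto udp from $peer to ($ext_if) port { 500, 4500 } keep state
pass out quick on $ext_if inet proto udp from ($ext_if) to $peer port { 500, 4500 } keep state
pass in  quick on $ext_if inet proto esp from $peer to ($ext_if)
pass out quick on $ext_if inet proto esp from ($ext_if) to $peer

# Inner packets on enc0. pfctl loads rules for an interface that does not
# exist, so without if_enc these simply never match; that is how a lone
# "pass on enc0" rule can appear to work while the tunnel traffic is not
# actually being filtered (Kristof's suspicion above).
pass in  quick on enc0 inet proto icmp from $remote_net to $local_net icmp-type echoreq keep state
pass in  quick on enc0 inet proto tcp  from $remote_net to $local_net port { 22, 443 } flags S/SA keep state
pass out quick on enc0 inet from $local_net to $remote_net keep state
# Anything else arriving through the tunnel falls through to "block log all".
```

To confirm the rules are seeing the decrypted traffic, run `tcpdump -ni enc0` while pinging across the tunnel and compare the per-rule counters from `pfctl -vvsr`; if the enc0 counters stay at zero while the ping succeeds, the inner packets are not passing through pf on enc0 and the kernel module is the first thing to check (`kldstat | grep if_enc`).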
From owner-freebsd-pf@freebsd.org Tue Mar 21 12:12:17 2017 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 71FD7D145A8 for ; Tue, 21 Mar 2017 12:12:17 +0000 (UTC) (envelope-from 000.fbsd@quip.cz) Received: from elsa.codelab.cz (elsa.codelab.cz [94.124.105.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 35577786 for ; Tue, 21 Mar 2017 12:12:16 +0000 (UTC) (envelope-from 000.fbsd@quip.cz) Received: from elsa.codelab.cz (localhost [127.0.0.1]) by elsa.codelab.cz (Postfix) with ESMTP id 95AB128482; Tue, 21 Mar 2017 13:12:14 +0100 (CET) Received: from illbsd.quip.test (ip-86-49-16-209.net.upcbroadband.cz [86.49.16.209]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by elsa.codelab.cz (Postfix) with ESMTPSA id E466E28432; Tue, 21 Mar 2017 13:12:13 +0100 (CET) Subject: Re: Support for the enc(4) pseudo-interface To: "Bjoern A. Zeeb" , Kurt Jaeger Cc: freebsd-pf@freebsd.org References: <1490085811-bc1aa9c7b83aeddb9dee198bc4071b35@olivarim.com> <44FBCEF5-6151-46FF-A166-81E7306914CC@sigsegv.be> <58D11201.1000403@quip.cz> <20170321114636.GH64587@home.opsec.eu> <12FB978F-D222-4221-9DE9-40AFB435187C@lists.zabbadoz.net> 
From: Miroslav Lachman <000.fbsd@quip.cz> Message-ID: <58D1189D.2050201@quip.cz> Date: Tue, 21 Mar 2017 13:12:13 +0100 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:42.0) Gecko/20100101 Firefox/42.0 SeaMonkey/2.39 MIME-Version: 1.0 In-Reply-To: <12FB978F-D222-4221-9DE9-40AFB435187C@lists.zabbadoz.net> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Mar 2017 12:12:17 -0000

Bjoern A. Zeeb wrote on 2017/03/21 12:56:
> On 21 Mar 2017, at 11:46, Kurt Jaeger wrote:
>
>> Hi!
>>
>>>> If you want to filter on it it should work if you add ‘device
>>>> enc’ to your
>>>> kernel config. The man page suggests that should then allow you to
>>>> filter IPSec
>>>> traffic on enc0.
>>>
>>> Shouldn't it be included in GENERIC if IPSec is now part of it?
>>
>> Yes, please include enc in the GENERIC kernel.
>
> I thought the entire idea of making ipsec loadable was that we don’t
> have to ship it in the kernel and have it available?

Then sorry for the noise.
Miroslav Lachman From owner-freebsd-pf@freebsd.org Tue Mar 21 12:22:25 2017 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B0F17D14A5C for ; Tue, 21 Mar 2017 12:22:25 +0000 (UTC) (envelope-from kristof@sigsegv.be) Received: from venus.codepro.be (venus.codepro.be [IPv6:2a01:4f8:162:1127::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "*.codepro.be", Issuer "Gandi Standard SSL CA 2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 7B3EFD12 for ; Tue, 21 Mar 2017 12:22:25 +0000 (UTC) (envelope-from kristof@sigsegv.be) Received: from [172.19.248.15] (unknown [104.153.224.169]) (Authenticated sender: kp) by venus.codepro.be (Postfix) with ESMTPSA id B35D71EF17; Tue, 21 Mar 2017 13:22:15 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sigsegv.be; s=mail; t=1490098943; bh=TpuLKZ2LJUubAoCEM/ixJeokD89CR9/abzkVWPhtCf4=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=nm7S5HvE7220c0IOE3h2wIV50mGzDXXKF4VSQ6D6TX1Pfsh78IxQYLDMoxotu92Ph PGms3ZaPFWBGrGpoHAEf8lN5mwqjM4obOSZdnhmy59SlcO5Nq99wQwMwSfiCnKE5xX FQW61AKAorYkaXU9DHILw6gURch5Dd2MMDqUwPPw= 
From: "Kristof Provost" To: "Miroslav Lachman" <000.fbsd@quip.cz> Cc: "Marin Bernard" , freebsd-pf@freebsd.org Subject: Re: Support for the enc(4) pseudo-interface Date: Tue, 21 Mar 2017 13:22:01 +0100 Message-ID: In-Reply-To: <58D11201.1000403@quip.cz> References: <1490085811-bc1aa9c7b83aeddb9dee198bc4071b35@olivarim.com> <44FBCEF5-6151-46FF-A166-81E7306914CC@sigsegv.be> <58D11201.1000403@quip.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed; markup=markdown Content-Transfer-Encoding: 8bit X-Mailer: MailMate (2.0BETAr6080) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Mar 2017 12:22:25 -0000

On 21 Mar 2017, at 12:44, Miroslav Lachman wrote:
> Kristof Provost wrote on 2017/03/21 10:18:
>> On 21 Mar 2017, at 9:43, Marin Bernard wrote:
>
>>> If there is no SA, it is impossible for a peer to ping another. As
>>> soon as IKE creates a SA, however, ping starts working. As you can see,
>>> the last rule is explicitly bound to the nonexistent enc0 interface,
>>> and yet is working fine.
>>>
>> Can you try without the enc0 rule? I suspect that what’s happening
>> here is that the IPSec traffic is bypassing the firewall altogether.
>> If that's the case then your traffic will still flow, even without the
>> pass on enc0 rule.
>>
>> If you want to filter on it it should work if you add ‘device
>> enc’ to your kernel config. The man page suggests that should then
>> allow you to filter IPSec traffic on enc0.
>
> Shouldn't it be included in GENERIC if IPSec is now part of it? It
> seems illogical to build your own kernel for IPsec if IPSec was included
> in GENERIC for 11.0 ... but without enc.
>
Yeah, perhaps it should be.
I’ve not used it myself, so I don’t know if/how well it works now, but unless it breaks things or introduces significant performance regressions we should probably turn it on too. Martin, could you give us an idea of how well this works for you when you’ve got the time to set it up? Regards, Kristof From owner-freebsd-pf@freebsd.org Tue Mar 21 12:52:45 2017 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 424A8D16987 for ; Tue, 21 Mar 2017 12:52:45 +0000 (UTC) (envelope-from dave.mehler@gmail.com) Received: from mail-wr0-x234.google.com (mail-wr0-x234.google.com [IPv6:2a00:1450:400c:c0c::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id C38D084E for ; Tue, 21 Mar 2017 12:52:44 +0000 (UTC) (envelope-from dave.mehler@gmail.com) Received: by mail-wr0-x234.google.com with SMTP id u108so111327539wrb.3 for ; Tue, 21 Mar 2017 05:52:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to :content-transfer-encoding; bh=cHx1w9Lboo7Yl9iDVkgDCiD6gTnyTCdMzaOhv3BUzzY=; b=bfPF3ZfFBP7pabjLkAMkPSoU6Rh+WLzfj5G9PrjfJWNiRk5fxJeCSxwuQ0Y8x0/1aP vEFrKAWpQGBDohIn1SQCC+l+BsELl6rvz2u8tlzNTs1p2FvxWMFo3Gq4D86hFTznp5Zu iUXXn3DkvLkI4djTsllTR8nxeanXbHryq9J/MswEqmS/VNXMRplCb8U1CDCkxvGHKvT4 uN7LjL/D+OcXIeLjE8nes2eeTJ+TxSAqZeS5dSZ0qtWxlfCwCtQj92S/o77WLW0apnqG kiVtkyi1sY0s8MVIL7ZrHeAF7dE8K5Io60hPf5XD0j2MqaHDfB19rFfNIfQ3oPraralR pWlQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-transfer-encoding; bh=cHx1w9Lboo7Yl9iDVkgDCiD6gTnyTCdMzaOhv3BUzzY=; 
b=bQfbUjo3hUAK9GaT0MoiTh3BosnqvKQrl6vDtrWtu4dd+E76qUvE3taX8iyEC05y2Q IRH2XuBI8ScxmnsarXED2sQwAbb0ySHEDeOpyNofWJ35W80IpPHY0NwuI6pytL2hJufG zSnChymLKh8ielmArARFILXSTFqEylZDwKov9F3fwN1dSMU8M5+EdE80nTzW33WgPwr1 yk65OGR7cnILb0honQXDahyNDVzCe07wiCjU785/xoYmFdfDITfiNQK/1f7KxeNAz33w BR3u2EygqD9YsQF600i28ULjQYqkbtNbmLmvUuut0JaQmxAbQaM7VMDxLCokQyFNVNVx 8THw== X-Gm-Message-State: AFeK/H1NgW5pL5BA15L99i7ECuyZSfdtjO9i5poelDSxdpwK9Xhmlx6sA4ObTjxgYvmB/Bng5ZyMi8DHM9s7NA== X-Received: by 10.223.129.4 with SMTP id 4mr29277008wrm.4.1490100762754; Tue, 21 Mar 2017 05:52:42 -0700 (PDT) MIME-Version: 1.0 Received: by 10.223.148.35 with HTTP; Tue, 21 Mar 2017 05:52:42 -0700 (PDT) 
From: David Mehler Date: Tue, 21 Mar 2017 08:52:42 -0400 Message-ID: Subject: FreeBSD 10.3, pf, and rtp, definite firewall issue To: freebsd-pf Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Mar 2017 12:52:45 -0000

Hello,

I've included my firewall rules below. Can someone take a look at them and
give me an assessment? They are working for the most part except with
Asterisk in a jail and RTP. I've got a single server, a VPS, and one public
IP. On the server (FreeBSD 10.3; trying to decide whether to go 11,
opinions?), it has two jails running services, one of which is Asterisk. I
get to the point where I can connect a soft phone app, Zoiper; it works, but
I hear no audio from the Asterisk. I finally got the debugging going and
determined that Asterisk is working fine. So what I did was take the line in
the attached ruleset "block all" and change it to "pass all" and removed all
other rules. That worked, telling me I've got a firewall issue. I've been
working on that for the last day and getting nowhere; RTP is definitely not
working in my configuration, kind of like FTP, thank god I don't have to do
that. Anyway I was wondering if you could take a look? The pf.conf1 file is
the modified file that does work, while the pf.conf file is my ruleset that
I'd like to use.

Thanks.
Dave.

non-working pf.conf:

#
# ################ FreeBSD pf.conf ##########################
# Required order: options, normalization, queueing, translation, filtering.
# Note: translation rules are first match while filter rules are last match.
# 12/27/15: added in ipv6 firewall rules

################ Macros ###################################
### Interfaces ###
ext_if="vtnet0"
int_if = "lo1"
jailnet = $int_if:network
icmp_types="{echoreq, unreach}"
icmp6_types="{ 2, 128 }" # packet too big, echo request (ping6)
# Neighbor Discovery Protocol (NDP) (types 133-137):
# Router Solicitation (RS), Router Advertisement (RA)
# Neighbor Solicitation (NS), Neighbor Advertisement (NA)
# Route Redirection
icmp6_types_ext_if="{ 128, 133, 134, 135, 136, 137 }"
synstate ="flags S/SA synproxy state"
tcpstate ="flags S/SA modulate state"
udpstate ="keep state"
# Name and IP of jails
webmail="10.0.0.15"
webmail2="10.0.0.16"
# Name and IP of jailed ssh server
jssh1="10.0.0.15"
jssh2="10.0.0.16"
jssh3="10.0.0.17"
# The Asterisk Server
asterisk="10.0.0.17"
voipports = "{ 5060, 5061, 10000:20000 }"
# allowed traffic
tcp_services="{7, bootpc, bootps, ftp-data, ftp, ssh, smtp, domain, http, imap, https, imaps, 2703, 587, 43}"
tcp6_services="{ssh, smtp, domain, http, imap, https, imaps, 43}"
udp_services="{bootpc, bootps, domain, ntp, 3690, 6277, 24441}"
udp6_services="{domain, ntp, 546}"

# Options
# block-policy can be either drop or return
set block-policy return
set skip on lo0
set skip on lo1
#scrub on $ext_if all reassemble tcp no-df random-id max-mss 1440

# Normalization
# normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind
# firewall. Set random-id to help same.
# Set mss to ATM network frame size for easy splitting upstream.
#scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble

# NAT
#nat on $ext_if inet from $jailnet to any -> ($ext_if)
nat on $ext_if from $jailnet to any -> ($ext_if) static-port
# Nat internal hosts
#nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
#nat on $int_if from lo1:network to any -> ($int_if)

# Redirect any packets requesting ports 2220, 2221, or 2222 to jailed ssh server
rdr pass on $ext_if inet proto tcp from any to $ext_if port 2220 -> $jssh1 port 2220
rdr pass on $ext_if inet proto tcp from any to $ext_if port 2221 -> $jssh2 port 2221
rdr pass on $ext_if inet proto tcp from any to $ext_if port 2222 -> $jssh3 port 2222

# Redirect traffic to the asterisk server
# SIP on UDP port 5060, 5061 for secure signaling.
# Used for signals such as "hang up"
rdr pass on $ext_if inet proto udp from any to $ext_if port 5060 -> $asterisk port 5060
rdr pass on $ext_if inet proto udp from any to $ext_if port 5061 -> $asterisk port 5061
# RTP ports 10000 to 20000
rdr pass on $ext_if inet proto udp from any to $ext_if port 10000:20000 -> $asterisk port 10000:20000
# IAX2- the IAX protocol
# UDP 4569
#rdr pass on $ext_if inet proto udp from any to $ext_if port 4569 -> $asterisk port 4569
# IAX - old IAX protocol
# port UDP 5036
#rdr pass on $ext_if inet proto udp from any to $ext_if port 5036 -> $asterisk port 5036

# Tables
# (the <name> of each table was lost in the archived copy; restored from the
# comments on the block rules below)
#table <badips> persist file "/etc/pf/badips"
table <bruteforce> persist file "/etc/pf/bruteforce"
table <droplasso> persist file "/etc/pf.drop.lasso.conf"
table <fail2ban> persist file "/etc/pf/fail2ban"

# Pass anything on the lo* interfaces
#antispoof quick for lo0 inet
pass quick on lo0 all
#pass quick on lo1 all

# Block by default
block all

# Try to block nmap scans
block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP

# Explicitly block unroutable addresses
#antispoof quick for ($ext_if)
#block in quick on $ext_if from <badips> to any
#block out quick on $ext_if from any to <badips>

# Explicitly block anything in the bruteforce table
block in quick from <bruteforce>
# Explicitly block anything in the fail2ban table
block in quick from <fail2ban>
# Explicitly block anything in the droplasso table
block in quick from <droplasso>

# Pass out only the desired ports from host and jails
# (overload table name assumed to be <bruteforce>; it was lost in the archived copy)
pass quick proto tcp from {self} to port $tcp_services keep state (max-src-conn 20, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass quick proto tcp from $jailnet to port $tcp_services keep state (max-src-conn 20, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass quick proto {tcp, udp} from {self} to port $udp_services keep state
pass quick proto {tcp, udp} from $jailnet to port $udp_services keep state

# allow ping and host unreach
pass inet proto icmp icmp-type $icmp_types keep state

# Traceroute
# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass inet proto udp to port 33433:33626

# For IPv4
# tag packets in on $int_if and pass them out on $ext_if
#pass in quick on $int_if from any to any tag INTNET
#pass in on $ext_if proto tcp from any to $webmail port http flags S/SA synproxy state
# allow https traffic out from the jails
pass out proto tcp from $jailnet port https to any keep state
# Allow ssh connections in from the internet
pass in inet proto tcp from any to $ext_if port ssh keep state
# Pass in http traffic from the internet
pass in inet proto tcp to $ext_if port 80 keep state
# Pass in https traffic from the internet
pass in inet proto tcp to $ext_if port 443 keep state
# Pass in smtp traffic from the internet
pass in inet proto tcp to $ext_if port 25 keep state
# Pass in submission traffic from the internet
pass in inet proto tcp to $ext_if port 587 keep state
# Pass in imaps traffic from the internet
pass in inet proto tcp to $ext_if port 993 keep state
# Pass out port 80 to the jailed web servers
pass out inet proto tcp from $int_if to $webmail port 80 keep state
pass out inet proto tcp from $int_if to $webmail2 port 80 keep state
# pass traffic from the asterisk server
pass quick inet proto udp from $asterisk to any port $voipports keep state

# IPv6
# allowing in ping
pass quick on $ext_if inet6 proto ipv6-icmp icmp6-type $icmp6_types keep state
pass quick on $ext_if inet6 proto ipv6-icmp from any to { ($ext_if ), ff02::/16 } icmp6-type $icmp6_types_ext_if keep state
# Allow outgoing services
pass out on $ext_if inet6 proto tcp to any port $tcp_services
pass out on $ext_if inet6 proto udp to any port $udp_services
# Trace route out
pass out on $ext_if inet6 proto udp from any to any port 33433 >< 33626 keep state
# allow incoming traffic
#pass in on $ext_if inet6 proto tcp from any to $http_servers6 port http keep state
#pass in on $ext_if inet6 proto tcp from any to $mail_servers6 port $mail_ports keep state
#pass in quick on $ext_comcast_if inet6 proto tcp from any to any port
#$tcp46_services flags S/SA keep state
#pass in quick on $ext_comcast_if inet6 proto tcp from any to
#( $ext_comcast_if ) port $tcp46_services_ext_if flags S/SA
#keep state
#pass in quick on $ext_comcast_if inet6 proto udp from any to
#( $ext_comcast_if ) port $udp6_services_ext_if keep state
#pass quick on $jailnet all keep state

working but totally open pf.conf1:

ext_if="vtnet0"
int_if = "lo1"
jailnet = $int_if:network
asterisk="10.0.0.17"
set block-policy return
set skip on lo0
nat on $ext_if inet from $jailnet to any -> ($ext_if)
rdr pass on $ext_if inet proto udp from any to $ext_if port 5060 -> $asterisk port 5060
rdr pass on $ext_if inet proto udp from any to $ext_if port 5061 -> $asterisk port 5061
rdr pass on $ext_if inet proto udp from any to $ext_if port 10000:20000 -> $asterisk port 10000:20000
pass all

From owner-freebsd-pf@freebsd.org Tue Mar 21 13:23:16 2017 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id AAC5BD16317 for ; Tue, 21 Mar 2017 13:23:16 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net)
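An added example, not part of David Mehler's post and not a ruleset from the thread: the Asterisk/RTP subset of his "non-working pf.conf", rewritten around two pf facts his rules do not account for. First, nat is applied before the outbound filter rules on the NAT interface, so an out rule that says `from $asterisk` is matched against a packet whose source has already been rewritten to the public address and never fires; with `set skip on lo1` the jail's traffic is filtered nowhere else. Second, Asterisk sends RTP from its own 10000:20000 range to whatever port the softphone announced in SDP, so `to any port $voipports` constrains the wrong end of the flow. The interface, jail address and port range are taken from his macros; the Asterisk rtp.conf range (rtpstart/rtpend matching the rdr range) is an assumption.

```pf
# Added example, not David's ruleset. From his macros: vtnet0, lo1, 10.0.0.17,
# 10000:20000. Assumed: Asterisk's rtp.conf has rtpstart=10000 / rtpend=20000
# so the announced media ports really fall inside the rdr range.
ext_if    = "vtnet0"
int_if    = "lo1"
asterisk  = "10.0.0.17"
sip_ports = "{ 5060, 5061 }"
rtp_ports = "10000:20000"

set block-policy return
set skip on lo0
set skip on lo1          # jail traffic is therefore only ever filtered on $ext_if

# static-port keeps the jail's UDP source port across NAT; without it the RTP
# port Asterisk announces in SDP is not the port the far end sees packets from.
nat on $ext_if inet proto udp from $asterisk to any -> ($ext_if) static-port
nat on $ext_if inet from $int_if:network to any -> ($ext_if)

# Inbound SIP and RTP. "rdr pass" creates state, so Asterisk's replies inside
# an existing flow need no further rule.
rdr pass on $ext_if inet proto udp from any to ($ext_if) port $sip_ports -> $asterisk
rdr pass on $ext_if inet proto udp from any to ($ext_if) port $rtp_ports -> $asterisk

block log all

# Outbound from Asterisk, i.e. media it originates before the peer has sent
# anything. By the time the out rules on $ext_if run, the source address is
# already ($ext_if); static-port has kept the port, so match on the source
# port range and leave the destination port (chosen by the peer) unconstrained.
pass out quick on $ext_if inet proto udp from ($ext_if) port $sip_ports to any keep state
pass out quick on $ext_if inet proto udp from ($ext_if) port $rtp_ports to any keep state
```

If the rules are preferred in terms of 10.0.0.17 rather than the translated address, drop `set skip on lo1` and filter `pass in on $int_if proto udp from $asterisk ...` instead: on the way in on lo1 the packet has not been translated yet, which is also what the commented-out `tag INTNET` lines in the original were reaching for. To see which direction is actually being dropped, keep `block log all`, enable pflog (`pflog_enable="YES"` in rc.conf) and watch `tcpdump -n -e -ttt -i pflog0` during a call; `pfctl -vvsr` shows per-rule hit counters and `pfctl -ss | grep 10.0.0.17` shows which RTP flows ever got a state entry.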
Received: from mx1.sbone.de (mx1.sbone.de [IPv6:2a01:4f8:130:3ffc::401:25]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mx1.sbone.de", Issuer "SBone.DE" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 6DFF51CCD; Tue, 21 Mar 2017 13:23:16 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from mail.sbone.de (mail.sbone.de [IPv6:fde9:577b:c1a9:31::2013:587]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx1.sbone.de (Postfix) with ESMTPS id CE84525D38A4; Tue, 21 Mar 2017 13:23:05 +0000 (UTC) Received: from content-filter.sbone.de (content-filter.sbone.de [IPv6:fde9:577b:c1a9:31::2013:2742]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPS id 1D751D1F80A; Tue, 21 Mar 2017 13:23:05 +0000 (UTC) X-Virus-Scanned: amavisd-new at sbone.de Received: from mail.sbone.de ([IPv6:fde9:577b:c1a9:31::2013:587]) by content-filter.sbone.de (content-filter.sbone.de [fde9:577b:c1a9:31::2013:2742]) (amavisd-new, port 10024) with ESMTP id 4GA0WQ3xieNo; Tue, 21 Mar 2017 13:23:03 +0000 (UTC) Received: from [192.168.124.1] (unknown [IPv6:fde9:577b:c1a9:31:2ef0:eeff:fe03:ee34]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPSA id CEEFFD1F7EF; Tue, 21 Mar 2017 13:23:03 +0000 (UTC) 
From: "Bjoern A. Zeeb" To: "Miroslav Lachman" <000.fbsd@quip.cz>, "Andrey V. Elsukov" Cc: "Kurt Jaeger" , freebsd-pf@freebsd.org Subject: Re: Support for the enc(4) pseudo-interface Date: Tue, 21 Mar 2017 13:23:03 +0000 Message-ID: In-Reply-To: <58D1189D.2050201@quip.cz> References: <1490085811-bc1aa9c7b83aeddb9dee198bc4071b35@olivarim.com> <44FBCEF5-6151-46FF-A166-81E7306914CC@sigsegv.be> <58D11201.1000403@quip.cz> <20170321114636.GH64587@home.opsec.eu> <12FB978F-D222-4221-9DE9-40AFB435187C@lists.zabbadoz.net> <58D1189D.2050201@quip.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Mailer: MailMate (2.0BETAr6080) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Mar 2017 13:23:16 -0000

On 21 Mar 2017, at 12:12, Miroslav Lachman wrote:
> Bjoern A. Zeeb wrote on 2017/03/21 12:56:
>> On 21 Mar 2017, at 11:46, Kurt Jaeger wrote:
>>
>>> Hi!
>>>
>>>>> If you want to filter on it it should work if you add ‘device
>>>>> enc’ to your
>>>>> kernel config. The man page suggests that should then allow you to
>>>>> filter IPSec
>>>>> traffic on enc0.
>>>>
>>>> Shouldn't it be included in GENERIC if IPSec is now part of it?
>>>
>>> Yes, please include enc in the GENERIC kernel.
>>
>> I thought the entire idea of making ipsec loadable was that we don’t
>> have to ship it in the kernel and have it available?
>
> Then sorry for the noise.
well, it was a question; Cc:ing ae@ /bz From owner-freebsd-pf@freebsd.org Tue Mar 21 13:27:36 2017 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A607CD16425 for ; Tue, 21 Mar 2017 13:27:36 +0000 (UTC) (envelope-from bu7cher@yandex.ru) Received: from forward4o.cmail.yandex.net (forward4o.cmail.yandex.net [IPv6:2a02:6b8:0:1a72::289]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "forwards.mail.yandex.net", Issuer "Yandex CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 263291E62 for ; Tue, 21 Mar 2017 13:27:35 +0000 (UTC) (envelope-from bu7cher@yandex.ru) Received: from smtp3p.mail.yandex.net (smtp3p.mail.yandex.net [77.88.29.86]) by forward4o.cmail.yandex.net (Yandex) with ESMTP id 4A14E20C6E; Tue, 21 Mar 2017 16:27:24 +0300 (MSK) Received: from smtp3p.mail.yandex.net (localhost.localdomain [127.0.0.1]) by smtp3p.mail.yandex.net (Yandex) with ESMTP id 7C59213200C9; Tue, 21 Mar 2017 16:27:20 +0300 (MSK) Received: by smtp3p.mail.yandex.net (nwsmtp/Yandex) with ESMTPSA id HReodQiapj-RKDqu0v3; Tue, 21 Mar 2017 16:27:20 +0300 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client certificate not present) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1490102840; bh=cnQFo8Btom8t5kahvHoaIiPsBV3JYplM533lnCeC/VE=; h=Subject:To:References:Cc:From:Message-ID:Date:In-Reply-To; b=YGTtmQks9KjqrGdcUOhBlAd5oLN2355Jn6GPl+6beOGYk+qgkboASluxx6BpKkdKp WfyL5K9IX0Ue49KpsXU/OIxrXBz3cXhDpLogbZbgTXQBgKMSllg7sPxw4WbJOlzh/g 9gXqbP+rTAvBS+UtGg1tJFBZFyOisZtlfSLiLih8= Authentication-Results: smtp3p.mail.yandex.net; dkim=pass header.i=@yandex.ru X-Yandex-Suid-Status: 1 0,1 0,1 0,1 0 Subject: Re: Support for the enc(4) pseudo-interface To: "Bjoern A. 
Zeeb" , Miroslav Lachman <000.fbsd@quip.cz> References: <1490085811-bc1aa9c7b83aeddb9dee198bc4071b35@olivarim.com> <44FBCEF5-6151-46FF-A166-81E7306914CC@sigsegv.be> <58D11201.1000403@quip.cz> <20170321114636.GH64587@home.opsec.eu> <12FB978F-D222-4221-9DE9-40AFB435187C@lists.zabbadoz.net> <58D1189D.2050201@quip.cz> Cc: Kurt Jaeger , freebsd-pf@freebsd.org From: "Andrey V. Elsukov" Openpgp: id=E6591E1B41DA1516F0C9BC0001C5EA0410C8A17A Message-ID: <62608597-8c07-ba01-2b9d-fbfe5d47d1a3@yandex.ru> Date: Tue, 21 Mar 2017 16:27:05 +0300 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="3iVtaLkeJCJTOdpsEPbk2xcTODNRstOEl" X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Mar 2017 13:27:36 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --3iVtaLkeJCJTOdpsEPbk2xcTODNRstOEl Content-Type: multipart/mixed; boundary="TCJOihJhFxRAcHAKSd0n298Mtg64Uwabx"; protected-headers="v1" 
From: "Andrey V. Elsukov" To: "Bjoern A. Zeeb" , Miroslav Lachman <000.fbsd@quip.cz> Cc: Kurt Jaeger , freebsd-pf@freebsd.org Message-ID: <62608597-8c07-ba01-2b9d-fbfe5d47d1a3@yandex.ru> Subject: Re: Support for the enc(4) pseudo-interface References: <1490085811-bc1aa9c7b83aeddb9dee198bc4071b35@olivarim.com> <44FBCEF5-6151-46FF-A166-81E7306914CC@sigsegv.be> <58D11201.1000403@quip.cz> <20170321114636.GH64587@home.opsec.eu> <12FB978F-D222-4221-9DE9-40AFB435187C@lists.zabbadoz.net> <58D1189D.2050201@quip.cz> In-Reply-To: --TCJOihJhFxRAcHAKSd0n298Mtg64Uwabx Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable

On 21.03.2017 16:23, Bjoern A. Zeeb wrote:
> On 21 Mar 2017, at 12:12, Miroslav Lachman wrote:
>
>> Bjoern A. Zeeb wrote on 2017/03/21 12:56:
>>> On 21 Mar 2017, at 11:46, Kurt Jaeger wrote:
>>>
>>>> Hi!
>>>>
>>>>>> If you want to filter on it it should work if you add ‘device
>>>>>> enc’ to your
>>>>>> kernel config. The man page suggests that should then allow you to
>>>>>> filter IPSec
>>>>>> traffic on enc0.
>>>>>
>>>>> Shouldn't it be included in GENERIC if IPSec is now part of it?
>>>>
>>>> Yes, please include enc in the GENERIC kernel.
>>>
>>> I thought the entire idea of making ipsec loadable was that we don’t
>>> have to ship it in the kernel and have it available?
>>
>> Then sorry for the noise.
>
> well, it was a question; Cc:ing ae@

if_enc(4) was made loadable more than 15 months ago. I don't see the need
to add it into GENERIC.

--
WBR, Andrey V.
Elsukov --TCJOihJhFxRAcHAKSd0n298Mtg64Uwabx-- --3iVtaLkeJCJTOdpsEPbk2xcTODNRstOEl Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEzBAEBCAAdFiEE5lkeG0HaFRbwybwAAcXqBBDIoXoFAljRKi4ACgkQAcXqBBDI oXrXcQf+I4Wdnns1oLmOZrHixX9AXkEHp+TKHRzIYaXaWbQiMnn6kVMoqWIH06f8 TOU5/Cow79tn8YdtyUE3qUDhe5I0dMrMq+wNJTsfnrsDMxlii8dCdjqXPogDTZAF B12sC4LiWuthge7gOnk0YcoiRF1TdS/B/gh/dSj3O5IRUYj5P3Owmwb4FqnuCOOi FIk/9YxDtb5V4k2zA+2UivSj4k4LTflwj9pncf+ynS6VOS0OpDVkShQ1pZ25DQ/s lkebegCpRYJQG5mABnWYX5siP3upGJnOlsjzIS0gb+kWkYQBzptSfVOBIOqmOloL f6YhGdN6syDoqP7IZg7sT47HsLF1/A== =UAYv -----END PGP SIGNATURE----- --3iVtaLkeJCJTOdpsEPbk2xcTODNRstOEl-- From owner-freebsd-pf@freebsd.org Tue Mar 21 13:33:38 2017 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E4C7FD16666 for ; Tue, 21 Mar 2017 13:33:38 +0000 (UTC) (envelope-from lists@olivarim.com) Received: from smtp-sh.infomaniak.ch (smtp-sh.infomaniak.ch [128.65.195.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "*.infomaniak.ch", Issuer "StartCom Class 3 OV Server CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 7D6A0382 for ; Tue, 21 Mar 2017 13:33:37 +0000 (UTC) (envelope-from lists@olivarim.com) Received: from smtp6.infomaniak.ch (smtp6.infomaniak.ch [83.166.132.19]) by smtp-sh.infomaniak.ch (8.14.5/8.14.5) with ESMTP id v2LDXT7B031421 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Tue, 21 Mar 2017 14:33:29 +0100 Received: from webmail.infomaniak.ch ([10.4.23.106]) (authenticated bits=0) by smtp6.infomaniak.ch (8.14.5/8.14.5) with ESMTP id v2LDXTbe022423 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-GCM-SHA256 
From: "Marin Bernard"
Reply-To: lists@olivarim.com
To: "Kristof Provost", "Miroslav Lachman" <000.fbsd@quip.cz>
Cc: freebsd-pf@freebsd.org
Subject: Re: Support for the enc(4) pseudo-interface
Date: Tue, 21 Mar 2017 14:33:07 +0100
Message-ID: <1490103187-a3654e05a49f29f2d47fde8327d32619@olivarim.com>

Hi,

I just got it working. Here is what I have done:

- Loaded the kernel module:

    # kldload if_enc

- Set the interface up:

    # ifconfig enc0 up

- Tweaked sysctl to enable tunnel filtering. Default value is 0 and
  makes IPsec-related traffic bypass the firewall:

    # sysctl net.inet.ipsec.filtertunnel=1

- Tweaked sysctl to configure the enc(4) device. According to the man
  page, the mechanism used by enc(4) to inject packets into packet
  filters is configurable with two sysctl values, one for each
  direction. Default values are:

    # sysctl net.enc.out.ipsec_filter_mask
    1
    # sysctl net.enc.in.ipsec_filter_mask
    1

  The default value of the second sysctl leads enc(4) devices to pass
  encrypted traffic to packet filters. As suggested by the man page, I
  had to set this sysctl to the recommended value of 2 to make enc(4)
  inject decrypted packets instead:

    # sysctl net.enc.in.ipsec_filter_mask=2

  By the way, I still do not understand why the default value of this
  sysctl is different from the suggested one.

- I modified the pf ruleset to add a rule for outbound traffic on enc0:

    # cat /etc/pf.conf
    peers = "{1.2.3.4, 5.6.7.8}"

    set skip on lo
    block all

    # Allow IKE
    pass  in proto {tcp, udp} from $peers to self   port isakmp
    pass out proto {tcp, udp} from self   to $peers port isakmp

    # Allow ICMPv4 echo requests only through IPsec
    pass  in on enc0 proto icmp from $peers to self   icmp-type echoreq
    pass out on enc0 proto icmp from self   to $peers icmp-type echoreq

IPsec filtering seems to work fine with this config. I can confirm that
ICMP traffic is encrypted. Furthermore, removing the last rules actually
blocks echo requests, which is what is expected.

Thanks for your help and for letting me know that the enc was available
as a kernel module!

Marin.

On 21 March 2017 13:22, "Kristof Provost" wrote:
> On 21 Mar 2017, at 12:44, Miroslav Lachman wrote:
> > Kristof Provost wrote on 2017/03/21 10:18:
> >> On 21 Mar 2017, at 9:43, Marin Bernard wrote:
> >
> >>> If there is no SA, it is impossible for a peer to ping another. As
> >>> soon as IKE creates a SA, however, ping starts working. As you can
> >>> see, the last rule is explicitly bound to the inexistent enc0
> >>> interface, and yet is working fine.
> >>>
> >> Can you try without the enc0 rule? I suspect that what's happening
> >> here is that the IPSec traffic is bypassing the firewall altogether.
> >> If that's the case then your traffic will still flow, even without
> >> the pass on enc0 rule.
> >>
> >> If you want to filter on it it should work if you add ‘device enc’
> >> to your kernel config. The man page suggests that should then allow
> >> you to filter IPSec traffic on enc0.
> >
> > Shouldn't it be included in GENERIC if IPSec is now part of it? It
> > seems illogical to build own kernel for IPsec if IPSec was included
> > in GENERIC for 11.0 ... but without enc.
> >
> Yeah, perhaps it should be.
>
> I've not used it myself, so I don't know if/how well it works now, but
> unless it breaks things or introduces significant performance
> regressions we should probably turn it on too.
>
> Martin, could you give us an idea of how well this works for you when
> you've got the time to set it up?
>
> Regards,
> Kristof
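To check a host against the checklist in Marin's post above, here is an added shell example that is not part of the thread: it reads `name: value` lines in the form sysctl(8) prints them and reports whether decrypted inbound IPsec traffic will reach pf on enc0. The two sample inputs are constructed here to reproduce the defaults and the tuned values the post reports; the bitmask meanings (1 = handed to the filter before IPsec processing, 2 = after) are as the post describes them, and the function names `enc_audit`, `sysctl_value` and `describe_mask` are chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit the enc(4) filtering prerequisites
# that the post walks through, reading "name: value" lines as sysctl(8) prints
# them.  Offline it runs on the constructed samples below; on a FreeBSD host
# pipe in the real output instead:
#   sysctl net.inet.ipsec.filtertunnel net.enc.in.ipsec_filter_mask \
#          net.enc.out.ipsec_filter_mask | enc_audit

# Decode an ipsec_filter_mask bitmask as the post describes it: bit 1 means the
# packet is handed to pf before IPsec processing (still encrypted for inbound),
# bit 2 means after processing (decrypted).
describe_mask() {
    case "$1" in
        0) echo "none" ;;
        1) echo "before" ;;
        2) echo "after" ;;
        3) echo "before+after" ;;
        *) echo "invalid" ;;
    esac
}

# Print the value of one "name: value" line read from stdin; nothing if absent.
sysctl_value() {
    awk -v key="$1" -F': ' '$1 == key { print $2; exit }'
}

# enc_audit < sysctl-output
# Prints one finding per line.  Returns 0 when inbound enc0 rules will see
# decrypted IPsec packets, 1 when something from the post's checklist is off.
enc_audit() {
    input=$(cat)
    ft=$(printf '%s\n' "$input" | sysctl_value net.inet.ipsec.filtertunnel)
    inmask=$(printf '%s\n' "$input" | sysctl_value net.enc.in.ipsec_filter_mask)
    outmask=$(printf '%s\n' "$input" | sysctl_value net.enc.out.ipsec_filter_mask)
    rc=0
    if [ -z "$inmask" ]; then
        # The net.enc.* tree only exists once if_enc is loaded.
        echo "net.enc.in.ipsec_filter_mask missing: if_enc not loaded (kldload if_enc)"
        return 1
    fi
    if [ "${ft:-0}" != "1" ]; then
        echo "net.inet.ipsec.filtertunnel=${ft:-unset}: IPsec traffic bypasses pf"
        rc=1
    fi
    case "$inmask" in
        2|3) echo "inbound filter point: $(describe_mask "$inmask")" ;;
        *)  echo "net.enc.in.ipsec_filter_mask=$inmask ($(describe_mask "$inmask")): inbound rules see encrypted packets, set it to 2"
            rc=1 ;;
    esac
    echo "outbound filter point: $(describe_mask "${outmask:-0}")"
    return $rc
}

# Constructed sample: the defaults the post reports right after kldload if_enc.
ENC_DEFAULTS='net.inet.ipsec.filtertunnel: 0
net.enc.out.ipsec_filter_mask: 1
net.enc.in.ipsec_filter_mask: 1'

# Constructed sample: the same host after the two sysctl changes in the post.
ENC_TUNED='net.inet.ipsec.filtertunnel: 1
net.enc.out.ipsec_filter_mask: 1
net.enc.in.ipsec_filter_mask: 2'

for sample in "$ENC_DEFAULTS" "$ENC_TUNED"; do
    if printf '%s\n' "$sample" | enc_audit; then
        echo "=> ready: decrypted inbound IPsec traffic reaches pf on enc0"
    else
        echo "=> not ready"
    fi
    echo
done
```

The audit deliberately treats a missing `net.enc.*` entry as a failure rather than as "no enc0 rules needed": with the module unloaded, a `pass ... on enc0` rule matches nothing, which is exactly the situation Kristof suspected in the quoted exchange.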
From: "Andrey V. Elsukov"
To: "Bjoern A. Zeeb", Miroslav Lachman <000.fbsd@quip.cz>
Cc: Kurt Jaeger, freebsd-pf@freebsd.org
Subject: Re: Support for the enc(4) pseudo-interface
Date: Tue, 21 Mar 2017 17:33:37 +0300
Message-ID: <6b764484-a83c-7fab-4bdc-c1086765211b@yandex.ru>

On 21.03.2017 16:23, Bjoern A. Zeeb wrote:
> On 21 Mar 2017, at 12:12, Miroslav Lachman wrote:
>
>> Bjoern A. Zeeb wrote on 2017/03/21
>>> I thought the entire idea of making ipsec loadable was that we don’t
>>> have to ship it in the kernel and have it available?
>>
>> Then sorry for the noise.
>
> well, it was a question; Cc:ing ae@

It seems the presence in the kernel of another enc driver,

    cam/scsi/scsi_enc.c:PERIPHDRIVER_DECLARE(enc, encdriver);

prevents automatic if_enc module loading when `ifconfig enc0 create` is
invoked.

--
WBR, Andrey V. Elsukov
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 217997] [pf] orphaned entries in src-track
Date: Thu, 23 Mar 2017 21:50:57 +0000
X-Bugzilla-Who: linimon@FreeBSD.org
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.3-RELEASE
X-Bugzilla-Status: New

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217997

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|freebsd-bugs@FreeBSD.org    |freebsd-pf@FreeBSD.org

--
You are receiving this mail because:
You are the assignee for the bug.
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 217997] [pf] orphaned entries in src-track
Date: Fri, 24 Mar 2017 06:38:51 +0000
X-Bugzilla-Who: maximos@als.nnov.ru
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.3-RELEASE
X-Bugzilla-Status: New

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217997

Max changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |maximos@als.nnov.ru

--- Comment #1 from Max ---
(In reply to Robert Schulze from comment #0)

Hello, Robert.

> The problem is, that src-track table grows until no more entries can be
> inserted. Although there are no states from a sample ip-address in the
> state table, there are still references in the src-track table:
>
> # pfctl -vsS | grep -A1 $example-address
> $example-address -> $www-addr ( states 4, connections 0, rate 0.0/0s )
>   age 01:47:25, 4808 pkts, 1713437 bytes, rdr rule 0
>
> # pfctl -sS | grep $example-address
> (nothing shown)

"rdr rule 0". I think it is something related to "sticky-address". Do you
have any kernel messages?

man pf.conf states:

"Note that by default these associations are destroyed as soon as there
are no longer states which refer to them; in order to make the mappings
last beyond the lifetime of the states, increase the global options with
set timeout src.track."

And do you have "expires in" counter in "pfctl -vsS" output?
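The cross-check Robert did by hand in the quoted comment, comparing the source-tracking table with the state table, as an added shell example that is not part of the bug report: it flags every `pfctl -vsS` entry whose `states` counter is non-zero but whose address appears in no `pfctl -ss` line. The two inputs are constructed here; the `-vsS` layout is taken from the report and the `pfctl -ss` line layout is approximated from pfctl(8) output (interface, protocol, endpoints, optional rdr/nat address in parentheses, state names), and the function names are chosen for this example. Catching such orphans early matters because, as the report says, the table keeps growing until no more entries can be inserted.

```shell
#!/bin/sh
# Added example (not from the bug report): find pf source-tracking entries that
# still count states although the state table holds none for that source.
# Live use on a FreeBSD host:
#   pfctl -vsS > srctrack.txt; pfctl -ss > states.txt
#   orphaned_src_track srctrack.txt states.txt

# orphaned_src_track SRCTRACK_FILE STATES_FILE
# Prints "source states" for each src-track entry whose states counter is > 0
# but whose address appears in no state-table line.  Returns 0 if none were
# found, 1 otherwise.  IPv4 only: pfctl prints IPv6 endpoints as [addr]:port,
# which the endpoint pattern below does not try to match.
orphaned_src_track() {
    awk '
        # The state table is passed first.  Record every IPv4 endpoint on each
        # line (with or without the rdr/nat parentheses), minus its :port.
        FILENAME == ARGV[1] {
            for (i = 1; i <= NF; i++) {
                f = $i
                gsub(/[()]/, "", f)
                if (f ~ /^[0-9.]+:[0-9]+$/) {
                    sub(/:[0-9]+$/, "", f)
                    seen[f] = 1
                }
            }
            next
        }
        # Source-tracking summary lines look like
        #   addr [-> target] ( states N, connections M, rate ... )
        # followed by an indented "age ..." line, which never matches here.
        /\( states [0-9]+,/ {
            src = $1
            n = $0
            sub(/.*\( states /, "", n)
            sub(/,.*/, "", n)
            if (n + 0 > 0 && !(src in seen)) {
                print src, n
                orphans++
            }
        }
        END { exit (orphans > 0) }
    ' "$2" "$1"
}

# write_samples DIR: constructed pfctl output.  192.0.2.10 claims four states
# but has none in the table (an orphan); 198.51.100.7 claims one and has it;
# 203.0.113.9 claims none, so it is never reported.
write_samples() {
    cat > "$1/srctrack.txt" <<'EOF'
192.0.2.10 -> 10.0.0.5 ( states 4, connections 0, rate 0.0/0s )
  age 01:47:25, 4808 pkts, 1713437 bytes, rdr rule 0
198.51.100.7 -> 10.0.0.5 ( states 1, connections 0, rate 0.0/0s )
  age 00:03:10, 120 pkts, 9876 bytes, rdr rule 0
203.0.113.9 ( states 0, connections 0, rate 0.0/0s )
  age 00:00:42, 10 pkts, 800 bytes
EOF
    cat > "$1/states.txt" <<'EOF'
em0 tcp 10.0.0.5:80 (203.0.113.1:80) <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
em0 udp 10.0.0.5:53 <- 203.0.113.9:40001       SINGLE:NO_TRAFFIC
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
if orphaned_src_track "$dir/srctrack.txt" "$dir/states.txt"; then
    echo "no orphaned src-track entries"
else
    echo "orphaned src-track entries listed above (source, claimed states)"
fi
rm -r "$dir"
```

Run it from cron against fresh `pfctl` snapshots and alert on a non-zero exit; a list that grows between runs while the state table does not is the symptom the report describes, and is worth correlating with the `expires in` counter Max asks about.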