From owner-freebsd-pf@FreeBSD.ORG Sun Aug 13 02:23:06 2006
From: "Travis H."
To: "Bill Marquette"
Cc: freebsd-pf@freebsd.org
Date: Sat, 12 Aug 2006 21:23:04 -0500
In-Reply-To: <55e8a96c0608120657j68242447nb247b7fa44c7ac67@mail.gmail.com>
Subject: Re: firewall

As I remember it, the only feature IPFilter had that I used that pf doesn't have was the ability to simulate throwing packets at it and see what their disposition is. I wrote a test harness to check the sanity of my firewalls, before committing them to CVS.

I highly recommend switching to pf. I haven't followed ipfilter, but it's encumbered and last I checked (a _long_ time ago), it didn't have packet scrubbing or nearly 50% of the features of pf.

-- 
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

From owner-freebsd-pf@FreeBSD.ORG Sun Aug 13 02:25:57 2006
From: "Travis H."
To: "Bill Marquette"
Cc: freebsd-pf@freebsd.org
Date: Sat, 12 Aug 2006 21:25:55 -0500
Subject: OT: Re: firewall

On 8/12/06, Bill Marquette wrote:
> That's kind of like asking which shoes are the best, Nike or Adidas.
> It's a preference, both are good. You'll need to figure out which one
> feels best to you.

This is not true. Nikes fall apart the day you buy them, and assume you have really narrow feet like most runners. Adidas on the other hand have a wider toe box and last about four times as long. So, Nikes suck. :-)

But New Balance ueber alles. I've had the same pair for... over four years now, wear them virtually every day, run track in the gym, no signs of wear!

-- 
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

From owner-freebsd-pf@FreeBSD.ORG Sun Aug 13 02:30:34 2006
From: "Travis H."
To: "Max Laier"
Cc: freebsd-pf@freebsd.org
Date: Sat, 12 Aug 2006 21:30:32 -0500
In-Reply-To: <200608121849.25139.max@love2party.net>
Subject: Re: IP Address List

Read http://catb.org/~esr/faqs/smart-questions.html
Then see the pf FAQ.
Try loading it, then displaying the rules it loaded.
This mlist is for questions that can't be answered by simple things like that. Actually, all mailing lists have that characteristic, save perhaps those meant for novices.
And the specification style he used was called CIDR, another thing to wikipedia.

-- 
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

From owner-freebsd-pf@FreeBSD.ORG Sun Aug 13 11:42:38 2006
From: beno
To: "Travis H.", freebsd-pf@freebsd.org
Date: Sun, 13 Aug 2006 07:41:56 -0400
Message-ID: <44DF1004.9060706@2012.vi>
Subject: Re: IP Address List

Travis H. wrote:
> Read http://catb.org/~esr/faqs/smart-questions.html
> Then see the pf FAQ.
> Try loading it, then displaying the rules it loaded.
> This mlist is for questions that can't be answered by simple things
> like that. Actually, all mailing lists have that characteristic, save
> perhaps those meant for novices.
> And the specification style he used was called CIDR, another thing to
> wikipedia.

Travis, if I had known what a CIDR was, then I wouldn't have bothered with the question. Since I didn't know what a CIDR was, how can you say my question wasn't *smart*? How could I possibly have found the answer when I didn't know the question? You're being most unfair. I'm doing the best I can here.
beno

From owner-freebsd-pf@FreeBSD.ORG Sun Aug 13 11:44:41 2006
From: Volker
To: James Seward
Cc: freebsd-pf@freebsd.org
Date: Sun, 13 Aug 2006 13:44:40 +0200
Message-ID: <44DF10A8.9000009@vwsoft.com>
In-Reply-To: <720051dc0608110657m1109c80dke2186baee9c2d9@mail.gmail.com>
Subject: Re: Re: "Reset" Script, Anyone?

On 12/23/-58 20:59, James Seward wrote:
> On 8/11/06, beno wrote:
>> I am half a world away from my console. If I make a mistake entering my
>> PF rules, I could lock myself out. It would be nice if I had a script I
>> could activate by cron that automatically flushed out my rc.conf that
>> I'm experimenting with and loaded the original. That way, I could set
>> the cron, load my experimental rc.conf, reboot and see if I could still
>> connect to my box. If I couldn't, then all I'd have to do is wait a few
>> minutes and then I could try again. Surely I'm not the first person to
>> have thought of this. Anyone have a script that does this?
>
> I do this by having a screen session running, and a known-good
> pf.conf.safe:
>
> # pfctl -f pf.conf && sleep 60 && pfctl -f pf.conf.safe
>
> Then I detach my screen and try to login again, or test whatever I
> wanted to. If it's all good and I haven't locked myself out, I just
> have to get back into screen before 60 seconds pass and hit ^C. If I
> don't do that in time, it'll load my safe ruleset.
>
> /JMS

Wait! That might render your box inaccessible.

What if your terminal session dies? Then the pfctl command after sleep will never be executed. It's better to do something like:

echo "pfctl -f whateveryoursavedpf.confis" | at now + 5 minutes

or you may just use `echo "pfctl -d" | at now + 5 minutes' which would just disable pf and your box will be accessible if something has gone wrong within 5 minutes.

If you're happy with your new rules, you may `atrm' the job.

Greetings,

Volker

From owner-freebsd-pf@FreeBSD.ORG Sun Aug 13 12:32:50 2006
From: "Greg Hennessy"
To: "'Volker'", "'James Seward'"
Cc: freebsd-pf@freebsd.org
Date: Sun, 13 Aug 2006 13:31:31 +0100
Message-ID: <000001c6bed4$680fd4d0$0a00a8c0@thebeast>
In-Reply-To: <44DF10A8.9000009@vwsoft.com>
Subject: RE: Re: "Reset" Script, Anyone?
> > Wait! That might render your box inaccessible.
> >
> > What if your terminal session dies? Then the pfctl command
> > after sleep will never be executed.

Quite, for long distance management of any device like this, a 2[56]11 plumbed into com0 configured as the console is not optional.

Greg

From owner-freebsd-pf@FreeBSD.ORG Sun Aug 13 14:15:33 2006
From: "Bill Marquette"
To: beno
Cc: freebsd-pf@freebsd.org
Date: Sun, 13 Aug 2006 09:15:31 -0500
Message-ID: <55e8a96c0608130715q39516086hf8fe309115af4b0@mail.gmail.com>
In-Reply-To: <44DF1004.9060706@2012.vi>
Subject: Re: IP Address List

On 8/13/06, beno wrote:
> Travis H. wrote:
> > Read http://catb.org/~esr/faqs/smart-questions.html
> > Then see the pf FAQ.
> > Try loading it, then displaying the rules it loaded.
> > This mlist is for questions that can't be answered by simple things
> > like that. Actually, all mailing lists have that characteristic, save
> > perhaps those meant for novices.
> > And the specification style he used was called CIDR, another thing to
> > wikipedia.
> Travis, if I had known what a CIDR was, then I wouldn't have bothered
> with the question. Since I didn't know what a CIDR was, how can you say
> my question wasn't *smart*? How could I possibly have found the answer
> when I didn't know the question? You're being most unfair. I'm doing the
> best I can here.
> beno

That's funny considering if you read the pf.conf man page or even tried it you wouldn't have asked the question. The BNF syntax at the bottom of that page is quite explicit about what is and isn't allowed. For example, the host syntax:

host = [ "!" ] ( address [ "/" mask-bits ] | "<" string ">" )

Sure doesn't look like it takes a range to me...but hmmm, what's that funny mask-bits thing? And what's the reference to CIDR addresses here:

from _source_ port _source_ os _source_ to _dest_ port _dest_
    This rule applies only to packets with the specified source and destination addresses and ports.
    Addresses can be specified in CIDR notation (matching netblocks), as symbolic host names or interface names, or as any of the following keywords:

No, if you'd read the man page, you'd have questions that you could have googled for, or at least had a smart question such as "what does mask-bits mean?" Further, _trying_ the syntax you asked about would have given you the answer to your question on whether it works or not.

--Bill

From owner-freebsd-pf@FreeBSD.ORG Sun Aug 13 14:23:09 2006
From: "Bill Marquette"
To: Volker
Date: Sun, 13 Aug 2006 09:23:07 -0500
Message-ID: <55e8a96c0608130723o760378a2o4a894ff6112fb994@mail.gmail.com>
In-Reply-To: <44DF10A8.9000009@vwsoft.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Re: "Reset" Script, Anyone?

On 8/13/06, Volker wrote:
> On 12/23/-58 20:59, James Seward wrote:
> > On 8/11/06, beno wrote:
> >> I am half a world away from my console. If I make a mistake entering my
> >> PF rules, I could lock myself out. It would be nice if I had a script I
> >> could activate by cron that automatically flushed out my rc.conf that
> >> I'm experimenting with and loaded the original. That way, I could set
> >> the cron, load my experimental rc.conf, reboot and see if I could still
> >> connect to my box. If I couldn't, then all I'd have to do is wait a few
> >> minutes and then I could try again. Surely I'm not the first person to
> >> have thought of this. Anyone have a script that does this?
> >
> > I do this by having a screen session running, and a known-good
> > pf.conf.safe:
> >
> > # pfctl -f pf.conf && sleep 60 && pfctl -f pf.conf.safe
> >
> > Then I detach my screen and try to login again, or test whatever I
> > wanted to. If it's all good and I haven't locked myself out, I just
> > have to get back into screen before 60 seconds pass and hit ^C. If I
> > don't do that in time, it'll load my safe ruleset.
> >
> > /JMS
>
> Wait! That might render your box inaccessible.
>
> What if your terminal session dies? Then the pfctl command after
> sleep will never be executed. It's better to do something like:

I imagine that's why it's running in screen.

> echo "pfctl -f whateveryoursavedpf.confis" | at now + 5 minutes
>
> or you may just use `echo "pfctl -d" | at now + 5 minutes' which would
> just disable pf and your box will be accessible if something has
> gone wrong within 5 minutes.
>
> If you're happy with your new rules, you may `atrm' the job.

This of course is a "safer" solution and allows the user to use only software that came with the system and not have to learn how to use screen :) You could also get fancy and use source code control (rcs, cvs, svn, etc) to control the rule file and revert the change easily. This also makes it easier to diff the change allowing you one last eyeball before committing it.

--Bill

From owner-freebsd-pf@FreeBSD.ORG Sun Aug 13 15:11:36 2006
Message-ID: <44DF4125.6060009@vwsoft.com>
Date: Sun, 13 Aug 2006 17:11:33 +0200
From: Volker
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
In-Reply-To: <000001c6bed4$680fd4d0$0a00a8c0@thebeast>
Subject: Re: "Reset" Script, Anyone?

On 08/13/06 14:31, Greg Hennessy wrote:
>
>> Wait! That might render your box inaccessible.
>>
>> What if your terminal session dies? Then the pfctl command
>> after sleep will never be executed.
>
> Quite, for long distance management of any device like this, a 2[56]11
> plumbed into com0 configured as the console is not optional.
>
> Greg

Probably I was misinterpreting the term 'screen' as a terminal (ssh) session.

Probably you're lucky to have one but I don't have it on several machines (yes, it's optional but even a good choice if you can use one). I guess (and even after re-reading the original post) the original poster doesn't have a com terminal session. Doing things like that in a ssh session is a bad idea.

Just wanted to note this without going into a fundamental discussion. ;)

Volker

From owner-freebsd-pf@FreeBSD.ORG Sun Aug 13 19:36:05 2006
From: "Ivan Levchenko"
To: freebsd-pf@freebsd.org
Date: Sun, 13 Aug 2006 22:35:58 +0300
Subject: ftp-proxy with pf

Hi everybody,

having some troubles with ftp-proxy on my gateway at home: the darn thing gets me connected to an outside ftp server, but won't let me do anything else with it.

the gateway computer is freebsd (it is running pf with nat to share and secure a pppoe connection); the client computer is running kubuntu 6.06.

here is what i get when trying to connect to a ftp server behind the nat:

$ ftp ftp.freebsd.org
Connected to ftp.freebsd.org.
220 ftp.FreeBSD.org NcFTPd Server (licensed copy) ready.
Name (ftp.freebsd.org:ivan): ftp
331 Guest login ok, send your complete e-mail address as password.
Password:
230-You are user #112 of 1000 simultaneous users allowed.
230-
230 Logged in anonymously.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
550 Data connection must go to same host as control connection.
ftp: bind: Address already in use
ftp>

or i get this error when connecting to a different ftp server (vsftpd):

500 Illegal PORT command.
ftp: bind: Address already in use.

i read the ftp-proxy and pf.conf man pages and have google-ed more than my brain can comprehend but still no answer for this.

i attached the conf files for pf.conf and inetd.conf

any help (the right keyword to google with will be nice too!!!) will be great!
-- 
Best Regards,
Ivan Levchenko
levchenko.i@gmail.com

[Attachment: inetd.conf (base64-encoded, omitted here)]
[Attachment: pf.conf (base64-encoded, omitted here)]
IG1sYWllciBFeHAgJAojCSRPcGVuQlNEOiBwZi5jb25mLHYgMS4yMSAyMDAzLzA5LzAyIDIwOjM4 OjQ0IGRhdmlkIEV4cCAkCiAKIwojIFNlZSBwZi5jb25mKDUpIGFuZCAvdXNyL3NoYXJlL2V4YW1w bGVzL3BmIGZvciBzeW50YXggYW5kIGV4YW1wbGVzLgojIFJlcXVpcmVkIG9yZGVyOiBvcHRpb25z LCBub3JtYWxpemF0aW9uLCBxdWV1ZWluZywgdHJhbnNsYXRpb24sIGZpbHRlcmluZy4KIyBNYWNy b3MgYW5kIHRhYmxlcyBtYXkgYmUgZGVmaW5lZCBhbmQgdXNlZCBhbnl3aGVyZS4KIyBOb3RlIHRo YXQgdHJhbnNsYXRpb24gcnVsZXMgYXJlIGZpcnN0IG1hdGNoIHdoaWxlIGZpbHRlciBydWxlcyBh cmUgbGFzdCBtYXRjaC4KCiMgTWFjcm9zOiBkZWZpbmUgY29tbW9uIHZhbHVlcywgc28gdGhleSBj YW4gYmUgcmVmZXJlbmNlZCBhbmQgY2hhbmdlZCBlYXNpbHkuCmV4dF9pZj0idHVuMCIJIyByZXBs YWNlIHdpdGggYWN0dWFsIGV4dGVybmFsIGludGVyZmFjZSBuYW1lIGkuZS4sIGRjMAppbnRfaWY9 InJsMCIJIyByZXBsYWNlIHdpdGggYWN0dWFsIGludGVybmFsIGludGVyZmFjZSBuYW1lIGkuZS4s IGRjMQppY21wX3R5cGVzPSJ7IGVjaG9yZXEsIGVjaG9yZXAsIHVucmVhY2ggfSIKaW50X25ldD0i MTkyLjE2OC4wLjAvMjQiCgojIFRhYmxlczogc2ltaWxhciB0byBtYWNyb3MsIGJ1dCBtb3JlIGZs ZXhpYmxlIGZvciBtYW55IGFkZHJlc3Nlcy4KdGFibGUgPG5vdHJvdXRhYmxlPiB7IDEwLjAuMC4w LzgsIDE5Mi4xNjguMC4wLzI0LCAxOTIuMTY4LjEuMTgsIDEyNy4wLjAuMS84LCAxNjkuMjU0LjAu MC8xNiwgMTkyLjAuMi4wLzI0LCAwLjAuMC4wLzgsIDI0MC4wLjAuMC80LCAxNzIuMTYuMC4wLzEy IH0KdGFibGUgPGFsbG93ZWQ+IHsgMTkyLjE2OC4wLjE5NC8yNCwgMTkyLjE2OC4wLjIzMy8yNCB9 CgoKIyBPcHRpb25zOiB0dW5lIHRoZSBiZWhhdmlvciBvZiBwZiwgZGVmYXVsdCB2YWx1ZXMgYXJl IGdpdmVuLgpzZXQgb3B0aW1pemF0aW9uIG5vcm1hbApzZXQgYmxvY2stcG9saWN5IHJldHVybiAK c2V0IHNraXAgb24gbG8wCgoKIyBOb3JtYWxpemF0aW9uOiByZWFzc2VtYmxlIGZyYWdtZW50cyBh bmQgcmVzb2x2ZSBvciByZWR1Y2UgdHJhZmZpYyBhbWJpZ3VpdGllcy4Kc2NydWIgaW4gYWxsCgoK IyBUcmFuc2xhdGlvbjogc3BlY2lmeSBob3cgYWRkcmVzc2VzIGFyZSB0byBiZSBtYXBwZWQgb3Ig cmVkaXJlY3RlZC4KIyBuYXQ6IHBhY2tldHMgZ29pbmcgb3V0IHRocm91Z2ggJGV4dF9pZiB3aXRo IHNvdXJjZSBhZGRyZXNzICRpbnRlcm5hbF9uZXQgd2lsbAojIGdldCB0cmFuc2xhdGVkIGFzIGNv bWluZyBmcm9tIHRoZSBhZGRyZXNzIG9mICRleHRfaWYsIGEgc3RhdGUgaXMgY3JlYXRlZCBmb3IK IyBzdWNoIHBhY2tldHMsIGFuZCBpbmNvbWluZyBwYWNrZXRzIHdpbGwgYmUgcmVkaXJlY3RlZCB0 
byB0aGUgaW50ZXJuYWwgYWRkcmVzcy4KbmF0IG9uICRleHRfaWYgZnJvbSA8YWxsb3dlZD4gdG8g YW55IC0+ICgkZXh0X2lmKQpubyBuYXQgb24gJGludF9pZiBwcm90byB0Y3AgZnJvbSAkaW50X2lm IHRvICRpbnRfbmV0CgoKIyByZHI6IHBhY2tldHMgY29taW5nIGluIG9uICRleHRfaWYgd2l0aCBk ZXN0aW5hdGlvbiAkZXh0ZXJuYWxfYWRkcjoxMjM0IHdpbGwKIyBiZSByZWRpcmVjdGVkIHRvIDEw LjEuMS4xOjU2NzguIEEgc3RhdGUgaXMgY3JlYXRlZCBmb3Igc3VjaCBwYWNrZXRzLCBhbmQKIyBv dXRnb2luZyBwYWNrZXRzIHdpbGwgYmUgdHJhbnNsYXRlZCBhcyBjb21pbmcgZnJvbSB0aGUgZXh0 ZXJuYWwgYWRkcmVzcy4KI3JkciBvbiAkZXh0X2lmIHByb3RvIHRjcCBmcm9tIGFueSB0byAkZXh0 ZXJuYWxfYWRkci8zMiBwb3J0IDEyMzQgLT4gMTAuMS4xLjEgcG9ydCA1Njc4CgpubyByZHIgb24g JGludF9pZiBwcm90byB0Y3AgZnJvbSA8YWxsb3dlZD4gdG8gJGludF9pZiBwb3J0IDIxCnJkciBv biAkaW50X2lmIHByb3RvIHRjcCBmcm9tICRpbnRfaWYgdG8gJGV4dF9pZiBwb3J0IDIxIC0+IDEy Ny4wLjAuMSBwb3J0IDgwMjEKCiMgc3BhbWQtc2V0dXAgcHV0cyBhZGRyZXNzZXMgdG8gYmUgcmVk aXJlY3RlZCBpbnRvIHRhYmxlIDxzcGFtZD4uCiN0YWJsZSA8c3BhbWQ+IHBlcnNpc3QKI25vIHJk ciBvbiB7IGxvMCwgbG8xIH0gZnJvbSBhbnkgdG8gYW55CiNyZHIgaW5ldCBwcm90byB0Y3AgZnJv bSA8c3BhbWQ+IHRvIGFueSBwb3J0IHNtdHAgLT4gMTI3LjAuMC4xIHBvcnQgODAyNQoKCiMgRmls dGVyaW5nOiB0aGUgaW1wbGljaXQgZmlyc3QgdHdvIHJ1bGVzIGFyZQojcGFzcyBpbiBvbiAkZXh0 X2lmIGFsbAojcGFzcyBvdXQgb24gJGV4dF9pZiBhbGwKCgojV2Ugd2FudCB0byBibG9jayBldmVy eXRoaW5nIGZpcnN0CmJsb2NrIGluIGxvZyBvbiAkZXh0X2lmIGFsbApibG9jayBpbiBvbiAkaW50 X2lmIGFsbAoKCiNFbmFibGUgYW50aXNwb29mIGZvciB0aGUgaW50ZXJuZXQgYW5kIG91dCBpbnRl cm5hbHMKI2FudGlzcG9vZiBmb3IgJGV4dF9pZgojYW50aXNwb29mIGZvciAkaW50X2lmCgoKI2xl dCBldmVyeXRoaW5nIHBhc3Mgb3V0IGludG8gdGhlIGludGVybmV0IHRoYXQgc3RhcnRzIGEgY29u ZW5jdGlvbiBhbmQga2VlcCBzdGF0ZSBmb3IgaXQKcGFzcyBvdXQgb24gJGV4dF9pZiBwcm90byB7 IHRjcCwgdWRwIH0gYWxsIGtlZXAgc3RhdGUKcGFzcyBvdXQgb24gJGludF9pZiBwcm90byB7IHRj cCwgdWRwIH0gYWxsIGtlZXAgc3RhdGUgIyBQYXNzIGV2ZXJ5dGhpbmcgb3V0IGZyb20gdGhpcyBj b21wdXRlciB0byB0aGUgaW50ZXJuYWwgbmV0d29yawoKI0hlcmUgZ28gdGhlIHF1aWNrIHJ1bGVz CnBhc3MgaW4gcXVpY2sgb24gJGV4dF9pZiBwcm90byB7IHRjcCwgdWRwIH0gZnJvbSBhbnkgdG8g 
KCRleHRfaWYpIHBvcnQgMjIga2VlcCBzdGF0ZSAjIGFsbG93IHNzaCBmb3IgdGhlIG91dHNpZGUg YW5kIGtlZXAgc3RhdGUKYmxvY2sgZHJvcCBpbiBsb2cgcXVpY2sgb24gJGV4dF9pZiBmcm9tIDxu b3Ryb3V0YWJsZT4gdG8gYW55ICNCbG9jayBpbiBzaGl0IGZyb20gc21hcnQgYXNzZXMKICAKCiMg YmxvY2sgYWxsIGluY29taW5nIHBhY2tldHMgYnV0IGFsbG93IHNzaCwgcGFzcyBhbGwgb3V0Z29p bmcgdGNwIGFuZCB1ZHAKIyBjb25uZWN0aW9ucyBhbmQga2VlcCBzdGF0ZS4KcGFzcyBpbiBvbiAk aW50X2lmIHByb3RvIHsgdGNwLCB1ZHAgfSBmcm9tIDxhbGxvd2VkPiB0byBhbnkgcG9ydCB7IHd3 dywgZnRwLCBmdHAtZGF0YSwgZG9tYWluLCBwb3AzLCBzbXRwLCBzc2gsIDIyLCA4MDgwLCBudHAs IDQ0MywgMzcyNCwgMjAgfSBrZWVwIHN0YXRlIAoKI0lDTVAgcnVsZXMKcGFzcyBpbmV0IHByb3Rv IGljbXAgYWxsIGljbXAtdHlwZSAkaWNtcF90eXBlcyBrZWVwIHN0YXRlCgoKIyBhbGxvdyBvdXQg dGhlIGRlZmF1bHQgcmFuZ2UgZm9yIHRyYWNlcm91dGUoOCk6CiMgImJhc2UrbmhvcHMqbnF1ZXJp ZXMtMSIgKDMzNDM0KzY0KjMtMSkKcGFzcyBvdXQgb24gJGV4dF9pZiBpbmV0IHByb3RvIHVkcCBm cm9tIGFueSB0byBhbnkgcG9ydCAzMzQzMyA+PCAzMzYyNiBrZWVwIHN0YXRlCgoKI1J1bGVzIGZv ciBmdHAgYW5kIGZycC1wcm94eQpwYXNzIGluIG9uICRleHRfaWYgaW5ldCBwcm90byB0Y3AgZnJv bSBwb3J0IGZ0cC1kYXRhIHRvICRleHRfaWYgdXNlciBwcm94eSBmbGFncyBTL1NBIGtlZXAgc3Rh dGUKcGFzcyBpbiBvbiAkZXh0X2lmIGluZXQgcHJvdG8gdGNwIGZyb20gcG9ydCA+IDQ5MTUxIHRv IGFueSBrZWVwIHN0YXRlCnBhc3MgaW4gb24gJGludF9pZiBpbmV0IHByb3RvIHRjcCBmcm9tIHBv cnQgPiA0OTE1MSB0byBhbnkga2VlcCBzdGF0ZQoK ------=_Part_111755_16371201.1155497758324-- From owner-freebsd-pf@FreeBSD.ORG Sun Aug 13 21:59:29 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8759B16A4DA for ; Sun, 13 Aug 2006 21:59:29 +0000 (UTC) (envelope-from levchenko.i@gmail.com) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.175]) by mx1.FreeBSD.org (Postfix) with ESMTP id CCA9143D58 for ; Sun, 13 Aug 2006 21:59:28 +0000 (GMT) (envelope-from levchenko.i@gmail.com) Received: by ug-out-1314.google.com with SMTP id m2so471375uge for ; Sun, 13 Aug 2006 14:59:27 -0700 (PDT) 
Date: Mon, 14 Aug 2006 00:59:27 +0300
From: "Ivan Levchenko"
To: freebsd-pf@freebsd.org
Subject: ftp-proxy with pf

Hi everybody,

Having some troubles with ftp-proxy on my gateway at home: the darn thing gets
me connected to an outside ftp server, but won't let me do anything else with
it.

The gateway computer is FreeBSD (it is running pf with nat to share and secure
a pppoe connection); the client computer is running Kubuntu 6.06.

Here is what I get when trying to connect to an ftp server behind the nat:

$ ftp ftp.freebsd.org
Connected to ftp.freebsd.org.
220 ftp.FreeBSD.org NcFTPd Server (licensed copy) ready.
Name (ftp.freebsd.org:ivan): ftp
331 Guest login ok, send your complete e-mail address as password.
Password:
230-You are user #112 of 1000 simultaneous users allowed.
230-
230 Logged in anonymously.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
550 Data connection must go to same host as control connection.
ftp: bind: Address already in use
ftp>

Or I get this error when connecting to a different ftp server (vsftpd):

500 Illegal PORT command.
ftp: bind: Address already in use.

I read the ftp-proxy and pf.conf man pages and have googled more than my brain
can comprehend but still no answer for this.

I attached the conf files for pf.conf and inetd.conf.

Any help (the right keyword to google with will be nice too!!!) will be great!

-- 
Best Regards,
Ivan Levchenko
levchenko.i@gmail.com

Content-Disposition: attachment; filename="inetd.conf"
[identical to the inetd.conf attached to Ivan's previous message]

Content-Disposition: attachment; filename="pf.conf"
[identical to the pf.conf attached to Ivan's previous message]
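Reading the attached pf.conf against the two refusals Ivan quotes (this note and the fragment after it are an editor's added example, not part of the thread): the control connection to ftp.freebsd.org never reaches ftp-proxy. The only rdr for port 21 is

    rdr on $int_if proto tcp from $int_if to $ext_if port 21 -> 127.0.0.1 port 8021

and an interface name used as an address stands for that interface's own addresses, so this rule matches connections from the gateway's rl0 address to its own tun0 address and nothing a LAN client sends. The session is therefore plain NAT: the client's PORT command carries its 192.168.0.x address, the server compares that with the address the control connection arrived from and refuses, which is what NcFTPd's "550 Data connection must go to same host as control connection" and vsftpd's "500 Illegal PORT command" say. Rewriting that PORT command is the job the proxy was installed for. Two more rules need attention once the rdr matches: pf filters the translated packet, so the redirected SYN is addressed to 127.0.0.1 port 8021, which the port list of the pass in on $int_if rule does not contain; and the two "pass in ... from port > 49151 to any" rules test the source port, which the remote end chooses, so the one on $ext_if opens every listener on the gateway (inetd's ftpd on port 21 included) to anyone sending from a high port, while no proxy data connection ever arrives from such a port. The fragment below shows the translation and filter rules as they need to read; <allowed>, $int_if, $ext_if and 127.0.0.1 port 8021 are Ivan's, the rule bodies are this editor's. Separately, 192.168.0.194/24 and 192.168.0.233/24 in table <allowed> carry a /24 network mask on single-host addresses; if two hosts are meant, they need /32.

```pf
# Added example, not Ivan's pf.conf: the translation and filter rules the
# inetd-started ftp-proxy (127.0.0.1 port 8021) needs, written against the
# macros and tables of the posted file. <allowed>, $int_if and $ext_if are
# Ivan's; the rule bodies below are this editor's.

# --- translation (first match) ---
# Keep the gateway's own ftpd reachable from the LAN ...
no rdr on $int_if proto tcp from <allowed> to $int_if port 21
# ... and hand every other LAN-originated control connection to the proxy.
# The posted rule read "from $int_if to $ext_if": both expand to the
# gateway's own addresses, so no client connection ever matched it.
rdr on $int_if proto tcp from <allowed> to any port 21 -> 127.0.0.1 port 8021

# --- filtering (last match, evaluated on the translated packet) ---
# After rdr the SYN is addressed to 127.0.0.1:8021, which the posted port list
# on $int_if does not contain; without this rule it only got through when the
# client happened to pick a source port above 49151.
pass in on $int_if inet proto tcp from <allowed> to 127.0.0.1 port 8021 \
    flags S/SA keep state

# Active mode: ftp-proxy rewrites the client's PORT so the server connects
# from port 20 to ($ext_if) on a port from the proxy's default 49152-65535
# range. The listening socket belongs to the "proxy" user ftp-proxy drops
# privileges to. Parentheses make the rule follow tun0's address when the
# PPPoE session renegotiates; the posted rule used a fixed $ext_if.
pass in on $ext_if inet proto tcp from any port ftp-data to ($ext_if) port > 49151 \
    user proxy flags S/SA keep state

# Passive mode: the data connection is opened towards the server and leaves
# under the existing "pass out on $ext_if proto { tcp, udp } all keep state".
# Only if the ftp-proxy(8) on this system relays passive-mode data itself does
# the client connect to ($int_if) on the same port range; then this is needed,
# keyed on the DESTINATION port:
#pass in on $int_if inet proto tcp from <allowed> to ($int_if) port > 49151 \
#    user proxy flags S/SA keep state

# Dropped and not replaced:
#   pass in on $ext_if inet proto tcp from port > 49151 to any keep state
#   pass in on $int_if inet proto tcp from port > 49151 to any keep state
# Both match on the SOURCE port, which the remote end chooses freely, so the
# first passes inbound TCP to every listener on the gateway (inetd's ftpd on
# port 21 included, since inetd binds to *) for any client sending from a
# port above 49151. No ftp-proxy data connection arrives from such a port:
# active mode comes from port 20, passive mode goes out.
```

Load with pfctl -nf /etc/pf.conf first to check the syntax, then pfctl -f; after that a pfctl -ss during a transfer should show one state for the client to 127.0.0.1:8021 on rl0, one for the proxy to the server's port 21 on tun0, and, in active mode, one from the server's port 20 to tun0's address on a port above 49151.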
Date: Mon, 14 Aug 2006 07:28:01 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
f kern/86072   pf    [pf] Packet Filter rule not working properly (with SYN
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o sparc/93530  pf    Incorrect checksums when using pf's route-to on sparc6

4 problems total.

Non-critical problems
S Tracker      Resp. Description
--------------------------------------------------------------------------------
o conf/81042   pf    [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/94992   pf    [pf] [patch] pfctl complains about ALTQ missing

3 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 14 12:41:46 2006
Date: Mon, 14 Aug 2006 08:41:21 -0400
From: zope@2012.vi
To: Bill Marquette, freebsd-pf@freebsd.org
In-Reply-To: <55e8a96c0608130715q39516086hf8fe309115af4b0@mail.gmail.com>
Subject: Re: IP Address List

Bill,

I stand corrected. Please forgive my imperfections. I only studied and
restudied this material 10 hours a day for 4 days. I must be blind!
Again, forgive me for not being as perfect as I should be, and for missing
this point. You are quite right to criticise me, and I accept your judgment,
no matter how harsh.

beno

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 14 13:38:14 2006
Date: Mon, 14 Aug 2006 09:38:11 -0400
From: Charles Lacroix
To: freebsd-pf@freebsd.org
Subject: ICMP traffic

Hi,

I was wondering which ICMP type packets people accepted on their production
servers.
I would just like to have feedback on this to see what people do about these.
At the moment I allow all of the ICMP type traffic but I wanted to disable
some of the less used types.

Thanks

Charles
-- 
Charles Lacroix, Administrateur UNIX.
Service des télécommunications et des technologies
Cégep de Sainte-Foy
(418) 659-6600 # 4266

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 14 13:42:28 2006
Date: Mon, 14 Aug 2006 15:42:21 +0200
From: "Cristiano Deana"
To: freebsd-pf@freebsd.org
In-Reply-To: <200608140938.11880.clacroix@cegep-ste-foy.qc.ca>
Subject: Re: ICMP traffic
freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 14 Aug 2006 13:42:28 -0000 2006/8/14, Charles Lacroix : > i was wondering which icmp type packets people accepted on there > production servers. did you read firewall(7) ? -- Cris, member of G.U.F.I Italian FreeBSD User Group http://www.gufi.org/ From owner-freebsd-pf@FreeBSD.ORG Mon Aug 14 14:28:38 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 69F0516A4DF for ; Mon, 14 Aug 2006 14:28:38 +0000 (UTC) (envelope-from clacroix@cegep-ste-foy.qc.ca) Received: from missive.cegep-ste-foy.qc.ca (missive.cegep-ste-foy.qc.ca [199.202.105.101]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8EC5043D58 for ; Mon, 14 Aug 2006 14:28:37 +0000 (GMT) (envelope-from clacroix@cegep-ste-foy.qc.ca) Received: from LOCALHOST (LOCALHOST [127.0.0.1]) by missive.cegep-ste-foy.qc.ca (Postfix) with ESMTP id C0641141A0B for ; Mon, 14 Aug 2006 10:28:36 -0400 (EDT) Received: from sti-test.cegep-ste-foy.qc.ca (sti-test.cegep-ste-foy.qc.ca [199.202.105.98]) by missive.cegep-ste-foy.qc.ca (Postfix) with ESMTP id 5BE65141A2F for ; Mon, 14 Aug 2006 09:56:15 -0400 (EDT) From: Charles Lacroix To: freebsd-pf@freebsd.org Date: Mon, 14 Aug 2006 09:56:14 -0400 User-Agent: KMail/1.9.3 References: <200608140938.11880.clacroix@cegep-ste-foy.qc.ca> In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Message-Id: <200608140956.14645.clacroix@cegep-ste-foy.qc.ca> X-AntiVirus: checked by Vexira MailArmor (version: 2.0.1.16; VAE: 6.30.0.2; VDF: 6.30.0.16; host: missive.cegep-ste-foy.qc.ca) Subject: Re: ICMP traffic X-BeenThere: 
freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 14 Aug 2006 14:28:38 -0000 On Monday 14 August 2006 09:42, Cristiano Deana wrote: > 2006/8/14, Charles Lacroix : > > i was wondering which icmp type packets people accepted on there > > production servers. > > did you read firewall(7) ? I just checked it and it's talking about ipfw, i searched the man page for= =20 icmp rules and found this little block. Thanks for the hint. # It is important to allow certain ICMP types through, here is a list # of general ICMP types. Note that it is important to let ICMP type 3 # through. # # 0 Echo Reply # 3 Destination Unreachable (used by TCP MTU discovery, aka # packet-too-big) # 4 Source Quench (typically not allowed) # 5 Redirect (typically not allowed - can be dangerous!) # 8 Echo # 11 Time Exceeded # 12 Parameter Problem # 13 Timestamp # 14 Timestamp Reply # # Sometimes people need to allow ICMP REDIRECT packets, which is # type 5, but if you allow it make sure that your Internet router # disallows it. =2D-=20 Charles Lacroix, Administrateur UNIX. 
Service des télécommunications et des technologies
Cégep de Sainte-Foy
(418) 659-6600 # 4266

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 14 16:39:40 2006
From: "Scott Ullrich"
To: "freebsd-pf@freebsd.org"
Date: Mon, 14 Aug 2006 12:39:32 -0400
Subject: CARP panics on RELENG_6 when destroying a CARP interface

Hello!

I am testing out CARP on RELENG_6 as of yesterday and I am seeing a panic when attempting to destroy a CARP interface:

# ifconfig carp0 delete
# ifconfig carp0 destroy
# panic: thread 100049(ifconfig):0 holds carp_if but isn't blocked on a lock
KDB: enter: panic
[thread pid 12 tid 100004 ]
Stopped at      kdb_enter+0x2b: nop
db> bt
Tracing pid 12 tid 100004 td 0xc14d6900
kdb_enter(c08690a0) at kdb_enter+0x2b
panic(c086c2f3,186d6,c1630bc4,0,c0876fc4) at panic+0xbb
propagate_priority(c14d6900,c0948fd0,c15a7e90,c14d6900,c1575000) at propagate_priority+0x137
turnstile_wait(c15a7e90,c1632000,c15a7e90,2,c0868048,225) at turnstile_wait+0x2f0
_mtx_lock_sleep(c15a7e90,c14d6900,0,c0876cbe,283) at _mtx_lock_sleep+0x102
_mtx_lock_flags(c15a7e90,0,c0876cbe,283,0) at _mtx_lock_flags+0x72
carp_input_c(c15e8500,c15e8544,2,c15e8544,c172100e) at carp_input_c+0x30
carp_input(c16eb700,14,c15fa940,0,0) at carp_input+0x216
ip_input(c16eb700) at ip_input+0x7ad
netisr_processqueue(c094a958) at netisr_processqueue+0x6e
swi_net(0) at swi_net+0xc6
ithread_execute_handlers(c14d5830,c14d3580) at ithread_execute_handlers+0xe6
ithread_loop(c14bd760,c796cd38,c14bd760,c05f76a8,0) at ithread_loop+0x66
fork_exit(c05f76a8,c14bd760,c796cd38) at fork_exit+0xa0
fork_trampoline() at fork_trampoline+0x8
--- trap 0x1, eip = 0, esp = 0xc796cd6c, ebp = 0 ---
db>

Please let me know if I can supply more information.

Thanks!
From owner-freebsd-pf@FreeBSD.ORG Mon Aug 14 17:47:11 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Mon, 14 Aug 2006 19:46:59 +0200
Message-Id: <200608141947.06724.max@love2party.net>
Subject: Re: CARP panics on RELENG_6 when destroying a CARP interface

On Monday 14 August 2006 18:39, Scott Ullrich wrote:
> I am testing out CARP on RELENG_6 as of yesterday and I am seeing a
> panic when attempting to destory a CARP interface:
>
> # ifconfig carp0 delete
> # ifconfig carp0 destroy
> # panic: thread 100049(ifconfig):0 holds carp_if but isn't blocked on a
> lock
>
> KDB: enter: panic
> [thread pid 12 tid 100004 ]
> Stopped at kdb_enter+0x2b: nop
> db> bt
> Tracing pid 12 tid 100004 td 0xc14d6900
> kdb_enter(c08690a0) at kdb_enter+0x2b
> panic(c086c2f3,186d6,c1630bc4,0,c0876fc4) at panic+0xbb
> propagate_priority(c14d6900,c0948fd0,c15a7e90,c14d6900,c1575000) at
> propagate_priority+0x137
> turnstile_wait(c15a7e90,c1632000,c15a7e90,2,c0868048,225) at
> turnstile_wait+0x2f0
> _mtx_lock_sleep(c15a7e90,c14d6900,0,c0876cbe,283) at
> _mtx_lock_sleep+0x102
> _mtx_lock_flags(c15a7e90,0,c0876cbe,283,0) at
> _mtx_lock_flags+0x72
> carp_input_c(c15e8500,c15e8544,2,c15e8544,c172100e) at
> carp_input_c+0x30
> carp_input(c16eb700,14,c15fa940,0,0) at
> carp_input+0x216
> ip_input(c16eb700) at ip_input+0x7ad

Looks like a race between the check in ip_carp.c:502

    m->m_pkthdr.rcvif->if_carp == NULL

and the actual use of that interface pointer. I'm afraid we need some form of synchronization for access to ifnet.if_carp. From a quick glance we could either use IFADDR_LOCK() or the global IFNET_{W,R}LOCK. I will look at producing a patch later tonight.

> netisr_processqueue(c094a958) at netisr_processqueue+0x6e
> swi_net(0) at swi_net+0xc6
> ithread_execute_handlers(c14d5830,c14d3580) at
> ithread_execute_handlers+0xe6
> ithread_loop(c14bd760,c796cd38,c14bd760,c05f76a8,0) at
> ithread_loop+0x66
> fork_exit(c05f76a8,c14bd760,c796cd38) at
> fork_exit+0xa0
> fork_trampoline() at fork_trampoline+0x8
> --- trap 0x1, eip = 0, esp = 0xc796cd6c, ebp = 0 ---
> db>
>
> Please let me know if I can supply more information.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 14 20:02:08 2006
From: "Kian Mohageri"
To: "Charles Lacroix"
Date: Mon, 14 Aug 2006 13:00:22 -0700
In-Reply-To: <200608140956.14645.clacroix@cegep-ste-foy.qc.ca>
References: <200608140938.11880.clacroix@cegep-ste-foy.qc.ca> <200608140956.14645.clacroix@cegep-ste-foy.qc.ca>
Cc: freebsd-pf@freebsd.org
Subject: Re: ICMP traffic

On 8/14/06, Charles Lacroix wrote:
>
> On Monday 14 August 2006 09:42, Cristiano Deana wrote:
> > 2006/8/14, Charles Lacroix :
> > > i was wondering which icmp type packets people accepted on there
> > > production servers.
>

Just echo (echo-req) from anywhere. pf keep state passes some other traffic too, if it is part of a state.

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 15 17:54:37 2006
From: "Jeremy C. Reed"
To: Ivan Levchenko
Cc: freebsd-pf@freebsd.org
Date: Tue, 15 Aug 2006 12:52:51 -0500 (CDT)
Subject: Re: ftp-proxy with pf

From a quick look, your configs look correct.

I don't know if it will help, but maybe you can add the following to your inetd.conf for the "ftp-proxy -n -V -D 3" and set up your syslogger to log for daemon.debug and look at the log results.

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 17 08:16:43 2006
From: "Travis H."
To: Volker
Cc: Greg Hennessy, freebsd-pf@freebsd.org
Date: Thu, 17 Aug 2006 03:16:39 -0500
In-Reply-To: <44DF4125.6060009@vwsoft.com>
References: <000001c6bed4$680fd4d0$0a00a8c0@thebeast> <44DF4125.6060009@vwsoft.com>
Subject: Re: "Reset" Script, Anyone?

Back when NetBSD was using ipfilter, there was a way to simulate throwing packets at a packet filter. I wrote a regression test harness around it, to make sure that a new config file would allow certain basic operations and prevent a few basic operations, as a kind of sanity check, before even loading it.

It sure would be nice if pf had something like it. I suppose with some preprocessing judo, you could remap the interfaces to some temporary interface aliases you set up, but that's not a particularly easy or comprehensive way of testing your rules.

Although I seem to recall someone suggesting a way to do something similar... anyone have any suggestions?

-- 
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 18 08:45:11 2006
From: "Travis H."
To: "Kian Mohageri"
Cc: freebsd-pf@freebsd.org
Date: Fri, 18 Aug 2006 03:45:10 -0500
References: <200608140938.11880.clacroix@cegep-ste-foy.qc.ca> <200608140956.14645.clacroix@cegep-ste-foy.qc.ca>
Subject: Re: ICMP traffic

I allow this out:
"squench", "echoreq", "timereq", "trace", "skip", "photuris"

I block this out:
"echorep", "unreach", "redir", "althost", "routeradv", "routersol", "timex", "paramprob", "timerep", "inforeq", "maskreq", "maskrep", "dataconv", "mobredir", "ipv6-where", "ipv6-here", "mobregreq", "mobregrep"

This is a little large because some of the ICMPs I wasn't familiar with, but blocking them hasn't hurt me (that I know). Anything coming in has to match a state.

I'm not paranoid, it's just that people keep trying to gain my confidence so they can steal my magic bag. :-P

-- 
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 18 14:18:29 2006
From: beno -
To: freebsd-pf@freebsd.org
Date: Fri, 18 Aug 2006 07:18:23 -0700 (PDT)
Message-ID: <20060818141823.55551.qmail@web33913.mail.mud.yahoo.com>
Subject: Easy Question From Newbie

Hi;
What does this error mean?
server167# pfctl -f /etc/pf.conf
pfctl: /dev/pf: No such file or directory

All the "pfctl" files I have are binaries, so of course I can't study them. There's no reference to "dev" in my pf.conf file. What do I do to satisfy this error?
TIA,
beno3

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 18 14:27:00 2006
From: "Ivan Levchenko"
To: "beno -"
Cc: freebsd-pf@freebsd.org
Date: Fri, 18 Aug 2006 17:26:57 +0300
In-Reply-To: <20060818141823.55551.qmail@web33913.mail.mud.yahoo.com>
References: <20060818141823.55551.qmail@web33913.mail.mud.yahoo.com>
Subject: Re: Easy Question From Newbie

You need to either load the pf kernel module, which can be done by adding

pf_load="YES"

to /boot/loader.conf (you may also load the module without rebooting like this: kldload pf). If you use the module, then altq will not work for you.

Or you may build a new kernel with the following options:

device pf
device pflog
device pfsync

and for altq:

options ALTQ
options ALTQ_CBQ        # Class Bases Queuing (CBQ)
options ALTQ_RED        # Random Early Detection (RED)
options ALTQ_RIO        # RED In/Out
options ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ       # Priority Queuing (PRIQ)
options ALTQ_NOPCC      # Required for SMP build

You should remove the things that you don't need.

For more info (probably should have started with this) go to
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html

happy packet filtering!

On 8/18/06, beno - wrote:
> Hi;
> What does this error mean?
>
> server167# pfctl -f /etc/pf.conf
> pfctl: /dev/pf: No such file or directory
>
> All the "pfctl" files I have are binaries, so of course I can't study them. There's no reference to "dev" in my pf.conf file. What do I do to satisfy this error?
> TIA,
> beno3

-- 
Best Regards,
Ivan Levchenko
levchenko.i@gmail.com

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 18 16:17:39 2006
From: beno
To: freebsd-pf@freebsd.org
Date: Fri, 18 Aug 2006 12:17:26 -0400
Message-ID: <44E5E816.1030304@2012.vi>
Subject: Syntax Error

Hi;
For some reason the parser likes this syntax in certain places but not in others:

1. # SETTING THE STAGE
2. # macros
3. ext_if="vr0"
4. int_if="lo0"
5. http_ports="80 8080 7080"
6. ssh_ports="22"
7. ftp_ports="21 8021 7021"
8. smtp_ports="25"
9. pop3_ports="110"
10. https_ports="443"
11. imap_ssl_ports="993 143"
12. squid_ports="3128"
13. mysql_ports="3306"
14. email_ports="{" $smtp_ports $pop3_ports "}"
15. all_http_ports="{" $http_ports $https_ports "}"
16. tcp_ports= "{" $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports "}"
17. int_ports="{" $squid_ports $mysql_ports "}"
18. tcp_services="ssh, ftp, http"
20. web_server="202.71.106.119"
21. NoRouteIPs = "127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
22. shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30 202.71.106.118 202.71.106.188 203.142.1.8"
23. directv_ip_addresses="69.19.0.0/17"
24. shadday_ip_addresses="70.19.0.0/17"
25. ssh_ip_addresses="{" $shinjiru_ip_addresses $directv_ip_addresses $shadday_ip_addresses "}"

server167# pfctl -f /etc/pf.conf && sleep 60 && pfctl -f /etc/pf.conf_BAK
/etc/pf.conf:16: syntax error
/etc/pf.conf:24: syntax error
pfctl: Syntax error in config file: pf rules not loaded

It appears to not like my using "$all_http_ports" in line 16 and one of the three in the last line (which the machine chooses to call 24 but it is actually referring to 25). Why?
beno

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 18 17:05:21 2006
From: "Jeremy C. Reed"
To: beno
Cc: freebsd-pf@freebsd.org
Date: Fri, 18 Aug 2006 12:03:14 -0500 (CDT)
In-Reply-To: <44E5E816.1030304@2012.vi>
References: <44E5E816.1030304@2012.vi>
Subject: Re: Syntax Error

> For some reason the parser likes this syntax in certain places but not in
> others:
>
> 1. # SETTING THE STAGE
> 2. # macros
> 3. ext_if="vr0"
> 4. int_if="lo0"
> 5. http_ports="80 8080 7080"
> 6. ssh_ports="22"
> 7. ftp_ports="21 8021 7021"
> 8. smtp_ports="25"
> 9. pop3_ports="110"
> 10. https_ports="443"
> 11. imap_ssl_ports="993 143"
> 12. squid_ports="3128"
> 13. mysql_ports="3306"
> 14. email_ports="{" $smtp_ports $pop3_ports "}"
> 15. all_http_ports="{" $http_ports $https_ports "}"
> 16. tcp_ports= "{" $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports "}"

I don't think you can put a list inside of another list.

> 17. int_ports="{" $squid_ports $mysql_ports "}"
> 18. tcp_services="ssh, ftp, http"
> 20. web_server="202.71.106.119"
> 21. NoRouteIPs = "127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
> 22. shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30
> 202.71.106.118 202.71.106.188 203.142.1.8"
> 23. directv_ip_addresses="69.19.0.0/17"
> 24. shadday_ip_addresses="70.19.0.0/17"
> 25. ssh_ip_addresses="{" $shinjiru_ip_addresses $directv_ip_addresses
> $shadday_ip_addresses "}"

I don't know why the list doesn't allow the macro with the /netmask. If the macros don't have a /netmask the list works (but not what you want).

> server167# pfctl -f /etc/pf.conf && sleep 60 && pfctl -f /etc/pf.conf_BAK
> /etc/pf.conf:16: syntax error
> /etc/pf.conf:24: syntax error
> pfctl: Syntax error in config file: pf rules not loaded
>
> It appears to not like my using "$all_http_ports" in line 16 and one of the
> three in the last line (which the machine chooses to call 24 but it is
> actually referring to 25). Why?

Because you are missing line #19 above so it is off by one.

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 18 17:06:38 2006
From: beno -
To: freebsd-pf@freebsd.org
Date: Fri, 18 Aug 2006 10:05:11 -0700 (PDT)
Message-ID: <20060818170511.15779.qmail@web33910.mail.mud.yahoo.com>
Subject: Syntax Error

Hi;
For some reason the parser likes this syntax in certain places but not in others:

1. # SETTING THE STAGE
2. # macros
3. ext_if="vr0"
4. int_if="lo0"
5. http_ports="80 8080 7080"
6. ssh_ports="22"
7. ftp_ports="21 8021 7021"
8. smtp_ports="25"
9. pop3_ports="110"
10. https_ports="443"
11. imap_ssl_ports="993 143"
12. squid_ports="3128"
13. mysql_ports="3306"
14. email_ports="{" $smtp_ports $pop3_ports "}"
15. all_http_ports="{" $http_ports $https_ports "}"
16. tcp_ports= "{" $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports "}"
17. int_ports="{" $squid_ports $mysql_ports "}"
18. tcp_services="ssh, ftp, http"
20. web_server="202.71.106.119"
21. NoRouteIPs = "127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
22. shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30 202.71.106.118 202.71.106.188 203.142.1.8"
23. directv_ip_addresses="69.19.0.0/17"
24. shadday_ip_addresses="70.19.0.0/17"
25. ssh_ip_addresses="{" $shinjiru_ip_addresses $directv_ip_addresses $shadday_ip_addresses "}"

server167# pfctl -f /etc/pf.conf && sleep 60 && pfctl -f /etc/pf.conf_BAK
/etc/pf.conf:16: syntax error
/etc/pf.conf:24: syntax error
pfctl: Syntax error in config file: pf rules not loaded

It appears to not like my using "$all_http_ports" in line 16 and one of the three in the last line (which the machine chooses to call 24 but it is actually referring to 25). Why?
beno 3
From owner-freebsd-pf@FreeBSD.ORG Fri Aug 18 18:26:28 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Fri, 18 Aug 2006 20:26:09 +0200
References: <44E5E816.1030304@2012.vi>
Message-Id: <200608182026.19006.max@love2party.net>
Subject: Re: Syntax Error

On Friday 18 August 2006 19:03, Jeremy C. Reed wrote:
> > For some reason the parser likes this syntax in certain places but
> > not in others:
> >
> > 1. # SETTING THE STAGE
> > 2. # macros
> > 3. ext_if="vr0"
> > 4. int_if="lo0"
> > 5. http_ports="80 8080 7080"
> > 6. ssh_ports="22"
> > 7. ftp_ports="21 8021 7021"
> > 8. smtp_ports="25"
> > 9. pop3_ports="110"
> > 10. https_ports="443"
> > 11. imap_ssl_ports="993 143"
> > 12. squid_ports="3128"
> > 13. mysql_ports="3306"
> > 14. email_ports="{" $smtp_ports $pop3_ports "}"
> > 15. all_http_ports="{" $http_ports $https_ports "}"
> > 16. tcp_ports= "{" $ssh_ports $ftp_ports $all_http_ports
> > $imap_ssl_ports "}"
>
> I don't think you can put a list inside of another list.
>
> > 17. int_ports="{" $squid_ports $mysql_ports "}"
> > 18. tcp_services="ssh, ftp, http"
> > 20. web_server="202.71.106.119"
> > 21. NoRouteIPs = "127.0.0.0/8 192.168.0.0/16 172.16.0.0/12
> > 10.0.0.0/8"
> > 22. shinjiru_ip_addresses="202.71.102.114 202.71.100.126
> > 202.71.106.30 202.71.106.118 202.71.106.188 203.142.1.8"
> > 23. directv_ip_addresses="69.19.0.0/17"
> > 24. shadday_ip_addresses="70.19.0.0/17"
> > 25. ssh_ip_addresses="{" $shinjiru_ip_addresses $directv_ip_addresses
> > $shadday_ip_addresses "}"
>
> I don't know why the list doesn't allow the macro with the /netmask. If
> the macros don't have a /netmask the list works (but not what you
> want).

That's a well-known problem in the pfctl-parser. Patches have been
proposed but never made it to the tree - afaik. Look in the archives of
this and the original ML for reasons and detailed discussion.

> > server167# pfctl -f /etc/pf.conf && sleep 60 && pfctl -f
> > /etc/pf.conf_BAK /etc/pf.conf:16: syntax error
> > /etc/pf.conf:24: syntax error
> > pfctl: Syntax error in config file: pf rules not loaded
> >
> > It appears to not like my using "$all_http_ports" in line 16 and one
> > of the three in the last line (which the machine chooses to call 24
> > but it is actually referring to 25). Why?
>
> Because you are missing line #19 above so it is off by one.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 18 18:42:17 2006
From: beno -
To: freebsd-pf@freebsd.org
Date: Fri, 18 Aug 2006 11:42:12 -0700 (PDT)
In-Reply-To: <200608182026.19006.max@love2party.net>
Message-ID: <20060818184212.17549.qmail@web33911.mail.mud.yahoo.com>
Subject: Re: Syntax Error

Max Laier wrote:
> > 5. http_ports="80 8080 7080"
> > 6. ssh_ports="22"
> > 7. ftp_ports="21 8021 7021"
> > 8. smtp_ports="25"
> > 9. pop3_ports="110"
> > 10. https_ports="443"
> > 11. imap_ssl_ports="993 143"
> > 12. squid_ports="3128"
> > 13. mysql_ports="3306"
> > 14. email_ports="{" $smtp_ports $pop3_ports "}"
> > 15. all_http_ports="{" $http_ports $https_ports "}"
> > 16. tcp_ports= "{" $ssh_ports $ftp_ports $all_http_ports
> > $imap_ssl_ports "}"
>
> I don't think you can put a list inside of another list.

You most certainly can nest lists. It works in several examples above. For some reason--and I would like to know that reason--it doesn't work in line #16. Please help.

That's a well-known problem in the pfctl-parser. Patches have been proposed but never made it to the tree - afaik. Look in the archives of this and the original ML for reasons and detailed discussion.

In other words, using CIDR blocks in nested lists doesn't work? I'll research that. I hope there's a work-around!

Thanks,
beno
From owner-freebsd-pf@FreeBSD.ORG Fri Aug 18 18:53:25 2006
From: "Jeremy C. Reed"
To: beno -
Cc: freebsd-pf@freebsd.org
Date: Fri, 18 Aug 2006 13:52:34 -0500 (CDT)
In-Reply-To: <20060818184212.17549.qmail@web33911.mail.mud.yahoo.com>
Subject: Re: Syntax Error

On Fri, 18 Aug 2006, beno - wrote:

> > > 6. ssh_ports="22"
> > > 7. ftp_ports="21 8021 7021"
> > > 8. smtp_ports="25"
> > > 9. pop3_ports="110"
> > > 10. https_ports="443"
> > > 11. imap_ssl_ports="993 143"
> > > 12. squid_ports="3128"
> > > 13. mysql_ports="3306"
> > > 14. email_ports="{" $smtp_ports $pop3_ports "}"
> > > 15. all_http_ports="{" $http_ports $https_ports "}"
> > > 16. tcp_ports= "{" $ssh_ports $ftp_ports $all_http_ports
> > > $imap_ssl_ports "}"
> >
> > I don't think you can put a list inside of another list.
>
> You most certainly can nest lists. It works in several examples above.
> For some reason--and I would like to know that reason--it doesn't work
> in line #16. Please help.

What examples?

You only have one example above of putting a list in a list (and it is
your error).

You have several examples of putting macros in a list.

I think you are confusing the terminology or usage of "lists" versus
"macros".

---------------------------------
Coming soon: PF Book http://www.reedmedia.net/book/pf-book/
greytrapping :) fun@reedmedia.net

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 18 19:02:39 2006
From: "Ivan Levchenko"
To: "Jeremy C. Reed"
Date: Fri, 18 Aug 2006 22:02:28 +0300
Cc: freebsd-pf@freebsd.org
Subject: Re: Syntax Error

look in the openbsd faq for pf, there was an example on how to nest a list inside of a list or something like that.

On 8/18/06, Jeremy C. Reed wrote:
> On Fri, 18 Aug 2006, beno - wrote:
>
> > > > 6. ssh_ports="22"
> > > > 7. ftp_ports="21 8021 7021"
> > > > 8. smtp_ports="25"
> > > > 9. pop3_ports="110"
> > > > 10. https_ports="443"
> > > > 11. imap_ssl_ports="993 143"
> > > > 12. squid_ports="3128"
> > > > 13. mysql_ports="3306"
> > > > 14. email_ports="{" $smtp_ports $pop3_ports "}"
> > > > 15. all_http_ports="{" $http_ports $https_ports "}"
> > > > 16. tcp_ports= "{" $ssh_ports $ftp_ports $all_http_ports
> > > > $imap_ssl_ports "}"
> > >
> > > I don't think you can put a list inside of another list.
> >
> > You most certainly can nest lists. It works in several examples above.
> > For some reason--and I would like to know that reason--it doesn't work
> > in line #16. Please help.
>
> What examples?
>
> You only have one example above of putting a list in a list (and it is
> your error).
>
> You have several examples of putting macros in a list.
>
> I think you are confusing the terminology or usage of "lists" versus
> "macros".
>
> ---------------------------------
> Coming soon: PF Book http://www.reedmedia.net/book/pf-book/
> greytrapping :) fun@reedmedia.net

-- 
Best Regards,
Ivan Levchenko
levchenko.i@gmail.com

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 18 19:19:10 2006
From: Daniel Hartmeier
To: beno -
Cc: freebsd-pf@freebsd.org
Date: Fri, 18 Aug 2006 21:19:07 +0200
Message-ID: <20060818191907.GD20788@insomnia.benzedrine.cx>
In-Reply-To: <20060818184212.17549.qmail@web33911.mail.mud.yahoo.com>
Subject: Re: Syntax Error
On Fri, Aug 18, 2006 at 11:42:12AM -0700, beno - wrote:

> > I don't think you can put a list inside of another list.
>
> You most certainly can nest lists. It works in several examples above. For some reason--and I would like to know that reason--it doesn't work in line #16. Please help.

No, you can't nest lists, as in

  pass ... from { { 10.1.2.3, 10.2.3.4 }, { 10.3.4.5 } }

i.e. {} within {}. I think a recent commit to -current makes that valid, but it's not in any release yet, and I doubt there are any examples of it online yet.

If what you meant was building a macro defining a {} list based on other macros (i.e. nesting macros, not nesting {} lists), see the thread

  http://marc.theaimsgroup.com/?t=114842643500002&r=1&w=2

The syntax is hairy, and duplicating some literals might be the lesser of two evils.

Daniel

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 18 19:23:54 2006
Message-ID: <20060818192353.35680.qmail@web33905.mail.mud.yahoo.com>
Date: Fri, 18 Aug 2006 12:23:53 -0700 (PDT)
From: beno -
To: "Jeremy C. Reed", freebsd-pf@freebsd.org
Subject: Re: Syntax Error

You're right, I did confuse the terms "macro" and "list". However, I believe you're wrong on your assessment. Here's the complete code again:

1. # SETTING THE STAGE
2. # macros
3. ext_if="vr0"
4. int_if="lo0"
5. http_ports="80 8080 7080"
6. ssh_ports="22"
7. ftp_ports="21 8021 7021"
8. smtp_ports="25"
9. pop3_ports="110"
10. https_ports="443"
11. imap_ssl_ports="993 143"
12. squid_ports="3128"
13. mysql_ports="3306"
14. email_ports="{" $smtp_ports $pop3_ports "}"
15. all_http_ports="{" $http_ports $https_ports "}"
16. tcp_ports= "{" $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports "}"
17. int_ports="{" $squid_ports $mysql_ports "}"
18. tcp_services="ssh, ftp, http"
19. web_server="202.71.106.119"
20. NoRouteIPs = "127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
21. shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30 202.71.106.118 202.71.106.188 203.142.1.8"
22. directv_ip_addresses="69.19.0.0/17"
23. shadday_ip_addresses=""
24. ssh_ip_addresses="{" $shinjiru_ip_addresses $directv_ip_addresses $shadday_ip_addresses "}"

* The first error is thrown from the $all_http_ports macro in line #16. That is a macro with two other macros nested inside it, not lists.
* The second error is thrown from the CIDR block which is nested as the macro $directv_ip_addresses in line #24. An earlier respondent indicated I should research that subject in the archives, since it was a known problem, but searching for "CIDR" in both this and the main list turned up nothing :(

Hoping for answers,
beno

"Jeremy C. Reed" wrote:
On Fri, 18 Aug 2006, beno - wrote:

> > > 6. ssh_ports="22"
> > > 7. ftp_ports="21 8021 7021"
> > > 8. smtp_ports="25"
> > > 9. pop3_ports="110"
> > > 10. https_ports="443"
> > > 11. imap_ssl_ports="993 143"
> > > 12. squid_ports="3128"
> > > 13. mysql_ports="3306"
> > > 14. email_ports="{" $smtp_ports $pop3_ports "}"
> > > 15. all_http_ports="{" $http_ports $https_ports "}"
> > > 16. tcp_ports= "{" $ssh_ports $ftp_ports $all_http_ports
> > > $imap_ssl_ports "}"
> >
> > I don't think you can put a list inside of another list.
>
> You most certainly can nest lists. It works in several examples above.
> For some reason--and I would like to know that reason--it doesn't work
> in line #16. Please help.

What examples?

You only have one example above of putting a list in a list (and it is
your error).

You have several examples of putting macros in a list.

I think you are confusing the terminology or usage of "lists" versus
"macros".

---------------------------------
Coming soon: PF Book http://www.reedmedia.net/book/pf-book/
greytrapping :) fun@reedmedia.net
From owner-freebsd-pf@FreeBSD.ORG Sat Aug 19 07:04:38 2006
Message-ID: <44E6FD75.1050205@gmail.com>
Date: Sat, 19 Aug 2006 10:00:53 -0200
From: Ozgur Ozdemircili
To: freebsd-pf@freebsd.org
Subject: Divert

Hello,

As an old ipfw user I'm trying to switch my firewalls to pf. My network is as shown below:

Clientnetwork ------ Freebsd fw ----- modem
                        l l
                        l l
                        l l
                     w2003 Rras-------

I normally have a rule on ipfw that lets me divert a port (for example 1863) into a win 2003 server machine which has routing and remote access enabled. This gives me the chance to sniff the copy of all the conversations in the network as a part of company policy.

In ipfw I used:

ipfw add divert $w2003 tcp from $clients to me eq 1863

How can I get this done in Pf?

Thank you.
From owner-freebsd-pf@FreeBSD.ORG Sat Aug 19 09:49:44 2006
Date: Sat, 19 Aug 2006 04:49:40 -0500
From: "Travis H."
To: "beno -"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <20060818170511.15779.qmail@web33910.mail.mud.yahoo.com>
Subject: Re: Syntax Error

On 8/18/06, beno - wrote:
> 14. email_ports="{" $smtp_ports $pop3_ports "}"
> 15. all_http_ports="{" $http_ports $https_ports "}"
> 16. tcp_ports= "{" $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports "}"

You're trying to nest lists, which doesn't work.

> 24. shadday_ip_addresses="70.19.0.0/17"
> 25. ssh_ip_addresses="{" $shinjiru_ip_addresses $directv_ip_addresses $shadday_ip_addresses "}"

> It appears to not like my using "$all_http_ports" in line 16 and one of the three in the last line (which the machine chooses to call 24 but it is actually referring to 25). Why?

This is just a guess, but perhaps the error on line 16 meant it didn't increment the line counter, so the last line number is off-by-one.

In any case, you did the same thing here. Get rid of the nested braces (remember, this is textual expansion) and you should be fine.

-- 
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
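As an added example (not code from the thread, from pfctl or from any project), the following Python models the textual macro expansion Travis describes and reproduces both errors beno reports, using real file line numbers so the off-by-one Jeremy points out shows up as well. The tokenizer, the CONF_* sample inputs and the fixed macro block are assumptions built from what this thread shows, not pfctl's own parser.

```python
import re

# Added example, not code from the thread or from pfctl.  pf.conf macros are
# textual: a $name reference is replaced by the macro's stored text, which the
# lexer reads again.  The tokenizer is an assumption modelling what the thread
# shows: a quoted "..." is one string token; an unquoted { } or / is its own.
MACRO_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$')
TOKEN_RE = re.compile(r'"([^"]*)"|\$([A-Za-z_]\w*)|([{}/])|([^\s{}/"$]+)')
KINDS = {1: "STRING", 2: "REF", 3: "PUNCT", 4: "WORD"}

def tokenize(text):
    """Split pf.conf text into (kind, text) pairs."""
    return [(KINDS[m.lastindex], m.group(m.lastindex))
            for m in TOKEN_RE.finditer(text)]

def expand(raw, macros):
    """Substitute every $ref by its stored text and re-lex that text."""
    out = []
    for kind, text in tokenize(raw):
        if kind == "REF":
            out.extend(tokenize(macros[text]))  # KeyError if undefined
        else:
            out.append((kind, text))
    return out

def parse_macros(conf, filename="pf.conf"):
    """Read a macro-only pf.conf.  Returns (errors, macros): pfctl-style
    messages with the real file line number, and each accepted macro's text."""
    macros, errors = {}, []
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = MACRO_RE.match(line)
        if m is None:  # blank line, comment or anything that is not a macro
            continue
        name, raw = m.groups()
        tokens = expand(raw, macros)
        # A brace or slash that arrived through another macro is unquoted now
        # and is not allowed in a definition: the errors on lines 16 and 24.
        if any(kind == "PUNCT" for kind, _ in tokens):
            errors.append(f"{filename}:{lineno}: syntax error")
            continue
        macros[name] = " ".join(text for _, text in tokens)
    return errors, macros

# Constructed input: the macro block as posted, without the author's numbering
# (his list skips 19, so his "25" is file line 24).
CONF_FROM_THREAD = """\
# SETTING THE STAGE
# macros
ext_if="vr0"
int_if="lo0"
http_ports="80 8080 7080"
ssh_ports="22"
ftp_ports="21 8021 7021"
smtp_ports="25"
pop3_ports="110"
https_ports="443"
imap_ssl_ports="993 143"
squid_ports="3128"
mysql_ports="3306"
email_ports="{" $smtp_ports $pop3_ports "}"
all_http_ports="{" $http_ports $https_ports "}"
tcp_ports= "{" $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports "}"
int_ports="{" $squid_ports $mysql_ports "}"
tcp_services="ssh, ftp, http"
web_server="202.71.106.119"
NoRouteIPs = "127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30 202.71.106.118 202.71.106.188 203.142.1.8"
directv_ip_addresses="69.19.0.0/17"
shadday_ip_addresses="70.19.0.0/17"
ssh_ip_addresses="{" $shinjiru_ip_addresses $directv_ip_addresses $shadday_ip_addresses "}"
"""

# Constructed fix along the replies' lines: a macro that other macros reference
# carries no braces (use port { $all_http_ports } in a rule), and a /netmask
# literal is quoted where the list is built instead of coming via a macro.
CONF_FIXED = """\
http_ports="80 8080 7080"
https_ports="443"
ssh_ports="22"
ftp_ports="21 8021 7021"
imap_ssl_ports="993 143"
all_http_ports=$http_ports $https_ports
tcp_ports="{" $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports "}"
shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30"
ssh_ip_addresses="{" $shinjiru_ip_addresses "69.19.0.0/17" "70.19.0.0/17" "}"
"""

if __name__ == "__main__":
    for conf in (CONF_FROM_THREAD, CONF_FIXED):
        errors, macros = parse_macros(conf)
        print(errors or "no errors", "|", macros.get("tcp_ports"), "|", macros.get("ssh_ip_addresses"))
```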
From owner-freebsd-pf@FreeBSD.ORG Sat Aug 19 12:42:59 2006
Date: Sat, 19 Aug 2006 07:42:56 -0500
From: "Travis H."
To: "Ozgur Ozdemircili"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <44E6FD75.1050205@gmail.com>
Subject: Re: Divert

On 8/19/06, Ozgur Ozdemircili wrote:
> How can I get this done in Pf?

dup-to

-- 
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484