From owner-freebsd-pf@FreeBSD.ORG Tue May 17 20:10:15 2005
From: "dave"
Date: Tue, 17 May 2005 15:40:31 -0400
Subject: pf and mpd

Hello,

Does anyone have a pf configuration for mpd? I'm allowing port 1723 in, but when I attempt a connection from outside my network I'm getting an error 619. Connections within the network work fine, so I don't believe this is an mpd issue.

Thanks.
Dave.
From owner-freebsd-pf@FreeBSD.ORG Tue May 17 20:15:01 2005
From: Odhiambo Washington
To: freebsd-pf@freebsd.org
Date: Tue, 17 May 2005 23:14:41 +0300
Subject: Re: pf and mpd

* dave [20050517 23:10]: wrote:
> Hello,
> Does anyone have a pf configuration for mpd? I'm allowing port 1723 in
> but when I attempt a connection from outside my network I'm getting an error
> 619. Connections within the network work fine so I don't believe this is a
> mpd issue.

Hi Dave,

Since these folks don't have their "crystal glasses" (I know it for sure they all broke theirs!), I am 100% sure they will give you an answer only when you show them your full pf.conf, because only then can they tell where you are not doing things correctly.

-Wash

http://www.netmeister.org/news/learn2quote.html

--
Odhiambo Washington, Wananchi Online Ltd. www.wananchi.com
Tel: +254 20 313985-9 +254 20 313922
GSM: +254 722 743223 +254 733 744121

You think Oedipus had a problem -- Adam was Eve's mother.

From owner-freebsd-pf@FreeBSD.ORG Tue May 17 20:19:59 2005
From: "dave"
To: Odhiambo Washington, freebsd-pf@freebsd.org
Date: Tue, 17 May 2005 16:19:44 -0400
Subject: Re: pf and mpd
Hello,

Thanks for your reply. Ok, below is my pf.conf file.

Thanks.
Dave.

# pf.conf
# for use on gateway box
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# define the two interface macros
EXT = "ep0"
LAN = "ep1"

# define some address macros
LAN_SERVER = "192.168.0.3"
LAN_FIREWALL = "192.168.0.254"
LAN_CLIENTS = "192.168.0.0/24"
LAN_ADMIN = "192.168.0.0/24"

# define some non-routable addresses used in spoof attacks originating from the internet
# (kept in a table: a "!" entry inside a plain { } list expands into a separate rule
# matching everything except that host, whereas in a table it is an exclusion)
table <private_blocks> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, !10.40.224.1 }

# define some service macros
LAN_TO_INT_SERVICES = "{ ftp-data, ftp, domain, cvsup, ssh, smtp, http, pop3, imap, https, imaps, pop3s, 8000, 8880, 8080, 1793, 1794, 1795, 1790, 1791, 1792 }"
INT_TO_LAN_SERVICES = "{ www, https, ssh, smtp, pop3, pop3s, 8000, 1723 }"
LAN_TO_FW_SERVICES = "{ ssh }"
FW_TO_LAN_SERVICES = "{ ssh }"

# options
# expire state connections early
set optimization aggressive
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# normalize packets to prevent fragmentation attacks
scrub in on $EXT all

# translate lan client addresses to that of EXT
nat on $EXT from $LAN_CLIENTS to any -> ($EXT)

# redirections
rdr on $EXT proto tcp from any to any port 80 -> $LAN_SERVER port 80
rdr on $EXT inet proto tcp from any os "Windows" to any port 25 -> 127.0.0.1 port 8025

# redirect lan client active FTP requests (to an FTP server's control port 21)
# to the ftp-proxy running on the firewall host (via inetd on port 8021)
rdr on $LAN proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# pass loopback traffic
pass quick on lo0 all

# block windows email relays
block in quick on $EXT inet proto tcp from any os "Windows" to any port 25

# immediately prevent IPv6 traffic from entering or leaving all interfaces
block quick inet6 all

# silently block and drop broadcast cable modem noise
block in quick on $EXT from any to 255.255.255.255

# Block bad tcp flags from malicious people and nmap scans
block in quick on $EXT proto tcp from any to any flags /S
block in quick on $EXT proto tcp from any to any flags /SFRA
block in quick on $EXT proto tcp from any to any flags /SFRAU
block in quick on $EXT proto tcp from any to any flags A/A
block in quick on $EXT proto tcp from any to any flags F/SFRA
block in quick on $EXT proto tcp from any to any flags U/SFRAU
block in quick on $EXT proto tcp from any to any flags SF/SF
block in quick on $EXT proto tcp from any to any flags SF/SFRA
block in quick on $EXT proto tcp from any to any flags SR/SR
block in quick on $EXT proto tcp from any to any flags FUP/FUP
block in quick on $EXT proto tcp from any to any flags FUP/SFRAUPEW
block in quick on $EXT proto tcp from any to any flags SFRAU/SFRAU
block in quick on $EXT proto tcp from any to any flags SFRAUP/SFRAUP
block in quick on $EXT proto tcp all flags FUP/FUP

# immediately prevent packets with invalid addresses from entering or exiting EXT (anti-spoofing measure)
block drop in quick on $EXT inet from <private_blocks> to any
#block drop out quick on $EXT inet from any to <private_blocks>

# prevent lan originated spoofing from occurring
antispoof for $EXT inet

# block everything from entering EXT
block in on $EXT all

# prevent invalid internet UDP and TCP requests from timing out
block return in on $EXT proto { udp, tcp } all

# allow internet requests to enter EXT
# in order to contact our lan server (keep state on this connection)
pass in on $EXT \
    inet proto tcp \
    from any to $LAN_SERVER \
    port $INT_TO_LAN_SERVICES \
    flags S/AUPRFS \
    synproxy state

# Allow remote FTP servers (on data port 20) to respond to the proxy's
# active FTP requests by contacting it on the port range specified in inetd.conf
pass in on $EXT \
    inet proto tcp \
    from any port 20 \
    to $EXT port 55000 >< 57000 \
    user proxy \
    flags S/SA keep state

# block everything from exiting EXT
block out on $EXT all

# allow UDP requests to port 53 from firewall to exit EXT
# in order to contact internet nameservers (keep state on this connection)
pass out on $EXT \
    inet proto udp \
    from $EXT to any \
    port 53 \
    keep state

# Allow UDP requests to ports 67/68 (dhcp) and 123 (ntp) from firewall to exit EXT
# in order to contact internet dhcp and time servers (keep state on this connection)
pass out log on $EXT \
    proto udp \
    from $EXT to any \
    port { 67, 68, 123 } \
    keep state

# allow lan traffic from lan clients to exit EXT
# (after natting is performed) in order to contact internet web servers
# (keep state on this connection)
pass out on $EXT \
    inet proto tcp \
    from $EXT to any \
    port $LAN_TO_INT_SERVICES \
    flags S/AUPRFS modulate state

# allow ICMP requests from firewall to exit EXT (after natting is performed)
# in order to ping/traceroute internet hosts on behalf of lan admin
pass out on $EXT \
    inet proto icmp \
    from $EXT to any \
    icmp-type 8 \
    keep state

# allow ftp active requests out
pass out on $EXT \
    inet proto tcp \
    from $EXT to any \
    port 20 \
    flags S/AUPRFS modulate state

# allow firewall to contact ftp server on behalf of passive ftp client
# on control port 21
pass out on $EXT \
    inet proto tcp \
    from $EXT to any \
    port 21 \
    flags S/AUPRFS modulate state

# allow firewall to contact ftp server on behalf of passive ftp client
# on standard unprivileged port range ( > 1024 )
pass out on $EXT \
    inet proto tcp \
    from $EXT to any \
    port > 1024 \
    flags S/AUPRFS modulate state

# block everything from entering LAN
block in on $LAN all

# allow UDP requests to port 53 from lan clients to enter LAN
# in order to perform dns queries on the firewall (keep state on this connection)
pass in on $LAN \
    inet proto udp \
    from $LAN_CLIENTS to $LAN_FIREWALL \
    port 53 \
    keep state

# allow lan traffic from lan clients to enter lan
# in order to contact internet web servers (keep state on this connection)
pass in on $LAN \
    inet proto tcp \
    from $LAN_CLIENTS to any \
    port $LAN_TO_INT_SERVICES \
    flags S/AUPRFS modulate state

# lan admin connects to firewall via ssh for administrative purposes
pass in on $LAN \
    inet proto tcp \
    from $LAN_ADMIN to $LAN_FIREWALL \
    port $LAN_TO_FW_SERVICES \
    modulate state

# allow requests from lan admin to enter LAN
# in order to ping/traceroute any system (firewall, dmz server, and internet hosts)
pass in on $LAN \
    inet proto icmp \
    from $LAN_ADMIN to any \
    icmp-type 8 \
    keep state

# block everything from exiting LAN
block out on $LAN all

# allow internet requests to exit lan
# in order to contact our web server (keep state on this connection)
pass out on $LAN \
    inet proto tcp \
    from any to $LAN_SERVER \
    port $INT_TO_LAN_SERVICES \
    flags S/AUPRFS synproxy state

# firewall connects to the lan server via scp/ssh for backup purposes
pass out on $LAN \
    inet proto tcp \
    from $LAN_FIREWALL to $LAN_SERVER \
    port $FW_TO_LAN_SERVICES \
    modulate state
From owner-freebsd-pf@FreeBSD.ORG Tue May 17 21:31:15 2005
From: "Constantine A. Murenin"
To: freebsd-pf@freebsd.org
Date: Tue, 17 May 2005 17:31:09 -0400
Subject: pf(4) manual page suggestion / bug-report on History section

Hello,

Why does the FreeBSD man page for pf(4) not list anything relevant to FreeBSD in the History section? I believe that in addition to saying that pf "first appeared in OpenBSD 3.0", it should say that "FreeBSD support was added in FreeBSD 5.3". :-)

Cheers,
Constantine.
From owner-freebsd-pf@FreeBSD.ORG Tue May 17 21:39:11 2005
From: "Greg Hennessy"
Date: Tue, 17 May 2005 22:38:49 +0100
Subject: RE: pf and mpd

> # options
> # expire state connections early
> set optimization aggressive

Why?

> set block-policy drop

set block-policy return
# makes you a good internet citizen and helps debug problems on your own network.

> # to the ftp-proxy running on the firewall host (via inetd on port 8081)
> rdr on ep1 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
>
> # pass loopback traffic

# Stick a
block log all
# here, a default deny posture is the most secure.
# if you cannot see what's being dropped by default
# it's impossible to debug. Log everything! You can always tone it
# down when the policy has been debugged.

> pass quick on lo0 all
>
> # block windows email relays
> block in quick on $EXT inet proto tcp from any os "Windows" to any port 25

You've just killed anyone using Exchange as an MTA by doing that.

> # immediately prevent IPv6 traffic from entering or leaving all interfaces
> block quick inet6 all

A default block policy will do that anyway.

> # silently block and drop broadcast cable modem noise
> block in quick on $EXT from any to 255.255.255.255
>
> # Block bad tcp flags from malicious people and nmap scans

A waste of time, scrub will sort that.

> flags S/AUPRFS modulate state

This is a *really* bad idea, use flags 'S/SA' only. Otherwise it *will* cause problems.

Applying 'modulate state' to each rule is overkill, let scrub of the form

scrub on $EXT reassemble tcp random-id

take care of it.

> # allow firewall to contact ftp server on behalf of passive ftp client
> # on control port 21
> pass out on $EXT \
>     inet proto tcp \
>     from $EXT to any \
>     port 21 \
>     flags S/AUPRFS modulate state
>
> # allow firewall to contact ftp server on behalf of passive ftp client
> # on standard unprivileged port range ( > 1024 )
> pass out on $EXT \
>     inet proto tcp \
>     from $EXT to any \
>     port > 1024 \
>     flags S/AUPRFS modulate state
>
> # block everything from entering LAN
> block in on $LAN all

Handled by a default block policy.

> # allow UDP requests to port 53 from lan clients to enter LAN
> # in order to perform dns queries on the firewall (keep state on this connection)
> pass in on $LAN \
>     inet proto udp \
>     from $LAN_clients to $LAN_firewall \
>     port 53 \
>     keep state
>
> # allow lan traffic from lan clients to enter lan
> # in order to contact internet web servers (keep state on this connection)
> pass in on $LAN \
>     inet proto tcp \
>     from $LAN_clients to any \
>     port $LAN_TO_INT_SERVICES \
>     flags S/AUPRFS modulate state

PPTP consists of two parts, IP protocol 47 or GRE, and 1723/tcp.

You're not allowing in the GRE part of the traffic.

When I used mpd and pf last you needed a rule of the form

pass in on $EXT inet proto gre to $EXT keep state

& you need to add rules to allow traffic to flow for the ng* interfaces mpd will create on the fly for each tunnel.

Greg

From owner-freebsd-pf@FreeBSD.ORG Wed May 18 05:49:44 2005
From: Chris Buechler
To: dave
Cc: freebsd-pf@freebsd.org
Date: Wed, 18 May 2005 01:49:42 -0400
Subject: Re: pf and mpd
On 5/17/05, dave wrote:
> Hello,
> Does anyone have a pf configuration for mpd? I'm allowing port 1723 in
> but when I attempt a connection from outside my network I'm getting an error
> 619. Connections within the network work fine so I don't believe this is a
> mpd issue.
>

619 (assuming you're talking Windows PPTP client), in my experience, is typical of a firewall involved somewhere breaking GRE (IP protocol 47). Permit GRE and it should work fine. If that's not the case, if the client is behind NAT, the remote side's NAT device could be at fault.

-Chris

From owner-freebsd-pf@FreeBSD.ORG Wed May 18 07:29:53 2005
From: "Greg Hennessy"
Date: Wed, 18 May 2005 08:29:38 +0100
Subject: RE: pf and mpd

> Hello,
> Thanks for your detailed reply.

My pleasure mate.

> With set optimization aggressive I read it was a performance
> enhancer.

For 99% of real world usage it's not.

> I'm having an issue with pop, either pop3 or pop3s
> where locally it works fine, but if I'm on the road and
> attempting to pop it goes in spurts, gets some messages, then
> slows to a crawl, gets some more, and so forth. I was trying
> that option to see if it'll fix it.

Don't think that'll be the problem. It may be something to do with path MTU discovery. However cleaning up the policy may help also.

> I'll turn block-policy to return, see if I get anything further.

Applications will not hang & wait to time out if traffic is blocked. They will tell you if communication has been prevented.

> I've made the change set block all, and as for exchange I
> don't know if I really want to hear from anyone running a
> windows mailserver given all the worms and so forth, do I?

If you have any email contact using exchange and no secondary MX setup, you most definitely do. Otherwise they will not be able to send to you.

A secondary MX hosted somewhere else is always a good idea to begin with.

> Thanks for the tip on the flags, and modulate state, I've
> changed both of them through the file, I didn't realize those
> would have that much of a performance and/or security or
> compatibility hit.

Every day a school day. :-)

> Any other suggestions let me know, one thing, since I'm
> passing gre and ng0 traffic such as:
>
> pass in on $EXT inet proto gre from any to $LAN_SERVER keep state
> pass on ng0 from any to $LAN_SERVER keep state

Recommend enabling logging on both those rules, so you see if they are being triggered.

For more immediate logging rather than the default 60 seconds with pflogd, either change the relevant rc.conf entry and set pflogd flags to the minimum of 5 seconds, or use the following and log directly to syslog instead

http://www.freebsdforums.org/forums/showthread.php?s=&postid=139518&highlight=tcpdump#post139518

Personally I use the syslog route on anything which doesn't have really large volumes of traffic.

Appreciating how 'quick' works will also be useful.

> do I need to have rdr rules for these as well?

No, just configure MPD to listen on the external interface.

As I recall, I had to put in a pass out rule for gre as well.

As Chris says in the followup, the important thing with GRE is to avoid natting it. Many to one nat without some form of helper support will break GRE.

> Thanks also for the tip on block all, I think that gives me
> more of the effect I want.

A default block policy is much easier to maintain, as you are only going to permit traffic you want.

> Dave.
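Greg Hennessy's two replies above, taken together, describe a complete PPTP ruleset: tcp/1723 plus GRE in and out, rules on the ng* interfaces mpd creates, a logged default deny, scrub in place of per-rule flag matching and "modulate state", and no NAT on GRE. The following pf.conf pulls that advice into one file. It is an editor-added example, not a configuration posted in this thread or shipped with mpd or pf. It assumes mpd runs on the firewall itself and listens on the external address (as Greg suggests), that mpd names its links ng0 through ng3, and it reuses Dave's interface names ep0/ep1 and LAN range 192.168.0.0/24; everything else is pf syntax as documented in pf.conf(5).

```pf
# Added example, not from the thread: mpd/PPTP terminated on the firewall.
# Assumptions: mpd listens on the external address and brings up ng0..ng3
# (one per link); interface names and LAN range follow Dave's ruleset.
EXT = "ep0"
LAN = "ep1"
LAN_NET = "192.168.0.0/24"
PPTP_IFS = "{ ng0, ng1, ng2, ng3 }"

set block-policy return

# scrub does fragment reassembly, TCP sequence number randomisation and
# drops the odd flag combinations, so neither "modulate state" on every
# rule nor the long list of "block ... flags" rules is needed
scrub in on $EXT all reassemble tcp random-id

# LAN clients are NATed as usual; the firewall terminates the PPTP tunnels
# itself, so the inbound GRE is never translated (many-to-one NAT of GRE
# breaks it, GRE carries no port numbers)
nat on $EXT from $LAN_NET to any -> ($EXT)

# default deny, logged: dropped packets show up on pflog0
block log all
pass quick on lo0 all
antispoof quick for $EXT inet

# PPTP control connection to mpd on the firewall
pass in on $EXT inet proto tcp from any to ($EXT) port 1723 flags S/SA keep state

# GRE (IP protocol 47) carries the PPP frames; a Windows client that gets
# tcp/1723 through but not GRE reports error 619. Logged so that a client
# whose GRE never arrives is visible in pflog.
pass in  log on $EXT inet proto gre from any to ($EXT) keep state
pass out log on $EXT inet proto gre from ($EXT) to any keep state

# traffic inside the tunnels arrives on the ng* interfaces mpd creates
pass in  on $PPTP_IFS from any to $LAN_NET keep state
pass out on $PPTP_IFS from $LAN_NET to any keep state

# ... and is forwarded onto the LAN and back
pass out on $LAN from any to $LAN_NET keep state
pass in  on $LAN from $LAN_NET to any keep state

# LAN clients out to the internet (after NAT)
pass out on $EXT inet proto { tcp, udp, icmp } from ($EXT) to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it. To see whether the GRE rules fire for a remote client, watch the log interface with `tcpdump -n -e -ttt -i pflog0 ip proto 47`; for the quicker pflogd flushing Greg mentions, set `pflog_flags="-d 5"` in rc.conf.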
From owner-freebsd-pf@FreeBSD.ORG Wed May 18 14:56:25 2005
From: Matthew Grooms
To: freebsd-pf@freebsd.org
Date: Wed, 18 May 2005 10:01:02 -0500
Subject: ftp-proxy question

I am having problems passing passive ftp traffic via ftp-proxy. Active connections work fine. I tried using the -n flag; the control connection doesn't translate the server address, so the client attempts to make the control channel connection itself. Unfortunately I can't open up blanket access outbound for whatever random port the ftp server chooses. Does ftp-proxy only handle active connections?

Here are the rules from pf.conf ...

rdr on $if_int proto tcp from any to any port 21 -> lo0 port 8021
pass in quick log on $if_int proto tcp from any to lo0 port 8021 keep state
pass in quick log on $if_ext proto tcp from any to $if_ext port > 49152 keep state

And here is my entry in inetd.conf ....

ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -V -D 3

BTW: I haven't seen a single entry in /var/log/messages even with the -D and -V options specified. Did I not specify this correctly, or is ftp-proxy just broken in that regard?

Thanks in advance,
-Matthew

From owner-freebsd-pf@FreeBSD.ORG Wed May 18 15:54:46 2005
From: Fai
To: Matthew Grooms
Cc: freebsd-pf@freebsd.org
Date: Wed, 18 May 2005 23:55:03 +0800
Subject: Re: ftp-proxy question

My setup follows this site (mine is FreeBSD 5.3 + pf)
http://www.aei.ca/~pmatulis/pub/obsd_ftp.html

It seems that some option of the ftp-proxy is wrong:

> ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -V -D 3

should be

ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m lowport -M highport -t timeout

e.g.

ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 20000 -M 22000 -t 180

and a fw rule

pass in on $if_ext inet proto tcp from any port = ftp-data to 202.134.126.226 port 20000 >< 22000 user = 62 flags S/SA keep state

Hope the information helps.

cheers,
Fai
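Fai's inetd.conf line and active-mode rule, combined with Matthew's rdr and control-channel rules, give the skeleton of a working setup for the inetd-based ftp-proxy(8) that FreeBSD 5.x ships. The ruleset below assembles them; it is an editor-added example, not a configuration from the thread, from the pf project or from the ftp-proxy authors. It assumes interface macros if_ext/if_int on ep0/ep1 and a LAN of 192.168.0.0/24 (the same box as Dave's), the proxy dropped to user "proxy" with a data-port range of 20000-22000 as in Fai's inetd line, and a default-deny policy. The two outbound rules tied to `user proxy` are the editor's addition: they cover the connections the proxy itself originates from the firewall (the control channel to the server, and in passive mode without -n the data connection to the port the server announces, which the old ftp-proxy makes from the firewall rather than letting the client make it) without the blanket client egress Matthew cannot allow. Whether a given ftp-proxy version also needs a client-side rule for the passive data connection is not settled in the thread and is not assumed here.

```pf
# Added example, not from the thread: inetd-based ftp-proxy(8) on the
# firewall. Assumes /etc/inetd.conf carries Fai's line,
#   ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 20000 -M 22000 -t 180
# so the proxy runs as user "proxy" and listens for data connections on
# 20000-22000. Interface names and the LAN range are assumptions.
if_ext  = "ep0"
if_int  = "ep1"
lan_net = "192.168.0.0/24"

# LAN clients' FTP control connections are redirected to the proxy on loopback
rdr on $if_int inet proto tcp from $lan_net to any port 21 -> 127.0.0.1 port 8021

nat on $if_ext from $lan_net to any -> ($if_ext)

block log all
pass quick on lo0 all

# client -> proxy: after rdr the destination pf filters on is 127.0.0.1:8021
pass in on $if_int inet proto tcp from $lan_net to 127.0.0.1 port 8021 flags S/SA keep state

# proxy -> server control channel; "user proxy" matches only sockets owned
# by the proxy, so this is not a general egress rule for the firewall
pass out on $if_ext inet proto tcp from ($if_ext) to any port 21 user proxy flags S/SA keep state

# active mode (PORT): the server connects from ftp-data back to the port the
# proxy listens on in its -m/-M range (inclusive range, hence ":" not "><")
pass in on $if_ext inet proto tcp from any port 20 to ($if_ext) port 20000:22000 user proxy flags S/SA keep state

# passive mode (PASV) without -n: the proxy, not the client, connects to the
# unprivileged port the server announced, so the firewall needs an outbound
# rule for the proxy's own sockets rather than blanket client egress
pass out on $if_ext inet proto tcp from ($if_ext) to any port > 1023 user proxy flags S/SA keep state

# passive mode WITH -n (the mode Matthew cannot use): the client connects to
# the server's data port directly through NAT, which needs this instead
#pass out on $if_ext inet proto tcp from ($if_ext) to any port > 1023 flags S/SA keep state
```

Load it with `pfctl -f /etc/pf.conf` and, while testing, keep `block log all` so that a hanging transfer shows its dropped SYN on pflog0 with the source user and port; that tells you immediately whether the missing rule is on the client side, the server side or the proxy's own outbound connection.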
charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 18 May 2005 16:36:08.0018 (UTC) FILETIME=[B13E0B20:01C55BC7] X-Virus-Scanned: by amavisd-new at seton.org cc: freebsd-pf@freebsd.org Subject: Re: ftp-proxy question X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 May 2005 16:36:10 -0000 Fai, Thanks for your reply. When you use the -n flag with ftp-proxy, the client opens data connections directly to an ftp server. For this to happen, you must have a rule that allows internal clients access to anything on the internet because you can't tell what port the server will select for a data connection. I am not able to do this for political reasons. Has anyone tested ftp-proxy using PASV ftp data connections without the -n switch lately? It states at the bottom of the man page that it won't handle EPSV but eludes to the fact that it will handle PASV connections. Active connections work fine for me but passive data connections just hang ... Here are the rules from pf.conf ... rdr on $if_int proto tcp from any to any port 21 -> lo0 port 8021 pass in quick log on $if_int proto tcp from any to lo0 port 8021 keep state pass in quick log on $if_ext proto tcp from any to $if_ext port > 49152 keep state And here is my entry in inetd.conf .... 
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -V -D 3

-Matthew

Fai wrote:
> My setup follows this site (mine is FreeBSD 5.3 + pf)
> http://www.aei.ca/~pmatulis/pub/obsd_ftp.html
>
> it seems that some option of the ftp-proxy is wrong
>

From owner-freebsd-pf@FreeBSD.ORG Wed May 18 17:16:04 2005
Message-Id: <9607185D-D667-4469-93EF-2253E5841E5F@g2019.net>
Date: Thu, 19 May 2005 01:16:23 +0800
From: Fai
To: Matthew Grooms
Cc: freebsd-pf@freebsd.org
In-Reply-To: <428B7012.4050505@seton.org>
References: <428B58AE.9000807@seton.org> <428B7012.4050505@seton.org>
X-Content-Filtered-By: Mailman/MimeDel 2.1.1
Subject: Re: ftp-proxy question

Sorry Matthew,

Maybe something was missed in my last mail; it should contain:

ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m lowport -M highport -t timeout

e.g.
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 20000 -M 22000 -t 180

and a fw rule

pass in on $if_ext inet proto tcp from any port = ftp-data to 202.134.126.226 port 20000 >< 22000 user = 62 flags S/SA keep state

I didn't use the -n flag, and I checked netstat while downloading a file:
the ftp-proxy proxies passive mode as well. netstat shows something like this:

tcp4 0 0 123.123.123.123.21861 234.234.234.234.19008 ESTABLISHED
tcp4 0 724 123.123.123.123.20919 192.168.0.123.1646 ESTABLISHED
tcp4 0 0 123.123.123.123.21570 234.234.234.234.21 ESTABLISHED

where 123.123.123.123 is the FW, 234.234.234.234 is the ftp server and
192.168.0.123 is the client.

Hope this helps
Fai

On 19 May 2005, at 12:40 AM, Matthew Grooms wrote:

> Fai,
>
> Thanks for your reply. When you use the -n flag with ftp-proxy, the
> client opens data connections directly to an ftp server. For this
> to happen, you must have a rule that allows internal clients access
> to anything on the internet because you can't tell what port the
> server will select for a data connection. I am not able to do this
> for political reasons.
>
> Has anyone tested ftp-proxy using PASV ftp data connections without
> the -n switch lately? It states at the bottom of the man page that
> it won't handle EPSV but alludes to the fact that it will handle
> PASV connections. Active connections work fine for me but passive
> data connections just hang ...
>
> Here are the rules from pf.conf ...
>
> rdr on $if_int proto tcp from any to any port 21 -> lo0 port 8021
> pass in quick log on $if_int proto tcp from any to lo0 port 8021 keep state
> pass in quick log on $if_ext proto tcp from any to $if_ext port > 49152 keep state
>
> And here is my entry in inetd.conf ....
>
> ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -V -D 3
>
> -Matthew
>
> Fai wrote:
>
>> My setup follows this site (mine is FreeBSD 5.3 + pf)
>> http://www.aei.ca/~pmatulis/pub/obsd_ftp.html
>> it seems that some option of the ftp-proxy is wrong
>

From owner-freebsd-pf@FreeBSD.ORG Wed May 18 17:36:53 2005
Message-ID: <428B7E49.8040204@seton.org>
Date: Wed, 18 May 2005 12:41:29 -0500
From: Matthew Grooms
Organization: Seton Healthcare Network
To: Fai
Cc: freebsd-pf@freebsd.org
References: <428B58AE.9000807@seton.org> <428B7012.4050505@seton.org> <9607185D-D667-4469-93EF-2253E5841E5F@g2019.net>
In-Reply-To: <9607185D-D667-4469-93EF-2253E5841E5F@g2019.net>
Subject: Re: ftp-proxy question [ FIXED ]

Fai,

Doah! I'm a goofball. I have 4 firewalls up at the moment with two different
internet providers. I forgot to add routes in my core to forward traffic to
the respective firewalls' external interface addresses. For some reason, I
assumed the ftp-proxy daemon would bind to the internal interface to host
data connections internally. I guess the old saying, "when you assume you
make an ASS out of U and ME" holds water here. Or at least "An ass out of
ME" in this case ;)

Thanks again for your response and sorry for confusing your use of the -n
switch.

BTW : Congrats to Max and Gleb for all the hard work that has gone into
porting pf + carp to FreeBSD. This makes my life a whole lot easier and is
saving the company I work for a BUNDLE of money when compared to the
proprietary firewall package it is replacing. Thanks, really!!!
Matthew

From owner-freebsd-pf@FreeBSD.ORG Thu May 19 08:06:46 2005
From: Eugene Mitrofanov
Organization: Independent Media
To: freebsd-pf@freebsd.org
Date: Thu, 19 May 2005 12:06:14 +0400
Message-Id: <200505191206.14685.eugene@imedia.ru>
Subject: incoming traffic

Hi list

I have a little question.
As I can understand ALTQ queueing works for outgoing packets and it was
confirmed by my experiments with pf but in the '/usr/share/examples/pf/'
files there are a lot of lines like

pass in on dc0 from $boss to any queue boss_int

Does ALTQ filtering work for ingress?

Thanks
--
EMIT-RIPN, EVM7-RIPE

From owner-freebsd-pf@FreeBSD.ORG Thu May 19 14:54:15 2005
Date: Thu, 19 May 2005 16:54:10 +0200
From: Daniel Hartmeier
To: Eugene Mitrofanov
Cc: freebsd-pf@freebsd.org
Message-ID: <20050519145410.GC20705@insomnia.benzedrine.cx>
In-Reply-To: <200505191206.14685.eugene@imedia.ru>
References: <200505191206.14685.eugene@imedia.ru>
Subject: Re: incoming traffic

On Thu, May 19, 2005 at 12:06:14PM +0400, Eugene Mitrofanov wrote:

> I have a little question.
> As I can understand ALTQ queueing works for
> outgoing packets and it was confirmed by my experiments with pf but in the
> '/usr/share/examples/pf/' files there are a lot of lines like
>
> pass in on dc0 from $boss to any queue boss_int
>
> Does ALTQ filtering work for ingress?

No, it doesn't, can't and couldn't possibly ;)

That rule was probably meant to have a 'keep state' option. On 'pass in
keep state' rules, the 'queue' option is valid and affects how outgoing
replies related to those connections are queued on the same interface (or
how incoming packets are queued going out on another interface, when
forwarded).

Daniel

From owner-freebsd-pf@FreeBSD.ORG Sat May 21 08:20:19 2005
Date: Sat, 21 May 2005 11:20:14 +0300
From: Abu Khaled
Reply-To: Abu Khaled
To: pf@freebsd.org
Cc: questions@freebsd.org
Subject: moving from ipfw/dummynet to pf/altq

I need help moving from ipfw and dummynet to pf and altq. So far I have
converted most ipfw rules to pf.

Can someone tell me if there is something for altq like this for dummynet

# ipfw add 1 pipe 1 config bw 64Kbit/s queue 10Kbytes mask src-ip 0xffffffff
# ipfw add 2 pipe 2 config bw 128Kbit/s queue 20Kbytes mask dst-ip 0xffffffff

Or is there a better way to do it.

--
Kind regards
Abu Khaled

From owner-freebsd-pf@FreeBSD.ORG Sat May 21 08:42:06 2005
Message-ID: <001101c55de0$f6423a00$0200a8c0@satellite>
From: "dave"
Reply-To: dave
Date: Sat, 21 May 2005 04:42:02 -0400
Subject: two questions: ssh and synproxy

Hello,

Running pf on a 5.3 box and all is working, almost. I have a requirement
that if a connection is made from one host it will be directed to a
different machine, all other connections go somewhere else. For example
host1 makes an ssh connection and gets machine1, all other ssh connecting
hosts get machine2. I've tried various rdr rules and pass rules, but all
machines including host1 are getting machine2.

Also, does synproxy state work on 5.3? I had a rule with it loaded but no
connections were let through. If I changed that to keep state, reloaded the
rules, everything worked.

Thanks.
Dave.
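One way to express the source-dependent ssh redirection Dave asks about, added here as an example and not something posted in the thread; the interface name and all addresses are assumed placeholders. The point it shows is that pf evaluates translation (rdr) rules first-match, the opposite of filter rules, so the host-specific rule must come before the catch-all, and the pass rules must admit the translated destinations.

```pf
# Added example, not from the thread.  Interface and addresses are assumed.
ext_if   = "fxp0"
host1    = "198.51.100.7"     # the one client that should reach machine1
machine1 = "192.168.1.10"
machine2 = "192.168.1.20"

# Translation rules are evaluated in order and the FIRST match wins, unlike
# filter rules.  With these two lines swapped, the "from any" rule would
# match every client, host1 included, and all ssh would land on machine2.
rdr on $ext_if proto tcp from $host1 to $ext_if port 22 -> $machine1 port 22
rdr on $ext_if proto tcp from any    to $ext_if port 22 -> $machine2 port 22

# Filter rules see the packet after translation, so they must allow the
# redirected destination, not $ext_if.  Naming the two ssh hosts instead
# of "to any" keeps the rdr from widening what is reachable from outside.
pass in on $ext_if proto tcp from $host1 to $machine1 port 22 flags S/SA keep state
pass in on $ext_if proto tcp from any    to $machine2 port 22 flags S/SA keep state
```

After loading, `pfctl -s nat` shows the rdr rules in the order pf will try them, which is a quick check that the specific rule really sits first.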
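As an added illustration of Daniel's reply in the "incoming traffic" thread above (example configuration, not from the thread; interface names, bandwidths and the $boss address are assumed): the queue named on a 'pass in ... keep state' rule never shapes the inbound packet itself, it is carried by the state and applied when packets of that connection leave an interface on which that queue is defined.

```pf
# Added example, not from the thread.  Interfaces, bandwidths and $boss
# are assumed placeholders.
int_if = "dc0"          # LAN side, where $boss sits
ext_if = "fxp0"         # upstream side, no altq configured on it here
boss   = "192.168.0.10"

# Queues exist only on the interface packets LEAVE.  Nothing can be queued
# on the way in; by the time pf sees an inbound packet it has already
# arrived on the wire.
altq on $int_if cbq bandwidth 100Mb queue { std_int, boss_int }
queue std_int  bandwidth 90% cbq(default)
queue boss_int bandwidth 10% priority 6

# Case 1: same interface.  Eugene's rule with 'keep state' added.  The
# state created here remembers boss_int, and the REPLIES to $boss that
# go back out $int_if are the packets that end up in that queue.
pass in on $int_if proto tcp from $boss to any flags S/SA keep state queue boss_int

# Case 2: forwarded traffic.  Packets arriving on $ext_if for $boss leave
# on $int_if, so the $int_if queue named here is what applies to them.
pass in on $ext_if proto tcp from any to $boss port 22 flags S/SA keep state queue boss_int

# Without 'keep state' there is no state to carry the queue assignment to
# the reply packets, which is what Daniel says the quoted rule was missing.
```

`pfctl -vvs queue` on the running box shows per-queue packet counters, so a transfer to $boss should move the boss_int counters while the default queue stays flat.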