From owner-freebsd-pf@FreeBSD.ORG Mon Mar 19 11:08:35 2007
From: FreeBSD bugmaster (envelope-from owner-bugmaster@FreeBSD.org)
To: freebsd-pf@FreeBSD.org
Date: Mon, 19 Mar 2007 11:08:33 GMT
Message-Id: <200703191108.l2JB8X3n055529@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency

2 problems total.

Non-critical problems
S Tracker      Resp. Description
--------------------------------------------------------------------------------
f conf/81042   pf    [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/103304  pf    [pf] pf accepts nonexistent queue in rules
o kern/106400  pf    [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
o kern/110174  pf    [pf] pf pass route-to does not assign correct IP for t

6 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 19 14:02:09 2007
From: Eric (envelope-from heli@mikestammer.com)
To: freebsd-pf@freebsd.org
Date: Mon, 19 Mar 2007 08:35:23 -0500
Message-ID: <45FE919B.7040208@mikestammer.com>
Subject: pf logging differences

hello all,

I had a question about how pf is logging things. Here is the setup.

Full pf logs can be viewed here: http://mikestammer.pastebin.ca/401536

I have a machine set up like this:

Internet-->Router-->bge0

and it produces pf logs that look like this:

# tcpdump -n -e -ttt -i pflog0
# tcpdump: WARNING: pflog0: no IPv4 address assigned
# tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
# listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
# 000000 rule 0/0(match): block in on bge0: 60.224.185.113.4461 > 72.232.135.90.80: F 1036924808:1036924808(0) ack 1855180894 win 65535
# 000346 rule 0/0(match): block in on bge0: 60.224.185.113.4462 > 72.232.135.90.80: F 838861239:838861239(0) ack 471144513 win 65535
# 771114 rule 0/0(match): block in on bge0: 209.55.5.10.50123 > 72.232.135.94.53: 41394 [1au][|domain]
# 99. 474278 rule 0/0(match): block in on bge0: 202.100.109.213.1332 > 72.232.135.90.1434: UDP, length 376
# 740. 225307 rule 0/0(match): block in on bge0: 204.16.210.140.36203 > 72.232.135.90.1026: UDP, length 421
I recently set up my home server like this:

Internet-->ng0-->sk0

ng0 is handled by mpd4

in this case, pf logging looks like this:

# tcpdump -etttti pflog0
# tcpdump: WARNING: pflog0: no IPv4 address assigned
# tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
# listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 68 bytes
# 2007-03-19 08:19:35.242979 rule 1/0(match): block in on ng0: access.savagedata.net > 68.249.177.115: [|icmp]
# 2007-03-19 08:19:36.252372 rule 1/0(match): block in on ng0: access.savagedata.net > 68.249.177.115: [|icmp]
# 2007-03-19 08:19:37.262760 rule 1/0(match): block in on ng0: access.savagedata.net > 68.249.177.115: [|icmp]

Why is the first host producing more detailed logs? Why isn't pf showing the port that was blocked or anything else like it does in the first host? Is there a way to make the ng0 interface log more or is this due to the netgraph hooks into pf?
Thanks a bunch

Eric

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 19 14:19:45 2007
From: Max Laier (envelope-from max@love2party.net)
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Mon, 19 Mar 2007 15:19:31 +0100
References: <45FE919B.7040208@mikestammer.com>
In-Reply-To: <45FE919B.7040208@mikestammer.com>
Message-Id: <200703191519.37364.max@love2party.net>
Subject: Re: pf logging differences
On Monday 19 March 2007 14:35, Eric wrote:
> hello all,
>
> I had a question about how pf is logging things. Here is the setup.
>
> Full pf logs can be viewed here: http://mikestammer.pastebin.ca/401536
>
> I have a machine set up like this:
>
> Internet-->Router-->bge0
>
> and it produces pf logs that look like this:
>
> # tcpdump -n -e -ttt -i pflog0
> # tcpdump: WARNING: pflog0: no IPv4 address assigned
> # tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> # listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
> # 000000 rule 0/0(match): block in on bge0: 60.224.185.113.4461 > 72.232.135.90.80: F 1036924808:1036924808(0) ack 1855180894 win 65535
> # 000346 rule 0/0(match): block in on bge0: 60.224.185.113.4462 > 72.232.135.90.80: F 838861239:838861239(0) ack 471144513 win 65535
> # 771114 rule 0/0(match): block in on bge0: 209.55.5.10.50123 > 72.232.135.94.53: 41394 [1au][|domain]
> # 99. 474278 rule 0/0(match): block in on bge0: 202.100.109.213.1332 > 72.232.135.90.1434: UDP, length 376
> # 740. 225307 rule 0/0(match): block in on bge0: 204.16.210.140.36203 > 72.232.135.90.1026: UDP, length 421
> I recently set up my home server like this:
>
> Internet-->ng0-->sk0
>
> ng0 is handled by mpd4
>
> in this case, pf logging looks like this:
>
> # tcpdump -etttti pflog0
> # tcpdump: WARNING: pflog0: no IPv4 address assigned
> # tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> # listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 68 bytes
> # 2007-03-19 08:19:35.242979 rule 1/0(match): block in on ng0: access.savagedata.net > 68.249.177.115: [|icmp]
> # 2007-03-19 08:19:36.252372 rule 1/0(match): block in on ng0: access.savagedata.net > 68.249.177.115: [|icmp]
> # 2007-03-19 08:19:37.262760 rule 1/0(match): block in on ng0: access.savagedata.net > 68.249.177.115: [|icmp]
>
> Why is the first host producing more detailed logs? why isnt pf showing
> the port that was blocked or anything else like it does in the first
> host? Is there a way to make the ng0 interface log more or is this due
> to the netgraph hooks into pf?

Just specify a larger snaplen. "tcpdump -s 0" to catch the whole packet.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 19 14:32:42 2007
From: Eric (envelope-from heli@mikestammer.com)
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Mon, 19 Mar 2007 09:32:38 -0500
References: <45FE919B.7040208@mikestammer.com> <200703191519.37364.max@love2party.net>
In-Reply-To: <200703191519.37364.max@love2party.net>
Message-ID: <45FE9F06.6060301@mikestammer.com>
Subject: Re: pf logging differences

Max Laier wrote:
> On Monday 19 March 2007 14:35, Eric wrote:
>>
>> Why is the first host producing more detailed logs? why isnt pf showing
>> the port that was blocked or anything else like it does in the first
>> host? Is there a way to make the ng0 interface log more or is this due
>> to the netgraph hooks into pf?
>
> Just specify a larger snaplen. "tcpdump -s 0" to catch the whole packet.
>

THANK YOU! this works great.
Eric

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 19 14:52:10 2007
From: "Greg Hennessy" (envelope-from Greg.Hennessy@nviz.net)
To: 'Eric', freebsd-pf@freebsd.org
Date: Mon, 19 Mar 2007 14:52:00 -0000
References: <45FE919B.7040208@mikestammer.com>
In-Reply-To: <45FE919B.7040208@mikestammer.com>
Message-ID: <001d01c76a36$26216710$72643530$@Hennessy@nviz.net>
Subject: RE: pf logging differences

>
> Why is the first host producing more detailed logs? why isnt pf showing
> the port that was blocked or anything else like it does in the first
> host? Is there a way to make the ng0 interface log more or is this due
> to the netgraph hooks into pf?

At a rough guess, you've not got IPV6 compiled into the 2nd system, if not tcpdump defaults to a snaplen of 64 rather than 96 bytes.
Greg

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 20 01:38:00 2007
From: Max Laier (envelope-from max@love2party.net)
Organization: FreeBSD
Date: Tue, 20 Mar 2007 02:37:51 +0100
Cc: bsm@freebsd.org
Subject: Fwd: cvs commit: src/sys/net if.c if_var.h src/sys/netgraph ng_ether.c src/sys/netinet in.c in_var.h src/sys/netinet6 mld6.c

This should be interesting to people on this list. Please test Bruce's changes and report back.
I believe it should be possible/trivial to provide a patch for RELENG_6, but I don't have time right now. I will provide one tomorrow - unless Bruce is quicker. I believe people seeing this trouble with CARP and/or pfsync are on this list.

----------  Forwarded Message  ----------

Subject: cvs commit: src/sys/net if.c if_var.h src/sys/netgraph ng_ether.c src/sys/netinet in.c in_var.h src/sys/netinet6 mld6.c
Date: Tuesday 20 March 2007 01:36
From: Bruce M Simpson
To: src-committers@freebsd.org, cvs-src@freebsd.org, cvs-all@freebsd.org

bms         2007-03-20 00:36:11 UTC

  FreeBSD src repository

  Modified files:
    sys/net              if.c if_var.h
    sys/netgraph         ng_ether.c
    sys/netinet          in.c in_var.h
    sys/netinet6         mld6.c
  Log:
  Implement reference counting for ifmultiaddr, in_multi, and in6_multi
  structures. Detect when ifnet instances are detached from the network
  stack and perform appropriate cleanup to prevent memory leaks.

  This has been implemented in such a way as to be backwards ABI compatible.
  Kernel consumers are changed to use if_delmulti_ifma(); in_delmulti()
  is unable to detect interface removal by design, as it performs searches
  on structures which are removed with the interface.

  With this architectural change, the panics FreeBSD users have experienced
  with carp and pfsync should be resolved.
  Obtained from:  p4 branch bms_netdev
  Reviewed by:    andre
  Sponsored by:   Garance A Drosehn
  Idea from:      NetBSD
  MFC after:      1 month

  Revision  Changes    Path
  1.267     +193 -37   src/sys/net/if.c
  1.111     +2 -2      src/sys/net/if_var.h
  1.62      +18 -3     src/sys/netgraph/ng_ether.c
  1.97      +114 -74   src/sys/netinet/in.c
  1.60      +1 -1      src/sys/netinet/in_var.h
  1.29      +83 -72    src/sys/netinet6/mld6.c

-------------------------------------------------------

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
From owner-freebsd-pf@FreeBSD.ORG Tue Mar 20 12:17:34 2007
From: Volker (envelope-from volker@vwsoft.com)
To: Eric
Date: Tue, 20 Mar 2007 13:17:11 +0100
References: <45FE919B.7040208@mikestammer.com>
In-Reply-To: <45FE919B.7040208@mikestammer.com>
Message-ID: <45FFD0C7.6030600@vwsoft.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf logging differences

On 12/23/-58 20:59, Eric wrote:
> in this case, pf logging looks like this:
>
> # tcpdump -etttti pflog0
> # tcpdump: WARNING: pflog0: no IPv4 address assigned
> # tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> # listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 68 bytes
> # 2007-03-19 08:19:35.242979 rule 1/0(match): block in on ng0: access.savagedata.net > 68.249.177.115: [|icmp]
> # 2007-03-19 08:19:36.252372 rule 1/0(match): block in on ng0: access.savagedata.net > 68.249.177.115: [|icmp]
> # 2007-03-19 08:19:37.262760 rule 1/0(match): block in on ng0: access.savagedata.net > 68.249.177.115: [|icmp]
>
>
> Why is the first host producing more detailed logs? why isnt pf showing
> the port that was blocked or anything else like it does in the first
> host? Is there a way to make the ng0 interface log more or is this due
> to the netgraph hooks into pf?

ICMP packets do NOT have any port numbers. The example you've shown had 3 ICMP packets being blocked.

On the other side, I'm always using `tcpdump -nettttvvi ...' (the -vv parameter gives more output but might annoy you for SMB / netbios traffic).
HTH,

Volker

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 20 14:06:54 2007
From: Eric (envelope-from heli@mikestammer.com)
To: Volker
Date: Tue, 20 Mar 2007 08:40:00 -0500
References: <45FE919B.7040208@mikestammer.com> <45FFD0C7.6030600@vwsoft.com>
In-Reply-To: <45FFD0C7.6030600@vwsoft.com>
Message-ID: <45FFE430.7000206@mikestammer.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf logging differences

Volker wrote:
> On 12/23/-58 20:59, Eric wrote:
>> in this case, pf logging looks like this:
>>
>>
>> Why is the first host producing more detailed logs? why isnt pf showing
>> the port that was blocked or anything else like it does in the first
>> host? Is there a way to make the ng0 interface log more or is this due
>> to the netgraph hooks into pf?
>
> ICMP packets do NOT have any port numbers. The example you've shown
> had 3 ICMP packets being blocked.
>
> On the other side, I'm always using `tcpdump -nettttvvi ...' (the
> -vv parameters gives more output but might annoy you for SMB /
> netbios traffic).
>
>
> HTH,
>
> Volker

It does. I picked some bad examples there. The issue was not having IPv6 on the second machine and as such it was using a smaller value for the capture size (64 vs 96 I believe). Using -s 100 fixed it and things look as expected.

Eric
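What the two capture sizes actually leave of each packet can be checked without a pflog0 interface. The decoder below is an added example, not code from this thread, from FreeBSD or from tcpdump. It assumes the pflog header layout FreeBSD 6 took from OpenBSD (if_pflog.h): length, af, action, reason, a 16-byte ifname, a 16-byte ruleset name, rulenr and subrulenr in network byte order, dir and three pad bytes, i.e. PFLOG_REAL_HDRLEN 45 rounded up to PFLOG_HDRLEN 48; later pf versions add uid/pid fields before dir (61 padded to 64), which the decoder handles by taking the header length from the record itself, as tcpdump does. The snaplen applies to header and packet together, so the 68-byte default leaves exactly one 20-byte IPv4 header and nothing of ICMP, UDP or TCP, which is the "[|icmp]" in Eric's second log, while 96 bytes leave 48 bytes of packet. Both records are constructed: one mirrors the blocked UDP line from the first log, the other is a blocked ping on ng0 from a made-up source address.

```python
"""Decode pflog(4) records and show what a short snaplen throws away.

Added example; not code from the thread, FreeBSD or tcpdump. Header layout
assumed from if_pflog.h as FreeBSD 6 imported it: length, af, action, reason,
ifname[16], ruleset[16], rulenr, subrulenr (both network byte order), dir,
pad[3]: 45 real bytes padded to 48. Newer pf adds uid/pid fields before dir
(61 padded to 64); the decoder copes by reading the length byte, as tcpdump
does. The two sample records are constructed in sample_records().
"""
import socket
import struct

AF_INET_BSD = 2
PF_ACTIONS = {0: "pass", 1: "block", 2: "scrub"}      # PF_PASS, PF_DROP, PF_SCRUB
PF_DIRECTIONS = {0: "in/out", 1: "in", 2: "out"}      # PF_INOUT, PF_IN, PF_OUT
PF_REASONS = {0: "match", 1: "bad-offset", 2: "fragment", 3: "short"}

def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, for the IPv4 and ICMP headers built below."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload

def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data  # checksum 0: none

def build_icmp_echo(ident: int, seq: int, data: bytes) -> bytes:
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", _checksum(body)) + body[4:]

def build_pflog_record(ifname: str, rulenr: int, action: int, direction: int,
                       packet: bytes) -> bytes:
    """pflog header as FreeBSD 6 wrote it: 45 real bytes, padded to 48, then the packet."""
    hdr = struct.pack("!BBBB16s16sII", 45, AF_INET_BSD, action, 0, ifname.encode(),
                      b"", rulenr, 0xFFFFFFFF)          # subrulenr -1: rule not in an anchor
    return hdr + struct.pack("BBBB", direction, 0, 0, 0) + packet

def decode_pflog_record(record: bytes, snaplen: int = 0) -> dict:
    """Decode one record as a capture with this snaplen would have stored it (0 = whole)."""
    cap = record if snaplen == 0 else record[:snaplen]
    if len(cap) < 44 or len(cap) < cap[0]:
        return {"truncated": True}
    _, af, action, reason, ifname, _rs, rulenr, _sub = struct.unpack("!BBBB16s16sII", cap[:44])
    real_len = cap[0]
    hdrlen = (real_len + 3) & ~3                        # BPF_WORDALIGN(hdr->length)
    out = {"ifname": ifname.rstrip(b"\0").decode(), "rulenr": rulenr, "truncated": True,
           "action": PF_ACTIONS.get(action, "unkn(%d)" % action),
           "reason": PF_REASONS.get(reason, "unkn(%d)" % reason),
           "dir": PF_DIRECTIONS.get(cap[real_len - 1], "unkn")}
    pkt = cap[hdrlen:]
    out["packet_bytes"] = len(pkt)
    if af != AF_INET_BSD or len(pkt) < 20:              # not even an IPv4 header: "[|ip]"
        return out
    ihl = (pkt[0] & 0x0F) * 4
    out.update(src=socket.inet_ntoa(pkt[12:16]), dst=socket.inet_ntoa(pkt[16:20]),
               proto=pkt[9], ip_len=struct.unpack("!H", pkt[2:4])[0])
    l4 = pkt[ihl:]
    if out["proto"] in (6, 17) and len(l4) >= 4:       # TCP/UDP: ports come first
        out["sport"], out["dport"] = struct.unpack("!HH", l4[:4])
        if out["proto"] == 17 and len(l4) >= 8:
            out["udp_len"] = struct.unpack("!H", l4[4:6])[0] - 8
    elif out["proto"] == 1 and len(l4) >= 8:           # ICMP: type, code, cksum, id, seq
        out["icmp_type"], out["icmp_code"], _, out["icmp_id"], out["icmp_seq"] = \
            struct.unpack("!BBHHH", l4[:8])
    out["truncated"] = len(pkt) < out["ip_len"]
    return out

def summarize(record: bytes, snaplen: int = 0) -> str:
    """One line in the spirit of tcpdump's pflog output, including its '[|proto]' marks."""
    d = decode_pflog_record(record, snaplen)
    if "ifname" not in d:
        return "[|pflog]"
    head = "rule %d(%s): %s %s on %s: " % (d["rulenr"], d["reason"], d["action"], d["dir"], d["ifname"])
    if "src" not in d:
        return head + "[|ip]"
    if "udp_len" in d:
        return head + "%s.%d > %s.%d: UDP, length %d" % (d["src"], d["sport"], d["dst"], d["dport"], d["udp_len"])
    if "icmp_type" in d:
        return head + "%s > %s: ICMP type %d code %d, id %d, seq %d" % (
            d["src"], d["dst"], d["icmp_type"], d["icmp_code"], d["icmp_id"], d["icmp_seq"])
    name = {1: "icmp", 6: "tcp", 17: "udp"}.get(d["proto"], "proto %d" % d["proto"])
    return head + "%s > %s: [|%s]" % (d["src"], d["dst"], name)

def sample_records() -> dict:
    """Constructed records: the blocked UDP probe from the first log, and a blocked ping on ng0."""
    udp = build_ipv4("202.100.109.213", "72.232.135.90", 17, build_udp(1332, 1434, b"\x04" * 376))
    icmp = build_ipv4("203.0.113.7", "68.249.177.115", 1, build_icmp_echo(0x1234, 1, b"\0" * 56))
    return {"udp": build_pflog_record("bge0", 0, 1, 1, udp), "icmp": build_pflog_record("ng0", 1, 1, 1, icmp)}

if __name__ == "__main__":
    for name, rec in sample_records().items():
        for snap in (68, 96, 0):
            print("%-5s snaplen %3d: %s" % (name, snap, summarize(rec, snap)))
```

The `snaplen` argument does to the record what tcpdump's `-s` does to the capture. At 68 bytes the ping decodes to `[|icmp]` and the UDP probe has no ports; at 96 the ports and the UDP length are back; only `-s 0` (or a value like Eric's `-s 100`, which is enough for headers but not for payload) clears the `truncated` flag. When pflog records go to anything that matches on payload, check that flag rather than trusting the one-line summary.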
From owner-freebsd-pf@FreeBSD.ORG Tue Mar 20 17:52:55 2007
From: WAYNE KING (envelope-from king.812@osu.edu)
To: freebsd-pf@freebsd.org
Date: Tue, 20 Mar 2007 13:42:24 -0400
Message-ID: <2a1c4c62a19f27.2a19f272a1c4c6@osu.edu>
Subject: problem with linux kernel 2.16.18.2 and packet filter

Hello list,

My subnet at Ohio State is running a BSD firewall with packet filter. It works great, but I just encountered a weird problem with the linux 2.16.18.2 kernel and packet filter.
When the firewall was on I could do absolutely nothing via the web; every page would hang. As soon as I turned the firewall off, all connections worked fine. Apparently this is a known bug? and changing the tcp_window_scaling setting in the kernel to 0 fixes it. Anyway I was hoping that someone could explain to me why that setting might cause a problem with packet filter. It irritated me for weeks.

By the way I'm using OpenSuse 10.2 --never had it up to and including Suse 10.1. I'm not sure if this is a problem in general with that kernel or with some distro particular. I'm running fedora core 6 on another computer and that works fine. I just discovered this fix so I haven't checked what kernel that has installed (fedora core 6) or what the tcp_window_scaling is by default. The following command fixed it on my computer (openSuse 10.2)

echo 0 > /proc/sys/net/ipv4/tcp_window_scaling

Any quick insights just for my own education?

Thanks so much,

Wayne King

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 20 17:59:54 2007
From: Max Laier (envelope-from max@love2party.net)
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Tue, 20 Mar 2007 18:59:38 +0100
References: <2a1c4c62a19f27.2a19f272a1c4c6@osu.edu>
In-Reply-To: <2a1c4c62a19f27.2a19f272a1c4c6@osu.edu>
R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart8114223.1r5BisRvIc"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200703201859.44947.max@love2party.net> X-Provags-ID: V01U2FsdGVkX1+QeySd9xwlMoNRySE85f8GGvmbnuuEm+6c6Dv m6l0cGhxohoBNEG+eNNGOhm+HX+5TSJtBSDaroeBIQAkWsBd+E 6Azlrvyc6Xtt9UdHA0zqQ== Cc: WAYNE KING Subject: Re: problem with linux kernel 2.16.18.2 and packet filter X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Mar 2007 17:59:54 -0000 --nextPart8114223.1r5BisRvIc Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Tuesday 20 March 2007 18:42, WAYNE KING wrote: > Hello list, My subnet at Ohio State is running a BSD firewall with > packet filter. It works great, but I just encountered a weird problem > with the linux 2.16.18.2 kernel and packet filter. When the firewall > was on I could do absolutely nothing via the web; every page would > hang. As soon as I turned the firewall off, all connections worked > fine. Apparently this is a known bug? and changing the > tcp_window_scaling setting in the kernel to 0 fixes it. Anyway I was > hoping that someone could explain to me why that setting might cause a > problem with packet filter. It irritated me for weeks. By the way I'm > using OpenSuse 10.2 --never had it up to and including Suse 10.1. I'm > not sure if this is a problem in general with that kernel or with some > distro particular. I'm running fedora core 6 on another computer and > that works fine. 
I just discovered this fix so I haven't checked what > kernel that has installed (fedora core 6) or what the > tcp_window_scaling is by default. The following com mand fixed it on my > computer (openSuse 10.2) > > echo 0 > /proc/sys/net/ipv4/tcp_window_scaling > > Any quick insights just for my own education? Could you enable misc logging for pf (pfctl -xm) and watch the console=20 while you try to connect to the net with the affected Linux box? Also, window scaling related problems are usually caused by keep state=20 rules that do not include "flags S/SA". Under some circumstances you=20 could get pf to install a state entry for which it has not seen the=20 initial SYN and thus it is not informed about the negotiated scalling=20 factor and breaks the connection later. =2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart8114223.1r5BisRvIc Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (FreeBSD) iD8DBQBGACEQXyyEoT62BG0RAneBAJ9qKlnZ+aJsGtyJt/gWxpdRj0QdzwCfcSvv 2HXQhIn5jkDB/ePjYnRspe0= =xTPr -----END PGP SIGNATURE----- --nextPart8114223.1r5BisRvIc-- From owner-freebsd-pf@FreeBSD.ORG Tue Mar 20 19:26:22 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id A577316A401 for ; Tue, 20 Mar 2007 19:26:22 +0000 (UTC) (envelope-from jsimola@gmail.com) Received: from wr-out-0506.google.com (wr-out-0506.google.com [64.233.184.227]) by mx1.freebsd.org (Postfix) with ESMTP id 636D113C448 for ; Tue, 20 Mar 2007 19:26:22 +0000 (UTC) (envelope-from jsimola@gmail.com) Received: by wr-out-0506.google.com with SMTP id 36so2088653wra for ; Tue, 20 Mar 2007 12:26:21 -0700 (PDT) DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; 
h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=t4/RGA/ZWIx1St7COnty6Xo4qAWMooQ0/h8axEBckvivzdYL+ReuyQjVhZaeI2EvQT+iRb8o2hd8fqHXz/aESHvB80yfYa0x3w+IxQKJ0WCf9VamIyGPB42ni2TPnKxxFYcq43zZQdD0aq0S4ITzYhQaBN1ljzpFoGwIUrHDVAo= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=pY3dNn29/xR8d3raUT+eN/zTwOLk4vXFUjnXSuQrz7ioMaitn3j/P3cwPKIuf27LGal0CarqO0UCqKzhAm71zyCUgQe3eLuDHzRZhlTxT62BwqHcLNwJMGZ+1Ml6pZwTOBun6uGZPfZ5G1eOfLPzQEQ9iKsHkPPJw1ThZL9NSNc= Received: by 10.90.90.16 with SMTP id n16mr1303862agb.1174417042450; Tue, 20 Mar 2007 11:57:22 -0700 (PDT) Received: by 10.114.152.19 with HTTP; Tue, 20 Mar 2007 11:57:22 -0700 (PDT) Message-ID: <8eea04080703201157s6939c8eape3fb1cfec1433464@mail.gmail.com> Date: Tue, 20 Mar 2007 11:57:22 -0700 From: "Jon Simola" To: "WAYNE KING" In-Reply-To: <2a1c4c62a19f27.2a19f272a1c4c6@osu.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <2a1c4c62a19f27.2a19f272a1c4c6@osu.edu> Cc: freebsd-pf@freebsd.org Subject: Re: problem with linux kernel 2.16.18.2 and packet filter X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Mar 2007 19:26:22 -0000 On 3/20/07, WAYNE KING wrote: > Hello list, My subnet at Ohio State is running a BSD firewall with packet filter. > It works great, but I just encountered a weird problem with the linux 2.16.18.2 > kernel and packet filter. > Any quick insights just for my own education? 
A quick search with Google turned up a great explanation by Daniel Hartmeier: http://mail-index.netbsd.org/tech-net/2006/07/12/0000.html As well as some evidence that this isn't a new problem: http://archives.neohapsis.com/archives/openbsd/2004-09/0703.html I would have to agree with Max's suggestion to check for proper "flags S/SA" on the rules. OpenBSD recently made that the default for this reason. -- Jon From owner-freebsd-pf@FreeBSD.ORG Thu Mar 22 12:48:24 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id B429616A415 for ; Thu, 22 Mar 2007 12:48:24 +0000 (UTC) (envelope-from king.812@osu.edu) Received: from defang9.it.ohio-state.edu (defang9.it.ohio-state.edu [128.146.216.78]) by mx1.freebsd.org (Postfix) with ESMTP id 434A913C469 for ; Thu, 22 Mar 2007 12:48:24 +0000 (UTC) (envelope-from king.812@osu.edu) Received: from osu.edu (mail-store1.service.ohio-state.edu [128.146.216.22]) by defang9.it.ohio-state.edu (8.13.7/8.13.1) with ESMTP id l2MCmNW7010099 for ; Thu, 22 Mar 2007 08:48:23 -0400 Received: from [128.146.216.30] by mail1.service.ohio-state.edu (mshttpd); Thu, 22 Mar 2007 08:48:23 -0400 From: WAYNE KING To: freebsd-pf@freebsd.org Message-ID: <2dee4ea2debed2.2debed22dee4ea@osu.edu> Date: Thu, 22 Mar 2007 08:48:23 -0400 X-Mailer: iPlanet Messenger Express 5.2 HotFix 1.14 (built Mar 18 2003) MIME-Version: 1.0 Content-Language: en X-Accept-Language: en Priority: normal Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: 7bit X-Spam-Score: 0.60 () [Tag at 10.00] J_CHICKENPOX_32 X-CanItPRO-Stream: outbound X-Canit-Stats-ID: Bayes signature not available X-Scanned-By: CanIt (www . roaringpenguin . 
com) on 128.146.216.12 Subject: re: problem with opensuse 10.2 and pf X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Mar 2007 12:48:24 -0000 Thanks to Max Laier and Jon Smola for helpful comments on my earlier post. I have not put the flags S/SA option in my rule set as yet. Max asked if I could enable debugging and show what happens when I try to use the internet from the linux box without first issuing the echo "0" > /proc/sys/net/ipv4/tcp_window_scaling command on the linux box. I include what happens below. pigpen is the name of the firewall. Thanks again Max and Jon for the help, wayne ## debug output follows. Linux box IP is ## 128.146.89.77 Mar 22 07:37:46 pigpen /bsd: pf: BAD state: TCP 128.146.89.77:43430 128.146.89.77:43430 212.58.240.41:80 [lo=132938052 high=132938099 win=33304 modulator=0] [lo=828478979 high=828511866 win=46 modulator=0] 4:4 PA seq=132938053 ack=828478979 len=340 ackskew=0 pkts=5 dir=in,fwd Mar 22 07:37:46 pigpen /bsd: pf: BAD state: TCP 128.146.89.77:43430 128.146.89.77:43430 212.58.240.41:80 [lo=132938052 high=132938099 win=33304 modulator=0] [lo=828478979 high=828511866 win=46 modulator=0] 4:4 PA seq=132938053 ack=828478979 len=340 ackskew=0 pkts=5 dir=in,fwd Mar 22 07:37:46 pigpen /bsd: pf: State failure on: 1 | Mar 22 07:37:46 pigpen /bsd: pf: State failure on: 1 | From owner-freebsd-pf@FreeBSD.ORG Thu Mar 22 13:13:53 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 6C77416A46E for ; Thu, 22 Mar 2007 13:13:53 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net) Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.112.4.54]) by mx1.freebsd.org (Postfix) with ESMTP id 
2602C13C4B9 for ; Thu, 22 Mar 2007 13:13:52 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net) Received: from gw2.local.net (unknown [62.3.210.251]) by smtp.nildram.co.uk (Postfix) with ESMTP id 89CE62B5D7C for ; Thu, 22 Mar 2007 13:13:49 +0000 (GMT) From: "Greg Hennessy" To: "'WAYNE KING'" , References: <2dee4ea2debed2.2debed22dee4ea@osu.edu> In-Reply-To: <2dee4ea2debed2.2debed22dee4ea@osu.edu> Date: Thu, 22 Mar 2007 13:13:35 -0000 Message-ID: <000001c76c83$e60a78b0$b21f6a10$@Hennessy@nviz.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 Content-Language: en-gb Thread-Index: Acdsgi9kqRZpmIQzRMudZe6ol6eG6AAAWf8g x-cr-hashedpuzzle: Aasf DwbM Fru/ KtdQ Nfkt N4Ky Odmh O0WS PdiQ QtN/ QxCD RhtT SFrn S7UI TIGC TuhF; 2; ZgByAGUAZQBiAHMAZAAtAHAAZgBAAGYAcgBlAGUAYgBzAGQALgBvAHIAZwA7AGsAaQBuAGcALgA4ADEAMgBAAG8AcwB1AC4AZQBkAHUA; Sosha1_v1; 7; {0DFD5926-3D76-4FAA-A10E-B254EE8B2C6B}; ZwByAGUAZwAuAGgAZQBuAG4AZQBzAHMAeQBAAG4AdgBpAHoALgBuAGUAdAA=; Thu, 22 Mar 2007 13:13:29 GMT; UgBFADoAIABwAHIAbwBiAGwAZQBtACAAdwBpAHQAaAAgAG8AcABlAG4AcwB1AHMAZQAgADEAMAAuADIAIABhAG4AZAAgAHAAZgA= x-cr-puzzleid: {0DFD5926-3D76-4FAA-A10E-B254EE8B2C6B} X-Antivirus: avast! (VPS 000726-1, 21/03/2007), Outbound message X-Antivirus-Status: Clean Cc: Subject: RE: problem with opensuse 10.2 and pf X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Mar 2007 13:13:53 -0000 > > Thanks to Max Laier and Jon Smola for helpful comments on my earlier > post. I have not put the flags S/SA option in my rule set as yet That's the most likely reason why it's breaking. 
Greg From owner-freebsd-pf@FreeBSD.ORG Fri Mar 23 09:02:14 2007 Return-Path: X-Original-To: freebsd-pf@hub.freebsd.org Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1715F16A402; Fri, 23 Mar 2007 09:02:14 +0000 (UTC) (envelope-from remko@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id E592813C48A; Fri, 23 Mar 2007 09:02:13 +0000 (UTC) (envelope-from remko@FreeBSD.org) Received: from freefall.freebsd.org (remko@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l2N92D6r007243; Fri, 23 Mar 2007 09:02:13 GMT (envelope-from remko@freefall.freebsd.org) Received: (from remko@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l2N92D3I007239; Fri, 23 Mar 2007 09:02:13 GMT (envelope-from remko) Date: Fri, 23 Mar 2007 09:02:13 GMT From: Remko Lodder Message-Id: <200703230902.l2N92D3I007239@freefall.freebsd.org> To: remko@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org Cc: Subject: Re: kern/110698: nat rule of pf without "on" clause causes invalid packed chksum X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Mar 2007 09:02:14 -0000 Synopsis: nat rule of pf without "on" clause causes invalid packed chksum Responsible-Changed-From-To: freebsd-bugs->freebsd-pf Responsible-Changed-By: remko Responsible-Changed-When: Fri Mar 23 09:02:04 UTC 2007 Responsible-Changed-Why: PF issue http://www.freebsd.org/cgi/query-pr.cgi?pr=110698 From owner-freebsd-pf@FreeBSD.ORG Fri Mar 23 12:09:23 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by 
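The failure Max describes in the window-scaling thread above, and the "pf: BAD state" lines Wayne posted, can be reproduced with a small model of pf's sequence-window check. This is an added example written for this digest, not pf's source (it keeps only the checks that matter here, simplified), and every sequence number, window and the scale factor 7 are constructed values rather than numbers from Wayne's capture.

```python
"""
Toy model of pf's TCP sequence-window tracking (constructed for this digest,
not pf's source). A state created by a mid-stream packet never learns the
window-scale option, which only the SYN carries, so the peer's advertised
window is applied unscaled and ordinary segments fall outside it: "BAD state".
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MAXACKWINDOW = 65535  # how far an acknowledgement may lag before pf rejects it


@dataclass
class Peer:
    seqlo: int = 0                # highest sequence number seen from this side (0: none yet)
    seqhi: int = 1                # highest sequence number this side may send
    max_win: int = 1              # largest window this side advertised, in scaled units
    wscale: Optional[int] = None  # shift count from this side's SYN; None if pf never saw it


@dataclass
class State:
    peers: Dict[str, Peer] = field(
        default_factory=lambda: {"client": Peer(), "server": Peer()})


def _unscale(win: int, wscale: Optional[int]) -> int:
    """SYN windows travel unscaled; store them so that max_win << wscale is bytes."""
    return (win + (1 << wscale) - 1) >> wscale if wscale else win


def _scales(src: Peer, dst: Peer, syn: bool) -> Tuple[int, int]:
    """Scale factors apply only once BOTH SYNs were seen, and never to a SYN itself."""
    if src.wscale is not None and dst.wscale is not None and not syn:
        return src.wscale, dst.wscale
    return 0, 0


def create_state(side, seq, win, length=0, syn=False, wscale_opt=None) -> State:
    """Install a state from whatever packet first matched a 'keep state' rule."""
    st = State()
    me = st.peers[side]
    me.seqlo = seq
    me.seqhi = seq + length + 1 + (1 if syn else 0)
    if syn:
        me.wscale = wscale_opt  # the only packet that can tell pf the scale factor
    me.max_win = max(_unscale(win, me.wscale), 1)
    return st


def track(st, side, seq, ack, win, length=0, syn=False, wscale_opt=None) -> str:
    """Run pf's window check on one packet sent by `side`: "pass" or "BAD state"."""
    src = st.peers[side]
    dst = st.peers["server" if side == "client" else "client"]
    end = seq + length + (1 if syn else 0)
    if src.seqlo == 0:
        # First packet from this end: learn its scale (SYN only) and size what it
        # may send from the window the other end has advertised so far.
        if syn:
            src.wscale = wscale_opt
            win = _unscale(win, src.wscale)
        dws = dst.wscale if src.wscale is not None and dst.wscale is not None else 0
        src.seqlo = seq
        src.seqhi = end + max(1, dst.max_win << dws)
    sws, dws = _scales(src, dst, syn)
    ackskew = dst.seqlo - ack
    inside = (end <= src.seqhi                                    # not beyond what it may send
              and seq >= src.seqlo - (dst.max_win << dws)          # not more than one window back
              and -MAXACKWINDOW <= ackskew <= (MAXACKWINDOW << sws))
    if not inside:
        return "BAD state"
    src.max_win = max(src.max_win, win)
    src.seqlo = max(src.seqlo, end)
    dst.seqhi = max(dst.seqhi, ack + max(win << sws, 1))  # slide the peer's send window
    return "pass"


# Constructed flow: a Linux client (ISN 1000, window 5840, wscale 7) talks to a
# web server (ISN 5000, window 5792, wscale 7); the client's 340-byte requests
# stand in for the len=340 segment in Wayne's log.
def with_flags_s_sa():
    """'flags S/SA keep state': the SYN creates the state, so both scales are known."""
    st = create_state("client", seq=1000, win=5840, syn=True, wscale_opt=7)
    return [
        track(st, "server", seq=5000, ack=1001, win=5792, syn=True, wscale_opt=7),
        track(st, "client", seq=1001, ack=5001, win=46),              # ACK, window 46 << 7
        track(st, "server", seq=5001, ack=1001, win=46),              # server window update
        track(st, "client", seq=1001, ack=5001, win=46, length=340),  # first request
        track(st, "server", seq=5001, ack=1341, win=46),              # server acknowledges
        track(st, "client", seq=1341, ack=5001, win=46, length=340),  # second request
    ]


def without_flags():
    """Plain 'keep state': pf picks the connection up from a mid-stream server ACK."""
    st = create_state("server", seq=5001, win=46)  # no SYN: wscale stays None, window is 46 bytes
    return [
        track(st, "client", seq=1001, ack=5001, win=46, length=340),  # first request still fits
        track(st, "server", seq=5001, ack=1341, win=46),              # allows only 46 more bytes
        track(st, "client", seq=1341, ack=5001, win=46, length=340),  # "BAD state"
    ]
```

The mid-stream state keeps the server's window at 46 bytes where the SYN-created state knows it means 46 << 7 = 5888; in Wayne's log the server side likewise shows win=46 and the client's allowed span is high - lo = 47, consistent with that unscaled window being all pf will let the client send.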
From owner-freebsd-pf@FreeBSD.ORG Fri Mar 23 12:09:23 2007
From: Andre Albsmeier
To: freebsd-pf@freebsd.org
Date: Fri, 23 Mar 2007 12:50:43 +0100
Message-ID: <20070323115043.GA6991@curry.mchp.siemens.de>
Subject: 6.2-STABLE: enc0 sees only outgoing packets in pf

[Retrying on -pf...]

(This is FreeBSD 6.2-STABLE as of yesterday using pf and FAST_IPSEC.)

Yesterday I started to play around with enc0 in pf. I hoped I could now control IPSEC traffic in the standard way with pf rules but it seems that only outgoing packets hit enc0. I added a

    pass quick log on enc0 all

on top of all pf rules. When sending a single ping packet to the remote side everything works but the only thing I see is

    Mar 18 10:20:11 gate pflogd: @0 pass out enc0 ICMP 192.168.164.81 -> 10.0.1.32 8 (echo)

(192.168.164.81 is my local gif0 address and 10.0.1.32 the remote).

However, when running a tcpdump on enc0 we see the answer as well:

    listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 1550 bytes
    10:20:11.475041 (authentic,confidential): SPI 0x50521518: IP A.B.C.D > E.F.G.H: IP 192.168.164.81 > 10.0.1.32: ICMP echo request, id 3631, seq 0, length 64 (ipip-proto-4)
    10:20:11.560430 (authentic,confidential): SPI 0x0cf2344e: IP E.F.G.H > A.B.C.D: IP 10.0.1.32 > 192.168.164.81: ICMP echo reply, id 3631, seq 0, length 64 (ipip-proto-4)

(A.B.C.D is my local gif0 tunnel endpoint and E.F.G.H the remote).

Just to make things clear: IPSEC works (as it did for years), I'm just not able to control the incoming packets with enc0 in pf.

Any ideas?

Thanks,

-Andre

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 23 13:05:23 2007
From: "Gilberto Villani Brito"
To: "FreeBSD (PF)"
Date: Fri, 23 Mar 2007 09:37:48 -0300
Message-ID: <6e6841490703230537h79669db8u4c831965fc398fcd@mail.gmail.com>
Subject: Nat and rdr.

Hi,
I need to make nat and rdr for my connections from lo0 of my firewall.
I have those rules:

    rdr on { em0 em1 lo0 } proto icmp from any to 200.250.0.1 -> 192.168.0.2
    nat on { em0 em1 lo0 } from 192.168.0.2 to any -> 200.250.0.1

When I try to ping ip 200.250.0.1 from my firewall, it tries the default gw.
I would like it to make a nat and ping the ip 192.168.0.2. Is it possible??

-- 
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 24 13:20:22 2007
From: Volker
To: Andre Albsmeier
Cc: freebsd-pf@freebsd.org
Date: Sat, 24 Mar 2007 14:19:46 +0100
Message-ID: <46052572.9070402@vwsoft.com>
In-Reply-To: <20070323115043.GA6991@curry.mchp.siemens.de>
Subject: Re: 6.2-STABLE: enc0 sees only outgoing packets in pf

Andre,

On 12/23/-58 20:59, Andre Albsmeier wrote:
> [Retrying on -pf...]
>
> (This is FreeBSD 6.2-STABLE as of yesterday using pf and FAST_IPSEC.)
>
> Yesterday I started to play around with enc0 in pf. I hoped I
> could now control IPSEC traffic in the standard way with pf rules
> but it seems that only outgoing packets hit enc0. I added a
>
> pass quick log on enc0 all

Do you really use that rule? If you're using a 'keep state' option this would give the behavior you're experiencing.

> on top of all pf rules. When sending a single ping packet to
> the remote side everything works but the only thing I see is
>
> Mar 18 10:20:11 gate pflogd: @0 pass out enc0 ICMP 192.168.164.81 -> 10.0.1.32 8 (echo)
>
> (192.168.164.81 is my local gif0 address and 10.0.1.32 the remote).
>
> However, when running a tcpdump on enc0 we see the answer as well:
>
> listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 1550 bytes
> 10:20:11.475041 (authentic,confidential): SPI 0x50521518: IP A.B.C.D > E.F.G.H: IP 192.168.164.81 > 10.0.1.32: ICMP echo request, id 3631, seq 0, length 64 (ipip-proto-4)
> 10:20:11.560430 (authentic,confidential): SPI 0x0cf2344e: IP E.F.G.H > A.B.C.D: IP 10.0.1.32 > 192.168.164.81: ICMP echo reply, id 3631, seq 0, length 64 (ipip-proto-4)
>
> (A.B.C.D is my local gif0 tunnel endpoint and E.F.G.H the remote).
>
> Just to make things clear: IPSEC works (as it did for years), I'm
> just not able to control the incoming packets with enc0 in pf.

Not really what you're asking for but... I think you won't like to see _every_ packet in the firewall logs. Instead you really want to see the first packet which will initiate a session and have pf keep state of it.

On the other side, I've played with device enc a few weeks ago and was asking for clarification on net@ but didn't get any reply.

What's really strange is packets coming through an IPSec tunnel can be seen by pf on device enc but packets are still passing through even if device enc0 is down.

So from my experience device enc currently is a bit strange in behavior (at least on -STABLE). Also AFAIR I haven't been able to block packets on device enc0 using pf. I suspect device enc is currently a bit of a hack and currently probably only useful for packet / connection logging but not for real firewalling. You might check out if you're able to block anything on enc0 (my memories might be wrong) and play with it a bit.

I suspect packets do not really pass device enc but are getting duplicated to enc while being processed by IPSec.

HTH,

Volker

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 24 13:33:00 2007
From: Volker
To: Gilberto Villani Brito
Cc: "FreeBSD (PF)"
Date: Sat, 24 Mar 2007 14:32:44 +0100
Message-ID: <4605287C.5060901@vwsoft.com>
In-Reply-To: <6e6841490703230537h79669db8u4c831965fc398fcd@mail.gmail.com>
Subject: Re: Nat and rdr.

Gilberto,

On 12/23/-58 20:59, Gilberto Villani Brito wrote:
> Hi,
> I need to make nat and rdr for my connections from lo0 of my firewall.
> I have those rules:
> rdr on { em0 em1 lo0 } proto icmp from any to 200.250.0.1 -> 192.168.0.2
> nat on { em0 em1 lo0 } from 192.168.0.2 to any -> 200.250.0.1
>
> When I try to ping ip 200.250.0.1 from my firewall, it tries the default gw.
> I would like it to make a nat and ping the ip 192.168.0.2. Is it possible??
>

It would help if we knew a bit more about your setup (which interface is external, which is internal). But I'm unable to imagine how useful it might be to NAT traffic on the loopback interface.

Your current rdr rules will not work as you think they should. For example there should never be a packet going through lo0 with a destination address of 200.250.0.1. Also NATing on the internal interface (and lo0) with the IP address of your external interface might give you strange results.

Greetings,

Volker

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 24 19:12:02 2007
From: Andrew Thompson
To: Volker
Cc: Andre Albsmeier, freebsd-pf@freebsd.org
Date: Sun, 25 Mar 2007 06:59:28 +1200
Message-ID: <20070324185928.GC45070@heff.fud.org.nz>
References: <20070323115043.GA6991@curry.mchp.siemens.de> <46052572.9070402@vwsoft.com>
In-Reply-To: <46052572.9070402@vwsoft.com>
Subject: Re: 6.2-STABLE: enc0 sees only outgoing packets in pf

On Sat, Mar 24, 2007 at 02:19:46PM +0100, Volker wrote:
> Andre,
>
> On 12/23/-58 20:59, Andre Albsmeier wrote:
> > [Retrying on -pf...]
> >
> > (This is FreeBSD 6.2-STABLE as of yesterday using pf and FAST_IPSEC.)
> >
> > Just to make things clear: IPSEC works (as it did for years), I'm
> > just not able to control the incoming packets with enc0 in pf.
>
> On the other side, I've played with device enc a few weeks ago and
> was asking for clarification on net@ but didn't get any reply.
>
> What's really strange is packets coming through an IPSec tunnel can
> be seen by pf on device enc but packets are still passing through
> even if device enc0 is down.

The code does check if the interface is running but if it's not then just passes the packet through unhindered. Do you think it should behave like you describe where the packets are dropped?

See line 204, change the check to this

    if ((encif->if_drv_flags & IFF_DRV_RUNNING) == 0) {
            m_freem(*mp);
            return (-1);
    }

> So from my experience device enc currently is a bit strange in
> behavior (at least on -STABLE). Also AFAIR I haven't been able to
> block packets on device enc0 using pf. I suspect device enc is
> currently a bit of a hack and currently probably only useful for
> packet / connection logging but not for real firewalling. You might
> check out if you're able to block anything on enc0 (my memories
> might be wrong) and play with it a bit.

This should work as you say and if it's not then that's a bug. Can you log the packets with pflog to check they are being blocked?

Andrew

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 24 19:35:53 2007
From: Volker
To: Andrew Thompson
Cc: freebsd-pf@freebsd.org
Date: Sat, 24 Mar 2007 20:35:36 +0100
Message-ID: <46057D88.4070305@vwsoft.com>
References: <20070323115043.GA6991@curry.mchp.siemens.de> <46052572.9070402@vwsoft.com> <20070324185928.GC45070@heff.fud.org.nz>
In-Reply-To: <20070324185928.GC45070@heff.fud.org.nz>
Subject: Re: 6.2-STABLE: enc0 sees only outgoing packets in pf

Andrew,

On 03/24/07 19:59, Andrew Thompson wrote:
>> What's really strange is packets coming through an IPSec tunnel can
>> be seen by pf on device enc but packets are still passing through
>> even if device enc0 is down.
>
> The code does check if the interface is running but if it's not then just
> passes the packet through unhindered. Do you think it should behave like
> you describe where the packets are dropped?

IMHO this is ok but it should be documented at least on enc(4). A short note like "if the device is down packets are still passing the firewall unfiltered" or the like would help.

Also the following (from enc(4)): "The enc interface allows an administrator to see outgoing packets..." led me to the assumption enc is only of use for "seeing" traffic but not of any use for filtering.

>
> See line 204, change the check to this
>
>     if ((encif->if_drv_flags & IFF_DRV_RUNNING) == 0) {
>             m_freem(*mp);
>             return (-1);
>     }
>
>> So from my experience device enc currently is a bit strange in
>> behavior (at least on -STABLE). Also AFAIR I haven't been able to
>> block packets on device enc0 using pf. I suspect device enc is
>> currently a bit of a hack and currently probably only useful for
>> packet / connection logging but not for real firewalling. You might
>> check out if you're able to block anything on enc0 (my memories
>> might be wrong) and play with it a bit.
>
> This should work as you say and if it's not then that's a bug. Can you log
> the packets with pflog to check they are being blocked?

Will try to do so but first I have to solve another issue with the filesystem. I'll setup some experimental rules and see if I'm able to block traffic on enc0.

Please stay tuned.

Greetings,

Volker