From owner-freebsd-pf@FreeBSD.ORG Sat Nov 11 20:08:00 2006
From: "Kimi Ostro" <kimimeister@gmail.com>
To: freebsd-pf@freebsd.org
Date: Sat, 11 Nov 2006 20:07:43 +0000
Message-ID: <42b497160611111207t2e168afdnba91607fd66371d2@mail.gmail.com>
Subject: Having a couple of issues
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi folks,

I'm having two issues, first one is lots of these:

pf: loose state match: TCP IiP.IiP.IiP.8:52621 XiP.XiP.XiP.199:62555 80.91.229.5:119 [lo=3269014705 high=3269020496 win=32844 modulator=4099273154 wscale=1] [lo=1410763470 high=1410829151 win=5792 modulator=37226129 wscale=0] 9:4 R seq=3269014705 ack=1410763470 len=0 ackskew=0 pkts=87:65

sprinkled with a few of these:

pf: BAD state: TCP IiP.IiP.IiP.8:62611 XiP.XiP.XiP.199:58398 83.143.169.1:80 [lo=4085132808 high=4085138601 win=32768 modulator=3334704359 wscale=1] [lo=172073751 high=172139287 win=5792 modulator=2536699106 wscale=2] 4:2 R seq=4085132808 ack=172073751 len=0 ackskew=0 pkts=1:5 dir=out,fwd
pf: State failure on: |

Also my other issue is FTP. I had FTP working before I lost my current ruleset due to a HD crash and decided to use ftp/pftpx from ports. In /var/log/messages I get a few of these show up:

Nov 11 20:01:36 ehost pftpx[46924]: #157 proxy cannot connect to server 64.39.2.174: Operation not permitted
Nov 11 20:01:36 ehost pftpx[46924]: #158 proxy cannot connect to server 192.35.244.50: Operation not permitted
Nov 11 20:01:38 ehost pftpx[46924]: #163 proxy cannot connect to server 213.135.44.35: Operation not permitted
Nov 11 20:01:38 ehost pftpx[46924]: #164 proxy cannot connect to server 212.14.28.36: Operation not permitted
Nov 11 20:01:39 ehost pftpx[46924]: #165 proxy cannot connect to server 212.101.4.244: Operation not permitted
Nov 11 20:01:39 ehost pftpx[46924]: #166 proxy cannot connect to server 193.206.140.34: Operation not permitted
Nov 11 20:01:40 ehost pftpx[46924]: #167 proxy cannot connect to server 66.98.251.159: Operation not permitted

which I think is related to the next part.. tcpdump -net -s0 -i pflog0 shows the packets blocked. Can anyone help?
I'm a little rusty :(

--

% cat /etc/pf.conf
ext_if = "tun0"
prv_if = "fxp0"
lpb_if = "lo0"

#set loginterface $prv_if
set state-policy if-bound
#set skip on $lpb_if
#set debug misc

scrub in on $ext_if \
    all \
    min-ttl 100 \
    no-df \
    fragment drop-ovl

scrub out on $ext_if \
    all \
    min-ttl 10 \
    random-id

altq on $ext_if priq bandwidth 1Mb \
    queue { Realtime High AboveNormal Normal BelowNormal Low }
queue Realtime priority 15 priq
queue High priority 12 priq
queue AboveNormal priority 9 priq
queue Normal priority 6 priq( default )
queue BelowNormal priority 3 priq
queue Low priority 0 priq

no nat on $ext_if \
    inet \
    from $prv_if:network \
    to $prv_if:network

nat on $ext_if \
    inet proto { tcp udp } \
    from $prv_if:network \
    to any \
    tag prv_natted \
    -> ($ext_if:0)

nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"

rdr pass on $prv_if \
    inet proto tcp \
    from $prv_if:network \
    to any port = ftp \
    -> $lpb_if:0 port ftp-proxy

block drop log on $ext_if
block return log on ! $ext_if

pass quick on $lpb_if

pass in quick on $prv_if \
    inet proto udp \
    from 0.0.0.0 port dhcpc \
    to 255.255.255.255 port dhcps

pass quick on $prv_if \
    from $prv_if:network \
    to $prv_if:network

pass in on $prv_if \
    inet proto { tcp udp } \
    from $prv_if:network \
    to ! $prv_if:network \
    flags S/SA modulate state

pass out on $ext_if \
    inet proto udp \
    from ($ext_if:0) \
    to any port = domain \
    keep state \
    queue High \
    tagged prv_natted

pass out on $ext_if \
    inet proto udp \
    from ($ext_if:0) \
    to any port = ntp \
    keep state \
    queue High

anchor "pftpx/*"

pass out on $ext_if \
    inet proto tcp \
    from ($ext_if:0) \
    to any port { http https 8008 8080 } \
    flags S/SA modulate state \
    queue Normal \
    tagged prv_natted

pass out on $ext_if \
    inet proto tcp \
    from ($ext_if:0) \
    to any port { 1863 5050 5222:5223 } \
    flags S/SA modulate state \
    queue BelowNormal \
    tagged prv_natted

pass out on $ext_if \
    inet proto tcp \
    from ($ext_if:0) \
    to any port { smtp pop3 imap nntp smtps pop3s imaps nntps } \
    flags S/SA modulate state \
    queue BelowNormal \
    tagged prv_natted

pass out on $ext_if \
    inet proto tcp \
    from ($ext_if:0) \
    to any port { cvsup cvspserver } \
    flags S/SA modulate state \
    queue BelowNormal \
    tagged prv_natted

pass out on $ext_if \
    inet proto tcp \
    from ($ext_if:0) \
    to any port = ssh \
    flags S/SA modulate state \
    queue (BelowNormal High) \
    tagged prv_natted

pass out on $ext_if \
    inet proto tcp \
    from ($ext_if:0) \
    to any \
    flags S/SA modulate state \
    tagged prv_natted

antispoof for { $ext_if $prv_if $lpb_if }
# EOF

Help? I tend to think the real problem is the object between the screen and the chair..

--
Kimi
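The "loose state match" and "BAD state" lines above are pf's state-tracking debug output, and it helps to decode them before guessing at the ruleset. The parser below is an added illustration, not code from the mail or from pf; the host order (lan, gwy, ext), the two bracketed windows (initiator, then responder) and the TCP FSM numbering follow pf's kernel debug format, while reading a line that lacks dir= as a forward-direction segment is an assumption made here.

```python
import re
from collections import Counter

# Regex for pf's "BAD state" / "loose state match" debug lines as the kernel
# writes them: hosts in the order lan gwy ext, the initiator's and responder's
# sequence windows in brackets, src:dst TCP FSM states, flags and the segment.
PF_STATE_RE = re.compile(
    r"pf: (?P<kind>BAD state|loose state match): (?P<proto>\w+) "
    r"(?P<lan>\S+:\d+) (?P<gwy>\S+:\d+) (?P<ext>\S+:\d+) "
    r"\[lo=(?P<slo>\d+) high=(?P<shi>\d+) win=\d+ modulator=\d+(?: wscale=\d+)?\] "
    r"\[lo=(?P<dlo>\d+) high=(?P<dhi>\d+) win=\d+ modulator=\d+(?: wscale=\d+)?\] "
    r"(?P<sstate>\d+):(?P<dstate>\d+) (?:(?P<flags>[A-Z]+) )?seq=(?P<seq>\d+) "
    r"ack=(?P<ack>\d+) len=(?P<len>\d+) ackskew=(?P<ackskew>-?\d+) "
    r"pkts=(?P<spkts>\d+):(?P<dpkts>\d+)(?: dir=(?P<dir>\w+),(?P<rel>\w+))?")

# TCP FSM numbers from <netinet/tcp_fsm.h>, which pf records per state side.
TCP_STATES = {0: "CLOSED", 1: "LISTEN", 2: "SYN_SENT", 3: "SYN_RECEIVED",
              4: "ESTABLISHED", 5: "CLOSE_WAIT", 6: "FIN_WAIT_1", 7: "CLOSING",
              8: "LAST_ACK", 9: "FIN_WAIT_2", 10: "TIME_WAIT"}

# The two debug lines quoted in the mail (addresses anonymised by its author),
# with the numbers that were wrapped across lines rejoined.
SAMPLE_LINES = [
    "pf: loose state match: TCP IiP.IiP.IiP.8:52621 XiP.XiP.XiP.199:62555 80.91.229.5:119 [lo=3269014705 high=3269020496 win=32844 modulator=4099273154 wscale=1] [lo=1410763470 high=1410829151 win=5792 modulator=37226129 wscale=0] 9:4 R seq=3269014705 ack=1410763470 len=0 ackskew=0 pkts=87:65",
    "pf: BAD state: TCP IiP.IiP.IiP.8:62611 XiP.XiP.XiP.199:58398 83.143.169.1:80 [lo=4085132808 high=4085138601 win=32768 modulator=3334704359 wscale=1] [lo=172073751 high=172139287 win=5792 modulator=2536699106 wscale=2] 4:2 R seq=4085132808 ack=172073751 len=0 ackskew=0 pkts=1:5 dir=out,fwd",
]

def parse_pf_state_line(line):
    """Parse one pf state debug line into a dict; None if it does not match."""
    m = PF_STATE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("slo", "shi", "dlo", "dhi", "seq", "ack", "len", "ackskew",
              "spkts", "dpkts"):
        d[k] = int(d[k])
    d["state_names"] = tuple(TCP_STATES.get(int(d[k]), "?")
                             for k in ("sstate", "dstate"))
    # fwd: segment travels in the state's own direction, from the initiator
    # (first bracket); rev: from the responder (second bracket). A line without
    # dir= (the loose match line) is taken as fwd, an assumption here.
    d["sender"] = "responder" if d["rel"] == "rev" else "initiator"
    return d

def summarize(lines):
    """Count mismatches per (kind, remote host) so noisy peers stand out."""
    counts = Counter()
    for d in filter(None, map(parse_pf_state_line, lines)):
        counts[(d["kind"], d["ext"].rsplit(":", 1)[0])] += 1
    return counts
```

Run over /var/log/messages, summarize() shows which remote hosts and which kind of mismatch dominate, and state_names turns "4:2" into ESTABLISHED:SYN_SENT, which is what you want to know before reading the pass rules.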