From owner-freebsd-pf@FreeBSD.ORG Sun Jan 15 22:50:28 2006
From: "Keith Bottner"
To: freebsd-pf@freebsd.org
Date: Sun, 15 Jan 2006 16:50:22 -0600
Organization: Barking Lizards Technologies
Message-ID: <001901c61a26$11e7c840$0e01a8c0@Stile>
Subject: client FTP using NAT

I am having trouble allowing clients that are inside the PacketFilter firewall to retrieve data from external FTP sites. The connection works fine, but a simple ls on the remote server returns "Connection closed by remote host." My pf.conf is below; any help would be appreciated.
Thanks in advance,

Keith

##########
# MACROS #
##########

# External (Internet) (5 externally addressable IPs)
# 17(gw)
# 18 NAT
# 19 company.com
# 20 UNUSED
# 21 UNUSED
# 22 OTHER
ext_if="xl1"
#ext_net="xxx.yyy.zzz.0/29"
ext_gw_addr="xxx.yyy.zzz.17"
ext_nat_addr="xxx.yyy.zzz.18"
ext_http_addr="xxx.yyy.zzz.19"
ext_ftp_addr="xxx.yyy.zzz.19"
ext_unused1_addr="xxx.yyy.zzz.20"
ext_unused2_addr="xxx.yyy.zzz.21"
ext_other_addr="xxx.yyy.zzz.22"

# Internal (Intranet)
int_if="xl0"
int_net="192.168.1.0/24"

# DMZ
dmz_if="vr0"
dmz_net="10.11.13.0/24"
dmz_http_addr="10.11.13.100"
dmz_ftp_addr="10.11.13.100"
dmz_perforce_addr="10.11.13.106"
dmz_cerebro_addr="10.11.13.103"

##########
# TABLES #
##########
table const { 127/8, 10/8, 172.16/12, 192.168/16 }
table const { xxx.yyy.zzz.18, xxx.yyy.zzz.19, xxx.yyy.zzz.20, xxx.yyy.zzz.21 }

###########
# OPTIONS #
###########

#################
# NORMALIZATION #
#################
scrub in all fragment reassemble

############
# QUEUEING #
############

###############
# TRANSLATION #
###############
# NAT workstations
nat on $ext_if from $int_net to any -> $ext_nat_addr
# NAT servers external requests
nat on $ext_if from $dmz_net to any -> $ext_nat_addr

###############
# REDIRECTION #
###############
# Outgoing FTP requests to the ftp-proxy
#
# NOTE: ftp-proxy is to help FTP CLIENTS behind a PF filter; it is NOT used to handle an
# FTP SERVER behind a PF filter.
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
# WWW server access
rdr on $ext_if proto tcp from any to $ext_if port http -> $dmz_http_addr port http
# FTP server access (VSFTP on lab5 uses 30000-30999; if we change ftp servers then modify)
rdr on $ext_if proto tcp from any to $ext_ftp_addr port 21 -> $dmz_ftp_addr port 21
rdr on $ext_if proto tcp from any to $ext_ftp_addr port 30000:30999 -> $dmz_ftp_addr port 30000:30999

#############
# FILTERING #
#############
block in log all
block out log all
pass quick on lo0 all
block in log quick on $ext_if from to any
block out quick on $ext_if from any to
antispoof quick for { $int_if, $dmz_if } inet
pass in on $ext_if proto tcp from any to $dmz_http_addr port http flags S/SA synproxy state
# FTP Client active connections working with ftp-proxy
pass in on $ext_if inet proto tcp from port ftp-data to $ext_if user proxy flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
# Enables FTP active mode connections. See the redirection section for the line that enables
# FTP passive.
#
# NOTE: ftp-proxy is to help FTP CLIENTS behind a PF filter; it is NOT used to handle an
# FTP SERVER behind a PF filter.
#pass in on $ext_if inet proto tcp from port ftp-data to $ext_nat_addr user proxy flags S/SA keep state
# FTP Server specific rules
pass in quick on $ext_if proto tcp from any to $dmz_ftp_addr port 21 keep state
pass in quick on $ext_if proto tcp from any to $dmz_ftp_addr port > 29999 keep state
pass out quick on $dmz_if proto tcp from any to $dmz_ftp_addr port 21 keep state
pass out quick on $dmz_if proto tcp from any to $dmz_ftp_addr port > 29999 keep state
# Pass all traffic to and from the Internal Network
pass in on $int_if from $int_net to any keep state
#pass out on $int_if from any to $int_net keep state
# Pass all traffic to and from the DMZ Network
pass in on $dmz_if from $dmz_net to any keep state
pass out on $dmz_if from any to $dmz_net keep state
# Pass TCP, UDP, and ICMP out on the external (Internet) interface.
# keep state on udp and icmp and modulate state on tcp
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 16 08:14:47 2006
From: Alexander Vyrlanovich
To: freebsd-pf@freebsd.org
Date: Mon, 16 Jan 2006 10:14:55 +0200
Message-Id: <4007E994-E349-44D4-9356-9DF1A5E1098E@apple-park.kiev.ua>
Subject: pf and pptp

Hi All!

Last week I moved my firewall from ipfw to pf on a gateway (FreeBSD RELENG_6_0 i386). All works fine except NAT'ed pptp connections. Only one PC client can establish a pptp VPN at the same time. After some Google searching I found this article: http://www.benzedrine.cx/pf/msg04961.html. Can anybody confirm that the situation with NATing GRE packets with PF still persists, or is there something wrong with my firewall rules?
Sincerely,
Alexander Vyrlanovich

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 16 10:18:24 2006
From: "Josh Finlay"
To: freebsd-pf@freebsd.org
Date: Mon, 16 Jan 2006 20:18:22 +1000
Message-ID: <025201c61a86$2e7383e0$0600a8c0@delta>
Subject: Multiple DSL lines, load sharing / shaping

Hi,

My scenario: originally we started out with 512Kbps SDSL; this wasn't enough bandwidth. We have no access to anything faster than this (except 1.5Mbps ADSL, but then our upstream drops to 256kbps - not acceptable), so we have had 4 additional lines installed...

So what I now need to know is how I go about sharing these connections evenly to the rest of the network?

The SDSL lines live on: de0, de1, de2, de3, de4, de5. Each interface is connected to an ADSL modem, with an established connection to the provider. de6 is the interface that provides connectivity to the rest of the network.

Can I use a "round-robin" NAT or something similar? I am extremely lost as to how to properly share these connections...

Regards,
Josh Finlay

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 16 11:02:47 2006
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 16 Jan 2006 11:02:35 GMT
Message-Id: <200601161102.k0GB2ZhN084950@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems
Serious problems

S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2005/06/15]  kern/82271  pf    [pf] cbq scheduler cause bad latency
f [2005/07/31]  kern/84370  pf    [modules] Unload pf.ko cause page fault
f [2005/09/13]  kern/86072  pf    [pf] Packet Filter rule not working prope

3 problems total.

Non-critical problems

S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2005/05/15]  conf/81042  pf    [pf] [patch] /etc/pf.os doesn't match Fre
o [2005/12/09]  kern/90148  pf    [pf] pf_enable="YES" -> Fatal trap 12: pa

2 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 16 16:14:10 2006
From: Scott Ullrich
To: Alexander Vyrlanovich
Cc: freebsd-pf@freebsd.org
Date: Mon, 16 Jan 2006 11:14:08 -0500
In-Reply-To: <4007E994-E349-44D4-9356-9DF1A5E1098E@apple-park.kiev.ua>
References: <4007E994-E349-44D4-9356-9DF1A5E1098E@apple-park.kiev.ua>
Subject: Re: pf and pptp

On 1/16/06, Alexander Vyrlanovich wrote:
> Last week I moved my firewall from ipfw to pf on a gateway (FreeBSD
> RELENG_6_0 i386).
> All work fine except nat'ed pptp connections. Only one PC client can
> establish pptp VPN at the same time. After some google search I found this
> article: http://www.benzedrine.cx/pf/msg04961.html.
>
> Can anybody confirm, that situation with nating GRE packets with PF
> still persist or there is something wrong with my firewall rules?

Yep, this is a known limitation. We've been looking around for a PPTP proxy helper to no avail. Frickin PPTP seems about the closest match but would require some modifications to make it work correctly. We see the same problems with pfSense often.
Scott

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 16 16:16:45 2006
From: Scott Ullrich
To: Josh Finlay
Cc: freebsd-pf@freebsd.org
Date: Mon, 16 Jan 2006 11:16:37 -0500
In-Reply-To: <025201c61a86$2e7383e0$0600a8c0@delta>
References: <025201c61a86$2e7383e0$0600a8c0@delta>
Subject: Re: Multiple DSL lines, load sharing / shaping

On 1/16/06, Josh Finlay wrote:
[...snip...]
> Can I use a "round-robin" NAT or something similar?

Sure, you can use round-robin to send the traffic out. Take a look at http://www.openbsd.org/faq/pf/pools.html, which helped me out quite a bit when building multiple WAN support into pfSense.

Scott

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 17 05:40:15 2006
From: derth@wbs.co.za
To: freebsd-pf@freebsd.org
Date: Tue, 17 Jan 2006 07:40:03 +0200 (SAST)
Message-ID: <18525.196.2.148.70.1137476403.squirrel@webmail.wbs.co.za>
Subject: PF + PPPoE

Good day,

I am using FreeBSD 6.0 with PF and running an ADSL PPPoE internet connection.
My PF ruleset uses tun0 for the external interface, but sometimes the ppp dialler does not start in time and the PF rules fail to load. Then after a few seconds the PPPoE connection gets established and I have no firewall.

Does anyone know of a way around this problem?

Thanks
Rudi

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 17 06:21:36 2006
From: Bill Marquette
To: "derth@wbs.co.za"
Cc: freebsd-pf@freebsd.org
Date: Tue, 17 Jan 2006 00:21:30 -0600
Message-ID: <55e8a96c0601162221w24026424j6c2eeec684db8bb1@mail.gmail.com>
In-Reply-To: <18525.196.2.148.70.1137476403.squirrel@webmail.wbs.co.za>
References: <18525.196.2.148.70.1137476403.squirrel@webmail.wbs.co.za>
Subject: Re: PF + PPPoE

On 1/16/06, derth@wbs.co.za wrote:
> Good day,
>
> I am using freebsd 6.0 with PF and running a ADSL PPPoE internet connection.
>
> My PF ruleset uses tun0 for the external interface but sometimes the ppp
> dialler does not start in time and the PF rules fail to load. Then after
> a few seconds the PPPoE connection get's established and I have no
> firewall.
>
> Does anyone know of a way around this problem?

Without the ruleset it's going to be kind of difficult to help. This does work, which means there's something wrong with your rules.

--Bill

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 17 06:32:57 2006
From: derth@wbs.co.za
To: "freebsd-pf@freebsd.org"
Date: Tue, 17 Jan 2006 08:31:28 +0200 (SAST)
Message-ID: <16246.196.2.148.70.1137479488.squirrel@webmail.wbs.co.za>
Subject: Re: PF + PPPoE

>Without the ruleset it's going to be kind of difficult to help. This
>does work, which means there's something wrong with your rules.
>
>--Bill

My apologies, here is my pf.conf file:

#define Macros
ext_if = "tun0"
int_if = "fxp0"
tcp_services = "22"
priv_net = "{ 127.0.0.0/8, 192.168.0.0/24, 172.16.0.0/12, 10.0.0.0/8 }"
secure_mail ="196.*.*.*"
tech_net ="196.*.*.*/24"
admin_mweb ="196.*.*.*"
allow_web ="{ 196.*.*.*, 196.*.*.*, 196.*.*.*, 196.*.*.*, tun0 }"

#options
set block-policy return
set loginterface $ext_if

#Scrubs
scrub in all

#Nat
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 6161

#Rules
pass in log quick on $int_if inet proto tcp from any to 127.0.0.1 port 6161 keep state

# immediately prevent IPv6 traffic from entering or leaving all interfaces
block log quick inet6 all

#default to deny
block in log all
block out log all

# Block bad tcp flags from malicious people and nmap scans
block in log quick on $ext_if proto tcp from any to any flags /S
block in log quick on $ext_if proto tcp from any to any flags /SFRA
block in log quick on $ext_if proto tcp from any to any flags /SFRAU
block in log quick on $ext_if proto tcp from any to any flags A/A
block in log quick on $ext_if proto tcp from any to any flags F/SFRA
block in log quick on $ext_if proto tcp from any to any flags U/SFRAU
block in log quick on $ext_if proto tcp from any to any flags SF/SF
block in log quick on $ext_if proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if proto tcp from any to any flags SR/SR
block in log quick on $ext_if proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if proto tcp from any to any flags FUP/SFRAUPEW
block in log quick on $ext_if proto tcp from any to any flags SFRAU/SFRAU
block in log quick on $ext_if proto tcp from any to any flags SFRAUP/SFRAUP
block in log quick on $ext_if proto tcp all flags FUP/FUP

#allow loopback
pass quick on lo0 all

#block private networks from inside out
block drop in log quick on $ext_if from $priv_net to any
block drop out log quick on $ext_if from any to $priv_net

#allow internal network out
pass in log on $int_if from $int_if:network to any keep state

#VPN out from internal network
pass in log on $int_if proto gre keep state
pass in log on $int_if proto tcp from any to any port 1723 keep state
pass out log on $ext_if proto gre keep state
pass out log on $ext_if proto tcp from any to any port 1723 keep state

#allow admin.mweb.net inside
pass in log on $ext_if proto tcp from $admin_mweb to $ext_if port 22 keep state
pass in log on $ext_if proto tcp from $tech_net to $ext_if port 22 keep state

#allow mweb staff web inside
pass in log on $ext_if proto tcp from $allow_web to $ext_if port 80 keep state
pass out log on $ext_if from $int_if:network to any keep state

#allow from fw to out
pass out on $ext_if inet proto tcp from any to any port www keep state
pass out log on $ext_if proto tcp all modulate state flags S/SA
pass out log on $ext_if proto { udp, icmp } all keep state

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 17 07:20:04 2006
From: Bill Marquette
To: "derth@wbs.co.za"
Cc: "freebsd-pf@freebsd.org"
Date: Tue, 17 Jan 2006 01:20:02 -0600
Message-ID: <55e8a96c0601162320u43488aefqd6bb35c2fe689205@mail.gmail.com>
In-Reply-To: <16246.196.2.148.70.1137479488.squirrel@webmail.wbs.co.za>
References: <16246.196.2.148.70.1137479488.squirrel@webmail.wbs.co.za>
Subject: Re: PF + PPPoE

On 1/17/06, derth@wbs.co.za wrote:
> >Without the ruleset it's going to be kind of difficult to help. This
> >does work, which means there's something wrong with your rules.
> >
> >--Bill
>
> My apologies, here is my pf.conf file:
>
> #define Macros
> ext_if = "tun0"
> int_if = "fxp0"
> tcp_services = "22"
> priv_net = "{ 127.0.0.0/8, 192.168.0.0/24, 172.16.0.0/12, 10.0.0.0/8 }"
> secure_mail ="196.*.*.*"
> tech_net ="196.*.*.*/24"
> admin_mweb ="196.*.*.*"
> allow_web ="{ 196.*.*.*, 196.*.*.*, 196.*.*.*, 196.*.*.*, tun0 }"

Interesting. After replacing the 196.* addresses with fake addresses, pfctl parses this just fine on my FreeBSD 6 box. I did wrap tun0 in the allow_web macro with parens, but pfctl -nf was happy with the ruleset before and after, and I've got no tun0. What's the error you're getting?

--Bill

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 17 11:14:58 2006
From: stephen
To: "derth@wbs.co.za"
Date: Tue, 17 Jan 2006 13:14:56 +0200
In-Reply-To:
<55e8a96c0601162221w24026424j6c2eeec684db8bb1@mail.gmail.com>
Cc: freebsd-pf@freebsd.org
References: <18525.196.2.148.70.1137476403.squirrel@webmail.wbs.co.za> <55e8a96c0601162221w24026424j6c2eeec684db8bb1@mail.gmail.com>
Subject: Re: PF + PPPoE

what rudi means to say is, in his rc.conf he has stuck instructions for his ppp to start on boot, and for pf to load on boot.

problem is freebsd creates tun0 when ppp runs for the first time, not when the machine boots up, and as his pf.conf refers to tun0, pf won't start if it runs before ppp has started as there is no tun0 device and pf bombs out saying 'no such device'. (i know cause i had similar issue ;-)

what i did was make a start script in /usr/local/etc/rc.d/ that runs ppp, sleeps for 30 seconds (should be more than enough - i use telkom's adsl which takes about 10 seconds, and i think my mate's iburst connects in less than 30 seconds) and -then- runs pf -f /etc/pf.conf

that should do the trick

stephen

On 1/16/06, derth@wbs.co.za wrote:
> Good day,
>
> I am using freebsd 6.0 with PF and running a ADSL PPPoE internet connection.
>
> My PF ruleset uses tun0 for the external interface but sometimes the ppp
> dialler does not start in time and the PF rules fail to load. Then after
> a few seconds the PPPoE connection get's established and I have no
> firewall.
>
> Does anyone know of a way around this problem?
>
> Without the ruleset it's going to be kind of difficult to help. This
> does work, which means there's something wrong with your rules.

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 17 19:06:21 2006
From: Bill Marquette
To: stephen
Cc: freebsd-pf@freebsd.org
Date: Tue, 17 Jan 2006 13:06:13 -0600
Message-ID: <55e8a96c0601171106h497a091du91ba3f5ea2465e33@mail.gmail.com>
References: <18525.196.2.148.70.1137476403.squirrel@webmail.wbs.co.za> <55e8a96c0601162221w24026424j6c2eeec684db8bb1@mail.gmail.com>
Subject: Re: PF + PPPoE
"Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Jan 2006 19:06:21 -0000 On 1/17/06, stephen wrote: > what rudi means to say is, in his rc.conf he has stuck instructions > for his ppp to start on boot, and for pf to load on boot. problem is > freebsd creates tun0 when ppp runs for the first time, not when the > machine boots up, and as his pf.conf refers to tun0, pf won't start if > it runs before ppp has started as there is no tun0 device and pf bombs > out saying 'no such device'. (i know cause i had similar issue ;-) > > what i did was make a start script in /usr/local/etc/rc.d/ that runs > ppp, sleeps for 30 seconds (should be more than enough - i use > telkom's adsl which takes about 10 seconds, and i think my mate's > iburst connects in less than 30 seconds) and -then- runs pf -f > /etc/pf.conf > > that should do the trick And yet pf doesn't care about interfaces that don't exist if your syntax is correct. # cat f nat on tun0 from lo0:network to any -> (tun0) pass in on tun0 from any to (tun0) # pfctl -f f # pfctl -sr pass in on tun0 from any to (tun0) # ifconfig tun0 ifconfig: interface tun0 does not exist There's numerous syntax errors in his config - mainly all around not surrounding interfaces with parens. The following parses and loads just fine on my box (which has neither tun0 or fxp0). Note that I had to comment out the set loginterface which can't possibly work if tun0 doesn't exist. 
--Bill #define Macros ext_if =3D "tun0" int_if =3D "fxp0" tcp_services =3D "22" priv_net =3D "{ 127.0.0.0/8, 192.168.0.0/24, 172.16.0.0/12, 10.0.0.0/8 }" secure_mail =3D"196.1.1.1" tech_net =3D"196.1.1.1/24" admin_mweb =3D"196.1.1.1" allow_web =3D"{ 196.1.1.1, 196.2.2.2, 196.2.2.2, 196.3.3.3, (tun0) }" #options set block-policy return #set loginterface $ext_if #Scrubs scrub in all #Nat nat on $ext_if from ($int_if:network) to any -> ($ext_if) rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 61= 61 #Rules pass in log quick on $int_if inet proto tcp from any to 127.0.0.1 port 6161 keep state # immediately prevent IPv6 traffic from entering or leaving all interfaces block log quick inet6 all #default to deny block in log all block out log all # Block bad tcp flags from malicious people and nmap scans block in log quick on $ext_if proto tcp from any to any flags /S block in log quick on $ext_if proto tcp from any to any flags /SFRA block in log quick on $ext_if proto tcp from any to any flags /SFRAU block in log quick on $ext_if proto tcp from any to any flags A/A block in log quick on $ext_if proto tcp from any to any flags F/SFRA block in log quick on $ext_if proto tcp from any to any flags U/SFRAU block in log quick on $ext_if proto tcp from any to any flags SF/SF block in log quick on $ext_if proto tcp from any to any flags SF/SFRA block in log quick on $ext_if proto tcp from any to any flags SR/SR block in log quick on $ext_if proto tcp from any to any flags FUP/FUP block in log quick on $ext_if proto tcp from any to any flags FUP/SFRAUPEW block in log quick on $ext_if proto tcp from any to any flags SFRAU/SFRAU block in log quick on $ext_if proto tcp from any to any flags SFRAUP/SFRAUP block in log quick on $ext_if proto tcp all flags FUP/FUP #allow loopback pass quick on lo0 all #block private networks from inside out block drop in log quick on $ext_if from $priv_net to any block drop out log quick on $ext_if from any to $priv_net #allow 
interal network out pass in log on $int_if from ($int_if:network) to any keep state #VPN out from internal network pass in log on $int_if proto gre keep state pass in log on $int_if proto tcp from any to any port 1723 keep state pass out log on $ext_if proto gre keep state pass out log on $ext_if proto tcp from any to any port 1723 keep state #allow admin.mweb.net inside pass in log on $ext_if proto tcp from $admin_mweb to ($ext_if) port 22 keep state pass in log on $ext_if proto tcp from $tech_net to ($ext_if) port 22 keep = state #allow mweb staff web inside pass in log on $ext_if proto tcp from $allow_web to ($ext_if) port 80 keep = state pass out log on $ext_if from ($int_if:network) to any keep state #allow from fw to out pass out on $ext_if inet proto tcp from any to any port www keep state pass out log on $ext_if proto tcp all modulate state flags S/SA pass out log on $ext_if proto { udp, icmp } all keep state From owner-freebsd-pf@FreeBSD.ORG Tue Jan 17 21:10:20 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2B0E616A41F for ; Tue, 17 Jan 2006 21:10:20 +0000 (GMT) (envelope-from js.lists@gmail.com) Received: from xproxy.gmail.com (xproxy.gmail.com [66.249.82.206]) by mx1.FreeBSD.org (Postfix) with ESMTP id 78E0B43D79 for ; Tue, 17 Jan 2006 21:10:12 +0000 (GMT) (envelope-from js.lists@gmail.com) Received: by xproxy.gmail.com with SMTP id s9so1125154wxc for ; Tue, 17 Jan 2006 13:10:11 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:content-type:content-transfer-encoding; b=sZcUqz4hZ1dA+/nYcwxbuQzAfDK1037cY9c6b23JhjdqoYc5fu9xT78lwD1vg9qh3r+RZDXbxlXguAx70rFjVQ1AqK57eN8TMo7HwMz1XbXoN2k+n6zXtiOFU8qltV4WSsUVPfnjrHL4w3tmv1vdcQcku5hTt3mpf2CEHFFuajU= Received: by 10.70.69.10 with SMTP id 
r10mr9679907wxa; Tue, 17 Jan 2006 13:10:11 -0800 (PST) Received: from ?10.100.58.33? ( [204.176.49.44]) by mx.gmail.com with ESMTP id i34sm9677384wxd.2006.01.17.13.10.10; Tue, 17 Jan 2006 13:10:11 -0800 (PST) Message-ID: <43CD5D2D.8080208@gmail.com> Date: Tue, 17 Jan 2006 13:10:05 -0800 From: Joe S User-Agent: Thunderbird 1.5 (Windows/20051201) MIME-Version: 1.0 To: derth@wbs.co.za References: <18525.196.2.148.70.1137476403.squirrel@webmail.wbs.co.za> In-Reply-To: <18525.196.2.148.70.1137476403.squirrel@webmail.wbs.co.za> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-pf@freebsd.org Subject: Re: PF + PPPoE X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Jan 2006 21:10:20 -0000 Easy. In the file /etc/ppp/ppp.linkup add these 2 lines MYADDR: ! sh -c "/sbin/pfctl -ef /etc/pf.conf" This will enable your pf rules every time the link comes up. derth@wbs.co.za wrote: > Good day, > > I am using freebsd 6.0 with PF and running a ADSL PPPoE internet connection. > > My PF ruleset uses tun0 for the external interface but sometimes the ppp > dialler does not start in time and the PF rules fail to load. Then after > a few seconds the PPPoE connection get's established and I have no > firewall. > > Does anyone know of a way around this problem? 
> > Thanks > Rudi > > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > From owner-freebsd-pf@FreeBSD.ORG Wed Jan 18 08:52:20 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2DDE916A41F for ; Wed, 18 Jan 2006 08:52:20 +0000 (GMT) (envelope-from montarotech@optusnet.com.au) Received: from mail16.syd.optusnet.com.au (mail16.syd.optusnet.com.au [211.29.132.197]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8DFD243D45 for ; Wed, 18 Jan 2006 08:52:19 +0000 (GMT) (envelope-from montarotech@optusnet.com.au) Received: from delta (d220-236-168-125.dsl.nsw.optusnet.com.au [220.236.168.125]) by mail16.syd.optusnet.com.au (8.12.11/8.12.11) with SMTP id k0I8qHP4015923; Wed, 18 Jan 2006 19:52:17 +1100 Message-ID: <006801c61c0c$7e1aaae0$0600a8c0@delta> From: "Josh Finlay" To: "Scott Ullrich" References: <025201c61a86$2e7383e0$0600a8c0@delta> Date: Wed, 18 Jan 2006 18:52:19 +1000 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 Cc: freebsd-pf@freebsd.org Subject: Re: Multiple DSL lines, load sharing / shaping X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Jan 2006 08:52:20 -0000 Hi, Took a good look at that link, sounds like it might do the trick. However I am curious about something... We have 5x 512kbps SDSL lines. 
Totalling 2560kbps. Is there any possible way to "bind" these lines together to make use of a full 2560kbps at once? Because with the round-robin method, it will pick a random address from the pool (in this case, one of the 5 lines) and utilize that which will only achieve 512kbps at a maximum. I have heard of extremely expensive cisco solutions to do similar to this, but we've already forked out enough on hardware and connections so we're trying to do this part a bit cheaper. Look forward to hearing any ideas you might have. Regards, Josh Finlay ----- Original Message ----- From: "Scott Ullrich" To: "Josh Finlay" Cc: Sent: Tuesday, January 17, 2006 2:16 AM Subject: Re: Multiple DSL lines, load sharing / shaping > On 1/16/06, Josh Finlay wrote: > [...snip...] >> Can I use a "round-robin" NAT or something similar? > > Sure, you can use round-robin to send the traffic out. Take a look at > http://www.openbsd.org/faq/pf/pools.html which helped me out quite a > bit when building multiple WAN support into pfSense. 
> > Scott > From owner-freebsd-pf@FreeBSD.ORG Wed Jan 18 10:17:07 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A614616A422 for ; Wed, 18 Jan 2006 10:17:07 +0000 (GMT) (envelope-from lists@wm-access.no) Received: from lakepoint.domeneshop.no (lakepoint.domeneshop.no [194.63.248.54]) by mx1.FreeBSD.org (Postfix) with ESMTP id EFDC043D48 for ; Wed, 18 Jan 2006 10:17:04 +0000 (GMT) (envelope-from lists@wm-access.no) Received: from [192.168.9.8] (gw1.arcticwireless.no [80.203.184.14]) (authenticated bits=0) by lakepoint.domeneshop.no (8.13.4/8.13.4) with ESMTP id k0IAH3nQ027937 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 18 Jan 2006 11:17:03 +0100 Message-ID: <43CE159D.6070000@wm-access.no> Date: Wed, 18 Jan 2006 11:17:01 +0100 From: =?ISO-8859-1?Q?Sten_Daniel_S=F8rsdal?= User-Agent: Thunderbird 1.5 (Windows/20051201) MIME-Version: 1.0 To: Josh Finlay References: <025201c61a86$2e7383e0$0600a8c0@delta> <006801c61c0c$7e1aaae0$0600a8c0@delta> In-Reply-To: <006801c61c0c$7e1aaae0$0600a8c0@delta> X-Enigmail-Version: 0.94.0.0 OpenPGP: id=D6F56A9B Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enigB607EE19A3CE250B4AAD545E" Cc: freebsd-pf@freebsd.org Subject: Re: Multiple DSL lines, load sharing / shaping X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Jan 2006 10:17:07 -0000 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigB607EE19A3CE250B4AAD545E Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Josh Finlay wrote: > Hi, >=20 > Took a good look at that 
link, sounds like it might do the trick. >=20 > However I am curious about something... > We have 5x 512kbps SDSL lines. > Totalling 2560kbps. > Is there any possible way to "bind" these lines together to make use of= > a full 2560kbps at once? Because with the round-robin method, it will > pick a random address from the pool (in this case, one of the 5 lines) > and utilize that which will only achieve 512kbps at a maximum. I have > heard of extremely expensive cisco solutions to do similar to this, but= I used ipfw's "fwd" with "prob" to max out 2 x 2mbit lines back when v4.8/9/10 was released . It takes some effort to get Just Right (tm) but it can be done. Tips: Do not use keep-state on the fwd rules (infact you might want to try to avoid ipfw for the actual filtering), NAT or multiple providers breaks things too. I had to avoid using fast-forwarding but this might be better now. > we've already forked out enough on hardware and connections so we're > trying to do this part a bit cheaper. Oh haven't we all, that's why we started saving up for the luxury of testing configurations before rolling them, even with something so comfortably flexible as FreeBSD. 
:P~~ --=20 Sten Daniel S=F8rsdal --------------enigB607EE19A3CE250B4AAD545E Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFDzhWdMvOF8Nb1apsRApYVAJwL9jZwGEQcn6LgXXNan8U3JSh01ACfWKl0 LTT92fQocNvPyI3PhbOnBmc= =EEEF -----END PGP SIGNATURE----- --------------enigB607EE19A3CE250B4AAD545E-- From owner-freebsd-pf@FreeBSD.ORG Wed Jan 18 10:19:32 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9D5A516A41F for ; Wed, 18 Jan 2006 10:19:32 +0000 (GMT) (envelope-from dinzdale@gmail.com) Received: from zproxy.gmail.com (zproxy.gmail.com [64.233.162.195]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2C3AF43D46 for ; Wed, 18 Jan 2006 10:19:31 +0000 (GMT) (envelope-from dinzdale@gmail.com) Received: by zproxy.gmail.com with SMTP id l1so1400858nzf for ; Wed, 18 Jan 2006 02:19:31 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=AQ/9RgVKB+ghZ71rVh/cflTPHKR9cMlGRnhLGYzQcvEUNbmez6kUT4xFSlxwxSlH9ormuo7cznvB446674ZOlcoSNxM/M8M+pQmmvdk5tyqfhYH99gNfTZHaKal/8Zmbt/He37Jek+d9lq5z7hWsYB9dcV16xwHU4rJCDE+cIso= Received: by 10.36.77.8 with SMTP id z8mr6795535nza; Wed, 18 Jan 2006 02:19:31 -0800 (PST) Received: by 10.36.250.66 with HTTP; Wed, 18 Jan 2006 02:19:31 -0800 (PST) Message-ID: Date: Wed, 18 Jan 2006 12:19:31 +0200 From: stephen To: Bill Marquette In-Reply-To: <55e8a96c0601171106h497a091du91ba3f5ea2465e33@mail.gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 
quoted-printable Content-Disposition: inline References: <18525.196.2.148.70.1137476403.squirrel@webmail.wbs.co.za> <55e8a96c0601162221w24026424j6c2eeec684db8bb1@mail.gmail.com> <55e8a96c0601171106h497a091du91ba3f5ea2465e33@mail.gmail.com> Cc: freebsd-pf@freebsd.org Subject: Re: PF + PPPoE X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Jan 2006 10:19:32 -0000 On 1/17/06, Bill Marquette wrote: > And yet pf doesn't care about interfaces that don't exist if your > syntax is correct. > Note that I had > to comment out the set loginterface which can't possibly work if tun0 > doesn't exist. so pretty much it won't load at start time if the device doesn't exist? i'll restart my 5.3 freebsd gateway box after work today and see what error it spits out, but i know for sure it doesn't load my ruleset. 
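The thread offers three ways round the tun0 race: stephen's rc.d script that sleeps and then loads the ruleset, Joe S's ppp.linkup hook, and Bill's point that a ruleset whose interface references are parenthesised loads even when the interface is absent. The first two still leave Rudi's window in which the box is up with no ruleset at all. The script below is an added example written for this archive, not code from the thread, from FreeBSD or from pf: it loads a deny-all fallback that names no interface (so it always parses), then waits for the interface and only then swaps in the real ruleset after a parse-only check. The fallback path /etc/pf.fallback.conf, the PFCTL override, the optional probe argument and the "start" entry point are assumptions of this example.

```shell
#!/bin/sh
# Two-stage pf start for a PPPoE gateway whose external interface (tun0)
# does not exist until ppp has dialled.  Stage 1 loads a deny-all ruleset
# that names no interface, so it always parses; stage 2 waits for the
# interface and only then replaces it with the real ruleset.
# Constructed example for this thread; the paths below are assumptions.
FALLBACK_CONF=${FALLBACK_CONF:-/etc/pf.fallback.conf}   # assumed path
PFCTL=${PFCTL:-/sbin/pfctl}                             # overridable for testing

# Writes a minimal ruleset that references no interface.  pf filters IP,
# not PPPoE's own discovery/session frames, so ppp can still dial under it.
write_fallback_ruleset() {
    cat > "$1" <<'EOF'
# temporary ruleset: nothing in or out except loopback until tun0 exists
pass quick on lo0 all
block all
EOF
}

# Stage 1: enable pf with the fallback ruleset so the box is never
# unfiltered while ppp is still dialling.
pf_load_fallback() {
    write_fallback_ruleset "$FALLBACK_CONF" || return 1
    "$PFCTL" -f "$FALLBACK_CONF" || return 1
    # "pfctl -e" exits non-zero when pf is already enabled; not an error here
    "$PFCTL" -e 2>/dev/null || true
}

# wait_for_iface IFACE [TIMEOUT] [PROBE]: polls "PROBE IFACE" once per
# second until it succeeds or TIMEOUT seconds pass.  The default probe is
# ifconfig, which exits non-zero for a missing interface (Bill's
# "ifconfig: interface tun0 does not exist").
wait_for_iface() {
    iface=$1; timeout=${2:-30}; probe=${3:-ifconfig}
    n=0
    while [ "$n" -lt "$timeout" ]; do
        "$probe" "$iface" >/dev/null 2>&1 && return 0
        n=$((n + 1))
        sleep 1
    done
    return 1
}

# Stage 2: once IFACE exists, parse-check CONF with -n (a typo then leaves
# the fallback in place instead of an empty ruleset) and swap it in.
# Returns 0 loaded, 2 interface never appeared, 3 CONF rejected by pfctl.
pf_load_when_up() {
    iface=$1; conf=$2; timeout=${3:-30}; probe=${4:-ifconfig}
    wait_for_iface "$iface" "$timeout" "$probe" || return 2
    "$PFCTL" -nf "$conf" || return 3
    "$PFCTL" -f "$conf"
}

# rc.d-style entry point; assumed to run right after ppp has been started.
if [ "${1:-}" = "start" ]; then
    pf_load_fallback
    pf_load_when_up tun0 /etc/pf.conf 30
fi
```

Because the fallback is already enabled, the real ruleset is loaded with plain -f rather than Joe S's -ef, which would exit non-zero on an already-enabled pf. Bill's advice still applies to the real ruleset: interface-derived addresses belong in parens, and "set loginterface tun0" is only safe because stage 2 guarantees the interface exists before that file is parsed.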
From owner-freebsd-pf@FreeBSD.ORG Wed Jan 18 11:26:50 2006
From: "Josh Finlay"
To: Sten Daniel Sørsdal
Cc: freebsd-pf@freebsd.org
Date: Wed, 18 Jan 2006 21:26:47 +1000
Subject: Re: Multiple DSL lines, load sharing / shaping
Message-ID: <007b01c61c22$120ebf60$0600a8c0@delta>
References: <025201c61a86$2e7383e0$0600a8c0@delta> <006801c61c0c$7e1aaae0$0600a8c0@delta> <43CE159D.6070000@wm-access.no>

Hi Sten,

Ahh.. well that will be something for me to look into then. Give me a starting point anyway.

Don't suppose you've had experience doing it in PF? ;-)

Now here is what I don't get
We have 5x512=2560kbps (note: each line has a separate IP address, same provider though).
We want to download a file over HTTP
Browser sends "GET /path/to/file HTTP/1.1", etc.. from IP1
And Web server sends headers and file contents back to IP1
and since IP1 is only a 512kbps line, it would seem to me that it wouldn't be possible to achieve anything higher than 512kbps or attempt to incorporate any of the other lines into the transfer because that would just confuse the server.

My only thought was that if you received over a proxy (or used a download manager with segmentation features, like that horrible windows program GetRight) and the proxy would get the file size, divide it into how many lines/ips I had (in this case, 5) and then ask for bytes 0 -> first part, and start concurrent connections for first part -> second part, third -> fourth, etc. In a similar way that a resume would work..
Does this make sense? Or is there an extremely easier way of doing things that I just wasn't aware of yet?

Look forward to hearing some responses...

Regards,
Josh Finlay

----- Original Message -----
From: "Sten Daniel Sørsdal"
To: "Josh Finlay"
Cc: freebsd-pf@freebsd.org
Sent: Wednesday, January 18, 2006 8:17 PM
Subject: Re: Multiple DSL lines, load sharing / shaping

From owner-freebsd-pf@FreeBSD.ORG Wed Jan 18 11:29:36 2006
From: "Josh Finlay"
To: "Josh Finlay", Sten Daniel Sørsdal
Cc: freebsd-pf@freebsd.org
Date: Wed, 18 Jan 2006 21:29:32 +1000
Subject: Re: Multiple DSL lines, load sharing / shaping
Message-ID: <008201c61c22$74a34240$0600a8c0@delta>
References: <025201c61a86$2e7383e0$0600a8c0@delta> <006801c61c0c$7e1aaae0$0600a8c0@delta> <43CE159D.6070000@wm-access.no> <007b01c61c22$120ebf60$0600a8c0@delta>

I should also mention that each downloaded part would come from a different IP address, so part 1 would be from IP1, part 2 from IP2, part 3 from IP3, etc etc. All downloading concurrently, each part utilizing the 512kbps of each line... Then being possible to utilize the overall bandwidth of all available connections...
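Josh's question above (a round-robin pool that hands each new connection to one of the five lines) and Sten's warning earlier in the thread that NAT breaks per-packet forwarding point at the same design: pick a line per session, never per packet, so that the NAT state and the reply path agree. The generator below is an added example for this archive, not code from the thread, from pfSense or from the OpenBSD FAQ page Scott linked. The interface names, gateway addresses and LAN prefix are placeholders passed in by the caller, and PFCTL is a test hook; whether sticky-address is accepted on a route-to pool on a given pf version is an assumption to verify with pfctl -nf.

```shell
#!/bin/sh
# Generates a pf ruleset that spreads outbound sessions from the LAN over
# several DSL lines, one session per line, instead of trying to bond them.
# Constructed example for this thread; interface names, gateways and the
# LAN prefix are whatever the caller passes, not values from the list.
PFCTL=${PFCTL:-/sbin/pfctl}   # overridable so the generator can be tested without pf

# gen_multiwan_rules INT_IF LAN_NET WAN_IF:GATEWAY [WAN_IF:GATEWAY ...]
# Prints the ruleset on stdout.  Translation rules are printed first
# because pf requires nat/rdr rules before filter rules.
gen_multiwan_rules() {
    int_if=$1; lan_net=$2; shift 2
    pool=""
    for link in "$@"; do
        wan_if=${link%%:*}
        wan_gw=${link#*:}
        # Each line NATs to its own address, so the remote end answers on
        # the line the session left on; "(if)" tracks a changing address.
        echo "nat on $wan_if from $lan_net to any -> ($wan_if)"
        pool="$pool${pool:+, }($wan_if $wan_gw)"
    done
    # "keep state" pins a connection to the line chosen when it was opened
    # (per-packet round-robin would break the NAT state, as Sten noted);
    # sticky-address additionally keeps later connections from the same
    # LAN host on that line, which matters for sites that tie a login to
    # the client address.  Assumption: sticky-address is accepted on a
    # route-to pool by the pf in use.
    echo "pass in on $int_if route-to { $pool } round-robin sticky-address from $lan_net to any keep state"
    for link in "$@"; do
        wan_if=${link%%:*}
        echo "pass out on $wan_if from ($wan_if) to any keep state"
    done
}

# write_multiwan_conf FILE INT_IF LAN_NET WAN_IF:GATEWAY ...
# Writes the ruleset to FILE and asks pfctl to parse it without loading (-n),
# so a syntax error is caught before it can replace the live ruleset.
write_multiwan_conf() {
    file=$1; shift
    gen_multiwan_rules "$@" > "$file" || return 1
    "$PFCTL" -nf "$file"
}

# Example invocation with placeholder interfaces and gateways:
#   write_multiwan_conf /tmp/multiwan.conf fxp0 192.168.0.0/24 \
#       dsl0:10.0.0.1 dsl1:10.0.1.1 dsl2:10.0.2.1 dsl3:10.0.3.1 dsl4:10.0.4.1
```

This gives what Josh called a "random address from the pool" per connection, which is the honest limit of a stateful balancer: a single download still runs at one line's 512kbps, while 30 workstations' worth of concurrent sessions spread across all five. Combining the lines for one flow is what multilink ppp, raised later in the thread, is for, and it needs the provider's cooperation.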
From owner-freebsd-pf@FreeBSD.ORG Wed Jan 18 12:09:12 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 96F3F16A41F for ; Wed, 18 Jan 2006 12:09:12 +0000 (GMT) (envelope-from lists@wm-access.no) Received: from lakepoint.domeneshop.no (lakepoint.domeneshop.no [194.63.248.54]) by mx1.FreeBSD.org (Postfix) with ESMTP id E09BA43D48 for ; Wed, 18 Jan 2006 12:09:11 +0000 (GMT) (envelope-from lists@wm-access.no) Received: from [192.168.9.8] (gw1.arcticwireless.no [80.203.184.14]) (authenticated bits=0) by lakepoint.domeneshop.no (8.13.4/8.13.4) with ESMTP id k0IC98cF010194 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 18 Jan 2006 13:09:08 +0100 Message-ID: <43CE2FE1.3020303@wm-access.no> Date: Wed, 18 Jan 2006 13:09:05 +0100 From: =?ISO-8859-1?Q?Sten_Daniel_S=F8rsdal?= User-Agent: Thunderbird 1.5 (Windows/20051201) MIME-Version: 1.0 To: Josh Finlay References: <025201c61a86$2e7383e0$0600a8c0@delta> <006801c61c0c$7e1aaae0$0600a8c0@delta> <43CE159D.6070000@wm-access.no> <007b01c61c22$120ebf60$0600a8c0@delta> In-Reply-To: <007b01c61c22$120ebf60$0600a8c0@delta> X-Enigmail-Version: 0.94.0.0 OpenPGP: id=D6F56A9B Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig258283286F62E0536657B7F1" Cc: freebsd-pf@freebsd.org Subject: Re: Multiple DSL lines, load sharing / shaping X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Jan 2006 12:09:12 -0000 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig258283286F62E0536657B7F1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable 
Josh Finlay wrote: > Hi Sten, >=20 > Ahh.. well that will be something for me to look into then. Give me a > starting point anyway. >=20 > Don't suppose you've had experience doing it in PF? ;-) Is it even possible in PF? > Now here is what I don't get > We have 5x512=3D2560kbps (note: each line has a seperate IP address, sa= me > provider though). > We want to download a file over HTTP > Browser sends "GET /path/to/file HTTP/1.1", etc.. from IP1 > And Web server sends headers and file contents back to IP1 > and since IP1 is only a 512kbps line, it would seem to me that it > wouldn't be possible to achieve anything higher than 512kbps or attempt= > to incorporate any of the other lines into the transfer because that > would just confuse the server. Are you talking about a webserver on your end and IP1 meaning an user from the internet? Or the other way around? And are you using NAT? >=20 > My only thought was that if you received over a proxy (or used a > download manager with segmentation features, like that horrible windows= > program GetRight) and the proxy would get the file size, divide it into= > how many lines/ips I had (in this case, 5) and then ask for bytes 0 -> > first part, and start concurrent connections for first part -> second > part, third -> forth, etc. In a similar way that a resume would work.. > Does this make sense? That can be accomplished if you want. What do you prefer? "packet perfect" forwarding for maximum throughput on your uploads or stream friendly balancing - and perhaps better overall performance - for many users? > Or is there an extremely easier way of doing things that I just wasn't > aware of yet? Have you ever considered multilink ppp? 
--=20 Sten Daniel S=F8rsdal --------------enig258283286F62E0536657B7F1 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFDzi/hMvOF8Nb1apsRAlIJAJ9/ga15gwyCVDBPhp5titQQOsL70ACeLVcI 4rl1I40epG4M6bVPIAo4VW4= =vbWF -----END PGP SIGNATURE----- --------------enig258283286F62E0536657B7F1-- From owner-freebsd-pf@FreeBSD.ORG Wed Jan 18 12:17:59 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1EA3716A41F for ; Wed, 18 Jan 2006 12:17:59 +0000 (GMT) (envelope-from montarotech@optusnet.com.au) Received: from mail21.syd.optusnet.com.au (mail21.syd.optusnet.com.au [211.29.133.158]) by mx1.FreeBSD.org (Postfix) with ESMTP id 78FE443D49 for ; Wed, 18 Jan 2006 12:17:58 +0000 (GMT) (envelope-from montarotech@optusnet.com.au) Received: from delta (d220-236-168-125.dsl.nsw.optusnet.com.au [220.236.168.125]) by mail21.syd.optusnet.com.au (8.12.11/8.12.11) with SMTP id k0ICHtnD019736; Wed, 18 Jan 2006 23:17:55 +1100 Message-ID: <009101c61c29$38736000$0600a8c0@delta> From: "Josh Finlay" To: =?iso-8859-1?Q?Sten_Daniel_S=F8rsdal?= References: <025201c61a86$2e7383e0$0600a8c0@delta> <006801c61c0c$7e1aaae0$0600a8c0@delta> <43CE159D.6070000@wm-access.no> <007b01c61c22$120ebf60$0600a8c0@delta> <43CE2FE1.3020303@wm-access.no> Date: Wed, 18 Jan 2006 22:17:57 +1000 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 Cc: freebsd-pf@freebsd.org Subject: Re: Multiple DSL lines, 
load sharing / shaping X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Jan 2006 12:17:59 -0000 > Is it even possible in PF? I have no idea ;-) > Are you talking about a webserver on your end and IP1 meaning an user > from the internet? Or the other way around? No sorry the other way around. IP1 is one of our lines, and by web server I mean any webserver on the internet. > And are you using NAT? Yes. I was hoping to implement a round-robin NAT as described by another reply to my original post. Providing it all works as I would like it to. > That can be accomplished if you want. > What do you prefer? "packet perfect" forwarding for maximum throughput > on your uploads or stream friendly balancing - and perhaps better > overall performance - for many users? Better overall performance for end users. There is a network of 30 workstations, all in active use about 16hrs of each day. > Have you ever considered multilink ppp? multilink ppp? hmm that is definately something I may have to look into. Infact from memory of waht I know about it, it could possibly be exactly what I am looking for. Do you have much experience with multilink ppp that you could pass on before I jump in blindfolded and bring my whole network down? 
;-) Regards, Josh Finlay ----- Original Message ----- From: "Sten Daniel Sørsdal" To: "Josh Finlay" Cc: Sent: Wednesday, January 18, 2006 10:09 PM Subject: Re: Multiple DSL lines, load sharing / shaping From owner-freebsd-pf@FreeBSD.ORG Wed Jan 18 12:42:21 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BED3016A41F for ; Wed, 18 Jan 2006 12:42:21 +0000 (GMT) (envelope-from lists@wm-access.no) Received: from lakepoint.domeneshop.no (lakepoint.domeneshop.no [194.63.248.54]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1173843D4C for ; Wed, 18 Jan 2006 12:42:20 +0000 (GMT) (envelope-from lists@wm-access.no) Received: from [192.168.9.8] (gw1.arcticwireless.no [80.203.184.14]) (authenticated bits=0) by lakepoint.domeneshop.no (8.13.4/8.13.4) with ESMTP id k0ICgJjw013267 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 18 Jan 2006 13:42:20 +0100 Message-ID: <43CE37A9.1000707@wm-access.no> Date: Wed, 18 Jan 2006 13:42:17 +0100 From: =?ISO-8859-1?Q?Sten_Daniel_S=F8rsdal?= User-Agent: Thunderbird 1.5 (Windows/20051201) MIME-Version: 1.0 To: Josh Finlay References: <025201c61a86$2e7383e0$0600a8c0@delta> <006801c61c0c$7e1aaae0$0600a8c0@delta> <43CE159D.6070000@wm-access.no> <007b01c61c22$120ebf60$0600a8c0@delta> <43CE2FE1.3020303@wm-access.no> <009101c61c29$38736000$0600a8c0@delta> In-Reply-To: <009101c61c29$38736000$0600a8c0@delta> X-Enigmail-Version: 0.94.0.0 OpenPGP: id=D6F56A9B Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enigA0EAF6066DE33511360C67B2" Cc: freebsd-pf@freebsd.org Subject: Re: Multiple DSL lines, load sharing / shaping X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: 
Moving to private only.

>> Is it even possible in PF?
>
> I have no idea ;-)

I don't think it is.

>> Are you talking about a webserver on your end and IP1 meaning a user
>> from the internet? Or the other way around?
>
> No, sorry, the other way around. IP1 is one of our lines, and by web
> server I mean any webserver on the internet.
>
>> And are you using NAT?
>
> Yes. I was hoping to implement a round-robin NAT as described by another
> reply to my original post. Providing it all works as I would like it to.

Aha! Then you should instead use either PF or IPFW fwd with keep-state. What you need is to make sure all traffic from one session leaves the right pipe. I mentioned that NAT breaks packet perfect forwarding.

>> That can be accomplished if you want.
>> What do you prefer? "packet perfect" forwarding for maximum throughput
>> on your uploads or stream friendly balancing - and perhaps better
>> overall performance - for many users?
>
> Better overall performance for end users. There is a network of 30
> workstations, all in active use about 16hrs of each day.

I'd say PF or IPFW with fwd + keepstate will be the way you want to go. Not the way I initially mentioned.

>> Have you ever considered multilink ppp?
>
> multilink ppp? hmm, that is definitely something I may have to look into.
> In fact, from memory of what I know about it, it could possibly be exactly
> what I am looking for.
> Do you have much experience with multilink ppp that you could pass on
> before I jump in blindfolded and bring my whole network down? ;-)

Not really.
--
Sten Daniel Sørsdal

From owner-freebsd-pf@FreeBSD.ORG Wed Jan 18 13:23:08 2006
From: "Greg Hennessy"
To: "'Josh Finlay'", 'Sten Daniel Sørsdal'
Cc: freebsd-pf@freebsd.org
Date: Wed, 18 Jan 2006 12:30:14 -0000
Message-ID: <000001c61c2a$eeed4890$0a00a8c0@thebeast>
In-Reply-To: <008201c61c22$74a34240$0600a8c0@delta>
Subject: RE: Multiple DSL lines, load sharing / shaping
> I should also mention that each downloaded part would come
> from a different IP address
>
> so part 1 would be from IP1
> part 2 from IP2
> part 3 from IP3, etc etc
>
> All downloading concurrently, each part utilizing the 512kbps
> of each line...
> Then being possible to utilize the overall bandwidth of all
> available connections...
>

I would have thought that packet based LB would require some form of multilink ppp/lacp between you and the internet service provider to work properly.

Some ISPs here in the UK do offer that facility as an option on their DSL services. IIRC one provides a PC + DSL cards + custom Linux build which does the multilink goodness over the multiple lines back to their head end.

Outbound, flow based connectivity over multiple egress points isn't that hard to do.

Greg

From owner-freebsd-pf@FreeBSD.ORG Wed Jan 18 16:41:20 2006
From: "Josh Finlay"
To:
Date: Thu, 19 Jan 2006 02:41:20 +1000
Message-ID: <013d01c61c4e$02f8e290$0600a8c0@delta>
Subject: Re: Multiple DSL lines, load sharing / shaping

----- Original Message -----
From: "Greg Hennessy"
To: "'Josh Finlay'"; "'Sten Daniel Sørsdal'"
Cc:
Sent: Wednesday, January 18, 2006 10:30 PM
Subject: RE: Multiple DSL lines, load sharing / shaping

>>> I should also mention that each downloaded part would come
>>> from a different IP address
>>>
>>> so part 1 would be from IP1
>>> part 2 from IP2
>>> part 3 from IP3, etc etc
>>>
>>> All downloading concurrently, each part utilizing the 512kbps
>>> of each line...
>>> Then being possible to utilize the overall bandwidth of all
>>> available connections...
>>>
>
> I would have thought that packet based LB would require some form of
> multilink ppp/lacp between you and the internet service provider to work
> properly.
>
> Some ISPs here in the UK do offer that facility as an option on their DSL
> services.

Ah, so it's not just a matter of configuring it all, firing it up and crossing your fingers? ;-)
So it actually needs to be supported by the ISP?

I'll contact the ISP in the next few days and see what they can tell me about multilink ppp.

> IIRC one provides a PC + DSL cards + custom Linux build which does the
> multilink goodness over the multiple lines back to their head end.
>
> Outbound, flow based connectivity over multiple egress points isn't that
> hard to do.
>
> Greg
>

From owner-freebsd-pf@FreeBSD.ORG Wed Jan 18 16:45:15 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: Sten Daniel Sørsdal
Date: Wed, 18 Jan 2006 17:45:48 +0100
Message-Id: <200601181745.54922.max@love2party.net>
In-Reply-To: <43CE37A9.1000707@wm-access.no>
Subject: Re: Multiple DSL lines, load sharing / shaping

On Wednesday 18 January 2006 13:42, Sten Daniel Sørsdal wrote:
> Moving to
private only.
>
> >> Is it even possible in PF?
> >
> > I have no idea ;-)
>
> I don't think it is.

http://www.openbsd.org/faq/pf/pools.html#outgoing

Works for FreeBSD 6x ... 5x with some restrictions.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Jan 18 17:12:32 2006
From: "Keith Bottner"
To:
Date: Wed, 18 Jan 2006 11:11:52 -0600
Organization: Barking Lizards Technologies
Message-ID: <02ce01c61c52$47119b30$0e01a8c0@Stile>
Subject: client FTP using NAT
I am having trouble allowing clients that are inside the PacketFilter firewall to retrieve data from external FTP sites. Connection works fine but a simple ls on the remote server returns a "Connection closed by remote host." My pf.conf is below, any help would be appreciated.

Thanks in advance,

Keith

##########
# MACROS #
##########

# External (Internet) (5 externally addressable IPs)
# 17(gw)
# 18 NAT
# 19 company.com
# 20 UNUSED
# 21 UNUSED
# 22 OTHER
ext_if="xl1"
#ext_net="xxx.yyy.zzz.0/29"

ext_gw_addr="xxx.yyy.zzz.17"
ext_nat_addr="xxx.yyy.zzz.18"
ext_http_addr="xxx.yyy.zzz.19"
ext_ftp_addr="xxx.yyy.zzz.19"
ext_unused1_addr="xxx.yyy.zzz.20"
ext_unused2_addr="xxx.yyy.zzz.21"
ext_other_addr="xxx.yyy.zzz.22"

# Internal (Intranet)
int_if="xl0"
int_net="192.168.1.0/24"

# DMZ
dmz_if="vr0"
dmz_net="10.11.13.0/24"

dmz_http_addr="10.11.13.100"
dmz_ftp_addr="10.11.13.100"
dmz_perforce_addr="10.11.13.106"
dmz_cerebro_addr="10.11.13.103"

##########
# TABLES #
##########
# NOTE: pf table names are written in angle brackets; they were stripped from
# this archived copy, here and in the "block ... from/to" rules further down.
table const { 127/8, 10/8, 172.16/12, 192.168/16 }
table const { xxx.yyy.zzz.18, xxx.yyy.zzz.19, xxx.yyy.zzz.20, xxx.yyy.zzz.21 }

###########
# OPTIONS #
###########

#################
# NORMALIZATION #
#################
scrub in all fragment reassemble

############
# QUEUEING #
############

###############
# TRANSLATION #
###############

# NAT workstations
nat on $ext_if from $int_net to any -> $ext_nat_addr

# NAT servers external requests
nat on $ext_if from $dmz_net to any -> $ext_nat_addr

###############
# REDIRECTION #
###############
# Outgoing FTP requests to the ftp-proxy
#
# NOTE: ftp-proxy is to help FTP CLIENTS behind a PF filter; it is NOT used to handle an
# FTP SERVER behind a PF filter.
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# WWW server access
rdr on $ext_if proto tcp from any to $ext_if port http -> $dmz_http_addr port http

# FTP server access (VSFTP on lab5 uses 30000-30999 if we change ftp servers then modify)
rdr on $ext_if proto tcp from any to $ext_ftp_addr port 21 -> $dmz_ftp_addr port 21
rdr on $ext_if proto tcp from any to $ext_ftp_addr port 30000:30999 -> $dmz_ftp_addr port 30000:30999

#############
# FILTERING #
#############
block in log all
block out log all

pass quick on lo0 all

# (the table names between "from"/"to" were stripped from the archive, see TABLES)
block in log quick on $ext_if from to any
block out quick on $ext_if from any to

antispoof quick for { $int_if, $dmz_if } inet

pass in on $ext_if proto tcp from any to $dmz_http_addr port http flags S/SA synproxy state

# FTP Client active connections working with ftp-proxy
pass in on $ext_if inet proto tcp from port ftp-data to $ext_if user proxy flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state

# Enables FTP active mode connections. See the redirection section for the line that enables
# FTP passive.
#
# NOTE: ftp-proxy is to help FTP CLIENTS behind a PF filter; it is NOT used to handle an
# FTP SERVER behind a PF filter.
#pass in on $ext_if inet proto tcp from port ftp-data to $ext_nat_addr user proxy flags S/SA keep state

# FTP Server specific rules
pass in quick on $ext_if proto tcp from any to $dmz_ftp_addr port 21 keep state
pass in quick on $ext_if proto tcp from any to $dmz_ftp_addr port > 29999 keep state
pass out quick on $dmz_if proto tcp from any to $dmz_ftp_addr port 21 keep state
pass out quick on $dmz_if proto tcp from any to $dmz_ftp_addr port > 29999 keep state

# Pass all traffic to and from the Internal Network
pass in on $int_if from $int_net to any keep state
#pass out on $int_if from any to $int_net keep state

# Pass all traffic to and from the DMZ Network
pass in on $dmz_if from $dmz_net to any keep state
pass out on $dmz_if from any to $dmz_net keep state

# Pass TCP, UDP, and ICMP out on the external (Internet) interface.
# keep state on udp and icmp and modulate state on tcp
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

From owner-freebsd-pf@FreeBSD.ORG Wed Jan 18 17:18:31 2006
From: Scott Ullrich
To: Keith Bottner
Cc: freebsd-pf@freebsd.org
Date: Wed, 18 Jan 2006 12:18:29 -0500
In-Reply-To: <02ce01c61c52$47119b30$0e01a8c0@Stile>
Subject: Re: client FTP using NAT

On 1/18/06, Keith Bottner wrote:
> I am having trouble allowing clients that are inside the PacketFilter
> firewall to retrieve data from external FTP sites. Connection works fine but
> a simple ls on the remote server returns a "Connection closed by remote
> host." My pf.conf is below, any help would be appreciated.
>
> Thanks in advance,
>
> Keith
>
> ##########
> # MACROS #
> ##########
>
> # External (Internet) (5 externally addressable IPs)
> # 17(gw)
> # 18 NAT
> # 19 company.com
> # 20 UNUSED
> # 21 UNUSED
> # 22 OTHER
> ext_if="xl1"
> #ext_net="xxx.yyy.zzz.0/29"
>
> ext_gw_addr="xxx.yyy.zzz.17"
> ext_nat_addr="xxx.yyy.zzz.18"
> ext_http_addr="xxx.yyy.zzz.19"
> ext_ftp_addr="xxx.yyy.zzz.19"
> ext_unused1_addr="xxx.yyy.zzz.20"
> ext_unused2_addr="xxx.yyy.zzz.21"
> ext_other_addr="xxx.yyy.zzz.22"
>
> # Internal (Intranet)
> int_if="xl0"
> int_net="192.168.1.0/24"
>
> # DMZ
> dmz_if="vr0"
> dmz_net="10.11.13.0/24"
>
> dmz_http_addr="10.11.13.100"
> dmz_ftp_addr="10.11.13.100"
> dmz_perforce_addr="10.11.13.106"
> dmz_cerebro_addr="10.11.13.103"
>
> ##########
> # TABLES #
> ##########
> table const { 127/8, 10/8, 172.16/12, 192.168/16 }
> table const { xxx.yyy.zzz.18, xxx.yyy.zzz.19, xxx.yyy.zzz.20,
> xxx.yyy.zzz.21}
>
> ###########
> # OPTIONS #
> ###########
>
> #################
> # NORMALIZATION #
> #################
> scrub in all fragment reassemble
>
> ############
> # QUEUEING #
> ############
>
> ###############
> # TRANSLATION #
> ###############
>
> # NAT workstations
> nat on $ext_if from $int_net to any -> $ext_nat_addr
>
> # NAT servers external requests
> nat on $ext_if from $dmz_net to any -> $ext_nat_addr
>
> ###############
> # REDIRECTION #
> ###############
> # Outgoing FTP requests to the ftp-proxy
> #
> # NOTE: ftp-proxy is to help FTP CLIENTS behind a PF filter; it is NOT used to handle an
> # FTP SERVER behind a PF filter.
> rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>
> # WWW server access
> rdr on $ext_if proto tcp from any to $ext_if port http -> $dmz_http_addr port http
>
> # FTP server access (VSFTP on lab5 uses 30000-30999 if we change ftp servers then modify)
> rdr on $ext_if proto tcp from any to $ext_ftp_addr port 21 -> $dmz_ftp_addr port 21
> rdr on $ext_if proto tcp from any to $ext_ftp_addr port 30000:30999 -> $dmz_ftp_addr port 30000:30999
>
> #############
> # FILTERING #
> #############
> block in log all
> block out log all
>
> pass quick on lo0 all
>
> block in log quick on $ext_if from to any
> block out quick on $ext_if from any to
>
> antispoof quick for { $int_if, $dmz_if } inet
>
> pass in on $ext_if proto tcp from any to $dmz_http_addr port http flags S/SA synproxy state
>
> # FTP Client active connections working with ftp-proxy
> pass in on $ext_if inet proto tcp from port ftp-data to $ext_if user proxy flags S/SA keep state
> pass in inet proto icmp all icmp-type echoreq keep state
>
> # Enables FTP active mode connections. See the redirection section for the line that enables
> # FTP passive.
> #
> # NOTE: ftp-proxy is to help FTP CLIENTS behind a PF filter; it is NOT used to handle an
> # FTP SERVER behind a PF filter.
> #pass in on $ext_if inet proto tcp from port ftp-data to $ext_nat_addr user proxy flags S/SA keep state
>
> # FTP Server specific rules
> pass in quick on $ext_if proto tcp from any to $dmz_ftp_addr port 21 keep state
> pass in quick on $ext_if proto tcp from any to $dmz_ftp_addr port > 29999 keep state
> pass out quick on $dmz_if proto tcp from any to $dmz_ftp_addr port 21 keep state
> pass out quick on $dmz_if proto tcp from any to $dmz_ftp_addr port > 29999 keep state
>
> # Pass all traffic to and from the Internal Network
> pass in on $int_if from $int_net to any keep state
> #pass out on $int_if from any to $int_net keep state
>
> # Pass all traffic to and from the DMZ Network
> pass in on $dmz_if from $dmz_net to any keep state
> pass out on $dmz_if from any to $dmz_net keep state
>
> # Pass TCP, UDP, and ICMP out on the external (Internet) interface.
> # keep state on udp and icmp and modulate state on tcp
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state

(my apologies, I forgot to reply-all)

I cannot remember if the base FreeBSD is the old ftp-proxy or the "newer" proxy derived from pftpx, but in the newer version of ftp-proxy, ftpsesame, etc. you need to have a helper anchor.

Perhaps try the newer ftp-proxy derived from pftpx that I have recently ported:

http://www.pfsense.com/~sullrich/ported_software/

Stick a ftp-proxy anchor above all your other rdr rules and you should be set.
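The anchor setup Scott describes, written out as an added example. This is neither Keith's config nor Scott's; it follows the pf.conf fragment documented in ftp-proxy(8) for the pftpx-derived proxy (OpenBSD 3.9 and later; on FreeBSD 6.x the base system still has the older inetd-driven ftp-proxy that Keith's "user proxy" rules are written for, so this applies once the ported daemon is installed). The macro names copy Keith's; the proxy is assumed to run on the firewall itself and to listen on its defaults, 127.0.0.1 port 8021.

```pf
# Added example (not from the original posts): FTP clients behind NAT with
# the anchor-based ftp-proxy. Assumptions: proxy runs on the firewall,
# listens on 127.0.0.1:8021; interface/network macros follow Keith's naming.
ext_if="xl1"
int_if="xl0"
int_net="192.168.1.0/24"
ext_nat_addr="xxx.yyy.zzz.18"

scrub in all fragment reassemble

###############
# TRANSLATION #
###############
# Translation rules are first-match, so the proxy's anchors must come before
# every other nat/rdr rule. ftp-proxy loads a per-session nat or rdr rule
# into them for each data connection it brokers (passive: client -> server,
# active: server -> client) and removes it when the session ends.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

nat on $ext_if from $int_net to any -> $ext_nat_addr

# Hand every outbound FTP control connection from the LAN to the proxy.
rdr on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

#############
# FILTERING #
#############
block in log all
block out log all
pass quick on lo0 all

# The matching per-session pass rules that ftp-proxy installs land here.
anchor "ftp-proxy/*"

# The redirected control connection (already rewritten to 127.0.0.1:8021 by
# the time filter rules are evaluated) and ordinary LAN traffic.
pass in on $int_if from $int_net to any keep state

# The proxy's own control connection out to the remote FTP server, sourced
# from the firewall's external address.
pass out on $ext_if proto tcp from ($ext_if) to any port 21 flags S/SA keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to catch syntax the running pf does not accept, start the daemon (run with no arguments it listens on 127.0.0.1:8021), then open a transfer from a LAN host and watch `pfctl -a "ftp-proxy/*" -s rules` fill with the per-session rules; if the anchor stays empty during an `ls`, the control connection is not reaching the proxy, which points at rdr ordering rather than at the filter rules. The old inetd-driven ftp-proxy knows nothing of these anchors, so mixing the two setups buys nothing.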
Scott

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 19 19:33:46 2006
From: "neon"
To:
Date: Thu, 19 Jan 2006 21:33:50 +0200
Subject: Re: Multiple DSL lines, load sharing / shaping

Hey Josh!

Your question is a really good one.

I am trying to find an answer to the same question (the limitation that comes over a single DSL line).

I've read that you need to fire up the BGP protocol on both sides. Maybe zebra under FreeBSD, but that's too complicated, and not every ISP will provide you the BGP protocol.

You know what, though I'm still in great need for that, if you find anything interesting on the matter of how to solve this, just drop a few lines in the conference.

Thanks a lot!
Best regards, Dyma Popovich

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 20 13:04:56 2006
From: Gobbledegeek
To: freebsd-pf@freebsd.org
Date: Fri, 20 Jan 2006 18:34:54 +0530
Message-ID: <463aea570601200504h1ba1eb0bvc0cb7513237cf4ff@mail.gmail.com>
Subject: Re: Multiple DSL lines, load sharing / shaping (neon)

BPF should help you share multiple DSL lines from multiple ISPs without BGP. Check out the BPF docs on the net...
Rgrds

>
> ----------------------------------------------------------------------
>
> Hey Josh!
>
> Your question is a really good one.
>
> I am trying to find an answer to the same question (the limitation that
> comes over a single DSL line).
>
> I've read that you need to fire up the BGP protocol on both sides. Maybe
> zebra under FreeBSD, but that's too complicated, and not every
> ISP will provide you the BGP protocol.
>
> You know what, though I'm still in great need for that, if you find
> anything interesting on the matter of how to solve this, just drop a few lines
> in the conference.
>
> Thanks a lot!
>
> Best regards, Dyma Popovich
>
> ------------------------------
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
> End of freebsd-pf Digest, Vol 70, Issue 4
> *****************************************

--
Nonchalantly yours
GobbledeGeek
[Everything but Gobbledegook.. !!]
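Sten's advice in the "Multiple DSL lines" thread (send every packet of one session out the same pipe, with keep state) and the pools.html section Max linked describe the same pf construct: route-to with a round-robin gateway pool. Here it is as an added example, not code from any of the posts and not the FAQ's text; interface, address and gateway names are assumptions for illustration. Note what it does and does not give Josh: each new connection is pinned to one line, so a multi-part download opens its parts across both lines as he described, while a single stream never exceeds one line's 512 kbps, and per-packet splitting of one stream (Greg's point) needs the ISP end to reassemble it, i.e. multilink PPP, which no pf rule can substitute for.

```pf
# Added example (not from the thread): per-connection outbound load balancing
# over two DSL lines. Assumed interfaces, addresses and gateways:
int_if  = "xl0"
lan_net = "192.168.1.0/24"
ext_if1 = "xl1"
ext_gw1 = "192.0.2.1"        # next hop on line 1 (assumed)
ext_if2 = "xl2"
ext_gw2 = "198.51.100.1"     # next hop on line 2 (assumed)

# NAT each line to its own address, so replies come back on the line the
# connection left on and the ISP never sees the other line's address.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

block in log all
block out log all
pass quick on lo0 all

# Traffic for the gateway itself must not be route-to'd out a DSL line.
pass in quick on $int_if from $lan_net to ($int_if)

# Spread new connections from the LAN across both lines, one gateway per
# state: round-robin alternates lines for each new state, and the state
# keeps every later packet of that session (and its NAT mapping) on the
# line it started on, which is the "leave the right pipe" requirement.
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net to any keep state

# Let the balanced traffic leave each line.
pass out on $ext_if1 proto tcp all flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } all keep state
pass out on $ext_if2 proto tcp all flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } all keep state

# The kernel has one default route (say via line 1), so packets sourced
# from line 2's own address would otherwise leave through line 1 with the
# wrong source; push them back to the matching interface and gateway.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from ($ext_if2) to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from ($ext_if1) to any
```

Two caveats for the 30-workstation case. Some sites tie a login session to the client's public address and break when the next connection from the same workstation arrives from the other line; pf.conf(5) documents a `sticky-address` modifier for round-robin pools that maps one source address to the same gateway for the life of its source-tracking entry, at the cost of coarser balancing, and whether it behaves with route-to on the pf version in FreeBSD 6.x is something to test rather than assume. Second, route-to does nothing about a dead line: if one DSL drops, half the new connections still get sent to it, so a link check that reloads the ruleset with one gateway (or whatever monitoring the site already has) is needed for failover.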