From owner-freebsd-pf@FreeBSD.ORG Sun Oct 30 18:50:05 2005
X-Original-To: freebsd-pf@FreeBSD.org
Delivered-To: freebsd-pf@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2776916A41F for ; Sun, 30 Oct 2005 18:50:05 +0000 (GMT) (envelope-from antoine@madhouse.dreadbsd.org)
Received: from barton.dreadbsd.org (madhouse.dreadbsd.org [82.67.196.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 86B2B43D46 for ; Sun, 30 Oct 2005 18:50:04 +0000 (GMT) (envelope-from antoine@madhouse.dreadbsd.org)
Received: from barton.dreadbsd.org (localhost [127.0.0.1]) by barton.dreadbsd.org (8.13.4/8.13.4) with ESMTP id j9UIo200021551 for ; Sun, 30 Oct 2005 19:50:03 +0100 (CET) (envelope-from antoine@madhouse.dreadbsd.org)
Received: (from antoine@localhost) by barton.dreadbsd.org (8.13.4/8.13.1/Submit) id j9UIo2OM021550; Sun, 30 Oct 2005 19:50:02 +0100 (CET) (envelope-from antoine)
Date: Sun, 30 Oct 2005 19:50:02 +0100
From: Antoine Brodin
To: freebsd-pf@FreeBSD.org
Message-Id: <20051030195002.5075e2fd.antoine.brodin@laposte.net>
X-Mailer: Sylpheed version 2.0.3 (GTK+ 2.6.10; i386-portbld-freebsd7.0)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: pf used as a module from buildkernel can't log in -current ?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Sun, 30 Oct 2005 18:50:05 -0000

Hi,

I use pf as a module on -current and it worked well until recently.
Today I noticed that pflogd didn't log anything. It worked correctly
a month ago.

This seems to be related to revision 1.8 of sys/modules/pf/Makefile.

pf says it logs packets:

%%%
# pfctl -sr -v | grep -A1 log
...
block return-rst log inet proto tcp all
  [ Evaluations: 847       Packets: 8         Bytes: 408         States: 0     ]
block return-icmp(port-unr) log inet proto udp all
  [ Evaluations: 847       Packets: 58        Bytes: 27811       States: 0     ]
...
%%%

but /var/log/pflog stays empty.

opt_pf.h is empty too (that's why I say it's probably related to
revision 1.8 of sys/modules/pf/Makefile):

%%%
% file /usr/obj/usr/src/sys/BARTON/opt_pf.h
/usr/obj/usr/src/sys/BARTON/opt_pf.h: empty
%%%

If I rebuild pf.ko in /sys/modules/pf, unload the other one and reload
this one, pflogd does its job.

Is this behaviour expected?
Cheers,

Antoine

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 31 10:01:23 2005
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4305E16A41F for ; Mon, 31 Oct 2005 10:01:23 +0000 (GMT) (envelope-from antoine@madhouse.dreadbsd.org)
Received: from barton.dreadbsd.org (madhouse.dreadbsd.org [82.67.196.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8860943D6A for ; Mon, 31 Oct 2005 10:01:16 +0000 (GMT) (envelope-from antoine@madhouse.dreadbsd.org)
Received: from barton.dreadbsd.org (localhost [127.0.0.1]) by barton.dreadbsd.org (8.13.4/8.13.4) with ESMTP id j9VA1FN1000790 for ; Mon, 31 Oct 2005 11:01:15 +0100 (CET) (envelope-from antoine@madhouse.dreadbsd.org)
Received: (from antoine@localhost) by barton.dreadbsd.org (8.13.4/8.13.1/Submit) id j9VA1FGn000789; Mon, 31 Oct 2005 11:01:15 +0100 (CET) (envelope-from antoine)
Date: Mon, 31 Oct 2005 11:01:15 +0100
From: Antoine Brodin
To: freebsd-pf@freebsd.org
Message-Id: <20051031110115.72765f11.antoine.brodin@laposte.net>
In-Reply-To: <20051030195002.5075e2fd.antoine.brodin@laposte.net>
References: <20051030195002.5075e2fd.antoine.brodin@laposte.net>
X-Mailer: Sylpheed version 2.0.3 (GTK+ 2.6.10; i386-portbld-freebsd7.0)
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="Multipart=_Mon__31_Oct_2005_11_01_15_+0100_fmb0J3ONBO5zGqLE"
Subject: Re: pf used as a module from buildkernel can't log in -current ?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Mon, 31 Oct 2005 10:01:23 -0000

This is a multi-part message in MIME format.

--Multipart=_Mon__31_Oct_2005_11_01_15_+0100_fmb0J3ONBO5zGqLE
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

I wrote:
> Hi,
>
> I use pf as a module on -current and it worked well until recently.
> Today I noticed that pflogd didn't log anything. It worked correctly
> a month ago.
>
> This seems to be related to revision 1.8 of sys/modules/pf/Makefile.
>
> pf says it logs packets:
>
> %%%
> # pfctl -sr -v | grep -A1 log
> ...
> block return-rst log inet proto tcp all
>   [ Evaluations: 847       Packets: 8         Bytes: 408         States: 0     ]
> block return-icmp(port-unr) log inet proto udp all
>   [ Evaluations: 847       Packets: 58        Bytes: 27811       States: 0     ]
> ...
> %%%
>
> but /var/log/pflog stays empty.
>
> opt_pf.h is empty too (that's why I say it's probably related to
> revision 1.8 of sys/modules/pf/Makefile):
>
> %%%
> % file /usr/obj/usr/src/sys/BARTON/opt_pf.h
> /usr/obj/usr/src/sys/BARTON/opt_pf.h: empty
> %%%
>
> If I rebuild pf.ko in /sys/modules/pf, unload the other one and reload
> this one, pflogd does its job.
>
> Is this behaviour expected?
The attached patch solves this problem.

Cheers,

Antoine

--Multipart=_Mon__31_Oct_2005_11_01_15_+0100_fmb0J3ONBO5zGqLE
Content-Type: text/plain; name="pf.diff"
Content-Disposition: attachment; filename="pf.diff"
Content-Transfer-Encoding: 7bit

Index: sys/modules/pf/Makefile
===================================================================
RCS file: /home/ncvs/src/sys/modules/pf/Makefile,v
retrieving revision 1.8
diff -u -r1.8 Makefile
--- sys/modules/pf/Makefile	14 Oct 2005 23:30:14 -0000	1.8
+++ sys/modules/pf/Makefile	31 Oct 2005 09:34:57 -0000
@@ -12,11 +12,11 @@
 
 CFLAGS+= -I${.CURDIR}/../../contrib/pf
 
-.if !defined(KERNBUILDDIR)
 opt_pf.h:
 	echo "#define DEV_PF 1" > opt_pf.h
 	echo "#define DEV_PFLOG 1" >> opt_pf.h
 
+.if !defined(KERNBUILDDIR)
 opt_inet.h:
 	echo "#define INET 1" > opt_inet.h

--Multipart=_Mon__31_Oct_2005_11_01_15_+0100_fmb0J3ONBO5zGqLE--

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 31 11:02:35 2005
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9EB7A16A41F for ; Mon, 31 Oct 2005 11:02:35 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id F007343D5A for ; Mon, 31 Oct 2005 11:02:24 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j9VB2ONJ009030 for ; Mon, 31 Oct 2005 11:02:24 GMT (envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j9VB2N0u009024 for freebsd-pf@freebsd.org; Mon, 31 Oct 2005 11:02:23 GMT (envelope-from owner-bugmaster@freebsd.org)
Date: Mon, 31 Oct 2005 11:02:23 GMT
Message-Id: <200510311102.j9VB2N0u009024@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
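Review bot: on the opt_pf.h hunk of Antoine's sys/modules/pf/Makefile patch above, moving `.if !defined(KERNBUILDDIR)` from before the `opt_pf.h:` target to before `opt_inet.h:` makes the module write its own opt_pf.h (`#define DEV_PF 1`, `#define DEV_PFLOG 1`) unconditionally, including when KERNBUILDDIR is set and the kernel build directory already supplies an opt_pf.h derived from the kernel configuration. The module then no longer follows the kernel's pf/pflog device settings, which is worth stating in the commit message; a gated change that only fills in DEV_PFLOG when the kernel-provided header lacks it would keep the two builds consistent, and the remaining `.if` now covers only opt_inet.h, so the matching `.endif` (outside this hunk) should be re-checked.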
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Mon, 31 Oct 2005 11:02:35 -0000

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2005/06/15] kern/82271  pf     [pf] cbq scheduler cause bad latency
o [2005/09/13] i386/86072  pf     [pf] Packet Filter rule not working prope

2 problems total.

Non-critical problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2005/05/15] conf/81042  pf     [pf] [patch] /etc/pf.os doesn't match Fre

1 problem total.

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 31 20:22:27 2005
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1988816A420; Mon, 31 Oct 2005 20:22:27 +0000 (GMT) (envelope-from rob@ipninja.net)
Received: from storm.ipninja.net (storm.ipninja.net [209.161.218.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5165143D45; Mon, 31 Oct 2005 20:22:26 +0000 (GMT) (envelope-from rob@ipninja.net)
Received: from storm.ipninja.net (www@localhost [127.0.0.1]) by storm.ipninja.net (8.13.3/8.13.1) with ESMTP id j9VKMIYh005618; Mon, 31 Oct 2005 15:22:18 -0500 (EST) (envelope-from rob@ipninja.net)
Received: (from www@localhost) by storm.ipninja.net (8.13.3/8.13.1/Submit) id j9VKMI3e005617; Mon, 31 Oct 2005 15:22:18 -0500 (EST) (envelope-from rob@ipninja.net)
X-Authentication-Warning: storm.ipninja.net: www set sender to rob@ipninja.net using -f
Received: from ::ffff:66.203.207.9 (SquirrelMail authenticated user rob) by mail.ipninja.net with HTTP; Mon, 31 Oct 2005 15:22:18 -0500 (EST)
Message-ID: <41765.::ffff:66.203.207.9.1130790138.squirrel@mail.ipninja.net>
In-Reply-To: <1130514267.81705.101.camel@localhost>
References: <4361FE7E.50607@dgnetwork.com.br> <43624181.5010305@roamingsolutions.net> <1130514267.81705.101.camel@localhost>
Date: Mon, 31 Oct 2005 15:22:18 -0500 (EST)
From: "Rob Viau"
To: "Corey Smith"
User-Agent: SquirrelMail/1.4.4
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Spam-Status: No, score=-2.8 required=5.0 tests=ALL_TRUSTED autolearn=failed version=3.0.3
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on storm.ipninja.net
Cc: G Bryant , freebsd-pf@freebsd.org, FreeBSD , freebsd-net@freebsd.org
Subject: Re: Load Balancing Outgoing, its possible ?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Mon, 31 Oct 2005 20:22:27 -0000

> On Fri, 2005-10-28 at 17:19 +0200, G Bryant wrote:
>> Daniel Dias Gonçalves wrote:
>>
>> > It is possible to make this balancing with the PF ? Exists some
>> > software that I make this ? Zebra can help me?
>> > This type of balancing gives to problems with the navigation of the
>> > user of NAT or IP valid ?
>> > If it is possible, wanted to see examples with rules.
>> >
>
> It would be much better to do per flow load balancing than per packet.
> With per packet your TCP flows will arrive out of order which is a bad
> situation since it will lead to a large number of retransmissions and
> zero-window acknowledgments.
>
> The only tunable to help correct that is to allow selective
> acknowledgments.
>
> You are going to get much higher utilization on your load balanced lines
> by using per flow with multiple TCP connections.
>
> Anybody know how to implement per flow load balancing in FreeBSD? Are
> multiple default routes supported?
>
> It would be beautiful if you could put multiple routes with the same
> metric into the kernel and then the kernel would enable per flow load
> balancing of the routes...
>
> -Corey Smith
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

I believe pf is per-flow. If it was not, then not only would your packets
arrive out-of-order, but also with different source IPs when you were
NATing to different interfaces on different ISPs (without your own block),
which is something I was able to do with 3 links (with three different IP
addresses) from 2 different providers.

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 31 21:07:21 2005
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8001B16A420; Mon, 31 Oct 2005 21:07:21 +0000 (GMT) (envelope-from gbryant@roamingsolutions.net)
Received: from basillia.speedxs.net (basillia.speedxs.net [83.98.255.13]) by mx1.FreeBSD.org (Postfix) with ESMTP id D7E0443D4C; Mon, 31 Oct 2005 21:07:20 +0000 (GMT) (envelope-from gbryant@roamingsolutions.net)
Received: from ongers.net (ongers.speedxs.nl [83.98.237.210]) by basillia.speedxs.net (Postfix) with ESMTP id E2C567058; Mon, 31 Oct 2005 21:24:53 +0100 (CET)
Received: from (165.146.246.21 [165.146.246.21]) by MailEnable Inbound Mail Agent with ESMTP; Mon, 31 Oct 2005 21:44:25 +0100
Message-ID: <436680D0.8070307@roamingsolutions.net>
Date: Mon, 31 Oct 2005 22:38:40 +0200
From: G Bryant
User-Agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)
X-Accept-Language: en-us, en
To: Rob Viau
References: <4361FE7E.50607@dgnetwork.com.br> <43624181.5010305@roamingsolutions.net> <1130514267.81705.101.camel@localhost> <41765.::ffff:66.203.207.9.1130790138.squirrel@mail.ipninja.net>
In-Reply-To: <41765.::ffff:66.203.207.9.1130790138.squirrel@mail.ipninja.net>
Content-Transfer-Encoding: 7bit
X-Antivirus: avast! (VPS 0544-0, 2005/10/31), Outbound message
X-Antivirus-Status: Clean
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: freebsd-net@freebsd.org, FreeBSD , freebsd-pf@freebsd.org
Subject: Re: Load Balancing Outgoing, its possible ?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Mon, 31 Oct 2005 21:07:21 -0000

Rob Viau wrote:
>> On Fri, 2005-10-28 at 17:19 +0200, G Bryant wrote:
>>> Daniel Dias Gonçalves wrote:
>>>> It is possible to make this balancing with the PF ? Exists some
>>>> software that I make this ? Zebra can help me?
>>>> This type of balancing gives to problems with the navigation of the
>>>> user of NAT or IP valid ?
>>>> If it is possible, wanted to see examples with rules.
>>
>> It would be much better to do per flow load balancing than per packet.
>> With per packet your TCP flows will arrive out of order which is a bad
>> situation since it will lead to a large number of retransmissions and
>> zero-window acknowledgments.
>>
>> The only tunable to help correct that is to allow selective
>> acknowledgments.
>>
>> You are going to get much higher utilization on your load balanced lines
>> by using per flow with multiple TCP connections.
>>
>> Anybody know how to implement per flow load balancing in FreeBSD? Are
>> multiple default routes supported?
>>
>> It would be beautiful if you could put multiple routes with the same
>> metric into the kernel and then the kernel would enable per flow load
>> balancing of the routes...
>>
>> -Corey Smith
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
> I believe pf is per-flow. If it was not, then not only would your packets
> arrive out-of-order, but also with different source IPs when you were
> NATing to different interfaces on different ISPs (without your own block),
> which is something I was able to do with 3 links (with three different IP
> addresses) from 2 different providers.

The scripts I attached with the previous email provide per-flow load
sharing using ipfw and natd. The system is currently live.

Regards,
Graham

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 1 20:30:21 2005
X-Original-To: freebsd-pf@hub.freebsd.org
Delivered-To: freebsd-pf@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 08BFC16A420; Tue, 1 Nov 2005 20:30:21 +0000 (GMT) (envelope-from linimon@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id AB51643D46; Tue, 1 Nov 2005 20:30:20 +0000 (GMT) (envelope-from linimon@FreeBSD.org)
Received: from freefall.freebsd.org (linimon@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id jA1KUKf1052528; Tue, 1 Nov 2005 20:30:20 GMT (envelope-from linimon@freefall.freebsd.org)
Received: (from linimon@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id jA1KUKq5052524; Tue, 1 Nov 2005 20:30:20 GMT (envelope-from linimon)
Date: Tue, 1 Nov 2005 20:30:20 GMT
From: Mark Linimon
Message-Id: <200511012030.jA1KUKq5052524@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/88362: [pf] [panic] carp with pfsync causing system crash, dump debug attached
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Tue, 01 Nov 2005 20:30:22 -0000

Old Synopsis: carp with pfsync causing system crash, dump debug attached
New Synopsis: [pf] [panic] carp with pfsync causing system crash, dump debug attached

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Tue Nov 1 20:29:03 GMT 2005
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=88362

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 1 20:40:22 2005
X-Original-To: freebsd-pf@hub.freebsd.org
Delivered-To: freebsd-pf@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 022C916A41F for ; Tue, 1 Nov 2005 20:40:22 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id AC87C43D45 for ; Tue, 1 Nov 2005 20:40:21 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id jA1KeLfg054046 for ; Tue, 1 Nov 2005 20:40:21 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id jA1KeLhV054045; Tue, 1 Nov 2005 20:40:21 GMT (envelope-from gnats)
Date: Tue, 1 Nov 2005 20:40:21 GMT
Message-Id: <200511012040.jA1KeLhV054045@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Max Laier
Subject: Re: kern/88362: carp with pfsync causing system crash, dump debug attached
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Max Laier
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Tue, 01 Nov 2005 20:40:22 -0000

The following reply was made to PR kern/88362; it has been noted by GNATS.

From: Max Laier
To: bug-followup@freebsd.org, neon@ne6.net
Subject: Re: kern/88362: carp with pfsync causing system crash, dump debug attached
Date: Tue, 1 Nov 2005 21:37:18 +0100

Should be fixed in RELENG_5, RELENG_6 and HEAD, but hasn't been MFCed to
RELENG_5_4. It is generally suggested to use sys/contrib/pf from RELENG_5
instead of the RELENG_5_4 version. Can you confirm that going to RELENG_5
fixes your problem?

--
Max

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 4 04:22:56 2005
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 26E9F16A41F for ; Fri, 4 Nov 2005 04:22:56 +0000 (GMT) (envelope-from dmehler26@woh.rr.com)
Received: from ms-smtp-01-eri0.ohiordc.rr.com (ms-smtp-01-smtplb.ohiordc.rr.com [65.24.5.135]) by mx1.FreeBSD.org (Postfix) with ESMTP id B8D1A43D45 for ; Fri, 4 Nov 2005 04:22:55 +0000 (GMT) (envelope-from dmehler26@woh.rr.com)
Received: from satellite (cpe-65-31-43-91.woh.res.rr.com [65.31.43.91]) by ms-smtp-01-eri0.ohiordc.rr.com (8.12.10/8.12.7) with SMTP id jA44MpWY028658 for ; Thu, 3 Nov 2005 23:22:52 -0500 (EST)
Message-ID: <003301c5e0f6$6ce6d150$0900a8c0@satellite>
From: "Dave"
Date: Thu, 3 Nov 2005 23:15:43 -0500
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2670
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
X-Virus-Scanned: Symantec AntiVirus Scan Engine
Subject: pf and dhcp client or isp?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Dave
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Fri, 04 Nov 2005 04:22:56 -0000

Hello,

I've got an issue with dhcp, my pf firewall or my isp, not sure which. My
ISP, roadrunner cable (does anyone else use it?), has changed my IP twice
today. Now I know they do this, but my box does not pick up on the new IP;
for example it changed from 1.2.3.4 to 4.5.6.7 (needless to say those are
fictitious), but my box hung on to 1.2.3.4, and I couldn't do a thing, from
behind the firewall or from the router. I had to log in to the router then
run:

dhclient -r

and then

dhclient xl0

which gave me 4.5.6.7. So, then I had to reload my pf rules with

pfctl -Rf /etc/pf.conf

which got me back up. I've got some output; it looks from my
/var/log/messages as if some dhcp traffic is being blocked, but it should
all be going through, and this has to do with my lan, echorequest icmp from
my lan-facing nic, nothing on the internet-facing nic about dropping
anything. dhclient shows that it was successful in obtaining the new IP,
but didn't show any failed attempts or failed connections. Has anyone seen
this? Am I dealing with a problem with my firewall, dhcp, or my isp? Here's
my /var/log/messages relevant output, just saying packet denied, and my
pf.conf file. Some urgency! Thanks.

Dave.
Oct 29 13:04:33 guardian dhcpd: icmp_echorequest 192.168.0.9: Operation not permitted

pf.conf

# pf.conf
# for use on gateway box
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# define the two network interfaces
ext_if = "xl0"
int_if = "xl1"
rr_up = 700Kb
rr_down = 1.5Mb
int_bw = 100Mb
tcp_state="flags S/SA modulate state"
udp_state="keep state"
int_net = $int_if:network

# define some address macros
lan_server = "192.168.95.3"

# define services
int_to_lan_services = "{ ssh, smtp, www, pop3, https, pop3s, 1194, 1723, 8000 }"
lan_to_int_services = "{ ftp-data, ftp, ssh, smtp, 43, domain, http, pop3, nntp, imap, https, imaps, pop3s, 1790, 1791, 1792, 1793, 1794, 1795, 2401, 4000, 4661, 4662, 4711, 4821, 5000, 5001, 5190, cvsup, 6112, 6667, 8000, 8021, 8080, 8505, 8880, 9102 }"
lan_to_fw_services = "{ ssh }"
fw_to_lan_services = "{ ssh, 9101, 9102, 9103 }"
nameservers = "{ xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx }"
isp_dhcp_server = "xxx.xxx.xxx.xxx"
InICMP = "{ 3,11 }"
OutTracerouteUDP="{ 33434 >< 33525 }"

# options
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# normalize packets to prevent fragmentation attacks
scrub all fragment reassemble reassemble tcp no-df random-id max-mss 1400

# translate lan client addresses to that of the external interface
nat on gre inet from any to any -> ($ext_if)
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to any port $int_to_lan_services -> $lan_server
rdr on $ext_if inet proto udp from any to any port 1194 -> $lan_server port 1194

# Redirect lan client FTP requests (to an FTP server's control port 21)
# to the ftp-proxy running on the firewall host (via inetd on port 8021)
rdr on $int_if inet proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# redirect gre traffic
rdr on $ext_if inet proto gre from any to any -> $lan_server

# block by default
block all

# block badguy e-mail/web accesses
block in quick on $ext_if inet proto tcp from { 209.208.75.130 } to any

# pass all loopback traffic
pass quick on lo0 all

# gre passing
pass on gre all $udp_state

# immediately prevent IPv6 traffic from entering or leaving all interfaces
block quick inet6 all

# prevent lan originated spoofing from occurring
antispoof for $ext_if inet

# allow WAN requests from the internet to enter EXT
# in order to contact our web server (keep state on this connection)
pass in on $ext_if inet proto tcp from any to $lan_server port $int_to_lan_services $tcp_state

# Enable a synproxy
#pass in on $ext_if inet proto tcp from any to $lan_server port $int_to_lan_services flags S/SA synproxy state

# UDP 1194 for openvpn
pass in on $ext_if inet proto udp from any to $lan_server port 1194 $udp_state

# Gre traffic for mpd
pass in on $ext_if inet proto gre from any to $lan_server $udp_state

# Allow dhcp in
pass in quick on $ext_if inet proto udp from $isp_dhcp_server port bootps to 255.255.255.255 port bootpc $udp_state

# Allow remote FTP servers (on data port 20) to respond to the proxy's
# active FTP requests by contacting it on the port range specified in inetd.conf
pass in quick on $ext_if inet proto tcp from any port 20 to 127.0.0.1 port 55000 >< 57000 user proxy $tcp_state

# [traceroute to internal host 2nd stage: receiving error code of icmp-type 3
# (destination unreachable) and icmp-type 11 (time exceeded)]
pass in quick on $ext_if inet proto icmp from any to any icmp-type $InICMP $udp_state

# block everything from exiting EXT
#block out log on $ext_if all

# allow UDP requests to port 53 from firewall to exit EXT
# in order to contact internet nameservers (keep state on this connection)
pass out quick on $ext_if inet proto { tcp,udp } from $ext_if to any port 53 $udp_state

# allow UDP requests to port 123 from firewall to exit ext_if
# in order to contact internet ntp servers
# (keep state on this connection)
pass out quick on $ext_if inet proto { tcp,udp } from $ext_if to any port 123 $udp_state

# Allow UDP requests to port 67 from firewall to exit ext_if
# in order to contact internet dhcp servers (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to any port bootps $udp_state

# allow lan requests from lan clients to exit EXT
# (after natting is performed) in order to contact internet servers
# (keep state on this connection)
pass out quick on $ext_if inet proto tcp from $ext_if to any port $lan_to_int_services $tcp_state

# for dcc servers
pass out quick on $ext_if inet proto udp from $ext_if to any port 6277 $udp_state

# for razor servers
pass out quick on $ext_if inet proto tcp from $ext_if to any port { 7, 2703 } $tcp_state

# [traceroute to outside world 1st stage: probing...man traceroute(8)]
pass out quick on $ext_if inet proto udp from any to any port $OutTracerouteUDP $udp_state

# allow ICMP requests from firewall to exit EXT (after natting is performed)
# in order to ping/traceroute internet hosts on the behalf of lan clients
pass out quick on $ext_if inet proto icmp from $ext_if to any icmp-type 8 code 0 $udp_state

# Allow ftp-proxy packets destined to port 20 to exit $ext_if
# in order to maintain communications with the ftp server
pass out quick on $ext_if inet proto tcp from $ext_if to any port 20 $tcp_state

# Allow firewall to contact ftp server on behalf of passive ftp client
pass out quick on $ext_if inet proto tcp from $ext_if port 55000:57000 to any user proxy $tcp_state

# allow UDP requests to port 53 from lan clients to enter LAN
# in order to perform dns queries on the firewall (keep state on this connection)
pass in quick on $int_if inet proto { tcp,udp } from $int_net to $int_if port 53 $udp_state

# allow UDP requests to ports 67, 68, and 123 from int_if clients to enter int_if
# in order to perform dhcp and ntp queries on the firewall
# (keep state on this connection)
pass in quick on $int_if inet proto { tcp,udp } from $int_net to $int_if port { 67, 68, 123 } $udp_state

# allow LAN requests from lan clients to enter LAN
# in order to contact internet servers (keep state on this connection)
pass in quick on $int_if inet proto tcp from $int_net to any port $lan_to_int_services $tcp_state

# for allowing mail transmissions to dcc servers
pass in quick on $int_if inet proto udp from 192.168.0.3 to any port 6277 $udp_state

# for allowing mail transmissions to razor servers
pass in quick on $int_if inet proto tcp from 192.168.0.3 to any port { 7, 2703 } $tcp_state

# lan admin connects to firewall via ssh for administrative purposes
pass in quick on $int_if inet proto tcp from $int_net to $int_if port $lan_to_fw_services $tcp_state

# allow requests from lan admin to enter LAN
# in order to ping/traceroute any system (firewall, dmz server, and internet hosts)
pass in quick on $int_if inet proto icmp from $int_net to any icmp-type 8 code 0 $udp_state

# allow lan broadcasts
pass in quick on $int_if proto { tcp, udp } from $int_net to $int_if:broadcast $udp_state

# allow squid connections from lan to proxy
pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 8080 $tcp_state

# allow ftp connections from lan to proxy
pass in quick on $int_if inet proto tcp from $int_net to lo0 port 8021 $tcp_state
pass in quick on $int_if inet proto tcp from $int_net to $ext_if port 55000:57000 $tcp_state

# block everything from exiting LAN
#block out log on $int_if all

# allow WAN requests from the internet to exit LAN
# in order to contact our lan server (keep state on this connection)
pass out quick on $int_if inet proto tcp from any to $lan_server port $int_to_lan_services $tcp_state

# add in synproxy
#pass out quick on $int_if inet proto tcp from $lan_server to any port $int_to_lan_services flags S/SA synproxy state

# UDP 1194
pass out quick on $int_if inet proto udp from any to $lan_server port 1194 $udp_state

# GRE traffic out
pass out quick on $int_if inet proto gre from any to $lan_server $udp_state

# firewall connects to the lan server via scp/ssh for backup purposes
pass out quick on $int_if inet proto tcp from $int_if to $lan_server port $fw_to_lan_services $tcp_state

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 4 14:11:21 2005
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 09F6B16A41F for ; Fri, 4 Nov 2005 14:11:21 +0000 (GMT) (envelope-from yar@comp.chem.msu.su)
Received: from comp.chem.msu.su (comp.chem.msu.su [158.250.32.97]) by mx1.FreeBSD.org (Postfix) with ESMTP id D597343D45 for ; Fri, 4 Nov 2005 14:11:16 +0000 (GMT) (envelope-from yar@comp.chem.msu.su)
Received: from comp.chem.msu.su (localhost [127.0.0.1]) by comp.chem.msu.su (8.13.3/8.13.3) with ESMTP id jA4EBA1L050320; Fri, 4 Nov 2005 17:11:10 +0300 (MSK) (envelope-from yar@comp.chem.msu.su)
Received: (from yar@localhost) by comp.chem.msu.su (8.13.3/8.13.3/Submit) id jA4EB77D050319; Fri, 4 Nov 2005 17:11:07 +0300 (MSK) (envelope-from yar)
Date: Fri, 4 Nov 2005 17:11:07 +0300
From: Yar Tikhiy To: Antoine Brodin Message-ID: <20051104141106.GA38897@comp.chem.msu.su> References: <20051030195002.5075e2fd.antoine.brodin@laposte.net> <20051031110115.72765f11.antoine.brodin@laposte.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20051031110115.72765f11.antoine.brodin@laposte.net> User-Agent: Mutt/1.5.9i Cc: freebsd-pf@freebsd.org Subject: Re: pf used as a module from buildkernel can't log in -current ? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Nov 2005 14:11:21 -0000 On Mon, Oct 31, 2005 at 11:01:15AM +0100, Antoine Brodin wrote: > I wrote: > > Hi, > > > > I use pf as a module on -current and it worked well until recently. > > Today I noticed that pflogd didn't log anything. It worked correctly > > a month ago. > > > > This seems to be related to revision 1.8 of sys/modules/pf/Makefile > > > > pf says it logs packets : > > > > %%% > > # pfctl -sr -v | grep -A1 log > > ... > > block return-rst log inet proto tcp all > > [ Evaluations: 847 Packets: 8 Bytes: 408 States: 0 ] > > block return-icmp(port-unr) log inet proto udp all > > [ Evaluations: 847 Packets: 58 Bytes: 27811 States: 0 ] > > ... > > %%% > > > > but /var/log/pflog stays empty > > > > opt_pf.h is empty too (that's why I say it's probably related to > > revision 1.8 of sys/modules/pf/Makefile) : > > > > %%% > > % file /usr/obj/usr/src/sys/BARTON/opt_pf.h > > /usr/obj/usr/src/sys/BARTON/opt_pf.h: empty > > %%% > > > > If I rebuild pf.ko in /sys/modules/pf , unload the other one and reload > > this one pflogd does his job. > > > > Is this behaviour expected ? 
>
> The attached patch solves this problem
>
> Cheers,
>
>
> Antoine
> Index: sys/modules/pf/Makefile
> ===================================================================
> RCS file: /home/ncvs/src/sys/modules/pf/Makefile,v
> retrieving revision 1.8
> diff -u -r1.8 Makefile
> --- sys/modules/pf/Makefile	14 Oct 2005 23:30:14 -0000	1.8
> +++ sys/modules/pf/Makefile	31 Oct 2005 09:34:57 -0000
> @@ -12,11 +12,11 @@
> 
>  CFLAGS+= -I${.CURDIR}/../../contrib/pf
> 
> -.if !defined(KERNBUILDDIR)
>  opt_pf.h:
>  	echo "#define DEV_PF 1" > opt_pf.h
>  	echo "#define DEV_PFLOG 1" >> opt_pf.h
> 
> +.if !defined(KERNBUILDDIR)
>  opt_inet.h:
>  	echo "#define INET 1" > opt_inet.h
> 

This patch just masks the real problem. As I've told here already, the problem is having a single module for 2 devices, pf and pflog.

-- 
Yar

From owner-freebsd-pf@FreeBSD.ORG Sat Nov 5 13:37:44 2005
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9FAAF16A420 for ; Sat, 5 Nov 2005 13:37:44 +0000 (GMT) (envelope-from vijay_shrivastav@hotmail.com)
Received: from hotmail.com (bay109-dav12.bay109.hotmail.com [64.4.19.84]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4CAF743D48 for ; Sat, 5 Nov 2005 13:37:44 +0000 (GMT) (envelope-from vijay_shrivastav@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Sat, 5 Nov 2005 05:37:44 -0800
Message-ID:
Received: from 64.221.255.178 by BAY109-DAV12.phx.gbl with DAV; Sat, 05 Nov 2005 13:37:43 +0000
X-Originating-IP: [64.221.255.178]
X-Originating-Email: [vijay_shrivastav@hotmail.com]
X-Sender: vijay_shrivastav@hotmail.com
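Review bot: moving the `.if !defined(KERNBUILDDIR)` guard from above `opt_pf.h:` to above `opt_inet.h:` makes the opt_pf.h target unconditional, so a module built from buildkernel (KERNBUILDDIR set) now regenerates opt_pf.h with DEV_PF and DEV_PFLOG forced on instead of taking the kernel build's header, which is exactly the empty opt_pf.h in the report. That restores logging but, as the reply says, only by papering over the kernel/module mismatch, and the hunk leaves opt_inet.h still deferring to the kernel build, so the two generated headers are now treated inconsistently without a comment saying why. If this is the intended fix, add a comment above `opt_pf.h:` explaining that the module always defines both devices regardless of the kernel configuration; otherwise the definition of DEV_PFLOG should follow whether the kernel configuration actually enables pflog.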
From: "Vijay Shrivastav"
To:
Date: Sat, 5 Nov 2005 05:36:13 -0800
Message-ID: <44a501c5e20d$e3e512e0$1501010a@coaxialnetworks.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
Thread-Index: AcXiDeOnGQtGRjaYS3K/Js5VITJ0RA==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-OriginalArrivalTime: 05 Nov 2005 13:37:44.0055 (UTC) FILETIME=[19D22870:01C5E20E]
Subject: Ftp-proxy trouble with load balancing NAT using PF
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Sat, 05 Nov 2005 13:37:44 -0000

Hello,

I am having trouble getting ftp-proxy called in my dual WAN with NAT setup. I have included my setup files. The dual WAN sharing works great, but I have to make the ftp-proxy work in order to let ftp go across the NAT. I am using FreeBSD 5.3-RELEASE.

Thanks in advance.

xfire# pfctl -ss | grep 127.0.0.1
self tcp 127.0.0.1:8021 <- 208.55.68.52:21 <- 10.71.0.255:4694       CLOSED:SYN_SENT

I enabled logging for inetd and do not see it getting called to fork ftp-proxy when I try to FTP from a PC on the lan_net. If I "telnet localhost 8021" I can see inetd starting ftp-proxy, but since this is not a NAT connection ftp-proxy logs this message.
Nov  5 01:27:49 xfire inetd[528]: ftp-proxy from 127.0.0.1
Nov  5 01:27:49 xfire ftp-proxy[564]: pf nat lookup failed 127.0.0.1:53204 (No such file or directory)

xfire# pfctl -ss | grep 127.0.0.1
self tcp 127.0.0.1:8021 <- 208.55.68.52:21 <- 10.71.0.255:4694       CLOSED:SYN_SENT

Netstat -an shows
----------------
tcp4       0      0  *.8021                 *.*                    LISTEN

/etc/inetd.conf has this line
----------------
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n

My /etc/pf.conf
------------------
lan_net = "10.71.0.1/16"
int_if = "fxp1"
ext_if1 = "fxp0"
ext_if2 = "fxp2"
ext_gw1 = "78.222.255.177"
ext_gw2 = "10.1.1.254"

scrub in all

# nat outgoing connections on each internet interface
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port ftp-proxy

# default deny
#block in from any to any
#block out from any to any
pass in all
pass out all

pass quick on lo0 all

# pass all outgoing packets on internal interface
pass out on $int_if from any to $lan_net

# pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if

# FTP-PROXY load balance
#pass in quick on $int_if proto tcp from any to 127.0.0.1 port = 8021 keep state label ftp-proxy
pass log quick proto tcp from $lan_net to 127.0.0.1 port 8021 keep state

# load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state

# load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net to any keep state

# route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
# $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

pass in on $ext_if1 inet proto tcp from port 20 to ($ext_if1) \
    user proxy flags S/SA keep state
pass in on $ext_if2 inet proto tcp from port 20 to ($ext_if2) \
    user proxy flags S/SA keep state

# general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

From owner-freebsd-pf@FreeBSD.ORG Sat Nov 5 14:13:05 2005
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DEA3F16A41F for ; Sat, 5 Nov 2005 14:13:05 +0000 (GMT) (envelope-from bacardicoke+sender+38c70d@gmail.com)
Received: from ssdd.xs4all.nl (ssdd.xs4all.nl [195.64.89.117]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4D96843D48 for ; Sat, 5 Nov 2005 14:13:02 +0000 (GMT) (envelope-from bacardicoke+sender+38c70d@gmail.com)
Received: from localhost (localhost [127.0.0.1]) by imhotep.yuckfou.org (Postfix) with ESMTP id 10C77A06 for ; Sat, 5 Nov 2005 15:13:18 +0100 (CET)
Received: from ssdd.xs4all.nl ([127.0.0.1]) by localhost (imhotep.yuckfou.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 79082-08 for ; Sat, 5 Nov
2005 15:12:59 +0100 (CET)
Received: by imhotep.yuckfou.org (Postfix, from userid 1000) id C50CDA03; Sat, 5 Nov 2005 15:12:58 +0100 (CET)
Received: from [192.168.2.239] (turbata-xp.gondel.local [192.168.2.239]) by localhost.yuckfou.org (tmda-ofmipd) with ESMTP; Sat, 05 Nov 2005 15:12:49 +0100 (CET)
Message-ID: <436CBDCA.4050309@gmail.com>
Date: Sat, 05 Nov 2005 15:12:26 +0100
User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-pf@freebsd.org
X-Enigmail-Version: 0.93.0.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
From: Nils Vogels
X-Delivery-Agent: TMDA/1.0.3 (Seattle Slew)
X-TMDA-Fingerprint: b+l3vwM0JGetZq96gRSq3QdOjiU
X-Virus-Scanned: amavisd-new at yuckfou.org
X-Spam-Status: No, score=-4.399 tagged_above=-999 required=6.31 tests=[ALL_TRUSTED=-1.8, BAYES_00=-2.599]
X-Spam-Score: -4.399
X-Spam-Level:
Subject: PF, reply-to and synproxy
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Nils Vogels
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Sat, 05 Nov 2005 14:13:06 -0000

Hi there,

I currently have the situation where I use the pf route-to and reply-to statements to direct traffic the right way in my network. My firewall has two ISPs connected to it; the default route is set to ISP1. Their interfaces are called if_isp1 and if_isp2. I want to have a webserver (server1) that is behind my firewall to be reachable using both ISPs.
What I have seen is that when I take the following ruleset:

rdr on $if_isp1 proto tcp from any to $ipv4_isp1 port $http -> $ipv4_imhotep port $http
rdr on $if_isp2 proto tcp from any to $ipv4_isp2 port $http -> $ipv4_imhotep port $http

pass in quick on $if_isp1 proto tcp from any port > 1023 to $ipv4_server1 port \
    $http flags S/SA synproxy state queue (q_def_1, q_pri_1)
pass in quick on $if_isp2 reply-to ($if_isp2 $ipv4_gw_isp2 ) proto tcp from any port > 1023 to $ipv4_server1 port \
    $http flags S/SA synproxy state queue (q_def_2, q_pri_2)

Traffic from $if_isp2 to my webserver seems to drop in my FreeBSD 5.3-RELEASE-p2 firewall, traffic from $if_isp1 works fine, whereas when I use

rdr on $if_isp1 proto tcp from any to $ipv4_isp1 port $http -> $ipv4_imhotep port $http
rdr on $if_isp2 proto tcp from any to $ipv4_isp2 port $http -> $ipv4_imhotep port $http

pass in quick on $if_isp1 proto tcp from any port > 1023 to $ipv4_server1 port \
    $http flags S/SA synproxy state queue (q_def_1, q_pri_1)
pass in quick on $if_isp2 reply-to ($if_isp2 $ipv4_gw_isp2 ) proto tcp from any port > 1023 to $ipv4_server1 port \
    $http flags S/SA keep state queue (q_def_2, q_pri_2)

both ISP interfaces can access my webserver.

I've tried altering everything else, but for some reason, only disabling synproxy and going back to keep state gives me the result I want.

Did I in some way run into a bug, or is this documented somewhere? (I couldn't find it)

Thanks,

Nils

-- 
Those who desire to give up freedom in order to gain security, will not have, nor do they deserve, either one.
~Benjamin Franklin (American Statesman, Scientist, Philosopher, Printer, Writer and Inventor. 1706-1790)

From owner-freebsd-pf@FreeBSD.ORG Sat Nov 5 21:43:38 2005
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 689A916A41F; Sat, 5 Nov 2005 21:43:38 +0000 (GMT) (envelope-from cuk@cuk.nu)
Received: from nu.cuk.nu (tm.213.143.78.60.lc.telemach.net [213.143.78.60]) by mx1.FreeBSD.org (Postfix) with ESMTP id C4E1543D45; Sat, 5 Nov 2005 21:43:36 +0000 (GMT) (envelope-from cuk@cuk.nu)
Received: from localhost (localhost.cuk.nu [127.0.0.1]) by nu.cuk.nu (Postfix) with ESMTP id 5E13AE0431; Sat, 5 Nov 2005 22:43:34 +0100 (CET)
Received: from nu.cuk.nu ([127.0.0.1]) by localhost (nu.cuk.nu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 33613-04; Sat, 5 Nov 2005 22:43:31 +0100 (CET)
Received: from [192.168.6.60] (unknown [192.168.6.60]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by nu.cuk.nu (Postfix) with ESMTP id 27CC8E0436; Sat, 5 Nov 2005 22:43:31 +0100 (CET)
Message-ID: <436D27DB.40205@cuk.nu>
Date: Sat, 05 Nov 2005 22:44:59 +0100
From: Marko Cuk
Organization: NetInet
User-Agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Content-Type: multipart/mixed; boundary="------------060201030205000008050804"
X-Virus-Scanned: amavisd-new at NetInet.si
Cc:
Subject: [Fwd: Tun]
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Sat, 05 Nov 2005 21:43:38 -0000

This is a multi-part message in MIME format.
--------------060201030205000008050804
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Max obviously didn't have time to answer...

Any ideas?

Tnx, Marko Cuk

-- 
NetInet d.o.o.
http://www.NetInet.si
Private: http://cuk.nu
MountainBikeSlovenia team: http://mtb.si
Slovenian FreeBSD mirror admin http://www2.si.freebsd.org

--------------060201030205000008050804
Content-Type: message/rfc822; name="Tun"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="Tun"

Message-ID: <436A6A3A.2080305@cuk.nu>
Date: Thu, 03 Nov 2005 20:51:22 +0100
From: Marko Cuk
Organization: NetInet
User-Agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Max Laier
Subject: Tun
References: <20050815154642.GD91135@nevermind.kiev.ua> <200508151756.19109.max@love2party.net>
In-Reply-To: <200508151756.19109.max@love2party.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Hello Max!

Please, do you have any ideas... What is the status of the tun0 driver and ALTQ? I have FreeBSD 6.0-RELEASE and have tried it without success. Why 6.0? Don't know... curious maybe... if you think that 5.4 will work better, I'll reinstall it.

The tun0 is because of xDSL (PPPoE).

It seems like packets won't match the queue. Look at the pfctl output (look at the "bucy" rules -- he is a huge consumer and the primary uplink is out for a week, xDSL is only backup and he consumes all the available bandwidth).

THIS IFACE IS TUN0 ( pppoe )

queue root_em0 bandwidth 1Gb priority 0 cbq( wrr root ) {std_ext, bucy_out}
  [ pkts:      76053  bytes:    7390221  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
  [ measured:   199.0 packets/s, 146.71Kb/s ]
queue  std_ext bandwidth 384Kb cbq( default )
  [ pkts:      76053  bytes:    7390221  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:     59 ]
  [ measured:   199.0 packets/s, 146.71Kb/s ]

THIS ONE IS PROBLEMATIC - Won't match

queue  bucy_out bandwidth 128Kb
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
  [ measured:     0.0 packets/s, 0 b/s ]

queue root_em1 bandwidth 1Gb priority 0 cbq( wrr root ) {std_int, bucy_in}
  [ pkts:      91920  bytes:  100394990  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
  [ measured:   260.4 packets/s, 2.37Mb/s ]
queue  std_int bandwidth 2Mb cbq( default )
  [ pkts:      50302  bytes:   58076735  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:   2359 ]
  [ measured:   194.6 packets/s, 1.89Mb/s ]
queue  bucy_in bandwidth 900Kb
  [ pkts:      41618  bytes:   42318255  dropped pkts:    446 bytes: 433317 ]
  [ qlength:   0/ 50  borrows:      0  suspends:   7440 ]
  [ measured:    65.8 packets/s, 475.89Kb/s ]
queue root_dc0 bandwidth 10Mb priority 0 cbq( wrr root ) {std_int_wifi_in}
  [ pkts:       3967  bytes:    1730908  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
  [ measured:     2.6 packets/s, 4.17Kb/s ]
queue  std_int_wifi_in bandwidth 5Mb cbq( default )
  [ pkts:       3967  bytes:    1730908  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
  [ measured:     2.6 packets/s, 4.17Kb/s ]

These are the rules:

##########################################################################################
# QUEUEING: rule-based bandwidth control.
###########################################################################################

# THIS IS OUR OUTGOING TRAFFIC - UPLOAD
altq on em0 cbq bandwidth 100% queue { std_ext,bucy_out }
queue std_ext bandwidth 384Kb cbq(default)
queue bucy_out bandwidth 128Kb

#########################################################################################
# THIS IS OUR INCOMING TRAFFIC - DOWNLOAD
altq on em1 cbq bandwidth 100% queue { std_int,bucy_in }
queue std_int bandwidth 2Mb cbq(default)
queue bucy_in bandwidth 900Kb

# QUEUE rule
pass in log on em1 from 10.0.100.0/24 to any queue bucy_out
pass out log on em1 from any to 10.0.100.0/24 queue bucy_in

Many thanks for any information.

I have changed the various eth cards, from dc cards to em gigabit cards, etc, etc. Without success. I know that there have been some issues with tun0 on OpenBSD, but that was a little time ago.

Bye, Marko

p.s. I have a very huge system, dual-homed, all based on pf, and there is one issue too, but we'll discuss it later. I have managed it with ipf (only that source routing issue). Anyway, your work is very good and thanks for porting pf to FreeBSD.

-- 
NetInet d.o.o.
http://www.NetInet.si
Private: http://cuk.nu
MountainBikeSlovenia team: http://mtb.si
Slovenian FreeBSD mirror admin http://www2.si.freebsd.org

--------------060201030205000008050804--
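Two of the reports above are diagnosed from pfctl output: the ftp-proxy report shows a translated `pfctl -ss` state stuck in SYN_SENT, and the ALTQ report shows a `pfctl -sq -v` queue whose packet counter never moves. The following is an added example, not code from any message in this thread, that parses both output formats and flags those two symptoms; the sample text is constructed from the quoted output, and `parse_states`, `stuck_redirects`, `parse_queues` and `idle_queues` are hypothetical helper names.

```python
import re

# Constructed samples in the shape of the `pfctl -ss` and `pfctl -sq -v`
# output quoted in the thread (not captured from a real host).
SAMPLE_STATES = """\
self tcp 127.0.0.1:8021 <- 208.55.68.52:21 <- 10.71.0.255:4694   CLOSED:SYN_SENT
self tcp 10.71.0.1:22 <- 10.71.0.9:41022   ESTABLISHED:ESTABLISHED
"""
SAMPLE_QUEUES = """\
queue root_em0 bandwidth 1Gb priority 0 cbq( wrr root ) {std_ext, bucy_out}
  [ pkts:      76053  bytes:    7390221  dropped pkts:      0 bytes:      0 ]
queue  std_ext bandwidth 384Kb cbq( default )
  [ pkts:      76053  bytes:    7390221  dropped pkts:      0 bytes:      0 ]
queue  bucy_out bandwidth 128Kb
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
"""

STATE_RE = re.compile(r"^\S+\s+(?P<proto>\w+)\s+(?P<chain>.+?)\s+(?P<state>\S+:\S+)\s*$")
QUEUE_RE = re.compile(r"^queue\s+(?P<name>\S+)\s+bandwidth\s+(?P<bw>\S+)(?P<rest>.*)$")
PKTS_RE = re.compile(r"\[\s*pkts:\s*(?P<pkts>\d+)\s+bytes:\s*\d+\s+dropped pkts:\s*(?P<drop>\d+)")


def parse_states(text):
    """One dict per `pfctl -ss` line. Three endpoints mean nat/rdr was applied:
    translated address <- original destination <- source."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            hops = re.split(r"\s*(?:<-|->)\s*", m.group("chain").strip())
            states.append({"proto": m.group("proto"), "hops": hops,
                           "translated": len(hops) == 3, "state": m.group("state")})
    return states


def stuck_redirects(states, target):
    """Translated TCP states aimed at the rdr target that never left SYN_SENT:
    the rdr fired, but nothing behind the target completed the handshake."""
    return [s for s in states if s["translated"] and s["proto"] == "tcp"
            and s["hops"][0] == target and "SYN_SENT" in s["state"].split(":")]


def parse_queues(text):
    """Map queue name -> bandwidth, root/default flags and packet counters."""
    queues, current = {}, None
    for line in text.splitlines():
        q = QUEUE_RE.match(line)
        if q:
            current, rest = q.group("name"), q.group("rest")
            queues[current] = {"bw": q.group("bw"), "pkts": 0, "dropped": 0,
                               "root": re.search(r"\(\s*[\w ]*root\s*\)", rest) is not None,
                               "default": re.search(r"\(\s*default\s*\)", rest) is not None}
        elif current and (p := PKTS_RE.search(line)):
            queues[current]["pkts"], queues[current]["dropped"] = int(p["pkts"]), int(p["drop"])
    return queues


def idle_queues(queues):
    """Leaf queues that never counted a packet: no rule assigning them matched
    traffic leaving the interface the altq is attached to."""
    return sorted(n for n, q in queues.items()
                  if not q["root"] and not q["default"] and q["pkts"] == 0)
```

Fed real `pfctl -ss` and `pfctl -sq -v` output, the two reporters tell you which redirect states and which leaf queues to look at first, before touching the ruleset.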