From owner-freebsd-pf@FreeBSD.ORG Sun Dec 17 06:48:51 2006
From: "Martijn Broeders - HUB Labs"
To: "Daniel Hartmeier"
Cc: freebsd-pf@freebsd.org
Date: Sun, 17 Dec 2006 07:48:20 +0100
Message-ID: <1DDD0EBB36ACA443BD81C8243F7051CD844C@exchsrvr1.hub.local>
Subject: RE: ADSL modem in bridged mode

> Most likely that 192.168.0.2's default route does not
> point back to the pf box (192.168.0.1).
>
> synproxy has completed the handshake with the external
> client. It is now replaying the handshake with the server.
> It has sent the SYN to the server and is waiting for the
> SYN+ACK from the server. Which doesn't arrive.
Hi Daniel,

How can I be so incredibly stupid! I completely forgot this. I also made this mistake several years ago when I configured new FreeBSD boxes with ipfilter.... :-(

Thanks for your input.

Martijn

From owner-freebsd-pf@FreeBSD.ORG Sun Dec 17 23:03:07 2006
From: Ermal Luçi
To: freebsd-net@freebsd.org
Cc: freebsd-pf@freebsd.org
Date: Mon, 18 Dec 2006 00:03:05 +0100
Message-ID: <9a542da30612171503r2b032072j2acd1f48537081e1@mail.gmail.com>
Subject: PF - netgraph integration
Hello,

I am writing a netgraph module to make PF communicate with the netgraph subsystem and was wondering which method is better for handling PF tags on the netgraph part, since they use strings for matching.

Is it better to patch ng_tag to handle strings too, like setting the type of hook to either PF-tags-compatible or normal (tag_id/current) one? Or just make a kind of aliasing of tag_id in ng_pf (the module I am writing), so when tags come from PF -> netgraph we assign a tag_id (consistent through netgraph) to the specified PF_tag, user configurable, and then revert to PF_tag when communicating from netgraph -> PF?

Another issue is the way to handle rule parsing in PF when packets return from netgraph, since PF cannot guarantee rule position/number to be the same after a reload of its ruleset. One I have thought about is reinjecting the packet on the rules with one of the M_PROTO[1-5] flags so we can distinguish if the packet has been sent once to netgraph (although I don't know if this is safe, since other protocols/applications might use these flags)! Maybe introduce an M_NETGRAPH_TO_PF flag like M_SKIP_FIREWALL, but I know this is not a preferable one since it inserts a special case into the kernel?! One forced solution is to create a 'static' anchor where rules about such packets can be created?! The last choice, maybe, is to pass the according rule to netgraph and refind it when sending the packet back to PF so it continues to the next rule, after the one we saved, but this seems really not efficient?!

Please can you help out with these issues? I am trying to find a good solution, but ideas would be welcomed :).

Thanks.
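One way to do the tag_id aliasing asked about above, as an added example written for this thread rather than code from pf or ng_pf: a ref-counted table that translates a PF tag name to one stable u_int16_t id (the same scheme pf's own pf_ioctl.c uses for its "tag"/"tagged" keywords) and resolves it back on the way from netgraph to PF. The table sizes, function names and the tag names used in the comments are assumptions for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Added illustration, not pf's or ng_pf's code: a user-space model of the
 * ref-counted tag-name -> u_int16_t table that pf keeps for its "tag" and
 * "tagged" keywords.  ng_pf could reuse such a table so a PF tag name maps
 * to one stable numeric tag_id on the netgraph side and back again.
 * The sizes below are assumptions chosen for the demo. */
#define TAG_NAME_MAX   64
#define TAG_TABLE_MAX  128

struct tag_entry {
    char     name[TAG_NAME_MAX];  /* PF-side string tag */
    uint16_t tag;                 /* netgraph-side numeric id, never 0 */
    unsigned ref;                 /* holders (rules, hooks); 0 == free slot */
};

static struct tag_entry tag_table[TAG_TABLE_MAX];

static struct tag_entry *find_by_tag(uint16_t tag)
{
    for (int i = 0; i < TAG_TABLE_MAX; i++)
        if (tag_table[i].ref > 0 && tag_table[i].tag == tag)
            return &tag_table[i];
    return NULL;
}

/* Lowest id not in use, so ids released by tag_unref() are recycled
 * instead of growing without bound; 0 means the id space is exhausted. */
static uint16_t lowest_free_tag(void)
{
    for (uint32_t cand = 1; cand <= UINT16_MAX; cand++)
        if (find_by_tag((uint16_t)cand) == NULL)
            return (uint16_t)cand;
    return 0;
}

/* PF -> netgraph: look up or allocate the id for name and take a reference.
 * Returns 0 for an invalid name or when the table or id space is full. */
uint16_t tagname2tag(const char *name)
{
    struct tag_entry *slot = NULL;

    if (name == NULL || name[0] == '\0' || strlen(name) >= TAG_NAME_MAX)
        return 0;
    for (int i = 0; i < TAG_TABLE_MAX; i++) {
        struct tag_entry *e = &tag_table[i];
        if (e->ref == 0) {
            if (slot == NULL)
                slot = e;                 /* first free slot, if needed */
        } else if (strcmp(e->name, name) == 0) {
            e->ref++;                     /* existing name: share its id */
            return e->tag;
        }
    }
    if (slot == NULL || (slot->tag = lowest_free_tag()) == 0)
        return 0;
    memcpy(slot->name, name, strlen(name) + 1);
    slot->ref = 1;
    return slot->tag;
}

/* netgraph -> PF: resolve an id back to its PF tag name; NULL if unknown. */
const char *tag2tagname(uint16_t tag)
{
    struct tag_entry *e = find_by_tag(tag);
    return e ? e->name : NULL;
}

/* Drop one reference; returns the remaining count, or -1 for an unknown id.
 * When it reaches 0 the slot and the id become reusable. */
int tag_unref(uint16_t tag)
{
    struct tag_entry *e = find_by_tag(tag);
    return e ? (int)--e->ref : -1;
}
```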
From owner-freebsd-pf@FreeBSD.ORG Mon Dec 18 02:33:16 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: freebsd-net@freebsd.org, Ermal Luçi
Date: Mon, 18 Dec 2006 03:20:30 +0100
In-Reply-To: <9a542da30612171503r2b032072j2acd1f48537081e1@mail.gmail.com>
Message-Id: <200612180320.36956.max@love2party.net>
Subject: Re: PF - netgraph integration
On Monday 18 December 2006 00:03, Ermal Luçi wrote:
> I am writing a netgraph module to make PF communicate with the netgraph
> subsystem and was wondering which method is better for handling PF tags
> on the netgraph part, since they use strings for matching.
>
> Is it better to patch ng_tag to handle strings too, like setting the type
> of hook to either PF-tags-compatible or normal (tag_id/current) one?
> Or just make a kind of aliasing of tag_id in ng_pf (the module I am
> writing), so when tags come from PF -> netgraph we assign a
> tag_id (consistent through netgraph) to the specified PF_tag, user
> configurable, and then revert to PF_tag when communicating from
> netgraph -> PF?

I think names are essential. pf_ioctl.c has all the tools to handle the
name -> u_int16_t translation and ref counting, so why not use that?

> Another issue is the way to handle rule parsing in PF when packets
> return from netgraph, since PF cannot guarantee rule position/number
> to be the same after a reload of its ruleset.

There is a big conceptual difference between pf and ipfw in this respect.
In my mind we only want to know that the packet has been through netgraph
and pass or deny it - we hardly want to re-evaluate the ruleset. I might
be missing a point here, however.

> One I have thought about
> is reinjecting the packet on the rules with one of the M_PROTO[1-5]
> flags so we can distinguish if the packet has been sent once to
> netgraph (although I don't know if this is safe, since other
> protocols/applications might use these flags)! Maybe introduce an
> M_NETGRAPH_TO_PF flag like M_SKIP_FIREWALL, but I know this is not a
> preferable one since it inserts a special case into the kernel?!
> One forced solution is to create a 'static' anchor where rules about
> such packets can be created?!
> The last choice, maybe, is to pass the according rule to netgraph and
> refind it when sending the packet back to PF so it continues to the
> next rule, after the one we saved, but this seems really not
> efficient?!

This is tricky, as it taps into all kind of ref counting trouble. I think
the easiest is to extend "struct pf_tag" (or whatever other m_tag we
will be using) to have an additional flags field which can be used to
carry the information that the packet has been through netgraph already.

One other thing to think about is stateful filtering. I think it can be
interesting to pass all packets matching a certain state to netgraph. In
addition you would want to be able to remove a state as netgraph
identifies a connection as bad (think bittorrent e.g.). Again the flag
field could be used to carry that kind of information.

> Please can you help out with these issues? I am trying to find a good
> solution, but ideas would be welcomed :).

Find me off-list for more discussion, I'm very interested in this. I
might want to do one more vendor import before we put FreeBSD centric in,
but your work is almost completely orthogonal to this (% pfctl syntax,
maybe).
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 18 05:49:16 2006
From: "Stephen P. Cravey"
To: freebsd-pf@freebsd.org
Date: Mon, 18 Dec 2006 05:23:00 +0000
Message-Id: <20061218052300.eee1b95b.clists@gotbrains.org>
Subject: carpdev support

I'm trying to replace several ciscos with a pair of freebsd routers running carp. The problem I'm having is that I need to be able to tie carp to a specific vlan interface.
My search for carpdev led to 3 messages that didn't seem to have replies.

Who, if anyone, is actively supporting carp for FreeBSD? What can I do to help get this functionality into FreeBSD 6.x?

The last person to touch the ifconfig carp code was glebius almost 2 years ago for what appears to be the original MFC for carp. This tells me that no work is being done in -CURRENT to support it. There are obvious structural differences in the OpenBSD source tree that I do not understand, or I would start work on it myself. The FreeBSD side looks fairly simple.

Thank you.

-Stephen

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 18 11:08:54 2006
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 18 Dec 2006 11:08:34 GMT
Message-Id: <200612181108.kBIB8Yqg089991@freefall.freebsd.org>
Subject: Current problem reports assigned to you
Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o sparc/93530  pf    Incorrect checksums when using pf's route-to on sparc6

3 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
f conf/81042   pf    [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/103304  pf    pf accepts nonexistent queue in rules
o kern/106400  pf    fatal trap 12 at restart of PF with ALTQ if ng0 device

4 problems total.

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 20 16:23:40 2006
From: Jordan Ostreff
To: freebsd-pf@freebsd.org
Date: Wed, 20 Dec 2006 17:55:53 +0200
Message-ID: <45895D09.9000202@ostreff.info>
Subject: PF problems with freebsd versions 6.0/6.1 and now with 6.2-PRERELEASE

Dear Sirs,

I'm writing this email because I believe that you really try to make FreeBSD the best free and open source operating system in the world.

My problem today was with a very simple installation with a web server (apache-2.2.3/mysql-5.0/php4.4.2) and GENERIC kernel on an amd64 machine. I have enabled pf and pflog via rc.conf, so on boot the machine loads the kernel modules. I have installed the port named http_load on another machine in the same LAN segment. When I started

    http_load -parallel 1000 -seconds 600 some_url_on_machine_with_pf

I see that the machine with PF quickly goes inaccessible and I see on its console that the system is totally frozen.

I have problems with a similar configuration in the following cases:
a) GENERIC kernel amd64 SMP 6.1-RELEASE and 6.2-PRERELEASE
b) pf built into the kernel on i386 SMP and non-SMP, 6.0-R-p16 and 6.1-RELEASE
c) pf without ALTQ in the kernel on i386 SMP and non-SMP 6.0-RELEASE-p16

Today I have switched the firewalls on all those systems to IPFW and it works!

Please, if you are interested in this case, I can provide more specific information and also configuration files!
Regards,
Jordan

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 20 18:16:55 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: Jordan Ostreff
Date: Wed, 20 Dec 2006 19:16:27 +0100
In-Reply-To: <45895D09.9000202@ostreff.info>
Message-Id: <200612201916.33075.max@love2party.net>
Subject: Re: PF problems with freebsd versions 6.0/6.1 and now with 6.2-PRERELEASE
On Wednesday 20 December 2006 16:55, Jordan Ostreff wrote:
> Dear Sirs,
> I'm writing this email because I believe that you really try to make
> FreeBSD the best free and open source operating system in the world.
>
> My problem today was with a very simple installation with a web server
> (apache-2.2.3/mysql-5.0/php4.4.2) and GENERIC kernel on an amd64 machine.
> I have enabled pf and pflog via rc.conf, so on boot the machine loads the
> kernel modules. I have installed the port named http_load on another
> machine in the same LAN segment. When I started http_load -parallel 1000
> -seconds 600 some_url_on_machine_with_pf I see that the machine with PF
> quickly goes inaccessible and I see on its console that the system is
> totally frozen.

Do you have user/group rules in your ruleset?

> I have problems with a similar configuration in the following cases:
> a) GENERIC kernel amd64 SMP 6.1-RELEASE and 6.2-PRERELEASE
> b) pf built into the kernel on i386 SMP and non-SMP, 6.0-R-p16 and
>    6.1-RELEASE
> c) pf without ALTQ in the kernel on i386 SMP and non-SMP 6.0-RELEASE-p16
>
> Today I have switched the firewalls on all those systems to IPFW and it
> works!
>
> Please, if you are interested in this case, I can provide more specific
> information and also configuration files!
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 22 08:18:16 2006
From: Rostislav Krasny
To: freebsd-pf@freebsd.org
Date: Fri, 22 Dec 2006 10:17:52 +0200
Message-Id: <20061222101752.b068b95c.rosti.bsd@gmail.com>
Subject: Long ICMP echo through NAT

Hi there,

I've found the following problem, which looks like a PF bug. My router is an i386 box running FreeBSD 6.2-PRERELEASE. I update it to the latest RELENG_6 about once a week. It's doing NAT by the following PF rule:

nat on $ext_if from $int_if:network to any -> ($ext_if)

Accidentally I've found the following problem:

This is on the router
======================================================================
mercury# ping -Ds 1472 -c 3 204.152.191.5
PING 204.152.191.5 (204.152.191.5): 1472 data bytes
1480 bytes from 204.152.191.5: icmp_seq=0 ttl=52 time=360.800 ms
1480 bytes from 204.152.191.5: icmp_seq=1 ttl=52 time=359.268 ms
1480 bytes from 204.152.191.5: icmp_seq=2 ttl=52 time=357.721 ms

--- 204.152.191.5 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 357.721/359.263/360.800/1.257 ms
======================================================================

And this is on another computer in my LAN
======================================================================
saturn# ping -Ds 1472 -c 3 204.152.191.5
PING 204.152.191.5 (204.152.191.5): 1472 data bytes

--- 204.152.191.5 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
saturn# ping -Ds 1465 -c 3 204.152.191.5
PING 204.152.191.5 (204.152.191.5): 1465 data bytes

--- 204.152.191.5 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
saturn# ping -Ds 1464 -c 3 204.152.191.5
PING 204.152.191.5 (204.152.191.5): 1464 data bytes
1472 bytes from 204.152.191.5: icmp_seq=0 ttl=51 time=362.138 ms
1472 bytes from 204.152.191.5: icmp_seq=1 ttl=51 time=360.834 ms
1472 bytes from 204.152.191.5: icmp_seq=2 ttl=51 time=358.460 ms

--- 204.152.191.5 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 358.460/360.477/362.138/1.523 ms
======================================================================

Running tcpdump on the router shows that echo requests and echo replies are always sent and received on the $ext_if but not always sent back from the $int_if. 1472 - 1464 = 8, which is the ICMP echo header size. If on the other computer on my LAN I run ping without -D I see the same problem.

The $ext_if and the $int_if are of the same hardware type:

xl0: <3Com 3c905C-TX Fast Etherlink XL> port 0x1080-0x10ff mem 0xf4008000-0xf400807f irq 11 at device 13.0 on pci0
miibus0: on xl0
xlphy0: <3c905C 10/100 internal PHY> on miibus0
xlphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
xl0: Ethernet address: 00:01:02:ae:e7:fb
xl1: <3Com 3c905C-TX Fast Etherlink XL> port 0x1400-0x147f mem 0xf4008400-0xf400847f irq 10 at device 15.0 on pci0
miibus1: on xl1
xlphy1: <3c905C 10/100 internal PHY> on miibus1
xlphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto