From owner-freebsd-pf@FreeBSD.ORG Sun Mar 25 17:59:26 2007
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id E841616A406 for ; Sun, 25 Mar 2007 17:59:26 +0000 (UTC) (envelope-from Andre.Albsmeier@siemens.com)
Received: from goliath.siemens.de (goliath.siemens.de [192.35.17.28]) by mx1.freebsd.org (Postfix) with ESMTP id 796E113C46A for ; Sun, 25 Mar 2007 17:59:26 +0000 (UTC) (envelope-from Andre.Albsmeier@siemens.com)
Received: from mail3.siemens.de (localhost [127.0.0.1]) by goliath.siemens.de (8.12.6/8.12.6) with ESMTP id l2PHxP7W010855; Sun, 25 Mar 2007 19:59:25 +0200
Received: from curry.mchp.siemens.de (curry.mchp.siemens.de [139.25.40.130]) by mail3.siemens.de (8.12.6/8.12.6) with ESMTP id l2PHxPAq014655; Sun, 25 Mar 2007 19:59:25 +0200
Received: (from localhost) by curry.mchp.siemens.de (8.13.8/8.13.8) id l2PHxOjl011370;
Date: Sun, 25 Mar 2007 19:59:24 +0200
From: Andre Albsmeier
To: Volker
Message-ID: <20070325175924.GA51473@curry.mchp.siemens.de>
References: <20070323115043.GA6991@curry.mchp.siemens.de> <46052572.9070402@vwsoft.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <46052572.9070402@vwsoft.com>
X-Advice: Drop that crappy M$-Outlook, I'm tired of your viruses!
User-Agent: Mutt/1.5.14 (2007-02-12)
Cc: Andre Albsmeier , freebsd-pf@freebsd.org
Subject: Re: 6.2-STABLE: enc0 sees only outgoing packets in pf
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Sun, 25 Mar 2007 17:59:27 -0000

On Sat, 24-Mar-2007 at 14:19:46 +0100, Volker wrote:
> Andre,
>
> On 12/23/-58 20:59, Andre Albsmeier wrote:
> > [Retrying on -pf...]
> >
> > (This is FreeBSD 6.2-STABLE as of yesterday using pf and FAST_IPSEC.)
> >
> > Yesterday I started to play around with enc0 in pf. I hoped I
> > could now control IPSEC traffic in the standard way with pf rules
> > but it seems that only outgoing packets hit enc0. I added a
> >
> >   pass quick log on enc0 all
>
> Do you really use that rule? If you're using a 'keep state' option

For playing around, yes.

> this would give the behavior you're experiencing.

That's why I didn't use 'keep state' :-).

> > on top of all pf rules. When sending a single ping packet to
> > the remote side everything works but the only thing I see is
> >
> >   Mar 18 10:20:11 gate pflogd: @0 pass out enc0 ICMP 192.168.164.81 -> 10.0.1.32 8 (echo)
> >
> > (192.168.164.81 is my local gif0 address and 10.0.1.32 the remote).
> >
> > However, when running a tcpdump on enc0 we see the answer as well:
> >
> >   listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 1550 bytes
> >   10:20:11.475041 (authentic,confidential): SPI 0x50521518: IP A.B.C.D > E.F.G.H: IP 192.168.164.81 > 10.0.1.32: ICMP echo request, id 3631, seq 0, length 64 (ipip-proto-4)
> >   10:20:11.560430 (authentic,confidential): SPI 0x0cf2344e: IP E.F.G.H > A.B.C.D: IP 10.0.1.32 > 192.168.164.81: ICMP echo reply, id 3631, seq 0, length 64 (ipip-proto-4)
> >
> > (A.B.C.D is my local gif0 tunnel endpoint and E.F.G.H the remote).
> >
> > Just to make things clear: IPSEC works (as it did for years), I'm
> > just not able to control the incoming packets with enc0 in pf.
>
> Not really what you're asking for but... I think you won't like to
> see _every_ packet in the firewall logs. Instead you really want to

Yes, for now I want to see every packet :-). Later, of course, there
will be one outgoing state-keeping rule and another incoming one to
allow specific things additionally.

	-Andre

--
"Regression testing? What's that? If it compiles, it is good, if it boots up, it is perfect."
 - Linus Torvalds

From owner-freebsd-pf@FreeBSD.ORG Sun Mar 25 18:19:34 2007
Date: Sun, 25 Mar 2007 20:19:31 +0200
From: Andre Albsmeier
To: Andrew Thompson
Message-ID: <20070325181931.GA51689@curry.mchp.siemens.de>
References: <20070323115043.GA6991@curry.mchp.siemens.de> <46052572.9070402@vwsoft.com> <20070324185928.GC45070@heff.fud.org.nz>
In-Reply-To: <20070324185928.GC45070@heff.fud.org.nz>
Cc: Volker , Andre Albsmeier , freebsd-pf@freebsd.org
Subject: Re: 6.2-STABLE: enc0 sees only outgoing packets in pf

On Sun, 25-Mar-2007 at 06:59:28 +1200, Andrew Thompson wrote:
> On Sat, Mar 24, 2007 at 02:19:46PM +0100, Volker wrote:
> > Andre,
> >
> > On 12/23/-58 20:59, Andre Albsmeier wrote:
> > > [Retrying on -pf...]
> > >
> > > (This is FreeBSD 6.2-STABLE as of yesterday using pf and FAST_IPSEC.)
> > >
> > > Just to make things clear: IPSEC works (as it did for years), I'm
> > > just not able to control the incoming packets with enc0 in pf.
> >
> > On the other side, I've played with device enc a few weeks ago and
> > was asking for clarification on net@ but didn't get any reply.
> >
> > What's really strange is packets coming through an IPSec tunnel can
> > be seen by pf on device enc but packets are still passing through
> > even if device enc0 is down.
>
> The code does check if the interface is running but if it's not then just
> passes the packet through unhindered. Do you think it should behave like
> you describe where the packets are dropped?
>
> See line 204, change the check to this
>
>     if ((encif->if_drv_flags & IFF_DRV_RUNNING) == 0) {
>         m_freem(*mp);
>         return (-1);
>     }
>
> > So from my experience device enc currently is a bit strange in
> > behavior (at least on -STABLE). Also AFAIR I haven't been able to
> > block packets on device enc0 using pf. I suspect device enc is
> > currently a bit of a hack and currently probably only useful for
> > packet / connection logging but not for real firewalling. You might
> > check out if you're able to block anything on enc0 (my memories
> > might be wrong) and play with it a bit.
>
> This should work as you say and if it's not then that's a bug. Can you log
> the packets with pflog to check they are being blocked.

Not being Volker :-) but I just added

  block out log quick on enc0

to pf.conf, sent out a single ping packet and while it was properly
blocked it also appeared in the logs:

  Mar 25 20:01:32 gate pflogd: @7 block out enc0 ICMP 192.168.164.81 -> 10.0.1.32 8 (echo)

So, yes, you can control outgoing packets using enc0 with pf but not
incoming ones.

	-Andre

From owner-freebsd-pf@FreeBSD.ORG Sun Mar 25 20:04:27 2007
Date: Sun, 25 Mar 2007 22:04:08 +0200
From: Volker
To: Andrew Thompson
Message-ID: <4606D5B8.5000000@vwsoft.com>
References: <20070323115043.GA6991@curry.mchp.siemens.de> <46052572.9070402@vwsoft.com> <20070324185928.GC45070@heff.fud.org.nz>
In-Reply-To: <20070324185928.GC45070@heff.fud.org.nz>
Cc: Andre Albsmeier , freebsd-pf@freebsd.org
Subject: Re: 6.2-STABLE: enc0 sees only outgoing packets in pf

On 03/24/07 19:59, Andrew Thompson wrote:
> On Sat, Mar 24, 2007 at 02:19:46PM +0100, Volker wrote:
>> Andre,
>>
>> On 12/23/-58 20:59, Andre Albsmeier wrote:
>>> [Retrying on -pf...]
>>>
>>> (This is FreeBSD 6.2-STABLE as of yesterday using pf and FAST_IPSEC.)
>>>
>>> Just to make things clear: IPSEC works (as it did for years), I'm
>>> just not able to control the incoming packets with enc0 in pf.
>>
>> On the other side, I've played with device enc a few weeks ago and
>> was asking for clarification on net@ but didn't get any reply.
>>
>> What's really strange is packets coming through an IPSec tunnel can
>> be seen by pf on device enc but packets are still passing through
>> even if device enc0 is down.
>
> The code does check if the interface is running but if it's not then just
> passes the packet through unhindered. Do you think it should behave like
> you describe where the packets are dropped?
>
> See line 204, change the check to this
>
>     if ((encif->if_drv_flags & IFF_DRV_RUNNING) == 0) {
>         m_freem(*mp);
>         return (-1);
>     }
>
>> So from my experience device enc currently is a bit strange in
>> behavior (at least on -STABLE). Also AFAIR I haven't been able to
>> block packets on device enc0 using pf. I suspect device enc is
>> currently a bit of a hack and currently probably only useful for
>> packet / connection logging but not for real firewalling.
>> You might
>> check out if you're able to block anything on enc0 (my memories
>> might be wrong) and play with it a bit.
>
> This should work as you say and if it's not then that's a bug. Can you log
> the packets with pflog to check they are being blocked.
>
>
> Andrew

Andrew & Andre,

Ok, I've checked it and am able to confirm Andre's experience.

I've added the following rule to block ICMP traffic on the enc0 interface:

  if_ipsec="enc0"
  block quick log on $if_ipsec proto icmp from any to any

Then tried to create outgoing ICMP traffic and tcpdump showed it's being blocked:

  # tcpdump -netvli pflog0
  tcpdump: WARNING: pflog0: no IPv4 address assigned
  tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
  rule 42/0(match): block out on enc0: (tos 0x0, ttl 64, id 49563, offset 0, flags [none], proto: ICMP (1), length: 84) 10.1.1.1 > 10.2.1.1: ICMP echo request, id 35622, seq 0, length 64

But incoming traffic still passes:

  rule 29/0(match): pass in on enc0: (tos 0x0, ttl 64, id 58618, offset 0, flags [none], proto: ICMP (1), length: 84) 194.180.156.137 > 10.1.1.1: ICMP echo request, id 26909, seq 0, length 64

This example has been created on two peers acting as tunnel endpoints.
The ICMP traffic has been generated _AT_ the tunnel endpoint machines
(this traffic doesn't involve any other machine except the tunnel
endpoints).

What's really looking ugly is another test...

In another scenario I blocked ICMP traffic at one tunnel endpoint (on
the enc0 interface) and tried to create traffic from another machine in
the LAN to the remote tunnel endpoint.
This time it gives:

  rule 40/0(match): block out on enc0: (tos 0x0, ttl 64, id 13524, offset 0, flags [none], proto: ICMP (1), length: 84) 10.2.1.3 > 10.1.1.1: ICMP echo request, id 1811, seq 5, length 64
  rule 40/0(match): block in on enc0: (tos 0x0, ttl 64, id 33495, offset 0, flags [none], proto: ICMP (1), length: 84) 10.1.1.1 > 10.2.1.1: ICMP echo request, id 60966, seq 0, length 64

So there is a difference if the machine is receiving traffic through the
IPSec tunnel and being the destination for that traffic or just a
router. When acting as a router, traffic in both directions (in and out)
may be blocked using enc0. If the tunnel endpoint is the final
destination for the traffic, the packets don't get blocked.

This is looking like a bug.

Greetings,

Volker

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 26 00:32:50 2007
Date: Mon, 26 Mar 2007 02:32:34 +0200
From: Volker
To: Andrew Thompson
Message-ID: <460714A2.3090703@vwsoft.com>
References: <20070323115043.GA6991@curry.mchp.siemens.de>
 <46052572.9070402@vwsoft.com> <20070324185928.GC45070@heff.fud.org.nz>
In-Reply-To: <20070324185928.GC45070@heff.fud.org.nz>
Cc: Andre Albsmeier , freebsd-pf@freebsd.org
Subject: Re: 6.2-STABLE: enc0 sees only outgoing packets in pf

Sorry... my experimental setup has had a mistake. I've re-read my
posting and checked everything. What did get my attention was:

> But incoming traffic still passes:
>
>   rule 29/0(match): pass in on enc0: (tos 0x0, ttl 64, id 58618, offset 0, flags [none], proto: ICMP (1), length: 84) 194.180.156.137 > 10.1.1.1: ICMP echo request, id 26909, seq 0, length 64

Which means, rule 29 was letting this packet pass. I've checked rule 29
and found the mistake. This is letting (on one tunnel endpoint) traffic
through by a table of IP addresses and mistakenly the internal IP
address of the remote tunnel endpoint is in there. Will correct that and
do another test.
Volker

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 26 00:58:39 2007
Date: Mon, 26 Mar 2007 02:58:20 +0200
From: Volker
To: Andrew Thompson
Message-ID: <46071AAC.2020101@vwsoft.com>
References: <20070323115043.GA6991@curry.mchp.siemens.de> <46052572.9070402@vwsoft.com> <20070324185928.GC45070@heff.fud.org.nz>
In-Reply-To: <20070324185928.GC45070@heff.fud.org.nz>
Cc: Andre Albsmeier , freebsd-pf@freebsd.org
Subject: Re: 6.2-STABLE: enc0 sees only outgoing packets in pf
Andrew, Andre & all,

I've checked it out once more (with a corrected setup) and now have
been able to block traffic on enc0 in both directions (no matter if
the tunnel endpoint is final destination or not).

Sorry for my first false posting.

In this test case both machines (tunnel endpoints) are:

  FreeBSD ... 6.2-RELEASE-p1 FreeBSD 6.2-RELEASE-p1 #0: Sun Feb 11 22:35:18 CET 2007 root@...:/usr/obj/usr/src/sys/GwMbg i386

One machine is using racoon (ipsec-tools), the other is using racoon2.

`ifconfig enc0':

  enc0: flags=41 mtu 1536

relevant kernconf parts:

  options FAST_IPSEC
  device random
  device enc
  device crypto

Andre:

If you still have trouble getting IPSec + enc0 + pf to work, please
post me a private message. I know it's hard to find someone who has
a working IPSec setup and is willing to help.

At least my test setup shows it is not just possible to block
traffic on device enc0 using pf, but to see all traffic in the pf
logs (if being configured to do so).

Probably you're willing to show us your pf rules to have a look at it?

Have pfun!
;)

Volker

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 26 05:07:48 2007
Date: Mon, 26 Mar 2007 17:07:47 +1200
From: Andrew Thompson
To: Volker
Message-ID: <20070326050747.GC68655@heff.fud.org.nz>
References: <20070323115043.GA6991@curry.mchp.siemens.de> <46052572.9070402@vwsoft.com> <20070324185928.GC45070@heff.fud.org.nz> <46071AAC.2020101@vwsoft.com>
In-Reply-To: <46071AAC.2020101@vwsoft.com>
Cc: Andre Albsmeier , freebsd-pf@freebsd.org
Subject: Re: 6.2-STABLE: enc0 sees only outgoing packets in pf

On Mon, Mar 26, 2007 at 02:58:20AM +0200, Volker wrote:
> Andrew, Andre & all,
>
> I've checked it out once more (with a corrected setup) and now have
> been able to block traffic on enc0 in both directions (no matter if
> the tunnel endpoint is final destination or not).

Great. Thanks for looking into it anyway.

Andrew

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 26 07:11:18 2007
Date: Mon, 26 Mar 2007 08:47:07 +0200
From: Andre Albsmeier
To: Volker
Message-ID: <20070326064707.GA83792@curry.mchp.siemens.de>
References: <20070323115043.GA6991@curry.mchp.siemens.de> <46052572.9070402@vwsoft.com> <20070324185928.GC45070@heff.fud.org.nz> <46071AAC.2020101@vwsoft.com>
In-Reply-To: <46071AAC.2020101@vwsoft.com>
Cc: Andre Albsmeier , Andrew Thompson , freebsd-pf@freebsd.org
Subject: Re: 6.2-STABLE: enc0 sees only outgoing packets in pf

On Mon, 26-Mar-2007 at 02:58:20 +0200, Volker wrote:
> Andrew, Andre & all,
>
> I've checked it out once more (with a corrected setup) and now have
> been able to block traffic on enc0 in both directions (no matter if
> the tunnel endpoint is final destination or not).

Does that mean that a rule

  block in log quick on enc0

on top of all rules actually blocks anything (assuming you don't
have another state-keeping outgoing rule for enc0)?

	-Andre

>
> Sorry for my first false posting.
>
> In this test case both machines (tunnel endpoints) are:
>
>   FreeBSD ... 6.2-RELEASE-p1 FreeBSD 6.2-RELEASE-p1 #0: Sun Feb 11 22:35:18 CET 2007 root@...:/usr/obj/usr/src/sys/GwMbg i386
>
> One machine is using racoon (ipsec-tools), the other is using racoon2.
>
> `ifconfig enc0':
>
>   enc0: flags=41 mtu 1536
>
> relevant kernconf parts:
>
>   options FAST_IPSEC
>   device random
>   device enc
>   device crypto
>
> Andre:
>
> If you still have trouble getting IPSec + enc0 + pf to work, please
> post me a private message. I know it's hard to find someone who has
> a working IPSec setup and is willing to help.
>
> At least my test setup shows it is not just possible to block
> traffic on device enc0 using pf, but to see all traffic in the pf
> logs (if being configured to do so).
>
> Probably you're willing to show us your pf rules to have a look at it?
>
> Have pfun! ;)
>
> Volker

--
Every project manager who believes he manages projects also believes
that brimstone butterflies (German "Zitronenfalter", literally "lemon
folders") fold lemons.
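The rule set this thread circles around, written out as an added example (it is not from any message in the thread): a stateless log-everything rule for debugging, and for production a default deny on enc0 with one state-keeping rule per direction, as Andre described wanting. The networks, the permitted services and the rc.conf line are assumptions; the rules for the physical interface that carries the ESP and IKE traffic are not shown. Syntax is that of the pf in FreeBSD 6.2 (OpenBSD 3.7 era), where a rule without `keep state` is stateless.

```pf
# Added example, not from the thread. Filtering an IPsec tunnel on enc(4).
# Assumed addresses: local tunnel network 192.168.164.0/24 and remote
# 10.0.1.0/24 (the hosts in Andre's logs are 192.168.164.81 and 10.0.1.32).
if_ipsec   = "enc0"
local_net  = "192.168.164.0/24"
remote_net = "10.0.1.0/24"

# enc0 has to be up: as discussed above, enc(4) passes decrypted traffic
# through unfiltered while the interface is down. Assumed rc.conf line:
#   ifconfig_enc0="up"

# --- Debugging: log every decrypted packet in both directions ------------
# Stateless on purpose. With 'keep state' the echo reply would match the
# state created by the outbound request and never be evaluated (or logged)
# as 'in' on enc0, which is exactly the "only outgoing packets" symptom.
# On pf versions where 'keep state' is the default (OpenBSD 4.1 and later
# and the FreeBSD releases that imported that pf) append 'no state'.
#pass log quick on $if_ipsec all

# --- Production: default deny on enc0, one stateful rule per direction ---
block in  log on $if_ipsec all
block out log on $if_ipsec all

# Connections initiated from our side of the tunnel; replies come back
# through the state, so no matching 'in' rule is needed for them.
pass out quick on $if_ipsec inet from $local_net to $remote_net keep state

# Connections initiated from the remote side: only the services we want.
pass in quick on $if_ipsec inet proto tcp from $remote_net to $local_net \
    port { 22, 443 } flags S/SA keep state
pass in quick on $if_ipsec inet proto icmp from $remote_net to $local_net \
    icmp-type echoreq keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`. `pfctl -vvsr` prints the loaded rules with their `@N` numbers, and that N is what pflog reports as `rule N/0(match)` in `tcpdump -netvli pflog0` output; looking up rule 29 that way is how the stray table entry in Volker's first test was found. Every logged line also carries the direction and the interface, so an expected `in` hit that never appears while the traffic visibly flows points at a state created by an `out` rule, not at enc0.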
From owner-freebsd-pf@FreeBSD.ORG Mon Mar 26 09:12:45 2007
Date: Mon, 26 Mar 2007 09:12:45 GMT
From: Remko Lodder
Message-Id: <200703260912.l2Q9CjxL032321@freefall.freebsd.org>
To: remko@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: conf/110838: tagged parameter on nat not working

Synopsis: tagged parameter on nat not working

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: remko
Responsible-Changed-When: Mon Mar 26 09:11:58 UTC 2007
Responsible-Changed-Why:
Over to maintainer group, although this might not be fixed in the
5_branch since (from what I recall) we run a different version in 6.x.
http://www.freebsd.org/cgi/query-pr.cgi?pr=110838

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 26 11:08:23 2007
Date: Mon, 26 Mar 2007 11:08:21 GMT
Message-Id: <200703261108.l2QB8Laa049365@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/110698  pf    nat rule of pf without "on" clause causes invalid pack

3 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
f conf/81042   pf    [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/103304  pf    [pf] pf accepts nonexistent queue in rules
o kern/106400  pf    [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
o kern/110174  pf    [pf] pf pass route-to does not assign correct IP for t
o conf/110838  pf    tagged parameter on nat not working

7 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 26 12:40:08 2007
Date: Mon, 26 Mar 2007 14:39:50 +0200
From: Volker
Message-ID: <4607BF16.7010408@vwsoft.com>
To: Andre Albsmeier
References: <20070323115043.GA6991@curry.mchp.siemens.de> <46052572.9070402@vwsoft.com> <20070324185928.GC45070@heff.fud.org.nz> <46071AAC.2020101@vwsoft.com> <20070326064707.GA83792@curry.mchp.siemens.de>
In-Reply-To: <20070326064707.GA83792@curry.mchp.siemens.de>
Cc: Andrew Thompson , freebsd-pf@freebsd.org
Subject: Re: 6.2-STABLE: enc0 sees only outgoing packets in pf

On 03/26/07 08:47, Andre Albsmeier wrote:
> On Mon, 26-Mar-2007 at 02:58:20 +0200, Volker wrote:
>> Andrew, Andre & all,
>>
>> I've checked it out once more (with a corrected setup) and now have
>> been able to block traffic on enc0 in both directions (no matter if
>> the tunnel endpoint is final destination or not).
>
> Does that mean that a rule
>
>   block in log quick on enc0
>
> on top of all rules actually blocks anything (assuming you don't
> have another state-keeping outgoing rule for enc0)?

Yes, that's what it does. I've restricted traffic on the enc interface
for ICMP only in and out (I've tested in a production environment, so I
needed not to disturb any other legitimate traffic) but I've been able
to block that traffic.

As I've written in a private message (this goes for the archives
here...) I've had trouble blocking traffic on enc0 with a version pre
6.2-RELEASE.
Now (with 6.2-RELEASE and up) enc(4) does seem to work properly. There
should just be one simple note in the man page about the fact that enc
will unconditionally pass all traffic if the interface is down. Also,
currently enc is not even in NOTES.

HTH,

Volker

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 26 16:02:47 2007
Message-ID: <4607EA4D.1020304@free-4ever.net>
Date: Mon, 26 Mar 2007 17:44:13 +0200
From: Guillaume
User-Agent: IceDove 1.5.0.10 (X11/20070307)
To: freebsd-pf@freebsd.org
Subject: Pass through packets
Hi,

I just want to know how to handle properly packets which pass through
the firewall...

I can handle all packets coming in to all interfaces of my firewall, and
the same with outgoing packets, by using in/out with the statement
"on $interface".

But what about forwarded packets? With iptables we can set a rule:

  iptables -t filter -A FORWARD -i eth0 -o eth1 etc....

With packet filter, how can I have such a way of processing my packets?

If I set up a rule

  pass in on $if_internal inet proto tcp \
      from $internal_networks to any \
      flags S/SA modulate state

the packets from my internal networks can also exit on my DMZ
interfaces!

Is the only way to set that up to specify a destination with
! { $dmz_networks1, $dmz_networks2 }?

Thx for any help.

Regards
Guillaume

--
Guillaume
E-mail: silencer__free-4ever__net
Blog: http://guillaume.free-4ever.net
----
Site: http://www.free-4ever.net

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 26 18:21:12 2007
From: "Greg Hennessy"
To: "'Guillaume'" ,
Date: Mon, 26 Mar 2007 19:22:12 +0100
Message-ID: <000001c76fd3$ac9ad7c0$0301a8c0@d620>
X-Mailer: Microsoft Office Outlook 11
In-Reply-To:
<4607EA4D.1020304@free-4ever.net>
Subject: RE: Pass through packets

> Hi,
>
> I just want to know how to handle properly packets which pass
> through the firewall...

That depends on what you're trying to do exactly.

>
> I can handle for all packets coming to all interface of my
> firewall and the same with outgoing packets by using in/out
> with statement "on $interface"
>
> But what about forwarding packets ?

Properly configured routing is your best friend. If you need some form
of policy based routing, rdr & route-to
http://www.openbsd.org/faq/pf/pools.html#outgoing will facilitate that.

> With iptables
> we can set a rule: iptables -t filter -A FORWARD -i eth0 -o
> eth1 etc....
>
> With packet filter how can I have a such way of processing my packet ?
>
> If a setup a rule pass in on $if_internal inet proto tcp \
> from $internal_networks to any \
> flags S/SA modulate state
>
> The packet from my internal networks can also exit on my DMZ
> interfaces !

Not if you run a default block policy it won't.

The 1st packet filtering rule of every pf policy should be

  block log all

From there only permitted ingress & egress flows will be permitted.

>
> Is the only way to setup that is to specify a destination
> with ! { $dmz_networks1, $dmz_networks2 } ?

There's a number of ways to skin this particular cat.

I am partial to using generic egress rules in combination with tagging
myself.

My personal PF policy style is to code '1st' match by using 'quick' on
every rule. Whether that's a consequence of being infected with the
Checkpoint and Pix virus at an early age, I know not :-).

I would also counsel against the use of 'any'.
Negation is a mite more logical and less error prone on larger policies
IMHO.

Tables will also reduce macro expansion.

Greg

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 26 19:31:15 2007
Date: Mon, 26 Mar 2007 21:31:11 +0200
From: Andre Albsmeier
To: Andrew Thompson
Message-ID: <20070326193111.GA97943@curry.mchp.siemens.de>
References:
<20070323115043.GA6991@curry.mchp.siemens.de> <46052572.9070402@vwsoft.com> <20070324185928.GC45070@heff.fud.org.nz> <46071AAC.2020101@vwsoft.com> <20070326050747.GC68655@heff.fud.org.nz>
In-Reply-To: <20070326050747.GC68655@heff.fud.org.nz>
Cc: Volker, Andre Albsmeier, freebsd-pf@freebsd.org
Subject: Re: 6.2-STABLE: enc0 sees only outgoing packets in pf

On Mon, 26-Mar-2007 at 17:07:47 +1200, Andrew Thompson wrote:
> On Mon, Mar 26, 2007 at 02:58:20AM +0200, Volker wrote:
> > Andrew, Andre & all,
> >
> > I've checked it out once more (with a corrected setup) and now have
> > been able to block traffic on enc0 in both directions (no matter if
> > the tunnel endpoint is final destination or not).
>
> Great. Thanks for looking into it anyway.

Volker was so kind to send me his rules. They didn't contain any
surprises but there is one difference: While my IPSec setup uses a
GIF-tunnel, his doesn't. Unfortunately, I can't easily switch to a setup
without GIF but I did some more tests:

First I added these two rules on top of the whole pf ruleset:

  pass in log quick on enc0
  pass out log quick on enc0

These two rules should handle all of the IPSec traffic. They don't use
'keep state' which means we won't have any secretly created rules. They
use the 'quick' option which means they are executed immediately and no
subsequent rules will interfere. (Please correct me if anything I said
is wrong.)

Then I sent a single ICMP packet from the remote side to my local tunnel
endpoint box.
This should have produced two log entries: First the incoming ICMP echo
request (by the first rule), then the outgoing ICMP echo reply (by the
second rule). The only thing that appeared in the logs was:

  rule 1/0(match): pass out on enc0: 192.168.164.81 > 10.0.1.32: ICMP echo request, id 32773, seq 0, length 64

which is the reply. Concurrently I also checked the state table to be
absolutely sure the first packet couldn't slip through by any
automatically created rule.

Then I tried to connect from the remote side to my local tunnel endpoint
on port 26273 (which has nothing listening on it). Again we would expect
to see first the SYN coming in through the first rule and then the reply
going out through the second rule. Unfortunately, the SYN is missing in
the logs but the reply can be found.

  rule 1/0(match): pass out on enc0: 192.168.164.81.26273 > 10.0.1.32.53599: R 0:0(0) ack 2455032821 win 0

Next thing was to do the same tests using a kernel on my local side
without the IPSEC_FILTERGIF option (in case this would interfere
somehow) but the test results were the same :-(.

While I have no doubt that Volker really had success in filtering IPSec
traffic with enc0 in both directions, I can't confirm that this works
when using GIF-based tunnels. In this case incoming packets seem to slip
away silently (w.r.t. enc0).

I think the best would be to clarify if:

- My above setup (with these two rules on top of all others) should have
  produced log entries in BOTH directions (I am pretty sure they should).
- enc0 should also work for IPSec setups which use GIF tunnels.
- Maybe someone else who uses IPSec through GIF-tunnels can confirm that
  he can (or cannot) filter incoming traffic with enc0.
-Andre

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 27 13:20:46 2007
Date: Tue, 27 Mar 2007 10:20:43 -0300
From: "Eduardo Meyer"
To: freebsd-pf@freebsd.org
Subject: How to balance my own outgoing traffic?
Hello,

I have a multihomed squid box with two direct-to-internet cable links.
However, they come from different telecoms, so there is no way to use
advanced routing since I am not an AS. The deal is to make policy
routing.

However, besides doing route-to on a NAT box for whole networks, I have
no idea how to route-to my own traffic, which is what I need now.

I can set my squid outgoing_ip to whatever I want.

How can I balance my own outgoing traffic? Suggestions?

--
===========
Eduardo Meyer
personal: dudu.meyer@gmail.com
professional: ddm.farmaciap@saude.gov.br

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 27 13:38:53 2007
Date: Tue, 27 Mar 2007 10:38:51 -0300
From: "Eduardo Meyer"
To: "Joe Holden", freebsd-pf@freebsd.org
In-Reply-To: <46091B41.4020307@joeholden.co.uk>
References: <46091B41.4020307@joeholden.co.uk>
Subject: Re: How to balance my own outgoing traffic?

Yes, round-robin will do. My problem is how to do this; I have tried the
following kind of approach:

On 3/27/07, Joe Holden wrote:
> Eduardo Meyer wrote:
> > Hello,
> >
> > I have a multihomed squid box with two direct-to-internet cable links.
> > however they come from different telecoms, so, no way to use advanced
> > routing since I am not an AS. The deal is to make policy routing.
> >
> > However, besides doing route-to on a NAT box for whole networks, I
> > have no idea on how to route-to my own traffic, which is what I need
> > now.
> >
> > I can set my squid outgoing_ip to whatever I want.
> >
> > How can I balance my own outgoing traffic? Suggestions?
> >
> You can use PF in a round-robin style configuration to balance it,
> although as far as I am aware, it isn't exactly 50/50.
>
> Not sure what else to suggest

  pass out on $ext_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $myown to any flags S/SA modulate state

However I can not, say, route-to $ext_gw2 traffic from $ext_if1's IP
address. I need to combine it with NAT, right?

How to do this is what I am confused about.

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 27 13:42:30 2007
Message-ID: <46091B41.4020307@joeholden.co.uk>
Date: Tue, 27 Mar 2007 14:25:21 +0100
From: Joe Holden
User-Agent: Thunderbird 1.5.0.10 (Windows/20070221)
To: Eduardo Meyer
Cc: freebsd-pf@freebsd.org
Subject: Re: How to balance my own outgoing traffic?
Eduardo Meyer wrote:
> Hello,
>
> I have a multihomed squid box with two direct-to-internet cable links.
> however they come from different telecoms, so, no way to use advanced
> routing since I am not an AS. The deal is to make policy routing.
>
> However, besides doing route-to on a NAT box for whole networks, I
> have no idea on how to route-to my own traffic, which is what I need
> now.
>
> I can set my squid outgoing_ip to whatever I want.
>
> How can I balance my own outgoing traffic? Suggestions?
>
You can use PF in a round-robin style configuration to balance it,
although as far as I am aware, it isn't exactly 50/50.

Not sure what else to suggest

HTH,
Joe

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 27 17:24:23 2007
Date: Tue, 27 Mar 2007 14:24:20 -0300
From: "Eduardo Meyer"
To: "Bill Marquette", freebsd-pf@freebsd.org
In-Reply-To: <55e8a96c0703271009o19bcb3dfp29929357516292f9@mail.gmail.com>
References: <46091B41.4020307@joeholden.co.uk> <55e8a96c0703271009o19bcb3dfp29929357516292f9@mail.gmail.com>
Subject: Re: How to balance my own outgoing traffic?

On 3/27/07, Bill Marquette wrote:
> On 3/27/07, Eduardo Meyer wrote:
> > Yes, round-robin will do. My problem is how to do this, I have tried
> > the following kiind of approach:
> >
> > pass out on $ext_if route-to { ($ext_if1 $ext_gw1), ($ext_if2
> > $ext_gw2) } round-robin proto tcp from $myown to any flags S/SA
> > modulate state
>
> route-to tends to work better inbound on your internal interfaces.
>
> pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2
> $ext_gw2) } round-robin proto tcp from $myown to any flags S/SA
> modulate state

There will never be an internal interface. That's just me with two
outgoing interfaces. I generate all traffic. Inbound traffic is just
what I get back from the external interface.

Anyone else have any idea?

What I am considering now is adding myself to a RFC1928 network and NAT
to myself. But I believe this is something technically UGLY.

--
===========
Eduardo Meyer
personal: dudu.meyer@gmail.com
professional: ddm.farmaciap@saude.gov.br

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 27 17:35:17 2007
Message-ID: <55e8a96c0703271009o19bcb3dfp29929357516292f9@mail.gmail.com>
Date: Tue, 27 Mar 2007 12:09:52 -0500
From: "Bill Marquette"
To: "Eduardo Meyer"
Cc: freebsd-pf@freebsd.org
References: <46091B41.4020307@joeholden.co.uk>
Subject: Re: How to balance my own outgoing traffic?

On 3/27/07, Eduardo Meyer wrote:
> Yes, round-robin will do. My problem is how to do this, I have tried
> the following kiind of approach:
>
> pass out on $ext_if route-to { ($ext_if1 $ext_gw1), ($ext_if2
> $ext_gw2) } round-robin proto tcp from $myown to any flags S/SA
> modulate state

route-to tends to work better inbound on your internal interfaces.

  pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $myown to any flags S/SA modulate state

>
> However I can not, say, route-to $ext_gw2 traffic from $ext_ifi1's IP
> address. I need to combine it with NAT, right?
>
> How to do this is what I am confused.
From owner-freebsd-pf@FreeBSD.ORG Wed Mar 28 06:59:00 2007
Date: Wed, 28 Mar 2007 08:58:58 +0200
From: Andre Albsmeier
To: Andrew Thompson
Message-ID: <20070328065858.GA8788@curry.mchp.siemens.de>
References: <20070323115043.GA6991@curry.mchp.siemens.de> <46052572.9070402@vwsoft.com> <20070324185928.GC45070@heff.fud.org.nz> <46071AAC.2020101@vwsoft.com> <20070326050747.GC68655@heff.fud.org.nz>
In-Reply-To: <20070326050747.GC68655@heff.fud.org.nz>
User-Agent: Mutt/1.5.14 (2007-02-12)
Cc: Volker, Andre Albsmeier, freebsd-pf@freebsd.org
Subject: Re: 6.2-STABLE: enc0 sees only outgoing packets in pf

On Mon, 26-Mar-2007 at 17:07:47 +1200, Andrew Thompson wrote:
> On Mon, Mar 26, 2007 at 02:58:20AM +0200, Volker wrote:
> > Andrew, Andre & all,
> >
> > I've checked it out once more (with a corrected setup) and now have
> > been able to block traffic on enc0 in both directions (no matter if
> > the tunnel endpoint is final destination or not).
>
> Great. Thanks for looking into it anyway.

Andrew, I can now confirm Volker's findings for non-GIF-based IPSec
tunnels. On GIF-based setups only outgoing packets can be controlled in
pf on enc0. I have filed a PR regarding this issue:

http://www.freebsd.org/cgi/query-pr.cgi?pr=110959

Thanks to all for their help so far,

-Andre

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 28 08:37:22 2007
Message-ID: <460A293F.4030701@free-4ever.net>
Date: Wed, 28 Mar 2007 10:37:19 +0200
From: Guillaume
User-Agent: IceDove 1.5.0.10 (X11/20070307)
To: freebsd-pf@freebsd.org
References: <000001c76fd3$ac9ad7c0$0301a8c0@d620>
In-Reply-To: <000001c76fd3$ac9ad7c0$0301a8c0@d620>
Subject: Re: Pass through packets

>> With iptables
>> we can set a rule: iptables -t filter -A FORWARD -i eth0 -o
>> eth1 etc....
>>
>> With packet filter how can I have a such way of processing my packet ?
>>
>> If a setup a rule pass in on $if_internal inet proto tcp \
>> from $internal_networks to any \
>> flags S/SA modulate state
>>
>> The packet from my internal networks can also exit on my DMZ
>> interfaces !
>
> Not if you run a default block policy it wont.
>

I've seen my problem. I have a rule which is something like an open door
for outgoing packets from the firewall... And NAT rules are applied
before filtering rules. So for traffic going from internal to external,
I only have to set up a pass rule on the internal interface! But for
packets going from internal to dmz I have to set up 2 rules.... one with
pass in on the internal interface and another one with pass out on the
dmz interface!
> The 1st packet filtering rule of every pf policy should be
>
>     block log all
>
> From there only permitted ingress & egress flows will be permitted.
>

Yep... that's what I have done now.

So if I want very accurate filtering for forwarded packets, I must set up 2 rules every time... one pass in on the incoming interface and another with pass out on the outgoing interface...

>> Is the only way to set that up to specify a destination
>> with ! { $dmz_networks1, $dmz_networks2 } ?
>
>
> There's a number of ways to skin this particular cat.
>
> I am partial to using generic egress rules in combination with tagging
> myself.
>

I'll check the egress rules...

> My personal PF policy style is to code '1st' match by using 'quick' on every
> rule.

Me too.

> Whether that's a consequence of being infected with the Checkpoint and Pix
> virus at an early age, I know not :-).
>

LOL

I'm infected with Linux netfilter/iptables... :-)

> I would also counsel against the use of 'any'.
> Negation is a mite more logical and less error prone on larger policies
> IMHO.

Ok... I'll think about that too.

> Tables will also reduce macro expansion.
>

Ok...
the same :-)

Thanks

>
> Greg
>

Guillaume

--
Guillaume
E-mail: silencer__free-4ever__net
Blog: http://guillaume.free-4ever.net
----
Site: http://www.free-4ever.net

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 28 09:33:00 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 8D26F16A403 for ; Wed, 28 Mar 2007 09:33:00 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net) Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.112.4.54]) by mx1.freebsd.org (Postfix) with ESMTP id 535A713C45A for ; Wed, 28 Mar 2007 09:32:59 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net) Received: from gw2.local.net (unknown [62.3.210.251]) by smtp.nildram.co.uk (Postfix) with ESMTP id 09D622BC4BF for ; Wed, 28 Mar 2007 10:32:57 +0100 (BST) From: "Greg Hennessy" To: "'Guillaume'" , References: <000001c76fd3$ac9ad7c0$0301a8c0@d620> <460A293F.4030701@free-4ever.net> In-Reply-To: <460A293F.4030701@free-4ever.net> Date: Wed, 28 Mar 2007 10:32:38 +0100 Message-ID: <000001c7711c$06887e60$13997b20$@Hennessy@nviz.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: AcdxF5+mXn4kcaVzRnKO13HhEZ3TyQAANeKw Content-Language: en-gb X-Antivirus: avast! (VPS 000728-1, 27/03/2007), Outbound message X-Antivirus-Status: Clean Cc: Subject: RE: Pass through packets X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Mar 2007 09:33:00 -0000

> > > Not if you run a default block policy it won't.
> >
> > I've seen my problem.
> >
> > I have a rule which is something like an open door for outgoing packets from
> > the firewall...

Ahhh, that wouldn't help :-).
> And NAT rules are applied before filtering rules.
> So for traffic going from internal to external, I only have to set up a
> pass rule on the internal interface!

That depends whether you use 'nat pass' or not. I tend not to, as the PF port on FreeBSD doesn't support logging for 'nat pass' presently.

A default block policy with just 'nat' requires an egress rule.

> > From there only permitted ingress & egress flows will be permitted.
> >
> Yep... that's what I have done now.
>
> So if I want very accurate filtering for forwarded packets, I must
> set up 2 rules every time... one pass in on the incoming interface and
> another with pass out on the outgoing interface...

Not necessarily :-).

If you don't need to address translate the flow, one can use pass rules without direction on interface groups combined with anti spoofing.

e.g.

    dmz1="em1"
    inside="em2"

    antispoof log quick on em1 for .....
    antispoof log quick on em2 for .....

    pass log quick on em $UDP from to port snmp $KS
    pass log quick on em $TCP from $DMZHost to $InsideHost port something $KSF

One rule per flow, state created on both interfaces as not specifying direction will match both ingress and egress flows.

PF on FreeBSD is currently at the revision level of OpenBSD 3.7. Later versions of PF on OpenBSD have greatly expanded the use of interface groups and provide some interesting ways of making policies even more concise and readable. I am sure when Max Laier et al find the time we'll enjoy the benefit of it too on FreeBSD.

> > I am partial to using generic egress rules in combination with
> tagging
> > myself.
> >
> I'll check the egress rules...

Generic tagged egress rules will make the policy a lot more readable. As with a PIX, one then just becomes concerned with the ingress interface.

> > Whether that's a consequence of being infected with the Checkpoint
> and Pix
> > virus at an early age, I know not :-).
> >
> LOL
>
> I'm infected with Linux netfilter/iptables...
> :-)

You have my deepest sympathies :-).

Greg

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 28 12:40:39 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id D998E16A407 for ; Wed, 28 Mar 2007 12:40:39 +0000 (UTC) (envelope-from silencer@free-4ever.net) Received: from orthosie.free-4ever.net (orthosie.free-4ever.net [88.191.27.106]) by mx1.freebsd.org (Postfix) with ESMTP id 7AC6213C483 for ; Wed, 28 Mar 2007 12:40:39 +0000 (UTC) (envelope-from silencer@free-4ever.net) Received: from localhost (localhost.localdomain [127.0.0.1]) by orthosie.free-4ever.net (Postfix) with ESMTP id D16D369787 for ; Wed, 28 Mar 2007 14:40:38 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at free-4ever.net Received: from orthosie.free-4ever.net ([127.0.0.1]) by localhost (orthosie.free-4ever.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VV60anCewFBD for ; Wed, 28 Mar 2007 14:40:38 +0200 (CEST) Received: from [192.168.48.187] (unknown [83.145.94.46]) (Authenticated sender: silencer@free-4ever.net) by orthosie.free-4ever.net (Postfix) with ESMTP id 32DED69781 for ; Wed, 28 Mar 2007 14:40:38 +0200 (CEST) Message-ID: <460A6245.9010802@free-4ever.net> Date: Wed, 28 Mar 2007 14:40:37 +0200 From: Guillaume User-Agent: IceDove 1.5.0.10 (X11/20070307) MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: <000001c76fd3$ac9ad7c0$0301a8c0@d620> <460A293F.4030701@free-4ever.net> <000001c7711c$06887e60$13997b20$@Hennessy@nviz.net> In-Reply-To: <000001c7711c$06887e60$13997b20$@Hennessy@nviz.net> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: Re: Pass through packets X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Wed, 28 Mar 2007 12:40:40 -0000

>>> Not if you run a default block policy it won't.
>>>
>> I've seen my problem.
>>
>> I have a rule which is something like an open door for outgoing packets from
>> the firewall...
>
> Ahhh, that wouldn't help :-).
>

hhhmmm :-)

This rule has as its source the IP of the external interface.... but NAT is applied before filtering... So all my outgoing traffic which needs to be NATed was accepted on outbound!

>> And NAT rules are applied before filtering rules.
>> So for traffic going from internal to external, I only have to set up a
>> pass rule on the internal interface!
>
> That depends whether you use 'nat pass' or not. I tend not to, as the PF
> port on FreeBSD doesn't support logging for 'nat pass' presently.
>

I use nat without pass.

> A default block policy with just 'nat' requires an egress rule.
>

Yep...

>>> From there only permitted ingress & egress flows will be permitted.
>>>
>> Yep... that's what I have done now.
>>
>> So if I want very accurate filtering for forwarded packets, I must
>> set up 2 rules every time... one pass in on the incoming interface and
>> another with pass out on the outgoing interface...
>
> Not necessarily :-).
>

In my case.... it seems so! :-(

> If you don't need to address translate the flow, one can use pass rules
> without direction on interface groups combined with anti spoofing.
>

My internal network is 192.168.x.x. I have a DMZ with public IPs and another with private IPs...

> e.g.
>
>     dmz1="em1"
>     inside="em2"
>
>     antispoof log quick on em1 for .....
>     antispoof log quick on em2 for .....
>
>     pass log quick on em $UDP from to port snmp $KS
>     pass log quick on em $TCP from $DMZHost to $InsideHost port something $KSF
>
> One rule per flow, state created on both interfaces as not specifying
> direction will match both ingress and egress flows.
>

I'll keep that in mind :-)

>>> Whether that's a consequence of being infected with the Checkpoint
>> and Pix
>>> virus at an early age, I know not :-).
>>>
>> LOL
>>
>> I'm infected with Linux netfilter/iptables... :-)
>
> You have my deepest sympathies :-).
>

Thx :-)

>
> Greg
>
>

Guillaume

--
Guillaume
E-mail: silencer__free-4ever__net
Blog: http://guillaume.free-4ever.net
----
Site: http://www.free-4ever.net

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 28 17:54:50 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 4435B16A405 for ; Wed, 28 Mar 2007 17:54:50 +0000 (UTC) (envelope-from drew@mykitchentable.net) Received: from qsmtp3.mc.surewest.net (qsmtp.mc.surewest.net [66.60.130.145]) by mx1.freebsd.org (Postfix) with SMTP id 29C1913C468 for ; Wed, 28 Mar 2007 17:54:50 +0000 (UTC) (envelope-from drew@mykitchentable.net) Received: (qmail 5662 invoked from network); 28 Mar 2007 10:28:08 -0700 Received: by simscan 1.1.0 ppid: 5639, pid: 5640, t: 5.7756s scanners: regex: 1.1.0 attach: 1.1.0 clamav: 0.84/m:42/d:2665 spam: 3.0.3 Received: from unknown (HELO blacklamb.mykitchentable.net) (66.205.146.210) by qsmtp3 with SMTP; 28 Mar 2007 10:28:03 -0700 Received: from [192.168.25.6] (unknown [192.168.25.6]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by blacklamb.mykitchentable.net (Postfix) with ESMTP id 56CE41648D2 for ; Wed, 28 Mar 2007 10:27:46 -0700 (PDT) Message-ID: <460AA59C.2000704@mykitchentable.net> Date: Wed, 28 Mar 2007 10:27:56 -0700 From: Drew Tomlinson User-Agent: Thunderbird 1.5.0.10 (Windows/20070221) MIME-Version: 1.0 To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on qsmtp3.surewest.net X-Spam-Level: X-Spam-Status: No, score=-0.2
required=5.0 tests=AWL,BAYES_00, RCVD_IN_SORBS_DUL autolearn=no version=3.0.3 Subject: Why Does This Packet Match This Rule? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Mar 2007 17:54:50 -0000

I am having a heck of a time understanding how pf works and getting it to behave the way I want with my home network and ADSL connection. Basically I want to use ALTQ to prioritize traffic going out the interface connected to my ADSL modem. Here's my network:

    internal --- dc0 - FBSD router - dc1 --- ADSL

So I created a rule set and now I'm trying to watch it and figure out what is happening. In watching the log, I captured this smtp transaction (I numbered each entry for reference):

1. 2007-03-28 08:57:48.143830 rule 55/0(match): pass in on dc1: 196.206.216.121.40718 > 192.168.1.4.25: S 377431782:377431782(0) win 65535
2. 2007-03-28 08:57:48.143892 rule 86/0(match): pass out on dc0: 196.206.216.121.40718 > 192.168.1.4.25: S 377431782:377431782(0) win 65535
3. 2007-03-28 08:57:48.144212 rule 85/0(match): pass in on dc0: 192.168.1.4.25 > 196.206.216.121.40718: S 884974271:884974271(0) ack 377431783 win 65535
4. 2007-03-28 08:57:48.144247 rule 55/0(match): pass out on dc1: 66.205.146.210.25 > 196.206.216.121.40718: S 884974271:884974271(0) ack 377431783 win 65535
5. 2007-03-28 08:57:50.811908 rule 55/0(match): pass in on dc1: 196.206.216.121.40718 > 192.168.1.4.25: . ack 1 win 65535
6. 2007-03-28 08:57:50.811938 rule 86/0(match): pass out on dc0: 196.206.216.121.40718 > 192.168.1.4.25: . ack 1 win 65535
7. 2007-03-28 08:57:51.352988 rule 85/0(match): pass in on dc0: 192.168.1.4.25 > 196.206.216.121.40718: P 1:48(47) ack 1 win 33370
8.
2007-03-28 08:57:51.353032 rule 55/0(match): pass out on dc1: 66.205.146.210.25 > 196.206.216.121.40718: P 1:48(47) ack 1 win 33370

and so on...

The currently loaded relevant rules are:

    @55 pass in log-all on dc1 inet proto tcp from any to 192.168.1.4 port = smtp
    @84 pass out log-all quick on dc1 inet from 66.205.146.210 to any modulate state queue(std_out, ack_out)
    @85 pass in log on dc0 inet from 192.168.1.0/24 to any
    @86 pass out log on dc0 inet all

In the above tcpdump output, I understand why entries 1-3 and 5-7 match the rules they match. However I do not understand entry number 4 or 8. Instead of matching rule 55, I would expect them to match rule 84. Then the only traffic I should see passing through the pf rule set would be entries 1-4, as when 4 matches rule 84, a state entry would be made and further matches would occur in the state table, eliminating entries 5-8 (and the rest). What am I missing?

If it helps, I also posted my complete pf.conf and the rules to which it expands at http://drew.mykitchentable.net/Temp/pf.conf.htm

Thanks,

Drew

--
Be a Great Magician!
Visit The Alchemist's Warehouse
http://www.alchemistswarehouse.com

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 28 19:59:01 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 0CD5616A400 for ; Wed, 28 Mar 2007 19:59:01 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net) Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.112.4.54]) by mx1.freebsd.org (Postfix) with ESMTP id C7A3F13C48C for ; Wed, 28 Mar 2007 19:59:00 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net) Received: from gw2.local.net (unknown [62.3.210.251]) by smtp.nildram.co.uk (Postfix) with ESMTP id F0F082BD051 for ; Wed, 28 Mar 2007 20:58:53 +0100 (BST) From: "Greg Hennessy" To: "'Drew Tomlinson'" , References: <460AA59C.2000704@mykitchentable.net> In-Reply-To: <460AA59C.2000704@mykitchentable.net> Date: Wed, 28 Mar 2007 20:58:52 +0100 Message-ID: <000301c77173$8265dd00$87319700$@Hennessy@nviz.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: AcdxYw5cABzBj6GfSGeIqvVdj/7DqQADveDA Content-Language: en-gb X-Antivirus: avast! (VPS 000728-2, 28/03/2007), Outbound message X-Antivirus-Status: Clean Cc: Subject: RE: Why Does This Packet Match This Rule? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Mar 2007 19:59:01 -0000

> (and the rest). What am I missing?

From the rule snippets posted, 'keep state' & 'keep state flags S/SA' come to mind.

You should endeavour to keep state on each and every rule and only establish tcp state on the 3 way handshake.
> > If it helps, I also posted my complete pf.conf and the rules to which
> it
> expands at http://drew.mykitchentable.net/Temp/pf.conf.htm

Not seeing this, connection times out.

What exactly are you trying to do with what looks like a SoHo policy expanding into > 80 rules?

Greg

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 28 21:26:20 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id CC04916A404 for ; Wed, 28 Mar 2007 21:26:20 +0000 (UTC) (envelope-from kes-kes@yandex.ru) Received: from smtp4.yandex.ru (smtp4.yandex.ru [213.180.223.136]) by mx1.freebsd.org (Postfix) with ESMTP id 10B8113C44C for ; Wed, 28 Mar 2007 21:26:19 +0000 (UTC) (envelope-from kes-kes@yandex.ru) Received: from 243-221-124-91.pool.ukrtel.net ([91.124.221.243]:14596 "EHLO [127.0.0.1]" smtp-auth: "kes-kes" TLS-CIPHER: TLS-PEER-CN1: ) by mail.yandex.ru with ESMTP id S7768266AbXC1VNh (ORCPT ); Thu, 29 Mar 2007 01:13:37 +0400 X-Comment: RFC 2476 MSA function at smtp4.yandex.ru logged sender identity as: kes-kes Date: Thu, 29 Mar 2007 00:13:33 +0300 From: KES X-Mailer: The Bat! (v3.62.12) Professional Organization: SaftTen X-Priority: 3 (Normal) Message-ID: <868144293.20070329001333@yandex.ru> To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: pf BUG?
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: KES List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Mar 2007 21:26:20 -0000

Hello

I started to use ADSL. My network has the following structure:

    CPU -iIP---- rl0 -SERVER -tun0--- >>>>> INET

I have the following pf rules:

    1) drop all
    2) pass in quick on tun0 all
    3) pass out quick on tun0 all
    4) pass in on rl0 from $iIp to any
    5) pass out on rl0 from any to $iIp

The following thing is wrong. If I ping the internet from CPU with

    2) pass in log-all on tun0 all
    3) pass out quick on tun0 all

tcpdump on pflog0 shows nothing. But with

    2) pass in on tun0 all
    3) pass out log-all quick on tun0 all

tcpdump on pflog0 shows in and out traffic on the tun0 interface!!!

System was built from 2007-03-27 sources; architecture is sparc64.

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 29 13:16:08 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 6A81416A405 for ; Thu, 29 Mar 2007 13:16:08 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from frontmail.ipactive.de (frontmail.maindns.de [85.214.95.103]) by mx1.freebsd.org (Postfix) with ESMTP id 2DE9913C44C for ; Thu, 29 Mar 2007 13:16:05 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from mail.vtec.ipme.de (Q7caa.q.ppp-pool.de [89.53.124.170]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by frontmail.ipactive.de (Postfix) with ESMTP id 621E9128829 for ; Thu, 29 Mar 2007 15:15:59 +0200 (CEST) Received: from [192.168.16.3] (cesar.sz.vwsoft.com [192.168.16.3]) by mail.vtec.ipme.de (Postfix) with ESMTP id 551BE3F9E1; Thu, 29 Mar 2007 15:15:43 +0200 (CEST) Message-ID: <460BBBFC.3080501@vwsoft.com> Date: Thu, 29 Mar 2007 15:15:40 +0200 From: Volker User-Agent: Thunderbird
1.5.0.10 (X11/20070306) MIME-Version: 1.0 To: KES References: <868144293.20070329001333@yandex.ru> In-Reply-To: <868144293.20070329001333@yandex.ru> X-Enigmail-Version: 0.94.0.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-VWSoft-MailScanner: Found to be clean X-MailScanner-From: volker@vwsoft.com X-ipactive-MailScanner-Information: Please contact the ISP for more information X-ipactive-MailScanner: Found to be clean X-ipactive-MailScanner-From: volker@vwsoft.com Cc: freebsd-pf@freebsd.org Subject: Re: pf BUG? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Mar 2007 13:16:08 -0000

On 12/23/-58 20:59, KES wrote:
> Hello
>
> I started to use ADSL.
> My network has the following structure:
> CPU -iIP---- rl0 -SERVER -tun0--- >>>>> INET
>
> I have the following pf rules:
>
> 1) drop all
> 2) pass in quick on tun0 all
> 3) pass out quick on tun0 all
> 4) pass in on rl0 from $iIp to any
> 5) pass out on rl0 from any to $iIp
>
> The following thing is wrong.
> If I ping the internet from CPU with
>
> 2) pass in log-all on tun0 all
> 3) pass out quick on tun0 all
>
> tcpdump on pflog0 shows nothing.
> But with
> 2) pass in on tun0 all
> 3) pass out log-all quick on tun0 all
>
> tcpdump on pflog0 shows in and out traffic on the tun0 interface!!!
>
> System was built from 2007-03-27 sources;
> architecture is sparc64.

This is not a pf bug.

I'm wondering why you're using a firewall at all? Your firewall is nothing but just wide open (tm) and effectively useless.

Anyway, I really don't understand your problem. Do you really want to have a firewall which does nothing but logging like crazy? BTW, the log-all option does not make sense when not being used in conjunction with stateful inspection.
HTH,
Volker

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 29 17:17:35 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9409416A481 for ; Thu, 29 Mar 2007 17:17:35 +0000 (UTC) (envelope-from drew@mykitchentable.net) Received: from qsmtp3.mc.surewest.net (qsmtp.mc.surewest.net [66.60.130.145]) by mx1.freebsd.org (Postfix) with SMTP id 7684613C44B for ; Thu, 29 Mar 2007 17:17:35 +0000 (UTC) (envelope-from drew@mykitchentable.net) Received: (qmail 23412 invoked from network); 29 Mar 2007 10:17:35 -0700 Received: by simscan 1.1.0 ppid: 23361, pid: 23363, t: 7.5842s scanners: regex: 1.1.0 attach: 1.1.0 clamav: 0.84/m:42/d:2665 spam: 3.0.3 Received: from unknown (HELO blacklamb.mykitchentable.net) (66.205.146.210) by qsmtp3 with SMTP; 29 Mar 2007 10:17:27 -0700 Received: from [165.107.42.123] (unknown [198.135.224.110]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by blacklamb.mykitchentable.net (Postfix) with ESMTP id BC0971648AA; Thu, 29 Mar 2007 10:17:11 -0700 (PDT) Message-ID: <460BF4A0.1090502@mykitchentable.net> Date: Thu, 29 Mar 2007 10:17:20 -0700 From: Drew Tomlinson User-Agent: Thunderbird 1.5.0.10 (Windows/20070221) MIME-Version: 1.0 To: Greg Hennessy References: <460AA59C.2000704@mykitchentable.net> <000301c77173$8265dd00$87319700$@Hennessy@nviz.net> In-Reply-To: <000301c77173$8265dd00$87319700$@Hennessy@nviz.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on qsmtp3.surewest.net X-Spam-Level: X-Spam-Status: No, score=-0.5 required=5.0 tests=AWL,BAYES_00, RCVD_IN_SORBS_DUL,RCVD_IN_SORBS_WEB autolearn=no version=3.0.3 Cc: freebsd-pf@freebsd.org Subject: Re: Why Does This Packet Match This Rule?
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Mar 2007 17:17:35 -0000

On 3/28/2007 12:58 PM Greg Hennessy wrote:
>> (and the rest). What am I missing?
>>
>
> From the rule snippets posted, 'keep state' & 'keep state flags S/SA' come
> to mind.
>
> You should endeavour to keep state on each and every rule and only establish
> tcp state on the 3 way handshake.
>

Thank you for your reply. I have been unsuccessful in getting queuing to work the way I want. I want to queue outbound traffic to the ADSL modem so I can prioritize my packets. Specifically, I have a VoIP phone from SunRocket. Its traffic should be able to use bandwidth before any other. Then beyond that, I'd like second priority to go to interactive traffic such as http and ssh. Third priority would be a standard queue where most traffic ends up. Finally I'd like to have a low priority queue for file transfers like FTP and bittorrent.

To this end, I attempted to queue only traffic leaving my router on dc1 and keep state there so the queue will continue to be used. When I add keep state to traffic entering the router, it seems that state is matched there and thus the traffic never gets queued. Thus this is why only rule 84 has keep state, as it's the rule that should match packets as they leave the router destined for the Internet.

But I must admit that I am quite confused about how all of this should work. Thus I am very open to suggestions on better ways to accomplish my goals. I am willing to rewrite my whole conf file to get it right. In fact I'm working on my latest rewrite now. :)

>> If it helps, I also posted my complete pf.conf and the rules to which
>> it
>> expands at http://drew.mykitchentable.net/Temp/pf.conf.htm
>>
>
> Not seeing this, connection times out.
>

My apologies.
You can see it now as I reverted to my old conf file (not the one on which I am currently working).

> What exactly are you trying to do with what looks like a SoHo policy
> expanding into > 80 rules?
>

Basically:

1. Allow all outbound traffic from my internal net (dc0) to the Internet (dc1).
2. Allow traffic from the Internet to services hosted on my internal net.
3. Allow traffic between an OpenVPN connection on tun0 and my internal net.
4. Prioritize traffic as described above.
5. And if possible, get pf to work with Snort to block packets matching Snort rules I specify.

However I am trying to just get pf working to my liking at this point. I will investigate Snort integration later.

Thanks,

Drew

--
Be a Great Magician!
Visit The Alchemist's Warehouse
http://www.alchemistswarehouse.com

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 29 21:33:16 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 0748D16A400 for ; Thu, 29 Mar 2007 21:33:16 +0000 (UTC) (envelope-from kes-kes@yandex.ru) Received: from smtp1.yandex.ru (smtp1.yandex.ru [213.180.223.87]) by mx1.freebsd.org (Postfix) with ESMTP id 417BA13C4C3 for ; Thu, 29 Mar 2007 21:33:14 +0000 (UTC) (envelope-from kes-kes@yandex.ru) Received: from 187-107-124-91.pool.ukrtel.net ([91.124.107.187]:15876 "EHLO [127.0.0.1]" smtp-auth: "kes-kes" TLS-CIPHER: TLS-PEER-CN1: ) by mail.yandex.ru with ESMTP id S2077124AbXC2VdL (ORCPT ); Fri, 30 Mar 2007 01:33:11 +0400 X-Comment: RFC 2476 MSA function at smtp1.yandex.ru logged sender identity as: kes-kes Date: Fri, 30 Mar 2007 00:33:07 +0300 From: KES X-Mailer: The Bat!
(v3.62.12) Professional Organization: SaftTen X-Priority: 3 (Normal) Message-ID: <1245620767.20070330003307@yandex.ru> To: freebsd-pf@freebsd.org In-Reply-To: <460BBBFC.3080501@vwsoft.com> References: <868144293.20070329001333@yandex.ru> <460BBBFC.3080501@vwsoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset=windows-1251 Content-Transfer-Encoding: 8bit Subject: Re[2]: pf BUG? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: KES List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Mar 2007 21:33:16 -0000

You wrote on 29 March 2007, 16:15:40:

V> On 12/23/-58 20:59, KES wrote:
>> Hello
>>
>> I started to use ADSL.
>> My network has the following structure:
>> CPU -iIP---- rl0 -SERVER -tun0--- >>>>> INET
>>
>> I have the following pf rules:
>>
>> 1) drop all
>> 2) pass in quick on tun0 all
>> 3) pass out quick on tun0 all
>> 4) pass in on rl0 from $iIp to any
>> 5) pass out on rl0 from any to $iIp
>>
>> The following thing is wrong.
>> If I ping the internet from CPU with
>>
>> 2) pass in log-all on tun0 all
>> 3) pass out quick on tun0 all
>>
>> tcpdump on pflog0 shows nothing.
>> But with
>> 2) pass in on tun0 all
>> 3) pass out log-all quick on tun0 all
>>
>> tcpdump on pflog0 shows in and out traffic on the tun0 interface!!!
>>
>> System was built from 2007-03-27 sources;
>> architecture is sparc64.

V> This is not a pf bug.

V> I'm wondering why you're using a firewall at all? Your firewall is
V> nothing but just wide open (tm) and effectively useless.

V> Anyway, I really don't understand your problem. Do you really want
V> to have a firewall which does nothing but logging like crazy? BTW,
V> the log-all option does not make sense when not being used in
V> conjunction with stateful inspection.

V> HTH,
V> Volker

1) Posting the full firewall rules to the list is useless.
I posted only the part I have the problem with.

2) The problem is that rule #2

    pass in quick on tun0 all

has no effect. All traffic that goes through tun0 goes through rule #3

    pass out quick on tun0 all

What's more, I can delete rule #2 and the internet is still WORKING!!! despite there being no rules to allow in traffic through tun0.

3) You can change log-all to log if you want. Log is used only to sniff the traffic which goes through rule #2 in case one and #3 in case two.

In reality I have a problem with this:

    pass out log quick route-to ($adslIf $adslGate) from ($adslIf) to any

All incoming traffic is routed again to the internet. I saw it when I traced the route to myself from the internet:

    .......
    15 provider
    16 sparc
    17 provider
    18 sparc

The same firewall in the same environment but on FreeBSD 6.0 on the Intel platform works well.

What is wrong: the new sparc64 kernel configuration, or is there a mistake in the new kernel sources?

Thanks

--
KES
mailto:kes-kes@yandex.ru

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 30 05:14:49 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id E1D9616A402 for ; Fri, 30 Mar 2007 05:14:49 +0000 (UTC) (envelope-from unixtools@hotmail.com) Received: from bay0-omc3-s14.bay0.hotmail.com (bay0-omc3-s14.bay0.hotmail.com [65.54.246.214]) by mx1.freebsd.org (Postfix) with ESMTP id CE5B313C459 for ; Fri, 30 Mar 2007 05:14:49 +0000 (UTC) (envelope-from unixtools@hotmail.com) Received: from hotmail.com ([65.54.250.37]) by bay0-omc3-s14.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Thu, 29 Mar 2007 22:02:49 -0700 Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 29 Mar 2007 22:02:49 -0700 Message-ID: Received: from 65.54.250.200 by by115fd.bay115.hotmail.msn.com with HTTP; Fri, 30 Mar 2007 05:02:49 GMT X-Originating-IP: [67.81.51.9] X-Originating-Email: [unixtools@hotmail.com] X-Sender: unixtools@hotmail.com
In-Reply-To: <55e8a96c0703271009o19bcb3dfp29929357516292f9@mail.gmail.com> From: "Sunil Sunder Raj" To: bill.marquette@gmail.com, dudu.meyer@gmail.com Date: Fri, 30 Mar 2007 05:02:49 +0000 Mime-Version: 1.0 Content-Type: text/plain; format=flowed X-OriginalArrivalTime: 30 Mar 2007 05:02:49.0487 (UTC) FILETIME=[A9E5B1F0:01C77288] Cc: freebsd-pf@freebsd.org Subject: Re: How to balance my own outgoing traffic? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Mar 2007 05:14:50 -0000

Hi,

Load balancing outgoing traffic will not be a problem in any setup. But the biggest problems you will face are ssh sessions and websites like rapidshare. You will start the session with 1 ip address and suddenly the round robin rule will take your traffic out with another ip address. This will cause problems when communicating with an ssh server and servers like rapidshare which generate download tickets based on source ip address.

Sunil Sunder Raj
http://daemon.in

>From: "Bill Marquette"
>To: "Eduardo Meyer"
>CC: freebsd-pf@freebsd.org
>Subject: Re: How to balance my own outgoing traffic?
>Date: Tue, 27 Mar 2007 12:09:52 -0500
>
>On 3/27/07, Eduardo Meyer wrote:
>>Yes, round-robin will do. My problem is how to do this, I have tried
>>the following kind of approach:
>>
>>pass out on $ext_if route-to { ($ext_if1 $ext_gw1), ($ext_if2
>>$ext_gw2) } round-robin proto tcp from $myown to any flags S/SA
>>modulate state
>
>route-to tends to work better inbound on your internal interfaces.
>
>pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2
>$ext_gw2) } round-robin proto tcp from $myown to any flags S/SA
>modulate state
>
>>
>>However I can not, say, route-to $ext_gw2 traffic from $ext_if1's IP
>>address. I need to combine it with NAT, right?
>>
>>How to do this is what I am confused.
>>_______________________________________________
>>freebsd-pf@freebsd.org mailing list
>>http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>>To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 31 23:20:43 2007
Message-ID: <00d901c773e7$b20218f0$0610a8c0@chepkov.lan>
From: "Vadym Chepkov"
Date: Sat, 31 Mar 2007 18:55:35 -0400
Subject: packet filter and amanda

Hello everybody,

I finally gave up, maybe somebody can help me.
I have a router with FreeBSD 6.2-RELEASE-p1 with custom build kernel:

device pf     # PF OpenBSD packet-filter firewall
device pflog  # logging support interface for PF

I am using amanda to backup a client which is behind a router with pf running:

amanda server - FreeBSD pf - amanda client

I compiled amanda with tcp/udp port ranges but I can get that far.
I expect this rule to allow amanda server to connect to amanda client:

pass out quick on $dmz_if proto udp from $amanda_server to any port 10080 keep state

Unfortunately, not all packets match this rule.
When I added this rule below, it works fine, but it's too permissive:

pass out log quick on $dmz_if from $amanda_server to any

These are the packets that I can see in the log, and I can't understand why they don't match my rule.

18:27:38.740741 IP (tos 0x0, ttl 63, id 61548, offset 0, flags [+], proto: UDP (17), length: 1500) 192.168.17.2.859 > 192.168.16.2.10080: UDP, length 1892
18:27:38.740752 IP (tos 0x0, ttl 63, id 61548, offset 1480, flags [none], proto: UDP (17), length: 440) 192.168.17.2 > 192.168.160.2: udp

Could you tell me what I am doing wrong, please.

Thank you,
Vadym Chepkov

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 31 23:37:58 2007
Message-ID: <00f801c773ed$96fbb470$0610a8c0@chepkov.lan>
From: "Vadym Chepkov"
Date: Sat, 31 Mar 2007 19:37:47 -0400
Subject: Re: packet filter and amanda

I forgot to mention, I see those packets in the log only when I comment out scrub.
If the "scrub in all" option is on, the packets just disappear :(

> Hello everybody,
>
> I finally gave up, maybe somebody can help me.
> I have a router with FreeBSD 6.2-RELEASE-p1 with custom build kernel:
>
> device pf     # PF OpenBSD packet-filter firewall
> device pflog  # logging support interface for PF
>
> I am using amanda to backup a client which is behind a router with pf
> running:
>
> amanda server - FreeBSD pf - amanda client
>
> I compiled amanda with tcp/udp port ranges but I can get that far.
> I expect this rule to allow amanda server to connect to amanda client:
>
> pass out quick on $dmz_if proto udp from $amanda_server to any port 10080
> keep state
>
> Unfortunately, not all packets match this rule.
> When I added this rule below, it works fine, but it's too permissive:
>
> pass out log quick on $dmz_if from $amanda_server to any
>
> These are the packets that I can see in the log, and I can't understand why
> they don't match my rule.
>
> 18:27:38.740741 IP (tos 0x0, ttl 63, id 61548, offset 0, flags [+],
> proto: UDP (17), length: 1500) 192.168.17.2.859 > 192.168.16.2.10080: UDP,
> length 1892
> 18:27:38.740752 IP (tos 0x0, ttl 63, id 61548, offset 1480, flags [none],
> proto: UDP (17), length: 440) 192.168.17.2 > 192.168.160.2: udp
>
> Could you tell me what I am doing wrong, please.
>
> Thank you,
> Vadym Chepkov
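Why the port-matching rule covers only the first of the two packets in Vadym's log, as an added illustration that is not part of the thread: the second line is a non-initial IP fragment (offset 1480) of the same 1892-byte datagram (IP id 61548), and such a fragment carries no UDP header, so there is no port for pf to compare and a rule that names a port cannot match it, while the rule without a port can. The parser and the simplified rule matcher below are my own construction; they assume tcpdump's -v line format as shown in the log and take 192.168.17.2 as $amanda_server, which is what the log implies.

```python
import re

# Two tcpdump -v lines constructed to mirror the ones quoted in the thread
# (same IP id, fragment offsets, lengths and addresses).
LOG = """\
18:27:38.740741 IP (tos 0x0, ttl 63, id 61548, offset 0, flags [+], proto: UDP (17), length: 1500) 192.168.17.2.859 > 192.168.16.2.10080: UDP, length 1892
18:27:38.740752 IP (tos 0x0, ttl 63, id 61548, offset 1480, flags [none], proto: UDP (17), length: 440) 192.168.17.2 > 192.168.160.2: udp
"""

LINE_RE = re.compile(
    r"id (?P<id>\d+), offset (?P<offset>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"proto: (?P<proto>\w+) \(\d+\), length: \d+\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:")

def parse(line):
    """One tcpdump -v line -> dict, or None if it does not look like one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["offset"] = int(d["offset"])
    d["more_frags"] = "+" in d["flags"]  # flags [+] = more fragments follow
    d["proto"] = d["proto"].lower()
    # Ports exist only in the first fragment (offset 0), which carries the UDP header.
    d["sport"] = int(d["sport"]) if d["sport"] else None
    d["dport"] = int(d["dport"]) if d["dport"] else None
    return d

def rule_matches(rule, pkt):
    """Simplified model (my own) of pf matching for the two rules in the thread:
    a rule that names a port needs a transport header to compare against,
    which a non-initial fragment does not have, so it cannot match one."""
    if "proto" in rule and pkt["proto"] != rule["proto"]:
        return False
    if "src" in rule and pkt["src"] != rule["src"]:
        return False
    if "dport" in rule and (pkt["offset"] > 0 or pkt["dport"] != rule["dport"]):
        return False
    return True

# pass out quick on $dmz_if proto udp from $amanda_server to any port 10080 keep state
PORT_RULE = {"proto": "udp", "src": "192.168.17.2", "dport": 10080}
# pass out log quick on $dmz_if from $amanda_server to any
OPEN_RULE = {"src": "192.168.17.2"}

def classify(log=LOG):
    """Per log line: (fragment offset, matched by port rule, matched by open rule)."""
    return [(p["offset"], rule_matches(PORT_RULE, p), rule_matches(OPEN_RULE, p))
            for p in map(parse, log.splitlines()) if p]
```

Running classify() gives [(0, True, True), (1480, False, True)]: the first fragment satisfies both rules and the second only the permissive one. Enabling scrub makes pf reassemble the fragments before filtering, which is what the follow-up message above is experimenting with.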