From owner-freebsd-pf@FreeBSD.ORG Mon Jul 14 11:07:03 2008
Date: Mon, 14 Jul 2008 11:07:02 GMT
Message-Id: <200807141107.m6EB72oH014501@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 14 Jul 2008 11:07:03 -0000

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/111220  pf     [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/82271   pf     [pf] cbq scheduler cause bad latency
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o kern/120281  pf     [pf] [request] lost returning packets to PF for a rdr
o kern/122014  pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/124364  pf     [pf] [panic] Kernel panic with pf + bridge
s kern/124933  pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented

6 problems total.

Non-critical problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf     [pf] pf reply-to doesn't work
s conf/110838  pf     [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/114095  pf     [carp] carp+pf delay with high state limit
o kern/114567  pf     [pf] LOR pf_ioctl.c + if.c
o bin/118355   pf     [pf] [patch] pfctl(8) help message options order false
o kern/120057  pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o kern/121704  pf     [pf] PF mangles loopback packets
o kern/122773  pf     [pf] pf doesn't log uid or pid when configured to
o kern/125467  pf     [pf] pf keep state bug while handling sessions between

10 problems total.
From owner-freebsd-pf@FreeBSD.ORG Thu Jul 17 12:31:22 2008
Date: Thu, 17 Jul 2008 08:15:03 -0400
From: "Glen Barber"
To: freebsd-pf@freebsd.org
Message-ID: <4ad871310807170515x5b553661yd64245f7daf2dd61@mail.gmail.com>
In-Reply-To: <48750381.1030004@eskk.nu>
References: <48750381.1030004@eskk.nu>
Subject: Re: New pf install on Freebsd7 seem to be a slow starter.

On Wed, Jul 9, 2008 at 2:29 PM, Leslie Jensen wrote:

[:: snip ::]
>
> # tables
> table { something.somewhere.com, somethingelse.somewhere.com,
> xxx.yyy.zzz.qqq }
>

[:: snip ::]
>
> # Let the goodguys access the machine from the outside
> pass in on $ext_if inet proto tcp from to ($ext_if) \
> port $tcp_services flags S/SA keep state
>

Hi. I'm just curious why you decided to use a table for this. I have
done something similar (disallowing access to certain domains) using
macros as follows:

deny_sites="{ badsite.com , www.myspace.com , badsite2.com }"

and didn't notice 'slowness' at boot. This was on a 6.3-RELEASE box,
if that matters.

Regards,

-- 
Glen Barber
http://www.dev-urandom.com/

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 17 12:55:40 2008
Date: Thu, 17 Jul 2008 05:55:40 -0700
From: Jeremy Chadwick
To: Glen Barber
Cc: freebsd-pf@freebsd.org
Message-ID: <20080717125540.GA73950@eos.sc1.parodius.com>
In-Reply-To: <4ad871310807170515x5b553661yd64245f7daf2dd61@mail.gmail.com>
References: <48750381.1030004@eskk.nu> <4ad871310807170515x5b553661yd64245f7daf2dd61@mail.gmail.com>
User-Agent: Mutt/1.5.18 (2008-05-17)
Subject: Re: New pf install on Freebsd7 seem to be a slow starter.

On Thu, Jul 17, 2008 at 08:15:03AM -0400, Glen Barber wrote:
> Hi. I'm just curious why you decided to use a table for this. I have
> done something similar (disallowing access to certain domains) using
> macros as follows:
>
> deny_sites="{ badsite.com , www.myspace.com , badsite2.com }"
>
> and didn't notice 'slowness' at boot. This was on a 6.3-RELEASE box,
> if that matters.

I don't think it matters if the entries are in a table or in a macro.

Chances are whatever resolver you're using (e.g. an ISP's DNS server, or
something upstream, versus named on the same box) had all of those
entries cached, or has very good overall response time for DNS lookups.
In the case of the OP, I believe he runs his own named.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 17 13:00:03 2008
Date: Thu, 17 Jul 2008 09:00:01 -0400
From: "Glen Barber"
To: freebsd-pf@freebsd.org
Message-ID: <4ad871310807170600of904ddvfa31f3f1bf2e421d@mail.gmail.com>
In-Reply-To: <20080717125540.GA73950@eos.sc1.parodius.com>
References: <48750381.1030004@eskk.nu> <4ad871310807170515x5b553661yd64245f7daf2dd61@mail.gmail.com> <20080717125540.GA73950@eos.sc1.parodius.com>
Subject: Re: New pf install on Freebsd7 seem to be a slow starter.

On Thu, Jul 17, 2008 at 8:55 AM, Jeremy Chadwick wrote:
> On Thu, Jul 17, 2008 at 08:15:03AM -0400, Glen Barber wrote:
>> Hi. I'm just curious why you decided to use a table for this. I have
>> done something similar (disallowing access to certain domains) using
>> macros as follows:
>>
>> deny_sites="{ badsite.com , www.myspace.com , badsite2.com }"
>>
>> and didn't notice 'slowness' at boot. This was on a 6.3-RELEASE box,
>> if that matters.
>
> I don't think it matters if the entries are in a table or in a macro.
>
> Chances are whatever resolver you're using (e.g. an ISP's DNS server, or
> something upstream, versus named on the same box) had all of those
> entries cached, or has very good overall response time for DNS lookups.
> In the case of the OP, I believe he runs his own named.
>

I was under the assumption the OP runs his own DNS server, as that is
how my machine was set up.
Regards, -- Glen Barber http://www.dev-urandom.com/ From owner-freebsd-pf@FreeBSD.ORG Thu Jul 17 13:13:07 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 24D3D106564A for ; Thu, 17 Jul 2008 13:13:07 +0000 (UTC) (envelope-from glen.j.barber@gmail.com) Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.158]) by mx1.freebsd.org (Postfix) with ESMTP id A9E3B8FC22 for ; Thu, 17 Jul 2008 13:13:06 +0000 (UTC) (envelope-from glen.j.barber@gmail.com) Received: by fg-out-1718.google.com with SMTP id l26so4072495fgb.35 for ; Thu, 17 Jul 2008 06:13:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=jQE+wJWh+Ao8Td3/vZ31W9HMxG8h1nN55kPWVqhU7gM=; b=nJTmab2HXjxG3waFY5xs7xKf37zTTHXEjCh9fy/y6H7b0vJAeuWzSZV8Md7uV8mEqU h6b3oLQDLFzigz1mtYHxxLHe8XreBzAwP4rYD8hymtwJ3leU4yX2GUNWNIm3Dikxewbd BsnWNQJYa3NgrS8sq6mcvRVwgzS0waX+/xLEs= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=WH1YVncovrIyd+wxZku8kuU0zhO7ApKJPwHarHLvnf3FDKUvO2NQJXL7mrW+w/xsSe eJ61j/IZP6acFDSM3OpFtKRk/QfVKlnwTWpCq77qOVMSaqQ7rHg58SEQ/6JxQTx1AooJ Xhh0cHSNxrtxkrYN03cu8Oe4oXzeoHgekHcjA= Received: by 10.86.72.15 with SMTP id u15mr4004143fga.22.1216300383388; Thu, 17 Jul 2008 06:13:03 -0700 (PDT) Received: by 10.86.73.9 with HTTP; Thu, 17 Jul 2008 06:13:03 -0700 (PDT) Message-ID: <4ad871310807170613y6d5df98dlf85f664399c9ca4c@mail.gmail.com> Date: Thu, 17 Jul 2008 09:13:03 -0400 From: "Glen Barber" To: freebsd-pf@freebsd.org In-Reply-To: <4ad871310807170600of904ddvfa31f3f1bf2e421d@mail.gmail.com> MIME-Version: 1.0 Content-Type: 
text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <48750381.1030004@eskk.nu> <4ad871310807170515x5b553661yd64245f7daf2dd61@mail.gmail.com> <20080717125540.GA73950@eos.sc1.parodius.com> <4ad871310807170600of904ddvfa31f3f1bf2e421d@mail.gmail.com> Subject: Re: New pf install on Freebsd7 seem to be a slow starter. X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Jul 2008 13:13:07 -0000 On Thu, Jul 17, 2008 at 9:00 AM, Glen Barber wrote: > I was under the assumption the OP runs his own DNS server, as that is > how my machine was set up. > Another reason I thought about 'why' the OP used tables - aren't PF tables evaluated at boot, and macros evaluated when they are called? I think the latter negates the need for resolving at boot. Please correct me if I am wrong. 
Regards, -- Glen Barber http://www.dev-urandom.com/ From owner-freebsd-pf@FreeBSD.ORG Thu Jul 17 13:44:48 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AA6941065671 for ; Thu, 17 Jul 2008 13:44:48 +0000 (UTC) (envelope-from phoemix@harmless.hu) Received: from marvin.harmless.hu (marvin.harmless.hu [195.56.55.204]) by mx1.freebsd.org (Postfix) with ESMTP id 062468FC0C for ; Thu, 17 Jul 2008 13:44:47 +0000 (UTC) (envelope-from phoemix@harmless.hu) Received: from fw.publishing.hu ([82.131.181.62] helo=twoflower.in.publishing.hu) by marvin.harmless.hu with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1KJTXQ-0009MA-Lj; Thu, 17 Jul 2008 15:28:52 +0200 Date: Thu, 17 Jul 2008 15:28:49 +0200 From: CZUCZY Gergely To: "Glen Barber" Message-ID: <20080717152849.0e90b307@twoflower.in.publishing.hu> In-Reply-To: <4ad871310807170613y6d5df98dlf85f664399c9ca4c@mail.gmail.com> References: <48750381.1030004@eskk.nu> <4ad871310807170515x5b553661yd64245f7daf2dd61@mail.gmail.com> <20080717125540.GA73950@eos.sc1.parodius.com> <4ad871310807170600of904ddvfa31f3f1bf2e421d@mail.gmail.com> <4ad871310807170613y6d5df98dlf85f664399c9ca4c@mail.gmail.com> Organization: Harmless Digital X-Mailer: Claws Mail 3.5.0 (GTK+ 2.12.11; i386-portbld-freebsd6.3) Mime-Version: 1.0 Content-Type: multipart/signed; boundary="Sig_/s9+jwSzJ/uxV3RJjdXfE.QX"; protocol="application/pgp-signature"; micalg=PGP-SHA1 Cc: freebsd-pf@freebsd.org Subject: Re: New pf install on Freebsd7 seem to be a slow starter. 
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Jul 2008 13:44:48 -0000 --Sig_/s9+jwSzJ/uxV3RJjdXfE.QX Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Thu, 17 Jul 2008 09:13:03 -0400 "Glen Barber" wrote: > On Thu, Jul 17, 2008 at 9:00 AM, Glen Barber wr= ote: > > I was under the assumption the OP runs his own DNS server, as that is > > how my machine was set up. > > >=20 > Another reason I thought about 'why' the OP used tables - aren't PF > tables evaluated at boot, and macros evaluated when they are called? > I think the latter negates the need for resolving at boot. Please > correct me if I am wrong. Macros are evaluated at pfctl-time. That means, parse-time. Tables are evaluated at runtime (that means, when a lookup is in progress). --=20 =C3=9Cdv=C3=B6lettel, Czuczy Gergely Harmless Digital Bt mailto: gergely.czuczy@harmless.hu Tel: +36-30-9702963 --Sig_/s9+jwSzJ/uxV3RJjdXfE.QX Content-Type: application/pgp-signature; name=signature.asc Content-Disposition: attachment; filename=signature.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.3 (FreeBSD) iD8DBQFIf0kTzrC0WyuMkpsRAmpVAJ9yTvBB1e2SCJk+3CvAteFMyTbw6gCfbgzw wed/WgLtVCEup9F0B0kPudQ= =SH1y -----END PGP SIGNATURE----- --Sig_/s9+jwSzJ/uxV3RJjdXfE.QX-- From owner-freebsd-pf@FreeBSD.ORG Thu Jul 17 14:36:41 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6AB35106564A for ; Thu, 17 Jul 2008 14:36:41 +0000 (UTC) (envelope-from opteron.delivery@gmail.com) Received: from el-out-1112.google.com (el-out-1112.google.com [209.85.162.181]) by mx1.freebsd.org (Postfix) with ESMTP id 2DF388FC18 for ; Thu, 17 Jul 2008 14:36:41 +0000 (UTC) 
(envelope-from opteron.delivery@gmail.com) Received: by el-out-1112.google.com with SMTP id v27so1207337ele.13 for ; Thu, 17 Jul 2008 07:36:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:mime-version:content-type; bh=AJbWRjKaOghNZMf6ltRk7H8RDuhq9fljtePJNSCpJCU=; b=i+0rBio+lsy0zwx6xkwf1dQZgjTG9QLqHrfDTCkpWEkAqwLbq6nPes6F2v2wWWRqLP nOTRxO+boPYrCp+60KD6zgLZYViJp5FyaGocKU1apD+rDluAO04bmrWXPBrEuxn2SZIJ 6wNT8GB4e3nsibto6M7fTTKXuY7NBU0gTqc/0= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type; b=X0cqkOL5liCJ940kNHE4jWFoPsIeDM8DIRtpC1Dc2lV3P7cyC2gI8chEqfxYgVcBuY 716sl89REwKywFvSz+P3zCL1L8k3Zo2Ut1j0zZncY7wIhIleca8kz8DIoD3z+ax73146 q1R8uYUMIPV+CA/vlxDOadDpbegzJqfghxXCs= Received: by 10.142.12.18 with SMTP id 18mr161928wfl.203.1216303847809; Thu, 17 Jul 2008 07:10:47 -0700 (PDT) Received: by 10.143.29.1 with HTTP; Thu, 17 Jul 2008 07:10:47 -0700 (PDT) Message-ID: <4f8a92b40807170710r7eb0bda9t234aade6ed89ca33@mail.gmail.com> Date: Thu, 17 Jul 2008 10:10:47 -0400 From: "Dave Graham" To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Help with BSD7 (pf) and VMWare X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Jul 2008 14:36:41 -0000 All, Definitely a noob when it comes to FreeBSD but I'm trying to accomplish the following: use a BSD7 VM as a NAT device within my ESX infrastructure. I've started reading through the online man pages for pf, but I'm getting completely lost. 
to start with, I want to set up a simple NAT and then expand it, as need, to provide DNS services to my other VMs (all linux). can anyone point me to a good starting place? thanks! Dave Graham Flickerdown Data Systems 1207 Main St. #2 Holden, MA 01520 978.239.2489 From owner-freebsd-pf@FreeBSD.ORG Thu Jul 17 15:11:55 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id F37911065672 for ; Thu, 17 Jul 2008 15:11:54 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.177]) by mx1.freebsd.org (Postfix) with ESMTP id 6E1B18FC12 for ; Thu, 17 Jul 2008 15:11:54 +0000 (UTC) (envelope-from max@love2party.net) Received: from vampire.homelinux.org (dslb-088-066-030-033.pools.arcor-ip.net [88.66.30.33]) by mrelayeu.kundenserver.de (node=mrelayeu0) with ESMTP (Nemesis) id 0MKwh2-1KJV970ihX-0000ec; Thu, 17 Jul 2008 17:11:53 +0200 Received: (qmail 35166 invoked from network); 17 Jul 2008 15:11:52 -0000 Received: from myhost.laiers.local (192.168.4.151) by ns1.laiers.local with SMTP; 17 Jul 2008 15:11:52 -0000 From: Max Laier Organization: FreeBSD To: freebsd-pf@freebsd.org Date: Thu, 17 Jul 2008 17:11:50 +0200 User-Agent: KMail/1.9.9 References: <48750381.1030004@eskk.nu> <4ad871310807170613y6d5df98dlf85f664399c9ca4c@mail.gmail.com> <20080717152849.0e90b307@twoflower.in.publishing.hu> In-Reply-To: <20080717152849.0e90b307@twoflower.in.publishing.hu> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200807171711.51208.max@love2party.net> X-Provags-ID: V01U2FsdGVkX1/YH+KHZWbRWnMluRsX+LvgvWBeYdWuVBMHze6 JboMD9VkB7UiPIutuVIX6hGgkplv1tdXGoXfY3t9veWinratH5 LFuLUVsfmEWC8zzbkj20g== Cc: Subject: Re: New pf install on Freebsd7 seem to be a slow starter. 
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Jul 2008 15:11:55 -0000 On Thursday 17 July 2008 15:28:49 CZUCZY Gergely wrote: > On Thu, 17 Jul 2008 09:13:03 -0400 > > "Glen Barber" wrote: > > On Thu, Jul 17, 2008 at 9:00 AM, Glen Barber wrote: > > > I was under the assumption the OP runs his own DNS server, as that > > > is how my machine was set up. > > > > Another reason I thought about 'why' the OP used tables - aren't PF > > tables evaluated at boot, and macros evaluated when they are called? > > I think the latter negates the need for resolving at boot. Please > > correct me if I am wrong. > > Macros are evaluated at pfctl-time. That means, parse-time. Tables are > evaluated at runtime (that means, when a lookup is in progress). DNS lookups are always performed in userland at pfctl-time. It does not matter if you put your hostnames into a macro, table or rule directly - it will always be looked up by pfctl before even loading the rule/table into the kernel. If you really want to trust DNS lookups to influence your firewall rules (3 weeks till dooms day - is your resolver patched?!?) you should add an rc.d that depends on NETWORKING (or hook something up to ppp.linkup, or whereeverelse you can be sure that your resolver is working) and fill a predefined table from that script. i.e. 
"pfctl -t mytable -T add foo.bar.local" -- /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News From owner-freebsd-pf@FreeBSD.ORG Thu Jul 17 15:14:27 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 54B0C10656A1 for ; Thu, 17 Jul 2008 15:14:27 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.179]) by mx1.freebsd.org (Postfix) with ESMTP id E3D158FC1C for ; Thu, 17 Jul 2008 15:14:26 +0000 (UTC) (envelope-from max@love2party.net) Received: from vampire.homelinux.org (dslb-088-066-030-033.pools.arcor-ip.net [88.66.30.33]) by mrelayeu.kundenserver.de (node=mrelayeu4) with ESMTP (Nemesis) id 0ML21M-1KJVBZ2B8H-0000gA; Thu, 17 Jul 2008 17:14:25 +0200 Received: (qmail 35224 invoked from network); 17 Jul 2008 15:14:25 -0000 Received: from myhost.laiers.local (192.168.4.151) by mx.laiers.local with SMTP; 17 Jul 2008 15:14:25 -0000 From: Max Laier Organization: FreeBSD To: freebsd-pf@freebsd.org Date: Thu, 17 Jul 2008 17:14:24 +0200 User-Agent: KMail/1.9.9 References: <4f8a92b40807170710r7eb0bda9t234aade6ed89ca33@mail.gmail.com> In-Reply-To: <4f8a92b40807170710r7eb0bda9t234aade6ed89ca33@mail.gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200807171714.24828.max@love2party.net> X-Provags-ID: V01U2FsdGVkX1846F8Ti37jt1VuLjUOTvvwxP81y46v5lpxe4G 9r6lk14h3zfqr0s5O8qV9Qo9laCQaTA1Et80CtRkHu/+1ykEEE b7J/loqUI2BBfxTuLEZww== Cc: Dave Graham Subject: Re: Help with BSD7 (pf) and VMWare X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: 
List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Jul 2008 15:14:27 -0000 On Thursday 17 July 2008 16:10:47 Dave Graham wrote: > All, > > Definitely a noob when it comes to FreeBSD but I'm trying to accomplish > the following: > > use a BSD7 VM as a NAT device within my ESX infrastructure. I've > started reading through the online man pages for pf, but I'm getting > completely lost. > > to start with, I want to set up a simple NAT and then expand it, as > need, to provide DNS services to my other VMs (all linux). > > can anyone point me to a good starting place? http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html http://www.openbsd.org/faq/pf/index.html http://home.nuug.no/~peter/pf/en/ -- /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News From owner-freebsd-pf@FreeBSD.ORG Thu Jul 17 15:19:03 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0B7031065671 for ; Thu, 17 Jul 2008 15:19:03 +0000 (UTC) (envelope-from jdc@parodius.com) Received: from mx01.sc1.parodius.com (mx01.sc1.parodius.com [72.20.106.3]) by mx1.freebsd.org (Postfix) with ESMTP id 0266D8FC1E for ; Thu, 17 Jul 2008 15:19:02 +0000 (UTC) (envelope-from jdc@parodius.com) Received: by mx01.sc1.parodius.com (Postfix, from userid 1000) id 939531CC09F; Thu, 17 Jul 2008 08:19:02 -0700 (PDT) Date: Thu, 17 Jul 2008 08:19:02 -0700 From: Jeremy Chadwick To: Max Laier Message-ID: <20080717151902.GA79577@eos.sc1.parodius.com> References: <48750381.1030004@eskk.nu> <4ad871310807170613y6d5df98dlf85f664399c9ca4c@mail.gmail.com> <20080717152849.0e90b307@twoflower.in.publishing.hu> <200807171711.51208.max@love2party.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: 
<200807171711.51208.max@love2party.net> User-Agent: Mutt/1.5.18 (2008-05-17) Cc: freebsd-pf@freebsd.org Subject: Re: New pf install on Freebsd7 seem to be a slow starter. X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Jul 2008 15:19:03 -0000 On Thu, Jul 17, 2008 at 05:11:50PM +0200, Max Laier wrote: > On Thursday 17 July 2008 15:28:49 CZUCZY Gergely wrote: > > On Thu, 17 Jul 2008 09:13:03 -0400 > > > > "Glen Barber" wrote: > > > On Thu, Jul 17, 2008 at 9:00 AM, Glen Barber > wrote: > > > > I was under the assumption the OP runs his own DNS server, as that > > > > is how my machine was set up. > > > > > > Another reason I thought about 'why' the OP used tables - aren't PF > > > tables evaluated at boot, and macros evaluated when they are called? > > > I think the latter negates the need for resolving at boot. Please > > > correct me if I am wrong. > > > > Macros are evaluated at pfctl-time. That means, parse-time. Tables are > > evaluated at runtime (that means, when a lookup is in progress). > > DNS lookups are always performed in userland at pfctl-time. It does not > matter if you put your hostnames into a macro, table or rule directly - > it will always be looked up by pfctl before even loading the rule/table > into the kernel. > > If you really want to trust DNS lookups to influence your firewall rules > (3 weeks till dooms day - is your resolver patched?!?) you should add an > rc.d that depends on NETWORKING (or hook something up to ppp.linkup, or > whereeverelse you can be sure that your resolver is working) and fill a > predefined table from that script. i.e. "pfctl -t mytable -T add > foo.bar.local" Which induces another question (probably answered in a post a few weeks ago, knowing my luck): Does pf(4) use gethostbyname()? 
If so, the OP should be able to add entries of said FQDNs to /etc/hosts to avoid doing actual recursive DNS lookups. (I'm curious about this myself, since we have some pf.conf rules which refer to IPs bound to our servers, and I've always wanted to switch them over to FQDNs that are listed in /etc/hosts...) -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB | From owner-freebsd-pf@FreeBSD.ORG Thu Jul 17 15:28:06 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C5D9F106570C for ; Thu, 17 Jul 2008 15:28:06 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.187]) by mx1.freebsd.org (Postfix) with ESMTP id 6111F8FC12 for ; Thu, 17 Jul 2008 15:28:06 +0000 (UTC) (envelope-from max@love2party.net) Received: from vampire.homelinux.org (dslb-088-066-030-033.pools.arcor-ip.net [88.66.30.33]) by mrelayeu.kundenserver.de (node=mrelayeu8) with ESMTP (Nemesis) id 0ML31I-1KJVOn0tTp-0000gx; Thu, 17 Jul 2008 17:28:05 +0200 Received: (qmail 35460 invoked from network); 17 Jul 2008 15:28:04 -0000 Received: from myhost.laiers.local (192.168.4.151) by laiers.local with SMTP; 17 Jul 2008 15:28:04 -0000 From: Max Laier Organization: FreeBSD To: Jeremy Chadwick Date: Thu, 17 Jul 2008 17:28:04 +0200 User-Agent: KMail/1.9.9 References: <48750381.1030004@eskk.nu> <200807171711.51208.max@love2party.net> <20080717151902.GA79577@eos.sc1.parodius.com> In-Reply-To: <20080717151902.GA79577@eos.sc1.parodius.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200807171728.04369.max@love2party.net> X-Provags-ID: V01U2FsdGVkX19Pq9O9sQ+A/HhoeETnoAipOUhZ0mEVZYRzOWb 
Cc: freebsd-pf@freebsd.org
Subject: Re: New pf install on Freebsd7 seem to be a slow starter.

On Thursday 17 July 2008 17:19:02 Jeremy Chadwick wrote:
> On Thu, Jul 17, 2008 at 05:11:50PM +0200, Max Laier wrote:
> > On Thursday 17 July 2008 15:28:49 CZUCZY Gergely wrote:
> > > On Thu, 17 Jul 2008 09:13:03 -0400
> > > "Glen Barber" wrote:
> > > > On Thu, Jul 17, 2008 at 9:00 AM, Glen Barber wrote:
> > > > > I was under the assumption the OP runs his own DNS server, as
> > > > > that is how my machine was set up.
> > > >
> > > > Another reason I thought about 'why' the OP used tables - aren't
> > > > PF tables evaluated at boot, and macros evaluated when they are
> > > > called? I think the latter negates the need for resolving at
> > > > boot. Please correct me if I am wrong.
> > >
> > > Macros are evaluated at pfctl-time. That means, parse-time. Tables
> > > are evaluated at runtime (that means, when a lookup is in
> > > progress).
> >
> > DNS lookups are always performed in userland at pfctl-time. It does
> > not matter if you put your hostnames into a macro, table or rule
> > directly - it will always be looked up by pfctl before even loading
> > the rule/table into the kernel.
> >
> > If you really want to trust DNS lookups to influence your firewall
> > rules (3 weeks till doomsday - is your resolver patched?!?) you
> > should add an rc.d that depends on NETWORKING (or hook something up
> > to ppp.linkup, or wherever else you can be sure that your resolver is
> > working) and fill a predefined table from that script, i.e. "pfctl -t
> > mytable -T add foo.bar.local"
>
> Which induces another question (probably answered in a post a few weeks
> ago, knowing my luck):
>
> Does pf(4) use gethostbyname()? If so, the OP should be able to add
> entries of said FQDNs to /etc/hosts to avoid doing actual recursive DNS
> lookups. (I'm curious about this myself, since we have some pf.conf
> rules which refer to IPs bound to our servers, and I've always wanted
> to switch them over to FQDNs that are listed in /etc/hosts...)

gethostbyname(3), but that should - iirc - also tie into /etc/hosts if
your nsswitch.conf points there.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
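The runtime approach Max describes (resolve the names only once the resolver is usable, then fill a predefined table) as an added example, not code from the thread or from pf: a small Python script that resolves a list of FQDNs through the libc resolver (so /etc/hosts entries apply via nsswitch.conf, the behaviour Jeremy is after), refuses to touch the table if any name fails to resolve, and builds the `pfctl -T replace` invocation. The table name `mytable`, the hostnames and the addresses returned by the fake resolver in the test are assumptions.

```python
#!/usr/bin/env python3
"""Fill a predefined pf table from hostnames once the resolver works.

Added example; not code from the thread or from pf/pfctl. Assumes the
table is declared in pf.conf, e.g.:  table <mytable> persist
"""
import ipaddress
import socket
import subprocess
import sys
from typing import Callable, Dict, Iterable, List, Tuple

# Any callable hostname -> list of IP strings. The default goes through
# the libc resolver, so it honours /etc/hosts via nsswitch.conf just as
# gethostbyname(3) does, instead of always asking a recursive DNS server.
Resolver = Callable[[str], List[str]]


def libc_resolve(hostname: str) -> List[str]:
    """Resolve through getaddrinfo(3) (IPv4 and IPv6), deduplicated."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    seen: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in infos:
        ip = sockaddr[0]
        if ip not in seen:
            seen.append(ip)
    return seen


def resolve_hosts(hostnames: Iterable[str],
                  resolver: Resolver = libc_resolve,
                  ) -> Tuple[Dict[str, List[str]], List[str]]:
    """Resolve each hostname; return ({host: [ips]}, [unresolved hosts]).

    An unresolvable name is reported, not silently dropped: a table
    missing an entry changes what the rule matches, and the operator
    should know which name caused it.
    """
    resolved: Dict[str, List[str]] = {}
    failed: List[str] = []
    for host in hostnames:
        try:
            # ip_address() rejects anything that is not a literal address
            ips = [str(ipaddress.ip_address(ip)) for ip in resolver(host)]
        except (socket.gaierror, ValueError):
            ips = []
        if ips:
            resolved[host] = ips
        else:
            failed.append(host)
    return resolved, failed


def pfctl_replace_command(table: str,
                          resolved: Dict[str, List[str]]) -> List[str]:
    """Build argv for `pfctl -t <table> -T replace <addr ...>`.

    -T replace (rather than -T add) makes the table equal to exactly the
    current answers, so addresses from an earlier run that are no longer
    returned are removed as well.
    """
    addrs = sorted({ip for ips in resolved.values() for ip in ips},
                   key=lambda a: (ipaddress.ip_address(a).version,
                                  ipaddress.ip_address(a)))
    return ["pfctl", "-t", table, "-T", "replace", *addrs]


def fill_table(table: str, hostnames: Iterable[str],
               resolver: Resolver = libc_resolve,
               dry_run: bool = True) -> Tuple[List[str], List[str]]:
    """Resolve; on any failure leave the table untouched, else run pfctl.

    Returns (argv, unresolved). argv is empty when nothing was loaded.
    """
    resolved, failed = resolve_hosts(hostnames, resolver)
    if failed:
        # Partial answers would leave the table in an unknown state;
        # keep the previous contents and report what did not resolve.
        return [], failed
    argv = pfctl_replace_command(table, resolved)
    if not dry_run:
        subprocess.run(argv, check=True)
    return argv, []


if __name__ == "__main__":
    # Constructed default; pass the names from your pf.conf as arguments.
    hosts = sys.argv[1:] or ["localhost"]
    argv, unresolved = fill_table("mytable", hosts, dry_run=True)
    if unresolved:
        sys.exit("not loading table: unresolved " + ", ".join(unresolved))
    print(" ".join(argv))
```

Run it with `dry_run=False` from an rc.d script that requires NETWORKING, as Max suggests, so the resolver is up before the table is filled.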
From owner-freebsd-pf@FreeBSD.ORG Fri Jul 18 02:25:12 2008
From: "Ansar Mohammed"
Date: Thu, 17 Jul 2008 22:25:09 -0400
Message-ID: <047001c8e87d$8078b710$816a2530$@com>
Subject: GRE Limitation

Hello All,
I just read the following on the pfsense website:

"PPTP and GRE Limitation - The state tracking code in pf for the GRE
protocol can only track a single session per public IP per external server.
This means if you use PPTP VPN connections, only one internal machine can
connect simultaneously to a PPTP server on the Internet. A thousand machines
can connect simultaneously to a thousand different PPTP servers, but only
one simultaneously to a single server. The only available work around is to
use multiple public IPs on your firewall, one per client, or to use multiple
public IPs on the external PPTP server. This is not a problem with other
types of VPN connections."

Is this also true for stock FreeBSD with PF or just a pfsense issue?

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 18 03:48:08 2008
From: "Ansar Mohammed"
To: "'Chris Buechler'"
Cc: freebsd-pf@freebsd.org
Date: Thu, 17 Jul 2008 23:48:04 -0400
Message-ID: <048f01c8e889$160fffd0$422fff70$@com>
Subject: RE: GRE Limitation

Is this like "a known bug" that's being fixed or is this "by design" and we
have to deal with it?

> -----Original Message-----
> From: Chris Buechler [mailto:cbuechler@gmail.com]
> Sent: July 17, 2008 11:37 PM
> To: Ansar Mohammed
> Cc: freebsd-pf@freebsd.org
> Subject: Re: GRE Limitation
>
> On Thu, Jul 17, 2008 at 10:25 PM, Ansar Mohammed wrote:
> > Hello All,
> > I just read the following on the pfsense website:
> >
> > "PPTP and GRE Limitation - The state tracking code in pf for the GRE
> > protocol can only track a single session per public IP per external
> > server. This means if you use PPTP VPN connections, only one internal
> > machine can connect simultaneously to a PPTP server on the Internet. A
> > thousand machines can connect simultaneously to a thousand different
> > PPTP servers, but only one simultaneously to a single server. The only
> > available work around is to use multiple public IPs on your firewall,
> > one per client, or to use multiple public IPs on the external PPTP
> > server. This is not a problem with other types of VPN connections."
> >
> > Is this also true for stock FreeBSD with PF or just a pfsense issue?
> >
>
> That's true with every OS that runs pf, and anything based on any of
> those (including pfSense).
>
> Chris

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 18 04:01:04 2008
From: "Chris Buechler"
To: "Ansar Mohammed"
Cc: freebsd-pf@freebsd.org
Date: Thu, 17 Jul 2008 23:36:59 -0400
In-Reply-To: <047001c8e87d$8078b710$816a2530$@com>
Subject: Re: GRE Limitation

On Thu, Jul 17, 2008 at 10:25 PM, Ansar Mohammed wrote:
> Hello All,
> I just read the following on the pfsense website:
>
> "PPTP and GRE Limitation - The state tracking code in pf for the GRE
> protocol can only track a single session per public IP per external server.
> This means if you use PPTP VPN connections, only one internal machine can
> connect simultaneously to a PPTP server on the Internet. A thousand machines
> can connect simultaneously to a thousand different PPTP servers, but only
> one simultaneously to a single server. The only available work around is to
> use multiple public IPs on your firewall, one per client, or to use multiple
> public IPs on the external PPTP server. This is not a problem with other
> types of VPN connections."
>
> Is this also true for stock FreeBSD with PF or just a pfsense issue?
>

That's true with every OS that runs pf, and anything based on any of
those (including pfSense).

Chris

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 18 04:05:30 2008
From: "Chris Buechler"
To: "Ansar Mohammed"
Date: Fri, 18 Jul 2008 00:05:28 -0400
In-Reply-To: <048f01c8e889$160fffd0$422fff70$@com>
Cc: freebsd-pf@freebsd.org
Subject: Re: GRE Limitation

On Thu, Jul 17, 2008 at 11:48 PM, Ansar Mohammed wrote:
> Is this like "a known bug" that's being fixed or is this "by design" and we
> have to deal with it?
>

It's not a bug. If you search the OpenBSD list archives you'll find
plenty of discussion on it. There are proxies that are supposed to work
around this, like Frickin PPTP. It's not highly regarded by the OpenBSD
community apparently (not sure why, saw that in passing in their list
archives at one point), and it doesn't work right on FreeBSD (if any
OS?). There may be other proxy alternatives, I'm not aware of any that
work.

Ermal Luci, a pfSense and FreeBSD committer, has been working on
improved state tracking for GRE that would eliminate this limitation.
Not sure of the status other than it's not done. If/when it's finished
it'll be in pfSense development releases first, maybe integrated into
the BSDs later or possibly not.

Chris

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 18 04:30:27 2008
From: "Scott Ullrich"
To: "Ansar Mohammed"
Date: Fri, 18 Jul 2008 00:04:45 -0400
In-Reply-To: <048f01c8e889$160fffd0$422fff70$@com>
Cc: freebsd-pf@freebsd.org
Subject: Re: GRE Limitation

On Thu, Jul 17, 2008 at 11:48 PM, Ansar Mohammed wrote:
> Is this like "a known bug" that's being fixed or is this "by design" and we
> have to deal with it?

Ermal Luci is working on a patch. Maybe he can offer it for testing.

Scott

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 18 10:18:45 2008
From: "Rudi Kramer - MWEB"
To: "Chris Buechler", "Ansar Mohammed"
Cc: freebsd-pf@freebsd.org
Date: Fri, 18 Jul 2008 12:03:22 +0200
Message-ID: <39DC135F7F0571489196E0B6F5D58B4A03B45EED@MWBEXCH.mweb.com>
Subject: RE: GRE Limitation

> It's not a bug. If you search the OpenBSD list archives you'll find
> plenty of discussion on it.

I had the same issue and when I checked with our ms-admin team they said
it was a Microsoft limitation.

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 18 12:23:38 2008
From: "Chris Buechler"
To: "Rudi Kramer - MWEB"
Cc: freebsd-pf@freebsd.org
Date: Fri, 18 Jul 2008 08:23:37 -0400
In-Reply-To: <39DC135F7F0571489196E0B6F5D58B4A03B45EED@MWBEXCH.mweb.com>
Subject: Re: GRE Limitation

On Fri, Jul 18, 2008 at 6:03 AM, Rudi Kramer - MWEB wrote:
>
> I had the same issue and when I checked with our ms-admin team they said
> it was a Microsoft limitation.
>

No, it's an issue with many NAT implementations and how they handle
state for the GRE protocol. pf only tracks source IP, dest IP and
protocol. It has to do something more advanced, like tracking by GRE
call ID in addition to src/dst, to track connections in this manner.

Chris

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 18 14:00:18 2008
From: "Catalin Miclaus"
To: "Rudi Kramer - MWEB", "Chris Buechler", "Ansar Mohammed"
Cc: freebsd-pf@freebsd.org
Date: Fri, 18 Jul 2008 11:43:26 +0100
Message-ID: <3A0AA7018522134597ED63B3B794C92A0267DBF1@STA-HQ-S001.starcomms.local>
In-Reply-To: <39DC135F7F0571489196E0B6F5D58B4A03B45EED@MWBEXCH.mweb.com>
Subject: RE: GRE Limitation
It is not a Microsoft limitation. Please stop spreading wrong information
on same. Netfilter team has been able to solve it; for those who are
using a Linux distribution you can apply some patches to Iptables and it
will work fine.

Best Regards
Catalin Miclaus
Network/Security
ISP-Data
Starcomms Ltd.

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org]
On Behalf Of Rudi Kramer - MWEB
Sent: Friday, July 18, 2008 11:03 AM
To: Chris Buechler; Ansar Mohammed
Cc: freebsd-pf@freebsd.org
Subject: RE: GRE Limitation

> It's not a bug. If you search the OpenBSD list archives you'll find
> plenty of discussion on it.

I had the same issue and when I checked with our ms-admin team they said
it was a Microsoft limitation.

From owner-freebsd-pf@FreeBSD.ORG Sat Jul 19 11:18:16 2008
From: Angelo Turetta
To: Rudi Kramer - MWEB
Cc: freebsd-pf@freebsd.org
Date: Sat, 19 Jul 2008 13:06:35 +0200
Message-ID: <4881CABB.7080907@commit.it>
In-Reply-To: <39DC135F7F0571489196E0B6F5D58B4A03B45EED@MWBEXCH.mweb.com>
Subject: Re: GRE Limitation
Rudi Kramer - MWEB wrote:
> I had the same issue and when I checked with our ms-admin team they said
> it was a Microsoft limitation.

Quite the opposite. Since Windows2000 MS introduced, or started using, a
CallID in the GRE header. Remember, many-to-one NAT has only become
widely used/mandatory in recent years, I remember getting a full ClassC
subnet from my first provider (128Kbps, ca. 1995-1996) without even
asking.

Angelo Turetta
Modena - Italy
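Chris's point (pf keys GRE state on source, destination and protocol only) and Angelo's (PPTP carries a Call ID in its GRE header) as an added example, not code from pf or from anyone in the thread: a parser for the enhanced GRE header PPTP uses (RFC 2637) and a comparison of the two state keys over constructed post-NAT traffic from two internal clients to one PPTP server. Addresses, call IDs and payloads are constructed; a real NAT would additionally have to learn the call-ID pairs from the TCP/1723 control channel, which this example leaves out.

```python
"""Why (src, dst, proto) GRE state collides for PPTP behind one NAT address.

Added example; not pf code. Parses the RFC 2637 enhanced GRE header and
compares the two state keys discussed in the thread.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

GRE_PROTO = 47             # IP protocol number for GRE
PPTP_ETHERTYPE = 0x880B    # Protocol Type field in PPTP's GRE header
FLAG_K, FLAG_S, FLAG_A = 0x20, 0x10, 0x80   # K and S in byte 0, A in byte 1


@dataclass(frozen=True)
class PptpGre:
    payload_len: int
    call_id: int            # the peer's Call ID (RFC 2637 section 4.1)
    seq: Optional[int]
    ack: Optional[int]


def parse_pptp_gre(data: bytes) -> PptpGre:
    """Parse the enhanced GRE header carried by every PPTP data packet."""
    if len(data) < 8:
        raise ValueError("short GRE header")
    flags, flags2, proto, payload_len, call_id = struct.unpack("!BBHHH", data[:8])
    version = flags2 & 0x07
    if proto != PPTP_ETHERTYPE or version != 1 or not flags & FLAG_K:
        raise ValueError("not a PPTP enhanced GRE header")
    off, seq, ack = 8, None, None
    if flags & FLAG_S:                       # sequence number present
        seq = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    if flags2 & FLAG_A:                      # acknowledgment number present
        ack = struct.unpack("!I", data[off:off + 4])[0]
    return PptpGre(payload_len, call_id, seq, ack)


def build_pptp_gre(call_id: int, payload: bytes, seq: Optional[int] = None,
                   ack: Optional[int] = None) -> bytes:
    """Build a constructed PPTP GRE packet (used for the sample traffic)."""
    flags = FLAG_K | (FLAG_S if seq is not None else 0)
    flags2 = 0x01 | (FLAG_A if ack is not None else 0)   # version 1
    hdr = struct.pack("!BBHHH", flags, flags2, PPTP_ETHERTYPE, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


Packet = Tuple[str, str, bytes]    # (src ip, dst ip, GRE bytes) as seen after NAT


def classic_key(src: str, dst: str) -> Tuple[str, str, int]:
    """The key the thread says pf uses for GRE: src, dst, protocol."""
    return (src, dst, GRE_PROTO)


def callid_key(src: str, dst: str, gre: PptpGre) -> Tuple[str, str, int, int]:
    """The finer key Chris describes: src, dst, protocol plus GRE Call ID."""
    return (src, dst, GRE_PROTO, gre.call_id)


def distinct_states(packets: List[Packet]) -> Tuple[int, int]:
    """Return (#states under the classic key, #states under the Call-ID key)."""
    classic = {classic_key(s, d) for s, d, _ in packets}
    fine = {callid_key(s, d, parse_pptp_gre(p)) for s, d, p in packets}
    return len(classic), len(fine)


NAT_PUBLIC = "203.0.113.1"      # constructed: the firewall's single public address
PPTP_SERVER = "198.51.100.5"    # constructed: one external PPTP server
SAMPLE_PACKETS: List[Packet] = [
    # session 1: internal client A <-> server; call IDs constructed
    (NAT_PUBLIC, PPTP_SERVER, build_pptp_gre(0x0001, b"\xff\x03", seq=1)),
    (PPTP_SERVER, NAT_PUBLIC, build_pptp_gre(0x1000, b"\xff\x03", seq=1, ack=1)),
    # session 2: internal client B <-> the same server, same NAT address
    (NAT_PUBLIC, PPTP_SERVER, build_pptp_gre(0x0002, b"\xff\x03", seq=1)),
    (PPTP_SERVER, NAT_PUBLIC, build_pptp_gre(0x1001, b"\xff\x03", seq=1, ack=1)),
]

if __name__ == "__main__":
    classic, fine = distinct_states(SAMPLE_PACKETS)
    print(f"two PPTP sessions: {classic} states by (src,dst,proto), "
          f"{fine} states by (src,dst,proto,callid)")
```

Two sessions collapse into one state per direction under the classic key, which is the single-session-per-server limit quoted from the pfSense site; the Call-ID key keeps all four directions apart.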