From owner-freebsd-pf@FreeBSD.ORG Mon Nov 22 11:03:53 2004
From: FreeBSD bugmaster
To: pf@FreeBSD.org
Date: Mon, 22 Nov 2004 11:03:52 GMT
Subject: Current problem reports assigned to you
List-Id: Technical discussion and general questions about packet filter (pf)

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
p [2004/10/08] kern/72444  pf    PF can't properly detect interface after

1 problem total.
Non-critical problems

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 22 19:46:00 2004
From: "J. Martin Petersen"
To: freebsd-pf@freebsd.org
Date: Mon, 22 Nov 2004 20:45:53 +0100
Subject: Problems with active FTP and ftp-proxy

Hi

We've recently set up FreeBSD 5.3 with pf as NAT gateway and firewall for our local network with 800-1000 users. Most things, including prioritizing traffic, work just fine, but I can't get active FTP from internal clients to work. I've added the rules noted at http://www.openbsd.org/faq/pf/ftp.html, but it doesn't really work.

I can see from the debug log output from ftp-proxy that it proxies the FTP connection, and I can see from netstat that it actually listens on the port it claims to listen on. I can also see with tcpdump that the FTP server also responds to that port.
But ftp-proxy still times out a bit later with the error "cannot connect data channel (Operation timed out)".

Here are snippets of the relevant logs and configuration files:

--tcpdump pflog0--
rule 153/0(match): pass in on em0: IP 10.1.4.50.2767 > 127.0.0.1.8021: S 2138343662:2138343662(0) win 65535
rule 155/0(match): pass in on fxp0: IP 195.41.131.10.21 > 195.24.1.195.53620: S 3860699189:3860699189(0) ack 3533547730 win 5792
rule 155/0(match): pass in on fxp0: IP 195.41.131.10.20 > 195.24.1.195.51169: S 3863458569:3863458569(0) win 5840

--the relevant rules--
@153 pass log on em0 inet from 10.1.4.50 to any modulate state
@155 pass in log on fxp0 inet proto tcp from any to 195.24.1.195 user = 62 keep state

--netstat -an--
tcp4       0      0  195.24.1.195.57875     10.1.4.50.5001         SYN_SENT
tcp4     185      0  195.24.1.195.51169     195.41.131.10.20       CLOSE_WAIT
tcp4      54      0  195.24.1.195.53620     195.41.131.10.21       ESTABLISHED

--log output from ftp-proxy--
Nov 22 20:00:40 fw ftp-proxy[56849]: accepted connection from 10.1.4.50:2767 to 195.41.131.10:21
Nov 22 20:00:40 fw ftp-proxy[56849]: local socket is 195.24.1.195:53620
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 220 ProFTPD 1.2.9rc3 Server (linux1.unoeuro.com) [linux1.unoeuro.com]^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: USER rxd.dk^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 331 Password required for rxd.dk.^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: PASS XXXX
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 230 User rxd.dk logged in.^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: SYST^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 215 UNIX Type: L8^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: FEAT^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 211-Features:^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: MDTM^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: REST STREAM^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: SIZE^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 211 End^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: PWD^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 257 "/" is current directory.^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: TYPE A^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 200 Type set to A^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: PORT 10,1,4,50,19,137^M
Nov 22 20:00:40 fw ftp-proxy[56849]: Got a PORT command
Nov 22 20:00:40 fw ftp-proxy[56849]: client wants us to use 10.1.4.50:5001
Nov 22 20:00:40 fw ftp-proxy[56849]: we want server to use 195.24.1.195:51169
Nov 22 20:00:40 fw ftp-proxy[56849]: to server (modified): PORT 195,24,1,195,199,225^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 200 PORT command successful^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: LIST^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server listen socket ready
Nov 22 20:01:55 fw ftp-proxy[56849]: cannot connect data channel (Operation timed out)

--inetd.conf--
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -V -D 2 -n -a 195.24.1.195

--excerpts from pf.conf--
ext_if0="fxp0"
ext_gw0="195.24.1.193"
int_if="em0"
loo_if="lo0"

scrub all

nat on $ext_if0 from $int_if:network to any -> ($ext_if0)
nat on $ext_if1 from $int_if:network to any -> ($ext_if1)
rdr on $ext_if0 proto $www_proto from any to any port $www_ports -> $www
rdr on $ext_if0 proto $dns_proto from any to any port $dns_ports -> $dns
rdr on $int_if proto tcp from "10.1.4.50" to any port ftp -> $loo_if port ftp-proxy

antispoof for $int_if inet
antispoof for $ext_if0 inet

pass on $int_if all
pass quick on $loo_if all
pass log on $int_if from "10.1.4.50" modulate state
pass out on $ext_if0 user proxy
pass in log on $ext_if0 inet proto tcp from any to $ext_if0 user proxy keep state

Passive FTP works just fine, both with and without the "-n" flag for ftp-proxy. "10.1.4.50" is the test machine I'm testing from, and it doesn't work either if I substitute "any" for it.

Do you have any suggestions?

/Martin
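An added checker, not part of Martin's post, that decodes the PORT arguments from the ftp-proxy debug log and looks each leg of the active-FTP data channel up in the netstat -an output, so that one can see which leg never completes (here the proxy's connection back to the internal client, which netstat shows in SYN_SENT). The sample log and netstat lines are the ones quoted above; the function names and the "server_leg"/"client_leg" labels are my own.

```python
import re

# Lines quoted from the post's ftp-proxy debug log and netstat -an output.
FTP_PROXY_LOG = """\
Nov 22 20:00:40 fw ftp-proxy[56849]: client: PORT 10,1,4,50,19,137^M
Nov 22 20:00:40 fw ftp-proxy[56849]: to server (modified): PORT 195,24,1,195,199,225^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server listen socket ready
Nov 22 20:01:55 fw ftp-proxy[56849]: cannot connect data channel (Operation timed out)
"""

NETSTAT_AN = """\
tcp4       0      0  195.24.1.195.57875     10.1.4.50.5001         SYN_SENT
tcp4     185      0  195.24.1.195.51169     195.41.131.10.20       CLOSE_WAIT
tcp4      54      0  195.24.1.195.53620     195.41.131.10.21       ESTABLISHED
"""

PORT_RE = re.compile(r"PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def decode_port_arg(arg):
    """'h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256 + p2), the RFC 959 PORT encoding."""
    parts = [int(x) for x in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed PORT argument: %r" % arg)
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]


def encode_port_arg(ip, port):
    """Inverse of decode_port_arg: the rewritten PORT argument the proxy sends to the server."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return "%s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)


def port_commands(log):
    """Return (client_endpoint, proxied_endpoint) from the PORT lines of the proxy log.
    client_endpoint is where the client asked the data connection to go;
    proxied_endpoint is the external address/port the server was told to use instead."""
    client = proxied = None
    for line in log.splitlines():
        m = PORT_RE.search(line)
        if not m:
            continue
        endpoint = decode_port_arg(",".join(m.groups()))
        if "to server (modified)" in line:
            proxied = endpoint
        elif "client:" in line:
            client = endpoint
    return client, proxied


def split_endpoint(s):
    """BSD netstat prints 'a.b.c.d.port'; split off the last dotted field as the port."""
    host, port = s.rsplit(".", 1)
    return host, int(port)


def netstat_states(text):
    """Map (local, foreign) -> TCP state from netstat -an lines."""
    states = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        states[(fields[3], fields[4])] = fields[5]
    return states


def data_channel_legs(log, netstat):
    """TCP state of both data-channel legs: server -> proxy listen socket, proxy -> client.
    A leg with no socket at all is reported as None."""
    client, proxied = port_commands(log)
    legs = {"server_leg": None, "client_leg": None}
    for (local, foreign), state in netstat_states(netstat).items():
        if split_endpoint(local) == proxied:      # inbound leg from the FTP server
            legs["server_leg"] = state
        if split_endpoint(foreign) == client:     # outbound leg to the internal client
            legs["client_leg"] = state
    return legs


def diagnose(log, netstat):
    legs = data_channel_legs(log, netstat)
    if legs["server_leg"] is None:
        return "server never connected to the proxied PORT address"
    if legs["client_leg"] == "SYN_SENT":
        return "server leg %s, client leg stuck in SYN_SENT" % legs["server_leg"]
    return "server leg %s, client leg %s" % (legs["server_leg"], legs["client_leg"])


if __name__ == "__main__":
    print(diagnose(FTP_PROXY_LOG, NETSTAT_AN))
```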
/Martin

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 23 01:11:57 2004
From: "R. Tyler Ballance"
To: freebsd-pf@freebsd.org
Date: Mon, 22 Nov 2004 19:10:53 -0600
Subject: pf on FreeBSD 4,5,6,etc ;)

Howdy there,

I'm slightly curious about running packet filter on FreeBSD 4.10-RELEASE.

Now, before I get flamed about just upgrading to 5.3-STABLE, let me just say that that won't be happening until the uniprocessor performance improves (but that's another can 'o' beans).

Anyways, I'm developing an application for my university (Texas A&M), and I can support packet filter on NetBSD-current and OpenBSD 3.5,6, but I'm a bigger fan of FreeBSD, not to mention the university runs its main firewalls
on Drawbridge (http://drawbridge.tamu.edu) on FreeBSD 4.xx-STABLE.

It'd be much easier to convince them to switch the internal bridges from slackware to FreeBSD 4.10-STABLE than FreeBSD 5.3-STABLE ;)

Can it be done, or am I barking up the wrong tree?

-R. Tyler Ballance

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 23 01:27:54 2004
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Tue, 23 Nov 2004 02:28:15 +0100
Subject: Re: pf on FreeBSD 4,5,6,etc ;)

On Tuesday 23 November 2004 02:10, R. Tyler Ballance wrote:
> Howdy there,
>
> I'm slightly curious about running packet filter on FreeBSD
> 4.10-RELEASE.
>
> Now, before I get flamed about just upgrading to 5.3-STABLE, let me just
> say that that won't be happening until the uniprocessor performance
> improves (but that's another can 'o' beans)
>
> Anyways, I'm developing an application for my university (Texas A&M),
> and I can support packet filter on NetBSD-current, and OpenBSD 3.5,6,
> but I'm a bigger fan of FreeBSD, not to mention, the university runs
> its main firewalls on Drawbridge (http://drawbridge.tamu.edu) on
> FreeBSD 4.xx-STABLE.
>
> It'd be much easier to convince them to switch the internal bridges from
> slackware to FreeBSD 4.10-STABLE than FreeBSD 5.3-STABLE ;)
>
> Can it be done, or am I barking up the wrong tree?
There is pf in KAME and it should be able to get it out of the KAME snapshots. I, myself, don't use 4.x and rather work on improving 5/6 ...

It can be done. KAME should be a good starting point. I'd be happy to see it. ... BUT I won't do it.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 24 16:59:43 2004
From: Max Laier
To: ed@il.fontys.nl, mlaier@FreeBSD.org, pf@FreeBSD.org
Date: Wed, 24 Nov 2004 16:59:43 GMT
Subject: Re: kern/72444: PF can't properly detect interface after 'ifconfig XXX name YYY'
Synopsis: PF can't properly detect interface after 'ifconfig XXX name YYY'

State-Changed-From-To: patched->closed
State-Changed-By: mlaier
State-Changed-When: Wed Nov 24 16:58:12 GMT 2004
State-Changed-Why:
The fix has been MFCed to RELENG_5. Thanks.

http://www.freebsd.org/cgi/query-pr.cgi?pr=72444

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 24 17:14:23 2004
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Wed, 24 Nov 2004 18:14:38 +0100
In-Reply-To: <419EA38B.4000907@cuk.nu>
Subject: Re: pf multipath nat
Marko,

[ Please line-wrap your mail ]

On Saturday 20 November 2004 02:53, Marko Cuk wrote:
> I have a question regarding this...
>
> What happens if one of the uplinks goes down? What does pf know about
> states of interfaces and availability?

Nothing. In OpenBSD there is a daemon called ifstated(8) which monitors the interface states and can take action if one link goes down. For instance, it could remove the related rules from an anchor.

Fortunately, Matthew George has just recently ported ifstated(8) and it has been included into the ports collection as net/ifstated:
http://www.freshports.org/net/ifstated/

> I'd like to know also how to configure FreeBSD to send out packets with
> the proper source IP, and what is the default route in that case? Can anyone
> speak a little about that?

That depends on what you want. For traffic from your LAN you explicitly set the source IP in the NAT rules. For traffic originating from the gateway itself, you have to decide where you want it to go and how it should get there. You can always ask pf to pick up that traffic as well and transform it in the same ways you do it for traffic originated from your LAN/DMZ.
> Tnx, Marko Cuk
>
> On Tuesday 16 November 2004 13:08, Łukasz Dudek wrote:
> > On Tue, Nov 09, 2004 at 02:13:34 +0100, Łukasz Dudek wrote:
> > > On Mon, Nov 08, 2004 at 04:21:39 +0100, Max Laier wrote:
> > > > On Monday 08 November 2004 15:30, Łukasz Dudek wrote:
> > > > > I've tried to configure multipath NAT using a RELENG_5 box
> > > > > (when it was current and now when it became stable)
> >
> > this is the full ruleset
>
> Okay, sorry for the delay, but I was (and in fact still am) very busy with
> real life these days. Will hopefully resume to full working speed soon.
>
> Nonetheless, I finally found some time to rig a test setup for this ruleset
> with two Soekris boxes. Unfortunately I wasn't able to see any problem. No
> hang, no stalling, nothing! Can you please try to get more information
> about the problem in your setup?
>
> I need to know what kind of "hang" it is. Deadlock, livelock, etc? Try to
> break into the debugger via serial console or Ctrl + Alt + Esc etc. I
> cannot reproduce it, sorry.
>
> Does anybody successfully run more than one uplink in this way? What
> hardware do you have?
>
> Same question to Łukasz, what kind of box is this? Are we looking at an SMP
> box?
>
> > Can I provide any more information, or is there anything I can
> > do to help resolve this issue? Has anyone been able to reproduce this
> > behaviour? I would really like to utilize the second link using the FreeBSD box;
> > moving every service from free to open will be a performance loss and
> > services/network downtime. This box without configuring the second link
> > is 100% stable.
>
> I really need some definite description of the problem. "It seems to hang"
> is way too imprecise, sorry.
-- 
Max Laier | mlaier@freebsd.org | http://pf4freebsd.love2party.net/

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 25 12:48:25 2004
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Thu, 25 Nov 2004 13:48:46 +0100
Subject: RFC: CARP - what's (not) working
All,

I know that quite a few of you are running my CARP patches and some have already told me that they have it working "well enough". I'd like to use this weekend to do a (hopefully) final round of read-through and OpenBSD import and hope to get things on track afterwards. For this task to be successful I need *YOUR* input.

Please send me a short note (off-list) if you have it working. I am *not* interested in build errors (because I know it can be built)! But I am interested in your problems with the running setup. If you experienced any problems, please let me know. If you already use it successfully, please let me know as well. Describe your setup with a few words.

To make it easier for me, it'd be great if you could keep it short and to the point, but better write two lines more if you have to. I'd also like to ask you to prepend your *descriptive* subject line with "[CARP]". As in:

[CARP] Working - VLAN woes

Please also re-report everything that has not yet been addressed. I had busy times and most likely just lost track of your mail.

Many thanks in advance. More good news on Monday - I hope!
-- 
Max Laier | mlaier@freebsd.org | http://pf4freebsd.love2party.net/

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 25 22:13:24 2004
From: bobby cheema
To: freebsd-pf@freebsd.org
Date: Fri, 26 Nov 2004 11:13:22 +1300
Subject: Pf on freebsd 5.3

Hi all

I am running FreeBSD 5.3 and trying to run pf on it. I added these lines to /etc/rc.conf:

pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_program="/sbin/pfctl"

Before writing any rule I tried to test if I can enable pf. Running /etc/rc.d/pf and pfctl -e returns:

No ALTQ support in kernel
ALTQ related functions disabled
pfctl: DIOCSTART: Operation not permitted

Well, if we don't care about ALTQ at this stage, why does DIOCSTART fail?
I am new to BSD and PF. Your help or any pointer is greatly appreciated.

Regards
-Bobby

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 25 23:16:41 2004
From: Max Laier
To: freebsd-pf@freebsd.org
Cc: bobby cheema
Date: Fri, 26 Nov 2004 00:17:03 +0100
Subject: Re: Pf on freebsd 5.3

On Thursday 25 November 2004 23:13, bobby cheema wrote:
> Hi all
>
> I am running freebsd 5.3 and trying to run pf on it, I added these
> lines to /etc/rc.conf
> pf_enable="YES"
> pf_rules="/etc/pf.conf"
> pf_program="/sbin/pfctl"
>
> Before writing any rule I tried to test if I can enable pf. Running the
> /etc/rc.d/pf and pfctl -e returns
>
> No ALTQ support in kernel
> ALTQ related functions disabled
> pfctl: DIOCSTART: Operation not permitted
>
> Well, if we don't care about ALTQ at this stage, why does DIOCSTART fail?
> I am new to BSD and PF. Your help or any pointer is greatly appreciated.

You have /dev/pf available and write permission to it, right? Might you be running with a securelevel >= 2, by chance?
-- 
Max Laier | mlaier@freebsd.org | http://pf4freebsd.love2party.net/

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 26 19:31:33 2004
From: Max Laier
To: Jonathan Weiss
Cc: freebsd-pf@freebsd.org
Date: Fri, 26 Nov 2004 20:31:49 +0100
Subject: Re: Strange behaviour with PF on FreeBSD 5.3-STABLE
On Friday 26 November 2004 19:05, Jonathan Weiss wrote:
> Hi Max,
>
> > You are supposed to have a NAT rule somewhere. Please let us know the
> > complete ruleset (including translation rules) and include match counters
> > so that people can figure if a certain rule is matched at all (pfctl -vv
> > -sn -sr).
>
> This was my complete ruleset, as I switched from my default ruleset in
> order to debug the problem.
>
> ext_if="ed0"
> int_if="vr0"
> tun_if="tun0"
> internal_net="192.168.0.0/24"
>
> set loginterface $tun_if
>
> #nat on $tun_if from $internal_net to any -> ($tun_if)
>
> #default block
> block return log-all
>
> pass on $tun_if
> pass on $ext_if
> pass on $int_if
>
> --------------------------------------
> pfctl -vv -sn -sr
> @0 block return log-all all
> [ Evaluations: 2171 Packets: 1130 Bytes: 69021 States: 0
> @1 pass on tun0 all
> [ Evaluations: 2171 Packets: 0 Bytes: 0 States: 0

Hmmm ... tun0 is never matched against. Can I have a look at $ifconfig and $pfctl -vvsI ? Also try to watch pflog ($ifconfig pflog0 up && tcpdump -vvvnei pflog0). What does it say?

> @2 pass on ed0 all
> [ Evaluations: 2171 Packets: 0 Bytes: 0 States: 0
> @3 pass on vr0 all
> [ Evaluations: 2171 Packets: 1041 Bytes: 65738 States: 0
>
> > Make sure that the NAT rule has dynamic address tracking (as I think you
> > get a dynamic IP from your ISP). The rule should look something like:
> > nat on tun0 from $internalnet to any -> (tun0)
>
> I use the NAT from ppp, but I think that this is not related, as the
> problem occurs at (or better: also at) the firewall (i386 FreeBSD 5.3-STABLE
> of yesterday).
The firewall itself (and everything behind it) cannot > connect over ppp to external servers when the default block rule is > activated. Hmmm - strange. Might be realted to the pf_if.c changes. What version are y= ou=20 running? RELENG_5? RELENG_5_3? HEAD? Did you (src-)update your kernel befor= e=20 the symptoms occurred? pf_if.c: 1.5.2.2 (RELENG_5) or 1.7 (HEAD)? > When I deactivate the rule, everything runs smoothly. > > > Also note, that we have a pf related mailinglist on FreeBSD, called > > freebsd-pf@freebsd.org. You might want to subscribe and take the > > discussion there: http://lists.freebsd.org/mailman/listinfo/freebsd-pf > > Thanks, I will suscribe. Should we change with this discussion the > freebsd-centrinc mailinglist? I just did. =2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart1121198.aamq6dRQhY Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (FreeBSD) iD8DBQBBp4S0XyyEoT62BG0RAnVvAJ4tns+dbfbhbB2+RgzNu/X1A2yG/QCfWDie zYMPvwBWcU7Z3x13lH+d2+o= =vqEG -----END PGP SIGNATURE----- --nextPart1121198.aamq6dRQhY-- From owner-freebsd-pf@FreeBSD.ORG Sat Nov 27 02:43:33 2004 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 893ED16A4CE for ; Sat, 27 Nov 2004 02:43:33 +0000 (GMT) Received: from mail.gmx.net (mail.gmx.de [213.165.64.20]) by mx1.FreeBSD.org (Postfix) with SMTP id 7316B43D5D for ; Sat, 27 Nov 2004 02:43:32 +0000 (GMT) (envelope-from tomonage2@gmx.de) Received: (qmail 13496 invoked by uid 65534); 27 Nov 2004 02:43:30 -0000 Received: from pD95696F9.dip.t-dialin.net (EHLO [192.168.0.196]) (217.86.150.249) by mail.gmx.net (mp024) with SMTP; 27 Nov 2004 03:43:30 +0100 X-Authenticated: #7843803 User-Agent: Microsoft-Entourage/11.1.0.040913 Date: Sat, 27 Nov 
2004 03:43:26 +0100 From: Jonathan Weiss To: Max Laier Message-ID: In-Reply-To: <200411262032.04809.max@love2party.net> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit cc: freebsd-pf@freebsd.org Subject: Re:Strange behaviour with PF on FreeBSD 5.3-STABLE X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 27 Nov 2004 02:43:33 -0000 Hi Max, I just found out what the problem was, somehow, ppp created tun1 and tun0 and used tun1 for the ppp-connection. tun1 was not in the pass-rules, so it got blocked. I never had a tun1 before, so it did not came to my mind to include it in the rule-set and when looking at ifconfig I overlooked the one-liner tun0 and just saw that tun1 got an ip. Thank you for your help, Jonathan > On Friday 26 November 2004 19:05, Jonathan Weiss wrote: >> Hi Max, >> >>> You are supposed to have a NAT rule somewhere. Please let us know the >>> complete ruleset (including translation rules) and include match counters >>> so that people can figure if a certain rule is matched at all (pfctl -vv >>> -sn -sr). >> >> This was my complete ruleset, as I switched from my default ruleset in >> order to debug the problem. >> >> ext_if="ed0" >> int_if="vr0" >> tun_if="tun0" >> internal_net="192.168.0.0/24" >> >> set loginterface $tun_if >> >> #nat on $tun_if from $internal_net to any -> ($tun_if) >> >> #default block >> block return log-all >> >> pass on $tun_if >> pass on $ext_if >> pass on $int_if >> >> -------------------------------------- >> pfctl -vv -sn -sr >> @0 block return log-all all >> [ Evaluations: 2171 Packets: 1130 Bytes: 69021 States: 0 >> @1 pass on tun0 all >> [ Evaluations: 2171 Packets: 0 Bytes: 0 States: 0 > > Hmmm ... tun0 is never matched against. 
Can I have a look at $ifconfig and > $pfctl -vvsI ? Also try to watch pflog ($ifconfig pflog0 up && tcpdump > -vvvnei pflog0) What does it say? > >> @2 pass on ed0 all >> [ Evaluations: 2171 Packets: 0 Bytes: 0 States: 0 >> @3 pass on vr0 all >> [ Evaluations: 2171 Packets: 1041 Bytes: 65738 States: 0 >> >>> Make sure that the NAT rule has dynamic address tracking (as I think you >>> get a dynamic IP from you ISP). The rule should look something like: >>> nat on tun0 from $internalnet to any -> (tun0) >> >> I use the NAT from ppp, but I think that this is not related, as the >> problem occur at (or better: also at) the firewall (i386 FreeBSD 5.3-STABLE >> of yesterday). The firewall itself (and everything behind it) cannot >> connect over ppp to external servers when the default block rule is >> activated. > > Hmmm - strange. Might be realted to the pf_if.c changes. What version are you > running? RELENG_5? RELENG_5_3? HEAD? Did you (src-)update your kernel before > the symptoms occurred? > > pf_if.c: 1.5.2.2 (RELENG_5) or 1.7 (HEAD)? > >> When I deactivate the rule, everything runs smoothly. >> >>> Also note, that we have a pf related mailinglist on FreeBSD, called >>> freebsd-pf@freebsd.org. You might want to subscribe and take the >>> discussion there: http://lists.freebsd.org/mailman/listinfo/freebsd-pf >> >> Thanks, I will suscribe. Should we change with this discussion the >> freebsd-centrinc mailinglist? > > I just did.
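The diagnostic Max asked for (rule counters from pfctl -vv -sr, interface list from ifconfig) and the root cause Jonathan found (an interface, tun1, that no pass rule names, so the catch-all block swallows its traffic) can be checked mechanically. The script below is an added example written for this archive, not code from either poster or from the pf project. It parses the counter layout pfctl prints for each rule, lists rules that were evaluated but never matched a packet, and compares the interfaces named in rules against the host's interface list; the sample pfctl output and the ifconfig -l line (including tun1) are constructed for the example, and the set of interfaces to ignore (lo0, pflog0, pfsync0) is an assumption you may want to adjust.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Constructed sample: the counters Jonathan posted, in the layout
# `pfctl -vv -sr` uses (a rule line followed by a bracketed counter line).
SAMPLE_PFCTL_RULES = """\
@0 block return log-all all
  [ Evaluations: 2171      Packets: 1130      Bytes: 69021      States: 0     ]
@1 pass on tun0 all
  [ Evaluations: 2171      Packets: 0         Bytes: 0          States: 0     ]
@2 pass on ed0 all
  [ Evaluations: 2171      Packets: 0         Bytes: 0          States: 0     ]
@3 pass on vr0 all
  [ Evaluations: 2171      Packets: 1041      Bytes: 65738      States: 0     ]
"""

# Constructed sample of `ifconfig -l` on the same box: ppp has brought up
# tun1 next to the tun0 the ruleset expects (hypothetical interface list).
SAMPLE_IFCONFIG_L = "ed0 vr0 lo0 pflog0 tun0 tun1"

RULE_RE = re.compile(r"^@(?P<num>\d+)\s+(?P<text>.+?)\s*$")
COUNTER_RE = re.compile(
    r"Evaluations:\s*(?P<evals>\d+)\s+Packets:\s*(?P<pkts>\d+)"
    r"\s+Bytes:\s*(?P<nbytes>\d+)\s+States:\s*(?P<states>\d+)"
)
# "pass on tun0 all" names tun0; a rule without "on <if>" applies everywhere.
ON_IFACE_RE = re.compile(r"\bon\s+(?P<iface>[a-z]+\d+)\b")


@dataclass
class Rule:
    num: int
    text: str
    evaluations: int = 0
    packets: int = 0
    nbytes: int = 0
    states: int = 0

    @property
    def interface(self) -> Optional[str]:
        m = ON_IFACE_RE.search(self.text)
        return m.group("iface") if m else None


def parse_pfctl_rules(output: str) -> List[Rule]:
    """Parse `pfctl -vv -sr` output into Rule objects carrying their counters."""
    rules: List[Rule] = []
    for raw in output.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(int(m.group("num")), m.group("text")))
            continue
        m = COUNTER_RE.search(line)
        if m and rules:  # counter line belongs to the rule just parsed
            r = rules[-1]
            r.evaluations = int(m.group("evals"))
            r.packets = int(m.group("pkts"))
            r.nbytes = int(m.group("nbytes"))
            r.states = int(m.group("states"))
    return rules


def never_matched(rules: List[Rule]) -> List[Rule]:
    """Rules pf evaluated but that never matched a packet: the ones to suspect."""
    return [r for r in rules if r.evaluations > 0 and r.packets == 0]


def uncovered_interfaces(rules: List[Rule], ifconfig_l: str,
                         ignore: Sequence[str] = ("lo0", "pflog0", "pfsync0")) -> List[str]:
    """Interfaces present on the host that no rule names with `on <if>`.

    With a catch-all block rule in front, traffic on these interfaces is
    dropped even though every named interface has a pass rule.
    """
    named = {r.interface for r in rules if r.interface}
    return [i for i in ifconfig_l.split() if i not in named and i not in ignore]


if __name__ == "__main__":
    rules = parse_pfctl_rules(SAMPLE_PFCTL_RULES)
    for r in never_matched(rules):
        print(f"@{r.num} '{r.text}': evaluated {r.evaluations} times, matched 0 packets")
    for iface in uncovered_interfaces(rules, SAMPLE_IFCONFIG_L):
        print(f"{iface}: up on the host but named in no rule; the default block catches it")
```

On the sample input the first check flags @1 (tun0) and @2 (ed0) as evaluated-but-unmatched, which is exactly what prompted Max's question, and the second check reports tun1 as the interface no rule covers. Feeding it live output (`pfctl -vv -sr` and `ifconfig -l`) instead of the constructed samples turns the same thread into a repeatable post-change check for a pf host.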