From owner-freebsd-pf@FreeBSD.ORG Sun Aug 21 08:14:12 2005
Date: Sun, 21 Aug 2005 18:14:11 +1000
From: Jayel Villamin
To: freebsd-pf@freebsd.org
Subject: bittorrent and pf (fbsd 5.4)

snippets of relevant pf.conf code
=======
ext_if = "tun0"
tomo_bittorrent = "19969"
tomo = "192.168.2.2/32"

rdr on $ext_if proto tcp from any to ($ext_if) port $tomo_bittorrent -> $tomo

pass in quick on $ext_if inet proto tcp from any to $tomo port $tomo_bittorrent flags S/SA keep state
==============

My problem is that I can't upload to people but I can download from them.

Does anyone have any ideas?

The client I'm using allows users to change the default port to a custom one.

Thanks for the replies.
:)

From owner-freebsd-pf@FreeBSD.ORG Sun Aug 21 19:24:40 2005
Date: Sun, 21 Aug 2005 16:24:39 -0300 (ART)
From: Aguiar Magalhaes
To: freebsd-pf@freebsd.org
Subject: nmap

List,

How can I block nmap options using PF ??

Thanks...

From owner-freebsd-pf@FreeBSD.ORG Sun Aug 21 21:18:33 2005
Date: Sun, 21 Aug 2005 23:18:30 +0200
From: Hexren
To: Aguiar Magalhaes
Cc: freebsd-pf@freebsd.org
Subject: Re: nmap

> List,
> How can I block nmap options using PF ??
> Thanks...

---------------------------------------------

block in all
block out all

From owner-freebsd-pf@FreeBSD.ORG Sun Aug 21 22:45:08 2005
Date: Sun, 21 Aug 2005 19:45:22 -0300
From: Márcio Luciano Donada
To: freebsd-pf@freebsd.org
Subject: Re: nmap

Aguiar Magalhaes wrote:

>List,
>
>How can I block nmap options using PF ??
>
>Thanks...
>
Good Day,
A good idea is to keep the firewall totally closed for outgoing and incoming traffic.
That way you allow access only to services such as www and ftp, for example.
With this, the probability of nmap functioning on your server is very small.

[]'s
Márcio

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 22 02:45:08 2005
From: Brad Bendy
To: freebsd-pf@freebsd.org
Date: Sun, 21 Aug 2005 19:34:57 -0700
Subject: Running NAT and accessing WAN IP address from NAT'ed machines

I'm running m0n0wall (BSD 4.10). Does anyone know, on the BSD 5.x series or with
any version patches, whether you can set up NAT to allow machines that are on the
NAT itself (private IP space) to access the WAN IP address of the firewall? I
can't seem to find anything anywhere; any help would be great!

Thanks
Brad

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 22 03:12:46 2005
From: "Jason"
Date: Sun, 21 Aug 2005 22:12:45 -0500
Subject: Support for max-src-conn, max-src-conn-rate, overload

I have noticed that these features of PF are supported in OpenBSD's pf, but
not FreeBSD's pf. Is there any patch to add them, or plan to add support
for them in the future? Have I done something wrong? Thanks.

max-src-conn number
max-src-conn-rate number / interval
overload flush [global]

Example of usage from the OpenBSD PF manual:

table persist
block in quick from
pass in on $ext_if proto tcp to $web_server \
    port www flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload flush)

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 22 06:28:09 2005
Date: Mon, 22 Aug 2005 09:28:04 +0300
From: Huzeyfe Onal
To: Márcio Luciano Donada
Cc: freebsd-pf@freebsd.org
Subject: Re: nmap

hi,
try to use scrub packets using scrub with options...
like

scrub in on $ext_if

On 8/22/05, Márcio Luciano Donada wrote:
>
> Aguiar Magalhaes wrote:
>
> >List,
> >
> >How can I block nmap options using PF ??
> >
> >Thanks...
> >
> Good Day,
> A good idea is to keep the firewall totally closed for outgoing and incoming traffic.
> That way you allow access only to services such as www and ftp, for
> example.
> With this, the probability of nmap functioning on your server is very small.
>
> []'s
> Márcio

--
Huzeyfe ÖNAL
---
First Turkish Qmail book is out! Go check it.
Have you heard! Turkey's first Qmail book is out.
http://www.acikakademi.com/catalog/qmail/

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 22 06:53:32 2005
Date: Mon, 22 Aug 2005 08:53:26 +0200
From: "J. Martin Petersen"
To: freebsd-pf@freebsd.org
Cc: Jason
Subject: Re: Support for max-src-conn, max-src-conn-rate, overload

Jason wrote:

> I have noticed that these features of PF are supported in OpenBSD's pf, but
> not FreeBSD's pf. Is there any patch to add them, or plan to add support
> for them in the future? Have I done something wrong? Thanks.

pf in FreeBSD 5.x is based on what shipped with OpenBSD 3.5, the
functionality you mention was added to pf on OpenBSD in 3.6 or 3.7. pf
in FreeBSD 6.x will be based on pf from OpenBSD 3.7, so you'll probably
find those features there (i.e. you could try the 6.0-BETA).

-Martin

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 22 10:10:22 2005
Date: Mon, 22 Aug 2005 13:10:04 +0300
From: Odhiambo Washington
To: freebsd-pf@freebsd.org
Subject: OT - ugrade from 5.4 to 6.0-BETA

* On 22/08/05 08:53 +0200, J. Martin Petersen wrote:
> Jason wrote:
> >I have noticed that these features of PF are supported in OpenBSD's pf, but
> >not FreeBSD's pf. Is there any patch to add them, or plan to add support
> >for them in the future? Have I done something wrong? Thanks.
>
> pf in FreeBSD 5.x is based on what shipped with OpenBSD 3.5, the
> functionality you mention was added to pf on OpenBSD in 3.6 or 3.7. pf
> in FreeBSD 6.x will be based on pf from OpenBSD 3.7, so you'll probably
> find those features there (i.e. you could try the 6.0-BETA).

Is there any known big harm using CVSUP to upgrade from 5.4 to 6.x?
I'd like to do this without reinstalling. Just changing the RELENG_TAG:

*default release=cvs tag=RELENG_6 (??)

I'd like to try these new features of PF on that platform.

-Wash

http://www.netmeister.org/news/learn2quote.html

--
Odhiambo Washington
Wananchi Online Ltd. www.wananchi.com

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 22 11:02:21 2005
Date: Mon, 22 Aug 2005 11:02:19 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
p  [2005/05/19] ia64/81284  pf     Unaligned Reference with pf on 5.4/IA64
o  [2005/06/15] kern/82271  pf     [pf] cbq scheduler cause bad latency

2 problems total.

Non-critical problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
p  [2005/05/04] kern/80627  pf     pf_test6: kif == NULL ...
o  [2005/05/15] conf/81042  pf     [patch] /etc/pf.os doesn't match FreeBSD

2 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 22 14:05:06 2005
Date: Mon, 22 Aug 2005 11:05:04 -0300 (ART)
From: Aguiar Magalhaes
To: freebsd-pf@freebsd.org
Subject: Re: nmap

Ok... but I'm using "scrub in all"

--- Huzeyfe Onal wrote:

> hi,
> try to use scrub packets using scrub with options...
> like
>
> scrub in on $ext_if
>
> On 8/22/05, Márcio Luciano Donada wrote:
> >
> > Aguiar Magalhaes wrote:
> >
> > >List,
> > >
> > >How can I block nmap options using PF ??
> > >
> > >Thanks...
> > >
> > Good Day,
> > A good idea is to keep the firewall totally closed for outgoing and incoming traffic.
> > That way you allow access only to services such as www and ftp, for
> > example.
> > With this, the probability of nmap functioning on your server is very small.
> >
> > []'s
> > Márcio
>
> --
> Huzeyfe ÖNAL

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 22 16:21:52 2005
Date: Mon, 22 Aug 2005 09:21:28 -0700
From: Steven Schoch
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Subject: Re: rdr only works for some ports

Daniel Hartmeier wrote:

> There are a couple of possible explanations, the two simplest ones are:
>
>  b) check that routing from 192.168.1.101 to external addresses goes
>     through the pf box (and not, for instance, through that other
>     NAT router you mentioned). replies from the sshd to the external
>     ssh client must pass back through the pf box, so it can reverse
>     the address translation.

That was it! I actually figured this out earlier. Now I feel stupid.
The default route on the 192.168.1.101 box was still pointing to the old
Netgear NAT router. I didn't notice this because the Windows XP boxes,
on which it worked, will periodically poll the DHCP server to get the
updated default router, but the Linux system only did it when booting.
--
Steve

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 22 18:34:31 2005
From: Max Laier
To: Sergey Lapin
Date: Mon, 22 Aug 2005 20:34:09 +0200
Cc: freebsd-pf@freebsd.org
Subject: Re: Fwd: Fwd: Dual-feed: PF setup troubles

On Monday 15 August 2005 17:43, Daniel Hartmeier wrote:
> Please try Max' patch, it is correct. Now I remember when we had the
> same problem in OpenBSD, I simply forgot about it. Max' patch will solve
> it, I'm quite sure :)

I haven't seen any report (for the good or otherwise) if this really fixes the
Problem. Can you please let us know if you had a chance to test it? Thanks.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

[Attachment: routefix.diff]

Index: if_ethersubr.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/net/if_ethersubr.c,v retrieving revision 1.196 diff -u -r1.196 if_ethersubr.c =2D-- if_ethersubr.c 9 Aug 2005 10:19:58 -0000 1.196 +++ if_ethersubr.c 15 Aug 2005 15:14:34 -0000 
@@ -310,7 +310,8 @@ * on the wire). However, we don't do that here for security * reasons and compatibility with the original behavior. */ =2D if ((ifp->if_flags & IFF_SIMPLEX) && (loop_copy !=3D -1)) { + if ((ifp->if_flags & IFF_SIMPLEX) && (loop_copy !=3D -1) && + m_tag_find(m, PACKET_TAG_PF_ROUTED, NULL) =3D=3D NULL) { int csum_flags =3D 0; =20 if (m->m_pkthdr.csum_flags & CSUM_IP)

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 23 10:20:58 2005
Date: Tue, 23 Aug 2005 12:20:57 +0200
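Review bot: in the routefix.diff hunk at @@ -310,7 +310,8 @@ of if_ethersubr.c, the comment block that ends just above the changed `if` still describes only the IFF_SIMPLEX loop-copy case ("we don't do that here for security reasons and compatibility with the original behavior") and gives no reason for the new `m_tag_find(m, PACKET_TAG_PF_ROUTED, NULL) == NULL` test. Please add a sentence to that comment saying that mbufs tagged PACKET_TAG_PF_ROUTED are deliberately excluded from the loopback copy and why, so the pf-specific condition in generic Ethernet output code is not later removed as unexplained. The ordering is fine as written: the tag lookup sits last in the && chain, so it only runs for simplex interfaces with loop_copy != -1.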
From: Kenneth Kalmer
To: freebsd-pf@freebsd.org
Subject: Kernel Packet Travel Guide
X-List-Received-Date: Tue, 23 Aug 2005 10:20:58 -0000

Guys

I'm busy doing some research on replacing iptables with pf. I've asked
some questions earlier and received some insightful answers, thanks
for those.

I did some googling recently, and IIRC I saw a link to a "Packet
Traveling" diagram of sorts for BSD. And for the life of me I can't
find it again.

Does anyone know where I can find such a diagram?

Regards

-- 
Kenneth Kalmer
kenneth.kalmer@gmail.com

Folding@home stats
http://vspx27.stanford.edu/cgi-bin/main.py?qtype=userpage&username=kenneth%2Ekalmer

Date: Tue, 23 Aug 2005 14:05:42 +0300
From: Huzeyfe Onal
To: Kenneth Kalmer
Cc: freebsd-pf@freebsd.org
Subject: Re: Kernel Packet Travel Guide

http://homepage.mac.com/quension/pf/flow.png ?

On 8/23/05, Kenneth Kalmer wrote:
>
> Guys
>
> I'm busy doing some research on replacing iptables with pf. I've asked
> some questions earlier and received some insightful answers, thanks
> for those.
>
> I did some googling recently, and IIRC I saw a link to a "Packet
> Traveling" diagram of sorts for BSD. And for the life of me I can't
> find it again.
>
> Does anyone know where I can find such a diagram?
>
> Regards
>
> --
>
> Kenneth Kalmer
> kenneth.kalmer@gmail.com
>
> Folding@home stats
>
> http://vspx27.stanford.edu/cgi-bin/main.py?qtype=userpage&username=kenneth%2Ekalmer
>

-- 
Huzeyfe ÖNAL
---
First Turkish Qmail book is out! Go check it.
Have you heard! Turkey's first Qmail book is out.
http://www.acikakademi.com/catalog/qmail/

Date: Tue, 23 Aug 2005 13:07:38 +0200
From: Kenneth Kalmer
To: Huzeyfe Onal
Cc: freebsd-pf@freebsd.org
Subject: Re: Kernel Packet Travel Guide

You're a legend, thanks!

On 8/23/05, Huzeyfe Onal wrote:
> http://homepage.mac.com/quension/pf/flow.png ?
>
> On 8/23/05, Kenneth Kalmer wrote:
> >
> > Guys
> >
> > I'm busy doing some research on replacing iptables with pf. I've asked
> > some questions earlier and received some insightful answers, thanks
> > for those.
> >
> > I did some googling recently, and IIRC I saw a link to a "Packet
> > Traveling" diagram of sorts for BSD. And for the life of me I can't
> > find it again.
> >
> > Does anyone know where I can find such a diagram?
> >
> > Regards
> >
> > --
> >
> > Kenneth Kalmer
> > kenneth.kalmer@gmail.com
> >
> > Folding@home stats
> > http://vspx27.stanford.edu/cgi-bin/main.py?qtype=userpage&username=kenneth%2Ekalmer
> >
>
> --
> Huzeyfe ÖNAL
> ---
> First Turkish Qmail book is out! Go check it.
> Have you heard! Turkey's first Qmail book is out.
> http://www.acikakademi.com/catalog/qmail/
>

-- 
Kenneth Kalmer
kenneth.kalmer@gmail.com

Folding@home stats
http://vspx27.stanford.edu/cgi-bin/main.py?qtype=userpage&username=kenneth%2Ekalmer

Date: Tue, 23 Aug 2005 16:11:01 +0400
From: Sergey Lapin
To: Max Laier, freebsd-pf@freebsd.org
Subject: Re: Fwd: Fwd: Dual-feed: PF setup troubles

On 8/22/05, Max Laier wrote:
> On Monday 15 August 2005 17:43, Daniel Hartmeier wrote:
> > Please try Max' patch, it is correct. Now I remember when we had the
> > same problem in OpenBSD, I simply forgot about it. Max' patch will solve
> > it, I'm quite sure :)
>
> I haven't seen any report (for the good or otherwise) if this really fixes the
> Problem. Can you please let us know if you had a chance to test it? Thanks.

Yes, it works like a charm, thanks!

Date: Tue, 23 Aug 2005 14:36:43 +0200
From: Jeremie Le Hen
To: Aguiar Magalhaes
Cc: freebsd-pf@freebsd.org
Subject: Re: nmap

> List,
>
> How can I block nmap options using PF ??

nmap scans are harmless. nmap could still use the connect(2) scan (-sT)
and blocking such a scan would prevent valid connection attempts to be
blocked as well.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From: Max Laier
To: Sergey Lapin
Cc: freebsd-pf@freebsd.org
Date: Tue, 23 Aug 2005 16:14:20 +0200
Subject: Re: Fwd: Fwd: Dual-feed: PF setup troubles

On Tuesday 23 August 2005 14:11, Sergey Lapin wrote:
> On 8/22/05, Max Laier wrote:
> > On Monday 15 August 2005 17:43, Daniel Hartmeier wrote:
> > > Please try Max' patch, it is correct. Now I remember when we had the
> > > same problem in OpenBSD, I simply forgot about it. Max' patch will
> > > solve it, I'm quite sure :)
> >
> > I haven't seen any report (for the good or otherwise) if this really
> > fixes the Problem. Can you please let us know if you had a chance to
> > test it? Thanks.
>
> Yes, it works like a charm, thanks!

Just committed to head. Scheduled for MFC in 7 days. Thank you.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Date: Tue, 23 Aug 2005 14:26:18 GMT
From: Max Laier
To: xdivac02@stud.fit.vutbr.cz, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/80627: pf_test6: kif == NULL ...

Synopsis: pf_test6: kif == NULL ...

State-Changed-From-To: patched->closed
State-Changed-By: mlaier
State-Changed-When: Tue Aug 23 14:25:43 GMT 2005
State-Changed-Why:
MFCed to RELENG_5 and _6
Thanks!

http://www.freebsd.org/cgi/query-pr.cgi?pr=80627

Date: Wed, 24 Aug 2005 02:06:42 +0200
From: Kenneth Kalmer
To: freebsd-pf@freebsd.org
Subject: Windows authpf client

Guys

I did some searching, and it seems I'm not the first with the question/idea...

In the spirit of OSS I'm considering to create a C# SSH client for the
purpose of acting as an authpf client...

Any comments/suggestions will be appreciated...

I'll keep everyone posted...

-- 
Kenneth Kalmer
kenneth.kalmer@gmail.com

Folding@home stats
http://vspx27.stanford.edu/cgi-bin/main.py?qtype=userpage&username=kenneth%2Ekalmer

Date: Wed, 24 Aug 2005 15:09:37 +0300
From: Huzeyfe Onal
Cc: freebsd-pf@freebsd.org
Subject: Re: Windows authpf client

hi,

nice idea for newbie windows users..I think it's hard to teach using
Putty....

Think as a newbie, I want a program.

-user id , password and connect button
-browse for certificate and connect button
-Minimize system tray options..
-Disconnect button etc...

On 8/24/05, Kenneth Kalmer wrote:
>
> Guys
>
> I did some searching, and it seems I'm not the first with the
> question/idea...
>
> In the spirit of OSS I'm considering to create a C# SSH client for the
> purpose of acting as an authpf client...
>
> Any comments/suggestions will be appreciated...
>
> I'll keep everyone posted...
>
> --
>
> Kenneth Kalmer
> kenneth.kalmer@gmail.com
>
> Folding@home stats
>
> http://vspx27.stanford.edu/cgi-bin/main.py?qtype=userpage&username=kenneth%2Ekalmer
>

-- 
Huzeyfe ÖNAL
---
First Turkish Qmail book is out! Go check it.
Have you heard! Turkey's first Qmail book is out.
http://www.acikakademi.com/catalog/qmail/

Date: Wed, 24 Aug 2005 17:09:14 +0200
From: Pawel Jakub Dawidek
To: freebsd-pf@freebsd.org
Subject: PF doesn't work with changed interfaces names.

Hi.

When we change interface name with:

	# ifconfig fxp0 name net0

and we add a firewall rule, restart pf, remove the rule, restart pf, we got:

Fatal trap 12: page fault while in kernel mode
fault virtual address = 0xdeadc1d7
fault code = supervisor read, page not present
instruction pointer = 0x8:0xc04525e5
stack pointer = 0x10:0xcab5d7c4
frame pointer = 0x10:0xcab5d7c8
code segment = base 0x0, limit 0xfffff, type 0x1b
             = DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 423 (sshd)
[thread 100073]
Stopped at pf_state_compare_lan_ext+0x11: movzbl 0xf9(%ebx),%eax
db> tr
pf_state_compare_lan_ext(cab5d838,deadc0de) at pf_state_compare_lan_ext+0x11
pf_state_tree_lan_ext_RB_FIND(c11e9ec0,cab5d838) at pf_state_tree_lan_ext_RB_FIND+0x1b
pf_find_state_recurse(c11e9e00,cab5d838,0,da7a0000,da7a6400) at pf_find_state_recurse+0x39
pf_test_state_tcp(cab5d97c,2,c11e9e00,c11a4400,14) at pf_test_state_tcp+0xcb
pf_test(2,c1099000,cab5da70,c12bfa8c,c13325a0) at pf_test+0x37c
pf_check_out(0,cab5da70,c1099000,2,c12bfa8c) at pf_check_out+0x4d
pfil_run_hooks(c0708a40,cab5daec,c1099000,2,c12bfa8c) at pfil_run_hooks+0xbd
ip_output(c11a4400,0,cab5dab8,0,0) at ip_output+0x736
tcp_output(c12c1380,c12bfa8c,0,40,c11a0e00) at tcp_output+0xf4b
tcp_usr_send(c13c0144,0,c11a0e00,0,0) at tcp_usr_send+0x14f
sosend(c13c0144,0,cab5dc88,c11a0e00,0) at sosend+0x5e7
soo_write(c11ec374,cab5dc88,c1368000,0,c13304b0) at soo_write+0x46
dofilewrite(c13304b0,c11ec374,5,807b000,40) at dofilewrite+0xa8
write(c13304b0,cab5dd14,3,8,206) at write+0x39
syscall(2f,2f,2f,806d0c8,40) at syscall+0x213
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (4, FreeBSD ELF32, write), eip = 0x28246af3, esp = 0xbfbfddbc, ebp = 0xbfbfdde8 ---
db>

Any ideas?

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!

Date: Wed, 24 Aug 2005 19:38:24 +0200
From: Daniel Hartmeier
To: Pawel Jakub Dawidek
Cc: freebsd-pf@freebsd.org
Subject: Re: PF doesn't work with changed interfaces names.

On Wed, Aug 24, 2005 at 05:09:14PM +0200, Pawel Jakub Dawidek wrote:

> When we change interface name with:
>
> 	# ifconfig fxp0 name net0
>
> and we add a firewall rule, restart pf, remove the rule, restart pf, we got:
>
> Fatal trap 12: page fault while in kernel mode

The rule might have created an interface-bound state entry on fxp0. I
don't know off-hand how 'ifconfig name' interacts with pf_if.c pfi_*()
functions, but if it destroys the kif object of fxp0 (and creates a new
one for net0), there might be a problem in pf_if.c pfi_maybe_destroy()

#ifdef __FreeBSD__
        if ((p->pfik_flags & (PFI_IFLAG_ATTACHED | PFI_IFLAG_GROUP)) ||
            ((p->pfik_rules > 0 || p->pfik_states > 0) &&
            (p->pfik_flags & PFI_IFLAG_PLACEHOLDER) == 0))
#else
        if ((p->pfik_flags & (PFI_IFLAG_ATTACHED | PFI_IFLAG_GROUP)) ||
            p->pfik_rules > 0 || p->pfik_states > 0)
#endif
                return (0);

The non-FreeBSD version strictly returns when the pfi_kif object still
contains state entries, but the FreeBSD version might be free'ing the
object when it still contains state entries. Those state entries point
back to the pfi_kif object that contains them. If this happens, you
might see exactly the crash you describe, i.e.
pf_state_compare_*() then tries to access the no-longer-existing pfi_kif
object to traverse state entries in there, accessing invalid memory.

I have to study the use of PFI_IFLAG_PLACEHOLDER more, maybe Max has an
idea what goes wrong there on interface name changes (ifconfig name)...

As a short-term workaround, I think disabling pf and flushing the state
table (pfctl -d; pfctl -Fs) before the ifconfig invocation would prevent
the panic.

Daniel
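
Daniel's comparison of the two quoted checks, and the fault address from Pawel's trap, worked through as an added example (not code from the thread or from pf). The flag bit values and struct kif_model are assumptions made for illustration; the three trap lines are copied from the report above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit values are placeholders for this example; the thread gives only the names. */
#define PFI_IFLAG_GROUP       0x1
#define PFI_IFLAG_ATTACHED    0x2
#define PFI_IFLAG_PLACEHOLDER 0x4

/* Hypothetical stand-in with only the fields the quoted check reads. */
struct kif_model { int pfik_flags, pfik_rules, pfik_states; };

/* Quoted #else branch: return early (keep the object) while anything uses it. */
static int keeps_other(const struct kif_model *p)
{
    return (p->pfik_flags & (PFI_IFLAG_ATTACHED | PFI_IFLAG_GROUP)) ||
        p->pfik_rules > 0 || p->pfik_states > 0;
}

/* Quoted __FreeBSD__ branch: rules/states only count if PLACEHOLDER is clear. */
static int keeps_freebsd(const struct kif_model *p)
{
    return (p->pfik_flags & (PFI_IFLAG_ATTACHED | PFI_IFLAG_GROUP)) ||
        ((p->pfik_rules > 0 || p->pfik_states > 0) &&
        (p->pfik_flags & PFI_IFLAG_PLACEHOLDER) == 0);
}

/* Try every flag value with 0 or 1 rules and states. Bit number `flags` is set in
 * the result when the #else check returns early for some combination but the
 * __FreeBSD__ check falls through to the rest of the function. */
static unsigned fallthrough_flags(void)
{
    unsigned which = 0;
    for (int flags = 0; flags < 8; flags++)
        for (int refs = 0; refs < 4; refs++) {
            struct kif_model k = { flags, refs & 1, refs >> 1 };
            if (keeps_other(&k) && !keeps_freebsd(&k))
                which |= 1u << flags;
        }
    return which;
}

/* Three lines copied from the trap report earlier in this thread. */
static const char trap_fault[] = "fault virtual address = 0xdeadc1d7";
static const char trap_insn[] = "Stopped at pf_state_compare_lan_ext+0x11: movzbl 0xf9(%ebx),%eax";
static const char trap_frame[] =
    "pf_state_compare_lan_ext(cab5d838,deadc0de) at pf_state_compare_lan_ext+0x11";

/* Hex value after the last '=' of a "name = 0x..." line, 0 if there is none. */
static unsigned long parse_fault_addr(const char *line)
{
    const char *eq = strrchr(line, '=');
    return eq != NULL ? strtoul(eq + 1, NULL, 16) : 0;
}

/* Displacement of a "disp(%reg)" operand: the hex token that ends at '('. */
static unsigned long parse_disp(const char *insn)
{
    const char *p = strchr(insn, '(');
    if (p == NULL)
        return 0;
    while (p > insn && p[-1] != ' ' && p[-1] != '\t')
        p--;
    return strtoul(p, NULL, 16);
}

/* 1-based index of the argument of "func(a,b,...)" equal to want, else 0. */
static int match_frame_arg(const char *frame, unsigned long want)
{
    const char *p = strchr(frame, '(');
    char *end;
    int idx = 1;
    if (p == NULL)
        return 0;
    for (p++; *p != '\0' && *p != ')'; idx++) {
        unsigned long v = strtoul(p, &end, 16);
        if (end == p)
            return 0;               /* not a hex argument */
        if (v == want)
            return idx;
        p = (*end == ',') ? end + 1 : end;
    }
    return 0;
}

/* The load read base + displacement; recover base and find it in the top frame. */
static int faulting_arg(void)
{
    unsigned long base = parse_fault_addr(trap_fault) - parse_disp(trap_insn);
    return match_frame_arg(trap_frame, base);
}

int main(void)
{
    printf("flag values where the checks disagree: mask 0x%x\n", fallthrough_flags());
    printf("faulting pointer is argument %d of the top frame\n", faulting_arg());
    return 0;
}
```

The two checks differ only for an object whose sole flag is PLACEHOLDER while rules or states still reference it. The fault address minus 0xf9 is 0xdeadc0de, the second argument of pf_state_compare_lan_ext(), which is the value FreeBSD kernels built with INVARIANTS write over freed memory.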

From: Max Laier
To: freebsd-pf@freebsd.org
Date: Wed, 24 Aug 2005 19:59:24 +0200
Subject: Re: PF doesn't work with changed interfaces names.

On Wednesday 24 August 2005 19:38, Daniel Hartmeier wrote:
> On Wed, Aug 24, 2005 at 05:09:14PM +0200, Pawel Jakub Dawidek wrote:
> > When we change interface name with:
> >
> > 	# ifconfig fxp0 name net0
> >
> > and we add a firewall rule, restart pf, remove the rule, restart pf, we
> > got:
> >
> > Fatal trap 12: page fault while in kernel mode
>
> The rule might have created an interface-bound state entry on fxp0.
> I don't know off-hand how 'ifconfig name' interacts with pf_if.c pfi_*()
> functions, but if it destroys the kif object of fxp0 (and creates a new
> one for net0), there might be a problem in pf_if.c pfi_maybe_destroy()
>
> #ifdef __FreeBSD__
>         if ((p->pfik_flags & (PFI_IFLAG_ATTACHED | PFI_IFLAG_GROUP)) ||
>             ((p->pfik_rules > 0 || p->pfik_states > 0) &&
>             (p->pfik_flags & PFI_IFLAG_PLACEHOLDER) == 0))
> #else
>         if ((p->pfik_flags & (PFI_IFLAG_ATTACHED | PFI_IFLAG_GROUP)) ||
>             p->pfik_rules > 0 || p->pfik_states > 0)
> #endif
>                 return (0);
>
> The non-FreeBSD version strictly returns when the pfi_kif object still
> contains state entries, but the FreeBSD version might be free'ing the
> object when it still contains state entries. Those state entries point
> back to the pfi_kif object that contains them. If this happens, you
> might see exactly the crash you describe, i.e. pf_state_compare_*() then
> tries to access the no-longer-existing pfi_kif object to traverse state
> entries in there, accessing invalid memory.
>
> I have to study the use of PFI_IFLAG_PLACEHOLDER more, maybe Max has an
> idea what goes wrong there on interface name changes (ifconfig name)...

ifconfig name is propagated as old_name interface disappears, new_name
interface arrives and there should not be a problem. The concern raised
above is addressed by an additional:

#ifdef __FreeBSD__
        if (p->pfik_rules > 0 || p->pfik_states > 0) {
                /* move back to the dummy group */
                p->pfik_parent = pfi_dummy;
                p->pfik_flags &= ~PFI_IFLAG_INSTANCE;
                pfi_dummy->pfik_addcnt++;
                TAILQ_INSERT_TAIL(&pfi_dummy->pfik_grouphead, p,
                    pfik_instances);
                return (0);
        }
#endif

a bit further down on pfi_maybe_destroy. Moreover the trace suggests that
this isn't a kif related problem, but a state tree inconsistency.

Pawel, what version are you running? Can you provide $FreeBSD$ for pf.c and
if_pfsync.c [if compiled in], please?
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 24 18:04:48 2005
Date: Wed, 24 Aug 2005 20:04:16 +0200
From: Pawel Jakub Dawidek
To: Max Laier
Cc: freebsd-pf@freebsd.org
Subject: Re: PF doesn't work with changed interfaces names.

On Wed, Aug 24, 2005 at 07:59:24PM +0200, Max Laier wrote:
+> Pawel, what version are you running?  Can you provide $FreeBSD$ for pf.c and
+> if_pfsync.c [if compiled in], please?

Grr, I forgot to mention. It's 5.3-RELEASE:

	src/sys/contrib/pf/net/pf.c,v 1.18.2.2
	src/sys/contrib/pf/net/if_pfsync.c,v 1.11.2.1

Could you point me to the exact changes which fix it?
Unfortunately, I can't upgrade.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 24 18:20:02 2005
From: Max Laier
To: Pawel Jakub Dawidek
Cc: freebsd-pf@freebsd.org
Date: Wed, 24 Aug 2005 20:19:38 +0200
Subject: Re: PF doesn't work with changed interfaces names.

On Wednesday 24 August 2005 20:04, Pawel Jakub Dawidek wrote:
> On Wed, Aug 24, 2005 at 07:59:24PM +0200, Max Laier wrote:
> +> Pawel, what version are you running?  Can you provide $FreeBSD$ for pf.c and
> +> if_pfsync.c [if compiled in], please?
>
> Grr, I forgot to mention. It's 5.3-RELEASE:
>
> 	src/sys/contrib/pf/net/pf.c,v 1.18.2.2
> 	src/sys/contrib/pf/net/if_pfsync.c,v 1.11.2.1
>
> Could you point me to the exact changes which fix it?

Depending if you use pfsync or not it's:
 MFC: pf_ioctl.c, 1.20 if_pfsync.h, 1.7 and if_pfsync.c, 1.16-1.19
or
 MFC: pf.c, 1.35 pfvar.h, 1.12

Pulling just sys/contrib/pf to RELENG_5 should work, AFAIR.

> Unfortunately, I can't upgrade.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 24 18:48:42 2005
From: Jon Otterholm
To: freebsd-pf@freebsd.org
Date: Wed, 24 Aug 2005 20:48:38 +0200
Subject: Next-Hop

Hi!

I am a newbie on PF but starting to get a hang on the different options
and how to make a working config. So far I am deeply impressed with the
many different functions and possibilities PF can offer.

I have my roots in Cisco IOS and there I have a function called "next
hop" that one can use to route connections to another destination than
the default route when, for example, sourcing from a specific address
space.

Can PF offer this functionality in some way?

In reality we use this to route packets between 2 different Internet
connections using real (non RFC1918) IP-addresses...

/Jon

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 24 19:02:03 2005
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Wed, 24 Aug 2005 21:01:48 +0200
Subject: Re: Next-Hop

On Wednesday 24 August 2005 20:48, Jon Otterholm wrote:
> Hi!
>
> I am a newbie on PF but starting to get a hang on the different options
> and how to make a working config. So far I am deeply impressed with the
> many different functions and possibilities PF can offer.
>
> I have my roots in Cisco IOS and there I have a function called "next
> hop" that one can use to route connections to another destination than
> the default route when, for example, sourcing from a specific address
> space.
>
> Can PF offer this functionality in some way?
>
> In reality we use this to route packets between 2 different Internet
> connections using real (non RFC1918) IP-addresses...

see pf.conf(5)::ROUTING

Note that a critical problem with routing has been identified just recently
and is only fixed in HEAD right now.  The fix will be MFCed shortly, however.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 24 19:08:40 2005
From: "Greg Hennessy"
Date: Wed, 24 Aug 2005 20:08:32 +0100
Subject: RE: Next-Hop

> I have my roots in Cisco IOS and there I have a function
> called "next hop" that one can use to route connections to
> another destination than the default route when, for example,
> sourcing from a specific address space.
>
> Can PF offer this functionality in some way?
>

Yep, for policy based routing, take a look at the 'route-to' option and use
it with a 'pass out'.
greg

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 24 21:14:51 2005
Date: Thu, 25 Aug 2005 00:14:50 +0300
From: Mircea Popescu
To: freebsd-pf@freebsd.org
Subject: Authpf and windows client(s) ...

Hi!

I want to use authpf in order to give access to internet for some windows XP
PC's.

Now, I know that the client PC (using WinXP in this case) should initiate
somehow a ssh connection to the FreeBSD server.
My problem would be what software to use on the XP side in order to do this.
Putty is not a solution in my case.
Thanks!

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 24 21:17:14 2005
Date: Wed, 24 Aug 2005 16:17:13 -0500
From: Bill Marquette
To: Mircea Popescu
Cc: freebsd-pf@freebsd.org
Subject: Re: Authpf and windows client(s) ...

On 8/24/05, Mircea Popescu wrote:
> Hi!
>
> I want to use authpf in order to give access to internet for some windows XP
> PC's.
>
> Now, I know that the client PC (using WinXP in this case) should initiate
> somehow a ssh connection to the FreeBSD server.
> My problem would be what software to use on the XP side in order to do this.
> Putty is not a solution in my case.
> Thanks!

Any ssh client should work just fine.  putty is usually recommended
because it's open source (and free).

--Bill

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 24 21:21:37 2005
Date: Thu, 25 Aug 2005 09:21:35 +1200
From: Andrew Thompson
To: Mircea Popescu
Cc: freebsd-pf@freebsd.org
Subject: Re: Authpf and windows client(s) ...

On Thu, Aug 25, 2005 at 12:14:50AM +0300, Mircea Popescu wrote:
> Hi!
>
> I want to use authpf in order to give access to internet for some windows XP
> PC's.
>
> Now, I know that the client PC (using WinXP in this case) should initiate
> somehow a ssh connection to the FreeBSD server.
> My problem would be what software to use on the XP side in order to do this.
> Putty is not a solution in my case.

For a previous job I modified the putty source to give a different
frontend to solve the same problem, unfortunately I no longer have
access to my modifications so I can't pass them on. Maybe this could work
for you? a little C knowledge required.
Andrew

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 24 21:32:06 2005
Date: Wed, 24 Aug 2005 16:32:05 -0500
From: Bill Marquette
To: Mircea Popescu
Cc: freebsd-pf@freebsd.org
Subject: Re: Authpf and windows client(s) ...

No, authpf is a login shell.  If you don't want to use SSH, then you
need to write your own client, daemon, and/or authpf-like application.

--Bill

On 8/24/05, Mircea Popescu wrote:
> ok, but any other solution?
>
> On 8/25/05, Bill Marquette wrote:
> > On 8/24/05, Mircea Popescu wrote:
> > > Hi!
> > >
> > > I want to use authpf in order to give access to internet for some
> > > windows XP PC's.
> > >
> > > Now, I know that the client PC (using WinXP in this case) should
> > > initiate somehow a ssh connection to the FreeBSD server.
> > > My problem would be what software to use on the XP side in order to do
> > > this.
> > > Putty is not a solution in my case.
> > > Thanks!
> >
> > Any ssh client should work just fine.  putty is usually recommended
> > because it's open source (and free).
> >
> > --Bill
> >
>

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 25 19:28:43 2005
From: "Mike Pultz"
Date: Thu, 25 Aug 2005 12:24:31 -0700
Subject: pf + pfsync + carp - FreeBSD 5.4

Hello,

I have two firewalls setup as failover using pf + pfsync and carp, and I've been
experiencing kernel panics from pfsync. It seems that every few days the machines reboot.

I noticed that the latest version of pfsync.c under the RELENG_5 branch is 1.11.2.3,
which uses the OpenBSD version 1.26 (which I've cvs'd up to).

I did some reading, and found some people having similar problems (under OpenBSD and
FreeBSD RELENG_6), and it looks like some of the fixes happened under OpenBSD version
1.46, which doesn't exist yet under the RELENG_5 branch.

Is there any chance that a newer version of pfsync.c can be promoted to the RELENG_5
branch?

Please correct me if I'm off on any of this information?
Cheers,

Mike

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 26 12:32:43 2005
Date: Fri, 26 Aug 2005 14:32:04 +0200
From: Pawel Jakub Dawidek
To: Max Laier
Cc: freebsd-pf@freebsd.org
Subject: Re: PF doesn't work with changed interfaces names.

On Wed, Aug 24, 2005 at 08:19:38PM +0200, Max Laier wrote:
+> On Wednesday 24 August 2005 20:04, Pawel Jakub Dawidek wrote:
+> > On Wed, Aug 24, 2005 at 07:59:24PM +0200, Max Laier wrote:
+> > +> Pawel, what version are you running?  Can you provide $FreeBSD$ for pf.c and
+> > +> if_pfsync.c [if compiled in], please?
+> >
+> > Grr, I forgot to mention. It's 5.3-RELEASE:
+> >
+> > 	src/sys/contrib/pf/net/pf.c,v 1.18.2.2
+> > 	src/sys/contrib/pf/net/if_pfsync.c,v 1.11.2.1
+> >
+> > Could you point me to the exact changes which fix it?
+>
+> Depending if you use pfsync or not it's:
+>  MFC: pf_ioctl.c, 1.20 if_pfsync.h, 1.7 and if_pfsync.c, 1.16-1.19
+> or MFC: pf.c, 1.35 pfvar.h, 1.12
+>
+> Pulling just sys/contrib/pf to RELENG_5 should work, AFAIR.

I took PF from RELENG_5 and it works fine. Thanks!

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
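
Added example, not part of the thread and not pf source code: a user-space C model of the object-lifetime hazard Daniel Hartmeier describes in the "PF doesn't work with changed interfaces names" thread, and of the kind of reference check Max Laier quotes in reply. State entries keep a back-pointer to their interface object, so the object may only be released once no state refers to it. All struct, function and flag names are assumptions made for illustration, and an "alive" field stands in for malloc/free so the stale pointer can be observed safely.

```c
/* User-space model only; every name below is hypothetical, not pf's. */
#include <stdio.h>

#define KIF_ATTACHED 0x1    /* a real interface currently backs the object */
#define KIF_PARKED   0x2    /* detached, kept only because it is referenced */
#define NSTATES      2

struct kif {
    int alive;              /* cleared where real code would free() */
    int flags;
    int rules;              /* rules bound to this interface */
    int states;             /* state entries pointing back at this object */
};

struct state {
    struct kif *kif;        /* back-pointer to the owning interface object */
};

static void state_insert(struct state *s, struct kif *k)
{
    s->kif = k;
    k->states++;
}

/* Returns 1 if the object was released, 0 if it had to be kept.
 * check_refs = 0 models a destroy path that ignores remaining states. */
static int kif_maybe_destroy(struct kif *k, int check_refs)
{
    if (k->flags & KIF_ATTACHED)
        return 0;
    if (check_refs && (k->rules > 0 || k->states > 0)) {
        k->flags |= KIF_PARKED;     /* keep it: states still reference it */
        return 0;
    }
    k->alive = 0;                   /* stands in for free() */
    return 1;
}

/* The interface disappears, e.g. the old name going away on a rename. */
static int kif_detach(struct kif *k, int check_refs)
{
    k->flags &= ~KIF_ATTACHED;
    return kif_maybe_destroy(k, check_refs);
}

/* Drop one state, then retry the destroy with the reference check on. */
static int state_remove(struct state *s)
{
    struct kif *k = s->kif;
    s->kif = NULL;
    k->states--;
    return kif_maybe_destroy(k, 1);
}

/* Detach an interface that still owns NSTATES states and count the
 * states left pointing at a released object. */
static int dangling_after_detach(int check_refs)
{
    struct kif fxp0 = { .alive = 1, .flags = KIF_ATTACHED };
    struct state st[NSTATES];
    int n = 0;
    for (int i = 0; i < NSTATES; i++)
        state_insert(&st[i], &fxp0);
    kif_detach(&fxp0, check_refs);
    for (int i = 0; i < NSTATES; i++)
        if (!st[i].kif->alive)
            n++;
    return n;
}

/* Guarded path: number of state removals needed before release,
 * or -1 if the object is never released. */
static int removals_until_release(void)
{
    struct kif fxp0 = { .alive = 1, .flags = KIF_ATTACHED };
    struct state st[NSTATES];
    for (int i = 0; i < NSTATES; i++)
        state_insert(&st[i], &fxp0);
    if (kif_detach(&fxp0, 1))
        return 0;
    for (int i = 0; i < NSTATES; i++)
        if (state_remove(&st[i]))
            return i + 1;
    return -1;
}

int main(void)
{
    printf("unguarded: %d dangling state(s)\n", dangling_after_detach(0));
    printf("guarded:   %d dangling state(s)\n", dangling_after_detach(1));
    printf("released after %d state removal(s)\n", removals_until_release());
    return 0;
}
```

With the reference check off, every state is left pointing at a released object after the detach; with it on, the object is parked and released only when its last state is removed.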