From owner-freebsd-pf@FreeBSD.ORG Sun Dec 3 04:02:30 2006
Message-Id: <0518832C-EF59-49EB-BF22-E9B401830628@threerings.net>
In-Reply-To: <40CEB709-1A81-4A98-988E-24768584F984@develooper.com>
From: Nick Barkas
Date: Sat, 2 Dec 2006 20:01:52 -0800
To: Ask Bjørn Hansen
Cc: freebsd-pf@freebsd.org
Subject: Re: carpdev ifconfig option?

As far as I know, the carpdev code from OpenBSD has not yet been
ported. I've been wanting to have this in FreeBSD myself for a while
now, and was planning to spend some time on porting the OpenBSD code
over, but have not had time to get to it yet. If I do get to it
before someone else does, I'll post to this list when I have a patch.

Nick

On Dec 2, 2006, at 4:15 AM, Ask Bjørn Hansen wrote:

> Hi,
>
> I see in the OpenBSD documentation that they have a "carpdev"
> option to specify which physical interface the redundancy group
> should run on.
>
> FreeBSD (current 6.2 code) doesn't have that option -- is there
> another way to accomplish the same thing?
>
>  - ask
>
> --
> http://develooper.com/ - http://askask.com/

From owner-freebsd-pf@FreeBSD.ORG Sun Dec 3 11:25:38 2006
Message-ID: <491ac4fb0612030325x2bbbb88br65ad4c3a2f4c8f43@mail.gmail.com>
Date: Sun, 3 Dec 2006 12:25:36 +0100
From: "Niklas Saers"
To: freebsd-pf@freebsd.org
Subject: newbie to pf

Hi guys,

I'm setting up a Soekris 4801 box to deal with my home network. I've been
using ipfw for a very long time and took this as an opportunity to try out
pf. The Soekris has the interfaces sis0 (10.0.0.4), which is connected to my
ADSL router, sis1, which is connected to my home computers (10.0.2.0/24), and
sis2, which is connected to the computers that run my home business
(10.0.3.0/24). The ADSL router is set up so that it forwards any incoming
traffic to the Soekris box's sis0. I would like to set up pf so that any
incoming traffic to ports 22, 443 and 3306 goes to a computer on the business
network (10.0.3.2) and the rest goes to 10.0.2.2 (the wireless adapter).

In addition to forwarding, I need to set up NAT for my internal/wireless
network and for the business network so that they can reach the rest of the
world.

I've been reading a bit and using examples I've found good, and so far my
pf.conf looks like this. NAT seems to work fine for the internal network, but
not for the business network. Incoming traffic to 10.0.3.2 does not work,
neither does incoming to 10.0.2.2, and setting up an ssh connection between
10.0.2.2 and 10.0.3.2 takes about 26 seconds. Do you have any suggestions on
how I can solve these problems? Are there any problems with this setup that I
have not discovered yet?
# macros
ext_if = "sis0"
int_if = "sis1"
bus_if = "sis2"
internal_net = "10.0.2.0/24"
business_net = "10.0.3.0/24"
soekris = "{ 10.0.0.4, 10.0.2.1, 10.0.3.1 }"

# tables
table const { self }

# options
set block-policy drop
set state-policy if-bound

# scrub incoming packets
scrub all reassemble tcp fragment reassemble

# nat
nat on $ext_if from $internal_net to any -> ($ext_if)
no nat on $ext_if from $internal_net to $business_net
no nat on $ext_if from $internal_net to $soekris

# redirection
rdr on $ext_if proto tcp from any to $ext_if port { 22, 443, 3306 } -> 10.0.3.2
rdr on $ext_if proto tcp from any to $ext_if -> 10.0.2.2

# setup a default deny policy
block drop log all

# pass traffic on the loopback interface in either direction
pass quick on lo0 all
pass quick on $int_if all
pass quick on $bus_if all

# outgoing dns, ntp
pass out quick on $ext_if inet proto udp from ($ext_if) to any port { 53, 123 } keep state

# outgoing from firewall
pass out log quick on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state
pass out log quick on $ext_if inet proto { udp, icmp } from ($ext_if) to any keep state

# incoming active ftp-data (this is required for active ftp to work)
pass in log quick on $ext_if inet proto tcp from any port 20 to ($ext_if) port >= 1024 flags S/SA keep state

# incoming tcp and udp from the internal network to the internet
pass in log quick on $int_if inet proto tcp from $internal_net to ! flags S/SA modulate state
pass in log quick on $int_if inet proto udp from $internal_net to !
    keep state

Cheers

Nik

From owner-freebsd-pf@FreeBSD.ORG Sun Dec 3 16:48:38 2006
Message-ID: <491ac4fb0612030839m69acf648q404311588853f8c8@mail.gmail.com>
Date: Sun, 3 Dec 2006 17:39:04 +0100
From: "Niklas Saers"
To: freebsd-pf@freebsd.org
In-Reply-To: <491ac4fb0612030325x2bbbb88br65ad4c3a2f4c8f43@mail.gmail.com>
Subject: Re: newbie to pf

Little d'oh regarding nat, I'd forgotten the line:

nat on $ext_if from $business_net to any -> ($ext_if)

But I'm still very much confused as to why my redirecting isn't working and
I'd still very much appreciate feedback on the setup. :-)

Cheers

Nik

From owner-freebsd-pf@FreeBSD.ORG Sun Dec 3 19:46:04 2006
Date: Sun, 3 Dec 2006 13:38:58 -0600
From: "Travis H."
To: fwun@bigpond.net.au
Cc: freebsd-pf@freebsd.org
Message-ID: <20061203193858.GD7696@nexus.subspacefield.org>
In-Reply-To: <16201878.1164245885264.JavaMail.root@web03sl>
Subject: Re: how to route to a local server thru PF router

On Thu, Nov 23, 2006 at 12:38:05PM +1100, fwun@bigpond.net.au wrote:
> The PF router I set up is an Internet router that allows people to access the Internet.
> But in the meantime, this PF router is also connected to a local FreeBSD server.
> As a user behind the PF router, I also want to ssh into the local FreeBSD server (10.1.10.2).
> But currently I'm not able to ssh into this local server through the PF router.
>
> The current NAT rules in the PF router are set up as:
>
> # pfctl -a NATRULES -sn
> nat on sis0 inet from 192.168.1.0/24 to any -> (sis0) round-robin
> nat on sis0 inet from 172.17.3.0/24 to any -> (sis0) round-robin
> nat on sis0 inet from 10.1.10.0/24 to any -> (sis0) round-robin
>
> I'm connected to the 172.17.3.0/24 network. The local FreeBSD server is connected to the 10.1.10.0/24 network.
>
> And the PF router is already set up as the default gateway.
>
> How can I modify the PF rules so that I can log in from the 172.17.3.0/24 network to the 10.1.10.0/24 network?

Are they both on the LAN side of the PF box? I assume sis0 is the WAN
interface, but you don't say which is which.
You will need an interface alias on each network, and you will need to do
something like:

pass quick on $lan_if from $lan_if:network to $lan_if:network

That rule will expand to each network, so you can communicate between them
through the router.
--
"Cryptography is nothing more than a mathematical framework for discussing
various paranoid delusions." -- Don Alvarez -><-

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 4 06:22:01 2006
Date: Mon, 4 Dec 2006 06:21:58 +0000
From: Daniel Bye
To: freebsd-pf@freebsd.org
Message-ID: <20061204062158.GA57910@catflap.slightlystrange.org>
In-Reply-To: <491ac4fb0612030325x2bbbb88br65ad4c3a2f4c8f43@mail.gmail.com>
Subject: Re: newbie to pf

On Sun, Dec 03, 2006 at 12:25:36PM +0100, Niklas Saers wrote:
>
> I've been reading a bit and using examples I've found good, and so far
> my pf.conf looks like this. Nat seems to work fine for the internal
> network, not for the business network. Incoming traffic to 10.0.3.2
> does not work, neither does incoming to 10.0.2.2, and setting up an
> ssh connection between 10.0.2.2 and 10.0.3.2 takes about 26 seconds.
> Do you have any suggestions on how I can solve these problems? Are
> there any problems with this setup that I have not discovered yet?
>
> # macros
> ext_if = "sis0"
> int_if = "sis1"
> bus_if = "sis2"
> internal_net = "10.0.2.0/24"
> business_net = "10.0.3.0/24"
> soekris = "{ 10.0.0.4, 10.0.2.1, 10.0.3.1 }"
>
> # tables
> table const { self }
>
> # options
> set block-policy drop
> set state-policy if-bound
>
> # scrub incoming packets
> scrub all reassemble tcp fragment reassemble
>
> # nat
> nat on $ext_if from $internal_net to any -> ($ext_if)
> no nat on $ext_if from $internal_net to $business_net
> no nat on $ext_if from $internal_net to $soekris
>
> # redirection
> rdr on $ext_if proto tcp from any to $ext_if port { 22, 443, 3306 } ->
> 10.0.3.2
> rdr on $ext_if proto tcp from any to $ext_if -> 10.0.2.2
>
> # setup a default deny policy
> block drop log all
>
> # pass traffic on the loopback interface in either direction
> pass quick on lo0 all
> pass quick on $int_if all
> pass quick on $bus_if all
>
> # outgoing dns, ntp
> pass out quick on $ext_if inet proto udp from ($ext_if) to any port {
> 53, 123 } keep state
>
> # outgoing from firewall
> pass out log quick on $ext_if inet proto tcp from ($ext_if) to any
> flags S/SA keep state
> pass out log quick on $ext_if inet proto { udp, icmp } from ($ext_if)
> to any keep state
>
> # incoming active ftp-data (this is required for active ftp to work)
> pass in log quick on $ext_if inet proto tcp from any port 20 to
> ($ext_if) port >= 1024 flags S/SA keep state
>
> # incoming tcp and udp from the internal network to the internet
> pass in log quick on $int_if inet proto tcp from $internal_net to
> ! flags S/SA modulate state
> pass in log quick on $int_if inet proto udp from $internal_net to
> ! keep state

I'm also a pf n00b, so please don't regard this as expert opinion!

From reading the excellent documentation at the OpenBSD site, I think
you are missing a `pass' rule for your redirected traffic.
You can either add a `pass' keyword to the rdr rules (which will mean
they don't get filtered /at all/), or you can write dedicated `pass'
rules for the redirected traffic. Remember that the filtering engine will
see the redirected packets /after/ translation occurs, so take that
into account if you write dedicated rules.

As for your ssh problem - this may be related to a DNS timeout. Try
disabling DNS in ssh (by default, it will try to look up the name of a
remote host from its IP and check that it resolves back to the same
address). Alternatively, you can edit your /etc/hosts, or start running
a local name server.

Anyway, like I said - IANAE!

Dan

--
Daniel Bye
PGP Key: http://www.slightlystrange.org/pgpkey-dan.asc
PGP Key fingerprint: D349 B109 0EB8 2554 4D75 B79A 8B17 F97C 1622 166A

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 4 11:09:03 2006
Message-Id: <200612041108.kB4B8VbV045454@freefall.freebsd.org>
Date: Mon, 4 Dec 2006 11:08:31 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o sparc/93530  pf    Incorrect checksums when using pf's route-to on sparc6

3 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
f conf/81042   pf    [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/103304  pf    pf accepts nonexistent queue in rules

3 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Dec 4 11:46:49 2006
Message-ID: <491ac4fb0612040336t2a7d2d40xaee0be24166ad593@mail.gmail.com>
Date: Mon, 4 Dec 2006 12:36:09 +0100
From: "Niklas Saers"
To: "Daniel Bye", freebsd-pf@freebsd.org
In-Reply-To: <20061204062158.GA57910@catflap.slightlystrange.org>
Subject: Re: newbie to pf

Hi guys,

On 12/4/06, Daniel Bye wrote:
> From reading the excellent documentation at the OpenBSD site, I think
> you are missing a `pass' rule for your redirected traffic.

Yes, I was. I've substituted "rdr" for "rdr pass", which I believe should
work great for ssh, https and mysql.

> Remember that the filtering engine will
> see the redirected packets /after/ translation occurs, so take that
> into account if you write dedicated rules.

Thanks for the heads-up there; at the time I wrote this I didn't think of
that. I've been doing much reading since then, and as you point out, that's
excellent documentation.

> As for your ssh problem - this may be related to a DNS timeout.

It was indeed. :-)

The main problem turned out to be the ADSL router, not pf. The forwarded
data was not being forwarded correctly, but a flash update and reconfig
later the data are coming in fine and being forwarded just fine.

What I'm wondering about now is: what weaknesses are there in my setup? Is
there anything I should be particularly aware of?
# macros
ext_if = "sis0"
int_if = "sis1"
bus_if = "sis2"
internal_net = "10.0.2.0/24"
business_net = "10.0.3.0/24"
soekris = "{ 10.0.0.4, 10.0.2.1, 10.0.3.1 }"

# tables
table const { self }

# options
set block-policy drop
set state-policy if-bound
#set require-order yes
#set fingerprints "/etc/pf.os"
#set loginterface $ext_if

# scrub incoming packets
set skip on lo
scrub all reassemble tcp fragment reassemble

# redirection
rdr pass on $ext_if proto tcp from any to any port 22 -> 10.0.3.2
rdr pass on $ext_if proto tcp from any to any port 443 -> 10.0.3.2
rdr pass on $ext_if proto tcp from any to any port 3306 -> 10.0.3.2

# nat
nat on $ext_if from $internal_net to any -> ($ext_if)
nat on $ext_if from $business_net to any -> ($ext_if)
no nat on $ext_if from $internal_net to $business_net
no nat on $ext_if from $internal_net to $soekris

# setup a default deny policy
block drop log all

# pass traffic on the loopback interface in either direction
pass quick on lo0 all
pass quick on $int_if all
pass quick on $bus_if all

# outgoing dns, ntp
pass out quick on $ext_if inet proto udp from ($ext_if) to any port { 53, 123 } keep state

# outgoing from firewall
pass out log quick on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state
pass out log quick on $ext_if inet proto { udp, icmp } from ($ext_if) to any keep state

# incoming active ftp-data (this is required for active ftp to work)
pass in log quick on $ext_if inet proto tcp from any port 20 to ($ext_if) port >= 1024 flags S/SA keep state

# incoming tcp and udp from the internal network to the internet
pass in log quick on $int_if inet proto tcp from $internal_net to ! flags S/SA modulate state
pass in log quick on $int_if inet proto udp from $internal_net to ! keep state
pass in log quick on $bus_if inet proto tcp from $business_net to ! flags S/SA modulate state
pass in log quick on $bus_if inet proto udp from $business_net to !
    keep state

Cheers

Nik

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 4 18:10:53 2006
Message-ID: <4574647B.7090901@c7.ca>
Date: Mon, 04 Dec 2006 13:10:03 -0500
From: Kevin Kutzko
To: freebsd-pf@freebsd.org
Subject: Fixing up pf for passive mode

I am curious how I could set my pf firewall to allow passive mode connections
via random ports. I get "illegal port range" when trying to connect / directory
list on an external ftp site.

I have some general ideas as to how I could remedy this but I thought I'd post
it here first. Thanks in advance.

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 4 18:12:49 2006
Date: Mon, 4 Dec 2006 19:12:43 +0100
From: Gergely CZUCZY
To: Kevin Kutzko
Cc: freebsd-pf@freebsd.org
Message-ID: <20061204181243.GA55114@harmless.hu>
In-Reply-To: <4574647B.7090901@c7.ca>
Subject: Re: Fixing up pf for passive mode

On Mon, Dec 04, 2006 at 01:10:03PM -0500, Kevin Kutzko wrote:
> I am curious how I could set my pf firewall to allow passive mode connections via random ports. I get
> "illegal port range" when trying to connect / directory list on an external ftp site.
>
>
> I have some general ideas as to how I could remedy this but I thought I'd post it here first. Thanks
> in advance.

Use ftp-proxy(8) in base or pftpx from ports. For a high number of
connections I suggest pftpx.

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

--
Weenies test. Geniuses solve problems that arise.
From owner-freebsd-pf@FreeBSD.ORG Mon Dec 4 20:13:36 2006
Date: Mon, 4 Dec 2006 14:13:31 -0600
From: "Travis H."
To: freebsd-pf@freebsd.org
Message-ID: <20061204201331.GA25039@subspacefield.org>
In-Reply-To: <20061130174045.GA73984@harmless.hu>
Subject: Re: opinion on this ruleset

On Thu, Nov 30, 2006 at 06:40:45PM +0100, Gergely CZUCZY wrote:
> ($ext_if) translates to an ip address of the interface,
> and not to all addresses on the interface.

Are you sure? To get a single address, I use ($ext_if:0).

> > pass in inet proto icmp all icmp-type $icmp_types keep state
> wrong.
> use this:
> pass in on $ext_if proto icmp
>
> if you wonder why, read the openbsd's FAQ on pf. or just google for it

I've read the FAQ several times and don't remember this. I filter all ICMP
_queries_ inbound, and ICMP _responses_ outbound, and have never had a
problem. What exactly should we be googling for, other than "pf icmp"?
--
"Cryptography is nothing more than a mathematical framework for discussing
various paranoid delusions."
-- Don Alvarez
-><-

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 4 20:14:08 2006
Date: Mon, 4 Dec 2006 20:14:06 +0000
From: Daniel Bye
To: freebsd-pf@freebsd.org
Message-ID: <20061204201405.GA1873@catflap.slightlystrange.org>
In-Reply-To: <491ac4fb0612040336t2a7d2d40xaee0be24166ad593@mail.gmail.com>
Subject: Re: newbie to pf

On Mon, Dec 04, 2006 at 12:36:09PM +0100, Niklas Saers wrote:
>
> The main problem turned out to be the ADSL router, not pf. The
> forwarded data was not being forwarded correctly, but a flash update
> and reconfig later the data are coming in fine and being forwarded
> just fine.
>
> What I'm wondering about now is: what weaknesses are there in my
> setup? Is there anything I should be particularly aware of?

I can't see any glaring holes in it, but there are a few things you can do to simplify your rules.
>
> # macros
> ext_if = "sis0"
> int_if = "sis1"
> bus_if = "sis2"
> internal_net = "10.0.2.0/24"
> business_net = "10.0.3.0/24"
> soekris = "{ 10.0.0.4, 10.0.2.1, 10.0.3.1 }"
>
> # tables
> table const { self }
>
> # options
> set block-policy drop
> set state-policy if-bound
> #set require-order yes
> #set fingerprints "/etc/pf.os"
> #set loginterface $ext_if
>
> # scrub incoming packets
> set skip on lo
> scrub all reassemble tcp fragment reassemble
>
> # redirection
> rdr pass on $ext_if proto tcp from any to any port 22 -> 10.0.3.2
> rdr pass on $ext_if proto tcp from any to any port 443 -> 10.0.3.2
> rdr pass on $ext_if proto tcp from any to any port 3306 -> 10.0.3.2

You can do this as one rule with a macro (the macro value needs quotes, since it contains spaces):

office_ports = "{ ssh https 3306 }"
rdr pass on $ext_if proto tcp from any to any port $office_ports -> 10.0.3.2

>
> # nat
> nat on $ext_if from $internal_net to any -> ($ext_if)
> nat on $ext_if from $business_net to any -> ($ext_if)
> no nat on $ext_if from $internal_net to $business_net
> no nat on $ext_if from $internal_net to $soekris
>
> # setup a default deny policy
> block drop log all
>
> # pass traffic on the loopback interface in either direction
> pass quick on lo0 all

As you have `set skip on lo', above, this rule is redundant.

> pass quick on $int_if all
> pass quick on $bus_if all
>
> # outgoing dns, ntp
> pass out quick on $ext_if inet proto udp from ($ext_if) to any port { 53, 123 } keep state
>
> # outgoing from firewall
> pass out log quick on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state
> pass out log quick on $ext_if inet proto { udp, icmp } from ($ext_if) to any keep state

You can specify these as one rule in pf.conf - sounds odd, but pf is smart enough to apply the flags only to TCP connections.

pass out log quick on $ext_if inet proto { tcp udp icmp } from ($ext_if) \
    to any flags S/SA modulate state

Load the rule, and see what pf does to it.
It will create three separate rules, one for each protocol, with only the one for tcp having the flags applied. In addition, the udp and icmp rules will end with a simple keep state, while the modulate state is applied to the tcp rule.

>
> # incoming active ftp-data (this is required for active ftp to work)
> pass in log quick on $ext_if inet proto tcp from any port 20 to ($ext_if) port >= 1024 flags S/SA keep state
>
> # incoming tcp and udp from the internal network to the internet
> pass in log quick on $int_if inet proto tcp from $internal_net to ! flags S/SA modulate state
> pass in log quick on $int_if inet proto udp from $internal_net to ! keep state
> pass in log quick on $bus_if inet proto tcp from $business_net to ! flags S/SA modulate state
> pass in log quick on $bus_if inet proto udp from $business_net to ! keep state

You could reduce this to two rules, as well.

pass in log quick on $int_if inet proto { tcp udp } from $int_if:network \
    to ! flags S/SA modulate state
pass in log quick on $bus_if inet proto { tcp udp } from $bus_if:network \
    to ! flags S/SA modulate state

I'm sure that if I'm off the mark, someone more knowledgeable will put me right.
Cheers,

Dan

--
Daniel Bye
PGP Key: http://www.slightlystrange.org/pgpkey-dan.asc
PGP Key fingerprint: D349 B109 0EB8 2554 4D75 B79A 8B17 F97C 1622 166A

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 5 08:06:02 2006
From: "teknet8"
To: freebsd-pf@freebsd.org
Message-ID: <179cfa74.46ad9551.45752868.5314d@o2.pl>
Date: Tue, 05 Dec 2006 09:06:00 +0100
Subject: load balancing and sticky address

Hello

I would like to use the smart sticky-address function.
The problem is:

table { 10.0.0.1, 10.0.0.2, 10.0.0.3 }
rdr on xl0 inet proto tcp from any to IP_PUBLICO port 80 -> { } round-robin sticky-address
pass in quick log on xl0 proto tcp from any to port 80 flags S/SA modulate state (src.track 1800)

I want to remember old (finished) session traces for 30 minutes, and make the same decision in load balancing for those 30 minutes.

The problem is when one of the destination hosts fails.
If clientA is using 10.0.0.2 and 10.0.0.2 fails, the sticky-address option will force pf to route traffic from clientA to 10.0.0.2 for the next 30 minutes.

How can I solve such a problem?
Is it exactly the same problem as described in:
http://archives.neohapsis.com/archives/openbsd/2006-05/2815.html

Thanx
Michal

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 5 08:18:39 2006
Date: Tue, 5 Dec 2006 09:18:37 +0100
From: Daniel Hartmeier
To: teknet8
Cc: freebsd-pf@freebsd.org
Message-ID: <20061205081837.GE29831@insomnia.benzedrine.cx>
In-Reply-To: <179cfa74.46ad9551.45752868.5314d@o2.pl>
Subject: Re: load balancing and sticky address

On Tue, Dec 05, 2006 at 09:06:00AM +0100, teknet8 wrote:
> How can i solve such problem ?
>
> Is the exactly the same problem as described in:
> http://archives.neohapsis.com/archives/openbsd/2006-05/2815.html

The solution suggested in that thread (adding pfctl -K to remove source tracking entries) has been recently implemented, see

http://marc.theaimsgroup.com/?l=openbsd-cvs&m=116403344715967&w=2

It will of course take a little while to make it through.

Daniel
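The pfctl -K hint above, turned into a small backend health check (an added example, not from the thread and not pf's or FreeBSD's own code): it probes each host of the sticky-address pool and, when one stops answering, takes it out of the rdr table and kills the source-tracking entries that pin clients to it, so they are re-balanced at once rather than after src.track expires. It assumes a table named <webservers>, backends on TCP port 80, and a pfctl with the -K support from the commit linked above, where a second -K names the destination of the entries to kill.

```shell
#!/bin/sh
# Added example (not from the thread): health-check the backends behind a
# "round-robin sticky-address" rdr and, when one dies, drop the pf
# source-tracking entries that still point at it. Without this, a client
# that was stuck to the dead host keeps being sent there until the
# src.track timeout (1800 s in the ruleset above) runs out.
#
# Assumptions (mine, not stated in the thread): the rdr table is named
# <webservers>, backends listen on TCP 80, and pfctl understands
# "-K <src> -K <dst>" as "kill tracking entries from <src> to <dst>".

PFCTL="${PFCTL:-pfctl}"          # overridable so the logic can be dry-run
TABLE="${TABLE:-webservers}"     # assumed table name
PORT="${PORT:-80}"

# backend_alive HOST: succeed if a TCP connect to HOST:PORT works.
backend_alive() {
    nc -z -w 2 "$1" "$PORT" >/dev/null 2>&1
}

# sticky_kill HOST: stop new connections from being balanced to HOST and
# drop every source-tracking entry whose destination is HOST.
sticky_kill() {
    "$PFCTL" -t "$TABLE" -T delete "$1" &&
    "$PFCTL" -K 0.0.0.0/0 -K "$1"
}

# backend_restore HOST: put a recovered host back into the table. Adding an
# address that is already present is harmless, so this runs on every pass.
backend_restore() {
    "$PFCTL" -t "$TABLE" -T add "$1"
}

# check_backends HOST...: probe each backend once. Prints the dead hosts,
# one per line, and returns their count (0 means every backend is up).
check_backends() {
    dead=0
    for host in "$@"; do
        if backend_alive "$host"; then
            backend_restore "$host"
        else
            sticky_kill "$host"
            echo "$host"
            dead=$((dead + 1))
        fi
    done
    return "$dead"
}

# Typical use from cron: check_backends 10.0.0.1 10.0.0.2 10.0.0.3
if [ "$#" -gt 0 ]; then
    check_backends "$@"
fi
```

Clients whose tracking entry was killed pick a new backend on their next connection; entries pointing at healthy hosts are left alone.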
From owner-freebsd-pf@FreeBSD.ORG Tue Dec 5 22:43:13 2006
Date: Tue, 5 Dec 2006 14:43:06 -0800
From: "Fire walls"
To: freebsd-pf@freebsd.org
In-Reply-To: <5569580.post@talk.nabble.com>
Subject: Re: enable passive/active ftp

On 7/30/06, elmer wrote:
>
> Hi,
>
> wow it works great, however how do i run this in the background? i cant
> see it under rc.d/?
>
> thanks
> --
> View this message in context:
> http://www.nabble.com/enable-passive-active-ftp-tf2015778.html#a5569580
> Sent from the freebsd-pf forum at Nabble.com.
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

Hi.

I started my learning curve with PF && FreeBSD 6.1. I have some problems with my clients behind my NAT. I had read some posts about PF and the ftp-proxy program we have in FreeBSD; I read the manpage, set up inetd, rdr && rules, but my clients behind my NAT still suffer when they want to access some ftp sites on the Internet (win2k, FreeBSD). I have tested with FTP_PASSIVE_MODE on and off, but same problem.

I have read this post about this case; then you recommend me to use pftpx over ftp-proxy...?

thanks all for your time...!!!
FreeBSD 6.1-p10

--
:-)

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 6 00:04:04 2006
Date: Tue, 5 Dec 2006 18:04:02 -0600
From: "Travis H."
To: freebsd-pf@freebsd.org
Message-ID: <20061206000402.GI10063@subspacefield.org>
Subject: Re: enable passive/active ftp

On Tue, Dec 05, 2006 at 02:43:06PM -0800, Fire walls wrote:
> I have read this post about this case, then you recommend me to use pftpx
> over ftp-proxy...?

I believe in OpenBSD that ftp-proxy has been deprecated, and that users are encouraged to start using pftpx.

--
"Cryptography is nothing more than a mathematical framework for discussing
various paranoid delusions."
-- Don Alvarez
-><-

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 6 00:57:39 2006
Date: Tue, 5 Dec 2006 16:57:37 -0800
From: "Fire walls"
To: freebsd-pf@freebsd.org
In-Reply-To: <20061206000402.GI10063@subspacefield.org>
Subject: Re: enable passive/active ftp

On 12/5/06, Travis H. wrote:
>
> On Tue, Dec 05, 2006 at 02:43:06PM -0800, Fire walls wrote:
> > I have read this post about this case, then you recommend me to use
> > pftpx over ftp-proxy...?
>
> I believe in OpenBSD that ftp-proxy has been deprecated,
> and that users are encouraged to start using pftpx.
> --
> "Cryptography is nothing more than a mathematical framework for
> discussing various paranoid delusions." -- Don Alvarez
> -><-

I will try today after work!!! Thanks!!!
--
:-)

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 6 07:46:50 2006
Message-ID: <33491508.2761165392495356.OPEN-XCHANGE.WebMail.www@intranet.mra.co.id>
Date: Wed, 6 Dec 2006 15:08:15 +0700 (WIT)
From: Beastie MRA
To: freebsd-pf@freebsd.org, freebsd-question@freebsd.org
Organization: MRAGroup
Subject: pf queue keep state

Dear All

Does stateful inspection (keep state) in pf work with queueing, so I can avoid these rules..

pass out on xl1 from $lan to $internet queue (internet)
pass out on xl2 from $internet to $iix queue (internet)

Please help me..

regards
Reza

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 6 09:25:02 2006
Date: Wed, 6 Dec 2006 09:25:01 GMT
From: Remko Lodder
Message-Id: <200612060925.kB69P1nj081144@freefall.freebsd.org>
To: remko@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/106400: fatal trap 12 at restart of PF with ALTQ if ng0 device has detached

Synopsis: fatal trap 12 at restart of PF with ALTQ if ng0 device has detached

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: remko
Responsible-Changed-When: Wed Dec 6 09:24:33 UTC 2006
Responsible-Changed-Why:
This seems more like something for the pf group.

http://www.freebsd.org/cgi/query-pr.cgi?pr=106400

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 6 13:10:59 2006
To: freebsd-pf@freebsd.org
References: <20061206000402.GI10063@subspacefield.org>
From: peter@bsdly.net (Peter N. M. Hansteen)
In-Reply-To: <20061206000402.GI10063@subspacefield.org> (Travis H.'s message of "Tue, 5 Dec 2006 18:04:02 -0600")
Date: Wed, 06 Dec 2006 14:09:36 +0100
Message-ID: <87zma19nn3.fsf@thingy.datadok.no>
Subject: Re: enable passive/active ftp

"Travis H." writes:

> I believe in OpenBSD that ftp-proxy has been deprecated,
> and that users are encouraged to start using pftpx.

actually, a 'son of pftpx' is the new ftp-proxy in OpenBSD 3.9 and newer.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 6 13:20:07 2006
Date: Wed, 6 Dec 2006 13:20:05 GMT
Message-Id: <200612061320.kB6DK5iO004938@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Volker
Subject: Re: kern/106400: fatal trap 12 at restart of PF with ALTQ if ng0 device has detached

The following reply was made to PR kern/106400; it has been noted by GNATS.
From: Volker
To: bug-followup@FreeBSD.org, bst2006@dva.dyndns.org
Cc:
Subject: Re: kern/106400: fatal trap 12 at restart of PF with ALTQ if ng0 device has detached
Date: Wed, 06 Dec 2006 14:16:42 +0100

First I would suggest to use ALTQ w/ mpd not on ng0 but on the real physical interface (for example fxp0, xl0) which is being used by netgraph/mpd.

On the other side I also do have trouble using ALTQ with mpd but I'm using mpd for a 3G connection (based on a tty device, not a NIC).

Avoiding ALTQ rules in pf.conf for the ng0 interface (not using ALTQ on ng0) doesn't produce a fatal trap 12. So disabling ALTQ in your kernel is not the only workaround. You may still use ALTQ on your internal NIC without a trap.

Unlike your experience, I always do experience a kernel trap when reloading pf rules w/ ALTQ on ng0 (whether or not pf rules are reloaded by a script or manually).

This also occurs while the ng0 interface is still there and from my experience it's not related to a reload of mpd.

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 6 13:38:18 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org, Volker
Date: Wed, 6 Dec 2006 14:37:34 +0100
In-Reply-To: <200612061320.kB6DK5iO004938@freefall.freebsd.org>
Message-Id: <200612061437.40562.max@love2party.net>
Subject: Re: kern/106400: fatal trap 12 at restart of PF with ALTQ if ng0 device has detached

On Wednesday 06 December 2006 14:20, Volker wrote:
> The following reply was made to PR kern/106400; it has been noted by
> GNATS.
>
> From: Volker
> To: bug-followup@FreeBSD.org, bst2006@dva.dyndns.org
> Cc:
> Subject: Re: kern/106400: fatal trap 12 at restart of PF with ALTQ if
> ng0 device has detached
> Date: Wed, 06 Dec 2006 14:16:42 +0100
>
> First I would suggest to use ALTQ w/ mpd not on ng0 but on the real
> physical interface (for example fxp0, xl0) which is being used by
> netgraph/mpd.
>
> On the other side I also do have trouble using ALTQ with mpd but I'm
> using mpd for a 3G connection (based on a tty device, not a NIC).
>
> Avoiding ALTQ rules in pf.conf for the ng0 interface (not using ALTQ
> on ng0) doesn't produce a fatal trap 12. So disabling ALTQ in your
> kernel is not the only workaround. You may still use ALTQ on your
> internal NIC without a trap.
>
> Unlike your experience, I always do experience a kernel trap when
> reloading pf rules w/ ALTQ on ng0 (whether or not pf rules are
> reloaded by a script or manually).
>
> This also occurs while the ng0 interface is still there and from my
> experience it's not related to a reload of mpd.

Can you provide a trace for this panic? I have a good understanding of the issue in the PR, but your problem seems to be quite different if the ng0 device really doesn't go away meanwhile. More details would be required.
--
/"\ Best regards,                      | mlaier@freebsd.org
\ / Max Laier                          | ICQ #67774661
 X  http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \ ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 6 14:27:46 2006
Message-ID: <4576D346.8080000@vwsoft.com>
Date: Wed, 06 Dec 2006 15:27:18 +0100
From: Volker
To: Max Laier
Cc: freebsd-pf@freebsd.org
In-Reply-To: <200612061437.40562.max@love2party.net>
Subject: Re: kern/106400: fatal trap 12 at restart of PF with ALTQ if ng0 device has detached

On 12/06/06 14:37, Max Laier wrote:
> On Wednesday 06 December 2006 14:20, Volker wrote:
>> The following reply was made to PR kern/106400; it has been noted by
>> GNATS.
>>
>> From: Volker
>> To: bug-followup@FreeBSD.org, bst2006@dva.dyndns.org
>> Cc:
>> Subject: Re: kern/106400: fatal trap 12 at restart of PF with ALTQ if
>> ng0 device has detached
>> Date: Wed, 06 Dec 2006 14:16:42 +0100
>>
>> First I would suggest using ALTQ w/ mpd not on ng0 but on the real
>> physical interface (for example fxp0, xl0) which is being used by
>> netgraph/mpd.
>>
>> On the other side I also do have trouble using ALTQ with mpd, but I'm
>> using mpd for a 3G connection (based on a tty device, not a NIC).
>>
>> Avoiding ALTQ rules in pf.conf for the ng0 interface (not using ALTQ
>> on ng0) doesn't produce a fatal trap 12. So disabling ALTQ in your
>> kernel is not the only workaround. You may still use ALTQ on your
>> internal NIC without a trap.
>>
>> Unlike your experience, I always do experience a kernel trap when
>> reloading pf rules w/ ALTQ on ng0 (whether the pf rules are
>> reloaded by a script or manually).
>>
>> This also occurs while the ng0 interface is still there, and from my
>> experience it's not related to a reload of mpd.
>
> Can you provide a trace for this panic? I have a good understanding of
> the issue in the PR, but your problem seems to be quite different if the
> ng0 device really doesn't go away meanwhile. More details would be
> required.
>

Max,

sure, I can do that, but please stay patient for some days. I need to set
up a debugging env and a serial cable, and find the right time to be
willing to crash my server machine...
;)

Just as a pre-information, here's the dmesg output of a crash that occurred
on 2006-11-07 (taken from the periodic security message):

kernel trap 12 with interrupts disabled
>
>
> Fatal trap 12: page fault while in kernel mode
> cpuid = 0; apic id = 00
> fault virtual address = 0x2c352f30
> fault code = supervisor read, page not present
> instruction pointer = 0x20:0xc057ae05
> stack pointer = 0x28:0xdaaa595c
> frame pointer = 0x28:0xdaaa5968
> code segment = base 0x0, limit 0xfffff, type 0x1b
> = DPL 0, pres 1, def32 1, gran 1
> processor eflags = resume, IOPL = 0
> current process = 24730 (pfctl)
> trap number = 12
> panic: page fault
> cpuid = 0
> KDB: stack backtrace:
> kdb_backtrace(100,c3995c00,28,daaa591c,c,...) at kdb_backtrace+0x29
> panic(c07573b4,c0788e59,0,fffff,c09b,...) at panic+0x113
> trap_fatal(daaa591c,2c352f30) at trap_fatal+0x2d7
> trap(8,28,28,c3995c00,2c352e30,...) at trap+0x10e
> calltrap() at calltrap+0x5
> --- trap 0xc, eip = 0xc057ae05, esp = 0xdaaa595c, ebp = 0xdaaa5968 ---
> _mtx_lock_sleep(c346850c,c3995c00,0,0,0) at _mtx_lock_sleep+0xa5
> rmc_delete_class(c3c2cc04,c3723c00,c3723c00,a,daaa59c8,...) at rmc_delete_class+0x5a
> cbq_class_destroy(c3c2c800,c3723c00,1,c3c2c800,0,...) at cbq_class_destroy+0x18
> cbq_clear_interface(c3c2c800) at cbq_clear_interface+0x37
> cbq_remove_altq(c3729600) at cbq_remove_altq+0x20
> altq_remove(c3729600) at altq_remove+0x3d
> pf_commit_altq(4,cd858940,cd858940,c35a9c70,daaa5a30,...) at pf_commit_altq+0x10a
> pfioctl(c3455300,c00c4452,c358b770,3,c3995c00,...) at pfioctl+0x3698
> devfs_ioctl_f(c35b65a0,c00c4452,c358b770,c3bd8e80,c3995c00) at devfs_ioctl_f+0xb3
> ioctl(c3995c00,daaa5d04) at ioctl+0x449
> syscall(3b,3b,3b,bfbfdd6c,0,...) at syscall+0x2cd
> Xint0x80_syscall() at Xint0x80_syscall+0x1f
> --- syscall (54, FreeBSD ELF32, ioctl), eip = 0x28193b0f, esp = 0xbfbfdd4c, ebp = 0xbfbfdd78 ---

I'll provide you complete details and probably more debugging info next week.
Greetings,

Volker

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 6 15:16:45 2006
From: "Roger Miranda (Digital Relay)"
Organization: Digital Relay Inc.
To: freebsd-pf@freebsd.org
Date: Wed, 6 Dec 2006 09:16:52 -0600
Message-Id: <200612060916.53866.rmiranda@digitalrelay.ca>
Subject: PF rdr from one port to another

Hey Everyone, First time poster here.

I have a FreeBSD 6.1 setup with if_bridge. Two NICs.
I am running squid on the bridge itself.

I'm having some issues doing the routing with PF.
I have:

rdr on $int_if inet proto tcp from $net to any port www -> $proxy port 3128
pass in log all keep state
pass out log all keep state

Now from the workstation I type in "http://slashdot.org" and I see it pass
through squid, but now it is trying to connect to "http://slashdot.org:3128".
Is there any way to repackage the packet to force port 80 instead of 3128?

Thanks
Roger

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 6 15:22:52 2006
Date: Wed, 6 Dec 2006 16:22:14 +0100
From: Gergely CZUCZY
To: "Roger Miranda (Digital Relay)"
Cc: freebsd-pf@freebsd.org
Message-ID: <20061206152214.GA95527@harmless.hu>
References: <200612060916.53866.rmiranda@digitalrelay.ca>
In-Reply-To: <200612060916.53866.rmiranda@digitalrelay.ca>
Subject: Re: PF rdr from one port to another

On Wed, Dec 06, 2006 at 09:16:52AM -0600, Roger Miranda (Digital Relay) wrote:
> Hey Everyone, First time poster here.
>
> I have a FreeBSD 6.1 setup with if_bridge. Two NICs.
> I am running squid on the bridge itself.
>
> I'm having some issues doing the routing with PF.
> I have:
>
> rdr on $int_if inet proto tcp from $net to any port www -> $proxy port 3128

is $int_if the internal or the bridged interface?
what is $proxy?

> pass in log all keep state
> pass out log all keep state

it'd be wise to specify interfaces also here.

> Now from the workstation I type in "http://slashdot.org" and I see it pass
> through squid, but now it is trying to connect to "http://slashdot.org:3128"

what is "it" that connects to :3128 ?
1) it == the client
2) it == the squid proxy

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

-- 
Weenies test. Geniuses solve problems that arise.
From owner-freebsd-pf@FreeBSD.ORG Wed Dec 6 15:29:03 2006
From: "Roger Miranda (Digital Relay)"
Organization: Digital Relay Inc.
To: Gergely CZUCZY
Cc: freebsd-pf@freebsd.org
Date: Wed, 6 Dec 2006 09:28:47 -0600
Message-Id: <200612060928.47988.rmiranda@digitalrelay.ca>
References: <200612060916.53866.rmiranda@digitalrelay.ca> <20061206152214.GA95527@harmless.hu>
In-Reply-To: <20061206152214.GA95527@harmless.hu>
Subject: Re: PF rdr from one port to another

On Wednesday 06 December 2006 09:22, Gergely CZUCZY wrote:
> On Wed, Dec 06, 2006 at 09:16:52AM -0600, Roger Miranda (Digital Relay) wrote:
> > Hey Everyone, First time poster here.
> >
> > I have a FreeBSD 6.1 setup with if_bridge. Two NICs.
> > I am running squid on the bridge itself.
> >
> > I'm having some issues doing the routing with PF.
> > I have:
> >
> > rdr on $int_if inet proto tcp from $net to any port www -> $proxy port
> > 3128
>
> is $int_if the internal or the bridged interface?
> what is $proxy?

Sorry about that,

ext_if="em0"
int_if="em1"
bridge_if="bridge0"
net="192.168.0.0/16"
proxy="127.0.0.1"

em0 = 192.168.0.74
em1 = 192.168.0.75

> > pass in log all keep state
> > pass out log all keep state
>
> it'd be wise to specify interfaces also here.
>
> > Now from the workstation I type in "http://slashdot.org" and I see it pass
> > through squid, but now it is trying to connect to
> > "http://slashdot.org:3128"
>
> what is "it" that connects to :3128 ?
> 1) it == the client
> 2) it == the squid proxy

It's the proxy trying to redirect it to :3128, I just see that by looking
at tcpdump.
> Bye,
>
> Gergely Czuczy
> mailto: gergely.czuczy@harmless.hu

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 6 15:31:25 2006
Date: Wed, 6 Dec 2006 16:31:19 +0100
From: Gergely CZUCZY
To: "Roger Miranda (Digital Relay)"
Cc: freebsd-pf@freebsd.org
Message-ID: <20061206153119.GA95733@harmless.hu>
References: <200612060916.53866.rmiranda@digitalrelay.ca> <20061206152214.GA95527@harmless.hu> <200612060928.47988.rmiranda@digitalrelay.ca>
In-Reply-To: <200612060928.47988.rmiranda@digitalrelay.ca>
Subject: Re: PF rdr from one port to another

On Wed, Dec 06, 2006 at 09:28:47AM -0600, Roger Miranda (Digital Relay) wrote:
> On Wednesday 06 December 2006 09:22, Gergely CZUCZY wrote:
> > On Wed, Dec 06, 2006 at 09:16:52AM -0600, Roger Miranda (Digital Relay)
> wrote:
> > > Hey Everyone, First time poster here.
> > >
> > > I have a FreeBSD 6.1 setup with if_bridge. Two NICs.
> > > I am running squid on the bridge itself.
> > >
> > > I'm having some issues doing the routing with PF.
> > > I have:
> > >
> > > rdr on $int_if inet proto tcp from $net to any port www -> $proxy port
> > > 3128
> >
> > is $int_if the internal or the bridged interface?
> > what is $proxy?
>
> Sorry about that,
>
> ext_if="em0"
> int_if="em1"
> bridge_if="bridge0"
> net="192.168.0.0/16"
> proxy="127.0.0.1"

nice. use bridge_if.
i remember somewhere reading about this, the bridge interface
should be used for filtering, and not the individual interfaces

> em0 = 192.168.0.74
> em1 = 192.168.0.75
>
> >
> > > pass in log all keep state
> > > pass out log all keep state
> >
> > it'd be wise to specify interfaces also here.
> >
> > > Now from the workstation I type in "http://slashdot.org" and I see it pass
> > > through squid, but now it is trying to connect to
> > > "http://slashdot.org:3128"
> >
> > what is "it" that connects to :3128 ?
> > 1) it == the client
> > 2) it == the squid proxy
> It's the proxy trying to redirect it to :3128, I just see that by looking at
> tcpdump.

interesting, it shouldn't. have you configured squid to act
as a transproxy on that port, and have pf support built into squid?
i think that you must have to use this feature.

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

-- 
Weenies test. Geniuses solve problems that arise.
From owner-freebsd-pf@FreeBSD.ORG Wed Dec 6 15:37:34 2006
From: "Roger Miranda (Digital Relay)"
Organization: Digital Relay Inc.
To: Gergely CZUCZY
Cc: freebsd-pf@freebsd.org
Date: Wed, 6 Dec 2006 09:37:49 -0600
Message-Id: <200612060937.49554.rmiranda@digitalrelay.ca>
References: <200612060916.53866.rmiranda@digitalrelay.ca> <200612060928.47988.rmiranda@digitalrelay.ca> <20061206153119.GA95733@harmless.hu>
In-Reply-To: <20061206153119.GA95733@harmless.hu>
Subject: Re: PF rdr from one port to another

On Wednesday 06 December 2006 09:31, you wrote:
> On Wed, Dec 06, 2006 at 09:28:47AM -0600, Roger Miranda (Digital Relay) wrote:
> > On Wednesday 06 December 2006 09:22, Gergely CZUCZY wrote:
> > > On Wed, Dec 06, 2006 at 09:16:52AM -0600, Roger Miranda (Digital Relay)
> > > > wrote:
> > > > Hey Everyone, First time poster here.
> > > >
> > > > I have a FreeBSD 6.1 setup with if_bridge. Two NICs.
> > > > I am running squid on the bridge itself.
> > > >
> > > > I'm having some issues doing the routing with PF.
> > > > I have:
> > > >
> > > > rdr on $int_if inet proto tcp from $net to any port www -> $proxy
> > > > port 3128
> > >
> > > is $int_if the internal or the bridged interface?
> > > what is $proxy?
> >
> > Sorry about that,
> >
> > ext_if="em0"
> > int_if="em1"
> > bridge_if="bridge0"
> > net="192.168.0.0/16"
> > proxy="127.0.0.1"
>
> nice. use bridge_if.
> i remember somewhere reading about this, the bridge interface
> should be used for filtering, and not the individual interfaces

When I do a rdr on $bridge_if, it just seems to bypass everything.
>
> > em0 = 192.168.0.74
> > em1 = 192.168.0.75
> >
> > > > pass in log all keep state
> > > > pass out log all keep state
> > >
> > > it'd be wise to specify interfaces also here.
> > >
> > > > Now from the workstation I type in "http://slashdot.org" and I see it
> > > > pass through squid, but now it is trying to connect to
> > > > "http://slashdot.org:3128"
> > >
> > > what is "it" that connects to :3128 ?
> > > 1) it == the client
> > > 2) it == the squid proxy
> >
> > It's the proxy trying to redirect it to :3128, I just see that by looking
> > at tcpdump.
>
> interesting, it shouldn't. have you configured squid to act
> as a transproxy on that port, and have pf support built into squid?
> i think that you must have to use this feature.

Yes. I do have transparent pf compiled into squid.

> Bye,
>
> Gergely Czuczy
> mailto: gergely.czuczy@harmless.hu

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 6 15:42:15 2006
Date: Wed, 6 Dec 2006 16:42:06 +0100
From: Gergely CZUCZY
To: "Roger Miranda (Digital Relay)"
Cc: freebsd-pf@freebsd.org
Message-ID: <20061206154206.GB95890@harmless.hu>
References: <200612060916.53866.rmiranda@digitalrelay.ca> <200612060928.47988.rmiranda@digitalrelay.ca> <20061206153119.GA95733@harmless.hu> <200612060937.49554.rmiranda@digitalrelay.ca>
In-Reply-To: <200612060937.49554.rmiranda@digitalrelay.ca>
Subject: Re: PF rdr from one port to another

On Wed, Dec 06, 2006 at 09:37:49AM -0600, Roger Miranda (Digital Relay) wrote:
> On Wednesday 06 December 2006 09:31, you wrote:
> > On Wed, Dec 06, 2006 at 09:28:47AM -0600, Roger Miranda (Digital Relay)
> wrote:
> > > On Wednesday 06 December 2006 09:22, Gergely CZUCZY wrote:
> > > > On Wed, Dec 06, 2006 at 09:16:52AM -0600, Roger Miranda (Digital Relay)
> > > > > wrote:
> > > > > Hey Everyone, First time poster here.
> > > > >
> > > > > I have a FreeBSD 6.1 setup with if_bridge. Two NICs.
> > > > > I am running squid on the bridge itself.
> > > > >
> > > > > I'm having some issues doing the routing with PF.
> > > > > I have:
> > > > >
> > > > > rdr on $int_if inet proto tcp from $net to any port www -> $proxy
> > > > > port 3128
> > > >
> > > > is $int_if the internal or the bridged interface?
> > > > what is $proxy?
> > >
> > > Sorry about that,
> > >
> > > ext_if="em0"
> > > int_if="em1"
> > > bridge_if="bridge0"
> > > net="192.168.0.0/16"
> > > proxy="127.0.0.1"
> >
> > nice. use bridge_if.
> > i remember somewhere reading about this, the bridge interface
> > should be used for filtering, and not the individual interfaces
> When I do a rdr on $bridge_if, it just seems to bypass everything.
> >
> > > em0 = 192.168.0.74
> > > em1 = 192.168.0.75
> > >
> > > > > pass in log all keep state
> > > > > pass out log all keep state
> > > >
> > > > it'd be wise to specify interfaces also here.
> > > >
> > > > > Now from the workstation I type in "http://slashdot.org" and I see it
> > > > > pass through squid, but now it is trying to connect to
> > > > > "http://slashdot.org:3128"
> > > >
> > > > what is "it" that connects to :3128 ?
> > > > 1) it == the client
> > > > 2) it == the squid proxy
> > >
> > > It's the proxy trying to redirect it to :3128, I just see that by looking
> > > at tcpdump.
> >
> > interesting, it shouldn't. have you configured squid to act
> > as a transproxy on that port, and have pf support built into squid?
> > i think that you must have to use this feature.
> Yes. I do have transparent pf compiled into squid.

please also answer the other question. have you made squid
listen on that port as a transparent proxy?
and what version of squid is this at all?

> >
> > Bye,
> >
> > Gergely Czuczy
> > mailto: gergely.czuczy@harmless.hu

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

-- 
Weenies test. Geniuses solve problems that arise.
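Gergely's suggestions in this and his previous message (redirect and filter on the bridge interface, name the interfaces in the pass rules, run squid as a transparent proxy with pf support) put together as one configuration. This is an added illustration, not Roger's actual setup or anything posted in the thread: the macros are the ones Roger gave, the squid.conf line uses the Squid 2.6 syntax, the sysctl names come from if_bridge(4), and which interface carries squid's own upstream connections is an assumption.

```conf
# pf.conf -- macros as Roger posted them
ext_if="em0"
int_if="em1"
bridge_if="bridge0"
net="192.168.0.0/16"
proxy="127.0.0.1"

# Before (as posted): rdr on one member NIC, pass rules bound to no
# interface, so every packet on every interface is passed and logged.
#   rdr on $int_if inet proto tcp from $net to any port www -> $proxy port 3128
#   pass in log all keep state
#   pass out log all keep state

# After: redirect on the bridge interface. pf only rewrites the destination
# address and port; the proxy has to recover the original destination
# itself (squid.conf below), otherwise all it knows is 127.0.0.1:3128.
rdr on $bridge_if inet proto tcp from $net to any port www -> $proxy port 3128

# Filter rules see the translated destination, so match on $proxy:3128.
pass in on $bridge_if inet proto tcp from $net to $proxy port 3128 keep state
# squid's upstream connections originate from the host itself; assumed
# here to leave through the member NICs.
pass out on { $ext_if, $int_if } inet proto tcp to any port www keep state

# If rules on $bridge_if seem to be skipped entirely, check whether pf is
# hooked into the bridge at all (if_bridge(4) sysctls, 1 = filter there):
#   sysctl net.link.bridge.pfil_bridge net.link.bridge.pfil_member

# squid.conf (Squid 2.6 syntax) -- mark the listening port as transparent
# so squid looks up the pre-rdr destination through /dev/pf instead of
# seeing only 127.0.0.1:3128. The build needs --enable-pf-transparent and
# the squid user needs read access to /dev/pf.
http_port 3128 transparent
```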
From owner-freebsd-pf@FreeBSD.ORG Wed Dec 6 15:45:16 2006
From: "Roger Miranda (Digital Relay)"
Organization: Digital Relay Inc.
To: Gergely CZUCZY
Cc: freebsd-pf@freebsd.org
Date: Wed, 6 Dec 2006 09:45:29 -0600
Message-Id: <200612060945.30335.rmiranda@digitalrelay.ca>
References: <200612060916.53866.rmiranda@digitalrelay.ca> <200612060937.49554.rmiranda@digitalrelay.ca> <20061206154206.GB95890@harmless.hu>
In-Reply-To: <20061206154206.GB95890@harmless.hu>
Subject: Re: PF rdr from one port to another

On Wednesday 06 December 2006 09:42, Gergely CZUCZY wrote:
> On Wed, Dec 06, 2006 at 09:37:49AM -0600, Roger Miranda (Digital Relay) wrote:
> > On Wednesday 06 December 2006 09:31, you wrote:
> > > On Wed, Dec 06, 2006 at 09:28:47AM -0600, Roger Miranda (Digital Relay)
> > > > wrote:
> > > > On Wednesday 06 December 2006 09:22, Gergely CZUCZY wrote:
> > > > > On Wed, Dec 06, 2006 at 09:16:52AM -0600, Roger Miranda (Digital
> > > > > Relay)
> > > > > > > > wrote:
> > > > > > Hey Everyone, First time poster here.
> > > > > >
> > > > > > I have a FreeBSD 6.1 setup with if_bridge. Two NICs.
> > > > > > I am running squid on the bridge itself.
> > > > > >
> > > > > > I'm having some issues doing the routing with PF.
> > > > > > I have:
> > > > > >
> > > > > > rdr on $int_if inet proto tcp from $net to any port www -> $proxy
> > > > > > port 3128
> > > > >
> > > > > is $int_if the internal or the bridged interface?
> > > > > what is $proxy?
> > > >
> > > > Sorry about that,
> > > >
> > > > ext_if="em0"
> > > > int_if="em1"
> > > > bridge_if="bridge0"
> > > > net="192.168.0.0/16"
> > > > proxy="127.0.0.1"
> > >
> > > nice. use bridge_if.
> > > i remember somewhere reading about this, the bridge interface
> > > should be used for filtering, and not the individual interfaces
> >
> > When I do a rdr on $bridge_if, it just seems to bypass everything.
> >
> > > > em0 = 192.168.0.74
> > > > em1 = 192.168.0.75
> > > >
> > > > > > pass in log all keep state
> > > > > > pass out log all keep state
> > > > >
> > > > > it'd be wise to specify interfaces also here.
> > > > >
> > > > > > Now from the workstation I type in "http://slashdot.org" and I
> > > > > > see it pass through squid, but now it is trying to connect to
> > > > > > "http://slashdot.org:3128"
> > > > >
> > > > > what is "it" that connects to :3128 ?
> > > > > 1) it == the client
> > > > > 2) it == the squid proxy
> > > >
> > > > It's the proxy trying to redirect it to :3128, I just see that by
> > > > looking at tcpdump.
> > >
> > > interesting, it shouldn't. have you configured squid to act
> > > as a transproxy on that port, and have pf support built into squid?
> > > i think that you must have to use this feature.
> >
> > Yes. I do have transparent pf compiled into squid.
>
> please also answer the other question. have you made squid
> listen on that port as a transparent proxy?
> and what version of squid is this at all?

squid is listening on port :3128 and I do have transparent proxy enabled.
I am using squid 2.6 > > > > Bye, > > > > > > Gergely Czuczy > > > mailto: gergely.czuczy@harmless.hu > > Bye, > > Gergely Czuczy > mailto: gergely.czuczy@harmless.hu From owner-freebsd-pf@FreeBSD.ORG Wed Dec 6 20:02:09 2006 Return-Path: X-Original-To: freebsd-pf@hub.freebsd.org Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id AAC2816A5C7 for ; Wed, 6 Dec 2006 20:02:09 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id DCE7543CA5 for ; Wed, 6 Dec 2006 20:01:21 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id kB6JeC8a040777 for ; Wed, 6 Dec 2006 19:40:12 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id kB6JeCMK040772; Wed, 6 Dec 2006 19:40:12 GMT (envelope-from gnats) Date: Wed, 6 Dec 2006 19:40:12 GMT Message-Id: <200612061940.kB6JeCMK040772@freefall.freebsd.org> To: freebsd-pf@FreeBSD.org From: "Boris S." Cc: Subject: Re: kern/106400: fatal trap 12 at restart of PF with ALTQ if ng0 device has detached X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: "Boris S." List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Dec 2006 20:02:09 -0000 The following reply was made to PR kern/106400; it has been noted by GNATS. 
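The redirect-to-squid thread above never arrives at a working rule set, so here is an added example, not taken from Roger's or Gergely's messages, of how a transparent squid redirect is normally written for pf on FreeBSD 6.x. It reuses the poster's macro values (em0/em1, 192.168.0.0/16, squid on 127.0.0.1:3128) and assumes two things the thread does not state: that squid 2.6 listens with `http_port 3128 transparent` and was built with pf transparent-proxy support (which needs read access to /dev/pf), and that, if pf is meant to see the bridge members rather than bridge0, /etc/sysctl.conf carries net.link.bridge.pfil_member=1 and net.link.bridge.pfil_bridge=0 so each frame is filtered once instead of on both the member and the bridge. Two points carry the example: the rdr must not catch traffic addressed to the firewall itself (including direct connections to port 3128), and the pass rule has to match the translated destination 127.0.0.1:3128, because translation happens before filtering. The rules are the documented ones for a pf host that forwards the LAN's traffic; whether a FreeBSD 6.x if_bridge member hands a rdr-translated frame to the local stack when the frame's Ethernet destination is another host is exactly what the thread leaves open, so treat this as the rule set to start from, not as confirmation that the bridge layout works.

```pf
# Added example: transparent squid behind pf (FreeBSD 6.x). Not taken from
# the thread above; macro values follow the poster's setup, the rest is
# assumed. Load with "pfctl -nf /etc/pf.conf" first to check the syntax.
ext_if     = "em0"
int_if     = "em1"
net        = "192.168.0.0/16"
proxy      = "127.0.0.1"
proxy_port = "3128"

set skip on lo0

# Redirect client web traffic arriving on the inside interface to squid.
# "to ! ($int_if)" keeps requests aimed at the firewall's own addresses,
# including direct attempts to reach squid on 3128, out of the redirect.
rdr on $int_if inet proto tcp from $net to ! ($int_if) port www \
    -> $proxy port $proxy_port

# rdr is evaluated before the filter rules, so the pass rule must match
# the translated destination, not the original web server.
pass in quick on $int_if inet proto tcp from $net to $proxy port $proxy_port \
    flags S/SA keep state

# squid's own fetches leave through the outside interface (adjust the
# interface if the default route leaves via em1 on this bridge).
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port www \
    flags S/SA keep state

# Everything else, bound to explicit interfaces as suggested in the thread
# instead of "pass in log all".
pass in  on $int_if from $net to any keep state
pass out on $ext_if from $net to any keep state
pass in  on $ext_if to $net keep state
pass out on $int_if to $net keep state
```

Two checks after loading: `pfctl -vsn` shows the rdr rule with its evaluation and match counters, so a client request that does not increment it never reached the rule on that interface; and `pfctl -ss | grep 3128` shows whether states to 127.0.0.1:3128 exist, i.e. whether the translated packet was passed and delivered. If the counters move but squid still answers as if the request were addressed to itself (the ":3128" symptom in the thread), the `transparent` keyword on http_port or the pf support in the squid binary is what to verify next.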
From: "Boris S." To: bug-followup@FreeBSD.org, bst2006@dva.dyndns.org, volker@vwsoft.com, glebius@FreeBSD.org Cc: Subject: Re: kern/106400: fatal trap 12 at restart of PF with ALTQ if ng0 device has detached Date: Wed, 06 Dec 2006 20:17:24 +0100

I use ALTQ primarily for prioritizing TCP ACKs.
Tell me if I'm wrong, but I think it is not possible to prioritize TCP ACKs on encapsulated PPPoE data on the 'real' interface.

Bandwidth limiting on ng0 works great if I leave some bandwidth for the PPPoE overhead.

Besides this, I can't currently limit the real interface, because the DSL modem is connected in another room on the main LAN. I don't have a dedicated NIC for the modem.

Boris

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 6 20:20:18 2006 Return-Path: X-Original-To: freebsd-pf@hub.freebsd.org Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id B34AB16A494 for ; Wed, 6 Dec 2006 20:20:18 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7E70243CAB for ; Wed, 6 Dec 2006 20:19:25 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id kB6KKC85044641 for ; Wed, 6 Dec 2006 20:20:12 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id kB6KKCCa044640; Wed, 6 Dec 2006 20:20:12 GMT (envelope-from gnats) Date: Wed, 6 Dec 2006 20:20:12 GMT Message-Id: <200612062020.kB6KKCCa044640@freefall.freebsd.org> To: freebsd-pf@FreeBSD.org
From: Volker Cc: Subject: Re: kern/106400: fatal trap 12 at restart of PF with ALTQ if ng0 device has detached X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Volker List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Dec 2006 20:20:18 -0000 The following reply was made to PR kern/106400; it has been noted by GNATS. 
From: Volker To: "Boris S." Cc: bug-followup@FreeBSD.org, glebius@FreeBSD.org Subject: Re: kern/106400: fatal trap 12 at restart of PF with ALTQ if ng0 device has detached Date: Wed, 06 Dec 2006 21:16:03 +0100

Boris,

On 12/06/06 20:17, Boris S. wrote:
> I use ALTQ primarily for prioritizing TCP ACKs.
> Tell me if I'm wrong, but I think it is not possible to prioritize TCP
> ACKs on encapsulated PPPoE data on the 'real' interface.

You do this for example:

altq on xl0 ....
queue blabla ...

pass out on ng0 all queue(blablabla)

> Bandwidth limiting on ng0 works great if I leave some bandwidth for the
> PPPoE overhead.
>
> Besides this, I can't currently limit the real interface, because the
> DSL modem is connected in another room on the main LAN. I don't have a
> dedicated NIC for the modem.

As I understand it, your NAT gateway has just one NIC and you're using a PPPoE pass-thru capable router?

If so, you may still be able to use one queue for local traffic and one queue for external traffic (and sub-queues of both of course) on your NIC. But that's a question of personal taste. If ALTQ works for you your way, I would not make the effort to change it.

Greetings,

Volker

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 6 21:39:18 2006 Return-Path: X-Original-To: freebsd-pf@FreeBSD.org Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 02EC616A4D4 for ; Wed, 6 Dec 2006 21:39:18 +0000 (UTC) (envelope-from david@wombatsweb.com) Received: from mail01.bsdmail.net (mail01.bsdmail.net [64.243.181.101]) by mx1.FreeBSD.org (Postfix) with ESMTP id 767674403F for ; Wed, 6 Dec 2006 21:11:40 +0000 (GMT) (envelope-from david@wombatsweb.com) Received: (qmail 22042 invoked by uid 89); 6 Dec 2006 21:12:17 -0000 Received: by simscan 1.2.0 ppid: 22036, pid: 22039, t: 0.2069s scanners: attach: 1.2.0 clamav: 0.88.4/m:40/d:1893 Received: from unknown (HELO ?64.243.181.151?)
(david@icuhost.net@64.243.181.151) by mail01.bsdmail.net with ESMTPA; 6 Dec 2006 21:12:17 -0000 Message-ID: <4577322F.3080709@wombatsweb.com> Date: Wed, 06 Dec 2006 16:12:15 -0500 
From: David Pierron User-Agent: Thunderbird 1.5.0.8 (Windows/20061025) MIME-Version: 1.0 To: freebsd-pf@FreeBSD.org References: <5540790.post@talk.nabble.com> <20060728124958.opaevzcg04s0gg4s@mail.bafirst.com> <200607290107.34701.max@love2party.net> <5569580.post@talk.nabble.com> <20061206000402.GI10063@subspacefield.org> In-Reply-To: <20061206000402.GI10063@subspacefield.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: Re: enable passive/active ftp X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Dec 2006 21:39:18 -0000

Travis H. on 12/05/2006 7:04 PM wrote:
> On Tue, Dec 05, 2006 at 02:43:06PM -0800, Fire walls wrote:
>
>> I have read this post about this case, then you recommend me to use pftpx
>> over ftp-proxy...?
>>
>
> I believe in OpenBSD that ftp-proxy has been deprecated,
> and that users are encouraged to start using pftpx.
>

You guys, don't forget about those of us using routable IPs ...

I am using ftpsesame: http://www.sentia.org/projects/ftpsesame/

It's old but it works ...
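Boris wants empty TCP ACKs to go out first on a PPPoE link whose session interface (ng0) appears and disappears with the session, and Volker's sketch is `altq on <interface> ... queue ... pass out on ng0 all queue(...)`. What follows is an added example, not from the PR thread, of the usual way to write that with priq on ng0 itself, which is the variant Boris reports as working once headroom is left for the PPPoE framing. Assumptions: a nominal 1 Mbit/s upstream (the 900Kb figure is the headroom), a kernel built with `options ALTQ` and `options ALTQ_PRIQ` (plus `options ALTQ_NOPCC` on SMP), and invented queue names. The two-queue form `queue (q_bulk, q_ack)` is pf's mechanism for ACK prioritisation: packets with the lowdelay ToS bit set and TCP ACKs carrying no payload are assigned to the second queue, everything else to the first.

```pf
# Added example: priq on the PPPoE session interface, favouring empty TCP
# ACKs, DNS and interactive ssh. Not taken from the PR thread; interface,
# link speed and queue names are assumptions.
ext_if = "ng0"

# Bandwidth is set below the nominal upstream so that pf's queues, not the
# modem's buffer, decide what waits. The gap also covers the PPPoE header
# on every frame, which is the overhead the thread mentions.
altq on $ext_if priq bandwidth 900Kb queue { q_ack, q_dns, q_ssh, q_bulk }
queue q_ack  priority 7
queue q_dns  priority 6
queue q_ssh  priority 5
queue q_bulk priority 1 priq(default)

# NAT has already been applied when these rules run, so traffic from the
# LAN appears here with ng0's address as source.
pass out on $ext_if inet proto tcp from ($ext_if) to any \
    flags S/SA keep state queue (q_bulk, q_ack)
pass out on $ext_if inet proto tcp from ($ext_if) to any port ssh \
    flags S/SA keep state queue (q_ssh, q_ack)
pass out on $ext_if inet proto udp from ($ext_if) to any port domain \
    keep state queue q_dns
```

`pfctl -vsq` prints per-queue packet and drop counters; during a saturating upload q_bulk should be the only queue dropping while q_ack keeps moving. One caveat that is the subject of this PR: because the queues are bound to ng0, an unpatched 6.x kernel panics ("fatal trap 12") if the rules are reloaded while the PPPoE session is down and ng0 has gone away, so on such a box reload pf only while the session is up.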
From owner-freebsd-pf@FreeBSD.ORG Wed Dec 6 23:03:27 2006 Return-Path: X-Original-To: freebsd-pf@hub.freebsd.org Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 5646D16A50C for ; Wed, 6 Dec 2006 23:03:27 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id E7F6043CD3 for ; Wed, 6 Dec 2006 22:59:56 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id kB6N0WiH059366 for ; Wed, 6 Dec 2006 23:00:32 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id kB6N0W3d059365; Wed, 6 Dec 2006 23:00:32 GMT (envelope-from gnats) Date: Wed, 6 Dec 2006 23:00:32 GMT Message-Id: <200612062300.kB6N0W3d059365@freefall.freebsd.org> To: freebsd-pf@FreeBSD.org From: "Boris S." Cc: Subject: Re: kern/106400: fatal trap 12 at restart of PF with ALTQ if ng0 device has detached X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: "Boris S." List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Dec 2006 23:03:27 -0000 The following reply was made to PR kern/106400; it has been noted by GNATS. 
From: "Boris S." To: Volker Cc: bug-followup@FreeBSD.org, glebius@FreeBSD.org Subject: Re: kern/106400: fatal trap 12 at restart of PF with ALTQ if ng0 device has detached Date: Wed, 06 Dec 2006 23:54:28 +0100

Volker schrieb:
> As I understand it, your NAT gateway has just one NIC and you're using a
> PPPoE pass-thru capable router?

Nearly: it's a DSL modem, not a router. It speaks only PPPoE on the Ethernet (acting like a router with PPPoE pass-thru).

> If so, you may still be able to use one queue for local traffic and
> one queue for external traffic (and sub-queues of both of course) on
> your NIC. But that's a question of personal taste. If ALTQ works for
> you your way, I would not make the effort to change it.

I'll probably not change, but I'm open to alternate configuration possibilities.

Boris

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 7 10:42:00 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1236116A515 for ; Thu, 7 Dec 2006 10:42:00 +0000 (UTC) (envelope-from cgi-mailer-bounces-188189862@kundenserver.de) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.176]) by mx1.FreeBSD.org (Postfix) with ESMTP id A42E043EF5 for ; Thu, 7 Dec 2006 10:38:28 +0000 (GMT) (envelope-from cgi-mailer-bounces-188189862@kundenserver.de) Received: from [212.227.126.200] (helo=mrvnet.kundenserver.de) by moutng.kundenserver.de with esmtp (Exim 3.35 #1) id 1GsGel-0001o2-00 for freebsd-pf@freebsd.org; Thu, 07 Dec 2006 11:39:11 +0100 Received: from [212.227.34.97] (helo=infong427 ident=8) by mrvnet.kundenserver.de with smtp (Exim 3.35 #1) id 1GsGek-0003i8-00 for freebsd-pf@freebsd.org; Thu, 07 Dec 2006 11:39:10 +0100 Received: from [196.217.48.159](IP may be forged by CGI script) by infong427.kundenserver.de with HTTP; Thu, 7 Dec 2006 11:39:10 +0100 Date: Thu, 7 Dec 2006 11:39:10 +0100 Precedence: bulk To:
freebsd-pf@freebsd.org 
From: Content-Transfer-Encoding: 8bit Message-Id: X-Provags-ID: kundenserver.de abuse@kundenserver.de sender-info:188189862@infong427 MIME-Version: 1.0 Content-Type: text/plain X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: **Updat Account** X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: PINRobot_donotreply@e-gold.com List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Dec 2006 10:42:00 -0000 Dear E-gold customer We regret to inform you that your E-gold account could be suspended if you don't re-update your account information. To resolve this problems please [1]click here and re-enter your account information. If your problems could not be resolved your account will be suspended for a period of 24 hours, after this period your account will be terminated. For the User Agreement, Section 9, we may immediately issue a warning, temporarily suspend, indefinitely suspend or terminate your membership and refuse to provide our services to you if we believe that your actions may cause financial loss or legal liability for you, our users or us. We may also take these actions if we are unable to verify or authenticate any information you provide to us. Due to the suspension of this account, please be advised you are prohibited from using E-gold in any way. This includes the registering of a new account. Please note that this suspension does not relieve you of your agreed-upon obligation to pay any fees you may owe to E-gold. Regards,Safeharbor Department E-gold, Inc The E-gold team. This is an automatic message. Please do not reply. ______________________________________________________________________ |[2]Home |[3]Terms of Use |[4]About Us |[5]FAQ/Contact | References 1. http://e-gold-service.com/ 2. http://e-gold-service.com/ 3. http://e-gold-service.com/ 4. http://e-gold-service.com/ 5. 
http://e-gold-service.com/ From owner-freebsd-pf@FreeBSD.ORG Thu Dec 7 13:32:31 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1C1B816A403 for ; Thu, 7 Dec 2006 13:32:31 +0000 (UTC) (envelope-from roma.a.g@gmail.com) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.171]) by mx1.FreeBSD.org (Postfix) with ESMTP id AD9DA43CB0 for ; Thu, 7 Dec 2006 13:31:04 +0000 (GMT) (envelope-from roma.a.g@gmail.com) Received: by ug-out-1314.google.com with SMTP id o2so416157uge for ; Thu, 07 Dec 2006 05:31:52 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:date:from:x-mailer:reply-to:x-priority:message-id:to:subject:mime-version:content-type:content-transfer-encoding; b=iKEbPRBzox9f0QT58wZ54DJz3GN4kbVj7Uw0NK9y9QlEfVSIo7Sy1fdzi6n85JmqiEH0Zn2Gj+rVnt5q/8efM/4CCT9yCIl1aJqKGiGoZXbBf371GR4Kb8Ck0SmkUDfok/PE4qdV2Qk/qlPUhXPSxfW6L41/Zw/kjeZKVQ1Mk1w= Received: by 10.66.244.10 with SMTP id r10mr2919966ugh.1165498311897; Thu, 07 Dec 2006 05:31:51 -0800 (PST) Received: from pridep3.ad.office.acropolis.ru ( [81.211.90.3]) by mx.google.com with ESMTP id 55sm918336ugq.2006.12.07.05.31.51; Thu, 07 Dec 2006 05:31:51 -0800 (PST) Date: Thu, 7 Dec 2006 16:31:49 +0300 
From: "Roman Gorohov. " X-Mailer: The Bat! (v3.62.14) Professional X-Priority: 3 (Normal) Message-ID: <546388630.20061207163149@gmail.com> To: freebsd-pf@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Cc: Subject: ftp-proxy problem X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: "roma.a.g" List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Dec 2006 13:32:31 -0000

Hello, all.

We have a heavily loaded server with pf mostly doing NAT and redirection.

[root@fw]#uname -r
6.1-RELEASE
[root@fw]#pfctl -sr | wc -l
546
[root@fw]#pfctl -ss | wc -l
9452

Traffic is about 8 Mb/s.

/etc/inetd.conf:
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -t 180

/etc/pf.conf:
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

Traffic is about 8 megabit/s.

All works OK until we turn on ftp-proxy. After that (and some time) the server suddenly hangs. It just hangs: no kernel trap and a clear console, not responding to any key (I don't know how that might be; I never expected it from BSD). Meanwhile I can see one event relating to that: ftp-proxy. And it's not a hardware issue; we have two identical servers (HP DL380, AFAIR) working in CARP, and both hang.

Last messages:
Dec 7 15:14:42 fw inetd[640]: ftp-proxy from 10.10.1.70 exceeded counts/min (limit 60/min)
Dec 7 15:14:44 fw inetd[640]: ftp-proxy from 10.10.1.70 exceeded counts/min (limit 60/min)
Dec 7 15:14:45 fw ftp-proxy[64195]: xfer_data (server to client): failed (Connection reset by peer) with flags 00
Dec 7 15:14:55 fw ftp-proxy[64196]: xfer_data (server to client): failed (Connection reset by peer) with flags 00
Dec 7 15:32:31 fw syslogd: kernel boot file is /boot/kernel/kernel

Are there any known issues with ftp-proxy+pf? What should we do?
From owner-freebsd-pf@FreeBSD.ORG Thu Dec 7 13:38:14 2006 Return-Path: X-Original-To: freebsd-pf@FreeBSD.org Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id DF99616A4AB for ; Thu, 7 Dec 2006 13:38:13 +0000 (UTC) (envelope-from gergely.czuczy@harmless.hu) Received: from marvin.harmless.hu (marvin.harmless.hu [195.56.55.204]) by mx1.FreeBSD.org (Postfix) with ESMTP id F32A943E3C for ; Thu, 7 Dec 2006 13:35:17 +0000 (GMT) (envelope-from gergely.czuczy@harmless.hu) Received: from localhost (marvin-mail [192.168.0.2]) by marvin.harmless.hu (Postfix) with ESMTP id 824A47BFD06; Thu, 7 Dec 2006 14:35:54 +0100 (CET) X-Virus-Scanned: by amavisd-new-2.4.2 (20060627) (Debian) at harmless.hu Received: from marvin.harmless.hu ([192.168.0.2]) by localhost (marvin.harmless.hu [192.168.0.2]) (amavisd-new, port 10024) with ESMTP id xB8qf5VMKBF7; Thu, 7 Dec 2006 14:35:51 +0100 (CET) Received: from marvin.harmless.hu (localhost [127.0.0.1]) by marvin.harmless.hu (Postfix) with ESMTP id 34FEA7BFD04; Thu, 7 Dec 2006 14:35:35 +0100 (CET) Date: Thu, 7 Dec 2006 14:35:35 +0100 
From: Gergely CZUCZY To: "Roman Gorohov. " Message-ID: <20061207133535.GA16219@harmless.hu> References: <546388630.20061207163149@gmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=x-unknown; protocol="application/pgp-signature"; boundary="MGYHOYXEY6WxJCY8" Content-Disposition: inline In-Reply-To: <546388630.20061207163149@gmail.com> User-Agent: mutt-ng/devel-r804 (FreeBSD) Cc: freebsd-pf@FreeBSD.org Subject: Re: ftp-proxy problem X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Dec 2006 13:38:14 -0000

On Thu, Dec 07, 2006 at 04:31:49PM +0300, Roman Gorohov. wrote:
> Hello, all.
> We have a heavily loaded server with pf mostly doing NAT and redirection.
> [root@fw]#uname -r
> 6.1-RELEASE
> [root@fw]#pfctl -sr | wc -l
> 546
> [root@fw]#pfctl -ss | wc -l
> 9452
> Traffic is about 8 Mb/s.
> /etc/inetd.conf: ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -t 180
> /etc/pf.conf: rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> Traffic is about 8 megabit/s.
> All works OK until we turn on ftp-proxy.
> After that (and some time) the server suddenly hangs.
> It just hangs: no kernel trap and a clear console, not responding to any
> key (I don't know how that might be; I never expected it from BSD).
> Meanwhile I can see one event relating to that: ftp-proxy.
> And it's not a hardware issue; we have two identical servers (HP DL380, AFAIR) working in CARP, and both hang.
> Last messages:
> Dec 7 15:14:42 fw inetd[640]: ftp-proxy from 10.10.1.70 exceeded counts/min (limit 60/min)
> Dec 7 15:14:44 fw inetd[640]: ftp-proxy from 10.10.1.70 exceeded counts/min (limit 60/min)
> Dec 7 15:14:45 fw ftp-proxy[64195]: xfer_data (server to client): failed (Connection reset by peer) with flags 00
> Dec 7 15:14:55 fw ftp-proxy[64196]: xfer_data (server to client): failed (Connection reset by peer) with flags 00
> Dec 7 15:32:31 fw syslogd: kernel boot file is /boot/kernel/kernel
>
> Are there any known issues with ftp-proxy+pf?

try to use pftpx instead of ftp-proxy, it's available from ports.

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

--
Weenies test. Geniuses solve problems that arise.

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 7 19:10:18 2006 Return-Path: X-Original-To: freebsd-pf@hub.freebsd.org Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id ADAF116A403 for ; Thu, 7 Dec 2006 19:10:18 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id B5CB443CBE for ; Thu, 7 Dec 2006 19:09:24 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id kB7JABqH080286 for ; Thu, 7 Dec 2006 19:10:11 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id kB7JAB84080285; Thu, 7 Dec 2006 19:10:11 GMT (envelope-from gnats) Date: Thu, 7 Dec 2006 19:10:11 GMT Message-Id: <200612071910.kB7JAB84080285@freefall.freebsd.org> To: freebsd-pf@FreeBSD.org
From: Max Laier Cc: Subject: Re: kern/106400: fatal trap 12 at restart of PF with ALTQ if ng0 device has detached X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Max Laier List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Dec 2006 19:10:18 -0000 The following reply was made to PR kern/106400; it has been noted by GNATS. From: Max Laier To: bug-followup@freebsd.org, bst2006@dva.dyndns.org Cc: Subject: Re: kern/106400: fatal trap 12 at restart of PF with ALTQ if ng0 device has detached Date: Thu, 7 Dec 2006 20:00:25 +0100 --Boundary-00=_LTGeFqtfh+L0SPO Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline Okay, this is highly untested and certainly needs more work, but I don't have a crashbox set up right now, so if you could give it a try we might be getting somewhere quick. Please turn on misc debugging (pfctl -xm). This also might be a way to use ALTQ on not yet created interfaces, though this needs even more work. Report back if this changes anything. If you get a crash I'd like to see a dump and dmesg if possible. Thanks a lot. -- Max --Boundary-00=_LTGeFqtfh+L0SPO Content-Type: text/x-diff; charset="us-ascii"; name="altq_remove_if.diff" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="altq_remove_if.diff" Index: pf_ioctl.c =================================================================== RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_ioctl.c,v retrieving revision 1.20.2.4 diff -u -r1.20.2.4 pf_ioctl.c --- pf_ioctl.c 9 Sep 2006 00:50:25 -0000 1.20.2.4 +++ pf_ioctl.c 7 Dec 2006 18:54:24 -0000 @@ -211,6 +211,8 @@ static int pf_load(void); static int pf_unload(void); +void pf_detach_ifnet_event(void * __unused, struct ifnet *); + static struct cdevsw pf_cdevsw = { .d_ioctl = pfioctl, .d_name = PF_NAME, 
@@ -221,6 +223,8 @@ struct mtx pf_task_mtx; pflog_packet_t *pflog_packet_ptr = NULL; +eventhandler_tag pf_detach_cookie = NULL; + void init_pf_mutex(void) { @@ -351,9 +355,52 @@ /* XXX do our best to avoid a conflict */ pf_status.hostid = arc4random(); + pf_detach_cookie = EVENTHANDLER_REGISTER(ifnet_departure_event, + pf_detach_ifnet_event, NULL, EVENTHANDLER_PRI_ANY); return (error); } + +void +pf_detach_ifnet_event(void *arg __unused, struct ifnet *ifp) +{ +#ifdef ALTQ + struct pf_altq *altq; + int err, error = 0; + + PF_LOCK(); + TAILQ_FOREACH(altq, pf_altqs_active, entries) { + if (strncmp(ifp->if_xname, altq->ifname, IFNAMSIZ) != 0) + continue; + if (altq->qname[0] != 0) { +/* XXX: maybe later + altq->flags |= PFALTQ_FLAG_IF_REMOVED; + */ + continue; + } + KASSERT((altq->flags & PFALTQ_FLAG_IF_REMOVED) == 0, + ("flag already in use")); + /* detach and destroy the discipline */ + DPFPRINTF(PF_DEBUG_MISC, ("pf: remove altq %s.%s ...", + altq->ifname, altq->parent)); + if (pf_altq_running) + error = pf_disable_altq(altq); + DPFPRINTF(PF_DEBUG_MISC, ("%d ", error)); + err = altq_pfdetach(altq); + if (err != 0 && error == 0) + error = err; + DPFPRINTF(PF_DEBUG_MISC, ("%d ", error)); + err = altq_remove(altq); + if (err != 0 && error == 0) + error = err; + DPFPRINTF(PF_DEBUG_MISC, ("%d\n", error)); + altq->flags |= PFALTQ_FLAG_IF_REMOVED; + } + PF_UNLOCK(); +#endif +} + + #else /* !__FreeBSD__ */ void pfattach(int num) @@ -1042,7 +1089,8 @@ /* Purge the old altq list */ while ((altq = TAILQ_FIRST(pf_altqs_inactive)) != NULL) { TAILQ_REMOVE(pf_altqs_inactive, altq, entries); - if (altq->qname[0] == 0) { + if (altq->qname[0] == 0 && + (altq->flags & PFALTQ_FLAG_IF_REMOVED) == 0) { /* detach and destroy the discipline */ error = altq_remove(altq); } else 
@@ -1067,7 +1115,8 @@ /* Purge the old altq list */ while ((altq = TAILQ_FIRST(pf_altqs_inactive)) != NULL) { TAILQ_REMOVE(pf_altqs_inactive, altq, entries); - if (altq->qname[0] == 0) { + if (altq->qname[0] == 0 && + (altq->flags & PFALTQ_FLAG_IF_REMOVED) == 0) { /* detach and destroy the discipline */ error = altq_remove(altq); } else @@ -1112,7 +1161,8 @@ /* Purge the old altq list */ while ((altq = TAILQ_FIRST(pf_altqs_inactive)) != NULL) { TAILQ_REMOVE(pf_altqs_inactive, altq, entries); - if (altq->qname[0] == 0) { + if (altq->qname[0] == 0 && + (altq->flags & PFALTQ_FLAG_IF_REMOVED) == 0) { /* detach and destroy the discipline */ if (pf_altq_running) error = pf_disable_altq(altq); @@ -1139,6 +1189,9 @@ struct tb_profile tb; int s, error = 0; + if (altq->flags & PFALTQ_FLAG_IF_REMOVED) + return (0); + if ((ifp = ifunit(altq->ifname)) == NULL) return (EINVAL); @@ -1170,6 +1223,9 @@ struct tb_profile tb; int s, error; + if (altq->flags & PFALTQ_FLAG_IF_REMOVED) + return (0); + if ((ifp = ifunit(altq->ifname)) == NULL) return (EINVAL); @@ -3548,6 +3604,7 @@ PF_LOCK(); pf_status.running = 0; PF_UNLOCK(); + EVENTHANDLER_DEREGISTER(ifnet_departure_event, pf_detach_cookie); error = dehook_pf(); if (error) { /* Index: pfvar.h =================================================================== RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pfvar.h,v retrieving revision 1.11.2.2 diff -u -r1.11.2.2 pfvar.h --- pfvar.h 30 Dec 2005 00:50:18 -0000 1.11.2.2 +++ pfvar.h 7 Dec 2006 18:33:46 -0000 
@@ -1214,6 +1214,8 @@ u_int8_t priority; /* priority */ u_int16_t qlimit; /* queue size limit */ u_int16_t flags; /* misc flags */ +/* XXX: unused?!? */ +#define PFALTQ_FLAG_IF_REMOVED 0x8000 union { struct cbq_opts cbq_opts; struct priq_opts priq_opts; --Boundary-00=_LTGeFqtfh+L0SPO-- From owner-freebsd-pf@FreeBSD.ORG Fri Dec 8 01:50:13 2006 Return-Path: X-Original-To: freebsd-pf@hub.freebsd.org Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 03AB816A407 for ; Fri, 8 Dec 2006 01:50:13 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id CD9E543CAA for ; Fri, 8 Dec 2006 01:49:17 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id kB81oBVF016974 for ; Fri, 8 Dec 2006 01:50:11 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id kB81oB4A016973; Fri, 8 Dec 2006 01:50:11 GMT (envelope-from gnats) Date: Fri, 8 Dec 2006 01:50:11 GMT Message-Id: <200612080150.kB81oB4A016973@freefall.freebsd.org> To: freebsd-pf@FreeBSD.org From: "Boris S." Cc: Subject: Re: kern/106400: fatal trap 12 at restart of PF with ALTQ if ng0 device has detached X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: "Boris S." List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Dec 2006 01:50:13 -0000 The following reply was made to PR kern/106400; it has been noted by GNATS. 
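Review bot: in the pf_detach_ifnet_event() hunk (@@ -351,9 +355,52 @@) the `KASSERT((altq->flags & PFALTQ_FLAG_IF_REMOVED) == 0, ("flag already in use"))` fires on an INVARIANTS kernel the second time the same interface departs without a rule reload in between: the handler sets the flag on the entry in pf_altqs_active, nothing clears it when the interface comes back, and the entry survives until the next commit, so the mpd4 kill/restart cycle the reporter describes walks the already flagged entry again. Replace the assertion with a `continue` for entries that already carry the flag. In the same hunk, the second and third DPFPRINTF calls print the accumulated `error`, not `err`, so once pf_disable_altq() fails nothing is learned about altq_pfdetach() and altq_remove(); the reporter's `pf: remove altq ng0. ...22 22 22` therefore only shows the first call returning EINVAL, which is consistent with `ifunit(altq->ifname)` already failing for the departing interface. Print `err` for the later calls, and add a comment saying these failures are expected and deliberately ignored, since the fix relies on the flag being set regardless of them.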
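Review bot: the early `if (altq->flags & PFALTQ_FLAG_IF_REMOVED) return (0);` added at @@ -1139,6 +1189,9 @@ and @@ -1170,6 +1223,9 @@ makes enable and disable report success for a queue that is attached to nothing, and there is no ifnet_arrival_event counterpart that re-attaches it, so after ng0 comes back the `queue` rules keep matching while no shaping happens until the next `pfctl -f`. That matches the cover note calling this a first step toward ALTQ on not yet created interfaces, but the silent 0 should be documented at both early returns and in the commit message so it is not mistaken for a working queue; `pfctl -vsq` showing no packets on any queue after a reconnect is the user-visible symptom to mention.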
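Review bot: in the pfvar.h hunk, PFALTQ_FLAG_IF_REMOVED (0x8000) is placed in the `flags` member of struct pf_altq, which is the structure pfctl hands to the kernel through DIOCADDALTQ, so a userland caller can preset the bit and the new early returns in the enable/disable paths will skip that queue while reporting 0. Mask the bit off on copy-in (or keep the removed state in a kernel-only member), and replace the `/* XXX: unused?!? */` comment with one that says what the flag means, that only the departure handler sets it, and whether pfctl is expected to see it when it reads queues back.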
From: "Boris S." To: Max Laier Cc: bug-followup@freebsd.org Subject: Re: kern/106400: fatal trap 12 at restart of PF with ALTQ if ng0 device has detached Date: Fri, 08 Dec 2006 02:41:30 +0100

Max Laier schrieb:
> Okay, this is highly untested and certainly needs more work, but I don't
> have a crashbox set up right now, so if you could give it a try we might
> be getting somewhere quick.
>
> Please turn on misc debugging (pfctl -xm).
>
> This also might be a way to use ALTQ on not yet created interfaces, though
> this needs even more work.
>
> Report back if this changes anything. If you get a crash I'd like to see
> a dump and dmesg if possible.

This test patch works great! I've connected, disconnected, restarted and reloaded very many times in random order and nothing bad happens!

If I kill my mpd4 (without touching pf) I get the debug log:
pf: remove altq ng0. ...22 22 22

I always get "22 22 22". No other numbers after several restarts of mpd4, pf and FreeBSD.

Thank you for your prompt investigation!
Boris

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 8 14:01:01 2006
Date: Fri, 8 Dec 2006 16:53:02 +0300
From: "Roman Gorohov."
To: Gergely CZUCZY
Cc: freebsd-pf@FreeBSD.org
Subject: FTP problem

Hello, Gergely.

> try to use pftpx instead of ftp-proxy, it's available from ports.
> Bye,
> Gergely Czuczy

I tried switching to pftpx and got the same result. Last messages:

Dec 7 17:02:05 fw-spb pftpx[7306]: client limit (100) reached, refusing connection from 10.10.1.70
Dec 7 17:02:47 fw-spb pftpx[7306]: client limit (100) reached, refusing connection from 10.10.1.70
Dec 7 17:02:55 fw-spb pftpx[7306]: #296 proxy cannot connect to server 10.10.1.70: Operation not permitted
Dec 7 17:03:03 fw-spb pftpx[7306]: client limit (100) reached, refusing connection from 10.10.1.70
Dec 7 17:03:15 fw-spb last message repeated 2 times

Then it hung. Address 10.10.1.70 is the server itself, so I don't understand what's going on... I started to think that there is some loop in the pf rules; this would nicely explain why there aren't any messages at the console. But I can't see any.

This is everything referencing ftp in my pf.conf:

rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
pass out on $ext_if inet proto tcp from $ext_if to any port 21 flags S/AUPRFS modulate state
pass in on $ext_if proto tcp from any to any port 21 keep state

Any suggestions?

Regards, Roman.
From owner-freebsd-pf@FreeBSD.ORG Fri Dec 8 14:39:35 2006
Date: Fri, 8 Dec 2006 08:39:29 -0600
From: "Isaac Grover"
To: freebsd-pf@freebsd.org
Subject: Help with issue

Good morning from Wisconsin,

I have a wireless network set up as follows: the gateway/proxy/firewall is a FreeBSD 6.1 box running pf and squid with three NICs (xl0 isn't used yet); xl2 connects to the outside world, xl1 connects to the wireless access point, and my laptop (192.168.100.X) should have unrestricted access to everything while all other wireless clients are restricted to tcp_services and udp_services.

I built this pf.conf from the ground up using Peter's PF tutorial at http://home.nuug.no/~peter/pf/ , and I'm sure it's not a fault of Peter's fine tutorial, but that my understanding of how traffic flows through pf is somewhat lacking. I can ping from my WinXP laptop to the FreeBSD box and to the outside world, but I am not able to use any tcp or udp services. The rules involving tcp_services and udp_services seem to be correct; however, I suspect that the table isn't defined correctly, but I can't stay connected long enough to see where the problem is, as pfctl -f pf.conf resets my ssh connection.

Could a more experienced person take a look at what I have below and point out any problems? Thanks in advance.

---8<---
ext_if="xl2"
ext_net=$ext_if:network
wireless_if="xl1"
wireless_if_addr="192.168.100.1"
wireless_net=$wireless_if:network
my_laptop="192.168.100.X"

# the table name was lost in the archive (angle brackets stripped);
# <TABLE_NAME> below is a placeholder standing in for the original name
table <TABLE_NAME> { $wireless_net, !$my_laptop }
tcp_services="{ ssh, domain, smtp, pop3, auth, https }"
udp_services="{ domain, ntp }"
icmp_types= "echoreq"

set block-policy return

nat on $ext_if from <TABLE_NAME> to any port $tcp_services -> ($ext_if)
nat on $ext_if from $my_laptop to any -> ($ext_if)
rdr on $wireless_if inet proto tcp from $wireless_net to any port 80 -> $wireless_if_addr port 3080

block all

pass in on $wireless_if inet proto tcp from $wireless_net to $wireless_if_addr port 3080 keep state
pass out on $ext_if inet proto tcp from $wireless_net to any port 3080 keep state
pass out on $ext_if inet proto tcp from <TABLE_NAME> to any port $tcp_services keep state
pass out on $ext_if inet proto tcp from $my_laptop to any keep state
pass out on $ext_if inet proto udp from $wireless_net to any port $udp_services keep state
pass inet proto icmp from any to any
---8<---

--
Isaac Grover, Owner
Quality Computer Services of River Falls, Wisconsin
Affordable I. T. Consulting, Web Design, and Web Hosting.
Commercial and Residential Inquiries Welcomed.
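The ruleset above admits almost nothing on the interface the wireless clients actually arrive on: after "block all", the only "pass in on $wireless_if" rule is the one for squid's port 3080, and the icmp rule is the only other one that matches inbound on xl1. A forwarded packet is filtered twice, inbound on xl1 and then outbound on xl2, and a packet dropped on xl1 never reaches the "pass out on $ext_if" rules. Translation also happens before filtering, so on xl2 the source of a NATed packet is already the external address and "from $wireless_net" cannot match there. The following is an added example (not Isaac's file and not taken from Peter's tutorial) of the same topology with the restriction placed on the wireless interface; the table name <restricted>, the "set skip on lo0" line and the state-carrying icmp rule are this example's own choices, and 192.168.100.X stays as the placeholder it is in the post.

```pf
# Added example, not the original poster's ruleset.
ext_if="xl2"
wireless_if="xl1"
wireless_if_addr="192.168.100.1"
wireless_net=$wireless_if:network
my_laptop="192.168.100.X"          # placeholder as in the post; fill in the laptop's address

# Every wireless client except the laptop. <restricted> is an assumed name.
table <restricted> { $wireless_net, !$my_laptop }
tcp_services="{ ssh, domain, smtp, pop3, auth, https }"
udp_services="{ domain, ntp }"
icmp_types="echoreq"

set block-policy return
set skip on lo0

# Translation runs before the filter: one nat rule for the whole wireless
# net; who may use which service is decided by the filter rules below.
nat on $ext_if from $wireless_net to any -> ($ext_if)

# Transparent squid: web traffic from the wireless net is redirected to port 3080.
rdr on $wireless_if inet proto tcp from $wireless_net to any port 80 -> $wireless_if_addr port 3080

block all

# Inbound on the wireless interface. Because of "block all", a packet from a
# wireless client is dropped right here unless one of these rules matches it.
pass in on $wireless_if inet proto tcp from $wireless_net to $wireless_if_addr port 3080 keep state
pass in on $wireless_if inet proto tcp from <restricted> to any port $tcp_services keep state
pass in on $wireless_if inet proto udp from <restricted> to any port $udp_services keep state
pass in on $wireless_if inet proto icmp from $wireless_net to any icmp-type $icmp_types keep state
pass in on $wireless_if from $my_laptop to any keep state

# Outbound on the external interface. The source address here is already the
# translated one, so match ($ext_if), not $wireless_net. This also covers the
# firewall's own traffic, including squid's upstream connections.
pass out on $ext_if inet proto { tcp, udp, icmp } from ($ext_if) to any keep state
```

Load it with "pfctl -nf pf.conf" first to check the syntax, and while testing keep a second way in to the box: a ruleset that starts with "block all" admits an ssh session from the laptop only through the "pass in on $wireless_if from $my_laptop" rule, so a typo there cuts the session off exactly as described in the post.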
Web: http://www.qcs-rf.com

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 8 18:14:28 2006
Date: Fri, 8 Dec 2006 19:14:11 +0100
From: Gergely CZUCZY
To: "Roman Gorohov."
Cc: freebsd-pf@freebsd.org
Subject: Re: FTP problem

On Fri, Dec 08, 2006 at 04:53:02PM +0300, Roman Gorohov. wrote:
> Hello, Gergely.
>
> > try to use pftpx instead of ftp-proxy, it's available from ports.
>
> > Bye,
> > Gergely Czuczy
>
> I tried switch to pftpx and got same result.
> Last messages:
> Dec 7 17:02:05 fw-spb pftpx[7306]: client limit (100) reached, refusing connection from 10.10.1.70
> Dec 7 17:02:47 fw-spb pftpx[7306]: client limit (100) reached, refusing connection from 10.10.1.70
> Dec 7 17:02:55 fw-spb pftpx[7306]: #296 proxy cannot connect to server 10.10.1.70: Operation not permitted
> Dec 7 17:03:03 fw-spb pftpx[7306]: client limit (100) reached, refusing connection from 10.10.1.70
> Dec 7 17:03:15 fw-spb last message repeated 2 times
> Then it hang.
>
> Address 10.10.1.70 is server itself, so I don't understand whats going on...
> I started to think that there is some loop in pf rules, this would
> nicely explain why there isn't any messages at console. But I can't
> see any.
> This is all referencing to ftp in my pf.conf:
> rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> pass out on $ext_if inet proto tcp from $ext_if to any port 21 flags S/AUPRFS modulate state
> pass in on $ext_if proto tcp from any to any port 21 keep state

If you paste a ruleset, please also resolve all of the macros and include the interface definitions. We don't even know what addresses your $int_if has, where you receive your ftp connections from, and what configuration you are using for pftpx.

> Any suggestions?

man pftpx, check the parameters. Think of these while doing that:

> Dec 7 17:02:05 fw-spb pftpx[7306]: client limit (100) reached, refusing connection from 10.10.1.70
> Dec 7 17:02:47 fw-spb pftpx[7306]: client limit (100) reached, refusing connection from 10.10.1.70
> Dec 7 17:03:03 fw-spb pftpx[7306]: client limit (100) reached, refusing connection from 10.10.1.70

And for this, check your pf ruleset. If the sending of the packet is disabled by a local pf rule, you might get that error message:

> Dec 7 17:02:55 fw-spb pftpx[7306]: #296 proxy cannot connect to server 10.10.1.70: Operation not permitted

As a general good hint I'd suggest reading google://how+to+ask. It's not a joke, it's a serious suggestion.

> Regards, Roman.

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

--
Weenies test. Geniuses solve problems that arise.