From owner-freebsd-pf@FreeBSD.ORG Mon May 12 05:55:27 2008
From: Diego Salvador
To: freebsd-pf@freebsd.org
Date: Sun, 11 May 2008 22:41:30 -0700 (PDT)
Subject: Using ALTQ without PF in FreeBSD
Message-ID: <326998.93432.qm@web76107.mail.sg1.yahoo.com>

To Whom It May Concern:

Hi! Is it possible to use ALTQ in FreeBSD without PF? Because what I want
to achieve is to build a QoS system/machine in a Diffserv or Intserv
network without firewall. It seems like ALTQ is tightly coupled with PF.
I have read at http://pf4freebsd.love2party.net/altq.html that ALTQ
integration in FreeBSD is in PF-Mode, not in COMPAT Mode. Can someone
elaborate the difference between these two modes? The info describes
FreeBSD-5; is it still affecting the FreeBSD-6.2/6.3 and FreeBSD-7.0
releases? In NetBSD, ALTQ can be used without PF or other means of
firewall.

Thank you very much!

Diego Salvador

From owner-freebsd-pf@FreeBSD.ORG Mon May 12 09:24:51 2008
From: Jille Timmermans
To: Diego Salvador
Cc: freebsd-pf@freebsd.org
Date: Mon, 12 May 2008 11:09:17 +0200
Subject: Re: Using ALTQ without PF in FreeBSD
Message-ID: <4828093D.200@quis.cx>
In-Reply-To: <326998.93432.qm@web76107.mail.sg1.yahoo.com>

Hello,

Diego Salvador wrote:
> To Whom It May Concern:
>
> Hi! Is it possible to use ALTQ in FreeBSD without PF?
I know it is possible to use ALTQ with IPFW (another firewall),
> Because what I want to achieve is to build a QoS system/machine in a Diffserv or Intserv network
> without firewall. It seems like ALTQ is tightly coupled with PF.
But not whether you can use it entirely without any firewall.
> I have read this
> http://pf4freebsd.love2party.net/altq.html that ALTQ integration in FreeBSD
> is in PF-Mode not in COMPAT Mode? Can someone elaborate the difference
> between these types of modes? The info describes FreeBSD-5, Is it still
> affecting FreeBSD-6.2/6.3 and FreeBSD-7.0 releases? In NetBSD, ALTQ
> can be used without PF or other means of firewall.
Can't you enable PF, add some firewall rules that pass all data, and apply
the altq's? AFAIK pf should not screw up your packets (if you leave all
other stuff behind).

-- Jille

>
> Thank you very much!
>
> Diego Salvador
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Mon May 12 11:07:03 2008
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 12 May 2008 11:07:02 GMT
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-Id: <200805121107.m4CB72Tc038096@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/116610   pf         [patch] teach tcpdump(1) to cope with the new-style pf
o kern/120281  pf         [request] lost returning packets to PF for a rdr rule
o kern/122014  pf         [panic] FreeBSD 6.2 panic in pf

5 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
s conf/110838  pf         tagged parameter on nat not working on FreeBSD 5.2
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
f kern/116645  pf         [request] pfctl -k does not work in securelevel 3
o kern/118355  pf         [pf] [patch] pfctl help message options order false -t
o kern/120057  pf         [patch] Allow proper settings of ALTQ_HFSC. The check
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to

10 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon May 12 12:37:41 2008
From: Diego Salvador
To: jille@quis.cx, freebsd-pf@freebsd.org
Date: Mon, 12 May 2008 05:37:38 -0700 (PDT)
Subject: Re: Using ALTQ without PF in FreeBSD
Message-ID: <680753.77770.qm@web76106.mail.sg1.yahoo.com>

Hi Jille,

Building a DiffServ domain network will require DiffServ Code Point (DSCP)
values or bits for packet marking and re-marking for QoS. PF only supports
Type-of-Service (TOS) bits.

Thanks,
Diego Salvador

Diego Salvador wrote:
> To Whom It May Concern:
>
> Hi! Is it possible to use ALTQ in FreeBSD without PF?
I know it is possible to use ALTQ with IPFW (another firewall),
> Because what I want to achieve is to build a QoS system/machine in a Diffserv or Intserv network
> without firewall. It seems like ALTQ is tightly coupled with PF.
But not whether you can use it entirely without any firewall.
> I have read this
> http://pf4freebsd.love2party.net/altq.html that ALTQ integration in FreeBSD
> is in PF-Mode not in COMPAT Mode? Can someone elaborate the difference
> between these types of modes? The info describes FreeBSD-5, Is it still
> affecting FreeBSD-6.2/6.3 and FreeBSD-7.0 releases? In NetBSD, ALTQ
> can be used without PF or other means of firewall.
Can't you enable PF, add some firewall rules that pass all data, and apply
the altq's? AFAIK pf should not screw up your packets (if you leave all
other stuff behind).

-- Jille

From owner-freebsd-pf@FreeBSD.ORG Mon May 12 12:58:11 2008
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Mon, 12 May 2008 14:53:31 +0200
Subject: Re: Using ALTQ without PF in FreeBSD
Message-Id: <200805121453.32022.max@love2party.net>
In-Reply-To: <326998.93432.qm@web76107.mail.sg1.yahoo.com>

Hello Diego,

On Monday 12 May 2008 07:41:30 Diego Salvador wrote:
> Hi! Is it possible to use ALTQ in FreeBSD without PF? Because what I
> want to achieve is to build a QoS system/machine in a Diffserv or
> Intserv network without firewall. It seems like ALTQ is tightly coupled
> with PF. I have read this http://pf4freebsd.love2party.net/altq.html
> that ALTQ integration in FreeBSD is in PF-Mode not in COMPAT Mode? Can
> someone elaborate the difference between these types of modes? The info
> describes FreeBSD-5, Is it still affecting FreeBSD-6.2/6.3 and
> FreeBSD-7.0 releases? In NetBSD, ALTQ can be used without PF or other
> means of firewall.

Basically there are two parts to traffic shaping:
 1) Classification of traffic
 2) The actual queuing

ALTQ used to do both, i.e. you could specify classifications based on
src/dst/dscp/... in altqd and it would dig into the packets itself. This
classification, however, turned out to be absolutely incompatible with the
SMPng goals, and when I imported ALTQ it was decided to disable it (because
nobody had interest in locking it down for SMPng compliance).

The classification in "PF-mode" is rather simple: any firewall (or other
policy tool plugged into the pfil(9) API) can classify packets for ALTQ by
adding an mbuf_tag to the packet. ALTQ only takes care of the actual
queuing.

Today, IPFW and PF are able to classify packets this way. IIRC, there are
patches floating around to teach IPFW about DSCP (they might even be in the
tree already). If neither tool meets your requirements, it should be easy
enough to plug an application-specific filter into pfil(9) that would do
the classification.
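The split Max describes shows up directly in a pf.conf: the altq and queue
lines define ALTQ's queues (the queuing part), and pf's pass rules do the
classification by tagging each packet with a queue id, which is the mbuf tag
ALTQ reads. The ruleset below is an added illustration for this archive, not
from any message in the thread and not FreeBSD project code; the interface
name em0, the 10 Mbit uplink and the queue names are assumptions. It follows
Jille's pass-everything idea, so pf blocks nothing and only assigns queues,
and it classifies on the TOS byte with the tos parameter, which is what the
thread says pf matches on: the DSCP field is the top six bits of that byte,
so DSCP EF (46) corresponds to tos 0xb8 and AF31 (26) to tos 0x68.

```pf
# Added example for this archive, not from the thread. Assumed: external
# interface em0 with a 10 Mbit uplink; queue names are illustrative.
ext_if = "em0"

# Queuing (part 2 in Max's description). ALTQ only schedules; the kernel
# needs options ALTQ and ALTQ_CBQ (plus ALTQ_NOPCC where the TSC is not
# in sync across CPUs, as discussed in the thread).
altq on $ext_if cbq bandwidth 10Mb queue { q_ef, q_af, q_be }
queue q_ef bandwidth 20% priority 7 cbq(borrow)
queue q_af bandwidth 30% priority 4 cbq(borrow)
queue q_be bandwidth 50% priority 1 cbq(default borrow)

# Classification (part 1). pf picks the queue and tags the packet; every
# packet is passed, nothing is blocked. The last matching rule wins, so
# the default queue comes first and the more specific tos rules override it.
pass quick on lo0
pass in on $ext_if keep state
pass out on $ext_if keep state queue q_be
# tos matches the whole IPv4 TOS byte; DSCP occupies its top six bits:
#   EF   = DSCP 46 -> 46 << 2 = 0xb8
#   AF31 = DSCP 26 -> 26 << 2 = 0x68
pass out on $ext_if tos 0x68 keep state queue q_af
pass out on $ext_if tos 0xb8 keep state queue q_ef
```

Load it with pfctl -ef /etc/pf.conf and watch the per-queue counters with
pfctl -vsq: if the tos rules never accumulate packets, the DSCP marking set
upstream is not reaching this host, and if only q_be moves, the state was
created by an earlier rule and keeps the queue it was assigned then.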
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon May 12 14:18:37 2008
From: Diego Salvador
To: Max Laier, freebsd-pf@freebsd.org
Date: Mon, 12 May 2008 07:06:16 -0700 (PDT)
Subject: Re: Using ALTQ without PF in FreeBSD
Message-ID: <694237.4939.qm@web76113.mail.sg1.yahoo.com>
In-Reply-To: <200805121453.32022.max@love2party.net>

Hi Max,

Thanks for your reply and explanation! I now understand why ALTQ is in
PF-mode. What needs to be done for ALTQ to be SMPng compliant?

What is the use of the option ALTQ_NOPCC in the kernel? This is described
as being used for SMP kernels?

Yes, I will also look at pfil(9).

Thanks,
Diego Salvador

From owner-freebsd-pf@FreeBSD.ORG Mon May 12 15:23:08 2008
From: Max Laier
Organization: FreeBSD
To: Diego Salvador
Cc: freebsd-pf@freebsd.org
Date: Mon, 12 May 2008 17:18:29 +0200
Subject: Re: Using ALTQ without PF in FreeBSD
Message-Id: <200805121718.29589.max@love2party.net>
In-Reply-To: <694237.4939.qm@web76113.mail.sg1.yahoo.com>

Diego, please don't top post!

On Monday 12 May 2008 16:06:16 Diego Salvador wrote:
> Thanks for your reply and explanation! I now understand why ALTQ is in
> PF-mode. What needs to be done for ALTQ to be SMPng compliant?

I haven't looked at the classifier code in a while. But IIRC it is a mess.
I don't remember the details, but I'd stay away from it. That aside,
what's wrong with the existing solutions?

> What is the use of the option ALTQ_NOPCC in the kernel? This is
> described as being used for SMP kernels?

This is something completely different. It simply tells ALTQ not to use
the TSC for timing directly, as it might not be in sync on SMP boxes.

> Yes, I will also look at pfil(9).

This is the right solution, though I really think that either PF or IPFW
can do what you need. If not, please be more specific about what your
goal is.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon May 12 19:25:05 2008
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: mcbride@openbsd.org, dhartmei@openbsd.org
Date: Mon, 12 May 2008 21:20:14 +0200
Subject: Re: do not work nested unnamed anchor
Message-Id: <200805122120.15088.max@love2party.net>

Hello Igor,

it seems this is a general problem and I can't figure out the cause of it
ATM. It seems that it is the same in OpenBSD (and has been for quite some
time, too). Daniel, Ryan, any ideas?

Attached is a transcript from OpenBSD 4.3 inside of qemu trying the
verbatim pf.conf(5) example. The nested anchor doesn't seem to match for
some reason. While here I also discovered that it is obviously impossible
to destroy/clean up after nested anchors completely.

On Friday 09 May 2008 14:54:43 Igor A. Valcov wrote:
> For example:
>
> ==== pf.conf ====
>
> ext_if="xl0"
> ip_world="nn.nn.nn.nn"
>
> # Filter rules
> block log all
>
> anchor in on $ext_if {
>     pass quick proto tcp to $ip_world port 22 keep state
>     # SSH
>     pass quick proto tcp to $ip_world port 25 keep state
>     # SMTP
>     pass quick proto tcp to $ip_world port 110 keep state
>     # POP3
>     anchor {
>         pass quick proto tcp to $ip_world port 995 keep state
>         # POP3S
>     }
> }
>
> ============
>
> nmap results:
>
> PORT    STATE SERVICE VERSION
> 22/tcp  open  ssh     OpenSSH 4.5p1 (FreeBSD 20061110; protocol 2.0)
> 25/tcp  open  smtp?
> 110/tcp open  pop3    Openwall popa3d
>
>
> I cannot understand what the problem is...
>
> FreeBSD-7.0-RELEASE-p1
> i386

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Attachment: anchors (text/plain)

Script started on Mon May 12 20:44:12 2008
# cat pf.conf
anchor "external" on egress {
	block
	anchor out {
		pass proto tcp from any to port { 25, 80, 443 }
	}
	pass in proto tcp to any port 22
}
# ifconfig ne3
ne3: flags=8863 mtu 1500
	lladdr 52:54:00:12:34:56
	groups: egress
	media: Ethernet 10baseT full-duplex
	inet6 fe80::5054:ff:fe12:3456%ne3 prefixlen 64 scopeid 0x1
	inet 10.0.2.15 netmask 0xffffff00 broadcast 10.0.2.255
# pfctl -vef pf.conf
anchor "external" on egress all {
  block drop all
  anchor out all {
    pass proto tcp from any to any port = smtp flags S/SA keep state
    pass proto tcp from any to any port = www flags S/SA keep state
    pass proto tcp from any to any port = https flags S/SA keep state
  }
  pass in proto tcp from any to any port = ssh flags S/SA keep state
}
pf enabled
# telnet 10.0.2.2 80
Trying 10.0.2.2...
telnet: connect to address 10.0.2.2: No route to host
# pfctl -vvvgsr
@0 anchor "external" on egress all
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 1  Packets: 1  Bytes: 64  States: 0 ]
# pfctl -vvvgsr -a external
@0 block drop all
  [ Skip steps: i=end f=end p=2 sa=end sp=end da=end dp=2 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 1  Packets: 1  Bytes: 64  States: 0 ]
@1 anchor out all {
  [ Skip steps: i=end f=end sa=end sp=end da=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 1  Packets: 0  Bytes: 0  States: 0 ]
@0 pass proto tcp from any to any port = smtp flags S/SA keep state
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 0  Packets: 0  Bytes: 0  States: 0 ]
@1 pass proto tcp from any to any port = www flags S/SA keep state
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 0  Packets: 0  Bytes: 0  States: 0 ]
@2 pass proto tcp from any to any port = https flags S/SA keep state
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 0  Packets: 0  Bytes: 0  States: 0 ]
}
@2 pass in proto tcp from any to any port = ssh flags S/SA keep state
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 1  Packets: 0  Bytes: 0  States: 0 ]
# telnet 10.0.2.2 25
Trying 10.0.2.2...
telnet: connect to address 10.0.2.2: No route to host
# pfctl -vvvgsr -a external
@0 block drop all
  [ Skip steps: i=end f=end p=2 sa=end sp=end da=end dp=2 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 2  Packets: 2  Bytes: 128  States: 0 ]
@1 anchor out all {
  [ Skip steps: i=end f=end sa=end sp=end da=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 2  Packets: 0  Bytes: 0  States: 0 ]
@0 pass proto tcp from any to any port = smtp flags S/SA keep state
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 0  Packets: 0  Bytes: 0  States: 0 ]
@1 pass proto tcp from any to any port = www flags S/SA keep state
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 0  Packets: 0  Bytes: 0  States: 0 ]
@2 pass proto tcp from any to any port = https flags S/SA keep state
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 0  Packets: 0  Bytes: 0  States: 0 ]
}
@2 pass in proto tcp from any to any port = ssh flags S/SA keep state
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 2  Packets: 0  Bytes: 0  States: 0 ]
# uname -a
OpenBSD foo.laiers.local 4.3 GENERIC#698 i386
# ^D
Script done on Mon May 12 20:45:55 2008

Script started on Mon May 12 21:03:04 2008
# pfctl -vvvsA
# pfctl -vef pf.conf
anchor "external" on egress all {
  block drop all
  anchor out all {
    pass proto tcp from any to any port = smtp flags S/SA keep state
    pass proto tcp from any to any port = www flags S/SA keep state
    pass proto tcp from any to any port = https flags S/SA keep state
  }
  pass in proto tcp from any to any port = ssh flags S/SA keep state
  pass out proto tcp from any to any port = smtp flags S/SA keep state
}
pf enabled
# pfctl -vsA
  external
  external/_2
  external/external
  external/external/_2
# pfctl -Fa
rules cleared
nat cleared
0 tables deleted.
altq cleared
0 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
# pfctl -vsA
  external
  external/_2
  external/external
  external/external/_2
# pfctl -Fa -a external
rules cleared
nat cleared
0 tables deleted.
# pfctl -vsA
  external
  external/_2
# ^D
Script done on Mon May 12 21:03:51 2008

From owner-freebsd-pf@FreeBSD.ORG Mon May 12 22:38:23 2008
From: "Ansar Mohammed"
Date: Mon, 12 May 2008 18:38:19 -0400
Subject: pf + GeoIP
Message-ID: <015d01c8b480$e157cb60$a4076220$@com>

Hello All,

Does anyone have any scripts on integrating pf with GeoIP? Is there an
extension API?

From owner-freebsd-pf@FreeBSD.ORG Tue May 13 02:17:54 2008
(envelope-from m.pagulayan@auckland.ac.nz)
Received: from UXCHANGE2.UoA.auckland.ac.nz (uxcn1.itss.auckland.ac.nz [130.216.190.118]) by mailhost.auckland.ac.nz (Postfix) with ESMTP id
From: "Mark Pagulayan" <m.pagulayan@auckland.ac.nz>
To: freebsd-pf@freebsd.org
Date: Tue, 13 May 2008 13:53:31 +1200
Subject: smtp not working with state modulation

Hi Guys,

OS: FreeBSD 7.0-RELEASE

I am having trouble allowing external SMTP requests through the firewall
with "modulate state". But with "keep state" it is working fine.
Here are my rules in pf:

ext_if="em1"
int_if="em0"

scrub in on $ext_if

block in log on $ext_if all
block return out log on $ext_if all

pass in log quick on $int_if
pass out log quick on $int_if

pass log quick on $ext_if proto tcp from any to 192.168.1.1 port 25 modulate state flags S/SA

block in log quick on $ext_if proto tcp from any to any port 25

When I try to telnet from my PC (192.169.1.2)
telnet 192.168.1.1 25
I get a "Connection Failed" error.

Checking tcpdump on interface pflog0, here is what it shows.

========================================================================
[root@fw4 /home/mark]# tcpdump -netti pflog0 port 25
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes

1210641823.095857 rule 4/0(match): pass in on em1: 192.168.1.2.2573 > 192.168.1.1.25: tcp 28 [bad hdr length 0 - too short, < 20]

========================================================================

Your help would be mostly appreciated.

Cheers,

Mark

From owner-freebsd-pf@FreeBSD.ORG Tue May 13 03:02:51 2008
Date: Mon, 12 May 2008 20:02:51 -0700
From: Jeremy Chadwick <jdc@parodius.com>
To: Mark Pagulayan
Message-ID: <20080513030251.GA47608@eos.sc1.parodius.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: smtp not working with state modulation

On Tue, May 13, 2008 at 01:53:31PM +1200, Mark Pagulayan wrote:
> OS: FreeBSD 7.0-RELEASE
> I am having trouble allowing external SMTP requests through the firewall
> with "modulate state". But with "keep state" it is working fine.

modulate state is known to be broken; use keep state instead. Here's
the thread where I was informed of this fact:

http://lists.freebsd.org/pipermail/freebsd-pf/2008-March/004223.html
http://lists.freebsd.org/pipermail/freebsd-pf/2008-March/004227.html

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Tue May 13 03:23:35 2008
From: "Mark Pagulayan" <m.pagulayan@auckland.ac.nz>
To: "Jeremy Chadwick"
Cc: freebsd-pf@freebsd.org
Date: Tue, 13 May 2008 15:23:34 +1200
In-Reply-To: <20080513030251.GA47608@eos.sc1.parodius.com>
Subject: RE: smtp not working with state modulation

Thanks for the reply Jeremy. This is a big help.

Cheers,

Mark

-----Original Message-----
From: Jeremy Chadwick [mailto:koitsu@freebsd.org]
Sent: Tuesday, 13 May 2008 3:03 p.m.
To: Mark Pagulayan
Cc: freebsd-pf@freebsd.org
Subject: Re: smtp not working with state modulation

On Tue, May 13, 2008 at 01:53:31PM +1200, Mark Pagulayan wrote:
> OS: FreeBSD 7.0-RELEASE
> I am having trouble allowing external SMTP requests through the firewall
> with "modulate state". But with "keep state" it is working fine.

modulate state is known to be broken; use keep state instead. Here's
the thread where I was informed of this fact:

http://lists.freebsd.org/pipermail/freebsd-pf/2008-March/004223.html
http://lists.freebsd.org/pipermail/freebsd-pf/2008-March/004227.html

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.
                                                      PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Tue May 13 03:41:39 2008
Date: Mon, 12 May 2008 20:41:36 -0700 (PDT)
From: Diego Salvador <salvador_d13@yahoo.com.ph>
To: Max Laier
Cc: freebsd-pf@freebsd.org
In-Reply-To: <200805121718.29589.max@love2party.net>
Message-ID: <732222.17028.qm@web76101.mail.sg1.yahoo.com>
Subject: Re: Using ALTQ without PF in FreeBSD

Max Laier wrote:

Diego, please don't top post!

On Monday 12 May 2008 16:06:16 Diego Salvador wrote:
> Thanks for your reply and explanation! I now understand why ALTQ is in
> PF-mode. What are the things needed to be done in order for ALTQ to be
> SMPng compliant?

I haven't looked at the classifier code in a while. But IIRC it is a mess.
I don't remember the details, but I'd stay away from it. That aside,
what's wrong with the existing solutions?

> What is the use of the option ALTQ_NOPCC in the
> kernel? This is described to be used for SMP kernels?

This is something completely different. It simply tells ALTQ to not use
the TSC for timing directly as it might not be in sync on SMP boxes.

> Yes, I will look
> also on the pfil(9).

This is the right solution, though I really think that either PF or IPFW
can do what you need. If not, please be more specific about what your
goal is.

[Diego] Okay, I really have to dig it up. The goal here is to be able to
classify traffic with DSCP using ALTQ because, as far as I know, the ALTQ
framework for QoS was originally designed to handle this. Also, from the
Internet service provider (ISP) point of view, classifying traffic for
services is very important, especially when you provide different Internet
services like data, voice and video, or what we call triple-play services.
Another thing: KAME snap release kits have a Weighted-Fair Queueing (WFQ)
scheduler available; it might be better also if it could be integrated
into FreeBSD ALTQ (PF-Mode) for hierarchical QoS aside from HFSC.

Thanks,
Diego Salvador

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue May 13 15:04:53 2008
From: "Ansar Mohammed" <ansarm@gmail.com>
To: freebsd-pf@freebsd.org
Date: Tue, 13 May 2008 11:04:49 -0400
Message-ID: <005b01c8b50a$b12d3710$1387a530$@com>
Subject: authpf win32 client

Is there a win32 "client" for authpf? A simple agent to sit in the tray
where the user can login and logout without having to deploy a full ssh
client?

From owner-freebsd-pf@FreeBSD.ORG Tue May 13 23:55:33 2008
From: Tom Uffner <tom@uffner.com>
To: freebsd-pf@freebsd.org
Date: Tue, 13 May 2008 19:55:27 -0400
Message-ID: <482A2A6F.9060000@uffner.com>
Subject: understanding pfctl state table output

Is there documentation somewhere (other than reading the source code) of
exactly what all of the fields in the output from "pfctl -ss" (and
"pfctl -vvvgss") mean, and all of the possible values? Most of it seems
pretty obvious, but it would still be nice to have a way to be sure I'm
not misinterpreting things.
Thanks,
tom

From owner-freebsd-pf@FreeBSD.ORG Wed May 14 08:29:02 2008
From: "Reinhold" <freebsd@violetlan.net>
To: freebsd-pf@freebsd.org
Date: Wed, 14 May 2008 09:30:17 +0100 (BST)
Message-ID: <52914.217.41.34.61.1210753817.squirrel@www.violetlan.net>
Subject: a few problems with pf

Hi

I'm having a few problems with pf on my FreeBSD 7 STABLE systems. I have
two running 7 and 4 running 6.3, and the problems are only on my 7 systems.

The first problem is that I'm plagued by bad hdr length on both my 7 systems.

Here are the unames for them:

FreeBSD host1.name.local 7.0-STABLE FreeBSD 7.0-STABLE #0: Mon May 12 20:22:55 BST 2008 edit@host1.name.local:/usr/obj/usr/src/sys/MYKERN i386
FreeBSD host.name.local 7.0-STABLE FreeBSD 7.0-STABLE #0: Mon May 12 12:45:19 BST 2008 edit@host.name.local:/usr/obj/usr/src/sys/MYKERN i386

From both of them I see the following when I run

tcpdump -n -e -tttt -r /var/log/pflog

2008-05-07 23:42:06.596965 rule 78/0(match): pass in on ng0: 89.240.55.163.3164 > 192.168.1.5.80: tcp 20 [bad hdr length 8 - too short, < 20]
2008-05-07 23:42:07.051043 rule 78/0(match): pass in on ng0: 89.240.55.163.3165 > 192.168.1.5.80: tcp 20 [bad hdr length 8 - too short, < 20]
2008-05-07 23:42:25.697087 rule 76/0(match): pass in on ng0: 80.81.242.13.51145 > 192.168.1.5.22: tcp 36 [bad hdr length 8 - too short, < 20]
2008-05-07 23:42:30.561467 rule 77/0(match): pass in on ng1: 80.81.242.14.63900 > 192.168.1.5.22: tcp 36 [bad hdr length 8 - too short, < 20]

And here is the same log again

tcpdump -n -e -tttt -r /var/log/pflog

2008-05-07 23:42:06.596965 rule 78/0(match): pass in on ng0: 89.240.55.163.3164 > 192.168.1.5.80: S 3008361134:3008361134(0) win 16384
2008-05-07 23:42:07.051043 rule 78/0(match): pass in on ng0: 89.240.55.163.3165 > 192.168.1.5.80: S 1482992447:1482992447(0) win 16384
2008-05-07 23:42:25.697087 rule 76/0(match): pass in on ng0: 80.81.242.13.51145 > 192.168.1.5.22: S 555277666:555277666(0) win 65535
2008-05-07 23:42:30.561467 rule 77/0(match): pass in on ng1: 80.81.242.14.63900 > 192.168.1.5.22: S 966982942:966982942(0) win 65535

I know these logs are a few days old, but I just enabled pf on
host.name.local and I saw the same thing on it.

I've tried a few variants of my scrub rules but none seem to help. I've
tried all of these:

#scrub in on $ext_if1 all fragment reassemble max-mss 1452
#scrub out on $ext_if1 all random-id fragment reassemble max-mss 1452
#scrub all random-id max-mss 1452 fragment reassemble
scrub all random-id reassemble tcp max-mss 1452
#scrub on $ext_if1 all reassemble tcp

Here are the ifconfigs for both hosts.

host1.name.local

ath0: flags=8943 metric 0 mtu 2290
        ether 00:0b:6b:0b:62:c8
        media: IEEE 802.11 Wireless Ethernet autoselect (autoselect )
        status: associated
        ssid somename channel 2 (2417 Mhz 11g) bssid 00:0b:6b:0b:62:c8
        authmode WPA privacy MIXED deftxkey 3 TKIP 2:128-bit TKIP 3:128-bit
        txpower 31.5 scanvalid 60 bgscan bgscanintvl 300 bgscanidle 250
        roam:rssi11g 7 roam:rate11g 5 protmode CTS burst dtimperiod 1
rl0: flags=8843 metric 0 mtu 1500
        options=8
        ether 00:04:a7:09:81:80
        media: Ethernet autoselect (100baseTX )
        status: active
rl1: flags=8843 metric 0 mtu 1500
        options=8
        ether 00:04:a7:09:81:7f
        media: Ethernet autoselect (100baseTX )
        status: active
re0: flags=8943 metric 0 mtu 1500
        options=3998
        ether 00:04:a7:05:88:c0
        media: Ethernet autoselect (1000baseTX )
        status: active
plip0: flags=108810 metric 0 mtu 1500
pflog0: flags=141 metric 0 mtu 33204
bridge0: flags=8843 metric 0 mtu 1500
        ether b6:f6:e0:49:1a:ac
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: re0 flags=143
                ifmaxaddr 0 port 7 priority 128 path cost 55
        member: ath0 flags=143
                ifmaxaddr 0 port 1 priority 128 path cost 370370
ng0: flags=88d1 metric 0 mtu 1492
        inet 217.xx.yy.zz --> 217.xx.yyy.zzz netmask 0xffffffff
ng1: flags=88d1 metric 0 mtu 1492
        inet 217.xy.yyz.zzz --> 217.xx.xyy.zzz netmask 0xffffffff

And for host.name.local

em0: flags=8943 metric 0 mtu 1500
        options=98
        ether 00:13:72:5f:89:b9
        inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseTX )
        status: active
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128
pflog0: flags=0<> metric 0 mtu 33204
bridge0: flags=8843 metric 0 mtu 1500
        ether ce:4a:be:be:bc:cc
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: tap0 flags=143
                ifmaxaddr 0 port 7 priority 128 path cost 2000000
        member: em0 flags=143
                ifmaxaddr 0 port 1 priority 128 path cost 55
tap0: flags=8943 metric 0 mtu 1500
        ether 00:bd:e8:60:52:00
        Opened by PID 45164

The other weirdness is that on host.name.local /var/log/pflog is not there.

tcpdump -n -e -tttt -i pflog0
tcpdump: /var/log/pflog: No such file or directory

but

tcpdump -n -e -tttt -i pflog0

works fine.

In both systems I have the following in the kernel:

# PF
device          pf
device          pflog
device          pfsync
options         ALTQ
options         ALTQ_CBQ
options         ALTQ_RED
options         ALTQ_RIO
options         ALTQ_HFSC
options         ALTQ_PRIQ

These problems only exist on my FreeBSD 7.0-STABLE machines and not on any
of the 6.3-STABLE ones.

The last bit of help I need is to get pf to allow ssh through to the qemu
host.

Any help will be appreciated.

Thanks
Reinhold

From owner-freebsd-pf@FreeBSD.ORG Wed May 14 08:39:10 2008
Date: Wed, 14 May 2008 01:39:09 -0700
From: Jeremy Chadwick <jdc@parodius.com>
To: Reinhold
Cc: freebsd-pf@freebsd.org
Message-ID: <20080514083909.GA36096@eos.sc1.parodius.com>
In-Reply-To: <52914.217.41.34.61.1210753817.squirrel@www.violetlan.net>
Subject: Re: a few problems with pf

On Wed, May 14, 2008 at 09:30:17AM +0100, Reinhold wrote:
> I'm having a few problems with pf on my FreeBSD 7 STABLE systems. I have two
> running 7 and 4 running 6.3, and the problems are only on my 7 systems.
>
> The first problem is that I'm plagued by bad hdr length on both my 7 systems.

When using tcpdump with pflog, you'll need to specify a large frame size
to analyse/snoop; the default size is too small. Use -s 1024 to address
that.
-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Wed May 14 10:17:14 2008
From: "Reinhold" <freebsd@violetlan.net>
To: "Jeremy Chadwick"
Cc: freebsd-pf@freebsd.org
Date: Wed, 14 May 2008 11:18:30 +0100 (BST)
Message-ID: <59126.217.41.34.61.1210760310.squirrel@www.violetlan.net>
In-Reply-To: <20080514083909.GA36096@eos.sc1.parodius.com>
Subject: Re: a few problems with pf

On Wed, May 14, 2008 09:39, Jeremy Chadwick wrote:
> On Wed, May 14, 2008 at 09:30:17AM +0100, Reinhold wrote:
>
>> I'm having a few problems with pf on my FreeBSD 7 STABLE systems. I have
>> two running 7 and 4 running 6.3, and the problems are only on my 7
>> systems.
>>
>> The first problem is that I'm plagued by bad hdr length on both my 7
>> systems.
>
> When using tcpdump with pflog, you'll need to specify a large frame size
> to analyse/snoop; the default size is too small. Use -s 1024 to address
> that.
>

Here are the results using -s 1024:

2008-05-14 11:09:02.375144 rule 5/0(match): block in on ng0: 71.226.2.26.63696 > 217.41.34.61.64166: S 2876080469:2876080469(0) win 8192
2008-05-14 11:09:02.379780 rule 6/0(match): block in on ng0: 71.226.2.26.37654 > 217.41.34.61.64166: UDP, length 20
2008-05-14 11:09:03.019599 rule 5/0(match): block in on ng0: 71.226.2.26.63696 > 217.41.34.61.64166: S 2876080469:2876080469(0) win 8192
2008-05-14 11:09:03.672268 rule 5/0(match): block in on ng0: 71.226.2.26.63696 > 217.41.34.61.64166: S 2876080469:2876080469(0) win 8192

What I've also noticed is that in pf I have this rule:

pass in log quick on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to { 192.168.1.2 } port = 22 keep state (max 1024, max-src-conn 15, max-src-conn-rate 2/1, overload flush global)

When I'm getting the bad header thingy this rule doesn't work properly.
It lets all the traffic through but it never blocks the bad guys.
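The "bad hdr length" lines in Mark's and Reinhold's tcpdump output above are the same symptom, and Jeremy's -s 1024 is the fix. What follows is an added example (Python; not code from this thread, nor from the pf or tcpdump projects) that shows why the default snapshot length produces them: the pflog pseudo-header sits in front of every logged packet and eats most of a 96-byte snapshot, so the capture ends inside the TCP header and tcpdump's decoder reads a data-offset byte that was never captured. The example builds a constructed pflog record (a SYN modelled on the first line of Reinhold's log), decodes it once at full length and once cut to 96 bytes, and computes the smallest snaplen that keeps the whole TCP header. The 64-byte struct pfloghdr layout (OpenBSD 4.x / FreeBSD 7 pf), the PF_PASS/PF_IN constants, the uid/pid filler values and the packet contents are assumptions marked in the comments; check the header size against sys/contrib/pf/net/if_pflog.h on the machine in question.

```python
"""Show how a small tcpdump snaplen truncates TCP headers behind pflog.

Added example, not code from the thread. Assumptions (marked below):
the 64-byte struct pfloghdr of OpenBSD 4.x / FreeBSD 7 pf, and a
constructed SYN standing in for the one in Reinhold's log.
"""
import ipaddress
import struct

PFLOG_HDRLEN = 64       # assumed: sizeof(struct pfloghdr), BPF word-aligned
PFLOG_REAL_HDRLEN = 61  # assumed: header length before the 3-byte pad
DEFAULT_SNAPLEN = 96    # "capture size 96 bytes" in Mark's tcpdump output

# struct pfloghdr (assumed layout): length, af, action, reason, ifname[16],
# ruleset[16], rulenr, subrulenr, uid, pid, rule_uid, rule_pid, dir, pad[3]
PFLOG_FMT = "!BBBB16s16sIIIIIIB3x"
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options
TCP_FMT = "!HHIIBBHHH"       # 20-byte TCP header, no options

PF_PASS, PF_DROP = 0, 1      # assumed pf action codes
PF_IN, PF_OUT = 1, 2         # assumed pf direction codes
AF_INET = 2
NO_ID = 0xFFFFFFFF           # assumed filler for "no socket owner"

assert struct.calcsize(PFLOG_FMT) == PFLOG_HDRLEN


def _ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum over an even-length header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_pflog_record(src, sport, dst, dport, *, ifname="ng0", rulenr=78,
                       action=PF_PASS, direction=PF_IN, flags=0x02,
                       window=16384, seq=3008361134) -> bytes:
    """Constructed record: pflog header + IPv4 header + TCP header (SYN by default)."""
    pflog = struct.pack(PFLOG_FMT, PFLOG_REAL_HDRLEN, AF_INET, action, 0,
                        ifname.encode(), b"", rulenr, 0,
                        NO_ID, 0, NO_ID, 0, direction)
    tcp = struct.pack(TCP_FMT, sport, dport, seq, 0, 5 << 4, flags, window, 0, 0)
    ip = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]
    return pflog + ip + tcp


def tcp_flag_string(flags: int) -> str:
    """tcpdump-style flag letters (F S R P U), with '.' marking ACK."""
    letters = "".join(ch for bit, ch in ((0x01, "F"), (0x02, "S"), (0x04, "R"),
                                         (0x08, "P"), (0x20, "U")) if flags & bit)
    return letters + ("." if flags & 0x10 else "")


def parse_pflog_record(buf: bytes) -> dict:
    """Decode one pflog record and report whether the TCP header was cut off."""
    if len(buf) < PFLOG_HDRLEN:
        raise ValueError("capture shorter than the pflog header")
    (_hlen, af, action, _reason, ifname, _ruleset, rulenr, subrulenr,
     _uid, _pid, _ruid, _rpid, direction) = struct.unpack(PFLOG_FMT, buf[:PFLOG_HDRLEN])
    rec = {
        "ifname": ifname.rstrip(b"\0").decode("ascii", "replace"),
        "action": {PF_PASS: "pass", PF_DROP: "block"}.get(action, "action%d" % action),
        "dir": {PF_IN: "in", PF_OUT: "out"}.get(direction, "inout"),
        "rulenr": rulenr, "subrulenr": subrulenr, "af": af,
        "tcp_captured": 0, "tcp_truncated": False,
    }
    ip = buf[PFLOG_HDRLEN:]
    if af != AF_INET or len(ip) < 20:
        return rec                      # only IPv4 is handled in this example
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, ip[:20])
    rec.update(src=str(ipaddress.IPv4Address(src)), dst=str(ipaddress.IPv4Address(dst)),
               proto=proto)
    if proto != 6:
        return rec
    tcp = ip[(ver_ihl & 0x0F) * 4:]
    rec["tcp_captured"] = len(tcp)
    if len(tcp) < 20:
        # The situation behind "[bad hdr length N - too short, < 20]": the
        # data-offset byte (offset 12) lies beyond the captured bytes.
        rec["tcp_truncated"] = True
        return rec
    sport, dport, seq, _ack, off, flags, win, _tcsum, _urg = struct.unpack(TCP_FMT, tcp[:20])
    rec.update(sport=sport, dport=dport, seq=seq, win=win,
               tcp_hdr_len=(off >> 4) * 4, flags=tcp_flag_string(flags))
    return rec


def min_snaplen(ip_hdr_len: int = 20, tcp_hdr_len: int = 20) -> int:
    """Smallest -s value that captures the whole TCP header behind pflog."""
    return PFLOG_HDRLEN + ip_hdr_len + tcp_hdr_len


def format_like_tcpdump(rec: dict) -> str:
    """Render a decoded record in the shape of the thread's tcpdump lines."""
    head = "rule %d/%d(match): %s %s on %s: " % (
        rec["rulenr"], rec["subrulenr"], rec["action"], rec["dir"], rec["ifname"])
    if rec["tcp_truncated"]:
        return head + "%s > %s: tcp [truncated: %d of 20 TCP header bytes captured]" % (
            rec["src"], rec["dst"], rec["tcp_captured"])
    return head + "%s.%d > %s.%d: %s win %d" % (
        rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["flags"], rec["win"])


if __name__ == "__main__":
    record = build_pflog_record("89.240.55.163", 3164, "192.168.1.5", 80)
    print(format_like_tcpdump(parse_pflog_record(record[:DEFAULT_SNAPLEN])))
    print(format_like_tcpdump(parse_pflog_record(record)))
    print("minimum snaplen without TCP options:", min_snaplen())
```

Run it directly to see the truncated and the full decode side by side. With the assumed 64-byte pflog header, min_snaplen() is 104 for a header without options, and a SYN carrying MSS, window scale, SACK-permitted and timestamps can have a 60-byte TCP header, so anything below 144 still risks a partial decode; that is why a round figure like Jeremy's -s 1024 is the sensible choice. A truncated record is still a correctly logged packet: only the decoder's view of it is wrong, so the "bad hdr length" lines should not be read as malformed traffic from the remote side, and a pflog capture taken at the default snaplen is not evidence of what flags or options the peer actually sent.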
From owner-freebsd-pf@FreeBSD.ORG Wed May 14 12:40:46 2008
From: "Reinhold"
To: freebsd-pf@freebsd.org
Date: Wed, 14 May 2008 13:36:18 +0100 (BST)
Subject: Re: a few problems with pf
Message-ID: <63902.217.41.34.61.1210768578.squirrel@www.violetlan.net>

On Wed, May 14, 2008 09:39, Jeremy Chadwick wrote:
> On Wed, May 14, 2008 at 09:30:17AM +0100, Reinhold wrote:
>
>> I have a few problems with pf on my FreeBSD 7 STABLE systems. I have
>> two running 7 and 4 running 6.3, and the problems are only on my 7
>> systems.
>>
>> The first problem is that I'm plagued by bad hdr length on both my 7
>> systems
>
> When using tcpdump with pflog, you'll need to specify a large frame size
> to analyse/snoop; the default size is too small. Use -s 1024 to address
> that.
>

Here are the results using -s 1024:

2008-05-14 11:09:02.375144 rule 5/0(match): block in on ng0: 71.226.2.26.63696 > 217.41.34.61.64166: S 2876080469:2876080469(0) win 8192
2008-05-14 11:09:02.379780 rule 6/0(match): block in on ng0: 71.226.2.26.37654 > 217.41.34.61.64166: UDP, length 20
2008-05-14 11:09:03.019599 rule 5/0(match): block in on ng0: 71.226.2.26.63696 > 217.41.34.61.64166: S 2876080469:2876080469(0) win 8192
2008-05-14 11:09:03.672268 rule 5/0(match): block in on ng0: 71.226.2.26.63696 > 217.41.34.61.64166: S 2876080469:2876080469(0) win 8192

What I've also noticed is that in pf I have this rule:

pass in log quick on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to { 192.168.1.2 } port = 22 keep state (max 1024, max-src-conn 15, max-src-conn-rate 2/1, overload flush global)

When I'm getting the bad header thingy this rule doesn't work properly. It lets all the traffic through but it never blocks the bad guys.
From owner-freebsd-pf@FreeBSD.ORG Wed May 14 13:51:44 2008
From: Jon Radel
To: Reinhold
Cc: freebsd-pf@freebsd.org
Date: Wed, 14 May 2008 09:51:32 -0400
Subject: Re: a few problems with pf
Message-ID: <482AEE64.8020209@radel.com>
In-Reply-To: <63902.217.41.34.61.1210768578.squirrel@www.violetlan.net>
Reinhold wrote:
>
> What I've also noticed is that in pf I have this rule
> pass in log quick on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from
> any to { 192.168.1.2 } port = 22 keep state (max 1024, max-src-conn 15,
> max-src-conn-rate 2/1, overload flush global)
>
> When I'm getting the bad header thingy this rule doesn't work properly. It
> lets all the traffic through but it never blocks the bad guys.

Which bad guys are you expecting to block? I just checked a couple of days' worth of logs, and the fastest rate at which somebody was trying to brute-force my ssh server was 1 attempt every 2 seconds. Your rule won't trigger until 2 attempts every 1 second or faster, and I don't think those other limits are likely to get triggered either unless you see a lot more "bad guys" than I do on random addresses. I find that max-src-conn-rate 3/10 tends to cut off the more energetic ones.
--Jon Radel
From owner-freebsd-pf@FreeBSD.ORG Wed May 14 15:15:46 2008
From: "Reinhold"
To: "Jon Radel", freebsd-pf@freebsd.org
Date: Wed, 14 May 2008 16:10:21 +0100 (BST)
Subject: Re: a few problems with pf
Message-ID: <58644.217.41.34.61.1210777821.squirrel@www.violetlan.net>
In-Reply-To: <482AEE64.8020209@radel.com>

On Wed, May 14, 2008 14:51, Jon Radel wrote:
> Reinhold wrote:
>
>> What I've also noticed is that in pf I have this rule
>> pass in log quick on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp
>> from any to { 192.168.1.2 } port = 22 keep state (max 1024, max-src-conn
>> 15, max-src-conn-rate 2/1, overload flush global)
>>
>> When I'm getting the bad header thingy this rule doesn't work properly.
>> It lets all the traffic through but it never blocks the bad guys.
>
> Which bad guys are you expecting to block? I just checked a couple of
> days' worth of logs, and the fastest rate at which somebody was trying to
> brute-force my ssh server was 1 attempt every 2 seconds. Your rule won't
> trigger until 2 attempts every 1 second or faster, and I don't think those
> other limits are likely to get triggered either unless you see a lot more
> "bad guys" than I do on random addresses. I find that
> max-src-conn-rate 3/10 tends to cut off the more energetic ones.
>
> --Jon Radel
>

I have almost the same rule on one of my 6.3 systems with 2/1 set, and yesterday it caught 6 bad guys and today 2. I've made the change as you recommended. I actually was looking at an ssh attempt earlier this week and it was connecting at about 3 to 4 per second.
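The thresholds Jon and Reinhold are comparing (2/1 versus 3/10, against attackers probing once every 2 s or 3 to 4 times a second) can be worked through with the following added example. It is not code from the thread or from pf: pf.conf(5) says max-src-conn-rate is a moving-average approximation, while this model uses an exact sliding window, and the rule as archived reads "overload flush global" with no table name (pf requires one in angle brackets there, which the archive's handling of angle brackets evidently dropped), so the table name <bruteforce> and the SYN timings are assumptions. The block_rule switch models the point the rule alone does not cover: an overload table only blocks anything if a block rule actually references it; otherwise the pass rule merely drops the SYNs that exceed the rate, and a source that backs off is admitted again.

```python
from collections import defaultdict, deque

# Constructed SYN timings, not captured traffic (documentation addresses):
# one source probing sshd every 2 s, the rate Jon saw in his logs, and one
# at 3-4 SYNs per second, the rate Reinhold saw, which then backs off and
# tries once more a couple of seconds later.
SLOW = [(2.0 * i, "198.51.100.7") for i in range(6)]
FAST = [(0.3 * i, "203.0.113.9") for i in range(4)] + [(3.0, "203.0.113.9")]


class SourceLimiter:
    """One pass rule with 'keep state (max-src-conn N, max-src-conn-rate
    limit/seconds, overload <bruteforce> flush global)' plus, optionally,
    a 'block ... from <bruteforce>' rule evaluated before it.

    pf estimates the rate with a moving average (pf.conf(5)); the exact
    sliding window used here is a simplification. The table name is an
    assumption: the archive stripped it from the rule as quoted."""

    def __init__(self, rate, max_src_conn=15, block_rule=True):
        self.limit, self.seconds = rate
        self.max_src_conn = max_src_conn
        self.block_rule = block_rule
        self.bruteforce = set()              # contents of the <bruteforce> table
        self.states = defaultdict(int)       # open states per source
        self.recent = defaultdict(deque)     # SYN times still inside the window

    def rate_exceeded(self, src, now):
        q = self.recent[src]
        while q and now - q[0] >= self.seconds:
            q.popleft()                      # fell out of the window
        q.append(now)
        return len(q) > self.limit           # pf trips on count > limit

    def syn(self, src, now):
        """Verdict for an inbound SYN: 'blocked' by the table rule,
        'overload' (limit tripped: SYN dropped, source tabled, its states
        flushed) or 'pass' (a state is created)."""
        if self.block_rule and src in self.bruteforce:
            return "blocked"
        if self.states[src] >= self.max_src_conn or self.rate_exceeded(src, now):
            self.bruteforce.add(src)         # overload <bruteforce>
            self.states[src] = 0             # flush global
            return "overload"
        self.states[src] += 1
        return "pass"


def verdicts(rate, syns, block_rule=True):
    """Run (time, source) SYNs through a fresh limiter in time order."""
    lim = SourceLimiter(rate, block_rule=block_rule)
    return [lim.syn(src, t) for t, src in sorted(syns)]


if __name__ == "__main__":
    for label, syns in (("1 per 2 s", SLOW), ("3-4 per s", FAST)):
        for rate in ((2, 1), (3, 10)):
            print(f"{label:10} max-src-conn-rate {rate[0]}/{rate[1]}: {verdicts(rate, syns)}")
    print("fast source, no block rule:", verdicts((2, 1), FAST, block_rule=False))
```

With 2/1 the slow source never trips anything, exactly as Jon describes; with 3/10 it is tabled on its fourth attempt. On a real box the table must exist (table <bruteforce> persist) and be consulted by a rule such as block in quick on $ext_if1 from <bruteforce> placed before the pass rule; pfctl -t bruteforce -T show lists the current entries and pfctl -t bruteforce -T expire 86400 drops the ones older than a day.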
From owner-freebsd-pf@FreeBSD.ORG Wed May 14 22:46:47 2008
From: "Mark Pagulayan"
To: freebsd-pf@freebsd.org
Date: Thu, 15 May 2008 10:45:26 +1200
Subject: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules

Hi Guys,

OS: FreeBSD 7.0-RELEASE

Please correct me if I am wrong that PF 4.1 in FreeBSD 7.0 automatically inserts 'Flags S/SA' to rules?

The problem is that when it comes to this rule:

pass in quick on $int_if

after loading to pf:

pass in quick on em0 flags S/SA keep state

The way I see this is that this rule would be applied to udp traffic as well, which will be dropped/blocked because flags only work for tcp, and this might be the cause of the state-mismatches that I see in the table:

state-mismatch 11577272 48.7/s

How can we prevent pf from loading the flags S/SA in the rules automatically?

Also what is the effect of this on the block rule?

'block in log on $ext_if all'
'block return out log on $ext_if all'

Cheers,

Mark

From owner-freebsd-pf@FreeBSD.ORG Wed May 14 23:34:52 2008
From: Tom Uffner
To: Mark Pagulayan
Cc: freebsd-pf@freebsd.org
Date: Wed, 14 May 2008 19:34:25 -0400
Subject: Re: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules
Message-ID: <482B7701.4020901@uffner.com>

Mark Pagulayan wrote:
> OS: FreeBSD 7.0-RELEASE
>
> Please correct me if I am wrong that PF 4.1 in FreeBSD 7.0 automatically
> inserts 'Flags S/SA' to rules?

this is correct.

> The problem is that when it comes to this rule:
>
> pass in quick on $int_if
>
> after loading to pf
>
> pass in quick on em0 flags S/SA keep state
>
> The way I see this is that this rule would be applied to udp traffic as
> well which will be dropped/blocked because flags only work for tcp and
> this might be the cause of state-mismatches that I see in the table -
>
> state-mismatch 11577272 48.7/s

you are misinterpreting. pf just does the right thing in most cases.
your rule "pass in quick on $int_if" is actually interpreted as the following 3 rules:

pass in quick on em0 proto tcp flags S/SA keep state
pass in quick on em0 proto udp keep state
pass in quick on em0 proto icmp keep state

> How can we prevent pf from loading the flags S/SA in the rules
> automatically?

add the phrase "flags any". you must also add "no state" now if you do not want stateful filtering for some reason.

> Also what is the effect of this on the block rule?
>
> 'block in log on $ext_if all'
> 'block return out log on $ext_if all'

you shouldn't have to worry about it. in almost all cases pf will do what you mean with that.

tom

From owner-freebsd-pf@FreeBSD.ORG Wed May 14 23:40:57 2008
From: "Kian Mohageri"
To: "Mark Pagulayan"
Cc: freebsd-pf@freebsd.org
Date: Wed, 14 May 2008 16:13:51 -0700
Subject: Re: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules

On Wed, May 14, 2008 at 3:45 PM, Mark Pagulayan wrote:
> Hi Guys,
>
> OS: FreeBSD 7.0-RELEASE
>
> Please correct me if I am wrong that PF 4.1 in FreeBSD 7.0 automatically
> inserts 'Flags S/SA' to rules?

It does... actually 'flags S/SA keep state'.

> The problem is that when it comes to this rule:
>
> pass in quick on $int_if
>
> after loading to pf
>
> pass in quick on em0 flags S/SA keep state
>
> The way I see this is that this rule would be applied to udp traffic as
> well which will be dropped/blocked because flags only work for tcp and
> this might be the cause of state-mismatches that I see in the table -

'flags S/SA keep state' will work OK for UDP too. Only the 'keep state' part will be applied to UDP, since no flags are involved.

> state-mismatch 11577272 48.7/s

Could be caused by reloading your ruleset to include 'keep state' mid-connections, I think.
PF won't be aware of where the state is (especially true if you're using TCP window scaling), so it will fail after a while and you'll see state mismatches.

> How can we prevent pf from loading the flags S/SA in the rules
> automatically?

Use 'no state' after the rule if it's necessary. But keep in mind stateful tracking is faster. E.g.:

pass in on $ext_if no state

> Also what is the effect of this on the block rule?
>
> 'block in log on $ext_if all'
> 'block return out log on $ext_if all'

Not sure what you mean, but read the pf.conf(5) man page.

-Kian

From owner-freebsd-pf@FreeBSD.ORG Wed May 14 23:55:27 2008
From: Tom Uffner
To: Kian Mohageri
Date: Wed, 14 May 2008 19:55:18 -0400
Message-ID: <482B7BE6.9080608@uffner.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules

Kian Mohageri wrote:
> On Wed, May 14, 2008 at 3:45 PM, Mark Pagulayan
>> The way I see this is that this rule would be applied to udp traffic as
>> well which will be dropped/blocked because flags only work for tcp and
>> this might be the cause of state-mismatches that I see in the table -
>
> 'flags S/SA keep state' will work OK for UDP too. Only the 'keep
> state' part will be applied to UDP, since no flags are involved.
>
>> state-mismatch 11577272 48.7/s
>
> Could be caused by reloading your ruleset to include 'keep state'
> mid-connections, I think. PF won't be aware of where the state is
> (especially true if you're using TCP window scaling), so it will fail
> after a while and you'll see state mismatches.

even if reloading the ruleset to include "keep state" and/or "flags s/sa" didn't sever pre-existing connections, it shouldn't cause that large a number of mismatches.

when was the last time you zeroed the statistics? is the mismatch count still increasing w/ the 7.0 stateful rules? you may need to add "log (all)" to find out where the state mismatches are coming from.
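Tom's expansion of "pass in quick on $int_if" and Kian's note that only the "keep state" half applies to UDP both rest on how pf evaluates "flags a/b": of the flags listed in b, exactly those listed in a must be set, flags outside b are ignored, "flags any" disables the check, and non-TCP packets never consult it. The following added example (my own code, not pf's and not from the thread) implements that test so the S/SA default can be tried against the flag combinations tcpdump prints; the tcpdump_flags helper that turns "S", "S." or "." into a flag byte is a convenience of this example, not a tcpdump feature.

```python
# pf 'flags a/b' semantics, written out as an added example (not pf's code).
# Bit values follow the TCP header; the letters follow pf.conf(5).
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                 "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def flag_mask(letters):
    """'SA' -> 0x12. Raises KeyError for a letter pf would reject."""
    mask = 0
    for c in letters:
        mask |= TCP_FLAG_BITS[c]
    return mask


def flags_match(spec, tcp_flags):
    """pf 'flags a/b': of the flags in b, exactly those in a are set.
    'S/SA' admits a bare SYN (unrelated bits such as PSH are ignored),
    rejects SYN+ACK and bare ACK; 'any' matches everything; '/SFRA'
    requires none of those four to be set."""
    if spec == "any":
        return True
    want, care = spec.split("/", 1)
    return (tcp_flags & flag_mask(care)) == flag_mask(want)


def creates_state(proto, spec, tcp_flags=0):
    """Would 'pass ... flags <spec> keep state' create a state for this
    packet? Only TCP consults the flags; UDP and ICMP get a state on
    their first packet regardless of the spec."""
    if proto != "tcp":
        return True
    return flags_match(spec, tcp_flags)


def tcpdump_flags(printed):
    """Convenience of this example (not tcpdump's): the flag field tcpdump
    prints ('S', 'S.', '.', 'P.', 'F.', 'R') as a flag byte; '.' is ACK."""
    flags = 0
    for c in printed:
        flags |= TCP_FLAG_BITS["A"] if c == "." else TCP_FLAG_BITS[c]
    return flags


if __name__ == "__main__":
    for printed in ("S", "S.", ".", "P."):
        print(f"tcp {printed:3} under flags S/SA -> "
              f"state: {creates_state('tcp', 'S/SA', tcpdump_flags(printed))}")
    print("udp under flags S/SA -> state:", creates_state("udp", "S/SA"))
```

The rule Tom and Kian give for opting out corresponds to "flags any no state" on the pass rule; with stateful filtering kept, S/SA is what makes the first packet of a connection the only one that can create a state, so a mid-connection ACK arriving after a ruleset reload has nothing to match and is counted rather than passed.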
From owner-freebsd-pf@FreeBSD.ORG Thu May 15 00:09:36 2008
From: "Mark Pagulayan"
To: "Tom Uffner", "Kian Mohageri"
Cc: freebsd-pf@freebsd.org
Date: Thu, 15 May 2008 12:08:28 +1200
Subject: RE: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules
In-Reply-To: <482B7BE6.9080608@uffner.com>

Hi Tom,

I have just zeroed the statistics and yes, the state-mismatch is still increasing.

If I do enable logging, how would I know that a packet is mismatched?

Cheers,

Mark

-----Original Message-----
From: Tom Uffner [mailto:tom@uffner.com]
Sent: Thursday, 15 May 2008 11:55 a.m.
To: Kian Mohageri
Cc: Mark Pagulayan; freebsd-pf@freebsd.org
Subject: Re: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules

Kian Mohageri wrote:
> On Wed, May 14, 2008 at 3:45 PM, Mark Pagulayan
>> The way I see this is that this rule would be applied to udp traffic as
>> well which will be dropped/blocked because flags only work for tcp and
>> this might be the cause of state-mismatches that I see in the table -
>
> 'flags S/SA keep state' will work OK for UDP too. Only the 'keep
> state' part will be applied to UDP, since no flags are involved.
>
>> state-mismatch 11577272 48.7/s
>
> Could be caused by reloading your ruleset to include 'keep state'
> mid-connections, I think. PF won't be aware of where the state is
> (especially true if you're using TCP window scaling), so it will fail
> after a while and you'll see state mismatches.

even if reloading the ruleset to include "keep state" and/or "flags s/sa" didn't sever pre-existing connections, it shouldn't cause that large a number of mismatches.

when was the last time you zeroed the statistics? is the mismatch count still increasing w/ the 7.0 stateful rules? you may need to add "log (all)" to find out where the state mismatches are coming from.
From owner-freebsd-pf@FreeBSD.ORG Thu May 15 00:16:25 2008
From: Jille
To: Mark Pagulayan
Cc: freebsd-pf@freebsd.org
Date: Thu, 15 May 2008 02:16:19 +0200
Subject: Re: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules
Message-ID: <482B80D3.4010701@quis.cx>
References: <482B7BE6.9080608@uffner.com>

Hello,

Mark Pagulayan wrote:
> Hi Tom,
>
> I have just zeroed the statistics and yes, the state-mismatch is still
> increasing.
>
> If I do enable logging, how would I know that a packet is mismatched?
>
If you use tcpdump, the standard flags will also show what rule it matched, so if it is a 'pass all' rule, it mismatched your other rule.

-- Jille

> Cheers,
>
> Mark
> -----Original Message-----
> From: Tom Uffner [mailto:tom@uffner.com]
> Sent: Thursday, 15 May 2008 11:55 a.m.
> To: Kian Mohageri
> Cc: Mark Pagulayan; freebsd-pf@freebsd.org
> Subject: Re: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules
>
> Kian Mohageri wrote:
>
>> On Wed, May 14, 2008 at 3:45 PM, Mark Pagulayan
>>
>>> The way I see this is that this rule would be applied to udp traffic
>>> as well which will be dropped/blocked because flags only work for tcp
>>> and this might be the cause of state-mismatches that I see in the table -
>>>
>> 'flags S/SA keep state' will work OK for UDP too. Only the 'keep
>> state' part will be applied to UDP, since no flags are involved.
>>
>>> state-mismatch 11577272 48.7/s
>>>
>> Could be caused by reloading your ruleset to include 'keep state'
>> mid-connections, I think. PF won't be aware of where the state is
>> (especially true if you're using TCP window scaling), so it will fail
>> after a while and you'll see state mismatches.
>>
>
> even if reloading the ruleset to include "keep state" and/or "flags
> s/sa" didn't sever pre-existing connections, it shouldn't cause that
> large a number of mismatches.
>
> when was the last time you zeroed the statistics? is the mismatch count
> still increasing w/ the 7.0 stateful rules? you may need to add "log
> (all)" to find out where the state mismatches are coming from.
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Thu May 15 00:29:33 2008
Date: Thu, 15 May 2008 12:29:15 +1200
From: "Mark Pagulayan"
To: "Jille"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <482B80D3.4010701@quis.cx>
References: <482B7BE6.9080608@uffner.com> <482B80D3.4010701@quis.cx>
Subject: RE: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules

Hi Jille,

I am using bridge pf:

I only allow pass all on my internal interface. So there is no other rule for that interface. How do I know that states are mismatched for both internal and external?

Cheers,
Mark

-----Original Message-----
From: Jille [mailto:jille@quis.cx]
Sent: Thursday, 15 May 2008 12:16 p.m.
To: Mark Pagulayan
Cc: Tom Uffner; Kian Mohageri; freebsd-pf@freebsd.org
Subject: Re: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules

Hello,

Mark Pagulayan wrote:
> Hi Tom,
>
> I have just zeroed in the statistics and yes the state-mismatch is still
> increasing.
>
> If I do enable logging, how would I know that packet is mismatched?
>

If you use tcpdump, the standard flags will also show what rule it
matched, so if it is a 'pass all' rule, it mismatched your other rule.

-- Jille
From owner-freebsd-pf@FreeBSD.ORG Thu May 15 01:25:44 2008
Message-ID: <482B9117.9070800@uffner.com>
Date: Wed, 14 May 2008 21:25:43 -0400
From: Tom Uffner
To: freebsd-pf@freebsd.org
References: <482B7BE6.9080608@uffner.com> <482B80D3.4010701@quis.cx>
Subject: Re: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules

Mark Pagulayan wrote:
> I am using bridge pf:
>
> I only allow pass all on my internal interface. So there is no other
> rule for that interface. How do I know that states are mismatched for
> both internal and external?

could you post your full ruleset and a quick description of your net
topology? then maybe someone can identify the most likely sources of
your state mismatches.

From owner-freebsd-pf@FreeBSD.ORG Thu May 15 02:54:13 2008
Date: Thu, 15 May 2008 14:52:30 +1200
From: "Mark Pagulayan"
To: "Tom Uffner"
In-Reply-To: <482B9117.9070800@uffner.com>
References: <482B7BE6.9080608@uffner.com> <482B80D3.4010701@quis.cx> <482B9117.9070800@uffner.com>
Subject: RE: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules

Hi,

Sorry guys if somehow the information I post in this thread is incomplete.

We are using PF from FreeBSD 7.0 and using the rules we used from openbsd 4.0 PF. With the help of Jeremy Chadwick, I found out that modulate state is broken in FreeBSD PF so I replaced all rules that use modulate state to use keep state.

PF runs in bridge mode where one end connects to the Border Router (connected to the internet) and the other end to a Core Switch (connected to the University network). Basically we do a layer 2 firewall with PF.

Unfortunately I can't post all of my rules/attach, But I could for some.
Would this be helpful?

==========================================================================

set limit states 150000
set timeout tcp.first 120
set timeout tcp.established 86400
set timeout { adaptive.start 90000, adaptive.end 250000}

ext_if = "em1"
int_if = "em0"

set loginterface $ext_if
wireless_allowed_tcp = "{515}"
blocked_udp = "{7, 67, 68, 69, 111, 134><140, 199, 445, 512, 513, 520, 1993, 2049, 1900, 5000}"
blocked_tcp_in = "{7, 11, 15, 67, 68, 87, 111, 134><140, 144, 199, 445, 511><516, 1025, 1993, 1900, 2049, 2766, 5000, 5999><6100}"
blocked_tcp_out = "{7, 11, 15, 67, 68, 87, 111, 134><140, 144, 199, 445, 511><516, 1993, 1900, 2049, 2766, 5000, 6000}"

scrub in on $ext_if

altq on $ext_if cbq bandwidth 200Mb queue { default, unlimited, sponsored, premium, proxy, standard }
altq on $int_if cbq bandwidth 800Mb queue { default, unlimited, sponsored, premium, proxy, standard }
queue default on $ext_if bandwidth 67% cbq(default)
queue default on $int_if bandwidth 67% cbq(default)
queue unlimited on $ext_if bandwidth 15% cbq(borrow ecn)
queue unlimited on $int_if bandwidth 15% cbq(borrow ecn)
queue sponsored on $ext_if bandwidth 9% cbq(borrow ecn)
queue sponsored on $int_if bandwidth 9% cbq(borrow ecn)
queue premium on $ext_if bandwidth 7% cbq(borrow ecn)
queue premium on $int_if bandwidth 7% cbq(borrow ecn)
queue standard on $ext_if bandwidth 2% priority 4 cbq(red)
queue standard on $int_if bandwidth 2% priority 4 cbq(red)

pass in log quick on $int_if
pass out log quick on $int_if

block in log on $ext_if all
block return out log on $ext_if all
pass quick on $ext_if proto ospf
pass quick on $ext_if proto igmp allow-opts
pass quick on $ext_if proto pim allow-opts
pass in quick on $ext_if proto udp from any to 224.0.0.0/4 allow-opts keep state
pass in quick on $ext_if from any to 224.0.0.0/4 allow-opts keep state
pass in quick log on $ext_if from to any keep state
pass out quick log on $ext_if from any to keep state
pass in quick on $ext_if from any to flags S/SA keep state
pass out quick on $ext_if from to any keep state
pass out on $ext_if inet proto icmp all icmp-type echoreq keep state
pass in on $ext_if inet proto icmp from any to icmp-type echoreq keep state
pass in quick on $ext_if proto tcp from to any port $wireless_allowed_tcp

block in quick log on $ext_if proto udp from any to any port $blocked_udp
block out quick log on $ext_if proto udp from any to any port $blocked_udp
block in quick log on $ext_if proto tcp from any to any port $blocked_tcp_in
block out quick log on $ext_if proto tcp from any to any port $blocked_tcp_out

pass in quick on $ext_if proto tcp from any to {, } port=25 flags S/SA keep state
pass out quick on $ext_if proto tcp from {, } to any port=25 keep state
pass out quick on $ext_if proto tcp from to any port=53 keep state
pass out quick on $ext_if proto udp from to any port=53 keep state
pass in quick on $ext_if from any to flags S/SA keep state
pass out quick on $ext_if from to any keep state
block out quick log on $ext_if proto tcp from any to any port=53
block out quick log on $ext_if proto udp from any to any port=53
block in log quick on $ext_if proto tcp from any to any port=25
block out quick log on $ext_if proto tcp from any to any port=25
block out quick on $ext_if from to any
pass out quick on $ext_if from to any keep state
pass out quick on $ext_if from to any keep state queue unlimited
pass out quick on $ext_if from to any keep state queue sponsored
pass out quick on $ext_if from to any keep state queue premium
pass out quick on $ext_if from to any keep state queue standard
pass in quick on $ext_if from any to flags S/SA keep state

==========================================================================

And checking on the state-mismatch:

[mpag016@fw3 /home/mpag016]# sudo pfctl -si | grep state-mis
state-mismatch 12179 3.9/s

Also, I want to understand the value that "pfctl -si" command outputs, can someone point me in the right direction?

Cheers,
Mark

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Tom Uffner
Sent: Thursday, 15 May 2008 1:26 p.m.
To: freebsd-pf@freebsd.org
Subject: Re: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules

Mark Pagulayan wrote:
> I am using bridge pf:
>
> I only allow pass all on my internal interface. So there is no other
> rule for that interface. How do I know that states are mismatched for
> both internal and external?

could you post your full ruleset and a quick description of your net
topology? then maybe someone can identify the most likely sources of
your state mismatches.
From owner-freebsd-pf@FreeBSD.ORG Thu May 15 17:18:45 2008
Message-ID: <482C7056.7010809@uffner.com>
Date: Thu, 15 May 2008 13:18:14 -0400
From: Tom Uffner
To: Mark Pagulayan
Cc: freebsd-pf@freebsd.org
References: <482B7BE6.9080608@uffner.com> <482B80D3.4010701@quis.cx> <482B9117.9070800@uffner.com>
Subject: Re: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules

Mark Pagulayan wrote:
> We are using PF from FreeBSD 7.0 and using the rules we used from
> openbsd 4.0 PF. With the help of Jeremy Chadwick, I found out that
> modulate state is broken in FreeBSD PF so I replaced all rules that use
> modulate state to use keep state.

FreeBSD 7.0 uses PF 4.1 so a number of your rules could be expressed more
compactly and a few of them were redundant even w/ pf 4.0.

> PF runs in bridge mode where one end connects to the Border
> Router (connected to the internet) and the other end to a Core
> Switch (connected to the University network). Basically we do a layer 2
> firewall with PF.

i assume you didn't change the default sysctl "net.link.bridge.pfil_member: 1"

> Unfortunately I can't post all of my rules/attach, But I could for some.
> Would this be helpful?

not asking you to give up any sensitive / proprietary information. but
obviously we can't help w/ what you don't tell us...

> ========================================================================

i don't see any really obvious sources of state mismatches in the rules
you have posted. as i said though, many of them could be expressed more
concisely. PF will assume stuff like "to any", "from any", and now in
FreeBSD 7.0 (PF 4.1) "keep state [flags S/SA]" is implicit in any filter
rules that don't unset it.
> set limit states 150000
> set timeout tcp.first 120
> set timeout tcp.established 86400
> set timeout { adaptive.start 90000, adaptive.end 250000}

# is there a "set skip on {lo0, bridge0}" in here somewhere
# or did you set net.link.bridge.pfil_bridge = 0

> ext_if = "em1"
> int_if = "em0"
>
> set loginterface $ext_if
> wireless_allowed_tcp = "{515}"
> blocked_udp = "{7, 67, 68, 69, 111, 134><140, 199, 445, 512, 513, 520,
> 1993, 2049, 1900, 5000}"
> blocked_tcp_in = "{7, 11, 15, 67, 68, 87, 111, 134><140, 144, 199,
> 445, 511><516, 1025, 1993, 1900, 2049, 2766, 5000, 5999><6100}"
> blocked_tcp_out = "{7, 11, 15, 67, 68, 87, 111, 134><140, 144, 199,
> 445, 511><516, 1993, 1900, 2049, 2766, 5000, 6000}"
>
> scrub in on $ext_if
>
> altq on $ext_if cbq bandwidth 200Mb queue { default, unlimited,
> sponsored, premium, proxy, standard }
> altq on $int_if cbq bandwidth 800Mb queue { default, unlimited,
> sponsored, premium, proxy, standard }
> queue default on $ext_if bandwidth 67% cbq(default)
> queue default on $int_if bandwidth 67% cbq(default)
> queue unlimited on $ext_if bandwidth 15% cbq(borrow ecn)
> queue unlimited on $int_if bandwidth 15% cbq(borrow ecn)
> queue sponsored on $ext_if bandwidth 9% cbq(borrow ecn)
> queue sponsored on $int_if bandwidth 9% cbq(borrow ecn)
> queue premium on $ext_if bandwidth 7% cbq(borrow ecn)
> queue premium on $int_if bandwidth 7% cbq(borrow ecn)
> queue standard on $ext_if bandwidth 2% priority 4 cbq(red)
> queue standard on $int_if bandwidth 2% priority 4 cbq(red)

> pass in log quick on $int_if
> pass out log quick on $int_if

pass log quick on $int_if

> block in log on $ext_if all
> block return out log on $ext_if all
>
> pass quick on $ext_if proto ospf
> pass quick on $ext_if proto igmp allow-opts
> pass quick on $ext_if proto pim allow-opts
> pass in quick on $ext_if proto udp from any to 224.0.0.0/4 allow-opts
> keep state
> pass in quick on $ext_if from any to 224.0.0.0/4 allow-opts keep state

# redundant unless you want to tag, log, route or queue packets differently
pass in quick on $ext_if to 224.0.0.0/4 allow-opts

> pass in quick log on $ext_if from to any keep state
> pass out quick log on $ext_if from any to keep state

pass in quick log on $ext_if from
pass out quick log on $ext_if to

> pass in quick on $ext_if from any to flags S/SA keep state
> pass out quick on $ext_if from to any keep state

pass in quick on $ext_if to
pass out quick on $ext_if from

> pass out on $ext_if inet proto icmp all icmp-type echoreq keep state
> pass in on $ext_if inet proto icmp from any to icmp-type
> echoreq keep state

pass out on $ext_if inet proto icmp icmp-type echoreq
pass in on $ext_if inet proto icmp to icmp-type echoreq

> pass in quick on $ext_if proto tcp from to any port
> $wireless_allowed_tcp
>
> block in quick log on $ext_if proto udp from any to any port
> $blocked_udp
> block out quick log on $ext_if proto udp from any to any port
> $blocked_udp

# redundant
block quick log on $ext_if proto udp to any port $blocked_udp

> block in quick log on $ext_if proto tcp from any to any port
> $blocked_tcp_in
> block out quick log on $ext_if proto tcp from any to any port
> $blocked_tcp_out

block in quick log on $ext_if proto tcp to any port $blocked_tcp_in
block out quick log on $ext_if proto tcp to any port $blocked_tcp_out

> pass in quick on $ext_if proto tcp from any to {,
> } port=25 flags S/SA keep state
> pass out quick on $ext_if proto tcp from {, } to
> any port=25 keep state

pass in quick on $ext_if proto tcp to {, } port=25
pass out quick on $ext_if proto tcp from {, } to any port=25

> pass out quick on $ext_if proto tcp from to any port=53
> keep state
> pass out quick on $ext_if proto udp from to any port=53
> keep state

pass out quick on $ext_if proto tcp from to any port=53
pass out quick on $ext_if proto udp from to any port=53

> pass in quick on $ext_if from any to flags S/SA keep state
> pass out quick on $ext_if from to any keep state

pass in quick on $ext_if to
pass out quick on $ext_if from

> block out quick log on $ext_if proto tcp from any to any port=53
> block out quick log on $ext_if proto udp from any to any port=53

# redundant
block quick log on $ext_if to any port=53

> block in log quick on $ext_if proto tcp from any to any port=25
> block out quick log on $ext_if proto tcp from any to any port=25

# redundant
block log quick on $ext_if proto tcp to any port=25

> block out quick on $ext_if from to any
> pass out quick on $ext_if from to any keep state
> pass out quick on $ext_if from to any keep state queue
> unlimited
> pass out quick on $ext_if from to any keep state queue
> sponsored
> pass out quick on $ext_if from to any keep state queue
> premium
> pass out quick on $ext_if from to any keep state queue
> standard
> pass in quick on $ext_if from any to flags S/SA keep state

block out quick on $ext_if from
pass out quick on $ext_if from
pass out quick on $ext_if from queue unlimited
pass out quick on $ext_if from queue sponsored
pass out quick on $ext_if from queue premium
pass out quick on $ext_if from queue standard
pass in quick on $ext_if to

> ========================================================================
> And checking on the state-mismatch
>
> [mpag016@fw3 /home/mpag016]# sudo pfctl -si | grep state-mis
> state-mismatch 12179 3.9/s
>
> Also, I want to understand the value that "pfctl -si" command outputs,
> can someone point me in the right direction?

they are counts of various filter/state related actions or events since
the firewall was started (or since they were last zeroed). i don't know of
anywhere it is documented in detail, but most of the items should make
sense after reading pf.conf and having an idea of all the things pf can do.

you can probably figure out which rules cause the state-mismatches by
setting misc debugging "pfctl -xm" and watching the syslog for messages
like:

kernel: pf: loose state match: ...
or
kernel: pf: BAD state: ...
kernel: pf: State failure on: |

From owner-freebsd-pf@FreeBSD.ORG Thu May 15 23:27:28 2008
Date: Fri, 16 May 2008 11:27:24 +1200
From: "Mark Pagulayan"
To: "Tom Uffner"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <482C7056.7010809@uffner.com>
References: <482B7BE6.9080608@uffner.com> <482B80D3.4010701@quis.cx> <482B9117.9070800@uffner.com> <482C7056.7010809@uffner.com>
Subject: RE: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules

Hi Tom,

Yes I am using net.link.bridge.pfil_member: 1. What is the effect of this on the bridge interface?

No, there are no such rules below in my ruleset:

# is there a "set skip on {lo0, bridge0}" in here somewhere

Is PF by default doing a filter on bridge0? What is the effect of this rule on the bridge?

Thanks for the suggestion on the ruleset. It is much appreciated.

Cheers,
Mark

-----Original Message-----
From: Tom Uffner [mailto:tom@uffner.com]
Sent: Friday, 16 May 2008 5:18 a.m.
To: Mark Pagulayan
Cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules

Mark Pagulayan wrote:
> PF runs in bridge mode where one end connects to the Border
> Router (connected to the internet) and the other end to a Core
> Switch (connected to the University network). Basically we do a layer 2
> firewall with PF.

i assume you didn't change the default sysctl "net.link.bridge.pfil_member: 1"

> set limit states 150000
> set timeout tcp.first 120
> set timeout tcp.established 86400
> set timeout { adaptive.start 90000, adaptive.end 250000}

# is there a "set skip on {lo0, bridge0}" in here somewhere
# or did you set net.link.bridge.pfil_bridge = 0
$ext_if proto tcp from {, } to > any port=3D25 keep state pass in quick on $ext_if proto tcp to {, } = port=3D25 pass out quick on $ext_if proto tcp from {, } to any port=3D25 > pass out quick on $ext_if proto tcp from to any = port=3D53 > keep state > pass out quick on $ext_if proto udp from to any = port=3D53 > keep state pass out quick on $ext_if proto tcp from to any port=3D53 pass out quick on $ext_if proto udp from to any port=3D53 > pass in quick on $ext_if from any to flags S/SA keep state > pass out quick on $ext_if from to any keep state pass in quick on $ext_if to pass out quick on $ext_if from > block out quick log on $ext_if proto tcp from any to any port=3D53 > block out quick log on $ext_if proto udp from any to any port=3D53 # redundant block quick log on $ext_if to any port=3D53 > block in log quick on $ext_if proto tcp from any to any port=3D25 > block out quick log on $ext_if proto tcp from any to any port=3D25 # redundant block log quick on $ext_if proto tcp to any port=3D25 > block out quick on $ext_if from to any > pass out quick on $ext_if from to any keep state > pass out quick on $ext_if from to any keep state queue > unlimited > pass out quick on $ext_if from to any keep state queue > sponsored > pass out quick on $ext_if from to any keep state queue > premium > pass out quick on $ext_if from to any keep state queue > standard > pass in quick on $ext_if from any to flags S/SA keep state block out quick on $ext_if from pass out quick on $ext_if from pass out quick on $ext_if from queue unlimited pass out quick on $ext_if from queue sponsored pass out quick on $ext_if from queue premium pass out quick on $ext_if from queue standard pass in quick on $ext_if to > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > And checking on the state-mismatch >=20 > [mpag016@fw3 
/home/mpag016]# sudo pfctl -si | grep state-mis > state-mismatch 12179 3.9/s >=20 > Also, I want to understand the value that "pfctl -si" command outputs, > can someone point me in the right direction? they are counts of various filter/state related actions or events since the firewall was started (or since they were last zeroed). i den't know of anywhere it is documented in detail, but most of the items should make sense after reading pf.conf and having an idea of all the things pf can do. you can probably figure out which rules cause the state-mismatches by setting misc debugging "pfctl -xm" and watching the syslog for messages like: kernel: pf: loose state match: ... or kernel: pf: BAD state: ... kernel: pf: State failure on: | From owner-freebsd-pf@FreeBSD.ORG Fri May 16 01:16:36 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EA7C4106567D for ; Fri, 16 May 2008 01:16:36 +0000 (UTC) (envelope-from tom@uffner.com) Received: from eris.uffner.com (eris.uffner.com [207.245.121.212]) by mx1.freebsd.org (Postfix) with ESMTP id 82C798FC17 for ; Fri, 16 May 2008 01:16:36 +0000 (UTC) (envelope-from tom@uffner.com) Received: from xiombarg.uffner.com (static-71-162-143-94.phlapa.fios.verizon.net [71.162.143.94]) (authenticated bits=0) by eris.uffner.com (8.14.2/8.14.2) with ESMTP id m4G1GT5J062784; Thu, 15 May 2008 21:16:29 -0400 (EDT) (envelope-from tom@uffner.com) DomainKey-Signature: a=rsa-sha1; s=eris; d=uffner.com; c=nofws; q=dns; h=message-id:date:from:to:cc:subject:references:in-reply-to; b=Npvq/bHyvV90MKMIUK535UqWqKwJsde6obql5y/M5Ldts4vTSMHt96GSIFYoaDqdn xAMYo1oNb6zP96XaxqPgw== Message-ID: <482CE06D.7070800@uffner.com> Date: Thu, 15 May 2008 21:16:29 -0400 From: Tom Uffner User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.8.1.13) Gecko/20080430 SeaMonkey/1.1.9 MIME-Version: 1.0 To: Mark Pagulayan References: 
<482B7BE6.9080608@uffner.com><482B80D3.4010701@quis.cx> <482B9117.9070800@uffner.com> <482C7056.7010809@uffner.com> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by milter-greylist-3.0 (eris.uffner.com [192.168.1.212]); Thu, 15 May 2008 21:16:29 -0400 (EDT) X-Virus-Scanned: ClamAV 0.92.1/7125/Wed May 14 18:10:39 2008 on eris.uffner.com X-Virus-Status: Clean Cc: freebsd-pf@freebsd.org Subject: Re: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 May 2008 01:16:37 -0000 Mark Pagulayan wrote: > Yes I am using net.link.bridge.pfil_member: 1. What is the effect of > this on the bridge interface. see if_bridge(4) for full details. in short they control whether or not filtering is available on the member interfaces and/or the bridge. net.link.bridge.pfil_local_phys: 0 net.link.bridge.pfil_member: 1 net.link.bridge.pfil_bridge: 1 net.link.bridge.pfil_onlyip: 1 > No there is no such rules below in my ruleset > # is there a "set skip on {lo0, bridge0}" in here somewhere > > Is PF by default doing a filter on bridge0? What is the effect of this > rule on the bridge? i realized too late that you don't need one. i expected to see such a rule due to my style of ruleset writing. i usually start w/ "block log all" to disable the default pass rule on all interfaces, then explicitly allow only the traffic i want. you didn't, so the default for interfaces you don't have any rules for is pass all. 
"set skip on X" has the same effect as a rule that says "pass quick on X" From owner-freebsd-pf@FreeBSD.ORG Fri May 16 02:19:49 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 732A8106567B for ; Fri, 16 May 2008 02:19:49 +0000 (UTC) (envelope-from m.pagulayan@auckland.ac.nz) Received: from mailhost.auckland.ac.nz (curly.its.auckland.ac.nz [130.216.12.33]) by mx1.freebsd.org (Postfix) with ESMTP id 09FDD8FC18 for ; Fri, 16 May 2008 02:19:48 +0000 (UTC) (envelope-from m.pagulayan@auckland.ac.nz) Received: from localhost (localhost.localdomain [127.0.0.1]) by mailhost.auckland.ac.nz (Postfix) with ESMTP id 7A8659C434; Fri, 16 May 2008 14:19:47 +1200 (NZST) X-Virus-Scanned: by amavisd-new at mailhost.auckland.ac.nz Received: from mailhost.auckland.ac.nz ([127.0.0.1]) by localhost (curly.its.auckland.ac.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XeTg8oCV-tY2; Fri, 16 May 2008 14:19:47 +1200 (NZST) Received: from UXCHANGE2.UoA.auckland.ac.nz (uxcn2.itss.auckland.ac.nz [130.216.190.119]) by mailhost.auckland.ac.nz (Postfix) with ESMTP id 31D9B9C3ED; Fri, 16 May 2008 14:19:46 +1200 (NZST) Received: from UXCHANGE1.UoA.auckland.ac.nz ([130.216.190.118]) by UXCHANGE2.UoA.auckland.ac.nz with Microsoft SMTPSVC(6.0.3790.1830); Fri, 16 May 2008 14:19:43 +1200 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Date: Fri, 16 May 2008 14:13:22 +1200 Message-ID: In-Reply-To: <482CE06D.7070800@uffner.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules Thread-Index: Aci28oIbiuQOSYiWS0W6BnZ63jzGiQABuVAg References: <482B7BE6.9080608@uffner.com><482B80D3.4010701@quis.cx> <482B9117.9070800@uffner.com> <482C7056.7010809@uffner.com> 
<482CE06D.7070800@uffner.com> From: "Mark Pagulayan" To: "Tom Uffner" X-OriginalArrivalTime: 16 May 2008 02:19:43.0926 (UTC) FILETIME=[4DDA5560:01C8B6FB] Cc: freebsd-pf@freebsd.org Subject: RE: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 May 2008 02:19:49 -0000 Hi Tom, Thanks heaps for the advice I will review and reorganize our ruleset.=20 Cheers,=20 Mark -----Original Message----- From: Tom Uffner [mailto:tom@uffner.com]=20 Sent: Friday, 16 May 2008 1:16 p.m. To: Mark Pagulayan Cc: freebsd-pf@freebsd.org Subject: Re: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules Mark Pagulayan wrote: > Yes I am using net.link.bridge.pfil_member: 1. What is the effect of > this on the bridge interface.=20 see if_bridge(4) for full details. in short they control whether or not filtering is available on the member interfaces and/or the bridge. net.link.bridge.pfil_local_phys: 0 net.link.bridge.pfil_member: 1 net.link.bridge.pfil_bridge: 1 net.link.bridge.pfil_onlyip: 1 > No there is no such rules below in my ruleset > # is there a "set skip on {lo0, bridge0}" in here somewhere >=20 > Is PF by default doing a filter on bridge0? What is the effect of this > rule on the bridge?=20 i realized too late that you don't need one. i expected to see such a rule due to my style of ruleset writing. i usually start w/ "block log all" to disable the default pass rule on all interfaces, then explicitly allow only the traffic i want. you didn't, so the default for interfaces you don't have any rules for is pass all. 
"set skip on X" has the same effect as a rule that says "pass quick on X" From owner-freebsd-pf@FreeBSD.ORG Sat May 17 16:18:56 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 91A241065675 for ; Sat, 17 May 2008 16:18:56 +0000 (UTC) (envelope-from johan@stromnet.se) Received: from core.stromnet.se (core.stromnet.se [83.218.84.131]) by mx1.freebsd.org (Postfix) with ESMTP id 43A718FC20 for ; Sat, 17 May 2008 16:18:56 +0000 (UTC) (envelope-from johan@stromnet.se) Received: from localhost (core.stromnet.se [83.218.84.131]) by core.stromnet.se (Postfix) with ESMTP id BBDCEF59403; Sat, 17 May 2008 18:01:16 +0200 (CEST) X-Virus-Scanned: amavisd-new at stromnet.se X-Spam-Flag: NO X-Spam-Score: 0.294 X-Spam-Level: X-Spam-Status: No, score=0.294 tagged_above=0 required=6.2 tests=[AWL=2.100, BAYES_00=-2.599, RDNS_DYNAMIC=0.1, SPF_FAIL=0.693] Received: from core.stromnet.se ([83.218.84.131]) by localhost (core.stromnet.se [83.218.84.131]) (amavisd-new, port 10024) with ESMTP id Y9G3KTO53EEo; Sat, 17 May 2008 18:01:14 +0200 (CEST) Received: from johan-mp.stromnet.se (90-224-172-102-no129.tbcn.telia.com [90.224.172.102]) by core.stromnet.se (Postfix) with ESMTP id BAEE3F58D78; Sat, 17 May 2008 18:01:12 +0200 (CEST) Message-Id: <679DB462-75D6-45CC-949C-1BE8E12C22CD@stromnet.se> From: =?ISO-8859-1?Q?Johan_Str=F6m?= To: Alex Trull In-Reply-To: <1211037564.6326.27.camel@porksoda> Content-Type: text/plain; charset=ISO-8859-1; format=flowed; delsp=yes Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (Apple Message framework v919.2) Date: Sat, 17 May 2008 18:01:10 +0200 References: <678A03F5-5E8A-4CF6-90DF-AA9A4F30FBE1@stromnet.se> <1211037564.6326.27.camel@porksoda> X-Mailer: Apple Mail (2.919.2) Cc: freebsd-net@freebsd.org, freebsd-stable , freebsd-pf@freebsd.org Subject: Re: connect(): Operation not permitted X-BeenThere: freebsd-pf@freebsd.org 
X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 17 May 2008 16:18:56 -0000 First of all, for freebsd-pf subscribers, I posted my original problem =20= (in the bottom) to freebsd-net earlier, but replies seems to point to =20= PF so I'll CC there too.. On May 17, 2008, at 5:19 PM, Alex Trull wrote: > Hi Johan and List, > > In my case a few months ago it was pahu. Don't give that fine fellow =20= > an > account on your precious system ! > > > But seriously, I had a pf-firewalled jail being being used for DNS > testing, with large numbers of udp "connections" hanging around in pf > state. While the default udp timeout settings in PF are lower than =20 > those > of the tcp timeouts, it is was still too high for it to to remove the > states in time before hitting the default 10k state limit! > > If this is the case with you - run 'pfctl -s state | wc -l' - when =20 > there > is traffic load you may see that hitting 10k states if you've not =20 > tuned > that variable. > > What to do next - up the state limit or lower the state timeouts. I =20= > did > both, to be safe. > > in /etc/pf.conf these must be at the very top of the file: > > # options > # 10k is insanely low, lets raise it.. > set limit { frags 16384, states 32768 } > # timeouts - see 'pfctl -s timeouts' for options - you will want to > # change the tcp ones rather than the udp ones for your smtp setup. > # but these are mine, I set them for the dns traffic. > set timeout { udp.first 15, udp.single 5, udp.multiple 30 } > > > don't forget to: > > $ /etc/rc.d/pf check && /etc/rc.d/pf reload Ok, looked over the PF states now, but I'm not quite sure thats what =20 causing it. 
I have default limit on 10k states, normally I seem to =20 have around ~800 states, and when I start my test script that tries to =20= send as many mails as possible (using PHP's Pear::Mail, creating a =20 connection, sending, disconnecting, creating new connection.. and so =20 on), I can clearly see the PF state counter (pfctl -vsi) increase, but =20= the script aborts with Operation not permitted way before I hit 10k, =20 its rather around 3-4k.. If I then wait a few seconds and run the script again, I can see the =20 number of states increase even more, and if I do this enough times I =20 finally hit around 9700 states. But at this point (states exhausted), =20= I don't get Operation not permitted, instead it just seems that the =20 script blocks up a few seconds while states clear up, then continues =20 running until it gets a Operation not permitted. So, from the above results, I cant say that it looks like its the =20 states? Just tried to disable the altq rule now too, no changes (not that I =20 expected one, since its on bce0 not lo0). Another thing, which might be more approriate in freebsd-pf though.. =20 Why would it create states at all for this traffic, when my pf.conf =20 rule is "pass on lo0 inet from $jail to $jail" (i have a block drop in =20= rule to drop all traffic)? A check with pfctl -vsr reveals that the =20 actual rule inserted is "pass on lo0 inet from 123.123.123.123 to =20 123.123.123.123 flags S/SA keep state". Where did that "keep state" =20 come from? Thanks for ideas :) > > > HTH, > > Alex > > On Sat, 2008-05-17 at 16:33 +0200, Johan Str=F6m wrote: >> Hello >> >> I got a FreeBSD 7 machine running mail services (among other things). >> This machine recently replaced a FreeBSD 6.2 machine doing the same >> tasks. 
>> Now and then I need to send alot of mail to customers (mailing list), >> and one thing i've noticed now after the change is that when I use a >> lot of connections subsequently (high connection rate, even if they >> are very shortlived) inside a jail (dunno if that has anything to do >> with it though), I start to get Operation not permitted in return to >> connect(). >> I've seen this in the PHP app that sends mail, when it tried to >> connect to localhost, as well as from postfix when it have been =20 >> trying >> to connect to amavisd on localhost, but also from postfix when it has >> tried to connect to remote SMTP servers. >> >> I do have PF for filtering, but there are no max-src-conn-rate limits >> enabled for any rules that is used for this. However, from one of the >> jail I do have a hfsc queue limiting the outgoing mail traffic from >> one jailed IP. But I'm not sure that this would be the problem, since >> I've also seen the problem when doing localhost connects in the jail, >> and also in other jails on an entierly different IP that is not >> affected. >> >> Does anyone have any clues about what I can look at and tune to fix >> this? >> >> Thanks! >> >> -- >> Johan Str=F6m >> Stromnet >> johan@stromnet.se >> http://www.stromnet.se/ >> >> >> _______________________________________________ >> freebsd-stable@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-stable >> To unsubscribe, send any mail to = "freebsd-stable-unsubscribe@freebsd.org=20 >> "
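The two things this thread circles around are a state table running into the `set limit states` ceiling (Alex's and Johan's messages) and a `state-mismatch` counter that keeps climbing (Mark's `pfctl -si` output and Tom's advice). The checker below is an added example, not code from the thread or from the FreeBSD project: it parses the text `pfctl -si` prints and the `set limit` line from pf.conf, and reports what an operator should act on. The `pfctl -si` sample and the pf.conf fragment are constructed, the 10000 default limit and the 80% warning threshold are assumptions.

```python
# Added example (not from the thread): parse `pfctl -si` output and the
# `set limit states N` option from pf.conf, then report state-table
# exhaustion and state-mismatch pressure. Sample data is constructed.
import re

DEFAULT_STATE_LIMIT = 10000  # assumed pf default when pf.conf sets no limit

# Constructed, abridged `pfctl -si` output; counter names are pf's own.
SAMPLE_PFCTL_SI = """\
Status: Enabled for 2 days 03:14:07           Debug: Urgent

State Table                          Total             Rate
  current entries                     9712
  inserts                          1203311           6.7/s
  removals                         1193599           6.6/s
Counters
  match                            1240877           6.9/s
  memory                                 0           0.0/s
  state-mismatch                     12179           3.9/s
  state-limit                          432           0.0/s
"""

# Constructed pf.conf fragment in the form Alex suggested above.
SAMPLE_PF_CONF = """\
# options
set limit { frags 16384, states 32768 }
set timeout { udp.first 15, udp.single 5, udp.multiple 30 }
"""

def parse_pfctl_si(text):
    """Map every indented counter line to (total, rate_per_second|None)."""
    counters = {}
    pat = re.compile(r"^\s+([a-z][a-z-]*(?: [a-z]+)?)\s+(\d+)(?:\s+([\d.]+)/s)?\s*$")
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            rate = float(m.group(3)) if m.group(3) else None
            counters[m.group(1)] = (int(m.group(2)), rate)
    return counters

def parse_state_limit(pf_conf):
    """Return the 'states' limit from any 'set limit' line, else pf's default."""
    for line in pf_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("set limit"):
            m = re.search(r"\bstates\s+(\d+)", line)
            if m:
                return int(m.group(1))
    return DEFAULT_STATE_LIMIT

def assess(counters, limit, warn_ratio=0.8):
    """List the conditions an operator should act on."""
    findings = []
    current = counters.get("current entries", (0, None))[0]
    if current >= warn_ratio * limit:
        findings.append(f"state table at {current}/{limit}: raise 'set limit states' or shorten timeouts")
    for name, why in (("state-limit", "state limit reached"), ("memory", "out of memory")):
        dropped = counters.get(name, (0, None))[0]
        if dropped:
            findings.append(f"{dropped} packets dropped ({why})")
    _, mismatch_rate = counters.get("state-mismatch", (0, None))
    if mismatch_rate:
        findings.append(f"state-mismatch still rising at {mismatch_rate}/s: try 'pfctl -xm' and watch syslog")
    return findings

if __name__ == "__main__":
    for finding in assess(parse_pfctl_si(SAMPLE_PFCTL_SI), parse_state_limit(SAMPLE_PF_CONF)):
        print(finding)
```

On a live box the same functions can be fed `pfctl -si` output and `/etc/pf.conf` read from the firewall; the state-limit and memory counters tell you whether pf has already dropped packets for lack of states, which `pfctl -s state | wc -l` alone cannot.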