From owner-freebsd-pf@FreeBSD.ORG Sun May 18 07:19:37 2008
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Organization: Infracaninophile
Date: Sun, 18 May 2008 08:19:19 +0100
To: Johan Ström
Cc: Alex Trull, freebsd-net@freebsd.org, freebsd-stable, freebsd-pf@freebsd.org
Subject: Re: connect(): Operation not permitted
Message-ID: <482FD877.6050707@infracaninophile.co.uk>
In-Reply-To: <679DB462-75D6-45CC-949C-1BE8E12C22CD@stromnet.se>
References: <678A03F5-5E8A-4CF6-90DF-AA9A4F30FBE1@stromnet.se> <1211037564.6326.27.camel@porksoda> <679DB462-75D6-45CC-949C-1BE8E12C22CD@stromnet.se>
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter (pf)"

Johan Ström wrote:
> drop all traffic)? A check with pfctl -vsr reveals that the actual rule
> inserted is "pass on lo0 inet from 123.123.123.123 to 123.123.123.123
> flags S/SA keep state". Where did that "keep state" come from?

'flags S/SA keep state' is the default now for tcp filter rules -- that
was new in 7.0 reflecting the upstream changes made between the 4.0 and 4.1
releases of OpenBSD.  If you want a stateless rule, append 'no state'.

http://www.openbsd.org/faq/pf/filter.html#state

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW

From owner-freebsd-pf@FreeBSD.ORG Sun May 18 10:33:58 2008
From: Johan Ström <johan@stromnet.se>
Date: Sun, 18 May 2008 12:33:51 +0200
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc: Alex Trull, freebsd-pf@freebsd.org, freebsd-stable, freebsd-net@freebsd.org
Subject: Re: connect(): Operation not permitted
In-Reply-To: <482FD877.6050707@infracaninophile.co.uk>
On May 18, 2008, at 9:19 AM, Matthew Seaman wrote:

> Johan Ström wrote:
>
>> drop all traffic)? A check with pfctl -vsr reveals that the actual
>> rule inserted is "pass on lo0 inet from 123.123.123.123 to
>> 123.123.123.123 flags S/SA keep state". Where did that "keep state"
>> come from?
>
> 'flags S/SA keep state' is the default now for tcp filter rules --
> that
> was new in 7.0 reflecting the upstream changes made between the 4.0
> and 4.1
> releases of OpenBSD.  If you want a stateless rule, append 'no state'.
>
> http://www.openbsd.org/faq/pf/filter.html#state

Thanks! I was actually looking around in the pf.conf manpage but
failed to find it yesterday, but looking closer today I now saw it.
Applied the no state (and quick) to the rule, and now no state is
created.
And the problem I had in the first place seems to have been resolved
too now, even though it didn't look like a state problem.. (started to
deny new connections much earlier than the states were full, although
maybe I wasn't looking for updates fast enough or something).

Anyways, thanks to all helping me out, and of course thanks to
everybody involved in FreeBSD/pf and all for great products! Cannot be
said enough times ;)

From owner-freebsd-pf@FreeBSD.ORG Sun May 18 16:59:45 2008
Date: Sun, 18 May 2008 16:59:44 GMT
Message-Id: <200805181659.m4IGxisL085246@freefall.freebsd.org>
To: vwe@FreeBSD.org, freebsd-net@FreeBSD.org, freebsd-pf@FreeBSD.org
From: vwe@FreeBSD.org
Subject: Re: kern/123726: [panic] [altq] page fault after ppp restart and pf resync

Old Synopsis: page fault after ppp restart and pf resync
New Synopsis: [panic] [altq] page fault after ppp restart and pf resync

Responsible-Changed-From-To: freebsd-net->freebsd-pf
Responsible-Changed-By: vwe
Responsible-Changed-When: Sun May 18 16:57:03 UTC 2008
Responsible-Changed-Why:
altq is Max' territory - reassign
also please note, this PR is a slightly different DUP to similar PRs
(problem is caused by altq when interfaces disappear)

http://www.freebsd.org/cgi/query-pr.cgi?pr=123726

From owner-freebsd-pf@FreeBSD.ORG Sun May 18 17:29:21 2008
From: Kian Mohageri <kian.mohageri@gmail.com>
Date: Sun, 18 May 2008 10:29:19 -0700
To: Johan Ström
Cc: Alex Trull, freebsd-net@freebsd.org, Matthew Seaman, freebsd-stable, freebsd-pf@freebsd.org
Subject: Re: connect(): Operation not permitted

On Sun, May 18, 2008 at 3:33 AM, Johan Ström <johan@stromnet.se> wrote:
> On May 18, 2008, at 9:19 AM, Matthew Seaman wrote:
>
>> Johan Ström wrote:
>>
>>> drop all traffic)? A check with pfctl -vsr reveals that the actual rule
>>> inserted is "pass on lo0 inet from 123.123.123.123 to 123.123.123.123 flags
>>> S/SA keep state". Where did that "keep state" come from?
>>
>> 'flags S/SA keep state' is the default now for tcp filter rules -- that
>> was new in 7.0 reflecting the upstream changes made between the 4.0 and
>> 4.1
>> releases of OpenBSD.  If you want a stateless rule, append 'no state'.
>>
>> http://www.openbsd.org/faq/pf/filter.html#state
>
> Thanks! I was actually looking around in the pf.conf manpage but failed to
> find it yesterday, but looking closer today I now saw it.
> Applied the no state (and quick) to the rule, and now no state is created.
> And the problem I had in the first place seems to have been resolved too
> now, even though it didn't look like a state problem.. (started to deny new
> connections much earlier than the states were full, although maybe I wasn't
> looking for updates fast enough or something).
>

I'd be willing to bet it's because you're reusing the source port on a
new connection before the old state expires.

You'll know if you check the state-mismatch counter.

Anyway, glad you found a resolution.

-Kian
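Added example for the exchange above (Matthew's point that a bare TCP pass rule is loaded as 'flags S/SA keep state', and Kian's suggestion to look at the state-mismatch counter). This is not code from the thread or from the pf project. The ruleset it feeds itself is constructed around the 123.123.123.123 placeholder from the thread; the lint implements the documented default for simple one-line rules and is not pfctl's parser; the pfctl invocations at the end are shown, not run, because they need root and a loaded pf.

```shell
#!/bin/sh
# Added example, not from the thread: make pf's per-rule state policy visible
# before a ruleset is loaded, and list the pfctl checks that confirm it.
#
# Since FreeBSD 7.0 (pf imported from OpenBSD 4.1) a TCP pass rule that says
# nothing about state is loaded as "flags S/SA keep state"; pf.conf(5) puts it
# as "For stateful connections, the default is flags S/SA".  "no state"
# switches both off: no state entry is created, and no flags are checked
# unless the rule names some.

# Constructed ruleset for the demo.  123.123.123.123 is the placeholder
# address used in the thread.
sample_ruleset() {
    cat <<'EOF'
# implicit policy: pfctl -vsr shows this as "... flags S/SA keep state"
pass on lo0 inet proto tcp from 123.123.123.123 to 123.123.123.123

# explicit, and identical to the line above once loaded
pass on lo0 inet proto tcp from 123.123.123.123 to 123.123.123.123 flags S/SA keep state

# stateless: no entry in the state table, so every packet of the connection
# (both directions) has to match a pass rule on its own; quick keeps it from
# falling through to a later block rule
pass quick on lo0 inet proto tcp from 123.123.123.123 to 123.123.123.123 no state
EOF
}

# Read pf.conf text on stdin; print each TCP pass rule and, for rules that
# rely on the default, the form pfctl will load.  A lint for simple one-line
# rules, not pfctl's parser: appending the keywords is right for rules that
# end with the address part, which is the common case.
lint_state_policy() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        /^pass/ && /proto[[:space:]]+tcp/ {
            if ($0 ~ /(keep|modulate|synproxy|no)[[:space:]]+state/) {
                print "explicit: " $0
                next
            }
            loaded = $0
            if ($0 !~ /flags[[:space:]]/) loaded = loaded " flags S/SA"
            print "implicit: " $0
            print "   loads as: " loaded " keep state"
        }
    '
}

# What to run on the firewall itself (root, pf loaded) to confirm the above.
# Printed rather than executed so the script runs on any host.
verify_commands() {
    cat <<'EOF'
pfctl -nvf /etc/pf.conf                 # parse only; prints rules as pfctl expands them
pfctl -vsr                              # rules actually loaded, implicit keywords included
pfctl -ss | grep 123.123.123.123        # state entries that exist for the address
pfctl -si | grep -E 'current entries|state-mismatch|state-limit'
EOF
}

sample_ruleset | lint_state_policy
echo
verify_commands
```

To check a live ruleset instead of the sample, run lint_state_policy < /etc/pf.conf. If a rule is reported as implicit and you want it stateless, add 'no state' yourself rather than relying on the default; a rising state-mismatch count in pfctl -si while connections fail is the symptom Kian describes, a new connection reusing a source port whose previous state has not yet expired.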
From owner-freebsd-pf@FreeBSD.ORG Sun May 18 23:30:04 2008
From: Max Laier
Reply-To: Max Laier
Date: Sun, 18 May 2008 23:30:03 GMT
To: freebsd-pf@FreeBSD.org
Subject: Re: kern/123726: [panic] [altq] page fault after ppp restart and pf resync
Message-Id: <200805182330.m4INU3i4018970@freefall.freebsd.org>

The following reply was made to PR kern/123726; it has been noted by GNATS.

From: Max Laier
To: bug-followup@freebsd.org, justinjereza@gmail.com
Subject: Re: kern/123726: [panic] [altq] page fault after ppp restart and pf resync
Date: Mon, 19 May 2008 01:22:21 +0200

There is a patch for this here:
http://people.freebsd.org/~mlaier/pf.dyn_altq.R7.diff

It's been committed to RELENG_7, too.  I'm not sure it warrants an errata
commit to RELENG_7_0, though.

-- 
Max

From owner-freebsd-pf@FreeBSD.ORG Sun May 18 23:42:59 2008
From: linimon@FreeBSD.org
Date: Sun, 18 May 2008 23:42:58 GMT
To: justinjereza@gmail.com, linimon@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/123726: [panic] [altq] page fault after ppp restart and pf resync
Message-Id: <200805182342.m4INgwIF021415@freefall.freebsd.org>

Synopsis: [panic] [altq] page fault after ppp restart and pf resync

State-Changed-From-To: open->patched
State-Changed-By: linimon
State-Changed-When: Sun May 18 23:42:07 UTC 2008
State-Changed-Why:
Already committed to RELENG_7; may need merge to RELENG_6.
http://www.freebsd.org/cgi/query-pr.cgi?pr=123726

From owner-freebsd-pf@FreeBSD.ORG Sun May 18 23:46:18 2008
From: linimon@FreeBSD.org
Date: Sun, 18 May 2008 23:46:18 GMT
To: linimon@FreeBSD.org, freebsd-pf@FreeBSD.org, mlaier@FreeBSD.org
Subject: Re: kern/123726: [panic] [altq] page fault after ppp restart and pf resync
Message-Id: <200805182346.m4INkIso021486@freefall.freebsd.org>

Synopsis: [panic] [altq] page fault after ppp restart and pf resync

Responsible-Changed-From-To: freebsd-pf->mlaier
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun May 18 23:43:02 UTC 2008
Responsible-Changed-Why:
Over to committer of the patch.
http://www.freebsd.org/cgi/query-pr.cgi?pr=123726

From owner-freebsd-pf@FreeBSD.ORG Mon May 19 00:08:51 2008
From: linimon@FreeBSD.org
Date: Mon, 19 May 2008 00:08:50 GMT
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/78090: [ipf] ipf filtering on bridged packets doesn't work if ipfw is loaded
Message-Id: <200805190008.m4J08ogu022866@freefall.freebsd.org>

Synopsis: [ipf] ipf filtering on bridged packets doesn't work if ipfw is loaded

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Mon May 19 00:08:42 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).
http://www.freebsd.org/cgi/query-pr.cgi?pr=78090

From owner-freebsd-pf@FreeBSD.ORG Mon May 19 00:09:56 2008
From: linimon@FreeBSD.org
Date: Mon, 19 May 2008 00:09:56 GMT
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/102344: [ipf] Some packets do not pass through network interface
Message-Id: <200805190009.m4J09uIm022948@freefall.freebsd.org>

Synopsis: [ipf] Some packets do not pass through network interface

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Mon May 19 00:09:46 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).
http://www.freebsd.org/cgi/query-pr.cgi?pr=102344

From owner-freebsd-pf@FreeBSD.ORG Mon May 19 03:38:21 2008
From: Kian Mohageri <kian.mohageri@gmail.com>
Date: Sun, 18 May 2008 20:38:20 -0700
To: "freebsd pf"
Subject: Filtering CARP interface(s) and 'set skip on lo0'

Hey all,

I'm trying to clean up my PF rulesets, and I noticed today that a CARP
master connecting to itself (on the CARP IP address) appears to be
filtered even when 'set skip on lo0' is in effect.

At first I suspected that maybe CARP Master to itself is routed
differently in FreeBSD (so it wouldn't actually be on lo0), but a
tcpdump seems to say otherwise.  That is:

> ifconfig carp0
carp0: flags=49 metric 0 mtu 1500
        inet 67.201.255.210 netmask 0xffffffe0
        carp: MASTER vhid 1 advbase 1 advskew 10

> sudo tcpdump -c 3 -n -i lo0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
20:36:40.522108 IP 67.201.255.210.65404 > 67.201.255.210.53: 2673+ A? daapiak-mtv.flux.com. (38)
20:36:40.522569 IP 67.201.255.210.53 > 67.201.255.210.65404: 2673 4/9/3 CNAME[|domain]
20:36:40.724506 IP 67.201.255.210.65404 > 67.201.255.210.53: 20823+ PTR? 240.189.73.209.

I tried the archives but couldn't find an explanation about why 'set
skip on lo0' wouldn't apply here, so I'm wondering if any of you could
point me in the right direction.  The simple answer would be for me to
simply filter a little differently so the MASTER can talk to itself,
but I figured this could be a learning experience too.

Is this intended FreeBSD-specific behavior, and if so, what is the
recommended way to deal with it?
Thanks for any pointers,

Kian

From owner-freebsd-pf@FreeBSD.ORG Mon May 19 09:11:28 2008
From: Max Laier <max@love2party.net>
Organization: FreeBSD
Date: Mon, 19 May 2008 11:11:18 +0200
To: freebsd-pf@freebsd.org
Subject: Re: Filtering CARP interface(s) and 'set skip on lo0'
Message-Id: <200805191111.18113.max@love2party.net>

On Monday 19 May 2008 05:38:20 Kian Mohageri wrote:
> Hey all,
>
> I'm trying to clean up my PF rulesets, and I noticed today that a CARP
> master connecting to itself (on the CARP IP address) appears to be
> filtered even when 'set skip on lo0' is in effect.
>
> At first I suspected that maybe CARP Master to itself is routed
> differently in FreeBSD (so it wouldn't actually be on lo0), but a
> tcpdump seems to say otherwise.  That is:
>
> > ifconfig carp0
>
> carp0: flags=49 metric 0 mtu 1500
>         inet 67.201.255.210 netmask 0xffffffe0
>         carp: MASTER vhid 1 advbase 1 advskew 10
>
> > sudo tcpdump -c 3 -n -i lo0
>
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
> 20:36:40.522108 IP 67.201.255.210.65404 > 67.201.255.210.53: 2673+ A? daapiak-mtv.flux.com. (38)
> 20:36:40.522569 IP 67.201.255.210.53 > 67.201.255.210.65404: 2673 4/9/3 CNAME[|domain]
> 20:36:40.724506 IP 67.201.255.210.65404 > 67.201.255.210.53: 20823+ PTR? 240.189.73.209.

Just because the packets show up on lo0 "sometime" doesn't mean that they
won't pass through other interfaces before or after.  CARP is special in
that respect and needs special attention.

> I tried the archives but couldn't find an explanation about why 'set
> skip on lo0' wouldn't apply here, so I'm wondering if any of you could
> point me in the right direction.  The simple answer would be for me to
> simply filter a little differently so the MASTER can talk to itself,
> but I figured this could be a learning experience too.
>
> Is this intended FreeBSD-specific behavior, and if so, what is the
> recommended way to deal with it?
The usual advice on how to debug rulesets that block stuff you want to
allow:
 1) Add "log" to all block rules
 2) Listen on pflog0
 3) Generate the traffic pattern you want to pass
 4) Find this offending rule (and also the interface and direction the
    traffic was blocked on)
 5) Insert a rule to allow the traffic in question
 6) Repeat until everything works as required

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
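The debugging loop Max Laier lists above, as an added example that is not code from the thread or from the pf project: the commands for the steps that run on the firewall, and an awk filter that condenses a pflog0 capture into "which rule blocked what, on which interface, in which direction", which is exactly what step 4 asks for. The capture in sample_pflog is constructed; its interface names, rule numbers and addresses are assumptions, not data from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: the "log, listen on pflog0, find the
# rule" loop, with the capture condensed by awk so the blocking rule number,
# interface and direction can be read off directly.
#
# On the firewall (root, pf loaded); nothing below runs pfctl or tcpdump:
#   1) add "log" to every block rule in pf.conf, e.g.
#        block all                    ->  block log all
#        block drop in quick on em0   ->  block drop log in quick on em0
#      then reload:  pfctl -f /etc/pf.conf
#   2) tcpdump -n -e -ttt -i pflog0 > /tmp/pflog.txt &
#      (-e is what prints the "rule N/0(match): block in on IF:" header)
#   3) generate the traffic that should pass
#   4) summarize_pflog < /tmp/pflog.txt, then look the index up with
#        pfctl -vvsr | grep '^@3 '    # "@N" in -vv output is the index pflog reports
#   5) add a pass rule for that interface and direction, reload, repeat

# Condense tcpdump pflog0 output: one line per (action, direction, interface,
# rule) with a hit count and one example flow, most hits first.
summarize_pflog() {
    awk '
        {
            i = index($0, "rule ")
            if (i == 0) next                    # not a pflog record
            rest = substr($0, i + 5)            # "3/0(match): block in on lo0: SRC > DST: ..."
            n = split(rest, f, " ")
            if (n < 8) next
            rulenr = f[1]; sub(/\/.*/, "", rulenr)      # "3/0(match):" -> "3"
            action = f[2]; dir = f[3]
            iface = f[5]; sub(/:$/, "", iface)
            src = f[6]; dst = f[8]; sub(/:$/, "", dst)
            key = action " " dir " on " iface " rule " rulenr
            hits[key]++
            if (!(key in flow)) flow[key] = src " > " dst
        }
        END {
            for (k in hits) printf "%5d  %-32s e.g. %s\n", hits[k], k, flow[k]
        }
    ' | sort -rn
}

# Constructed sample capture (not from the thread): what "tcpdump -n -e -ttt
# -i pflog0" prints when a host talking to its own CARP address is blocked
# once on lo0 and once on the way out of carp0.  Interface names, rule
# numbers and addresses are assumptions.
sample_pflog() {
    cat <<'EOF'
00:00:00.000000 rule 3/0(match): block in on lo0: 192.0.2.10.65404 > 192.0.2.10.53: 2673+ A? example.com. (29)
00:00:00.000412 rule 3/0(match): block in on lo0: 192.0.2.10.65404 > 192.0.2.10.53: 20823+ PTR? 10.2.0.192.in-addr.arpa. (41)
00:00:00.102233 rule 7/0(match): block out on carp0: 192.0.2.10.53 > 192.0.2.10.65404: 2673 1/0/0 A 192.0.2.20 (45)
EOF
}

sample_pflog | summarize_pflog
```

The output names the interface and direction alongside the rule, which matters for the CARP case: a flow that is visible on lo0 can still be blocked on carp0 or the physical interface, so a pass rule written only for lo0 will not fix it. Rules inside anchors show up in pflog as "N.anchor.M/0"; the filter keeps that whole index string, which is also what pfctl -vvsr -a anchor prints.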
Synopsis: [ipf] ipf filtering on bridged packets doesn't work if ipfw is loaded

Responsible-Changed-From-To: freebsd-pf->freebsd-net
Responsible-Changed-By: mlaier
Responsible-Changed-When: Mon May 19 09:12:31 UTC 2008
Responsible-Changed-Why:
This is not a pf problem. Also note that the old bridge implementation,
to which this PR relates, is obsolete by if_bridge(4) and likely no
longer maintained. Over to freebsd-net in case somebody is still
interested.

http://www.freebsd.org/cgi/query-pr.cgi?pr=78090

From owner-freebsd-pf@FreeBSD.ORG Mon May 19 09:17:10 2008
From: mlaier@FreeBSD.org
Date: Mon, 19 May 2008 09:17:10 GMT
To: read@midland.com.ua, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org, freebsd-net@FreeBSD.org
Subject: Re: kern/102344: [ipf] Some packets do not pass through network interface
Synopsis: [ipf] Some packets do not pass through network interface

State-Changed-From-To: open->feedback
State-Changed-By: mlaier
State-Changed-When: Mon May 19 09:15:26 UTC 2008
State-Changed-Why:
The submitter was asked for configuration details over a year ago.

Responsible-Changed-From-To: freebsd-pf->freebsd-net
Responsible-Changed-By: mlaier
Responsible-Changed-When: Mon May 19 09:15:26 UTC 2008
Responsible-Changed-Why:
Not a pf problem. Reassign to freebsd-net.

http://www.freebsd.org/cgi/query-pr.cgi?pr=102344

From owner-freebsd-pf@FreeBSD.ORG Mon May 19 11:06:57 2008
From: FreeBSD bugmaster
Date: Mon, 19 May 2008 11:06:57 GMT
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Current FreeBSD problem reports

Critical problems

S Tracker       Resp. Description
--------------------------------------------------------------------------------
o kern/111220   pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker       Resp. Description
--------------------------------------------------------------------------------
o kern/82271    pf    [pf] cbq scheduler cause bad latency
o kern/92949    pf    [pf] PF + ALTQ problems with latency
o bin/116610    pf    [patch] teach tcpdump(1) to cope with the new-style pf
o kern/120281   pf    [request] lost returning packets to PF for a rdr rule
o kern/122014   pf    [panic] FreeBSD 6.2 panic in pf

5 problems total.

Non-critical problems

S Tracker       Resp. Description
--------------------------------------------------------------------------------
o sparc/93530   pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825    pf    [pf] pf reply-to doesn't work
s conf/110838   pf    tagged parameter on nat not working on FreeBSD 5.2
o kern/114095   pf    [carp] carp+pf delay with high state limit
o kern/114567   pf    [pf] LOR pf_ioctl.c + if.c
f kern/116645   pf    [request] pfctl -k does not work in securelevel 3
o kern/118355   pf    [pf] [patch] pfctl help message options order false -t
o kern/120057   pf    [patch] Allow proper settings of ALTQ_HFSC. The check
o kern/121704   pf    [pf] PF mangles loopback packets
o kern/122773   pf    [pf] pf doesn't log uid or pid when configured to

10 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon May 19 14:27:10 2008
From: "Kian Mohageri" <kian.mohageri@gmail.com>
Date: Mon, 19 May 2008 07:27:03 -0700
To: "Max Laier"
Cc: freebsd-pf@freebsd.org
Subject: Re: Filtering CARP interface(s) and 'set skip on lo0'

On Mon, May 19, 2008 at 2:11 AM, Max Laier wrote:
> On Monday 19 May 2008 05:38:20 Kian Mohageri wrote:
>> Hey all,
>>
>> I'm trying to clean up my PF rulesets, and I noticed today that a CARP
>> master connecting to itself (on the CARP IP address) appears to be
>> filtered even when 'set skip on lo0' is in effect.
>>
>> At first I suspected that maybe CARP Master to itself is routed
>> differently in FreeBSD (so it wouldn't actually be on lo0), but a
>> tcpdump seems to say otherwise. That is:
>>
>> > ifconfig carp0
>>
>> carp0: flags=49 metric 0 mtu 1500
>>         inet 67.201.255.210 netmask 0xffffffe0
>>         carp: MASTER vhid 1 advbase 1 advskew 10
>>
>> > sudo tcpdump -c 3 -n -i lo0
>>
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
>> 20:36:40.522108 IP 67.201.255.210.65404 > 67.201.255.210.53: 2673+ A? daapiak-mtv.flux.com. (38)
>> 20:36:40.522569 IP 67.201.255.210.53 > 67.201.255.210.65404: 2673 4/9/3 CNAME[|domain]
>> 20:36:40.724506 IP 67.201.255.210.65404 > 67.201.255.210.53: 20823+ PTR? 240.189.73.209.
>
> Just because the packets show up on lo0 "sometime" doesn't mean that they
> won't pass through other interfaces before or after. CARP is special in
> that respect and needs special attention.

Does it pass through the CARP interface or does PF just think so?
Tcpdump on carp0 doesn't show anything, and tcpdump on a CARP interface
that's in "backup" only shows the advertisements of the master, which is
why I am/was confused.

-Kian

PS: Thank you for updating pf in 7.0!
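The six-step procedure Max Laier gave earlier in this thread, and Kian's question about which interface pf actually filtered on, as an added example that is not from the thread or from pf itself: a POSIX shell script that takes the output of `tcpdump -n -e -ttt -i pflog0` and summarizes which rule, interface and direction blocked each flow (step 4), so the rule number can be looked up in `pfctl -vvsr` before a pass rule is added (step 5). The pflog header that `-e` prints carries exactly that information. The capture lines, rule numbers and addresses are constructed for the example; the `debug_blocked` wrapper needs a live pflog0 and is shown for use on the firewall only.

```shell
#!/bin/sh
# Added example (not from the thread or from pf): turn the output of
# "tcpdump -n -e -ttt -i pflog0" into a per-rule summary of what pf blocked,
# which is step 4 of the procedure. It assumes step 1 was done, i.e. the
# block rules carry "log" so that they show up on pflog0, for example:
#
#     block in log all          # was: block in all
#     block out log all
#
# Constructed sample capture: rule numbers, interfaces and addresses are
# made up for the example (carp0 appears because the thread is about CARP).
SAMPLE_PFLOG='000000 rule 2/0(match): block in on carp0: 192.0.2.10.65404 > 192.0.2.10.53: UDP, length 38
000441 rule 2/0(match): block in on carp0: 192.0.2.10.53 > 192.0.2.10.65404: UDP, length 120
000200 rule 2/0(match): block in on carp0: 192.0.2.10.65404 > 192.0.2.10.53: UDP, length 36
003010 rule 5/0(match): block out on em0: 192.0.2.10.40122 > 198.51.100.7.22: Flags [S], length 0
000015 rule 5/0(match): block out on em0: 192.0.2.10.40123 > 198.51.100.7.22: Flags [S], length 0
000002 rule 0/0(match): pass in on em0: 192.0.2.20.51000 > 192.0.2.10.80: Flags [S], length 0'

# Read pflog lines on stdin; print "<count> rule <n>/<sub>(<reason>): <action>
# <dir> on <ifname>" once per distinct rule/direction/interface, busiest
# first. The pflog header is what carries the rule number, the direction
# and the interface pf filtered on.
pflog_summary() {
    awk '
        match($0, /rule [^ ]+\([a-z-]+\): (block|pass|nat|rdr|binat|scrub) (in|out) on [^:]+:/) {
            key = substr($0, RSTART, RLENGTH)
            sub(/:$/, "", key)            # drop the trailing colon
            count[key]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# Number of the block rule that dropped the most packets, or nothing when no
# block entry was logged. Field 3 of a summary line is "<n>/<sub>(<reason>):".
top_blocking_rule() {
    pflog_summary | awk '$4 == "block" { split($3, r, "/"); print r[1]; exit }'
}

# Live use on the firewall (not run here): capture a few logged packets while
# reproducing the traffic (step 3), then show the rule pf gave that number in
# the loaded ruleset; "pfctl -vvsr" prefixes every rule with "@<n>".
debug_blocked() {
    n=$(tcpdump -n -e -ttt -i pflog0 -c "${1:-50}" 2>/dev/null | top_blocking_rule)
    [ -n "$n" ] && pfctl -vvsr | grep -A1 "^@$n "
}

printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary
printf 'most active block rule: @%s\n' "$(printf '%s\n' "$SAMPLE_PFLOG" | top_blocking_rule)"
```

On the sample the summary puts rule 2 (block in on carp0) first with three packets, which is the line to compare against `pfctl -vvsr` output before inserting a more specific pass rule above it.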
From owner-freebsd-pf@FreeBSD.ORG Mon May 19 18:02:34 2008
From: linimon@FreeBSD.org
Date: Mon, 19 May 2008 18:02:34 GMT
To: james@jlauser.net, linimon@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/116645: [request] pfctl -k does not work in securelevel 3

Synopsis: [request] pfctl -k does not work in securelevel 3

State-Changed-From-To: feedback->closed
State-Changed-By: linimon
State-Changed-When: Mon May 19 18:02:09 UTC 2008
State-Changed-Why:
Feedback indicates that this behavior is by design; no one has stepped
up to disagree, so far.
http://www.freebsd.org/cgi/query-pr.cgi?pr=116645

From owner-freebsd-pf@FreeBSD.ORG Tue May 20 15:55:55 2008
From: "Cristian Bradiceanu" <cbredi@bofhserver.net>
Date: Tue, 20 May 2008 18:30:58 +0300
To: freebsd-pf@freebsd.org
Subject: pf reply-to tcp connections stall

Hello,

I am trying to set up split routing on two Internet links, each with
one IP address:

em0 = wan1, $em0_gw gateway
em1 = lan, NATed on em0 and em2
em2 = wan2, default gateway

pass in on em0 reply-to (em0 $em0_gw) inet proto tcp from any to em0 flags S/SA keep state
pass in on em0 reply-to (em0 $em0_gw) inet proto udp from any to em0 keep state
pass in on em0 reply-to (em0 $em0_gw) inet proto icmp from any to em0 keep state

wan2 connections are working correctly, no pf rules for policy routing

wan1 tcp connections to IP of em0 (e.g. ssh) stall when a large amount
of data is sent (e.g. running dmesg or cat file). States are created
correctly. When ssh stalls there are some icmp packets out on lo0 with
source and destination ip address of em0, which I believe is not
correct (set skip on lo0 does not help). Also tried with tcp ...
modulate state but same result.

If I change the default gateway to $em0_gw and disable pf, all connections
on wan1 are ok.

I also tried to use route-to instead of reply-to with:

pass out on em2 route-to (em0 $em0_gw) from em0 to any

both with keep state and no state options - same ssh connection stall.

System is FreeBSD 7.0-STABLE amd64.

Kind regards,
Cristian

From owner-freebsd-pf@FreeBSD.ORG Tue May 20 16:20:29 2008
From: Jeremy Chadwick <jdc@parodius.com>
Date: Tue, 20 May 2008 09:20:29 -0700
To: Cristian Bradiceanu
Cc: freebsd-pf@freebsd.org
Subject: Re: pf reply-to tcp connections stall
On Tue, May 20, 2008 at 06:30:58PM +0300, Cristian Bradiceanu wrote:
> I am trying to set up split routing on two Internet links, each with
> one IP address:
>
> em0 = wan1, $em0_gw gateway
> em1 = lan, NATed on em0 and em2
> em2 = wan2, default gateway
>
> pass in on em0 reply-to (em0 $em0_gw) inet proto tcp from any to em0 flags S/SA keep state
> pass in on em0 reply-to (em0 $em0_gw) inet proto udp from any to em0 keep state
> pass in on em0 reply-to (em0 $em0_gw) inet proto icmp from any to em0 keep state
>
> wan2 connections are working correctly, no pf rules for policy routing
>
> wan1 tcp connections to IP of em0 (e.g. ssh) stall when a large amount
> of data is sent (e.g. running dmesg or cat file). States are created
> correctly. When ssh stalls there are some icmp packets out on lo0 with
> source and destination ip address of em0, which I believe is not
> correct (set skip on lo0 does not help). Also tried with tcp ...
> modulate state but same result.

modulate state is known to be broken:

http://wiki.freebsd.org/JeremyChadwick/Commonly_reported_issues

Regarding the "when large amounts of data is sent, the connection
breaks" issue:

I've reproduced this a few times on our systems (using the exact same
method you do: dmesg, cat'ing large files, or scp'ing -- anything using
large TCP packets), and it's always been caused by improper pf(4) rules
where state was broken. In every case, the "state mismatch" counter
shown in pfctl -s info would increase.

--
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                        http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, USA |
| Making life hard for others since 1977.                             |
| PGP: 4BD6C0CB                                                       |

From owner-freebsd-pf@FreeBSD.ORG Tue May 20 20:48:45 2008
From: Tom Uffner <tom@uffner.com>
Date: Tue, 20 May 2008 16:48:43 -0400
To: freebsd-arch@freebsd.org
Cc: freebsd-pf@freebsd.org
Subject: /etc/pf.conf missing from 7.0 minimal install

the sample config file /etc/pf.conf is not included in the 7.0-STABLE
minimal installation.

was this an accidental omission, as it appears to be since the rest
of the pf files including /etc/pf.os are included, or was it done by
design?

tom

From owner-freebsd-pf@FreeBSD.ORG Tue May 20 20:49:56 2008
From: "Cristian Bradiceanu" <cbredi@bofhserver.net>
Date: Tue, 20 May 2008 23:49:42 +0300
To: "Jeremy Chadwick"
Cc: freebsd-pf@freebsd.org
Subject: Re: pf reply-to tcp connections stall

On Tue, May 20, 2008 at 7:20 PM, Jeremy Chadwick wrote:
> On Tue, May 20, 2008 at 06:30:58PM +0300, Cristian Bradiceanu wrote:
>> I am trying to set up split routing on two Internet links, each with
>> one IP address:
>>
>> em0 = wan1, $em0_gw gateway
>> em1 = lan, NATed on em0 and em2
>> em2 = wan2, default gateway
>>
>> pass in on em0 reply-to (em0 $em0_gw) inet proto tcp from any to em0 flags S/SA keep state
>> pass in on em0 reply-to (em0 $em0_gw) inet proto udp from any to em0 keep state
>> pass in on em0 reply-to (em0 $em0_gw) inet proto icmp from any to em0 keep state
>>
>> wan2 connections are working correctly, no pf rules for policy routing
>>
>> wan1 tcp connections to IP of em0 (e.g. ssh) stall when a large amount
>> of data is sent (e.g. running dmesg or cat file). States are created
>> correctly. When ssh stalls there are some icmp packets out on lo0 with
>> source and destination ip address of em0, which I believe is not
>> correct (set skip on lo0 does not help). Also tried with tcp ...
>> modulate state but same result.
>
> modulate state is known to be broken:
>
> http://wiki.freebsd.org/JeremyChadwick/Commonly_reported_issues
>
> Regarding the "when large amounts of data is sent, the connection
> breaks" issue:
>
> I've reproduced this a few times on our systems (using the exact same
> method you do: dmesg, cat'ing large files, or scp'ing -- anything using
> large TCP packets), and it's always been caused by improper pf(4) rules
> where state was broken. In every case, the "state mismatch" counter
> shown in pfctl -s info would increase.

state-mismatch counter does not increase, all "Counters" are 0 except
match (pfctl -si). When large amounts of data are sent the connection
stalls and continues from time to time very slowly; when it continues
there are logged icmp packets out on lo0 from (em0) to (em0) which
looks pretty weird to me.
Cristian

From owner-freebsd-pf@FreeBSD.ORG Tue May 20 21:09:24 2008
From: Reinhard Haller <reinhard.haller@interactive-net.de>
Date: Tue, 20 May 2008 22:56:37 +0200
To: freebsd-pf@freebsd.org
Subject: NAT problem with pppoe
Hi,

I suspect pf is caching invalid outdated dynamic addresses. After this
happens, all requests sent from internal hosts are sent with the
previous dynamic address as source address and are ignored by our
provider. Requests sent directly from our pf-box use the new dynamic
address as expected.

/etc/pf.conf

ext_if="tun0"
external_net="!192.168.0.0/16"

nat on $ext_if from !($ext_if) -> ($ext_if)

anchor portupgrade out on $ext_if
pass out on $ext_if from ($ext_if) to $external_net tagged FORWARD
pass quick proto { tcp, udp } from $dns_server to port domain tag FORWARD

the anchor portupgrade is filled with the ppp-linkup script (DNS0/1)

pass quick inet proto udp from (tun0) to 212.18.3.5 port = domain keep state

Sending HUP to ppp doesn't eliminate the problem, pfctl -d/-e and a
restart of the internal server solve it.

The pf-box uses freebsd 7.0 stable, usermode-ppp is used to connect with
the provider.

Any suggestions?

Thanks
Reinhard

From owner-freebsd-pf@FreeBSD.ORG Tue May 20 21:11:28 2008
From: Stefan Lambrev <stefan.lambrev@moneybookers.com>
Date: Tue, 20 May 2008 23:54:41 +0300
To: Tom Uffner
Cc: freebsd-pf@freebsd.org
Subject: Re: /etc/pf.conf missing from 7.0 minimal install

Tom Uffner wrote:
> the sample config file /etc/pf.conf is not included in the 7.0-STABLE
> minimal installation.
>
> was this an accidental omission, as it appears to be since the rest
> of the pf files including /etc/pf.os are included, or was it done by
> design?

I think it was moved to /usr/share/examples/etc/ because mergemaster can
override it incidentally ... which is not the case with other pf.XX files :)

> tom

--
Best Wishes,
Stefan Lambrev
ICQ# 24134177

From owner-freebsd-pf@FreeBSD.ORG Tue May 20 21:43:21 2008
From: Henrik Brix Andersen <brix@FreeBSD.org>
Date: Tue, 20 May 2008 23:24:46 +0200
To: Tom Uffner
Cc: freebsd-pf@freebsd.org, freebsd-arch@freebsd.org
Subject: Re: /etc/pf.conf missing from 7.0 minimal install
On Tue, May 20, 2008 at 04:48:43PM -0400, Tom Uffner wrote:
> the sample config file /etc/pf.conf is not included in the 7.0-STABLE
> minimal installation.
>
> was this an accidental omission, as it appears to be since the rest
> of the pf files including /etc/pf.os are included, or was it done by
> design?

By design. It was moved to /usr/share/examples/pf/pf.conf

Brix
--
Henrik Brix Andersen

From owner-freebsd-pf@FreeBSD.ORG Tue May 20 22:52:09 2008
From: "Vlad GALU" <dudu@dudu.ro>
Date: Wed, 21 May 2008 01:27:41 +0300
To: freebsd-pf@freebsd.org
Subject: Re: pf reply-to tcp connections stall

On 5/20/08, Cristian Bradiceanu wrote:
> On Tue, May 20, 2008 at 7:20 PM, Jeremy Chadwick wrote:
> > On Tue, May 20, 2008 at 06:30:58PM +0300, Cristian Bradiceanu wrote:
> >> I am trying to set up split routing on two Internet links, each with
> >> one IP address:
> >>
> >> em0 = wan1, $em0_gw gateway
> >> em1 = lan, NATed on em0 and em2
> >> em2 = wan2, default gateway
> >>
> >> pass in on em0 reply-to (em0 $em0_gw) inet proto tcp from any to em0 flags S/SA keep state
> >> pass in on em0 reply-to (em0 $em0_gw) inet proto udp from any to em0 keep state
> >> pass in on em0 reply-to (em0 $em0_gw) inet proto icmp from any to em0 keep state
> >>
> >> wan2 connections are working correctly, no pf rules for policy routing
> >>
> >> wan1 tcp connections to IP of em0 (e.g. ssh) stall when a large amount
> >> of data is sent (e.g. running dmesg or cat file). States are created
> >> correctly. When ssh stalls there are some icmp packets out on lo0 with
> >> source and destination ip address of em0, which I believe is not
> >> correct (set skip on lo0 does not help). Also tried with tcp ...
> >> modulate state but same result.
> > > > modulate state is known to be broken: > > > > http://wiki.freebsd.org/JeremyChadwick/Commonly_reported_issues > > > > Regarding the "when large amounts of data is sent, the connection > > breaks" issue: > > > > I've reproduced this a few times on our systems (using the exact same > > method you do: dmesg, cat'ing large files, or scp'ing -- anything using > > large TCP packets), and it's always been caused by improper pf(4) rules > > where state was broken. In every case, the "state mismatch" counter > > shown in pfctl -s info would increase. > > > state-mismatch counter does not increase, all "Counters" are 0 except > match (pfctl -si). When large amounts of data is sent the connection > stalls and continues from time to time very slow; when it continues > there are logged icmp packets out on lo0 from (em0) to (em0) which > looks pretty weird to me. > > > Cristian This may be a PMTUD issue. Make sure your ICMP packets can travel back and forth unhindered and that there are no scrub rules that may clear out the DF flag on them. 
> > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > -- ~/.signature: no such file or directory From owner-freebsd-pf@FreeBSD.ORG Wed May 21 01:54:28 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5BDBD1065679 for ; Wed, 21 May 2008 01:54:28 +0000 (UTC) (envelope-from jcw@highperformance.net) Received: from mail13.sea5.speakeasy.net (mail13.sea5.speakeasy.net [69.17.117.15]) by mx1.freebsd.org (Postfix) with ESMTP id 3C42F8FC0A for ; Wed, 21 May 2008 01:54:28 +0000 (UTC) (envelope-from jcw@highperformance.net) Received: (qmail 9335 invoked from network); 21 May 2008 01:27:48 -0000 Received: from mxperim7.sea5.speakeasy.net ([69.17.117.72]) (envelope-sender ) by mail13.sea5.speakeasy.net (qmail-ldap-1.03) with SMTP for ; 21 May 2008 01:27:48 -0000 Received: from localhost (localhost [127.0.0.1]) by mxperim7.sea5.speakeasy.net (Postfix) with ESMTP id E57FBAF5BF for ; Tue, 20 May 2008 18:27:47 -0700 (PDT) X-Virus-Scanned: Debian amavisd-new at mxperim7.sea5.speakeasy.net Received: from mxperim7.sea5.speakeasy.net ([127.0.0.1]) by localhost (mxperim7.sea5.speakeasy.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dRLZwhBZje04 for ; Tue, 20 May 2008 18:27:47 -0700 (PDT) Received: from w16.stradamotorsports.com (dsl081-163-120.sea1.dsl.speakeasy.net [64.81.163.120]) by mxperim7.sea5.speakeasy.net (Postfix) with ESMTP for ; Tue, 20 May 2008 18:27:47 -0700 (PDT) Message-ID: <48337A93.9090003@highperformance.net> Date: Tue, 20 May 2008 18:27:47 -0700 From: "Jason C. 
To: freebsd-pf@freebsd.org
Subject: nat pass and state

I have these rules (and others) in pf.conf:

nat pass on $ext_if from $int_net to any -> ($ext_if)

block in all
block out all

I cannot connect to websites unless I also add:

pass proto { tcp, udp } from any to any port http keep state

My understanding is that nat rules are inherently stateful. I also
understand that a packet that matches state bypasses filter rules. A hit
on a web page should generate a state on the way out and then match that
state on the way back in, avoiding the block rules. By testing, I show
that the pass http rule is needed to complete the connection.

Would someone please explain why the nat rule is not sufficient to allow
me to access a web page? I must have a gross conceptual error on how PF
works. This is too simple, but I just don't get it.

Regards,
Jason

From owner-freebsd-pf@FreeBSD.ORG Wed May 21 04:15:08 2008
From: Eygene Ryabinkin
Date: Wed, 21 May 2008 08:01:47 +0400
To: Tom Uffner, freebsd-arch@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: /etc/pf.conf missing from 7.0 minimal install

Tue, May 20, 2008 at 11:24:46PM +0200, Henrik Brix Andersen wrote:
> On Tue, May 20, 2008 at 04:48:43PM -0400, Tom Uffner wrote:
> > was this an accidental omission, as it appears to be since the rest
> > of the pf files including /etc/pf.os are included, or was it done by
> > design?
>
> By design. It was moved to /usr/share/examples/pf/pf.conf

...and substantially stripped down (synced with OpenBSD examples, as the
commit message says). I would say that this is a step backwards, because
the old /etc/pf.conf had more options and provided better comments.
-- 
Eygene

From owner-freebsd-pf@FreeBSD.ORG Wed May 21 04:28:41 2008
From: Jeremy Chadwick
Date: Tue, 20 May 2008 21:28:41 -0700
To: Jason C. Wells
Cc: freebsd-pf@freebsd.org
Subject: Re: nat pass and state

On Tue, May 20, 2008 at 06:27:47PM -0700, Jason C. Wells wrote:
> I have these rules (and others) in pf.conf:
>
> nat pass on $ext_if from $int_net to any -> ($ext_if)
>
> block in all
> block out all
>
> I cannot connect to websites unless I also add:
>
> pass proto { tcp, udp } from any to any port http keep state
>
> My understanding is that nat rules are inherently stateful. I also
> understand that a packet that matches state bypasses filter rules. A hit
> on a web page should generate a state on the way out and then match that
> state on the way back in, avoiding the block rules. By testing, I show
> that the pass http rule is needed to complete the connection.
>
> Would someone please explain why the nat rule is not sufficient to allow me
> to access a web page? I must have a gross conceptual error on how PF
> works. This is too simple, but I just don't get it.

I believe it's because pf(4) doesn't make assumptions about what you
want to filter. NAT is stateful (it has to be, because packets are
being re-written, and the WAN-side port numbers are going to be
different than the LAN-side), but filtering rules still apply **after**
the translation has been done.

What's happening is that your nat rule results in pf re-writing the
packet, then the packet is immediately blocked by one of your block
rules (I'm assuming "block out").

The pf.conf manpage documents this, more or less:

    Since translation occurs before filtering the filter engine will see
    packets as they look after any addresses and ports have been translated.
    Filter rules will therefore have to filter based on the translated
    address and port number. Packets that match a translation rule are only
    automatically passed if the pass modifier is given, otherwise they are
    still subject to block and pass rules.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
From owner-freebsd-pf@FreeBSD.ORG Wed May 21 05:03:35 2008
From: Jason C. Wells
Date: Tue, 20 May 2008 22:03:32 -0700
To: Jeremy Chadwick
Cc: freebsd-pf@FreeBSD.org
Subject: Re: nat pass and state

Jeremy Chadwick wrote:
> I believe it's because pf(4) doesn't make assumptions about what you
> want to filter. NAT is stateful (it has to be, because packets are
> being re-written, and the WAN-side port numbers are going to be
> different than the LAN-side), but filtering rules still apply **after**
> the translation has been done.
>
> What's happening is that your nat rule results in pf re-writing the
> packet, then the packet is immediately blocked by one of your block
> rules (I'm assuming "block out").
>
> The pf.conf manpage documents this, more or less:
>
>     Since translation occurs before filtering the filter engine will see
>     packets as they look after any addresses and ports have been translated.
>     Filter rules will therefore have to filter based on the translated
>     address and port number. Packets that match a translation rule are only
>     automatically passed if the pass modifier is given, otherwise they are
>     still subject to block and pass rules.

I guess my misunderstanding comes in where the pass modifier is
concerned. I also have a weak understanding of what "state" actually
means. The "automatically passed" part of your citation isn't
automatically passing.

I think I'll just drop the pass modifier on the NAT rule. Then it
becomes precisely clear to me that I need a filter rule after the nat
rule.

Regards,
Jason

From owner-freebsd-pf@FreeBSD.ORG Wed May 21 05:12:53 2008
From: Jeremy Chadwick
Date: Tue, 20 May 2008 22:12:52 -0700
To: Jason C. Wells
Cc: freebsd-pf@FreeBSD.org
Subject: Re: nat pass and state

On Tue, May 20, 2008 at 10:03:32PM -0700, Jason C. Wells wrote:
> I guess my misunderstanding comes in where the pass modifier is concerned.
> I also have a weak understanding of what "state" actually means. The
> "automatically passed" part of your citation isn't automatically passing.

Oh! I'm sorry, I missed the "pass" word that was in your nat rule. I
don't ultimately know what that does internally to pf. There does not
appear to be any actual documentation on what the "pass" entry in a nat
rule actually does. This sounds like it could be a bug; even the pf
examples in /usr/share/examples/pf don't use "pass" in a nat rule.

I'll leave the bug comment up to the pf experts here to analyse, though.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
From owner-freebsd-pf@FreeBSD.ORG Wed May 21 08:38:48 2008
From: David DeSimone
Date: Wed, 21 May 2008 03:38:47 -0500
To: freebsd-pf@freebsd.org
Subject: Re: nat pass and state

Jason C. Wells wrote:
>
> Would someone please explain why the nat rule is not sufficient to
> allow me to access a web page? I must have a gross conceptual error
> on how PF works. This is too simple, but I just don't get it.

The first packet arrives on $int_if and is blocked by "block in all".
It never has a chance to route to $ext_if, and thus never matches the
nat rule. The "nat pass" does not apply because the initial packet is
not arriving on $ext_if so it can't match the rule (yet).

You have to allow the connection in on $int_if first, then when it
routes out $ext_if it will match the nat rule and set up state.

-- 
David DeSimone == Network Admin == fox@verio.net
  "This email message is intended for the use of the person to whom it has
   been sent, and may contain information that is confidential or legally
   protected. If you are not the intended recipient or have received this
   message in error, you are not authorized to copy, distribute, or
   otherwise use this message or its attachments. Please notify the sender
   immediately by return e-mail and permanently delete this message and any
   attachments. Verio, Inc. makes no warranty that this email is error or
   virus free. Thank you."
   --Lawyer Bot 6000
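Putting David's explanation beside Jason's ruleset, as an added pf.conf example that is not from the thread: the interface names and the LAN prefix are assumptions, while $ext_if and $int_net are the macros Jason's rules already use.

```pf
# Added example, not from the thread. Interface names and the LAN prefix are
# assumed; $ext_if / $int_net are the macros used in Jason's ruleset.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"

# Translation happens before filtering, so a packet leaving on $ext_if is
# seen by the filter with ($ext_if) as its source address, not $int_net.
nat pass on $ext_if from $int_net to any -> ($ext_if)

block in all
block out all

# Jason's ruleset stopped here. The first packet of a LAN connection arrives
# *in* on $int_if, where "block in all" drops it; it is never routed to
# $ext_if, so the nat rule (pass modifier or not) is never consulted.
# Passing it in on $int_if with state lets it reach the nat rule, and the
# state created there carries the replies back past the block rules.
pass in on $int_if from $int_net to any keep state

# Jason's workaround worked for the same reason: a rule with no direction or
# interface matches the packet both in on $int_if and out on $ext_if.
#   pass proto { tcp, udp } from any to any port http keep state

# Without the pass modifier on the nat rule the translated packet is also
# filtered on its way out, so an explicit out rule is needed, written for
# the translated source address the filter will see:
#   nat on $ext_if from $int_net to any -> ($ext_if)
#   pass out on $ext_if from ($ext_if) to any keep state
```

Load with `pfctl -nf` first to check the syntax; `pfctl -vsr` then shows per-rule evaluation and packet counters, which makes it easy to see which rule is actually dropping the first SYN.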
From owner-freebsd-pf@FreeBSD.ORG Wed May 21 08:40:01 2008
From: David DeSimone
Date: Wed, 21 May 2008 03:40:00 -0500
To: freebsd-pf@freebsd.org
Subject: Re: NAT problem with pppoe

Reinhard Haller wrote:
>
> Sending HUP to ppp doesn't eliminate the problem, pfctl -d/-e and a
> restart of the internal server solve it.

I suggest that your ppp "if_down" script make use of the "pfctl -k"
command to kill state entries that have to do with the IP that is being
removed.

-- 
David DeSimone == Network Admin == fox@verio.net

From owner-freebsd-pf@FreeBSD.ORG Wed May 21 13:19:18 2008
From: Cristian Bradiceanu
Date: Wed, 21 May 2008 16:19:12 +0300
To: Vlad GALU
Cc: freebsd-pf@freebsd.org
Subject: Re: pf reply-to tcp connections stall

On Wed, May 21, 2008 at 1:27 AM, Vlad GALU wrote:
> This may be a PMTUD issue. Make sure your ICMP packets can travel
> back and forth unhindered and that there are no scrub rules that may
> clear out the DF flag on them.

There's no no-df scrub flag, also no icmp filters.
Cristian From owner-freebsd-pf@FreeBSD.ORG Thu May 22 01:03:05 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2CE1E106564A for ; Thu, 22 May 2008 01:03:05 +0000 (UTC) (envelope-from ansarm@gmail.com) Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.178]) by mx1.freebsd.org (Postfix) with ESMTP id DFC108FC1A for ; Thu, 22 May 2008 01:03:04 +0000 (UTC) (envelope-from ansarm@gmail.com) Received: by py-out-1112.google.com with SMTP id p76so446255pyb.10 for ; Wed, 21 May 2008 18:03:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:from:to:subject:date:message-id:mime-version:content-type:x-mailer:thread-index:content-language; bh=848Gkyimh5eDankwm6z4RoRHFQkDTHsWDferrdlHAeQ=; b=aCTqlA+A6P+9UlIgPrEXBAXAOmghJpS318refcvj2X6rNQLIU6cGv4THekHRG9/HYt1XDzshgyYTSqaIUsryuY8H7bilScZ+zdoxb7hOxildIbgTtHaUk3mSEzvnXtBIduOTcyhVmiNNpolRQm5TKirFn5HMeAyzofQ/BNhNaGs= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=from:to:subject:date:message-id:mime-version:content-type:x-mailer:thread-index:content-language; b=jB6m0P8BNeT+gdYnXKqohlrU+sEKDC63mdFqP1nlPHTyusadRpd4RGCJi/UGIGq/USZvaYNzaWTqInpaJrMo/2X9jy0Lq71Dn4uQqOS8I/Int1dt3SqS3fRXjjVCHJhn/+ugnZATDMyB9nEeg4WkNZx40MTWXqEMkL8zHx4DwaY= Received: by 10.64.76.15 with SMTP id y15mr18139560qba.21.1211418183898; Wed, 21 May 2008 18:03:03 -0700 (PDT) Received: from ansarmm2 ( [206.248.190.95]) by mx.google.com with ESMTPS id e16sm2782898qba.14.2008.05.21.18.03.02 (version=SSLv3 cipher=RC4-MD5); Wed, 21 May 2008 18:03:03 -0700 (PDT) From: "Ansar Mohammed" To: Date: Wed, 21 May 2008 21:02:59 -0400 Message-ID: <002d01c8bba7$96128db0$c237a910$@com> MIME-Version: 1.0 X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: Aci7p5O+Wtn57M2bSeSpGIo1YOHdIg== Content-Language: en-ca Content-Type: text/plain; 
charset="us-ascii" Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: ALTQ and bandwidth limiting X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 May 2008 01:03:05 -0000 Hello All, Is there a way using PF and ALTQ that I can set a policy to restrict a particular host to a maximum network speed? I would like to simulate low speed connection using pf. From owner-freebsd-pf@FreeBSD.ORG Thu May 22 04:29:37 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 290A81065676 for ; Thu, 22 May 2008 04:29:37 +0000 (UTC) (envelope-from jdc@parodius.com) Received: from mx01.sc1.parodius.com (mx01.sc1.parodius.com [72.20.106.3]) by mx1.freebsd.org (Postfix) with ESMTP id 1E96A8FC13 for ; Thu, 22 May 2008 04:29:37 +0000 (UTC) (envelope-from jdc@parodius.com) Received: by mx01.sc1.parodius.com (Postfix, from userid 1000) id F2EC51CC033; Wed, 21 May 2008 21:29:36 -0700 (PDT) Date: Wed, 21 May 2008 21:29:36 -0700 From: Jeremy Chadwick To: Ansar Mohammed Message-ID: <20080522042936.GA24418@eos.sc1.parodius.com> References: <002d01c8bba7$96128db0$c237a910$@com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <002d01c8bba7$96128db0$c237a910$@com> User-Agent: Mutt/1.5.17 (2007-11-01) Cc: freebsd-pf@freebsd.org Subject: Re: ALTQ and bandwidth limiting X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 May 2008 04:29:37 -0000 On Wed, May 21, 2008 at 09:02:59PM 
-0400, Ansar Mohammed wrote: > Hello All, > > Is there a way using PF and ALTQ that I can set a policy to restrict a > particular host to a maximum network speed? > > I would like to simulate low speed connection using pf. I believe ipfw dummynet has the capability you're looking for. See the ipfw manpage, section "TRAFFIC SHAPER". -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB | From owner-freebsd-pf@FreeBSD.ORG Thu May 22 06:20:15 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 69C1E106566C for ; Thu, 22 May 2008 06:20:15 +0000 (UTC) (envelope-from ansarm@gmail.com) Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.178]) by mx1.freebsd.org (Postfix) with ESMTP id 143578FC2E for ; Thu, 22 May 2008 06:20:14 +0000 (UTC) (envelope-from ansarm@gmail.com) Received: by py-out-1112.google.com with SMTP id p76so525506pyb.10 for ; Wed, 21 May 2008 23:20:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:from:to:cc:references:in-reply-to:subject:date:message-id:mime-version:content-type:content-transfer-encoding:x-mailer:thread-index:content-language; bh=9aR/0ZmI5qF7dXfKr79rs5fSi2m4XIGn06GWFnsFOJA=; b=fmWrOdiIxyLbHGhD9z1THk+2byXv+B4UXQxYdgXDpzlVdh+Vrz6tOTankipO9hi4sWMMGshR2m23qyx4G+854SNE7eOKMoKT9lKhxCjic4582D35Bj9KT+IBmndKjy1m5F29oWdv2uA+5koaCnTN7SiAEzoMTU6Egha3FqYk0xw= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=from:to:cc:references:in-reply-to:subject:date:message-id:mime-version:content-type:content-transfer-encoding:x-mailer:thread-index:content-language; 
b=o35iZcGkWBRYp36NafsyIT+1s/+zrmCE7H3hyXYB4PBLwC1F5e69zhibmqAUaMHBQAmyvwpWsUagBSuNExWr71VFptAJ6iO9ouAOV3622OdDwO5weTS7o8ATbYmUImwnZ6rvn/4yA9fKrJ8DaCZE0TwB2qEkCkouqc27ksmPXZU= Received: by 10.65.97.18 with SMTP id z18mr18650684qbl.77.1211437212514; Wed, 21 May 2008 23:20:12 -0700 (PDT) Received: from ansarmm2 ( [206.248.190.95]) by mx.google.com with ESMTPS id f15sm2996409qba.28.2008.05.21.23.20.10 (version=SSLv3 cipher=RC4-MD5); Wed, 21 May 2008 23:20:11 -0700 (PDT) From: "Ansar Mohammed" To: "'Jeremy Chadwick'" References: <002d01c8bba7$96128db0$c237a910$@com> <20080522042936.GA24418@eos.sc1.parodius.com> In-Reply-To: <20080522042936.GA24418@eos.sc1.parodius.com> Date: Thu, 22 May 2008 02:20:09 -0400 Message-ID: <006601c8bbd3$e3b654d0$ab22fe70$@com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: Aci7xHO/oQIfWlGPRoW04Z+lF9cg8AADEO0Q Content-Language: en-ca Cc: freebsd-pf@freebsd.org Subject: RE: ALTQ and bandwidth limiting X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 May 2008 06:20:15 -0000

Ok, I got a bit further. I compiled in ALTQ and I am using Class Based Queueing. Here is a snippet of my pf.conf:

altq on le1 cbq bandwidth 100Mb queue { std, cifs, http }
queue std bandwidth 88.5Mb cbq(default)
queue cifs bandwidth 1500Kb cbq
queue http bandwidth 1Mb cbq

Here is the problem: no matter what value I set for the CBQ queue, it's at least 1/4 of the actual configured maximum. So I configured http for 1Mb, the max throughput I get is 288Mb. Can anyone explain why?
> -----Original Message----- > From: Jeremy Chadwick [mailto:koitsu@FreeBSD.org] > Sent: May 22, 2008 12:30 AM > To: Ansar Mohammed > Cc: freebsd-pf@freebsd.org > Subject: Re: ALTQ and bandwidth limiting > > On Wed, May 21, 2008 at 09:02:59PM -0400, Ansar Mohammed wrote: > > Hello All, > > > > Is there a way using PF and ALTQ that I can set a policy to restrict > a > > particular host to a maximum network speed? > > > > I would like to simulate low speed connection using pf. > > I believe ipfw dummynet has the capability you're looking for. See the > ipfw manpage, section "TRAFFIC SHAPER". > > -- > | Jeremy Chadwick jdc at parodius.com | > | Parodius Networking http://www.parodius.com/ | > | UNIX Systems Administrator Mountain View, CA, USA | > | Making life hard for others since 1977. PGP: 4BD6C0CB | From owner-freebsd-pf@FreeBSD.ORG Fri May 23 11:24:24 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A74791065675 for ; Fri, 23 May 2008 11:24:24 +0000 (UTC) (envelope-from artemrts@ukr.net) Received: from ffe7.ukr.net (ffe7.ukr.net [195.214.192.26]) by mx1.freebsd.org (Postfix) with ESMTP id 5F78C8FC19 for ; Fri, 23 May 2008 11:24:24 +0000 (UTC) (envelope-from artemrts@ukr.net) Received: from mail by ffe7.ukr.net with local ID 1JzVNm-0003q3-9p for freebsd-pf@freebsd.org; Fri, 23 May 2008 14:24:22 +0300 MIME-Version: 1.0 To: freebsd-pf@freebsd.org From: "Vitaliy Vladimirovich" X-Life: is great, enjoy it! X-Mailer: freemail.ukr.net mPOP 3.4.1 X-Originating-Ip: [194.0.148.10] In-Reply-To: X-Browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14 Message-Id: Date: Fri, 23 May 2008 14:24:22 +0300 Content-Type: text/plain; charset="windows-1251" Content-Transfer-Encoding: 8bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: How specify range IP? 
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 May 2008 11:24:24 -0000 Hi,all! I need specify a range IP addresses in may spamd-whitelist table, e.g. 209.85.128.0-209.85.255.255. How can I do this correctly? Thanks in advance! From owner-freebsd-pf@FreeBSD.ORG Fri May 23 13:34:12 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E1319106567A for ; Fri, 23 May 2008 13:34:12 +0000 (UTC) (envelope-from artemrts@ukr.net) Received: from ffe11.ukr.net (ffe11.ukr.net [195.214.192.31]) by mx1.freebsd.org (Postfix) with ESMTP id 945A48FC15 for ; Fri, 23 May 2008 13:34:12 +0000 (UTC) (envelope-from artemrts@ukr.net) Received: from mail by ffe11.ukr.net with local ID 1JzXPN-000NaL-MS ; Fri, 23 May 2008 16:34:09 +0300 MIME-Version: 1.0 To: Mike Tancsa From: "Vitaliy Vladimirovich" X-Life: is great, enjoy it! X-Mailer: freemail.ukr.net mPOP 3.4.1 X-Originating-Ip: [194.0.148.10] In-Reply-To: <200805231307.m4ND7Ip1065546@lava.sentex.ca> X-Browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14 Message-Id: Date: Fri, 23 May 2008 16:34:09 +0300 Content-Type: text/plain; charset="windows-1251" Content-Transfer-Encoding: 8bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-pf@freebsd.org Subject: Re[2]: How specify range IP? 
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 May 2008 13:34:13 -0000 --- Original Message --- From: Mike Tancsa To: "Vitaliy Vladimirovich" , freebsd-pf@freebsd.org Date: 23 may, 16:07:12 Subject: Re: How specify range IP? At 07:24 AM 5/23/2008, Vitaliy Vladimirovich wrote: >Hi,all! >I need specify a range IP addresses in may spamd-whitelist table, >e.g. 209.85.128.0-209.85.255.255. >How can I do this correctly? Hi, Try in CIDR notation. e.g. 209.85.128.0/17 I know about CIDR notation, and what about if I need specify something similary 10.0.10.1-10.0.10.8?? From owner-freebsd-pf@FreeBSD.ORG Fri May 23 14:14:47 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 120561065676 for ; Fri, 23 May 2008 14:14:47 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [64.7.153.18]) by mx1.freebsd.org (Postfix) with ESMTP id AC3838FC1F for ; Fri, 23 May 2008 14:14:46 +0000 (UTC) (envelope-from mike@sentex.net) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by smarthost1.sentex.ca (8.14.2/8.14.2) with ESMTP id m4ND7IlE033455; Fri, 23 May 2008 09:07:18 -0400 (EDT) (envelope-from mike@sentex.net) Received: from mdt-xp.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.13.8/8.13.3) with ESMTP id m4ND7Ip1065546 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 23 May 2008 09:07:18 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <200805231307.m4ND7Ip1065546@lava.sentex.ca> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Fri, 23 May 2008 09:07:12 -0400 To: "Vitaliy Vladimirovich" , freebsd-pf@freebsd.org From: Mike Tancsa 
In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Scanned-By: MIMEDefang 2.64 on 64.7.153.18 Cc: Subject: Re: How specify range IP? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 May 2008 14:14:47 -0000 At 07:24 AM 5/23/2008, Vitaliy Vladimirovich wrote: >Hi,all! >I need specify a range IP addresses in may spamd-whitelist table, >e.g. 209.85.128.0-209.85.255.255. >How can I do this correctly? Hi, Try in CIDR notation. e.g. 209.85.128.0/17 ---Mike > >Thanks in advance! >_______________________________________________ >freebsd-pf@freebsd.org mailing list >http://lists.freebsd.org/mailman/listinfo/freebsd-pf >To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" From owner-freebsd-pf@FreeBSD.ORG Fri May 23 14:20:23 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6C119106566C for ; Fri, 23 May 2008 14:20:23 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [64.7.153.18]) by mx1.freebsd.org (Postfix) with ESMTP id 32C938FC17 for ; Fri, 23 May 2008 14:20:23 +0000 (UTC) (envelope-from mike@sentex.net) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by smarthost1.sentex.ca (8.14.2/8.14.2) with ESMTP id m4NEKIKJ059165; Fri, 23 May 2008 10:20:18 -0400 (EDT) (envelope-from mike@sentex.net) Received: from mdt-xp.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.13.8/8.13.3) with ESMTP id m4NEKHrN065857 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 23 May 2008 10:20:18 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: 
<200805231420.m4NEKHrN065857@lava.sentex.ca> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Fri, 23 May 2008 10:20:12 -0400 To: "Vitaliy Vladimirovich" From: Mike Tancsa In-Reply-To: References: <200805231307.m4ND7Ip1065546@lava.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Scanned-By: MIMEDefang 2.64 on 64.7.153.18 Cc: freebsd-pf@freebsd.org Subject: Re[2]: How specify range IP? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 May 2008 14:20:23 -0000 At 09:34 AM 5/23/2008, Vitaliy Vladimirovich wrote: >Hi, >Try in CIDR notation. e.g. 209.85.128.0/17 > > >I know about CIDR notation, and what about if I need specify >something similary 10.0.10.1-10.0.10.8?? I usually do it in a series of CIDR notations when it does not match normal boundaries. I know on ports you have range operators (see pf.conf) but I am not sure there is the equiv for IP addresses. Is there some reason you dont want to use CIDR notation ? 
in your case, (10.0.10.0/29,10.0.10.8) ---Mike From owner-freebsd-pf@FreeBSD.ORG Fri May 23 14:46:54 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AD8CB1065688 for ; Fri, 23 May 2008 14:46:54 +0000 (UTC) (envelope-from tevans.uk@googlemail.com) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.171]) by mx1.freebsd.org (Postfix) with ESMTP id 384438FC27 for ; Fri, 23 May 2008 14:46:54 +0000 (UTC) (envelope-from tevans.uk@googlemail.com) Received: by ug-out-1314.google.com with SMTP id q2so878625uge.37 for ; Fri, 23 May 2008 07:46:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:subject:from:to:cc:in-reply-to:references:content-type:date:message-id:mime-version:x-mailer; bh=Ixe6XjL49NR8RjddbonZcJtyD3zwtCo100McAEgDl3U=; b=tk7fSZTl17vtxxnPQv7RMiqi2rm629cdHyMOn1yudhV+eW2J3s1ci47HpNqFz16cy8lLuPXHigyRtvzDDG4zsom22Iw+y3uO2j34nCEWaj277b/rIo1GUGNMnfJcy855Q6ON3a1yBCJgOYgu/VwnbigQ7BMKCWBZBFiPSydzBbE= DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=subject:from:to:cc:in-reply-to:references:content-type:date:message-id:mime-version:x-mailer; b=MGb6cTEBK9HFZ6G0V882rKCFZME1/EyRfLLL32yhD4coWkU+T+ZVWU+rNpdQf/rEznM2IRn+2TNfqMPU6OYPbQHiqxJCWqe9ykaHxoeHP7i04VIerrLUiL5m5igfcu36CwLagNtnzoUj/G657DDGzAX4gaMBdXaNg/aYZqHKjz0= Received: by 10.66.232.9 with SMTP id e9mr730052ugh.49.1211552467149; Fri, 23 May 2008 07:21:07 -0700 (PDT) Received: from ?127.0.0.1? 
( [217.206.187.80]) by mx.google.com with ESMTPS id j8sm10543300gvb.1.2008.05.23.07.21.04 (version=SSLv3 cipher=RC4-MD5); Fri, 23 May 2008 07:21:05 -0700 (PDT) From: Tom Evans To: Vitaliy Vladimirovich In-Reply-To: References: Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-nSpIJUC8FsOebJxaOCIS" Date: Fri, 23 May 2008 15:21:03 +0100 Message-Id: <1211552463.10665.16.camel@localhost> Mime-Version: 1.0 X-Mailer: Evolution 2.12.3 FreeBSD GNOME Team Port Cc: freebsd-pf@freebsd.org Subject: Re: Re[2]: How specify range IP? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 May 2008 14:46:54 -0000 --=-nSpIJUC8FsOebJxaOCIS Content-Type: text/plain Content-Transfer-Encoding: quoted-printable

On Fri, 2008-05-23 at 16:34 +0300, Vitaliy Vladimirovich wrote:
>
> --- Original Message ---
> From: Mike Tancsa
> To: "Vitaliy Vladimirovich" , freebsd-pf@freebsd.org
> Date: 23 may, 16:07:12
> Subject: Re: How specify range IP?
>
> At 07:24 AM 5/23/2008, Vitaliy Vladimirovich wrote:
>
> >Hi,all!
> >I need specify a range IP addresses in may spamd-whitelist table,
> >e.g. 209.85.128.0-209.85.255.255.
> >How can I do this correctly?
>
> Hi,
> Try in CIDR notation. e.g. 209.85.128.0/17
> I know about CIDR notation, and what about if I need specify something similary 10.0.10.1-10.0.10.8??
>

10.0.10.1 - 10.0.10.8 can't be represented as a single CIDR range, therefore you would need to specify multiple addresses to represent it in CIDR notation.
It would therefore be the combination of the 4 ranges:

10.0.10.1/32
10.0.10.2/31
10.0.10.4/30
10.0.10.8/32

10.0.10.0 - 10.0.10.7 can be represented as the single range 10.0.10.0/29

Tom

--=-nSpIJUC8FsOebJxaOCIS Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (FreeBSD) iEYEABECAAYFAkg20skACgkQlcRvFfyds/dfLQCfUxcbTG1sYSFOAqsTIPJCkD3Q TsIAnRMOCBQHJQTxCHGzjsDezWsiiiAd =aAbM -----END PGP SIGNATURE----- --=-nSpIJUC8FsOebJxaOCIS-- From owner-freebsd-pf@FreeBSD.ORG Fri May 23 15:03:29 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A220B106564A for ; Fri, 23 May 2008 15:03:29 +0000 (UTC) (envelope-from 000.fbsd@quip.cz) Received: from elsa.codelab.cz (elsa.codelab.cz [91.103.162.4]) by mx1.freebsd.org (Postfix) with ESMTP id 5CFBA8FC23 for ; Fri, 23 May 2008 15:03:29 +0000 (UTC) (envelope-from 000.fbsd@quip.cz) Received: from localhost (localhost.codelab.cz [127.0.0.1]) by elsa.codelab.cz (Postfix) with ESMTP id 0212719E023; Fri, 23 May 2008 16:44:51 +0200 (CEST) Received: from [192.168.1.2] (r5bb235.net.upc.cz [86.49.61.235]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by elsa.codelab.cz (Postfix) with ESMTPSA id B2C4919E019; Fri, 23 May 2008 16:44:48 +0200 (CEST) Message-ID: <4836D872.9080804@quip.cz> Date: Fri, 23 May 2008 16:45:06 +0200 From: Miroslav Lachman <000.fbsd@quip.cz> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: cz, cs, en, en-us MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: In-Reply-To: Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: Re: How specify range IP?
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 May 2008 15:03:29 -0000 Vitaliy Vladimirovich wrote: > > --- Original Message --- >>Hi,all! >>I need specify a range IP addresses in may spamd-whitelist table, >>e.g. 209.85.128.0-209.85.255.255. >>How can I do this correctly? > > > Hi, > Try in CIDR notation. e.g. 209.85.128.0/17 > I know about CIDR notation, and what about if I need specify something similary 10.0.10.1-10.0.10.8?? You can use net/tableutil from ports to convert your ranges in to CIDR. http://www.freebsd.org/cgi/url.cgi?ports/net/tableutil/pkg-descr http://expiretable.fnord.se/ Miroslav Lachman From owner-freebsd-pf@FreeBSD.ORG Sat May 24 01:37:36 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4A4DA106564A for ; Sat, 24 May 2008 01:37:36 +0000 (UTC) (envelope-from apache@austin.pins-web.net) Received: from austin.pins-web.net (austin.pins-web.net [217.194.97.84]) by mx1.freebsd.org (Postfix) with ESMTP id 0014E8FC1D for ; Sat, 24 May 2008 01:37:35 +0000 (UTC) (envelope-from apache@austin.pins-web.net) Received: by austin.pins-web.net (Postfix, from userid 48) id AD0138794E8; Fri, 23 May 2008 17:43:49 +0200 (CEST) To: freebsd-pf@freebsd.org From: Barr Daniel Obiora (ESQ) <> MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 8bit Message-Id: <20080523154349.AD0138794E8@austin.pins-web.net> Date: Fri, 23 May 2008 17:43:49 +0200 (CEST) Subject: ATTENTION X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: fedex_courierbenin201@yahoo.fr List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: 
List-Help: List-Subscribe: , X-List-Received-Date: Sat, 24 May 2008 01:37:36 -0000 Hello Dear, I have Paid the fee for your Cheque Draft.but the manager of Eko Bankn Benin told me that before the check will get to you that it will expire.So i told him to cash $1.5M USA DOLLar all the necessary arrangement of delivering the $1.5M USA DOLLar in cash was made with FedEX DELIVERY COURIER COMPANY. This is the information they need to delivery your package to you.with FEDEX DELIVERY COURIER COMPANY, contact them now. NAME:FEDEX COURIER DELIVERING COMPANY. ATTANTION: PERSON: DR.JERRY LAWRENCE POSITION: FOREIGN DELIVERY DEPARTMENT. ADDRESS: COTONOU BENIN REPUBLIC E-MAIL:fedex_courierbenin201@yahoo.fr Phone number: PHONE NUMBER: +229 9374 0412 Please, Send them your contacts information to able them locate you immediately they arrived in your country with your BOX .This is what they need from you. 1.YOUR FULL NAME 2.YOUR HOME ADDRESS. 3.YOUR CURRENT HOME TELEPHONE NUMBER. 4.YOUR CURRENT OFFICE TELEPHONE. 5. YOUR CURRENT HOME TELEPHONE NUMBER. 6.A COPY OF YOUR PICTURE Note that this is there E-mail contact (fedex_courierbenin201@yahoo.fr) Please make sure you send this needed info's to the Director general of FEDEX DELIVERY COURIER COMPANY BENIN REPUBLIC,DR.JERRY Lawrence with the address given to you. Note. The Fedex Delivery Courier Company don't know the contents of the Box. I registered it as a Box of an African cloths. They don't know it contents money, this is to avoid them delaying with the Box.don't let them know that is money that is in that Box. Thanks and Remain Blessed. 
Barr Daniel Obiora (ESQ) From owner-freebsd-pf@FreeBSD.ORG Sat May 24 08:25:03 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C35F01065676 for ; Sat, 24 May 2008 08:25:03 +0000 (UTC) (envelope-from peter@bsdly.net) Received: from skapet.bsdly.net (cl-426.sto-01.se.sixxs.net [IPv6:2001:16d8:ff00:1a9::2]) by mx1.freebsd.org (Postfix) with ESMTP id 8D9088FC0C for ; Sat, 24 May 2008 08:25:03 +0000 (UTC) (envelope-from peter@bsdly.net) Received: from thingy.bsdly.net ([10.168.103.11] helo=thingy.bsdly.net.bsdly.net ident=peter) by skapet.bsdly.net with esmtp (Exim 4.69) (envelope-from ) id 1Jzp3l-0005cs-7q for freebsd-pf@freebsd.org; Sat, 24 May 2008 10:25:01 +0200 To: freebsd-pf@freebsd.org References: From: peter@bsdly.net (Peter N. M. Hansteen) Date: Sat, 24 May 2008 10:24:59 +0200 In-Reply-To: (Vitaliy Vladimirovich's message of "Fri, 23 May 2008 14:24:22 +0300") Message-ID: <87wslkt8h0.fsf@thingy.bsdly.net> User-Agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4.19 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Subject: Re: How specify range IP? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 24 May 2008 08:25:03 -0000 "Vitaliy Vladimirovich" writes: > I need specify a range IP addresses in may spamd-whitelist table, e.g. 209.85.128.0-209.85.255.255. > How can I do this correctly? The address/netmask notation works, ie 209.85.128.0/17 -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
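Added example for the "How specify range IP?" thread above (not code from the list, from pf, spamd or tableutil): the greedy range-to-CIDR decomposition that Tom Evans works out by hand for 10.0.10.1-10.0.10.8, generalised to any inclusive IPv4 range, rendered in the one-entry-per-line format a pf table file uses, and cross-checked against the standard library. It also audits a hand-written entry list for addresses it admits outside the intended range, which is what a whitelist author most needs to know: Mike Tancsa's shorthand `10.0.10.0/29, 10.0.10.8` also matches 10.0.10.0. The address ranges are the ones quoted in the thread; the table name and the pfctl invocation in the comments are assumptions.

```python
"""Inclusive IPv4 range -> minimal CIDR prefixes, rendered as pf table entries.

Added example for the "How specify range IP?" thread; it is not code from
the thread, from pf, spamd or tableutil. Ranges are the ones quoted in the
thread; the table name mentioned in comments is assumed.
"""
import ipaddress


def range_to_cidrs(first: str, last: str) -> list[str]:
    """Greedy decomposition of the inclusive range first..last into the fewest CIDR blocks.

    At each step take the largest block that (a) starts at the current address,
    which requires the address to be aligned to the block size, and (b) does not
    run past the end of the range. Each block is then emitted and skipped over.
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError(f"range start {first} is after range end {last}")
    blocks = []
    while start <= end:
        prefix = 32
        # Try progressively larger blocks (shorter prefixes) while alignment
        # and the remaining part of the range still allow it.
        while prefix > 0:
            size = 1 << (32 - (prefix - 1))
            if start % size != 0 or start + size - 1 > end:
                break
            prefix -= 1
        blocks.append(f"{ipaddress.IPv4Address(start)}/{prefix}")
        start += 1 << (32 - prefix)
    return blocks


def parse_range(spec: str) -> tuple[str, str]:
    """Accept 'a.b.c.d-e.f.g.h' (spaces around '-' allowed) or a single address."""
    if "-" in spec:
        first, last = (s.strip() for s in spec.split("-", 1))
        return first, last
    return spec.strip(), spec.strip()


def pf_table_file(specs: list[str]) -> str:
    """Render ranges in the one-entry-per-line file format a pf table is loaded
    from, e.g. 'pfctl -t spamd-white -T replace -f whitelist.txt' (table name assumed)."""
    lines = []
    for spec in specs:
        first, last = parse_range(spec)
        lines.append(f"# {first}-{last}")
        lines.extend(range_to_cidrs(first, last))
    return "\n".join(lines) + "\n"


def addresses_outside_range(entries: list[str], first: str, last: str) -> list[str]:
    """Addresses matched by the given table entries that lie outside first..last.

    Audits a hand-written list: an over-wide prefix silently admits neighbours
    of the hosts you meant to whitelist.
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    extra = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)  # bare address -> /32
        for addr in net:
            if not lo <= int(addr) <= hi:
                extra.append(str(addr))
    return extra


def matches_stdlib(first: str, last: str) -> bool:
    """Cross-check against ipaddress.summarize_address_range, which does the same job."""
    expected = [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]
    return range_to_cidrs(first, last) == expected


if __name__ == "__main__":
    print(pf_table_file(["209.85.128.0-209.85.255.255", "10.0.10.1-10.0.10.8"]))
    # Mike's shorthand admits one address that was not asked for:
    print(addresses_outside_range(["10.0.10.0/29", "10.0.10.8"], "10.0.10.1", "10.0.10.8"))
```

The generated file loads into an existing table with `pfctl -t <table> -T replace -f <file>`, so the audit function is worth running on any list before it goes live: a single address outside the intended range in a spamd whitelist means mail from that host bypasses greylisting.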