From owner-freebsd-pf@FreeBSD.ORG Sun Jun 8 21:08:54 2008

Date: Sun, 8 Jun 2008 21:08:54 GMT
Message-Id: <200806082108.m58L8sIK054237@freefall.freebsd.org>
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-i386@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/124364: [pf] [panic] Kernel panic with pf + bridge
List-Id: "Technical discussion and general questions about packet filter (pf)"

Old Synopsis: Kernel panic with pf + bridge
New Synopsis: [pf] [panic] Kernel panic with pf + bridge

Responsible-Changed-From-To: freebsd-i386->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun Jun 8 21:08:36 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=124364

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 9 11:07:03 2008

Date: Mon, 9 Jun 2008 11:07:03 GMT
Message-Id: <200806091107.m59B73ve070826@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/116610   pf    [patch] teach tcpdump(1) to cope with the new-style pf
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge

6 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/114567  pf    [pf] LOR pf_ioctl.c + if.c
o kern/118355  pf    [pf] [patch] pfctl help message options order false -t
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to

9 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Jun 9 12:50:57 2008

Message-ID: <484D2288.4040901@lc-words.com>
Date: Mon, 09 Jun 2008 14:31:04 +0200
From: Zbigniew Szalbot
Reply-To: z.szalbot@lc-words.com
To: freebsd-pf@freebsd.org
Subject: altq / priority queuing / limiting rsync bandwidth

Hello,

Many thanks for the suggestions on how to limit the bandwidth taken up by
rsync. I am using pf with priority queuing.

Thank you in advance!

--
Zbigniew Szalbot
www.lc-words.com

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 9 15:50:45 2008

Message-ID: <484D5165.4090706@quip.cz>
Date: Mon, 09 Jun 2008 17:51:01 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: z.szalbot@lc-words.com
Cc: freebsd-pf@freebsd.org
In-Reply-To: <484D2288.4040901@lc-words.com>
Subject: Re: altq / priority queuing / limiting rsync bandwidth

Zbigniew Szalbot wrote:
> Hello,
>
> Many thanks for the suggestions on how to limit the bandwidth taken up by
> rsync. I am using pf with priority queuing.

Why not use rsync option?

     --bwlimit=KBPS          limit I/O bandwidth; KBytes per second

Miroslav Lachman

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 9 23:00:05 2008

Message-ID: <8c29c6720806091532h49ab27c9t101081279e5138af@mail.gmail.com>
Date: Mon, 9 Jun 2008 15:32:30 -0700
From: "Thomas Kinsey"
Reply-To: thomas.kinsey@pmg-ca.com
To: freebsd-pf@freebsd.org
Subject: prioritizing outbound traffic from internal services

Hello List,

This is my first time, so be gentle.

I want to prioritize outbound traffic from an ssh server behind my pf box.
My ADSL connection is almost always flooded, so when I connect to the ssh
server from work, there is a lot of lag. Connections originating from the
LAN hit the outbound queue on the external interface, and all goes well;
however, packets from the externally initiated connection don't seem to be
being queued. Is there any way to do this?

I googled around a bit and found rules that did something like this:

altq on $ext priq bandwidth 350Kb queue { fast, slow }
queue fast priority 7 priq(red)
queue slow priority 1 priq(default red)

And then applied that to an INBOUND filter rule on the same interface, like this:

pass in on $ext proto tcp from any to ($ext) port 22 keep state queue fast

But that doesn't seem to work for me. Am I doing something wrong here?

The box running pf is a Soekris net4521, running FreeBSD 6.3-RELEASE. Maybe
the older version of pf is relevant?

Thanks in advance,
TK
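Added example, not the original poster's ruleset or any reply from the list: a complete pf.conf fragment for the priq setup described above, with the queue assignment placed on the rules that create state for both LAN-initiated and externally initiated ssh sessions. The interface names (`sis0`/`sis1`), the ssh server's LAN address and the use of an `rdr` rule to reach it are assumptions. Two properties of pf shape the example: ALTQ only queues packets leaving the interface named in the `altq on` line, and a `queue` keyword on a stateful `pass in` rule applies to the reply packets of that state when they leave that interface; and `rdr` translation is performed before the filter rules are evaluated, so a filter rule on the external interface has to match the translated (internal) address.

```pf
# Added example (not the original poster's ruleset).  Interface names, the
# ssh server's LAN address and the rdr rule are assumptions.
ext_if  = "sis0"            # assumed: external (ADSL) side of the pf box
int_if  = "sis1"            # assumed: LAN side
ssh_srv = "192.168.0.10"    # assumed: LAN address of the ssh server

# ALTQ acts on packets leaving $ext_if.  350Kb is the figure from the post;
# it should sit slightly below the real ADSL upstream rate so that the queue
# builds up in pf rather than in the modem.
altq on $ext_if priq bandwidth 350Kb queue { fast, slow }
queue fast priority 7 priq(red)
queue slow priority 1 priq(default red)

# Make the internal ssh server reachable from outside.  rdr runs before the
# filter rules, so the pass rule below matches $ssh_srv, not ($ext_if).
rdr on $ext_if proto tcp from any to ($ext_if) port 22 -> $ssh_srv port 22

# Externally initiated session.  The state is created by this inbound rule;
# its queue assignment follows the state, so the server's replies leaving
# $ext_if (the congested direction) are placed in "fast".
pass in on $ext_if inet proto tcp from any to $ssh_srv port 22 \
    flags S/SA keep state queue fast

# ssh started from the LAN: queued "fast" on the way out of $ext_if.
pass in on $int_if inet proto tcp from $int_if:network to any port 22 \
    flags S/SA keep state queue fast

# Everything else from the LAN lands in the default queue ("slow").
pass in on $int_if from $int_if:network to any keep state
pass out on $ext_if keep state

# Verify with:  pfctl -vvs queue
# The per-queue packet counter for "fast" should increase while an
# external ssh session is active; if only "slow" moves, the session's
# state was not created by a rule carrying "queue fast".
```

The per-queue counters from `pfctl -vvs queue` are the quickest way to tell whether a given session is landing in the intended queue, which is the check to make before suspecting the pf version.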
From owner-freebsd-pf@FreeBSD.ORG Tue Jun 10 00:56:53 2008

Date: Tue, 10 Jun 2008 12:55:17 +1200
From: "Mark Pagulayan"
Subject: PF: See packet errors on external interface

Hi Guys,

I was just wondering if you could help me with my problem.

Before going into the details, here is my setup:

OS: FreeBSD 7.0-RELEASE i386
Firewall: PF
Interface: em1 (external interface) and em0 (internal interface)
Setup: The 2 interfaces above are set up as a bridge, so we are using PF as a
layer 2 FW. Use altq to define queues on em1 and em0 (default, unlimited,
sponsored, premium, standard).

Doing a netstat -d -I em1, I can see that there are incoming packet errors
but no outgoing packet errors. A number of drops but no collisions.

Doing a netstat -d -I em0, I can see that there are no errors on the incoming
and outgoing packets. A number of drops but no collisions.

Doing a netstat -d -l bridge0, I don't see any errors on the incoming and
outgoing packets. No drops and collisions.

Looking at my ruleset I can see that I have

scrub in on em1

Does this rule cause the packet errors? Or is it presumably because of the
speed of the network? We are running at around 8000 packets/s for incoming
and outgoing traffic. There was a plan to remove this rule. If we do that,
what would the implications be?

Also, using the tool pftop, the default queue has packet drops and suspensions:

QUEUE    BW   SCH PRIO PKTS    BYTES   DROP_P DROP_B QLEN BORROW SUSPEN P/S  B/S
default  134M cbq      1326370 775902K 138    102128 0    0      2798   8182 4340435

Do you think the scrub rule is causing pf to suspend some packets? I also
wish to understand how pftop works to be able to debug the problem.

The reason that I am asking these questions is that we get connectivity
issues with some external sites that we connect to. It might be the uplink
that has problems, but I hope I could gather information on what might be
causing this, or things that might or might not be related to this issue.

Your help would be greatly appreciated.

Thanks

Mark Pagulayan
University of Auckland

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 10 04:22:23 2008

Message-ID: <54b5397b0806092056y187d44d0nc054f9c9673d474c@mail.gmail.com>
Date: Tue, 10 Jun 2008 11:56:22 +0800
From: "Granzon Li"
To: freebsd-pf@freebsd.org
Subject: pf with bridge

Hi all!

I would like to build a transparent proxy with pf+squid3.0, in bridge mode.
But it seems that I can't make pf and bridge work properly.

Here is my environment:

myLan->FreeBSD(pf+squid3.0)->gateway->Internet

I just followed the steps for building the bridge which were described in
the handbook, using these commands:

# ifconfig bridge create
# ifconfig bridge0 addm fxp0 addm fxp1 up
# ifconfig fxp0 up
# ifconfig fxp1 up

but I can't ping the Internet without an IP, so I try

# ifconfig fxp0 192.168.1.5/24
# route add default 192.168.1.1    (my gateway's ip)

and after that, I can ping the Internet in myLan, then I think my bridge can
work! Then I add these to my pf.conf:

int_if="fxp0"
ext_if="fxp1"
rdr pass on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128    (my squid)
pass in all
pass out all

but myLan PC can't surf the web pages using my proxy. And when I turn off pf,
myLan PC can surf again! While using pfctl -ss, I can see

self tcp 127.0.0.1:3128<-x.x.x.x:80-<

but I can't see any requests in my squid, and then I made some tests:

rdr pass on $int_if inet proto tcp from any to any port www -> www.google.com port 80

It works!

rdr pass on $int_if inet proto tcp from any to any port www -> 192.168.1.121 port 80    (I just built an apache on one of my LAN PCs)

It didn't work.

So I guess maybe there is something wrong with my pf and bridge. Does anybody
know what the problem is? Any idea will be appreciated, thanks!
From owner-freebsd-pf@FreeBSD.ORG Tue Jun 10 10:13:46 2008

Date: Tue, 10 Jun 2008 17:46:11 +0800
From: "Rosli Sukri"
To: freebsd-pf@freebsd.org
Subject: multi gateways setup

hi

scenario:
users---->[lan]freebsdpf[wan]----->{gw1,gw2}
where gw1 goes to isp1, and gw2 goes to isp2.

requirements:
ftp, http, https traffic goes to gw1
telnet, ssh, mail and pop goes to gw2

can freebsdpf do this?

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 10 10:42:57 2008

Message-ID: <484E5581.5000100@nora.no-ip.org>
Date: Tue, 10 Jun 2008 16:20:49 +0600
From: Rossikhin Aleksey
To: Rosli Sukri
Cc: freebsd-pf@freebsd.org
Subject: Re: multi gateways setup

Rosli Sukri wrote:
> hi
>
> scenario:
> users---->[lan]freebsdpf[wan]----->{gw1,gw2}
> where gw1 goes to isp1, and gw2 goes to isp2.
>
> requirements:
> ftp, http, https traffic goes to gw1
> telnet, ssh, mail and pop goes to gw2
>
> can freebsdpf do this?
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

Yes, it can. Look for the "reply-to" and "route-to" options in pass rules.
For example:

pass out route-to ($wan_if $gw1) from $wan_if to any port http keep state

Here all http traffic from the FreeBSD host goes to gw1.

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 10 10:49:10 2008

Message-ID: <20080610123357.63ba499b@twoflower.in.publishing.hu>
Date: Tue, 10 Jun 2008 12:33:57 +0200
From: CZUCZY Gergely
Organization: Harmless Digital
To: "Rosli Sukri"
Cc: freebsd-pf@freebsd.org
Subject: Re: multi gateways setup

Yes.

On Tue, 10 Jun 2008 17:46:11 +0800 "Rosli Sukri" wrote:
> hi
>
> scenario:
> users---->[lan]freebsdpf[wan]----->{gw1,gw2}
> where gw1 goes to isp1, and gw2 goes to isp2.
>
> requirements:
> ftp, http, https traffic goes to gw1
> telnet, ssh, mail and pop goes to gw2
>
> can freebsdpf do this?

--
Regards,
Czuczy Gergely
Harmless Digital Bt
mailto: gergely.czuczy@harmless.hu
Tel: +36-30-9702963
From owner-freebsd-pf@FreeBSD.ORG Tue Jun 10 15:07:46 2008

Date: Tue, 10 Jun 2008 21:37:07 +0700
From: "mitrohin a.s."
Reply-To: swp@swp.pp.ru
To: freebsd-pf@freebsd.org
Message-ID: <20080610143707.GA99039@swp.pp.ru>
Subject: Re: multi gateways setup

On Tue, Jun 10, 2008 at 05:46:11PM +0800, Rosli Sukri wrote:
> hi
>
> scenario:
> users---->[lan]freebsdpf[wan]----->{gw1,gw2}
> where gw1 goes to isp1, and gw2 goes to isp2.
>
> requirements:
> ftp, http, https traffic goes to gw1
> telnet, ssh, mail and pop goes to gw2
>
> can freebsdpf do this?

nat from any to any port = { ftp http https } tag W1 -> (wan1)
nat from any to any port = { telnet ssh mail pop } tag W2 -> (wan2)

set skip on lan0

pass quick on wan1 tagged W1 keep state
pass quick route-to (wan1 gw1) tagged W1 keep state
pass quick on wan2 tagged W2 keep state
pass quick route-to (wan2 gw2) tagged W2 keep state

/swp

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 12 21:54:28 2008

Date: Thu, 12 Jun 2008 16:26:39 -0500 (CDT)
From: "Jeremy C. Reed"
To: freebsd-pf@freebsd.org
Subject: random nat source ports not always random

I have

nat on iwi0 from 192.168.19.4 port 2222 to any port 3333 -> 192.168.19.4 \
    port 5000:55000 random

1) I noticed by using a port 5000:55000 range that my random numbers were in
a larger pool. I don't know if that is true or not, but it appeared that way
from a few tests (and not looking at source). Do you know what the default
port range is for "random"?

2) Also I did this without "random" and it appeared to be random at first, but
then started using the same port numbers. I then added "random". From looking
at the PF FAQ, it seems to say it "might be ... replaced with randomly chosen,
unused port", but the man page doesn't. Do you know if it defaults to "random"?

3) When using "random", it is mostly random, but when I do multiple requests to
the same destination (within a short period of time), it uses the same new
source port. I can easily repeat this and see this with both tcpdump and
pfctl -s state, which shows MULTIPLE:MULTIPLE (instead of MULTIPLE:SINGLE).
I am trying to find a setting that will disable that, so it will use a new
random port each time. It is acting like the "sticky-address" option is used.
pfctl -s timeouts shows that src.track is 0s (default).

Any suggestions on ignoring that state so each connection with identical
original source/destination IP/port will be randomized?

(By the way, this is not on FreeBSD. But I think this list should be a good
help anyways. I am using PF 3.7 on NetBSD.)

Thanks
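Added example, not code from the post above: a small Python script that parses `pfctl -s state` output and groups NAT states by translated source port and by original source/destination. That separates the two things "the same port again" can mean when reading the state table: one state that is still alive and is matched by every packet carrying the same original tuple (pf consults the state table before evaluating nat and filter rules, so such packets keep the existing translation), versus distinct states that were handed the same translated port. The sample lines are constructed in the shape of that output (translated source, original source in parentheses, destination, state pair) and are not a real capture; the interface name `iwi0`, the addresses and the original ports 2222/3333 come from the post, the translated ports are made up.

```python
"""Group `pfctl -s state` lines by translated source port (added example)."""
import re
from collections import defaultdict

# One outbound state per line:  <if> <proto> <gwy> [(<lan>)] -> <ext> <states>
# gwy = source as seen after NAT, lan = original source (only shown when
# translated), ext = destination.  Written for the layout described above;
# lines in any other shape are skipped rather than misparsed.
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<gwy>[\d.]+:\d+)"                 # translated (post-NAT) source
    r"(?:\s+\((?P<lan>[\d.]+:\d+)\))?"     # original source, if translated
    r"\s+->\s+(?P<ext>[\d.]+:\d+)"         # destination
    r"\s+(?P<state>\S+)\s*$"
)

# Constructed sample, not a real capture.  Two states share port 53977 to
# different destinations; the udp tuple 2222 -> .10:3333 has a single live
# state (MULTIPLE:MULTIPLE), so every datagram of it reuses port 17345.
SAMPLE = """\
iwi0 udp 192.168.19.4:17345 (192.168.19.4:2222) -> 192.168.19.10:3333 MULTIPLE:MULTIPLE
iwi0 udp 192.168.19.4:40211 (192.168.19.4:2222) -> 192.168.19.11:3333 MULTIPLE:SINGLE
iwi0 tcp 192.168.19.4:53977 (192.168.19.4:2222) -> 192.168.19.10:3333 ESTABLISHED:ESTABLISHED
iwi0 tcp 192.168.19.4:53977 (192.168.19.4:2222) -> 192.168.19.12:3333 ESTABLISHED:ESTABLISHED
iwi0 udp 192.168.19.4:5353 -> 224.0.0.251:5353 MULTIPLE:MULTIPLE
"""


def parse_states(text):
    """Return one dict per recognised state line; other lines are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        # No parenthesised original source means the state was not translated.
        rec["lan"] = rec["lan"] or rec["gwy"]
        rec["translated"] = rec["lan"] != rec["gwy"]
        states.append(rec)
    return states


def translated_ports(states):
    """Sorted distinct translated source ports: the spread hints at the pool in use."""
    return sorted({int(s["gwy"].rsplit(":", 1)[1]) for s in states if s["translated"]})


def port_reuse(states):
    """Translated address:port values carried by more than one state, with those states."""
    by_gwy = defaultdict(list)
    for s in states:
        if s["translated"]:
            by_gwy[s["gwy"]].append(s)
    return {gwy: lst for gwy, lst in by_gwy.items() if len(lst) > 1}


def states_for_tuple(states, lan, ext):
    """All states created for one original source and one destination."""
    return [s for s in states if s["lan"] == lan and s["ext"] == ext]


if __name__ == "__main__":
    parsed = parse_states(SAMPLE)
    print("translated ports seen:", translated_ports(parsed))
    for gwy, lst in port_reuse(parsed).items():
        print(f"{gwy} used by {len(lst)} states:",
              ", ".join(f"{s['proto']} -> {s['ext']} [{s['state']}]" for s in lst))
    for s in states_for_tuple(parsed, "192.168.19.4:2222", "192.168.19.10:3333"):
        print("tuple 2222 -> .10:3333:", s["proto"], s["gwy"], s["state"])
```

Run it against `pfctl -s state` output piped through `parse_states` in place of `SAMPLE`. A tuple that shows up as one long-lived state is the expected stateful-NAT behaviour; a translated port listed under several states is the case worth looking at more closely.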
Thanks

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 13 14:00:07 2008
Date: Fri, 13 Jun 2008 14:00:06 GMT
From: Peter Jeremy
To: freebsd-pf@FreeBSD.org
Subject: Re: bin/116610: [patch] teach tcpdump(1) to cope with the new-style pflog(4) output

The following reply was made to PR bin/116610; it has been noted by GNATS.

From: Peter Jeremy
To: bug-followup@FreeBSD.org
Subject: Re: bin/116610: [patch] teach tcpdump(1) to cope with the new-style pflog(4) output
Date: Fri, 13 Jun 2008 07:08:30 +1000

This PR seems to have been obsoleted by the import of tcpdump 3.9.8 in
October 2007.

-- 
Peter Jeremy

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 13 14:06:51 2008
Date: Fri, 13 Jun 2008 14:06:50 GMT
From: gavin@FreeBSD.org
To: rea-fbsd@codelabs.ru, gavin@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: bin/116610: [patch] teach tcpdump(1) to cope with the new-style pflog(4) output

Synopsis: [patch] teach tcpdump(1) to cope with the new-style pflog(4) output

State-Changed-From-To: open->feedback
State-Changed-By: gavin
State-Changed-When: Fri Jun 13 14:05:10 UTC 2008
State-Changed-Why:
To submitter: it looks like this PR is no longer relevant to RELENG_7 after
the import of tcpdump 3.9.8 in October 2007. Can you confirm that this now
works for you on 7.0-RELEASE please? Note that it has not been MFC'd to
RELENG_6 so won't work there yet.

Responsible-Changed-From-To: freebsd-pf->gavin
Responsible-Changed-By: gavin
Responsible-Changed-When: Fri Jun 13 14:05:10 UTC 2008
Responsible-Changed-Why:
Track

http://www.freebsd.org/cgi/query-pr.cgi?pr=116610

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 13 18:20:20 2008
Date: Fri, 13 Jun 2008 22:20:16 +0400
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: gavin@FreeBSD.org
Cc: freebsd-pf@FreeBSD.org
Subject: Re: bin/116610: [patch] teach tcpdump(1) to cope with the new-style pflog(4) output

Gavin, good day.

Fri, Jun 13, 2008 at 02:06:50PM +0000, gavin@FreeBSD.org wrote:
> Synopsis: [patch] teach tcpdump(1) to cope with the new-style pflog(4) output
>
> State-Changed-From-To: open->feedback
> State-Changed-By: gavin
> State-Changed-When: Fri Jun 13 14:05:10 UTC 2008
> State-Changed-Why:
> To submitter: it looks like this PR is no longer relevant to
> RELENG_7 after the import of tcpdump 3.9.8 in October 2007. Can
> you confirm that this now works for you on 7.0-RELEASE please?

Yes, it works. Thanks for the reminder!
-- 
Eygene

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 14 00:50:14 2008
Date: Fri, 13 Jun 2008 17:34:16 -0700
From: Margo Szathmár <mszathmar@gmail.com>
To: freebsd-pf@freebsd.org
Subject: rdr rules with pf

Hello everyone,

I'm trying to set up jails behind a NAT on my FreeBSD 7.0 box here as I've
only got one IP to play with. I'm currently using pf with the following
configuration:

ext_if="rl0"
external_addr="x.x.x.x"
internal_net="192.168.222.0/24"

nat on $ext_if from $internal_net to any -> $external_addr
rdr on rl0 proto tcp from any to any port 5223 -> 192.168.222.2

pass in all
pass out all

The jail in question is sitting on 192.168.222.2 and is able to connect out.
The only problem I'm having is that the rdr statement doesn't seem to be
working. The examples I've been able to find so far encompass only
situations in which the box has more than one nic (see a lot of ext_if and
int_if) and I haven't been able to find anything concrete.

The box is also running ipfw which I suspect may be causing some conflicts
... to bypass these, however, I've added rule 1 as "allow ip from any to
any".

Can anyone point out my error?

I realize that this question is probably asked near constantly and there's
probably some link I simply haven't consulted yet and for that I apologize.

Thanks for your input!

With love,
Margo S.
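The check Jeremy Reed describes doing by hand in the "random nat source ports" message earlier in this archive (dumping pfctl -s state after each request and comparing the translated ports), written out as an added Python example; it is not code from the list or from pf. The line shape is assumed from pfctl's outbound NAT state output, and the sample dumps are constructed.

```python
import re
from collections import defaultdict

# An outbound NAT state line as pfctl -s state prints it (translated source
# first, original source in parentheses); the leading interface word is optional:
#   [iface] proto xsrc:xport (osrc:oport) -> dst:dport  state:state
STATE_RE = re.compile(
    r"(?P<proto>tcp|udp)\s+(?P<xsrc>[\d.]+):(?P<xport>\d+)\s+"
    r"\((?P<osrc>[\d.]+):(?P<oport>\d+)\)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample: one dump per request, holding only the state that request
# created or matched (requests 1 and 2 land on the same state, request 4 on a new one).
SAMPLE_SNAPSHOTS = [
    "all tcp 192.168.19.4:23011 (192.168.19.4:2222) -> 10.1.1.9:3333  ESTABLISHED:ESTABLISHED",
    "all tcp 192.168.19.4:23011 (192.168.19.4:2222) -> 10.1.1.9:3333  ESTABLISHED:ESTABLISHED\n"
    "all tcp 192.168.19.4:22 <- 192.168.19.7:51000  ESTABLISHED:ESTABLISHED",
    "all tcp 192.168.19.4:50120 (192.168.19.4:2222) -> 10.1.1.10:3333  ESTABLISHED:ESTABLISHED",
    "all tcp 192.168.19.4:41877 (192.168.19.4:2222) -> 10.1.1.9:3333  SYN_SENT:CLOSED",
]

def parse_states(snapshot):
    """Return (original tuple, translated port) for each NAT state in one dump;
    inbound and untranslated lines (no parenthesised original address) are skipped."""
    found = []
    for line in snapshot.splitlines():
        m = STATE_RE.search(line)
        if m:
            key = (m["proto"], m["osrc"], int(m["oport"]), m["dst"], int(m["dport"]))
            found.append((key, int(m["xport"])))
    return found

def port_reuse_report(snapshots):
    """Per original tuple: the translated port seen for each request, and whether
    a later request reused a port instead of getting a fresh random one."""
    seen = defaultdict(list)
    for snap in snapshots:
        for key, xport in parse_states(snap):
            seen[key].append(xport)
    return {k: {"ports": p, "distinct": len(set(p)), "reused": len(set(p)) < len(p)}
            for k, p in seen.items()}

def observed_port_range(report):
    """Lowest and highest translated port seen: a rough view of the pool in use
    (should stay inside 5000:55000 for the rule in the post)."""
    ports = [p for r in report.values() for p in r["ports"]]
    return (min(ports), max(ports)) if ports else None
```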