From owner-freebsd-pf@FreeBSD.ORG Sun Jul 20 12:28:54 2008
From: Greg Hennessy <Greg.Hennessy@nviz.net>
To: Angelo Turetta
Cc: freebsd-pf@freebsd.org
Date: Sun, 20 Jul 2008 13:03:34 +0100
Message-ID: <48832996.4060300@nviz.net>
In-Reply-To: <4881CABB.7080907@commit.it>
Subject: Re: GRE Limitation

Angelo Turetta wrote:
> Rudi Kramer - MWEB wrote:
>> I had the same issue and when I checked with our ms-admin team they said
>> it was a Microsoft limitation.
>
> Quite the opposite. Since Windows2000 MS introduced, or started using,
> a CallID in the GRE header.

Indeed.
>
> Remember, many-to-one NAT has only become widely used/mandatory in
> recent years,

I wouldn't say that recent; trying to get address space out of RIPE for the past decade is like pulling teeth.

> I remember getting a full ClassC subnet from my first provider
> (128Kbps, ca. 1995-1996) without even asking.

Those were the days. I can remember having a conversation with Pipex here in the UK circa 1994 where their account manager asked if a /24 would be enough for the 64k line I was connecting. He assured me that they recommended at least 2 and that 4 * /24s wouldn't be a problem. Considering I was plumbing connectivity using SCO and the TIS FWTK at the time, a /29 was overkill.

Regards
Greg

> Angelo Turetta
> Modena - Italy

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 21 09:31:56 2008
From: Vitaliy Vladimirovich <artemrts@ukr.net>
To: freebsd-pf@freebsd.org
Date: Mon, 21 Jul 2008 12:07:15 +0300
Subject: PF and blocking of some ports

Hi,

I have a question about blocking some ports for LAN users.

Below is a part of my pf.conf:

nat on $ext_if tag LAN_INET_NAT_TCP_UDP tagged LAN_INET_TCP_UDP -> $ext_if:0

pass out quick on $ext_if inet tagged LAN_INET_NAT_TCP_UDP
pass out quick on $ext_if inet proto {tcp udp} from $ext_if to $myisp port 53

pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if port !=25 tag LAN_INET_TCP_UDP
pass in quick on $int_if inet proto {tcp udp} from $LAN to $int_if port 53

All works fine. But when I wish to block not only port 25 but also 5190 or some other ports, blocking does not occur, and I can connect to port 25 on any host on the Internet from any computer in the local network.

The rule which I try to use:

pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if port {!=25 !=5190} tag LAN_INET_TCP_UDP

Please, tell me where is my mistake?

Thanks.
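An added example, not part of this thread and not pf source: a small Python model of how pf expands the brace lists in the rule above into separate rules and then evaluates them first-match because of `quick`, which is why `port {!=25 !=5190}` still passes SMTP; the explicit-block and allow-list forms are modelled alongside for comparison. It assumes the surrounding ruleset blocks whatever no quick rule passes, and the `Rule`, `expand` and `evaluate` names are mine.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional

# Constructed model (not pf code) of the two pf behaviours the rule exercises:
# brace-list expansion and first-match evaluation for "quick" rules. Only
# proto lists, destination-port lists with "=" / "!=" and the quick flag are
# modelled. Assumption: anything no quick rule passes is blocked by the rest
# of the ruleset, so the default verdict is "block".


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    proto: str               # "tcp" or "udp"
    port_op: str             # "=", "!=" or "any" (no port constraint)
    port: Optional[int]
    quick: bool = False

    def matches(self, proto: str, dport: int) -> bool:
        if self.proto != proto:
            return False
        if self.port_op == "any":
            return True
        if self.port_op == "=":
            return dport == self.port
        return dport != self.port        # "!="

    def __str__(self) -> str:
        port = "" if self.port_op == "any" else f" port {self.port_op} {self.port}"
        quick = " quick" if self.quick else ""
        return (f"{self.action} in{quick} on $int_if inet proto {self.proto} "
                f"from $LAN to !$int_if{port}")


def expand(action, protos, port_specs, quick=True):
    """pf turns every {a b} list into one rule per combination, i.e. the
    cartesian product of all lists in the rule (pfctl -vnf shows this)."""
    return [Rule(action, p, op, port, quick)
            for p, (op, port) in product(protos, port_specs)]


def evaluate(rules, proto, dport, default="block"):
    """pf semantics: the last matching rule wins, except that a matching
    'quick' rule ends evaluation immediately."""
    decision = default
    for rule in rules:
        if rule.matches(proto, dport):
            decision = rule.action
            if rule.quick:
                break
    return decision


def original_rule():
    # pass in quick ... proto {tcp udp} ... port !=25   (the working rule)
    return expand("pass", ["tcp", "udp"], [("!=", 25)])


def negated_list_rule():
    # pass in quick ... proto {tcp udp} ... port {!=25 !=5190}   (the broken rule)
    return expand("pass", ["tcp", "udp"], [("!=", 25), ("!=", 5190)])


def explicit_block_rules():
    # block in quick ... port {25 5190}  followed by  pass in quick ... (rest)
    return (expand("block", ["tcp", "udp"], [("=", 25), ("=", 5190)])
            + expand("pass", ["tcp", "udp"], [("any", None)]))


def allow_list_rule(ports=(20, 21, 80, 443, 8000, 8080)):
    # pass in quick ... port $ports  with  ports = "{20 21 80 443 8000 8080}"
    return expand("pass", ["tcp", "udp"], [("=", p) for p in ports])


def decisions(rules, proto="tcp", ports=(25, 5190, 80)):
    """Verdict the ruleset gives each sample destination port."""
    return {port: evaluate(rules, proto, port) for port in ports}


if __name__ == "__main__":
    for name, rules in [("port !=25", original_rule()),
                        ("port {!=25 !=5190}", negated_list_rule()),
                        ("block {25 5190}, then pass", explicit_block_rules()),
                        ("port $ports allow list", allow_list_rule())]:
        print(f"== {name}: expands to {len(rules)} rules")
        for rule in rules:
            print("  ", rule)
        print("   tcp verdicts:", decisions(rules))
```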
From owner-freebsd-pf@FreeBSD.ORG Mon Jul 21 10:48:26 2008
From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Mon, 21 Jul 2008 12:48:23 +0200
Message-Id: <200807211248.23181.max@love2party.net>
Subject: Re: PF and blocking of some ports

On Monday 21 July 2008 11:07:15 Vitaliy Vladimirovich wrote:
> Hi,
>
> I have a question about blocking some ports for LAN users.
>
> Below is a part of my pf.conf:
>
> nat on $ext_if tag LAN_INET_NAT_TCP_UDP tagged LAN_INET_TCP_UDP -> $ext_if:0
>
> pass out quick on $ext_if inet tagged LAN_INET_NAT_TCP_UDP
> pass out quick on $ext_if inet proto {tcp udp} from $ext_if to $myisp port 53
>
> pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if port !=25 tag LAN_INET_TCP_UDP
> pass in quick on $int_if inet proto {tcp udp} from $LAN to $int_if port 53
>
> All works fine. But when I wish to block not only port 25 but also 5190 or some
> other ports, blocking does not occur, and I can connect to port 25 on any host
> on the Internet from any computer in the local network.
>
> The rule which I try to use:
> pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if port {!=25 !=5190} tag LAN_INET_TCP_UDP
>
> Please, tell me where is my mistake?

The above will expand to 4 rules:

pass quick ... tcp ... to !int_if port != 25 ...
pass quick ... udp ... to !int_if port != 25 ...
pass quick ... tcp ... to !int_if port != 5190 ...
pass quick ... udp ... to !int_if port != 5190 ...

It should be obvious that the first rule will allow tcp traffic to port 5190 and the third to port 25. In general you should rather block unwanted traffic explicitly.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 21 11:07:00 2008
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
To: freebsd-pf@FreeBSD.org
Date: Mon, 21 Jul 2008 11:06:59 GMT
Message-Id: <200807211106.m6LB6xOF031955@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented

6 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/114567  pf    [pf] LOR pf_ioctl.c + if.c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/125467  pf    [pf] pf keep state bug while handling sessions between

10 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Jul 21 11:44:45 2008
From: Vitaliy Vladimirovich <artemrts@ukr.net>
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Mon, 21 Jul 2008 14:44:43 +0300
In-Reply-To: <200807211248.23181.max@love2party.net>
Subject: Re[2]: PF and blocking of some ports

--- Original Message ---
From: Max Laier
To: freebsd-pf@freebsd.org
Date: 21 july, 13:48:23
Subject: Re: PF and blocking of some ports

> On Monday 21 July 2008 11:07:15 Vitaliy Vladimirovich wrote:
> > Hi,
> >
> > I have a question about blocking some ports for LAN users.
> > [...]
> >
> > Please, tell me where is my mistake?
>
> The above will expand to 4 rules:
>
> pass quick ... tcp ... to !int_if port != 25 ...
> pass quick ... udp ... to !int_if port != 25 ...
> pass quick ... tcp ... to !int_if port != 5190 ...
> pass quick ... udp ... to !int_if port != 5190 ...
>
> It should be obvious that the first rule will allow tcp traffic to port
> 5190 and the third to port 25. In general you should rather block unwanted
> traffic explicitly.

Ok, thanks for the advice.
I have changed the rule to:

pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if port $ports tag LAN_INET_TCP_UDP

and defined $ports as:

ports = "{20 21 80 443 8000 8080}"

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 21 12:38:00 2008
From: Dave <dfeustel@mindspring.com>
To: freebsd-pf@freebsd.org
Date: Mon, 21 Jul 2008 12:38:00 +0000 (UTC)
Message-Id: <20080721123800.1C79E8FC21@mx1.freebsd.org>
Subject: BNF Syntax of pf commands

Hi!

I'm looking for a BNF description of the PF ruleset. Is that available somewhere?
Thanks,
Dave Feustel

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 21 12:40:55 2008
From: Jeremy Chadwick <jdc@parodius.com>
To: Dave
Cc: freebsd-pf@freebsd.org
Date: Mon, 21 Jul 2008 05:40:55 -0700
Message-ID: <20080721124055.GA33609@eos.sc1.parodius.com>
In-Reply-To: <20080721123800.1C79E8FC21@mx1.freebsd.org>
Subject: Re: BNF Syntax of pf commands

On Mon, Jul 21, 2008 at 12:38:00PM +0000, Dave wrote:
> I'm looking for a BNF description of the PF ruleset.
> Is that available somewhere?

It's in the manpage, section GRAMMAR.

http://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=5&manpath=FreeBSD+7.0-stable&format=html#end

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 21 17:01:55 2008
From: Dave <dfeustel@mindspring.com>
To: Jeremy Chadwick
Cc: freebsd-pf@freebsd.org
Date: Mon, 21 Jul 2008 17:01:55 +0000 (UTC)
Message-Id: <20080721170155.5BF2B8FC18@mx1.freebsd.org>
In-Reply-To: <20080721124055.GA33609@eos.sc1.parodius.com>
Subject: Re: BNF Syntax of pf commands

On Mon, Jul 21, 2008 at 05:40:55AM -0700, Jeremy Chadwick wrote:
>On Mon, Jul 21, 2008 at 12:38:00PM +0000, Dave wrote:
>> I'm looking for a BNF description of the PF ruleset.
>> Is that available somewhere?
>
>It's in the manpage, section GRAMMAR.
>
>http://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=5&manpath=FreeBSD+7.0-stable&format=html#end

Thanks! I had just found this myself using Google and noticed that the BNF is coded up by hand instead of via yacc or bison. The reason I got interested in this is that I saw pretty clear indications on my OpenBSD 4.3 pf firewall that certain 'equivalent' rules (differing only in the presence or absence of 'optional' syntactic sugar keywords) in my pf.conf file did not produce identical behavior from pf. I've started wondering about how one would implement regression testing on pf.

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 21 17:52:03 2008
From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Mon, 21 Jul 2008 19:52:00 +0200
Message-Id: <200807211952.00497.max@love2party.net>
In-Reply-To: <20080721170155.5BF2B8FC18@mx1.freebsd.org>
Subject: Re: BNF Syntax of pf commands

On Monday 21 July 2008 19:01:55 Dave wrote:
> On Mon, Jul 21, 2008 at 05:40:55AM -0700, Jeremy Chadwick wrote:
> >On Mon, Jul 21, 2008 at 12:38:00PM +0000, Dave wrote:
> >> I'm looking for a BNF description of the PF ruleset.
> >> Is that available somewhere?
> >
> >It's in the manpage, section GRAMMAR.
> >
> >http://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=5&manpath=FreeBSD+7.0-stable&format=html#end
>
> Thanks! I had just found this myself using Google and noticed that the
> BNF is coded up by hand instead of via yacc or bison. The reason I got
> interested in this is that I saw pretty clear indications on my OpenBSD
> 4.3 pf firewall that certain 'equivalent' rules (differing only in the
> presence or absence of 'optional' syntactic sugar keywords) in my
> pf.conf file did not produce identical behavior from pf. I've started
> wondering about how one would implement regression testing on pf.

Do you have an example? It's hard to imagine how that would be possible. There are some parser regression tests in OpenBSD's source tree, but to my knowledge there is no "action" testing.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 22 09:53:23 2008
From: Rudi Kramer - MWEB <rkramer@mweb.com>
To: Catalin Miclaus, Chris Buechler, Ansar Mohammed
Cc: freebsd-pf@freebsd.org
Date: Tue, 22 Jul 2008 11:52:47 +0200
Message-ID: <39DC135F7F0571489196E0B6F5D58B4A03B45F09@MWBEXCH.mweb.com>
Subject: RE: GRE Limitation
Catalin Miclaus:
> It is not a Microsoft limitation.
> Please stop spreading wrong information on same.

My apologies, it was not my intent to spread disinformation regarding Microsoft; I was only relaying information that I was given by a Microsoft Administrator.

I mean really, this must be the first time in history that the fault isn't with MS ;-)

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 22 10:48:49 2008
From: Odhiambo Washington <odhiambo@gmail.com>
To: Rudi Kramer - MWEB
Cc: freebsd-pf@freebsd.org
Date: Tue, 22 Jul 2008 13:24:35 +0300
Message-ID: <991123400807220324s6e25e251va04cc25a6b2a23ac@mail.gmail.com>
In-Reply-To: <39DC135F7F0571489196E0B6F5D58B4A03B45F09@MWBEXCH.mweb.com>
Subject: Re: GRE Limitation

On Tue, Jul 22, 2008 at 12:52 PM, Rudi Kramer - MWEB wrote:
> Catalin Miclaus:
>> It is not a Microsoft limitation.
>> Please stop spreading wrong information on same.
>
> My apologies, it was not my intent to spread disinformation regarding
> Microsoft; I was only relaying information that I was given by a Microsoft
> Administrator.
>
> I mean really, this must be the first time in history that the fault
> isn't with MS ;-)

In the old days when I used mutt as my MUA, this would be a great candidate for those fortunes :-)

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
"Oh My God! They killed init! You Bastards!"
--from a /. post

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 23 09:29:49 2008
From: Ivan Petrushev <ivanatora@gmail.com>
To: freebsd-pf@freebsd.org
Date: Wed, 23 Jul 2008 12:03:00 +0300
Subject: Problems in basic usage of ALTQ
Hello,

I'm trying to do very simple traffic shaping on my box with ALTQ. For a beginning I want just to restrict HTTP downloading speed (which is port 80) to a fixed number... let's say 100Kbps. I'm on an ADSL line providing me 12Mb down / 2Mb up (and I know every ADSL tutorial recommends limiting uploads), but for syntax learning purposes let's concentrate only on limiting downloading speed.

I've read some tutorials and I've reached the following code:

[code]
### Queueing
# I'm not sure what to set up for a total bandwidth - 100Mb for the carrier media (Cat5 cables) or 12Mb for the provided bandwidth
altq on re0 cbq bandwidth 12Mb queue {restrict, fast}
# This queue 'restrict' should get the shaped traffic
queue restrict bandwidth 100Kb cbq(default)
# This 'fast' queue should take some fast traffic, DNS requests for example.
queue fast bandwidth 500Kb priority 4

### Translation
# This is for my other PC and I don't think it plays a role here
nat pass on re0 from 192.168.0.5 to any -> 10.10.10.21

### Filtering
# Restrict traffic on port 80. This is my IP.
pass in on re0 proto tcp from any port 80 to 10.10.10.21 queue restrict
# Pass DNS requests on the 'fast' queue
pass in on re0 proto { udp, tcp } from any port 53 to 10.10.10.21 queue fast
[/code]

So I see DNS resolutions are done really fast (definitely faster than if they fell into the 'restricted' queue), but HTTP traffic is not going at the specified bandwidth. Instead it goes at about 3Mb. First I thought it was due to a wrong number here:

altq on re0 cbq bandwidth *100Mb* queue {restrict, fast}

But changing that did not reflect in any way - the downloads went on at 3Mb.

Second problem - how to build the rule for queuing the other PC's NATed bandwidth?
I tried [code] pass on re0 from any to 192.168.0.5 queue restrict [/code] and variations but it just didn't passed to the queue. I.e. the effect was nothing. I'm routing over only one NIC - re0 (using aliases - 10.10.10.21 and 192.168.0.5) and maybe this is wrong? From owner-freebsd-pf@FreeBSD.ORG Wed Jul 23 13:27:58 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9C5F9106564A for ; Wed, 23 Jul 2008 13:27:58 +0000 (UTC) (envelope-from weaseal@gmail.com) Received: from rv-out-0506.google.com (rv-out-0506.google.com [209.85.198.231]) by mx1.freebsd.org (Postfix) with ESMTP id 843C88FC08 for ; Wed, 23 Jul 2008 13:27:58 +0000 (UTC) (envelope-from weaseal@gmail.com) Received: by rv-out-0506.google.com with SMTP id b25so2856758rvf.43 for ; Wed, 23 Jul 2008 06:27:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:mime-version:content-type; bh=ooOmFPJCpA59oHleEg9JrbC0thlSUskF5HmMjmuB/30=; b=SRnCz3/EL4+tWhtwo2i+fx76u+m2j/Ii2uxGXaxrfGBzhUVWj/4uaGiDv7S6y1WC0F L43vP13hzJQsoGLOr1Y2daAFMEIEDW0vZODoZRSdx8wFVFmRzFk+Y5lXB8r8nBriD8JP 3uvwHWkY2tdInJ7by+2mBQFVDdK9hmmqy35Fg= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type; b=b/O6thyXnnKQpO8BL5aAfU9VOU/DHsNnxyy6h78AlJconPc1qW5c4CTo0egyKFykH1 5iBqzTPISEgjCkVU4mGYcTsuyMx3LRCNkSqyt0ExGXzvg3JKjB60ViLKvPR7S5nQqitI M5vDcem0X1s9a4JkwT56JCNwD710eTB1rJhHk= Received: by 10.140.133.9 with SMTP id g9mr47583rvd.235.1216818228076; Wed, 23 Jul 2008 06:03:48 -0700 (PDT) Received: by 10.140.170.2 with HTTP; Wed, 23 Jul 2008 06:03:48 -0700 (PDT) Message-ID: <8dfae1c10807230603o1060aa69jc9ccf2e4bc66f275@mail.gmail.com> Date: Wed, 23 Jul 2008 16:03:48 +0300 From: "Walter Venable" To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; 
charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Limiting client bandwidth with PF X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Jul 2008 13:27:58 -0000 Hi all, I'm having some trouble getting pf to do what I want. I'm a newbie to pf, so I can't get my configuration quite right. We have a 3Mb/1Mb connection and I want to limit my clients each to 128Kbps/64Kbps. First things first, limit them to 128Kbps, but that isn't even working, as clients are still maxing at 3Mbps: $ cat /etc/pf.conf int_if="rl0" ext_if="nfe0" int_net="192.168.2.0/24" altq on $ext_if hfsc bandwidth 3Mb queue { clients } queue clients bandwidth 128Kb hfsc ( default rio ) pass in quick log on $int_if proto tcp from $int_net to any \ flags S/SA keep state queue clients $ sudo pfctl -sq queue root_nfe0 on nfe0 bandwidth 3Mb priority 0 {clients} queue clients on nfe0 bandwidth 128Kb hfsc( rio default ) Can anyone say why this isn't working? 
More info about the network if you need it: Internet -- Router (192.168.1.1) -- (nfe0 @ 192.168.1.200 ) FreeBSD Gateway (rl0 @ 192.168.2.1) -- switch -- Clients (192.168.2.0/24) From owner-freebsd-pf@FreeBSD.ORG Wed Jul 23 15:54:52 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4AA101065676 for ; Wed, 23 Jul 2008 15:54:52 +0000 (UTC) (envelope-from buchtajz@borsice.net) Received: from mx.sitkom.cz (mx.sitkom.cz [88.146.187.34]) by mx1.freebsd.org (Postfix) with ESMTP id 1E1998FC1E for ; Wed, 23 Jul 2008 15:54:52 +0000 (UTC) (envelope-from buchtajz@borsice.net) Received: from [10.10.0.12] (manwe.buchtikov.borsice.sfn [10.10.0.12]) by mx.sitkom.cz (Postfix) with ESMTP id BC9CF1C4A10 for ; Wed, 23 Jul 2008 17:37:42 +0200 (CEST) From: Michal Buchtik Cc: freebsd-pf@freebsd.org In-Reply-To: <8dfae1c10807230603o1060aa69jc9ccf2e4bc66f275@mail.gmail.com> References: <8dfae1c10807230603o1060aa69jc9ccf2e4bc66f275@mail.gmail.com> Content-Type: text/plain; charset=UTF-8 Date: Wed, 23 Jul 2008 17:35:49 +0200 Message-Id: <1216827349.1598.4.camel@manwe.buchtikov.borsice.sfn> Mime-Version: 1.0 X-Mailer: Evolution 2.22.3.1 FreeBSD GNOME Team Port Content-Transfer-Encoding: 8bit Subject: Re: Limiting client bandwidth with PF X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Jul 2008 15:54:52 -0000 Walter Venable píše v st 23. 07. 
2008 v 16:03 +0300: > First things first, limit them to 128Kbps, but that isn't even working, as > clients are still maxing at 3Mbps: > > $ cat /etc/pf.conf > int_if="rl0" > ext_if="nfe0" > int_net="192.168.2.0/24" > > altq on $ext_if hfsc bandwidth 3Mb queue { clients } > queue clients bandwidth 128Kb hfsc ( default rio ) > pass in quick log on $int_if proto tcp from $int_net to any \ > flags S/SA keep state queue clients > You can limit only OUTGOING traffic (from router point of view). So change the line to: altq on $int_if hfsc bandwidth 3Mb queue { clients } Michal From owner-freebsd-pf@FreeBSD.ORG Wed Jul 23 16:26:48 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0E2FE1065672 for ; Wed, 23 Jul 2008 16:26:48 +0000 (UTC) (envelope-from catalin@starcomms.com) Received: from webmail.starcomms.com (starcomms.com [41.205.191.5]) by mx1.freebsd.org (Postfix) with SMTP id 556F18FC1D for ; Wed, 23 Jul 2008 16:26:40 +0000 (UTC) (envelope-from catalin@starcomms.com) Received: from (webmail.starcomms.com [172.16.2.31]) by webmail.starcomms.com with smtp id 68ac_5769dae2_58c7_11dd_b0d3_001143cecab4; Wed, 23 Jul 2008 15:55:09 +0100 Received: from STA-HQ-S001.starcomms.local ([172.16.2.28]) by webmail.starcomms.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 23 Jul 2008 15:50:41 +0100 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Date: Wed, 23 Jul 2008 15:51:12 +0100 Message-ID: <3A0AA7018522134597ED63B3B794C92A027402C3@STA-HQ-S001.starcomms.local> In-Reply-To: <8dfae1c10807230603o1060aa69jc9ccf2e4bc66f275@mail.gmail.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: thread-topic: Limiting client bandwidth with PF thread-index: Acjs0mVI/yYcrCP4SF6/rYBKrtgo/gAAPu1Q References: 
<8dfae1c10807230603o1060aa69jc9ccf2e4bc66f275@mail.gmail.com> From: "Catalin Miclaus" To: "Walter Venable" X-OriginalArrivalTime: 23 Jul 2008 14:50:41.0421 (UTC) FILETIME=[7A4D73D0:01C8ECD3] X-NAIMIME-Disclaimer: 1 X-NAIMIME-Modified: 1 Cc: freebsd-pf@freebsd.org Subject: RE: Limiting client bandwidth with PF X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Jul 2008 16:26:48 -0000 Hello Walter, There are some open bugs for pf with altq. You may want to consider ipfw and pipes to achieve same. Best Regards Catalin Miclaus Network/Security ISP-Data Starcomms Ltd. -----Original Message----- From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Walter Venable Sent: Wednesday, July 23, 2008 2:04 PM To: freebsd-pf@freebsd.org Subject: Limiting client bandwidth with PF Hi all, I'm having some trouble getting pf to do what I want. I'm a newbie to pf, so I can't get my configuration quite right. We have a 3Mb/1Mb connection and I want to limit my clients each to 128Kbps/64Kbps. First things first, limit them to 128Kbps, but that isn't even working, as clients are still maxing at 3Mbps: $ cat /etc/pf.conf int_if=3D"rl0" ext_if=3D"nfe0" int_net=3D"192.168.2.0/24" altq on $ext_if hfsc bandwidth 3Mb queue { clients } queue clients bandwidth 128Kb hfsc ( default rio ) pass in quick log on $int_if proto tcp from $int_net to any \ flags S/SA keep state queue clients $ sudo pfctl -sq queue root_nfe0 on nfe0 bandwidth 3Mb priority 0 {clients} queue clients on nfe0 bandwidth 128Kb hfsc( rio default ) Can anyone say why this isn't working? 
More info about the network if you need it: Internet -- Router (192.168.1.1) -- (nfe0 @ 192.168.1.200 ) FreeBSD Gateway (rl0 @ 192.168.2.1) -- switch -- Clients (192.168.2.0/24) _______________________________________________ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" DISCLAIMER: The information contained in this message (including any atta= chments) is confidential and may be privileged. If you have received it b= y mistake please notify the sender by return e-mail and permanently delet= e this message and any attachments from your system. Any form of dissemin= ation, use, review, distribution, printing or copying of this message in = whole or in part is strictly prohibited if you are not the intended recip= ient of this e-mail. Please note that e-mails are susceptible to change. = STARCOMMS PLC shall not be liable for the improper or incomplete transmis= sion of the information contained in this communication nor for any delay= in its receipt or damage to your system. STARCOMMS PLC does not guarante= e that the integrity of this communication has been maintained or that th= is communication is free of viruses, interceptions or interferences. STAR= COMMS PLC reserves the right to monitor all e-mail communications, whethe= r related to the business of STARCOMMS or not, through its internal or ex= ternal networks. 
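Michal's reply above is the key point for both ALTQ threads in this section: ALTQ shapes packets as they leave an interface. Walter's queue is defined on nfe0, which is where the clients' uploads leave the gateway, so their downloads (which leave on rl0) never pass through it. The pf.conf below is an added example and not Walter's or Michal's posted configuration: it keeps Walter's interface names, network and pass rule, moves the queue to rl0, and adds an upperlimit, because HFSC's bandwidth figure is a link-share weight rather than a ceiling. The "other" queue and its size are assumptions.

```pf
# Added example (not Walter's posted pf.conf): the download cap lives on the
# LAN interface, because that is where packets headed for the clients leave
# the gateway.  Interface names, network and the pass rule are Walter's;
# the "other" queue and its size are assumptions.
int_if="rl0"
ext_if="nfe0"
int_net="192.168.2.0/24"

# Root bandwidth is the rate to shape toward the LAN (the 3Mb download side
# of the link), not the 100Mb speed of rl0 itself.
altq on $int_if hfsc bandwidth 3Mb queue { clients, other }

# HFSC "bandwidth" is a link-share weight, not a ceiling: a lone child queue
# under a 3Mb root is handed the whole 3Mb when nothing else competes.
# "upperlimit" is the hard cap.
queue clients bandwidth 128Kb hfsc(upperlimit 128Kb)

# Everything not assigned elsewhere; every altq interface needs one default.
queue other bandwidth 2.8Mb hfsc(default)

# The queue named on a stateful rule is attached to the state it creates, so
# the server-to-client packets of every connection a client opens are put in
# "clients" when they leave rl0.  The client-to-server packets leave nfe0,
# which has no altq here, and are not shaped.
pass in quick log on $int_if proto tcp from $int_net to any \
    flags S/SA keep state queue clients
```

Check it with `pfctl -vsq`: the packet and byte counters on "clients" must climb while a client downloads; if they stay at zero, the queue is on an interface the traffic never leaves. Two limits follow from the same rule. This caps all clients together, since ALTQ queues are static and pf has no per-address dynamic queue; when a limit per client is required, Catalin's suggestion of ipfw pipes is the usual answer. And it explains Ivan's single-NIC post earlier in this section: packets downloaded for 10.10.10.21 itself arrive on re0 and are consumed by the host, so they never leave an interface and no ALTQ queue on re0 can cap them; only what the host sends out on re0 is shaped.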
From owner-freebsd-pf@FreeBSD.ORG Wed Jul 23 17:25:44 2008
Date: Wed, 23 Jul 2008 20:25:43 +0300
From: "Ivan Petrushev" <ivanatora@gmail.com>
To: freebsd-pf@freebsd.org
Subject: Why this rule doesn't score a match?

Hello,

I'm trying a very simple 'block all, allow a few' firewall, but something doesn't seem right. As far as I remember 'the right matched rule' is taken and executed - this doesn't seem to be working here. Here is my firewall:

#####################
#macros
if = "re0"
ext_ip = "10.10.10.21"
tcp_services = "{http, https, ssh, domain, 5190, 5222, ftp, 1025}"
udp_services = "{domain, 5190, 5222, ftp}"

#filter
block in log on $if
pass on $if proto tcp from any port $tcp_services
pass on $if proto udp from any port $udp_services
####################

The point here is that if a packet for one of the listed services is matched against the rules, it will match the block rule, but after that it will match one of the last two and get passed. Instead it gets blocked and I see it in the log:

tcpdump -n -i pflog0
19:54:57.657194 IP 64.12.161.185.5190 > 10.10.10.21.54111: tcp 24 [bad hdr length 0 - too short, < 20]

(there are many of these, including on the other ports)

Now, there is something different. I tried removing the block rule, and added logging for the 'pass' rules. In that case a packet traveling down the rules should match only on the 'pass' rules and get logged.

####################
#filter
#block in log on $if
pass log on $if proto tcp from any port $tcp_services
pass log on $if proto udp from any port $udp_services
####################

Well, it doesn't get logged. The only thing I see in the log is:

20:12:53.185368 IP 10.10.10.1.53 > 10.10.10.21.60918: [|domain]

And more DNS requests. There is nothing from 5190 (ICQ) or 5222 (Gtalk) or 80...

What could be wrong here - it is a fairly simple ruleset?
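The two pass rules in the post above select packets by their source port, so for a machine that runs only clients the only packets they can ever match are replies such as the logged one: 64.12.161.185 port 5190 answering a connection that 10.10.10.21 opened from port 54111. The ruleset below is an added example, not Ivan's posted configuration nor anything another poster in the thread wrote: the same 'block all, allow a few' policy for a single-interface workstation, written so that the host's own outgoing connections create state and the replies are admitted by that state instead of by a remote port number. Macro names and the address are Ivan's; `set skip on lo0` and the ICMP rule are my additions, assumed to be wanted.

```pf
# Added example (not from the thread): stateful "block all, allow a few"
# for a workstation with one interface.  Names and the address are Ivan's;
# "set skip on lo0" and the ICMP rule are assumptions.
if = "re0"
ext_ip = "10.10.10.21"
tcp_services = "{ http, https, ssh, domain, 5190, 5222, ftp, 1025 }"
udp_services = "{ domain, 5190, 5222, ftp }"

# Never filter loopback, or "block all" breaks local services.
set skip on lo0

# Default deny in BOTH directions, logged to pflog0 (tcpdump -n -i pflog0).
block log all

# The shape of rule the post used, kept only for contrast.  It keys on the
# remote SOURCE port.  A browser's first packet goes from a random local
# port to REMOTE port 80, so this rule never sees it; and because FreeBSD 7's
# pf adds "flags S/SA keep state" to TCP pass rules, the server's SYN+ACK
# (source port 80, ACK set) fails the S/SA check as well and falls through
# to the block.
#pass on $if proto tcp from any port $tcp_services

# Let this host open connections to the listed services.  The state created
# on the SYN admits every later packet of that connection, in and out, so no
# "pass in" rule keyed on a remote port is needed.
pass out on $if proto tcp from $ext_ip to any port $tcp_services \
    flags S/SA keep state
pass out on $if proto udp from $ext_ip to any port $udp_services keep state

# Outgoing ping; the echo replies come back through the state.
pass out on $if inet proto icmp from $ext_ip to any icmp-type echoreq keep state

# No "pass in" at all: nothing here is a server.  A packet sent to this host
# with source port 80 is dropped unless it belongs to a state created above.
```

`pfctl -nf /etc/pf.conf` parses the file without loading it; after a page load, `pfctl -ss` lists the states the two pass-out rules created, and `tcpdump -n -e -ttt -i pflog0` prints, for every dropped packet, the number of the rule that dropped it, which is the quickest way to see whether a drop came from the default block or from something unexpected.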
From owner-freebsd-pf@FreeBSD.ORG Wed Jul 23 18:28:06 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 965391065672 for ; Wed, 23 Jul 2008 18:28:06 +0000 (UTC) (envelope-from ivanatora@gmail.com) Received: from qw-out-2122.google.com (qw-out-2122.google.com [74.125.92.25]) by mx1.freebsd.org (Postfix) with ESMTP id 538728FC0C for ; Wed, 23 Jul 2008 18:28:06 +0000 (UTC) (envelope-from ivanatora@gmail.com) Received: by qw-out-2122.google.com with SMTP id 9so241445qwb.7 for ; Wed, 23 Jul 2008 11:28:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=M0tbldVonb3AznxQV0JobycLuBtOdALqCNRCrYgkRSQ=; b=BW0gZU3wLR/meP53cNDq+C2aOkRFo7hucia/pxRD5rC5+EiMiegFITz/xecvu0QqvH j/slJq08gMzHzfD4Y/VW5IZhMS7YQ7nK0IDFy1Cft9tjRjeTZBc1sLB4pmCjNlfaQjDP ZF+UXLbpfOcxt9KAyoHGsEDpU/BSQUfxYRZAo= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=AneiSNvw4oFRfEX/H7r1MARXWKpSpXs6++yCDSB9KF2/n17DADyO2Ip1RCNeClS8M8 wtg29udhqlPC29J2KG3zVTX5p9QMxzvQxaVnAFq+aiXL5lErUJUsAyQgPUiQ5tkxUx2E pZ/bRUzs4F7y4AptAd9E6kWRqAisrnenOgdqs= Received: by 10.150.191.15 with SMTP id o15mr605594ybf.54.1216837685191; Wed, 23 Jul 2008 11:28:05 -0700 (PDT) Received: by 10.151.50.12 with HTTP; Wed, 23 Jul 2008 11:28:05 -0700 (PDT) Message-ID: Date: Wed, 23 Jul 2008 21:28:05 +0300 From: "Ivan Petrushev" To: freebsd-pf@freebsd.org In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <48876DAD.9080100@optiksecurite.com> Subject: Why this rule doesn't 
score a match? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Jul 2008 18:28:06 -0000 Hmmm, yes I'm on FreeBSD 7 I tried these pass rules before - nothing gets logged. I thought traffic is going both TO these ports and FROM these ports. Let's take for example a simple HTTP connection. The browser communicates to the remote server trough remote port 80 and says 'GET /index.html', then closes the connection. The HTTP server on the remote side opens a connection to the local machine (on some of our local port range)... but what is the port number on his side? I think that it is again 80. About pass in/pass out - I think that in/out keyword can be dropped? PF can do without that, right? These are my current filter rules, still nothing gets logged: ############################## pass log on $if proto tcp from any port $tcp_services pass log on $if proto udp from any port $udp_services pass log on $if proto tcp from any to $ext_ip port $tcp_services pass log on $if proto udp from any to $ext_ip port $udp_services ############################# Regards, Ivan. On Wed, Jul 23, 2008 at 8:43 PM, FreeBSD wrote: > Ivan Petrushev a =E9crit : >> >> Hello, >> I'm trying very simple 'block all, allow a few' firewall, but >> something doesn't seem right. >> As far as I remember 'the right matched rule' is taken and executed - >> this doesn't seem working here. 
>> Here is my firewall: >> ##################### >> #macros >> if =3D "re0" >> ext_ip =3D "10.10.10.21" >> tcp_services =3D "{http, https, ssh, domain, 5190, 5222, ftp, 1025}" >> udp_services =3D "{domain, 5190, 5222, ftp}" >> >> #filter >> block in log on $if >> pass on $if proto tcp from any port $tcp_services >> pass on $if proto udp from any port $udp_services >> #################### >> The point here is that if a packet for some of the listed service is >> matching against the rules, it will match the block rule, but after >> that will match some of the last two and get passed. Instead it gets >> blocked and I see it into the log: >> tcpdump -n -i pflog0 >> 19:54:57.657194 IP 64.12.161.185.5190 > 10.10.10.21.54111: tcp 24 >> [bad hdr length 0 - too short, < 20] >> (there are many of these, including on the other ports) >> >> Now, there is something different. I tried removing the block rule, >> and added logging for the 'pass' rules. In that case a packet >> traveling down the rules should match only on the 'pass' rules and get >> logged. >> #################### >> #filter >> #block in log on $if >> pass log on $if proto tcp from any port $tcp_services >> pass log on $if proto udp from any port $udp_services >> #################### >> >> Well, it doesn't get logged. The only thing I see into the log is: >> 20:12:53.185368 IP 10.10.10.1.53 > 10.10.10.21.60918: [|domain] >> And more DNS requests. There is nothing from 5190 (ICQ) or 5222 (Gtalk) = or >> 80... >> >> What could be wrong here - it is fairly simple ruleset? >> > > You should try "pass in on $if proto tcp from any to $ext_ip port > $tcp_services flags S/SA keep state" and "pass in on $if proto udp from a= ny > to $ext_ip port $udp_services keep state" > > Your rule expect the traffic to came FROM $tcp_services but it is goint T= O > those ports. > > You can omit the "flags S/SA keep state" and the "keep state" if you're > using FreeBSD 7, it is added automatically. 
> > I would also suggest you to use "block all log" instead of "block in log" > and specifiy rules for your outgoing traffic too. > > Good luck > > Martin > From owner-freebsd-pf@FreeBSD.ORG Wed Jul 23 18:44:32 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E216B1065675 for ; Wed, 23 Jul 2008 18:44:32 +0000 (UTC) (envelope-from freebsd@optiksecurite.com) Received: from relais.videotron.ca (relais.videotron.ca [24.201.245.36]) by mx1.freebsd.org (Postfix) with ESMTP id CA0928FC1F for ; Wed, 23 Jul 2008 18:44:32 +0000 (UTC) (envelope-from freebsd@optiksecurite.com) MIME-version: 1.0 Content-transfer-encoding: 8BIT Content-type: text/plain; charset=ISO-8859-1; format=flowed Received: from [192.168.10.102] ([74.56.107.65]) by VL-MH-MR002.ip.videotron.ca (Sun Java(tm) System Messaging Server 6.3-4.01 (built Aug 3 2007; 32bit)) with ESMTP id <0K4G00D4AZVQ5I20@VL-MH-MR002.ip.videotron.ca> for freebsd-pf@freebsd.org; Wed, 23 Jul 2008 13:43:02 -0400 (EDT) Message-id: <48876DAD.9080100@optiksecurite.com> Date: Wed, 23 Jul 2008 13:43:09 -0400 From: FreeBSD User-Agent: Thunderbird 2.0.0.14 (Windows/20080421) To: Ivan Petrushev References: In-reply-to: Cc: freebsd-pf@freebsd.org Subject: Re: Why this rule doesn't score a match? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Jul 2008 18:44:33 -0000 Ivan Petrushev a écrit : > Hello, > I'm trying very simple 'block all, allow a few' firewall, but > something doesn't seem right. > As far as I remember 'the right matched rule' is taken and executed - > this doesn't seem working here. 
> Here is my firewall: > ##################### > #macros > if = "re0" > ext_ip = "10.10.10.21" > tcp_services = "{http, https, ssh, domain, 5190, 5222, ftp, 1025}" > udp_services = "{domain, 5190, 5222, ftp}" > > #filter > block in log on $if > pass on $if proto tcp from any port $tcp_services > pass on $if proto udp from any port $udp_services > #################### > The point here is that if a packet for some of the listed service is > matching against the rules, it will match the block rule, but after > that will match some of the last two and get passed. Instead it gets > blocked and I see it into the log: > tcpdump -n -i pflog0 > 19:54:57.657194 IP 64.12.161.185.5190 > 10.10.10.21.54111: tcp 24 > [bad hdr length 0 - too short, < 20] > (there are many of these, including on the other ports) > > Now, there is something different. I tried removing the block rule, > and added logging for the 'pass' rules. In that case a packet > traveling down the rules should match only on the 'pass' rules and get > logged. > #################### > #filter > #block in log on $if > pass log on $if proto tcp from any port $tcp_services > pass log on $if proto udp from any port $udp_services > #################### > > Well, it doesn't get logged. The only thing I see into the log is: > 20:12:53.185368 IP 10.10.10.1.53 > 10.10.10.21.60918: [|domain] > And more DNS requests. There is nothing from 5190 (ICQ) or 5222 (Gtalk) or 80... > > What could be wrong here - it is fairly simple ruleset? > You should try "pass in on $if proto tcp from any to $ext_ip port $tcp_services flags S/SA keep state" and "pass in on $if proto udp from any to $ext_ip port $udp_services keep state" Your rule expect the traffic to came FROM $tcp_services but it is goint TO those ports. You can omit the "flags S/SA keep state" and the "keep state" if you're using FreeBSD 7, it is added automatically. 
I would also suggest you to use "block all log" instead of "block in log" and specifiy rules for your outgoing traffic too. Good luck Martin From owner-freebsd-pf@FreeBSD.ORG Wed Jul 23 19:21:57 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E497C106567B for ; Wed, 23 Jul 2008 19:21:56 +0000 (UTC) (envelope-from ivanatora@gmail.com) Received: from yw-out-2324.google.com (yw-out-2324.google.com [74.125.46.28]) by mx1.freebsd.org (Postfix) with ESMTP id A2B198FC19 for ; Wed, 23 Jul 2008 19:21:56 +0000 (UTC) (envelope-from ivanatora@gmail.com) Received: by yw-out-2324.google.com with SMTP id 9so984714ywe.13 for ; Wed, 23 Jul 2008 12:21:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=/+wZONWqGoipPPpn35s+5LRnpqCF35e+CVDAWW4BHMk=; b=Dgmu+NtG+tFABw1jQ8el6B8YbC9jb2ZqKZMuUkuVrmxzjmZs+A8cptfJulsBv4y4ll ZeJ1tN9PmdaBKmgQYFTEygRIyqqotCmjZdgSPNxIs4hNEmxEpQtCPJL8o7wiTXWmFGLi Sh3pe+rwBckEF4vp1EJ/YNfIgYu7zGsDA4noM= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=MUkKWgDFXFmfq4UHAPcrEW08736OmGfFOZs2CtvyTohoxsjME7uNLyHd6pZ3xuRHdC qzOhBXpdMnwBW4GQGumoSZstp7m4f5pDq96VYOIw65uYPaiyVzfF8anBoUeMn25QtMQa 3gB8nYnBV3siPtlQbb9ld5+5uposjTg7J/P9k= Received: by 10.151.84.12 with SMTP id m12mr2110ybl.221.1216840915770; Wed, 23 Jul 2008 12:21:55 -0700 (PDT) Received: by 10.151.50.12 with HTTP; Wed, 23 Jul 2008 12:21:55 -0700 (PDT) Message-ID: Date: Wed, 23 Jul 2008 22:21:55 +0300 From: "Ivan Petrushev" To: "Jon Radel" In-Reply-To: <488780A6.4010807@radel.com> MIME-Version: 1.0 Content-Type: text/plain; 
charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <48876DAD.9080100@optiksecurite.com> <488780A6.4010807@radel.com> Cc: freebsd-pf@freebsd.org Subject: Re: Why this rule doesn't score a match? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Jul 2008 19:21:57 -0000 Hi Jon, Aaahhh, I see now - these FROM rules must be TO rules :D Thank you both for your replies. I'm going to monitor the outbond connections as well, but I think I will be OK then. This was the little stone in the shoe. I've already managed to let ICMP trough that 'block all' ;) Btw, I like the way pflog is working - deploying tcpdump on pflog0 and track down the logged packets. Is there a way to create another pflog device and use it for some different rules? I've seen there is an option to the 'log' keyword - (to pflogX), but I didn't managed to find out how to create more pflog devices. Regards, Ivan. On Wed, Jul 23, 2008 at 10:04 PM, Jon Radel wrote: > Ivan Petrushev wrote: >> >> Hmmm, yes I'm on FreeBSD 7 >> I tried these pass rules before - nothing gets logged. >> I thought traffic is going both TO these ports and FROM these ports. >> Let's take for example a simple HTTP connection. The browser >> communicates to the remote server trough remote port 80 and says 'GET >> /index.html', then closes the connection. The HTTP server on the >> remote side opens a connection to the local machine (on some of our >> local port range)... but what is the port number on his side? I think >> that it is again 80. >> About pass in/pass out - I think that in/out keyword can be dropped? >> PF can do without that, right? 
>> >> These are my current filter rules, still nothing gets logged: >> ############################## >> pass log on $if proto tcp from any port $tcp_services >> pass log on $if proto udp from any port $udp_services >> pass log on $if proto tcp from any to $ext_ip port $tcp_services >> pass log on $if proto udp from any to $ext_ip port $udp_services >> ############################# > > HTTP doesn't work like that. The client opens a connection from an > arbitrary port (generally high and pseudo-random) to port 80 (or 8080, or > whatever the published port the server listens on is). The server does NOT > open a connection to you. > > Your initial packet to the web server > > from YOU port NNNN > to SERVER port 80 > > never gets through your rule set so there's never a response from the server > to get logged. > > You'd do much better, if this is a workstation on which you run a webbrowser > and other clients, rather than a router/firewall, to do something like: > > pass out on $if proto tcp to any port $tcp_services flags S/SA keep state > > This allows the initial packet from your machine out and uses the PF state > mechanism (which you really, really, really should be using for reasons of > efficiency and security) to allow all further packets for that TCP > connection both in and out on that interface. > > Unless you're offering services on this computer to which you want other > machines to establish connections, you're much better off having no, or > minimal, "pass in" rules. That way people can't send you random, possibly > nasty, packets which you accept simply because they used a source port of > 80. 
> > --Jon Radel > From owner-freebsd-pf@FreeBSD.ORG Wed Jul 23 19:35:30 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DA4CF1065671 for ; Wed, 23 Jul 2008 19:35:30 +0000 (UTC) (envelope-from portcitycs@gmail.com) Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.179]) by mx1.freebsd.org (Postfix) with ESMTP id 947668FC0C for ; Wed, 23 Jul 2008 19:35:29 +0000 (UTC) (envelope-from portcitycs@gmail.com) Received: by py-out-1112.google.com with SMTP id p76so1848116pyb.10 for ; Wed, 23 Jul 2008 12:35:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:in-reply-to:mime-version:content-type:references; bh=kuYxaJ/2ZigMz3VnZ13R176BvoSTca/iO3i7WzFEtxA=; b=LJ7LQDWqXWxelq67EixZ2+L8SfkaK7jndPc+fecNjRg/Qer8gKqVNl8Q+nmJNeIfVJ 9P3WQ2YeUlPkNNi+fipGoj+Qwrk6pnVXnAKUx+nG4f2PXU86xsGBLHcg2LDyYFvGjS6e qGAaJEEH+SLhi8ejd3UA7L6TAaNGySaOgOqdg= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:in-reply-to:mime-version :content-type:references; b=tLnnNohq3lQ0YgcqywfoPTVdvgfvQ0zltqbQQ6qCvnVjHg5cmd50mDQzGu2LYP+8+o 0qabp41r09Y0YOVx7KzWJaPhWn06n6fXe6VilXep4StHME2ZPQDKoqqFuVGQAqxXaLVi QtAx0kwGCYKxN9SLyc7S1PbVgVN8PhM6pS1cQ= Received: by 10.142.134.17 with SMTP id h17mr35675wfd.346.1216840248048; Wed, 23 Jul 2008 12:10:48 -0700 (PDT) Received: by 10.142.238.10 with HTTP; Wed, 23 Jul 2008 12:10:48 -0700 (PDT) Message-ID: <5a1835cd0807231210h14b580cfy51e823df486ae61f@mail.gmail.com> Date: Wed, 23 Jul 2008 15:10:48 -0400 From: "Lyle Scott III" To: freebsd-pf@freebsd.org In-Reply-To: <3A0AA7018522134597ED63B3B794C92A027402C3@STA-HQ-S001.starcomms.local> MIME-Version: 1.0 References: <8dfae1c10807230603o1060aa69jc9ccf2e4bc66f275@mail.gmail.com> 
<3A0AA7018522134597ED63B3B794C92A027402C3@STA-HQ-S001.starcomms.local> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Re: Limiting client bandwidth with PF X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Jul 2008 19:35:31 -0000 I have used PF for a few years on various servers and would like to play with ALTQ functionality (finally have some time!), yet I read about quite a few 'bugs' with pf/altq ... Should I even bother? It is posts such as these that are quite discouraging! (not hating on poster :) ) I think FreeBSD is the greatest OS ever and I love the functionality (and syntax) of PF... and would love to see ALTQ throw in to the mix. On Wed, Jul 23, 2008 at 10:51 AM, Catalin Miclaus wrote: > Hello Walter, > > There are some open bugs for pf with altq. > You may want to consider ipfw and pipes to achieve same. > > > > > > > > > > Best Regards > Catalin Miclaus > Network/Security ISP-Data > Starcomms Ltd. > > -----Original Message----- > From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] > On Behalf Of Walter Venable > Sent: Wednesday, July 23, 2008 2:04 PM > To: freebsd-pf@freebsd.org > Subject: Limiting client bandwidth with PF > > Hi all, I'm having some trouble getting pf to do what I want. > I'm a newbie to pf, so I can't get my configuration quite right. > > We have a 3Mb/1Mb connection and I want to limit my clients each to > 128Kbps/64Kbps. 
>
> First things first, limit them to 128Kbps, but that isn't even working, as
> clients are still maxing at 3Mbps:
>
> $ cat /etc/pf.conf
> int_if="rl0"
> ext_if="nfe0"
> int_net="192.168.2.0/24"
>
> altq on $ext_if hfsc bandwidth 3Mb queue { clients }
> queue clients bandwidth 128Kb hfsc ( default rio )
> pass in quick log on $int_if proto tcp from $int_net to any \
>     flags S/SA keep state queue clients
>
> $ sudo pfctl -sq
> queue root_nfe0 on nfe0 bandwidth 3Mb priority 0 {clients}
> queue clients on nfe0 bandwidth 128Kb hfsc( rio default )
>
> Can anyone say why this isn't working? More info about the network if you
> need it:
>
> Internet -- Router (192.168.1.1) -- (nfe0 @ 192.168.1.200) FreeBSD Gateway
> (rl0 @ 192.168.2.1) -- switch -- Clients (192.168.2.0/24)
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
--
Lyle Scott, III
http://www.lylescott.ws

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 23 20:04:25 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8E9BE1065676 for ; Wed, 23 Jul 2008 20:04:25 +0000 (UTC) (envelope-from jon@radel.com) Received: from wave.radel.com (wave.radel.com [216.143.151.4]) by mx1.freebsd.org (Postfix) with ESMTP id 275488FC08 for ; Wed, 23 Jul 2008 20:04:24 +0000 (UTC) (envelope-from jon@radel.com) Received: by wave.radel.com (CommuniGate Pro PIPE 4.1.6) with PIPE id 7800671; Wed, 23 Jul 2008 15:04:24 -0400 Received: from [192.168.43.221] (account jon@radel.com HELO braeburn.local) by wave.radel.com (CommuniGate Pro SMTP 4.1.6) with ESMTP-TLS id 7800669; Wed, 23 Jul 2008 15:04:06 -0400 Message-ID: <488780A6.4010807@radel.com> Date: Wed, 23 Jul 2008 15:04:06 -0400 From: Jon Radel User-Agent: Thunderbird 2.0.0.14 (Macintosh/20080421) MIME-Version: 1.0 To: Ivan Petrushev References: <48876DAD.9080100@optiksecurite.com> In-Reply-To: X-Enigmail-Version: 0.95.6 Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms030602040907000308090203" X-Radel.com-MailScanner-Information: Please contact Jon for more information X-Radel.com-MailScanner: Found to be clean X-Mailer: CommuniGate Pro CLI mailer Cc: freebsd-pf@freebsd.org Subject: Re: Why this rule doesn't score a match?
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Jul 2008 20:04:25 -0000 This is a cryptographically signed message in MIME format. --------------ms030602040907000308090203 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit

Ivan Petrushev wrote:
> Hmmm, yes I'm on FreeBSD 7
> I tried these pass rules before - nothing gets logged.
> I thought traffic is going both TO these ports and FROM these ports.
> Let's take for example a simple HTTP connection. The browser
> communicates to the remote server through remote port 80 and says 'GET
> /index.html', then closes the connection. The HTTP server on the
> remote side opens a connection to the local machine (on some of our
> local port range)... but what is the port number on his side? I think
> that it is again 80.
> About pass in/pass out - I think that in/out keyword can be dropped?
> PF can do without that, right?
>
> These are my current filter rules, still nothing gets logged:
> ##############################
> pass log on $if proto tcp from any port $tcp_services
> pass log on $if proto udp from any port $udp_services
> pass log on $if proto tcp from any to $ext_ip port $tcp_services
> pass log on $if proto udp from any to $ext_ip port $udp_services
> #############################

HTTP doesn't work like that. The client opens a connection from an arbitrary port (generally high and pseudo-random) to port 80 (or 8080, or whatever the published port the server listens on is). The server does NOT open a connection to you. Your initial packet to the web server from YOU port NNNN to SERVER port 80 never gets through your rule set so there's never a response from the server to get logged.
You'd do much better, if this is a workstation on which you run a web browser and other clients, rather than a router/firewall, to do something like:

pass out on $if proto tcp to any port $tcp_services flags S/SA keep state

This allows the initial packet from your machine out and uses the PF state mechanism (which you really, really, really should be using for reasons of efficiency and security) to allow all further packets for that TCP connection both in and out on that interface.

Unless you're offering services on this computer to which you want other machines to establish connections, you're much better off having no, or minimal, "pass in" rules. That way people can't send you random, possibly nasty, packets which you accept simply because they used a source port of 80.

--Jon Radel
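What that advice looks like as a complete rule set for a client-only workstation, as an added example written for this page (it is not Jon's mail, Ivan's configuration, or anything from the FreeBSD documentation). The interface name, the `$tcp_services`/`$udp_services` port lists and the `$served` list are assumptions standing in for Ivan's macros; the point to notice is that no rule matches on a source port, so a packet arriving "from port 80" is accepted only if it belongs to a state this host itself created:

```pf
# Added example of a client-only workstation rule set. The interface
# name, the port lists and the one served port are assumptions.
if="em0"
tcp_services="{ 22, 25, 53, 80, 443, 993 }"   # what this host connects to
udp_services="{ 53, 123 }"
served="{ 22 }"                               # what this host offers (assumed: sshd)

set skip on lo0
set block-policy drop

scrub in all

# Default deny, and log what is dropped so that
#   tcpdump -n -e -ttt -i pflog0
# shows exactly which packets never matched a pass rule.
block in log all
block out log all

# Outbound client traffic. The outgoing SYN creates a state entry; the
# server's replies (source port 80, 443, ...) are admitted because they
# match that state, not because of their source port. A stranger who
# sends a packet "from port 80" has no state and hits the block rule.
pass out on $if proto tcp to any port $tcp_services flags S/SA keep state
pass out on $if proto udp to any port $udp_services keep state
pass out on $if inet proto icmp icmp-type echoreq keep state

# The only inbound connections this host accepts: the service it runs,
# with a per-source cap so a scanner cannot fill the state table.
# Delete this rule if nothing listens.
pass in on $if proto tcp from any to ($if) port $served \
    flags S/SA keep state (source-track rule, max-src-states 20)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Because none of the rules use `quick`, the last matching rule wins, which is why the `pass` lines sit below the two `block ... log` lines; anything that reaches the block rules, including a probe crafted with source port 80, appears on `pflog0` as a drop rather than a pass, which is the behaviour Ivan's `from any port $tcp_services` rules could not give him.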
--------------ms030602040907000308090203-- From owner-freebsd-pf@FreeBSD.ORG Wed Jul 23 21:22:03 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 52B601065676 for ; Wed, 23 Jul 2008 21:22:03 +0000 (UTC) (envelope-from thomas@gibfest.dk) Received: from mail.gibfest.dk (tyknet.dk [80.160.141.33]) by mx1.freebsd.org (Postfix) with ESMTP id 13B968FC17 for ;
Wed, 23 Jul 2008 21:22:02 +0000 (UTC) (envelope-from thomas@gibfest.dk) Received: from mail.gibfest.dk (localhost [127.0.0.1]) by mail.gibfest.dk (Postfix) with ESMTP id 8F1E7B907 for ; Wed, 23 Jul 2008 22:57:26 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on doobie.tyknet.cn.dom X-Spam-Level: X-Spam-Status: No, score=-4.4 required=5.0 tests=ALL_TRUSTED,BAYES_00 autolearn=ham version=3.2.5 Received: from [10.10.1.111] (tykling.tyknet.cn.dom [10.10.1.111]) by mail.gibfest.dk (Postfix) with ESMTP id 80B78B8A6 for ; Wed, 23 Jul 2008 22:57:26 +0200 (CEST) Message-ID: <48879B35.1060905@gibfest.dk> Date: Wed, 23 Jul 2008 22:57:25 +0200 From: Thomas Rasmussen User-Agent: Thunderbird 2.0.0.14 (Windows/20080421) MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: <48876DAD.9080100@optiksecurite.com> <488780A6.4010807@radel.com> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: Why this rule doesn't score a match? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Jul 2008 21:22:03 -0000

Ivan Petrushev wrote:
> Hi Jon,
> Aaahhh, I see now - these FROM rules must be TO rules :D
> Thank you both for your replies.
>
> I'm going to monitor the outbound connections as well, but I think I
> will be OK then. This was the little stone in the shoe.
> I've already managed to let ICMP through that 'block all' ;)
>
> Btw, I like the way pflog is working - deploying tcpdump on pflog0 and
> tracking down the logged packets. Is there a way to create another pflog
> device and use it for some different rules? I've seen there is an
> option to the 'log' keyword - (to pflogX), but I didn't manage to
> find out how to create more pflog devices.
>
> Regards,
> Ivan.
>

Hello,

To create another pflog interface do:
ifconfig pflog1 create

And to create it at boot time add:
cloned_interfaces="pflog1"
to /etc/rc.conf

Regards

Thomas

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 24 11:01:02 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 08A361065671 for ; Thu, 24 Jul 2008 11:01:02 +0000 (UTC) (envelope-from rj@shadowbots.com) Received: from fk-out-0910.google.com (fk-out-0910.google.com [209.85.128.190]) by mx1.freebsd.org (Postfix) with ESMTP id DB1498FC14 for ; Thu, 24 Jul 2008 11:01:00 +0000 (UTC) (envelope-from rj@shadowbots.com) Received: by fk-out-0910.google.com with SMTP id k31so2070220fkk.11 for ; Thu, 24 Jul 2008 04:00:59 -0700 (PDT) Received: by 10.180.208.5 with SMTP id f5mr38263bkg.42.1216895696605; Thu, 24 Jul 2008 03:34:56 -0700 (PDT) Received: by 10.103.192.5 with HTTP; Thu, 24 Jul 2008 03:34:56 -0700 (PDT) Message-ID: <9072a4470807240334l7829fddbudbeea941fe1b77ad@mail.gmail.com> Date: Thu, 24 Jul 2008 06:34:56 -0400 From: "Robert Jameson" Sender: rj@shadowbots.com To: freebsd-pf@freebsd.org In-Reply-To: <9072a4470807240321y59f827fdn287011c0336ae866@mail.gmail.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_Part_2909_22637454.1216895696594" References: <9072a4470807232259x603f46k49474f5eb309d0fa@mail.gmail.com> <20080724074919.GA36163@eos.sc1.parodius.com> <9072a4470807240255v4d3f8e72gf8bfb39999b2dcbd@mail.gmail.com> <9072a4470807240321y59f827fdn287011c0336ae866@mail.gmail.com> X-Google-Sender-Auth: 0966e4f9ed8c691f X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: network problems 7.0-p3: sendto: Operation not permitted X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date:
Thu, 24 Jul 2008 11:01:02 -0000 ------=_Part_2909_22637454.1216895696594 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline

Hello everyone,

I'm not sure about how this works, I was told to share this information with this group because of a possible issue with PF

My rules are in place @ http://rj.dawnshosting.com/fbsd_ml/pf.conf

If anyone has a chance and can tell me what is wrong about them, it would mean a lot to me. My configuration worked fine before the update to 7.0-P3 like I said, but if we fix the rules then we can begin the process of elimination.

Thanks so much guys

From: *Robert Jameson*
Date: Thu, Jul 24, 2008 at 1:59 AM
To: freebsd-stable

Hello Everyone,

Recently I upgraded to freebsd 7.0-p3 from 7.0-p2, once I upgraded I began to have problems with my network, nothing has changed configuration wise, let me show you guys an example.

(12:46 AM):(root@cube)/$ ping google.com
PING google.com (72.14.207.99): 56 data bytes
64 bytes from 72.14.207.99: icmp_seq=0 ttl=240 time=64.713 ms
^C
--- google.com ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 64.713/64.713/64.713/0.000 ms
(12:46 AM):(root@cube)/$ ping google.com
PING google.com (72.14.207.99): 56 data bytes
64 bytes from 72.14.207.99: icmp_seq=0 ttl=240 time=73.814 ms
64 bytes from 72.14.207.99: icmp_seq=1 ttl=240 time=64.943 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 64.943/69.379/73.814/4.435 ms
(12:46 AM):(root@cube)/$ ping google.com
PING google.com (72.14.207.99): 56 data bytes
ping: sendto: Operation not permitted
^C
--- google.com ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
(12:46 AM):(root@cube)/$

As you can see above, I issued the ping command (4) times waiting for output and then doing CTRL+C to interrupt the commands quickly and send them again; on the 4th try I did not interrupt it and received the operation not permitted. Hitting ctrl+c on this error I can type ping again and it will work correctly.

I have the same problem with almost every network command, wget, curl, fetch, lynx, ssh, nslookup, host etc.

This appears to be an issue with the network. I have attached my rc.conf and sysctl.conf and pf.conf, please let me know if any other information is required.

Errors from /var/log/console.log:

Jul 18 21:10:02 cube kernel: Jul 18 21:10:02 cube named[908]: socket: too many open file descriptors
Jul 19 00:30:13 cube kernel: Jul 19 00:30:13 cube named[9748]: socket: too many open file descriptors
Jul 19 00:30:54 cube kernel: Jul 19 00:30:14 cube last message repeated 28 times

Initially I figured this problem was bind related and since it has been a planned project for the past few months to switch to djbdns, I took the time to switch to djbdns, so bind is no longer running.

I was also receiving this in /var/log/messages:

Jul 20 22:15:39 cube kernel: Limiting open port RST response from 318 to 200 packets/sec
Jul 20 22:15:40 cube kernel: Limiting open port RST response from 624 to 200 packets/sec
Jul 20 22:15:42 cube kernel: Limiting open port RST response from 213 to 200 packets/sec
Jul 20 22:15:50 cube kernel: Limiting open port RST response from 439 to 200 packets/sec
Jul 20 22:15:51 cube kernel: Limiting open port RST response from 673 to 200 packets/sec
Jul 20 22:15:52 cube kernel: Limiting open port RST response from 730 to 200 packets/sec
Jul 20 22:15:53 cube kernel: Limiting open port RST response from 307 to 200 packets/sec
Jul 20 22:16:02 cube kernel: Limiting open port RST response from 435 to 200 packets/sec
Jul 20 22:16:03 cube kernel: Limiting open port RST response from 730 to 200 packets/sec
Jul 20 22:16:04 cube kernel: Limiting open port RST response from 287 to 200 packets/sec
Jul 20 22:16:13 cube kernel: Limiting open port RST response from 519 to 200 packets/sec
Jul 20 22:16:14 cube kernel: Limiting open port RST response from 740 to 200 packets/sec
Jul 20 22:16:15 cube kernel: Limiting open port RST response from 258 to 200 packets/sec
Jul 20 22:16:24 cube kernel: Limiting open port RST response from 407 to 200 packets/sec
Jul 20 22:16:25 cube kernel: Limiting open port RST response from 660 to 200 packets/sec

After spending some time on Google I came up with:

/etc/sysctl.conf
net.inet.icmp.icmplim=2000

I know it seems a bit high, but I kept adjusting until the error went away. (not really fixing the problem?)

If your mail client or the mailing list prevents you from seeing the attached
You can view them here: http://rj.dawnshosting.com/fbsd_ml/

PS: While running tcpdump I see this

tcpdump -i fxp0

Neither one of these IPs exists on my system, is my cable company doing something wrong?

01:47:12.135929 arp who-has 64.253.3.161.dyn-cm-pool73.pool.hargray.net tell 64.253.3.1.dyn-cm-pool73.pool.hargray.net
01:47:12.155931 arp who-has 216.16.218.141.dyn-cm-pool46.pool.hargray.net tell 216.16.218.1.dyn-cm-pool46.pool.hargray.net
01:47:12.196000 arp who-has 181.131.216.67.181.static.hargray.net tell 1.131.216.67.1.static.hargray.net

tcpdump -i fxp0 | grep ICMP:

Is this an attack?
01:55:41.231722 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37084, length 64
01:55:42.232794 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37085, length 64
01:55:43.285913 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37086, length 64
01:55:44.286340 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37087, length 64
01:55:45.287380 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37088, length 64
01:55:46.345843 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37089, length 64
01:55:47.346685 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37090, length 64
01:55:48.347366 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37091, length 64
01:55:49.348370 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37092, length 64
01:55:50.360130 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37093, length 64
01:55:51.596916 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37094, length 64
01:55:52.597659 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37095, length 64
01:55:53.640120 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37096, length 64
01:55:54.735275 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37097, length 64
01:55:55.735568 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37098, length 64
01:55:56.745012 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37099, length 64
01:55:57.835442 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37100, length 64
01:55:58.920583 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37101, length 64
01:56:00.022747 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37102, length 64

----------
From: *Alex Trull*
Date: Thu, Jul 24, 2008 at 3:29 AM
To: Robert Jameson

Robert,

The config files you attached were a series of 403 forbidden htmls.

The icmp pings (1 per second) do not constitute an attack.

It looks like you are genuinely running out of free states or file descriptors. Had you applied any tuning that may have been lost in the upgrade ?

How many packets and sessions is this host meant to be handling - and what sort of traffic ?

--
Alex

> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"

----------
From: *Alex Trull*
Date: Thu, Jul 24, 2008 at 3:31 AM
To: Robert Jameson
Cc: freebsd-stable

----------
From: *Jeremy Chadwick*
Date: Thu, Jul 24, 2008 at 3:49 AM
To: Robert Jameson
Cc: freebsd-stable

Let's see if I can figure out the multitude of things you've posted about, since a bunch are unrelated and you appear to be flailing around with your arms in the air. :-)

This usually indicates firewall rules on the local machine, although I believe there are some other operations where EPERM can be returned. Can you provide uname -a output?

There was a "cable modem compatibility fix" applied to FreeBSD a while ago (a user informed me of such), although I do not know if it applies to you, as I do not know the original symptoms. I believe that fix was also just for TCP.

This indicates a completely different/unrelated problem.

This indicates a high number of ICMP packets being received.
Keep in mind this can also be seen due to TCP connections which are being reset and other such things -- ICMP is at a higher layer than TCP. I don't think there's necessarily anything "wrong" with that number (you show up to 740), but it would be worthwhile investigating what's soliciting that amount of ICMP traffic. Are you seeing this 24x7x365?

It's not a big high; FreeBSD's 200 default is too low for any production server, if you ask me. Setting it to 2000 is probably fine.

You should discuss your firewalling rules on freebsd-pf, and not here. I believe you may have some mistakes which are inducing said problem.

Nope. This is normal behaviour for a cable modem network; they constantly spam layer 2 ARP for *everyone* on the entire cable network segment. Yes, you read that right.

At this rate (1 ICMP packet a second), absolutely not.

You also don't mention which FQDN/IP is yours; I assume "cube.dawnshosting.com", based on your local hostname in the above. Your machine is sending out an ICMP ping packet to purple.haze.bluntroll.in every 1 second. If you don't know why, you need to investigate why.

--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |

----------
From: *Robert Jameson*
Date: Thu, Jul 24, 2008 at 5:55 AM
To: Jeremy Chadwick

Sorry about that, bit of an information overload, I really am flailing my arms around!

Tried running with my firewall disabled/wide, problem still occurs

FreeBSD cube.dawnshosting.com 7.0-RELEASE-p3 FreeBSD 7.0-RELEASE-p3 #5: Wed Jul 16 21:55:02 EDT 2008 root@cube.dawnshosting.com:/usr/obj/usr/src/sys/CUBE i386

Was the patch applied upstream? If not and it's not too much trouble can you point me in the direction of it.

Ah, thought they were related, what's causing this :)!

Yes, it's constant.
Let it be known I also have 2 network cards in the machine, 1 into my cable modem and another into a Linksys 16-port VPN router. The defaultrouter is set to a WAN IP (not 10.192.240.1), not that any of that matters, I don't think?

I read a bit about it from the handbook, I think it's a non-issue.

Might be worth mentioning the only real service change to this machine was an ircd daemon w/ about 500 users.

I will send them an e-mail shortly, thanks.

Ah, ok, nothing to see here, keep moving.

Correct, cube.dawnshosting.com is the actual FreeBSD machine.

Sorry for the newbish question, off the top of your head how can I see who/what is using this process?

----------
From: *Robert Jameson*
Date: Thu, Jul 24, 2008 at 6:21 AM
To: freebsd-stable

Still don't know what's going on, I'm currently sitting here with no firewall between me and the internet (very nervous) seeing if it fixes the problems, as of right this moment, still seeing permission denied errors.

I have fixed the 403 errors now. http://rj.dawnshosting.com/fbsd_ml/ now contains sysctl.conf rc.conf pf.conf
------=_Part_2909_22637454.1216895696594-- From owner-freebsd-pf@FreeBSD.ORG Thu Jul 24 12:57:54 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B32E6106572C for ; Thu, 24 Jul 2008 12:57:54 +0000 (UTC) (envelope-from ivanatora@gmail.com) Received: from py-out-1112.google.com
(py-out-1112.google.com [64.233.166.176]) by mx1.freebsd.org (Postfix) with ESMTP id 76A5C8FC22 for ; Thu, 24 Jul 2008 12:57:54 +0000 (UTC) (envelope-from ivanatora@gmail.com) Received: by py-out-1112.google.com with SMTP id p76so2071456pyb.10 for ; Thu, 24 Jul 2008 05:57:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=4l9nPg4/TsWZ8FOXhAmmK2xl7eIx+Q0rSbdgGrM7rUg=; b=Cbmsua2iiaAdUNniEJQAyiDc4E6+c4kdlY+vqsFFM+xNep21G3qD94qF0sINXu0WlD 5dY4tGT5y+MCCEiuyiavi9+GTQcn1W6O3ada48ABMhmymYZ2toshu7aV7lTzLbnY+M4G xQM8QLqQdils17qHjOgsFxlgxqwF0nqDtv2Os= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=fITvW2KLirnhL7+Smwvo0wI6m++X9xgzZa0pn1jq/cad4RQz2OZpsLmYqT2/PBqdIB 1BLFajplSzyp1O/LpWZCcGQ5bP1glr6cQWqf2I54hWzQEt+Up7ZxWB9N5NjjDzeIamCF b+E1k4mwog/ntFWeWMksiARoetYDNtmHcmQFs= Received: by 10.64.151.10 with SMTP id y10mr501295qbd.14.1216904273013; Thu, 24 Jul 2008 05:57:53 -0700 (PDT) Received: by 10.151.50.12 with HTTP; Thu, 24 Jul 2008 05:57:52 -0700 (PDT) Message-ID: Date: Thu, 24 Jul 2008 15:57:52 +0300 From: "Ivan Petrushev" To: "Thomas Rasmussen" In-Reply-To: <48879B35.1060905@gibfest.dk> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <48876DAD.9080100@optiksecurite.com> <488780A6.4010807@radel.com> <48879B35.1060905@gibfest.dk> Cc: freebsd-pf@freebsd.org Subject: Re: Why this rule doesn't score a match? 
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Jul 2008 12:57:54 -0000 Hello Thomas, I'm receiving an error: # ifconfig plog1 create ifconfig: SIOCIFCREATE2: Invalid argument and I can't see anything in 'man ifconfig' related to the pflog device. Regards, Ivan On Wed, Jul 23, 2008 at 11:57 PM, Thomas Rasmussen wrote: > Ivan Petrushev wrote: >> >> Hi Jon, >> Aaahhh, I see now - these FROM rules must be TO rules :D >> Thank you both for your replies. >> >> I'm going to monitor the outbound connections as well, but I think I >> will be OK then. This was the little stone in the shoe. >> I've already managed to let ICMP through that 'block all' ;) >> >> Btw, I like the way pflog is working - deploying tcpdump on pflog0 and >> track down the logged packets. Is there a way to create another pflog >> device and use it for some different rules? I've seen there is an >> option to the 'log' keyword - (to pflogX), but I didn't manage to >> find out how to create more pflog devices. >> >> Regards, >> Ivan.
>> > > Hello, > > To create another pflog interface do: > ifconfig pflog1 create > > And to create it at boot time add: > cloned_interfaces="pflog1" > to /etc/rc.conf > > Regards > > Thomas > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > From owner-freebsd-pf@FreeBSD.ORG Thu Jul 24 13:55:46 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B37451065682 for ; Thu, 24 Jul 2008 13:55:46 +0000 (UTC) (envelope-from freebsd@optiksecurite.com) Received: from relais.videotron.ca (relais.videotron.ca [24.201.245.36]) by mx1.freebsd.org (Postfix) with ESMTP id A3FAA8FC1B for ; Thu, 24 Jul 2008 13:55:46 +0000 (UTC) (envelope-from freebsd@optiksecurite.com) MIME-version: 1.0 Content-transfer-encoding: 8BIT Content-type: text/plain; charset=ISO-8859-1; format=flowed Received: from [192.168.10.102] ([74.56.107.65]) by VL-MH-MR002.ip.videotron.ca (Sun Java(tm) System Messaging Server 6.3-4.01 (built Aug 3 2007; 32bit)) with ESMTP id <0K4I00LD6K0XXZ40@VL-MH-MR002.ip.videotron.ca> for freebsd-pf@freebsd.org; Thu, 24 Jul 2008 09:55:45 -0400 (EDT) Message-id: <488889EA.8000306@optiksecurite.com> Date: Thu, 24 Jul 2008 09:55:54 -0400 From: FreeBSD User-Agent: Thunderbird 2.0.0.16 (Windows/20080708) To: Ivan Petrushev References: <48876DAD.9080100@optiksecurite.com> <488780A6.4010807@radel.com> <48879B35.1060905@gibfest.dk> In-reply-to: Cc: freebsd-pf@freebsd.org Subject: Re: Why this rule doesn't score a match? 
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Jul 2008 13:55:46 -0000 Ivan Petrushev wrote: > Hello Thomas, > I'm receiving an error: > # ifconfig plog1 create > ifconfig: SIOCIFCREATE2: Invalid argument > > and I can't see anything in 'man ifconfig' related to the pflog device. > > I think it's just a typo: you forgot the 'f' in pflog1...;) Martin > Regards, Ivan > > On Wed, Jul 23, 2008 at 11:57 PM, Thomas Rasmussen wrote: > >> Ivan Petrushev wrote: >> >>> Hi Jon, >>> Aaahhh, I see now - these FROM rules must be TO rules :D >>> Thank you both for your replies. >>> >>> I'm going to monitor the outbound connections as well, but I think I >>> will be OK then. This was the little stone in the shoe. >>> I've already managed to let ICMP through that 'block all' ;) >>> >>> Btw, I like the way pflog is working - deploying tcpdump on pflog0 and >>> track down the logged packets. Is there a way to create another pflog >>> device and use it for some different rules? I've seen there is an >>> option to the 'log' keyword - (to pflogX), but I didn't manage to >>> find out how to create more pflog devices. >>> >>> Regards, >>> Ivan.
>>> >>> >> Hello, >> >> To create another pflog interface do: >> ifconfig pflog1 create >> >> And to create it at boot time add: >> cloned_interfaces="pflog1" >> to /etc/rc.conf >> >> Regards >> >> Thomas >> _______________________________________________ >> freebsd-pf@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-pf >> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" >> >> > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > From owner-freebsd-pf@FreeBSD.ORG Thu Jul 24 16:47:57 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D1A2E1065675 for ; Thu, 24 Jul 2008 16:47:57 +0000 (UTC) (envelope-from ivanatora@gmail.com) Received: from an-out-0708.google.com (an-out-0708.google.com [209.85.132.241]) by mx1.freebsd.org (Postfix) with ESMTP id 89B118FC18 for ; Thu, 24 Jul 2008 16:47:57 +0000 (UTC) (envelope-from ivanatora@gmail.com) Received: by an-out-0708.google.com with SMTP id b33so1028668ana.13 for ; Thu, 24 Jul 2008 09:47:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=fDz6ycUhrOzpwzDFQj7ih8b/CsKpG8TnRj+7A/YZQdI=; b=lxOhStL1/2ncjASm0WjTKIdFYWOztgGy/Jwd0eGYWZSbelRQ3/G0d+wv+wZSF0JrjX 5Iw0ZNuwUFMbniV7llfJV1fLY+FgJSRTmPUdDoQSv64oUh3znwjhH8Pak/Mrz20g1FeY 5Ud1o8+73qLo72Kj8IcwcqFEschg9/W3THw40= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; 
b=bPCRSMKFUjKbWXdV0EbTkEoH+WhwOIV7le5uG6b2/V/xLEOxw6Gm0OSxYGc6bJgPyN BVh9GPAGNBgpMA2CpWeZ30LsDpnDaa0tpF/wOVbnUjOdARcGUak9xHNee59lJOVgnkQg XAR+UZCOEgqL0huSw+1GS8UH0N8gLa09F48d4= Received: by 10.100.122.8 with SMTP id u8mr858976anc.103.1216918076797; Thu, 24 Jul 2008 09:47:56 -0700 (PDT) Received: by 10.151.50.12 with HTTP; Thu, 24 Jul 2008 09:47:56 -0700 (PDT) Message-ID: Date: Thu, 24 Jul 2008 19:47:56 +0300 From: "Ivan Petrushev" To: FreeBSD In-Reply-To: <488889EA.8000306@optiksecurite.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <48876DAD.9080100@optiksecurite.com> <488780A6.4010807@radel.com> <48879B35.1060905@gibfest.dk> <488889EA.8000306@optiksecurite.com> Cc: freebsd-pf@freebsd.org Subject: Re: Why this rule doesn't score a match? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Jul 2008 16:47:58 -0000 Omg, silly me... Thanks! On Thu, Jul 24, 2008 at 4:55 PM, FreeBSD wrote: > Ivan Petrushev wrote: >> >> Hello Thomas, >> I'm receiving an error: >> # ifconfig plog1 create >> ifconfig: SIOCIFCREATE2: Invalid argument >> >> and I can't see anything in 'man ifconfig' related to the pflog device. >> >> > > I think it's just a typo: you forgot the 'f' in pflog1...;) > > Martin > >> Regards, Ivan >> >> On Wed, Jul 23, 2008 at 11:57 PM, Thomas Rasmussen >> wrote: >> >>> >>> Ivan Petrushev wrote: >>> >>>> >>>> Hi Jon, >>>> Aaahhh, I see now - these FROM rules must be TO rules :D >>>> Thank you both for your replies. >>>> >>>> I'm going to monitor the outbound connections as well, but I think I >>>> will be OK then. This was the little stone in the shoe.
>>>> I've already managed to let ICMP through that 'block all' ;) >>>> >>>> Btw, I like the way pflog is working - deploying tcpdump on pflog0 and >>>> track down the logged packets. Is there a way to create another pflog >>>> device and use it for some different rules? I've seen there is an >>>> option to the 'log' keyword - (to pflogX), but I didn't manage to >>>> find out how to create more pflog devices. >>>> >>>> Regards, >>>> Ivan. >>>> >>>> >>> >>> Hello, >>> >>> To create another pflog interface do: >>> ifconfig pflog1 create >>> >>> And to create it at boot time add: >>> cloned_interfaces="pflog1" >>> to /etc/rc.conf >>> >>> Regards >>> >>> Thomas >>> _______________________________________________ >>> freebsd-pf@freebsd.org mailing list >>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf >>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" >>> >>> >> >> _______________________________________________ >> freebsd-pf@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-pf >> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" >> > > From owner-freebsd-pf@FreeBSD.ORG Fri Jul 25 07:23:41 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A2995106567B for ; Fri, 25 Jul 2008 07:23:41 +0000 (UTC) (envelope-from rkramer@mweb.com) Received: from mwbmarshal.mweb.com (mwbmarshal.mweb.com [196.2.141.6]) by mx1.freebsd.org (Postfix) with ESMTP id 2C5338FC2A for ; Fri, 25 Jul 2008 07:23:39 +0000 (UTC) (envelope-from rkramer@mweb.com) Received: from mwbfes2.mweb.com (Not Verified[196.2.141.74]) by mwbmarshal.mweb.com with NetIQ MailMarshal 6.0 Service Pack 1 (v6, 0, 3, 28) id ; Fri, 25 Jul 2008 09:23:36 +0200 Received: from MWBEXCH.mweb.com ([196.2.141.75]) by mwbfes2.mweb.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 25 Jul 2008 09:23:36 +0200 X-MimeOLE: Produced By Microsoft
Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Date: Fri, 25 Jul 2008 09:23:36 +0200 Message-ID: <39DC135F7F0571489196E0B6F5D58B4A03B45F35@MWBEXCH.mweb.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: PF+ALTQ+PRIQ Thread-Index: AcjtlRjWtktch+TwTQqfH1zfJ72ujgAhjw8w References: <48876DAD.9080100@optiksecurite.com><488780A6.4010807@radel.com><48879B35.1060905@gibfest.dk> <488889EA.8000306@optiksecurite.com> From: "Rudi Kramer - MWEB" To: X-OriginalArrivalTime: 25 Jul 2008 07:23:36.0702 (UTC) FILETIME=[5A59A9E0:01C8EE27] Subject: PF+ALTQ+PRIQ X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Jul 2008 07:23:41 -0000 Hello, I wanted to play around with ALTQ and PRIQ queuing and I came up with the following pf config. My goal was to have TCP ACKs that have no payload having the highest priority and then cod, dns, ssh in their own queues and everything else falling into the default queue.
##################################################
#Macros
ext_if = "tun0"
cod_ports = "{28960:29000}"
# $int_if is used by the last two rules but is not defined in this section;
# pfctl refuses to load a ruleset that references an undefined macro

##Tables
# the table's <name> did not survive in the archive; the "from ... to any"
# rules at the end reference it
table { 192.168.0.0/24 }

##Options

##Normalization
scrub in all

##Queueing
altq on $ext_if priq bandwidth 400Kb queue { q_pri, q_def, q_cod, q_domain, q_ssh }
queue q_pri priority 10
queue q_cod priority 9
queue q_domain priority 8
queue q_ssh priority 7
queue q_def priority 1 priq(default)

#default to deny
block in log all

#allow loopback
pass quick on lo0 all

#Setup PRIQ Rules
# queue (normal, priority): the first queue takes ordinary packets, the second
# takes TCP ACKs with no payload (and lowdelay TOS), so q_pri must be second
pass out on $ext_if proto tcp from ($ext_if) to any queue (q_def, q_pri)
pass in on $ext_if proto tcp from any to ($ext_if) queue (q_def, q_pri)
pass out quick on $ext_if proto udp from ($ext_if) to any port $cod_ports queue q_cod
pass in quick on $ext_if proto udp from any to ($ext_if) port $cod_ports queue q_cod
pass out quick on $ext_if proto udp from ($ext_if) to any port domain queue q_domain
pass in quick on $ext_if proto udp from any to ($ext_if) port domain queue q_domain
pass out quick on $ext_if proto tcp from ($ext_if) to any port ssh queue q_ssh
pass in quick on $ext_if proto tcp from any to ($ext_if) port ssh queue q_ssh

#allow from fw to ext
# pf applies the last matching rule, and quick stops evaluation; this rule is
# the final match for all outbound TCP that is not ssh, so the queue clause
# has to be repeated here or the non-quick ACK rule above never takes effect
pass out quick log on $ext_if proto tcp all queue (q_def, q_pri)
pass out quick log on $ext_if proto { udp, icmp } all

#allow from internal network out
pass quick log on $int_if proto tcp from to any
pass quick log on $int_if proto {udp, icmp } from to any
#########################################
As far as I can see it is working but I was hoping to get some input from the list. Thanks Rudi
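The two pf semantics that decide which ALTQ queue an outbound ACK really lands in are the argument order of `queue (a, b)` (the second queue receives TCP ACKs with no payload, per pf.conf(5)) and rule precedence (the last matching rule wins unless a matching rule carries `quick`). The script below is an added example, not code from this thread or from pf; it models just enough of pf's matching (direction, interface, protocol, destination port, `quick`, queue clause) to show those two effects over a constructed ruleset shaped like the PRIQ rules above. The interface name `tun0`, the packet objects and both rulesets are assumptions made for the example; `block`, states, scrub and NAT are deliberately not modelled.

```python
"""Toy model of pf rule evaluation for ALTQ queue assignment (added example).

Models only what matters for queue selection: the last matching rule wins
unless a matching rule carries 'quick', and for 'queue (a, b)' the second
queue receives TCP ACKs with no payload (and lowdelay TOS packets).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Ports = Tuple[int, int]                 # inclusive destination-port range
QueueSpec = Tuple[str, Optional[str]]   # (normal queue, ACK/lowdelay queue or None)


@dataclass
class Rule:
    direction: str                  # "in" or "out"
    iface: str
    proto: Optional[str] = None     # None = any protocol
    dport: Optional[Ports] = None   # None = any destination port
    quick: bool = False
    queue: Optional[QueueSpec] = None


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    dport: int = 0
    ack_no_payload: bool = False    # pure TCP ACK, the case priq is meant to favour


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction or rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and not rule.dport[0] <= pkt.dport <= rule.dport[1]:
        return False
    return True


def final_rule(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """pf semantics: the last matching rule decides, but 'quick' stops evaluation."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner


def assigned_queue(rules: List[Rule], pkt: Packet, default: str = "q_def") -> str:
    rule = final_rule(rules, pkt)
    if rule is None or rule.queue is None:
        return default              # no queue clause: packet goes to the ALTQ default queue
    normal, prio = rule.queue
    if prio is not None and pkt.ack_no_payload:
        return prio
    return normal


EXT = "tun0"    # assumed external interface, matching the ext_if macro in the thread


def build_ruleset(ack_queue: QueueSpec, catchall_queue: Optional[QueueSpec]) -> List[Rule]:
    """Constructed ruleset with the same shape as the thread's PRIQ rules."""
    return [
        Rule("out", EXT, "tcp", queue=ack_queue),                      # no quick
        Rule("in", EXT, "tcp", queue=ack_queue),                       # no quick
        Rule("out", EXT, "udp", (28960, 29000), True, ("q_cod", None)),
        Rule("in", EXT, "udp", (28960, 29000), True, ("q_cod", None)),
        Rule("out", EXT, "udp", (53, 53), True, ("q_domain", None)),
        Rule("in", EXT, "udp", (53, 53), True, ("q_domain", None)),
        Rule("out", EXT, "tcp", (22, 22), True, ("q_ssh", None)),
        Rule("in", EXT, "tcp", (22, 22), True, ("q_ssh", None)),
        Rule("out", EXT, "tcp", quick=True, queue=catchall_queue),     # outbound catch-all
        Rule("out", EXT, "udp", quick=True),
        Rule("out", EXT, "icmp", quick=True),
    ]


# queue (q_pri, q_def) on the non-quick ACK rules and a queue-less quick catch-all
INVERTED = build_ruleset(("q_pri", "q_def"), None)
# queue (q_def, q_pri) on the ACK rules and repeated on the outbound catch-all
CORRECTED = build_ruleset(("q_def", "q_pri"), ("q_def", "q_pri"))


if __name__ == "__main__":
    out_ack = Packet("out", EXT, "tcp", 80, ack_no_payload=True)
    in_ack = Packet("in", EXT, "tcp", 40000, ack_no_payload=True)
    in_data = Packet("in", EXT, "tcp", 40000)
    for name, rs in (("inverted", INVERTED), ("corrected", CORRECTED)):
        print(name, "out ACK ->", assigned_queue(rs, out_ack),
              "| in ACK ->", assigned_queue(rs, in_ack),
              "| in data ->", assigned_queue(rs, in_data))
```

With the inverted ruleset an outbound pure ACK ends in q_def because the quick catch-all is the final match and carries no queue clause, and an inbound pure ACK also ends in q_def because it is sent to the second queue of `(q_pri, q_def)`; inbound data packets get q_pri instead. With the corrected ruleset ACKs in both directions land in q_pri and everything else in its intended queue.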