From owner-freebsd-pf@FreeBSD.ORG Mon Jun 1 11:06:57 2009
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 1 Jun 2009 11:06:57 GMT
Message-Id: <200906011106.n51B6vqb021181@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to successfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

31 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 1 15:10:39 2009
From: Martin Turgeon
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Mon, 01 Jun 2009 11:10:41 -0400
Message-id: <4A23EF71.4000707@optiksecurite.com>
In-reply-to: <52a241a292d8df1c0970d071267cb865.squirrel@mlaier.homeunix.org>
Subject: Re: State Mismatch and tcp.closed

Max Laier wrote:
> Can you please post your ruleset. I suspect there is something wrong with
> it. By the way, I noticed that you are using a 127/8 address for your
> web server. Are you - by chance - running in a jail of kinds?
> In that case you might need "set skip on lo0" to avoid troubles. Depending
> on the kind of filtering you are doing this might be complicated, however.
>
> In any case, we'd need more details about your setup to help.
>

I'm not too inclined to post my ruleset to the whole list, so I propose to
send it only to people interested in it, in a private mail. Thanks a lot Max
for your interest in my problem. I'm sending my pf.conf to you in a few
moments.

Yes, I'm using jails to isolate every service and they are all bound on the
loopback interface. I'm using RDR and NAT to make them available from the
outside.

Martin

> On Fri, 29.05.2009, 17:32, Martin Turgeon wrote:
>> Martin Turgeon wrote:
>>> Hi list!
>>>
>>> I had a problem with state mismatch on my DB server that I solved by
>>> lowering the tcp.closed timeout. I set it to 2 instead of 90.
>>>
>>> I now have what looks like the same problem on the front-end web server.
>>> However, when I tried to apply the same fix, I got connection problems
>>> with the back-end DB, but the state mismatch disappeared.
>>>
>>> On the front-end web server, the state mismatch occurs on the external
>>> interface, only on port 80.
>>>
>>> I enabled misc debugging and got this in /var/log/messages on the
>>> front-end web server:
>>>
>>> May 28 05:02:19 francis kernel: pf: BAD state: TCP 127.0.0.25:80 206.125.166.65:80 98.207.239.10:54737 [lo=820536733 high=820603340 win=65535 modulator=0 wscale=0] [lo=2871317100 high=2871375106 win=8326 modulator=0 wscale=3] 7:4 R seq=820536733 (820536732) ack=2871317100 len=0 ackskew=0 pkts=43:69 dir=in,fwd
>>> May 28 05:02:19 francis kernel: pf: State failure on: |
>>> May 28 05:02:19 francis kernel: pf: BAD state: TCP 127.0.0.25:80 206.125.166.65:80 98.207.239.10:54733 [lo=374985971 high=375052578 win=65535 modulator=0 wscale=0] [lo=2999164748 high=2999229169 win=8326 modulator=0 wscale=3] 7:4 R seq=374985971 (374985970) ack=2999164748 len=0 ackskew=0 pkts=40:54 dir=in,fwd
>>> May 28 05:02:19 francis kernel: pf: State failure on: |
>>> May 28 05:03:06 francis kernel: pf: BAD state: TCP 127.0.0.20:80 206.125.166.80:80 123.116.84.41:59776 [lo=3407758259 high=3407823796 win=4096 modulator=0 wscale=2] [lo=374200006 high=374216390 win=8192 modulator=0 wscale=3] 4:2 A seq=3407758259 (3407758260) ack=2320196160 len=0 ackskew=-1945996154 pkts=1:1 dir=in,fwd
>>> May 28 05:03:06 francis kernel: pf: State failure on: 3 |
>>> May 28 05:03:06 francis kernel: pf: BAD state: TCP 127.0.0.20:80 206.125.166.80:80 123.116.84.41:59776 [lo=3407758259 high=3407823796 win=4096 modulator=0 wscale=2] [lo=374200006 high=374216390 win=8192 modulator=0 wscale=3] 4:2 RA seq=3407758259 (3407758260) ack=2320196160 len=0 ackskew=-1945996154 pkts=1:1 dir=in,fwd
>>>
>>> This server has been up for 12 days and already got almost 600000 state
>>> mismatches!
>>>
>>> I tried to lower tcp.finwait, no result. I tried to set optimization to
>>> aggressive, no result. I tried to disable port randomization via sysctl,
>>> no result either.
>>>
>>> I tcpdumped and there are only a few RST so I don't understand why
>>> tcp.closed would solve my problem. If it's a problem with source port
>>> reuse, tcp.finwait should be the timeout that would help, not
>>> tcp.closed, right?
>>>
>>> How can a lower tcp.closed on the front-end cause mysql connection
>>> problems with the back-end? I tcpdumped while there is a connection
>>> problem with the DB and there is nothing that seems wrong, no RST at
>>> all! The front-end web server tries to connect to the DB, waits 3 sec and
>>> if it fails to establish a connection, it then tries to connect to a
>>> read-only backup DB, on another server, which never fails to connect.
>>>
>>> The only thing I'm sure of is that it's the tcp.closed that causes the DB
>>> connection problem. As soon as I remove it, the state mismatch comes
>>> back on the external interface but there's no DB connection problem
>>> anymore.
>>>
>>> What am I missing?
>>>
>>> Martin
>>>
>> I forgot to mention in the starting post what version I'm using:
>>
>> uname -a on the front-end web server:
>> FreeBSD webserver 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri May  1 07:18:07 UTC 2009     root@driscoll.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
>>
>> uname -a on the back-end MySQL server:
>> FreeBSD mysql 7.0-RELEASE-p5 FreeBSD 7.0-RELEASE-p5 #1: Tue Oct  7 09:57:31 EDT 2008     root@martin.ringadmin.com:/usr/obj/usr/src/sys/OPTIK  amd64
>>
>> I read about the port reuse problem when I first experienced it with the
>> DB server and I saw that this wasn't going to happen with the new
>> release. I was happy to build a new 7.2-Rel server so that I wasn't
>> going to face the same problem.
>>
>> But, in fact, I'm facing what looks like the same problem...
>>
>> I'm all ears to any pointers/suggestions!
>>
>> Thanks for your precious help.
>>
>> Martin
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>>
>

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 1 19:05:34 2009
From: Doug Barton
Organization: http://www.FreeBSD.org/
To: freebsd-pf@freebsd.org
Cc: bzeeb-lists@lists.zabbadoz.net, Gert Doering
Date: Mon, 01 Jun 2009 11:38:45 -0700
Message-ID: <4A242035.8010101@FreeBSD.org>
Subject: Moving the pf rc.d scripts to run before netif

Howdy,

As you can see below, I've made a change to the order of execution of the
rc.d scripts in 8-current (soon to be 8-release) to run all of the
firewalls, including pf, before the
network is up. However the following PR gives an example of why this might
be bad:

http://www.freebsd.org/cgi/query-pr.cgi?pr=130381

This leaves me with a few questions.

1. When the _kernel_ first starts, what is the condition of the pf
firewall? In other words, you have pf in the kernel, and let's pretend that
there is no rc.d/pf initialization script. What's going to happen to the
packets when the network comes up?

2. The previous rcorder for the pf script was right after netif (the
network coming up) and before routing .... why? Is this related to how pf
does its work? The reason I ask this question is that in order to fix the
IPv6 rcorder problem in the pr the way that Gert is suggesting the "BEFORE:
routing" would have to be removed because our IPv6 startup depends on RA
which depends on routing being up. (Side note, in the long term I'd like to
revise this so that an IPv6-only host and/or a host with statically
assigned IPv6 addresses can easily be configured within rc.d, but that's
another thing altogether.)

3. Is the need to be able to use $ext_if after the network is up so
overwhelmingly important that it justifies running pf after netif? Or is
using ($ext_if) a reasonable solution?

Anything else y'all would like to add is welcome at this point.

Thanks,

Doug

-------- Original Message --------
Subject: Re: svn commit: r193198 - head/etc/rc.d
Date: Mon, 01 Jun 2009 10:38:41 -0700
From: Doug Barton

Bjoern A. Zeeb wrote:
> On Mon, 1 Jun 2009, Doug Barton wrote:
>
>> Author: dougb
>> Date: Mon Jun  1 05:35:03 2009
>> New Revision: 193198
>> URL: http://svn.freebsd.org/changeset/base/193198
>>
>> Log:
>>   Make the pf and ipfw firewalls start before netif, just like
>>   ipfilter already does. This eliminates a logical inconsistency,
>>   and a small window where the system is open after the network
>>   comes up.
>
> Unfortunately this is contrary to a lot of PRs and requests on
> mailing lists out there that actually want the netif/network_ipv6
> to be run _before_ things come up.

Can you provide links to some of those PRs? I'd love to learn more about
this issue.

> Especially pf really needs this to avoid rules that need to do
> per packet lookups of the interface address.

Not sure what you mean here.

> Further ipfw has a default option being settable at compile time
> and as TUNABLE to handle this window.

And what happens if someone sets the default to accept? You could argue
that they are knowingly opening a window of vulnerability but I would argue
that the right thing to do is to have the firewall rules loaded before the
network comes up regardless of the default. That way you avoid both the
potential window of vulnerability AND the window of time between the
network being loaded and the firewall allowing access to the box.

To give a little more history, this patch was discussed and reviewed a
while back and someone told me that they would incorporate it into some
overall work they were doing to improve the way that rc.d handles
networking, so I stopped paying attention to it. Last night a user pointed
out to me that another patch that this same person said they would handle
never got in, so I reviewed other outstanding work and found that this one
had not been done either.

Obviously if this change breaks something it will have to be reverted.
However from the security standpoint (primary concern) it would seem to be
the right thing to do, and the previous rcorder was not logically
consistent in any case.

Max Laier wrote:
> Can you please add a note about this in UPDATING?

Yes. I was on the fence about this anyways, so now you've pushed me over. :)

> It might be a slight POLA violation for people who rely on the
> interfaces being configured to setup the firewall. For instance
> when one doesn't use dynamic address rules in pf i.e. "from/to ifX"
> instead of "from/to (ifX)".

I don't understand what you've written here. It seems to me that if the
interfaces are always the same then the firewall rules will be fine, but if
they are using dynamic rules it doesn't matter if it starts before or after
the network is up.

Doug

-- 
This .signature sanitized for your protection

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 1 19:45:20 2009
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: bzeeb-lists@lists.zabbadoz.net, Gert Doering
Date: Mon, 1 Jun 2009 21:45:16 +0200
Message-Id: <200906012145.17315.max@love2party.net>
In-Reply-To: <4A242035.8010101@FreeBSD.org>
Subject: Re: Moving the pf rc.d scripts to run before netif
On Monday 01 June 2009 20:38:45 Doug Barton wrote:
> Howdy,
>
> As you can see below, I've made a change to the order of execution of
> the rc.d scripts in 8-current (soon to be 8-release) to run all of the
> firewalls, including pf, before the network is up. However the
> following PR gives an example of why this might be bad:
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=130381
>
> This leaves me with a few questions.
>
> 1. When the _kernel_ first starts, what is the condition of the pf
> firewall? In other words, you have pf in the kernel, and let's pretend
> that there is no rc.d/pf initialization script. What's going to happen
> to the packets when the network comes up?

The default behavior is to pass everything unconditionally.

> 2. The previous rcorder for the pf script was right after netif (the
> network coming up) and before routing .... why? Is this related to how
> pf does its work? The reason I ask this question is that in order to
> fix the IPv6 rcorder problem in the pr the way that Gert is suggesting
> the "BEFORE: routing" would have to be removed because our IPv6
> startup depends on RA which depends on routing being up. (Side note,
> in the long term I'd like to revise this so that an IPv6-only host
> and/or a host with statically assigned IPv6 addresses can easily be
> configured within rc.d, but that's another thing altogether.)
>
> 3. Is the need to be able to use $ext_if after the network is up so
> overwhelmingly important that it justifies running pf after netif? Or
> is using ($ext_if) a reasonable solution?

Traditionally pf has had some issues with startup before netif. e.g. it was
not possible to configure ALTQ on interfaces before they are created. Over
the years most of these restrictions have been fixed (though you still need
to specify an absolute bandwidth for ALTQ if you want to configure
non-existing interfaces). The last remaining issue with non-existing
interfaces is the "set loginterface".

In addition people seem to like to use symbolic hostnames in their pf.conf
for some reason. It's a bad idea from the security perspective, but who am
I to decide how one shoots oneself? Symbolic hostnames, as well as
non-dynamic interface statements are evaluated at ruleset load-time in pf.
Thus the resolver must work when we load a ruleset with rules like that.

> Anything else y'all would like to add is welcome at this point.

It might make sense to have the ability for two points to configure the
firewall. One "firewall_early" to setup a minimal "block all/allow
dhcp/RA/DNS/..." and "firewall_late" to setup the final thing.

In any case setting up the firewall is a non-trivial task and I doubt that
there really is a good "one size fits all" solution. I'd prefer your
version over the previous incarnation - as it is secure by default.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 1 21:11:20 2009
From: Ali Faiez Taha
Organization: Centro de Informática - USP - Ribeirão Preto
To: freebsd-pf@freebsd.org
Reply-To: aftaha@cirp.usp.br
Date: Mon, 01 Jun 2009 17:54:55 +0000
Message-ID: <4A2415EF.1070206@cirp.usp.br>
Subject: Connect to port 5432

Dear Sirs.

What do I need to redirect connections from any valid Internet IP and port
5432 to one intranet server (running a PostgreSQL database) on port 5432?
I am using FreeBSD 7.2 with PF firewall.
The rule on Linux iptables now is:

iptables -t nat -A PREROUTING -p tcp -s 0/0 -d AAA.BBB.CCC.DDD --dport 5432 -j DNAT --to-destination 192.168.2.253:5432

thanks a lot

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 1 21:17:23 2009
From: Espartano
To: aftaha@cirp.usp.br
Cc: freebsd-pf@freebsd.org
Date: Mon, 1 Jun 2009 16:17:21 -0500
In-Reply-To: <4A2415EF.1070206@cirp.usp.br>
Subject: Re: Connect to port 5432

2009/6/1 Ali Faiez Taha:
>        Dear Sirs.
>
> What do I need to redirect connections from any valid Internet IP and port
> 5432 to one intranet server (running a PostgreSQL database) on port 5432?
> I am using FreeBSD 7.2 with PF firewall.
>
> The rule on Linux iptables now is:
>
> iptables -t nat -A PREROUTING -p tcp -s 0/0 -d AAA.BBB.CCC.DDD --dport 5432 -j DNAT --to-destination 192.168.2.253:5432
>
>
> thanks a lot
>

Maybe you have to see this page: http://www.openbsd.org/faq/pf/rdr.html

-- 
"Linux is for people who hate Windows, BSD is for people who love UNIX".
"Documentation is like sex: when it is good, it is very, very good; and
when it is bad, it is better than nothing."
Sent from Veracruz, Ver, Mexico

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 1 22:15:29 2009
From: Miroslav Lachman <000.fbsd@quip.cz>
To: aftaha@cirp.usp.br
Cc: freebsd-pf@freebsd.org
Date: Mon, 01 Jun 2009 23:56:03 +0200
Message-ID: <4A244E73.8040203@quip.cz>
In-Reply-To: <4A2415EF.1070206@cirp.usp.br>
Subject: Re: Connect to port 5432

Ali Faiez Taha wrote:
> Dear Sirs.
>
> What do I need to redirect connections from any valid Internet IP and port
> 5432 to one intranet server (running a PostgreSQL database) on port 5432?
> I am using FreeBSD 7.2 with PF firewall.
> > The rule on Linux iptables now is: > > iptables -t nat -A PREROUTING -p tcp -s 0/0 -d AAA.BBB.CCC.DDD --dport 5432 -j DNAT --to-destination 192.168.2.253:5432 It could be something like this rdr pass on $ext_if proto tcp from any to AAA.BBB.CCC.DDD port 5432 -> 192.168.2.253 but better read some docs (man pf.conf and examples on the net) Miroslav Lachman From owner-freebsd-pf@FreeBSD.ORG Mon Jun 1 22:57:14 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D9EA9106564A for ; Mon, 1 Jun 2009 22:57:14 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from mail2.fluidhosting.com (mx21.fluidhosting.com [204.14.89.4]) by mx1.freebsd.org (Postfix) with ESMTP id 8C8758FC28 for ; Mon, 1 Jun 2009 22:57:14 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: (qmail 9542 invoked by uid 399); 1 Jun 2009 22:57:12 -0000 Received: from localhost (HELO foreign.dougb.net) (dougb@dougbarton.us@127.0.0.1) by localhost with ESMTPAM; 1 Jun 2009 22:57:12 -0000 X-Originating-IP: 127.0.0.1 X-Sender: dougb@dougbarton.us Message-ID: <4A245CC6.7010901@FreeBSD.org> Date: Mon, 01 Jun 2009 15:57:10 -0700 From: Doug Barton Organization: http://www.FreeBSD.org/ User-Agent: Thunderbird 2.0.0.21 (X11/20090423) MIME-Version: 1.0 To: Max Laier References: <4A242035.8010101@FreeBSD.org> <200906012145.17315.max@love2party.net> In-Reply-To: <200906012145.17315.max@love2party.net> X-Enigmail-Version: 0.95.7 OpenPGP: id=D5B2F0FB Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: bzeeb-lists@lists.zabbadoz.net, Gert Doering , freebsd-pf@freebsd.org Subject: Re: Moving the pf rc.d scripts to run before netif X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , 
X-List-Received-Date: Mon, 01 Jun 2009 22:57:15 -0000 Max Laier wrote: > On Monday 01 June 2009 20:38:45 Doug Barton wrote: >> Howdy, >> >> As you can see below, I've made a change to the order of execution of >> the rc.d scripts in 8-current (soon to be 8-release) to run all of the >> firewalls, including pf, before the network is up. However the >> following PR gives an example of why this might be bad: >> >> http://www.freebsd.org/cgi/query-pr.cgi?pr=130381 >> >> This leaves me with a few questions. >> >> 1. When the _kernel_ first starts, what is the condition of the pf >> firewall? In other words, you have pf in the kernel, and let's pretend >> that there is no rc.d/pf initialization script. What's going to happen >> to the packets when the network comes up? > > The default behavior is to pass everything unconditionally. That's what I was afraid of. Traditionally this has been viewed as a Bad Thing(TM) and I'm surprised that it was ever set up that way to start with. >> 2. The previous rcorder for the pf script was right after netif (the >> network coming up) and before routing .... why? Is this related to how >> pf does its work? The reason I ask this question is that in order to >> fix the IPv6 rcorder problem in the pr the way that Gert is suggesting >> the "BEFORE: routing" would have to be removed because our IPv6 >> startup depends on RA which depends on routing being up. (Side note, >> in the long term I'd like to revise this so that an IPv6-only host >> and/or a host with statically assigned IPv6 addresses can easily be >> configured within rc.d, but that's another thing altogether.) >> >> 3. Is the need to be able to use $ext_if after the network is up so >> overwhelmingly important that it justifies running pf after netif? Or >> is using ($ext_if) a reasonable solution? > > Traditionally pf has had some issues with startup before netif. e.g. it > was not possible to configure ALTQ on interfaces before they are created. 
> Over the years most of these restrictions have been fixed (though you
> still need to specify an absolute bandwidth for ALTQ if you want to
> configure non-existing interfaces). The last remaining issue with
> non-existing interfaces is the "set loginterface".

Ok.

> In addition people seem to like to use symbolic hostnames in their pf.conf
> for some reason. It's a bad idea from the security perspective, but who
> am I to decide how one shoots oneself? Symbolic hostnames, as well as
> non-dynamic interface statements are evaluated at ruleset load-time in pf.
> Thus the resolver must work when we load a ruleset with rules like that.

Well the previous order had pf starting before routing anyway (and
therefore also starting before IPv6, nsswitch, resolv, named, etc.) so I
don't think this would have worked in any case.

>> Anything else y'all would like to add is welcome at this point.
>
> It might make sense to have the ability for two points to configure the
> firewall. One "firewall_early" to setup a minimal "block all/allow
> dhcp/RA/DNS/..." and "firewall_late" to setup the final thing.

I would definitely be supportive of a pf-late script that runs after the
network is up. I'll even write the thing if someone can tell me what it
needs to have. Would calling "/etc/rc.d/pf reload" do the right thing?
And if this is the best way to handle the problem, how late should it
start? (IOW, what should it REQUIRE to make sure it will have everything
it needs when it is run, and what would it need to run BEFORE to make
sure the system is still as secure as possible?)

> In any case setting up the firewall is a non-trivial task and I doubt that
> there really is a good "one size fits all" solution. I'd prefer your
> version over the previous incarnation - as it is secure by default.

Thanks for the well-informed response, and the note of support.
:)

Doug

--
This .signature sanitized for your protection

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 2 02:30:00 2009
Message-Id: <200906020230.n522U03l031179@freefall.freebsd.org>
Date: Tue, 2 Jun 2009 02:30:00 GMT
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, gnats-admin@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/135162: [pfsync] pfsync(4) not usable with GENERIC kernel

Old Synopsis: pfsync(4) not usable with GENERIC kernel
New Synopsis: [pfsync] pfsync(4) not usable with GENERIC kernel

Responsible-Changed-From-To: gnats-admin->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Tue Jun 2 02:28:18 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s).
http://www.freebsd.org/cgi/query-pr.cgi?pr=135162

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 2 15:13:31 2009
Date: Tue, 2 Jun 2009 17:13:29 +0200
From: Kevin Smith
To: freebsd-pf
Subject: Problem: nating jails with private ip addresses.
Hi guys,

Please help if you can, I have a problem, and I can't get my config to
work. I have one public IP address, and several jails with private IP
addresses in the 172.20.0.0/24 area. I don't know how to make this work,
maybe somewhere I blocked the traffic, but DNS requests are coming
through, I can open (redirected) http on the jail itself from the
internet, but I can't connect to any host on the internet from the
jails; the main problem comes with installing from ports and downloading
the distfiles.

My system is 7.1-RELEASE with pf, pflog, pfsync devices, and ALTQ,
ALTQ_CBQ, ALTQ_RED, ALTQ_RIO, ALTQ_HFSC, ALTQ_PRIQ, ALTQ_NOPCC options
compiled in the kernel!

Is this possible, or should I pop in another card and bind the jails to
that card?
The corresponding config is here (really partial):

tcp_services = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s, ftp, ftp-data }"
ext_if = "bge0"
jails = "172.20.0.0/24"

nat on $ext_if proto { tcp, udp, icmp } from $jails to any -> ($ext_if)
rdr pass on $ext_if inet proto tcp from any to $ext_if port http -> 172.20.0.100

pass out proto tcp to any port $tcp_services keep state
pass out proto tcp from any to any keep state

Thanks in advance,
Best Regards,
Kevin

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 6 03:16:42 2009
Message-ID: <20090605225730.wrvm0ae74kco0cws@correo.cujae.edu.cu>
Date: Fri, 05 Jun 2009 22:57:30 -0400
From: vila@tesla.cujae.edu.cu
To: freebsd-pf@freebsd.org
Subject: Connmark target
Hi folks!

I'm trying to figure out if there is a way to make connection marking
in a similar way as the iptables' CONNMARK target does?

Does pf support this feature?

My intentions are to tag an outgoing packet, transfer the tag to the
whole connection and then use that tag to mark incoming packets
belonging to the same connection.

Also, I would like then to use that mark to enqueue marked packets to
hfsc classes.

I've done all of this in linux but never on freebsd, I've searched in
pf's man page and the FAQ without success.

thanks in advance,

evelio vila

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
VI Conferencia Internacional de Energía Renovable, Ahorro de Energía y
Educación Energética
9 - 12 June 2009, Palacio de las Convenciones
...For a sustainable energy culture
www.ciercuba.com

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 6 06:10:32 2009
Date: Sat, 6 Jun 2009 08:39:42 +0300
From: Vlad Galu
To: vila@tesla.cujae.edu.cu
Cc: freebsd-pf@freebsd.org
In-Reply-To: <20090605225730.wrvm0ae74kco0cws@correo.cujae.edu.cu>
Subject: Re: Connmark target

On Sat, Jun 6, 2009 at 5:57 AM, vila@tesla.cujae.edu.cu wrote:
> Hi folks!
>
> I'm trying to figure out if there is a way to make connection marking in a
> similar way as the iptables' CONNMARK target does?
>
> Does pf support this feature?
>
> My intentions are to tag an outgoing packet, transfer the tag to the whole
> connection and then use that tag to mark incoming packets belonging to the
> same connection.
>
> Also, I would like then to use that mark to enqueue marked packets to hfsc
> classes.
>
> I've done all of this in linux but never on freebsd, I've searched in pf's
> man page and the FAQ without success.
>
> thanks in advance,
>
> evelio vila

Hi evelio, see below:
-- cut here --
     tag
           Packets matching this rule will be tagged with the specified
           string.  The tag acts as an internal marker that can be used to
           identify these packets later on.  This can be used, for example, to
           provide trust between interfaces and to determine if packets have
           been processed by translation rules.  Tags are "sticky", meaning
           that the packet will be tagged even if the rule is not the last
           matching rule.  Further matching rules can replace the tag with a
           new one but will not remove a previously applied tag.  A packet is
           only ever assigned one tag at a time.  Packet tagging can be done
           during nat, rdr, or binat rules in addition to filter rules.  Tags
           take the same macros as labels (see above).

     tagged
           Used with filter or translation rules to specify that packets must
           already be tagged with the given tag in order to match the rule.
           Inverse tag matching can also be done by specifying the ! operator
           before the tagged keyword.
-- and here --

Anyway, I believe that keeping state for the desired outgoing
connections should be enough all by itself. You would simply add the
"queue" directive at the end of your pass out rule, even though the
interface packets go out through is the "external" one, and you want to
do shaping on the "internal" one but, as I understand, for that you also
need floating (not if-bound) states.
If I'm wrong, I'd like somebody with better pf knowledge to correct me :)

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 6 16:49:59 2009
Message-ID: <20090606124949.japda2vrkck4wk8o@correo.cujae.edu.cu>
Date: Sat, 06 Jun 2009 12:49:49 -0400
From: vila@tesla.cujae.edu.cu
To: freebsd-pf@freebsd.org
Subject: Re: Connmark target

Vlad Galu wrote:
> Anyway, I believe that keeping state for the desired outgoing
> connections should be enough all by itself. You would simply add the

Indeed no, what I want is also to mark the connection to be able then
to mark incoming packets belonging to the same connection.
> "queue" directive at the end of your pass out rule, even
> though the interface packets go out through is the "external" one, and
> you want to do shaping on the "internal" one but, as I understand, for
> that you also need floating (not if-bound) states. If I'm wrong, I'd

I am not sure what you mean with "floating (not if-bound) states";
could you please explain this.

> like somebody with better pf knowledge to correct me :)

thanks for your quick answer vlad.

evelio vila

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 6 16:55:47 2009
Message-ID: <9a542da30906060955i4a1097bcpad5fd78587d7e169@mail.gmail.com>
Date: Sat, 6 Jun 2009 18:55:26 +0200
From: Ermal Luçi
To: vila@tesla.cujae.edu.cu
Cc: freebsd-pf@freebsd.org
In-Reply-To: <20090606124949.japda2vrkck4wk8o@correo.cujae.edu.cu>
Subject: Re: Connmark target

On Sat, Jun 6, 2009 at 6:49 PM, vila@tesla.cujae.edu.cu wrote:
> I am not sure what you mean with "floating (not if-bound) states";
> could you please explain this.

pf(4) is not iptables. So before using it read more about it.

http://home.nuug.no/~peter/pf/en/
http://www.openbsd.org/faq/pf

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 6 17:15:52 2009
Message-ID: <20090606131545.kk8k1qf7a8oc4os8@correo.cujae.edu.cu>
Date: Sat, 06 Jun 2009 13:15:45 -0400
From: vila@tesla.cujae.edu.cu
To: Ermal Luçi
Cc: freebsd-pf@freebsd.org
In-Reply-To: <9a542da30906060955i4a1097bcpad5fd78587d7e169@mail.gmail.com>
Subject: Re: Connmark target

Ermal Luçi wrote:
> pf(4) is not iptables. So before using it read more about it.

I'm aware of that.

I think it's pretty obvious that my post is simply trying to figure out
how to achieve with pf something that I used to do with netfilter.

I've read this before but nothing comes up to me.

http://www.openbsd.org/faq/pf/tagging.html

thanks anyway ermal

regards,
evelio vila

> http://home.nuug.no/~peter/pf/en/
> http://www.openbsd.org/faq/pf
From owner-freebsd-pf@FreeBSD.ORG Sat Jun 6 17:52:58 2009
Message-ID: <20090606135250.3n87bzp88wc4kgk8@correo.cujae.edu.cu>
Date: Sat, 06 Jun 2009 13:52:50 -0400
From: vila@tesla.cujae.edu.cu
To: István
Cc: freebsd-pf@freebsd.org
Subject: Re: Connmark target
István wrote:
> Hi!
>
> In general it is a very bad idea to use the same way you have been
> using before when you are moving to a new platform. You wouldn't use bash to
> manage win2k8 servers, just to give you an example of what I am talking about.
>
> The question is:
>
> What do you want to do with pf? Forget about netfilter/conntrack and so on.
> What do you want to achieve?
>
> This is the only question.
>
> Regards,
> Istvan

I believe you are right, Istvan!

This is the thing:

I want to do some traffic shaping on both interfaces of a FreeBSD box.
As you all probably know, the real congestion generally occurs on the
downlink interface because of the asymmetric nature of some protocols
(e.g. HTTP).

On the internal network I have some applications that put DSCP tags on
packets according to different classes of service. The uplink shaping can
be done simply by matching the corresponding DSCP field of each connection
and sending it to different queues. (By the way, the docs I've read only
present TOS matching and nothing about DSCP.)

Anyway, the problem arises when the incoming traffic (from the Internet)
has no DSCP tags and I need to enqueue it accordingly to do the downlink
traffic shaping.

Regards,
Evelio Vila

> On Sat, Jun 6, 2009 at 6:15 PM, wrote:
>
>> Ermal Luçi wrote:
>>
>>> On Sat, Jun 6, 2009 at 6:49 PM, wrote:
>>>
>>>> Vlad Galu wrote:
>>>>
>>>>> On Sat, Jun 6, 2009 at 5:57 AM, wrote:
>>>>>
>>>>>> Hi folks!
>>>>>>
>>>>>> I'm trying to figure out if there is a way to do connection marking
>>>>>> in a similar way to what the iptables CONNMARK target does.
>>>>>>
>>>>>> Does pf support this feature?
>>>>>>
>>>>>> My intention is to tag an outgoing packet, transfer the tag to the
>>>>>> whole connection and then use that tag to mark incoming packets
>>>>>> belonging to the same connection.
>>>>>>
>>>>>> Also, I would then like to use that mark to enqueue the marked
>>>>>> packets into HFSC classes.
>>>>>>
>>>>>> I've done all of this in Linux but never on FreeBSD. I've searched
>>>>>> pf's man page and the FAQ without success.
>>>>>>
>>>>>> Thanks in advance,
>>>>>>
>>>>>> Evelio Vila
>>>>>>
>>>>>
>>>>> Hi Evelio, see below:
>>>>> -- cut here --
>>>>>     tag
>>>>>         Packets matching this rule will be tagged with the specified
>>>>>         string.  The tag acts as an internal marker that can be used to
>>>>>         identify these packets later on.  This can be used, for example,
>>>>>         to provide trust between interfaces and to determine if packets
>>>>>         have been processed by translation rules.  Tags are "sticky",
>>>>>         meaning that the packet will be tagged even if the rule is not
>>>>>         the last matching rule.  Further matching rules can replace the
>>>>>         tag with a new one but will not remove a previously applied tag.
>>>>>         A packet is only ever assigned one tag at a time.  Packet
>>>>>         tagging can be done during nat, rdr, or binat rules in addition
>>>>>         to filter rules.  Tags take the same macros as labels (see
>>>>>         above).
>>>>>
>>>>>     tagged
>>>>>         Used with filter or translation rules to specify that packets
>>>>>         must already be tagged with the given tag in order to match the
>>>>>         rule.  Inverse tag matching can also be done by specifying the !
>>>>>         operator before the tagged keyword.
>>>>> -- and here --
>>>>>
>>>>> Anyway, I believe that keeping state for the desired outgoing
>>>>> connections should be enough all by itself.
>>>>> You would simply add the "queue" directive at the end of your pass out
>>>>> rule, even though the interface the packets go out through is the
>>>>> "external" one and you want to do shaping on the "internal" one but, as
>>>>> I understand, for that you also need floating (not if-bound) states.
>>>>
>>>> Indeed no, what I want is also to mark the connection, to be able then
>>>> to mark incoming packets belonging to the same connection.
>>>>
>>>> I am not sure what you mean by "floating (not if-bound) states",
>>>> could you please explain this?
>>>>
>>>>> If I'm wrong, I'd like somebody with better pf knowledge to correct
>>>>> me :)
>>>>>
>>> pf(4) is not iptables. So before using it, read more about it.
>>>
>> I'm aware of that.
>>
>> I think it's pretty obvious that my post is simply trying to figure out
>> how to achieve with pf something that I used to do with netfilter.
>>
>> I've read this before but nothing comes up to me.
>> http://www.openbsd.org/faq/pf/tagging.html
>>
>> Thanks anyway, Ermal.
>> Regards,
>> Evelio Vila
>>
>>> http://home.nuug.no/~peter/pf/en/
>>> http://www.openbsd.org/faq/pf
>>>
>>>> Thanks for your quick answer, Vlad.
>>>>
>>>> Evelio Vila
>>>>
>>>> ----------------------------------------------------------------
>>>> This message was sent using IMP, the Internet Messaging Program.
>>>> _______________________________________________
>>>> freebsd-pf@freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>>>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>>>>
>>>
>>> --
>>> Ermal
>>>
>>
>
> --
> the sun shines for all
>

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 6 18:29:47 2009
Message-ID: <20090606142940.0c42ju9uswkg4w8s@correo.cujae.edu.cu>
Date: Sat, 06 Jun 2009 14:29:40 -0400
From: vila@tesla.cujae.edu.cu
To: István
Cc: freebsd-pf@freebsd.org
Subject: Re: Connmark target
References: <20090606124949.japda2vrkck4wk8o@correo.cujae.edu.cu> <9a542da30906060955i4a1097bcpad5fd78587d7e169@mail.gmail.com> <20090606131545.kk8k1qf7a8oc4os8@correo.cujae.edu.cu> <20090606135250.3n87bzp88wc4kgk8@correo.cujae.edu.cu>

Unfortunately that would not help me, because all the traffic originates
from a single IP address (the proxy), so I cannot distinguish between
them (that is why I use DSCP marks).

Even if I could achieve this, there is still the issue of selecting
incoming packets accordingly and directing them to inbound queues (for
downlink traffic shaping).

Regards,
Evelio Vila

István wrote:
> I guess you might want to tag those DSCP-enabled packets (because pf has no
> support for that at the moment, at least I cannot see it) and put them into
> the queue based on the tag.
> http://www.openbsd.org/faq/pf/queueing.html#assign
>
> Regards,
> Istvan

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 6 18:43:32 2009
Date: Sat, 6 Jun 2009 19:11:35 +0100
From: István
To: vila@tesla.cujae.edu.cu
Cc: freebsd-pf@freebsd.org
Subject: Re: Connmark target
In-Reply-To: <20090606135250.3n87bzp88wc4kgk8@correo.cujae.edu.cu>
References: <20090606124949.japda2vrkck4wk8o@correo.cujae.edu.cu> <9a542da30906060955i4a1097bcpad5fd78587d7e169@mail.gmail.com> <20090606131545.kk8k1qf7a8oc4os8@correo.cujae.edu.cu> <20090606135250.3n87bzp88wc4kgk8@correo.cujae.edu.cu>

I guess you might want to tag those DSCP-enabled packets (because pf has no
support for that at the moment, at least I cannot see it) and put them into
the queue based on the tag.
http://www.openbsd.org/faq/pf/queueing.html#assign

Regards,
Istvan

--
the sun shines for all
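A worked pf.conf for the setup discussed across this thread (DSCP-marked traffic from a single proxy, shaping on both interfaces, replies from the Internet that carry no DSCP), written as an added example for this page rather than anything posted by the participants. It relies on three properties of pf as shipped with FreeBSD 7 (OpenBSD 4.1-era syntax): the `tos` keyword compares the whole TOS/DS byte, so a DSCP value is matched as `DSCP << 2` and a packet with ECN bits set will not match an exact value; the queue assignment of the rule that creates a state is applied to every packet matching that state in both directions, which is the same mechanism that lets the documented `queue(std, tcp_ack)` pair prioritise reply ACKs; and an ALTQ queue acts only on the interface it is defined on, as packets leave it. The interface names, bandwidths, proxy address and DSCP-to-class mapping are assumptions. The statement that pf also re-applies a stored tag to packets matched by a state is my reading of pf_test() in pf.c and is not something this ruleset depends on; check it against the running kernel before relying on it. Syntax-check with `pfctl -nf /etc/pf.conf`, and confirm that downloaded data lands in the dn_* queues with `pfctl -vsq` while fetching through the proxy.

```pf
# Added example for FreeBSD 7.x pf (OpenBSD 4.1-era syntax); not from the
# thread. Requires a kernel built with ALTQ and ALTQ_HFSC. Interface names,
# bandwidths, the proxy address and the DSCP-to-class mapping are assumptions.
ext_if = "em0"
int_if = "em1"
proxy  = "10.0.0.10"

# pf's "tos" keyword compares the entire 8-bit TOS/DS byte. DSCP occupies the
# upper six bits, so a DSCP value is matched as DSCP << 2. ECN bits set by the
# sender change the low two bits and defeat an exact match.
tos_ef   = "0xb8"   # EF   = DSCP 46
tos_af41 = "0x88"   # AF41 = DSCP 34
tos_af11 = "0x28"   # AF11 = DSCP 10

# Uplink: queues on the external interface (traffic leaving towards the Internet).
altq on $ext_if hfsc bandwidth 2Mb queue { up_voice, up_prio, up_bulk }
queue up_voice bandwidth 30% hfsc(realtime 400Kb)
queue up_prio  bandwidth 40% hfsc(linkshare 40%)
queue up_bulk  bandwidth 30% hfsc(default)

# Downlink: queues on the internal interface. ALTQ shapes only what leaves an
# interface, so downloaded data is shaped as it goes out towards the LAN.
altq on $int_if hfsc bandwidth 8Mb queue { dn_voice, dn_prio, dn_bulk }
queue dn_voice bandwidth 30% hfsc(realtime 1600Kb)
queue dn_prio  bandwidth 40% hfsc(linkshare 40%)
queue dn_bulk  bandwidth 30% hfsc(default)

# Classify once, on the first packet in from the proxy. The rule that creates
# the state sets both a tag and the downlink queue; pf applies the queue
# assignment of that rule to every later packet of the state in either
# direction, so the unmarked replies arriving from the Internet are placed in
# the dn_* queue as they leave $int_if. No DSCP on the replies is needed.
pass in quick on $int_if inet proto { tcp, udp } from $proxy to any \
    tos $tos_ef   tag CLASS_VOICE queue dn_voice keep state
pass in quick on $int_if inet proto { tcp, udp } from $proxy to any \
    tos $tos_af41 tag CLASS_PRIO  queue dn_prio  keep state
pass in quick on $int_if inet proto { tcp, udp } from $proxy to any \
    tag CLASS_BULK queue dn_bulk keep state

# The same packet then leaves on $ext_if still carrying the tag (tags are
# sticky across the in and out passes of one packet). These rules create the
# second, uplink state and bind the up_* queue to it, so the uplink queue is
# chosen by tag rather than by re-reading the DS field.
pass out quick on $ext_if tagged CLASS_VOICE queue up_voice keep state
pass out quick on $ext_if tagged CLASS_PRIO  queue up_prio  keep state
pass out quick on $ext_if tagged CLASS_BULK  queue up_bulk  keep state

# Each state is consulted on the interface it was created on, so this works
# under both "set state-policy floating" (the default) and "if-bound".
```

Because the classification happens on the connection's first packet, only that packet needs the DSCP mark; later packets of the same connection are handled by the state, which is what the CONNMARK save/restore pair achieves on Linux. If the proxy negotiates ECN, the `tos` values above will miss those connections and they will fall through to CLASS_BULK, so either disable ECN on the proxy or add rules for the DSCP value with each ECN codepoint set (for example 0xb9, 0xba and 0xbb alongside 0xb8).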