From owner-freebsd-pf@FreeBSD.ORG Sun Dec 6 09:19:14 2009
From: "Vitaliy Vladimirovich" <artemrts@ukr.net>
To: Nico De Dobbeleer
Cc: freebsd-pf@freebsd.org
Date: Sun, 06 Dec 2009 11:19:11 +0200
In-Reply-To: <6783768.102251260022192330.JavaMail.root@zimbra-store>
Subject: Re: Limit connections doesn't work

--- Original Message ---
From: Nico De Dobbeleer
To: freebsd-pf@freebsd.org
Date: 5 december, 16:09:52
Subject: Limit connections doesn't work

Hello,

As most of the public IPs, my servers are constantly under bruteforce attack, see example:

Dec 5 13:56:36 hosting sshd[18621]: Failed password for invalid user tim from 173.10.126.226 port 47871 ssh2
Dec 5 13:56:37 hosting sshd[18623]: Invalid user support123 from 173.10.126.226
Dec 5 13:56:39 hosting sshd[18623]: Failed password for invalid user support123 from 173.10.126.226 port 48289 ssh2
Dec 5 13:56:41 hosting sshd[18625]: Invalid user support from 173.10.126.226
Dec 5 13:56:43 hosting sshd[18625]: Failed password for invalid user support from 173.10.126.226 port 48676 ssh2
Dec 5 13:56:47 hosting sshd[18627]: Invalid user jnanchito from 173.10.126.226
Dec 5 13:56:50 hosting sshd[18627]: Failed password for invalid user jnanchito from 173.10.126.226 port 49122 ssh2
Dec 5 13:56:51 hosting sshd[18629]: Invalid user rtorres from 173.10.126.226
Dec 5 13:56:53 hosting sshd[18629]: Failed password for invalid user rtorres from 173.10.126.226 port 49872 ssh2
Dec 5 13:56:55 hosting sshd[18631]: Invalid user jatema from 173.10.126.226
Dec 5 13:56:57 hosting sshd[18631]: Failed password for invalid user jatema from 173.10.126.226 port 50293 ssh2
Dec 5 13:57:01 hosting sshd[18633]: Failed password for invalid user root from 173.10.126.226 port 50702 ssh2
Dec 5 13:57:04 hosting sshd[18635]: Failed password for invalid user root from 173.10.126.226 port 51154 ssh2
Dec 5 13:57:06 hosting sshd[18637]: Invalid user boss from 173.10.126.226
Dec 5 13:57:08 hosting sshd[18637]: Failed password for invalid user boss from 173.10.126.226 port 51507 ssh2
Dec 5 13:57:09 hosting sshd[18639]: Invalid user sasha from 173.10.126.226
Dec 5 13:57:11 hosting sshd[18639]: Failed password for invalid user sasha from 173.10.126.226 port 51929 ssh2
Dec 5 13:57:13 hosting sshd[18641]: Invalid user vic from 173.10.126.226
Dec 5 13:57:14 hosting sshd[18641]: Failed password for invalid user vic from 173.10.126.226 port 52321 ssh2
Dec 5 13:57:16 hosting sshd[18643]: Invalid user ranjith from 173.10.126.226
Dec 5 13:57:18 hosting sshd[18643]: Failed password for invalid user ranjith from 173.10.126.226 port 52650 ssh2
Dec 5 13:57:21 hosting sshd[18645]: Failed password for invalid user root from 173.10.126.226 port 53087 ssh2
Dec 5 13:57:25 hosting sshd[18647]: Failed password for invalid user root from 173.10.126.226 port 53447 ssh2
Dec 5 13:57:29 hosting sshd[18649]: Failed password for invalid user root from 173.10.126.226 port 53852 ssh2

Now I want to limit the connections over ssh to a specific IP address and I added the rules below for that.
------------------------------------------------------------------------------------------------------------------
#Tables
table persist file "/etc/pf.abusive_ips.block.list"
table persist

# Rules

block quick from
block quick from

# Limit connections per IP

pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/15, overload flush)
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/15, overload flush)
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/15, overload flush)
--------------------------------------------------------------------------------------------------------------------

The only problem is that it doesn't work. These rules don't write the abusive IP in the abusive list file or in the table.

Anyone an idea why it doesn't overload the IPs when the connections per IP are more than 10 or more than 3/15?

With kind regards,

Nico De Dobbeleer
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

I think you should specify a source-track rule (rule or global) in your rules. Like this:

pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state (max 10, source-track rule, max-src-conn 10, max-src-conn-rate 3/15, overload flush)

See the PF FAQ, Stateful Tracking Options.
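An added check that is not part of the thread: the awk below replays pf's max-src-conn-rate RATE/SECONDS bookkeeping over sshd log lines, treating each distinct sshd[pid] as one TCP connection from its source, so you can see at which line the 3/15 rule in Nico's post would have moved 173.10.126.226 into the overload table. The sample log is constructed from a few lines of the post plus one legitimate login from 192.0.2.10 (a documentation address, added for contrast); the function names are my own.

```shell
#!/bin/sh
# Replay of pf's "max-src-conn-rate RATE/SECONDS" bookkeeping over sshd logs.
# pf counts new TCP connections (state creations) per source address; here each
# distinct sshd[pid] in the log stands for one such connection.  A source is
# reported once, at the first connection that makes its count inside the
# window exceed RATE, which is the point where pf would add it to the
# overload table.  pf counts the SYN whether or not authentication later fails.
overload_sources() {   # usage: overload_sources RATE SECONDS < logfile
    awk -v rate="$1" -v window="$2" '
    {
        # field 5 is "sshd[PID]:"; skip other lines and repeated PIDs
        if ($5 !~ /^sshd\[[0-9]+\]:$/) next
        pid = $5
        if (pid in seen) next
        seen[pid] = 1

        # the source address is the token after "from"
        src = ""
        for (i = 6; i <= NF; i++) if ($i == "from") { src = $(i + 1); break }
        if (src == "") next

        # syslog time "HH:MM:SS" (field 3) -> seconds since midnight
        # (midnight wrap-around is ignored in this example)
        split($3, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]

        # record this connection, then count those still inside the window
        cnt[src]++
        ts[src, cnt[src]] = now
        inwin = 0
        for (j = 1; j <= cnt[src]; j++)
            if (now - ts[src, j] < window) inwin++

        if (inwin > rate && !(src in flagged)) {
            flagged[src] = 1
            print src, $3
        }
    }'
}

# Constructed sample: lines from the post plus one legitimate login (192.0.2.10)
SAMPLE_LOG='Dec  5 13:56:36 hosting sshd[18621]: Failed password for invalid user tim from 173.10.126.226 port 47871 ssh2
Dec  5 13:56:37 hosting sshd[18623]: Invalid user support123 from 173.10.126.226
Dec  5 13:56:39 hosting sshd[18623]: Failed password for invalid user support123 from 173.10.126.226 port 48289 ssh2
Dec  5 13:56:40 hosting sshd[18630]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2
Dec  5 13:56:41 hosting sshd[18625]: Invalid user support from 173.10.126.226
Dec  5 13:56:43 hosting sshd[18625]: Failed password for invalid user support from 173.10.126.226 port 48676 ssh2
Dec  5 13:56:47 hosting sshd[18627]: Invalid user jnanchito from 173.10.126.226
Dec  5 13:56:50 hosting sshd[18627]: Failed password for invalid user jnanchito from 173.10.126.226 port 49122 ssh2'

# Which sources would "max-src-conn-rate 3/15" have overloaded, and when?
printf '%s\n' "$SAMPLE_LOG" | overload_sources 3 15
```

With the post's timings (a new sshd process every 2 to 6 seconds) the fourth connection at 13:56:47 is the one that trips 3/15; the legitimate single login is never reported.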
From owner-freebsd-pf@FreeBSD.ORG Sun Dec 6 13:18:25 2009
From: olli hauer <ohauer@gmx.de>
To: Nico De Dobbeleer
Cc: freebsd-pf@freebsd.org
Date: Sun, 06 Dec 2009 14:18:21 +0100
Message-ID: <4B1BAF1D.9070105@gmx.de>
In-Reply-To: <6783768.102251260022192330.JavaMail.root@zimbra-store>
Subject: Re: Limit connections doesn't work

Nico De Dobbeleer wrote:
> Hello,
>
> As most of the public IPs, my servers are constantly under bruteforce attack, see example:
>
> Dec 5 13:56:36 hosting sshd[18621]: Failed password for invalid user tim from 173.10.126.226 port 47871 ssh2
> Dec 5 13:56:37 hosting sshd[18623]: Invalid user support123 from 173.10.126.226
> Dec 5 13:56:39 hosting sshd[18623]: Failed password for invalid user support123 from 173.10.126.226 port 48289 ssh2
...
>
> Now I want to limit the connections over ssh to a specific IP address and I added the rules below for that.
> ------------------------------------------------------------------------------------------------------------------
> #Tables
> table persist file "/etc/pf.abusive_ips.block.list"
> table persist
>
> # Rules
>
> block quick from
> block quick from
>
>
> # Limit connections per IP
>
> pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state
> (max-src-conn 10, max-src-conn-rate 3/15, overload flush)
> pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state
> (max-src-conn 10, max-src-conn-rate 3/15, overload flush)
> pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state
> (max-src-conn 10, max-src-conn-rate 3/15, overload flush)
> --------------------------------------------------------------------------------------------------------------------
>
> The only problem is that it doesn't work. These rules don't write the abusive IP in the abusive list file or in the table.
>
> Anyone an idea why it doesn't overload the IPs when the connections per IP are more than 10 or more than 3/15?

- which FreeBSD version is this, 6.x, 7.x/8.x?
- avoid the quick keyword in the rules with overload
- pf can preload IPs from the file specified in "table ... file "/filename"" but does not write IPs into the file. I use the script below to do this on an OpenBSD machine.
- rewrite your rule and avoid the any keyword

  pass in on { $ext_if, $int_if, $mng_if } inet proto tcp \
      from ! to xx.xx.xx.xx port ssh flags S/SA keep state \
      (max-src-conn 10, max-src-conn-rate 3/15, overload flush)

hint:
- look for the additional keyword global (flush global)
- If the IP in your rule is your base IP on $ext_if, write it as $ext_if:0

This script writes IPs from the bf_* tables into a file so you can preload them the next time the pf rules are installed or the machine reboots. Additionally it can send you a mail with the IPs added to the table, and if GeoIP is installed you get the GeoIP info. With a little modification of the script/rules it will work for you.

#!/bin/sh
##################################################################
# $Source: RCS/pftable_to_file.sh,v $
# OS: OpenBSD
#
# olli hauer
#
##################################################################
# sample rule for pf
# ---------------------------
# block in log quick proto { tcp, udp } from \
#     to any port ssh label BRUTFORCE-SSH
#   table for overload connections
#
# pass in log on $if_ext inet proto tcp from ! to $if_ext \
#     port = ssh flags S/SA keep state \
#     (source-track rule, max-src-conn 10, \
#     max-src-conn-rate 3/90, overload \
#     flush global, if-bound, src.track 90) \
#     label "SSH"

umask 077

PF_TABLES="bf_mail bf_ssh bf_web"
OUTDIR="/etc/pf"
GEOIP=/usr/local/bin/geoiplookup

# hold the output from pfctl -tx -Ts
TMP_PFCTL=`mktemp /tmp/.tmp_pf_table.XXXXXXXXXX` || exit 1
# hold the diff between old and new
TMP_DIFF=`mktemp /tmp/.tmp_diff.XXXXXXXXXX` || exit 1

# remove the temporary files on exit, hangup, interrupt, quit, pipe, term
trap 'rm -f ${TMP_PFCTL} ${TMP_DIFF}' 0 1 2 3 13 15

[ -d ${OUTDIR} ] || mkdir -p ${OUTDIR}

for TABLE in ${PF_TABLES}; do
    # make sure the output file exists
    [ -f ${OUTDIR}/${TABLE} ] || /usr/bin/touch ${OUTDIR}/${TABLE}

    # extract IPs from the table (first column of "pfctl -Ts" output)
    /sbin/pfctl -t${TABLE} -Ts | awk '{print $1}' > ${TMP_PFCTL}

    # we need only the '+diff' to grep for this later
    /usr/bin/diff -bu ${OUTDIR}/${TABLE} ${TMP_PFCTL} > ${TMP_DIFF}
    RETVAL=$?

    case ${RETVAL} in
    0)
        # no change in this table
        continue
        ;;
    1)
        # save the old file
        if [ -f ${OUTDIR}/${TABLE} ]; then
            cp ${OUTDIR}/${TABLE} ${OUTDIR}/${TABLE}.old
        fi

        # mail message header
        date
        echo "change in table: ${TABLE}"
        echo "------------------------------------"

        # lookup the IP in the GeoIP database
        if [ -x ${GEOIP} ]; then
            for IP in `egrep "^\+[0-9]" ${TMP_DIFF} | tr -d \+`; do
                # print the IP wo. linefeed
                printf "%-20s # " ${IP}
                # strip netmask if we add NET by hand
                IPT=`echo ${IP} | sed 's/\/[[:digit:]]*//g'`
                # make a short GeoIP output
                ${GEOIP} ${IPT} | sed 's/ Country Edition//g'
            done
        else
            egrep "^\+[0-9]" ${TMP_DIFF} | tr -d \+
        fi
        # the new table content becomes the file to preload next time
        mv ${TMP_PFCTL} ${OUTDIR}/${TABLE}
        ;;
    *)
        echo "error in diff"
        ;;
    esac
done

Small snippet from my bf_ssh file (places with IP ranges I don't visit in the near time):

snippet from file:/etc/pf/bf_ssh
(list of /8 network ranges omitted)

From owner-freebsd-pf@FreeBSD.ORG Sun Dec 6 16:17:48 2009
From: "Torsten Kersandt" <torsten@cnc-london.net>
To: freebsd-pf@freebsd.org
Date: Sun, 6 Dec 2009 16:17:42 -0000
Message-ID: <015501ca768f$a42353e0$ec69fba0$@net>
In-Reply-To: <4B1BAF1D.9070105@gmx.de>
Subject: RE: Limit connections doesn't work

HI

I personally have all ssh and alike ports closed on my servers.
If I want to connect to the server per ssh or whatever function, I login to a hidden php which adds my current IP to a sql table.
I use sql because I'm not the only one using this and want to keep track of which admin is logging in.
A cron job is running every minute looking in the table and adding the new ip addresses to the pf include file and reloading PF.

Every night at 4am, I empty the text file and reload pf.

I know that this could be done more elegantly but KISS is what I like.

In addition I have tcpserver running a perl script on a non-privileged port to add an IP to the sql tables if apache fails.

#!/bin/sh
### MySQL Setup ###
MUSER="username"
MPASS="password"
MHOST="localhost"
MYSQL="/usr/local/bin/mysql"
#
### Get all new IP addresses ###
DBS="$($MYSQL -u $MUSER -h $MHOST -p$MPASS -Bse 'select ipAddress from intranet.ipCleared WHERE `timestamp` > (UNIX_TIMESTAMP()-60)')"
for ip in $DBS
do
    ## this bit is emailed to me over cron run-output if a new IP address was found
    echo $ip >> /usr/local/etc/pf/pf.VNCallow
    echo "Added $ip to VNC Access from MYSQL Table"
    /etc/rc.d/pf reload
done

From owner-freebsd-pf@FreeBSD.ORG Sun Dec 6 23:01:27 2009
From: Tom Uffner <tom@uffner.com>
To: Torsten Kersandt
Cc: freebsd-pf@freebsd.org
Date: Sun, 06 Dec 2009 18:01:16 -0500
Message-ID: <4B1C37BC.1010104@uffner.com>
In-Reply-To: <015501ca768f$a42353e0$ec69fba0$@net>
Subject: Re: Limit connections doesn't work

Torsten Kersandt wrote:
> HI
> I personally have all ssh and alike ports closed on my servers.
> If I want to connect to the server per ssh or whatever function, I login to a hidden php which adds my current IP to a sql table.
> I use sql because I'm not the only one using this and want to keep track of which admin is logging in.
> A cron job is running every minute looking in the table and adding the new ip addresses to the pf include file and reloading PF.
>
> Every night at 4am, I empty the text file and reload pf.
>
> I know that this could be done more elegantly but KISS is what I like.

that script is horribly inefficient and disruptive to your firewall throughput. you could save a lot of unnecessary cpu cycles and speed up your connections a bit by simply replacing the reloads with pfctl commands that manipulate the table directly.

> #!/bin/sh
> ### MySQL Setup ###
> MUSER="username"
> MPASS="password"
> MHOST="localhost"
> MYSQL="/usr/local/bin/mysql"
> #
> ### Get all new IP addresses ###
> DBS="$($MYSQL -u $MUSER -h $MHOST -p$MPASS -Bse 'select ipAddress from intranet.ipCleared WHERE `timestamp` > (UNIX_TIMESTAMP()-60)')"
> for ip in $DBS
> do
>     ## this bit is emailed to me over cron run-output if a new IP address was found
>     echo $ip >> /usr/local/etc/pf/pf.VNCallow
>     echo "Added $ip to VNC Access from MYSQL Table"
>     /etc/rc.d/pf reload
> done

that loop at the end is anything but KISS. select the new addresses and add them to the table with something like

pfctl -t VNCallow -T add $DBS

instead of that do loop. for persistence across reboots, select all the addresses in your SQL table & add them to the pf table when pf starts.
clear the table with

pfctl -t VNCallow -T flush

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 7 09:43:00 2009
From: "Torsten Kersandt" <torsten@cnc-london.net>
To: "'Tom Uffner'"
Cc: freebsd-pf@freebsd.org
Date: Mon, 7 Dec 2009 09:42:53 -0000
Message-ID: <017601ca7721$a69550f0$f3bff2d0$@net>
In-Reply-To: <4B1C37BC.1010104@uffner.com>
Subject: RE: Limit connections doesn't work

HI tom

I know, and this is what I said. Yes, you're right, and I can replace the reload and put it into a table with the pf command. But the server is on a 1mb/10mb ADSL line and throughput does not really matter.

It was sent as an example only, not as a must do. This script I have done 5 years ago as a quick hack. And because I'm not an expert with PF, I'm subscribed to this list so I can learn without prejudice.

Torsten
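An added example, not code from the thread: Torsten's cron job reworked along Tom's suggestion, so the pf table is updated in place with pfctl -T add and emptied with pfctl -T flush instead of appending to an include file and reloading the ruleset every time. It also validates every value coming back from the database as an IPv4 address before it is placed on the pfctl command line (a hostname, CIDR block or shell metacharacters from the table are rejected), and reads the MySQL credentials from an option file so the password is not on the command line. The table name VNCallow and the query are taken from the post; the paths, the option file and the function names are assumptions.

```shell
#!/bin/sh
# Cron-driven allow-list sync: SQL table -> running pf table, no ruleset reload.
# Paths, option file and function names are assumptions for this example.
PFCTL=${PFCTL:-/sbin/pfctl}
TABLE=VNCallow                                # pf.conf: table <VNCallow> persist
MYSQL=${MYSQL:-/usr/local/bin/mysql}
MYCNF=${MYCNF:-/usr/local/etc/pf/mysql.cnf}   # [client] user/password, mode 0600,
                                              # instead of -p$MPASS on the command line

# Accept only a dotted-quad IPv4 address with octets 0-255.  Anything else that
# comes back from the database never reaches the pfctl command line.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read candidate addresses on stdin, print only the valid ones, one per line.
filter_addrs() {
    while IFS= read -r addr; do
        if valid_ipv4 "$addr"; then
            printf '%s\n' "$addr"
        fi
    done
}

# Add the validated addresses from stdin to the running pf table.
add_to_table() {
    addrs=$(filter_addrs)
    [ -n "$addrs" ] || return 0
    # word splitting is intended: every word is one validated address
    $PFCTL -t "$TABLE" -T add $addrs
}

# Every minute from cron: addresses cleared during the last 60 s (the post's query).
sync_recent() {
    "$MYSQL" --defaults-extra-file="$MYCNF" -Bse \
        'select ipAddress from intranet.ipCleared WHERE `timestamp` > (UNIX_TIMESTAMP()-60)' \
        | add_to_table
}

# Once pf is up after a reboot: repopulate the table from the SQL table, as Tom
# suggested, so no include file is needed for persistence.
sync_all() {
    "$MYSQL" --defaults-extra-file="$MYCNF" -Bse \
        'select ipAddress from intranet.ipCleared' | add_to_table
}

# Nightly from cron, replacing "empty the text file and reload pf".
flush_table() {
    $PFCTL -t "$TABLE" -T flush
}

case ${1:-} in
    recent) sync_recent ;;
    all)    sync_all ;;
    flush)  flush_table ;;
esac
```

Run it as "script recent" every minute and "script flush" at night from cron, and "script all" from an rc hook after pf has started; the VNC rules themselves keep referencing the table, which must be declared persist in pf.conf so it survives a ruleset reload.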
From owner-freebsd-pf@FreeBSD.ORG Mon Dec 7 11:07:01 2009
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
Date: Mon, 7 Dec 2009 11:07:00 GMT
Message-Id: <200912071107.nB7B70XZ068562@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/135162  pf    [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o kern/132769  pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf    [pf] pf stalls connection when using route-to [regress
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf    [pf] deadlock in pf
f kern/127345  pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

37 problems total.
From owner-freebsd-pf@FreeBSD.ORG Fri Dec 11 12:04:05 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 85B6F1065692 for ; Fri, 11 Dec 2009 12:04:05 +0000 (UTC) (envelope-from gdakos@enovation.gr) Received: from server.8com.gr (server.8com.gr [213.163.64.14]) by mx1.freebsd.org (Postfix) with ESMTP id DABBB8FC1B for ; Fri, 11 Dec 2009 12:04:04 +0000 (UTC) Received: from john ([83.235.249.6]) by server.8com.gr (IceWarp 9.1.0) with ASMTP id SYP40621 for ; Fri, 11 Dec 2009 14:04:21 +0200 From: "John Dakos [ Enovation Technologies ]" To: Date: Fri, 11 Dec 2009 14:04:07 +0200 Message-ID: <4AEC4A6F65A84D258332A61EF5980850@john> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-7" Content-Transfer-Encoding: quoted-printable X-Mailer: Microsoft Office Outlook 11 Thread-Index: Acp5g202sHo0JVGFSk2wYrEGSzvTyAA1oIDg X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579 Subject: FW: clientNatLookup: PF open failed: (13) Permission denied X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Dec 2009 12:04:05 -0000 Hello all. I'm running Squid =A0Version 3.0.STABLE20 on FreeBSD 8 Release=A0 with = PF=A0=A0 and =A0.. =A0--enable-pf-transparent' Squid is worked but in my cashe.log=A0=A0 I have =A0=A0clientNatLookup: = PF open failed: (13) Permission denied every time... I have=A0=A0=A0 in rc.conf=A0=A0=A0=A0 squid_enable=3D"YES" Any idea for that ? =A0 =A0 =A0Thanks =20 =20 =20 __________ Information from ESET NOD32 Antivirus, version of virus = signature database 4678 (20091211) __________ The message was checked by ESET NOD32 Antivirus. 
http://www.eset.com =20 From owner-freebsd-pf@FreeBSD.ORG Fri Dec 11 12:10:04 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B0DE3106566B for ; Fri, 11 Dec 2009 12:10:04 +0000 (UTC) (envelope-from hrauch@empic.de) Received: from ox.heitec.net (ox.heitec.net [93.93.253.50]) by mx1.freebsd.org (Postfix) with SMTP id 3936E8FC1D for ; Fri, 11 Dec 2009 12:10:03 +0000 (UTC) Received: from ox.heitec.net ([10.100.1.50]) by eSafe SMTP Relay 1260439757; Fri, 11 Dec 2009 12:59:01 +0100 Received: by ox.heitec.net (Postfix, from userid 110) id 5A5BC1A002; Fri, 11 Dec 2009 12:59:01 +0100 (CET) Received: from siena.er.heitec.net (unknown [10.64.150.150]) by ox.heitec.net (Postfix) with ESMTPSA id 535831A001 for ; Fri, 11 Dec 2009 12:59:01 +0100 (CET) Received: by siena.er.heitec.net (Postfix, from userid 1000) id 976DC1F2E; Fri, 11 Dec 2009 12:59:01 +0100 (CET) Date: Fri, 11 Dec 2009 12:59:01 +0100 From: Holger Rauch To: freebsd-pf@freebsd.org Message-ID: <20091211115900.GC31375@heitec.de> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="O3RTKUHj+75w1tg5" Content-Disposition: inline User-Agent: Mutt/1.5.20 (2009-06-14) Organization: EMPIC GmbH, Werner-von-Siemens-Str. 61, 91052 Erlangen, Germany, Reg. No: 2873 / Fuerth / Germany, CEO / Managing Director: Joerg K. 
Kottenbrink, WWW: http://www.empic.eu X-ESAFE-STATUS: [esafe] Mail clean X-ESAFE-DETAILS: [esafe] Subject: Transition from IPFW: PF flags for IPFW "setup" and "established" keywords X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Dec 2009 12:10:04 -0000 --O3RTKUHj+75w1tg5 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Hi to everybody, what are the correct combinations of flags for the IPFW "setup" and "established" keywords? I googled for this but found no real mapping to pf flags. Any hints/links are welcome. Thanks in advance & kind regards, Holger --O3RTKUHj+75w1tg5 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAksiNAQACgkQbiVtWpZdKQIxUQCgji13vDiKe3MTpo2nWzbcEGaL HtgAnjaVLr8RzCkXye+WMSx+Iv+gj34D =hQfK -----END PGP SIGNATURE----- --O3RTKUHj+75w1tg5-- From owner-freebsd-pf@FreeBSD.ORG Fri Dec 11 12:40:36 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6161A106568B for ; Fri, 11 Dec 2009 12:40:36 +0000 (UTC) (envelope-from ermal.luci@gmail.com) Received: from mail-yw0-f204.google.com (mail-yw0-f204.google.com [209.85.211.204]) by mx1.freebsd.org (Postfix) with ESMTP id 19CA98FC16 for ; Fri, 11 Dec 2009 12:40:35 +0000 (UTC) Received: by ywh42 with SMTP id 42so839743ywh.28 for ; Fri, 11 Dec 2009 04:40:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:received:in-reply-to :references:from:date:x-google-sender-auth:message-id:subject:to:cc :content-type; 
From: Ermal Luçi
Date: Fri, 11 Dec 2009 13:11:07 +0100
To: "John Dakos [ Enovation Technologies ]"
Cc: freebsd-pf@freebsd.org
Message-ID: <9a542da30912110411g6d332409h9db4664b73ee1153@mail.gmail.com>
In-Reply-To: <4AEC4A6F65A84D258332A61EF5980850@john>
Subject: Re: FW: clientNatLookup: PF open failed: (13) Permission denied

2009/12/11 John Dakos [ Enovation Technologies ]
>
> Hello all.
>
> I'm running Squid Version 3.0.STABLE20 on FreeBSD 8 Release with PF and
> ..
> --enable-pf-transparent'
>
> Squid works, but in my cache.log I have clientNatLookup: PF open
> failed: (13) Permission denied every time...
>
> I have in rc.conf squid_enable="YES"
>
> Any idea for that ?
>

Just allow the user with which you run squid permission of read (write?) to /dev/pf.
--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 12 01:25:11 2009
From: Aaron Stellman
Date: Fri, 11 Dec 2009 17:25:08 -0800
To: freebsd-pf@freebsd.org
Message-ID: <20091212012507.GD27716@x96.org>
Subject: IPv6, PF problem

Hello there,
Here is the problem I've encountered on a dual stack amd64 FreeBSD 8.0p1 machine.
What works:
pass in on $ext_if proto tcp to port 21

What doesn't work:
pass in on $ext_if proto tcp to ($ext_if) port 21

Here is what's logged when it doesn't work:
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 1515 bytes
00:00:00.000000 rule 0/0(match): block in on bge0: 2001:1938:235:beef:21b:21ff:fe37:d799.11220 > 2001:1938:235:dead:226:b9ff:fe75:6e5e.21: Flags [S], seq 413041093, win 65535, options [mss 1440,nop,nop,sackOK,nop,wscale 1,nop,nop,TS val 3435338387 ecr 0], length 0

ext_if="bge0"

epsilon# ifconfig -a
bge0: flags=8843 metric 0 mtu 1500
	options=9b
	ether 00:26:b9:75:6e:5e
	inet 10.10.11.5 netmask 0xffffffe0 broadcast 10.10.11.31
	inet6 fe80::226:b9ff:fe75:6e5e%bge0 prefixlen 64 scopeid 0x1
	inet 10.10.11.8 netmask 0xffffffe0 broadcast 10.10.11.31
	inet6 2001:1938:235:dead:226:b9ff:fe75:6e5e prefixlen 64 autoconf
	media: Ethernet autoselect (1000baseT )
	status: active
lo0: flags=8049 metric 0 mtu 16384
	options=3
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
pflog0: flags=0<> metric 0 mtu 33152

Notice that it works as expected with IPv4; meaning that when I use "to ($ext_if)" and use ipv4 to connect, the connection passes through, unlike IPv6.
Also, OpenBSD pf works as expected with both IPv{4,6}

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 12 13:58:23 2009
From: Artyom Viklenko
Organization: Art&Co.
Date: Sat, 12 Dec 2009 15:58:17 +0200
To: Holger Rauch
Cc: freebsd-pf@freebsd.org
Message-ID: <4B23A179.9070004@aws-net.org.ua>
In-Reply-To: <20091211115900.GC31375@heitec.de>
Subject: Re: Transition from IPFW: PF flags for IPFW "setup" and "established" keywords

Holger Rauch wrote:
> Hi to everybody,
>
> what are the correct combinations of flags for the IPFW "setup" and
> "established" keywords?

PF's equivalent of IPFW's "setup" is 'flags S/SA'.
Also, you have to include 'keep state' in the same rule (for FreeBSD versions up to 6.4; in 7.x and 8.x it's the default behavior). If a connection is established, PF creates state and matches traffic "internally" without special dedicated rules.

E.g.,

pass in on fxp0 inet proto tcp from any to any port 80 flags S/SA keep state

will pass TCP traffic to port 80 if it starts as it should, beginning from the first packet with only the SYN bit set of the two bits SYN and ACK. State will be created for this flow if the rest of the packets follow the usual three-way handshake. After this, all packets in this flow will pass automatically until the connection is closed (packets with FIN bits seen by PF) or timed out.

Something like this. :)

--
Sincerely yours,
Artyom Viklenko.
-------------------------------------------------------
artem@aws-net.org.ua | http://www.aws-net.org.ua/~artem
FreeBSD: The Power to Serve - http://www.freebsd.org

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 12 20:37:28 2009
From: Max Laier
Organization: FreeBSD
Date: Sat, 12 Dec 2009 21:37:19 +0100
To: freebsd-pf@freebsd.org
Message-Id: <200912122137.19258.max@love2party.net>
In-Reply-To: <20091212012507.GD27716@x96.org>
Subject: Re: IPv6, PF problem

On Saturday 12 December 2009 02:25:08 Aaron Stellman wrote:
> Hello there,
> Here is the problem I've encountered on a dual stack amd64 FreeBSD 8.0p1
> machine.
>
> What works:
> pass in on $ext_if proto tcp to port 21
>
> What doesn't work:
> pass in on $ext_if proto tcp to ($ext_if) port 21
>
> here is what's logged when it doesn't work:
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size
> 1515 bytes
> 00:00:00.000000 rule 0/0(match): block in on bge0:
> 2001:1938:235:beef:21b:21ff:fe37:d799.11220 >
> 2001:1938:235:dead:226:b9ff:fe75:6e5e.21: Flags [S], seq 413041093, win
> 65535, options [mss 1440,nop,nop,sackOK,nop,wscale 1,nop,nop,TS val
> 3435338387 ecr 0], length 0

What does "pfctl -vvsr" give you for the rule? It should include the number of addresses assigned to the interface in the braces - e.g. "... (bge0:4) ..."

In addition, can you try to add separate rules for inet and inet6 - i.e.

pass in on $ext_if inet proto tcp to ($ext_if) port 21
pass in on $ext_if inet6 proto tcp to ($ext_if) port 21

and check the number of addresses with pfctl -vvsr?
> ext_if="bge0"
>
> epsilon# ifconfig -a
> bge0: flags=8843 metric 0 mtu
> 1500
>         options=9b
>         ether 00:26:b9:75:6e:5e
>         inet 10.10.11.5 netmask 0xffffffe0 broadcast 10.10.11.31
>         inet6 fe80::226:b9ff:fe75:6e5e%bge0 prefixlen 64 scopeid 0x1
>         inet 10.10.11.8 netmask 0xffffffe0 broadcast 10.10.11.31
>         inet6 2001:1938:235:dead:226:b9ff:fe75:6e5e prefixlen 64
> autoconf
>         media: Ethernet autoselect (1000baseT )
>         status: active
> lo0: flags=8049 metric 0 mtu 16384
>         options=3
>         inet 127.0.0.1 netmask 0xff000000
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
> pflog0: flags=0<> metric 0 mtu 33152
>
>
> Notice, that it works as expected with IPv4; meaning that when I use "to
> ($ext_if)" and use ipv4 to connect, connection passes through, unlike
> IPv6.
> Also, OpenBSD pf works as expected with both IPv{4,6}
From owner-freebsd-pf@FreeBSD.ORG Sat Dec 12 21:11:34 2009
From: Aaron Stellman
Date: Sat, 12 Dec 2009 13:11:28 -0800
To: freebsd-pf@freebsd.org
Message-ID: <20091212211128.GA28@x96.org>
In-Reply-To: <20091212012507.GD27716@x96.org>
Subject: Re: IPv6, PF problem

Hello there,

> What does "pfctl -vvsr" give you for the rule? It should include the number
> of addresses assigned to the interface in the braces - e.g. "... (bge0:4) ..."

@8 pass in on bge0 proto tcp from any to (bge0:4) port = ftp flags S/SA keep state
  [ Evaluations: 0  Packets: 0  Bytes: 0  States: 0 ]
  [ Inserted: uid 0 pid 79900 ]

> In addition, can you try to add separate rules for inet and inet6 - i.e.
>
> pass in on $ext_if inet proto tcp to ($ext_if) port 21
> pass in on $ext_if inet6 proto tcp to ($ext_if) port 21

@8 pass in on bge0 inet proto tcp from any to (bge0:2) port = ftp flags S/SA keep state
  [ Evaluations: 1  Packets: 17  Bytes: 916  States: 1 ]
  [ Inserted: uid 0 pid 80198 ]
@9 pass in on bge0 inet6 proto tcp from any to (bge0:2) port = ftp flags S/SA keep state
  [ Evaluations: 1  Packets: 0  Bytes: 0  States: 0 ]
  [ Inserted: uid 0 pid 80198 ]

and it passes the inet6 connection with these two rules. Do you consider it a bug? This essentially forces me to have 2 separate rules for inet and inet6.

Thanks
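The rules in Aaron's pfctl output carry "flags S/SA keep state", the FreeBSD 7.x/8.x default that Artyom Viklenko explained in his IPFW-transition reply earlier in this digest. As an added example, not code from any poster, the following Python models that matching: "S/SA" means that of the SYN and ACK bits only SYN may be set (other bits are ignored), and once a state exists later packets of the flow pass without the rule being consulted. The teardown is simplified (real pf uses timeouts and a fuller TCP state machine), and the default-block policy is an assumption.

```python
# Added example (not code from any poster on this list): a simplified model of
# the "flags S/SA keep state" matching described by Artyom Viklenko. Real pf
# also tracks sequence windows, timeouts and the full TCP state machine.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
FLAG_BITS = {"F": FIN, "S": SYN, "R": RST, "P": PSH,
             "A": ACK, "U": URG, "E": ECE, "W": CWR}


def parse_flags_spec(spec):
    """'S/SA' -> (check, mask). Bits in check must be set, the remaining bits
    of mask must be clear, and bits outside mask (e.g. ECE/CWR) are ignored."""
    check_str, mask_str = spec.split("/")
    check = sum(FLAG_BITS[c] for c in check_str)
    mask = sum(FLAG_BITS[c] for c in mask_str)
    return check, mask


def flags_match(tcp_flags, spec="S/SA"):
    """True if a packet carrying these TCP flag bits satisfies the spec."""
    check, mask = parse_flags_spec(spec)
    return tcp_flags & mask == check


def run_flow(packets, spec="S/SA"):
    """Evaluate (direction, flags) packets against one
    'pass in ... flags S/SA keep state' rule under an assumed default-block
    policy. 'in' is client to server, 'out' is the server's reply. The rule is
    consulted only while no state exists; afterwards packets pass on the state
    until both sides have sent FIN and the final ACK has been seen."""
    state, fins_seen, verdicts = None, set(), []
    for direction, flags in packets:
        if state in ("open", "closing"):
            verdicts.append("pass (state)")
            if state == "closing":       # final ACK of the teardown: drop state
                state = None
            elif flags & FIN:
                fins_seen.add(direction)
                if fins_seen == {"in", "out"}:
                    state = "closing"
        elif direction == "in" and flags_match(flags, spec):
            state, fins_seen = "open", set()
            verdicts.append("pass (rule, state created)")
        else:
            verdicts.append("block")     # no matching rule and no state
    return verdicts


if __name__ == "__main__":
    handshake = [("in", SYN), ("out", SYN | ACK), ("in", ACK), ("in", PSH | ACK)]
    print(run_flow(handshake))           # rule evaluated once, then state
```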