From owner-freebsd-pf@FreeBSD.ORG Mon Apr 5 11:07:07 2010
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 5 Apr 2010 11:07:06 GMT
Message-Id: <201004051107.o35B76ve027886@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/144311  pf         [pf] [icmp] massive ICMP storm on lo0 occurs when usin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to successfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

43 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue Apr 6 18:25:46 2010
From: Christian Laursen <xi@borderworlds.dk>
Organization: The Border Worlds
To: freebsd-pf@FreeBSD.org
Date: Tue, 06 Apr 2010 20:12:58 +0200
Message-ID: <4BBB79AA.7040600@borderworlds.dk>
Subject: "(self)" not always matching all local IPv6 addresses
Hello,

I have tripped over what I believe is a bug in pf.

On my test machine I have this fairly simple ruleset:

===============================================
set block-policy return
set skip on lo0

block in all

pass out proto { tcp, udp } all keep state

pass in proto {icmp,icmp6} all
pass out proto {icmp,icmp6} all

pass in proto tcp from any to (self) port 22
===============================================

After booting the machine ifconfig for em0 looks like this:

em0: flags=8843 metric 0 mtu 1500
        options=9b
        ether 08:00:27:73:96:a9
        inet6 fe80::a00:27ff:fe73:96a9%em0 prefixlen 64 scopeid 0x1
        inet 10.1.0.40 netmask 0xffff0000 broadcast 10.1.255.255
        inet6 2001:6c8:6:6:a00:27ff:fe73:96a9 prefixlen 64 autoconf
        nd6 options=23
        media: Ethernet autoselect (1000baseT )
        status: active

The problem is that when I try to ssh to the machine the connection is not
allowed through:

[xi@talaxian ~]$ ssh 2001:6c8:6:6:a00:27ff:fe73:96a9
ssh: connect to host 2001:6c8:6:6:a00:27ff:fe73:96a9 port 22: Connection refused

I have tried various things when I tried to figure out what is going on here.

In this case it helps to add another IPv6 address to em0:

ifconfig em0 inet6 2001:6c8:6:6::2

em0: flags=8843 metric 0 mtu 1500
        options=9b
        ether 08:00:27:73:96:a9
        inet6 fe80::a00:27ff:fe73:96a9%em0 prefixlen 64 scopeid 0x1
        inet 10.1.0.40 netmask 0xffff0000 broadcast 10.1.255.255
        inet6 2001:6c8:6:6:a00:27ff:fe73:96a9 prefixlen 64 autoconf
        inet6 2001:6c8:6:6::2 prefixlen 64
        nd6 options=23
        media: Ethernet autoselect (1000baseT )
        status: active

After doing this, ssh works:

[xi@talaxian ~]$ ssh 2001:6c8:6:6:a00:27ff:fe73:96a9
Last login: Tue Apr 6 21:56:48 2010 from 10.1.0.2

I have observed this problem on 7.3, 8.0 and -CURRENT less than a week old.

I can mention that changing "(self)" to "self" in the ruleset works as
expected and the problem returns when changing it back.

When I see this behaviour, it can also be "fixed" by adding another
interface, e.g. "ifconfig gif0 create".

I hope that this makes sense and that someone more familiar with the inner
workings of pf is able to reproduce it. I like using "(self)" but when it
doesn't work reliably I'm forced to resort to workarounds.

If I need to provide more info, I'll be happy to do so.

Thanks in advance.

-- 
Christian Laursen
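The test above is done by hand, one ssh per address. What follows is an added example, not part of Christian's report: it pulls every global inet6 address out of ifconfig output and probes each on port 22, so that a "(self)" rule that has silently stopped covering one address is caught after any address change. With "set block-policy return" a SYN that pf blocks is answered with a RST, so a blocked address shows up as "refused", the exact symptom in the report. The ifconfig text is constructed from the output he posted; the function names and the `prober` hook are this example's own.

```python
"""Check that every global IPv6 address on an interface accepts TCP/22.

Added example, not code from Christian's report.  It parses ifconfig
output for inet6 addresses and classifies a TCP connect to each.
"""
import re
import socket
import sys

# Constructed sample: em0 as shown in the report after the second
# address was added (the <...> flag lists are not needed for parsing).
SAMPLE_IFCONFIG = """\
em0: flags=8843 metric 0 mtu 1500
        options=9b
        ether 08:00:27:73:96:a9
        inet6 fe80::a00:27ff:fe73:96a9%em0 prefixlen 64 scopeid 0x1
        inet 10.1.0.40 netmask 0xffff0000 broadcast 10.1.255.255
        inet6 2001:6c8:6:6:a00:27ff:fe73:96a9 prefixlen 64 autoconf
        inet6 2001:6c8:6:6::2 prefixlen 64
        nd6 options=23
        media: Ethernet autoselect (1000baseT)
        status: active
"""

# One "inet6 <addr>[%scope] prefixlen <n> [flags...]" line of ifconfig output.
INET6_RE = re.compile(
    r"^\s*inet6\s+(?P<addr>[0-9A-Fa-f:]+)(?:%\S+)?\s+prefixlen\s+\d+(?P<rest>.*)$"
)


def inet6_addresses(ifconfig_text, include_link_local=False):
    """Return (address, is_autoconf) pairs for the inet6 lines, in order.

    Link-local addresses (fe80::/10) are skipped unless asked for: they
    need a %scope to be reachable and are not what the report's ssh test
    targets.  The autoconf flag is kept because the address that failed
    in the report was the SLAAC one.
    """
    result = []
    for line in ifconfig_text.splitlines():
        m = INET6_RE.match(line)
        if not m:
            continue
        addr = m.group("addr").lower()
        if not include_link_local and addr.startswith("fe80:"):
            continue
        result.append((addr, "autoconf" in m.group("rest").split()))
    return result


def probe_tcp(addr, port=22, timeout=3.0):
    """Classify one TCP connect to [addr]:port.

    "open"    - handshake completed, pf passed the SYN
    "refused" - a RST came back; with block-policy return that is how a
                SYN blocked by pf looks (a closed port answers the same
                way, so make sure sshd listens on every address first)
    "timeout" - nothing came back (block-policy drop, or a black hole)
    "error"   - any other socket error, e.g. no route to host
    """
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"


def uncovered_addresses(ifconfig_text, port=22, prober=probe_tcp):
    """Addresses from the ifconfig text that did not accept a connection.

    The prober is injectable so the selection logic can be exercised
    without a network; the default does a real connect.
    """
    return [addr for addr, _autoconf in inet6_addresses(ifconfig_text)
            if prober(addr, port) != "open"]


if __name__ == "__main__":
    # Usage on the host itself:  ifconfig em0 | python3 check_self.py
    failed = uncovered_addresses(sys.stdin.read())
    for addr in failed:
        print("port 22 not reachable on", addr)
    sys.exit(1 if failed else 0)
```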
From owner-freebsd-pf@FreeBSD.ORG Fri Apr 9 15:29:53 2010
From: Andy Coates <andy@bribed.net>
To: freebsd-pf@freebsd.org
Date: Fri, 9 Apr 2010 16:29:51 +0100
Message-ID: <20100409152951.GA4487@mail.padawan.org>
Subject: Bug/Intentional issue with asymmetric routing?

Hi all,

About to pull my hair out debugging this problem, which I'm left believing is
either a bug or intentional (but I can't find any references to the behaviour).

             |--- fw1 ---|
  server ----|  (pfsync) |---- transit isp1
             |--- fw2 ---|

I'm using CARP on the server LAN side so it always has a gateway (fw1/fw2) to
go through, but because there are multiple internal subnets involved I'm using
OSPF on the transit router. The transit server sees two next-hops for the
server's LAN, fw1 and fw2 (not their CARP address, their interface IPs). In
this case we presume fw1 is the next-hop.

If fw1 is carp master there are no issues, packets follow:

  server->fw1->internet->fw1->server

If fw2 is carp master the issue occurs - TCP sessions fail:

  server->fw2->internet->fw1->server

At this point if I disable PF on fw1 everything is fine. If I enable PF on
fw1, but leave pf.conf blank so no rules, TCP connections fail. Confirmed no
rules with 'pfctl -s rules' and nothing listed. Even added 'pass all no
state' just in case it had a default block, but still fails.

I can't work out why enabling PF is breaking TCP sessions. Am I missing
something obvious?

Running 8.0-STABLE with the GENERIC kernel on AMD64.

Thanks,

Andy.
From owner-freebsd-pf@FreeBSD.ORG Fri Apr 9 17:13:26 2010
From: DAve <dave.list@pixelhammer.com>
To: freebsd-pf@freebsd.org
Date: Fri, 09 Apr 2010 12:46:26 -0400
Message-ID: <4BBF59E2.80303@pixelhammer.com>
Subject: Issues with pf and snmp

Good afternoon.

I've been working to enable pf on all our servers in preparation for moving
them outside the PIXs we currently use. The first server I tackled was our
ftp server; it currently is only used to support VOIP phones via ftp, http,
and tftp. I used ipfilter extensively but that was 10? years ago.

Everything is working at this point except snmp. Cacti connects to the server
to query snmp and gets part of a result, then snmp stops and takes 80% of the
CPU. Cacti is on the network. I am at a loss to understand what is wrong with
my ruleset.

### Macros ###
# define common values, so they can be referenced and changed easily.
ext_if="dc0"    # replace with actual external interface name i.e., dc0
int_if="dc1"
loop_if="lo0"

### Tables ###
table persist { 127.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16,
                192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }
table persist { 192.168.32.0/24, 10.0.241.0/24 }
table persist

### Normalization ###
# reassemble fragments and resolve or reduce traffic ambiguities.
scrub all random-id

### Default Filtering ###
block in log all
block out log all

# Let's make certain localhost and the private network are unrestricted
set skip on $loop_if
set skip on $int_if

# Now let's start hammering anything obvious
block drop in quick on $ext_if from to any
block drop out quick on $ext_if from any to
block in quick on $ext_if inet proto tcp from to any port 22 label "ssh bruteforce"
antispoof for $ext_if

# Let's pass ssh, time and dns, we always need those. Also connections
# from the office and monitoring
pass in quick on $ext_if inet proto tcp from any to $ext_if port 22 keep state
pass out quick on $ext_if inet proto udp from $ext_if to any port 53 keep state
pass out quick on $ext_if inet proto udp from $ext_if to any port 123 keep state
pass in quick on $ext_if inet proto { tcp, udp, icmp } from to $ext_if keep state

### Server Specific rules ###
# We gotta support those FTP users, that's why we are here and not a kiosk in a mall
pass in quick on $ext_if inet proto tcp from any to $ext_if port 21 keep state
pass in quick on $ext_if inet proto tcp from any to $ext_if port 65000:65500 keep state
# Yep, Cisco phones still using tftp, we do not understand what internet they use at Cisco.
pass in quick on $ext_if inet proto udp from any to $ext_if port 69
# We use www to serve config files as well
pass in quick on $ext_if inet proto tcp from any to $ext_if port 80 keep state

I would think the line allowing tcp,udp,icmp would allow snmp to work from
the monitoring server, but snmp is certainly not behaving. Here is the
relevant pflog entry.

480683 rule 0/0(match): block in on dc0: 10.0.241.28.39107 > 10.0.241.41.161: C=SECRET GetNextRequest(21) .0.1[|snmp]

Thanks for any help.

DAve

-- 
"Posterity, you will know how much it cost the present generation to
preserve your freedom. I hope you will make good use of it. If you do
not, I shall repent in heaven that ever I took half the pains to
preserve it."

John Adams

http://appleseedinfo.org

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 9 19:34:45 2010
From: Peter Maxwell
To: DAve
Cc: freebsd-pf@freebsd.org
Date: Fri, 9 Apr 2010 20:34:43 +0100
In-Reply-To: <4BBF59E2.80303@pixelhammer.com>
Subject: Re: Issues with pf and snmp

Hi DAve,

This may be a daft question, but is the destination IP in your tcpdump of
10.0.241.41 (one of) the IP address(es) assigned to dc0?

The next question isn't actually related to your problem; when you say "I've
been working to enable pf on all our servers in preparation for moving them
outside the PIXs we currently use", does that mean the servers that have
services running on them will also do their own packet filtering? If so, then
your existing setup with a PIX sounds better. Your packet filters should -
whenever possible - be on a separate box from the hosts running any services.
The reason being, if one of your daemon processes is compromised then so is
your fw ;-)

Best wishes,

Peter

On 9 April 2010 17:46, DAve wrote:
> Good afternoon.
>
> [...]

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 9 19:55:41 2010
From: DAve <dave.list@pixelhammer.com>
To: freebsd-pf@freebsd.org
Date: Fri, 09 Apr 2010 15:55:21 -0400
Message-ID: <4BBF8629.1090109@pixelhammer.com>
References: <4BBF59E2.80303@pixelhammer.com>
Subject: Re: Issues with pf and snmp

Peter Maxwell wrote:
>
> Hi DAve,
>
> This may be a daft question, but is the destination IP in your tcpdump
> of 10.0.241.41 (one of) the IP address(es) assigned to dc0?

Yes it is.

> The next question isn't actually related to your problem; when you say
> "I've been working to enable pf on all our servers in preparation for
> moving them outside the PIXs we currently use", does that mean the
> servers that have services running on them will also do their own packet
> filtering? If so, then your existing setup with a PIX sounds better.
> Your packet filters should - whenever possible - be on a separate box
> from the hosts running any services. The reason being, if one of your
> daemon processes is compromised then so is your fw ;-)

Yea, well, I get to voice my opinions and then wait for the decision. If we
do *not* move outside the PIX, I will still leave PF on each box for the
layered security. So I still need to get snmp to work.

I poked around the manuals for quite a while this morning and found nothing
that I saw as an answer. Searching the net for anything with pf and snmp
provided links to monitoring pf, not filtering snmp.

I am not certain the problem is not of my own creation, but I may have to
look at snmp as the issue if I cannot find anything incorrect in my pf rules.
Though, cacti has been querying this server for over two years without a
problem until I turned up pf.

Still digging...

DAve

> Best wishes,
>
> Peter
>
> On 9 April 2010 17:46, DAve wrote:
>
>     Good afternoon.
>
>     [...]

-- 
"Posterity, you will know how much it cost the present generation to
preserve your freedom. I hope you will make good use of it. If you do
not, I shall repent in heaven that ever I took half the pains to
preserve it."

John Adams

http://appleseedinfo.org

From owner-freebsd-pf@FreeBSD.ORG Sat Apr 10 00:18:19 2010
Subject: Fwd: Issues with pf and snmp

Hit reply in haste and forgot to send to list...

---------- Forwarded message ----------
From: Peter Maxwell
Date: 10 April 2010 01:16
Subject: Re: Issues with pf and snmp
To: DAve

On 9 April 2010 20:55, DAve wrote:
> Peter Maxwell wrote:
> >
> > Hi DAve,
> >
> > This may be a daft question, but is the destination IP in your tcpdump
> > of 10.0.241.41 (one of) the IP address(es) assigned to dc0?
>
> Yes it is.
>

Darn, I thought that one would be too easy ;-)

> >
> > The next question isn't actually related to your problem; when you say
> > "I've been working to enable pf on all our servers in preparation for
> > moving them outside the PIXs we currently use", does that mean the
> > servers that have services running on them will also do their own packet
> > filtering? If so, then your existing setup with a PIX sounds better.
> > Your packet filters should - whenever possible - be on a separate box
> > from the hosts running any services. The reason being if one of your
> > daemon processes is compromised then so is your fw ;-)
>
> Yea, well, I get to voice my opinions and then wait for the decision. If
> we do *not* move outside the PIX, I will still leave PF on each box for
> the layered security. So I still need to get snmp to work.
>
> I poked around the manuals for quite a while this morning and found
> nothing that I saw as an answer. Searching the net for anything with pf
> and snmp provided links to monitoring pf, not filtering snmp.
>
> I am not certain the problem is not of my own creation, but I may have
> to look at snmp as the issue if I cannot find anything incorrect in my
> pf rules.
> Though, cacti has been querying this server for over two years
> without a problem until I turned up pf.

Can't see anything obvious but have you tried these things in the event
something strange is going on:

- removing the scrub rule;
- removing the antispoof rule;
- add 'log' to the pass rules and then check to see if there are any
  other snmp udp packets getting passed/dropped in the wrong place.

>
> Still digging...
>
> DAve
>
> > Best wishes,
> >
> > Peter
> >
> > On 9 April 2010 17:46, DAve wrote:
> >
> > Good afternoon.
> >
> > I've been working to enable pf on all our servers in preparation for
> > moving them outside the PIXs we currently use. The first server I
> > tackled was our ftp server, it currently is only used to support VOIP
> > phones via ftp, http, and tftp. I used ipfilter extensively but that was
> > 10? years ago.
> >
> > Everything is working at this point except snmp. Cacti connects to the
> > server to query snmp and gets part of a result, then snmp stops and
> > takes 80% of the CPU. Cacti is on the network. I am at a
> > loss to understand what is wrong with my ruleset.
> >
> > ### Macros ###
> > # define common values, so they can be referenced and changed easily.
> > ext_if="dc0" # replace with actual external interface name i.e., dc0
> > int_if="dc1"
> > loop_if="lo0"
> >
> > ### Tables ###
> > table persist { 127.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }
> > table persist { 192.168.32.0/24, 10.0.241.0/24 }
> > table persist
> >
> > ### Normalization ###
> > # reassemble fragments and resolve or reduce traffic ambiguities.
> > scrub all random-id
> >
> > ### Default Filtering ###
> > block in log all
> > block out log all
> >
> > # Lets make certain localhost and the private network is unrestricted
> > set skip on $loop_if
> > set skip on $int_if
> >
> > # Now lets start hammering anything obvious
> > block drop in quick on $ext_if from to any
> > block drop out quick on $ext_if from any to
> > block in quick on $ext_if inet proto tcp from to any port 22 label "ssh bruteforce"
> > antispoof for $ext_if
> >
> > # Lets pass ssh, time and dns, we always need those. Also connections from the office and monitoring
> > pass in quick on $ext_if inet proto tcp from any to $ext_if port 22 keep state
> > pass out quick on $ext_if inet proto udp from $ext_if to any port 53 keep state
> > pass out quick on $ext_if inet proto udp from $ext_if to any port 123 keep state
> > pass in quick on $ext_if inet proto { tcp, udp, icmp } from to $ext_if keep state
> >
> > ### Server Specific rules ###
> > # We gotta support those FTP users, that's why we are here and not a kiosk in a mall
> > pass in quick on $ext_if inet proto tcp from any to $ext_if port 21 keep state
> > pass in quick on $ext_if inet proto tcp from any to $ext_if port 65000:65500 keep state
> > # Yep, Cisco phones still using tftp, we do not understand what internet they use at Cisco.
> > pass in quick on $ext_if inet proto udp from any to $ext_if port 69
> > # We use www to serve config files as well
> > pass in quick on $ext_if inet proto tcp from any to $ext_if port 80 keep state
> >
> > I would think the line allowing tcp,udp,icmp would allow snmp to work
> > from the monitoring server, but snmp is certainly not behaving. Here is
> > the relevant pflog entry.
> >
> > 480683 rule 0/0(match): block in on dc0: 10.0.241.28.39107 > 10.0.241.41.161: C=SECRET GetNextRequest(21) .0.1[|snmp]
> >
> > Thanks for any help.
> >
> > DAve
> >
>
> --
> "Posterity, you will know how much it cost the present generation to
> preserve your freedom. I hope you will make good use of it. If you
> do not, I shall repent in heaven that ever I took half the pains to
> preserve it." John Adams
>
> http://appleseedinfo.org
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
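Peter's last suggestion in the thread (put `log` on the pass rules and watch where the SNMP UDP packets are passed or dropped) produces pflog lines of the kind DAve quoted, read with `tcpdump -n -e -ttt -i pflog0` or from /var/log/pflog. The following is an added example, not code from either poster or from pf itself: a small Python parser that groups such lines by the rule number that matched (the `@N` index `pfctl -vvsr` prints, so rule 0 is the first rule loaded, which in DAve's ruleset is `block in log all`) and lists the blocked packets to a given port. The sample lines are constructed; only the first mirrors the entry quoted above, and rule number 6 is a placeholder, not an index from the poster's ruleset. Because tcpdump prints SNMPv1/v2c community strings in the clear (`C=...`, as the quoted log shows), the parser redacts them before anything is summarised or pasted elsewhere.

```python
"""Summarise pf log lines to see which rule passed or blocked a flow.

Added example for this thread (not code from the posters or from pf).
Reads the text that `tcpdump -n -e -ttt -i pflog0` prints and groups
packets by the pf rule number that matched them.  That number is the
"@N" index shown by `pfctl -vvsr`, so rule 0 is the first loaded rule.
"""
import re
from collections import Counter
from typing import List, NamedTuple, Optional


class PflogEntry(NamedTuple):
    rule: int          # pf rule number that matched (pfctl -vvsr "@N")
    reason: str        # e.g. "match"
    action: str        # "pass" or "block"
    direction: str     # "in" or "out"
    ifname: str        # interface the packet was seen on
    src: str
    sport: int
    dst: str
    dport: int
    payload: str       # tcpdump's decode of the rest of the packet


# tcpdump pflog decode of a TCP/UDP packet, for example:
#   480683 rule 0/0(match): block in on dc0: 10.0.241.28.39107 > 10.0.241.41.161: ...
# The leading timestamp (from -ttt) is optional.  ICMP lines carry no
# ports and are deliberately left unparsed here.
PFLOG_RE = re.compile(
    r"^\s*(?:[\d:.]+\s+)?rule\s+(?P<rule>\d+)/\d+\((?P<reason>[^)]*)\):\s+"
    r"(?P<action>pass|block)\s+(?P<direction>in|out)\s+on\s+(?P<ifname>\w+):\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s*(?P<payload>.*)$"
)

# SNMPv1/v2c community strings travel in cleartext and tcpdump prints
# them as "C=<community>"; strip them before the log leaves the box.
COMMUNITY_RE = re.compile(r"C=\S+")


def redact_community(payload: str) -> str:
    """Replace any SNMP community string in a tcpdump decode with a marker."""
    return COMMUNITY_RE.sub("C=[redacted]", payload)


def parse_pflog_line(line: str) -> Optional[PflogEntry]:
    """Parse one tcpdump pflog line; return None for lines without ports."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    return PflogEntry(
        rule=int(m["rule"]),
        reason=m["reason"],
        action=m["action"],
        direction=m["direction"],
        ifname=m["ifname"],
        src=m["src"],
        sport=int(m["sport"]),
        dst=m["dst"],
        dport=int(m["dport"]),
        payload=redact_community(m["payload"]),
    )


def summarize(lines: List[str]) -> Counter:
    """Count packets per (rule, action, direction, interface, dst port).

    A flow that shows up under rule 0 (here the default "block in log all")
    never matched any pass rule at all, so the pass rule is the thing to
    inspect, not the daemon.
    """
    counts: Counter = Counter()
    for line in lines:
        e = parse_pflog_line(line)
        if e is not None:
            counts[(e.rule, e.action, e.direction, e.ifname, e.dport)] += 1
    return counts


def blocked_to_port(lines: List[str], port: int) -> List[PflogEntry]:
    """Return the blocked packets addressed to the given destination port."""
    return [
        e for e in map(parse_pflog_line, lines)
        if e is not None and e.action == "block" and e.dport == port
    ]


# Constructed sample.  The first line mirrors the entry quoted in the
# thread; the rest are made up, and rule number 6 is a placeholder.
SAMPLE_LINES = [
    "480683 rule 0/0(match): block in on dc0: 10.0.241.28.39107 > "
    "10.0.241.41.161: C=SECRET GetNextRequest(21) .0.1[|snmp]",
    "000241 rule 0/0(match): block in on dc0: 10.0.241.28.39107 > "
    "10.0.241.41.161: C=SECRET GetNextRequest(22) .0.2[|snmp]",
    "000019 rule 6/0(match): pass in on dc0: 10.0.241.28.50112 > "
    "10.0.241.41.22: S 1:1(0) win 65535",
    "000007 rule 6/0(match): pass in on dc0: 10.0.241.28 > 10.0.241.41: icmp: echo request",
]


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LINES).items()):
        rule, action, direction, ifname, dport = key
        print(f"rule @{rule}: {action} {direction} on {ifname} -> port {dport}: {n} packet(s)")
    for e in blocked_to_port(SAMPLE_LINES, 161):
        print(f"blocked SNMP: {e.src}:{e.sport} -> {e.dst}:{e.dport}  {e.payload}")
```

Run against a real capture with `tcpdump -n -e -ttt -r /var/log/pflog | python3 thisfile.py` after swapping `SAMPLE_LINES` for `sys.stdin`; once the pass rules carry `log`, a packet to port 161 listed under a pass rule but followed by a block on the reply direction points at state handling, while one still under rule 0 means no pass rule matched it at all.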