From: FreeBSD bugmaster
To: pf@FreeBSD.org
Date: Mon, 1 Nov 2004 11:03:47 GMT
Subject: Current problem reports assigned to you
Message-Id: <200411011103.iA1B3l2P095888@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2004/10/08]  kern/72444  pf    PF can't properly detect interface after

1 problem total.

Non-critical problems


Date: Tue, 2 Nov 2004 14:53:16 +0100
From: Cédric Jonas
To: freebsd-pf
Subject: NAT Loopback
Message-ID: <938471846.20041102145316@virtual-globe.net>

Hi freebsd-pf,

For 5 days I have been trying to install PF on my server, to replace my old hardware router... Until now everything was OK, better than the old router - BUT what I miss is the NAT Loopback functionality (so that IP packets which come from the LAN and are destined to my WAN IP effectively leave the WAN interface and come back through the WAN interface => the packet is subjected to the filter rulesets for incoming packets on my WAN interface = NAT Loopback).

I found this in the OpenBSD PF FAQ: http://www.openbsd.org/faq/pf/rdr.html#rdrnat, but it isn't what I am looking for, because the packets don't leave and re-enter the WAN interface.

So I tried the following: I blocked incoming Telnet connections on my WAN interface and started a telnet to my WAN IP from a host on my LAN; the telnet was successful... so that isn't what I want. After a tcpdump on my two interfaces, WAN and LAN (fxp0 and tun0 on the FreeBSD router), I noted that the server already accepts the telnet connection at fxp0, so I can see an incoming packet to my WAN IP, but nothing more, because it is already accepted there. Why? After some research, I found out that the TCP/IP stack on the router compares the destination address with its own interfaces and aliases - if one matches, it accepts the connection.

Next test: with the same ruleset, I started a telnet to my WAN IP from the router itself; here the connection was blocked, and thanks to tcpdump I see that the IP packet leaves tun0, comes back - and is successfully blocked (the packet had the WAN IP as source AND destination address).

So, in conclusion, I tried a nat rule on fxp0, the LAN interface:

nat on fxp0 inet from fxp0:network to (tun0) -> (tun0)

so that an incoming connection on this interface, out of the LAN, gets the WAN IP as source address... but once more, telnet from the LAN was successful, the packet doesn't leave tun0 and was already accepted on fxp0.

I don't know if it's really possible to realize NAT Loopback with PF; if yes, do you have experience with it? Or is it possible to force FreeBSD/PF to only accept connections whose destination address is the IP address of the interface where the packet comes in (so that a comparison with every interface IP does not take place)?

In summary, this is what I want:

000509 rule 2/0(match): pass out on tun0: IP 83.134.149.196.63347 > 83.134.149.196.23: S 1094509118:1094509118(0) win 65535
000249 rule 0/0(match): block in on tun0: IP 83.134.149.196.63347 > 83.134.149.196.23: S 1094509118:1094509118(0) win 65535

That's from a tcpdump after a telnet connection to my WAN IP from the router... but in the case of a telnet from a LAN host to the WAN IP, the only thing I was able to log was:

555257 rule 5/0(match): pass in on fxp0: IP 192.168.0.99.1547 > 83.134.149.196.23: S 377131760:377131760(0) win 16384

... and the connection was accepted here - I wish to have the same "effect" here as above... a NAT Loopback.

I hope that someone will be able to help me here (and that I described it understandably); it's my last possibility, I think.

Sorry for my bad English, but I do what I can ;-)

-- 
Best regards,
Cédric Jonas
E-mail: cedric@virtual-globe.net
From: Max Laier
To: ed@il.fontys.nl, mlaier@FreeBSD.org, pf@FreeBSD.org
Date: Wed, 3 Nov 2004 17:24:52 GMT
Subject: Re: kern/72444: PF can't properly detect interface after 'ifconfig XXX name YYY'
Message-Id: <200411031724.iA3HOqps026430@freefall.freebsd.org>

Synopsis: PF can't properly detect interface after 'ifconfig XXX name YYY'

State-Changed-From-To: analyzed->patched
State-Changed-By: mlaier
State-Changed-When: Wed Nov 3 17:22:01 GMT 2004
State-Changed-Why:
Patch committed to HEAD. Please check if it works for you. The patch from
above should apply to RELENG_5(_3) without problems.

Thanks for the report, sorry that the fix didn't make 5.3

http://www.freebsd.org/cgi/query-pr.cgi?pr=72444
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Wed, 3 Nov 2004 18:45:59 +0100
Subject: Re: rdr to another machine and back
Message-Id: <200411031846.06586.max@love2party.net>
In-Reply-To: <20041027135721.C553C68004@gunfright.epcdirect.co.uk>

Hi Lawrence,

On Wednesday 27 October 2004 15:57, Lawrence Farr wrote:
> I'm trying to work out how to get a gateway machine
> to send all http requests to a separate machine and
> get them back, network looks like this:

[ hmm ... ASCII art killed by mail reader ]

Setup understood.

> So the router has 3 interfaces, one to the outside
> world, one externally available network and one
> internal. The proxy has 2 interfaces one to internal
> and one externally available. I can redirect port 80
> to a proxy on the router without any issue, but want
> to send them to the separate proxy machine. Has anyone
> done this, or does anyone know of a howto?

Well, it would be helpful to see tcpdumps from the proxy on the NIC connected
with the gateway. Also if you ask questions like this, please try to include
significant details about your ruleset. It's always helpful to check if the
rules that you tried are matched at all (pfctl -vsr or -vsn in your case).

Other than that, I don't know of a howto for this specific problem, the
pf.conf(5) manpage has some examples that redirect incoming SSH traffic to a
different host, though. It should be possible to take it from there. Make
sure that the proxy knows how to get back (i.e. has a route to the client -
remember "rdr" will not translate the source address!)

> Many thanks

[ Sorry for the delay, EuroBSDCon has been demanding - and a lot of FUN! ]

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
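The following pf.conf fragment is an added example for the setup Lawrence describes; it is not part of Max's reply, of Lawrence's ruleset, or of the pf.conf(5) examples. It uses pf syntax of the OpenBSD 3.5 / FreeBSD 5.3 era, and the interface names, addresses and the proxy port (3128) are assumptions. It puts the proxy's address on the "externally available" network rather than on the internal one, so that the redirected connection and its reply both traverse the router and the state created by the rdr can un-translate the reply.

```conf
# Added example (not from the thread): redirecting LAN web traffic to a
# proxy on a separate machine. Interface names, addresses and the proxy
# port are assumptions.
ext_if     = "fxp0"            # to the outside world
dmz_if     = "fxp1"            # the "externally available" network
int_if     = "fxp2"            # internal network
lan_net    = "192.168.1.0/24"
proxy      = "10.0.0.10"       # the proxy's address on the dmz network
proxy_port = "3128"

# 1. Destination rewrite. Only the destination changes: the packet still
#    carries the client's 192.168.1.x source address, so the proxy needs a
#    route to $lan_net via the router's $dmz_if address for its replies.
#    If the proxy instead answered over a direct leg on the internal
#    network, the reply would bypass the router, never be un-translated,
#    and the client would reject a packet from $proxy:3128 it never sent to.
rdr on $int_if inet proto tcp from $lan_net to any port 80 \
    -> $proxy port $proxy_port

# 2. Filter rules run after translation and therefore see the proxy as the
#    destination. The state created here carries the reply back through the
#    router, where it is un-translated to look like it came from the web
#    server the client asked for.
pass in  on $int_if inet proto tcp from $lan_net to $proxy port $proxy_port \
    keep state
pass out on $dmz_if inet proto tcp from $lan_net to $proxy port $proxy_port \
    keep state

# Checks with pfctl(8): "pfctl -vsn" lists the translation rules with
# packet counters, "pfctl -vsr" the filter rules, "pfctl -ss" the current
# states. An rdr counter that stays at zero means the traffic never
# reached the rule (wrong interface, wrong direction or a rule above it).
```

The proxy's own upstream fetches enter on $dmz_if and leave through the usual outbound NAT on $ext_if; no rdr applies to that interface, so they cannot be looped back into the proxy.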
From: Max Laier
To: freebsd-pf@freebsd.org, Cédric Jonas
Date: Wed, 3 Nov 2004 19:21:46 +0100
Subject: Re: NAT Loopback
Message-Id: <200411031921.53192.max@love2party.net>
In-Reply-To: <938471846.20041102145316@virtual-globe.net>

[ Sorry for the delay, EuroBSDCon has been demanding - and a lot of FUN! ]

Hi Cédric,

On Tuesday 02 November 2004 14:53, Cédric Jonas wrote:
> For 5 days I have been trying to install PF on my server, to replace my old
> hardware router... Until now everything was OK, better than the old
> router - BUT what I miss is the NAT Loopback functionality (so
> that IP packets which come from the LAN and are destined to my WAN
> IP effectively leave the WAN interface and come back through the
> WAN interface => the packet is subjected to the filter rulesets for
> incoming packets on my WAN interface = NAT Loopback)
> I found this in the OpenBSD PF FAQ:
> http://www.openbsd.org/faq/pf/rdr.html#rdrnat, but it isn't what I
> am looking for, because the packets don't leave and re-enter the WAN
> interface.

You can try to add a rule in the form of:

pass in on $internal_if route-to ($external_if $external_ip) \
    from any to $external_ip

This will loopback all traffic hitting the internal interface destined to
the external IP via the external interface. Be aware of the overhead of this
approach. Depending on your setup it might be easier to replicate the desired
restrictions for the internal interface.

> I hope that someone will be able to help me here (and that I described
> it understandably); it's my last
> possibility, I think.

It's always helpful to post your ruleset, so that we can tell you where to put
new rules or to explain which rules do cause the problem you are seeing.
Don't be too afraid to post your rulesets - fortunately *BSD and the default
services it provides are a whole lot more secure than seen elsewhere ;)

> Sorry for my bad English, but I do what I can ;-)

Oh c'mon - I've seen worse and that includes me sometime.

-- 
Max Laier

Date: Wed, 3 Nov 2004 23:39:50 +0100
From: Cédric Jonas
To: Cédric Jonas, freebsd-pf
Subject: Re: NAT Loopback
Message-ID: <1152216131.20041103233950@virtual-globe.net>
In-Reply-To: <938471846.20041102145316@virtual-globe.net>

Hello Cédric Jonas,

On Tuesday 2 November 2004 at 14:53:16, you wrote:

Cédric Jonas> Hi freebsd-pf,
Cédric Jonas> For 5 days I have been trying to install PF on my
Cédric Jonas> server, to replace my old hardware router... Until now
Cédric Jonas> everything was OK, better than the old router - BUT what
Cédric Jonas> I miss is the NAT Loopback functionality (so that IP
Cédric Jonas> packets which come from the LAN and are destined to my
Cédric Jonas> WAN IP effectively leave the WAN interface and come back
Cédric Jonas> through the WAN interface => the packet is subjected to
Cédric Jonas> the filter rulesets for incoming packets on my WAN
Cédric Jonas> interface = NAT Loopback)
Cédric Jonas> Sorry for my bad English, but I do what I can ;-)

The solution is:

pass in on $internal_if route-to ($external_if $external_ip) \
    from any to $external_ip keep state

Thx to Max Laier for the excellent help ;)

-- 
Best regards,
Cédric Jonas
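The pf.conf fragment below is an added example that puts Max's two suggestions (replicating the WAN restriction on the internal interface, or looping the packet out through the WAN interface with route-to) next to the rule Cédric confirmed working; it is not part of either message or of Cédric's actual ruleset. Interface names and the WAN address are the ones from the thread; the LAN prefix, the choice of port 23, the "proto tcp" restriction and the narrowing of "from any" to the LAN prefix are assumptions of this example.

```conf
# Added example (not from the thread): making LAN connections to the
# router's own WAN address obey the WAN ingress policy. fxp0/tun0 and the
# WAN address are from the thread; $lan_net and port 23 are assumptions.
int_if  = "fxp0"              # LAN
ext_if  = "tun0"              # WAN, a point-to-point link in the thread
ext_ip  = "83.134.149.196"
lan_net = "192.168.0.0/24"

# WAN ingress policy: no telnet to the router from the outside.
block in log on $ext_if inet proto tcp from any to $ext_ip port 23

# Why this alone does not stop a LAN host: its packet enters on $int_if,
# the stack recognises $ext_ip as one of its own addresses and delivers
# it locally. Only "in on $int_if" rules ever see it; the "in on $ext_if"
# rule above never does. A "nat on $int_if" rule does not help either:
# nat translates packets leaving $int_if, and this packet leaves nothing.

# Option A (no extra traffic): repeat the restriction on the LAN side.
# Use this instead of option B, not together with it: pf evaluates
# last-match, so with both present the pass rule below would win.
# block in log on $int_if inet proto tcp from $lan_net to $ext_ip port 23

# Option B (the thread's solution): route-to sends the packet out of
# $ext_if toward $ext_ip instead of delivering it locally; the peer on the
# link returns it, it arrives "in on $ext_if" and is now subject to the
# block rule above. Every such connection crosses the WAN link twice,
# which is the overhead Max warns about.
pass in on $int_if route-to ($ext_if $ext_ip) inet proto tcp \
    from $lan_net to $ext_ip keep state

# Checks: "pfctl -vsr" shows per-rule match counters; with "log" on the
# block rule, "tcpdump -n -e -ttt -i pflog0" prints lines in the same
# format as the "block in on tun0" line Cédric quoted.
```

Option B relies on the upstream side of the WAN link routing the packet straight back, which is what Cédric's tcpdump shows for the point-to-point tun0 interface; if the loop fails, the "pass out on tun0" line appears in the pflog output without a matching "in on tun0" line, which is the first thing to look for.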
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Sat, 6 Nov 2004 16:31:46 +0100
Subject: New CARP patchset against RELENG_5_3
Message-Id: <200411061631.52982.max@love2party.net>

Hi,

Søren Vrist was so kind to send me a reject-resolved version of the CARP
patchset, now applying cleanly against RELENG_5_3. It can be found (alongside
the earlier patches) at:

http://people.freebsd.org/~mlaier/CARP/

Now that 5.3 is done I think that I am going to commit this till the end of
2004, provided you guys help with testing and provide me with feedback!

Thanks a lot to Søren for standing up and doing the nasty reject resolve!

-- 
Max Laier

Date: Sat, 06 Nov 2004 16:34:09 +0100
From: Mathieu Arnold
To: Max Laier, freebsd-pf@freebsd.org
Subject: Re: New CARP patchset against RELENG_5_3
Message-ID: <6782EF54B8D58DF4634AF91F@cc-147.int.t-online.fr>
In-Reply-To: <200411061631.52982.max@love2party.net>

+-On 06/11/2004 16:31 +0100, Max Laier wrote:
| Hi,
| 
| Søren Vrist was so kind to send me a reject-resolved version of the CARP
| patchset, now applying cleanly against RELENG_5_3. It can be found
| (alongside the earlier patches) at:
| http://people.freebsd.org/~mlaier/CARP/
| 
| Now that 5.3 is done I think that I am going to commit this till the end of
| 2004, provided you guys help with testing and provide me with feedback!
| 
| Thanks a lot to Søren for standing up and doing the nasty reject resolve!

Yeah, you both rulez :-)))
I'm going to try that as soon as I can :-)

-- 
Mathieu Arnold

Date: Sat, 06 Nov 2004 16:53:40 +0100
From: Mathieu Arnold
To: Max Laier, freebsd-pf@freebsd.org
Subject: Re: New CARP patchset against RELENG_5_3
In-Reply-To: <200411061631.52982.max@love2party.net>

+-On 06/11/2004 16:31 +0100, Max Laier wrote:
| Hi,
| 
| Søren Vrist was so kind to send me a reject-resolved version of the CARP
| patchset, now applying cleanly against RELENG_5_3. It can be found
| (alongside the earlier patches) at:
| http://people.freebsd.org/~mlaier/CARP/
| 
| Now that 5.3 is done I think that I am going to commit this till the end of
| 2004, provided you guys help with testing and provide me with feedback!
| 
| Thanks a lot to Søren for standing up and doing the nasty reject resolve!

Reading this, I see:

diff -u -Nru /usr/src/sys/sys/mbuf.h /mnt/backup/fysio-src/sys/sys/mbuf.h
--- /usr/src/sys/sys/mbuf.h Fri Oct 15 21:45:13 2004
+++ /mnt/backup/fysio-src/sys/sys/mbuf.h Thu Nov 4 14:52:52 2004
@@ -643,6 +643,7 @@
 #define PACKET_TAG_RTSOCKFAM 25 /* rtsock sa family */
 #define PACKET_TAG_PF_TRANSLATE_LOCALHOST 26 /* PF translate localhost */
 #define PACKET_TAG_IPOPTIONS 27 /* Saved IP options */
+#define PACKET_TAG_CARP 27 /* CARP info */
 
 /* Packet tag routines. */
 struct m_tag *m_tag_alloc(u_int32_t, int, int, int);

which seems wrong, but it may only be me.

-- 
Mathieu Arnold
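Review bot: the added `#define PACKET_TAG_CARP 27 /* CARP info */` reuses the value that the unchanged context line directly above it already assigns to `PACKET_TAG_IPOPTIONS`; packet tags are identified by this numeric type (the type argument of m_tag_alloc() and of the tag lookups), so a lookup for one of the two types could return the other's payload. Change it to the next unused value, `#define PACKET_TAG_CARP 28 /* CARP info */`, and check that nothing else in the patchset still carries the old number.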
From: Max Laier
To: Mathieu Arnold
Cc: freebsd-pf@freebsd.org
Date: Sat, 6 Nov 2004 17:25:32 +0100
Subject: Re: New CARP patchset against RELENG_5_3
Message-Id: <200411061725.39373.max@love2party.net>
References: <200411061631.52982.max@love2party.net>

On Saturday 06 November 2004 16:53, Mathieu Arnold wrote:
> +-On 06/11/2004 16:31 +0100, Max Laier wrote:
> | Hi,
> |
> | Søren Vrist was so kind to send me a reject-resolved version of the CARP
> | patchset, now applying cleanly against RELENG_5_3. It can be found
> | (alongside the earlier patches) at:
> | http://people.freebsd.org/~mlaier/CARP/
> |
> | Now that 5.3 is done I think that I am going to commit this till the end
> | of 2004, provided you guys help with testing and provide me with
> | feedback!
> |
> | Thanks a lot to Søren for standing up and doing the nasty reject resolve!
>
> Reading this, I see:
> diff -u -Nru /usr/src/sys/sys/mbuf.h /mnt/backup/fysio-src/sys/sys/mbuf.h
> --- /usr/src/sys/sys/mbuf.h Fri Oct 15 21:45:13 2004
> +++ /mnt/backup/fysio-src/sys/sys/mbuf.h Thu Nov 4 14:52:52 2004
> @@ -643,6 +643,7 @@
> #define PACKET_TAG_RTSOCKFAM 25 /* rtsock sa family */
> #define PACKET_TAG_PF_TRANSLATE_LOCALHOST 26 /* PF translate localhost */
> #define PACKET_TAG_IPOPTIONS 27 /* Saved IP options */
> +#define PACKET_TAG_CARP 27 /* CARP info */
>
> /* Packet tag routines. */
> struct m_tag *m_tag_alloc(u_int32_t, int, int, int);
>
> which seems wrong, but it may only be me.

Ugh ... true ... I just moved it to 28 instead. I hope I didn't break the
patch with my manual editing.

-- 
Max Laier