From owner-freebsd-pf@FreeBSD.ORG Sun Jan 16 16:08:15 2005
From: mzk
To: freebsd-pf@freebsd.org
Date: Sun, 16 Jan 2005 18:11:53 +0200
Message-ID: <2005116181153.945997@mzk>
Subject: Ingress + outgress traffic shape

Hello.

Has anyone done ingress + egress traffic shaping? I am doing altq on $int_if and $ext_if, then pass in from $user to any queue user_up (this queue is on altq $ext_if), then pass out from any to $user queue user_down (this queue is on altq $int_if). As far as I know (not 100% sure), I can shape only `outgoing` traffic, which is why my rules look like this.

With or without keep state, every time only one rule is used (user_up or user_down). The traffic that does not go through the queue goes through the default queue for the interface. I tried with (respectively without, and in combinations) quick, keep state, and removing and swapping the `in` and `out` rule directions.

Second, I want to ask whether I can use only one rule for several computers (like ipfw + dummynet, where 1 pipe is used for every different host in the network and a different queue is created for each flow).

Hope someone can help ;) Thanks in advance!

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 17 08:08:23 2005
From: johnc
To: freebsd-pf@freebsd.org
Date: Mon, 17 Jan 2005 00:08:08 -0800
Message-ID: <41EB7268.7090802@comcast.net>
Subject: Looking for docs on installing pf with FreeBSD 5.2.1

Hi,

I'm running FreeBSD 5.2.1, and can't seem to find any comprehensive docs on getting pf
running on it. I've followed what's in the handbook, but the kernel config file doesn't recognize the device statements for pf. I really would like to avoid upgrading the system to 5.3+, if possible.

Any pointers?

-John

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 17 08:21:55 2005
From: Claudiu Dragalina-Paraipan
Reply-To: Claudiu Dragalina-Paraipan
To: johnc
Cc: freebsd-pf@freebsd.org
Date: Mon, 17 Jan 2005 10:21:53 +0200
In-Reply-To: <41EB7268.7090802@comcast.net>
References: <41EB7268.7090802@comcast.net>
Subject: Re: Looking for docs on installing pf with FreeBSD 5.2.1

Hi,

there is a port: /usr/ports/security/pf. Installing PF from there is pretty straightforward. I use it on several FreeBSD 5.2.1 machines.

cheers,

On Mon, 17 Jan 2005 00:08:08 -0800, johnc wrote:
> Hi,
>
> I'm running FreeBSD 5.2.1, and can't seem to find any comprehensive docs
> on getting pf running on it. I've followed what's in the handbook, but
> the kernel config file doesn't recognize the device statements for pf.
> I really would like to avoid upgrading the system to 5.3+, if possible.
>
> Any pointers?
>
> -John
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

--
Claudiu Dragalina-Paraipan
e-mail: dr.clau@gmail.com

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 17 18:23:22 2005
From: pf-r@solarflux.org
To: freebsd-pf@freebsd.org
Date: Mon, 17 Jan 2005 13:23:18 -0500
Message-ID: <1105986198.41ec0296e22ae@mail.fluidhosting.com>
References: <41EB7268.7090802@comcast.net>
Subject: Re: Looking for docs on installing pf with FreeBSD 5.2.1
> > I'm running FreeBSD 5.2.1, and can't seem to find any comprehensive docs
> > on getting pf running on it. I've followed what's in the handbook, but
> > the kernel config file doesn't recognize the device statements for pf.
> > I really would like to avoid upgrading the system to 5.3+, if possible.
> >
> > Any pointers?

The best and easiest way to have the most secure system and recent pf code is to cvsup your FreeBSD 5.2.1 system to a patched 5.3-RELEASE, IMO. Not sure if -STABLE or -CURRENT would offer newer pf code, but if this is a production box, neither -STABLE nor -CURRENT are recommended anyway.

There are plenty of comprehensive docs on updating (via cvsup) your 5.2.1 system to the latest security branch (RELENG_5_3). Then you'll have pf as a loadable kernel module already in the system. I believe the pf-enabling instructions in the handbook are for 5.3.

Quick and dirty cvsup steps (see Appendix A.5 in the handbook):

Create a supfile referencing RELENG_5_3
Cvsup
Make buildworld
Add appropriate pf* lines in kernel config (copy of GENERIC)
Make buildkernel
Make installkernel
Reboot to single user mode (optional)
Make installworld
Mergemaster
Exit to multiuser (only if you are in single user mode)
Play with PF

I've built PF and ALTQ the manual way (on 5.0/5.1) and longed for the day when I could just cvsup my system and be done with it.

> there is a port: /usr/ports/security/pf.
> Installing PF from there is pretty straightforward.
> I use it on several FreeBSD 5.2.1 machines.

The ports version is based on OpenBSD 3.4 code, so it's fairly dated. Not saying it's bad, but it doesn't have many of the newer features that the recent/latest code provides.
HTH

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 17 20:37:42 2005
From: johnc
To: freebsd-pf@freebsd.org
Date: Mon, 17 Jan 2005 12:37:41 -0800
Message-ID: <41EC2215.7080303@comcast.net>
In-Reply-To: <1105986198.41ec0296e22ae@mail.fluidhosting.com>
References: <41EB7268.7090802@comcast.net> <1105986198.41ec0296e22ae@mail.fluidhosting.com>
Subject: Re: Looking for docs on installing pf with FreeBSD 5.2.1

Hmm, yeah, given the state of documentation, etc., on 5.2.1 for pf, patching up to 5.3 is probably the way to go. I do run a low-volume web server/NAT gateway at home, and was just hoping to get it up with a minimum of perturbing the core of my system. But if I really want pf, I guess that's inevitable, it seems. Well, time to try my hand at cvsup :)

Thanks,

-John

pf-r@solarflux.org wrote:

>>>I'm running FreeBSD 5.2.1, and can't seem to find any comprehensive docs
>>>on getting pf running on it.
>>>I've followed what's in the handbook, but
>>>the kernel config file doesn't recognize the device statements for pf.
>>>I really would like to avoid upgrading the system to 5.3+, if possible.
>>>
>>>Any pointers?
>>>
>
>The best and easiest way to have the most secure system and recent pf code is to
>cvsup your FreeBSD 5.2.1 system to a patched 5.3-RELEASE, IMO. Not sure if
>-STABLE or -CURRENT would offer newer pf code, but if this is a production box,
>neither -STABLE nor -CURRENT are recommended anyway.
>
>There are plenty of comprehensive docs on updating (via cvsup) your 5.2.1 system
>to the latest security branch (RELENG_5_3). Then you'll have pf as a loadable
>kernel module already in the system. I believe the pf-enabling instructions in
>the handbook are for 5.3.
>
>Quick and dirty cvsup steps (see Appendix A.5 in the handbook):
>
>Create a supfile referencing RELENG_5_3
>Cvsup
>Make buildworld
>Add appropriate pf* lines in kernel config (copy of GENERIC)
>Make buildkernel
>Make installkernel
>Reboot to single user mode (optional)
>Make installworld
>Mergemaster
>Exit to multiuser (only if you are in single user mode)
>Play with PF
>
>I've built PF and ALTQ the manual way (on 5.0/5.1) and longed for the day when I
>could just cvsup my system and be done with it.
>
>>there is a port: /usr/ports/security/pf.
>>Installing PF from there is pretty straightforward.
>>I use it on several FreeBSD 5.2.1 machines.
>
>The ports version is based on OpenBSD 3.4 code, so it's fairly dated. Not
>saying it's bad, but it doesn't have many of the newer features that the
>recent/latest code provides.
>
>HTH

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 18 00:49:37 2005
From: stheg olloydson
To: johnc909@comcast.net
Cc: freebsd-pf@freebsd.org
Date: Mon, 17 Jan 2005 16:49:36 -0800 (PST)
Message-ID: <20050118004936.10292.qmail@web53904.mail.yahoo.com>
Subject: Re: Looking for docs on installing pf with FreeBSD 5.2.1

it was said:

>Hi,
>I'm running FreeBSD 5.2.1, and can't seem to find any comprehensive docs
>on getting pf running on it.
>I've followed what's in the handbook, but
>the kernel config file doesn't recognize the device statements for pf.
>I really would like to avoid upgrading the system to 5.3+, if possible.
>
>Any pointers?
>
>-John

Hello,

In today's FBSD Stat Report, Max Laier said, in part:

>FreeBSD 5.3 is the first release to include PF. It went out okay, but
> some bugs were discovered too late to make it on the CD. It is
> recommended to update `src/sys/contrib/pf' to RELENG_5. The specific
> issues addressed are:
> * Possible NULL-deref with user/group rules.
> * Crash with binat on dynamic interfaces.
> * Silent dropping of IPv6 packets with option headers.
> * Endless loops with `static-port' rules.

Because everything seems to be fine with my ruleset on 5.3p2, I won't be moving to -STABLE, but I won't reformat my (currently mothballed) former OBSD firewall box for a while longer.

HTH,

stheg

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 18 09:29:11 2005
From: Eric Masson
To: Max Laier
Cc: Mailing List FreeBSD Network, Mailing List FreeBSD PF
Date: Tue, 18 Jan 2005 10:29:00 +0100
Message-ID: <86r7kj3x2b.fsf@srvbsdnanssv.interne.kisoft-services.com>
In-Reply-To: <200501172327.13677.max@love2party.net> (Max Laier's message of "Mon, 17 Jan 2005 23:27:03 +0100")
References: <86k6qcynus.fsf@srvbsdnanssv.interne.kisoft-services.com> <200501172327.13677.max@love2party.net>
Subject: Re: pf & clonable devices

>>>>> "Max" == Max Laier writes:

Hi Max,

Max> Just guessing, but I assume you forgot to use round brackets
Max> around your NAT and from/to addresses.
Max> It should look like the
Max> following:

Don't think so, but maybe I'm wrong:

# macros
int_if = "xl0"
ext_if = "ppp0"
tun_if = "ppp1"
tcp_services = "{ 22 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)

# filter rules
block in log all
block out log all

pass in quick on lo0 all
pass out quick on lo0 all

pass in quick on $int_if all
pass out quick on $int_if all

pass in quick on $tun_if all
pass out quick on $tun_if all

block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

Max> If you have it this way, you should send more details about your
Max> ruleset, maybe to the freebsd-pf mailinglist.

I've just subscribed to this list, so follow up there.

Éric Masson

--
So, once and for all: at 00:00:01 on 1 January 2000 we will already have started on 2001, a year that will be entirely over at 00:00:00 on 1 January 2001.
-+- JCM in GNU: always a year ahead of the competition -+-

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 18 12:31:53 2005
From: Eric Masson
To: Mailing List FreeBSD PF
Date: Tue, 18 Jan 2005 13:31:44 +0100
Message-ID: <86ekgi9avj.fsf@srvbsdnanssv.interne.kisoft-services.com>
In-Reply-To: <86r7kj3x2b.fsf@srvbsdnanssv.interne.kisoft-services.com> (Eric Masson's message of "Tue, 18 Jan 2005 10:29:00 +0100")
References: <86k6qcynus.fsf@srvbsdnanssv.interne.kisoft-services.com> <200501172327.13677.max@love2party.net> <86r7kj3x2b.fsf@srvbsdnanssv.interne.kisoft-services.com>
Subject: Re: pf & clonable devices
>>>>> "Eric" == Eric Masson writes:

Followup to myself.

A refinement in the problem description:
Traffic from the host where pf runs flows fine, but I need to issue a
pfctl -F all -f /etc/pf.conf
to make traffic from/to hosts on the network flow.

Regards

Éric Masson

--
> Sorry.
Shut up.
-+- LC in : Guide du Neuneu Usenet - Neuneu exasperates the dinosaur -+-

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 18 12:50:32 2005
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Tue, 18 Jan 2005 13:50:13 +0100
Message-Id: <200501181350.21488.max@love2party.net>
In-Reply-To: <86ekgi9avj.fsf@srvbsdnanssv.interne.kisoft-services.com>
References: <86k6qcynus.fsf@srvbsdnanssv.interne.kisoft-services.com> <86r7kj3x2b.fsf@srvbsdnanssv.interne.kisoft-services.com> <86ekgi9avj.fsf@srvbsdnanssv.interne.kisoft-services.com>
Subject: Re: pf & clonable devices

On Tuesday 18 January 2005 13:31, Eric Masson wrote:
> >>>>> "Eric" == Eric Masson writes:
>
> Followup to myself.
>
> A refinement in the problem description :
> Traffic from the host where pf runs flows fine, but I need to issue a
> pfctl -F all -f /etc/pf.conf to make traffic from/to hosts on the
> network flow.

Okay, that hints that the NAT-rule is to blame. Can you check the output of "$pfctl -vvsn" after a reconnect, but before issuing a ruleset reload? This looks a bit like PR kern/69954, in which case you might want to try to write your nat-rule as:

nat on $ext_if from $int_if:network to any -> ($ext_if:0)

Please let me know if that helps and - if not - send in the output of -vvsn.

Thanks.
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 18 15:01:00 2005
From: Eric Masson
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Tue, 18 Jan 2005 16:00:47 +0100
Message-ID: <86pt026au8.fsf@srvbsdnanssv.interne.kisoft-services.com>
In-Reply-To: <200501181350.21488.max@love2party.net> (Max Laier's message of "Tue, 18 Jan 2005 13:50:13 +0100")
References: <86k6qcynus.fsf@srvbsdnanssv.interne.kisoft-services.com> <86r7kj3x2b.fsf@srvbsdnanssv.interne.kisoft-services.com> <86ekgi9avj.fsf@srvbsdnanssv.interne.kisoft-services.com> <200501181350.21488.max@love2party.net>
Subject: Re: pf & clonable devices

>>>>> "Max" == Max Laier writes:

Max> Okay, that hints that the NAT-rule is to blame.

Seems to.

Max> Can you check the output of "$pfctl -vvsn" after a reconnect, but
Max> before issuing a ruleset reload? This looks a bit like PR
Max> kern/69954, in which case you might want to try to write your
Max> nat-rule as:

Max> nat on $ext_if from $int_if:network to any -> ($ext_if:0)

Ok, further refinement: on machine boot, pf refuses to load rules because interface ppp0 doesn't exist (thanks to dmesg -a, this box is headless).

Once pppd has started, pfctl -vvsn gives the following results:

No ALTQ support in kernel
ALTQ related functions disabled

Result expected, as no nat rules reference the ppp0 interface, sigh...

After pfctl -F all -f /etc/pf.conf, pfctl -vvsn gives the following results:

No ALTQ support in kernel
ALTQ related functions disabled
@0 nat on ppp0 inet from 192.168.1.0/24 to any -> (ppp0:0)
  [ Evaluations: 209       Packets: 236       Bytes: 149822      States: 3     ]

After that, shutdown of the pppd processes, removal of the pppX interfaces and startup of the pppd processes, then traffic flows fine and is correctly nat'ed.

So, your fix seems to be fine :)

The next question concerns PF support for clonable interfaces that do not exist at pf startup.
Is this a feature that could be added, or do I need to mess with anchors in ip-up/ip-down scripts?

Éric

--
Why don't French Internet users mobilise and group together into a company or association so they can have toll-free numbers? We would only need to rent the telephone lines from FT, and we would pay nothing but a subscription.
-+- BT in : Guide du Neuneu Usenet - Neuneu goes green -+-

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 18 15:54:41 2005
From: Eric Masson
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Tue, 18 Jan 2005 16:54:32 +0100
Message-ID: <86brbmu407.fsf@srvbsdnanssv.interne.kisoft-services.com>
In-Reply-To: <86pt026au8.fsf@srvbsdnanssv.interne.kisoft-services.com> (Eric Masson's message of "Tue, 18 Jan 2005 16:00:47 +0100")
References: <86k6qcynus.fsf@srvbsdnanssv.interne.kisoft-services.com> <86r7kj3x2b.fsf@srvbsdnanssv.interne.kisoft-services.com> <86ekgi9avj.fsf@srvbsdnanssv.interne.kisoft-services.com> <200501181350.21488.max@love2party.net> <86pt026au8.fsf@srvbsdnanssv.interne.kisoft-services.com>
Subject: Re: pf & clonable devices

>>>>> "Eric" == Eric Masson writes:

Followup to myself once more.

Eric> The next question concerns PF support for clonable interfaces
Eric> that do not exist at pf startup. Is this a feature that could be
Eric> added or do I need to mess with anchors in ip-up/ip-down scripts
Eric> ?

Ok, it seems there's no absolute need to mess with anchors, as the faulty startup rule is the following:

set loginterface $ext_if

If this line is removed from pf.conf, startup initialization works fine. I can live with missing statistics :/

Thanks for your help.

If you need help testing patches in this area...

Regards

Éric

--
I remind you that it is frequented by an average age lower than the average.
C'est facile de mettre des lois abscons, qui n'évoluent pas à la vitesse du net, et de dire "eh ben vous n'aviez qu'à lire" -+- DP in : - Si ya plus moyen de moyenner -+- From owner-freebsd-pf@FreeBSD.ORG Tue Jan 18 20:12:24 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6EE2D16A4CE for ; Tue, 18 Jan 2005 20:12:24 +0000 (GMT) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.173]) by mx1.FreeBSD.org (Postfix) with ESMTP id D375343D48 for ; Tue, 18 Jan 2005 20:12:23 +0000 (GMT) (envelope-from max@love2party.net) Received: from [212.227.126.208] (helo=mrelayng.kundenserver.de) by moutng.kundenserver.de with esmtp (Exim 3.35 #1) id 1CqziA-0007IO-00; Tue, 18 Jan 2005 21:12:22 +0100 Received: from [217.227.152.169] (helo=donor.laier.local) by mrelayng.kundenserver.de with asmtp (TLSv1:RC4-MD5:128) (Exim 3.35 #1) id 1Cqzi9-0001hh-00; Tue, 18 Jan 2005 21:12:22 +0100 From: Max Laier To: Eric Masson Date: Tue, 18 Jan 2005 21:12:11 +0100 User-Agent: KMail/1.7.2 References: <86k6qcynus.fsf@srvbsdnanssv.interne.kisoft-services.com> <86pt026au8.fsf@srvbsdnanssv.interne.kisoft-services.com> <86brbmu407.fsf@srvbsdnanssv.interne.kisoft-services.com> In-Reply-To: <86brbmu407.fsf@srvbsdnanssv.interne.kisoft-services.com> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1340012.nyuWAlLC9D"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200501182112.19452.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de auth:61c499deaeeba3ba5be80f48ecc83056 cc: freebsd-pf@freebsd.org Subject: Re: pf & clonable devices X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: 
Tue, 18 Jan 2005 20:12:24 -0000 --nextPart1340012.nyuWAlLC9D Content-Type: text/plain; charset="iso-8859-15" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Tuesday 18 January 2005 16:54, Eric Masson wrote: > >>>>> "Eric" =3D=3D Eric Masson writes: > > Followup to myself once more. > > Eric> The next question concerns PF support for clonable interfaces > Eric> that do not exist at pf startup. Is this a feature that could be > Eric> added or do I need to mess with anchors in ip-up/ip-down scripts > Eric> ? > > Ok, seems there's no absolute need to mess with anchors as the faulty > startup rule is the following : > set loginterface $ext_if Hum, I have to look at that. Can you send in a PR, please. I won't have a= =20 chance to get to it right now. > If this line is removed from pf.conf, startup initialization works fine. > I can live with missing statistics :/ You don't have to. Try $pfctl -vvsI -i ppp0 > Thanks for your help. > > If you need help testing patches in this area... 
> > Regards > > =C9ric =2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart1340012.nyuWAlLC9D Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) iD8DBQBB7W2jXyyEoT62BG0RAu3KAJ9UQ6lzNtaCc+2WOPi+YdzxBDbiAgCfZl3v OkupIb717rOzhLS0Wh0oQUA= =NK7V -----END PGP SIGNATURE----- --nextPart1340012.nyuWAlLC9D-- From owner-freebsd-pf@FreeBSD.ORG Wed Jan 19 15:16:47 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1041216A4CE for ; Wed, 19 Jan 2005 15:16:47 +0000 (GMT) Received: from mallaury.noc.nerim.net (smtp-103-wednesday.noc.nerim.net [62.4.17.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id 949F943D39 for ; Wed, 19 Jan 2005 15:16:46 +0000 (GMT) (envelope-from e-masson@kisoft-services.com) Received: from srvbsdnanssv.interne.kisoft-services.com (kisoft.net1.nerim.net [62.212.107.51]) by mallaury.noc.nerim.net (Postfix) with ESMTP id 2714562D52; Wed, 19 Jan 2005 16:16:43 +0100 (CET) Received: from localhost (localhost [127.0.0.1])DE9E3C165; Wed, 19 Jan 2005 16:16:41 +0100 (CET) Received: from srvbsdnanssv.interne.kisoft-services.com ([127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 08231-06; Wed, 19 Jan 2005 16:16:33 +0100 (CET) Received: by srvbsdnanssv.interne.kisoft-services.com (Postfix, from userid 1001) id 738A6C1AE; Wed, 19 Jan 2005 16:16:33 +0100 (CET) To: Max Laier From: Eric Masson In-Reply-To: <200501182112.19452.max@love2party.net> (Max Laier's message of "Tue, 18 Jan 2005 21:12:11 +0100") References: <86k6qcynus.fsf@srvbsdnanssv.interne.kisoft-services.com> <86pt026au8.fsf@srvbsdnanssv.interne.kisoft-services.com> <86brbmu407.fsf@srvbsdnanssv.interne.kisoft-services.com> <200501182112.19452.max@love2party.net> X-Operating-System: FreeBSD 5.3-STABLE i386 
Date: Wed, 19 Jan 2005 16:16:33 +0100 Message-ID: <86brbl30vi.fsf@srvbsdnanssv.interne.kisoft-services.com> User-Agent: Gnus/5.1006 (Gnus v5.10.6) XEmacs/21.4 (Security Through Obscurity, berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-15 Content-Transfer-Encoding: 8bit X-Virus-Scanned: amavisd-new at interne.kisoft-services.com cc: freebsd-pf@freebsd.org Subject: Re: pf & clonable devices X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Jan 2005 15:16:47 -0000 >>>>> "Max" == Max Laier writes: Max> Hum, I have to look at that. Can you send in a PR, please. I won't Max> have a chance to get to it right now. http://www.freebsd.org/cgi/query-pr.cgi?pr=76464 Max> You don't have to. Try $pfctl -vvsI -i ppp0 Ok, great :) Regards Éric -- Je propose que chacun de nous expose le problème (et dénoncent les fufeurs, cf liste des votants, ceux qui ont voté NNO sont les fufeurs) à son FAI. -+- Rocou In GNU - Comment tu écris Kommandantur ? 
-+- From owner-freebsd-pf@FreeBSD.ORG Fri Jan 21 14:52:47 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1727016A4CE for ; Fri, 21 Jan 2005 14:52:47 +0000 (GMT) Received: from smtp.freemail.gr (smtp.freemail.gr [213.239.180.35]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5D43743D39 for ; Fri, 21 Jan 2005 14:52:46 +0000 (GMT) (envelope-from dionch@freemail.gr) Received: by smtp.freemail.gr (Postfix, from userid 101) id A6D50BC024; Fri, 21 Jan 2005 16:52:42 +0200 (EET) Received: from R3B (vdp3061.ath03.dsl.hol.gr [62.38.162.62])by smtp.freemail.gr (Postfix) with ESMTP id 63BB7BC023for ; Fri, 21 Jan 2005 16:52:41 +0200 (EET) Message-ID: <001401c4ffc8$c15965a0$0100000a@R3B> From: "Chris Dionissopoulos" To: Date: Fri, 21 Jan 2005 16:51:54 +0200 MIME-Version: 1.0 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 Content-Type: text/plain;charset="iso-8859-7" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.1 Subject: PF+Bridge. A solution with ng_bridge. X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Chris Dionissopoulos List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Jan 2005 14:52:47 -0000 Hi list, Reading these issues(*1) for pf enabled bridge, I found an=20 pf+bridge (aka transparent firewall) solution which seems=20 to works. Its based on netgraph bridge module (ng_bridge). 
Just try these steps , and send me a feedback: 1/ Load kernel modules: # kldload pf.ko # kldload ng_ether.ko # kldload ng_eiface.ko # kldload ng_bridge.ko 2/ Clean ipmask definitions from interfaces : # ifconfig $lan delete # ifconfig $wan delete 3/ Make a bridge with $wan,$lan interfaces:=20 (change $lan,$wan to comply your hardware) # ngctl mkpeer $lan: bridge lower link0 # ngctl name $lan:lower br0 # ngctl connect $lan: br0 upper link1 # ngctl connect $wan: br0 lower link2 # ngctl connect $wan: br0 upper link3 4/ Enable your rules: vi /etc/pf.conf: ~~~~~~~~~~ pass in on rl0 all pass out on rl0 all pass in on rl1 all pass out on rl1 all **Of course you can be more restrictive here with or without states. # pfctl -evf /etc/pf.rules Cheers, Chris. (*1): http://lists.freebsd.org/pipermail/freebsd-pf/2005-January/000734.html http://lists.freebsd.org/pipermail/freebsd-pf/2005-January/000744.html ____________________________________________________________________ http://www.freemail.gr - äùñåÜí õðçñåóßá çëåêôñïíéêïý ôá÷õäñïìåßïõ. http://www.freemail.gr - free email service for the Greek-speaking. 
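The four steps of Chris's post gathered into one POSIX sh script, as an added example that is not the poster's own script. The interface names rl0/rl1, the DRY_RUN switch, the file path and the default-deny ruleset with its service list are assumptions; the ngctl wiring is exactly the post's, and the two ng_ether(4) control messages (setpromisc, setautosrc) are taken from that manual page, not from the post. With no argument the script only prints what it would do, which is how it should be read first on a box with real interfaces.

```shell
#!/bin/sh
# Transparent pf firewall on ng_bridge(4), scripted from steps 1-4 of the post.
# Added example, not the poster's script. DRY_RUN=1 (the default) prints the
# commands instead of executing them; "apply" runs them and loads the ruleset.
DRY_RUN="${DRY_RUN:-1}"
LAN="${LAN:-rl0}"                  # assumption: rl0 faces the inside
WAN="${WAN:-rl1}"                  # assumption: rl1 faces the outside
PF_CONF="${PF_CONF:-/etc/pf.conf}" # assumption: ruleset path

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Steps 1-3: load the modules, drop the IP configuration, and wire each
# interface's lower (wire) and upper (host stack) hook into one bridge node br0.
bridge_setup() {
    lan="$1"; wan="$2"
    for m in pf ng_ether ng_eiface ng_bridge; do
        run kldload "$m.ko"
    done
    run ifconfig "$lan" delete
    run ifconfig "$wan" delete
    run ngctl mkpeer "$lan:" bridge lower link0
    run ngctl name "$lan:lower" br0
    run ngctl connect "$lan:" br0 upper link1
    run ngctl connect "$wan:" br0 lower link2
    run ngctl connect "$wan:" br0 upper link3
    # Not in the post, from ng_ether(4): bridged interfaces must be promiscuous
    # and must not rewrite the source MAC, or frames for other hosts never
    # reach br0.
    for i in "$lan" "$wan"; do
        run ngctl msg "$i:" setpromisc 1
        run ngctl msg "$i:" setautosrc 0
        run ifconfig "$i" up
    done
}

# Step 4: a default-deny, stateful ruleset in place of the post's pass-all
# rules. Replies are matched by state, only the listed services are reachable
# from the WAN side, and every block is logged to pflog0 for review.
write_ruleset() {
    lan="$1"; wan="$2"
    cat <<EOF
lan_if = "$lan"
wan_if = "$wan"
block log all
pass out on \$wan_if inet proto { tcp udp icmp } from any to any keep state
pass in on \$wan_if inet proto tcp from any to any port { 22 80 443 } flags S/SA keep state
pass on \$lan_if all keep state
EOF
}

if [ "${1:-}" = apply ]; then
    DRY_RUN=0
    bridge_setup "$LAN" "$WAN"
    write_ruleset "$LAN" "$WAN" > "$PF_CONF"
    pfctl -evf "$PF_CONF"   # enable pf and load the ruleset, as in the post
else
    bridge_setup "$LAN" "$WAN"
    write_ruleset "$LAN" "$WAN"
fi
```

The port list in `write_ruleset` is only a placeholder for whatever the bridged segment actually publishes; the point is that the post's `pass ... all` rules become `block log all` plus explicit stateful passes, so anything unexpected shows up in pflog instead of being silently forwarded.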
From owner-freebsd-pf@FreeBSD.ORG Sat Jan 22 06:25:49 2005
From: "dave"
To: freebsd-pf@freebsd.org
Date: Sat, 22 Jan 2005 01:24:31 -0500
Message-ID: <006e01c5004b$08924cc0$7844d118@satellite>
Subject: external connections give error 619

Hello,
I've got a FreeBSD vpn server with mpd going behind a pf firewall/nat
setup. All works when internal machines connect, yet whenever I try to
connect from an external address that is outside my network I get an error
619 "The specified port is not connected." Googling shows that I should
pass both tcp port 1723 and gre traffic, this I do. My vpn box is
192.168.1.3, server logs show the verification of the username/password and
the attempt to establish the connection, but then it fails, just goes down.
Any ideas?
Thanks.
Dave.
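A ruleset for the setup dave describes (an mpd PPTP server at 192.168.1.3 behind a pf NAT box), as an added example that is not part of the thread. The interface names, the nat rule and the check/watch helpers are assumptions; 192.168.1.3 and the two protocols (tcp/1723 and gre) come from the post, and the tcpdump invocation is the one from pflog(4)'s EXAMPLES section. The ruleset is printed for review by default; "check" parses it with pfctl -n before anything is loaded.

```shell
#!/bin/sh
# pf rules for a PPTP server behind a pf NAT box. Added example, not from the
# thread. PPTP has two halves: the control channel on tcp/1723 and the PPP
# session carried in GRE (IP protocol 47). Both must be redirected to the
# inside server and passed, or the control channel authenticates and the
# tunnel then fails to come up.
EXT_IF="${EXT_IF:-rl0}"            # assumption: outside interface
INT_IF="${INT_IF:-rl1}"            # assumption: inside interface
VPN_SRV="${VPN_SRV:-192.168.1.3}"  # the vpn box from the post

pptp_ruleset() {
    ext="$1"; int="$2"; vpn="$3"
    cat <<EOF
ext_if = "$ext"
int_if = "$int"
vpn_srv = "$vpn"

# assumption: ordinary outbound NAT for the inside network
nat on \$ext_if from \$int_if:network to any -> (\$ext_if)

# rdr runs before filtering, so the pass rules below match the translated
# destination (\$vpn_srv), not the external address.
rdr on \$ext_if proto tcp from any to (\$ext_if) port 1723 -> \$vpn_srv
rdr on \$ext_if proto gre from any to (\$ext_if) -> \$vpn_srv

# log every block so pflog0 shows what is still missing
block log all

pass in on \$ext_if proto tcp from any to \$vpn_srv port 1723 flags S/SA keep state
pass in on \$ext_if proto gre from any to \$vpn_srv keep state
pass out on \$int_if proto { tcp gre } from any to \$vpn_srv keep state
pass in on \$int_if all keep state
pass out on \$ext_if all keep state
EOF
}

# Parse-check the ruleset without loading it (pfctl -n reads from "-" = stdin).
check_ruleset() {
    pptp_ruleset "$EXT_IF" "$INT_IF" "$VPN_SRV" | pfctl -nf -
}

# Watch blocked packets live; needs the "log" keyword on the block rule above
# (tcpdump command from pflog(4) EXAMPLES).
watch_blocked() {
    tcpdump -n -e -ttt -i pflog0
}

case "${1:-}" in
    check) check_ruleset ;;
    watch) watch_blocked ;;
    *)     pptp_ruleset "$EXT_IF" "$INT_IF" "$VPN_SRV" ;;
esac
```

If a client still fails after both redirects are in place, the pflog output is the first thing to look at: a blocked GRE packet from the client's address means the rdr or pass rule for gre is not matching, a missing one means the server side (mpd behind NAT) is where to look next.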
From owner-freebsd-pf@FreeBSD.ORG Sat Jan 22 15:38:17 2005
From: Nick Buraglio
To: freebsd-pf@freebsd.org
Date: Sat, 22 Jan 2005 09:38:06 -0600
Message-Id: <9C9381CC-6C8B-11D9-A44C-000D93B6DEE8@buraglio.com>
Subject: qtype not configured

I'm trying to get pf/altq working under freebsd 5.3-stable having some
issues. I have compiled the kernel with:

options ALTQ
device pf
device pflog
device pfsync

and using a rulebase that I have been using for a long time with
openbsd. I'm pretty familiar with pf, having used it since its
inception under openbsd, but I've never seen this error (I'm brand new
to running it on freebsd).

while trying to apply the rulebase I get:
pfctl: qtype not configured

Am I missing something simple? Any help appreciated.

nb

From owner-freebsd-pf@FreeBSD.ORG Sat Jan 22 17:57:33 2005
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Sat, 22 Jan 2005 18:57:16 +0100
Message-Id: <200501221857.24657.max@love2party.net>
In-Reply-To: <9C9381CC-6C8B-11D9-A44C-000D93B6DEE8@buraglio.com>
Subject: Re: qtype not configured

On Saturday 22 January 2005 16:38, Nick Buraglio wrote:
> I'm trying to get pf/altq working under freebsd 5.3-stable having some
> issues. I have compiled the kernel with:
>
> options ALTQ
> device pf
> device pflog
> device pfsync
>
> and using a rulebase that I have been using for a long time with
> openbsd. I'm pretty familiar with pf, having used it since its
> inception under openbsd, but I've never seen this error (I'm brand new
> to running it on freebsd).
>
> while trying to apply the rulebase I get:
> pfctl: qtype not configured
>
> Am I missing something simple? Any help appreciated.

From src/conf/NOTES:

| # altq(9). Enable the base part of the hooks with the ALTQ option.
| # Individual disciplines must be built into the base system and can not be
      ^-------------------------------------------------------^
| # loaded as modules at this point. In order to build a SMP kernel you must
| # also have the ALTQ_NOPCC option.
| options   ALTQ
| options   ALTQ_CBQ    # Class Bases Queueing
| options   ALTQ_RED    # Random Early Drop
| options   ALTQ_RIO    # RED In/Out
| options   ALTQ_HFSC   # Hierarchical Packet Scheduler
| options   ALTQ_CDNR   # Traffic conditioner
| options   ALTQ_PRIQ   # Priority Queueing
| options   ALTQ_NOPCC  # Required for SMP build

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sat Jan 22 17:57:43 2005
From: Jay
To: freebsd-pf@freebsd.org
Date: Sat, 22 Jan 2005 12:00:25 -0600
Message-ID: <20050122180025.GC64096@mail.meangrape.com>
Subject: [jay@meangrape.com: Re: qtype not configured]

Oops. Should've sent this to the list as well.

----- Forwarded message from Jay -----

Subject: Re: qtype not configured
To: Nick Buraglio

On Sat, Jan 22, 2005 at 09:38:06AM -0600, Nick Buraglio wrote:
> I'm trying to get pf/altq working under freebsd 5.3-stable having some
> issues. I have compiled the kernel with:
>
> options ALTQ
> device pf
> device pflog
> device pfsync

Additional kernel options configure which types of queue ALTQ can handle.

options   ALTQ_CBQ    # Class Bases Queueing
options   ALTQ_RED    # Random Early Drop
options   ALTQ_RIO    # RED In/Out
options   ALTQ_HFSC   # Hierarchical Packet Scheduler
options   ALTQ_CDNR   # Traffic conditioner
options   ALTQ_PRIQ   # Priority Queueing
options   ALTQ_NOPCC  # Required for SMP build
options   ALTQ_DEBUG

Check out the man pages; pick the ones you want, or just throw them all in.

--
Jay.

----- End forwarded message -----

--
Jay.

From owner-freebsd-pf@FreeBSD.ORG Sat Jan 22 19:34:36 2005
From: Max Laier
To: freebsd-pf@freebsd.org, dave
Date: Sat, 22 Jan 2005 20:34:23 +0100
Message-Id: <200501222034.32014.max@love2party.net>
In-Reply-To: <006e01c5004b$08924cc0$7844d118@satellite>
Subject: Re: external connections give error 619

On Saturday 22 January 2005 07:24, dave wrote:
> Hello,
> I've got a FreeBSD vpn server with mpd going behind a pf firewall/nat
> setup. All works when internal machines connect, yet whenever I try to
> connect from an external address that is outside my network I get an error
> 619 "The specified port is not connected." Googling shows that I should
> pass both tcp port 1723 and gre traffic, this I do. My vpn box is
> 192.168.1.3, server logs show the verification of the username/password and
> the attempt to establish the connection, but then it fails, just goes down.
> Any ideas?

Not without a bit more detail about your setup. For instance, how do external
clients talk to the vpn server on its private IP? Do you use rdr for this?
Is the vpn server aware that it sits behind a NAT firewall?

Also make sure that you log blocked traffic. See pflog(4)::EXAMPLES for
details on how to watch blocked traffic. This is the easiest way to ensure
that you really pass everything that is required. If nothing suspicious
turns up there, you can try to raise the debug level of pf by issuing:
"$pfctl -x misc". Watch your console log for BAD state messages. If
anything pops up there, please let us know.

In any case, if you are stuck please reply with more details such as a
detailed setup description and pf.conf.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sat Jan 22 19:44:34 2005
From: Scott Ullrich
To: freebsd-pf@freebsd.org
Date: Sat, 22 Jan 2005 14:43:41 -0500
Subject: IP Packet Length / ALTQ

Hello list!

I am in the process of porting m0n0wall's (http://m0n0.ch) Magic Shaper
to pfSense (pf/altq) and most of everything works great except I cannot
find any options in pf's rule matching syntax that support IP Packet
Lengths (dummynet).

Is this option available in the rule syntax or do I need to do
something radical such as using tables?

Thanks in advance!

From owner-freebsd-pf@FreeBSD.ORG Sat Jan 22 19:47:50 2005
From: Nick Buraglio
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Sat, 22 Jan 2005 13:47:38 -0600
Message-Id: <788CF2C6-6CAE-11D9-B222-000D93B6DEE8@buraglio.com>
In-Reply-To: <200501221857.24657.max@love2party.net>
Subject: Re: qtype not configured

Thanks, I found that RIGHT after posting (I know, I should have RTFM).
Kernel just finished building, time to reboot and away we go!
Thanks for the quick follow up!

nb

On Jan 22, 2005, at 11:57 AM, Max Laier wrote:
> On Saturday 22 January 2005 16:38, Nick Buraglio wrote:
>> I'm trying to get pf/altq working under freebsd 5.3-stable having some
>> issues. I have compiled the kernel with:
>>
>> options ALTQ
>> device pf
>> device pflog
>> device pfsync
>>
>> and using a rulebase that I have been using for a long time with
>> openbsd. I'm pretty familiar with pf, having used it since its
>> inception under openbsd, but I've never seen this error (I'm brand new
>> to running it on freebsd).
>>
>> while trying to apply the rulebase I get:
>> pfctl: qtype not configured
>>
>> Am I missing something simple? Any help appreciated.
>
> From src/conf/NOTES:
>
> | # altq(9). Enable the base part of the hooks with the ALTQ option.
> | # Individual disciplines must be built into the base system and can not be
>       ^-------------------------------------------------------^
> | # loaded as modules at this point. In order to build a SMP kernel you must
> | # also have the ALTQ_NOPCC option.
> | options   ALTQ
> | options   ALTQ_CBQ    # Class Bases Queueing
> | options   ALTQ_RED    # Random Early Drop
> | options   ALTQ_RIO    # RED In/Out
> | options   ALTQ_HFSC   # Hierarchical Packet Scheduler
> | options   ALTQ_CDNR   # Traffic conditioner
> | options   ALTQ_PRIQ   # Priority Queueing
> | options   ALTQ_NOPCC  # Required for SMP build
>
> --
> /"\  Best regards,                      | mlaier@freebsd.org
> \ /  Max Laier                          | ICQ #67774661
>  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
> / \  ASCII Ribbon Campaign              | Against HTML Mail and News
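For the "qtype not configured" thread above (a kernel built with only "options ALTQ", and the NOTES excerpt Max and Jay quote), here is an added example, not from the thread, that catches the mismatch before the kernel is rebuilt: a POSIX sh check that reads the ALTQ_* options out of a kernel config and the scheduler keyword out of every "altq on ..." line in a pf.conf, and reports each scheduler whose discipline is not compiled in. The cbq/priq/hfsc to ALTQ_CBQ/ALTQ_PRIQ/ALTQ_HFSC mapping follows the option list in the quoted NOTES; the two sample files in demo() are constructed to reproduce Nick's situation.

```shell
#!/bin/sh
# Cross-check the ALTQ schedulers a pf.conf uses against the ALTQ_* options
# in a kernel config file. Added example, not from the thread.
# Usage: altqcheck.sh KERNCONF PF.CONF ; with no arguments, run the demo.

# pf.conf scheduler keyword -> kernel option that implements it (from NOTES).
altq_option_for() {
    case "$1" in
        cbq)  echo ALTQ_CBQ ;;
        priq) echo ALTQ_PRIQ ;;
        hfsc) echo ALTQ_HFSC ;;
        *)    echo "unknown scheduler keyword: $1" >&2; return 1 ;;
    esac
}

# Print every ALTQ* option enabled in a kernel config (comments stripped).
kernconf_altq_options() {
    sed 's/#.*//' "$1" | awk '$1 == "options" && $2 ~ /^ALTQ/ { print $2 }'
}

# Print the scheduler keyword of each "altq on <if> <sched> ..." line.
pfconf_schedulers() {
    sed 's/#.*//' "$1" | awk '$1 == "altq" && $2 == "on" { print $4 }' | sort -u
}

# Report what is missing; exit status 1 if the ruleset would fail to load.
check_altq() {
    kernconf="$1"; pfconf="$2"; missing=0
    enabled=$(kernconf_altq_options "$kernconf")
    if ! printf '%s\n' "$enabled" | grep -qx ALTQ; then
        echo "$kernconf does not enable 'options ALTQ' at all"
        missing=1
    fi
    for sched in $(pfconf_schedulers "$pfconf"); do
        opt=$(altq_option_for "$sched") || { missing=1; continue; }
        if ! printf '%s\n' "$enabled" | grep -qx "$opt"; then
            echo "pf.conf uses '$sched' but $kernconf lacks 'options $opt'"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed inputs: the kernel from the original post (ALTQ only, no
# discipline) and a ruleset that asks for cbq. Expected: one missing option.
demo() {
    kc=$(mktemp -t altqcheck.XXXXXX); pc=$(mktemp -t altqcheck.XXXXXX)
    cat > "$kc" <<'EOF'
options ALTQ
device  pf
device  pflog
device  pfsync
EOF
    cat > "$pc" <<'EOF'
ext_if = "rl0"
altq on $ext_if cbq bandwidth 2Mb queue { std, ssh }
queue std bandwidth 90% cbq(default)
queue ssh bandwidth 10% priority 7
EOF
    rc=0
    check_altq "$kc" "$pc" || rc=$?
    rm -f "$kc" "$pc"
    return "$rc"
}

if [ "$#" -eq 2 ]; then
    check_altq "$1" "$2"
else
    demo || echo "(demo exit status $?: add the option, rebuild, reboot)"
fi
```

The check only knows the three schedulers pf.conf can name on an altq line, so an unknown keyword is reported rather than silently accepted; ALTQ_RED, ALTQ_RIO and ALTQ_CDNR are queue-level features and never the cause of "qtype not configured" on their own.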