From owner-freebsd-pf@FreeBSD.ORG Sun Mar 13 01:08:38 2005
From: Emanuel Strobl
To: pyunyh@gmail.com
Cc: pf@freebsd.org
Date: Sun, 13 Mar 2005 02:08:23 +0100
Subject: Re: pf panic trace
Message-Id: <200503130208.28574@harrymail>
In-Reply-To: <20050312050722.GC60892@kt-is.co.kr>

On Saturday, 12 March 2005 06:07, Pyun YongHyeon wrote:
> On Fri, Mar 11, 2005 at 05:12:31PM +0100, Emanuel Strobl wrote:
[...]
> Hmm, Max and I had seen these kinds of traces when pf porting
> was in progress. But now I believe we fixed all possible
> cases.
>
> I can't be sure, but your trace indicates there is a bug in
> ip_fragment(). If a packet already has the IP_MF flag set in the IP header,
> we would get an invalid ip_off in the fragmented packet.
> And it seems that there is another bug in pf. Since ip_fragment()
> can change the passed mbuf, we should not use a saved copy of it.
> Untested patch for CURRENT attached.

Thank you very much for your work. Unfortunately the box went into production
(authoritative nameserver, multihomed router) last week, so I can't do much
testing: when nobody is in the office I can't reset the box, and if someone
is there I can't take it down :(

If the patch compiles on RELENG_5 I'll test it on Monday evening.

Thank you,

-Harry

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 16 01:23:04 2005
From: iceblaze
To: freebsd-pf@freebsd.org
Date: Tue, 15 Mar 2005 17:23:02 -0800
Subject: PF + FTP issues: syntax errors
Message-ID: <162584805031517236040bd7f@mail.gmail.com>

Hello all,

I am currently setting up a firewall and having a couple of issues with
syntax. I've been following openbsd.org's manual, specifically the part on
setting up FTP behind a firewall and NAT, and here is what is posted:

ftp_server = "10.0.3.21"
rdr on $ext_if proto tcp from any to any port 21 -> $ftp_server \
    port 21
rdr on $ext_if proto tcp from any to any port 49152:65535 -> \
    $ftp_server port 49152:65535
# in on $ext_if
pass in quick on $ext_if proto tcp from any to $ftp_server \
    port 21 keep state
pass in quick on $ext_if proto tcp from any to $ftp_server \
    port > 49151 keep state
# out on $int_if
pass out quick on $int_if proto tcp from any to $ftp_server \
    port 21 keep state
pass out quick on $int_if proto tcp from any to $ftp_server \
    port > 49151 keep state

For some reason I continue to get syntax errors with this setup. Anybody
have any ideas? I have tried taking the white space out after the \, tried
removing the > and \ completely, etc.

Thanks

--
Open source is only free if your time is worth nothing.
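The two things the reply below asks about, macros that are referenced but never defined and DOS line endings, are both invisible in pfctl's one-line "syntax error" and easy to check for before loading a file. The script here is an added example written for this archive, not code from the thread or from pf: it joins the backslash continuations used in the posted rules, skips comments, treats pf's own label variables ($srcaddr and friends) as built-ins, and reports each undefined $macro with the line on which the rule starts. The embedded ruleset is a constructed copy of the one posted above with one CRLF deliberately inserted, and the interface names fxp0/fxp1 in the repaired copy are assumed.

```python
import re

# pf's own label-expansion variables (pf.conf(5)); they are not user macros.
LABEL_VARS = {"if", "nr", "proto", "srcaddr", "dstaddr", "srcport", "dstport"}
MACRO_DEF_RE = re.compile(r"^\s*(\w+)\s*=\s*")
MACRO_USE_RE = re.compile(r"\$(\w+)")


def lint_pf_conf(text):
    """Return [(line_no, message)] for undefined macros and CRLF line endings.

    Backslash continuations are joined first, so a finding on a continued
    rule points at the line where that rule starts.
    """
    findings, defined = [], set()
    pending = None  # (start_line_no, text so far) of an unfinished continuation
    for no, raw in enumerate(text.split("\n"), 1):
        if raw.endswith("\r"):
            findings.append((no, "CRLF line ending (file saved with DOS line endings?)"))
            raw = raw[:-1]
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if pending:
            start_no, line = pending[0], pending[1] + " " + line.strip()
        else:
            start_no = no
        if line.endswith("\\"):
            pending = (start_no, line[:-1].rstrip())
            continue
        pending = None
        if not line.strip():
            continue
        m = MACRO_DEF_RE.match(line)
        if m:
            defined.add(m.group(1))
            line = line[m.end():]  # a macro's value may use earlier macros
        for name in MACRO_USE_RE.findall(line):
            if name not in defined and name not in LABEL_VARS:
                findings.append((start_no, f"macro ${name} used but never defined"))
    if pending:
        findings.append((pending[0], "file ends inside a '\\' continuation"))
    return findings


def undefined_macros(text):
    """Just the names of macros that are used but never defined."""
    return sorted({msg.split()[1] for _, msg in lint_pf_conf(text) if msg.startswith("macro ")})


# Constructed copy of the rules from the post above, with one line given a
# DOS line ending on purpose.
POSTED = (
    'ftp_server = "10.0.3.21"\n'
    "rdr on $ext_if proto tcp from any to any port 21 -> $ftp_server \\\n"
    "    port 21\n"
    "rdr on $ext_if proto tcp from any to any port 49152:65535 -> \\\n"
    "    $ftp_server port 49152:65535\n"
    "# in on $ext_if\n"
    "pass in quick on $ext_if proto tcp from any to $ftp_server \\\n"
    "    port 21 keep state\r\n"
    "pass in quick on $ext_if proto tcp from any to $ftp_server \\\n"
    "    port > 49151 keep state\n"
    "# out on $int_if\n"
    "pass out quick on $int_if proto tcp from any to $ftp_server \\\n"
    "    port 21 keep state\n"
    "pass out quick on $int_if proto tcp from any to $ftp_server \\\n"
    "    port > 49151 keep state\n"
)
# The same rules with the two interface macros defined (names assumed) and
# the line ending repaired.
FIXED = 'ext_if="fxp0"\nint_if="fxp1"\n' + POSTED.replace("\r\n", "\n")


if __name__ == "__main__":
    for no, msg in lint_pf_conf(POSTED):
        print(f"line {no}: {msg}")
    print("fixed copy:", lint_pf_conf(FIXED) or "no findings")
```

pfctl -nf remains the authoritative parse; the script only names the two causes that a bare syntax error line does not.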
From owner-freebsd-pf@FreeBSD.ORG Wed Mar 16 01:37:27 2005
From: Dimitry Andric
To: iceblaze
Cc: freebsd-pf@freebsd.org
Date: Wed, 16 Mar 2005 02:37:10 +0100
Subject: Re: PF + FTP issues: syntax errors
Message-ID: <871652254.20050316023710@andric.com>
In-Reply-To: <162584805031517236040bd7f@mail.gmail.com>

On 2005-03-16 at 02:23:02 iceblaze wrote:

> ftp_server = "10.0.3.21"
> rdr on $ext_if proto tcp from any to any port 21 -> $ftp_server \
>     port 21
> rdr on $ext_if proto tcp from any to any port 49152:65535 -> \
>     $ftp_server port 49152:65535
> # in on $ext_if
> pass in quick on $ext_if proto tcp from any to $ftp_server \
>     port 21 keep state
> pass in quick on $ext_if proto tcp from any to $ftp_server \
>     port > 49151 keep state
> # out on $int_if
> pass out quick on $int_if proto tcp from any to $ftp_server \
>     port 21 keep state
> pass out quick on $int_if proto tcp from any to $ftp_server \
>     port > 49151 keep state
>
> for some reason i continue to get syntax errors with this setup,
> anybody have any ideas? i have tried taking the white space out after
> the \, tried removing the > and \ completely, etc.

Probably because you didn't specify the ext_if and int_if macros? If I
add these at the top of your example, it parses without problems here
(5.4-PRERELEASE as of Sun Mar 13 01:23:46 CET 2005).

Another problem could be DOS line endings, but you didn't post your
config file verbatim, so we can't verify that. :)

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 17 10:07:12 2005
From: "Constant, Benjamin"
To: freebsd-pf@freebsd.org
Date: Thu, 17 Mar 2005 11:03:58 +0100
Subject: Interrogation regarding pf + ALTQ

Hello list,

I'm performing some tests with pf & ALTQ here but before going further
on, there are some obscure points I would like to clear up in my mind,
that's why I hope some gurus available on this list will give me some
more information.

Here is how I understand the assignation to queues when the bsd_box is
acting as a gateway with two network interfaces:

..........int_if(in) ext_if(ou)------------
[station_a]          [bsd_box]          [station_b]
----------int_if(ou) ext_if(in)............

Dotted lines represent incoming traffic that can't be assigned to the
queues defined on the interface (you can't shape incoming traffic).
Dashed lines represent outgoing traffic that can be shaped through the
queues defined on the interface (outgoing traffic).

You are already welcome to correct me if I missed something on this point!

Some more details:

bsd_box is not acting as a firewall, it is only doing routing and
traffic shaping.
int_if is the internal interface connected to a 100Mbits switch with a
bandwidth of 100Mbits.
ext_if is the external interface connected to a 100Mbits switch with a
real bandwidth of 4Mbits (2Mbits up + 2Mbits down leased line) to the
outside world.

Here is what I want to do:

Shape the traffic according to the maximum bandwidth available for
both incoming and outgoing traffic on the leased line.

What I understand:

As I can't shape the traffic coming from station_b to station_a on the
ext_if, the only way for me to rate limit incoming traffic is to
define a queue with a maximum bandwidth of 2Mbits on the int_if, but
what about the outgoing traffic on the external interface? Is it
enough to define a queue with a maximum bandwidth of 2Mbits on the
ext_if?

Some other interrogations:

When a packet is matching a state, is it still at least evaluated for
queueing?
As the bsd_box is not acting as a firewall, should I use a state table
entry for each interface (set state-policy runtime option)? Will it
speed up the lookups in the table? Is there any risk to drop/discard
the packets even if the default behaviour is pass all and the
rule is using the quick keyword?
Are there documents that clearly describe the flow of packets
crossing a bsd box running pf + ALTQ?
Are there other tools than pftop and pfctl to help in debugging pf and
traffic shaping?

You'll find below one of my pf files, for one of my router boxes.

I hope I was clear enough with my explanation and I want to thank you for
the time you may spend on my interrogation.

Best Regards,

Benjamin Constant

PS:

This message was also sent to the pf@bendrezine.cx mailing list as I want
to gather as much information as possible.

Here is a stripped sample of what I did (I know there are differences
compared to my previous explanation), feel free to comment on it if you
see strange things in it:

# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last
# match.

# Macros: define common values, so they can be referenced and changed
# easily.

# Interfaces ######
#
# We have two interfaces, int_if is connected to the local lan and also to
# the firewall which is located on the local lan.
# Interface ext_if is used for vpn traffic and is connected to vpn boxes on
# a different logical network.
#
###################

int_if="em0"
ext_if="em1"

# Servers
proxy="ip"
support="ip"
sla="{ ips }"

# Site bandwidth available
#
#
###################
bwdth="2048Kb"

# Tables: similar to macros, but more flexible for many addresses.
table persist file "/etc/pf.iprange.tiauto"
table persist

# Options: tune the behavior of pf, default values are given.

# Normalization: reassemble fragments and resolve or reduce traffic
# ambiguities.
#scrub log-all on $int_if all
#scrub log-all on $int_if all reassemble tcp
#scrub log-all on $ext_if all
#scrub log-all on $ext_if all reassemble tcp

# Queueing: rule-based bandwidth control.

altq on $ext_if cbq bandwidth $bwdth queue { internet, vpn, sla, dbg }

# Main children queues
#
# We have decided to split the traffic into 3 main queues as follows:
# - Internet queue is dedicated to internet traffic
# - Vpn queue is used for traffic between sites (through vpn).
# - Sla queue is used as a quality of service queue for specific hosts
#   or services.
#
###################

# Internet queue
queue internet bandwidth 512Kb priority 1 cbq { i_default, i_high }
queue i_default priority 5 cbq(borrow)
queue i_high priority 6 cbq(borrow)

# Default and vpn queue
queue vpn bandwidth 1Mb priority 2 cbq(default, borrow) { v_low, v_mon, v_normal, v_high, v_critical, v_default }
queue v_low priority 4 cbq(borrow)
queue v_mon bandwidth 128Kb priority 4 cbq(ecn)
queue v_normal priority 5 cbq(borrow)
queue v_high priority 6 cbq(borrow)
queue v_critical priority 7 cbq(borrow)
queue v_default priority 5 cbq(borrow)

# Sla queue
queue sla bandwidth 512Kb priority 2 cbq(borrow)

# Debugging queue
queue dbg priority 2 { d_in, d_out }
queue d_in priority 5 cbq(borrow)
queue d_out priority 5 cbq(borrow)

# Queue assignation
#
# - 'remote' means ip range <> lan
# - 'local' means lan ip range
#
###################

# drop broadcast packets
block drop in quick on $int_if from any to $int_if:broadcast
block drop in quick on $ext_if from any to $ext_if:broadcast

# traffic FROM remote TO local proxy (replies to local will not cross
# this server, this is not transparent proxy)
pass in quick on $ext_if proto tcp from to $proxy port 8080 flags S/SA keep state queue i_default
pass out quick on $ext_if proto tcp from $proxy port 8080 to keep state queue i_default

# traffic FROM remote TO local $sla server pool
pass in quick on $ext_if proto tcp from to $sla flags S/SA keep state queue sla
pass out quick on $ext_if proto tcp from $sla to keep state queue sla

# traffic FROM remote TO remote $support
pass in quick on $ext_if proto tcp from to $support port 80 flags S/SA keep state queue sla
pass out quick on $ext_if proto tcp from $support port 80 to keep state queue sla
# traffic FROM local TO remote $support
pass in quick on $int_if proto tcp from to $support port 80 flags S/SA keep state queue sla

# traffic FROM remote TO remote OR local http servers
pass in quick on $ext_if proto tcp from to port { 80, 443 } flags S/SA keep state queue v_high
pass out quick on $ext_if proto tcp from port { 80, 443 } to keep state queue v_high
# traffic FROM local TO remote http servers
pass in quick on $int_if proto tcp from to port { 80, 443 } flags S/SA keep state queue v_high

# traffic FROM remote TO remote OR local FOR mail exchange
pass in quick on $ext_if proto tcp from to port { 25, 102 } flags S/SA keep state queue v_normal
pass out quick on $ext_if proto tcp from port { 25, 102 } to keep state queue v_normal
# traffic FROM local TO remote FOR mail exchange
pass in quick on $int_if proto tcp from to port { 25, 102 } flags S/SA keep state queue v_normal

# traffic FROM remote TO remote FOR unmatched traffic
pass in quick on $ext_if from to flags S/SA keep state queue v_default
pass out quick on $ext_if from to keep state queue v_default

# traffic FROM remote TO everywhere FOR unmatched traffic (Internet is
# everywhere)
pass in quick on $ext_if from to any flags S/SA keep state queue i_default
pass out quick on $ext_if from any to keep state queue i_default

# default policies
pass in on $int_if from to any
pass out on $int_if from any to
pass on lo0 all

Benjamin Constant
TI Automotive

The information contained in this transmission may contain privileged and
confidential information. It is intended only for the use of the
person(s) named above.
If you are not the intended recipient, you are hereby notified that any
review, dissemination, distribution or duplication of this communication is
strictly prohibited. If you are not the intended recipient, please contact
the sender by reply email and destroy all copies of the original message.
This communication is from TI Automotive.

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 17 21:33:54 2005
From: Ben Shelton
To: freebsd-pf@freebsd.org
Date: Thu, 17 Mar 2005 13:33:44 -0800
Subject: pf route-to?
Message-ID: <4239F7B8.7020101@shelton.ca>

Hi all,

I've got a little bit of an issue with pf and the route-to statement. We
have 2 ISPs currently and I'd like to get both of the uplinks put on the
FreeBSD box using pf to firewall/route for them. I have a couple of route-to
rules set up but they don't seem to do much. I'm sure I'm just missing some
little detail here or misunderstanding exactly what route-to is doing, but I
can't find any examples.

I've got:

ISP1    ISP2
  |       |
   firewall
      |
 internal net

So the internal net has hosts on both ISP1 and ISP2's subnets and therefore
has traffic to/from both ISPs travelling on it. The firewall is the default
router for both internal subnets (via aliases on the interface). I have the
pf rules:

pass in quick on $inside_int route to ( $ISP1_int $ISP1_router ) inet \
    proto icmp from $ISP1_inside_net to any keep state
pass out quick on $ISP1_int route to ( $ISP1_int $ISP1_router ) inet \
    proto icmp from $ISP1_inside_net to any keep state

It doesn't seem to work. I do a tcpdump on $ISP1_int and don't see any
traffic from a host inside, though I do see the traffic on $inside_int.
Something's not being routed properly. I moved these two rules up pretty far
in the ruleset to make sure they're not being dropped quick by anything
else, but to no avail. There are no antispoof rules here or anything, so
that probably isn't a factor.

Any help is greatly appreciated. I'm down to just banging my head on the box
hoping it works (and it doesn't seem to be helping).

Later,
Ben

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 17 21:57:47 2005
From: Hexren
To: Ben Shelton
Cc: freebsd-pf@freebsd.org
Date: Thu, 17 Mar 2005 22:57:43 +0100
Subject: Re: pf route-to?
Message-ID: <4921720352.20050317225743@hexren.net>
In-Reply-To: <4239F7B8.7020101@shelton.ca>

> Hi all,
> I've got a little bit of an issue with pf and the route-to statement.
> [...]
> So the internal net has hosts on both ISP1 and ISP2's subnets and
> therefore has traffic to/from both ISPs travelling on it. The firewall
> is the default router for both internal subnets (via aliases on the
> interface). I have the pf rules:
> pass in quick on $inside_int route to ( $ISP1_int $ISP1_router ) inet
> proto icmp from $ISP1_inside_net to any keep state
> pass out quick on $ISP1_int route to ( $ISP1_int $ISP1_router ) inet
> proto icmp from $ISP1_inside_net to any keep state
---------------------------------------------

Many things you can do :)

Have you read http://www.openbsd.org/faq/pf/pools.html ?

Then try only the rule

pass in quick on $inside_int route to ( $ISP1_int $ISP1_router ) \
    proto icmp from $ISP1_inside_net to any keep state

Try adding log options to the rules and start listening on pflog0 to see
where your packets are going.

Regards
Hexren

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 18 08:36:27 2005
From: stephen
To: freebsd-pf@freebsd.org
Date: Fri, 18 Mar 2005 10:36:26 +0200
Subject: traffic accounting

Hi all,

Having a little difficulty regarding traffic counting. I have a macro
($soh) with about 30 IPs in it. The first problem I was having was that:

pass out on $ext_if from $soh to any keep state label "$srcaddr:: "

was not passing traffic.
(nat changing source address before reaching filtering rules)

Someone then recommended having the following instead:

pass in on $int_if from $soh to any keep state label "$srcaddr:: "
pass out on $ext_if from any to any keep state label "total:: "

which is now letting traffic out with the pass out rule, but the pass in
rule is not counting traffic... Whenever doing "pfctl -sl" I can see the
"total::" label rising as more bandwidth is used, but all the other labels
for all the private IPs remain on zero.

Could someone possibly help rectify this? (They are also the last rules in
the ruleset, so the "last match wins" is correct.)

Thanks
Stephen

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 18 08:58:31 2005
From: ray@redshift.com
To: "Constant, Benjamin", freebsd-pf@freebsd.org
Date: Fri, 18 Mar 2005 00:58:18 -0800
Subject: Re: Interrogation regarding pf + ALTQ
Message-Id: <3.0.1.32.20050318005818.00a8e2a0@pop.redshift.com>

Hi Benjamin,

This might help in some areas. It's a diagram I drew for myself a few
months back so I could make sure I fully understood the interplay between
ipf and ipnat on a FreeBSD machine which I built for use as a router on my
network. This diagram shows the packet going through the router and across
the two interfaces. It provides a clear picture of the state of the packet
at each junction. I don't know if it will relate 100% to your specific
situation, but perhaps you will find it helpful. Here is the link:

http://www.redshift.com/~ray/network/packet.gif

If you find it helpful, you might want to save a copy, since that link may
not always be static :-)

Based on my testing, as far as I know this information is accurate as far
as when/where the packet is re-written, etc.

Ray

At 11:03 AM 3/17/2005 +0100, Constant, Benjamin wrote:
| Hello list,
|
| I'm performing some tests with pf & ALTQ here but before going further
| on, they are some obscure points I would like to clear up in my mind,
| that's why I hope some gurus available on this list will give me some
| more information.
| [...]
| _______________________________________________
| freebsd-pf@freebsd.org mailing list
| http://lists.freebsd.org/mailman/listinfo/freebsd-pf
| To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
|

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 18 09:28:31 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C8D9B16A4CE for ; Fri, 18 Mar 2005 09:28:31 +0000 (GMT) Received: from smtp.eu.tiauto.com (smtp.eu.tiauto.com [195.127.176.196]) by mx1.FreeBSD.org (Postfix) with ESMTP id C0CEA43D54 for ; Fri, 18 Mar 2005 09:28:30 +0000 (GMT) (envelope-from bconstant@be.tiauto.com) Received: by tiaseudtcdc01.de.eu.tiauto.com with Internet Mail Service (5.5.2657.72) id ; Fri, 18 Mar 2005 10:27:47 +0100 Message-ID: From: "Constant, Benjamin" To: ray@redshift.com, freebsd-pf@freebsd.org Date: Fri, 18 Mar 2005 10:27:41 +0100 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2657.72) Content-Type: text/plain Subject: RE: Interrogation regarding pf + ALTQ X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) X-List-Received-Date: Fri, 18 Mar 2005 09:28:31 -0000

Thank you for the link Ray. Backup done.

Regards,

Benjamin Constant.

> -----Original Message-----
> From: ray@redshift.com [mailto:ray@redshift.com]
> Sent: vendredi 18 mars 2005 9:58
> To: Constant, Benjamin; freebsd-pf@freebsd.org
> Subject: Re: Interrogation regarding pf + ALTQ
>
> Hi Benjamin,
>
> This might help in some areas. It's a diagram I drew for
> myself a few months back so I could make sure I fully
> understood the interplay between ipf and ipnat on a FreeBSD
> machine which I built for use as a router on my network.
> This diagram shows the packet going through the router and
> across the two interfaces. It provides a clear picture of
> the state of the packet at each junction. I don't know if it
> will relate 100% to your specific situation, but perhaps you
> will find it helpful. Here is the link:
>
> http://www.redshift.com/~ray/network/packet.gif
>
> If you find it helpful, you might want to save a copy, since
> that link may not always be static :-)
>
> Based on my testing, as far as I know this information is
> accurate as far as when/where the packet is re-written, etc.
>
> Ray
>
>
> At 11:03 AM 3/17/2005 +0100, Constant, Benjamin wrote:
> [...]

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 18 11:41:08 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3345D16A4CE for ; Fri, 18 Mar 2005 11:41:08 +0000 (GMT) Received: from rproxy.gmail.com (rproxy.gmail.com [64.233.170.192]) by mx1.FreeBSD.org (Postfix) with ESMTP id A78D943D2F for ; Fri, 18 Mar 2005 11:41:07 +0000 (GMT) (envelope-from dinzdale@gmail.com) Received: by rproxy.gmail.com with SMTP id a36so117127rnf for ; Fri, 18 Mar 2005 03:41:07 -0800 (PST) Received: by 10.38.66.45 with SMTP id o45mr2677004rna; Fri, 18 Mar 2005 03:41:07 -0800 (PST) Received: by 10.38.11.55 with HTTP; Fri, 18 Mar 2005 03:41:07 -0800 (PST) Message-ID: Date: Fri, 18 Mar 2005 13:41:07 +0200 From: stephen To: freebsd-pf@freebsd.org In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit References: Subject: Re: traffic accounting X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: stephen List-Id: Technical discussion and general questions about packet filter (pf) X-List-Received-Date: Fri, 18 Mar 2005 11:41:08 -0000

Hi all,

Tried sending this mail earlier, if it came through twice apologies in advance.

Having a little difficulty regarding traffic counting.

I have a macro ($soh) with about 30 IPs in it.. The first problem I was having was that:

pass out on $ext_if from $soh to any keep state label "$srcaddr:: "

was not passing traffic. (nat changing source address before reaching filtering rules)

Someone then recommended having the following instead:

pass in on $int_if from $soh to any keep state label "$srcaddr:: "
pass out on $ext_if from any to any keep state label "total:: "

which is now letting traffic out with the pass out rule, but the pass in rule is not counting traffic... whenever doing "pfctl -sl" I can see the "total::" label rising as more bandwidth is used, but all the other labels for all the private IPs remain on zero.

I did get a step closer earlier this morning... Managed to count traffic from the source addresses 100%, but I couldn't account for the web traffic (which is 80% of the traffic) as I have a rdr rule that redirects all traffic for port 80 via localhost port 3128 to proxy/cache webpages.

Could someone possibly help rectify this?
(they are also the last rules in the ruleset so the "last match wins" is correct)

Thanks
Stephen

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 18 13:03:12 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9891F16A4CE for ; Fri, 18 Mar 2005 13:03:12 +0000 (GMT) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.184]) by mx1.FreeBSD.org (Postfix) with ESMTP id C979143D54 for ; Fri, 18 Mar 2005 13:03:09 +0000 (GMT) (envelope-from max@love2party.net) Received: from [212.227.126.162] (helo=mrelayng.kundenserver.de) by moutng.kundenserver.de with esmtp (Exim 3.35 #1) id 1DCH87-0007xW-00; Fri, 18 Mar 2005 14:03:07 +0100 Received: from [84.128.141.61] (helo=donor.laier.local) by mrelayng.kundenserver.de with asmtp (TLSv1:RC4-MD5:128) (Exim 3.35 #1) id 1DCH87-0000Yb-00; Fri, 18 Mar 2005 14:03:07 +0100 From: Max Laier To: freebsd-pf@freebsd.org, stephen Date: Fri, 18 Mar 2005 14:02:50 +0100 User-Agent: KMail/1.7.2 References: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1437888.oqFITT7Gxe"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200503181403.02521.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de auth:61c499deaeeba3ba5be80f48ecc83056 Subject: Re: traffic accounting X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) X-List-Received-Date: Fri, 18 Mar 2005 13:03:12 -0000

On Friday 18 March 2005 12:41, stephen wrote:
> Hi all,
>
> Tried sending this mail earlier, if it came through twice apologies in
> advance.
It did, but never mind.

> Having a little difficulty regarding traffic counting.
>
> I have a macro ($soh) with about 30 IPs in it.. The first problem I
> was having was that:
> pass out on $ext_if from $soh to any keep state label "$srcaddr:: "
> was not passing traffic. (nat changing source address before reaching
> filtering rules)
>
> Someone then recommended having the following instead:
> pass in on $int_if from $soh to any keep state label "$srcaddr:: "
> pass out on $ext_if from any to any keep state label "total:: "
>
> which is now letting traffic out with the pass out rule, but the pass
> in rule is not counting traffic... whenever doing "pfctl -sl" I can
> see the "total::" label rising as more bandwidth is used, but all the
> other labels for all the private IPs remain on zero.

Generally speaking, I'd think that there is an error in your ruleset that
prevents this rule from being evaluated. Use $pfctl -vsr and check if the
rule(s) match at all. If you are dealing with 10+ IPs I'd also suggest to
look at tables. They are not only quicker (by an order of magnitude) but
also provide per IP counters for traffic that might just give you what you
want. See the FAQ for details on tables.

> I did get a step closer earlier this morning... Managed to count
> traffic from the source addresses 100%, but I couldn't account for the
> web traffic (which is 80% of the traffic) as I have a rdr rule that
> redirects all traffic for port 80 via localhost port 3128 to
> proxy/cache webpages.

In any case the traffic must come in from the local side first (as I think
that you are only dealing with connections initiated from the clients you are
accounting for). This traffic can always be filtered and accounted for.

> Could someone possibly help rectify this?
> (they are also the last rules in the ruleset so the "last match wins"
> is correct)

"quick" might mess you up? Please post your *complete* ruleset when you want
help debugging it. It's only fishing in the dark if you don't give details.
Obfuscate your static IP if you think you have to, but post the complete
thing or people are not able to help.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 18 13:48:58 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 69C7D16A4CE for ; Fri, 18 Mar 2005 13:48:58 +0000 (GMT) Received: from rproxy.gmail.com (rproxy.gmail.com [64.233.170.200]) by mx1.FreeBSD.org (Postfix) with ESMTP id D345743D1F for ; Fri, 18 Mar 2005 13:48:57 +0000 (GMT) (envelope-from dinzdale@gmail.com) Received: by rproxy.gmail.com with SMTP id j1so132497rnf for ; Fri, 18 Mar 2005 05:48:57 -0800 (PST) Received: by 10.39.2.13 with SMTP id e13mr2737025rni; Fri, 18 Mar 2005 05:48:57 -0800 (PST) Received: by 10.38.11.55 with HTTP; Fri, 18 Mar 2005 05:48:57 -0800 (PST) Message-ID: Date: Fri, 18 Mar 2005 15:48:57 +0200 From: stephen To: freebsd-pf@freebsd.org In-Reply-To: <200503181403.02521.max@love2party.net> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit References: <200503181403.02521.max@love2party.net> Subject: Re: traffic accounting X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: stephen List-Id: Technical discussion and general questions about packet filter (pf) X-List-Received-Date: Fri, 18 Mar 2005 13:48:58 -0000

On Fri, 18 Mar 2005 14:02:50 +0100, Max Laier wrote:
> On Friday 18 March 2005 12:41, stephen wrote:
> > Having a little difficulty regarding traffic counting.
> >
> > I have a macro ($soh) with about 30 IPs in it.. The first problem I
> > was having was that:
> > pass out on $ext_if from $soh to any keep state label "$srcaddr:: "
> > was not passing traffic. (nat changing source address before reaching
> > filtering rules)
> >
> > Someone then recommended having the following instead:
> > pass in on $int_if from $soh to any keep state label "$srcaddr:: "
> > pass out on $ext_if from any to any keep state label "total:: "
> >
> > which is now letting traffic out with the pass out rule, but the pass
> > in rule is not counting traffic... whenever doing "pfctl -sl" I can
> > see the "total::" label rising as more bandwidth is used, but all the
> > other labels for all the private IPs remain on zero.
>
> Generally speaking, I'd think that there is an error in your ruleset that
> prevents this rule from being evaluated. Use $pfctl -vsr and check if the
> rule(s) match at all. If you are dealing with 10+ IPs I'd also suggest to
> look at tables. They are not only quicker (by an order of magnitude) but
> also provide per IP counters for traffic that might just give you what you
> want. See the FAQ for details on tables.

That's exactly what I'm after, the reason I used a macro was when I did

# pfctl -sl

I was just getting 0 0 0, the table wasn't expanding (changed from ipf to pf recently, so I'm a lil new to things such as tables)

> > I did get a step closer earlier this morning... Managed to count
> > traffic from the source addresses 100%, but I couldn't account for the
> > web traffic (which is 80% of the traffic) as I have a rdr rule that
> > redirects all traffic for port 80 via localhost port 3128 to
> > proxy/cache webpages.
>
> In any case the traffic must come in from the local side first (as I think
> that you are only dealing with connections initiated from the clients you are
> accounting for). This traffic can always be filtered and accounted for.

yes, but because of the two rules

> > pass in on $int_if from $soh to any keep state label "$srcaddr:: "
> > pass out on $ext_if from any to any keep state label "total:: "

and the last match win story.. I think it bypasses the first rule and traffic goes out on the second

> > Could someone possibly help rectify this?
> > (they are also the last rules in the ruleset so the "last match wins"
> > is correct)
>
> "quick" might mess you up? Please post your *complete* ruleset when you want
> help debugging it. It's only fishing in the dark if you don't give details.
> Obfuscate your static IP if you think you have to, but post the complete
> thing or people are not able to help.

yeah that's what I thought, quick is going to stop traffic going out same as when I was doing:

pass out on $ext_if from $soh to any keep state label "$srcaddr:: "

it wasn't passing traffic at all. I suspect because of the nat rule (and seeing as nat is done before filtering) it was converting the private IPs into the live IP and wouldn't let it go out.
here's the ruleset:

# macros
int_if = "rl0"
ext_if = "tun0"
gif_if = "gif3"
tcp_services_in = "{ 21, 25, 110, 2222, 113 }"
tcp_services_out = "{ 21, 22, 25, 53, 80, 110, 6667 }"
udp_services_in = "{ 53 }"
udp_services_out = "{ 53 }"
icmp_types = "echoreq"
p2p_ports = " { 6346 }"
p2p_clients = "{ $studio, $stephen }"
studio = "{ x.x.x.5 , x.x.x.11 , x.x.x.12 }"
stephen = "x.x.x.23"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
#table persist file "/etc/soh_hosts"
soh ="{ x.x.x.1 , x.x.x.2 , x.x.x.3 , x.x.x.4 , x.x.x.5 , x.x.x.6 , x.x.x.7 , x.x.x.8 , x.x.x.9 , x.x.x.10 , x.x.x.11 , x.x.x.12 , x.x.x.13 , x.x.x.14 , x.x.x.15 , x.x.x.16 , x.x.x.17 , x.x.x.18 , x.x.x.19 , x.x.x.20 , x.x.x.21 , 10.0.88.22 , x.x.x.23 , x.x.x.24 , x.x.x.25 , x.x.x.26 , x.x.x.27 , x.x.x.28 , x.x.x.29 , x.x.x.30 }"
# comp3 = "x.x.x.x"

# options
set block-policy return
set loginterface $ext_if
set fingerprints "/etc/pf.os"

# scrub
scrub in all

# nat/rdr
#nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128
# rdr on $ext_if proto tcp from any to any port 80 -> $comp3

# filter rules
block log all
pass quick on lo0 all
pass quick on $int_if all

# anti spoofing protection for internal interface
antispoof quick for $int_if inet
antispoof quick for $ext_if inet
antispoof quick for lo0

pass in on $ext_if inet proto tcp from any to { $int_if, ($ext_if) } port $tcp_services_in flags S/SA keep state
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
pass in on $gif_if all
pass out on $gif_if all

pass in on $int_if from $soh to any keep state label "$srcaddr:: "
pass out on $ext_if from any to any keep state label "total:: "

once I've got the counting working as I want it to (cause I'll do a pfctl -sl and have the output mailed to me daily and reset the counter), I'll start bringing the $tcp_services_out into play to restrict access a bit more.

Thanks,
Stephen
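The daily "pfctl -sl" mail Stephen describes needs the label counters turned into per-client numbers; the script below is an added example, not code posted by anyone in this thread. It assumes the labelling from the ruleset above ("$srcaddr:: " per client, "total:: " for the catch-all), accepts the three-counter output of 2005-era pf as well as the seven- and eight-counter formats of later pfctl versions, and runs on a constructed sample (the 10.0.88.x addresses are placeholders); the "unaccounted" figure it reports is the gap between the catch-all and the per-address labels that the thread is chasing.

```python
"""Per-client traffic accounting from `pfctl -sl` label counters.

Added example for this thread, not code posted by anyone in it.  It assumes
the labelling used in the ruleset above: one "pass in" rule per client
labelled "$srcaddr:: " (pf expands the macro, so each rule's label becomes
e.g. "10.0.88.22:: ") and one catch-all "pass out" rule labelled "total:: ".
"""

# `pfctl -sl` prints one line per labelled rule: the label, then counters.
# pf of the 2005 era prints three counters (evaluations packets bytes);
# later versions print seven (adding packets/bytes split by direction) and
# current ones eight (adding a state count).  A label may itself contain
# spaces, so the counters are peeled off the right-hand end of each line.
COUNTER_FIELDS = {
    3: ("evaluations", "packets", "bytes"),
    7: ("evaluations", "packets", "bytes",
        "packets_in", "bytes_in", "packets_out", "bytes_out"),
    8: ("evaluations", "packets", "bytes",
        "packets_in", "bytes_in", "packets_out", "bytes_out", "states"),
}

# Constructed sample output (addresses are placeholders, not from the thread).
# "10.0.88.22::" appears twice to show two rules sharing one label.
SAMPLE_PFCTL_SL = """\
10.0.88.1:: 1203 840 612334
10.0.88.22:: 331 210 98765
10.0.88.22:: 12 4 300
10.0.88.23:: 0 0 0
total:: 5000 3210 2000000
"""


def parse_pfctl_sl(text):
    """Return {label: {counter: value}}.  Rules sharing a label are summed."""
    result = {}
    for line in text.splitlines():
        tokens = line.split()
        nums = []
        # Peel trailing integers off; always leave at least one label token.
        while len(tokens) > 1 and tokens[-1].isdigit():
            nums.insert(0, int(tokens.pop()))
        # Use the widest known counter layout that fits; any surplus numbers
        # belonged to a label that happened to end in digits.
        width = next((w for w in (8, 7, 3) if len(nums) >= w), None)
        if width is None:
            continue  # blank line or something that is not a counter line
        label = " ".join(tokens + [str(n) for n in nums[:-width]])
        acc = result.setdefault(label, {})
        for name, value in zip(COUNTER_FIELDS[width], nums[-width:]):
            acc[name] = acc.get(name, 0) + value
    return result


def account_by_source(counters, total_label="total::"):
    """Split parsed counters into bytes per client address and the bytes
    the catch-all rule saw that no per-address label accounts for.

    The gap is the figure to watch: per-address labels stuck at zero while
    "total::" keeps rising (as in the thread) means the per-address rules
    are not the ones matching.  The gap also contains traffic the router
    itself originates (for example fetches made by the local proxy), which
    the catch-all "pass out" rule counts but no client rule can.
    """
    per_source = {}
    for label, values in counters.items():
        if label == total_label or not label.endswith("::"):
            continue
        per_source[label[:-2]] = values.get("bytes", 0)
    total_bytes = counters.get(total_label, {}).get("bytes", 0)
    unaccounted = total_bytes - sum(per_source.values())
    return per_source, unaccounted


def daily_report(text):
    """Lines for the daily mail: clients by bytes, busiest first, then the gap."""
    per_source, unaccounted = account_by_source(parse_pfctl_sl(text))
    ranked = sorted(per_source.items(), key=lambda kv: (-kv[1], kv[0]))
    lines = [f"{addr:<18} {nbytes:>14,d}" for addr, nbytes in ranked]
    lines.append(f"{'unaccounted':<18} {unaccounted:>14,d}")
    return lines


if __name__ == "__main__":
    # On a real router: pfctl -sl | python3 this_script.py (read sys.stdin
    # instead of the sample); the sample keeps the example self-contained.
    print("\n".join(daily_report(SAMPLE_PFCTL_SL)))
```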