From: Maxim Vetsalo
Date: Sun, 27 Mar 2005 15:15:15 +0300
To: Didier Rwitura
cc: freebsd-pf@freebsd.org
Subject: Re[2]: SSH hanging

Hello Didier,

Saturday, March 26, 2005, 2:35:30 PM, you wrote:

DR> Sorry Maxim...
DR> I added
DR>     UseDNS no
DR> in my sshd_config ... restarted the daemon but still no luck. I even
DR> activated
DR>     VerifyReverseMapping no
DR> Still no luck.
DR> By the way I am running Prerelease FreeBSD 5.4
DR> OpenSSH_3.8.1p1

Take a look at http://www.snailbook.com/faq/ (Miscellaneous section and the rest of the page). Perhaps you will find an answer there. Also try tcpdump, looking for ssh-port connections.
DR> Thanx

DR> On Sat, 26 Mar 2005, Maxim Vetsalo wrote:

>> On Fri, 25 Mar 2005 19:25:50 -0500 (EST)
>> Didier Rwitura wrote:
>>
>> > I am installing PF
>> >
>> [ skipped ]
>>
>> >   https } flags S/SA keep state
>> >
>> > I am getting
>> >
>> > Hello didier, You are authenticated from host "10.0.0.33"
>> >
>> > when I connect with ssh but it hangs ... I don't get the prompt
>> >
>> > any help will be appreciated
>>
>> I had the same problem when my pf-enabled server was unable to send DNS requests.
>> Setting UseDNS -> no in /etc/ssh/sshd_config will help in this case.
>>
>> Best regards,
>> Maxim.
>> --
>> mailto:mvetsalo@mail.ru

DR> --
DR> ------------------------------------------
DR> Didier Rwitura
DR> Technical Support Technique
DR> Primus Telecommunications Inc
DR> Tel: 1-800-370-0015 Residential
DR>      1-888-222-8577 Commercial
DR> Ext :8628
DR> "injustice anywhere is a threat to justice everywhere"
DR> Martin Luther King Jr

--
Best regards,
Maxim
mailto:mvetsalo@mail.ru
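Maxim's advice above is to watch the ssh port with tcpdump. The analyzer below is an added example (not code from the thread): it groups tcpdump lines into flows, tells a SYN that nothing ever answers apart from a handshake whose SYN-ACKs go to an endpoint the client never used (the pattern that also appears in the route-to and rdr captures later on this page), and lists DNS lookups that got no reply, the cause Maxim describes. The line format is the one tcpdump on FreeBSD 5.x prints; the capture, addresses and host names in it are constructed.

```python
"""Flag stalled TCP handshakes and unanswered DNS queries in tcpdump output.

Added example, not code from the thread. It separates a SYN that nothing ever
answers from a handshake whose SYN-ACKs go to an endpoint the client never used
(so the client never ACKs), and lists DNS queries that got no reply, such as
sshd's reverse lookup of the peer. The capture at the bottom is constructed.
"""
import re
from collections import defaultdict

# A TCP line: "HH:MM:SS.usec [IP ]src.sport > dst.dport: FLAGS rest". Host names
# may contain dots, so the port is the last dot-separated field of an endpoint.
TCP_RE = re.compile(
    r"^(?P<ts>\S+) (?:IP )?(?P<src>\S+?)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\S+?)\.(?P<dport>[\w-]+): (?P<flags>[SFRP.]+) (?P<rest>.*)$"
)
# A DNS line: "... src > dst: QID+ PTR? name. (len)" is a query and
# "... src > dst: QID 1/0/0 PTR name. (len)" is the matching reply.
DNS_RE = re.compile(
    r"^(?P<ts>\S+) (?:IP )?(?P<src>\S+) > (?P<dst>\S+): (?P<qid>\d+)\+?\*? (?P<body>.*)$"
)
QUERY_RE = re.compile(r"^[A-Z]+\? (?P<name>\S+)")


def parse(lines):
    """Group packets into TCP flows (keyed by the sorted endpoint pair) and DNS transactions."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "client": None, "client_ack": False})
    dns = {}  # (query id, requester endpoint) -> {"name": ..., "answered": bool}
    for line in lines:
        m = TCP_RE.match(line)
        if m:
            a, b = (m["src"], m["sport"]), (m["dst"], m["dport"])
            flow = flows[tuple(sorted((a, b)))]
            is_synack = "S" in m["flags"] and " ack " in f" {m['rest']} "
            if "S" in m["flags"] and not is_synack:
                flow["syn"] += 1
                flow["client"] = a           # the side that opened the connection
            elif is_synack:
                flow["synack"] += 1
                flow["client"] = flow["client"] or b
            elif a == flow["client"]:
                flow["client_ack"] = True    # the client got past its SYN
            continue
        m = DNS_RE.match(line)
        if not m:
            continue
        q = QUERY_RE.match(m["body"])
        if q:
            dns.setdefault((m["qid"], m["src"]), {"name": q["name"], "answered": False})
        elif (m["qid"], m["dst"]) in dns:
            dns[(m["qid"], m["dst"])]["answered"] = True
    return flows, dns


def classify(flow):
    """Reduce one flow's counters to a verdict the firewall admin can act on."""
    if flow["synack"] == 0:
        return "no-synack"          # nothing came back: look at the inbound rules
    if not flow["client_ack"]:
        return "synack-unanswered"  # replies go where the client never hears them
    return "established"


def report(text):
    """Return {'flows': {'client:port -> server:port': verdict}, 'dns_unanswered': [names]}."""
    flows, dns = parse(text.splitlines())
    out = {"flows": {}, "dns_unanswered": []}
    for key, flow in flows.items():
        client = flow["client"] or key[0]
        server = key[1] if client == key[0] else key[0]
        out["flows"][f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}"] = classify(flow)
    out["dns_unanswered"] = [d["name"] for d in dns.values() if not d["answered"]]
    return out


# Constructed capture: an ssh session whose reverse lookup never gets an answer,
# a handshake whose SYN-ACKs go to a translated address that never ACKs, and a
# SYN that is retransmitted because nothing replies at all.
SAMPLE = """\
12:06:00.100000 IP 10.0.0.33.51234 > 10.0.0.1.ssh: S 1000:1000(0) win 65535
12:06:00.100300 IP 10.0.0.1.ssh > 10.0.0.33.51234: S 2000:2000(0) ack 1001 win 57344
12:06:00.100600 IP 10.0.0.33.51234 > 10.0.0.1.ssh: . ack 1 win 65535
12:06:00.101000 IP 10.0.0.1.50123 > 10.0.0.53.domain: 4711+ PTR? 33.0.0.10.in-addr.arpa. (42)
12:06:05.101000 IP 10.0.0.1.50123 > 10.0.0.53.domain: 4711+ PTR? 33.0.0.10.in-addr.arpa. (42)
12:06:00.662626 IP 192.168.1.3.58512 > mail.example.net.smtp: S 1477496869:1477496869(0) win 64240
12:06:00.693868 IP mail.example.net.smtp > 192.168.1.3.58512: S 817947484:817947484(0) ack 1477496870 win 57344
12:06:03.691499 IP mail.example.net.smtp > 192.168.1.3.58512: S 817947484:817947484(0) ack 1477496870 win 57344
12:06:09.718270 IP mail.example.net.smtp > 192.168.1.3.58512: S 817947484:817947484(0) ack 1477496870 win 57344
12:07:00.000000 IP 10.0.0.33.51300 > 10.0.0.1.ssh: S 3000:3000(0) win 65535
12:07:03.000000 IP 10.0.0.33.51300 > 10.0.0.1.ssh: S 3000:3000(0) win 65535
"""

if __name__ == "__main__":
    for label, verdict in report(SAMPLE)["flows"].items():
        print(f"{label}: {verdict}")
    print("unanswered DNS:", report(SAMPLE)["dns_unanswered"])
```

Feed it real output with `tcpdump -l -n -i <interface> | python3 thisfile.py` adapted to read stdin; the verdicts say which direction to look in before touching the ruleset.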
From: Max Laier
Date: Sun, 27 Mar 2005 20:19:24 +0100
To: freebsd-pf@freebsd.org
cc: freebsd-stable@freebsd.org
Subject: Re: SSH hanging

Sorry for replying late ...

On Saturday 26 March 2005 01:25, Didier Rwitura wrote:
> /etc/shell ---> /usr/sbin/authpf
<...>
> I am getting
>
> Hello didier, You are authenticated from host "10.0.0.33"
>
> when I connect with ssh but it hangs ... I don't get the prompt

This is intentional. authpf is not an interactive shell, it is simply for authentication purposes.
The code portion in question:

| while (1) {
|     printf("\r\nHello %s, ", luser);
|     printf("You are authenticated from host \"%s\"\r\n", ipsrc);
|     setproctitle("%s@%s", luser, ipsrc);
|     print_message(PATH_MESSAGE);
|     while (1) {
|         sleep(10);
|         if (want_death)
|             do_death(1);
|     }
| }

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From: Ask Bjørn Hansen
Date: Tue, 29 Mar 2005 03:13:40 -0800
To: freebsd-pf@freebsd.org
Subject: altq blocking all traffic (bridging problem?)
Hi,

With the following simple ruleset pf is not letting any traffic in or out (it's a much, much simplified version of the real ruleset I had prepared). What am I doing wrong?

    int_if = "sis0"

    altq on $int_if cbq bandwidth 1200Kb queue { std_in }
    queue std_in bandwidth 1.2Mb priority 2 cbq(default)

    pass quick on lo0 all
    pass in on $int_if all queue std_in
    pass out on $int_if all queue std_in

If I take out the altq and queue lines it's working fine (as far as I can tell), but that's not much fun. :-)

My end goal is to set this Soekris 4801 box up with bridging to get a bridge doing packet shaping. (I have a handful of real IPs at home, but they are bridged to my DSL provider rather than routed). Hopefully I can also make it do NAT and IPsec from the internal net to our internal net at the datacenter.

I'm using 5.3 as of a few days ago and the bridging patch[1] mentioned in http://lists.freebsd.org/pipermail/freebsd-pf/2005-January/000744.html

Speaking of that: What's holding that patch back from going into the FreeBSD cvs repository?
- ask

[1] http://www.pfsense.org/downloads/bridge.patch.041215

--
http://www.askbjoernhansen.com/

From: Mathieu Arnold
Date: Wed, 30 Mar 2005 12:15:52 +0200
To: pf@freebsd.org
Subject: route-to and nat :-)

Hello,

I have my home network with 2 subnets:

    PRIV : 192.168.1.0/24
    PUB  : 193.30.224.120/29

I have a dsl router and a freebsd gw, so it could look like that:

    +-----+
    | DSL +-- internet
    +-----+
       | 192.168.1.1/24
       |
       |               +---------+
       +---------------| freebsd |
       |           dc0 +---------+
       |               192.168.1.3/24, 193.30.224.121/29
       |
    other boxes, some in PRIV, some other in PUB.

Boxes in PRIV have 192.168.1.1 as their gateway, boxes in PUB have 193.30.224.121. I have a tun0 on the freebsd box which brings me back the traffic for PUB.
My dsl router is nice enough to only nat the traffic from PRIV, and not for PUB, so packets coming from PRIV and going out are natted, the others are not; it works because the packets come back through tun0. The default gw is on tun0.

Now, I have that:

    int_if="dc0"
    int_gw="192.168.1.1"
    int_addr="192.168.1.3"
    ext_if="tun0"
    pub="193.30.224.120/29"
    priv="192.168.1.0/24"

    no nat on $int_if from any to { $pub, $priv }
    no nat on $int_if from { $priv } to any
    nat on $int_if from any to any -> $int_addr

It works nicely: if I

    route add xx.xx.xx.xx 192.168.1.1

the packets get out on dc0 and are natted nicely and it works. But I wanted to do some finer grained routing, so I tried:

    pass in quick on $int_if route-to ($int_if $int_gw) proto tcp from $pub to any port 25

The packets are going out via dc0 like I want, but they don't seem to go through nat. I tried also:

    pass out quick on $ext_if route-to ($int_if $int_gw) proto tcp from $pub to any port 25

The packets are taken out nicely to dc0 and are natted, but something strange happens when they come back, and the originating box never sees the packets.
Here is what is seen on the remote smtp server:

    12:06:00.738633 i01v-41-206.d4.club-internet.fr.61540 > plouf.absolight.net.smtp: S 1477496869:1477496869(0) win 64240 (DF)
    12:06:00.738678 plouf.absolight.net.smtp > i01v-41-206.d4.club-internet.fr.61540: S 817947484:817947484(0) ack 1477496870 win 57344 (DF)
    12:06:03.736622 plouf.absolight.net.smtp > i01v-41-206.d4.club-internet.fr.61540: S 817947484:817947484(0) ack 1477496870 win 57344 (DF)
    12:06:09.736298 plouf.absolight.net.smtp > i01v-41-206.d4.club-internet.fr.61540: S 817947484:817947484(0) ack 1477496870 win 57344 (DF)
    12:06:21.735650 plouf.absolight.net.smtp > i01v-41-206.d4.club-internet.fr.61540: S 817947484:817947484(0) ack 1477496870 win 57344 (DF)

Here is what's seen on my freebsd gw:

    12:06:00.662626 IP pouet.in.mat.cc.4643 > plouf.absolight.net.smtp: S 1477496869:1477496869(0) win 64240
    12:06:00.663018 IP 192.168.1.3.58512 > plouf.absolight.net.smtp: S 1477496869:1477496869(0) win 64240
    12:06:00.693868 IP plouf.absolight.net.smtp > 192.168.1.3.58512: S 817947484:817947484(0) ack 1477496870 win 57344
    12:06:00.694097 IP plouf.absolight.net.smtp > pouet.in.mat.cc.4643: S 817947484:817947484(0) ack 1477496870 win 57344
    12:06:00.694274 IP pouet.in.mat.cc.4643 > plouf.absolight.net.smtp: . ack 1 win 64492
    12:06:03.691499 IP plouf.absolight.net.smtp > 192.168.1.3.58512: S 817947484:817947484(0) ack 1477496870 win 57344
    12:06:03.691771 IP plouf.absolight.net.smtp > pouet.in.mat.cc.4643: S 817947484:817947484(0) ack 1477496870 win 57344
    12:06:03.694103 IP pouet.in.mat.cc.4643 > plouf.absolight.net.smtp: . ack 1 win 64492
    12:06:09.718270 IP plouf.absolight.net.smtp > 192.168.1.3.58512: S 817947484:817947484(0) ack 1477496870 win 57344
    12:06:09.718987 IP plouf.absolight.net.smtp > pouet.in.mat.cc.4643: S 817947484:817947484(0) ack 1477496870 win 57344
    12:06:09.719179 IP pouet.in.mat.cc.4643 > plouf.absolight.net.smtp: . ack 1 win 64492
    12:06:21.135016 IP pouet.in.mat.cc.4643 > plouf.absolight.net.smtp: F 1:1(0) ack 1 win 64492
    12:06:21.690741 IP plouf.absolight.net.smtp > 192.168.1.3.58512: S 817947484:817947484(0) ack 1477496870 win 57344
    12:06:21.690955 IP plouf.absolight.net.smtp > pouet.in.mat.cc.4643: S 817947484:817947484(0) ack 1477496870 win 57344
    12:06:21.691106 IP pouet.in.mat.cc.4643 > plouf.absolight.net.smtp: . ack 1 win 64492

If someone understands what this is all about, I'd be glad to know :-)

--
Mathieu Arnold

From: Jayel Villamin
Date: Thu, 31 Mar 2005 16:18:55 +1000
To: freebsd-pf@freebsd.org
Subject: weird PF behavior
Here's a rough sketch of the home network:

    FBSD 5.3 box ===>>> xl0 ===>>> ADSL modem
                 ===>>> xl1 ===>>> 10/100 Mbps switch ===>>> several Windows PCs are connected to the switch
                 ===>>> xl2 ===>>> Windows PC (via x-over cable). This is the FTP server.

I have an FTP server running in a windows box with IP = 192.168.2.2. Here's a snippet of my rules:

    ==========
    ext_if = "tun0"
    elayne_ftp_service = "19985:19989"
    elayne = "192.168.2.2/32"

    rdr on $ext_if proto tcp from any to ($ext_if) port $elayne_ftp_service -> $elayne

    block log all    #This is the very first rule after the nat/rdr rules

    pass in quick on $ext_if inet proto tcp from any to $elayne port { $elayne_ftp_service } flags S/SA keep state
    ============

Looking at the PF FAQ in openbsd.org, this seems to be correct. But when I try to connect from work to the FTP, I get the following tcpdump entries:

    =====================
    15:44:38.009604 IP SOURCE_IP_HIDDEN_FOR_PRIVACY.43318 > TARGET_IP_HIDDEN_FOR_PRIVACY.19989: S 1052116979:1052116979(0) win 49640
    15:44:41.423697 IP SOURCE_IP_HIDDEN_FOR_PRIVACY.43318 > TARGET_IP_HIDDEN_FOR_PRIVACY.19989: S 1052116979:1052116979(0) win 49640
    ===================

If I change the last rule in the snippet to:

    ===========
    pass in quick inet proto tcp from any to $elayne port { $elayne_ftp_service } flags S/SA keep state
    ===========

it works. Well, I thought that having "on $ext_if" was correct as well, as the traffic from work to the home FTP server must pass thru $ext_if. Any ideas for this behavior?
Thanks

From: Hexren
Date: Thu, 31 Mar 2005 09:31:07 +0200
To: Jayel Villamin
cc: freebsd-pf@freebsd.org
Subject: Re: weird PF behavior

> Here's a rough sketch of the home network
> FBSD 5.3 box ===>>> xl0 ===>>> ADSL modem
>              ===>>> xl1 ===>>> 10/100 Mbps switch ===>>> several Windows PC are connected to the switch
>              ===>>> xl2 ===>>> Windows PC (via x-over cable). This is the FTP server.
> I have an FTP server running in a windows box with IP = 192.168.2.2
> here's a snippet of my rules
> ==========
> ext_if = "tun0"
> elayne_ftp_service = "19985:19989"
> elayne = "192.168.2.2/32"
> rdr on $ext_if proto tcp from any to ($ext_if) port $elayne_ftp_service -> $elayne
> block log all #This is the very first rule after the nat/rdr rules
> pass in quick on $ext_if inet proto tcp from any to $elayne port { $elayne_ftp_service } flags S/SA keep state
> ============
> Looking at the PF FAQ in openbsd.org, this seem to be correct.
> But when I try to connect from work to the FTP, I get the following tcpdump entries:
> =====================
> 15:44:38.009604 IP SOURCE_IP_HIDDEN_FOR_PRIVACY.43318 > TARGET_IP_HIDDEN_FOR_PRIVACY.19989: S 1052116979:1052116979(0) win 49640
> 15:44:41.423697 IP SOURCE_IP_HIDDEN_FOR_PRIVACY.43318 > TARGET_IP_HIDDEN_FOR_PRIVACY.19989: S 1052116979:1052116979(0) win 49640
> ===================
> If I change the last rule in the snippet to:
> ===========
> pass in quick inet proto tcp from any to $elayne port { $elayne_ftp_service } flags S/SA keep state
> ===========
> it works.
> Well I thought that having "on $ext_if" is correctly as well as the traffic from work to home FTP server must pass thru $ext_if.
> Any ideas for this behavior?
> Thanks

---------------------------------------------

Guessing, I would say that: the traffic comes in on $ext_if, a state for it is created, and it then tries to leave over $int_if. At that point it is caught by "block log all #This is the very first rule after the nat/rdr rules", as obviously "on $ext_if" in the pass rule is not true for a packet traversing $int_if. Imho a rule along the lines of

    pass on $int_if from any to $elayne port { $elayne_ftp_service } keep state

should fix the problem. Try it; I am not dead sure.
Regards
Hexren

From: Pat Maddox
Date: Thu, 31 Mar 2005 15:54:22 -0700
To: freebsd-pf@freebsd.org
Subject: Problem with PF

I just got a new server with FreeBSD 5.3 installed, tried to set up PF, and am getting an error when I try to parse the file. I updated to patch release 6, hoping that might solve things, but I still get the error.
Here's the error itself:

    pfctl: ifa_load: pfi_get_ifaces: Bad file descriptor

And now for pf.conf:

    # ------- pf.conf skeleton for server
    #
    # --------------- MACRO Section -----------------

    EXT_IF="rl0"

    PING = "echoreq"

    # --- allowed incoming services initiated by clients

    TCP_IN = "{ ssh }"
    #UDP_IN = "{ }"

    # --- allowed services initiated by server

    TCP_OUT = "{ ssh, ftp, http, ntp, 5999 }"
    UDP_OUT = "{ domain, ntp }"

    # ------------------ TABLE Section --------------

    # ------------------ OPTIONS Section
    set loginterface $EXT_IF

    # --------- TRAFFIC NORMALIZATION ----------------
    scrub in all

    # ---------- TRANSLATION Section (NAT/RDR)

    # ---------- FILTER section

    # --- DEFAULT POLICY
    block log all

    # --- LOOPBACK
    pass quick on lo0 all

    # ======================= INCOMING ================
    # ----------- EXTERNAL INTERFACE

    # --- TCP
    pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port $TCP_IN flags S/SA keep state

    # --- UDP
    #pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port $UDP_IN keep state

    # --- ICMP
    pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type $PING keep state

    # ======================= OUTGOING ================
    # ----------- EXTERNAL INTERFACE

    # --- TCP
    pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any port $TCP_OUT flags S/SA keep state

    # --- UDP
    pass out quick on $EXT_IF inet proto udp from $EXT_IF to any port $UDP_OUT keep state

    # --- ICMP
    pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any icmp-type $PING keep state

    # ----------------- end of pf.conf
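As an added example, not part of the thread and not pfctl's own code, the script below does to a pf.conf what pfctl does before the kernel sees it: it substitutes $MACRO references, multiplies each { } list into one statement per element, and reports a macro that is referenced but never defined (the thread later traces Pat's error to the pf module not being loaded, not to this file). The sample is a condensed, constructed copy of the pf.conf above with the inbound UDP rule uncommented so the check has something to find.

```python
"""Expand pf.conf macros and { } lists the way pfctl does before loading rules.

Added example, not code from the thread or from pfctl. It handles only what the
posted file uses: quoted macro assignments, # comments, $MACRO references and
brace lists inside a rule. Output is the flattened statement list the kernel
would receive, plus findings such as a reference to a macro that was never set.
"""
import itertools
import re

MACRO_DEF = re.compile(r'^(?P<name>[A-Za-z_]\w*)\s*=\s*"(?P<value>[^"]*)"$')
MACRO_REF = re.compile(r"\$(?P<name>[A-Za-z_]\w*)")
LIST = re.compile(r"\{\s*(?P<items>[^}]*)\}")


def expand_macros(line, macros):
    """Substitute $NAME references; return (text, names that were not defined)."""
    missing = []

    def sub(m):
        if m["name"] in macros:
            return macros[m["name"]]
        missing.append(m["name"])
        return m.group(0)  # keep the reference visible instead of blanking it
    return MACRO_REF.sub(sub, line), missing


def expand_lists(line):
    """'pass ... port { ssh, ftp }' -> one rule per element; several lists give
    the cartesian product, which is what pfctl installs."""
    parts = LIST.split(line)          # literal, items, literal, items, ..., literal
    literal = parts[0::2]
    choices = [[i.strip() for i in items.split(",") if i.strip()] for items in parts[1::2]]
    if not choices:
        return [" ".join(line.split())]
    rules = []
    for combo in itertools.product(*choices):
        pieces = [literal[0]]
        for value, tail in zip(combo, literal[1:]):
            pieces += [value, tail]
        rules.append(" ".join("".join(pieces).split()))
    return rules


def load(text):
    """Return (statements, macros, problems) for a pf.conf text."""
    macros, statements, problems = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:                                  # macros may refer to earlier macros
            macros[m["name"]], missing = expand_macros(m["value"], macros)
        else:
            expanded, missing = expand_macros(line, macros)
            statements.extend(expand_lists(expanded))
        problems += [f"line {lineno}: undefined macro ${name}" for name in missing]
    return statements, macros, problems


# Constructed: a condensed copy of the pf.conf posted above, with the inbound
# UDP rule uncommented although its UDP_IN macro is still commented out.
SAMPLE = """\
EXT_IF="rl0"
PING = "echoreq"
TCP_IN = "{ ssh }"
#UDP_IN = "{ }"
TCP_OUT = "{ ssh, ftp, http, ntp, 5999 }"
UDP_OUT = "{ domain, ntp }"
set loginterface $EXT_IF
scrub in all
block log all
pass quick on lo0 all
pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port $TCP_IN flags S/SA keep state
pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port $UDP_IN keep state
pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type $PING keep state
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any port $TCP_OUT flags S/SA keep state
pass out quick on $EXT_IF inet proto udp from $EXT_IF to any port $UDP_OUT keep state
pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any icmp-type $PING keep state
"""

if __name__ == "__main__":
    statements, _, problems = load(SAMPLE)
    print("\n".join(statements))
    print("\n".join(problems))
```

Compare the statement list with `pfctl -nvf pf.conf`, which prints the same expansion from the real parser; the one undefined macro in the sample is the kind of mistake pfctl reports as a syntax error rather than loading a half-empty rule.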
From: Pat Maddox
Date: Thu, 31 Mar 2005 16:41:37 -0700
To: freebsd-pf@freebsd.org
Subject: Re: Problem with PF

It looks like the error happens as soon as I reference an interface. Even if I just make my config file:

    pass quick on lo0 all

I get the error. So something's messed up... I've just got no idea what.
Here are the results of ifconfig, to hopefully provide some more info:

    rl0: flags=8843 mtu 1500
            options=8
            inet 69.61.54.162 netmask 0xfffffff8 broadcast 69.61.54.167
            inet6 fe80::20c:6eff:fe44:4391%rl0 prefixlen 64 scopeid 0x1
            ether 00:0c:6e:44:43:91
            media: Ethernet autoselect (100baseTX )
            status: active
    lo0: flags=8049 mtu 16384
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2

On Thu, 31 Mar 2005 15:54:22 -0700, Pat Maddox wrote:
> I just got a new server with FreeBSD 5.3 installed, tried to set up
> PF, and am getting an error when I try to parse the file. I updated
> to patch release 6, hoping that might solve things, but I still get
> the error. Here's the error itself:
>
> pfctl: ifa_load: pfi_get_ifaces: Bad file descriptor
>
> And now for pf.conf:
>
> # ------- pf.conf skeleton for server
> [...]
> # ----------------- end of pf.conf

From: Daniel Hartmeier
Date: Fri, 1 Apr 2005 08:45:19 +0200
To: Pat Maddox
cc: freebsd-pf@freebsd.org
Subject: Re: Problem with PF

On Thu, Mar 31, 2005 at 04:41:37PM -0700, Pat Maddox wrote:

> It looks like the error happens as soon as I reference an interface.
> Even if I just make my config file:
> pass quick on lo0 all

Looks like a generic problem with ioctl on /dev/pf.

Does "pfctl -si" work? What does "ls -al /dev/pf" show?

Daniel

From: Pat Maddox
Date: Fri, 1 Apr 2005 07:24:01 -0700
To: freebsd-pf@freebsd.org
Subject: Re: Problem with PF
I found it out, just didn't have pf.ko loaded up.

On Mar 31, 2005 11:45 PM, Daniel Hartmeier wrote:
> On Thu, Mar 31, 2005 at 04:41:37PM -0700, Pat Maddox wrote:
>
> > It looks like the error happens as soon as I reference an interface.
> > Even if I just make my config file:
> > pass quick on lo0 all
>
> Looks like a generic problem with ioctl on /dev/pf.
>
> Does "pfctl -si" work? What does "ls -al /dev/pf" show?
>
> Daniel

From: "R. Tyler Ballance"
Date: Fri, 01 Apr 2005 17:26:15 -0600
To: freebsd-pf@freebsd.org
Subject: Upgrading pf in time for 5.4?
I'm about halfway through with slugging through the changes from OPENBSD_3_5 -> OPENBSD_3_6 to packet filter code, and I'm wondering if (a) I'm going about it the "right" way, and (b) if it's worth devoting more time to (my employer (Texas A&M) is allowing me to work on it at work ;)) to get some patches done before 5.4-RELEASE

From our standpoint, we'd stand a good bit to gain if the code was updated, given the rule optimizations that have been added to pf from 3_5->3_6 and a few other changes (I'm still hoping for if_bridge.* to be ported over soon ;))

So, how long might I have to wrap it up, and any suggestions on how the "right way" would be (just to make sure I'm not wasting a lot of time here ;))

Cheers,
-R.
Tyler Ballance

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 1 23:44:26 2005
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Sat, 2 Apr 2005 01:43:59 +0200
In-Reply-To: <1112397975.25570.80.camel@localhost.localdomain>
Message-Id: <200504020144.06555.max@love2party.net>
Subject: Re: Upgrading pf in time for 5.4?

On Saturday 02 April 2005 01:26, R. Tyler Ballance wrote:
> I'm about halfway through with slugging through the changes from
> OPENBSD_3_5 -> OPENBSD_3_6 to packet filter code, and i'm wondering if
> (a) i'm going about it the "right" way, and (b) if it's worth devoting
> more time to (my employer (texas A&M) is allowing me to work on it at
> work ;)) to get some patches done before 5.4-RELEASE

I don't think there is much gain in doing the 3.6 pull-up now, with 3.7 branched and almost out of the door. I am going to look at pulling 3.7 into FreeBSD-CURRENT by the time 3.7 is official (May 1st as of now).

> From our standpoint, we'd stand a good bit to gain if the code was
> updated, given the rule optimizations that have been added to pf from
> 3_5->3_6 and a few other changes (i'm still hoping for if_bridge.* to be
> ported over soon ;))

The latter is certainly a more pushing project - IMO. If your employer would sponsor you some time for that - that'd be perfect. Talk to Bruce (bms@) who has been working with some people to get this in.
What is needed the most at this point is *proper* testing and performance analysis wrt. the current bridge.c implementation. Could you dig up some resources for that?

> So, how long might I have to wrap it up, and any suggestions on how the
> "right way" would be (just to make sure i'm not wasting a lot of time
> here ;))

Judging from my experience (and provided you are reasonably familiar with the code) you can do an import in <1 week. You should spend another week fixing the apparent bugs and introducing infrastructure that is required. The "right way" to go - IMHO - would be to get a cvsrepo and import the OpenBSD vendor source into it (some CVS-foo required for this step). This will help you with the trivia. Then you start working from there ... get back to me on private mail on/after Tuesday, I will then start the dance with the currently available 3.7 code to see what issues we are looking at and I can sure use a second pair of eyes - if you are up for that.

As for 5.4R - that's done and over. No new code (esp. as big as a pf pull-up) will go into it anymore. And - as a pf pull-up will mess with API/ABI - it won't even go to RELENG_5 afterwards. However, as I said several times before, I plan to make it easy to do a pull-up from FreeBSD-CURRENT to RELENG_5 and am committed to support this option if it proves easy enough.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
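Returning to the earlier exchange in this digest between Pat Maddox and Daniel Hartmeier (pfctl failing on the first rule that names an interface, traced to pf.ko not being loaded): Daniel's two checks and Pat's finding fold naturally into one small diagnostic. The script below is an added example written for this page, not code from the list or from the FreeBSD project. It takes the device path and a kldstat(8) listing as arguments so the decision logic can be exercised against sample data on any system; the listings embedded at the bottom are constructed, not real output from any host in the thread. Loading the module with kldload pf or pf_load="YES" in /boot/loader.conf, and the alternative of pf compiled into the kernel, are standard FreeBSD facts; the script deliberately stops short of running pfctl -si itself so it stays runnable offline.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce Daniel Hartmeier's checks
# and Pat Maddox's finding as one diagnostic. On a FreeBSD host you would
# call:   diagnose_pf /dev/pf "$(kldstat)"
# and only then try `pfctl -si`, which needs a working ioctl on /dev/pf.

# Returns 0 if the given kldstat(8) listing shows pf.ko loaded, 1 otherwise.
# The module name is the last field of each line; the header line has "Name".
pf_module_loaded() {
    printf '%s\n' "$1" | awk '$NF == "pf.ko" { found = 1 } END { exit !found }'
}

# Returns 0 if the path exists and is a character device (what /dev/pf is).
pf_device_present() {
    [ -c "$1" ]
}

# Prints a one-line diagnosis.  $1 = device path, $2 = kldstat output.
# Exit status: 0 when pf looks usable, 1 when something is missing.
diagnose_pf() {
    dev=$1
    klds=$2
    if pf_device_present "$dev"; then
        # Device node exists: pf is either a loaded module or built into the
        # kernel (then kldstat will not list pf.ko, which is fine).
        echo "ok: $dev present; next step is 'pfctl -si'"
        return 0
    fi
    if pf_module_loaded "$klds"; then
        echo "pf.ko is loaded but $dev is missing or not a character device: check devfs"
        return 1
    fi
    echo "pf.ko not loaded and $dev missing: run 'kldload pf' (or set pf_load=\"YES\" in /boot/loader.conf), unless pf is compiled into the kernel"
    return 1
}

# Constructed sample listings in kldstat(8) layout (not real output).
KLDSTAT_WITHOUT_PF='Id Refs Address    Size     Name
 1    3 0xc0400000 5e7ae4   kernel
 2    1 0xc0a1c000 1e6b8    acpi.ko'

KLDSTAT_WITH_PF="$KLDSTAT_WITHOUT_PF
 3    1 0xc5f3d000 2b000    pf.ko"

# Stand-alone demo: one listing without pf.ko, one with it.
diagnose_pf /dev/pf "$KLDSTAT_WITHOUT_PF" || :
diagnose_pf /dev/pf "$KLDSTAT_WITH_PF"    || :
```

Checking the device node first matters because a kernel with "device pf" compiled in never shows pf.ko in kldstat yet works fine; the module check is only consulted once the node is known to be absent, which is exactly the situation Pat hit.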