From owner-freebsd-pf@FreeBSD.ORG Mon Jul 25 11:02:17 2005
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 25 Jul 2005 11:02:15 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
p [2005/05/19] ia64/81284  pf    Unaligned Reference with pf on 5.4/IA64
o [2005/06/15] kern/82271  pf    [pf] cbq scheduler cause bad latency

2 problems total.

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
p [2005/05/04] kern/80627  pf    pf_test6: kif == NULL ...
o [2005/05/15] conf/81042  pf    [patch] /etc/pf.os doesn't match FreeBSD

2 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 25 17:10:28 2005
From: "Tiago Sousa"
To: freebsd-pf@freebsd.org
Date: Mon, 25 Jul 2005 18:10:04 +0100
Subject: PF with Freebsd5.4 and Altq with freebsd4.11

Hello to all,

I am trying to install the diffserv model in my testbed. I have computers with
FreeBSD 4.11 and kame + altq kernel options, and computers with FreeBSD 5.4 +
kame + altq and pf kernel options.

The first doubt that I have is: my border routers are those with FreeBSD 5.4 +
pf. Can I mark the packets with pf? Someone had told me that with pf I cannot
use the traffic conditioners of the diffserv model (I guess I can shape but not
mark). Is that true? If so, how can I mark the packets?

Which restrictions does pf have in comparison with altq, i.e., what are the
things that altq can do but pf doesn't? Are there any?

Thanks.

Tiago

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 26 12:58:20 2005
From: Pejman Moghadam
To: freebsd-pf@freebsd.org, pf@benzedrine.cx
Date: Tue, 26 Jul 2005 05:58:18 -0700 (PDT)
Subject: pinging same host on the internet from two different LAN stations

Hi there,

I have one FreeBSD 5.4 router/firewall box in my LAN that does NAT with PF.
The problem is I can't ping the same machine on the internet from two or more
different machines on my LAN at the same time. Only one of my LAN clients can
ping that target, and pinging that target from another station is possible only
when I stop pinging from the first client.

Is there any way or any tool so that ICMP port mapping allows simultaneous
connections to external targets from multiple machines on the LAN?

Thanks in advance

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 26 14:01:29 2005
From: Daniel Hartmeier
To: Pejman Moghadam
Cc: pf@benzedrine.cx, freebsd-pf@freebsd.org
Date: Tue, 26 Jul 2005 16:01:26 +0200
Subject: Re: pinging same host on the internet from two different LAN stations

On Tue, Jul 26, 2005 at 05:58:18AM -0700, Pejman Moghadam wrote:

> I have one FreeBSD 5.4 router/firewall box in my LAN that do NAT with PF.
> The problem is I can't ping the same machine on the internet from two or more different machines
> on my LAN at the same time. only one of my LAN clients can ping that target, and pinging that
> target from another station is possible only when i stop pinging from first client.
> Is there any way or any tool that ICMP portmapping allows simultaneous connections to external
> targets from multiple machines from the LAN?

I don't believe you have actually tried this.

From one workstation (10.1.1.20)

$ ping 199.185.137.3
64 bytes from 199.185.137.3: icmp_seq=0 ttl=235 time=218.693 ms
64 bytes from 199.185.137.3: icmp_seq=1 ttl=235 time=211.615 ms
[...]

At the same time, from another workstation (10.2.2.11)

$ ping 199.185.137.3
64 bytes from 199.185.137.3: icmp_seq=0 ttl=235 time=195.604 ms
64 bytes from 199.185.137.3: icmp_seq=1 ttl=235 time=194.387 ms

On the gateway which does NAT for both

# pfctl -ss | grep icmp
kue0 icmp 10.1.1.20:354 -> 62.65.145.30:354 -> 199.185.137.3:354       0:0
kue0 icmp 10.2.2.11:19057 -> 62.65.145.30:19057 -> 199.185.137.3:19057       0:0

What looks like port numbers in the state is the ICMP ID, a number chosen
randomly for one ping invocation. pf uses this to dispatch incoming replies
from the external host to the appropriate internal host.

Daniel

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 26 15:03:24 2005
From: Cristiano Deana
To: freebsd-pf@freebsd.org
Date: Tue, 26 Jul 2005 17:03:23 +0200
Subject: Re: pinging same host on the internet from two different LAN stations
2005/7/26, Pejman Moghadam:

> Is there any way or any tool that ICMP portmapping allows simultaneous connections to external
> targets from multiple machines from the LAN?

This is the standard in a normal pf configuration with nat.
Paste your pf.conf, it probably contains errors.

btw:
in your firewall:
tcpdump -i $external_interface icmp

what does it say?

-- 
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 26 16:55:58 2005
From: "Melameth, Daniel D."
To: "Pejman Moghadam"
Cc: pf@benzedrine.cx, freebsd-pf@freebsd.org
Date: Tue, 26 Jul 2005 12:55:56 -0400
Subject: RE: pinging same host on the internet from two different LAN stations

Daniel Hartmeier wrote:
> On Tue, Jul 26, 2005 at 05:58:18AM -0700, Pejman Moghadam wrote:
> > I have one FreeBSD 5.4 router/firewall box in my LAN that do NAT
> > with PF.
> > The problem is I can't ping the same machine on the internet from
> > two or more different machines on my LAN at the same time. only one
> > of my LAN clients can ping that target, and pinging that target
> > from another station is possible only when i stop pinging from
> > first client.
> > Is there any way or any tool that ICMP portmapping allows
> > simultaneous connections to external targets from multiple machines
> > from the LAN?
>
> I don't believe you have actually tried this.
>
> From one workstation (10.1.1.20)
>
> $ ping 199.185.137.3
> 64 bytes from 199.185.137.3: icmp_seq=0 ttl=235 time=218.693 ms
> 64 bytes from 199.185.137.3: icmp_seq=1 ttl=235 time=211.615 ms
> [...]
>
> At the same time, from another workstation (10.2.2.11)
>
> $ ping 199.185.137.3
> 64 bytes from 199.185.137.3: icmp_seq=0 ttl=235 time=195.604 ms
> 64 bytes from 199.185.137.3: icmp_seq=1 ttl=235 time=194.387 ms
>
> On the gateway which does NAT for both
>
> # pfctl -ss | grep icmp
> kue0 icmp 10.1.1.20:354 -> 62.65.145.30:354 -> 199.185.137.3:354 0:0
> kue0 icmp 10.2.2.11:19057 -> 62.65.145.30:19057 -> 199.185.137.3:19057 0:0
>
> What looks like port numbers in the state is the ICMP ID, a number
> chosen randomly for one ping invokation. pf uses this to dispatch
> incoming replies from the external host to the appropriate internal
> host.

FWIW, while I haven't looked into this in detail, it appears Windows
clients always use the same ICMP ID--512...

>echo %os%
Windows_NT

>ping 199.185.137.3

Pinging 199.185.137.3 with 32 bytes of data:

Reply from 199.185.137.3: bytes=32 time=117ms TTL=242
Reply from 199.185.137.3: bytes=32 time=118ms TTL=242
Reply from 199.185.137.3: bytes=32 time=118ms TTL=242
Reply from 199.185.137.3: bytes=32 time=118ms TTL=242

# uname -a
OpenBSD openbsdvm.internal.melameth.com 3.7 GENERIC#50 i386

# ping -c 5 199.185.137.3
PING 199.185.137.3 (199.185.137.3): 56 data bytes
64 bytes from 199.185.137.3: icmp_seq=0 ttl=242 time=129.318 ms
64 bytes from 199.185.137.3: icmp_seq=1 ttl=242 time=128.110 ms
64 bytes from 199.185.137.3: icmp_seq=2 ttl=242 time=100.227 ms
64 bytes from 199.185.137.3: icmp_seq=3 ttl=242 time=159.927 ms
64 bytes from 199.185.137.3: icmp_seq=4 ttl=242 time=153.973 ms
--- 199.185.137.3 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 100.227/134.311/159.927/21.297 ms

# uname -a
OpenBSD mel.internal.melameth.com 3.7 GENERIC#50 i386

# ping -c 5 199.185.137.3
PING 199.185.137.3 (199.185.137.3): 56 data bytes
64 bytes from 199.185.137.3: icmp_seq=0 ttl=242 time=117.295 ms
64 bytes from 199.185.137.3: icmp_seq=1 ttl=242 time=124.281 ms
64 bytes from 199.185.137.3: icmp_seq=2 ttl=242 time=115.875 ms
64 bytes from 199.185.137.3: icmp_seq=3 ttl=242 time=119.523 ms
64 bytes from 199.185.137.3: icmp_seq=4 ttl=242 time=123.472 ms
--- 199.185.137.3 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 115.875/120.089/124.281/3.320 ms

...and the output from the gateway which reflects the machines above
respectively:

$ sudo pfctl -ss | grep icmp
self icmp 192.168.x.x:512 -> 207.224.x.x:512 -> 199.185.137.3:512       0:0
self icmp 192.168.x.x:51726 -> 207.224.x.x:51726 -> 199.185.137.3:51726       0:0
self icmp 192.168.x.x:5903 -> 207.224.x.x:5903 -> 199.185.137.3:5903       0:0

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 27 04:59:11 2005
From: Pejman Moghadam
To: "Melameth, Daniel D."
Cc: pf@benzedrine.cx, freebsd-pf@freebsd.org
Date: Tue, 26 Jul 2005 21:59:10 -0700 (PDT)
Subject: RE: pinging same host on the internet from two different LAN stations
Melameth, Daniel D. wrote:
> FWIW, while I haven't looked into this in detail, it appears Windows
> clients always use the same ICMP ID--512...

I think this is right, because of this state entry:

self icmp 192.168.1.18:512 -> 1.2.3.4:512 -> 192.9.9.3:512       0:0

but I have no problem with Windows clients when I use ipfw in FreeBSD or even
iptables in Linux. Why is the same ICMP ID (512) so important for PF? How can I
deal with that?

--- "Melameth, Daniel D." wrote:
> Daniel Hartmeier wrote:
> > On Tue, Jul 26, 2005 at 05:58:18AM -0700, Pejman Moghadam wrote:
> > > I have one FreeBSD 5.4 router/firewall box in my LAN that do NAT
> > > with PF.
> > > The problem is I can't ping the same machine on the internet from
> > > two or more different machines on my LAN at the same time. only one
> > > of my LAN clients can ping that target, and pinging that target
> > > from another station is possible only when i stop pinging from
> > > first client.
> > > Is there any way or any tool that ICMP portmapping allows
> > > simultaneous connections to external targets from multiple machines
> > > from the LAN?
> >
> > I don't believe you have actually tried this.
> >
> > From one workstation (10.1.1.20)
> >
> > $ ping 199.185.137.3
> > 64 bytes from 199.185.137.3: icmp_seq=0 ttl=235 time=218.693 ms
> > 64 bytes from 199.185.137.3: icmp_seq=1 ttl=235 time=211.615 ms
> > [...]
> >
> > At the same time, from another workstation (10.2.2.11)
> >
> > $ ping 199.185.137.3
> > 64 bytes from 199.185.137.3: icmp_seq=0 ttl=235 time=195.604 ms
> > 64 bytes from 199.185.137.3: icmp_seq=1 ttl=235 time=194.387 ms
> >
> > On the gateway which does NAT for both
> >
> > # pfctl -ss | grep icmp
> > kue0 icmp 10.1.1.20:354 -> 62.65.145.30:354 -> 199.185.137.3:354 0:0
> > kue0 icmp 10.2.2.11:19057 -> 62.65.145.30:19057 -> 199.185.137.3:19057 0:0
> >
> > What looks like port numbers in the state is the ICMP ID, a number
> > chosen randomly for one ping invokation. pf uses this to dispatch
> > incoming replies from the external host to the appropriate internal
> > host.
>
> FWIW, while I haven't looked into this in detail, it appears Windows
> clients always use the same ICMP ID--512...
>
> >echo %os%
> Windows_NT
>
> >ping 199.185.137.3
>
> Pinging 199.185.137.3 with 32 bytes of data:
>
> Reply from 199.185.137.3: bytes=32 time=117ms TTL=242
> Reply from 199.185.137.3: bytes=32 time=118ms TTL=242
> Reply from 199.185.137.3: bytes=32 time=118ms TTL=242
> Reply from 199.185.137.3: bytes=32 time=118ms TTL=242
>
> # uname -a
> OpenBSD openbsdvm.internal.melameth.com 3.7 GENERIC#50 i386
>
> # ping -c 5 199.185.137.3
> PING 199.185.137.3 (199.185.137.3): 56 data bytes
> 64 bytes from 199.185.137.3: icmp_seq=0 ttl=242 time=129.318 ms
> 64 bytes from 199.185.137.3: icmp_seq=1 ttl=242 time=128.110 ms
> 64 bytes from 199.185.137.3: icmp_seq=2 ttl=242 time=100.227 ms
> 64 bytes from 199.185.137.3: icmp_seq=3 ttl=242 time=159.927 ms
> 64 bytes from 199.185.137.3: icmp_seq=4 ttl=242 time=153.973 ms
> --- 199.185.137.3 ping statistics ---
> 5 packets transmitted, 5 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 100.227/134.311/159.927/21.297 ms
>
> # uname -a
> OpenBSD mel.internal.melameth.com 3.7 GENERIC#50 i386
>
> # ping -c 5 199.185.137.3
> PING 199.185.137.3 (199.185.137.3): 56 data bytes
> 64 bytes from 199.185.137.3: icmp_seq=0 ttl=242 time=117.295 ms
> 64 bytes from 199.185.137.3: icmp_seq=1 ttl=242 time=124.281 ms
> 64 bytes from 199.185.137.3: icmp_seq=2 ttl=242 time=115.875 ms
> 64 bytes from 199.185.137.3: icmp_seq=3 ttl=242 time=119.523 ms
> 64 bytes from 199.185.137.3: icmp_seq=4 ttl=242 time=123.472 ms
> --- 199.185.137.3 ping statistics ---
> 5 packets transmitted, 5 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 115.875/120.089/124.281/3.320 ms
>
> ...and the output from the gateway which reflects the machines above
> respectively:
>
> $ sudo pfctl -ss | grep icmp
> self icmp 192.168.x.x:512 -> 207.224.x.x:512 -> 199.185.137.3:512 0:0
> self icmp 192.168.x.x:51726 -> 207.224.x.x:51726 -> 199.185.137.3:51726 0:0
> self icmp 192.168.x.x:5903 -> 207.224.x.x:5903 -> 199.185.137.3:5903 0:0

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 27 05:13:21 2005
From: Pejman Moghadam
To: Cristiano Deana
Cc: pf@benzedrine.cx, freebsd-pf@freebsd.org
Date: Tue, 26 Jul 2005 22:13:20 -0700 (PDT)
Subject: Re: pinging same host on the internet from two different LAN stations

Cristiano Deana wrote:
> Paste your pf.conf, it probably contains errors.
> tcpdump -i $external_interface icmp.

This is my pf.conf

extif="{ ed0 }"
extip="{ (ed0) }"
table { 192.168.1.0/24 }
nat on $extif from to any -> $extip
pass all

on my Windows clients:

on 192.168.1.18:

C:\>echo %os%
Windows_NT

C:\>ping 192.9.9.3

Pinging 192.9.9.3 with 32 bytes of data:

Reply from 192.9.9.3: bytes=32 time=541ms TTL=228
Reply from 192.9.9.3: bytes=32 time=540ms TTL=228
Reply from 192.9.9.3: bytes=32 time=531ms TTL=228
Reply from 192.9.9.3: bytes=32 time=671ms TTL=228

Ping statistics for 192.9.9.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 531ms, Maximum = 671ms, Average = 570ms

on 192.168.1.19:

C:\>echo %os%
Windows_NT

C:\>ping 192.9.9.3

Pinging 192.9.9.3 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.9.9.3:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

on the FreeBSD box that does NAT with PF:

# pfctl -ss
self icmp 192.168.1.18:512 -> 1.2.3.4:512 -> 192.9.9.3:512       0:0

# tcpdump -c 10 -i $external_interface -nq icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ed0, link-type EN10MB (Ethernet), capture size 96 bytes
10:02:42.839665 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 6419
10:02:42.909906 IP 1.2.3.4 > 192.9.9.3: icmp 40: echo request seq 275
10:02:43.248794 IP 192.9.9.3 > 1.2.3.4: icmp 40: echo reply seq 275
10:02:43.841123 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 6675
10:02:43.921558 IP 1.2.3.4 > 192.9.9.3: icmp 40: echo request seq 531
10:02:44.263806 IP 192.9.9.3 > 1.2.3.4: icmp 40: echo reply seq 531
10:02:44.842665 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 6931
10:02:44.923035 IP 1.2.3.4 > 192.9.9.3: icmp 40: echo request seq 787
10:02:45.262390 IP 192.9.9.3 > 1.2.3.4: icmp 40: echo reply seq 787
10:02:45.844227 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 7187
10 packets captured
12 packets received by filter
0 packets dropped by kernel

# tcpdump -c 10 -i $internal_interface -nq icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on dc0, link-type EN10MB (Ethernet), capture size 96 bytes
10:00:51.538006 IP 192.9.9.3 > 192.168.1.18: icmp 40: echo reply seq 37394
10:00:51.671439 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 43538
10:00:52.199114 IP 192.168.1.18 > 192.9.9.3: icmp 40: echo request seq 37650
10:00:52.538007 IP 192.9.9.3 > 192.168.1.18: icmp 40: echo reply seq 37650
10:00:52.672876 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 43794
10:00:53.210683 IP 192.168.1.18 > 192.9.9.3: icmp 40: echo request seq 37906
10:00:53.554918 IP 192.9.9.3 > 192.168.1.18: icmp 40: echo reply seq 37906
10:00:53.674441 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 44050
10:00:54.212218 IP 192.168.1.18 > 192.9.9.3: icmp 40: echo request seq 38162
10:00:54.551131 IP 192.9.9.3 > 192.168.1.18: icmp 40: echo reply seq 38162
10 packets captured
26 packets received by filter
0 packets dropped by kernel

--- Cristiano Deana wrote:
> 2005/7/26, Pejman Moghadam :
>
> > Is there any way or any tool that ICMP portmapping allows simultaneous connections to external
> > targets from multiple machines from the LAN?
>
> This the standard in a normal pf configuration with nat.
> Paste your pf.conf, it probaly contains errors.
>
> btw:
> in your firewall:
> tcpdump -i $external_interface icmp.
>
> what does it says?
>
> --
> Cris, member of G.U.F.I
> Italian FreeBSD User Group
> http://www.gufi.org/
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
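The state-table behaviour the thread is circling around, as an added illustration (it is not pf, ipfw or iptables code): a toy NAT gateway that keys ICMP echo state on (ICMP ID, remote host), run once with the client's ID passed through unchanged, which reproduces the pfctl -ss and tcpdump picture above for two Windows clients both sending ID 512, and once with a per-flow rewritten outside ID, which is how an ID-translating NAT avoids the collision. The addresses are the ones from the messages above; the "passthrough"/"rewrite" policy names and the starting outside ID 40000 are constructed for the example.

```python
"""Toy model of NAT state keyed on the ICMP echo ID (added example, not pf code).

policy="passthrough": outside ID == client's ID, as in the pfctl -ss output
                      quoted in the thread (inside and outside IDs identical).
policy="rewrite":     the gateway allocates a free outside ID per flow and maps
                      replies back to the client's own ID.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Echo:
    """An ICMP echo request/reply reduced to the fields NAT state cares about."""
    src: str
    dst: str
    icmp_id: int
    reply: bool = False


@dataclass
class Gateway:
    ext_ip: str
    policy: str = "passthrough"
    # state key is (outside_id, remote_host) -> (inside_host, inside_id)
    states: Dict[Tuple[int, str], Tuple[str, int]] = field(default_factory=dict)
    next_id: int = 40000  # constructed starting point for the "rewrite" policy

    def _existing(self, host: str, inside_id: int, remote: str) -> Optional[int]:
        """Outside ID of an already established flow, if any."""
        for (out_id, rem), (h, in_id) in self.states.items():
            if (h, in_id, rem) == (host, inside_id, remote):
                return out_id
        return None

    def _free_outside_id(self, remote: str) -> int:
        """Pick an outside ID not already in use towards this remote host."""
        while (self.next_id, remote) in self.states:
            self.next_id = self.next_id % 65535 + 1
        out_id = self.next_id
        self.next_id = self.next_id % 65535 + 1
        return out_id

    def outbound(self, pkt: Echo) -> Echo:
        """Translate a LAN -> Internet echo request as it crosses the gateway.

        When no state can be created, the packet is forwarded untranslated,
        still carrying its private source address; that is what the
        external-interface tcpdump in the thread shows for 192.168.1.19.
        """
        out_id = self._existing(pkt.src, pkt.icmp_id, pkt.dst)
        if out_id is None:
            if self.policy == "passthrough":
                out_id = pkt.icmp_id
                if (out_id, pkt.dst) in self.states:
                    return pkt  # collision: (ID, remote) already owned by another host
            else:
                out_id = self._free_outside_id(pkt.dst)
            self.states[(out_id, pkt.dst)] = (pkt.src, pkt.icmp_id)
        return Echo(self.ext_ip, pkt.dst, out_id)

    def inbound(self, pkt: Echo) -> Optional[Echo]:
        """Dispatch an echo reply arriving on the external interface."""
        if pkt.dst != self.ext_ip:
            return None  # not addressed to the gateway: nothing to translate
        state = self.states.get((pkt.icmp_id, pkt.src))
        if state is None:
            return None  # no matching state: the reply is dropped
        host, inside_id = state
        return Echo(pkt.src, host, inside_id, reply=True)


def simulate(policy: str) -> Dict[str, bool]:
    """Two Windows-style clients (both using ICMP ID 512) ping 192.9.9.3.

    Returns, per client, whether its echo reply made it back. Addresses are
    the ones from Pejman's pf.conf and tcpdump output.
    """
    gw = Gateway(ext_ip="1.2.3.4", policy=policy)
    remote = "192.9.9.3"
    got_reply: Dict[str, bool] = {}
    for client in ("192.168.1.18", "192.168.1.19"):
        out = gw.outbound(Echo(client, remote, 512))
        if out.src != gw.ext_ip:
            # A request that left with a private source gets no routable reply.
            got_reply[client] = False
            continue
        back = gw.inbound(Echo(remote, gw.ext_ip, out.icmp_id, reply=True))
        got_reply[client] = back is not None and back.dst == client
    return got_reply


if __name__ == "__main__":
    for pol in ("passthrough", "rewrite"):
        print(pol, simulate(pol))
```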
From owner-freebsd-pf@FreeBSD.ORG Wed Jul 27 23:09:08 2005
From: "Melameth, Daniel D."
To: "Pejman Moghadam"
Cc: pf@benzedrine.cx, freebsd-pf@freebsd.org
Date: Wed, 27 Jul 2005 19:09:05 -0400
Subject: RE: pinging same host on the internet from two different LAN stations

Pejman Moghadam wrote:
> Melameth, Daniel D. wrote :
> > FWIW, while I haven't looked into this in detail, it appears Windows
> > clients always use the same ICMP ID--512...
>
> I think this is right, beacuse of this state entry :
>
> self icmp 192.168.1.18:512 -> 1.2.3.4:512 -> 192.9.9.3:512 0:0
>
> but i have not any problem with windows clients when i use ipfw in
> freebsd or even iptables in linux.
> why same ICMP ID(512) is so important for PF? how can i deal with
> that ?

I don't know the specifics of any of these other packet filters and haven't
looked at any code, but I'd speculate that ipfw and iptables are proxying
these ICMP IDs in some capacity, similar to the way TCP ports are proxied,
and pf is just using the ICMP ID that is provided by the client.

Then again, I could be very wrong.

Danny

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 28 07:40:28 2005
From: Marcel Braak
To: "Melameth, Daniel D."
Cc: pf@benzedrine.cx, freebsd-pf@freebsd.org
Date: Thu, 28 Jul 2005 09:40:28 +0200
Subject: Re: pinging same host on the internet from two different LAN stations
References: <31BA35C490DBFC40B5C331C7987835AE61236C@mbafmail.internal.mba-cpa.com> In-Reply-To: <31BA35C490DBFC40B5C331C7987835AE61236C@mbafmail.internal.mba-cpa.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: by XS4ALL Virus Scanner Cc: pf@benzedrine.cx, freebsd-pf@freebsd.org Subject: Re: pinging same host on the internet from two different LAN stations X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jul 2005 07:40:28 -0000 Melameth, Daniel D. wrote: >Pejman Moghadam wrote: > > >>Melameth, Daniel D. wrote : >> >> >>>FWIW, while I haven't looked into this in detail, it appears Windows >>>clients always use the same ICMP ID--512... >>> >>> >>I think this is right, because of this state entry : >> >>self icmp 192.168.1.18:512 -> 1.2.3.4:512 -> 192.9.9.3:512 0:0 >> >>but i have not any problem with windows clients when i use ipfw in >>freebsd or even iptables in linux. >>why same ICMP ID (512) is so important for PF? how can i deal with >>that ? >> >> > >I don't know the specifics of any of these other packet filters and haven't >looked at any code, but I'd speculate that ipfw and iptables are >proxying these ICMP IDs in some capacity similar to the way TCP ports >are proxied and pf is just using the ICMP ID that is provided by the >client. > >Then again, I could be very wrong. > >Danny > > > > I ran into this issue two days ago also. We have a monitoring server that monitors a couple of servers by sending pings, and is informing me when a server isn't reachable by sending me a sms. But when another host pings one of the servers the monitoring server can't ping the server anymore and is sending me a sms. In this case the server isn't down..
Before i had a linux/iptables firewall box that doesn't have this problem. I hope there's a fix for PF cause i think this is a very annoying issue. Marcel From owner-freebsd-pf@FreeBSD.ORG Thu Jul 28 09:37:49 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C12E616A41F for ; Thu, 28 Jul 2005 09:37:49 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5C24D43D5F for ; Thu, 28 Jul 2005 09:37:46 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1]) by insomnia.benzedrine.cx (8.13.4/8.12.11) with ESMTP id j6S9bdkr008536 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Thu, 28 Jul 2005 11:37:39 +0200 (MEST) Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.13.4/8.12.10/Submit) id j6S9bdJi020351; Thu, 28 Jul 2005 11:37:39 +0200 (MEST) Date: Thu, 28 Jul 2005 11:37:38 +0200 From: Daniel Hartmeier To: Marcel Braak Message-ID: <20050728093738.GH15154@insomnia.benzedrine.cx> References: <31BA35C490DBFC40B5C331C7987835AE61236C@mbafmail.internal.mba-cpa.com> <42E88BEC.4060007@xs4all.nl> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <42E88BEC.4060007@xs4all.nl> User-Agent: Mutt/1.5.6i Cc: "Melameth, Daniel D."
, pf@benzedrine.cx, freebsd-pf@freebsd.org Subject: Re: pinging same host on the internet from two different LAN stations X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jul 2005 09:37:50 -0000 On Thu, Jul 28, 2005 at 09:40:28AM +0200, Marcel Braak wrote: > Before i had a linux/iptables firewall box that doesn't have this problem. > I hope there's a fix for PF cause i think this is a very annoying issue.

You'll have to find out and explain to me how any other product dispatches incoming ping replies (ICMP echo reply) to the appropriate client, in this case. I'm assuming you're using a single NAT replacement address (and not a pool of several of them), and that the other product was working in that same configuration (you can't expect pf to work with a single address just because iptables did with a pool, for instance, that's comparing apples and oranges).

When two clients (let's call them 10.1.1.2 and 10.1.1.3) ping the same external host at the same time, the NAT device will translate both source addresses to its own (single) external address (say 87.76.7.79). Then the external peer (say 199.185.137.3) sends replies to both, which look like

# tcpdump -s 1600 -nvvvpX icmp
199.185.137.3 > 87.76.7.79: icmp: echo reply (id:4466 seq:2) (ttl 233, id 48582, len 84)
0000: 4500 0054 bdc6 0000 e901 648a c7b9 8903 E..T½Æ..é.d.ǹ..
0010: 574c 074f 0000 af3b 4466 0002 42e8 a4c6 WL.O..¯;Df..Bè¤Æ
0020: 0007 39a3 0809 0a0b 0c0d 0e0f 1011 1213 ..9£............
0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 ............ !"#
0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0050: 3435 3637 4567
199.185.137.3 > 87.76.7.79: icmp: echo reply (id:7816 seq:1) (ttl 233, id 25729, len 84)
0000: 4500 0054 6481 0000 e901 bdcf c7b9 8903 E..Td...é.½Ïǹ..
0010: 574c 074f 0000 af87 7816 0001 42e8 a511 WL.O..¯.x...Bè¥.
0020: 0004 0560 0809 0a0b 0c0d 0e0f 1011 1213 ...`............
0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 ............ !"#
0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0050: 3435 3637 4567

pf must decide, for each incoming reply, whether to send it to 10.1.1.2 or 10.1.1.3. There's nothing on IP level (no IP header field) that would help make that decision, both kinds of replies are equal on IP level. So, we peek into the ICMP header fields to find something which helps us associate replies with outgoing queries ("sessions", "connections"). The ICMP id (4466 and 7816 in the examples above) is a good candidate, as most ping tools will pick a random id per invocation.

Assuming Windows ping is not doing that, you'll have to provide an alternative way to decide which client to send replies to. There are ICMP sequence numbers, but they can and will overlap for concurrent ping invocations. The ICMP echo reply quotes the ICMP payload of the query. But most ping tools will use a constant payload, so that's no distinguishing criterion. The NAT device could tamper with the payload and insert its own ID there, but that's modifying the packet in an intrusive and unexpected way.

I'm curious how any NAT device would do that correctly without relying on unique/random ICMP ids.
You claim some do, you'll have to provide the evidence and explanation, if you want me to do the same in pf :) Daniel From owner-freebsd-pf@FreeBSD.ORG Thu Jul 28 12:47:21 2005 Return-Path: X-Original-To: pf@freebsd.org Delivered-To: freebsd-pf@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0351F16A41F for ; Thu, 28 Jul 2005 12:47:21 +0000 (GMT) (envelope-from gpt@tirloni.org) Received: from srv-03.bs2.com.br (srv-03.bs2.com.br [200.203.183.32]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9490A43D45 for ; Thu, 28 Jul 2005 12:47:20 +0000 (GMT) (envelope-from gpt@tirloni.org) Received: from localhost (localhost.bs2.com.br [127.0.0.1]) by srv-03.bs2.com.br (Postfix) with ESMTP id AF8D74AD6E for ; Thu, 28 Jul 2005 09:47:46 -0300 (BRT) Received: from [172.16.12.100] (unknown [201.15.55.66]) by srv-03.bs2.com.br (Postfix) with ESMTP id 5754A4AD58 for ; Thu, 28 Jul 2005 09:47:46 -0300 (BRT) Message-ID: <42E8D3D5.4030300@tirloni.org> Date: Thu, 28 Jul 2005 09:47:17 -0300 From: "Giovanni P. Tirloni" User-Agent: Mozilla Thunderbird 1.0.6-1.4.1.centos4 (X11/20050721) X-Accept-Language: en-us, en MIME-Version: 1.0 To: pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: rdr not working for transparent http - 5.4-stable X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jul 2005 12:47:21 -0000 Hello, I've deployed dozens of gateways with transparent HTTP proxy but this time it isn't working and I suspect pf is somehow involved in this. Packets aren't being redirected anywhere. I've disabled filtering totally to debug this. 
I've a rule to redirect every connection attempt to port 80 to 127.0.0.1 port 3128:

rdr on $lan_if proto tcp from { $lan_net } to any port 80 -> 127.0.0.1 port 3128

In squid.conf I've enabled this:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

The rdr rule is being matched and with tcpdump I see packets coming into the $lan_if but nothing gets to $ext_if or loopback. They simply disappear (and the originating machine doesn't get an answer back). Running tcpdump on pflog0 doesn't show anything either (as expected since there's no filter rule). This was happening on 5.3-STABLE and I updated the system to 5.4-STABLE this week. Both $int_if and $ext_if are vr interfaces. Weird enough.. this works on every other box except this and another one. And nothing fixes it. Any way to debug this ? I've run out of ideas. Thanks in advance, -- Giovanni P. Tirloni / gpt@tirloni.org From owner-freebsd-pf@FreeBSD.ORG Thu Jul 28 12:59:05 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C23D716A41F for ; Thu, 28 Jul 2005 12:59:05 +0000 (GMT) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.187]) by mx1.FreeBSD.org (Postfix) with ESMTP id 25DF343D45 for ; Thu, 28 Jul 2005 12:59:04 +0000 (GMT) (envelope-from max@love2party.net) Received: from p54A3C5B5.dip.t-dialin.net [84.163.197.181] (helo=donor.laier.local) by mrelayeu.kundenserver.de with ESMTP (Nemesis), id 0ML2Dk-1Dy7yT3LPP-0008Sg; Thu, 28 Jul 2005 14:58:57 +0200 From: Max Laier To: freebsd-pf@freebsd.org Date: Thu, 28 Jul 2005 14:58:50 +0200 User-Agent: KMail/1.8 References: <42E8D3D5.4030300@tirloni.org> In-Reply-To: <42E8D3D5.4030300@tirloni.org> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1412734.mHpqiqbltI";
protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200507281458.56534.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: Subject: Re: rdr not working for transparent http - 5.4-stable X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jul 2005 12:59:05 -0000 --nextPart1412734.mHpqiqbltI Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Thursday 28 July 2005 14:47, Giovanni P. Tirloni wrote: > Hello, > > I've deployed dozens of gateways with transparent HTTP proxy but this > time it isn't working and I suspect pf is somehow involved in this. > Packets aren't being redirected anywhere. I've disabled filtering > totally to debug this. > > I've a rule to redirect every connection attempt to port 80 to > 127.0.0.1 port 3128: > > rdr on $lan_if proto tcp from { $lan_net } to any port 80 -> 127.0.0.1 > port 3128 > > In squid.conf I've enabled this: > > httpd_accel_host virtual > httpd_accel_port 80 > httpd_accel_with_proxy on > httpd_accel_uses_host_header on > > > The rdr rule is being matched and with tcpdump I see packets coming > into the $lan_if but nothing gets to $ext_if or loopback. They simply > disappear (and the originating machine doesn't get an answer back). > > Running tcpdump on pflog0 doesn't show anything either (as expected > since there's no filter rule). > > This was happening on 5.3-STABLE and I updated the system to > 5.4-STABLE this week. Both $int_if and $ext_if are vr interfaces. > > Weird enough.. this works on every other box except this and another > one. And nothing fixes it. > > Any way to debug this ? I've run out of ideas.
One thing comes to my mind: What does
$sysctl net.inet.ip.forwarding
say?

> Thanks in advance,

-- 
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
 X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 28 13:21:13 2005 Return-Path: X-Original-To: pf@freebsd.org Delivered-To: freebsd-pf@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4F10516A41F for ; Thu, 28 Jul 2005 13:21:13 +0000 (GMT) (envelope-from gpt@tirloni.org) Received: from srv-03.bs2.com.br (srv-03.bs2.com.br [200.203.183.32]) by mx1.FreeBSD.org (Postfix) with ESMTP id D702F43D48 for ; Thu, 28 Jul 2005 13:21:12 +0000 (GMT) (envelope-from gpt@tirloni.org) Received: from localhost (localhost.bs2.com.br [127.0.0.1]) by srv-03.bs2.com.br (Postfix) with ESMTP id 505074AD87; Thu, 28 Jul 2005 10:21:39 -0300 (BRT) Received: from [172.16.12.100] (unknown [201.15.55.66]) by srv-03.bs2.com.br (Postfix) with ESMTP id D109C4AD86; Thu, 28 Jul 2005 10:21:38 -0300 (BRT) Message-ID: <42E8DBC6.6060907@tirloni.org> Date: Thu, 28 Jul 2005 10:21:10 -0300 From: "Giovanni P.
Tirloni" User-Agent: Mozilla Thunderbird 1.0.6-1.4.1.centos4 (X11/20050721) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Max Laier References: <42E8D3D5.4030300@tirloni.org> <200507281458.56534.max@love2party.net> In-Reply-To: <200507281458.56534.max@love2party.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: pf@freebsd.org Subject: Re: rdr not working for transparent http - 5.4-stable X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jul 2005 13:21:13 -0000 Max Laier wrote: > One thing comes to my mind: What does > $sysctl net.inet.ip.forwarding > say?

# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1

I had some tweaks in /etc/sysctl but disabling them didn't help either.

#net.inet.ip.check_interface=1
#net.inet.tcp.blackhole=2
#net.inet.udp.blackhole=1

-- Giovanni P.
Tirloni / gpt@tirloni.org From owner-freebsd-pf@FreeBSD.ORG Thu Jul 28 13:44:42 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 31D8616A41F for ; Thu, 28 Jul 2005 13:44:42 +0000 (GMT) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.188]) by mx1.FreeBSD.org (Postfix) with ESMTP id 916A143D45 for ; Thu, 28 Jul 2005 13:44:41 +0000 (GMT) (envelope-from max@love2party.net) Received: from p54A3C5B5.dip.t-dialin.net [84.163.197.181] (helo=donor.laier.local) by mrelayeu.kundenserver.de with ESMTP (Nemesis), id 0MKxQS-1Dy8gh17an-0006Cn; Thu, 28 Jul 2005 15:44:39 +0200 From: Max Laier To: freebsd-pf@freebsd.org Date: Thu, 28 Jul 2005 15:44:27 +0200 User-Agent: KMail/1.8 References: <42E8D3D5.4030300@tirloni.org> In-Reply-To: <42E8D3D5.4030300@tirloni.org> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart3465401.Pxu1IQBoJs"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200507281544.37158.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: Subject: Re: rdr not working for transparent http - 5.4-stable X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jul 2005 13:44:42 -0000 --nextPart3465401.Pxu1IQBoJs Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Okay ... so we have to look more closely ... On Thursday 28 July 2005 14:47, Giovanni P. 
Tirloni wrote: > I've deployed dozens of gateways with transparent HTTP proxy but this > time it isn't working and I suspect pf is somehow involved in this. > Packets aren't being redirected anywhere. I've disabled filtering > totally to debug this. > > I've a rule to redirect every connection attempt to port 80 to > 127.0.0.1 port 3128: > > rdr on $lan_if proto tcp from { $lan_net } to any port 80 -> 127.0.0.1 > port 3128

What does $lan_net contain? And why do you need the "{}"? What does this rule expand to?

> In squid.conf I've enabled this: > > httpd_accel_host virtual > httpd_accel_port 80 > httpd_accel_with_proxy on > httpd_accel_uses_host_header on

Could you try to bind netcat to 127.0.0.1:3128 instead to see if it is a squid issue or not?

> The rdr rule is being matched and with tcpdump I see packets coming > into the $lan_if but nothing gets to $ext_if or loopback. They simply > disappear (and the originating machine doesn't get an answer back). > > Running tcpdump on pflog0 doesn't show anything either (as expected > since there's no filter rule).

Could you add a
pass log all
or
pass log inet proto tcp from any to 127.0.0.1 port = 3128
rule to get a better look at things. Rule counters are interesting on those as well.

> This was happening on 5.3-STABLE and I updated the system to > 5.4-STABLE this week. Both $int_if and $ext_if are vr interfaces. > > Weird enough.. this works on every other box except this and another > one. And nothing fixes it. > > Any way to debug this ? I've run out of ideas.
> > Thanks in advance,

-- 
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
 X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 28 15:20:52 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7E33016A41F for ; Thu, 28 Jul 2005 15:20:52 +0000 (GMT) (envelope-from kop@meme.com) Received: from mail22.sea5.speakeasy.net (mail22.sea5.speakeasy.net [69.17.117.24]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2B37143D46 for ; Thu, 28 Jul 2005 15:20:52 +0000 (GMT) (envelope-from kop@meme.com) Received: (qmail 27926 invoked from network); 28 Jul 2005 15:20:51 -0000 Received: from dsl093-114-095.chi2.dsl.speakeasy.net (HELO mofo.meme.com) ([66.93.114.95]) (envelope-sender ) by mail22.sea5.speakeasy.net (qmail-ldap-1.03) with SMTP for ; 28 Jul 2005 15:20:51 -0000 Received: from mofo (localhost.localdomain [127.0.0.1]) by mofo.meme.com (Postfix) with ESMTP id E1C6D6E422; Thu, 28 Jul 2005 11:15:27 -0500 (CDT) Date: Thu, 28 Jul 2005 16:15:27 +0000 From: "Karl O.
Pinc" To: pf@benzedrine.cx References: <31BA35C490DBFC40B5C331C7987835AE61236C@mbafmail.internal.mba-cpa.com> <42E88BEC.4060007@xs4all.nl> <20050728093738.GH15154@insomnia.benzedrine.cx> In-Reply-To: <20050728093738.GH15154@insomnia.benzedrine.cx> (from daniel@benzedrine.cx on Thu Jul 28 04:37:38 2005) X-Mailer: Balsa 2.3.0 Message-Id: <1122567327l.19571l.1l@mofo> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; DelSp=Yes; Format=Flowed Content-Disposition: inline Content-Transfer-Encoding: 8bit Cc: freebsd-pf@freebsd.org Subject: Re: pinging same host on the internet from two different LAN stations X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jul 2005 15:20:52 -0000 On 07/28/2005 04:37:38 AM, Daniel Hartmeier wrote: > Assuming Windows ping is not doing that, you'll have to provide an > alternative way to decide which client to send replies to. There are > ICMP > sequence numbers, but they can and will overlap for concurrent ping > invocations. The ICMP echo reply quotes the ICMP payload of the query. > But most ping tools will use a constant payload, so that's no > distinguishing criterion. The NAT device could tamper with the payload > and insert its own ID there, but that's modifying the packet in an > intrusive and unexpected way. > > I'm curious how any NAT device would do that correctly without relying > on unique/random ICMP ids. I cannot speak to how anything is implemented anywhere, but it seems to me that the NAT device could substitute its own ICMP ID, which it saves in a state table associated with the sending IP. When the ICMP reply returns it would then put the original ICMP id back. This scheme swaps ICMP IDs in a fashion analogous to the swapping of ports in TCP/UDP NAT port mapping.
I imagine this would require another kind of pf translation declaration. Regards, Karl Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein P.S. I remain anxious to hear whether I'd be wasting my time pursuing inbound traffic bandwidth management. The thread is: http://marc.theaimsgroup.com/?t=112139406900001&r=1&w=2 From owner-freebsd-pf@FreeBSD.ORG Fri Jul 29 14:47:14 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DBE6516A41F for ; Fri, 29 Jul 2005 14:47:14 +0000 (GMT) (envelope-from dmehler26@woh.rr.com) Received: from ms-smtp-03-eri0.ohiordc.rr.com (ms-smtp-03-smtplb.ohiordc.rr.com [65.24.5.137]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4611C43D46 for ; Fri, 29 Jul 2005 14:47:14 +0000 (GMT) (envelope-from dmehler26@woh.rr.com) Received: from satellite (cpe-65-31-44-187.woh.res.rr.com [65.31.44.187]) by ms-smtp-03-eri0.ohiordc.rr.com (8.12.10/8.12.7) with SMTP id j6TElBYF001989 for ; Fri, 29 Jul 2005 10:47:11 -0400 (EDT) Message-ID: <000701c5944c$3af95010$0200a8c0@satellite> From: "dave" To: Date: Fri, 29 Jul 2005 10:45:57 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1506 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1506 X-Virus-Scanned: Symantec AntiVirus Scan Engine Subject: referencing a dynamic external IP with pf X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: dave List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Jul 2005 14:47:15 -0000 Hello, I've got an IP via dhcp for my external nic, which changes periodically. 
I've got a macro with it hard coded, but every time it changes i have to update it. I was wondering if there was a better way? Thanks. Dave. From owner-freebsd-pf@FreeBSD.ORG Fri Jul 29 14:53:40 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8E83A16A41F for ; Fri, 29 Jul 2005 14:53:40 +0000 (GMT) (envelope-from max@neuropunks.org) Received: from finn.neuropunks.org (neuropunks.org [38.117.144.218]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4613443D49 for ; Fri, 29 Jul 2005 14:53:39 +0000 (GMT) (envelope-from max@neuropunks.org) Received: from localhost (localhost [127.0.0.1]) by finn.neuropunks.org (Postfix) with ESMTP id 5E6C035; Fri, 29 Jul 2005 09:53:29 -0500 (EST) Received: from finn.neuropunks.org ([127.0.0.1]) by localhost (finn [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 56475-08; Fri, 29 Jul 2005 09:53:27 -0500 (EST) Received: by finn.neuropunks.org (Postfix, from userid 1001) id 5A5D726; Fri, 29 Jul 2005 09:53:27 -0500 (EST) Date: Fri, 29 Jul 2005 09:53:27 -0500 From: max To: dave Message-ID: <20050729145327.GA22219@neuropunks.org> References: <000701c5944c$3af95010$0200a8c0@satellite> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <000701c5944c$3af95010$0200a8c0@satellite> User-Agent: Mutt/1.4.2.1i Cc: freebsd-pf@freebsd.org Subject: Re: referencing a dynamic external IP with pf X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Jul 2005 14:53:40 -0000

ext="hme1"
nat on $ext from $local_net/24 to any -> ($ext)

($ext) refers to the actual interface, such as hme1 in my case, and will not care about the ip.
On Fri, Jul 29, 2005 at 10:45:57AM -0400, dave wrote: > Hello, > I've got an IP via dhcp for my external nic, which changes periodically. > I've got a macro with it hard coded, but every time it changes i have to > update it. I was wondering if there was a better way? > Thanks. > Dave. > > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > From owner-freebsd-pf@FreeBSD.ORG Fri Jul 29 15:11:05 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5518916A41F for ; Fri, 29 Jul 2005 15:11:05 +0000 (GMT) (envelope-from sullrich@gmail.com) Received: from rproxy.gmail.com (rproxy.gmail.com [64.233.170.196]) by mx1.FreeBSD.org (Postfix) with ESMTP id DB84C43D45 for ; Fri, 29 Jul 2005 15:11:04 +0000 (GMT) (envelope-from sullrich@gmail.com) Received: by rproxy.gmail.com with SMTP id r35so969084rna for ; Fri, 29 Jul 2005 08:11:01 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=YOsM6RlExfvN7+GmQBArmiJZMmIoPOVhkNdzY2uJqJrNyKjyJJet+WKDdb6TlHExNEs1lns2DoKbZtfzjcpv7/Th+RaVcfgxhcB/ySqXvPIxCeG6aeRzFSPCiglOSiIFTuIjF4IgTqDMYtgYWvWP/8afyl9wOozKfoaHwjm7NVo= Received: by 10.38.76.79 with SMTP id y79mr130744rna; Fri, 29 Jul 2005 08:11:01 -0700 (PDT) Received: by 10.38.207.79 with HTTP; Fri, 29 Jul 2005 08:11:01 -0700 (PDT) Message-ID: Date: Fri, 29 Jul 2005 11:11:01 -0400 From: Scott Ullrich To: dave In-Reply-To: <000701c5944c$3af95010$0200a8c0@satellite> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline
References: <000701c5944c$3af95010$0200a8c0@satellite> Cc: freebsd-pf@freebsd.org Subject: Re: referencing a dynamic external IP with pf X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Scott Ullrich List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Jul 2005 15:11:05 -0000 How about calling your script from dhclient-exit-script ? Scott On 7/29/05, dave wrote: > Hello, > I've got an IP via dhcp for my external nic, which changes periodically. > I've got a macro with it hard coded, but every time it changes i have to > update it. I was wondering if there was a better way? > Thanks. > Dave. > > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" >
From owner-freebsd-pf@FreeBSD.ORG Sat Jul 30 13:01:37 2005 Return-Path: X-Original-To: pf@freebs.org Delivered-To: freebsd-pf@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E8BEF16A41F for ; Sat, 30 Jul 2005 13:01:37 +0000 (GMT) (envelope-from gpt@tirloni.org) Received: from srv-03.bs2.com.br (srv-03.bs2.com.br [200.203.183.32]) by mx1.FreeBSD.org (Postfix) with ESMTP id AD99643D49 for ; Sat, 30 Jul 2005 13:01:33 +0000 (GMT) (envelope-from gpt@tirloni.org) Received: from localhost (localhost.bs2.com.br [127.0.0.1]) by srv-03.bs2.com.br (Postfix) with ESMTP id 1D5FB4B4A8 for ; Sat, 30 Jul 2005 10:02:01 -0300 (BRT) Received: from [172.16.12.100] (unknown [201.15.55.66]) by srv-03.bs2.com.br (Postfix) with ESMTP id BAFF24B496 for ; Sat, 30 Jul 2005 10:02:00 -0300 (BRT) Message-ID: <42EB7A2A.3080701@tirloni.org> Date: Sat, 30 Jul 2005 10:01:30 -0300 From: "Giovanni P.
Tirloni" User-Agent: Mozilla Thunderbird 1.0.6-1.4.1.centos4 (X11/20050721) X-Accept-Language: en-us, en MIME-Version: 1.0 To: pf@freebsd.org References: <42E8D3D5.4030300@tirloni.org> <200507281458.56534.max@love2party.net> <42E8DBC6.6060907@tirloni.org> In-Reply-To: <42E8DBC6.6060907@tirloni.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: Re: rdr not working for transparent http - 5.4-stable X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 30 Jul 2005 13:01:38 -0000 Giovanni P. Tirloni wrote: > Max Laier wrote: > >> One thing comes to my mind: What does >> $sysctl net.inet.ip.forwarding >> say? > > > # sysctl net.inet.ip.forwarding > net.inet.ip.forwarding: 1 > > I had some tweaks in /etc/sysctl but disabling them didn't help either. > > #net.inet.ip.check_interface=1 > #net.inet.tcp.blackhole=2 > #net.inet.udp.blackhole=1 > I forgot to mention this box had ipfw+dummynet (with two queues) activated. I disabled ipfw in the kernel and pf rdr worked again! Just removing the ipfw rules didn't work. Weird enough, I don't have dummynet on the other 2 machines that have the same problem. But ipfw is compiled in but disabled. I'll try to disable ipfw on the other boxes and see what happens there to confirm this. -- Giovanni P.
Tirloni / gpt@tirloni.org From owner-freebsd-pf@FreeBSD.ORG Sat Jul 30 22:50:29 2005 Return-Path: X-Original-To: pf@freebsd.org Delivered-To: freebsd-pf@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6BF4A16A423 for ; Sat, 30 Jul 2005 22:50:29 +0000 (GMT) (envelope-from khaled.abu@gmail.com) Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.206]) by mx1.FreeBSD.org (Postfix) with ESMTP id F0B5E43D46 for ; Sat, 30 Jul 2005 22:50:28 +0000 (GMT) (envelope-from khaled.abu@gmail.com) Received: by wproxy.gmail.com with SMTP id i32so761549wra for ; Sat, 30 Jul 2005 15:50:28 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=Hhs9kpRyyzAtTF/B298IHSJI+xFZuOQ9RB5I8amOodffdzM3ajmPpG4PeW1exUCIae8bh8+Zid2BdUQWGel20+H3jWDm7Eb0SOs6GbeXz5NGGk54HDLMrO9HtjOQTtyfYddlz6tzpGIU7Yggtur2QSUgOK9Ibosd4IxYadBDOsA= Received: by 10.54.37.1 with SMTP id k1mr2072331wrk; Sat, 30 Jul 2005 15:50:28 -0700 (PDT) Received: by 10.54.66.16 with HTTP; Sat, 30 Jul 2005 15:50:28 -0700 (PDT) Message-ID: Date: Sun, 31 Jul 2005 01:50:28 +0300 From: Abu Khaled To: "Giovanni P. 
Tirloni" In-Reply-To: <42EB7A2A.3080701@tirloni.org> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <42E8D3D5.4030300@tirloni.org> <200507281458.56534.max@love2party.net> <42E8DBC6.6060907@tirloni.org> <42EB7A2A.3080701@tirloni.org> Cc: pf@freebsd.org Subject: Re: rdr not working for transparent http - 5.4-stable X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Abu Khaled List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 30 Jul 2005 22:50:29 -0000 On 7/30/05, Giovanni P. Tirloni wrote: > Giovanni P. Tirloni wrote: > > Max Laier wrote: > > > >> One thing comes to my mind: What does > >> $sysctl net.inet.ip.forwarding > >> say? > > > > > > # sysctl net.inet.ip.forwarding > > net.inet.ip.forwarding: 1 > > > > I had some tweaks in /etc/sysctl but disabling them didn't help either. > > > > #net.inet.ip.check_interface=3D1 > > #net.inet.tcp.blackhole=3D2 > > #net.inet.udp.blackhole=3D1 > > >=20 > I forgot to mention this box had ipfw+dummnyet (with two queues) > activated. I disabled ipfw in the kernel and pf rdr worked again! Just > removing the ipfw rules didn't work. >=20 > Weird enough, I don't have dummynet on the other 2 machines that have > the same problem. But ipfw is compiled in but disabled. >=20 > I'll try to disable ipfw on the other boxes and see what happens there > to confirm this. If ipfw is compiled in the kernel and it defaults to deny all, then you need to add rules for ipfw to allow connections to and from localhost (127.0.0.1 and port 3128). Otherwise ipfw well drop 'pf rdr traffic'. # ipfw add allow tcp from $lan_net to 127.0.0.1 3128 # ipfw add allow tcp from 127.0.0.1 3128 to $lan_net Put the rules before any anti spoofing rules in ipfw. --=20 Regards. Abu Khaled
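The following is an added illustration of the interaction Abu Khaled describes, not code from the thread or from FreeBSD. It models the two stages in Python: pf's rdr rewrites the destination of LAN web traffic to 127.0.0.1:3128, and then a default-deny ipfw ruleset is evaluated first-match against the rewritten packet, as the reply says happens. The LAN prefix 192.168.1.0/24, the interface name fxp0, the sample client packet, and the anti-spoof block (an allow on lo0 followed by denies for 127.0.0.0/8 in either direction, in the style of FreeBSD's rc.firewall) are all constructed assumptions; the model's point is that the two allow rules only help when they sit before the anti-spoof denies.

```python
"""Model of pf rdr followed by ipfw first-match evaluation (added example, not project code)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet was received on
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def pf_rdr(pkt: Packet, lan_net: str,
           rdr_to: Tuple[str, int] = ("127.0.0.1", 3128)) -> Packet:
    """Equivalent of: rdr proto tcp from $lan_net to any port 80 -> 127.0.0.1 port 3128.
    Only the destination is rewritten; everything else is left untouched."""
    if (pkt.proto == "tcp" and pkt.dport == 80
            and ip_address(pkt.src) in ip_network(lan_net)):
        return replace(pkt, dst=rdr_to[0], dport=rdr_to[1])
    return pkt


@dataclass(frozen=True)
class IpfwRule:
    action: str                    # "allow" or "deny"
    proto: str = "any"
    src: str = "any"               # address or prefix, "any" matches all
    sport: Optional[int] = None    # None matches any port
    dst: str = "any"
    dport: Optional[int] = None
    iface: Optional[str] = None    # 'via' interface match, None matches any

    def matches(self, pkt: Packet) -> bool:
        def net_ok(spec: str, addr: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)
        return (self.proto in ("any", pkt.proto)
                and net_ok(self.src, pkt.src)
                and net_ok(self.dst, pkt.dst)
                and self.sport in (None, pkt.sport)
                and self.dport in (None, pkt.dport)
                and self.iface in (None, pkt.iface))


def ipfw(rules: List[IpfwRule], pkt: Packet) -> str:
    """First matching rule decides; a kernel built default-deny drops anything unmatched."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


LAN_NET = "192.168.1.0/24"   # assumed LAN prefix, stands in for $lan_net

# Constructed anti-spoof block in the style of rc.firewall: loopback is fine on lo0,
# but 127.0.0.0/8 must never appear on a real interface in either direction.
ANTI_SPOOF = [
    IpfwRule("allow", iface="lo0"),
    IpfwRule("deny", dst="127.0.0.0/8"),
    IpfwRule("deny", src="127.0.0.0/8"),
]

# The two rules from the reply: ipfw add allow tcp from $lan_net to 127.0.0.1 3128
# and ipfw add allow tcp from 127.0.0.1 3128 to $lan_net.
RDR_ALLOW = [
    IpfwRule("allow", proto="tcp", src=LAN_NET, dst="127.0.0.1", dport=3128),
    IpfwRule("allow", proto="tcp", src="127.0.0.1", sport=3128, dst=LAN_NET),
]


def verdict(ruleset: List[IpfwRule], pkt: Packet, lan_net: str = LAN_NET) -> str:
    """pf translation first, then ipfw on the translated packet."""
    return ipfw(ruleset, pf_rdr(pkt, lan_net))


# Constructed sample traffic: a LAN client's web request arriving on the inside
# interface, and the proxy's reply as ipfw sees it (source still 127.0.0.1:3128).
CLIENT_REQ = Packet("fxp0", "tcp", "192.168.1.20", 40000, "203.0.113.10", 80)
PROXY_REPLY = Packet("fxp0", "tcp", "127.0.0.1", 3128, "192.168.1.20", 40000)

if __name__ == "__main__":
    for label, rules in (("no rules (default deny)", []),
                         ("anti-spoof before allow", ANTI_SPOOF + RDR_ALLOW),
                         ("allow before anti-spoof", RDR_ALLOW + ANTI_SPOOF)):
        print(f"{label:26} request={verdict(rules, CLIENT_REQ)} reply={verdict(rules, PROXY_REPLY)}")
```

Running it prints deny for the first two orderings and allow only for the third: the redirected request now carries a 127.0.0.1 destination on a non-loopback interface, so a "deny any to 127.0.0.0/8" rule placed earlier swallows it before the specific allow is ever consulted. The same applies to the reply and the "deny from 127.0.0.0/8" rule, which is why the reply tells you to put the allow rules first.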
