From owner-freebsd-pf@FreeBSD.ORG Sun Jul 31 01:49:02 2005
From: "Giovanni P. Tirloni"
To: Abu Khaled
Cc: pf@freebsd.org
Date: Sat, 30 Jul 2005 22:47:58 -0300
Message-ID: <42EC2DCE.4090009@tirloni.org>
Subject: Re: rdr not working for transparent http - 5.4-stable
List-Id: "Technical discussion and general questions about packet filter (pf)"

Abu Khaled wrote:
> On 7/30/05, Giovanni P. Tirloni wrote:
>
>> Giovanni P. Tirloni wrote:
>>
>>> Max Laier wrote:
>>>
>>>> One thing comes to my mind: What does
>>>>   $ sysctl net.inet.ip.forwarding
>>>> say?
>>>
>>> # sysctl net.inet.ip.forwarding
>>> net.inet.ip.forwarding: 1
>>>
>>> I had some tweaks in /etc/sysctl but disabling them didn't help either.
>>>
>>> #net.inet.ip.check_interface=1
>>> #net.inet.tcp.blackhole=2
>>> #net.inet.udp.blackhole=1
>>
>> I forgot to mention this box had ipfw+dummynet (with two queues)
>> activated. I disabled ipfw in the kernel and pf rdr worked again! Just
>> removing the ipfw rules didn't work.
>>
>> Weird enough, I don't have dummynet on the other 2 machines that have
>> the same problem. But ipfw is compiled in but disabled.
>>
>> I'll try to disable ipfw on the other boxes and see what happens there
>> to confirm this.
>
> If ipfw is compiled in the kernel and it defaults to deny all, then
> you need to add rules for ipfw to allow connections to and from
> localhost (127.0.0.1 and port 3128). Otherwise ipfw will drop 'pf rdr
> traffic'.
>
> # ipfw add allow tcp from $lan_net to 127.0.0.1 3128
> # ipfw add allow tcp from 127.0.0.1 3128 to $lan_net
>
> Put the rules before any anti spoofing rules in ipfw.

I think there's something in the code that makes it not work because I
set ipfw to accept by default on every machine I have. There must be
something else.

-- 
Giovanni P. Tirloni / gpt@tirloni.org / PGP: 0xD0315C26

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 31 06:18:46 2005
Date: Sun, 31 Jul 2005 09:18:43 +0300
From: Abu Khaled
To: "Giovanni P. Tirloni"
Cc: pf@freebsd.org
In-Reply-To: <42EC2DCE.4090009@tirloni.org>
Subject: Re: rdr not working for transparent http - 5.4-stable

On 7/31/05, Giovanni P. Tirloni wrote:
> Abu Khaled wrote:
> > On 7/30/05, Giovanni P. Tirloni wrote:
> >
> >> Giovanni P. Tirloni wrote:
> >>
> >>> Max Laier wrote:
> >>>
> >>>> One thing comes to my mind: What does
> >>>>   $ sysctl net.inet.ip.forwarding
> >>>> say?
> >>>
> >>> # sysctl net.inet.ip.forwarding
> >>> net.inet.ip.forwarding: 1
> >>>
> >>> I had some tweaks in /etc/sysctl but disabling them didn't help either.
> >>>
> >>> #net.inet.ip.check_interface=1
> >>> #net.inet.tcp.blackhole=2
> >>> #net.inet.udp.blackhole=1
> >>
> >> I forgot to mention this box had ipfw+dummynet (with two queues)
> >> activated. I disabled ipfw in the kernel and pf rdr worked again! Just
> >> removing the ipfw rules didn't work.
> >>
> >> Weird enough, I don't have dummynet on the other 2 machines that have
> >> the same problem. But ipfw is compiled in but disabled.
> >>
> >> I'll try to disable ipfw on the other boxes and see what happens there
> >> to confirm this.
> >
> > If ipfw is compiled in the kernel and it defaults to deny all, then
> > you need to add rules for ipfw to allow connections to and from
> > localhost (127.0.0.1 and port 3128). Otherwise ipfw will drop 'pf rdr
> > traffic'.
> >
> > # ipfw add allow tcp from $lan_net to 127.0.0.1 3128
> > # ipfw add allow tcp from 127.0.0.1 3128 to $lan_net
> >
> > Put the rules before any anti spoofing rules in ipfw.
>
> I think there's something in the code that makes it not work because I
> set ipfw to accept by default on every machine I have. There must be
> something else.

Sounds confusing !!!

Do you mind providing your ipfw/pf rules and the output of:
# squid -v
# ls -l /dev/pf

Just to have a look at them while I scratch my head (to express the
confused system administrator emotion).

-- 
Regards.
Abu Khaled

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 31 15:58:31 2005
From: Tilman Linneweh
To: freebsd-pf@FreeBSD.org
Date: Sun, 31 Jul 2005 17:58:23 +0200
Subject: PF on 6.0 and ICQ

Hi list,

I upgraded my Firewall to RELENG_6, the Firewall does NAT for an RFC1918
net, and the relevant part of the ruleset looks like this:

nat on $ext_if from $internal_net to any -> ($ext_if)
pass in on $int_if from {$internal_net, 224.0.0.0/4} to any keep state allow-opts
pass out on $int_if from any to {$internal_net, 224.0.0.0/4} keep state allow-opts
pass out on $ext_if proto { tcp, udp } all keep state

With RELENG_5 ICQ from the hosts on the RFC1918 network worked, but now
they are not able to connect to the ICQ Server.

The logged traffic on pflog0 looks like this:

17:45:25.966685 IP (tos 0x0, ttl 62, id 63506, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.1.24.49231 > 205.188.7.248.5190: S 920618149:920618149(0) win 65535
17:45:28.871854 IP (tos 0x0, ttl 62, id 63512, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.1.24.49231 > 205.188.7.248.5190: S 920618149:920618149(0) win 65535
17:45:31.872076 IP (tos 0x0, ttl 62, id 63515, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.1.24.49231 > 205.188.7.248.5190: S 920618149:920618149(0) win 65535
17:45:34.874595 IP (tos 0x0, ttl 62, id 63518, offset 0, flags [DF], proto: TCP (6), length: 44) 192.168.1.24.49231 > 205.188.7.248.5190: S, cksum 0x7097 (correct), 920618149:920618149(0) win 65535
17:45:37.874576 IP (tos 0x0, ttl 62, id 63520, offset 0, flags [DF], proto: TCP (6), length: 44) 192.168.1.24.49231 > 205.188.7.248.5190: S, cksum 0x7097 (correct), 920618149:920618149(0) win 65535

Anyone got an idea, why this traffic doesn't match the pass rules anymore?

regards
tilman

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 31 17:14:11 2005
From: Max Laier
To: freebsd-pf@freebsd.org
Cc: Tilman Linneweh
Date: Sun, 31 Jul 2005 19:13:58 +0200
Message-Id: <200507311914.03774.max@love2party.net>
Subject: Re: PF on 6.0 and ICQ

On Sunday 31 July 2005 17:58, Tilman Linneweh wrote:
> Hi list,
>
> I upgraded my Firewall to RELENG_6,
> the Firewall does NAT for an RFC1918 net, and the relevant part of the
> ruleset looks like this:
>
> nat on $ext_if from $internal_net to any -> ($ext_if)
> pass in on $int_if from {$internal_net, 224.0.0.0/4} to any keep state
> allow-opts
> pass out on $int_if from any to {$internal_net, 224.0.0.0/4} keep state
> allow-opts
> pass out on $ext_if proto { tcp, udp } all keep state
>
> With RELENG_5 ICQ from the hosts on the RFC1918 network worked, but now
> they are not able to connect to the ICQ Server.
>
> The logged traffic on pflog0 looks like this:
> 17:45:25.966685 IP (tos 0x0, ttl 62, id 63506, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.1.24.49231 > 205.188.7.248.5190: S 920618149:920618149(0) win 65535
> 17:45:28.871854 IP (tos 0x0, ttl 62, id 63512, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.1.24.49231 > 205.188.7.248.5190: S 920618149:920618149(0) win 65535
> 17:45:31.872076 IP (tos 0x0, ttl 62, id 63515, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.1.24.49231 > 205.188.7.248.5190: S 920618149:920618149(0) win 65535
> 17:45:34.874595 IP (tos 0x0, ttl 62, id 63518, offset 0, flags [DF], proto: TCP (6), length: 44) 192.168.1.24.49231 > 205.188.7.248.5190: S, cksum 0x7097 (correct), 920618149:920618149(0) win 65535
> 17:45:37.874576 IP (tos 0x0, ttl 62, id 63520, offset 0, flags [DF], proto: TCP (6), length: 44) 192.168.1.24.49231 > 205.188.7.248.5190: S, cksum 0x7097 (correct), 920618149:920618149(0) win 65535
>
> Anyone got an idea, why this traffic doesn't match the pass rules
> anymore?

Can you add a "-e" when tcpdump'ing pflog so it shows the reason for the drop
(i.e. what rule was matched etc.)?

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 31 18:36:06 2005
Message-ID: <1415.201.3.86.223.1122834946.squirrel@webmail.bs2.com.br>
Date: Sun, 31 Jul 2005 15:35:46 -0300 (BRT)
From: "Giovanni P. Tirloni"
To: "Abu Khaled"
Cc: pf@freebsd.org
Subject: Re: rdr not working for transparent http - 5.4-stable

Abu Khaled wrote:
> On 7/31/05, Giovanni P. Tirloni wrote:
>> I think there's something in the code that makes it not work because I
>> set ipfw to accept by default on every machine I have. There must be
>> something else.
>
> Sounds confusing !!!
>
> Do you mind providing your ipfw/pf rules and the output of:
> # squid -v
> # ls -l /dev/pf
>
> Just to have a look at them while I scratch my head (to express the
> confused system administrator emotion).

1. pf is enabled:

   device pf

2. ipfw is enabled and accepts by default:

   options IPFIREWALL
   options IPFIREWALL_DEFAULT_TO_ACCEPT

3. I've no ipfw rules. ipfw is only compiled in and has just one rule to
   accept everything (implied by the kernel option).

ipfw was just sitting there doing nothing useful for me and pf rdr didn't
work (nat and block/pass worked). I removed ipfw from my kernel config and
now pf rdr works. Squid is running in transparent mode.

Now everything works and I'll try to simulate this behaviour on a lab
machine just not to annoy the customer anymore. I'll let the list know
about the results.

Sorry about confusing it all.. thanks everybody.

-- 
Giovanni P. Tirloni

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 1 00:35:23 2005
In-Reply-To: <200507311914.03774.max@love2party.net>
From: Tilman Linneweh
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Mon, 1 Aug 2005 02:35:14 +0200
Subject: Re: PF on 6.0 and ICQ

On 31.07.2005 at 19:13, Max Laier wrote:
>> 17:45:37.874576 IP (tos 0x0, ttl 62, id 63520, offset 0, flags [DF],
>> proto: TCP (6), length: 44) 192.168.1.24.49231 > 205.188.7.248.5190:
>> S, cksum 0x7097 (correct), 920618149:920618149(0) win 65535
>>
>> Anyone got an idea, why this traffic doesn't match the pass rules
>> anymore?
>
> Can you add a "-e" when tcpdump'ing pflog so it shows the reason for
> the drop (i.e. what rule was matched etc.)?

Thanks, this helped a lot. It turns out that the firewall was trying to
connect to this specific IP via the $int_if instead of the $ext_if,
although the routing table displayed by netstat -r looked sane and had
no special entry for this IP.

I decided to reboot the box, and now ICQ works again.

regards
tilman
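As an added illustration of the "-e" tip and of what the pflog output then revealed (packets leaving via $int_if instead of $ext_if), here is a small parser for the pflog header that tcpdump -e prints, plus a check that flags blocked packets seen on an unexpected interface. This is example code written for this archive, not from the thread or from pf; it assumes the tcpdump.org header format "rule N/M(reason): action dir on ifname:" and uses constructed log lines with fxp1 standing in for $int_if and fxp0 for $ext_if.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# pflog header as printed by tcpdump.org's tcpdump with -e on a pflog
# interface ("rule N/M(reason): action dir on ifname:"), followed by the
# IPv4 summary with or without -v detail and the TCP/UDP 4-tuple.
PFLOG_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>[^)]*)\): "
    r"(?P<action>[a-z ]+?) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?:IP )?(?:\(.*?\) (?=\d))?"            # optional "(tos ..., length: N) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed sample log (not from the original post).  Lines 1-2 mimic the
# symptom in the thread: a LAN host's SYN to the ICQ server blocked "out on"
# the *internal* interface.  Interface roles are assumptions: fxp1 = $int_if,
# fxp0 = $ext_if.
SAMPLE_PFLOG = """\
17:45:25.966685 rule 0/0(match): block out on fxp1: IP 192.168.1.24.49231 > 205.188.7.248.5190: S 920618149:920618149(0) win 65535
17:45:28.871854 rule 0/0(match): block out on fxp1: IP (tos 0x0, ttl 62, id 63512, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.1.24.49231 > 205.188.7.248.5190: S 920618149:920618149(0) win 65535
17:45:30.100000 rule 3/0(match): pass in on fxp1: IP 192.168.1.24.49232 > 192.168.1.1.53: S 1:1(0) win 65535
17:45:31.200000 rule 0/0(match): block in on fxp0: IP 203.0.113.7.4444 > 192.0.2.1.22: S 5:5(0) win 1024
"""


def parse_pflog_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one 'tcpdump -e -i pflog0' line; None if it is not a pflog record."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "rule": int(d["rule"]),
        "subrule": int(d["subrule"]),
        "reason": d["reason"],          # e.g. "match"
        "action": d["action"],          # "pass", "block", "nat", ...
        "dir": d["dir"],
        "ifname": d["ifname"],
        "src": ipaddress.ip_address(d["src"]),
        "sport": int(d["sport"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]),
    }


def find_misrouted_blocks(lines: List[str], internal_net: str,
                          int_if: str, ext_if: str) -> List[Tuple]:
    """Blocked packets from the LAN to a non-LAN destination that were logged
    'out on int_if': with a ruleset like the one in the thread those only
    fail because the kernel picked the wrong outgoing interface.  Each hit is
    (rule, interface seen, interface expected, src, dst)."""
    net = ipaddress.ip_network(internal_net)
    hits = []
    for line in lines:
        e = parse_pflog_line(line)
        if e is None or e["action"] != "block" or e["dir"] != "out":
            continue
        if e["src"] in net and e["dst"] not in net and e["ifname"] == int_if:
            hits.append((e["rule"], e["ifname"], ext_if,
                         str(e["src"]), str(e["dst"])))
    return hits


def summarize(lines: List[str]) -> Dict[Tuple, int]:
    """Count records per (action, direction, interface, rule number)."""
    counts: Dict[Tuple, int] = {}
    for line in lines:
        e = parse_pflog_line(line)
        if e is not None:
            key = (e["action"], e["dir"], e["ifname"], e["rule"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    sample = SAMPLE_PFLOG.splitlines()
    for key, n in sorted(summarize(sample).items()):
        print(f"{n:3d}  {key}")
    for hit in find_misrouted_blocks(sample, "192.168.1.0/24", "fxp1", "fxp0"):
        print("blocked on wrong interface:", hit)
```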
From owner-freebsd-pf@FreeBSD.ORG Mon Aug 1 11:02:03 2005
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 1 Aug 2005 11:02:02 GMT
Message-Id: <200508011102.j71B22H0017249@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
p [2005/05/19] ia64/81284  pf     Unaligned Reference with pf on 5.4/IA64
o [2005/06/15] kern/82271  pf     [pf] cbq scheduler cause bad latency

2 problems total.

Non-critical problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
p [2005/05/04] kern/80627  pf     pf_test6: kif == NULL ...
o [2005/05/15] conf/81042  pf     [patch] /etc/pf.os doesn't match FreeBSD

2 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 2 10:56:30 2005
From: Boris Polevoy
To: freebsd-pf@freebsd.org
Cc: mlaier@freebsd.org
Date: Tue, 02 Aug 2005 14:57:06 +0400
Subject: PF rdr bitmask BUG

Hello All!

I have some problem with rdr rule in pf.

Test configuration:

+---------+                  +---------+                   +---------+
|client   |192.168.3.10/24   |firewall |10.0.0.1/24        |server   |
|     fxp0+----------------->+fxp0 fxp1+------------------>+fxp0     |
|         |    192.168.3.2/24|         |        10.0.0.2/24|         |
+---------+    192.168.3.3/24+---------+        10.0.0.3/32+---------+

client and firewall boxes under FreeBSD 5.4-RELEASE, server under
FreeBSD 4.7-RELEASE. On the firewall, interface fxp0 has two aliases:
192.168.3.2/24 and 192.168.3.3/24; on the server box fxp0 has aliases
10.0.0.2/24 and 10.0.0.3/32 for the test redirection.

Rules in pf on firewall:
rdr on fxp0 inet from any to 192.168.3.0/24 -> 10.0.0.0/24 bitmask
pass all

Test command on client:
ping -c4 192.168.3.2

Ping does not work, packets from the firewall go to wrong addresses.

I have added a log print in the pf code in function pf.c/pf_map_addr():

    case PF_POOL_BITMASK:
    #define QUAD_ADDR(_addr) \
        ((uint8_t *) &(_addr))[0], ((uint8_t *) &(_addr))[1], \
        ((uint8_t *) &(_addr))[2], ((uint8_t *) &(_addr))[3]

        printf("raddr:<%u.%u.%u.%u> rmask:<%u.%u.%u.%u> saddr:<%u.%u.%u.%u>\n",
            QUAD_ADDR(raddr->v4), QUAD_ADDR(rmask->v4), QUAD_ADDR(saddr->v4));
        PF_POOLMASK(naddr, raddr, rmask, saddr, af);
        printf("naddr:<%u.%u.%u.%u> \n", QUAD_ADDR(naddr->v4));
        break;

The log output shows that _naddr_ after translation is 10.0.0.10, but I
think it must be 10.0.0.2.

It seems to be a wrong call of pf_map_addr() in pf_get_translation();
instead of the destination address the source address is used:

    case PF_RDR:
        if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn))
            return (NULL);

It must be
                               vvvvv
        if (pf_map_addr(pd->af, r, daddr, naddr, NULL, sn))
            return (NULL);

Is it a bug or not?

With best regards
Boris Polevoy
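An added worked example (written for this archive, not pf's code and not from the thread) that reproduces the arithmetic in the report above in Python: the bitmask pool keeps the network bits of the redirect pool and copies the host bits from whichever packet address pf_map_addr() is handed, so feeding the source address gives 10.0.0.10 while feeding the destination gives 10.0.0.2. The rule, addresses and expected values are the ones from the report; pool_bitmask and rdr_translate are names chosen here, and the IPv6 case is an extension beyond the report.

```python
import ipaddress
from typing import Dict, Optional


def pool_bitmask(pool: str, addr: str):
    """Python equivalent of pf's PF_POOLMASK for the 'bitmask' pool option:
    naddr = (raddr & rmask) | (addr & ~rmask).  Works for IPv4 and IPv6."""
    net = ipaddress.ip_network(pool, strict=False)
    a = ipaddress.ip_address(addr)
    if a.version != net.version:
        raise ValueError("pool and address must be the same address family")
    network_part = int(net.network_address) & int(net.netmask)
    host_part = int(a) & int(net.hostmask)        # hostmask is ~netmask
    return ipaddress.ip_address(network_part | host_part)


# The rdr rule from the report: rdr on fxp0 inet from any to 192.168.3.0/24
# -> 10.0.0.0/24 bitmask  (represented as a dict; format chosen here).
RDR_RULE: Dict[str, str] = {"match_dst": "192.168.3.0/24", "pool": "10.0.0.0/24"}


def rdr_translate(rule: Dict[str, str], saddr: str, daddr: str,
                  use_daddr: bool = True) -> Optional[str]:
    """Apply one 'rdr ... to <match_dst> -> <pool> bitmask' rule to a packet.

    use_daddr=False feeds the *source* address into the pool mapping, which is
    what the report observed in pf_get_translation() (a ping from 192.168.3.10
    ends up at 10.0.0.10).  use_daddr=True feeds the *destination*, which is
    the behaviour pf.conf(5) describes for rdr (a ping to 192.168.3.2 is
    redirected to 10.0.0.2).  Returns None when the rule does not match."""
    if ipaddress.ip_address(daddr) not in ipaddress.ip_network(rule["match_dst"]):
        return None
    key = daddr if use_daddr else saddr
    return str(pool_bitmask(rule["pool"], key))


def show_mapping(rule: Dict[str, str], saddr: str, daddr: str) -> Dict[str, Optional[str]]:
    """Both behaviours side by side for one client/target pair."""
    return {
        "observed (saddr fed to pool)": rdr_translate(rule, saddr, daddr, use_daddr=False),
        "expected (daddr fed to pool)": rdr_translate(rule, saddr, daddr, use_daddr=True),
    }


if __name__ == "__main__":
    for target in ("192.168.3.2", "192.168.3.3"):
        print(target, show_mapping(RDR_RULE, "192.168.3.10", target))
```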
From owner-freebsd-pf@FreeBSD.ORG Tue Aug 2 11:51:34 2005
From: Max Laier
To: freebsd-pf@freebsd.org, Boris Polevoy
Date: Tue, 2 Aug 2005 13:51:15 +0200
Message-Id: <200508021351.22789.max@love2party.net>
Subject: Re: PF rdr bitmask BUG

On Tuesday 02 August 2005 12:57, Boris Polevoy wrote:
> Hello All!
>
> I have some problem with rdr rule in pf.
>
> Test configuration:
>
> +---------+                  +---------+                   +---------+
> |client   |192.168.3.10/24   |firewall |10.0.0.1/24        |server   |
> |     fxp0+----------------->+fxp0 fxp1+------------------>+fxp0     |
> |         |    192.168.3.2/24|         |        10.0.0.2/24|         |
> +---------+    192.168.3.3/24+---------+        10.0.0.3/32+---------+
>
> client and firewall boxes under FreeBSD 5.4-RELEASE, server under FreeBSD
> 4.7-RELEASE. On the firewall, interface fxp0 has two aliases: 192.168.3.2/24
> and 192.168.3.3/24; on the server box fxp0 has aliases 10.0.0.2/24 and
> 10.0.0.3/32 for the test redirection.
>
> Rules in pf on firewall:
> rdr on fxp0 inet from any to 192.168.3.0/24 -> 10.0.0.0/24 bitmask
> pass all
>
> Test command on client:
> ping -c4 192.168.3.2
>
> Ping does not work, packets from the firewall go to wrong addresses.
>
> I have added a log print in the pf code in function pf.c/pf_map_addr():
>
> case PF_POOL_BITMASK:
> #define QUAD_ADDR(_addr) \
>     ((uint8_t *) &(_addr))[0], ((uint8_t *) &(_addr))[1], \
>     ((uint8_t *) &(_addr))[2], ((uint8_t *) &(_addr))[3]
>
>     printf("raddr:<%u.%u.%u.%u> rmask:<%u.%u.%u.%u> saddr:<%u.%u.%u.%u>\n",
>         QUAD_ADDR(raddr->v4), QUAD_ADDR(rmask->v4), QUAD_ADDR(saddr->v4));
>     PF_POOLMASK(naddr, raddr, rmask, saddr, af);
>     printf("naddr:<%u.%u.%u.%u> \n", QUAD_ADDR(naddr->v4));
>     break;
>
> The log output shows that _naddr_ after translation is 10.0.0.10, but I
> think it must be 10.0.0.2.
>
> It seems to be a wrong call of pf_map_addr() in pf_get_translation();
> instead of the destination address the source address is used:
> case PF_RDR:
>     if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn))
>         return (NULL);
>
> It must be
>                            vvvvv
>     if (pf_map_addr(pd->af, r, daddr, naddr, NULL, sn))
>         return (NULL);
>
> Is it a bug or not?

From a quick first look your analysis seems to be correct - according to
pf.conf(5) bitmask should use the destination address for rdr. However, the
proposed fix will not work as it breaks (at least) the sticky address option.

Maybe it's easiest to fix the host part in pf_get_translation after the
pf_map_addr call? This would require some amount of code duplication,
though. I will be looking for a better fix during/after the weekend.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 3 21:25:00 2005
Message-ID: <787dcac2050803142433b8d084@mail.gmail.com>
Date: Wed, 3 Aug 2005 16:24:59 -0500
From: BB
To: FreeBSD-pf mail list
Subject: Can pf dynamically close connections

If a host is sending packets on ports that aren't even open can it
temporarily close all connections to this host.

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 4 14:40:52 2005
Date: Thu, 4 Aug 2005 16:40:47 +0200
From: Daniel Hartmeier To: "Karl O. Pinc" Message-ID: <20050804144047.GE11104@insomnia.benzedrine.cx> References: <31BA35C490DBFC40B5C331C7987835AE61236C@mbafmail.internal.mba-cpa.com> <42E88BEC.4060007@xs4all.nl> <20050728093738.GH15154@insomnia.benzedrine.cx> <1122567327l.19571l.1l@mofo> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1122567327l.19571l.1l@mofo> User-Agent: Mutt/1.5.6i Cc: pf@benzedrine.cx, freebsd-pf@freebsd.org Subject: Re: pinging same host on the internet from two different LAN stations X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Aug 2005 14:40:53 -0000 Sorry about the mis-attribution. The idea was Karl's. Here's the implementation, just in case anyone wants to patent it, there's already prior art now :P This is against -current, test feedback welcome. Daniel Index: pf.c =================================================================== RCS file: /cvs/src/sys/net/pf.c,v retrieving revision 1.498 diff -u -r1.498 pf.c --- pf.c 31 Jul 2005 05:20:56 -0000 1.498 +++ pf.c 4 Aug 2005 14:26:19 -0000 @@ -2161,6 +2161,11 @@ if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn)) return (1); + if (proto == IPPROTO_ICMP) { + low = 1; + high = 65535; + } + do { key.af = af; key.proto = proto; @@ -2172,7 +2177,8 @@ * port search; start random, step; * similar 2 portloop in in_pcbbind */ - if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP)) { + if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP || + proto == IPPROTO_ICMP)) { key.gwy.port = dport; if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL) return (0); 
@@ -3348,7 +3354,7 @@ struct pf_ruleset *ruleset = NULL; struct pf_src_node *nsn = NULL; u_short reason; - u_int16_t icmpid; + u_int16_t icmpid, bport, nport = 0; sa_family_t af = pd->af; u_int8_t icmptype, icmpcode; int state_icmp = 0; @@ -3397,15 +3403,21 @@ r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); if (direction == PF_OUT) { + bport = nport = icmpid; /* check outgoing packet for BINAT/NAT */ if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn, - saddr, icmpid, daddr, icmpid, &pd->naddr, NULL)) != NULL) { + saddr, icmpid, daddr, icmpid, &pd->naddr, &nport)) != + NULL) { PF_ACPY(&pd->baddr, saddr, af); switch (af) { #ifdef INET case AF_INET: pf_change_a(&saddr->v4.s_addr, pd->ip_sum, pd->naddr.v4.s_addr, 0); + pd->hdr.icmp->icmp_cksum = pf_cksum_fixup( + pd->hdr.icmp->icmp_cksum, icmpid, nport, 0); + pd->hdr.icmp->icmp_id = nport; + m_copyback(m, off, ICMP_MINLEN, pd->hdr.icmp); break; #endif /* INET */ #ifdef INET6 @@ -3421,9 +3433,11 @@ pd->nat_rule = nr; } } else { + bport = nport = icmpid; /* check incoming packet for BINAT/RDR */ if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn, - saddr, icmpid, daddr, icmpid, &pd->naddr, NULL)) != NULL) { + saddr, icmpid, daddr, icmpid, &pd->naddr, &nport)) != + NULL) { PF_ACPY(&pd->baddr, daddr, af); switch (af) { #ifdef INET 
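Review bot: the icmp_id rewrite plus pf_cksum_fixup() and m_copyback() added in the @@ -3397 and @@ -3421 hunks live only in the `#ifdef INET` arm, while `&nport` is now handed to pf_get_translation() for both address families and the `#ifdef INET6` arms are not in the diff. Because `bport = nport = icmpid` is assigned before the call, this is only correct if pf_get_translation() leaves *nport untouched for AF_INET6; put that invariant in a comment next to the assignment, or rewrite icmp6_id and its checksum in the INET6 arms as well so the state key (gwy.port = nport) and the packet on the wire cannot disagree.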
@@ -3575,24 +3589,28 @@ s->af = af; if (direction == PF_OUT) { PF_ACPY(&s->gwy.addr, saddr, af); - s->gwy.port = icmpid; + s->gwy.port = nport; PF_ACPY(&s->ext.addr, daddr, af); - s->ext.port = icmpid; - if (nr != NULL) + s->ext.port = 0; + if (nr != NULL) { PF_ACPY(&s->lan.addr, &pd->baddr, af); - else + s->lan.port = bport; + } else { PF_ACPY(&s->lan.addr, &s->gwy.addr, af); - s->lan.port = icmpid; + s->lan.port = s->gwy.port; + } } else { PF_ACPY(&s->lan.addr, daddr, af); - s->lan.port = icmpid; + s->lan.port = nport; PF_ACPY(&s->ext.addr, saddr, af); - s->ext.port = icmpid; - if (nr != NULL) + s->ext.port = 0; + if (nr != NULL) { PF_ACPY(&s->gwy.addr, &pd->baddr, af); - else + s->gwy.port = bport; + } else { PF_ACPY(&s->gwy.addr, &s->lan.addr, af); - s->gwy.port = icmpid; + s->gwy.port = s->lan.port; + } } s->creation = time_second; s->expire = time_second; @@ -4522,13 +4540,13 @@ if (direction == PF_IN) { PF_ACPY(&key.ext.addr, pd->src, key.af); PF_ACPY(&key.gwy.addr, pd->dst, key.af); - key.ext.port = icmpid; + key.ext.port = 0; key.gwy.port = icmpid; } else { PF_ACPY(&key.lan.addr, pd->src, key.af); PF_ACPY(&key.ext.addr, pd->dst, key.af); key.lan.port = icmpid; - key.ext.port = icmpid; + key.ext.port = 0; } STATE_LOOKUP(); @@ -4537,7 +4555,7 @@ (*state)->timeout = PFTM_ICMP_ERROR_REPLY; /* translate source/destination address, if necessary */ - if (PF_ANEQ(&(*state)->lan.addr, &(*state)->gwy.addr, pd->af)) { + if (STATE_TRANSLATE(*state)) { if (direction == PF_OUT) { switch (pd->af) { #ifdef INET @@ -4545,6 +4563,14 @@ pf_change_a(&saddr->v4.s_addr, pd->ip_sum, (*state)->gwy.addr.v4.s_addr, 0); + pd->hdr.icmp->icmp_cksum = + pf_cksum_fixup( + pd->hdr.icmp->icmp_cksum, icmpid, + (*state)->gwy.port, 0); + pd->hdr.icmp->icmp_id = + (*state)->gwy.port; + m_copyback(m, off, ICMP_MINLEN, + pd->hdr.icmp); break; #endif /* INET */ #ifdef INET6 
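Review bot: `s->ext.port = 0` in the @@ -3575 hunk drops the remote side's id from the state key, so the lookups in the @@ -4522 hunk (`key.ext.port = 0`) match on (ext.addr, gwy.addr, gwy.port) alone; that is what allows the reply's id to differ from the request's, but it also makes the gwy-side id the only discriminator, and a one-line comment at the assignment saying ext.port is deliberately 0 for ICMP states would save the next reader the search. In the @@ -4537 hunk replacing PF_ANEQ(lan.addr, gwy.addr) with STATE_TRANSLATE(*state) is required for id-only translation (same address, different id), but the macro is not part of the diff; confirm it compares lan.port with gwy.port, otherwise the new icmp_id rewrites in the @@ -4545 hunk are never reached for exactly that case.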
@@ -4565,6 +4591,14 @@ pf_change_a(&daddr->v4.s_addr, pd->ip_sum, (*state)->lan.addr.v4.s_addr, 0); + pd->hdr.icmp->icmp_cksum = + pf_cksum_fixup( + pd->hdr.icmp->icmp_cksum, icmpid, + (*state)->lan.port, 0); + pd->hdr.icmp->icmp_id = + (*state)->lan.port; + m_copyback(m, off, ICMP_MINLEN, + pd->hdr.icmp); break; #endif /* INET */ #ifdef INET6 @@ -4888,13 +4922,13 @@ if (direction == PF_IN) { PF_ACPY(&key.ext.addr, pd2.dst, key.af); PF_ACPY(&key.gwy.addr, pd2.src, key.af); - key.ext.port = iih.icmp_id; + key.ext.port = 0; key.gwy.port = iih.icmp_id; } else { PF_ACPY(&key.lan.addr, pd2.dst, key.af); PF_ACPY(&key.ext.addr, pd2.src, key.af); key.lan.port = iih.icmp_id; - key.ext.port = iih.icmp_id; + key.ext.port = 0; } STATE_LOOKUP(); 
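Review bot: the @@ -4888 hunk (and its ICMPv6 twin that follows) changes only the lookup key for an ICMP error that quotes an echo request; the lines after STATE_LOOKUP() are not in the diff, so confirm that the quoted inner icmp_id is translated back there (gwy.port to lan.port inbound, lan.port to gwy.port outbound) with a fixup of the inner ICMP checksum and of the outer checksum that covers it, the way the @@ -4545 and @@ -4565 hunks now handle plain echo packets. Without that, a host behind NAT receives a destination-unreachable quoting an id it never sent and cannot attribute the error to its own ping.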
@@ -4939,13 +4973,13 @@ if (direction == PF_IN) { PF_ACPY(&key.ext.addr, pd2.dst, key.af); PF_ACPY(&key.gwy.addr, pd2.src, key.af); - key.ext.port = iih.icmp6_id; + key.ext.port = 0; key.gwy.port = iih.icmp6_id; } else { PF_ACPY(&key.lan.addr, pd2.dst, key.af); PF_ACPY(&key.ext.addr, pd2.src, key.af); key.lan.port = iih.icmp6_id; - key.ext.port = iih.icmp6_id; + key.ext.port = 0; } STATE_LOOKUP(); From owner-freebsd-pf@FreeBSD.ORG Thu Aug 4 17:40:11 2005 Return-Path: X-Original-To: pf@freebsd.org Delivered-To: freebsd-pf@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A000416A41F for ; Thu, 4 Aug 2005 17:40:11 +0000 (GMT) (envelope-from gpt@tirloni.org) Received: from srv-03.bs2.com.br (srv-03.bs2.com.br [200.203.183.32]) by mx1.FreeBSD.org (Postfix) with ESMTP id 439BB43D48 for ; Thu, 4 Aug 2005 17:40:08 +0000 (GMT) (envelope-from gpt@tirloni.org) Received: from localhost (localhost.bs2.com.br [127.0.0.1]) by srv-03.bs2.com.br (Postfix) with ESMTP id E8C2A4B8C4; Thu, 4 Aug 2005 14:40:40 -0300 (BRT) Received: from [127.0.0.1] (unknown [201.14.1.190]) by srv-03.bs2.com.br (Postfix) with ESMTP id B09814B786; Thu, 4 Aug 2005 14:40:39 -0300 (BRT) Message-ID: <42F28B79.1030202@tirloni.org> Date: Thu, 04 Aug 2005 14:41:13 -0700 
From: "Giovanni P. Tirloni"
To: BB
Cc: pf@freebsd.org
Date: Thu, 04 Aug 2005 14:41:13 -0700
Message-ID: <42F28B79.1030202@tirloni.org>
In-Reply-To: <787dcac2050803142433b8d084@mail.gmail.com>
Subject: Re: Can pf dynamically close connections

BB wrote:
> If a host is sending packets on ports that aren't even open can it
> temporarily close all connections to this host.

I don't think this is a task pf itself should do, but you can implement something to monitor connection attempts on closed ports and then inspect pf's state table (pfctl -s state) and remove it (pfctl -k).

Do you want something like PortSentry? Someone could spoof those attempts and create a DoS on something you don't want to block.

-- 
Giovanni P. Tirloni
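An added example of the monitoring loop Giovanni sketches above; it is not from the thread and not part of pf or PortSentry. It reads the pflog records that pf writes for blocked inbound packets, quarantines a source after a threshold of attempts by putting it in a pf table and killing its states with pfctl -k, and keeps an allowlist of admin addresses so a spoofed probe cannot lock you out (it does not remove the DoS concern: spoofed probes from any other address can still get that address blocked). The table name, the pf.conf lines in the header comment, the thresholds, the interface name and the sample log lines are all assumptions or constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: quarantine sources that probe closed ports.
# Assumed pf.conf (not from the list):
#   table <offenders> persist
#   block in quick from <offenders>     # placed before the "pass in" rules
# Feed it pflog output, e.g.:
#   tcpdump -n -e -ttt -l -i pflog0 inbound | sh closeports.sh --watch
# Lift the block later from cron with "pfctl -t offenders -T expire $TTL"
# (assumes your pfctl has the -T expire subcommand).

ALLOWLIST="${ALLOWLIST:-192.168.2.8 192.168.2.9}"  # admin hosts, never quarantined
THRESHOLD="${THRESHOLD:-3}"   # blocked attempts before a source is quarantined
TTL="${TTL:-1200}"            # seconds an entry should stay in the table
DRY_RUN="${DRY_RUN:-}"        # set to 1 to only print the pfctl commands

# offenders: read pflog lines on stdin and print a source address the moment
# its count of "block in" records reaches THRESHOLD (printed once per source).
# Records for blocked outbound traffic and allowlisted sources are ignored.
offenders() {
    awk -v thr="$THRESHOLD" -v allow="$ALLOWLIST" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /block in on / {
            s = $0
            sub(/.*block in on [^:]*: /, "", s)   # "203.0.113.7.40001 > 192.168.2.3.23: S ..."
            sub(/ > .*/, "", s)                   # "203.0.113.7.40001"
            sub(/\.[0-9]+$/, "", s)               # drop the source port
            if (!(s in ok) && ++seen[s] == thr) { print s; fflush() }
        }'
}

# quarantine: add one address to the table and drop its existing states in
# both directions (pfctl -k HOST kills states from HOST; pfctl -k 0.0.0.0/0
# -k HOST kills states to HOST).  Always prints the commands, runs them only
# when pfctl exists and DRY_RUN is unset.
quarantine() {
    addr=$1
    for cmd in "pfctl -t offenders -T add $addr" \
               "pfctl -k $addr" \
               "pfctl -k 0.0.0.0/0 -k $addr"; do
        echo "$cmd"
        if [ -z "$DRY_RUN" ] && command -v pfctl >/dev/null 2>&1; then
            $cmd
        fi
    done
}

# watch: stream mode, one quarantine per source that trips the threshold
watch() {
    offenders | while read -r addr; do quarantine "$addr"; done
}

case "${1:-}" in --watch) watch ;; esac
```

The threshold is per source over the life of the process, which is enough to turn a port sweep into a block but deliberately does not count single stray packets; run `pfctl -t offenders -T show` to see who is in the table, and keep the allowlist in step with the admin addresses in your pass rules.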
From owner-freebsd-pf@FreeBSD.ORG Thu Aug 4 17:42:45 2005
From: Rod
To: freebsd-pf@freebsd.org
Message-Id: <1123177703.24009.29.camel@torgau.office.netline.net.uk>
Date: Thu, 04 Aug 2005 18:48:23 +0100
Subject: PF, SSH closed by remote host

Hi,

I was wondering if anyone has come across this before.

I'm running FreeBSD 5.4-RELEASE running PF from rc.conf. I ssh into this box as a non-root user then su. On doing a ps -auwx I instantly get disconnected with:

Connection to 192.168.2.3 closed by remote host.
Connection to 192.168.2.3 closed.

If I disable PF (pfctl -d) everything is fine.

e.g.:

lfs2# ps -auwx
USER   PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
root    11 99.0  0.0     0    8  ??  RL    4:48PM 152:49.91 [idle]
root     0  0.0  0.0     0    0  ??  DLs   4:48PM   0:00.01 [swapper]Connection to 192.168.2.3 closed by remote host.
Connection to 192.168.2.3 closed.
rc.conf:

# Packet Filtering
pf_enable="YES"                 # Enable PF (load module if required)
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_flags=""                     # additional flags for pfctl startup
pflog_enable="YES"              # start pflogd(8)
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
pflog_flags=""                  # additional flags for pflogd startup

This is my pf.conf:

ext_if="em0"
external_addr="192.168.2.3"
box_admins = "{192.168.2.8 192.168.2.9 192.168.20 192.168.45}"

set fingerprints "/etc/pf.os"
set block-policy drop
scrub in all
block in all
block out all
block in log all

#Allow Admins
pass in on $ext_if from $box_admins to any

#icmp, ping etc
pass in on $ext_if proto icmp all

#allow outbound and keep states
pass out on $ext_if proto { tcp, udp, icmp } all keep state

Have tried lists, google and multiple different variations of the above pf.conf but it's still happening. Any suggestions?

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 4 17:53:03 2005
Date: Thu, 4 Aug 2005 19:53:03 +0200
From: Daniel Hartmeier
To: Rod
Cc: freebsd-pf@freebsd.org
Message-ID: <20050804175303.GI11104@insomnia.benzedrine.cx>
In-Reply-To: <1123177703.24009.29.camel@torgau.office.netline.net.uk>
Subject: Re: PF, SSH closed by remote host

On Thu, Aug 04, 2005 at 06:48:23PM +0100, Rod wrote:

> Have tried lists,google and multiple different variations of the above
> pf.conf but it's still happening. Any suggests?

Enable debug logging in pf (pfctl -xm), make sure all blocked packets are logged and pflogd is running. Print the current counter values (pfctl -si). Then reproduce the connection reset. Afterwards:

- check /var/log/messages for any messages from pf
- check pflog for any logged packets
- print the counters again (pfctl -si) and check if any of them have increased

It might be necessary to tcpdump one entire ssh connection (from establishment to the point where it's reset) to fully analyze the problem, but maybe the simpler steps above will already give a hint.

Daniel
From owner-freebsd-pf@FreeBSD.ORG Thu Aug 4 18:21:16 2005
From: Rod
To: freebsd-pf@freebsd.org
In-Reply-To: <20050804175303.GI11104@insomnia.benzedrine.cx>
Message-Id: <1123180015.24009.45.camel@torgau.office.netline.net.uk>
Date: Thu, 04 Aug 2005 19:26:55 +0100
Subject: Re: PF, SSH closed by remote host

Thanks for that, here's the output; currently looking down the path that maybe it's ssh misbehaving.

pfctl -xm:

No ALTQ support in kernel
ALTQ related functions disabled
debug level set to 'misc'

pfctl -si:

No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:36:23           Debug: Misc
Hostid: 0xf7895b8a

State Table                          Total             Rate
  current entries                       13
  searches                           61585           28.2/s
  inserts                              322            0.1/s
  removals                             309            0.1/s
Counters
  match                                889            0.4/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s

ps -auwx ... disconnected ..
/var/log/messages:

Aug  4 20:10:09 host2 kernel: pf: BAD state: TCP 192.168.2.3:22 192.168.2.3:22 192.168.2.9:45297 [lo=4294559707 high=4294560735 win=33304 modulator=0] [lo=1818073202 high=1818106506 win=3140 modulator=0] 4:4 A seq=4294559707 ack=1818073202 len=1448 ackskew=0 pkts=72:121 dir=out,fwd
Aug  4 20:10:09 host2 kernel: pf: State failure on: 1       |
Aug  4 20:10:09 host2 sshd[94143]: fatal: Write failed: Operation not permitted

pfctl -si:

No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:43:20           Debug: Misc
Hostid: 0xf7895b8a

State Table                          Total             Rate
  current entries                        1
  searches                           62446           24.0/s
  inserts                              355            0.1/s
  removals                             354            0.1/s
Counters
  match                                951            0.4/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s

On Thu, 2005-08-04 at 18:53, Daniel Hartmeier wrote:
> On Thu, Aug 04, 2005 at 06:48:23PM +0100, Rod wrote:
>
> > Have tried lists,google and multiple different variations of the above
> > pf.conf but it's still happening. Any suggests?
>
> Enable debug logging in pf (pfctl -xm), make sure all blocked packets
> are logged and pflogd is running. Print the current counter values
> (pfctl -si). Then reproduce the connection reset. Afterwards:
>
> - check /var/log/messages for any messages from pf
> - check pflog for any logged packets
> - print the counters again (pfctl -si) and check if any of them
>   have increased
>
> It might be necessary to tcpdump one entire ssh connection (from
> establishment to the point where it's reset) to fully analyze the
> problem, but maybe the simpler steps above will already give a hint.
>
> Daniel

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 4 18:50:57 2005
Message-ID: <42F29C11.8090007@tirloni.org>
Date: Thu, 04 Aug 2005 15:52:01 -0700
From: "Giovanni P. Tirloni"
To: Rod
Cc: pf@freebsd.org
In-Reply-To: <1123177703.24009.29.camel@torgau.office.netline.net.uk>
Subject: Re: PF, SSH closed by remote host

Rod wrote:
> Hi,
>
> I was wondering if anyone has come across this before.
>
> I'm running FreeBSD 5.4-RELEASE running PF from rc.conf. I ssh into this
> box as a non-root user then su. On doing a ps -auwx I instantly get
> disconnect with Connection to 192.168.2.3 closed by remote host.
> Connection to 192.168.2.3 closed.
>
> If I disable PF everything is fine (pfctl -d).
>
> e.g. :
>
> lfs2# ps -auwx
> USER   PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
> root    11 99.0  0.0     0    8  ??  RL    4:48PM 152:49.91 [idle]
> root     0  0.0  0.0     0    0  ??  DLs   4:48PM   0:00.01 [swapper]Connection to 192.168.2.3 closed by remote host.
> Connection to 192.168.2.3 closed.
>
> rc.conf :
>
> # Packet Filtering
> pf_enable="YES"                 # Enable PF (load module if required)
> pf_rules="/etc/pf.conf"         # rules definition file for pf
> pf_flags=""                     # additional flags for pfctl startup
> pflog_enable="YES"              # start pflogd(8)
> pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
> pflog_flags=""                  # additional flags for pflogd startup
>
> This is my pf.conf :
>
> ext_if="em0"
> external_addr="192.168.2.3"
> box_admins = "{192.168.2.8 192.168.2.9 192.168.20 192.168.45}"
>
> set fingerprints "/etc/pf.os"
> set block-policy drop
> scrub in all
> block in all
> block out all
> block in log all

Ok, you're blocking everything in and out. Could be only "block all".

> #Allow Admins
> pass in on $ext_if from $box_admins to any
>
> #icmp, ping etc
> pass in on $ext_if proto icmp all
>
> #allow outbound and keep states
> pass out on $ext_if proto { tcp, udp, icmp } all keep state

You are permitting the $box_admins machines to send packets but aren't keeping state on those connections. AFAIK, the last rule won't keep state for connections that arrived from outside. So I think adding "keep state" to that first pass rule would help.

-- 
Giovanni P. Tirloni
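An added example, not Rod's file and not from any reply in the thread: the ruleset Rod posted next to a corrected version, plus a small lint for stateless "pass in" rules. The log Rod posted earlier fits the stateless admin rule exactly: the "BAD state" line is for the session's only state, created by "pass out ... keep state" from a server packet in the middle of the session ("dir=out"); a state created that way never saw the SYN and its window-scaling option, so the window pf enforces (win=3140 in the log) is far smaller than the one the peers negotiated, a burst of ps -auwx output overran it, pf dropped the packet ("State failure on: 1") and sshd's write failed with "Operation not permitted". The corrected rules therefore keep state on the inbound side and, for TCP, create it only from the SYN (flags S/SA). The split of the admin rule into a tcp and a udp rule is a tightening added here, not something the thread proposes; check_with_pfctl assumes pfctl accepts "-f -" for stdin.

```shell
#!/bin/sh
# Added example, not from the thread.  ruleset_before is the pf.conf Rod
# posted; ruleset_after keeps state on every inbound pass rule and creates
# TCP state only from the SYN.  lint_pass_in flags stateless "pass in" rules.

ruleset_before() {
cat <<'EOF'
ext_if="em0"
external_addr="192.168.2.3"
box_admins = "{192.168.2.8 192.168.2.9 192.168.20 192.168.45}"

set fingerprints "/etc/pf.os"
set block-policy drop
scrub in all
block in all
block out all
block in log all

#Allow Admins
pass in on $ext_if from $box_admins to any

#icmp, ping etc
pass in on $ext_if proto icmp all

#allow outbound and keep states
pass out on $ext_if proto { tcp, udp, icmp } all keep state
EOF
}

ruleset_after() {
cat <<'EOF'
ext_if="em0"
external_addr="192.168.2.3"
# 192.168.20 and 192.168.45 are reproduced as posted; confirm they are the
# addresses you mean before loading this (assumption: they are not typos).
box_admins = "{ 192.168.2.8, 192.168.2.9, 192.168.20, 192.168.45 }"

set fingerprints "/etc/pf.os"
set block-policy drop
scrub in all
block log all

# Admin hosts.  flags S/SA: state is created only from the SYN, so pf sees
# the window-scaling option and tracks the whole connection.  Without keep
# state here, the reply packet hit "pass out ... keep state" and created the
# state mid-stream with the wrong window, which pf later reported as BAD state.
# (Tightening added in this example: only tcp and udp from the admins pass.)
pass in on $ext_if proto tcp from $box_admins to any flags S/SA keep state
pass in on $ext_if proto udp from $box_admins to any keep state

#icmp, ping etc
pass in on $ext_if proto icmp all keep state

#allow outbound and keep states
pass out on $ext_if proto { tcp, udp, icmp } all keep state
EOF
}

# lint_pass_in: print every "pass in" rule on stdin that creates no state;
# exit status 1 if there is at least one, 0 otherwise.
lint_pass_in() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*pass[ \t]+in/ && !/(keep|modulate|synproxy)[ \t]+state/ { print; bad++ }
        END { exit (bad ? 1 : 0) }'
}

# check_with_pfctl: parse-only load of the ruleset on stdin when pfctl is
# available (assumption: "pfctl -f -" reads the ruleset from stdin).
check_with_pfctl() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf -
    else
        cat >/dev/null
        echo "pfctl not found, syntax check skipped"
    fi
}

case "${1:-}" in
    before) ruleset_before | lint_pass_in ;;
    after)  ruleset_after | lint_pass_in && ruleset_after | check_with_pfctl ;;
esac
```

Running it with "before" prints the two stateless rules (the admin rule and the icmp rule) and exits 1; with "after" the lint passes and, on a pf box, the corrected file is parsed by pfctl -nf before anything is loaded. The lint is deliberately crude: it only looks for the three state keywords, so a rule that relies on a later "keep state" default would be flagged too.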
From owner-freebsd-pf@FreeBSD.ORG Thu Aug 4 18:51:49 2005
From: Rod
To: freebsd-pf@freebsd.org
In-Reply-To: <42F25EE0.50408@veldy.net>
Message-Id: <1123181847.24009.49.camel@torgau.office.netline.net.uk>
Date: Thu, 04 Aug 2005 19:57:28 +0100
Subject: Re: PF, SSH closed by remote host

> pass in on $ext_if from $box_admins to any keep state

No longer getting disconnected!!!!!!!!!!!!!!! Thank you so much :)

On Thu, 2005-08-04 at 19:30, Thomas T. Veldhouse wrote:
> Rod wrote:
>
> >Hi,
> >
> >I was wondering if anyone has come across this before.
> >
> >I'm running FreeBSD 5.4-RELEASE running PF from rc.conf. I ssh into this
> >box as a non-root user then su. On doing a ps -auwx I instantly get
> >disconnect with Connection to 192.168.2.3 closed by remote host.
> >Connection to 192.168.2.3 closed.
> >
>
> Hmm ... the outbound path might need some work. Does this help (note
> the "keep state")?
>
> #Allow Admins
> pass in on $ext_if from $box_admins to any keep state
>
> Tom Veldhouse

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 4 20:59:53 2005
Message-ID: <787dcac2050804135922e97d80@mail.gmail.com>
Date: Thu, 4 Aug 2005 15:59:51 -0500
From: BB
To: freebsd-pf@freebsd.org
In-Reply-To: <42F28B79.1030202@tirloni.org>
Subject: Re: Can pf dynamically close connections

One of the sites that I maintain is moving to a different firewall, a WatchGuard Firebox X1000. None of the full-time admins can work with vi for system changes.

This is a feature on the firewall. If attempts are made on ports that are closed, all ports will be blocked for about 20 minutes.

Don't know if the feature mentioned above is good or bad.

On 8/4/05, Giovanni P. Tirloni wrote:
>
> BB wrote:
> > If a host is sending packets on ports that aren't even open can it
> > temporarily close all connections to this host.
>
> I don't think this a task pf itself should do but you can implement
> something to monitor connection attempts on closed ports and then
> inspect the pf's state table (pfctl -s state) and remove it (pfctl -k).
>
> Do you want something like PortSentry ? Someone could spoof those
> attempts and create a DoS on something you don't want to block.
>
> --
> Giovanni P. Tirloni
From owner-freebsd-pf@FreeBSD.ORG Fri Aug 5 07:25:05 2005
Date: Fri, 5 Aug 2005 10:25:08 +0300
To: freebsd-pf@freebsd.org
From: Michael Dexter
Subject: Can rdr rules include flags?

Hello,

This is a general PF question but I am using it in the FreeBSD environment.

I am using an rdr rule to forward http traffic to a jail.

rdr pass on $ext_if inet proto tcp from any to $ext_if port 8080 -> $www_ad port 80

From what I can tell, an accompanying "pass" entry such as the following is not needed and is perhaps ignored.

pass in on $ext_if inet proto tcp from any to $ext_if port 80 flags S/SA \
    modulate state

Is there any way to apply flags to rdr traffic to limit protocols or ports?

Appreciated,
Michael.

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 5 09:00:58 2005
Message-ID: <42F32C2B.5090803@gmail.com>
Date: Fri, 05 Aug 2005 10:06:51 +0100
From: Jorge Dionisio
To: freebsd-pf@freebsd.org
Subject: Problem on altq rules

Hi,

I have installed FreeBSD 5.4 and built a custom kernel with the ALTQ options; the problem is when I load the ruleset I get the following error:

/etc/pf.conf:21: syntax error
/etc/pf.conf:22: queue q_pri has no parent
/etc/pf.conf:22: errors in queue definition
/etc/pf.conf:23: queue q_def has no parent
/etc/pf.conf:23: errors in queue definition
pfctl: Syntax error in config file: pf rules not loaded

My complete ruleset is:

# macros
int_if = "rl1"
ext_if = "rl0"
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.151.0/24 }"
comp3 = "192.168.0.3"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

altq on $ext_if priq bandwith 128Kb queue { q_pri, q_dev }
queue q_pri priority 7
queue q_def priority 1 priq(default)

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
#rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
#    port 8021
#rdr on $ext_if proto tcp from any to any port 80 -> $comp3

# filter rules
block all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state queue (q_def, q_pri)
#pass in on $ext_if proto tcp from any to $comp3 port 80 \
#    flags S/SA synproxy state
#pass in on $ext_if inet proto tcp from port 20 to ($ext_if) \
#    user proxy flags S/SA keep state
#pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto { udp, icmp } all keep state
#pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
    keep state queue (q_def, q_pri)
pass in on $ext_if proto tcp from any to $ext_if flags S/SA \
    keep state queue (q_def, q_pri)

I've also run the command:

-bash-2.05b# strings /boot/kernel/kernel | grep -c altq_lookup
1

and got this output.

Thanks in advance for any reply,
Jorge Dionisio

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 5 09:07:32 2005
([195.23.50.44]) by mx.gmail.com with ESMTP id 44sm3630197wri.2005.08.05.02.07.30; Fri, 05 Aug 2005 02:07:30 -0700 (PDT) Message-ID: <42F32DB5.4060005@gmail.com> Date: Fri, 05 Aug 2005 10:13:25 +0100 From: Jorge Dionisio User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Problem on altq rules X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Aug 2005 09:07:32 -0000 Forget my previous e-mail, I'm stupid, just typo errors in the rules... From owner-freebsd-pf@FreeBSD.ORG Fri Aug 5 09:08:42 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E435E16A41F for ; Fri, 5 Aug 2005 09:08:42 +0000 (GMT) (envelope-from dionch@freemail.gr) Received: from smtp.freemail.gr (smtp.freemail.gr [213.239.180.35]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5473543D46 for ; Fri, 5 Aug 2005 09:08:41 +0000 (GMT) (envelope-from dionch@freemail.gr) Received: by smtp.freemail.gr (Postfix, from userid 101) id 41D8BBC098; Fri, 5 Aug 2005 12:08:40 +0300 (EEST) Received: from R3B (vdp1174.ath03.dsl.hol.gr [62.38.168.175])by smtp.freemail.gr (Postfix) with ESMTP id 44F72BC071; Fri, 5 Aug 2005 12:08:39 +0300 (EEST) Message-ID: <003801c5999d$4332e010$0100000a@R3B> 
From: "Chris Dionissopoulos"
To: "Jorge Dionisio"
References: <42F32C2B.5090803@gmail.com>
Date: Fri, 5 Aug 2005 12:08:34 +0300
Subject: Re: Problem on altq rules

> Hi,
> I have installed FreeBSD 5.4 and built a custom kernel with the ALTQ
> options. The problem is that when I load the ruleset I get the following error:
> /etc/pf.conf:21: syntax error

> altq on $ext_if priq bandwith 128Kb queue { q_pri, q_dev }

It is "bandwidth", not "bandwith".

____________________________________________________________________
http://www.freemail.gr - free email service for the Greek-speaking.

From: Boris Polevoy
To: pf@benzedrine.cx
Cc: freebsd-pf@freebsd.org
Date: Fri, 05 Aug 2005 15:06:19 +0400
Subject: PF ioctl(DIOCADDADDR) possible bug

Hello, All!

I found a possible problem in the function pf_ioctl.c/pfioctl() in FreeBSD 5.4-RELEASE PF.

To add a PF rdr (nat) rule to the active ruleset we have to do several steps:

1) get a pool ticket with ioctl(DIOCBEGINADDRS);
2) create the address pool with several ioctl(DIOCADDADDR);
3) get a ticket for adding the rule with ioctl(DIOCCHANGERULE);
4) add the rule with ioctl(DIOCCHANGERULE).

In step 2 ioctl(DIOCADDADDR) does not check the pool ticket value, so there is a possible situation where another process, maliciously or through a failure, adds to the address pool without getting a pool ticket.

Is it a bug or not?

With best regards
Boris Polevoy


Message-ID: <48239d3905080504297b3ebc89@mail.gmail.com>
Date: Fri, 5 Aug 2005 15:29:51 +0400
From: Sergey Lapin
To: freebsd-pf@freebsd.org
In-Reply-To: <48239d390508040958265ce62@mail.gmail.com>
References: <48239d390508040958265ce62@mail.gmail.com>
Subject: Fwd: pf problems

Hi, all:

Configuration:
(all addresses fake, 1.1.1.x - from ISP1, 2.2.2 - from ISP2)

# grep ifconfig /etc/rc.conf
ifconfig_xl0="inet 1.1.1.254 netmask 255.255.255.128"
ifconfig_xl0_alias0="inet 2.2.2.2 netmask 255.255.255.128"
ifconfig_xl1="inet 192.168.255.1 netmask 255.255.255.255"
ifconfig_vlan0="inet 1.1.1.3 netmask 255.255.255.0 vlan 1001 vlandev xl1 mtu 1496"
ifconfig_vlan1="inet 2.2.2.174 netmask 255.255.255.252 vlan 1004 vlandev xl1 mtu 1496"
# grep defaultrouter /etc/rc.conf
defaultrouter="62.152.84.1"
# cat /etc/pf.conf
#	$FreeBSD: src/etc/pf.conf,v 1.1.2.1 2004/09/17 18:27:14 mlaier Exp $
#	$OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
#	See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
#	Required order: options, normalization, queueing, translation, filtering.
#	Macros and tables may be defined and used anywhere.
#	Note that translation rules are first match while filter rules are last match.

ext_if1 = "vlan0"
ext_if2 = "vlan1"
dmz_if = "xl0"
ext_gw1 = "1.1.1.1"
ext_gw2 = "2.2.2.173"
lan_net = "192.168.0.0/16"
dmz_net1 = "1.1.1.128/25"
dmz_net2 = "2.2.2.0/25"

table const { $dmz_net1, $dmz_net2, $lan_net }

set block-policy drop
set state-policy floating

# Normalize all incoming streams
scrub in on $ext_if1
scrub in on $ext_if2

################################################################################
# NAT                                                                          #
################################################################################
# nat outgoing connections on each internet interface
nat on $ext_if1 from { $lan_net $dmz_net2 } to any -> ($ext_if1)
nat on $ext_if2 from { $lan_net $dmz_net1 } to any -> ($ext_if2)

################################################################################
# Block everything by default                                                  #
################################################################################
# default deny silently
block drop all
# block IDENT notifying sender to prevent sendmail and the like from
# wasting time waiting for timeout
block return in on { $ext_if1 $ext_if2 } proto { tcp, udp } to port = auth
block drop log on xl0 all

################################################################################
# Traffic to gateway itself                                                    #
################################################################################
# pass in quick any packets destined for the gateway itself
pass in quick on $dmz_if proto tcp from any to $dmz_if flags S/SA keep state
pass in quick on $dmz_if inet proto { udp, icmp } from any to $dmz_if keep state
# pass multicast and IGMP traffic
pass quick on $dmz_if inet from any to 224.0.0.0/4 allow-opts keep state
pass quick on lo0

################################################################################
# Classify traffic from DMZ                                                    #
################################################################################
# pass traffic from DMZ to Internet
pass in on $dmz_if proto udp from $dmz_net1 to any port = 53 keep state tag DMZ_TO_EXT1
pass in on $dmz_if proto udp from $dmz_net2 to any port = 53 keep state tag DMZ_TO_EXT2
# Allow all outgoing connections from DMZ
pass in on $dmz_if inet proto tcp from $dmz_net1 to any flags S/SA keep state tag DMZ_TO_EXT1
pass in on $dmz_if inet proto { udp, icmp } from $dmz_net1 to any keep state tag DMZ_TO_EXT1
pass in on $dmz_if inet proto tcp from $dmz_net2 to any flags S/SA keep state tag DMZ_TO_EXT2
pass in on $dmz_if inet proto { udp, icmp } from $dmz_net2 to any keep state tag DMZ_TO_EXT2
# Allow gateway to route between different networks on the DMZ
# DMZ nets -> DMZ nets
pass in on $dmz_if inet proto tcp from { $dmz_net1, $dmz_net2 } to { $dmz_net1, $dmz_net2 } flags S/SA keep state tag DMZ_TO_DMZ
pass in on $dmz_if inet from { $dmz_net1, $dmz_net2 } to { $dmz_net1, $dmz_net2 } keep state tag DMZ_TO_DMZ
# DMZ nets -> LAN net
pass in on $dmz_if inet proto tcp from { $dmz_net1, $dmz_net2 } to $lan_net flags S/SA keep state tag DMZ_TO_LAN
pass in on $dmz_if inet from { $dmz_net1, $dmz_net2 } to $lan_net keep state tag DMZ_TO_LAN
# LAN net -> DMZ nets
pass in on $dmz_if inet proto tcp from $lan_net to { $dmz_net1, $dmz_net2 } flags S/SA keep state tag LAN_TO_DMZ
pass in on $dmz_if inet from $lan_net to { $dmz_net1, $dmz_net2 } keep state tag LAN_TO_DMZ

################################################################################
# Allow classified traffic from DMZ                                            #
################################################################################
# Allow incoming packets from DMZ one more time and route them appropriately
# This must be done to IN packets because if we only do it for OUT packets, it happens too late -
# packet is routed appropriately, but NAT rule for wrong interface gets fired
pass in quick on $dmz_if route-to ($ext_if1 $ext_gw1) proto tcp tagged DMZ_TO_EXT1 flags S/SA modulate state
pass in quick on $dmz_if route-to ($ext_if1 $ext_gw1) proto { udp, icmp } tagged DMZ_TO_EXT1 keep state
pass in quick on $dmz_if route-to ($ext_if2 $ext_gw2) proto tcp tagged DMZ_TO_EXT2 flags S/SA modulate state
pass in quick on $dmz_if route-to ($ext_if2 $ext_gw2) proto { udp, icmp } tagged DMZ_TO_EXT2 keep state
# Allow OUT traffic
pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) proto tcp tagged DMZ_TO_EXT2 flags S/SA modulate state
pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) proto { udp, icmp } tagged DMZ_TO_EXT2 keep state
pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) proto tcp tagged DMZ_TO_EXT1 flags S/SA modulate state
pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) proto { udp, icmp } tagged DMZ_TO_EXT1 keep state

################################################################################
# Classify traffic from Internet to DMZ                                        #
################################################################################
# WHISKEY
pass in on vlan0 proto tcp from any to 1.1.1.144/32 port = 22 flags S/SA keep state tag EXT1_TO_DMZ
pass in on vlan1 proto tcp from any to 2.2.2.2/32 port = 22 flags S/SA keep state tag EXT2_TO_DMZ

################################################################################
# Allow classified traffic from Internet to DMZ                                #
################################################################################
# Pass to DMZ traffic already approved by earlier rules
# and route replies to corresponding interface
# EXT1
pass out quick on $dmz_if reply-to ($ext_if1 $ext_gw1) proto tcp tagged EXT1_TO_DMZ flags S/SA keep state
pass out quick on $dmz_if reply-to ($ext_if1 $ext_gw1) tagged EXT1_TO_DMZ keep state
# EXT2
pass out quick on $dmz_if reply-to ($ext_if2 $ext_gw2) proto tcp tagged EXT2_TO_DMZ flags S/SA keep state
pass out quick on $dmz_if reply-to ($ext_if2 $ext_gw2) tagged EXT2_TO_DMZ keep state

################################################################################
# Other traffic                                                                #
################################################################################
# general "pass out" rules for external interfaces
pass out on { $ext_if1, $ext_if2, $dmz_if } proto tcp from any to any flags S/SA modulate state
pass out on { $ext_if1, $ext_if2, $dmz_if } proto { udp, icmp } from any to any keep state
# Zebra uses IGMP so let it work on DMZ interface
pass out on $dmz_if proto igmp from any to any allow-opts

Test case:
(done from a Linux machine in 1.1.1.128/25)

tcpreplay -e 1.1.1.133:255.255.255.255 -i eth0 packet
(where packet is a random captured UDP packet, using tcpdump -peni)

or

tcpreplay -e 1.1.1.133:10.2.2.2 -i eth0 packet
(where packet is a random captured UDP packet)

kills the machine.
The machine hangs and doesn't react to the keyboard, whatever.
Only a reset helps.
Directly blocking the addresses in pf.conf helps, and normal connections
with UDP disabled work well.
Any ideas?

Thanks a lot!

Sergey Lapin
System Administrator


Date: Fri, 5 Aug 2005 13:34:14 +0200
From: Daniel Hartmeier
To: Boris Polevoy
Cc: pf@benzedrine.cx, freebsd-pf@freebsd.org
Message-ID: <20050805113413.GR11104@insomnia.benzedrine.cx>
Subject: Re: PF ioctl(DIOCADDADDR) possible bug

On Fri, Aug 05, 2005 at 03:06:19PM +0400, Boris Polevoy wrote:

> In step 2 ioctl(DIOCADDADDR) does not check the pool ticket value, so there is a possible situation where another
> process, maliciously or through a failure, adds to the address pool without getting a pool ticket.
>
> Is it a bug or not?

Yes, I think it's an oversight to not check the ticket in DIOCADDADDR.

Depending on timing, one of two concurrent processes could add additional
addresses into the temporary pool that the other process will then commit.
The first one will get an error when trying to commit. There won't be any
data corruption or crashes or such, just the first process has inserted one
or more addresses into the pool that the second process is committing.

This is more of an issue when it happens by accident. A malicious process
with privileges to /dev/pf could produce the same (and worse) results more
easily without relying on this missing check, of course.

With the patch below (applies to both OpenBSD -current and FreeBSD
RELENG_5), this is prevented.

Daniel

Index: pf_ioctl.c
===================================================================
RCS file: /cvs/src/sys/net/pf_ioctl.c,v
retrieving revision 1.152
diff -u -r1.152 pf_ioctl.c
--- pf_ioctl.c	5 Aug 2005 09:03:19 -0000	1.152
+++ pf_ioctl.c	5 Aug 2005 11:21:40 -0000
@@ -2195,6 +2195,10 @@
 	case DIOCADDADDR: {
 		struct pfioc_pooladdr	*pp = (struct pfioc_pooladdr *)addr;
 
+		if(pp->ticket != ticket_pabuf) {
+			error = EBUSY;
+			break;
+		}
 #ifndef INET
 		if (pp->af == AF_INET) {
 			error = EAFNOSUPPORT;
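Review bot: style nit on the added `if(pp->ticket != ticket_pabuf) {` line: the neighbouring context line in this same hunk writes `if (pp->af == AF_INET) {` with a space after the keyword, so the new check should read `if (pp->ticket != ticket_pabuf) {` to match the file. The placement is right: the ticket is compared before the `#ifndef INET` address-family branches, so a request carrying a stale or foreign ticket is refused with EBUSY before anything can be appended to the pool buffer.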
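As an added illustration (not pf kernel code and not part of the thread), a small C model of the shared pool buffer, its ticket, and the interleaving of two processes that Daniel describes, run once without and once with the DIOCADDADDR ticket check. The struct and function names, the commit-side ticket check (assumed from "the first one will get an error when trying to commit"), and the sample addresses are all constructed for this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define POOL_MAX 8

/* Constructed model of the kernel's temporary pool-address buffer and the
 * ticket_pabuf that guards it. Not pf's code; names are this example's own. */
struct pabuf_model {
    unsigned ticket_pabuf;         /* ticket issued by the last DIOCBEGINADDRS */
    unsigned next_ticket;          /* source of fresh tickets */
    const char *addrs[POOL_MAX];   /* addresses staged, not yet committed */
    int naddrs;
    bool check_addaddr_ticket;     /* false: 5.4-RELEASE; true: with the patch */
};

void pabuf_init(struct pabuf_model *m, bool patched)
{
    memset(m, 0, sizeof *m);
    m->next_ticket = 1;
    m->check_addaddr_ticket = patched;
}

/* Step 1 (DIOCBEGINADDRS): empty the shared buffer and hand out a new ticket. */
unsigned model_beginaddrs(struct pabuf_model *m)
{
    m->naddrs = 0;
    m->ticket_pabuf = m->next_ticket++;
    return m->ticket_pabuf;
}

/* Step 2 (DIOCADDADDR): stage one address. Only the patched variant refuses a
 * caller whose ticket is no longer the current one, with EBUSY as in the diff. */
int model_addaddr(struct pabuf_model *m, unsigned ticket, const char *addr)
{
    if (m->check_addaddr_ticket && ticket != m->ticket_pabuf)
        return EBUSY;
    if (m->naddrs >= POOL_MAX)
        return ENOSPC;
    m->addrs[m->naddrs++] = addr;
    return 0;
}

/* Step 4 (the rule add/change that carries the pool ticket): assumed to verify
 * the ticket, which is why the first process errors at commit. On success the
 * staged addresses become the rule's pool and the buffer is spent. */
int model_commit(struct pabuf_model *m, unsigned pool_ticket,
                 const char *out[POOL_MAX], int *nout)
{
    if (pool_ticket != m->ticket_pabuf)
        return EBUSY;
    *nout = m->naddrs;
    memcpy(out, m->addrs, sizeof(const char *) * (size_t)m->naddrs);
    m->naddrs = 0;
    m->ticket_pabuf = 0;   /* spent: a later stale commit must fail as well */
    return 0;
}

struct race_result {
    int a_addaddr_err;     /* return of A's DIOCADDADDR issued with a stale ticket */
    int b_pool_size;       /* addresses that ended up in B's committed pool */
    bool b_has_a_addr;     /* did A's address leak into B's rule? */
    int a_commit_err;      /* return of A's own commit afterwards */
};

/* The interleaving from the thread: A begins, B begins (resetting the buffer),
 * A adds with its now-stale ticket, B adds its own two addresses and commits,
 * then A tries to commit. The addresses are constructed sample values. */
struct race_result run_race(bool patched)
{
    struct pabuf_model m;
    struct race_result r = {0, 0, false, 0};
    const char *b_pool[POOL_MAX], *a_pool[POOL_MAX];
    int a_n = 0;

    pabuf_init(&m, patched);
    unsigned ta = model_beginaddrs(&m);                       /* A: step 1 */
    unsigned tb = model_beginaddrs(&m);                       /* B: step 1 */
    r.a_addaddr_err = model_addaddr(&m, ta, "10.0.0.1");      /* A: step 2, stale */
    model_addaddr(&m, tb, "192.0.2.10");                      /* B: step 2 */
    model_addaddr(&m, tb, "192.0.2.11");
    if (model_commit(&m, tb, b_pool, &r.b_pool_size) == 0)    /* B: step 4 */
        for (int i = 0; i < r.b_pool_size; i++)
            if (strcmp(b_pool[i], "10.0.0.1") == 0)
                r.b_has_a_addr = true;
    r.a_commit_err = model_commit(&m, ta, a_pool, &a_n);      /* A: step 4 */
    return r;
}

int main(void)
{
    for (int patched = 0; patched < 2; patched++) {
        struct race_result r = run_race(patched);
        printf("%s: A addaddr=%d, B pool size=%d, A's address in B's pool=%s, A commit=%d\n",
               patched ? "patched  " : "unpatched", r.a_addaddr_err, r.b_pool_size,
               r.b_has_a_addr ? "yes" : "no", r.a_commit_err);
    }
    return 0;
}
```

Unpatched, B's committed pool contains three addresses including A's 10.0.0.1 and A's commit fails; patched, A's late DIOCADDADDR is already refused with EBUSY and B commits only its own two.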
From: Max Laier
To: freebsd-pf@freebsd.org
Cc: Michael Dexter
Date: Sat, 6 Aug 2005 04:01:39 +0200
Message-Id: <200508060401.45433.max@love2party.net>
Subject: Re: Can rdr rules include flags?

Michael,

On Friday 05 August 2005 09:25, Michael Dexter wrote:
> This a general PF question but I am using it in the FreeBSD environment.
>
> I am using an rdr rule to forward http traffic to a jail.
>
> rdr pass on $ext_if inet proto tcp from any to $ext_if port 8080 ->
> $www_ad port 80
>
> From what I can tell, an accompanying "pass" entry such as the
> following is not needed and is perhaps ignored.

yes, unless you remove the pass option from the rdr-rule.

> pass in on $ext_if inet proto tcp from any to $ext_if port 80 flags
> S/SA \ modulate state
>
> Is there any way to apply flags to rdr traffic to limit protocols or ports?

Just like that. Don't apply the pass option on the rdr-rule and use stateful
pass/block rules to further limit down the redirection.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From: Max Laier
To: freebsd-pf@freebsd.org, Sergey Lapin
Date: Sat, 6 Aug 2005 04:10:59 +0200
References: <48239d390508040958265ce62@mail.gmail.com> <48239d3905080504297b3ebc89@mail.gmail.com>
In-Reply-To: <48239d3905080504297b3ebc89@mail.gmail.com>
Message-Id: <200508060411.05482.max@love2party.net>
Subject: Re: Fwd: pf problems

Sergey,

On Friday 05 August 2005 13:29, Sergey Lapin wrote:
> Hi, all:
<...>
> Test case:
> (done from a Linux machine in 1.1.1.128/25)
>
> tcpreplay -e 1.1.1.133:255.255.255.255 -i eth0 packet
> (where packet is a random captured UDP packet, using tcpdump -peni)
>
> or
>
> tcpreplay -e 1.1.1.133:10.2.2.2 -i eth0 packet
> (where packet is a random captured UDP packet)
>
> kills the machine.
> The machine hangs and doesn't react to the keyboard, whatever.
> Only a reset helps.
> Directly blocking the addresses in pf.conf helps, and normal connections
> with UDP disabled
> work well.
> Any ideas?

What version of FreeBSD are you running?  Do you have a SMP/PREEMPTION kernel?
Does setting debug.mpsafenet=0 in loader.conf change the situation?  Do you
have a chance to attach a remote debugger or can you try to break into the
debugger from the console?

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News


Message-ID: <42F4F0CB.8050306@cs.tu-berlin.de>
Date: Sat, 06 Aug 2005 19:18:03 +0200
From: Björn König
To: pf@freebsd.org
Subject: pf causes freeze of amd64 machine on heavy network load

Hello,

recently I sent a mail to the current mailing list concerning this
problem, but I figured out that my problem is related to pf.

I have an amd64 machine with 6.0-BETA2 that freezes totally on heavy
network I/O with activated pf. I noticed that it doesn't occur with
every ruleset.

This is the output of dmesg; note the KDB backtraces during the attempt
to load pf.ko and system shutdown:

http://212.202.37.29/dateien/dmesg.txt

The following ruleset is neither complete nor optimized; I stopped
working on it when I noticed that pf doesn't work for me:

http://212.202.37.29/dateien/pf.conf.txt

Unfortunately the time-frame where I can make tests concerning this
issue is from now until Monday. I hope someone is able to reproduce the
error to make further investigations.

Regards
Björn

-- 
Björn König (bkoenig@cs.tu-berlin.de)
student at the Technische Universität Berlin
http://bkoenig.alpha-tierchen.de/

From: Max Laier
To: freebsd-pf@freebsd.org
Date: Sat, 6 Aug 2005 19:24:03 +0200
References: <42F4F0CB.8050306@cs.tu-berlin.de>
In-Reply-To: <42F4F0CB.8050306@cs.tu-berlin.de>
Message-Id: <200508061924.10927.max@love2party.net>
Subject: Re: pf causes freeze of amd64 machine on heavy network load

On Saturday 06 August 2005 19:18, Björn König wrote:
> Hello,
>
> recently I sent a mail to the current mailing list concerning this
> problem, but I figured out that my problem is related to pf.
>
> I have an amd64 machine with 6.0-BETA2 that freezes totally on heavy
> network I/O with activated pf. I noticed that it doesn't occur with
> every ruleset.
>
> This is the output of dmesg; note the KDB backtraces during the attempt
> to load pf.ko and system shutdown:
>
> http://212.202.37.29/dateien/dmesg.txt
>
> The following ruleset is neither complete nor optimized; I stopped
> working on it when I noticed that pf doesn't work for me:
>
> http://212.202.37.29/dateien/pf.conf.txt
>
> Unfortunately the time-frame where I can make tests concerning this
> issue is from now until Monday. I hope someone is able to reproduce the
> error to make further investigations.

From pf.conf(5):

BUGS
     Due to a lock order reversal (LOR) with the socket layer, the use of the
     group and user filter parameter in conjuction with a Giant-free netstack
     can result in a deadlock.  If you have to use group or user you must set
     debug.mpsafenet to ``0'' from the loader(8), for the moment.  This work-
     around will still produce the LOR, but Giant will protect from the dead-
     lock.

I am afraid this is what bites you.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Message-ID: <42F4FFA6.8090203@cs.tu-berlin.de>
Date: Sat, 06 Aug 2005 20:21:26 +0200
From: Björn König
To: Max Laier
Cc: freebsd-pf@freebsd.org
References: <42F4F0CB.8050306@cs.tu-berlin.de> <200508061924.10927.max@love2party.net>
In-Reply-To: <200508061924.10927.max@love2party.net>
Subject: Re: pf causes freeze of amd64 machine on heavy network load

Max Laier wrote:
> From pf.conf(5):
>
> BUGS
>      Due to a lock order reversal (LOR) with the socket layer, the use of the
>      group and user filter parameter in conjuction with a Giant-free netstack
>      can result in a deadlock.  If you have to use group or user you must set
>      debug.mpsafenet to ``0'' from the loader(8), for the moment.  This work-
>      around will still produce the LOR, but Giant will protect from the dead-
>      lock.
>
> I am afraid this is what bites you.

Many thanks for this hint. The impact on performance with
debug.mpsafenet=0 is not very important to me.

Björn

-- 
Björn König (bkoenig@cs.tu-berlin.de)
student at the Technische Universität Berlin
http://bkoenig.alpha-tierchen.de/