From owner-freebsd-pf@FreeBSD.ORG Mon Sep 5 05:32:19 2005
From: Sam Leffler
To: freebsd-pf@freebsd.org
Date: Sun, 04 Sep 2005 22:29:14 -0700
Subject: logging to another machine
Message-ID: <431BD7AA.4040300@errno.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

I'm converting an ipfw-based firewall to pf. The firewall runs on a soekris
where there's little space. I currently redirect ipfw log msgs via syslog to
another machine. Is there a similar way to do this with pf? I'm not keen on
accumulating stuff to the memory disk and flushing it periodically because
that leaves me open to losing stuff and also requires I run cron or something
similar on the firewall.
In lieu of something intelligent I tried using logger and tcpdump with
something like:

    tcpdump -i pflog0 -n -e -ttt | logger -p local7.info -h sysloghost

but that didn't work for some reason. Regardless it'd be nice to have
something less klunky and with less overhead.

Sam

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 5 07:26:33 2005
From: "Greg Hennessy"
Date: Mon, 5 Sep 2005 08:26:30 +0100
Subject: RE: logging to another machine
In-Reply-To: <431BD7AA.4040300@errno.com>
Message-Id: <20050905072630.664053A@gw2.local.net>

> tcpdump -i pflog0 -n -e -ttt | logger -p local7.info -h sysloghost
>
> but that didn't work for some reason.

Add the '-l' flag to tcpdump and it will.
~ # ps axww | egrep 'tcpdump|logger'
  428 con- S      0:02.70 tcpdump -s 96 -l -e -t -i pflog0
  429 con- S      0:00.30 logger -p local0.info -t pf

> Regardless it'd be
> nice to have something less klunky and with less overhead.

It would :-), but it's the best I've found for logging pf to syslog.

Greg

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 5 08:09:51 2005
From: Vladimir Kotal
Reply-To: vlada@devnull.cz
Date: Mon, 5 Sep 2005 10:09:49 +0200
Subject: Re: logging to another machine
In-Reply-To: <20050905072630.664053A@gw2.local.net>
Message-ID: <20050905080949.GA19145@otaku.xtrmntr.org>

On Mon, Sep 05, 2005 at 08:26:30AM +0100, Greg Hennessy wrote:
> > tcpdump -i pflog0 -n -e -ttt | logger -p local7.info -h sysloghost
> >
> > but that didn't work for some reason.
>
> Add the '-l' flag to tcpdump and it will.
>
> ~ # ps axww | egrep 'tcpdump|logger'
>   428 con- S      0:02.70 tcpdump -s 96 -l -e -t -i pflog0
>   429 con- S      0:00.30 logger -p local0.info -t pf
>

So, the following looks like what can be put into /etc/rc* script for your
favorite embedded distribution:

ifconfig pflog0 up
tcpdump -s 96 -l -e -t -i pflog0 2>/dev/null | \
    logger -p local0.info -t pf &

It could be nice if pflogd supported logging to syslog directly.

v.

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 5 08:21:24 2005
From: Daniel Hartmeier
To: Vladimir Kotal
Cc: freebsd-pf@freebsd.org
Date: Mon, 5 Sep 2005 10:21:20 +0200
Subject: Re: logging to another machine
In-Reply-To: <20050905080949.GA19145@otaku.xtrmntr.org>
Message-ID: <20050905082120.GD27277@insomnia.benzedrine.cx>
On Mon, Sep 05, 2005 at 10:09:49AM +0200, Vladimir Kotal wrote:
> So, the following looks like what can be put into /etc/rc* script for your
> favorite embedded distribution:
>
> ifconfig pflog0 up
> tcpdump -s 96 -l -e -t -i pflog0 2>/dev/null | \
>     logger -p local0.info -t pf &
>
> It could be nice if pflogd supported logging to syslog directly.

It would have to duplicate (or link against, I guess) a lot of code in
tcpdump, especially all the protocol-printers if you wanted to add -vvv,
and then that code redundancy would have to be kept in sync, etc.

One tool for one purpose, right? :)

Daniel

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 5 08:48:04 2005
From: "Greg Hennessy"
Date: Mon, 5 Sep 2005 09:47:59 +0100
Subject: RE: logging to another machine
In-Reply-To: <20050905080949.GA19145@otaku.xtrmntr.org>
Message-Id: <20050905084759.95B894D@gw2.local.net>
> So, the following looks like what can be put into /etc/rc*
> script for your favorite embedded distribution:
>
> ifconfig pflog0 up
> tcpdump -s 96 -l -e -t -i pflog0 2>/dev/null | \
>     logger -p local0.info -t pf &

Pretty much so

~ # grep -i pflog /etc/rc.local
echo -n "pflog -> syslog"
ifconfig pflog0 up
tcpdump -s 96 -l -e -t -i pflog0 | logger -p local0.info -t pf &

~ # grep -i local0.info /etc/syslog.conf
local0.info	/var/log/pflog.txt
local0.info	@loghost

~ # grep -i pflog.txt /etc/newsyslog.conf
/var/log/pflog.txt	600	7	*	@T00	Z

The '-s 96' is required, because I don't have option INET6 compiled into
the kernel.

> It could be nice if pflogd supported logging to syslog directly.

I can see Daniel's point on the complexity of replicating what tcpdump does
already. TBH, I've never found the overhead to be too onerous; if you add
'-n' to tcpdump it'll reduce it even more.
greg

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 5 11:02:16 2005
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 5 Sep 2005 11:02:14 GMT
Subject: Current problem reports assigned to you
Message-Id: <200509051102.j85B2Eg6076959@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2005/06/15] kern/82271  pf    [pf] cbq scheduler cause bad latency

1 problem total.

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2005/05/15] conf/81042  pf    [patch] /etc/pf.os doesn't match FreeBSD

1 problem total.

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 5 15:46:42 2005
From: Sam Leffler
To: freebsd-pf@freebsd.org
Date: Mon, 05 Sep 2005 08:53:34 -0700
Subject: Re: logging to another machine
Message-ID: <431C69FE.4000100@errno.com>

[folks left me off the cc so I didn't see any replies until I checked the
archives...]
> On Mon, Sep 05, 2005 at 10:09:49AM +0200, Vladimir Kotal wrote:
>
>> So, the following looks like what can be put into /etc/rc* script for your
>> favorite embedded distribution:
>>
>> ifconfig pflog0 up
>> tcpdump -s 96 -l -e -t -i pflog0 2>/dev/null | \
>>     logger -p local0.info -t pf &
>>
>> It could be nice if pflogd supported logging to syslog directly.
>
> It would have to duplicate (or link against, I guess) a lot of code in
> tcpdump, especially all the protocol-printers if you wanted to add -vvv,
> and then that code redundancy would have to be kept in sync, etc.
>
> One tool for one purpose, right? :)
>

[Thanks for the -l response, realized it moments after posting :)]

I don't want ascii logged, I want the binary data logged remotely.
Installing tcpdump on the firewall just to log stuff is way overkill (though
if it's there already one cares less). I build very small systems (this
firewall is typically <8Mb cf and ram is typically very tight too) and
requiring tcpdump just to log pf stuff is unacceptable. Guess I need to roll
my own logger program that reads from pflog and dispatches to another machine.
Sam

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 5 16:09:07 2005
From: "Greg Hennessy"
Date: Mon, 5 Sep 2005 17:09:02 +0100
Subject: RE: logging to another machine
In-Reply-To: <431C69FE.4000100@errno.com>
Message-Id: <20050905160903.49AA03A@gw2.local.net>

> [Thanks for the -l response, realized it moments after posting :)]

Yes, I scratched my head too until I figured out the -l rune LOL.

> I don't want ascii logged, I want the binary data logged remotely.
> Installing tcpdump on the firewall just to log stuff is way
> overkill (though if it's there already one cares less). I
> build very small systems (this firewall is typically <8Mb cf
> and ram is typically very tight too) and requiring tcpdump
> just to log pf stuff is unacceptable.
>
> Guess I need to roll my own logger program that reads from
> pflog and dispatches to another machine.
>

ISTR a pflogd patch for OBSD 3.[34] which did something similar.

/me does a google

Ahh, here we go

http://www.klake.org/~jt/pflogd/

Greg
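Sam's "roll my own logger" above, as an added example that is not code from the thread, from pf or from pflogd: a C formatter that turns one raw pflog record (what a BPF read on pflog0 hands you) into a syslog-style line without tcpdump, with a constructed sample record to exercise it. It assumes the 2005-era 64-byte struct pfloghdr layout from sys/net/if_pflog.h and decodes IPv4 only; the BPF read loop and the send to the loghost are left out.

```c
/*
 * Added example, not code from the thread or from pf: the core of the
 * "roll my own logger" Sam describes, i.e. turning one raw pflog record
 * into a text line without tcpdump. A record is struct pfloghdr followed
 * by the captured packet. The header layout is ASSUMED from the 2005-era
 * FreeBSD/OpenBSD sys/net/if_pflog.h (64 bytes, integers in host byte
 * order); check it against your kernel's header before relying on it.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define PFLOG_HDRLEN 64                 /* sizeof(struct pfloghdr), assumed layout */
#define IFNAMSZ      16
enum { PFL_PASS = 0, PFL_DROP = 1 };    /* pfvar.h: enum { PF_PASS, PF_DROP, ... } */
enum { PFL_IN = 1, PFL_OUT = 2 };       /* pfvar.h: enum { PF_INOUT, PF_IN, PF_OUT } */

/*
 * Assumed offsets: length 0, af 1, action 2, reason 3, ifname 4..19,
 * ruleset 20..35, rulenr 36, subrulenr 40, uid/pid fields 44..59, dir 60.
 * Writes "rule N/M(reason): action dir on ifname: src > dst proto P len L"
 * and returns the line length, or -1 for a truncated record or a header
 * length byte pointing outside the buffer. That byte is the only thing
 * between a malformed record and an out-of-bounds read, so it is checked
 * before any packet byte is touched.
 */
int format_pflog_record(const unsigned char *rec, size_t len, char *out, size_t outlen)
{
    char ifname[IFNAMSZ + 1], src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
    struct in_addr sa, da;
    uint32_t rulenr, subrulenr;
    size_t off;
    int n, m;

    if (len < PFLOG_HDRLEN)
        return -1;
    off = ((size_t)rec[0] + 3) & ~(size_t)3;          /* BPF_WORDALIGN(length) */
    if (off < PFLOG_HDRLEN || off > len)
        return -1;
    memcpy(ifname, rec + 4, IFNAMSZ);
    ifname[IFNAMSZ] = '\0';                           /* never trust kernel NUL padding */
    memcpy(&rulenr, rec + 36, sizeof rulenr);
    memcpy(&subrulenr, rec + 40, sizeof subrulenr);
    n = snprintf(out, outlen, "rule %u/%u(%s): %s %s on %s: ",
                 (unsigned)rulenr, (unsigned)subrulenr,
                 rec[3] == 0 ? "match" : "other",      /* PFRES_MATCH is 0 */
                 rec[2] == PFL_PASS ? "pass" : rec[2] == PFL_DROP ? "block" : "other",
                 rec[60] == PFL_IN ? "in" : rec[60] == PFL_OUT ? "out" : "?", ifname);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    if (rec[1] != AF_INET || len - off < 20) {        /* only IPv4 is decoded here */
        m = snprintf(out + n, outlen - n, "af %u, %zu packet bytes", (unsigned)rec[1], len - off);
        return m < 0 ? -1 : n + m;
    }
    memcpy(&sa.s_addr, rec + off + 12, 4);            /* IPv4 src/dst are already in */
    memcpy(&da.s_addr, rec + off + 16, 4);            /* network order for inet_ntop */
    inet_ntop(AF_INET, &sa, src, sizeof src);
    inet_ntop(AF_INET, &da, dst, sizeof dst);
    m = snprintf(out + n, outlen - n, "%s > %s proto %u len %u", src, dst,
                 (unsigned)rec[off + 9], (unsigned)((rec[off + 2] << 8) | rec[off + 3]));
    return m < 0 ? -1 : n + m;
}

/* Constructed sample record (not a real capture): "block in on em0", rule 3,
 * one 40-byte TCP packet 10.0.0.5 -> 192.0.2.1. Returns the record length. */
size_t build_sample_record(unsigned char *buf, size_t buflen)
{
    static const unsigned char ip[20] = {
        0x45, 0, 0, 40,  0, 0, 0, 0,  64, 6, 0, 0,    /* v4, ihl 5, len 40, ttl 64, TCP */
        10, 0, 0, 5,  192, 0, 2, 1 };
    uint32_t rulenr = 3;

    if (buflen < PFLOG_HDRLEN + sizeof ip)
        return 0;
    memset(buf, 0, PFLOG_HDRLEN);
    buf[0] = 61;                       /* PFLOG_REAL_HDRLEN: bytes before the 3 pad bytes */
    buf[1] = AF_INET;
    buf[2] = PFL_DROP;                 /* reason byte stays 0 = match */
    memcpy(buf + 4, "em0", 3);
    memcpy(buf + 36, &rulenr, sizeof rulenr);
    buf[60] = PFL_IN;
    memcpy(buf + PFLOG_HDRLEN, ip, sizeof ip);
    return PFLOG_HDRLEN + sizeof ip;
}

int main(void)
{
    unsigned char rec[128];
    char line[256];
    size_t n = build_sample_record(rec, sizeof rec);

    if (format_pflog_record(rec, n, line, sizeof line) < 0)
        return 1;
    puts(line);   /* rule 3/0(match): block in on em0: 10.0.0.5 > 192.0.2.1 proto 6 len 40 */
    return 0;
}
```

Everything after the header is whatever arrived on the wire, so the record's length byte and the IPv4 field offsets are bounds-checked before any packet byte is read.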
From owner-freebsd-pf@FreeBSD.ORG Tue Sep 6 11:53:03 2005
From: Szukács István
To: freebsd-pf@freebsd.org
Date: Tue, 06 Sep 2005 13:52:45 +0200
Subject: pf ruleset modify from jail
Message-ID: <431D830D.1080906@gmail.com>

The problem is that inside the jail the root has access to pf (the outside
system's pf), and can read/write the ruleset.
How can I protect it?

--
the sun shines for all

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 6 14:47:21 2005
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Tue, 6 Sep 2005 16:47:06 +0200
Subject: Bugfixes from OpenBSD
Message-Id: <200509061647.17130.max@love2party.net>

All,

I am going to import the following bugfixes from OpenBSD shortly:

pf_ioctl.c Revision 1.158 Mon Sep 5 14:51:08 2005 UTC by dhartmei
| in DIOCCHANGERULE, properly initialize table, if used in NAT rule.
| from Boris Polevoy, ok mcbride@

pf.c Revision 1.502 Mon Aug 22 11:54:25 2005 UTC by dhartmei
| when nat'ing icmp 'connections', replace icmp id with proxy values
| (similar to proxy ports for tcp/udp). not all clients use per-invokation
| random ids, this allows multiple concurrent connections from such clients.
| thanks for testing to Rod Whitworth, "looks ok" markus@

pf.c Revision 1.501 Mon Aug 22 09:48:05 2005 UTC by dhartmei
| fix rdr to bitmask replacement address pool. patch from Max Laier,
| reported by Boris Polevoy, tested by Jean Debogue, ok henning@

As all three have emerged from here and patches are available, I'd like to
know if anyone has seen fallout from any of these changes. Also, is there
anything more that I should be looking at?
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 6 14:50:47 2005
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Tue, 6 Sep 2005 16:50:42 +0200
Subject: Re: pf ruleset modify from jail
In-Reply-To: <431D830D.1080906@gmail.com>
Message-Id: <200509061650.54519.max@love2party.net>
On Tuesday 06 September 2005 13:52, Szukács István wrote:
> The problem is that inside the jail the root has access to pf (the
> outside system's pf), and can read/write the ruleset.
> How can I protect it?

You can use devfs rulesets to hide /dev/pf from the jail's devfs. See
devfs(8) for more details.

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 6 14:54:12 2005
From: Sean Leach
To: freebsd-pf@freebsd.org
Date: Tue, 6 Sep 2005 07:54:11 -0700
Subject: PF and load balancing outgoing connections issue
Message-ID: <456664705090607545972d483@mail.gmail.com>

Hey all,

Using FreeBSD 5.3 release #1, I am having some troubles getting outgoing load
balancing working with PF. It actually works fine for NAT'd outbound
connections, but when packets come IN, they get balanced going back out,
which leads them to take the wrong path back to the source. I am sure it's
something silly I am doing. I have some servers in the LAN I am doing 1-1
NAT'ing with redirects.

Here is the setup.
LAN -> FreeBSD Gateway -> cable -> DSL

Here are my relevant config entries:

int_net="192.168.1.0/24"

pass out on $int_if from any to $int_net
pass in quick on $int_if from $int_net to $int_if
pass in on $int_if route-to \
    { ($dsl_if $dsl_gw), ($cable_if $cable_gw) } round-robin \
    from $int_net to any keep state
pass out on $dsl_if route-to ($cable_if $cable_gw) from $cable_if to any
pass out on $cable_if route-to ($dsl_if $dsl_gw) from $dsl_if to any

So if I send a web request to one of the 1-1 NAT'd machines from outside the
network, it will go in the DSL interface, and half the time the reply will go
out the DSL interface. Sometimes though, I see the packet go out the cable
interface instead; this is when it doesn't work.

Any thoughts/tips I should be aware of? This is my first time doing this so
I am definitely a n00b :)

Thanks!

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 6 20:19:43 2005
From: Szukács István
To: freebsd-pf@freebsd.org
Date: Tue, 06 Sep 2005 22:19:37 +0200
Subject: Re: pf ruleset modify from jail
In-Reply-To: <200509061650.54519.max@love2party.net>
Message-ID: <431DF9D9.8050809@gmail.com>

Max Laier:
> On Tuesday 06 September 2005 13:52, Szukács István wrote:
>> The problem is that inside the jail the root has access to pf (the
>> outside system's pf), and can read/write the ruleset.
>> How can I protect it?
>
> You can use devfs rulesets to hide /dev/pf from the jail's devfs. See
> devfs(8) for more details.
I try to use these rulesets but I am a little bit confused (there is no
detailed howto), but it does not belong to this list anymore.

Thanks anyway

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 7 14:31:56 2005
From: "Constant, Benjamin"
To: 'Max Laier'
Cc: freebsd-pf@freebsd.org
Date: Wed, 7 Sep 2005 16:30:37 +0200
Subject: RE: Bugfixes from OpenBSD

Hi Max,

It would be great if you could import altq support on bge interface. I
tested and reported positive feedback some weeks ago but I didn't get any
answer.

Thanks!
Regards,

Benjamin Constant
TI Automotive

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org
> [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Max Laier
> Sent: mardi 6 septembre 2005 16:47
> To: freebsd-pf@freebsd.org
> Subject: Bugfixes from OpenBSD
>
> All,
>
> I am going to import the following bugfixes from OpenBSD shortly:
>
> pf_ioctl.c Revision 1.158 Mon Sep 5 14:51:08 2005 UTC by dhartmei
> | in DIOCCHANGERULE, properly initialize table, if used in NAT rule.
> | from Boris Polevoy , ok mcbride@
>
> pf.c Revision 1.502 Mon Aug 22 11:54:25 2005 UTC by dhartmei
> | when nat'ing icmp 'connections', replace icmp id with proxy values
> | (similar to proxy ports for tcp/udp). not all clients use
> | per-invokation random ids, this allows multiple concurrent
> connections from such clients.
> | thanks for testing to Rod Whitworth, "looks ok" markus@
>
> pf.c Revision 1.501 Mon Aug 22 09:48:05 2005 UTC by dhartmei
> | fix rdr to bitmask replacement address pool. patch from Max Laier,
> | reported by Boris Polevoy, tested by Jean Debogue, ok henning@
>
> As all three have emerged from here and patches are
> available, I'd like to know if anyone has seen fallout from
> any of these changes. Also, is there anything more that I
> should be looking at?
>
> --
> /"\ Best regards, | mlaier@freebsd.org
> \ / Max Laier | ICQ #67774661
> X http://pf4freebsd.love2party.net/ | mlaier@EFnet
> / \ ASCII Ribbon Campaign | Against HTML Mail and News
>

The information contained in this transmission may contain privileged and confidential information. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. This communication is from TI Automotive.
From owner-freebsd-pf@FreeBSD.ORG Wed Sep 7 15:06:07 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1270F16A41F for ; Wed, 7 Sep 2005 15:06:07 +0000 (GMT) (envelope-from wash@wananchi.com) Received: from ns2.wananchi.com (mail.wananchi.com [62.8.64.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6C6CC43D46 for ; Wed, 7 Sep 2005 15:06:03 +0000 (GMT) (envelope-from wash@wananchi.com) Received: from wash by ns2.wananchi.com with local (Exim 4.52 #0 (FreeBSD 4.11-STABLE)) id 1ED1Ut-000FhV-PH by authid for ; Wed, 07 Sep 2005 18:05:59 +0300 Resent-From: wash@wananchi.com Resent-Date: Wed, 7 Sep 2005 18:05:59 +0300 Resent-Message-ID: <20050907150559.GF77162@ns2.wananchi.com> Resent-To: freebsd-pf@freebsd.org Received: from exim by ns2.wananchi.com with local (Exim 4.51 #0 (FreeBSD 4.11-STABLE)) id 1E0j3n-000OBL-Uy for ; Thu, 04 Aug 2005 19:59:11 +0300 Received: from mx2.freebsd.org ([216.136.204.119]) by ns2.wananchi.com with esmtp (Exim 4.51 #0 (FreeBSD 4.11-STABLE)) id 1E0j3e-000O2n-UB for ; Thu, 04 Aug 2005 19:59:05 +0300 Received: from hub.freebsd.org (hub.freebsd.org [216.136.204.18]) by mx2.freebsd.org (Postfix) with ESMTP id 595485CE49; Thu, 4 Aug 2005 16:58:40 +0000 (GMT) (envelope-from owner-freebsd-questions@freebsd.org) Received: from hub.freebsd.org (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id A5F8016A423; Thu, 4 Aug 2005 16:58:38 +0000 (GMT) (envelope-from owner-freebsd-questions@freebsd.org) X-Original-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D323F16A420 for ; Thu, 4 Aug 2005 16:58:30 +0000 (GMT) (envelope-from slapinid@gmail.com) Received: from zproxy.gmail.com (zproxy.gmail.com [64.233.162.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3810E43D4C for ; Thu, 4 Aug 2005 16:58:30 
+0000 (GMT) (envelope-from slapinid@gmail.com) Received: by zproxy.gmail.com with SMTP id z6so239007nzd for ; Thu, 04 Aug 2005 09:58:29 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=msgjukjtlswdz/FQf3XAp5PdgxMLj056tWqD/E+va0OoLWEnl5T1zCmxTrF1NLZyDNLMLWAtbxaltdRNX0jd0H4xYqqaz1orSxNOtWO4cOYVdKSy+p9ffExCG237M6H4Ko4lsShWcrQ7WZEGVjpXpjSWNrfWBu6dcEygBoYKRSA= Received: by 10.36.247.20 with SMTP id u20mr626629nzh; Thu, 04 Aug 2005 09:58:29 -0700 (PDT) Received: by 10.36.33.4 with HTTP; Thu, 4 Aug 2005 09:58:29 -0700 (PDT) Message-ID: <48239d390508040958265ce62@mail.gmail.com> From: Sergey Lapin To: freebsd-questions@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Old-Reply-To: Sergey Lapin Sender: owner-freebsd-questions@freebsd.org Errors-To: owner-freebsd-questions@freebsd.org X-Virus_Scanned: Checked by ClamAV (http://www.clamav.net/) X-Scan-Signature: 3d9c97959b63789d332076e26c4bc4f4 X-FILTER-DSPAM: by ns2.wananchi.com on Thu, 04 Aug 2005 19:59:05 +0300 X-DSPAM-Result: Innocent X-DSPAM-Processed: Thu Aug 4 19:59:11 2005 X-DSPAM-Confidence: 0.9997 X-DSPAM-Probability: 0.0000 X-DSPAM-Signature: 42f2495f929064343338786 X-Received-Path: wash@wananchi.com wash@wananchi.com freebsd-questions@freebsd.org freebsd-questions@freebsd.org freebsd-questions@freebsd.org Resent-Sender: Odhiambo Washington Resent-Date: Wed, 07 Sep 2005 18:05:59 +0300 Cc: Subject: pf problems X-BeenThere: freebsd-pf@freebsd.org List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Date: Wed, 07 Sep 2005 15:06:07 -0000 X-Original-Date: Thu, 4 Aug 2005 20:58:29 
+0400 X-List-Received-Date: Wed, 07 Sep 2005 15:06:07 -0000

Hi, all:

Configuration: (all addresses fake, 1.1.1.x - from ISP1, 2.2.2 - from ISP2)

# grep ifconfig /etc/rc.conf
ifconfig_xl0="inet 1.1.1.254 netmask 255.255.255.128"
ifconfig_xl0_alias0="inet 2.2.2.2 netmask 255.255.255.128"
ifconfig_xl1="inet 192.168.255.1 netmask 255.255.255.255"
ifconfig_vlan0="inet 1.1.1.3 netmask 255.255.255.0 vlan 1001 vlandev xl1 mtu 1496"
ifconfig_vlan1="inet 2.2.2.174 netmask 255.255.255.252 vlan 1004 vlandev xl1 mtu 1496"
# grep defaultrouter /etc/rc.conf
defaultrouter="62.152.84.1"
# cat /etc/pf.conf
# $FreeBSD: src/etc/pf.conf,v 1.1.2.1 2004/09/17 18:27:14 mlaier Exp $
# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

ext_if1 = "vlan0"
ext_if2 = "vlan1"
dmz_if = "xl0"
ext_gw1 = "1.1.1.1"
ext_gw2 = "2.2.2.173"
lan_net = "192.168.0.0/16"
dmz_net1 = "1.1.1.128/25"
dmz_net2 = "2.2.2.0/25"
table const { $dmz_net1, $dmz_net2, $lan_net }

set block-policy drop
set state-policy floating

# Normalize all incoming streams
scrub in on $ext_if1
scrub in on $ext_if2

################################################################################
# NAT                                                                          #
################################################################################
# nat outgoing connections on each internet interface
nat on $ext_if1 from { $lan_net $dmz_net2 } to any -> ($ext_if1)
nat on $ext_if2 from { $lan_net $dmz_net1 } to any -> ($ext_if2)

################################################################################
# Block everything by default                                                  #
################################################################################
# default deny silently
block drop all
# block IDENT notifying sender to prevent sendmail and the like from
# wasting time waiting for timeout
block return in on { $ext_if1 $ext_if2 } proto { tcp, udp } to port = auth
block drop log on xl0 all

################################################################################
# Traffic to gateway itself                                                    #
################################################################################
# pass in quick any packets destined for the gateway itself
pass in quick on $dmz_if proto tcp from any to $dmz_if flags S/SA keep state
pass in quick on $dmz_if inet proto { udp, icmp } from any to $dmz_if keep state
# pass multicast and IGMP traffic
pass quick on $dmz_if inet from any to 224.0.0.0/4 allow-opts keep state
pass quick on lo0

################################################################################
# Classify traffic from DMZ                                                    #
################################################################################
# pass traffic from DMZ to Internet
pass in on $dmz_if proto udp from $dmz_net1 to any port = 53 keep state tag DMZ_TO_EXT1
pass in on $dmz_if proto udp from $dmz_net2 to any port = 53 keep state tag DMZ_TO_EXT2
# Allow all outgoing connections from DMZ
pass in on $dmz_if inet proto tcp from $dmz_net1 to any flags S/SA keep state tag DMZ_TO_EXT1
pass in on $dmz_if inet proto { udp, icmp } from $dmz_net1 to any keep state tag DMZ_TO_EXT1
pass in on $dmz_if inet proto tcp from $dmz_net2 to any flags S/SA keep state tag DMZ_TO_EXT2
pass in on $dmz_if inet proto { udp, icmp } from $dmz_net2 to any keep state tag DMZ_TO_EXT2
# Allow gateway to route between different networks on the DMZ
# DMZ nets -> DMZ nets
pass in on $dmz_if inet proto tcp from { $dmz_net1, $dmz_net2 } to { $dmz_net1, $dmz_net2 } flags S/SA keep state tag DMZ_TO_DMZ
pass in on $dmz_if inet from { $dmz_net1, $dmz_net2 } to { $dmz_net1, $dmz_net2 } keep state tag DMZ_TO_DMZ
# DMZ nets -> LAN net
pass in on $dmz_if inet proto tcp from { $dmz_net1, $dmz_net2 } to $lan_net flags S/SA keep state tag DMZ_TO_LAN
pass in on $dmz_if inet from { $dmz_net1, $dmz_net2 } to $lan_net keep state tag DMZ_TO_LAN
# LAN net -> DMZ nets
pass in on $dmz_if inet proto tcp from $lan_net to { $dmz_net1, $dmz_net2 } flags S/SA keep state tag LAN_TO_DMZ
pass in on $dmz_if inet from $lan_net to { $dmz_net1, $dmz_net2 } keep state tag LAN_TO_DMZ

################################################################################
# Allow classified traffic from DMZ                                            #
################################################################################
# Allow incoming packets from DMZ one more time and route them appropriately
# This must be done to IN packets because if we only do it for OUT packets, it happens too late -
# packet is routed appropriately, but NAT rule for wrong interface gets fired
pass in quick on $dmz_if route-to ($ext_if1 $ext_gw1) proto tcp tagged DMZ_TO_EXT1 flags S/SA modulate state
pass in quick on $dmz_if route-to ($ext_if1 $ext_gw1) proto { udp, icmp } tagged DMZ_TO_EXT1 keep state
pass in quick on $dmz_if route-to ($ext_if2 $ext_gw2) proto tcp tagged DMZ_TO_EXT2 flags S/SA modulate state
pass in quick on $dmz_if route-to ($ext_if2 $ext_gw2) proto { udp, icmp } tagged DMZ_TO_EXT2 keep state
# Allow OUT traffic
pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) proto tcp tagged DMZ_TO_EXT2 flags S/SA modulate state
pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) proto { udp, icmp } tagged DMZ_TO_EXT2 keep state
pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) proto tcp tagged DMZ_TO_EXT1 flags S/SA modulate state
pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) proto { udp, icmp } tagged DMZ_TO_EXT1 keep state

################################################################################
# Classify traffic from Internet to DMZ                                        #
################################################################################
# WHISKEY
pass in on vlan0 proto tcp from any to 1.1.1.144/32 port = 22 flags S/SA keep state tag EXT1_TO_DMZ
pass in on vlan1 proto tcp from any to 2.2.2.2/32 port = 22 flags S/SA keep state tag EXT2_TO_DMZ

################################################################################
# Allow classified traffic from Internet to DMZ                                #
################################################################################
# Pass to DMZ traffic already approved by earlier rules
# and route replies to corresponding interface
# EXT1
pass out quick on $dmz_if reply-to ($ext_if1 $ext_gw1) proto tcp tagged EXT1_TO_DMZ flags S/SA keep state
pass out quick on $dmz_if reply-to ($ext_if1 $ext_gw1) tagged EXT1_TO_DMZ keep state
# EXT2
pass out quick on $dmz_if reply-to ($ext_if2 $ext_gw2) proto tcp tagged EXT2_TO_DMZ flags S/SA keep state
pass out quick on $dmz_if reply-to ($ext_if2 $ext_gw2) tagged EXT2_TO_DMZ keep state

################################################################################
# Other traffic                                                                #
################################################################################
# general "pass out" rules for external interfaces
pass out on { $ext_if1, $ext_if2, $dmz_if } proto tcp from any to any flags S/SA modulate state
pass out on { $ext_if1, $ext_if2, $dmz_if } proto { udp, icmp } from any to any keep state
# Zebra uses IGMP so let it work on DMZ interface
pass out on $dmz_if proto igmp from any to any allow-opts

Test case: (done from a Linux machine in 1.1.1.128/25)

tcpreplay -e 1.1.1.133:255.255.255.255 -i eth0 packet
(where packet is a random UDP packet captured using tcpdump -peni)

or

tcpreplay -e 1.1.1.133:10.2.2.2 -i eth0 packet
(where packet is a random captured UDP packet)

kills the machine. The machine hangs and doesn't react to the keyboard, whatever. Only a reset helps.
Directly blocking the addresses in pf.conf helps, and normal connections with UDP disabled work well.

Any ideas?

Thanks a lot!

Sergey Lapin
System Administrator

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 8 15:12:41 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EF3A016A41F for ; Thu, 8 Sep 2005 15:12:40 +0000 (GMT) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.188]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5573C43D45 for ; Thu, 8 Sep 2005 15:12:40 +0000 (GMT) (envelope-from max@love2party.net) Received: from p54A3EC69.dip.t-dialin.net [84.163.236.105] (helo=donor.laier.local) by mrelayeu.kundenserver.de with ESMTP (Nemesis), id 0ML25U-1EDO4o2PFJ-0005VE; Thu, 08 Sep 2005 17:12:34 +0200 From: Max Laier To: "Constant, Benjamin" Date: Thu, 8 Sep 2005 17:12:21
+0200 User-Agent: KMail/1.8.2 References: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart3003890.flZnoRuTQI"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200509081712.32511.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: freebsd-pf@freebsd.org Subject: Re: Bugfixes from OpenBSD X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Sep 2005 15:12:41 -0000

--nextPart3003890.flZnoRuTQI
Content-Type: text/plain; charset="iso-8859-6"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On Wednesday 07 September 2005 16:30, Constant, Benjamin wrote:
> It would be great if you could import ALTQ support on the bge interface.
> I tested and reported positive feedback some weeks ago but I didn't get any
> answer.

FWIW, ALTQ is supported by bge. As per altq(4):

SUPPORTED DEVICES
     The driver modifications described in altq(9) are required to use a
     certain network card with ALTQ. They have been applied to the following
     hardware drivers: an(4), ath(4), awi(4), bfe(4), bge(4), dc(4), de(4),
                                                      ^^^
                       ed(4), em(4), fxp(4), hme(4), lnc(4), re(4), rl(4), sf(4), sis(4), sk(4),
                       ste(4), vr(4), wi(4), and xl(4).

     The ndis(4) framework also has support for ALTQ and thus all encapsulated
     drivers.

     The tun(4) pseudo driver also does support ALTQ and includes the required
     modifications.

The other changes/fixes are now in HEAD and will be MFCed in three days unless
there are any problems - so please test if you have a chance.
> > All,
> >
> > I am going to import the following bugfixes from OpenBSD shortly:
> >
> > pf_ioctl.c Revision 1.158 Mon Sep 5 14:51:08 2005 UTC by dhartmei
> >
> > | in DIOCCHANGERULE, properly initialize table, if used in NAT rule.
> > | from Boris Polevoy , ok mcbride@
> >
> > pf.c Revision 1.502 Mon Aug 22 11:54:25 2005 UTC by dhartmei
> >
> > | when nat'ing icmp 'connections', replace icmp id with proxy values
> > | (similar to proxy ports for tcp/udp). not all clients use
> > | per-invokation random ids, this allows multiple concurrent
> >
> > connections from such clients.
> >
> > | thanks for testing to Rod Whitworth, "looks ok" markus@
> >
> > pf.c Revision 1.501 Mon Aug 22 09:48:05 2005 UTC by dhartmei
> >
> > | fix rdr to bitmask replacement address pool. patch from Max Laier,
> > | reported by Boris Polevoy, tested by Jean Debogue, ok henning@
> >
> > As all three have emerged from here and patches are
> > available, I'd like to know if anyone has seen fallout from
> > any of these changes. Also, is there anything more that I
> > should be looking at?
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

--nextPart3003890.flZnoRuTQI
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQBDIFTgXyyEoT62BG0RAv8AAJsFjiBN9fDorF8vIsuouuIwIRbXgwCfV70W
VhYtWEUa6XvH8kkS8LOMcKo=
=CGE1
-----END PGP SIGNATURE-----

--nextPart3003890.flZnoRuTQI--

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 9 07:20:10 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5DFCC16A41F for ; Fri, 9 Sep 2005 07:20:10 +0000 (GMT) (envelope-from bconstant@be.tiauto.com) Received: from smtp.eu.tiauto.com (smtp.eu.tiauto.com [195.127.176.196]) by mx1.FreeBSD.org (Postfix) with ESMTP id BA1EA43D46 for ; Fri, 9 Sep 2005 07:20:09 +0000 (GMT) (envelope-from bconstant@be.tiauto.com) Received: by euex01.resource.tiauto.com with Internet Mail Service (5.5.2657.72) id ; Fri, 9 Sep 2005 09:20:04 +0200 Message-ID: From: "Constant, Benjamin" To: 'Max Laier' Date: Fri, 9 Sep 2005 09:20:03 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2657.72) Content-Type: text/plain Cc: freebsd-pf@freebsd.org Subject: RE: Bugfixes from OpenBSD X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Sep 2005 07:20:10 -0000

I was looking for the changes in RELENG_5 so I wasn't at the right place. I'll try to test it but I'm short on time and hardware for testing but I'll give you feedback if I can.
I'm not yet fully confident with FreeBSD development cycles and terminology, but am I right if I think that 'MFCed' means merging from current to stable?

Thanks a lot for the changes!

Regards,

Benjamin Constant
TI Automotive

> -----Original Message-----
> From: Max Laier [mailto:max@love2party.net]
> Sent: jeudi 8 septembre 2005 17:12
> To: Constant, Benjamin
> Cc: freebsd-pf@freebsd.org
> Subject: Re: Bugfixes from OpenBSD
>
> On Wednesday 07 September 2005 16:30, Constant, Benjamin wrote:
> > It would be great if you could import ALTQ support on the bge interface.
> > I tested and reported positive feedback some weeks ago but I
> didn't get
> > any answer.
>
> FWIW, ALTQ is supported by bge. As per altq(4):
>
> SUPPORTED DEVICES
> The driver modifications described in altq(9) are
> required to use a certain network card with ALTQ. They have been applied to
> the following
> hardware drivers: an(4), ath(4), awi(4), bfe(4), bge(4),
> dc(4), de(4),
> ^^^
> ed(4), em(4), fxp(4), hme(4), lnc(4), re(4), rl(4),
> sf(4), sis(4), sk(4),
> ste(4), vr(4), wi(4), and xl(4).
>
> The ndis(4) framework also has support for ALTQ and thus
> all encapsulated
> drivers.
>
> The tun(4) pseudo driver also does support ALTQ and
> includes the required
> modifications.
>
> The other changes/fixes are now in HEAD and will be MFCed in
> three days unless there are any problems - so please test if
> you have a chance.
>
> > > All,
> > >
> > > I am going to import the following bugfixes from OpenBSD shortly:
> > >
> > > pf_ioctl.c Revision 1.158 Mon Sep 5 14:51:08 2005 UTC by dhartmei
> > >
> > > | in DIOCCHANGERULE, properly initialize table, if used
> in NAT rule.
> > > | from Boris Polevoy , ok mcbride@
> > >
> > > pf.c Revision 1.502 Mon Aug 22 11:54:25 2005 UTC by dhartmei
> > >
> > > | when nat'ing icmp 'connections', replace icmp id with
> proxy values
> > > | (similar to proxy ports for tcp/udp). not all clients use
> > > | per-invokation random ids, this allows multiple concurrent
> > >
> > > connections from such clients.
> > >
> > > | thanks for testing to Rod Whitworth, "looks ok" markus@
> > >
> > > pf.c Revision 1.501 Mon Aug 22 09:48:05 2005 UTC by dhartmei
> > >
> > > | fix rdr to bitmask replacement address pool. patch from
> Max Laier,
> > > | reported by Boris Polevoy, tested by Jean Debogue, ok henning@
> > >
> > > As all three have emerged from here and patches are
> available, I'd
> > > like to know if anyone has seen fallout from any of these
> changes.
> > > Also, is there anything more that I should be looking at?
>
> --
> /"\ Best regards, | mlaier@freebsd.org
> \ / Max Laier | ICQ #67774661
> X http://pf4freebsd.love2party.net/ | mlaier@EFnet
> / \ ASCII Ribbon Campaign | Against HTML Mail and News
>

The information contained in this transmission may contain privileged and confidential information. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. This communication is from TI Automotive.
From owner-freebsd-pf@FreeBSD.ORG Fri Sep 9 18:52:29 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E4BE016A41F for ; Fri, 9 Sep 2005 18:52:29 +0000 (GMT) (envelope-from bobself@charter.net) Received: from mxsf28.cluster1.charter.net (mxsf28.cluster1.charter.net [209.225.28.228]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4953243D6E for ; Fri, 9 Sep 2005 18:52:26 +0000 (GMT) (envelope-from bobself@charter.net) Received: from mxip30a.cluster1.charter.net (mxip30a.cluster1.charter.net [209.225.28.189]) by mxsf28.cluster1.charter.net (8.12.11/8.12.11) with ESMTP id j89IqOgG017769 for ; Fri, 9 Sep 2005 14:52:24 -0400 Received: from 24-177-225-234.dhcp.spbg.sc.charter.com (HELO [127.0.0.1]) ([24.177.225.234]) by mxip30a.cluster1.charter.net with ESMTP; 09 Sep 2005 14:52:26 -0400 Message-ID: <4321D9DF.5080206@charter.net> Date: Fri, 09 Sep 2005 14:52:15 -0400 From: bob self User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: selective logging of what pf is rejecting? 
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Sep 2005 18:52:30 -0000

My pf.conf file looks something like this

block in all
block out all
pass quick on lo0 keep state
antispoof for $ext_if

pass in on $ext_if from to any keep state
pass in log on $ext_if proto tcp from any to $ext_if port 80 flags S/SA keep state label "www" #apache
block in on $ext_if from to any

pass out on $ext_if proto tcp from any to any flags S/SA keep state # allow any tcp setup out
pass out on $ext_if proto udp all keep state # allow any udp out

pass on $ext_if inet proto icmp all icmp-type 8 code 0 keep state # allow echo request in or out, (man pf.conf:1618)

Is there a way I can turn on (temporarily) logging of what pf is not allowing to come in? Also, is there a real-time tool that will let you watch what pf is blocking from coming in?

How could you just log what pf allows to get through?
thanks, Bob Self From owner-freebsd-pf@FreeBSD.ORG Fri Sep 9 19:17:23 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9F8C516A446 for ; Fri, 9 Sep 2005 19:17:23 +0000 (GMT) (envelope-from huzeyfe.onal@gmail.com) Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id 23BB443D45 for ; Fri, 9 Sep 2005 19:17:22 +0000 (GMT) (envelope-from huzeyfe.onal@gmail.com) Received: by wproxy.gmail.com with SMTP id i21so1270334wra for ; Fri, 09 Sep 2005 12:17:22 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=iBYOWhpXRpCqtkk6FCFsd2QDYKGG7idsv+znGdwNK8E7i+lj0BKRhVZOFjS39c86T8hLNKUScmM6CIzNj7S/sVLoFSZW4m+wMpz6gokmrV9PTH++Xn8TnaLxPJEi2gFg3lzNLfJu0wTVH6EcCOir2jCBt5l/UAG+Z9jx1NZNDH4= Received: by 10.54.121.9 with SMTP id t9mr611188wrc; Fri, 09 Sep 2005 12:17:21 -0700 (PDT) Received: by 10.54.122.18 with HTTP; Fri, 9 Sep 2005 12:17:20 -0700 (PDT) Message-ID: Date: Fri, 9 Sep 2005 12:17:20 -0700 From: Huzeyfe Onal To: bob self In-Reply-To: <4321D9DF.5080206@charter.net> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <4321D9DF.5080206@charter.net> Cc: freebsd-pf@freebsd.org Subject: Re: selective logging of what pf is rejecting? 
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: huzeyfe.onal@gmail.com List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Sep 2005 19:17:23 -0000

hi,
you can use tcpdump to watch pf action, why it drops or accepts packets.

try to use
tcpdump -i pflog0 -e

ps: pflogd must be running... also read
http://www.openbsd.com/faq/pf/logging.html

2005/9/9, bob self :
>
> My pf.conf file looks something like this
>
> block in all
> block out all
> pass quick on lo0 keep state
> antispoof for $ext_if
>
> pass in on $ext_if from to any keep state
> pass in log on $ext_if proto tcp from any to $ext_if port 80 flags S/SA
> keep state label "www" #apache
> block in on $ext_if from to any
>
> pass out on $ext_if proto tcp from any to any flags S/SA keep state #
> allow any tcp setup out
> pass out on $ext_if proto udp all keep state # allow any
> udp out
>
> pass on $ext_if inet proto icmp all icmp-type 8 code 0 keep state #
> allow echo request in or out, (man pf.conf:1618)
>
>
> Is there a way I can turn on (temporarily) logging of what pf is not
> allowing to come in? Also, is there a real-time tool that
> will let you watch what pf is blocking from coming in?
>
> How could you just log what pf allows to get through?
>
> thanks,
> Bob Self
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

-- 
Huzeyfe ÖNAL
---
First Turkish Qmail book is out! Go check it.
Have you heard? Turkey's first Qmail book is out.
http://www.acikakademi.com/catalog/qmail/

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 9 19:53:05 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B04A416A41F for ; Fri, 9 Sep 2005 19:53:05 +0000 (GMT) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.183]) by mx1.FreeBSD.org (Postfix) with ESMTP id 191AA43D46 for ; Fri, 9 Sep 2005 19:53:05 +0000 (GMT) (envelope-from max@love2party.net) Received: from p54A3E79B.dip.t-dialin.net [84.163.231.155] (helo=donor.laier.local) by mrelayeu.kundenserver.de with ESMTP (Nemesis), id 0MKwh2-1EDovm4AXE-00011V; Fri, 09 Sep 2005 21:53:02 +0200 From: Max Laier To: freebsd-pf@freebsd.org, huzeyfe.onal@gmail.com Date: Fri, 9 Sep 2005 21:52:45 +0200 User-Agent: KMail/1.8.2 References: <4321D9DF.5080206@charter.net> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart4187704.GI4ildFU5D"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200509092153.00708.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: Subject: Re: selective logging of what pf is rejecting? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Sep 2005 19:53:05 -0000

--nextPart4187704.GI4ildFU5D
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On Friday 09 September 2005 21:17, Huzeyfe Onal wrote:
> hi,
> you can use tcpdump to watch pf action, why it drops or accepts packets.
>
> try to use
> tcpdump -i pflog0 -e

right.

> ps: pflogd must be running... also read
> http://www.openbsd.com/faq/pf/logging.html

wrong. pflogd just records the log data to disk, no need to watch the
live feed.

> 2005/9/9, bob self :
> > My pf.conf file looks something like this
> >
> > block in all
> > block out all
> > pass quick on lo0 keep state
> > antispoof for $ext_if
> >
> > pass in on $ext_if from to any keep state
> > pass in log on $ext_if proto tcp from any to $ext_if port 80 flags S/SA
> > keep state label "www" #apache
> > block in on $ext_if from to any
> >
> > pass out on $ext_if proto tcp from any to any flags S/SA keep state #
> > allow any tcp setup out
> > pass out on $ext_if proto udp all keep state # allow any
> > udp out
> >
> > pass on $ext_if inet proto icmp all icmp-type 8 code 0 keep state #
> > allow echo request in or out, (man pf.conf:1618)
> >
> >
> > Is there a way I can turn on (temporarily) logging of what pf is not
> > allowing to come in? Also, is there a real-time tool that
> > will let you watch what pf is blocking from coming in?
> >
> > How could you just log what pf allows to get through?

You can use pcap filters to get only info you are interested in. See
tcpdump(1)::ifname ff. ... the "action" filter might be of special interest
for your question.
=2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart4187704.GI4ildFU5D Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQBDIegcXyyEoT62BG0RAqr0AJwNELh54zdeVYeMQp+yiob7owNqmACfadL2 2nfveS10rY9zt8Hi7c/Tgl8= =qWnf -----END PGP SIGNATURE----- --nextPart4187704.GI4ildFU5D-- From owner-freebsd-pf@FreeBSD.ORG Fri Sep 9 20:26:46 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E8BCC16A41F for ; Fri, 9 Sep 2005 20:26:46 +0000 (GMT) (envelope-from ganick@acn.gr) Received: from mail5-static.acn.gr (mail5-static.acn.gr [213.5.41.16]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6659F43D73 for ; Fri, 9 Sep 2005 20:26:45 +0000 (GMT) (envelope-from ganick@acn.gr) Received: from iridium1.int.acn.gr (iridium1.acn.gr [213.5.40.19]) by mail5-static.acn.gr (Postfix) with ESMTP id DB47F389071 for ; Fri, 9 Sep 2005 23:26:18 +0300 (EEST) Received: from [192.168.1.2] ([213.5.24.191]) by iridium1.int.acn.gr (InterMail vK.4.03.03.00 201-232-128 license dc15378303309db560c988105cfc6f29) with ESMTP id <20050909202642.STTI19534.iridium1@[213.5.24.191]> for ; Fri, 9 Sep 2005 23:26:42 +0300 From: "Nikos I. 
Gabrielides"
To: freebsd-pf@freebsd.org
Message-Id: <1126297081.9938.25.camel@ulysses>
Date: Fri, 09 Sep 2005 23:18:03 +0300
Subject: vsftpd behind NAT problem

Hi all,

I am using an FTP Server behind NAT (vsftpd v1.2.0-5 on Fedora Core 1
kernel 2.4.22-1.2115.nptl). The server is behind a NAT router (Zyxel
Prestige 660R-61). I have problems connecting to it from a computer
outside.

I am looking for a way to solve this at the FTP Server side.

I have enabled DynDNS and port forwarding for the needed port ranges
(20:21, 7727:7777) on the ADSL router. But I cannot connect from the
outside.

Please, somebody, tell me how I can troubleshoot the problem.
(where do I look for 'syslog'?). Or, even better, do you guys see any
solution for this?

Thx in advance

/ganick

PS: My configuration is as follows:

** iptables rules **
...
-A RH-Firewall-1-INPUT -p udp -m udp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 7727:7777 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 7727:7777 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -j ACCEPT
...
(probably udp holes are not needed)

** vsftpd.conf **
listen=YES
anonymous_enable=YES
ftp_username=ftp
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
anon_world_readable_only=YES
anon_max_rate=10240
idle_session_timeout=300
ascii_download_enable=NO
ascii_upload_enable=NO
connect_from_port_20=NO
port_enable=YES
hide_ids=NO
max_per_ip=0
local_root=/var/ftp
nopriv_user=nobody
# assist NAT firewall
pasv_enable=YES
pasv_min_port=7727
pasv_max_port=7777
log_ftp_protocol=YES
syslog_enable=YES
ftpd_banner=Welcome to ganick's FTP sever. Behave!

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 9 20:32:11 2005
Date: Fri, 9 Sep 2005 16:32:09 -0400
From: Scott Ullrich
To: "Nikos I.
Gabrielides"
In-Reply-To: <1126297081.9938.25.camel@ulysses>
References: <1126297081.9938.25.camel@ulysses>
Cc: freebsd-pf@freebsd.org
Subject: Re: vsftpd behind NAT problem

On 9/9/05, Nikos I. Gabrielides wrote:
> Hi all,
>
> I am using an FTP Server behind NAT (vsftpd v1.2.0-5 on
> Fedora Core 1 kernel 2.4.22-1.2115.nptl).
> The server is behind NAT router (Zyxel Prestige 660R-61).
> I have problems connecting to it from a computer outside.
>
> I am looking for a way to solve this at FTP Server side.
>
> I have enabled DynDNS and port forwarding for the needed port
> ranges (20:21, 7727:7777) on the ADSL router.
> But I cannot connect from the outside.
>
> Please, somebody, tell me how can I troubleshoot the problem.
> (where do i look for 'syslog' ?).
> Or, even better, do you guys see any solution for this ?
>
> PS:
> My configuration is as follows:
>
> ** iptables rules **
> ...
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 20 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 7727:7777 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 20 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 7727:7777 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -j ACCEPT
> ...
> (probably udp holes are not needed)
>
> ** vsftpd.conf**
[...]

This is the FreeBSD pf (Packet Filter) list. Not linux! Perhaps you
should post to the iptables list or the linux kernel list? I don't
really know, I don't use linux. But either way, this appears to be the
wrong list for what you're looking for.

Scott

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 9 21:16:10 2005
Message-ID:
<4321FB84.7070909@charter.net>
Date: Fri, 09 Sep 2005 17:15:48 -0400
From: bob self
To: Max Laier
References: <4321D9DF.5080206@charter.net> <200509092153.00708.max@love2party.net>
In-Reply-To: <200509092153.00708.max@love2party.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: selective logging of what pf is rejecting?

Max Laier wrote:

> On Friday 09 September 2005 21:17, Huzeyfe Onal wrote:
> > hi,
> > you can use tcpdump to watch pf action, why it drops or accepts packets.
> >
> > try to use
> > tcpdump -i pflog0 -e
>
> right.
>
> > ps: pflogd must be running... also read
> > http://www.openbsd.com/faq/pf/logging.html
>
> wrong. pflogd just records the log data to disk, no need to watch the
> livefeed.
>
> > 2005/9/9, bob self :
> > > My pf.conf file looks something like this
[...]
> > > Is there a way I can turn on (temporarily) logging of what pf is not
> > > allowing to come in? Also, is there a real-time tool that
> > > will let you watch what pf is blocking from coming in?
> > >
> > > How could you just log what pf allows to get through?
>
> You can use pcap filters to get only info you are interested in. See
> tcpdump(1)::ifname ff. ... the "action" filter might be of special interest
> for your question.

I guess that my question is really where do I put the 'log' word(s) in
pf.conf to be able to do this.
I tried adding 'log' to everything in my pf.conf to see pinging from the
outside and using tcpdump I don't see anything.
I'm using tcpdump like this:

tcpdump -l -n -e -ttt -i pflog0

From owner-freebsd-pf@FreeBSD.ORG Sat Sep 10 03:16:28 2005
Message-ID: <55e8a96c0509092016e17b2f9@mail.gmail.com>
Date: Fri, 9 Sep 2005 22:16:26 -0500
From: Bill Marquette
To: freebsd-pf@freebsd.org
Subject: synproxy state and route-to issues

I've got a machine setup with two internet facing interfaces that I want to
do policy based routing on. FreeBSD 6 beta 4

First two octets of the IP addresses intentionally masked.

dc0 == lan  (192.168.1.1/24)
dc1 == isp1 (192.168.186.1/24)
dc2 == isp2 (192.168.104.1/24)

default route is set to go out isp1, each isp facing NIC is setup for NAT
for that ISPs IP range

nat on dc1 inet from 192.168.1.0/24 to any -> (dc1) round-robin
nat on dc2 inet from 192.168.1.0/24 to any -> (dc2) round-robin

I've got a pass in rule that sets the next hop to isp2 (dc2) for any TCP
traffic coming from one machine and uses synproxy

pass in quick on dc0 route-to ( dc2 192.168.104.1 ) proto tcp from 192.168.1.10 to any flags S/SA synproxy state

all other traffic defaults to isp1 (it all works - shown, for examples sake)

pass in quick on dc0 proto tcp from 192.168.1.0/24 to any flags S/SA synproxy state

A telnet from a 192.168.104.1 to an internet facing mail server
(192.168.250.25) creates the following state entries:

dc0 tcp 192.168.250.5:25 <- 192.168.1.10:2592       ESTABLISHED:ESTABLISHED
   [2292384068 + 65441](+4004013808) [2512296240 + 33392](+501048536)
   age 00:00:22, expires in 119:59:55, 7:4 pkts, 292:536 bytes, rule 98
   id: 43210bb50000e5c8 creatorid: 65f15a74
dc1 tcp 192.168.1.10:2592 -> 192.168.186.134:61140 -> 192.168.250.5:25       ESTABLISHED:ESTABLISHED
   [3013344771 + 33397] [2292384068 + 65441]
   age 00:00:22, expires in 119:59:54, 2:5 pkts, 84:580 bytes, rule 44
   id: 43210bb50000e5c9 creatorid: 65f15a74
dc2 tcp 192.168.1.10:2592 -> 192.168.106.121:54956 -> 192.168.250.5:25       SYN_SENT:CLOSED
   [3013344776 + 4294967293] [0 + 65441]
   age 00:00:22, expires in 00:14:45, 7:0 pkts, 292:0 bytes, rule 47
   id: 43210bb50000e5cc creatorid: 65f15a74

Not totally surprising that synproxy state used the default route to send
and create the SYN - not expected, but not surprising. You'll note that it
went out isp1 instead of where the rule sent it to. I can live with this
semi-unexpected behaviour...however, what ends up happening (and I don't
have the tcpdump ready now) is that the syn, syn/ack, makes it through isp1,
and then PF appears to hand control back to the rule processing. The ack
from 192.168.1.10 ends up going out dc2 and getting nat'd with dc2's IP
address...thus ending any chance at the connection working.

Summary:
syn goes out dc1 with dc1's IP
syn/ack comes in dc1
ack goes out dc2 with dc2's IP
ack from 192.168.250.25 returns on dc1 with data and 192.168.1.10 actually gets it.

Can anyone else duplicate this? I'm suspecting that synproxy happens long
before route-to takes place.

--Bill

From owner-freebsd-pf@FreeBSD.ORG Sat Sep 10 06:19:18 2005
Date: Fri, 9 Sep 2005 23:19:16 -0700
From: Huzeyfe Onal
To: bob self
In-Reply-To: <4321FB84.7070909@charter.net>
References: <4321D9DF.5080206@charter.net> <200509092153.00708.max@love2party.net> <4321FB84.7070909@charter.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: selective logging of what pf is rejecting?
Hi,

do you see the packets with tcpdump with -i $ext_if options?

#tcpdump -ttt -n -i rl0 icmp

for icmp packets..

2005/9/9, bob self :
> Max Laier wrote:
>
> > On Friday 09 September 2005 21:17, Huzeyfe Onal wrote:
> > > hi,
> > > you can use tcpdump to watch pf action, why it drops or accepts packets.
> > >
> > > try to use
> > > tcpdump -i pflog0 -e
> >
> > right.
> >
> > > ps: pflogd must be running... also read
> > > http://www.openbsd.com/faq/pf/logging.html
> >
> > wrong. pflogd just records the log data to disk, no need to watch the
> > livefeed.
[...]
> > You can use pcap filters to get only info you are interested in. See
> > tcpdump(1)::ifname ff. ... the "action" filter might be of special interest
> > for your question.
>
> I guess that my question is really where do I put the 'log' word(s) in
> pf.conf to be able to do this.
> I tried adding 'log' to everything in my pf.conf to see pinging from the
> outside and using tcpdump I don't see anything.
> I'm using tcpdump like this:
>
> tcpdump -l -n -e -ttt -i pflog0

-- 
Huzeyfe ÖNAL
---
First Turkish Qmail book is out! Go check it.
Did you hear? Turkey's first Qmail book is out.
http://www.acikakademi.com/catalog/qmail/

From owner-freebsd-pf@FreeBSD.ORG Sat Sep 10 10:27:13 2005
From: "Sean Dean"
To: freebsd-pf@freebsd.org
Date: Sat, 10 Sep 2005 06:27:12 -0400
Subject: PF with if_bridge
Hello,

Since I moved over from an OpenBSD bridge to a FreeBSD-6 one with the new
bridge code I have been having some problems getting my pf.conf to fully
work. I have tried all the combinations I could think of, but just can't
get it right. When I first switched over, I used the exact copy of the
pf.conf from the OpenBSD machine, just substituting the new device names.
This didn't work at all, and I have made changes to it, possibly inserting
an error on my part. I was wondering if someone could assist me?

Here is my current pf.conf:

-------------------------------------
set loginterface bridge0

# Turning on scrub in this config stops the bridge from working, this was not the case
# in OpenBSD. So we comment it out.
#scrub in on bridge0 all no-df

block in log on bridge0 all

pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 22, 25 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80, 443 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80, 443 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 25 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 22 } flags S/SA keep state

# Bind doesn't seem to work with these rules. The request to 53 works, but
# the reply, on the random, high UDP port is blocked. So we use the rule I have
# further below, which allows all UDP.
#pass in on bridge0 proto udp from any to 216.58.xxx.xxx port { 53 } keep state
#pass in on bridge0 proto udp from any to 216.58.xxx.xxx port { 53 } keep state

pass in on bridge0 proto udp from any to any keep state

# The rule below doesn't seem to actually work, this might be bad placement of the
# rule? I keep it in because there seems to be no negative effect.
block in log on bridge0 proto udp from any to any port { 161, 514 }

pass in on bridge0 inet proto icmp all icmp-type echoreq keep state
pass in on bridge0 proto esp from any to any keep state

# I remember seeing people saying that only "in" rules are allowed on a bridge,
# although I have also seen other cases of "out" rules being applied to this new
# FreeBSD bridge code. ALL TCP traffic coming from the inside is blocked, but if it originates
# from the outside (example Apache, SSH login) it works fine.
pass out on bridge0 proto tcp all flags S/SA keep state
pass out on bridge0 proto udp all keep state
pass out on bridge0 proto icmp all keep state
-------------------------------------

To address the possible "in" only rule above I tried to place this in
instead, but no change, outgoing traffic was blocked originating from the
inside:

pass in on bridge0 proto tcp from 216.58.xxx.xxx/26 to any keep state

I thank you in advance for any help you can provide. I probably did
something wrong above that is causing these problems, but I can't figure it
out and look to you all for advice.

Thanks,
Sean

From owner-freebsd-pf@FreeBSD.ORG Sat Sep 10 13:59:05 2005
Date: Sun, 11 Sep 2005 01:59:03 +1200
From: Andrew Thompson
To: Sean Dean
Message-ID: <20050910135903.GA11565@heff.fud.org.nz>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF with if_bridge

On Sat, Sep 10, 2005 at 06:27:12AM -0400, Sean Dean wrote:
> Hello,
>
> Since I moved over from an OpenBSD bridge to a FreeBSD-6 one with the new
> bridge code I have been having some problems getting my pf.conf to fully
> work. I have tried all the combinations I could think of, but just can't get
> it right. When I first switched over, I used the exact copy of the pf.conf
> from the OpenBSD machine, just substituting the new device names. This
> didn't work at all, and I have made changes to it, possibly inserting an
> error on my part.
>
> # Turning on scrub in this config stops the bridge from working, this was
> not the case
> # in OpenBSD. So we comment it out.
> #scrub in on bridge0 all no-df

Using 'no-df' causes tcp connections to fail for me too, scrubbing without
that option is fine.

> pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 22, 25 }
> flags S/SA keep state

Using keep state or directional rules on a bridge interface is generally a
bad idea. The bridge has no notion of direction so a packet coming from
either side will always appear to pf as incoming on the bridge, so reply
packets on stateful connections may not be matched properly. I don't know
if OpenBSD treats this as a special case.

In most cases you should be packet filtering on the member interfaces,
especially where direction and flow is important. Try changing the above
rule to 'pass in on $ext_if ...' instead.

Filtering on the bridge is good where you want to block certain traffic in
any direction, such as all http.

block in on bridge0 proto tcp from any to any port www

Andrew
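The split Andrew describes, written out as a pf.conf fragment. This is an added example, not Sean's or Andrew's configuration: the direction-aware, stateful rules move to the bridge members, and bridge0 keeps only the policy that must hold regardless of which side a packet came from. The member names em0 (outside) and em1 (inside), the $servers placeholder for the masked 216.58.xxx.xxx/26 range and the collapsed port list are assumptions; scrub is kept without no-df, per Andrew's note.

```pf
# Added example for the "PF with if_bridge" thread; not the list's own config.
# Assumed: em0 and em1 are the members of bridge0, em0 faces the internet,
# em1 faces the servers; "servers" stands in for the masked /26.
ext_if  = "em0"
int_if  = "em1"
servers = "216.58.0.0/26"      # placeholder for 216.58.xxx.xxx/26

set loginterface bridge0

# scrub without no-df: Andrew reports no-df breaks tcp across the bridge
scrub in all

# Outside -> inside. A packet from the internet enters the bridge on em0, so
# "in on $ext_if" has a real direction and keep state matches the replies,
# which the same rule "in on bridge0" could not do reliably.
block in log on $ext_if all
pass in on $ext_if proto tcp from any to $servers port { 22, 25, 80, 443 } flags S/SA keep state
pass in on $ext_if proto udp from any to $servers port 53 keep state
pass in on $ext_if inet proto icmp all icmp-type echoreq keep state
pass in on $ext_if proto esp from any to any keep state

# Inside -> outside. Server-originated traffic enters the bridge on em1; this
# is what the "pass out on bridge0" rules were trying to say. The state it
# creates is what lets the replies back in on em0 past "block in on $ext_if".
block in log on $int_if all
pass in on $int_if from $servers to any keep state

# bridge0 carries only direction-agnostic policy, and no state: snmp and
# syslog may not cross the bridge from either side.
block in log on bridge0 proto udp from any to any port { 161, 514 }
```

Load with `pfctl -nf /etc/pf.conf` first to catch parse errors without touching the running ruleset. The rules on em0/em1 only ever see a packet if the bridge hands packets to pf on its members: on FreeBSD's if_bridge that is governed by the `net.link.bridge.pfil_member` and `net.link.bridge.pfil_bridge` sysctls described in if_bridge(4), so check both are 1 before concluding a member-interface rule "doesn't work". Andrew's point about replies not matching on the bridge is also the symptom behind the commented-out port 53 rules in Sean's config: the request matched, the reply arriving from the other side did not.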
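Back to the "selective logging of what pf is rejecting?" thread above. The selection Max points at happens on the pflog side: pf writes one record to pflog0 for each packet that matched a rule carrying the `log` keyword (a packet passed by an existing state never re-evaluates the rules, so a plain `log` on a `keep state` rule records the state-creating packet only), and the pflog-specific pcap primitives that tcpdump(1) lists under ifname (`action block`, `action pass`, `inbound`, `outbound`, `ifname em0`, `rulenum N`) pick out which records are shown, e.g. `tcpdump -n -e -ttt -i pflog0 action block and inbound`. The block below is an added example, not code from the thread: it applies the same selection to the text tcpdump prints for pflog0, so it can be run over a saved `tcpdump -n -e -ttt -r /var/log/pflog` dump or on the log host that receives the lines via syslog as in the first message of this page. The sample records are constructed; the em0 interface and the addresses are assumptions.

```python
#!/usr/bin/env python3
"""Select pflog records from the text form `tcpdump -n -e -ttt -i pflog0` prints.

Added example for the freebsd-pf logging thread; not code from the list.
The interface name, addresses and the sample records below are constructed.
"""
import re
import sys
from collections import Counter

# One record as tcpdump prints it on pflog0 with -e: a timestamp, the pflog
# header "rule N/M(reason): action direction on ifname:", then the packet.
# Rules inside an anchor print as "rule N.anchor.M/..."; the optional group
# absorbs that so the rule number is still parsed.
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"rule\s+(?P<rule>\d+)(?:\.[^/\s]*)?/(?P<subrule>\d+)"
    r"\((?P<reason>[^)]+)\):\s+"
    r"(?P<action>[\w-]+)\s+(?P<dir>in|out)\s+on\s+(?P<iface>\S+):\s+"
    r"(?P<packet>.*)$"
)

# Constructed sample (assumed interface em0, documentation addresses). The
# last line stands in for unrelated syslog noise on a shared log host.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 3/0(match): block in on em0: 203.0.113.7.41220 > 198.51.100.2.22: S 1024:1024(0) win 65535
00:00:00.512000 rule 3/0(match): block in on em0: 203.0.113.7.41221 > 198.51.100.2.23: S 1025:1025(0) win 65535
00:00:01.003000 rule 7/0(match): pass in on em0: 203.0.113.9.55010 > 198.51.100.2.80: S 2048:2048(0) win 5840
00:00:00.220000 rule 3/0(match): block in on em0: 203.0.113.7 > 198.51.100.2: icmp: echo request
00:00:00.040000 rule 9/0(match): pass out on em0: 198.51.100.2.51000 > 192.0.2.53.53: 1234+ A? example.com. (29)
Sep 10 03:16:28 fw syslogd: restart
"""


def parse_pflog_line(line):
    """Return a dict for one pflog record, or None if the line is not one."""
    m = PFLOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["rule"] = int(ev["rule"])
    ev["subrule"] = int(ev["subrule"])
    # The packet text starts "src > dst:" for tcp/udp (host.port) and icmp alike.
    parts = ev["packet"].split()
    if len(parts) >= 3 and parts[1] == ">":
        ev["src"] = parts[0]
        ev["dst"] = parts[2].rstrip(":")
    else:
        ev["src"] = ev["dst"] = None
    return ev


def select(lines, action=None, direction=None, iface=None, rule=None):
    """Userland counterpart of the pcap primitives action/inbound/ifname/rulenum.

    Every criterion given must match; None means "any", like leaving the
    primitive out of the tcpdump expression. Non-pflog lines are skipped.
    """
    wanted = []
    for line in lines:
        ev = parse_pflog_line(line)
        if ev is None:
            continue
        if action is not None and ev["action"] != action:
            continue
        if direction is not None and ev["dir"] != direction:
            continue
        if iface is not None and ev["iface"] != iface:
            continue
        if rule is not None and ev["rule"] != rule:
            continue
        wanted.append(ev)
    return wanted


def count_by_rule(events):
    """Tally records per (action, rule number): the first thing to look at
    when a rule logs more, or less, than you expected it to."""
    return Counter((ev["action"], ev["rule"]) for ev in events)


def main():
    # "-" reads real tcpdump output from stdin; otherwise use the sample.
    if len(sys.argv) > 1 and sys.argv[1] == "-":
        lines = sys.stdin.read().splitlines()
    else:
        lines = SAMPLE_PFLOG.splitlines()
    # What pf rejected on the outside interface, the same selection as
    #   tcpdump -n -e -ttt -i pflog0 action block and inbound and ifname em0
    for ev in select(lines, action="block", direction="in", iface="em0"):
        print(f"blocked by rule {ev['rule']}: {ev['src']} -> {ev['dst']}")
    for (action, rule), n in sorted(count_by_rule(select(lines)).items()):
        print(f"{action:5s} rule {rule:3d}: {n} record(s)")


if __name__ == "__main__":
    main()
```

Feed it live output with `tcpdump -l -n -e -ttt -i pflog0 | python3 pflog_select.py -` (the `-l` is the line-buffering flag from the first thread; without it nothing arrives until tcpdump's buffer fills). Whatever you select here, the in-kernel filter is cheaper: put `action block`, `inbound` or `ifname` in the tcpdump expression on the firewall and let only the wanted records cross to the log host.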