From owner-freebsd-pf@FreeBSD.ORG Sun Oct 2 15:16:46 2005
From: Yar Tikhiy
To: freebsd-pf@freebsd.org
Date: Sun, 2 Oct 2005 19:16:42 +0400
Message-ID: <20051002151642.GC76606@comp.chem.msu.su>
Subject: pf kernel module(s)
List-Id: "Technical discussion and general questions about packet filter (pf)"

All,

While making an rc.d script for pfsync as I had promised here, I noticed that pf.ko didn't include support for pfsync. Closer study revealed that it would be better to split pf.ko in separate modules for pf itself, pflog, and pfsync. The reason is as follows.

As MODULES_WITH_WORLD are about to depart for /dev/null soon, modules should not rely on the opt_*.h files they create with their Makefiles now: the configuration is to be obtained from the opt_*.h files in the kernel build directory. Therefore it will not be possible to include pflog or pfsync functionality in pf.ko unless it is in the main kernel file, too, which is ridiculous. OTOH, having separate pflog.ko and pfsync.ko would allow for the modules to be built irrespective of the current kernel configuration.

If the separation is not possible now, the pf.ko module should include all the functionality irrespective of the DEV_PF, DEV_PFLOG, or DEV_PFSYNC values found in opt_pf.h. As a matter of fact, a modern FreeBSD device driver should rarely use DEV_FOO values in its code because the inclusion of the driver source files in the build process is the major sign of the driver being enabled, and device instances should be created dynamically. Alas, OpenBSD code doesn't seem to follow this trend, so I'd consider setting NPFLOG and NPFSYNC to 1 statically if possible.

--
Yar

From owner-freebsd-pf@FreeBSD.ORG Sun Oct 2 18:52:25 2005
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Sun, 2 Oct 2005 20:51:57 +0200
References: <20051002151642.GC76606@comp.chem.msu.su>
In-Reply-To: <20051002151642.GC76606@comp.chem.msu.su>
Message-Id: <200510022052.08240.max@love2party.net>
Subject: Re: pf kernel module(s)

Yar,

On Sunday 02 October 2005 17:16, Yar Tikhiy wrote:
> While making an rc.d script for pfsync as I had promised here, I
> noticed that pf.ko didn't include support for pfsync. Closer study
> revealed that it would be better to split pf.ko in separate modules
> for pf itself, pflog, and pfsync. The reason is as follows.
>
> As MODULES_WITH_WORLD are about to depart for /dev/null soon, modules
> should not rely on the opt_*.h files they create with their Makefiles
> now: The configuration is to be obtained from the opt_*.h files in
> the kernel build directory. Therefore it will not be possible to
> include pflog or pfsync functionality in pf.ko unless it is in the
> main kernel file, too, which is ridiculous. OTOH, having separate
> pflog.ko and pfsync.ko would allow for the modules to be built
> irrespective of the current kernel configuration.
>
> If the separation is not possible now, the pf.ko module should
> include all the functionality irrespective of the DEV_PF, DEV_PFLOG,
> or DEV_PFSYNC values found in opt_pf.h. As a matter of fact, a
> modern FreeBSD device driver should rarely use DEV_FOO values in
> its code because the inclusion of the driver source files in the
> build process is the major sign of the driver being enabled, and
> device instances should be created dynamically. Alas, OpenBSD
> code doesn't seem to follow this trend, so I'd consider setting
> NPFLOG and NPFSYNC to 1 statically if possible.

There is one big issue with PFSYNC as a module. pfsync needs to register a kernel level multicast protocol. This is not (yet) possible at runtime, but needs to happen statically. So in order to use pfsync you need a pfsync enabled kernel - and can just build in pfsync altogether. All this makes a pfsync.ko pretty useless.

The story for pflog is simply me reasoning that people don't usually want a firewall without logging. And if we know whether or not we have to log at compile time we can save (at least) one pointer deref per packet (and a lot of hook-in/hook-out logic as well).

I am open to any improvement of the situation, just wanted to get out the reasoning so you don't have to find out the hard way.

--
/"\  Best regards,                     | mlaier@freebsd.org
\ /  Max Laier                         | ICQ #67774661
 X   http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \  ASCII Ribbon Campaign             | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sun Oct 2 19:32:29 2005
From: Yar Tikhiy
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Sun, 2 Oct 2005 23:32:24 +0400
Message-ID: <20051002193224.GB11825@comp.chem.msu.su>
References: <20050922112017.GB16325@comp.chem.msu.su> <200509221413.03576.max@love2party.net>
In-Reply-To: <200509221413.03576.max@love2party.net>
Subject: Re: PF in /etc/rc.d: some issues

On Thu, Sep 22, 2005 at 02:12:52PM +0200, Max Laier wrote:
> On Thursday 22 September 2005 13:20, Yar Tikhiy wrote:
>
> > First, in the presence of vlan's or other dynamic interfaces it can
> > be hard to ensure that pfsync0 will appear after its syncdev on the
> > final list of interfaces built inside /etc/network.subr from several
> > rc.conf variables and other sources. Consequently, pfsync0 won't
> > get up because it is configured before its syncdev is up and running.
> > IMHO, this problem can be addressed by creating a separate rcNG script
> > for pfsync, which I already did in my systems using PF (see below.)
>
> Sounds reasonable, but put at least an additional $pfsync_ifconfig_flags at
> the end of the ifconfig so that people can specify maxupd. pfsync.4 needs to
> be updated for this as well.

Just added src/etc/rc.d/pfsync, wired it to the system and updated the relevant manpages. The rc.conf variables are pfsync_enable, pfsync_syncdev and pfsync_ifconfig, the latter being optional.

> > Second, /etc/rc.d/pf script starts before DAEMON and LOGIN, which
> > is too late IMHO. Can we make it start before "routing"? In an
> > ideal world, a firewall should start before "netif", but I'm unsure
> > if PF can start when not all interfaces mentioned in pf.conf are
> > present in the system yet.
>
> The only remaining problem (that I know of) is "set loginterface" on a
> non-existing interface. Everything else should be taken care of by now.
> This late startup was in fact a bandaid to get things working back then, but
> the problems have been shaken out and now that "set loginterface" is more or
> less obsolete by $pfctl -vsI -i anyway, we could move it back to
> where it belongs. I'd like to keep that change in HEAD for the time being,
> however.

It appears we cannot start pf before netif since we have rc.d/pfsync now, which should start before pf, but after netif. So I made pf start before routing for now. No network services should be running at that time anyway. This change won't affect "set loginterface", so it should be safe to MFC it to RELENG_6, shouldn't it?
--
Yar

From owner-freebsd-pf@FreeBSD.ORG Sun Oct 2 20:04:19 2005
From: Yar Tikhiy
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Mon, 3 Oct 2005 00:04:16 +0400
Message-ID: <20051002200416.GC11825@comp.chem.msu.su>
References: <20051002151642.GC76606@comp.chem.msu.su> <200510022052.08240.max@love2party.net>
In-Reply-To: <200510022052.08240.max@love2party.net>
Subject: Re: pf kernel module(s)

On Sun, Oct 02, 2005 at 08:51:57PM +0200, Max Laier wrote:
>
> There is one big issue with PFSYNC as a module. pfsync needs to register a
> kernel level multicast protocol. This is not (yet) possible at runtime, but
> needs to happen statically. So in order to use pfsync you need a pfsync
> enabled kernel - and can just build in pfsync altogether. All this makes a
> pfsync.ko pretty useless.

OK, this issue seems to need revisiting later.

> The story for pflog is simply me reasoning that people don't usually want a
> firewall without logging. And if we know whether or not we have to log at
> compile time we can save (at least) one pointer deref per packet (and a lot
> of hook-in/hook-out logic as well).

Just looked at the pf kernel code and saw the following:

- DEV_PFLOG is transformed into NPFLOG because OpenBSD still uses old config(8) semantics;
- with __FreeBSD__ defined, NPFLOG is used only in if_pflog.h to define PFLOG_PACKET() as the actual log function call, or a null statement.

Can't we call the log function by a pointer to it, which could be NULL to indicate no logging support loaded? The pflog0 interface itself can be created at any time since we are lucky to have fully dynamic network interfaces in our kernel. My concern is that with no MODULES_WITH_WORLD chads around, i.e., when modules' Makefiles no longer create magic opt_*.h with needed options, it will be rather problematic to compile in pflog support conditionally, and pf.ko will be broken.

> I am open to any improvement of the situation, just wanted to get out the
> reasoning so you don't have to find out the hard way.

Thanks a lot for your detailed considerations! I think they will be of value to the developer who decides to improve the area, be it me or someone else :-)

--
Yar

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 3 11:02:31 2005
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 3 Oct 2005 11:02:17 GMT
Message-Id: <200510031102.j93B2HLZ066337@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2005/06/15]  kern/82271  pf     [pf] cbq scheduler cause bad latency

1 problem total.
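The hook pattern Yar proposes in his reply above (reaching the log function through a pointer that stays NULL while no logging support is loaded), sketched in userland as an added example. This is not code from the pf tree or from either author; the names pflog_hook, pflog_register, pflog_unregister and pf_test_packet, the struct pkt stand-in and the sample hook are assumptions made for the illustration.

```c
/*
 * Added example, not pf's own code: a function-pointer logging hook that
 * replaces a compile-time NPFLOG switch. All identifiers here are assumed
 * names for the illustration.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for the packet metadata a logging hook would receive. */
struct pkt {
    const char *ifname;
    unsigned int len;
};

/* Signature of the logging function the optional module provides. */
typedef int (*pflog_hook_t)(const struct pkt *, const char *reason);

/*
 * The hook pointer. While no logging module is loaded it is NULL, so the
 * filter path pays one pointer load and compare per packet: the cost Max
 * refers to when he prefers deciding at compile time.
 */
static pflog_hook_t pflog_hook = NULL;

/* Called by the logging module when it loads. A second registration is refused. */
int pflog_register(pflog_hook_t fn)
{
    if (fn == NULL || pflog_hook != NULL)
        return -1;
    pflog_hook = fn;
    return 0;
}

/* Called by the logging module before it unloads, so no stale pointer survives. */
void pflog_unregister(void)
{
    pflog_hook = NULL;
}

/* The macro standing in for PFLOG_PACKET(): log only if a hook is present. */
#define PFLOG_PACKET(p, why) \
    do { if (pflog_hook != NULL) pflog_hook((p), (why)); } while (0)

/* Stand-in filter decision: block anything over 1500 bytes and log the block. */
int pf_test_packet(const struct pkt *p)
{
    int blocked = (p->len > 1500);
    if (blocked)
        PFLOG_PACKET(p, "oversize");
    return blocked;
}

/* Sample hook the "module" provides: counts calls and records the last reason. */
static unsigned int logged_count;
static char last_reason[32];

static int sample_hook(const struct pkt *p, const char *reason)
{
    logged_count++;
    snprintf(last_reason, sizeof last_reason, "%s:%s", p->ifname, reason);
    return 1;
}

unsigned int pflog_logged_count(void) { return logged_count; }
const char *pflog_last_reason(void) { return last_reason; }

/* Load and unload the sample module; load returns 0 on success. */
int pflog_load_sample_module(void) { return pflog_register(sample_hook); }
void pflog_unload_sample_module(void) { pflog_unregister(); }

int main(void)
{
    struct pkt big = { "rl0", 9000 };

    pf_test_packet(&big);          /* no module loaded: blocked, nothing logged */
    pflog_load_sample_module();
    pf_test_packet(&big);          /* module loaded: blocked and logged once */
    pflog_unload_sample_module();
    pf_test_packet(&big);          /* unloaded again: still one log entry */
    printf("logged=%u last=%s\n", pflog_logged_count(), pflog_last_reason());
    return 0;
}
```

The point for a real kernel is the unregister step: the module must clear the pointer before its text is unmapped, and the filter path must not be allowed to hold a copy of the pointer across that window, otherwise an unload turns into a call into freed memory.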
Non-critical problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2005/05/15]  conf/81042  pf     [patch] /etc/pf.os doesn't match FreeBSD

1 problem total.

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 4 03:37:13 2005
From: "Ivan R. Sy Jr."
To: freebsd-pf@freebsd.org
Date: Tue, 04 Oct 2005 11:24:08 +0800
Message-ID: <4341F5D8.9000504@infoweapons.com>
Subject: monitoring CARP status

Hi all,

I wish to know if there is open source software that monitors the CARP interface when master/slave and would execute a certain script according to its state.

Like if it's master:
    it will run a script

if it's slave:
    it will run this script.

I was playing with ifstated but somehow it's not working.

thanks

Ivan

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 4 12:49:32 2005
From: Scott Ullrich
To: "Ivan R. Sy Jr."
Cc: freebsd-pf@freebsd.org
Date: Tue, 4 Oct 2005 08:49:31 -0400
In-Reply-To: <4341F5D8.9000504@infoweapons.com>
References: <4341F5D8.9000504@infoweapons.com>
Subject: Re: monitoring CARP status

Check out ifstated in the ports section.

Scott

On 10/3/05, Ivan R. Sy Jr. wrote:
> Hi all,
>
> I wish to know if there is open source software that monitors the CARP
> interface when master/slave and would execute a certain script according
> to its state.
>
> Like if it's master:
>     it will run a script
>
> if it's slave:
>     it will run this script.
>
> I was playing with ifstated but somehow it's not working.
>
> thanks
>
> Ivan
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 4 21:27:04 2005
From: "Dave"
Date: Tue, 4 Oct 2005 17:21:35 -0400
Message-ID: <000301c5c929$99f8aae0$0900a8c0@satellite>
Subject: active ftp, pf, and traffic queueing
Hello,

I'm running pf on a FreeBSD 5.4-p6 gateway box which also does NAT for an internal network. I *finally*, after a lot of help/google searching, got passive ftp connections working not only from my gateway box but from my lan clients. I consider this quite good! My problem now is I have two older clients that utilize active ftp and they're not working. I've got rules in pf.conf to allow active connections, but apparently it's not right, no good. If anyone can help with this I'd appreciate it. I'm also looking for evaluations on the security of my ruleset: does it in fact block everything and only allow what I designate? And given my setup I want to get into traffic prioritization; with these rules I'm wondering the most efficient way? Thanks.

Dave.

pf.conf

# pf.conf
# for use on gateway box
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# define the two network interfaces
ext_if = "rl0"
int_if = "rl1"

# define some address macros
lan_server = "192.168.1.3"

# define services
int_to_lan_services = "{ ssh, smtp, www, pop3, https, pop3s, 1194, 1723, 8000 }"
lan_to_int_services = "{ ftp-data, ftp, ssh, smtp, 43, domain, http, pop3, nntp, imap, https, imaps, pop3s, 1790, 1791, 1792, 1793, 1794, 1795, 2401, 4000, 4662, 4711, 5000, 5001, 5190, cvsup, 6112, 6667, 8000, 8021, 8080, 8505, 8880, 9102 }"
lan_to_fw_services = "{ ssh }"
fw_to_lan_services = "{ ssh, 9101, 9102, 9103 }"
nameservers = "{ xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx }"
isp_dhcp_server = "10.40.224.1"

# options
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# normalize packets to prevent fragmentation attacks
scrub on $ext_if all random-id reassemble tcp
scrub on $int_if inet no-df

# queue band width limiting
#altq on $ext_if cbq bandwidth 768Kb queue { std, ssh, ftp, pop3 }
#queue std bandwidth 50% cbq(default)
#queue ssh bandwidth 25% { ssh_login, ssh_bulk }
#queue ssh_login bandwidth 25% priority 4 cbq(ecn)
#queue ssh_bulk bandwidth 75% cbq(ecn)
#queue ftp bandwidth 50Kb priority 3 cbq(borrow red)
#queue pop3 bandwidth 100Kb priority 3 cbq(borrow red)

# translate lan client addresses to that of the external interface
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to any port $int_to_lan_services -> $lan_server
rdr on $ext_if inet proto udp from any to any port 1194 -> $lan_server port 1194

# Redirect lan client FTP requests (to an FTP server's control port 21)
# to the ftp-proxy running on the firewall host (via inetd on port 8021)
rdr on $int_if inet proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021
rdr on $int_if inet proto tcp from $int_if:network to any port www -> 127.0.0.1 port 8080

# redirect gre traffic
rdr on $ext_if inet proto gre from any to any -> $lan_server

# pass all loopback traffic
pass quick on lo0 all

# immediately prevent IPv6 traffic from entering or leaving all interfaces
block quick inet6 all

# Thwart nmap scans
block in log quick on $ext_if proto tcp all flags FUP/FUP

# prevent lan originated spoofing from occurring
antispoof for $ext_if inet

# block everything from entering EXT
block in log on $ext_if all

# allow WAN requests from the internet to enter EXT
# in order to contact our web server (keep state on this connection)
pass in on $ext_if inet proto tcp from any to $lan_server port $int_to_lan_services flags S/SA modulate state

# UDP 1194 for openvpn
pass in on $ext_if inet proto udp from any to $lan_server port 1194 keep state

# Gre traffic for mpd
pass in on $ext_if inet proto gre from any to $lan_server keep state

# Allow dhcp in
pass in quick on $ext_if inet proto udp from $isp_dhcp_server port bootps to 255.255.255.255 port bootpc keep state

# Allow remote FTP servers (on data port 20) to respond to the proxy's
# active FTP requests by contacting it on the port range specified in inetd.conf
pass in quick on $ext_if inet proto tcp from any port 20 to 127.0.0.1 port 55000 >< 57000 user proxy flags S/SA keep state

# block everything from exiting EXT
block out log on $ext_if all

# allow UDP requests to port 53 from firewall to exit EXT
# in order to contact internet nameservers (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to any port 53 keep state

# allow UDP requests to port 123 from firewall to exit ext_if
# in order to contact internet ntp servers
# (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to any port 123 keep state

# Allow UDP requests to port 67 from firewall to exit ext_if
# in order to contact internet dhcp servers (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to any port bootps keep state

# allow lan requests from lan clients to exit EXT
# (after natting is performed) in order to contact internet servers
# (keep state on this connection)
pass out quick on $ext_if inet proto tcp from $ext_if to any port $lan_to_int_services flags S/SA modulate state

# allow ICMP requests from firewall to exit EXT (after natting is performed)
# in order to ping/traceroute internet hosts on the behalf of lan clients
pass out on $ext_if inet proto icmp from $ext_if to any icmp-type 8 keep state

# Allow ftp-proxy packets destined to port 20 to exit $ext_if
# in order to maintain communications with the ftp server
pass out quick on $ext_if inet proto tcp from $ext_if to any port 20 flags S/SA modulate state

# Allow firewall to contact ftp server on behalf of passive ftp client
pass out quick on $ext_if inet proto tcp from $ext_if port 55000:57000 to any user proxy flags S/SA keep state

# block everything from entering LAN
block in log on $int_if all

# allow UDP requests to port 53 from lan clients to enter LAN
# in order to perform dns queries on the firewall (keep state on this connection)
pass in quick on $int_if inet proto udp from $int_if:network to $int_if port 53 keep state

# allow UDP requests to ports 67, 68, and 123 from int_if clients to enter int_if
# in order to perform dhcp and ntp queries on the firewall
# (keep state on this connection)
pass in quick on $int_if inet proto udp from $int_if:network to $int_if port { 67, 68, 123, 6112 } keep state

# allow LAN requests from lan clients to enter LAN
# in order to contact internet servers (keep state on this connection)
pass in quick on $int_if inet proto tcp from $int_if:network to any port $lan_to_int_services flags S/SA modulate state

# lan network connects to firewall via ssh for administrative purposes
pass in on $int_if inet proto tcp from $int_if:network to $int_if port $lan_to_fw_services modulate state

# allow requests from lan network to enter LAN
# in order to ping/traceroute any system (firewall, dmz server, and internet hosts)
pass in quick on $int_if inet proto icmp from $int_if:network to any icmp-type 8 keep state

# allow lan broadcasts
pass in quick on $int_if proto { tcp, udp } from $int_if:network to $int_if:broadcast keep state

# allow squid connections from lan to proxy
pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 8080 keep state

# allow ftp connections from lan to proxy
pass quick on $int_if inet proto tcp from $int_if:network to lo0 port 8021 flags S/SA keep state
pass in quick on $int_if inet proto tcp from $int_if:network to $ext_if port 55000:57000 flags S/SA keep state

# block everything from exiting LAN
block out log on $int_if all

# allow WAN requests from the internet to exit LAN
# in order to contact our lan server (keep state on this connection)
pass out quick on $int_if inet proto tcp from any to $lan_server port $int_to_lan_services flags S/SA modulate state

# UDP 1194
pass out quick on $int_if inet proto udp from any to $lan_server port 1194 keep state

# GRE traffic out
pass out quick on $int_if inet proto gre from any to $lan_server keep state

# firewall connects to the lan server via scp/ssh for backup purposes
pass out quick on $int_if inet proto tcp from $int_if to $lan_server port $fw_to_lan_services flags S/SA modulate state

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 4 21:45:12 2005
From: Scott Ullrich
To: "Ivan R. Sy Jr."
Cc: freebsd-pf@freebsd.org
Date: Tue, 4 Oct 2005 17:38:20 -0400
References: <4341F5D8.9000504@infoweapons.com>
Subject: Re: monitoring CARP status

On 10/4/05, Scott Ullrich wrote:
> Check out ifstated in the ports section.

Replied too soon. What problems are you having with ifstated? I've used it in the past and it seems to work pretty well for kicking off scripts on state change.

Scott

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 5 18:01:49 2005
From: Tilman Linneweh
To: arved@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Wed, 5 Oct 2005 18:01:48 GMT
Message-Id: <200510051801.j95I1mt1046558@freefall.freebsd.org>
Subject: Re: kern/86752: pf does not use default timeouts when reloading config file

Synopsis: pf does not use default timeouts when reloading config file

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: arved
Responsible-Changed-When: Wed Oct 5 18:01:32 GMT 2005
Responsible-Changed-Why:
Over to pf Mailinglist

http://www.freebsd.org/cgi/query-pr.cgi?pr=86752

From owner-freebsd-pf@FreeBSD.ORG Thu Oct 6 12:02:50 2005
Date: Thu, 6 Oct 2005 12:02:39 GMT
From: Max Laier <mlaier@FreeBSD.org>
Message-Id: <200510061202.j96C2dWu057036@freefall.freebsd.org>
To: mlaier@FreeBSD.org, freebsd-i386@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: i386/86072: Packet Filter rule not working properly (with SYNPROXY option)

Synopsis: Packet Filter rule not working properly (with SYNPROXY option)

Responsible-Changed-From-To: freebsd-i386->freebsd-pf
Responsible-Changed-By: mlaier
Responsible-Changed-When: Thu Oct 6 12:01:19 GMT 2005
Responsible-Changed-Why:
Over to pf mailing list to make sure this is not a configuration
problem.  Synproxy is unfortunately *not* a simple replacement for
keep state anymore.
http://www.freebsd.org/cgi/query-pr.cgi?pr=86072

From owner-freebsd-pf@FreeBSD.ORG Fri Oct 7 14:23:18 2005
Date: Fri, 7 Oct 2005 14:23:15 +0000 (GMT)
From: Nathan Fowler <Shiva@asform.ch>
To: freebsd-pf@freebsd.org
Subject: Millions of people do it daily to save their privacy and money
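The state-change hook that Scott Ullrich's "monitoring CARP status" reply above says ifstated is good at kicking off, as an added example that is not from the thread: a plain sh poller that reads carp(4) state from ifconfig output and runs a hook on MASTER/BACKUP transitions. The hook directory /usr/local/etc/carp/ and the sample ifconfig output are assumptions of this example, not anything the thread describes.

```shell
#!/bin/sh
# Added example, not code from the thread: poll carp(4) state with ifconfig and
# run a hook on MASTER/BACKUP transitions (the job ifstated does event-driven).
# Hook paths under /usr/local/etc/carp/ are hypothetical; samples are constructed.

# carp_state_from_ifconfig OUTPUT: print the state on the first "carp:" line
# (MASTER, BACKUP, INIT), or UNKNOWN if the output has no carp line at all.
carp_state_from_ifconfig() {
    printf '%s\n' "$1" | awk '
        $1 == "carp:" { print $2; found = 1; exit }
        END { if (!found) print "UNKNOWN" }'
}

# carp_hook_for PREV CUR: name the hook for a transition, or print nothing
# when the state did not change.  Losing the interface (UNKNOWN) demotes.
carp_hook_for() {
    [ "$1" = "$2" ] && return 0
    case $2 in
        MASTER)  echo promote ;;
        *)       echo demote ;;
    esac
}

# monitor_carp IFACE [INTERVAL]: poll loop; logs every transition via syslog
# and runs the matching hook with the interface and new state as arguments.
monitor_carp() {
    iface=$1; interval=${2:-2}; last=UNKNOWN
    while :; do
        state=$(carp_state_from_ifconfig "$(ifconfig "$iface" 2>/dev/null)")
        action=$(carp_hook_for "$last" "$state")
        if [ -n "$action" ]; then
            logger -t carpmon "$iface: $last -> $state ($action)"
            hook="/usr/local/etc/carp/$action.sh"   # hypothetical path
            [ -x "$hook" ] && "$hook" "$iface" "$state"
        fi
        last=$state
        sleep "$interval"
    done
}

# Constructed samples of `ifconfig carp0` output on a 2005-era FreeBSD.
SAMPLE_MASTER='carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
	inet 192.0.2.1 netmask 0xffffff00
	carp: MASTER vhid 1 advbase 1 advskew 0'
SAMPLE_BACKUP='carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
	inet 192.0.2.1 netmask 0xffffff00
	carp: BACKUP vhid 1 advbase 1 advskew 100'
# Run as "sh carpmon.sh run carp0" to start monitoring for real.
if [ "${1-}" = run ]; then monitor_carp "${2:-carp0}"; fi
```

On FreeBSD 10 and later carp state is shown under the parent interface rather than a carpN device, so pass that interface name; with several vhids on one interface the parser reports only the first.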