From owner-freebsd-pf@FreeBSD.ORG Sun Nov 27 02:01:05 2005
From: Volker <volker@vwsoft.com>
Date: Sun, 27 Nov 2005 02:58:50 +0100
To: freebsd-pf@freebsd.org
Subject: pf, nat, 2 public IP-addresses
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi folks,

while trying to manage some PPTP trouble at a border gateway (using RELENG_5_4 + pf + altq) I tried to have some packets being NATed differently (using an aliased IP address).

The network in question is using private IP address space (so I need to NAT). The server has a 2 MBit connection and I've temporarily (for testing it out) two public IP addresses bound to the machine.

example setup:

  +-------------+    / IP 1.2.3.2/29 \
  |   fbsd54    | -- IF em1 -- <       > -- router: IP 1.2.3.1 (public internet)
  +-------------+    \ IP 1.2.3.3/32 /

IP 1.2.3.3/32 is an alias. default gateway for that machine is 1.2.3.1

While regular traffic is being NATed with 1.2.3.2 and sent to the default gateway 1.2.3.1, some traffic should be NATed by using the source address 1.2.3.3. So I tried (for NATing traffic to a known destination):

  nat on em1 from any to 123.234.123.234/32 -> 1.2.3.3

while all other traffic is being NATed by:

  nat on em1 from any to any -> 1.2.3.2

Using pftop and generating some traffic to 123.234.123.234/32 I do see rules to the destination network but the source (local) address is 1.2.3.2 (expected source address is 1.2.3.3).

I'm wondering if pf is unable to use an aliased IP address on the same interface as a NAT address?

I also tried to set up a pass rule with the route-to option (pass out on em1 route-to (em1 1.2.3.3) from any to .... keep state) but even this didn't work to have packets going out with a different (NAT) source address.

I really need to do that because I have to run poptop as a VPN server (for some M$ clients) and also need to pass PPTP traffic out via the PPTP proxy 'frickin'. If both daemon processes are running, they seem to conflict with listening on the GRE protocol at the same IP address. Traffic for the frickin proxy is being handled by poptop as both are listening to GRE.

Please DON'T tell me not to use M$-PPTP VPN - I already know this is a bad idea, but management wants to use that.... they don't know it's a bad idea (I already told them but they do not care about it, so I have to solve the trouble it's causing).

Any hints for the 2nd IP address NAT problem? Is that a known issue?

The _real_ problem is not poptop + frickin at the same machine. It's to solve the problem to have more than one MS-PPTP VPN client connecting to the same destination VPN server being NATed blues. If there would be a better solution than frickin....?

Thanks for any hints!

Volker

From owner-freebsd-pf@FreeBSD.ORG Sun Nov 27 07:25:11 2005
From: Daniel Hartmeier <dhartmei@insomnia.benzedrine.cx>
Date: Sun, 27 Nov 2005 08:25:06 +0100
To: Volker
Cc: freebsd-pf@freebsd.org
Subject: Re: pf, nat, 2 public IP-addresses
Can you reproduce the problem (create one connection), then run pfctl -vsn (entire output) and pfctl -vss (the state using the wrong source address)?

The connection might match the wrong nat rule (unlike filter rules, translation rules are first-match). Or the connection might not be nat'ed at all.

Are the two proxies you mentioned running on the same box as pf? Why do you need to nat at all? Because you can't bind(2) one's outgoing connections to the alias address? So you want to replace source 1.2.3.2 with 1.2.3.3 for these connections?

Daniel

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 28 11:02:39 2005
From: FreeBSD bugmaster <owner-bugmaster@freebsd.org>
Date: Mon, 28 Nov 2005 11:02:08 GMT
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2005/06/15]  kern/82271  pf     [pf] cbq scheduler cause bad latency
f [2005/07/31]  kern/84370  pf     [modules] Unload pf.ko cause page fault
f [2005/09/13]  kern/86072  pf     [pf] Packet Filter rule not working prope

3 problems total.

Non-critical problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2005/05/15]  conf/81042  pf     [pf] [patch] /etc/pf.os doesn't match Fre

1 problem total.

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 28 12:52:29 2005
From: "Constant, Benjamin" <bconstant@be.tiauto.com>
Date: Mon, 28 Nov 2005 13:52:09 +0100
To: freebsd-pf@freebsd.org
Subject: pf + ip alias + route-to interrogation
Hello list,

I've some questions regarding source routing with the route-to option. Here is what I try to set up:

I've two network interfaces on a box, one is dedicated to lan, the other one is dedicated to wan. On each of these interfaces, there are 1 IP + 1 IP alias in another subnet (security aspect is not important here). Here is the scheme:

  10.1.1.0/24 -- 10.1.1.1                 192.168.1.2 -- gw1 [192.168.1.1]
                 [em0      FreeBSD      em1]
  10.1.2.0/24 -- 10.1.2.1(alias)          192.168.2.2(alias) -- gw2 [192.168.2.1]

I'm not performing 'NATting' on this box. All the traffic coming from 10.1.1.0/24 is using the kernel routing table of the box and going to gateway 192.168.1.1. I'm doing source routing for every packet coming from 10.1.2.0/24 and sending them to 192.168.1.2. It is working correctly with the following /etc/pf.conf:

  # macros (defined without the leading '$'; the '$' is used when they are referenced)
  ext_if="em1"
  int_if="em0"

  pass out quick on $ext_if route-to ($ext_if 192.168.2.1) from 10.1.2.0/24 to any keep state
  pass in quick on $int_if route-to ($ext_if 192.168.2.1) from 10.1.2.0/24 to any keep state

  # default rules in case of policy change in future update
  pass in all flags S/SA keep state
  pass out all

I don't understand why I need to use keep state on each rule. If I remove the keep state keyword, the first packet is using the route-to but the other ones are using the kernel routing table.

If I remove the quick keyword, it doesn't work at all (it seems to fall in one of the last two rules depending how the traffic hits the box). In another mail I can read "unlike filter rules, translation rules are first-match", what is the policy for route-to? I think it should be the same as for a simple pass or block rule but am I right?

Why do I have to use a "pass in on $int_if..." for all the traffic coming from the lan? The traffic should hit the rule pass out when it crosses the box.

I can't perform a ping -S lan_ip_alias ip_to_reach, why isn't such traffic using the pass out source routing rule?

This box is running 5.4 stable and the following pf.c revision:

  $FreeBSD: src/sys/contrib/pf/net/pf.c,v 1.18.2.10 2005/08/06 01:54:11 mlaier Exp

which seems to be the last commit for RELENG_5.

I'm a bit confused, can someone give me some more explanation?

Thanks!

PS: This message was also sent to the pf official mailing-list to gather as much information as possible.

Benjamin Constant
TI Automotive

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 28 13:30:33 2005
From: "Josh Finlay" <montarotech@optusnet.com.au>
Date: Mon, 28 Nov 2005 23:29:47 +1000
Subject: RDR with dynamic IP

Here's the full scenario,

I'm running q3server (/usr/ports/games/q3server), bound to an external ip on iface ng0.. but LAN clients can't connect to it when it's bound to an external iface (don't know why? had problems like this since I started using pf...)

By default it binds to localhost
So I need to at least tell it to bind to an ip (can't bind to multiple)
If I tell it to bind to 192.168.0.x - internet clients can't get in
If I tell it to bind to 58.104.249.xx - lan clients can't get in

So what I want to do is bind it to 58.104.249.xx and then re-direct 192.168.0.x on port 27960 to 58.104.249.xx port 27960... but the problem is the 58.104.249.xx ip is dynamic, so how do I create a RDR rule that will be valid for an interface rather than an IP?

ie.

  rdr pass on $IntIF inet proto udp to port 27960 -> [the ip currently assigned to ng0 here] port 27960

any suggestions?
I'm hoping this is a total no-brainer ;)

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 28 17:27:00 2005
From: Stanislaw Halik <weirdo@tehran.lain.pl>
Date: Mon, 28 Nov 2005 18:26:37 +0100
To: freebsd-pf@freebsd.org
Subject: Re: RDR with dynamic IP

Josh Finlay wrote:
> I'm running q3server (/usr/ports/games/q3server), bound to an external
> ip on iface ng0.. but LAN clients can't connect to it when it's bound
> to an external iface (don't know why? had problems like this since I
> started using pf...)
> By default it binds to localhost
> So I need to at least tell it to bind to an ip (can't bind to multiple)
> If I tell it to bind to 192.168.0.x - internet clients can't get in
> If I tell it to bind to 58.104.249.xx - lan clients can't get in

why can't you bind it to 0.0.0.0?

-- 
Stanisław Halik, http://tehran.lain.pl

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 28 19:22:59 2005
From: Volker <volker@vwsoft.com>
Date: Mon, 28 Nov 2005 20:20:48 +0100
To: Josh Finlay
Cc: freebsd-pf@freebsd.org
Subject: Re: RDR with dynamic IP

from man pf.conf:

> When the address of an interface (or host name) changes (under DHCP or
> PPP, for instance), the ruleset must be reloaded for the change to be
> reflected in the kernel. Surrounding the interface name (and optional
> modifiers) in parentheses changes this behaviour. When the interface
> name is surrounded by parentheses, the rule is automatically updated
> whenever the interface changes its address.

Another way: using mpd, create a linkup-script and re-load pf rules from there (like it's possible with ppp).

Greetings,
Volker

On 2005-11-28 14:29, Josh Finlay wrote:
> So what I want to do is bind it to 58.104.249.xx and then re-direct
> 192.168.0.x on port 27960 to 58.104.249.xx port 27960... but the problem
> is the 58.104.249.xx ip is dynamic, so how do I create a RDR rule that
> will be valid for an interface rather than an IP?
>
> ie.
> rdr pass on $IntIF inet proto udp to port 27960 -> [the ip currently assigned to ng0 here] port 27960
>
> any suggestions?
> I'm hoping this is a total no-brainer ;)

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 28 20:21:03 2005
From: "Michiel Kranenburg" <michiel@nl-hrln-ptgrf.net>
Date: Mon, 28 Nov 2005 21:22:15 +0100
Subject: OpenBSD's PF with a bridge on FreeBSD 6.x
Hi all,

I'm currently running FreeBSD 6.0-RELEASE.

I have 2 ethernet-cards running in promisc mode that should bridge my ISP modem with my switch.

  xl0: flags=8943 mtu 1500
          options=9
          inet6 fe80::201:2ff:fe09:84f3%xl0 prefixlen 64 scopeid 0x1
          inet 145.99.138.82 netmask 0xfffffff0 broadcast 145.99.138.95
          inet 145.99.138.83 netmask 0xfffffff0 broadcast 145.99.138.95
          ether 00:01:02:09:84:f3
          media: Ethernet autoselect (100baseTX )
          status: active
  xl2: flags=8943 mtu 1500
          options=9
          inet6 fe80::250:4ff:fe55:2852%xl2 prefixlen 64 scopeid 0x3
          ether 00:50:04:55:28:52
          media: Ethernet autoselect (100baseTX )
          status: active

Currently this is my situation:

  ( Internet (/28) )  <->  ( xl0 ) ( xl2 )  <->  ( switches )  <->  ( clients )

The problem is that I want PF (OpenBSD's Packet Filter) to firewall my server and the bridge (for the clients).
The packet filter works great for the server, it handles packets that are defined in the ruleset perfectly.

The real problem lies in filtering the bridge, PF passes all traffic to the bridge _even_ when some kind of traffic is blocked on xl0. (So it shouldn't be on the network anyway)

Can someone help me to get filtering on the bridge to work?
Please CC me as I'm not subscribed to this list!

With kind regards,
Michiel Kranenburg

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 29 02:12:09 2005
From: "Bruce A. Mah" <bmah@freebsd.org>
Date: Mon, 28 Nov 2005 18:12:02 -0800
To: Michiel Kranenburg
Cc: freebsd-pf@freebsd.org
Subject: Re: OpenBSD's PF with a bridge on FreeBSD 6.x

If memory serves me right, Michiel Kranenburg wrote:
> I'm currently running FreeBSD 6.0-RELEASE.
>
> I have 2 ethernet-cards running in promisc mode that should bridge my ISP
> modem with my switch.
>
> [ifconfig output for xl0 and xl2, quoted in full in the original]

Are you doing bridge(4) or if_bridge(4)? For 6.0, I highly recommend the latter; the integration with packet filters (such as PF) works out a lot better.

To wit: with if_bridge(4), your physical interfaces xl0 and xl2 are unnumbered and you assign IPv4/IPv6 addresses to a new pseudo-interface bridge0. You can use PF rules on bridge0 to filter packets addressed to/from the bridging machine. You can also define PF rules on the physical interfaces to filter packets passing through the bridge.

I believe that bridge(4) is deprecated in 6.X and will be removed in 7.X.

> Currently this is my situation:
>
> ( Internet (/28) ) <-> ( xl0 ) ( xl2 ) <-> ( switches ) <-> ( clients )
>
> The problem is that I want PF (OpenBSD's Packet Filter) to firewall my
> server and the bridge (for the clients).
> The packet filter works great for the server, it handles packets that are
> defined in the ruleset perfectly.
>
> The real problem lies in filtering the bridge, PF passes all traffic to
> the bridge _even_ when some kind of traffic is blocked on xl0. (So it
> shouldn't be on the network anyway)
>
> Can someone help me to get filtering on the bridge to work?

I'm doing something similar to this with no problems, using PF and if_bridge(4). Where is your "server" in the ASCII art above? You might need to give some more details (such as the ruleset you're using).

If you use if_bridge, you want to make sure that both of the net.link.bridge.pfil_bridge and net.link.bridge.pfil_member sysctl variables are set to 1. (Or at least something non-zero?)

Finally you might want to look at the 6.0 errata for an item about a kernel memory leak when running if_bridge with a packet filter.

Good luck,

Bruce.
From owner-freebsd-pf@FreeBSD.ORG Tue Nov 29 06:22:11 2005
From: Forrest Aldrich
To: freebsd-pf@freebsd.org
Date: Tue, 29 Nov 2005 01:24:04 -0500
Message-ID: <438BF404.7030009@forrie.com>
Subject: Using / notation in tables?

Is it not valid to specify in a file-based table:

11.22.33.0/24

using slash notation?

I looked at the PF page, and it seems ambiguous about whether this is valid or not.

I'm guessing not, since I just created a GeoIP table (file-based) which has slash notation in it, and I'm getting spam hits from one of the networks already/still.

If it's not valid to use / notation in file-based tables, what is the proper/better workaround for it?

Thanks.

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 29 08:49:12 2005
From: Daniel Hartmeier
To: Forrest Aldrich
Cc: freebsd-pf@freebsd.org
Date: Tue, 29 Nov 2005 09:49:00 +0100
Message-ID: <20051129084900.GA23781@insomnia.benzedrine.cx>
In-Reply-To: <438BF404.7030009@forrie.com>
Subject: Re: Using / notation in tables?

On Tue, Nov 29, 2005 at 01:24:04AM -0500, Forrest Aldrich wrote:
> Is it not valid to specify in a file-based table:
>
> 11.22.33.0/24
>
> using slash notation?
>
> I looked at the PF page, and it seems ambiguous about whether this is
> valid or not.

It's valid:

# cat file
1.2.3.4
11.22.33.0/24
5.6.7.8

# pfctl -t foo -Tr -f file
1 table created.
3 addresses added.

# pfctl -t foo -Ts
   1.2.3.4
   5.6.7.8
   11.22.33.0/24

# pfctl -t foo -vTt 11.22.33.44
1/1 addresses match.
M   11.22.33.44

> I'm guessing not, since I just created a GeoIP table (file-based) which
> has slash notation in it, and I'm getting spam hits from one of the
> networks already/still.

Then something else is wrong, either the rule using the table doesn't match (for some other reason than the table not matching), or another rule is the last matching rule for that connection. Either way, the CIDR notation in the table is not the problem.
Daniel

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 29 08:51:52 2005
From: Forrest Aldrich
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Date: Tue, 29 Nov 2005 03:53:20 -0500
Message-ID: <438C1700.7010805@forrie.com>
In-Reply-To: <20051129084900.GA23781@insomnia.benzedrine.cx>
Subject: Re: Using / notation in tables?

Thanks for your reply. I think you may be correct - I have been mulling over my syntax, but haven't found the problem yet (I just converted to PF from ipfw2).

Here is what I'm using for the tables:

block in quick on $ext_if proto { tcp, udp } from { , } \
    to $ext_if:network port 25

I wonder if this should be written differently. I initially had "block in quick on $ext_if from" but it complained until I put the proto statement in there.

Thanks.

Daniel Hartmeier wrote:
> On Tue, Nov 29, 2005 at 01:24:04AM -0500, Forrest Aldrich wrote:
>
>> Is it not valid to specify in a file-based table:
>>
>> 11.22.33.0/24
>>
>> using slash notation?
>>
>> I looked at the PF page, and it seems ambiguous about whether this is
>> valid or not.
>
> It's valid:
>
> # cat file
> 1.2.3.4
> 11.22.33.0/24
> 5.6.7.8
>
> # pfctl -t foo -Tr -f file
> 1 table created.
> 3 addresses added.
>
> # pfctl -t foo -Ts
>    1.2.3.4
>    5.6.7.8
>    11.22.33.0/24
>
> # pfctl -t foo -vTt 11.22.33.44
> 1/1 addresses match.
> M   11.22.33.44
>
>> I'm guessing not, since I just created a GeoIP table (file-based) which
>> has slash notation in it, and I'm getting spam hits from one of the
>> networks already/still.
>
> Then something else is wrong, either the rule using the table doesn't
> match (for some other reason than the table not matching), or another
> rule is the last matching rule for that connection. Either way, the CIDR
> notation in the table is not the problem.
>
> Daniel

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 29 08:54:41 2005
From: Forrest Aldrich
To: freebsd-pf@freebsd.org
Date: Tue, 29 Nov 2005 03:56:34 -0500
Message-ID: <438C17C2.8040709@forrie.com>
Subject: Statistics on individual table entries...

In ipfw2, I can use:

# ipfw -t show 3

and I'll get a timestamp next to each rule that's been hit, which helps keep track of hits and can be used for other reporting.

In PF, I am trying to determine how to accomplish similarly. The command:

pf -vvs Tables

provides summaries only. I don't see a way to accomplish the above.

Thanks.
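Daniel's reply to this message, further down the thread, describes the workaround pf offers in place of a per-entry "last matched" timestamp: read the per-address counters, clear them, and periodically drop the entries that still show zero. The script below is an added example, not code from the thread or from pf's own tooling. It implements that workaround in POSIX sh around pfctl, assumes the table was declared with the `counters` option (without it every entry reports zero) and is referenced by at least one rule, assumes `pfctl` is in PATH, and exercises its parser on a constructed sample laid out like `pfctl -vvT show` output rather than on a live table.

```shell
#!/bin/sh
# Added example, not from the thread: age out pf table entries using the
# per-address counters that `pfctl -t TABLE -vvT show` prints. pf keeps no
# "last matched" time, so each run zeroes the counters and the next run
# treats entries whose counters are still zero as unused in that interval.
# Assumptions: the table is declared with `counters` and used by a rule
# (counters only count packets that rules referencing the table matched).

# stale_entries: read `pfctl -t TABLE -vvT show` output on stdin and print
# the addresses whose In/Out Pass/Block packet counters are all zero.
stale_entries() {
    awk '
        function flush() {
            if (addr != "" && pkts == 0) print addr
            addr = ""
        }
        # entry line: indented host or CIDR address, e.g. "   11.22.33.0/24"
        $1 ~ /^!?[0-9a-fA-F.:]+(\/[0-9]+)?$/ {
            flush()
            addr = $1
            pkts = 0
            next
        }
        # counter lines: "In/Block:    [ Packets: 0   Bytes: 0   ]" and so on
        $1 ~ /^(In|Out)\/(Pass|Block):$/ {
            for (i = 1; i <= NF; i++)
                if ($i == "Packets:") pkts += $(i + 1)
        }
        END { flush() }
    '
}

# prune_stale TABLE: delete entries unused since the last run, then zero the
# counters so the next run measures a fresh interval. Refuses to act when
# every entry is stale, which is what a table declared without `counters`
# (or one no rule references) looks like; acting there would empty the table.
prune_stale() {
    table=$1
    total=$(pfctl -t "$table" -T show | wc -l | tr -d ' ')
    stale=$(pfctl -t "$table" -vvT show | stale_entries)
    nstale=$(printf '%s\n' "$stale" | grep -c . || true)
    if [ "$total" -gt 0 ] && [ "$nstale" -eq "$total" ]; then
        echo "prune_stale: all $total entries of <$table> show zero counters;" \
             "is the table declared with 'counters' and used by a rule?" >&2
        return 1
    fi
    if [ "$nstale" -gt 0 ]; then
        # word-splitting $stale into one argument per address is intended
        pfctl -t "$table" -T delete $stale
    fi
    pfctl -t "$table" -T zero
}

# Constructed sample in the layout of `pfctl -vvT show` (not real output):
# 1.2.3.4 passed 12 packets, 11.22.33.0/24 had 3 blocked, 5.6.7.8 saw nothing.
SAMPLE='   1.2.3.4
        Cleared:     Tue Nov 29 09:00:00 2005
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 12                 Bytes: 720                ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
   5.6.7.8
        Cleared:     Tue Nov 29 09:00:00 2005
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
   11.22.33.0/24
        Cleared:     Tue Nov 29 09:00:00 2005
        In/Block:    [ Packets: 3                  Bytes: 180                ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]'

# Stand-alone run: the parser alone, on the constructed sample (no pfctl needed).
printf '%s\n' "$SAMPLE" | stale_entries
# Live use, e.g. hourly from cron:  prune_stale spammers
```

Two caveats for live use: a table loaded with `persist file "..."` is rebuilt from the file on every `pfctl -f` reload, so deletions only stick if the file is regenerated from the table (`pfctl -t TABLE -T show > file`) afterwards; and the interval between runs is the resolution of "unused", so a host that is only seen weekly needs a run interval at least that long.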
From owner-freebsd-pf@FreeBSD.ORG Tue Nov 29 09:01:56 2005
From: Daniel Hartmeier
To: Forrest Aldrich
Cc: freebsd-pf@freebsd.org
Date: Tue, 29 Nov 2005 10:01:45 +0100
Message-ID: <20051129090145.GB23781@insomnia.benzedrine.cx>
In-Reply-To: <438C1700.7010805@forrie.com>
Subject: Re: Using / notation in tables?

On Tue, Nov 29, 2005 at 03:53:20AM -0500, Forrest Aldrich wrote:
> Here is what I'm using for the tables:
>
> block in quick on $ext_if proto { tcp, udp } from { , } \
>     to $ext_if:network port 25
>
> I wonder if this should be written differently.

I don't see anything obviously wrong. If a packet is passing despite this rule, there are two possibilities:

  a) evaluation doesn't reach this rule at all, because the packet
     matches an earlier quick rule

  b) evaluation does reach this rule, but the rule isn't matching,
     because

     1) the interface is not $ext_if
     2) the protocol is not tcp or udp (maybe some encapsulation or
        tunnel protocol?)
     3) the source address is not in either table (use pfctl -vTt to
        test)
     4) the destination address is not in $ext_if:network (use
        pfctl -sr to see what it expands to, might be surprising if
        $ext_if has multiple network aliases)

  c) pf is not enabled at all (pfctl -si | head -n 1)

  d) the packet is reaching the server through another path, not going
     through the pf box at all

If you can't spot it, provide the entire ruleset and a tcpdump showing the packet passing on $ext_if.

Daniel

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 29 09:07:40 2005
From: Daniel Hartmeier
To: Forrest Aldrich
Cc: freebsd-pf@freebsd.org
Date: Tue, 29 Nov 2005 10:07:30 +0100
Message-ID: <20051129090730.GC23781@insomnia.benzedrine.cx>
In-Reply-To: <438C17C2.8040709@forrie.com>
Subject: Re: Statistics on individual table entries...

On Tue, Nov 29, 2005 at 03:56:34AM -0500, Forrest Aldrich wrote:
> In PF, I am trying to determine how to accomplish similarly. The command:
>
> pf -vvs Tables
>
> provides summaries only. I don't see a way to accomplish the above.

Additional per-table counters can be printed with

  pfctl -t foo -vvTs

There's no 'last-matched timestamp', however. Depending on what you need it for (like, purge entries that haven't been used for a period of time), you could work around that by clearing the packet/byte counters (representing the packets that were matched by rules using the tables) and regularly remove those that show zero values (unused since last invocation of that clearing script).
Daniel

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 29 09:24:18 2005
From: Forrest Aldrich
To: freebsd-pf@freebsd.org
Date: Tue, 29 Nov 2005 04:26:11 -0500
Message-ID: <438C1EB3.3040200@forrie.com>
In-Reply-To: <20051129090145.GB23781@insomnia.benzedrine.cx>
Subject: Re: Using / notation in tables?

I think this might be the problem. $ext_if:network expands to 24.62.224.0/20, which is of course not my network. I've been following examples on the net about configuring this.

Perhaps I should put a variable in there as gw=24.62.224.xx/32. It's not clear to me where that should be used (ext_if:network).

Thank you.

Daniel Hartmeier wrote:
> On Tue, Nov 29, 2005 at 03:53:20AM -0500, Forrest Aldrich wrote:
>
>> Here is what I'm using for the tables:
>>
>> block in quick on $ext_if proto { tcp, udp } from { , } \
>>     to $ext_if:network port 25
>>
>> I wonder if this should be written differently.
>
> I don't see anything obviously wrong. If a packet is passing despite
> this rule, there are two possibilities:
>
>   a) evaluation doesn't reach this rule at all, because the packet
>      matches an earlier quick rule
>
>   b) evaluation does reach this rule, but the rule isn't matching,
>      because
>
>      1) the interface is not $ext_if
>      2) the protocol is not tcp or udp (maybe some encapsulation or
>         tunnel protocol?)
>      3) the source address is not in either table (use pfctl -vTt to
>         test)
>      4) the destination address is not in $ext_if:network (use
>         pfctl -sr to see what it expands to, might be surprising if
>         $ext_if has multiple network aliases)
>
>   c) pf is not enabled at all (pfctl -si | head -n 1)
>
>   d) the packet is reaching the server through another path, not going
>      through the pf box at all
>
> If you can't spot it, provide the entire ruleset and a tcpdump showing
> the packet passing on $ext_if.
>
> Daniel

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 29 22:32:35 2005
From: Forrest Aldrich
To: freebsd-pf@freebsd.org
Date: Tue, 29 Nov 2005 17:34:03 -0500
Message-ID: <438CD75B.2060002@forrie.com>
Subject: Unable to attach to public IP from private net... and a couple of questions.

I am unable to route to my public IP address from my private RFC network, which is puzzling me. I can get to 192.168.1.2:80 just fine (which I have internal DNS pointing my domain to anyhow). From what I understand, the connection should simply redirect internally. What am I doing wrong? (rules below).
Another item that puzzles me is:

pass quick on $int_if inet all keep state
# pass in quick on $int_if inet from $prv_net to any flags S/SA keep state
# pass in quick on $int_if inet from $prv_net to any keep state

If I do any of the commented-out items, I cannot ssh or do anything from the gateway to the internal network.

I also found, using ($ext_if) does not seem to work correctly. According to the PF BOOK, you should be able to use:

block in quick on $ext_if proto { tcp, udp } from to ($ext_if) port 25

where the use of parentheses ($ext_if) should automatically obtain the IP address of the interface and place it into the rules accordingly - when I debug, it shows only "fxp0" and indeed the rules don't match.

I seem to have most of this working okay - it's been rough (converting from ipfw2). Any constructive critique/advice on the rules below would be greatly appreciated (before I lose my mind adding CBC queue for VoIP ).

Thank you.

ext_if = "fxp0"
int_if = "em0"
icmp_types = "echoreq"
server = "192.168.1.2/32"
ext_ad = "24.62.224.XXX/32"
prv_net = "192.168.1.0/24"
rfc_nets = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, \
             240.0.0.0/5, 127.0.0.0/8, 0.0.0.0 }"
tcp_services = "imap imaps www smtp smtps http https"

set require-order yes
set limit { frags 30000, states 25000 }
set block-policy drop
set optimization normal
set timeout tcp.first 20
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }

table persist file "/etc/pf.d/spammers"
table persist file "/etc/pf.d/abuse"
table persist { \
    58.0.0.0/8, \
    61.0.0.0/8, \
    124.0.0.0/8, \
    126.0.0.0/8, \
    168.208.0.0/16, \
    196.192.0.0/16, \
    202.0.0.0/8, \
    210.0.0.0/8, \
    218.0.0.0/8, \
    220.0.0.0/8, \
    222.0.0.0/8 \
}
table persist { \
    80.0.0.0/8, \
    81.0.0.0/8, \
    82.0.0.0/8, \
    83.0.0.0/8, \
    84.0.0.0/8, \
    85.0.0.0/8, \
    86.0.0.0/8, \
    87.0.0.0/8, \
    88.0.0.0/8, \
    89.0.0.0/8, \
    90.0.0.0/8, \
    91.0.0.0/8, \
    193.0.0.0/8, \
    194.0.0.0/8, \
    195.0.0.0/8, \
    212.0.0.0/8, \
    213.0.0.0/8, \
    217.0.0.0/8 \
}
table persist { \
    41.0.0.0/8 \
}
table persist { \
    189.0.0.0/8, \
    190.0.0.0/8, \
    200.0.0.0/8, \
    201.0.0.0/8 \
}

scrub on $ext_if all reassemble tcp no-df random-id

nat on $ext_if inet from $prv_net to any -> $ext_if
rdr pass on $ext_if inet proto tcp from any to $ext_ad \
    port { $tcp_services } -> $server

antispoof for { lo0, $int_if, $ext_if }
set skip on lo0

block all

block in quick on $ext_if proto { tcp, udp } from { , , , } \
    to $ext_ad port 25
block in quick on $ext_if from to any
block in quick on $ext_if proto { tcp, udp } from to $ext_ad port 25

pass in quick on $int_if inet from $prv_net to any keep state

pass in on $ext_if inet proto tcp from any to any port { $tcp_services } \
    flags S/SA modulate state
pass in on $ext_if inet proto udp all keep state
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state (max 32)

pass out quick on $ext_if inet proto tcp all \
    flags S/SA keep state
pass out quick on $ext_if inet proto udp all keep state
pass out quick on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 29 23:38:22 2005
Message-ID: <438CE6CA.2030508@forrie.com>
Date: Tue, 29 Nov 2005 18:39:54 -0500
From: Forrest Aldrich
To: freebsd-pf@freebsd.org
Subject: Variable parsing difference between OpenBSD and FreeBSD?

In an example pf.conf for OpenBSD PF, a table that does not have "," (commas) in the port specifications, i.e.:

tcp_to_hera = "ssh http netris 49152:65535"

On FreeBSD-6-STABLE if I use:

tcp_services = "imap imaps http https"
rdr pass on $ext_if inet proto tcp from any to $ext_ad \
    port { $tcp_services } -> $server

it fails. But if I change the variable to:

tcp_services = "imap, imaps, http, https"

with added commas, it seems to work properly.

Now that seems like a bug. ?

_F

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 29 23:46:12 2005
From: Daniel Hartmeier
To: Forrest Aldrich
Cc: freebsd-pf@freebsd.org
Date: Wed, 30 Nov 2005 00:45:13 +0100
Message-ID: <20051129234513.GG23781@insomnia.benzedrine.cx>
In-Reply-To: <438CE6CA.2030508@forrie.com>
Subject: Re: Variable parsing difference between OpenBSD and FreeBSD?

On Tue, Nov 29, 2005 at 06:39:54PM -0500, Forrest Aldrich wrote:
> On FreeBSD-6-STABLE if I use:
>
> tcp_services = "imap imaps http https"
> rdr pass on $ext_if inet proto tcp from any to $ext_ad \
>     port { $tcp_services } -> $server
>
> it fails.

I can't confirm that, it works for me (substituting $ext_if, $ext_ad and $server with simple values) on 6-release and -stable. What error do you get, precisely? Are you sure $tcp_services is the only difference to your working ruleset?

Daniel

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 29 23:48:12 2005
From: Forrest Aldrich
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Date: Tue, 29 Nov 2005 18:48:37 -0500
Message-ID: <438CE8D5.6050605@forrie.com>
In-Reply-To: <20051129234513.GG23781@insomnia.benzedrine.cx>
Subject: Re: Variable parsing difference between OpenBSD and FreeBSD?
Yes, it was the only variable that I changed. Once I added the commas, it works like a charm.

But see my previous post - maybe there's a connection. Where I can't get to my public address via the private net (I have my pf.conf posted, pre-comma addition).

Thanks.

Daniel Hartmeier wrote:
> On Tue, Nov 29, 2005 at 06:39:54PM -0500, Forrest Aldrich wrote:
>
>> On FreeBSD-6-STABLE if I use:
>>
>> tcp_services = "imap imaps http https"
>> rdr pass on $ext_if inet proto tcp from any to $ext_ad \
>>     port { $tcp_services } -> $server
>>
>> it fails.
>
> I can't confirm that, it works for me (substituting $ext_if, $ext_ad and
> $server with simple values) on 6-release and -stable. What error do you
> get, precisely? Are you sure $tcp_services is the only difference to
> your working ruleset?
>
> Daniel

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 29 23:56:34 2005
From: Forrest Aldrich
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Date: Tue, 29 Nov 2005 18:55:58 -0500
Message-ID: <438CEA8E.1060109@forrie.com>
In-Reply-To: <20051129234513.GG23781@insomnia.benzedrine.cx>
Subject: Re: Variable parsing difference between OpenBSD and FreeBSD?

Interestingly, when I "nmap" my server (public IP) from the private network, I find SSH. Which, ironically, is the ONLY service I don't have configured or redirected in the pf.conf file.

Daniel Hartmeier wrote:
> On Tue, Nov 29, 2005 at 06:39:54PM -0500, Forrest Aldrich wrote:
>
>> On FreeBSD-6-STABLE if I use:
>>
>> tcp_services = "imap imaps http https"
>> rdr pass on $ext_if inet proto tcp from any to $ext_ad \
>>     port { $tcp_services } -> $server
>>
>> it fails.
>
> I can't confirm that, it works for me (substituting $ext_if, $ext_ad and
> $server with simple values) on 6-release and -stable. What error do you
> get, precisely? Are you sure $tcp_services is the only difference to
> your working ruleset?
>
> Daniel

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 29 23:58:22 2005
From: Daniel Hartmeier
To: Forrest Aldrich
Cc: freebsd-pf@freebsd.org
Date: Wed, 30 Nov 2005 00:58:07 +0100
Message-ID: <20051129235807.GH23781@insomnia.benzedrine.cx>
In-Reply-To: <438CE8D5.6050605@forrie.com>
Subject: Re: Variable parsing difference between OpenBSD and FreeBSD?

On Tue, Nov 29, 2005 at 06:48:37PM -0500, Forrest Aldrich wrote:
> Yes, it was the only variable that I changed. Once I added the commas,
> it works like a charm.
>
> But see my previous post - maybe there's a connection. Where I can't
> get to my public address via the private net (I have my pf.conf posted,
> pre-comma addition).

Well, "it fails" is not a very precise description. Does pfctl refuse to load the ruleset and produce an error message? If so, please provide the precise error message it prints.

For instance, if I use the symbolic port name "netris" from the OpenBSD example (which isn't in FreeBSD's /etc/services), I get

# pfctl -nvf /etc/pf.conf
tcp_services = "imap imaps http netris"
/etc/pf.conf:3: unknown port netris

# cat -n /etc/pf.conf | grep -B 1 -A 1 '^ * 3'
     2  rdr pass on gem0 inet proto tcp from any to 10.1.1.60 \
     3      port { $tcp_services } -> 10.1.1.60

If it's not a syntax problem pfctl complains about, please explain how "it fails", i.e. what you expect it to do and what you observe it doing that differs from expectations. I can't imagine how the commas make a semantic (but not a syntactic) difference.
Daniel

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 30 00:00:47 2005
From: Forrest Aldrich
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Date: Tue, 29 Nov 2005 19:01:49 -0500
Message-ID: <438CEBED.6030002@forrie.com>
In-Reply-To: <20051129235807.GH23781@insomnia.benzedrine.cx>
Subject: Re: Variable parsing difference between OpenBSD and FreeBSD?

Sorry, I meant to say that I'm not using "netris" (that was just an example).

The filters "fail" in that only traffic for imap and possibly smtp got
through, the rest did not. I wasn't able to figure out "why" in that case,
as when I added the commas it works fine now.

Daniel Hartmeier wrote:
> On Tue, Nov 29, 2005 at 06:48:37PM -0500, Forrest Aldrich wrote:
>
>> Yes, it was the only variable that I changed. Once I added the commas,
>> it works like a charm.
>>
>> But see my previous post - maybe there's a connection. Where I can't
>> get to my public address via the private net (I have my pf.conf posted,
>> pre-comma addition).
>
> Well, "it fails" is not a very precise description. Does pfctl refuse to
> load the ruleset and produce an error message? If so, please provide the
> precise error message it prints.
>
> For instance, if I use the symbolic port name "netris" from the OpenBSD
> example (which isn't in FreeBSD's /etc/services), I get
>
>   # pfctl -nvf /etc/pf.conf
>   tcp_services = "imap imaps http netris"
>   /etc/pf.conf:3: unknown port netris
>
>   # cat -n /etc/pf.conf | grep -B 1 -A 1 '^ * 3'
>        2  rdr pass on gem0 inet proto tcp from any to 10.1.1.60 \
>        3      port { $tcp_services } -> 10.1.1.60
>
> If it's not a syntax problem pfctl complains about, please explain how
> "it fails", i.e. what you expect it to do and what you observe it doing
> that differs from expectations. I can't imagine how the commas make a
> semantic (but not a syntactic) difference.
>
> Daniel

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 30 14:56:53 2005
From: Marko Cuk
Organization: NetInet
To: "Constant, Benjamin"
Cc: freebsd-pf@freebsd.org
Date: Wed, 30 Nov 2005 15:59:48 +0100
Message-ID: <438DBE64.8030102@cuk.nu>
Subject: Re: pf + ip alias + route-to interrogation

I have the same problems with route-to.
I have solved the problem with IPF, which "grabs" packets on the output
interface and route-to's them to the proper interface and gateway. The
problem is that it works only when IPF is loaded after booting and the boot
scripts, because if IPF is loaded at boot time, the packet flow obviously
changes and IPF won't work.

The kldunload ipl / kldload ipl / ipf -f /etc/ipf.rules helps, but it is
not a proper solution.

Max and others... please, help. We can test, try, send some data back...

Marko

Constant, Benjamin wrote:
>Hello list,
>
>I've some questions regarding source routing with the route-to option.
>
>Here is what I try to set up:
>
>I've two network interfaces on a box, one is dedicated to the lan, the
>other one is dedicated to the wan.
>On each of these interfaces, there are 1 IP + 1 IP alias in another subnet
>(the security aspect is not important here).
>
>Here is the scheme:
>
>10.1.1.0/24 -- 10.1.1.1          192.168.1.2        -- gw1 [192.168.1.1]
>                   [em0     FreeBSD     em1]
>10.1.2.0/24 -- 10.1.2.1(alias)   192.168.2.2(alias) -- gw2 [192.168.2.1]
>
>I'm not performing 'NATting' on this box. All the traffic coming from
>10.1.1.0/24 is using the kernel routing table of the box and going to
>gateway 192.168.1.1. I'm doing source routing for every packet coming from
>10.1.2.0/24 and send them to 192.168.1.2.
>It is working correctly with the following /etc/pf.conf:
>
>$ext_if="em1"
>$int_if="em0"
>
>pass out quick on $ext_if route-to ($ext_if 192.168.2.1) from 10.1.2.0/24 \
>    to any keep state
>pass in quick on $int_if route-to ($ext_if 192.168.2.1) from 10.1.2.0/24 \
>    to any keep state
>
># default rules in case of policy change in future update
>pass in all flags S/SA keep state
>pass out all
>
>I don't understand why I need to use keep state on each rule. If I remove
>the keep state keyword, the first packet is using the route-to but the
>other ones are using the kernel routing table. If I remove the quick
>keyword, it doesn't work at all (it seems to fall in one of the last two
>rules depending how the traffic hits the box). In another mail I can read
>"unlike filter rules, translation rules are first-match", what is the
>policy for route-to? I think it should be the same as for a simple pass or
>block rule but am I right?
>Why do I have to use a "pass in on $int_if..." for all the traffic coming
>from the lan? The traffic should hit the pass out rule when it crosses the
>box.
>I can't perform a ping -S lan_ip_alias ip_to_reach, why isn't such traffic
>using the pass out source routing rule?
>This box is running 5.4 stable and the following pf.c revision:
>$FreeBSD: src/sys/contrib/pf/net/pf.c,v 1.18.2.10 2005/08/06 01:54:11 mlaier Exp
>which seems to be the last commit for RELENG_5.
>
>I'm a bit confused, can someone give me some more explanation? Thanks!
>
>PS:
>
>This message was also sent to the official pf mailing-list to gather as
>much information as possible.
>
>Benjamin Constant
>TI Automotive
>
>The information contained in this transmission may contain privileged and
>confidential information. It is intended only for the use of the
>person(s) named above. If you are not the intended recipient, you are
>hereby notified that any review, dissemination, distribution or
>duplication of this communication is strictly prohibited. If you are not
>the intended recipient, please contact the sender by reply email and
>destroy all copies of the original message. This communication is from TI
>Automotive.
>_______________________________________________
>freebsd-pf@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

-- 
NetInet d.o.o.
http://www.NetInet.si
Private: http://cuk.nu
MountainBikeSlovenia team: http://mtb.si
Slovenian FreeBSD mirror admin http://www2.si.freebsd.org

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 30 16:01:50 2005
From: Max Laier
To: Marko Cuk
Cc: freebsd-pf@freebsd.org
Date: Wed, 30 Nov 2005 17:00:40 +0100
Message-Id: <200511301701.06808.max@love2party.net>
In-Reply-To: <438DBE64.8030102@cuk.nu>
Subject: Re: pf + ip alias + route-to interrogation

On Wednesday 30 November 2005 15:59, Marko Cuk wrote:
> I have the same problems with route-to.
>
> I have solved the problem with IPF, which "grabs" packets on the output
> interface and route-to's them to the proper interface and gateway. The
> problem is that it works only when IPF is loaded after booting and the
> boot scripts, because if IPF is loaded at boot time, the packet flow
> obviously changes and IPF won't work.
> The kldunload ipl / kldload ipl / ipf -f /etc/ipf.rules helps, but it is
> not a proper solution.
>
> Max and others... please, help. We can test, try, send some data back...

If you want help, please post proper details and the complete pf.conf.
Please also describe how it fails. Without the complete pf.conf it's merely
guesswork rather than proper debugging.

Also: PLEASE DO NOT TOP-POST!

> Constant, Benjamin wrote:
> >Hello list,
> >
> >I've some questions regarding source routing with the route-to option.
> >
> >Here is what I try to set up:
> >
> >I've two network interfaces on a box, one is dedicated to the lan, the
> >other one is dedicated to the wan.
> >On each of these interfaces, there are 1 IP + 1 IP alias in another subnet
> >(the security aspect is not important here).
> >
> >Here is the scheme:
> >
> >10.1.1.0/24 -- 10.1.1.1          192.168.1.2        -- gw1 [192.168.1.1]
> >                   [em0     FreeBSD     em1]
> >10.1.2.0/24 -- 10.1.2.1(alias)   192.168.2.2(alias) -- gw2 [192.168.2.1]
> >
> >I'm not performing 'NATting' on this box. All the traffic coming from
> >10.1.1.0/24 is using the kernel routing table of the box and going to
> >gateway 192.168.1.1. I'm doing source routing for every packet coming
> >from 10.1.2.0/24 and send them to 192.168.1.2.
> >It is working correctly with the following /etc/pf.conf:
> >
> >$ext_if="em1"
> >$int_if="em0"
> >
> >pass out quick on $ext_if route-to ($ext_if 192.168.2.1) from 10.1.2.0/24 \
> >    to any keep state
> >pass in quick on $int_if route-to ($ext_if 192.168.2.1) from 10.1.2.0/24 \
> >    to any keep state
> >
> ># default rules in case of policy change in future update
> >pass in all flags S/SA keep state
> >pass out all
> >
> >I don't understand why I need to use keep state on each rule. If I remove
> >the keep state keyword, the first packet is using the route-to but the
> >other ones are using the kernel routing table. If I remove the quick
> >keyword, it doesn't work at all (it seems to fall in one of the last two
> >rules depending how the traffic hits the box). In another mail I can read
> >"unlike filter rules, translation rules are first-match", what is the
> >policy for route-to? I think it should be the same as for a simple pass
> >or block rule but am I right?
> >Why do I have to use a "pass in on $int_if..." for all the traffic coming
> >from the lan? The traffic should hit the pass out rule when it crosses the
> >box.
> >I can't perform a ping -S lan_ip_alias ip_to_reach, why isn't such traffic
> >using the pass out source routing rule?
> >This box is running 5.4 stable and the following pf.c revision:
> >$FreeBSD: src/sys/contrib/pf/net/pf.c,v 1.18.2.10 2005/08/06 01:54:11 mlaier Exp
> >which seems to be the last commit for RELENG_5.
> >
> >I'm a bit confused, can someone give me some more explanation? Thanks!

Not without seeing your complete ruleset. Quick is a two-edged sword and you
really need to know what you are doing when using it.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 30 22:48:23 2005
From: "Marcelo Celleri"
Date: Wed, 30 Nov 2005 17:48:05 -0500
Message-Id: <200511302245.jAUMjnlH005753@jupiter.espoltel.net>
Subject: PF + ALTQ... help please!!
Hi everyone,

I'm trying PF + ALTQ on FreeBSD to implement policies for the traffic flows
of my clients. For each one of them I have a configuration like this:

$int_if="em1"

queue marcelo bandwidth 128Kb cbq { gold, silver, default }
queue marcelo1 bandwidth 70% priority 3 cbq(borrow red)
queue marcelo2 bandwidth 20% priority 2 cbq(borrow red)
queue marcelodf bandwidth 10% cbq(borrow)

pass in on $int_if from any to xxx.xxx.xxx.xxx keep state queue default
pass in on $int_if proto tcp from any port { 25,110 } to 200.49.242.42 \
    keep state queue silver
pass in on $int_if proto tcp from any port { 22,80,443 } to 200.49.242.42 \
    keep state queue gold
pass in on $int_if proto { udp,tcp } from any port 53 to 200.49.242.42 \
    keep state queue gold

I supposed that the "borrow" parameter allows the queue to borrow the excess
bandwidth up to the top of 128 Kb depending on the priority value, but I
realized that if I'm getting my e-mail via POP3 from xxx.xxx.xxx.xxx the
maximum bandwidth allocated is approximately 40 or 50 Kbps even if there is
no other flow of traffic present.

I need to get this setup: if there is full load, I must have 70% of 128 Kbps
for domain, ssh, http and https traffic, 20% for pop3 and smtp and the rest
for any other service, but when I'm using the services defined for the
silver queue like pop3 and if the gold queue isn't full, the bandwidth has
to be (128Kb - (bw allocated in gold)), so if I have no http, https, ssh or
domain traffic the value for the pop3 connection must in theory be 128Kbps.

The same should happen if I use a p2p application, which would be handled by
the default queue: if there is no traffic flow handled by the gold or silver
queue at the same time when I'm doing a download, the bandwidth allocated
for this connection has to be 128 Kbps.

So, every one of the flows has to reach the maximum of 128Kbps when there is
no other flow with greater priority present at the same time, based on:

http, https, dns, ssh: first priority
pop3, smtp: medium priority
rest of services: last priority

Thanks for your comments and help.

-- 
This message has been scanned by the ESPOLTEL S.A. antivirus for viruses and
other dangerous content, and is considered clean.

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 30 23:07:49 2005
From: Jon Simola
To: Marcelo Celleri
Cc: freebsd-pf@freebsd.org
Date: Wed, 30 Nov 2005 15:07:45 -0800
Message-ID: <8eea04080511301507k5d8db25dm6f4724beced44279@mail.gmail.com>
In-Reply-To: <200511302245.jAUMjnlH005753@jupiter.espoltel.net>
Subject: Re: PF + ALTQ... help please!!

On 11/30/05, Marcelo Celleri wrote:
> $int_if="em1"
> queue marcelo bandwidth 128Kb cbq { gold, silver, default }
> queue marcelo1 bandwidth 70% priority 3 cbq(borrow red)
> queue marcelo2 bandwidth 20% priority 2 cbq(borrow red)
> queue marcelodf bandwidth 10% cbq(borrow)

You've omitted a lot of the pf.conf file. The only thing I can suggest is
that you name the sub-queues (marcelo1/2/df) the same as what the queue
expects them to be named (gold/silver/default). Like this:

altq on em0 cbq bandwidth 100Mb queue { default_ext, throttle_ext }
queue default_ext bandwidth 40Mb qlimit 1000 priority 5 cbq(default red ecn)
queue throttle_ext bandwidth 64Kb priority 1 cbq(red ecn)

> pass in on $int_if proto { udp,tcp } from any port 53 to 200.49.242.42 keep
> state queue gold

Not actually having defined a gold queue, that does nothing.
-- 
Jon Simola
Systems Administrator
ABC Communications

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 30 23:40:03 2005
From: "Marcelo Celleri"
Date: Wed, 30 Nov 2005 18:39:57 -0500
Message-Id: <200511302337.jAUNbflH017010@jupiter.espoltel.net>
In-Reply-To: <8eea04080511301507k5d8db25dm6f4724beced44279@mail.gmail.com>
Subject: RE: PF + ALTQ... help please!!

Sorry, but it was a mistake when I wrote the mail...

The configuration looks like this:

queue marcelo bandwidth 128Kb cbq { gold, silver, default }
queue gold bandwidth 70% priority 3 cbq(borrow red)
queue silver bandwidth 20% priority 2 cbq(borrow red)
queue default bandwidth 10% cbq(borrow)

pass in on $int_if from any to xxx.xxx.xxx.xxx keep state queue default
pass in on $int_if proto tcp from any port { 25,110 } to 200.49.242.42 \
    keep state queue silver
pass in on $int_if proto tcp from any port { 22,80,443 } to 200.49.242.42 \
    keep state queue gold
pass in on $int_if proto { udp,tcp } from any port 53 to 200.49.242.42 \
    keep state queue gold

But it doesn't work like I want...

-----Original message-----
From: jsimola@gmail.com [mailto:jsimola@gmail.com] On behalf of Jon Simola
Sent: Wednesday, 30 November 2005 18:08
To: Marcelo Celleri
CC: freebsd-pf@freebsd.org
Subject: Re: PF + ALTQ... help please!!

On 11/30/05, Marcelo Celleri wrote:
> $int_if="em1"
> queue marcelo bandwidth 128Kb cbq { gold, silver, default }
> queue marcelo1 bandwidth 70% priority 3 cbq(borrow red)
> queue marcelo2 bandwidth 20% priority 2 cbq(borrow red)
> queue marcelodf bandwidth 10% cbq(borrow)

You've omitted a lot of the pf.conf file. The only thing I can suggest is
that you name the sub-queues (marcelo1/2/df) the same as what the queue
expects them to be named (gold/silver/default). Like this:

altq on em0 cbq bandwidth 100Mb queue { default_ext, throttle_ext }
queue default_ext bandwidth 40Mb qlimit 1000 priority 5 cbq(default red ecn)
queue throttle_ext bandwidth 64Kb priority 1 cbq(red ecn)

> pass in on $int_if proto { udp,tcp } from any port 53 to 200.49.242.42 keep
> state queue gold

Not actually having defined a gold queue, that does nothing.

-- 
Jon Simola
Systems Administrator
ABC Communications

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 30 23:57:40 2005
From: "Marcelo Celleri"
Date: Wed, 30 Nov 2005 18:57:33 -0500
Message-Id: <200511302355.jAUNtHlH019276@jupiter.espoltel.net>
In-Reply-To: <200511302337.jAUNbflH017010@jupiter.espoltel.net>
Subject: RE: PF + ALTQ... help please!!
There is a little more:

int_if="em1"

altq on $int_if bandwidth 100Mb cbq queue { std, uees, lnaval, tes, ecomundo, \
    montepiedra, offset, andec, copol, asuncion, umetro, calcivar, corpecuador, \
    ststeban, extradio, capig, oxxo, ryc, esmena, marianitas, diteca, canizares, \
    codelfos, metain, nnuu, cyber, antena3, stabarbara, maqhensa, agarcia, \
    pymes256_n3, pymes256_n4, pymes128, residencial, marcelo }
queue std bandwidth 10.0Mb cbq(default)

#Then for each one of the subqueues:
queue marcelo bandwidth 128Kb cbq { gold, silver, default }
queue gold bandwidth 70% priority 3 cbq(borrow red)
queue silver bandwidth 20% priority 2 cbq(borrow red)
queue default bandwidth 10% cbq(borrow)

#These are the rules:
pass in on $int_if from any to xxx.xxx.xxx.xxx keep state queue default
pass in on $int_if proto { tcp } from any port { 25,110 } to xxx.xxx.xxx.xxx \
    keep state queue silver
pass in on $int_if proto { tcp } from any port { 22,53,80,443 } to xxx.xxx.xxx.xxx \
    keep state queue gold

On 11/30/05, Marcelo Celleri wrote:
> $int_if="em1"
> queue marcelo bandwidth 128Kb cbq { gold, silver, default }
> queue marcelo1 bandwidth 70% priority 3 cbq(borrow red)
> queue marcelo2 bandwidth 20% priority 2 cbq(borrow red)
> queue marcelodf bandwidth 10% cbq(borrow)

You've omitted a lot of the pf.conf file. The only thing I can suggest is
that you name the sub-queues (marcelo1/2/df) the same as what the queue
expects them to be named (gold/silver/default). Like this:

altq on em0 cbq bandwidth 100Mb queue { default_ext, throttle_ext }
queue default_ext bandwidth 40Mb qlimit 1000 priority 5 cbq(default red ecn)
queue throttle_ext bandwidth 64Kb priority 1 cbq(red ecn)

> pass in on $int_if proto { udp,tcp } from any port 53 to 200.49.242.42 keep
> state queue gold

Not actually having defined a gold queue, that does nothing.

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 1 00:14:25 2005
From: Jon Simola
To: Marcelo Celleri
Cc: freebsd-pf@freebsd.org
Date: Wed, 30 Nov 2005 16:14:23 -0800
Message-ID: <8eea04080511301614t65037325h44106d2336f7a9f8@mail.gmail.com>
In-Reply-To: <200511302355.jAUNtHlH019276@jupiter.espoltel.net>
Subject: Re: PF + ALTQ... help please!!

On 11/30/05, Marcelo Celleri wrote:
> int_if="em1"
>
> altq on $int_if bandwidth 100Mb cbq queue { std, uees, lnaval, marcelo, ... }
> queue std bandwidth 10.0Mb cbq(default)
> #Then for each one of the subqueues:
> queue marcelo bandwidth 128Kb cbq { gold, silver, default }
> queue gold bandwidth 70% priority 3 cbq(borrow red)
> queue silver bandwidth 20% priority 2 cbq(borrow red)
> queue default bandwidth 10% cbq(borrow)
> #These are the rules:
>
> pass in on $int_if from any to xxx.xxx.xxx.xxx keep state queue default
> pass in on $int_if proto { tcp } from any port { 25,110 } to xxx.xxx.xxx.xxx
> keep state queue silver
> pass in on $int_if proto { tcp } from any port { 22,53,80,443 } to
> xxx.xxx.xxx.xxx keep state queue gold

You cannot duplicate the gold/silver/default queue names, just in case
you're doing that. The other problem is that you're trying to queue on an
inbound interface.
Going back to my example: # External interface -> OC3 altq on em0 cbq bandwidth 100Mb queue { default_ext, throttle_ext } queue default_ext bandwidth 40Mb qlimit 1000 priority 5 cbq(default red ecn= ) queue throttle_ext bandwidth 64Kb priority 1 cbq(red ecn) # Internal interface -> LAN clients altq on em1 cbq bandwidth 100Mb queue { default_int, throttle_int } queue default_int bandwidth 40Mb qlimit 1000 priority 5 cbq(default red ecn= ) queue throttle_int bandwidth 64Kb priority 1 cbq(red ecn) The queueing rule for this is: pass out on em0 from to any queue throttle_ext Or you can specify a queue on the outbound interface (em0) with a rule on the inbound (em1), for a basically similar effect: pass in on em1 from to any queue throttle_ext Hope that helps a bit. -- Jon Simola Systems Administrator ABC Communications From owner-freebsd-pf@FreeBSD.ORG Thu Dec 1 09:11:44 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 47D1316A41F for ; Thu, 1 Dec 2005 09:11:44 +0000 (GMT) (envelope-from solinym@gmail.com) Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.200]) by mx1.FreeBSD.org (Postfix) with ESMTP id BFB1B43D5D for ; Thu, 1 Dec 2005 09:11:43 +0000 (GMT) (envelope-from solinym@gmail.com) Received: by wproxy.gmail.com with SMTP id 69so315883wri for ; Thu, 01 Dec 2005 01:11:43 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=ZSCEJFQyY/zJNDcij20Kek1egeYbmUn/k7fIdE1ypEFhN6h414sX5V5zxF+o0E5ZtvT6Xc7Tr9RZLcM8OnkzAFONzFhsKJZhhRwNO9TJ31C1D3Nq1iQxPgkEIiTk4H+jLz4qLl0XcXCQsZFOkZfLq1Df1j9uk/loz1+ifVi9X1k= Received: by 10.54.62.18 with SMTP id k18mr1582194wra; Thu, 01 Dec 2005 01:11:42 -0800 (PST) Received: by 10.54.81.20 with HTTP; Thu, 1 Dec 
Date: Thu, 1 Dec 2005 03:11:42 -0600
From: "Travis H."
To: Thiago Damas, alexandre.delay@free.fr
Cc: freebsd-pf@freebsd.org
Subject: Re: Protocol filter capabilities

On 11/24/05, Thiago Damas wrote:
> I have a program that implements this, via divert socket with ipfw.
> I think the better way to do this is with a program that listens
> with bpf/pcap, and inserts/deletes rules using ioctls in /dev/pf

I am doing something similar to this. Actually I've decoupled the two
functions; I have the dynamic firewall daemon which re-writes firewall
rules and exports a sort of command line, and then I am working on a
pcap-based listener which will invoke rules on that command line.

dfd_keeper works with pf, and I'm looking for someone to take over the
iptables version (dfd_tbk). See my homepage for the dynamic firewall
daemon.

Please send me any requests about exactly what protocols you'd like to
take action in response to, and I'll do my best to include that
capability in my pcap-based listener. And, as always, I am very open to
any suggestions.

I had a root disk failure recently, but if I recover from that quickly,
I may have working code by Sunday.

--
http://www.lightconsulting.com/~travis/ -><-
"We already have enough fast, insecure systems."
-- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 1 09:19:07 2005
Date: Thu, 1 Dec 2005 03:19:02 -0600
From: "Travis H."
To: Thiago Damas, alexandre.delay@free.fr
Cc: freebsd-pf@freebsd.org
Subject: Re: Protocol filter capabilities

Specifically, here are my goals for the listener:

GOALS:
python-based sniffer that runs on OpenBSD
should be able to sniff pflog device or any other interface
should detect port knocking a la fwknop
should detect port scanning a la psad
should duplicate functionality of arpwatch
should detect use of protocols that require port forwarding
should detect p2p protocols like edonkey or beep and block them
NOTE: all can be done by monitoring the WAN interface alone
should interface to dfd_keeper to trigger rule changes
ideally any module we use should exploit full features of libpcap
ideally any module we use should be OO
ideally any module we use should be written at as high a level as possible
ideally any module we use should be thread-safe
should use publisher-subscriber design pattern for efficiency
each consumer (psad, fwknop, port fwd) should specify BPF filter ORed together
each consumer is en/disabled via command line options

And I've already done the analysis of python pcap interfaces and I'll be
using pcapy/impacket, perhaps with some minor modifications which will be
sent back to the authors. I evaluated pycap, pylibcap, and pynetlibs and
found them to be inferior to pcapy/impacket.

--
http://www.lightconsulting.com/~travis/ -><-
"We already have enough fast, insecure systems."
-- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 1 09:24:22 2005
From: "Constant, Benjamin"
To: freebsd-pf@freebsd.org
Date: Thu, 1 Dec 2005 10:24:11 +0100
Subject: RE: pf + ip alias + route-to interrogation

> -----Original Message-----
> From: Max Laier [mailto:max@love2party.net]
> Sent: Wednesday 30 November 2005 17:01
> To: Marko Cuk
> Cc: freebsd-pf@freebsd.org; Constant, Benjamin
> Subject: Re: pf + ip alias + route-to interrogation
>
> On Wednesday 30 November 2005 15:59, Marko Cuk wrote:
> > I have same problems with route-to.
> >
> > I have solved the problem with IPF, which "grabs" packets on output
> > interface and route-to them to proper interface and gateway. The
> > problem is, that it works only when IPF is loaded after booting and
> > boot scripts, because if IPF is loaded at boot time, the packet flow
> > obviously changes and IPF won't work.
> > The kldunload ipl / kldload ipl / ipf -f /etc/ipf.rules helps, but it
> > is not a proper solution.
> >
> > Max and others... please, help. We can test, try, send some data back...
>
> If you want help, please post proper details and complete pf.conf.
> Please also describe how it fails. Without complete pf.conf it's merely
> guesswork rather than proper debugging.
>
> Also: PLEASE DO NOT TOP-POST!
>
> > Constant, Benjamin wrote:
> > >Hello list,
> > >
> > >I've some questions regarding source routing with route-to option.
> > >
> > >Here is what I try to setup:
> > >
> > >I've two network interfaces on a box, one is dedicated to lan, the
> > >other one is dedicated to wan.
> > >On each of these interfaces, there are 1 IP + 1 IP alias in another
> > >subnet (security aspect is not important here).
> > >
> > >Here is the scheme:
> > >
> > >10.1.1.0/24 -- 10.1.1.1        192.168.1.2        -- gw1 [192.168.1.1]
> > >               [em0      FreeBSD      em1]
> > >10.1.2.0/24 -- 10.1.2.1(alias) 192.168.2.2(alias) -- gw2 [192.168.2.1]
> > >
> > >I'm not performing 'NATting' on this box. All the traffic coming from
> > >10.1.1.0/24 is using the kernel routing table of the box and going to
> > >gateway 192.168.1.1. I'm doing source routing for every packet
> > >coming from 10.1.2.0/24 and send them to 192.168.1.2.
> > >It is working correctly with the following /etc/pf.conf:
> > >
> > >ext_if="em1"
> > >int_if="em0"
> > >
> > >pass out quick on $ext_if route-to ($ext_if 192.168.2.1) from \
> > >    10.1.2.0/24 to any keep state
> > >pass in quick on $int_if route-to ($ext_if 192.168.2.1) from \
> > >    10.1.2.0/24 to any keep state
> > >
> > ># default rules in case of policy change in future update
> > >pass in all flags S/SA keep state
> > >pass out all
> > >
> > >I don't understand why I need to use keep state on each rule. If I
> > >remove the keep state keyword, the first packet is using the route-to
> > >but the other ones are using the kernel routing table. If I remove
> > >the quick keyword, it doesn't work at all (it seems to fall in one
> > >of the last two rules depending how the traffic hit the box). In an
> > >other mail I can read "unlike filter rules, translation rules are
> > >first-match", what is the policy for route-to? I think it should be
> > >the same as for a simple pass or block rule but am I right?
> > >Why do I have to use a "pass in on $int_if..." for all the traffic
> > >coming from the lan? The traffic should hit the rule pass out when it
> > >crosses the box.
> > >I can't perform a ping -S lan_ip_alias ip_to_reach, why such traffic
> > >isn't using the pass out source routing rule.
> > >This box is running 5.4 stable and the following pf.c revision:
> > >$FreeBSD: src/sys/contrib/pf/net/pf.c,v 1.18.2.10 2005/08/06 01:54:11 mlaier Exp $
> > >which seems to be the last commit for RELENG_5.
> > >
> > >I'm a bit confused, can someone give me some more explanation? Thanks!
>
> Not without seeing your complete ruleset. Quick is a two-edged sword
> and you really need to know what you are doing when using it.
>
> --
> /"\  Best regards,                     | mlaier@freebsd.org
> \ /  Max Laier                         | ICQ #67774661
>  X   http://pf4freebsd.love2party.net/ | mlaier@EFnet
> / \  ASCII Ribbon Campaign             | Against HTML Mail and News

Good morning,

Thanks for your reply, here is my complete pf.conf (some changes have
occurred since my last message). There are now 3 networks behind the
int_if. The 2 networks behind the ext_if haven't changed. Operating
system version and pf revision haven't changed. The routing table
contains an entry for each subnet in and each of these subnets is routed
to 192.168.1.2.

How can the quick keyword interfere with the route-to option? My
understanding of the quick keyword is "rule matches, stop processing";
am I missing something?

I was using the attached scheme (not sure it is up to date) for creating
my ruleset. In this scheme, I'm considering everything between the IN and
the KERNEL PROCESSING (routing table?) is specific to int_if, while
everything between KERNEL PROCESSING and OUT is related to ext_if. When I
read the scheme and look at the state check, it should not interfere with
the pf-routing, but am I right? Is the processing changing between
FreeBSD releases? Is there a place where I can find detailed
documentation for the behaviour of pf for each release if it is changing?

Thanks in advance for the time you'll spend on my interrogation!

Regards,

Here is my complete /etc/pf.conf: The table is containing a lot of /24
network subnets, nothing particular about that.
##### Macros ###################################################################
int_if = "em0"
ext_if = "em1"
table persist file "/etc/pf.tirange"

##### Normalization ############################################################
#scrub log-all on $int_if all
#scrub log-all on $int_if all reassemble tcp
#scrub log-all on $ext_if all
#scrub log-all on $ext_if all reassemble tcp

##### Queue Definition #########################################################

##### Redirection ##############################################################

##### Network Address Translation ##############################################

##### Firewalling and Traffic Shaping ##########################################
# drop broadcast packets
block drop in quick on $int_if from any to $int_if:broadcast
block drop in quick on $ext_if from any to $ext_if:broadcast

# avoid source routing for DDC network ranges for traffic to DEE
pass out quick on $ext_if from 10.1.2.0/24 to 10.1.1.0/24 keep state
pass in quick on $int_if from 10.1.2.0/24 to 10.1.1.0/24 keep state
pass out quick on $ext_if from 10.1.3.0/24 to 10.1.1.0/24 keep state
pass in quick on $int_if from 10.1.3.0/24 to 10.1.1.0/24 keep state

# source routing for DDC network ranges for traffic outside DEE
pass out quick on $ext_if route-to ($ext_if 192.168.2.2) from \
    10.1.2.0/24 to keep state
pass in quick on $int_if route-to ($ext_if 192.168.2.2) from \
    10.1.2.0/24 to keep state
pass out quick on $ext_if route-to ($ext_if 192.168.2.2) from \
    10.1.2.0/24 to keep state
pass in quick on $int_if route-to ($ext_if 192.168.2.2) from \
    10.1.3.0/24 to keep state

# source routing for DDC
pass out quick on $ext_if route-to ($ext_if 192.168.2.2) from \
    192.168.159.0/24 to keep state

# overwritten default policy (in case of changes when updating)
pass in all flags S/SA keep state
pass out all

The information contained in this transmission may contain privileged and
confidential information.
It is intended only for the use of the person(s) named above. If you are
not the intended recipient, you are hereby notified that any review,
dissemination, distribution or duplication of this communication is
strictly prohibited. If you are not the intended recipient, please
contact the sender by reply email and destroy all copies of the original
message. This communication is from TI Automotive.

[Attachment: packet_flow.png (base64-encoded image data omitted)]
YNwiRD8YtwjRD8YtQvSDcYsQ/WDcIkQ/GLcI0Q/GLUL0g3GLEP2YyzxHE8rOzr5//z4A5OXlAUBS UhIAuLi4BAUFmbhmCL0Axi0UFxcvW7aMzWZTl/JnZ2drNJrExERT1wuhF8J72IJcLhcKhdSTeyg8 Hq+8vFwgEJiwVp0e3j+5LTC/BYFAEBISor9knyCIkJAQDFpkzjBuAQCWLl2qv4SQz+cvXbrUtPVB qHnYVwEAIElSKBRWVlYCQI8ePcrLy/Fek+0N+8ltge0tAABBELGxsdRTuWJjYzFokZnD37y/FBUV eXh4AEBBQUHTpwcio8P2ti3w2P3N29sbAPLz801dkS4B47Yt8Pzt3+Lj401dBYRaxBx/87pmemmG H0S7wva2Lcy0ve1qn2jX/KlCBsPxZITox0zb2y5ILpcDAJfL5XA4pq4LMnfY3v5FqVQeOXKkLSVM mTLlzz//NHhzsVgsFoulUqlarW5LNVBXYI5jAyYZsRCLxSNHjnz48KHBJfz3v//t378/9dCD1iII 4tKlSwDQrVs3BwcHoVDIZDKpVSRJ1tbWWltbG1wx84TjUm1Bj/a2tLQ0PDx85MiRO3funDlzJgDE xsaKRCIAKCkpWbRoEQDI5fIlS5YMGzZszpw5paWlALB9+/b09HSqhIiIiKdPn5Ik+fXXX/v4+AQH B1+8eLHxLt555x2JRBIXFwcAqampY8eOHTt2bEJCArX24sWLQUFBoaGhCQkJ33777XOX7Ny5s6ys LDExMTExcdq0ad7e3jt27KA2T05OHjVq1Pz58zdv3pydnf3c9yiTyWQyWVVVlUQioZ5vVlRUtH79 egcHh59//tnohxTRG2l+mtZqzpw5n3zySXV19YoVK3r16kWSpLe3961bt0iSvHPnzrBhw0iSXLt2 7erVq8vLyz/99FNfX1+SJFeuXPn9999TJTg6OlZVVf32228TJkx4/PjxgQMHevbsWVlZqd+FSCTq 27evUqmUSqV+fn4lJSXV1dWurq4ikYgkSXd39/PnzxcWFg4fPjwmJua5S3x9fa9du/b++++7u7s/ ePDg/PnzlpaWKpXq/v37Hh4eDx8+PHXqlEAg+PHHH5/7ltPT09PT0zMyMrKyshISEry8vHg8HjX1 cteuXcY/yqZmnt89uqDBuJROp8vKykpOTrawsFi+fPnBgwef+7KDBw+uX78+JyfHzc2toKCgqqqq 6WsOHDgwbNiw3NxcAOjdu/fZs2dnzJhBreLxeARBcLlcLpebnZ196tSpe/fuyWSyR48eSaVSNze3 MWPGAMCCBQvy8/Pz8vKeWdJ4L9HR0U5OTk5OTn369Hn8+PGRI0cWLVrUr1+/fv36TZgwgXxB55Ak yQcPHuTm5l6/fl0ul1MXOcD/njaGUGM06CdXVVVxOBzq69v0S1xdXQ0A9fX1YrG4tra2rKxMLBZv 2rSp8aNiSZKsqakBgKKiIrVaXVZWVlZWFh0d7e7u3nR3t2/f9vT0zM/Pd3FxGTx4MAAUFBTor/IT CoXPXdKYfhWTyWxoaGj+xXrJyck//PDDrVu3tFptXV2dfnlDQ0NcXBzR6bzkU0fNokHc2tvb9+vX j7oFVFZWFrXQzs6uuLhYv6Rbt27BwcFeXl7x8fHh4eEZGRl8Pl//msuXL1OREBERYWtrGx8fv2TJ kjNnzjzzaPmGhgYAOH78eGho6IYNG4KCgoqKigDAw8MjJydHoVAAwC+//PLcJc3w9PTMyMhoaGiQ y+WnTp160csWL168cOFCT09PFovV+OeJwWB0yn4yiYNSbUCDfjIA/OMf/5g/f76VlZX+d3rhwoWR kZF+fn4DBw6klqxbt27lypVffPHF3bt3v/vuO4IgIiIiXn311ZycHKqPCgCzZ89+6623xowZ8+jR 
owULFjg5Oel34eDgIBAIFi5c+I9//CMkJGTatGkqlSowMHDr1q1HjhxZtWpVQEAAh8Oxt7fv3r27 j4/PM0uaqfySJUvu3r3r4+PDZrN79uz5otOzBEE4OzsPHTqUy+Xevn07KSnpzp07DQ0NWq3WOAcR dSam/s19jufWSqfTPXnypLKykhqXIkny6dOntbW1z7zs3r171LgxRaPRVFRUPPOaJ0+elJeXN90F 1SSSJKnVah89ekQtrKyslMvlFy9e1Ol0DQ0NX3zxxbZt25ouaebtPHz48L///a9GoyFJ8rXXXrt+ /fpz37J+XOrSpUvUgNn9+/fXrVtnb2/fWdtbZDBzPIdGvPjMXlVVlaen55MnTzqyPiRJjhw5cvz4 8VKpNDMz8/z58wMGDHhmSeOm+xlPnjwZN25cTEzM6dOnNRpNdnZ249ybQhAEdcqKx+PZ2Ni4ubnp 23CSJOVyuZWVVfu9QUQ7NItbjUZz7ty5CRMmdHCVnj59eu7cOYVCMXbsWGpsqemSZojF4pycHBsb m7Fjx3br1q3pC5qJW4SaolncdlYYt6hVaDCejBB6BsYtQvRjpueB8Lw8Qs0wx7jVJ7dyuVwsFldW VspkMpVK1d77TUtLA4BZs2a1944QaiPsJyNEP+bY3upxuVw+n69QKOrr6zug58xisQDgmcmPHYyq A0LNM+tvCYfD0Z8OoS5JbVdUxNrY2LT3jprXdFYGQs8w67gFAA6HIxQKBQJBB+S31G+Em5tbe+/o pSwtLU1dBWTWzD1uAYDJZPL5fP2lcO2HugoHJzwg84fjUgjRD8YtQvSDcYsQ/WDcIkQ/GLcI0Q/G LUL0g3GLEP1g3CJEPxi3CNEPxi1C9EODeY7tLTs7m7qpel5eHgAkJSUBgIuLS1BQkIlrhtALYNxC cXHxsmXL2Gw2db1+dna2RqNJTEw0db0QeqEud+fEpuRyuVAoVCqV+iU8Hq+8vFwgEJiwVgg1A/Nb EAgEISEh+uvyCYIICQnBoEXmDOMWAGDp0qX66wT5fP7SpUtNWx+Emof9ZAAAkiSFQiH1yNkePXqU l5fjDSWROcP2FgCAIIjY2Fjq4e6xsbEYtMjMYXv7l6KiIg8PDwAoKChwdnY2dXUQag7G7d+8vb0B ID8/39QVQegl8Pzt3+Lj401dBYRahGbtLd0zT3odbWS26Nfe0verT/cfHWQ+cDwZIfqhX3tLa3K5 HAC4XC6HwzF1XRCNddr2dsaMGTdv3jRs2/r6+iFDhhi3PhSxWCwWi6VSqVqtbo/yURfRadvbiooK jUZj2LZcLvc///mPcetDoaZkKRQKABAKhUwmsz32gjq9TtveUtRq9XvvvTdkyJDo6OirV69SC5OT k0eNGjV//vzNmzdnZ2c3XaLRaD799FMAePvtt3/66aeAgAB/f//z588DgEqleu+99/z8/NatW7dq 1aqKiopW1Ucmk8lksqqqKolE0gFPKkOdVSeP23379t2/fz8rKyskJCQmJoYkyaKiou++++7AgQML Fiz47LPPSkpKmi7R6XRZWVkAcO3ataNHj2ZkZERERHz44YcA8J///KeiouL48eMODg7btm1rbeyp /qe+vr4DnlSGOqtOHreHDx9evXq1o6PjrFmzXF1dz507d+TIkUWLFvXr12/ixIkTJkwgSbLpksYl rF692traet68eQ8ePKAKfPfdd4VC4YoVK+zs7Oh7UgrRWieP26KiIkdHR/2fSqWyoKBAf8meUCgE gKZLGqNWMZnMhoaGxi9mMBg9evRo/3eA0HN08ridOnXqr7/+CgASieTGjRvjxo3z9PTMyMhoaGiQ y+WnTp0CgKZLmuHp6Xn8+HEAuHnzJnVXKoQ6XqcdT6YsWrRo4sSJhw4dKigo+OCDD7hc7pIlS+7e 
vevj48Nms3v27MnhcJouaabAr7/++r333vvpp5/s7e0dHBzwNCwyCfrNT25thTUaTVFRUa9evays rADg0aNHdXV1Li4uLBYrODj4yy+/tLOze2YJdWHQc+Xn5/fq1YvKbJ2cnEpKSlpV+fT0dADg8Xg2 NjZubm74jGxkmE7eTwYANps9ePBgKmgBgMlkTp06dfPmzUFBQXV1/4+9+45rIukbAD4hpJBCkyJY KUE8QRBEETxE7hRFEZWqKLYopyi2O8vZsJ2np8CrgkgR5DxFRax4qAfiKWJD8cRGEVCkBqkBQkL2 /WOfZy8PzRASUpjvH35wszs7WfjtzO7Ozq9p1KhRHZd0U1phYeHMmTMPHz48cuRIX1/fPvkGENSe 4re3HZWXl6enp6urq0+aNElFRaXTJd149+7d48ePGQyGnZ1dj/YL21tIXPpj3EoLjFtIXBS/nwxB igfGLQTJH/l7DgTfPocgOYtb7OK2oaGhvLycxWLV1NSIa6BvQkICAMDHx0cspUGQ5MB+MgTJHzlr bzEkEolGo7HZ7ObmZnH1nJWVlQEAZDJZLKV9dUcQJDJ5/QMiEonYQxRxvciKRqy6urpYSusegUDo g71Aikpe4xYAQCQSdXR06HS6uK5v0ROBiYmJWEr7KiqV2jc7ghSPHMctAACPx9NoNOwtvF6iUCjg v9ELQbIM3peCIPkD4xaC5A+MWwiSPzBuIUj+wLiFIPkD4xaC5A+MWwiSPzBuIUj+wLiFIPkD4xaC 5I98j3MUi7S0NHQG86ysLABAZGQkAMDY2NjJyUnKNYOgLsC4BUVFRatXryYQCOhL+Wg+voiICGnX C4K6JMfTI4pLQ0ODjo5OS0sLtoRMJldWVtLpdCnWCoK6Aa9vAZ1Od3FxwV6+x+FwLi4uMGghWQbj FgAAAgICsJcBaTRaQECAdOsDQd2D/WQAAEAQREdHh8ViAQC0tLQqKyvhrJGQLIPtLQAA4HA4JpNJ JBKJRCKTyYRBC8k42N7+R0FBgZmZGQAgJyfHyMhI2tWBoO7AuP0Xmj4zOztb2hWBoK+A/eR/BQYG BgYGSrsWPXb9+nU2m939OhwOZ/To0YJLbGxsampqRN5pZmampaVlYmKiyCVAvSFn7a28X3lK4mib mpr++eefBgYG3azD4XAMDQ0/f/6MLTEyMnr69KmmpqZoO92yZQuVSt2xY4dom0O9JH/tLSK3hPyC a9asOXv2rL29PYfDiYmJGTNmzNSpU9GWrbGxcdasWehqN27cOHbs2K+//vrx48d58+Y1Nzfn5ua6 ublZWlpu2rSptbUVAFBaWurp6TlhwoTw8PCOO4qMjLSwsPD398/NzW1tbZ06dWptbS0AoK6ubvr0 6VwuF12tqqpq+fLlO3fuHDt27N69e+vr69PT0xMSEs6ePXvnzp3e/0IhEchf3Cq87OzskydP/vLL L6WlpYcPHz516tT+/fuDgoJyc3Pb2toePnyIrlZaWpqfn79x48bBgwfHxsaqqKj4+fn5+vpev369 sLBw+/btAIDVq1ebmJgkJia+evWq445ev359586db775JiAggEgkUqnUa9euAQCuX79Oo9Gwmdlb Wlqio6OHDx9+//59FosVHh7+7bffzp49e9WqVXAIt7TAuO1TDQ0NDQ0NaGPYjS1btkyaNOnKlSvz 588fM2aMjY3N8uXLz50713FNAoGgpKREJpOLi4tLS0txONyjR49sbGxSUlI4HM7ff/+9bdu2QYMG /fjjjx233bBhg46Ozpo1a169elVXV7dgwYKLFy8CAC5evLhgwQLBNTU0NJYuXaqiohIYGJiUlITH 45WVlQkEAh6P78XBgESnyHHb+3snT548+fDhAwBg5syZr1+/7n2VysvLy8vLq6uruw9dHR0dAEBB 
QYGenh62UHAENQAA7dNiPnz4QCQSy8rKysrKyGTyhg0bvnz5QiAQ0MncNTU1O3bUBw0aBABQUlIi kUh8Pn/mzJlPnjwpKSl59uyZi4uL4JrYZXBbW1tVVVVPvzUkdooct1evXnV3d/fw8BC5hFOnTt27 dw8A8Ntvv3V/40dILBaLxWJVVFRUV1e3tbV1v7Krq2tycjKfz+dwODdv3pwxYwaVSuVwOOh94NTU VGxNPp/v4ODQ1ta2ePHiwMDA4cOHv3v3Tk9Pb+jQoU+ePAEAJCcnd7yld/v2bQBAVlbW0KFDNTQ0 SCSSq6vrihUrZs+e3S59UVFRUXFxMQDg+vXrVlZWvT8OUC8pznt8ixcvtrOzi42NNTc337x586dP nxISElRUVGxtbadMmYKus2bNmgkTJoSFhaWlpT1//nzz5s1NTU0LFixYsWIFhUJhMpnbtm0zMDAo KSnZtWuXp6fntWvX0tPTTU1Nz507t3bt2qqqqps3b7JYrPv373/77bdHjx5VVlaOioqKiYlhMBjm 5uZjx47t/pIPDTk0ERmdTu8+Q4qTk9OBAwdGjhzZ2tpqYWExYcIEPB7v6+vLYDDMzMw0NDTQ1Rwd HWfNmvXs2bOgoKBvv/1WXV29urr60qVLAIAtW7Y4OTlZWlrq6up2zCR26dKlyMjIf/75B+uBL1iw YPLkyU+fPm235oABA9CeM4vFunHjhnC/EEiSpH2TtWe6qbChoSGTyWSz2QkJCc7Ozjweb+3atUeP HuXxeNg6EydOdHBwSE9P5/P5I0eOTEpK+vTp0+zZsyMjIxEEsbS0fPXqFYIg79+/Hz16NI/HW7Zs WURERFtbm42NzfPnz5OTk1VUVO7evVtYWDhy5Ej0hXszM7Pi4uI7d+7Q6fTTp093X/mkpKSkpKSb N28+fPiQxWIJ85U/fPhQWloquKSqqorL5Qouqa+vR3/gcrlv374V/Mq1tbVFRUVdFf758+fm5mbs v2/fvrWysmq3zsePH01MTPh8/sePH4WpMNQHFKqfvGbNGgqF4u3tnZeX19jY2Om9E/SWT3Z2tp6e 3pw5cwYPHhwUFHT27NmOpaF3X4hEopLSv0fJwcHB0dFx+PDhDg4OHz58uHLlyrJly4YOHfr9999/ 9913iAQezxoYGAhe5QIAtLS02mXQxd46VFZWNjU1FfzKampqw4YN66pwfX19LN9vYmIik8ncsmVL p2vicLghQ4aI9hUgsVOcfjIQuH3S3Nzc7rYNRoRbPoKwni0ej+fz+Tk5Ofb29oIld2/u3LlfXUe6 MjIyOl0u8ogXSZzLIIVqb9F7SFlZWVwud+jQod2sOXXq1MzMzMbGRgDA5cuXZ8yYAQDQ1NQsKioC /3vLp/u7R+bm5jdv3uTz+Q0NDcIMQhChnyzXhPq1QT2nUO1tXFxcbGzs+/fvo6Kium8fVFVVvb29 hw0bZmho2NjYiN5ZXbp0qaen57hx4wwNDdHV7O3td+zYMWrUqK7KWblyZW5urrW1NYFAGDhwIJFI FO83gqBOyd/45K4qbGRk9ODBAz6fr6ur2+7yryuVlZX19fVGRkZYkLPZbD6fLzhJDZvNVlFREbzE FfTx48empiZjY2NlZWVnZ+eDBw+iLxV1VfmkpCQAAJlMVldXNzExUfgc2d38vqDeUKj2Fvx3LIGQ dHR02l2UUqnUdut0XCIIj8e7urouWbLkr7/+4nK53bTMECRGinN9GxMTI/LbLSIbNGjQ/fv3DQ0N N23adPv27Y7PSCFIEuSsGyPX/S7YT4bERXHaWwjqP2DcQpD8kb/7UvI+5QUE9Z6cxS12sdTQ0FBe Xs5isWpqajgcjlgKT0hIAAD4+PiIpTQIkhzYT4Yg+SNn7S2GRCLRaDQ2m93c3CyunjM6WgMbZy85 
Qg4LgaCuyOsfEJFIxB6ioK+z9h4aserq6mIprXvwSS/UG/IatwAAIpGoo6NDp9PFdX2LnghMTEzE UtpXdT8SC4K6IcdxCwDA4/E0Gq37WSOEh07FpPBjISAFAO9LQZD8gXELQfIHxi0EyR8YtxAkf2Dc QpD8gXELQfIHxi0EyR8YtxAkf2DcQpD8gXELQfJHvsc5igWa5gcAkJWVBQCIjIwEABgbG8OkzJDM gnELioqKVq9eTSAQ0Jfy09LSuFxuRESEtOsFQV2C0+2BhoYGHR0dwRRBZDK5srJScPZzSDRwPkcJ gde3gE6nu7i4YC/f43A4FxcXGLSQLINxCwAAAQEB2MuANBotICBAuvWBoO7BbgwAACAIoqOjw2Kx AABaWlqVlZVw1kixgP1kCYHtLQAA4HA4JpNJJBKJRCKTyYRBC8k4eDr8j4KCAjMzMwBATk6OkZGR tKujIGB7KyHwsP4LTYGZnZ0t7YooDhi3EgKf3/4rMDBQ2lWAIKHI0Onw9OnTixcvlnYtpCwuLm7R okXSroXYwPZWQmTlsObm5k6cODEtLQ29yOyfcnJynJycHjx40GdzwUoajFsJkYn7ya2trT4+Pnv3 7u3PQQsAMDMz27t3r4+PT2trq7TrAsk0mTgdrlu3rqSkJDExUdoVkQnu7u66urrh4eHSrogYwPZW QqR/X+rGjRtXrlyBd3ExMTExo0ePnjBhwsKFC6VdF0hGSfl0WFpaam1tfenSJTs7OylWQ9Y8fPjQ zc3t5s2bNjY20q5Lr8D2VkKkeX3L5/MXLFiwevVqGLTt2NnZBQYG+vv7f/jwQdp1gWSRNE+H+/bt S0tL++uvv5SUZOL2mEzh8/mOjo4GBgZHjhzR0tKSdnVEBNtbCZHa9W1GRkZYWFhWVhYM2k4pKSkl JCRYWFiMHTt2+fLlfZCVF5Ij0omZmpoaX1/f6OhofX19qVRALujr68fFxf3yyy9Pnjzh8/nSrg4k Q6TTjXF3dx86dGhISEjf71ruBAYGPn/+/I8//hg2bJi069JjsJ8sIVJob0+cOFFUVHTw4MG+37U8 Onz4cENDw+HDh+vq6qRdF0hW9PXpEB3Kl5GRwWAw+nK/ci0vL2/8+PGhoaHz5s0jEAjSrk4PwPZW Qvq0vW1ubvb29j5y5AgM2h5hMBihoaG7du3Kzs6GYQCBPm5vV6xY0dzc/Pvvv/fZHhXJ/Pnza2tr 5etmHmxvJaTv2tuLFy+mp6efOHGiz/aoYCIjI9+9e3fixAk2my3tukBS1kenw6KiovHjx9+8edPa 2roPdqeosrKypk6dGh0dPWvWLDweL+3qfB1sbyWkL9pbHo83f/78LVu2wKDtJWtr659//nn79u3v 37+Xdl0gaeqL0+HPP//88uXLGzduwHkSew9BkGnTpqmrqx8/flxbW1va1fkK2N5KiMTb29TU1Pj4 +Li4OBi0YoHD4c6cOXPv3r3Tp08L5kaB+hXJxm1VVdWiRYvi4+Nlv2WQI9ra2mfPnj106NCDBw/g +Mf+SYLdGARBZsyYMWbMmP3790toF/3Z1q1bU1NTExISDA0NpV2XLsF+soRI8LAGBwcnJib+/fff ysrSn1VD8fB4PDs7O0tLy4MHD2poaEi7Op2DcSshkjqsWVlZLi4uT548kcfR8PKiuLjYysrq119/ XbRoEZFIlHZ1OgHjVkIkcn3b0NDg4+MTFhYGg1aihg0bFhERsXv37qysLBge/YpETocLFy6kUCgn T54Ue8lQR0wms7CwMDY2dujQodKuS3uwvZUQ8be3p0+ffvHiRWhoqNhLhjp17Nixz58/Hzt2rL6+ Xtp1gfqImE+HMO2AVOTk5Dg4OISFhXl6esrUXUDY3kqIONtbmHZAWszMzPbv379r166cnBxp1wXq 
C+I8HcK0A9I1e/ZsAEBERMTAgQOlXZf/gO2thIitvU1OTr5y5Up0dLS4CoR6Ki4u7tmzZzExMU1N TdKuCyRZ4onb0tJSJpN59uxZdXV1sRQIiUBdXf3ChQshISFpaWlw/KNiE0PcwrQDssPOzm7t2rU7 duzIy8uTdl0gCRLD5QdMOyBTZCrRAby+lZDePjOAaQdkDUx00B/0Kthg2gHZBBMdKLxedWNg2gFZ JguJDmA/WUJEb28jIiJg2gFZBhMdKDART4cw7YBckHqiA9jeSogo7W1zc7OPj8/hw4dh0Mo4BoMR EhISFBQEEx0oGFFOh/7+/k1NTTDtgLyYP39+XV1dVFRU398+hO2thPS4vb148WJaWlp4eLgkagNJ wsmTJ9+8eRMREQETHSiMnp0Oi4uLx40bB9MOyB000UFMTIyrq2tfJjqA7a2E9KC95fF48+bNg2kH 5JG1tfXWrVu3bdsGEx0ohh6cDmHaAbkmlUQHsL2VEGHbW5h2QN7BRAeKRKi4RdMOnD59GqYdkGva 2tp//PEHTHSgAL7ejYFpBxRMXyY6gP1kCfl6exsSElJbW7t79+4+qE0vjRkz5tOnT+jP4eHhtra2 ZWVlu3fvHvK/Xr9+nZ6ejv3XxMRk7ty56Aurv//+u4GBQWFhIVpIXl7epEmTAAC3b99uV0h0dHR+ fr6VlZW0vqzI9u7dCwD49ddfa2pqpF0XSERfeY8vKyvr4MGDT548kalZArtSWlrK4/EAAGFhYb/9 9ltqaqqenl5tba2fn9+GDRuw1dTV1T99+qSnp3f//n0AQEtLy6ZNmxYsWPD48ePGxkYWi7Vq1ao/ //wTAMDlcsvLywEAzc3NRkZGly5dwgqhUqmFhYWlpaV9/SV7TVlZ+eLFi1ZWVuPGjfPz85PNRAdQ 97prb+U07UBYWFhISMi9e/eMjIzQJRQKZYAA9AEmDocjkUgkEklNTW3hwoVYBLq7u5eVlZ0/f75d sQQCQbAQuX6vFU10EBQUBBMdyKnuWtFVq1Y5OTl5eHj0WW16Lyws7MiRI5GRkYLnmtu3bzc2NqI/ 6+jorF+/HgBQV1d3+/ZtAMCXL19Onjy5YsUKdAUCgRAV62TvfQAAIABJREFUFTVnzpxp06YJlpyf n79161bsv9u3b5f0d5EoT0/PW7dubd++PS4ubsiQIdKuDtQzXcZtfHz8ixcvnj592pe16b3bt2+f OnXqxx9/dHFxGTRoELpwwIAB2CsQ2Mx1X758QRvVxsbGnJyclStXYoXY2Nh4eHhs3bp19erV2EIK hSL4HkVfjjqSkGPHjo0ZM+bo0aM7d+6k0+nSrg7UA53HbV5e3o8//piWlqaiotLHFeql8+fPjxw5 8smTJwsXLsSmvLK2tl66dGm7NQ0MDGJiYtCfw8LCjh496uXlhX26b98+c3NzGxsbbIm+vn7HQuSa iopKYmKig4ODtbW1h4eHXNzCgFCdXN+iaQf27Nkjj2kH0MvOI0eOlJSUHDp0SMitxo0bV1VVJbiE RqMdO3Zs06ZN4q+iLDEzM9u3b9/OnTthogP50kncbt682cDA4Icffuj72ogLhUI5c+bMnj17nj17 BgDYu3evuoC7d++2W19TU/PTp09lZWWCC2fOnOnk5IT9Nz09XbAQ9GlKZWUltmTEiBGS/2bit2rV qm+++SYoKAi9cw7JhfaPxZOTkwMCArKzs+EM5v1HTU2Nubn5ypUr169fT6FQxFgyHHchIf/T3qJp B/744w8YtP2KhobG+fPnYaIDOfJv3KJpBwICAuzt7aVYIUgq7O3tAwMDYaIDeQEnK4f+A+3Q5uXl sVgsadcF+or/ufwoLS21trZOTEyETW5/k5GR4ebmdvDgQU1NTQ0NDVtbW7EMCIPXtxLyP+2tvr5+ 
dHS0r6+vAow4b2xs7PRSra2tjcPhCFkIl8vt+GeHIAiXyxWhSgiCNDc3i7ChpNXU1Hh7e/v7+2tq agIAamtr3717By90ZVn7fvKMGTPmzJmzbNkyqdSmU9OmTUNfwRk+fPiSJUv++ecfAMCBAwewV3NG jx69cuVKbCRjUlKSqakpg8HQ1dWdNm0a9oZQdXX13Llz9fX1TU1N58+f/+jRIwBAQ0NDuxd90O9e WFi4YMECExOToUOHLlmypLKyEgDQ2tq6fv16U1PToUOHzpo16/Hjx2jJFhYW+fn5+fn5Q4YMuXDh AlZzS0tLdMPGxsYVK1bo6uoOHz7c0tJS1qbCXLx48dixY8eOHYstYbFYJSUlUqwS1L1Orm8PHjxY XFwsOzM2VlRUoC/NvXz5Uk9Pb926dQCAuro6b29vNFpu3779+PFj9IHqnTt3AgIC4uLiysrKysvL x48fP3HiRARB0FlaRowYUVZWVlBQMG/evHnz5rW2tvL5/PLy8mwBoaGhAIADBw7Y2toWFBQ8ffqU z+dv3LgRAJCYmFhZWfnixYuCggLBkdvoe0hcLvfLly/r16/H8gOUlpa2tbUBABYvXszj8T5+/Fhe Xn7y5MlVq1Y9fPhQKgezo7CwsLdv386fPx9boqKigsfjq6urhe+YQH2sk6FtRCIxISHB3t7ewcFB RoZMEQgE9N2dlStXhoSEoC/r4fF4EokEABg4cODcuXPRGc8uXLgwb948W1tbdIUdO3ag6QJrampq a2v379+Pjnx0dXWtqakpKSkZMGAAAAD9V9Djx4+9vLyUlJQGDhx44MCBBw8eoAsNDAzQJ5xr164l EolcLlcwD4C+vr6zs/OWLVtOnDiBLfznn38yMjIKCwvRK8bx48efPXtWRmaKycnJ2bFjx969e7Fv QSAQiEQihULB4/EcDgc9wpCs6XxIKoPBOHLkiJeXV1ZWliwMUX716hWRSGxoaIiLi3NxcUFH0hYV FaEv9BQVFZ05c+b48eMAgJs3b547dw7bUFlZ2c3NLTk5mU6njx07VjDZp5+fHwCgrq6Oz+cLvugz f/58c3Pzn3/+2cPDw9HR0cHBYebMmejQ5bVr144dO/bvv/+ePHnylClTVq1a1bGqv/zyi5mZ2aNH j9BzBwDg5cuXVlZWaNC+ffu2rq5OW1tbTU1NAsepZ5qbm93d3RcuXIjNh66kpKSiokIgEMhkMo1G g7lRZVaXQ8kXLlx4+/btwMDAqKiovqxQpy5fvpyRkaGsrDxjxgysd/r27Vv0hZ7Kysr6+np9fX0u l1tRUaGnpye4bVtbG5vNVldXb21t7ap8wRd9aDQaAMDb2/u77767fv16amrqrl279u3bt3btWkND w9LS0lu3bqWlpXl7e48fPz4pKaldUaqqqkePHvX398/KykKXNDY2YrtOSkp6+fLl58+fyWRyampq b49L76xevXrQoEGOjo7YEgqFoqysTKVSSSSSiooKbGxlF9K1hoYGBoNx/vz5btbpA5aWlqmpqe0W bt68edOmTdh/PTw8tm3bhiAIg8EIDQ0VXFNfX//3339PSUlRVVVF7w+jvLy80tLSamtrlZWV2xVe Xl5+4MAB7L///POPnp4ej8fbtWtXTU0NupDD4ejp6eXk5CAIoqWl9fbt2zdv3hgbG6Ofzpkz59Ch Q9ra2qWlpX/99ReZTG5ubsYK3LBhg5OTk6jHQzzOnz8/ePDgP/74I+m/bt68mZaW9vTp01evXpWU lHz58qX3e+n+DwwSWXcdIRqNdu7cuTVr1hQVFfXRWURU2As9a9eujYqKwt4QiI6OJhKJXl5ejo6O gwcPPnnyJLo8NTX15cuX6NxRHdFotF9++eXFixfofzkcDo/Hw+Px9+7di4uLQxc2Nzd30408fvx4 
SEgImtfDwcHB0NAwIiIC/SgvL0+wJy8VRUVFK1euXLt2LXYRpKysTCaT0U4ynU4nEAiy0JOHuvKV Vy6tra23bNkyb968+/fvy/L7mZqamk+ePAEArFy5srq6+ptvvmEwGDU1NVpaWvfu3UOnUEpISJg/ f35ISAiVSm1paTl9+jQaeDweT3A89vjx42/dunX27NmffvoJvRvc2NiIhuuJEye2bNmSmJhIpVIr KysDAgJGjRrVaX309fV37NiBXgATCIRz584tXLjwxIkTFAqlpqYmNDQ0MjJS4gelCzwez8vLy83N DZvHB4fDUalUZWVlFRUVKpVKJBLV1dXhxa0sE2oe1pkzZ44ePfrAgQN9U6fea21tzc3N1dPT63ij +OPHjwCAoUOHClNOaWkpgUBoN2t0Y2NjZWWlCJOYfvr0SUlJCZuFQ1q2bNmSlpa2ZcsWbAp7NFbV 1NRIJJKGhgadTkcv8nsPjpeSEKEOa1VV1ZgxY06fPv3dd9/1QZ0gyUlNTZ03b96hQ4ewbjB6C4pG o5HJZE1NTTKZ3PFkJzIYtxIiVF9IW1s7Pj5+0aJF7SaFgORLVVWVr69vQEAAFrR4PF5FRYVMJhOJ RDqdrqysrKGhId1KQsLowelw27Ztz58/v3nzJkwRJI8QBHF2dlZTU8OGRuFwOBqNhvaQKRQKjUbT 0NAQ7/yysL2VkB7ce9i9e3ddXV1wcLDkagNJzpEjRz5//uzt7Y0tQccz0mg0AoFAo9GoVKpcTwrd r8C81f0Cmrf6l19+0dHRQZegl7VorGpoaKioqGhpaYl9v7C9lZCe3esfNmxYWFiYt7d3Q0ODhCoE iV1DQ4OHh8fSpUuxoMXj8WQyGR3yjT6thTMTyRdRTof+/v5sNvvMmTOSqBAkdvPmzautrcUSMgAA 6HQ6kUhUVVWlUCh0Ol1dXV1Co9BheyshojxbDw0Nzc7OxkYOQbIsLi7u0aNHixYtwpagl7VUKhW9 rKVQKLLw6gjUIyKeDnNycpycnB48eGBiYiL2OkHikpuba2tru3PnTixbEoFAoFKpFApF8LJWcg8I YHsrISKOZTMzM9u7d6+3t3c3L9lA0tXa2urh4eHt7Y0FLQ6Ho1Ao2Gt66GUtfKonj0Qfg+rv729k ZPTTTz+JsTaQGG3cuFFVVXXq1KnYEiqVqqSkRKPRSCQShUJRVVUVfOkfkiO9GjseHR199erV5ORk cdUGEpfk5OTExETBZDFkMllZWZlGo+HxeFVVVTKZTKVSpVhDqDd6e/nx8OFDd3f3rKwsbM4ESOpK S0stLCw2bNhgamqKLkEjlkwmUygUdXV1Mpmso6PTBz1keH0rIb19V8vOzm716tW+vr5w2k4Zwefz fXx8nJ2dsaBVUlJCJ7KgUCgUCoVIJGpoaMDLWrkmhncst27disPh9u/f3/uioN7bt29ffX39nDlz sCXtHvygY5KlWEOo98TTjYGJDmSEYNoBdAk6OSPaSUYf/IjxNb2vgv1kCRHPnAZoooP58+crQKID +dUu7QD472t6JBIJfU0PjmdUGOI8Ha5fv764uLjjFIdQ33BzcwMALF68GP0v+poeOlMUOp5R7K/p fRVsbyVEnHMIoYkOBKf8hvpMeHj427dvfX19sSXoZS3azKLjGeFregpDzKfDvLw8e3v7tLQ0GUl0 0E/k5OQ4ODjs3bsXexqHjWdUUVFBm1mJjmfsCmxvJUTMc/YxGIzDhw97e3vLZuI5hYSmHViwYEFX aQcIBAJ88KNgxD/Xpp+fn5WV1dq1a8VeMtQpNO3A5MmTsSXt0g6oqqrK8hy6kAgkMkdueHj43bt3 BTNKQhJy4cKFW7duMZlMbAk6nhF9Wkun09ExUlKsISQJkrr8yMrKcnFxefz48fDhwyVRPgQAKCoq 
sra23rp1KzaDOTqeUUVFRUVFBX0bXktLS4ozmMPrWwmR1G8US3SA5ryExA6mHejPJPhLXbdunaam 5o4dOyS3i/5s+/btAICZM2diSygUCvqaHnozGZ2MRnoVhCRIgnGLw+Hi4uJ+//13qSeMVDypqamn Tp1atWoVdpeYRCKh4aqsrKympkYkEsWVKwSSQZLtRGlra58+fRomOhAvmHYA6ovbBjDRgRhJJe2A yOB9KQnpi5sWMNGBGMG0AxDom/YWwEQHYtIx7QD6mp6k0w6IDLa3EtJHDwlgooPe6zTtgIqKCpFI hGkH+ps+PR3CRAe9gb7e3GnaAXQwo+TSDogMtrcS0qcP5dFEB6dPn+7LnSqG06dPZ2ZmdpV2gE6n o2OkpFhDqC/19ekQTXSQkZHBYDD6cr9yTeppB0QG21sJ6etBcGZmZnv27IGJDoSHph3w8vKCaQcg jBQGr/7www+GhoabNm3q+13Lox9//FFVVdXZ2RlbAtMOQNIZdB4VFXXlyhWY6OCrkpOTL168CNMO QO1I7fIjIyPDw8MDJjroBpp2YP369SNHjkSXSCvtgMjg9a2ESO0lL3t7+4CAAJjooCtY2gEsaGHa AQgjzZczf/75Z5jooCsw7QDUDSl3Y2Cig07JWtoBkcF+soRIeTIEmOigI5h2APoqmTgdwkQHgmQw 7YDIYHsrITIx+RBMdICBaQcgYcjK6RAmOgAynHZAZLC9lRBZmQ4bTXRgbm4u7YpI2Zo1a2DaAeir ZO502NLS8ujRI6ncpkpISAAA+Pj49P2uO4U+6UFf01NTU0Ovb6VdqZ6B7a2EyMT1rSAymWxmZkYi kaRdESmDaQegbshKP1mQlpbWqFGj3r5928enajSJjozc9SGTyWgnGb0jhU3dCEFANuMWADBs2DAl JaWSkpK+3CkasTLyaBSHw8G0A1BXZDRuAQBDhgzR0NDgcDh9tkd0BJKJiUmf7fGr0Lmj4HhGqB3Z jVsAADoKt892h15AysX4Qaifg70vCJI/MG4haTp9+vSqVasAALt37x7yXy4uLtevX+90fQ6HEx4e 7ufnd+HChXbXUJmZmZaWlomJiV/daUtLy5UrV0SorcgbdjRz5szXr18LLgkKCrp06ZKQm8O4haSp sbHxy5cvAIDa2lo/P7/8/Pz379+vXLnS19eXzWZ3XH/Xrl3JyclLliz5448/QkNDBT+6evWqu7u7 h4fHV3daW1u7du1aEWor8oYd/fbbbwYGBoJL6urqmpqahNwcxi0kK/B4PDpjlqurq5aWVkZGxvff f9/Y2AgAaGxsnD59en19fUhISEJCwuTJk2NiYr799lts2/T09ISEhLNnz965c6eysnLRokVWVlbz 588vKioCADx+/Njd3X3y5Mnx8fFtbW2rVq2qqKjw9/fn8/lz586NiopasGBBa2vrjz/++M033/j5 +T19+hQA8ODBg507d6Ll79279/79+9iGAIDc3Fw3NzdLS8tNmza1m+TwwYMHEydOnDJlSkhIyL59 +wAATCazsLAQAFBSUrJs2TIAwIkTJ8rKyp4/f75z585169YdPnwY2zwyMnLbtm3dHysYt5Cs+Pjx 44MHD+7evbtr1y42m+3k5KSkpIROQnb16lU1NbWPHz8aGxuvWbNmxIgRe/bsMTQ0xLb99ttvZ8+e vWrVKicnp5CQkLFjxz558sTe3n7v3r0AgDVr1uzatevSpUvJycmPHj0KDg7W0dE5evQogiDXr1/P zMzcvn372bNn8/PzU1NTXVxclixZgiBIdXX1mzdv0PLfvn3LYrGwDQEAfn5+vr6+169fLywsRHMR YxYsWLBjx45z584lJia+ffsWAJCVlYV2H5qamp49ewYAePToUX19fU1NzcGDB4cMGeLn54due+zY 
sbNnz27durX7YwXjFpIVT58+PXr06IkTJygUysuXL5WVlf38/NDr1fPnzy9evLioqOjNmzfOzs4P Hz7kcrmC/WQ8Hq+srEwgEPB4/IEDByZNmhQfH3/37l20lTMyMtq8efPt27ejo6Pt7e3JZDIOh8PG 5IWGhpqaml6+fHnjxo16eno+Pj4MBuPvv//uWENsw+Li4tLSUhwO9+jRIxsbm5SUFGyd58+fDx48 2NnZWUtLa+nSpV/91paWlhs3bkRzx0RFRW3cuDEhIeGrj1Fg3EKywt3d/cKFCxcuXNi8efPAgQMB AHPnzr1//35paWlOTs6UKVM0NDSGDh06b968AQMGBAYGXr16tdNy/P39t2zZwuVysclr4+LimEzm rVu3GAzG8+fPBVcmk8mqqqoAgIKCAj09PWx5S0uL4Gq1tbWC//3w4QORSCwrKysrKyOTyRs2bBD8 aPjw4ejPHYemtisHAIBlewIAUKnUxYsX7969u4sj9C8Yt5DsolAo06dPX758ube3Nx6PNzMzq6+v Ry9ZHz586OTk1HETPp+fkJAQHx/v7++Pvp3S2trq5eU1Z86c2NjYlStXom1jx9kIXV1d0ZvYFRUV L1++dHR01NTU/PTpU1tbW21tbVZWFlY+AMDBwaGtrW3x4sWBgYHDhw9/9+4dVo6zs3N2djZ6rzs1 NRVdqKmpiVYbW9Kp+fPnHz58+Pr165229oJketwFpAA6vnjYo2Hnfn5+Tk5OaPJkNTW148ePW1tb jxgxoqys7NatWx3XV1JSYjKZ06dPV1dXt7CwKCgoyMjIsLKyGj16tKmpaXl5eUJCgq6uLp1OX7p0 aVRUFLbhsmXLvv/++8TExJycnG3btpFIpLFjx7a2to4cOVJfX9/U1BQAgG146tSpoKCgb7/9Vl1d vbq6WvD5DZ1OX7hwoaOjI5FIRBBkyJAhAIClS5d6enqOGzdO8Jq8U6qqqsHBwcuXL3/58mU3Q+Xh a1b/CgoKwv6FxKLTt4V7+SfHZrNLS0sNDQ3xeHxX61RUVNDpdAqF0tjYSCQSiURiS0tLRUUFlqsF QRA2m93uMpLL5RYUFOjr66M9Z6woXV1dwcpjG/J4vPz8fAaD0bEmjY2NXC737t27ly5d+uOPP9Bq 8/l8Op3em++OgXEL0tLS8vPzAQBoN8nV1RUAYGxs3Gk3DOoRScStHElKSsLiVsyQfi8mJoZAIKBz waioqKAps06dOiXteimCTv/kdu3aJf6/Y4XW8cDC9hY0NDTo6OgI3j8kk8mVlZXi6tL0Z/28vRWL TucMgfeTAZ1Od3Fxwf7CcDjcjBkzYNBCsgzGLQAABAQEYLcoaDQaOtIdgmQW7CcDAACCIDo6OiwW CwCgpaVVWVkJp00UCzgvXO/BfnKXcDgck8lEHxgwmUwYtJCMg6fD/ygoKECnXM/JyTEyMpJ2dRQE bG97r9NjCA/rvywtLQEA2dnZ0q6I4oBx23udHkM4zvFfgYGB0q4CBAlFvk+HbDb74sWLN27cyM7O Li8v73SGhD5GpVIHDhxoaWk5c+ZMT09PKpUq7RpJE2xve0/R7kuFh4czGIxr1665ubmlpKRUVFRI fvzP11VUVKSkpLi5uV27do3BYISHh0v7OEEKSC5Ph01NTX5+fp8/f46KipLl/H05OTnLly8fNGhQ fHx8/8wSAtvb3lOQ+1J8Pn/OnDmqqqoxMTGyPyF4a2vrsmXL6uvrL1++3A9zDsC47T0F6ScfOnSI zWbHxsb2WdDa2NiInB+QSCTGxsY2NjYeOnRIvLWC+jM5Ox1WVFSYmZk9efKk3RyWEmVkZPT06VNN TU2RSygsLBw7duyrV6+w3LbtIAhSX1+veMm7YHvbe4rQ3p49e3b27Nk9Ddry8vIVK1aMHz/+119/ 
RVvOBw8e2NnZWVlZ/frrrwCAmJiYiIiIOXPm/Pnnn7NmzUK3unHjxrFjx9CfIyMjLSws/P39c3Nz Rai2gYGBm5tbcHBwuwk7AQAFBQVbt27V1dU9f/68CCVD/ZOcxe3Vq1eFmdi6neDgYHNz87///rut rS06OhoAsGLFitDQ0Nu3b1+/fv3ly5dFRUW//PLL/PnzLS0tHz58iG5VWlqKvk8PAHj9+vWdO3e+ +eabgIAA0Wru5eWVmpqamZmJzjzU0NBw6tQpS0tLMzOz4ODguro60YqF+ic5G3eRl5cnwg1kIyOj //u//1NSUvLz8xsyZEh2draent64ceMAANjtonnz5nl6enYVPxs2bNDR0VmzZs2BAwfq6upE6NCa m5uXlJRUV1cfP378wYMHKSkpeDwee+DcP+82QyKTs7hlsVja2to93crf33/UqFGXL1+eNGnSxo0b tbW1sYtV7AfB6TBRglNmDho0CACgpKREIpE6TgUoDG1t7Zqamh07dmBTaQvi8/n+/v7oRPgQ9FVy 1k/W1tauqqrq6VYrV67U09M7cuRIbGzs1atXnZ2dnz592tDQAABwc3N7/PgxtiaVSuVwOOg1sOCU mbdv3wYAZGVlDR06VENDQ4SaV1VVaWpq7t27NygoaOLEiSQSSXBSMiUlpZMnT0prrIhEiXCsoK+S s/bW2Ng4JycHbf2E5+Li4urqOnLkyLKysh07dqipqfn5+RkZGRkaGpqZmdnb22PzzSsrK/v6+jIY DDMzM8H4vHTpUmRk5D///HPu3DnRao7eTMbhcKNHj7a1taVSqW/evAkPD3///j2fz+fxeKIVC/VP cnabPiQk5M2bN4LT3goJQZCCggIjIyPs3dq6ujo8Ht9pQgcWi6Wurq6s/D8ntdLSUk1NzW6mtO3e kiVLAADozWoymTxgwIARI0aoqakVFBRER0fHxMTs27dvxYoVohUOKTBFGC8llee3vVdYWGhlZRUc HKyurg4AoFAoampqJiYm2NU1oqDPb6HeU4Tnt7q6uhs3bly+fLkcdSx5PN6SJUtcXV3RoAUA4PH4 dmMecTgcDFpIeHIWtwCATZs2UanUJUuWdBzDIINaW1v9/Pw4HI6bmxu6BIfD4fH4bubah6Cvkr+4 VVJSOnfuXHNzs4ODQ05OjrSr052cnBx7e/uPHz+uXbsWa2BJJBIOh1NWVu6HrxlA4iJn95NRFAol MTExLCzs+++/HzdunKen54QJE/T09GThJXU2m11WVpaZmXnhwoVHjx7NnTt32rRp2KdoSnUymayk pASbXEhkcnZfqp26urqQkJDU1NTCwsIvX740NzdLu0ZARUVFU1PTwMDA0tLSzs5O8P4zDoej0+nK yspqamo0Gm3gwIFfTU8MQYpwP7kjDofz8OHDjumARZCQkAAA8PHx6X1RHeHxeCqVisfjVVVVSSSS hoaGtrY2gUCQxL4gRaII95M7IpFIdnZ2mpqaMtvtxOPxFAqFTqcTCARVVVUCgaCmpkYgEGDQQiKT y+vbdkgk0oQJE968eVNTU9Pa2ira+GEAADrQQuSRFR2hF7EoMplMIpGw0O3N27wQpAhxCwAgEonm 5uZlZWVfvnxpaWnh8/ki9P/RiMWesvYeDodTUlJSVlbG4/HKysoUCoVMJhMIBA0NDZntHUByQUHi FgCAx+MHDx6sq6vb0tLC4/FEaHUHDBgAADAxMRFvxZQEEIlE2D2Gek9x4hbVm+tG9CVYNHohSJbJ /X0pCOqHYNxCkPyBcQtB8gfGLQTJHxi3ECR/YNxCkPyBcQtB8gfGLQTJHxi3ECR/YNxCkPxRtHGO IkhLS0PzAGVlZQEAIiMjAQDGxsZOTk5SrhkEdQHGLSgqKlq9ejWBQEBfIUpLS+NyuREREdKuFwR1 
Se7nu+i9hoYGHR2dlpYWbAmZTK6srKTT6VKsFQShFHO+i96j0+kuLi5YHgMcDufi4gKDFpJlMG4B ACAgIACboo1Go4mc5BaC+gbsJwMAAIIgOjo6LBYLAKClpVVZWYk1vxAkXbCf3CUcDsdkMolEIpFI ZDKZMGghGQfb2/8oKChAM9nn5OQYGRlJuzoQ9B+KOX+yGFlaWgIAsrOzpV0RCPpXp3ELn9/+KzAw UNpVgCDhILJH2odEOkQ7Vs3NzZcvX+7pRz2Smpq6dOnSjsuLiooePnzY+/Kh7nX6tyGL/eROOwaK TeSvXF5ePn78+OLi4h591CN1dXVVVVXGxsbtlickJPz555+nT5/uZflQ9+D9ZEXw+PFjd3f3yZMn x8fHt7W1rVq1qqKiwt/fHwAQHx8/adKkSZMmhYWFAQAEP7p58+a33347YcKE6OjodgXm5ua6ublZ Wlpu2rSptbW1qqrK2dkZjfadO3fGx8e/f//+zJkzAIA//vjDycnJ09MzPT29vLx8z549t27dOnHi BIIgO3bsGD9+fGBgYF5eXl8fkf6pT5t84chmrSQKAFBfX19fX8/hcLpf08bG5uXLl9XV1V5eXg8e PCgsLBwyZEhLS0t1dfW4ceNKSkpqa2sZDEZhYSGqAi51AAAgAElEQVT2UW1t7fDhw7Oysp4+fWpu bp6cnCxY4Pjx48+fP//x40cPD4+ffvoJQZD9+/dPmTLlr7/+MjU1bWpqSk5OnjVrFovFYjAYbDY7 Pz9/7NixbDY7Li7O19e3tbU1OTnZ09OTy+WmpKTMnj1bgoepX+o0HBSnvW1pably5UpPP+rG7t27 Y2JierqVs7NzaWlpT7cCAJSXl5eXl1dXV7e2tnazmpGR0ebNm2/fvh0dHW1vb08mk3E4HIlE0tTU TEtLe/r0aWRkZE1NzcePH7GPrl69OmLEiIKCgsLCwjFjxqSkpGClFRcXl5aW4nC4R48e2djYoB9t 3ry5oaHB09MzPj5eRUUFXZNKpfJ4vE2bNn348CEzM5NCoZBIJDweTyAQhg0blp6efuDAAR0dncuX L4vw3aGeUpy4ra2tXbt2bU8/6gabzRYhoW5lZWVbW1tPtwIAsFgsFotVUVFRXV3dTQlxcXFMJvPW rVsMBuP58+fY8nfv3pmbm2dnZxsbG5uamgpu8uHDBwBAWVlZWVmZtbW1q6ur4EdEIhH9iEwmb9iw AQCAJvvk8XiqqqrYmmQy+enTp2ZmZseOHRsxYoTgkRk1alRGRoaSkpK/v7+Xl5cI3x3qKTmOW7Ff 6T148MDOzs7KyurXX39Fl7x//37mzJkWFhYnT55El3TcPCIiYvTo0ZMnT7569SpWVFtb25o1ay5c uCD816mpqampqfny5UtFRUVX54vW1lYvL685c+bExsauXLkSbR7RTEg3btyYMWNGUFCQk5NTQUEB uj760dy5c5ubm1evXh0YGFhdXS2YK9jBwaGtrW3x4sWBgYHDhw9/9+4dAODEiRNcLvfIkSN+fn7Y GSQ7O/vgwYM//PDDtWvXhg4d+uLFC6z86OjoFy9ebNu27d69e3fv3uVyucJ/a0hEfd9f/yohayX2 K72RI0c+fvy4qqrKzs4uOzv7p59+GjJkyOvXr588eUKlUjkcTsfNCwsLR44cWVFR8fbtWxMTk5aW FktLyw8fPnh7e2/cuLFHXzkpKSkpKenmzZsPHz5ksVhdrRkUFDRq1Ch3d3d7e/tPnz7x+fyRI0cu WbIkLy+PwWC4urpOnTrV29vbzc0N+whBkPXr11taWpqZmc2YMaOpqUmwwLi4uNGjRzs4OIwaNerd u3d5eXlaWlp5eXkIgkyZMmXPnj3o9S2fz58xY4atre2sWbPQwt+9ezdo0KCwsLDCwkIrK6tp06Y5 
Ojru27dP+G8NCaPTcJDFJy5CPhSZN29ebW3tokWLZsyYQafTBR97sNnsO3fu5OXlHTp06NKlSyYm JuhH8fHxZ8+eXbZsGQDgxo0bampqR48eRUvLzs7euHFjamoqAKCyslJJSenQoUOtra2hoaEAAAaD kZKSkpGR0W5zQ0PDhoaGHTt2AAA+fPigp6dnZ2enqqpaXV2dk5PTo6+clJQEACCTyerq6iYmJt2k F2tpaamoqBg2bBj6XwRB2Gw2jUZra2srLS0dMmQIAKC6unrAgAHYRwCA+vr66upqAwODjgXyeLz8 /HwGg/HV7J7V1dVAIPUZeilOJBIBAMXFxbq6umLMHgyhFG28VFxc3I0bN27cuLFu3bqbN2/q6+uj y9+9e+fi4uLn52dhYdHVlR4AwNraeuTIkdhHubm5WC5p7AfsoSUej+fz+R03v3z58qhRo9B1Bg8e jGa+njRp0vXr18+fP+/t7S3815k7d25Pj4C8k8E2Q17I6/Wt2K/0nJ2dnz592tDQAABwc3N7/Phx x5123NzV1fX27dt8Pr+pqWn06NFsNhsAsHz58oiIiHXr1qGtk5CE7CcrDNF/95D8xi2RSLSysho9 erSHh8edO3f8/Px0dXXpdPrSpUtnz55969atWbNmeXl5OTg4BAcHYx+NHj3a2tra2tra3Nw8Kytr 5syZWIFqamp+fn5GRka2trZ6enr29vYdd9px8++//765ufmbb76xs7Nbt24dNkvG+PHj58yZs379 +j46HFA/I8fXt0ACV3p1dXV4PB6b+6JTHTcvLy/X1tb+6sVhN3p0fasY+uFoVtHIzXt8/fA3CuMW 6gocnwxBCgLGLQTJHxi3ECR/YNxCkPyR0XEXcEZFCOqGLMYtdvesoaGhvLycxWLV1NRwOBxJ7zch IQEA4OPjI+kdQVAvwX4yBMkfWWxvMSQSiUajoe/B9kHPGR1dLN2R8WgdIKh7Mv1XQiQSseEHIrzC 3lNoxKqrq0t6R90jEAjSrQAk+2Q6bgEARCJRR0eHTqf3wfUteo4wMTGR9I6+ikqlSrsKkEyT9bgF AKADhrsfMywWFAoFCLxcCkEyC96XgiD5A+MWguQPjFsIkj8wbiFI/sC4hSD5A+MWguQPjFsIkj8w biFI/sC4hSD5A+MWguSPHIxzlLS0tLT8/HwAQFZWFgAgMjISAGBsbOzk5CTlmkFQF2DcgqKiotWr VxMIBPR9/bS0NC6XGxERIe16QVCX4By2oKGhQUdHp6WlBVtCJpMrKyux5AOQJMD5k4UE50/uHJ1O d3Fxwd7Lx+FwLi4uMGghWQbjFgAAAgICsPcEaTRaQECAdOsDQd2DfRUAAEAQREdHh8ViAQC0tLQq KyvhhJKSBvvJQoL95C7hcDgmk0kkEolEIpPJhEELyTh4zvuPgoICMzMzAEBOTo6RkZG0q6P4YHsr JLnJxyctlpaWAIDs7GxpV6RfgHErpE4PFHx++6/AwEBpVwGChCLf5zw2m33x4sUbN25kZ2eXl5ez 2Wxp1whQqdSBAwdaWlrOnDnT09NTXDMzFhcXl5aWTpgwod3y5uZmS0vL9+/fi2UvfQm2t0JStPtS 4eHhDAbj2rVrbm5uKSkpFRUViAyoqKhISUlxc3O7du0ag8EIDw8Xy5fNzMzsdAgXgiDV1dVi2QUk T8T4J7to0aKTJ0/a2touX748Pz8f/SP28/MbM2bMvHnzCgsLEQR59OjR3LlzHR0dT58+zePx+Hz+ 9u3bx40bt2bNmtzcXCF3xGaz3d3dbW1tX716Jcb6i92rV69sbW3d3d3ZbHbHT/39/SMiIiZOnOjm 5nbv3r2pU6daW1tfv34d6XDcysrKRo4cqaurGx4e3tLSEhgYOGLECHd395ycHDabramp+euvv1pY 
From owner-freebsd-pf@FreeBSD.ORG Thu Dec 1 16:28:32 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7746416A41F for ; Thu, 1 Dec 2005 16:28:32 +0000 (GMT) (envelope-from marceloc@espoltel.net) Received: from jupiter.espoltel.net (jupiter.espoltel.net [200.49.240.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1E85A43D5C for ; Thu, 1 Dec 2005 16:28:28 +0000 (GMT) (envelope-from marceloc@espoltel.net) Received: from hefesto ([69.65.149.194]) by jupiter.espoltel.net (8.12.10/8.12.10) with ESMTP id jB1GPUlH021812; Thu, 1 Dec 2005 11:25:31 -0500 Message-Id: <200512011625.jB1GPUlH021812@jupiter.espoltel.net> From: "Marcelo Celleri" To: "'Jon Simola'" Date: Thu, 1 Dec 2005 11:27:40 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Mailer: Microsoft Office Outlook, Build 11.0.6353 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 Thread-Index: AcX2C9/QmaqhbXccSMeQPFtz+nTdiQAh2FsA In-Reply-To: <8eea04080511301614t65037325h44106d2336f7a9f8@mail.gmail.com> X-Antivirus: avast!
(VPS 0548-1, 01/12/2005), Outbound message X-Antivirus-Status: Clean X-ESPOLTEL-MailScanner-Information: Please contact the ISP for more information X-ESPOLTEL-MailScanner: Found to be clean Cc: freebsd-pf@freebsd.org Subject: RE: PF + ALTQ... help please!! X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Dec 2005 16:28:32 -0000

I tried to change the rules to what you told me, but now the outgoing traffic from em1 to my clients is not restricted... Look at this address, there is a diagram of my case and what I'm trying to do:

http://host-242-33.espoltel.net/diagram.jpg

Is the order of the rules important? Which order would be right for my needs?

-----Original Message-----
From: jsimola@gmail.com [mailto:jsimola@gmail.com] On behalf of Jon Simola
Sent: Wednesday, November 30, 2005 19:14
To: Marcelo Celleri
CC: freebsd-pf@freebsd.org
Subject: Re: PF + ALTQ... help please!!

On 11/30/05, Marcelo Celleri wrote:
> int_if="em1"
>
> altq on $int_if bandwidth 100Mb cbq queue { std, uees, lnaval, marcelo, ... }
> queue std bandwidth 10.0Mb cbq(default)
> #Then for each one of the subqueues:
> queue marcelo bandwidth 128Kb cbq { gold, silver, default }
> queue gold bandwidth 70% priority 3 cbq(borrow red)
> queue silver bandwidth 20% priority 2 cbq(borrow red)
> queue default bandwidth 10% cbq(borrow)
> #These are the rules:
>
> pass in on $int_if from any to xxx.xxx.xxx.xxx keep state queue default
> pass in on $int_if proto { tcp } from any port { 25,110 } to xxx.xxx.xxx.xxx
> keep state queue silver
> pass in on $int_if proto { tcp } from any port { 22,53,80,443 } to
> xxx.xxx.xxx.xxx keep state queue gold

You cannot duplicate the gold/silver/default queue names, just in case you're doing that.
The other problem is that you're trying to queue on an inbound interface.

Going back to my example:

# External interface -> OC3
altq on em0 cbq bandwidth 100Mb queue { default_ext, throttle_ext }
queue default_ext bandwidth 40Mb qlimit 1000 priority 5 cbq(default red ecn)
queue throttle_ext bandwidth 64Kb priority 1 cbq(red ecn)

# Internal interface -> LAN clients
altq on em1 cbq bandwidth 100Mb queue { default_int, throttle_int }
queue default_int bandwidth 40Mb qlimit 1000 priority 5 cbq(default red ecn)
queue throttle_int bandwidth 64Kb priority 1 cbq(red ecn)

The queueing rule for this is:
pass out on em0 from to any queue throttle_ext

Or you can specify a queue on the outbound interface (em0) with a rule on the inbound (em1), for a basically similar effect:
pass in on em1 from to any queue throttle_ext

Hope that helps a bit.

--
Jon Simola
Systems Administrator
ABC Communications

--
This message has been scanned by the ESPOLTEL S.A. antivirus for viruses and other dangerous content, and is considered clean.
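Putting Jon's two points together (queue names are unique across the whole ruleset, and a queue only takes effect on the interface that defines it) and extending them to shape both directions, here is an added pf.conf fragment that is not from anyone in the thread. It assumes em0 faces the router and em1 the clients, an invented client subnet and customer address, invented bandwidth figures, and interface-bound states via `set state-policy if-bound`, which is what lets one connection carry a different queue on each interface.

```pf
# Added example, not from the thread.  Interface names, addresses and
# bandwidth figures are assumptions for illustration only.
ext_if = "em0"            # towards the upstream router
int_if = "em1"            # towards the LAN clients

# A floating (default) state remembers exactly one queue for the whole
# connection, and that queue name only resolves on the interface that
# defines it, so the return direction would fall into the other
# interface's default queue.  Binding states to interfaces gives the
# connection one state (and one queue) per interface instead.
set state-policy if-bound

# Clients whose traffic is rate-limited in both directions (constructed).
table <throttled> persist { 192.168.16.0/24 }

# Queues on ext_if shape what LEAVES ext_if: client uploads.
altq on $ext_if cbq bandwidth 100Mb queue { default_ext, throttle_ext }
queue default_ext  bandwidth 40Mb qlimit 1000 priority 5 cbq(default red ecn)
queue throttle_ext bandwidth 64Kb priority 1 cbq(red ecn)

# Queues on int_if shape what LEAVES int_if: client downloads.  Every
# name is unique, hence the _ext/_int and per-customer prefixes.
altq on $int_if cbq bandwidth 100Mb queue { default_int, throttle_int, marcelo_int }
queue default_int  bandwidth 40Mb qlimit 1000 priority 5 cbq(default red ecn)
queue throttle_int bandwidth 64Kb priority 1 cbq(red ecn)
# One customer's 128Kb split into per-service children.  Children borrow
# from their parent only, so the customer as a whole stays at 128Kb.
queue marcelo_int  bandwidth 128Kb cbq { marcelo_gold, marcelo_silver, marcelo_bulk }
queue  marcelo_gold   bandwidth 70% priority 3 cbq(borrow red)
queue  marcelo_silver bandwidth 20% priority 2 cbq(borrow red)
queue  marcelo_bulk   bandwidth 10% cbq(borrow)

# Client-initiated connections are first seen coming IN on int_if.  The
# state created here is bound to int_if and its queue is applied when
# the replies leave int_if, which is the em1 -> clients direction.
pass in  on $int_if from <throttled> to any keep state queue throttle_int
# The same packets then leave on ext_if; with if-bound states they need
# a state there too, and that state carries the ext_if (upload) queue.
pass out on $ext_if from <throttled> to any keep state queue throttle_ext

# One customer (constructed address) shaped per service on the download
# side.  These states are created by the client's first packet, so match
# the DESTINATION port (the service being contacted), not the source
# port.  pf applies the last matching rule, so the catch-all comes first.
pass in on $int_if from 192.168.17.5 to any keep state queue marcelo_bulk
pass in on $int_if proto tcp from 192.168.17.5 to any port { 25, 110 } \
    keep state queue marcelo_silver
pass in on $int_if proto tcp from 192.168.17.5 to any port { 22, 53, 80, 443 } \
    keep state queue marcelo_gold
```

`pfctl -nf /etc/pf.conf` parses the file without loading it and will reject duplicate queue names or children whose percentages exceed their parent.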
From owner-freebsd-pf@FreeBSD.ORG Fri Dec 2 11:30:05 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D7CF416A41F for ; Fri, 2 Dec 2005 11:30:05 +0000 (GMT) (envelope-from montarotech@optusnet.com.au) Received: from mail05.syd.optusnet.com.au (mail05.syd.optusnet.com.au [211.29.132.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id 072F243D58 for ; Fri, 2 Dec 2005 11:30:04 +0000 (GMT) (envelope-from montarotech@optusnet.com.au) Received: from delta (d58-105-105-26.dsl.nsw.optusnet.com.au [58.105.105.26]) by mail05.syd.optusnet.com.au (8.12.11/8.12.11) with SMTP id jB2BTvDv025117; Fri, 2 Dec 2005 22:29:57 +1100 Message-ID: <000c01c5f733$bc4b4750$0600a8c0@delta> From: "Josh Finlay" To: "Marcelo Celleri" References: <200512011625.jB1GPUlH021812@jupiter.espoltel.net> Date: Fri, 2 Dec 2005 21:30:00 +1000 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 Cc: freebsd-pf@freebsd.org Subject: Re: PF + ALTQ... help please!! X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2005 11:30:06 -0000

Hi,

Sorry this has no relevance to your post, I just thought I would comment on the pretty network diagram you did =P

Regards,

----- Original Message -----
From: "Marcelo Celleri"
To: "'Jon Simola'"
Cc:
Sent: Friday, December 02, 2005 2:27 AM
Subject: RE: PF + ALTQ... help please!!
> > > I tried to change the rules to what you tell me, but now the outgoing > traffic from em1 to my clients it's not restricted...Look at this address, > there is a diagram of my case and what I'm trying to do: > > http://host-242-33.espoltel.net/diagram.jpg > > > It's important the order of the rules? Which it could be for my needs? > > > -----Mensaje original----- > De: jsimola@gmail.com [mailto:jsimola@gmail.com] En nombre de Jon Simola > Enviado el: Miércoles, 30 de Noviembre de 2005 19:14 > Para: Marcelo Celleri > CC: freebsd-pf@freebsd.org > Asunto: Re: PF + ALTQ... help please!! > > On 11/30/05, Marcelo Celleri wrote: > >> int_if="em1" >> >> altq on $int_if bandwidth 100Mb cbq queue { std, uees, lnaval, marcelo, > ... } >> queue std bandwidth 10.0Mb cbq(default) >> #Then for each one of the subqueues: >> queue marcelo bandwidth 128Kb cbq { gold, silver, default } >> queue gold bandwidth 70% priority 3 cbq(borrow red) >> queue silver bandwidth 20% priority 2 cbq(borrow red) >> queue default bandwidth 10% cbq(borrow) > >> #These are the rules: >> >> pass in on $int_if from any to xxx.xxx.xxx.xxx keep state queue default >> pass in on $int_if proto { tcp } from any port { 25,110 } to > xxx.xxx.xxx.xxx >> keep state queue silver >> pass in on $int_if proto { tcp } from any port { 22,53,80,443 } to >> xxx.xxx.xxx.xxx keep state queue gold > > You cannot duplicate the gold/silver/default queue names, just in case > you're doing that. > The other problem is that you're trying to queue on an inbound interface. 
> > Going back to my example: > # External interface -> OC3 > altq on em0 cbq bandwidth 100Mb queue { default_ext, throttle_ext } > queue default_ext bandwidth 40Mb qlimit 1000 priority 5 cbq(default red > ecn) > queue throttle_ext bandwidth 64Kb priority 1 cbq(red ecn) > > # Internal interface -> LAN clients > altq on em1 cbq bandwidth 100Mb queue { default_int, throttle_int } > queue default_int bandwidth 40Mb qlimit 1000 priority 5 cbq(default red > ecn) > queue throttle_int bandwidth 64Kb priority 1 cbq(red ecn) > > The queueing rule for this is: > pass out on em0 from to any queue throttle_ext > > Or you can specify a queue on the outbound interface (em0) with a rule > on the inbound (em1), for a basically similar effect: > pass in on em1 from to any queue throttle_ext > > Hope that helps a bit. > > -- > Jon Simola > Systems Administrator > ABC Communications > > > > -- > Este mensaje ha sido analizado por el antivirus de ESPOLTEL S.A. > en busca de virus y otros contenidos peligrosos, > y se considera que está limpio. 
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 2 13:11:52 2005
From: David Pierron
Date: Fri, 02 Dec 2005 08:11:49 -0500
To: freebsd-pf@freebsd.org
Message-ID: <43904815.4070805@wombatsweb.com>
Subject: FBSD6 if_bridge

I have been trying for some time to get if_bridge working on a FreeBSD 6.0 machine. I must be missing something simple. I have Googled, I have previously posted here, I've IRC'd and I have tried 3 different installations on different hardware ... I have read and reread the man pages for if_bridge and associated docs, I believe I made the correct choices. I have posted my edits so that it may jump out at someone and I can proceed on my merry way into ruleset building ...

The configuration desired is a 3 NIC install ... 2 doing the bridge between the router and the network and the 3rd used for access I/O to the machine. When I am ready to try this new configuration, I pull the two CAT5 cables from the existing bridge (FBSD 4.11-p13 BRIDGE IPFW) and pop them into this new one.

I see traffic being blocked using tcpdump -i pflog0 from machines within the network (fxp2), but nothing outside (fxp0 and fxp1). I see states being established and removed watching pftop but only for the internal network (fxp2).
It appears the bridge is not working what-so-ever ... any ideas for me to try?

I install from 6.0-RELEASE-i386-bootonly.iso using a Minimal install. Get base via FTP :: pkg_add -r cvsup-without-gui, cvsup all source and ports, and recompile the kernel editing GENERIC with:

# Bridge support
device if_bridge

# PF support
device pf
device pflog
device pfsync

# ALTQ support
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ
# for SMP machine
options ALTQ_NOPCC

# other stuff
#options IPSTEALTH
options HZ=1000

config SMP ; cd ../compile/SMP ; make depend ; make ; make install
reboot

/etc/sysctl.conf:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Enable bridge and allow each NIC (member) in/out filtering for PF
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=1
#
# Enable forwarding
#net.inet.ip.forwarding=1 # I have tried with this on as well but bridge should do forwarding
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

/etc/rc.conf:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
defaultrouter="my.c.class.xxx"
hostname="foo.mydomain.org"
ifconfig_fxp2="inet my.c.class.xxx netmask 255.255.255.0"
#
# Create Bridge
cloned_interfaces="bridge0"
ifconfig_bridge0="addm fxp0 addm fxp1 up"
#
# Enable PF firewall
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
#
# Enable PF logging
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
#
# Start Apache2 at startup
apache2_enable="YES"
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

/etc/pf.conf:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ext_if="fxp0" # replace with actual external interface name i.e., dc0
int_if="fxp1" # replace with actual internal interface name i.e., dc1
mgt_if="fxp2" # replace with actual internal interface name i.e., dc2

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# localhost interface
pass quick on lo0 all

# Block everything and log it
block log on $mgt_if all
block log on $ext_if all
block log on $int_if all

# Internal interface
pass out on $mgt_if all keep state
pass in on $mgt_if proto tcp from any to $mgt_if port 80 keep state
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

ifconfig output with cables unplugged from bridge:

fxp0: flags=8902 mtu 1500
    options=8
    ether xx:xx:xx:xx:xx:xx
    media: Ethernet autoselect (none)
    status: no carrier
fxp1: flags=8902 mtu 1500
    options=8
    ether xx:xx:xx:xx:xx:xx
    media: Ethernet autoselect (none)
    status: no carrier
fxp2: flags=8843 mtu 1500
    options=8
    inet6 xxxx::xxx:xxxx:xxxx:xxxx%fxp2 prefixlen 64 scopeid 0x3
    inet my.c.class.xxx netmask 0xffffff00 broadcast my.c.class.255
    ether xx:xx:xx:xx:xx:xx
    media: Ethernet autoselect (100baseTX )
    status: active
plip0: flags=108810 mtu 1500
pfsync0: flags=0<> mtu 2020
pflog0: flags=141 mtu 33208
lo0: flags=8049 mtu 16384
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
    inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8041 mtu 1500
    ether xx:xx:xx:xx:xx:xx
    priority 32768 hellotime 2 fwddelay 15 maxage 20
    member: fxp1 flags=3
    member: fxp0 flags=3

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 2 17:56:13 2005
From: "Bruce A. Mah"
Date: Fri, 02 Dec 2005 09:56:01 -0800
To: David Pierron
Cc: freebsd-pf@freebsd.org
Message-ID: <43908AB1.7030107@freebsd.org>
In-Reply-To: <43904815.4070805@wombatsweb.com>
Subject: Re: FBSD6 if_bridge

If memory serves me right, David Pierron wrote:
> I have been trying for some time to get if_bridge working on a FreeBSD
> 6.0 machine. I must be missing something simple.

[snip]

> fxp0: flags=8902 mtu 1500
>     options=8
>     ether xx:xx:xx:xx:xx:xx
>     media: Ethernet autoselect (none)
>     status: no carrier
> fxp1: flags=8902 mtu 1500
>     options=8
>     ether xx:xx:xx:xx:xx:xx
>     media: Ethernet autoselect (none)
>     status: no carrier

It looks to me like you didn't turn up either the fxp0 or fxp1 interfaces. It's correct to leave these interfaces unnumbered (i.e. no IP addresses) but they do need to be up. Try adding these lines to /etc/rc.conf:

ifconfig_fxp0="up"
ifconfig_fxp1="up"

Good luck,

Bruce.
From owner-freebsd-pf@FreeBSD.ORG Fri Dec 2 19:07:55 2005
From: David Pierron
Date: Fri, 02 Dec 2005 14:07:50 -0500
To: freebsd-pf@freebsd.org
Message-ID: <43909B86.4050308@wombatsweb.com>
In-Reply-To: <43908AB1.7030107@freebsd.org>
Subject: Re: FBSD6 if_bridge

Bruce A. Mah on 12/02/2005 12:56 PM wrote:
> If memory serves me right, David Pierron wrote:
>> I have been trying for some time to get if_bridge working on a FreeBSD
>> 6.0 machine. I must be missing something simple.
>
> [snip]
>
>> fxp0: flags=8902 mtu 1500
>>     options=8
>>     ether xx:xx:xx:xx:xx:xx
>>     media: Ethernet autoselect (none)
>>     status: no carrier
>> fxp1: flags=8902 mtu 1500
>>     options=8
>>     ether xx:xx:xx:xx:xx:xx
>>     media: Ethernet autoselect (none)
>>     status: no carrier
>
> It looks to me like you didn't turn up either the fxp0 or fxp1
> interfaces. It's correct to leave these interfaces unnumbered (i.e. no
> IP addresses) but they do need to be up. Try adding these lines to
> /etc/rc.conf:
>
> ifconfig_fxp0="up"
> ifconfig_fxp1="up"

They weren't connected at the time the ifconfig was run. That's the reason for the no carrier ... I'm sure it's something in the configuration ...
From owner-freebsd-pf@FreeBSD.ORG Fri Dec 2 19:24:08 2005
From: "Bruce A. Mah"
Date: Fri, 02 Dec 2005 11:24:03 -0800
To: David Pierron
Cc: freebsd-pf@freebsd.org
Message-ID: <43909F53.4010905@freebsd.org>
In-Reply-To: <43909B86.4050308@wombatsweb.com>
Subject: Re: FBSD6 if_bridge

If memory serves me right, David Pierron wrote:
> Bruce A. Mah on 12/02/2005 12:56 PM wrote:
>> If memory serves me right, David Pierron wrote:
>>> fxp0: flags=8902 mtu 1500
>>>     options=8
>>>     ether xx:xx:xx:xx:xx:xx
>>>     media: Ethernet autoselect (none)
>>>     status: no carrier
>>> fxp1: flags=8902 mtu 1500
>>>     options=8
>>>     ether xx:xx:xx:xx:xx:xx
>>>     media: Ethernet autoselect (none)
>>>     status: no carrier
>>
>> It looks to me like you didn't turn up either the fxp0 or fxp1
>> interfaces. It's correct to leave these interfaces unnumbered (i.e. no
>> IP addresses) but they do need to be up. Try adding these lines to
>> /etc/rc.conf:
>>
>> ifconfig_fxp0="up"
>> ifconfig_fxp1="up"
>
> They weren't connected at the time the ifconfig was run. That's the
> reason for the no carrier ... I'm sure it's something in the
> configuration ...

No, that's not what I meant. Notice that the fxp0 and fxp1 interfaces don't have the "UP" flags (whether or not they're physically plugged in is irrelevant). I'm pretty sure you need to "ifconfig up" both interfaces before the bridge can use them and as far as I can tell you didn't do this. I don't claim to be an expert in this area, but I *do* have a filtering bridge working using if_bridge and PF....

Bruce.
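Editor's note, added to the archive and not part of the thread: Bruce's diagnosis rests on reading the hex flags word of each bridge member, where bit 0x1 is UP and "no carrier" is a separate, link-level matter. The script below is an added example, not code from Bruce or David. It parses ifconfig(8) output in the FreeBSD 6 format David pasted and reports bridge members that are not UP, members that carry an IPv4 address, and members without carrier. The sample listing is constructed from David's posting (same flag values and placeholders) with the flag names that ifconfig prints in angle brackets restored; FIXED_IFCONFIG is the same listing with the 8943 flags David reports after adding the rc.conf lines. Function names and the sample addresses are this example's own.

```python
"""Check that every member of an if_bridge(4) bridge is UP.

Added example, not code from the thread. It parses the text output of
ifconfig(8) in the FreeBSD 6 format shown above and reports bridge members
whose flags word lacks the UP bit (0x1), plus members without carrier.
SAMPLE_IFCONFIG is constructed from the listing in the thread (same flag
values, same placeholders for MAC addresses) with the flag names that
ifconfig prints in angle brackets restored.
"""
import re

IFF_UP = 0x1        # from <net/if.h>: interface is administratively up
IFF_RUNNING = 0x40  # resources allocated; does not imply link

SAMPLE_IFCONFIG = """\
fxp0: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    options=8<VLAN_MTU>
    ether xx:xx:xx:xx:xx:xx
    media: Ethernet autoselect (none)
    status: no carrier
fxp1: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    options=8<VLAN_MTU>
    ether xx:xx:xx:xx:xx:xx
    media: Ethernet autoselect (none)
    status: no carrier
fxp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=8<VLAN_MTU>
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
    ether xx:xx:xx:xx:xx:xx
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8041<UP,RUNNING,MULTICAST> mtu 1500
    ether xx:xx:xx:xx:xx:xx
    priority 32768 hellotime 2 fwddelay 15 maxage 20
    member: fxp1 flags=3<LEARNING,DISCOVER>
    member: fxp0 flags=3<LEARNING,DISCOVER>
"""

# The same listing after ifconfig_fxp0="up" / ifconfig_fxp1="up" take effect
# (flags 8943 = 8902 plus UP and RUNNING), as reported later in the thread.
FIXED_IFCONFIG = SAMPLE_IFCONFIG.replace(
    'flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST>',
    'flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST>')

IFACE_RE = re.compile(r'^(\S+): flags=([0-9a-fA-F]+)')
MEMBER_RE = re.compile(r'^\s+member: (\S+) flags=')
STATUS_RE = re.compile(r'^\s+status: (.+)$')
INET_RE = re.compile(r'^\s+inet ')


def parse_ifconfig(text):
    """Map interface name -> {'flags': int, 'status': str|None, 'members': [...], 'inet': bool}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = ifaces[m.group(1)] = {'flags': int(m.group(2), 16), 'status': None,
                                         'members': [], 'inet': False}
            continue
        if cur is None:
            continue
        m = MEMBER_RE.match(line)
        if m:
            cur['members'].append(m.group(1))
            continue
        m = STATUS_RE.match(line)
        if m:
            cur['status'] = m.group(1).strip()
        elif INET_RE.match(line):
            cur['inet'] = True
    return ifaces


def check_bridges(text):
    """Return (severity, interface, message) tuples for every bridge in the output."""
    ifaces = parse_ifconfig(text)
    findings = []
    for name, info in ifaces.items():
        if not info['members']:
            continue  # only interfaces with "member:" lines are bridges
        if not info['flags'] & IFF_UP:
            findings.append(('error', name, 'bridge interface is not UP'))
        for member in info['members']:
            mi = ifaces.get(member)
            if mi is None:
                findings.append(('error', member, 'listed as member of %s but missing from output' % name))
                continue
            if not mi['flags'] & IFF_UP:
                findings.append(('error', member, 'member of %s is not UP (flags=0x%x); '
                                 'add ifconfig_%s="up" to /etc/rc.conf' % (name, mi['flags'], member)))
            if mi['inet']:
                findings.append(('warning', member, 'bridge member carries an IPv4 address; '
                                 'members are normally left unnumbered'))
            if mi['status'] == 'no carrier':
                findings.append(('warning', member, 'no carrier: nothing will pass until the cable is in'))
    return findings


if __name__ == '__main__':
    for sev, iface, msg in check_bridges(SAMPLE_IFCONFIG):
        print('%-7s %-6s %s' % (sev, iface, msg))
```

On David's original listing it flags fxp1 and fxp0 as not UP (the two errors) and notes the missing carrier on both; on the corrected listing only the carrier warnings remain, which is exactly the state David was in when he posted the 8943 output with the cables still unplugged.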
From owner-freebsd-pf@FreeBSD.ORG Fri Dec 2 21:05:32 2005
From: Jon Simola
Date: Fri, 2 Dec 2005 13:05:30 -0800
To: Marcelo Celleri
Cc: freebsd-pf@freebsd.org
Message-ID: <8eea04080512021305h27754ed7nfd92369870e85ada@mail.gmail.com>
In-Reply-To: <200512011625.jB1GPUlH021812@jupiter.espoltel.net>
Subject: Re: PF + ALTQ... help please!!

On 12/1/05, Marcelo Celleri wrote:
> I tried to change the rules to what you tell me, but now the outgoing
> traffic from em1 to my clients isn't restricted... Look at this address,
> there is a diagram of my case and what I'm trying to do:
>
> http://host-242-33.espoltel.net/diagram.jpg

Very nicely done. If everyone who needed help could provide this kind of diagram, there would be a lot more people willing to offer it.

Your queue setup looks to be properly done, so now you just have to tweak the rules. I've been thinking about whether you need if-bound states for this, and I think you do. Any other commentors on that?

Give me a bit to think through that and I'll try and get you an example. In the meantime, take another read through the PF guide and see if you can pick up any pointers from there.
--
Jon Simola
Systems Administrator
ABC Communications

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 2 22:19:25 2005
From: David Pierron
Date: Fri, 02 Dec 2005 17:19:20 -0500
To: freebsd-pf@freebsd.org
Message-ID: <4390C868.5010705@wombatsweb.com>
In-Reply-To: <43909F53.4010905@freebsd.org>
Subject: Re: FBSD6 if_bridge

Bruce A. Mah on 12/02/2005 2:24 PM wrote:
> If memory serves me right, David Pierron wrote:
>> Bruce A. Mah on 12/02/2005 12:56 PM wrote:
>>> If memory serves me right, David Pierron wrote:
>>>> fxp0: flags=8902 mtu 1500
>>>>     options=8
>>>>     ether xx:xx:xx:xx:xx:xx
>>>>     media: Ethernet autoselect (none)
>>>>     status: no carrier
>>>> fxp1: flags=8902 mtu 1500
>>>>     options=8
>>>>     ether xx:xx:xx:xx:xx:xx
>>>>     media: Ethernet autoselect (none)
>>>>     status: no carrier
>>>
>>> It looks to me like you didn't turn up either the fxp0 or fxp1
>>> interfaces. It's correct to leave these interfaces unnumbered (i.e. no
>>> IP addresses) but they do need to be up. Try adding these lines to
>>> /etc/rc.conf:
>>>
>>> ifconfig_fxp0="up"
>>> ifconfig_fxp1="up"
>>
>> They weren't connected at the time the ifconfig was run. That's the
>> reason for the no carrier ... I'm sure it's something in the
>> configuration ...
>
> No, that's not what I meant. Notice that the fxp0 and fxp1 interfaces
> don't have the "UP" flags (whether or not they're physically plugged in
> is irrelevant). I'm pretty sure you need to "ifconfig up" both
> interfaces before the bridge can use them and as far as I can tell you
> didn't do this. I don't claim to be an expert in this area, but I *do*
> have a filtering bridge working using if_bridge and PF....

Ah! I applied those settings to rc.conf and got the following results:

fxp0: flags=8943 mtu 1500
    options=8
    inet6 xxxx::xxx:xxxx:xxxx:xxxx%fxp0 prefixlen 64 scopeid 0x1
    ether xx:xx:xx:xx:xx:xx
    media: Ethernet autoselect (none)
    status: no carrier
fxp1: flags=8943 mtu 1500
    options=8
    inet6 xxxx::xxx:xxxx:xxxx:xxxx%fxp1 prefixlen 64 scopeid 0x2
    ether xx:xx:xx:xx:xx:xx
    media: Ethernet autoselect (none)
    status: no carrier
fxp2: flags=8843 mtu 1500
    options=8
    inet6 xxxx::xxx:xxxx:xxxx:xxxx%fxp2 prefixlen 64 scopeid 0x3
    inet my.c.class.xxx netmask 0xffffff00 broadcast 64.243.181.255
    ether xx:xx:xx:xx:xx:xx
    media: Ethernet autoselect (100baseTX )
    status: active
plip0: flags=108810 mtu 1500
pfsync0: flags=0<> mtu 2020
pflog0: flags=141 mtu 33208
lo0: flags=8049 mtu 16384
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
    inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8041 mtu 1500
    ether xx:xx:xx:xx:xx:xx
    priority 32768 hellotime 2 fwddelay 15 maxage 20
    member: fxp1 flags=3
    member: fxp0 flags=3

I can't wait until the wee hours to test this! They do seem to have IPV6 addresses ... Can I shut that off? Comment out IPV6 in the kernel? I don't need IPV6 ...

I see my:

pass in on $mgt_if proto tcp from any to $mgt_if port 80 keep state

expands out to two rules, one for inet and another for inet6 ... or change the command to:

pass in on $mgt_if inet proto tcp from any to $mgt_if port 80 keep state

I shouldn't have to worry about IPV6 ... Anyway, I'll report on the ifconfig_inf(x)="up" and see if that is the ticket ...
From owner-freebsd-pf@FreeBSD.ORG Fri Dec 2 22:53:26 2005
From: "Marcelo Celleri"
Date: Fri, 2 Dec 2005 17:52:49 -0500
To: "'Jon Simola'"
Cc: freebsd-pf@freebsd.org
Message-Id: <200512022250.jB2MoSlH030026@jupiter.espoltel.net>
In-Reply-To: <8eea04080512021305h27754ed7nfd92369870e85ada@mail.gmail.com>
Subject: RE: PF + ALTQ... help please!!

I used Visio for the diagram, but another cool program is SmartDraw.

I'm still waiting for help, thanks to everybody... but please give me light at the end of the tunnel!!

-----Original Message-----
From: jsimola@gmail.com [mailto:jsimola@gmail.com] On behalf of Jon Simola
Sent: Friday, 02 December 2005 16:06
To: Marcelo Celleri
Cc: freebsd-pf@freebsd.org
Subject: Re: PF + ALTQ... help please!!

On 12/1/05, Marcelo Celleri wrote:
> I tried to change the rules to what you tell me, but now the outgoing
> traffic from em1 to my clients isn't restricted... Look at this address,
> there is a diagram of my case and what I'm trying to do:
>
> http://host-242-33.espoltel.net/diagram.jpg

Very nicely done. If everyone who needed help could provide this kind of diagram, there would be a lot more people willing to offer it.

Your queue setup looks to be properly done, so now you just have to tweak the rules. I've been thinking about whether you need if-bound states for this, and I think you do. Any other commentors on that?

Give me a bit to think through that and I'll try and get you an example. In the meantime, take another read through the PF guide and see if you can pick up any pointers from there.

--
Jon Simola
Systems Administrator
ABC Communications
From owner-freebsd-pf@FreeBSD.ORG Sat Dec 3 01:02:59 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E0D4E16A41F for ; Sat, 3 Dec 2005 01:02:58 +0000 (GMT) (envelope-from bmah@freebsd.org) Received: from a.mail.sonic.net (a.mail.sonic.net [64.142.16.245]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8F01F43D46 for ; Sat, 3 Dec 2005 01:02:58 +0000 (GMT) (envelope-from bmah@freebsd.org) Received: from [192.168.2.64] (hornet.kitchenlab.org [64.142.31.105]) (authenticated bits=0) by a.mail.sonic.net (8.13.3/8.13.3) with ESMTP id jB312vpM019214 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO); Fri, 2 Dec 2005 17:02:58 -0800 Message-ID: <4390EEBE.5090206@freebsd.org> Date: Fri, 02 Dec 2005 17:02:54 -0800 From: "Bruce A. Mah" User-Agent: Mozilla Thunderbird 1.0.7 (X11/20051111) X-Accept-Language: en-us, en MIME-Version: 1.0 To: David Pierron References: <43904815.4070805@wombatsweb.com> <43908AB1.7030107@freebsd.org> <43909B86.4050308@wombatsweb.com> <43909F53.4010905@freebsd.org> <4390C868.5010705@wombatsweb.com> In-Reply-To: <4390C868.5010705@wombatsweb.com> X-Enigmail-Version: 0.93.0.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig10C9172C5064142F62B81BC1" Cc: freebsd-pf@freebsd.org Subject: Re: FBSD6 if_bridge X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 03 Dec 2005 01:02:59 -0000 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig10C9172C5064142F62B81BC1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit If memory serves me right, David Pierron wrote: > Ah! 
> I applied those settings to rc.conf and got the following results:
>
> fxp0: flags=8943 mtu 1500
>         options=8
>         inet6 xxxx::xxx:xxxx:xxxx:xxxx%fxp0 prefixlen 64 scopeid 0x1
>         ether xx:xx:xx:xx:xx:xx
>         media: Ethernet autoselect (none)
>         status: no carrier
> fxp1: flags=8943 mtu 1500
>         options=8
>         inet6 xxxx::xxx:xxxx:xxxx:xxxx%fxp1 prefixlen 64 scopeid 0x2
>         ether xx:xx:xx:xx:xx:xx
>         media: Ethernet autoselect (none)
>         status: no carrier

OK, this looks better. No guarantees but I'm pretty sure it would never have worked before. Hopefully this will at least get you closer.

> I can't wait until the wee hours to test this! They do seem to have
> IPV6 addresses ... Can I shut that off? Comment out IPV6 in the
> kernel? I don't need IPV6 ...

If you really want them gone, then you probably need to comment out IPv6 from your kernel.

Those are IPv6 "link local" addresses...they are designed for two nodes on the same subnet to communicate with each other even if there is no other addressing/routing infrastructure (to assign globally-visible addresses, etc.). The closest analog in the IPv4 world is the 169.254.0.0/16 range of addresses used by machines to communicate on a subnet when they can't get (e.g.) DHCP addresses.

If there's no way for anybody to get an IPv6 packet to either fxp0 or fxp1, I wouldn't worry about it, but I have to admit I'm not 100% sure what the security implications of the link local addresses are.

> I see my:
>
> pass in on $mgt_if proto tcp from any to $mgt_if port 80 keep state
>
> expands out to two rules, one for inet and another for inet6 ...
>
> or change the command to:
>
> pass in on $mgt_if inet proto tcp from any to $mgt_if port 80 keep state
>
> I shouldn't have to worry about IPV6 ...

I don't think that having the inet and inet6 rules hurt you except (maybe) for performance. My bridge actually does filter IPv6 traffic (it's a tunnel endpoint) so it really does need those.

> Anyway, I'll report on the ifconfig_inf(x)="up" and see if that is the ticket ...

Looking forward to hearing the good news...

Bruce.

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 3 11:44:53 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 55F7E16A41F for ; Sat, 3 Dec 2005 11:44:53 +0000 (GMT) (envelope-from david@wombatsweb.com) Received: from mail01.bsdmail.net (mail01.bsdmail.net [64.243.181.101]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7E28E43D6B for ; Sat, 3 Dec 2005 11:44:52 +0000 (GMT) (envelope-from david@wombatsweb.com) Received: (qmail 63365 invoked by uid 89); 3 Dec 2005 11:44:50 -0000 Received: by simscan 1.1.0 ppid: 63359, pid: 63361, t: 1.7669s scanners: attach: 1.1.0 clamav: 0.85.1/m:32/d:941 spam: 3.0.2 Received: from unknown (HELO ?64.243.181.151?) (david@icuhost.net@64.243.181.151) by mail01.bsdmail.net with (DHE-RSA-AES256-SHA encrypted) SMTP; 3 Dec 2005 11:44:49 -0000 Message-ID: <43918534.7070001@wombatsweb.com> Date: Sat, 03 Dec 2005 06:44:52 -0500 From: David Pierron User-Agent: Mozilla Thunderbird 1.0.7 (Windows/20050923) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: <43904815.4070805@wombatsweb.com> <43908AB1.7030107@freebsd.org> <43909B86.4050308@wombatsweb.com> <43909F53.4010905@freebsd.org> <4390C868.5010705@wombatsweb.com> <4390EEBE.5090206@freebsd.org> In-Reply-To: <4390EEBE.5090206@freebsd.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on mail01.bsdmail.net X-Spam-Level: X-Spam-Status: No, score=-5.7 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00, HOT_NASTY autolearn=ham version=3.0.2 Subject: Re: FBSD6 if_bridge X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 03 Dec 2005 11:44:53 -0000

Bruce A. Mah on 12/02/2005 8:02 PM wrote:
> If memory serves me right, David Pierron wrote:
>
>> Ah! I applied those settings to rc.conf and got the following results:
>>
>> fxp0: flags=8943 mtu 1500
>>         options=8
>>         inet6 xxxx::xxx:xxxx:xxxx:xxxx%fxp0 prefixlen 64 scopeid 0x1
>>         ether xx:xx:xx:xx:xx:xx
>>         media: Ethernet autoselect (none)
>>         status: no carrier
>> fxp1: flags=8943 mtu 1500
>>         options=8
>>         inet6 xxxx::xxx:xxxx:xxxx:xxxx%fxp1 prefixlen 64 scopeid 0x2
>>         ether xx:xx:xx:xx:xx:xx
>>         media: Ethernet autoselect (none)
>>         status: no carrier
>>
>
> OK, this looks better. No guarantees but I'm pretty sure it would never
> have worked before. Hopefully this will at least get you closer.
>

Bah! Left my IP address in there, but heck ... Who can't look at email headers?

>> can't wait until the wee hours to test this! They do seem to have
>> IPV6 addresses ... Can I shut that off? Comment out IPV6 in the
>> kernel? I don't need IPV6 ...
>>
>
> If you really want them gone, then you probably need to comment out IPv6
> from your kernel.
>

Since I don't need it at all, I think it's good to remove it from the kernel so nothing is an issue ... Saves me on the ruleset typing and it won't generate those rules needlessly ... While composing I was compiling the new kernel ... Commenting out IPV6 and removing "inet" from the rule did the trick ... It no longer produces 2 rules ...

>> Anyway, I'll report on the ifconfig_inf(x)="up" and see if that is the ticket ...
>>
>
> Looking forward to hearing the good news...
>

Excuse my French but, OMFG! That was it! I had seen that as part of the OBSD setup ... but I thought that was the way OBSD worked or something because these statements were not necessary for the IPFW BRIDGE setup I have in place now ...

I stuffed those CAT5 puppies into the NICs for about 5 minutes maybe ... Got 4100 lines of blocks from the two interfaces ... (They were all "block in" btw) ... Here I thought there wasn't that much traffic at this time of the AM ... Now I will compose a ruleset before I start using it again ...

Viewing with tcpdump -n -e -ttt -r /var/log/pflog ... WAY more detailed than the IPFW BRIDGE ... Just seeing the DNS queries to the name servers ... NEAT! I even see how noisy the Windows machines are ... so many broadcasts ... I have a colo here, and I see he has DHCP running ... Why? I will ask him later today ...

Thanks ever so much! I popped your name in the HOW-TO I am creating @ http://test.davidpierron.com/fbsd-pf.php
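Added example, not from either mail in this thread and not from David's HOW-TO: a minimal rc.conf and pf.conf for the if_bridge setup discussed above, showing the two points the exchange turns on (bringing the address-less bridge members "up", and pinning the management rule to one address family so pfctl does not load it twice), plus the pflog check David used. The thread names fxp0, fxp1 and the $mgt_if macro; the management interface name fxp2, the bridge0 clone and the explicit IPv6 block rule are assumptions added here, the last being an alternative to building a kernel without INET6.

```conf
# /etc/rc.conf (added example; bridge0 and fxp2 are assumptions)
# Members need no IPv4 address, but they must be "up" or the bridge
# never sees their frames -- the ifconfig_<if>="up" point from the thread.
cloned_interfaces="bridge0"
ifconfig_bridge0="addm fxp0 addm fxp1 up"
ifconfig_fxp0="up"
ifconfig_fxp1="up"
pf_enable="YES"
pflog_enable="YES"     # writes blocked packets to /var/log/pflog via pflog0

# /etc/pf.conf (added example)
ext_if = "fxp0"        # bridge member, outside
int_if = "fxp1"        # bridge member, inside
mgt_if = "fxp2"        # assumed: separate interface holding the host's IPv4 address

# Default deny, logged, so every drop shows up in pflog.
block in log all

# Without an address family this rule is loaded twice, once for inet and
# once for inet6 (pfctl -nvf shows both).  "inet" keeps it IPv4-only even
# on a kernel that still has INET6.
pass in on $mgt_if inet proto tcp from any to $mgt_if port 80 keep state

# Alternative to removing INET6 from the kernel: stop the bridge from
# forwarding any IPv6, which covers the fe80::/10 link-local neighbour
# traffic the members pick up automatically.
block in quick on { $ext_if, $int_if } inet6 all

# Placeholder for the real bridged-traffic policy; pf filters on each
# member interface, so rules here see frames from both sides.
pass on { $ext_if, $int_if } inet proto { tcp, udp, icmp } all keep state

# Checks, run as root:
#   pfctl -nvf /etc/pf.conf                  parse only; prints the rules as they would load
#   pfctl -f /etc/pf.conf                    load the ruleset
#   tcpdump -n -e -ttt -r /var/log/pflog     what "block in log all" caught
#   tcpdump -n -e -ttt -i pflog0             the same, live
```

Run `pfctl -nvf` before and after adding `inet` to the management rule and the output goes from two rules to one; that is the behaviour David reports, obtained without touching the kernel. On FreeBSD 6 if_bridge(4) filters on member interfaces by default (the net.link.bridge.pfil_member sysctl), which is why the `block in log all` line produced a log entry for every frame crossing fxp0 and fxp1 as soon as the members were up.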
