From owner-freebsd-pf@FreeBSD.ORG Sun Apr 9 18:55:15 2006
From: rw
To: freebsd-pf@freebsd.org
Date: Sun, 09 Apr 2006 19:44:44 +0100
Subject: Lockups with "user" option

After switching to pf+altq, I've had lock-ups when running Azureus and
MLDonkey (under KDE). Top shows one of the processes in the state "*pf ta".

Changing from CBQ to PRIQ, and removing unnecessary kernel options, had no
effect, but the problems went away when I redefined these macros as "":

    bt_users = "user != unknown"
    mlnet_users = "user mlnet"

These are used in my Bittorrent and MLDonkey rules to prevent the ports
being open when nothing is listening, and to send MLDonkey uploads to a
separate queue.

The user and group options don't seem to be covered on the OpenBSD site,
but they are in the pf.conf manpage.

Is this a known problem? Any advice?

From owner-freebsd-pf@FreeBSD.ORG Sun Apr 9 19:33:20 2006
From: Daniel Gerzo
Reply-To: Daniel Gerzo
To: rw
Cc: freebsd-pf@freebsd.org
Date: Sun, 9 Apr 2006 21:32:21 +0200
Message-ID: <1163820900.20060409213221@rulez.sk>
Subject: Re: Lockups with "user" option

Hello rw,

Sunday, April 9, 2006, 8:44:44 PM, you wrote these comments:

> The user and group options don't seem to be covered on the OpenBSD site,
> but they are in the pf.conf manpage.

> Is this a known problem? Any advice?

see the BUGS section of pf.conf(5)

-- 
Sincerely,
 Daniel Gerzo

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 10 07:46:08 2006
From: David Siebörger
To: freebsd-pf@freebsd.org
Date: Mon, 10 Apr 2006 09:46:00 +0200
Organization: RUCUS
Message-Id: <200604100946.00773.drs@rucus.net>
Subject: pfsync's syncpeer address is backwards

I've found that I need to specify the syncpeer IP address backwards for
it to work. Here's how my pfsync0 interface is configured:

    root@bert# ifconfig pfsync0
    pfsync0: flags=41 mtu 1348
            pfsync: syncdev: vlan0 syncpeer: 3.12.231.146 maxupd: 128

but the traffic is sent with the IP address the right way around:

    root@bert# tcpdump -pni vlan0 proto pfsync
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on vlan0, link-type EN10MB (Ethernet), capture size 96 bytes
    09:32:12.455049 IP 146.231.12.2 > 146.231.12.3: pfsync 356
    09:32:12.548227 IP 146.231.12.3 > 146.231.12.2: pfsync 268
    09:32:13.457113 IP 146.231.12.2 > 146.231.12.3: pfsync 356
    09:32:13.650316 IP 146.231.12.3 > 146.231.12.2: pfsync 268

pfsync does work now, in that both firewalls are aware of state changes,
but it would seem that either there's an extra or a missing hton/ntoh
call somewhere in pfsync.

I'm running FreeBSD 6.1-RC (compiled from < 24h old source).

The "hardware" configuration is a bit unusual, though: I'm using pfsync
on vlan0, whose parent device is le1 in a VMware Server virtual
machine.

Is anyone else seeing anything similar?
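Why one unbalanced byte-order conversion shows up as a reversed dotted quad, as an added illustration that is not pfsync code or part of David's post: on a little-endian host (the x86 VMware guest in the report) htonl() and ntohl() are both a 32-bit byte swap, so a single extra or missing call turns 146.231.12.3 into 3.12.231.146. The two addresses are the ones from the report; the helper functions are hypothetical and written out so the result does not depend on the host's own endianness.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse a dotted quad into four bytes in wire (big-endian) order.
 * Returns 0 on success, -1 if the string is not a valid IPv4 address. */
int parse_dotted(const char *s, uint8_t out[4])
{
    unsigned a, b, c, d;
    char tail;

    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    out[0] = (uint8_t)a; out[1] = (uint8_t)b;
    out[2] = (uint8_t)c; out[3] = (uint8_t)d;
    return 0;
}

/* Format four wire-order bytes as a dotted quad. */
void format_dotted(const uint8_t in[4], char *buf, size_t n)
{
    snprintf(buf, n, "%u.%u.%u.%u", in[0], in[1], in[2], in[3]);
}

/* Byte-swap a 32-bit value.  On a little-endian host both htonl() and
 * ntohl() reduce to exactly this, so it is spelled out here instead of
 * relying on whatever the compiling host happens to be. */
uint32_t bswap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0x0000ff00u) |
           ((v << 8) & 0x00ff0000u) | (v << 24);
}

/* Reproduce the symptom: take the address the administrator typed, apply
 * one unbalanced swap, and format what would then land in the packet.
 * Returns 1 if the result equals `expected`, 0 if not, -1 on bad input. */
int unbalanced_swap_gives(const char *typed, const char *expected)
{
    uint8_t b[4];
    uint32_t host, swapped;
    char out[16];

    if (parse_dotted(typed, b) < 0)
        return -1;
    /* load the four wire bytes the way a little-endian CPU reads them */
    host = (uint32_t)b[0] | (uint32_t)b[1] << 8 |
           (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    swapped = bswap32(host);            /* the one extra (or missing) hton/ntoh */
    b[0] = (uint8_t)(swapped & 0xff);        b[1] = (uint8_t)((swapped >> 8) & 0xff);
    b[2] = (uint8_t)((swapped >> 16) & 0xff); b[3] = (uint8_t)(swapped >> 24);
    format_dotted(b, out, sizeof out);
    return strcmp(out, expected) == 0;
}

/* Diagnostic for the symptom in the report: 1 if the address one tool shows
 * is exactly the byte reversal of what another tool shows (the signature of
 * a missing or extra hton/ntoh rather than a typo), 0 if they are identical
 * or differ in some other way, -1 if either string is malformed.  A
 * palindromic address such as 1.2.2.1 yields 0: a swap would not change it,
 * so this check cannot see the bug on such an address. */
int looks_byte_swapped(const char *shown_a, const char *shown_b)
{
    uint8_t a[4], b[4];

    if (parse_dotted(shown_a, a) < 0 || parse_dotted(shown_b, b) < 0)
        return -1;
    if (memcmp(a, b, 4) == 0)
        return 0;
    return a[0] == b[3] && a[1] == b[2] && a[2] == b[1] && a[3] == b[0];
}

int main(void)
{
    /* configured syncpeer vs. the peer address seen on the wire in the report */
    printf("ifconfig shows 3.12.231.146, tcpdump shows 146.231.12.3: %s\n",
           looks_byte_swapped("3.12.231.146", "146.231.12.3") == 1
               ? "byte-order bug" : "something else");
    return 0;
}
```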
-- 
David Siebörger
drs@rucus.ru.ac.za

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 10 08:40:27 2006
From: "N. Ersen SISECI"
To: freebsd-pf@freebsd.org
Date: Mon, 10 Apr 2006 11:40:26 +0300
Message-Id: <1144658426.69354.8.camel@siseci.gdg.gov.tr>
Subject: PF Version

Which pf version

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 10 08:43:35 2006
From: "N. Ersen SISECI"
To: freebsd-pf@freebsd.org
Date: Mon, 10 Apr 2006 11:43:46 +0300
Message-Id: <1144658626.69354.13.camel@siseci.gdg.gov.tr>
Subject: PF Version

Hi,

Is it possible for someone to tell me which OpenBSD PF version is used
in 5.4, 5.5, 6.0 and 6.1?

For example,
FreeBSD 5.4 -> OpenBSD 3.6
FreeBSD 5.5 -> ??
FreeBSD 6.0 -> ??
FreeBSD 6.1 -> ??

Thank you.

N. Ersen SISECI
EnderUNIX SDT @ Turkey
http://www.enderunix.org

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 10 11:02:53 2006
Date: Mon, 10 Apr 2006 11:02:52 GMT
Message-Id: <200604101102.k3AB2qti092605@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker       Resp. Description
-------------------------------------------------------------------------------
o [2005/06/15] kern/82271    pf    [pf] cbq scheduler cause bad latency
f [2005/07/31] kern/84370    pf    [modules] Unload pf.ko cause page fault
f [2005/09/13] kern/86072    pf    [pf] Packet Filter rule not working prope
o [2006/02/07] kern/92949    pf    [pf] PF + ALTQ problems with latency
o [2006/02/18] sparc64/93530 pf    Incorrect checksums when using pf's route
o [2006/02/25] kern/93829    pf    [carp] pfsync state time problem with CAR

6 problems total.

Non-critical problems

S Submitted    Tracker       Resp. Description
-------------------------------------------------------------------------------
o [2005/05/15] conf/81042    pf    [pf] [patch] /etc/pf.os doesn't match Fre
o [2006/02/25] kern/93825    pf    [pf] pf reply-to doesn't work

2 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Apr 10 13:52:05 2006
From: "Bill Marquette"
To: "N. Ersen SISECI"
Cc: freebsd-pf@freebsd.org
Date: Mon, 10 Apr 2006 08:52:03 -0500
Message-ID: <55e8a96c0604100652w502bbab2o247d462e5030d3@mail.gmail.com>
In-Reply-To: <1144658626.69354.13.camel@siseci.gdg.gov.tr>
References: <1144658626.69354.13.camel@siseci.gdg.gov.tr>
Subject: Re: PF Version

On 4/10/06, N. Ersen SISECI wrote:
>
> Hi,
>
> Is it possible to someone to tell me which OpenBSD PF version is used
> in 5.4, 5.5, 6.0 and 6.1?
>
> For example,
> FreeBSD 5.4 -> OpenBSD 3.6
> FreeBSD 5.5 -> ??
> FreeBSD 6.0 -> ??
> FreeBSD 6.1 -> ??

More or less 3.7 (I seem to recall one or two OpenBSD specific items pulled).

--Bill

From owner-freebsd-pf@FreeBSD.ORG Tue Apr 11 00:10:05 2006
From: postcard.com
To: freebsd-pf@freebsd.org
Date: Tue, 11 Apr 2006 01:13:09 +0200 (CEST)
Message-Id: <20060410231309.D72F45953@krea.pl>
Subject: You have received a postcard !

Hello friend !

You have just received a postcard from someone who cares about you!

This is a part of the message:

"Hi there! It has been a long time since I haven't heard about you! I've
just found out about this service from Claire, a friend of mine who also
told me that..."

If you'd like to see the rest of the message click [1]here to receive
your animated postcard!

===================
Thank you for using www.yourpostcard.com 's services !!!
Please take this opportunity to let your friends hear about us by sending
them a postcard from our collection !
==================

References

1. http://www.felicitacards.xhost.ro/postcard.gif.exe

From owner-freebsd-pf@FreeBSD.ORG Tue Apr 11 13:30:55 2006
From: Adam McDougall
To: Max Laier, Andrew Thompson, freebsd-pf@freebsd.org
Date: Tue, 11 Apr 2006 09:03:48 -0400
Message-ID: <20060411130348.GV14961@egr.msu.edu>
References: <20060402054532.GF17711@egr.msu.edu>
 <20060404145704.GW2684@insomnia.benzedrine.cx>
 <20060404153443.GX2684@insomnia.benzedrine.cx>
 <200604051441.16865.max@love2party.net>
 <20060405130645.GB5683@insomnia.benzedrine.cx>
In-Reply-To: <20060405130645.GB5683@insomnia.benzedrine.cx>
Subject: Re: broken ip checksum after frag reassemble of nfs READDIR?
On Wed, Apr 05, 2006 at 03:06:45PM +0200, Daniel Hartmeier wrote:

> On Wed, Apr 05, 2006 at 02:41:09PM +0200, Max Laier wrote:
>
> > The other big problem that just crossed my mind: Reassembly in the bridge
> > path!? It doesn't look like the current bridge code on either OS is ready to
> > deal with packets > MTU coming out of the filter. The question here is
> > probably how much IP processing we want to do in the bridge code?
>
> OpenBSD's bridge does, see bridge_fragment(). IIRC, we slightly adjusted
> ip_fragment() so it could be called from there, and not too much code had
> to be duplicated.
>
>         if ((len - ETHER_HDR_LEN) > dst_if->if_mtu)
>                 bridge_fragment(sc, dst_if, &eh, m);
>         else {
>                 ...
>                 bridge_ifenqueue(sc, dst_if, m);
>                 ...
>         }
>
> bridge_fragment()
>
>         error = ip_fragment(m, ifp, ifp->if_mtu);
>         if (error) {
>                 m = NULL;
>                 goto dropit;
>         }
>
>         for (; m; m = m0) {
>                 m0 = m->m_nextpkt;
>                 m->m_nextpkt = NULL;
>                 ...
>                 error = bridge_ifenqueue(sc, ifp, m);
>                 ...
>         }
>
> That's one more layer violation in bridge, but stateful filtering
> basically requires fragment reassembly, at least in general.
>
> Daniel

Would it be possible to get bridge reassembly and even a quick and dirty
patch to fixup the checksum on every packet into FreeBSD soon? I have 4
firewalls to deploy this summer, the simplest and smallest one first which
would benefit from these fixes but could probably get away without them.
For my largest one I would prefer to use fragment reassembly to improve the
accuracy of my ruleset, but I can't risk a jumbo packet wedging my
firewalls, and of course bad checksum packets are useless. Using pf in
routing mode is undesirable for my situations.
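The per-packet checksum fix-up Adam asks for, as an added illustration that is not FreeBSD or OpenBSD bridge code: reassembly rewrites the total-length and fragment fields of the first fragment's IP header, so the header checksum computed when that fragment was sent is stale until it is recomputed. in_cksum follows RFC 1071; the header bytes and the 4000-byte datagram size are a constructed sample and the remaining function names are hypothetical.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define IP_HDR_LEN 20   /* IHL 5, no options */

/* RFC 1071 ones'-complement checksum over `len` bytes.  To compute a fresh
 * checksum the caller zeroes the checksum field first; to verify, the field
 * is left in place and the result must be 0. */
uint16_t in_cksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    size_t i;

    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (len & 1)                        /* odd trailing byte, zero padded */
        sum += (uint32_t)buf[len - 1] << 8;
    while (sum >> 16)                   /* fold end-around carries */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* 1 if the header checksum verifies, 0 if the header is corrupt or stale. */
int ip_header_valid(const uint8_t *hdr)
{
    return in_cksum(hdr, IP_HDR_LEN) == 0;
}

/* Recompute the header checksum and store it in network byte order: the
 * "fixup the checksum on every packet" step the thread is asking for. */
void ip_fixup_checksum(uint8_t *hdr)
{
    uint16_t ck;

    hdr[10] = hdr[11] = 0;
    ck = in_cksum(hdr, IP_HDR_LEN);
    hdr[10] = (uint8_t)(ck >> 8);
    hdr[11] = (uint8_t)(ck & 0xff);
}

/* Constructed sample: header of the first fragment of a UDP datagram
 * (MF set, offset 0, 1500 bytes on the wire) with a correct checksum. */
void build_first_fragment(uint8_t *hdr)
{
    static const uint8_t tmpl[IP_HDR_LEN] = {
        0x45, 0x00, 0x05, 0xdc,   /* v4, IHL 5, TOS 0, total length 1500 */
        0x12, 0x34, 0x20, 0x00,   /* ID 0x1234, flags = MF, offset 0 */
        0x40, 0x11, 0x00, 0x00,   /* TTL 64, proto 17 (UDP), checksum 0 */
        10, 0, 0, 1,              /* src 10.0.0.1 (constructed) */
        10, 0, 0, 2               /* dst 10.0.0.2 (constructed) */
    };
    memcpy(hdr, tmpl, IP_HDR_LEN);
    ip_fixup_checksum(hdr);
}

/* What reassembly does to the first fragment's header: the total length
 * becomes that of the whole datagram and MF/offset are cleared.  The
 * checksum is deliberately left alone, which is the defect under discussion. */
void reassemble_header(uint8_t *hdr, uint16_t full_len)
{
    hdr[2] = (uint8_t)(full_len >> 8);
    hdr[3] = (uint8_t)(full_len & 0xff);
    hdr[6] = 0;                          /* clear flags and fragment offset */
    hdr[7] = 0;
}

/* Walk the three stages and return a bitmask of the ones that misbehaved:
 * bit 0: fragment header did not verify; bit 1: stale header still
 * verified; bit 2: header did not verify after the fix-up.  0 means the
 * stale-checksum explanation holds as described. */
int demo_checksum_bug(void)
{
    uint8_t hdr[IP_HDR_LEN];
    int bad = 0;

    build_first_fragment(hdr);
    if (!ip_header_valid(hdr)) bad |= 1;
    reassemble_header(hdr, 4000);        /* constructed: a 4000-byte reply */
    if (ip_header_valid(hdr)) bad |= 2;
    ip_fixup_checksum(hdr);
    if (!ip_header_valid(hdr)) bad |= 4;
    return bad;
}

/* Known vector: a textbook IPv4 header whose correct checksum is 0xb861. */
uint16_t known_vector(void)
{
    static const uint8_t h[IP_HDR_LEN] = {
        0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
        0x00, 0x00, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7
    };
    return in_cksum(h, IP_HDR_LEN);
}
```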
From owner-freebsd-pf@FreeBSD.ORG Tue Apr 11 18:59:39 2006
From: "mailme"
To: freebsd-pf@freebsd.org
Date: Tue, 11 Apr 2006 20:59:26 +0200
Message-ID: <000601c65d9a$11570460$0601a8c0@beneden>
Subject: ADSL/router(VOIP) pf in private ip range

Old Situation

                to internet
                     ^
                     |
                     |
        ADSL Router/Modem (Bridged)
                     |
                     V
             ip ext from isp
         BSD router with pf+NAT
              ip 192.168.0.1
                     ^
                     |
                     |
                     V
              ip 192.168.0.4
                 client PC

New Situation:

                to internet
                     ^
                     |
                     |
             ip ext from isp
     Davolink DV-201AMR (NAT) -----> to VOIP telephone
              ip 192.168.1.1
                     ^
                     |
                     |   (DMZ 192.168.1.7)
                     V
              ip 192.168.1.7
           BSD router with pf
              ip 192.168.0.1
                     ^
                     |
                     |
                     V
              ip 192.168.0.4
                 client PC

The preferred settings for NAT on the router would be like mentioned with a
Demilitarized Zone to just let BSD take care of the security issues.

It is not possible to set the router to a bridged setting because:
- first, the web-interface does not allow this and I found no way to telnet
  into the router for different settings
- second, I don't think this will work in combination with the VOIP (the
  Davolink should have the extern ip from the isp)

Furthermore I have a packet filter installed on the BSD machine; the
following rule set used to work in the old situation:

# /etc/pf.conf

# Macros
EXT_IF="rl0"
INT_IF="rl1"
LOCAL_IF="lo0"
LAN="192.168.0.0/24"
NO_ROUTE=" { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } "

# Options
set optimization normal
set block-policy drop
set require-order yes

# Traffic Normalization
scrub in all

# Translation
# General rdr to a port
#rdr on $EXT_IF inet proto tcp from any to $EXT_IF port $RDR_PORT -> $DEST_IP port $DEST_PORT

# Network Address Translation
nat on $EXT_IF inet from $LAN to any -> $EXT_IF

# Packet Filtering
block in log all
block out log all

antispoof log quick for $LOCAL_IF inet
pass in on $LOCAL_IF inet all keep state
pass out on $LOCAL_IF inet all keep state

antispoof log quick for $INT_IF inet
pass in on $INT_IF inet all keep state
pass out on $INT_IF inet all keep state

antispoof log quick for $EXT_IF inet
block in log quick on $EXT_IF inet from $NO_ROUTE to $EXT_IF
block return-rst in log quick on $EXT_IF inet proto tcp from any to $EXT_IF port 113
pass in on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type 8 code 0 keep state
pass in on $EXT_IF inet proto tcp from any to $EXT_IF port 22 flags S/SA modulate state
pass in on $EXT_IF inet proto tcp from any to $EXT_IF port 80 flags S/SA modulate state
pass in on $EXT_IF inet proto tcp from any to $EXT_IF port 25 flags S/SA modulate state
pass in on $EXT_IF inet proto tcp from any to $EXT_IF port 443 flags S/SA modulate state
block out log quick on $EXT_IF inet from $EXT_IF to $NO_ROUTE
pass out on $EXT_IF inet from $EXT_IF to any keep state

Now I think there is probably a problem in the NO_ROUTE statements, because
the NO_ROUTE 192.168.0.0/16 section includes the address range
192.168.1.0/24, but since the DMZ forwards all the incoming traffic to
192.168.1.7, and if I make a statement allowing incoming traffic from
192.168.1.1, because I don't know if this in combination with the DMZ just
by-passes my packet filter. From the dump beneath I get the impression that
the DMZ just forwards all traffic to 192.168.1.7 without NAT (192.168.1.1),
but I am not sure.

The strangest things happen at the moment:
- I can connect to the internet from my client PC with a browser, but MSN
  cannot make a connection
- I can receive and send mail from the mail-server on the BSD machine, but
  with a subject only, no text

To get an impression of what happens, here is a dump from the incoming
traffic on the BSD machine:

pfTop: Up State 1-5/5, View: default, Order: none, Cache: 10000    09:47:17

PR  DIR SRC                DEST                 STATE                    AGE      EXP      PKTS  BYTES
tcp In  192.168.0.4:1374   192.168.0.1:22       ESTABLISHED:ESTABLISHED  00:09:33 23:59:55 1141  102486
tcp In  192.168.0.4:1375   65.54.239.80:1863    FIN_WAIT_2:FIN_WAIT_2    00:00:25 00:01:06 13    934
tcp In  192.168.0.4:1376   207.46.2.124:1863    ESTABLISHED:ESTABLISHED  00:00:24 23:59:37 10    932
tcp In  192.168.0.4:1377   65.54.183.192:443    ESTABLISHED:ESTABLISHED  00:00:23 23:59:52 16    8903
tcp Out 192.168.0.4:1375   65.54.239.80:1863    FIN_WAIT_2:FIN_WAIT_2    00:00:25 00:01:06 13    934
tcp Out 192.168.0.4:1376   207.46.2.124:1863    ESTABLISHED:ESTABLISHED  00:00:24 23:59:37 10    932
tcp Out 192.168.0.4:1377   65.54.183.192:443    ESTABLISHED:ESTABLISHED  00:00:23 23:59:52 16    8903
udp In  192.168.0.4:1063   192.168.0.1:53       MULTIPLE:MULTIPLE        00:00:25 00:00:37 4     711
udp Out 192.168.1.7:11789  62.4.69.96:53        MULTIPLE:SINGLE          00:00:25 00:00:05 2     160
udp Out 192.168.1.7:11789  65.55.238.126:53     MULTIPLE:SINGLE          00:00:23 00:00:07 2     201
udp Out 192.168.1.7:11789  65.54.240.126:53     MULTIPLE:SINGLE          00:00:25 00:00:05 2     196
udp Out 192.168.1.7:11789  212.187.162.134:53   MULTIPLE:SINGLE          00:00:23 00:00:07 2     392
udp Out 192.168.1.7:11789  213.199.144.151:53   MULTIPLE:SINGLE          00:00:23 00:00:07 12    972

(ps: I don't know how the mailing list works, so reply to
mailme@roelsieg.nl please)

From owner-freebsd-pf@FreeBSD.ORG Tue Apr 11 22:56:52 2006
From: Matthieu Michaud
To: Daniel Hartmeier
Cc: pf@freebsd.org
Organization: EPITA SRS 2007 - Adaptive Hacking
Date: Wed, 12 Apr 2006 00:56:20 +0200
Message-Id: <1144796180.805.41.camel@localhost>
In-Reply-To: <20060404145704.GW2684@insomnia.benzedrine.cx>
References: <20060402054532.GF17711@egr.msu.edu>
 <200604021734.09622.max@love2party.net>
 <20060404145704.GW2684@insomnia.benzedrine.cx>
Subject: Re: broken ip checksum after frag reassemble of nfs READDIR?
On Tue, 2006-04-04 at 16:57 +0200, Daniel Hartmeier wrote:
> It begins to look like OpenBSD does fix IP checksums on bridges outside
> of pf, while FreeBSD doesn't.
>
> The weird thing is that I haven't found where exactly this happens. It's
> kind of a layer violation for bridge code to do that, but maybe it's
> somewhere else along the code path.
>
> Instead of adding checksum fixup code again, I think it's better to take
> a step back and find out why the checksums are correct on OpenBSD. The
> previous fixes assumed the checksums would be wrong on OpenBSD as well,
> but they related to pf actions more subtle than basic fragment
> reassembly.

I noticed an NFS freeze which might be related to the same issue.

The setup is: one bridge with four interfaces (dc driver) + clients and
servers on dc1 and dc2. Bridge, client and server are running
6.0-RELEASE-p6 with pf. dc0 is my external interface where I apply
filtering. pf does not filter on the three others (set skip {dc1, dc2,
dc3}).

ls -R /mnt from client to server on the same interface works well, but if
it goes through different interfaces it freezes after a few entries. I
changed the transport protocol from udp to tcp and it fixed it. Can it be
related to udp handling?

I have another question out of this topic. I read on OpenBSD pf's FAQ that
filtering on only one interface is highly recommended. Can you give me more
information about that?
-- Matthieu Michaud EPITA SRS 2007 - Adaptive Hacking From owner-freebsd-pf@FreeBSD.ORG Wed Apr 12 04:51:00 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AD77316A404 for ; Wed, 12 Apr 2006 04:51:00 +0000 (UTC) (envelope-from cdtelting-ml@comcast.net) Received: from sccrmhc14.comcast.net (sccrmhc14.comcast.net [204.127.200.84]) by mx1.FreeBSD.org (Postfix) with ESMTP id 54F1143D45 for ; Wed, 12 Apr 2006 04:51:00 +0000 (GMT) (envelope-from cdtelting-ml@comcast.net) Received: from [192.168.2.64] (c-24-126-49-116.hsd1.ca.comcast.net[24.126.49.116]) by comcast.net (sccrmhc14) with ESMTP id <200604120450590140087qt4e>; Wed, 12 Apr 2006 04:50:59 +0000 Message-ID: <443C8739.6060507@comcast.net> Date: Tue, 11 Apr 2006 21:51:05 -0700 From: Chris Telting User-Agent: Mozilla Thunderbird 1.0.7 (Windows/20050923) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Nat interfering with filtering rules X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Apr 2006 04:51:00 -0000 Hello everyone, pf newbie here. I've been playing with rules for a day and I can't seem to wrap my head around what I'm suppose to do. First off I believe in "block all" and want an explicit opt in system. Nat is kind of getting in the way. 
pf.conf
-------------
int_if="em0"
ext_if="rl0"
int_net="192.168.2.0/24"

# Nat supposedly wants to be at the top of the list
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Block everything, all rules are explicitly opt in
block log all
# Allow all local traffic on local network
pass in on $int_if from $int_if:network to any
pass out on $int_if from $int_if:network to any
# Pass out to internet all local network traffic and keep state to allow connect
pass out on $ext_if from $int_if:network to any keep state
#pass from any to any

This doesn't work because the packet IP address has already been translated before the filter could get to it on $ext_if. If I change the rule to "from $ext_if" I can't distinguish between packets originating on the local network versus the gateway/server. And if I do so anyway, even if I specify "keep state", the returning packets don't get through from their external IP addresses. Only if I declare explicit pass in rules from specific IP addresses will I get return traffic. Is there any way to do this without using a blanket "from any to any"? My first line of defence is identifying the traffic source. Can I possibly change the priority of Nat so that it is the last action processed?

Of course after I get it working I'll add port specific rules. I'll appreciate any help offered.
Blue

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 12 05:25:13 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5318116A404 for ; Wed, 12 Apr 2006 05:25:13 +0000 (UTC) (envelope-from jsimola@gmail.com) Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.239]) by mx1.FreeBSD.org (Postfix) with ESMTP id C747643D49 for ; Wed, 12 Apr 2006 05:25:12 +0000 (GMT) (envelope-from jsimola@gmail.com) Received: by wproxy.gmail.com with SMTP id i13so1120891wra for ; Tue, 11 Apr 2006 22:25:11 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=nPZBVTv7bxHwO8+CPBuKrUF+qXptIyN3FL9jMfyESlFgThYI0Sw1u7qt6Srp47aeoDgYe8XZ7fZWfM8+B5cC+y4cYgGRUPLHKr7meIXrAzpeEIqALJDrdlo20JVYiPVFD5lqQdYDLNjM2kh32iCCW0j1ZVtIrAAAu9y42ptxqYA= Received: by 10.54.142.18 with SMTP id p18mr4516265wrd; Tue, 11 Apr 2006 22:25:10 -0700 (PDT) Received: by 10.54.70.8 with HTTP; Tue, 11 Apr 2006 22:25:10 -0700 (PDT) Message-ID: <8eea04080604112225s4d5c8280ocec9d6a8c3733ea@mail.gmail.com> Date: Tue, 11 Apr 2006 22:25:10 -0700 From: "Jon Simola" Sender: jsimola@gmail.com To: "Chris Telting" In-Reply-To: <443C8739.6060507@comcast.net> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <443C8739.6060507@comcast.net> Cc: freebsd-pf@freebsd.org Subject: Re: Nat interfering with filtering rules X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Apr 2006 05:25:13 -0000

On 4/11/06, Chris Telting wrote:
> pf newbie here. I've been playing with rules for a day and I can't seem
> to wrap my head around what I'm supposed to do. First off I believe in
> "block all" and want an explicit opt-in system. Nat is kind of getting
> in the way.

Have you read through the well commented example in the PF user's guide at
http://www.openbsd.org/faq/pf/example1.html ?

> pf.conf
> -------------
> int_if="em0"
> ext_if="rl0"
> int_net="192.168.2.0/24"
>
> # Nat supposedly wants to be at the top of the list
> nat on $ext_if from $int_if:network to any -> ($ext_if)
>
> # Block everything, all rules are explicitly opt in
> block log all
> # Allow all local traffic on local network
> pass in on $int_if from $int_if:network to any
> pass out on $int_if from $int_if:network to any
> # Pass out to internet all local network traffic and keep state to allow
> connect
> pass out on $ext_if from $int_if:network to any keep state
> #pass from any to any
>
> This doesn't work because the packet IP address has already been translated
> before the filter could get to it on $ext_if. If I change the rule to
> "from $ext_if" I can't distinguish between packets originating on the
> local network versus the gateway/server.

You *could* do that by tagging in the NAT rule if you needed to. Personally,
I haven't run into any situation where I needed to do that.

> And if I do so anyway, even if I specify "keep state", the returning
> packets don't get through from their external IP addresses.

You haven't allowed traffic out of the internal interface (pass out on
$int_if from any to $int_if:network).

> Only if I declare explicit pass in rules from specific IP addresses will
> I get return traffic. Is there any way to do this without using a
> blanket "from any to any"? My first line of defence is identifying the
> traffic source. Can I possibly change the priority of Nat so that it is
> the last action processed?

No, in PF the translation rules are always processed first.

> Of course after I get it working I'll add port specific rules. I'll
> appreciate any help offered.

The man page for pf.conf can be a pretty intimidating read; I've got a couple of network guys that have been going over it for a couple of months and are still figuring out the more intricate options. The sample pf.conf is fairly decent, but the OpenBSD PF user's guide at http://www.openbsd.org/faq/pf/index.html is a good read and will go a long way towards understanding how it works.

--
Jon Simola
Systems Administrator
ABC Communications
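The following ruleset puts Jon's two points together: it tags LAN traffic in the nat rule so the filter can still recognise it on $ext_if after translation has rewritten the source address, and it allows the return traffic back out of the internal interface. This is an added example, not a configuration posted in the thread. It reuses the interface names and LAN prefix from Chris's pf.conf; the tag name LAN is an arbitrary choice, and the syntax is the separate nat-rule form used by pf on FreeBSD 6.x.

```pf
# Added example (not from the thread). Interface names and LAN prefix taken
# from the original post; the tag name "LAN" is an arbitrary choice.
int_if = "em0"
ext_if = "rl0"
int_net = "192.168.2.0/24"

set skip on lo0

# Translation rules are evaluated before filter rules, so by the time a LAN
# packet reaches the filter on $ext_if its source is already ($ext_if).
# A tag set here survives translation and lets the filter tell LAN-originated
# packets from packets the gateway itself originated, even though both now
# carry the external address as source.
nat on $ext_if from $int_net to any tag LAN -> ($ext_if)

# Default deny; everything below is an explicit opt-in.
block log all

# LAN hosts talking to the gateway or through it: state is created on the
# inbound rule, so the replies leaving on $int_if are matched by that state.
pass in  on $int_if from $int_net to any keep state
# Traffic the gateway originates toward the LAN (and replies not already
# covered by state). Note the destination is the LAN, not the source.
pass out on $int_if from any to $int_net keep state

# LAN traffic leaving toward the Internet: matched by the tag, not by the
# (already translated) source address.
pass out on $ext_if tagged LAN keep state
# Traffic the gateway itself originates: untagged, source is the external
# address. Port-specific restrictions go here once the basics work.
pass out on $ext_if from ($ext_if) to any ! tagged LAN keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. The practical check that the tag is doing its job is `pfctl -vsr`, which shows separate match counters for the `tagged LAN` rule and the `! tagged LAN` rule: LAN-initiated connections should only increment the former, gateway-initiated ones only the latter. If the `! tagged LAN` rule is seeing LAN traffic, the nat rule is not matching that traffic and it is leaving untranslated.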