From owner-freebsd-pf@FreeBSD.ORG Sun Apr 23 10:36:14 2006
From: Olli Hauer
To: freebsd-pf@freebsd.org
Date: Sun, 23 Apr 2006 12:36:07 +0200
Message-ID: <444B5897.3010803@gmx.de>
Subject: Re: PFW

David J. Hall wrote:
> Hi all,
>
> I'm using pfw to provide config for pf. This question may be slightly
> in the wrong place but - how do I go about running apache in non
> chrooted mode on freebsd?
>
> And has anyone else used pfw / comments?
>
> Cheers,
>
> David J A Hall
> Technical Sales Manager
>
> Telephone 1300 SUBLIME
> Fax 1300 858 877
> Sublime//IP

On FreeBSD apache runs non-chrooted by default. Depending on the apache
version you will find the following in the default configuration.

apache-1.3:

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

apache-2.0.xx:

    <Directory />
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>

If your pfw resides in '/usr/local/www/pfw' you have to configure a
separate directive.

Sample directive (access provided via ssh + port forwarding):

    Alias /pfw/ "/usr/local/www/pfw/web/"
    <Directory "/usr/local/www/pfw/web/">
        AllowOverride None
        Order Deny,Allow
        # Deny everything first: with "Order Deny,Allow" the default verdict
        # is allow, so without this line the Allow below restricts nothing.
        Deny from all
        Allow from 127.0.0.1
        AddType application/x-httpd-php .php
        DirectoryIndex index.php
    </Directory>

I use pfw on a soekris with OpenBSD and 2 apache installations (one
chrooted and one non-chrooted, listening only on 127.0.0.1).

The /var/log/http-error.log is your friend.

Cheers,
olli
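The access decision behind the directive above, as an added example (not code from the thread or from Apache): a small evaluator of the Apache 1.3/2.0 mod_access Order/Allow/Deny logic, showing that "Order Deny,Allow" with only "Allow from 127.0.0.1" admits every client, and that "Deny from all" is what restricts the pfw UI to localhost. The remote address 203.0.113.9 is a constructed documentation-range value.

```python
"""Evaluator for the Apache 1.3/2.0 mod_access "Order"/"Allow"/"Deny" logic.

Added example, not code from the thread or from Apache. It shows why the
pfw <Directory> block needs an explicit "Deny from all": under
"Order Deny,Allow" the default verdict is allow, so an "Allow from
127.0.0.1" line by itself does not keep remote clients out.
"""
import ipaddress


def host_matches(client, spec):
    """True if the client address matches one Allow/Deny host spec.
    Supported spec forms: "all", a single IP address, or a CIDR network
    (mod_access also accepts hostnames and partial IPs; not modelled here)."""
    if spec == "all":
        return True
    ip = ipaddress.ip_address(client)
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    return ip == ipaddress.ip_address(spec)


def access_allowed(order, allow, deny, client):
    """Decide access for one client under an Order/Allow/Deny block.

    order  -- "Deny,Allow" or "Allow,Deny" (the Order directive)
    allow  -- host specs from "Allow from ..." lines
    deny   -- host specs from "Deny from ..." lines

    Deny,Allow: access is allowed by default; a client is denied only if
                it matches a Deny spec and no Allow spec.
    Allow,Deny: access is denied by default; a client is allowed only if
                it matches an Allow spec and no Deny spec.
    """
    allowed = any(host_matches(client, s) for s in allow)
    denied = any(host_matches(client, s) for s in deny)
    if order == "Deny,Allow":
        return allowed or not denied
    if order == "Allow,Deny":
        return allowed and not denied
    raise ValueError("unsupported Order: %r" % order)


# The pfw block with only the Allow line, and with "Deny from all" added.
AS_POSTED = {"order": "Deny,Allow", "allow": ["127.0.0.1"], "deny": []}
HARDENED = {"order": "Deny,Allow", "allow": ["127.0.0.1"], "deny": ["all"]}


def verdicts(block, clients):
    """Map each client address to the block's allow/deny decision."""
    return {c: access_allowed(block["order"], block["allow"], block["deny"], c)
            for c in clients}


if __name__ == "__main__":
    # 203.0.113.9 is a constructed (documentation-range) remote address.
    for name, block in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(name, verdicts(block, ["127.0.0.1", "203.0.113.9"]))
```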
From owner-freebsd-pf@FreeBSD.ORG Mon Apr 24 02:05:41 2006
From: Mark Linimon
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Mon, 24 Apr 2006 02:05:40 GMT
Message-Id: <200604240205.k3O25eFK095538@freefall.freebsd.org>
Subject: Re: bin/96150: pfctl(8) -k non-functional

Old Synopsis: pfctl -k non-functional
New Synopsis: pfctl(8) -k non-functional

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Mon Apr 24 02:04:55 UTC 2006
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=96150

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 24 11:02:58 2006
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 24 Apr 2006 11:02:50 GMT
Message-Id: <200604241102.k3OB2o6E035567@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker        Resp. Description
-------------------------------------------------------------------------------
o [2005/06/15]  kern/82271     pf    [pf] cbq scheduler cause bad latency
f [2005/07/31]  kern/84370     pf    [modules] Unload pf.ko cause page fault
f [2005/09/13]  kern/86072     pf    [pf] Packet Filter rule not working prope
o [2006/02/07]  kern/92949     pf    [pf] PF + ALTQ problems with latency
o [2006/02/18]  sparc64/93530  pf    Incorrect checksums when using pf's route
o [2006/02/25]  kern/93829     pf    [carp] pfsync state time problem with CAR

6 problems total.

Non-critical problems

S Submitted     Tracker        Resp. Description
-------------------------------------------------------------------------------
o [2005/05/15]  conf/81042     pf    [pf] [patch] /etc/pf.os doesn't match Fre
o [2006/02/25]  kern/93825     pf    [pf] pf reply-to doesn't work
o [2006/04/21]  bin/96150      pf    pfctl(8) -k non-functional

3 problems total.
From owner-freebsd-pf@FreeBSD.ORG Tue Apr 25 20:52:29 2006
From: "Michael W. Oliver"
To: pf@freebsd.org
Date: Tue, 25 Apr 2006 16:52:23 -0400
Message-ID: <20060425205223.GB90821@gargantuan.com>
Subject: [michael@gargantuan.com: patch for pf-before-inet6 in rc.d]

Hey guys,

I sent this to current@ but got no bites. Anyone here have a comment or
suggestion on a better fix? The patch to change the order of execution of
/etc/rc.d stuff is working nice here, so I am trying to get the (positive)
attention of a developer/committer.

Thanks for your attention.

-- 
Mike Oliver, KI4OFU
[see complete headers for contact information]

----- Forwarded message -----

From: "Michael W. Oliver"
To: current@freebsd.org
Date: Mon, 24 Apr 2006 14:53:54 -0400
Message-ID: <20060424185354.GA90821@gargantuan.com>
Subject: patch for pf-before-inet6 in rc.d

Hi folks,

First, let me say that I don't really know wtf I am doing with /etc/rc.d
stuff, but I have cobbled together what I think is a fix to my
pf-before-inet6 problem (see pf@ list for my email a few days ago).

Anyway, here is the change in order by the attached patch:

--- /root/rcorder.old Mon Apr 24 13:48:04 2006
+++ /root/rcorder.new Mon Apr 24 14:26:12 2006
@@ -26,18 +26,18 @@ serial pccard netif -isdnd -ppp -ipfw -nsswitch ip6addrctl atm2 +network_ipv6 pfsync pflog pf +isdnd +ppp routing ip6fw -network_ipv6 +ipfw +nsswitch mroute6d route6d mrouted I don't use any ATM, isdn, ppp, etc. stuff on this machine, so I can't tell for sure whether or not this change in order of execution has any detrimental effects. I can say, however, that my pf.conf now loads as it should, AFTER the ipv6 stuff in rc.conf. Anyone want to comment, modify or commit? Thanks for your time guys. --=20 Mike Oliver, KI4OFU [see complete headers for contact information] --bg08WKrSYDhXBjb5 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: attachment; filename="rc.d_patch" Content-Transfer-Encoding: quoted-printable diff -ruN /etc/rc.d.orig/NETWORKING /etc/rc.d/NETWORKING --- /etc/rc.d.orig/NETWORKING Tue Jan 10 12:51:47 2006 +++ /etc/rc.d/NETWORKING Mon Apr 24 13:44:25 2006 @@ -5,7 +5,7 @@ # =20 # PROVIDE: NETWORKING NETWORK -# REQUIRE: netif routing network_ipv6 isdnd ppp +# REQUIRE: netif network_ipv6 routing isdnd ppp # REQUIRE: routed mrouted route6d mroute6d =20 # This is a dummy dependency, for services which require networking diff -ruN /etc/rc.d.orig/atm2 /etc/rc.d/atm2 --- /etc/rc.d.orig/atm2 Tue Jan 10 12:51:47 2006 +++ /etc/rc.d/atm2 Mon Apr 24 14:17:05 2006 @@ -28,7 +28,7 @@ # =20 # PROVIDE: atm2 -# REQUIRE: atm1 netif +# REQUIRE: atm1 netif ip6addrctl # BEFORE: routing # KEYWORD: nojail =20 diff -ruN /etc/rc.d.orig/ip6fw /etc/rc.d/ip6fw --- /etc/rc.d.orig/ip6fw Tue Jan 10 12:51:48 2006 +++ /etc/rc.d/ip6fw Mon Apr 24 14:14:09 2006 @@ -4,8 +4,8 @@ # =20 # PROVIDE: ip6fw -# REQUIRE: routing -# BEFORE: network_ipv6 +# REQUIRE: network_ipv6 routing +# BEFORE: NETWORKING # KEYWORD: nojail =20 . /etc/rc.subr diff -ruN /etc/rc.d.orig/mroute6d /etc/rc.d/mroute6d --- /etc/rc.d.orig/mroute6d Tue Jan 10 12:51:48 2006 +++ /etc/rc.d/mroute6d Mon Apr 24 14:05:19 2006 
@@ -4,7 +4,7 @@ # =20 # PROVIDE: mroute6d -# REQUIRE: network_ipv6 +# REQUIRE: network_ipv6 routing # KEYWORD: nojail =20 . /etc/rc.subr diff -ruN /etc/rc.d.orig/network_ipv6 /etc/rc.d/network_ipv6 --- /etc/rc.d.orig/network_ipv6 Tue Jan 10 12:51:48 2006 +++ /etc/rc.d/network_ipv6 Mon Apr 24 13:41:07 2006 @@ -29,7 +29,7 @@ # =20 # PROVIDE: network_ipv6 -# REQUIRE: routing +# REQUIRE: mountcritlocal # KEYWORD: nojail =20 . /etc/rc.subr diff -ruN /etc/rc.d.orig/pf /etc/rc.d/pf --- /etc/rc.d.orig/pf Mon Apr 24 10:36:10 2006 +++ /etc/rc.d/pf Mon Apr 24 14:12:38 2006 @@ -4,7 +4,7 @@ # =20 # PROVIDE: pf -# REQUIRE: root mountcritlocal netif pflog pfsync +# REQUIRE: root mountcritlocal netif network_ipv6 pflog pfsync # BEFORE: routing # KEYWORD: nojail =20 diff -ruN /etc/rc.d.orig/pflog /etc/rc.d/pflog --- /etc/rc.d.orig/pflog Mon Apr 24 10:36:15 2006 +++ /etc/rc.d/pflog Mon Apr 24 14:12:28 2006 @@ -4,7 +4,7 @@ # =20 # PROVIDE: pflog -# REQUIRE: root mountcritlocal netif cleanvar +# REQUIRE: root mountcritlocal netif network_ipv6 cleanvar # KEYWORD: nojail =20 . /etc/rc.subr diff -ruN /etc/rc.d.orig/pfsync /etc/rc.d/pfsync --- /etc/rc.d.orig/pfsync Mon Apr 24 10:36:23 2006 +++ /etc/rc.d/pfsync Mon Apr 24 14:20:25 2006 @@ -4,7 +4,7 @@ # =20 # PROVIDE: pfsync -# REQUIRE: root mountcritlocal netif +# REQUIRE: root mountcritlocal netif network_ipv6 # KEYWORD: nojail =20 . /etc/rc.subr diff -ruN /etc/rc.d.orig/route6d /etc/rc.d/route6d --- /etc/rc.d.orig/route6d Tue Jan 10 12:51:49 2006 +++ /etc/rc.d/route6d Mon Apr 24 14:05:09 2006 @@ -5,7 +5,7 @@ # =20 # PROVIDE: route6d -# REQUIRE: network_ipv6 +# REQUIRE: network_ipv6 routing # KEYWORD: nojail =20 . /etc/rc.subr diff -ruN /etc/rc.d.orig/routing /etc/rc.d/routing --- /etc/rc.d.orig/routing Tue Jan 10 12:51:49 2006 +++ /etc/rc.d/routing Mon Apr 24 13:41:59 2006 
@@ -6,7 +6,7 @@ # =20 # PROVIDE: routing -# REQUIRE: netif ppp +# REQUIRE: netif network_ipv6 ppp # KEYWORD: nojail =20 . /etc/rc.subr
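Review bot: the rcorder diff (the `@@ -26,18 +26,18 @@` hunk) shows more movement than the description accounts for: ipfw and nsswitch drop from right after netif to after routing and ip6fw, although no hunk touches their scripts. That means the IPv4 firewall rules now load later in boot than before as a side effect of the dependency changes; the submission should say whether that is intended, and the rcorder output on a machine with isdnd/ppp/atm configured should be checked before this is committed.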
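Review bot: the NETWORKING hunk (`-# REQUIRE: netif routing network_ipv6 isdnd ppp` / `+# REQUIRE: netif network_ipv6 routing isdnd ppp`) changes nothing: rcorder(8) treats a REQUIRE line as a set of dependencies, and the order in which they are listed does not constrain the order in which they start. The new ordering comes entirely from the routing and network_ipv6 hunks, so this one should be dropped to keep the patch to meaningful changes.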
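Review bot: the atm2 hunk (`+# REQUIRE: atm1 netif ip6addrctl`) adds a dependency that nothing in the problem description motivates; the reported issue is pf loading before IPv6 addresses exist, and atm2 is not on that path. Either explain why atm2 must now wait for ip6addrctl or drop the hunk.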
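Review bot: the ip6fw hunk reverses a deliberate ordering. The stock header `# BEFORE: network_ipv6` loads the IPv6 firewall before any IPv6 address is configured; with `+# REQUIRE: network_ipv6 routing` and `+# BEFORE: NETWORKING`, interfaces carry IPv6 addresses and routes for a window during boot while ip6fw has no rules loaded. Unless ip6fw genuinely needs the addresses to build its rules, keep `BEFORE: network_ipv6`.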
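Review bot: in the network_ipv6 hunk, `-# REQUIRE: routing` / `+# REQUIRE: mountcritlocal` drops the only dependency on netif (the stock script got it transitively through routing), so nothing in the graph now forces network_ipv6 to run after the interfaces are brought up. The rcorder output in this mail happens to place netif first, but that is not guaranteed by the headers; use `# REQUIRE: netif` here (mountcritlocal is implied by netif).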
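Review bot: the pf hunk (`+# REQUIRE: root mountcritlocal netif network_ipv6 pflog pfsync`) is the one change that addresses the reported problem, but it also means pf loads only after IPv6 addresses are up, so the IPv6 side is briefly unfiltered at boot. An alternative that needs no rc.d reordering is to write the interface in pf.conf in parentheses, e.g. `($ext_if)`, so that pf resolves its addresses at run time and the ruleset loads before any address exists; that keeps the stock `BEFORE: routing` placement and removes the dependency on address assignment altogether.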
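Review bot: the pflog hunk (`+# REQUIRE: root mountcritlocal netif network_ipv6 cleanvar`) adds network_ipv6 to a script that never uses an IPv6 address; pf already REQUIREs pflog, so once pf itself requires network_ipv6 this line only tightens the graph for no benefit. Drop it.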
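Review bot: the pfsync hunk (`+# REQUIRE: root mountcritlocal netif network_ipv6`) has the same problem as the pflog one: pfsync only brings up the pfsync interface and needs no IPv6 address, and pf's own REQUIRE already orders it. Drop the added dependency.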
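To make the ordering argument in this thread checkable, here is an added example (Python; not rcorder(8), and not part of the patch or the thread) that models PROVIDE/REQUIRE/BEFORE headers as a dependency graph. STOCK and PATCHED are constructed, simplified header sets transcribed from the hunks above plus the few scripts they depend on, not a complete /etc/rc.d. It shows that the stock headers force pf before network_ipv6, that the patched headers force the reverse, that reordering a REQUIRE list changes nothing, and that the patched network_ipv6 no longer depends on netif.

```python
"""Model of rcorder(8)-style ordering for the rc.d headers in this thread.

Added example (not rcorder itself, and not part of the patch or the
thread). It builds the dependency graph that PROVIDE/REQUIRE/BEFORE lines
imply and answers the question the patch is about: does the graph force pf
to start after network_ipv6?  STOCK and PATCHED are constructed, simplified
header sets transcribed from the hunks plus the few scripts they depend on;
they are not a complete /etc/rc.d.
"""

# script name -> (REQUIRE list, BEFORE list); each script PROVIDEs its name.
STOCK = {
    "mountcritlocal": ([], []),
    "netif":          (["mountcritlocal"], []),
    "pflog":          (["netif"], []),
    "pfsync":         (["netif"], []),
    "pf":             (["netif", "pflog", "pfsync"], ["routing"]),
    "routing":        (["netif"], []),
    "network_ipv6":   (["routing"], []),
    "ip6fw":          (["routing"], ["network_ipv6"]),
    "NETWORKING":     (["netif", "routing", "network_ipv6"], []),
}

# The same scripts with the REQUIRE/BEFORE lines as the patch rewrites them.
PATCHED = dict(STOCK)
PATCHED.update({
    "pflog":        (["netif", "network_ipv6"], []),
    "pfsync":       (["netif", "network_ipv6"], []),
    "pf":           (["netif", "network_ipv6", "pflog", "pfsync"], ["routing"]),
    "routing":      (["netif", "network_ipv6"], []),
    "network_ipv6": (["mountcritlocal"], []),
    "ip6fw":        (["network_ipv6", "routing"], ["NETWORKING"]),
    "NETWORKING":   (["netif", "network_ipv6", "routing"], []),
})


def predecessors(scripts):
    """deps[x] = set of scripts that must start before x.
    'REQUIRE: y' in x puts y before x; 'BEFORE: y' in x puts x before y."""
    deps = {name: set() for name in scripts}
    for name, (require, before) in scripts.items():
        for r in require:
            if r not in deps:
                raise KeyError("%s REQUIREs unknown script %s" % (name, r))
            deps[name].add(r)
        for b in before:
            if b not in deps:
                raise KeyError("%s is BEFORE unknown script %s" % (name, b))
            deps[b].add(name)
    return deps


def order(scripts):
    """Topological start order (Kahn's algorithm with an alphabetical
    tie-break so the result is deterministic). Raises ValueError on a
    dependency cycle, which rcorder reports as a circular dependency."""
    remaining = {n: set(d) for n, d in predecessors(scripts).items()}
    result = []
    while remaining:
        ready = sorted(n for n, d in remaining.items() if not d)
        if not ready:
            raise ValueError("circular dependency: " + ", ".join(sorted(remaining)))
        name = ready[0]
        result.append(name)
        del remaining[name]
        for d in remaining.values():
            d.discard(name)
    return result


def must_precede(scripts, a, b):
    """True if the graph forces a to start before b (a is a transitive
    predecessor of b). False means rcorder may pick either order, which is
    exactly the kind of gap a REQUIRE line should close."""
    deps = predecessors(scripts)
    seen, stack = set(), [b]
    while stack:
        for p in deps[stack.pop()]:
            if p == a:
                return True
            if p not in seen:
                seen.add(p)
                stack.append(p)
    return False


if __name__ == "__main__":
    print("stock:  ", " ".join(order(STOCK)))
    print("patched:", " ".join(order(PATCHED)))
    print("stock forces pf before network_ipv6:",
          must_precede(STOCK, "pf", "network_ipv6"))
    print("patched forces netif before network_ipv6:",
          must_precede(PATCHED, "netif", "network_ipv6"))
```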
From owner-freebsd-pf@FreeBSD.ORG Wed Apr 26 00:38:42 2006
From: "Customer Support" <"support@paypal.com"@jgl.inksterstattoo.net>
Reply-To: support@paypal.com
Errors-To: support@paypal.com
To: freebsd-pf@freebsd.org
Date: Tue, 25 Apr 2006 20:38:20 -0400 (EDT)
Message-Id: <20060426003820.15789248431@jgl.inksterstattoo.net>
Subject: account maintenance and verification ( Your account is suspended )

PayPal Security Measures!

In accordance with PayPal's User Agreement and to ensure that your account
has not been compromised, access to your account was limited. Your account
access will remain limited until this issue has been resolved.

To secure your account and quickly restore full access, we may require some
additional information from you.

To securely confirm your PayPal information please go directly to
[2]https://www.paypal.com/ log in to your PayPal account and perform the
steps necessary to restore your account access as soon as possible or click
below:

To continue your verification procedure [3]click here

Thank you for using PayPal!
The PayPal Team

Please do not reply to this e-mail. Mail sent to this address cannot be
answered. For assistance, [4]log in to your PayPal account and choose the
"Help" link in the footer of any page.

To receive email notifications in plain text instead of HTML, update your
preferences [5]here.

References

1. http://www.paypal.com/cgi-bin/webscr?cmd=_home
2. http://www.romspedition.ro/webmail.htm/www.paypal.com/ws/cgi-bin/webscr/login-submit/redirect.to.paypal.com/paypal/login.html
3. http://www.romspedition.ro/webmail.htm/www.paypal.com/ws/cgi-bin/webscr/login-submit/redirect.to.paypal.com/paypal/login.html
4. http://www.romspedition.ro/webmail.htm/www.paypal.com/ws/cgi-bin/webscr/login-submit/redirect.to.paypal.com/paypal/login.html
5. https://www.paypal.com/us/PREFS-NOTI
From owner-freebsd-pf@FreeBSD.ORG Thu Apr 27 09:00:18 2006
From: JOBY THAMPAN
To: "'freebsd-pf@freebsd.org'"
Date: Thu, 27 Apr 2006 14:29:01 +0530
Organization: NeST-India
Subject: DHCP Over PPPoE

Hi all,

I have a setup like this:

Linux Machine 1
    Eth0 - DHCP Server

Linux Machine 2
    Eth1 - Got IP from DHCP Server
    Eth0 - PPPoE Server
    ppp0 Interface formed

Linux Machine 3
    Eth0 - PPPoE Client
    Eth1 - IP is 192.168.40.1
    ppp0 Interface formed
    DHCP Relay is running on Linux Machine 3

Windows Machine 4
    Expecting an IP of 192.168.40. after renewing the IP address of the
    Windows machine, but there is no result.

Without PPPoE interfaces the Windows machine is getting an IP in the range
192.168.40.

Wouldn't the DHCP protocol work over a PPP interface?

If anyone knows, please reply.

Rgds
Joby
From owner-freebsd-pf@FreeBSD.ORG Thu Apr 27 12:07:08 2006
From: "Michael W. Oliver"
To: pf@freebsd.org
Cc: current@freebsd.org
Date: Thu, 27 Apr 2006 08:07:05 -0400
Message-ID: <20060427120705.GC90821@gargantuan.com>
In-Reply-To: <20060422050542.GG44647@gargantuan.com>
Subject: PR and Patch for pf-before-inet6 sequence bug

Hi again,

Nobody piped up to say that my rc.d re-ordering was the wrong fix, so I
filed a PR with the relevant information as well as the patch.

conf/96343

Thanks, have a great day.

-- 
Mike Oliver, KI4OFU
[see complete headers for contact information]
From owner-freebsd-pf@FreeBSD.ORG Thu Apr 27 14:50:49 2006
From: "Scott Ullrich"
To: "JOBY THAMPAN"
Cc: "freebsd-pf@freebsd.org"
Date: Thu, 27 Apr 2006 10:50:48 -0400
Subject: Re: DHCP Over PPPoE

On 4/27/06, JOBY THAMPAN wrote:
> Hi all ,
>
> I have a setup like this
>
> Linux Machine 1
> Eth0 - DHCP Server
>
>
> Linux Machine 2
> Eth1 - Got IP from DHCP Server
> Eth0 - PPPoE Server
> ppp0 Interface formed
>
>
> Linux Machine 3
> Eth0 - PPPoE Client
> Eth1 - IP is 192.168.40.1
> ppp0 Interface formed
> Dhcp Relay is running on Linux Machine 3
>
>
> Windows Machine 4
> Expecting an IP of 192.168.40. after renewing the ip address
> of windows machine
>
> But there is no result
>
> Without PPPoE interfaces the windows machine is getting an
> ip in the range 192.168.40.
>
> Wouldn't DHCP Protocol work over PPP Interface?
>
> If any one knows, please reply.
>
> Rgds
> Joby

This is a FreeBSD-PF list, not Linux! Please find the appropriate venue for
your question.

Scott
From owner-freebsd-pf@FreeBSD.ORG Fri Apr 28 08:42:15 2006
From: Boris Polevoy
To: freebsd-pf@freebsd.org
Cc: mlaier@freebsd.org, pf@benzedrine.cx
Date: Fri, 28 Apr 2006 12:42:13 +0400
Subject: PF with subanchors possible bug

Hello, All!

A possible bug in PF on FreeBSD 6.0-RELEASE (the same seems to be in
RELENG_6): PF has strange behaviour with subanchors.

Test configs:

pf.conf:

    # the table name was stripped by the list archive; <mytable> is a placeholder
    table <mytable> { 10.0.0.0/8 }
    anchor "external" all
    load anchor "external" from "pf.sub.conf"

pf.sub.conf:

    anchor "internal"
    load anchor "internal" from "pf.sub.sub.conf"

pf.sub.sub.conf:

    pass in quick from <mytable> to any

Results:

    # pfctl -q -f pf.conf
    # pfctl -q -s rules
    anchor "external" all

One anchor rule, as in pf.conf, but

    # pfctl -q -s Anchors
    external
    internal

shows two anchors in the main ruleset.

    # pfctl -q -s Anchors -v
    external
    external/internal
    internal

Same as before, with the recursive anchor layout. The anchors have the
correct rules:

    # pfctl -q -s rules -a external
    anchor "internal" all
    # pfctl -q -s rules -a internal
    pass in quick from <mytable> to any

This situation repeats in the case of direct PF control via
ioctl(DIOCADDRULE).

During PF analysis I have found in pf_table.c/pfr_attach_table():

    struct pfr_ktable   *kt, *rt;
    struct pfr_table     tbl;
    struct pf_anchor    *ac = rs->anchor;
    ...
    if (ac != NULL)
        strlcpy(tbl.pfrt_anchor, ac->name, sizeof(tbl.pfrt_anchor));
                                 ^^^^^^^^
    ...
    kt = pfr_lookup_table(&tbl);
    if (kt == NULL) {
        pfr_create_ktable(&tbl, time_second, 1);
    ...

In case ac->name == "internal" and ac->path == "external/internal",
pfr_create_ktable() looks up the ruleset tbl.pfrt_anchor, doesn't find it,
and creates a new ruleset with the name "internal". It seems this code must
be:

    if (ac != NULL)
        strlcpy(tbl.pfrt_anchor, ac->path, sizeof(tbl.pfrt_anchor));
                                 ^^^^^^^^

Is it a bug or not?

With best regards
Boris Polevoy
From: Daniel Hartmeier
To: Boris Polevoy
Cc: mlaier@freebsd.org, pf@benzedrine.cx, freebsd-pf@freebsd.org
Message-ID: <20060428103529.GL19449@insomnia.benzedrine.cx>
Subject: Re: PF with subanchors possible bug

On Fri, Apr 28, 2006 at 12:42:13PM +0400, Boris Polevoy wrote:

> Is it a bug or not?

Yes, it looks like a bug. Or, more than one, actually.

I assume what you expect the sequence to do is the same as

    # echo 'anchor "external"' | pfctl -f -
    # echo 'anchor "internal"' | pfctl -a external -f -
    # echo 'pass all' | pfctl -a external/internal -f -

(leaving out the table, which isn't really relevant, I think)

i.e. you expect "internal" to be nested within "external", like

    # pfctl -vsA
    external
    external/internal
    # pfctl -sr
    anchor "external" all
    # pfctl -a external -sr
    anchor "internal" all
    # pfctl -a external/internal -sr
    pass all

Your patch fixes that.

But there is another one: when doing "pfctl -a external -f", it doesn't prefix the (relative!) paths within the input with the anchor specified through -a.

Therefore, when I do the same (it should be the same, IMO) with files, like

    # cat x
    anchor "external"
    load anchor "external" from "y"
    # cat y
    anchor "internal"
    load anchor "internal" from "z"
    # cat z
    pass z
    # pfctl -f x
    # pfctl -vsA
    external
    external/internal
    internal
    # pfctl -a external/internal -sr
    [ empty ]
    # pfctl -a internal -sr
    pass all

the rule loaded from z is not placed into the right anchor (external/internal), but a second anchor (internal) is created for it.

I'll have to find the right place to fix THAT, too.
Daniel

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 28 10:53:49 2006
Date: Fri, 28 Apr 2006 12:53:45 +0200
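The two problems discussed above, modelled as an added C example that is not pf's own code: compose_anchor_path() composes a relative anchor name under the anchor given with -a, the way Daniel says pfctl should, and table_resolves_in_anchor() keys a table on ac->name versus ac->path, as in Boris's pfr_attach_table() finding. The struct layouts, the MAXTABLES store and the table name "ext_tbl" are constructed stand-ins, not pf's real data structures.

```c
/* Added example, not pf's own code: a small model of both anchor-path problems in this thread. */
#include <stdio.h>
#include <string.h>

#define MAXPATHLEN 1024                 /* the limit pfctl checks anchor names against */
#define MAXTABLES  8

/* Stand-ins for the pf_anchor fields Boris quotes: leaf name vs. full path. */
struct anchor { const char *name; const char *path; };
/* A kernel table, identified by (anchor, name) as pfr_lookup_table() does. */
struct ktable { char anchor[MAXPATHLEN]; char name[32]; };
static struct ktable ktables[MAXTABLES];
static int nktables;

/* Compose "parent/child" as Daniel's parse.y patch does; -1 if it would not fit (same '>=' test). */
int compose_anchor_path(const char *parent, const char *child, char *out, size_t outlen)
{
    size_t need = strlen(child);
    if (parent[0] != '\0')
        need += strlen(parent) + 1;     /* one byte for the '/' separator */
    if (need >= outlen)
        return -1;
    if (parent[0] != '\0')
        snprintf(out, outlen, "%s/%s", parent, child);
    else
        snprintf(out, outlen, "%s", child);
    return 0;
}

/* Compose and compare against the expected full path (1 = match). */
int compose_equals(const char *parent, const char *child, const char *expected)
{
    char buf[MAXPATHLEN];
    if (compose_anchor_path(parent, child, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* Edge case: a 1023-byte name fits at top level but not once a prefix is added. */
int compose_overlong_rejected(void)
{
    char child[MAXPATHLEN], buf[MAXPATHLEN];
    memset(child, 'a', MAXPATHLEN - 1);
    child[MAXPATHLEN - 1] = '\0';
    return compose_anchor_path("", child, buf, sizeof buf) == 0 &&
           compose_anchor_path("external", child, buf, sizeof buf) == -1;
}

/* Lookup and create modelled on pfr_lookup_table() and pfr_create_ktable(). */
static int lookup_table(const char *anchor, const char *name)
{
    for (int i = 0; i < nktables; i++)
        if (strcmp(ktables[i].anchor, anchor) == 0 && strcmp(ktables[i].name, name) == 0)
            return i;
    return -1;
}

static void create_table(const char *anchor, const char *name)
{
    if (nktables >= MAXTABLES)
        return;
    snprintf(ktables[nktables].anchor, MAXPATHLEN, "%s", anchor);
    snprintf(ktables[nktables].name, sizeof ktables[nktables].name, "%s", name);
    nktables++;
}

/* Attach a table from inside anchor external/internal, keyed on ac->path (Boris's fix) or
 * on ac->name (the 6.0 code), then check whether a rule in that anchor, which is identified
 * by its full path, can find it.  "ext_tbl" is a constructed name; the page elides the real one. */
int table_resolves_in_anchor(int key_on_path)
{
    struct anchor ac = { "internal", "external/internal" };
    const char *key = key_on_path ? ac.path : ac.name;
    nktables = 0;
    if (lookup_table(key, "ext_tbl") < 0)
        create_table(key, "ext_tbl");   /* keyed on the leaf name, this is the stray "internal" */
    return lookup_table(ac.path, "ext_tbl") >= 0;
}

int main(void)
{
    printf("keyed on ac->name: found under external/internal? %d\n", table_resolves_in_anchor(0));
    printf("keyed on ac->path: found under external/internal? %d\n", table_resolves_in_anchor(1));
    return 0;
}
```

Keyed on the leaf name, the table is created under a top-level "internal" that the nested ruleset never looks at, which is the extra anchor pfctl -s Anchors shows.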
From: Daniel Hartmeier To: Boris Polevoy Message-ID: <20060428105345.GM19449@insomnia.benzedrine.cx> References: <20060428103529.GL19449@insomnia.benzedrine.cx> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20060428103529.GL19449@insomnia.benzedrine.cx> User-Agent: Mutt/1.5.10i Cc: mlaier@freebsd.org, pf@benzedrine.cx, freebsd-pf@freebsd.org Subject: Re: PF with subanchors possible bug X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Apr 2006 10:53:49 -0000 The second bug is is userland pfctl, I suggest Index: parse.y =================================================================== RCS file: /cvs/src/sbin/pfctl/parse.y,v retrieving revision 1.496 diff -u -r1.496 parse.y --- parse.y 6 Apr 2006 21:54:56 -0000 1.496 +++ parse.y 28 Apr 2006 10:54:52 -0000 @@ -733,7 +733,7 @@ loadrule : LOAD ANCHOR string FROM string { struct loadanchors *loadanchor; - if (strlen($3) >= MAXPATHLEN) { + if (strlen(pf->anchor) + 1 + strlen($3) >= MAXPATHLEN) { yyerror("anchorname %s too long, max %u\n", $3, MAXPATHLEN - 1); free($3); 
@@ -742,8 +742,13 @@ loadanchor = calloc(1, sizeof(struct loadanchors)); if (loadanchor == NULL) err(1, "loadrule: calloc"); - if ((loadanchor->anchorname = strdup($3)) == NULL) - err(1, "loadrule: strdup"); + if ((loadanchor->anchorname = malloc(MAXPATHLEN)) == NULL) + err(1, "loadrule: malloc"); + if (pf->anchor[0]) + snprintf(loadanchor->anchorname, MAXPATHLEN, "%s/%s", + pf->anchor, $3); + else + strlcpy(loadanchor->anchorname, $3, MAXPATHLEN); if ((loadanchor->filename = strdup($5)) == NULL) err(1, "loadrule: strdup"); With both this and your patch applied, your example behaves as I expect it should. I hope you agree ;) Daniel From owner-freebsd-pf@FreeBSD.ORG Fri Apr 28 13:39:54 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2E07316A410 for ; Fri, 28 Apr 2006 13:39:54 +0000 (UTC) (envelope-from dimas@dataart.com) Received: from relay1.dataart.com (fobos.marketsite.ru [62.152.84.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5953543D46 for ; Fri, 28 Apr 2006 13:39:51 +0000 (GMT) (envelope-from dimas@dataart.com) Received: from e1.universe.dart.spb ([192.168.10.44]) by relay1.dataart.com with esmtp (Exim 4.22) id 1FZTCH-0005GU-UD for freebsd-pf@freebsd.org; Fri, 28 Apr 2006 17:39:49 +0400 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Date: Fri, 28 Apr 2006 17:38:29 +0400 Message-ID: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: IPSEC tunnel problem thread-index: AcZqyThjKu1flU0KRW+kxPLFMtmK3g== 
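Review bot: in the first hunk the new length check over-counts by one when pf->anchor is empty: `strlen(pf->anchor) + 1 + strlen($3) >= MAXPATHLEN` always reserves a byte for the '/' separator, but the second hunk only emits that separator when pf->anchor[0] is set, so a top-level anchor name of exactly MAXPATHLEN - 1 bytes that loaded before this patch is now rejected. Counting the extra byte only when pf->anchor[0] is non-empty keeps the two hunks consistent; the yyerror text could also print the composed path rather than `$3` alone, since the bare name may well be short enough and the message would then read as wrong.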
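Review bot: in the second hunk the snprintf into the MAXPATHLEN buffer relies entirely on the guard in the previous hunk to avoid silent truncation; checking the snprintf return value against MAXPATHLEN here (or at least a comment stating the dependency) would keep loadrule self-contained if the check above is ever relaxed. Also, `malloc(MAXPATHLEN)` replaces a right-sized strdup with a fixed allocation per load anchor, which is fine for the handful of anchors a ruleset has but deserves a comment so the next reader does not shrink it back to strdup and reintroduce the bug.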
From: "Dmitry Andrianov"
To: freebsd-pf@freebsd.org
Date: Fri, 28 Apr 2006 17:38:29 +0400
Subject: IPSEC tunnel problem

Hello.

First of all, I apologize if freebsd-pf is not the right place to ask my question. I will explain below why it is actually asked here. But if anyone knows a better place, let me know.

On FreeBSD-6.0 I have set up an IPSEC VPN tunnel as explained in the FreeBSD Handbook - http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html

I also have applied the kern/91412 patch ( http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/91412 ) because it seemed related to the issue. Unfortunately, the problem was exactly the same before and after applying the patch.

User-visible symptoms: a user connects to an MS Remote Desktop server through the VPN tunnel and works for some time. At some random moment, RD hangs.

tcpdump on the server's side ethernet interface at that moment starts observing ICMP host unreachable packets:

(192.168.194.90 is the server while 192.168.10.176 is the client)

    17:11:17.471023 IP 192.168.194.90.3389 > 192.168.10.176.4941: P 64012:65378(1366) ack 4236 win 64341
    17:11:17.496187 IP 192.168.10.176.4941 > 192.168.194.90.3389: . ack 63407 win 32409
    17:11:17.496866 IP 192.168.194.90.3389 > 192.168.10.176.4941: P 65378:66582(1204) ack 4236 win 64341
    17:11:17.497008 IP 192.168.194.90.3389 > 192.168.10.176.4941: P 66582:67376(794) ack 4236 win 64341
    17:11:17.497030 IP 192.168.194.1 > 192.168.194.90: ICMP host 192.168.10.176 unreachable, length 36
    17:11:17.509615 IP 192.168.10.176.4941 > 192.168.194.90.3389: . ack 65378 win 33580
    17:11:17.512078 IP 192.168.10.176.4941 > 192.168.194.90.3389: P 4236:4253(17) ack 65378 win 33580
    17:11:17.516507 IP 192.168.194.90.3389 > 192.168.10.176.4941: P 67376:68526(1150) ack 4253 win 64324
    17:11:17.516529 IP 192.168.194.1 > 192.168.194.90: ICMP host 192.168.10.176 unreachable, length 36
    17:11:17.516586 IP 192.168.194.90.3389 > 192.168.10.176.4941: P 68526:69455(929) ack 4253 win 64324
    17:11:17.516607 IP 192.168.194.1 > 192.168.194.90: ICMP host 192.168.10.176 unreachable, length 36
    17:11:17.516750 IP 192.168.194.90.3389 > 192.168.10.176.4941: P 69455:70642(1187) ack 4253 win 64324
    17:11:17.516772 IP 192.168.194.1 > 192.168.194.90: ICMP host 192.168.10.176 unreachable, length 36
    17:11:17.619311 IP 192.168.10.176.4941 > 192.168.194.90.3389: P 4253:4319(66) ack 66582 win 32376
    17:11:17.773334 IP 192.168.10.176.4941 > 192.168.194.90.3389: P 4319:4350(31) ack 66582 win 32376
    17:11:17.773514 IP 192.168.194.90.3389 > 192.168.10.176.4941: . ack 4350 win 64227
    17:11:17.891308 IP 192.168.10.176.4941 > 192.168.194.90.3389: P 4350:4423(73) ack 66582 win 32376
    17:11:17.997662 IP 192.168.10.176.4941 > 192.168.194.90.3389: P 4423:4475(52) ack 66582 win 32376
    17:11:17.997841 IP 192.168.194.90.3389 > 192.168.10.176.4941: . ack 4475 win 65535
    17:11:18.106066 IP 192.168.10.176.4941 > 192.168.194.90.3389: P 4475:4541(66) ack 66582 win 32376
    17:11:18.157117 IP 192.168.194.90.3389 > 192.168.10.176.4941: P 66582:67970(1388) ack 4541 win 65469
    17:11:18.157140 IP 192.168.194.1 > 192.168.194.90: ICMP host 192.168.10.176 unreachable, length 36

So, why freebsd-pf? Because I noticed in pfctl -s info output that the "state-mismatch" counter, which normally is still, starts rapidly incrementing when such "hangups" occur. At the same time, pf should not return ICMP messages because of

    set block-policy drop

and

    block drop log all

as the first rule. I do not have any "block return" rules, so I have no idea who returns ICMP, why it does so, and what pf counts as state-mismatch.

The problem is 100% reproducible and I can gather any additional statistics/output if it is needed.

Again, if I should ask in another place, let me know.

Regards,
Dmitry Andrianov

From owner-freebsd-pf@FreeBSD.ORG Sat Apr 29 11:37:22 2006
Message-ID: <44535141.6040702@gavsin.com>
Date: Sat, 29 Apr 2006 17:12:57 +0530
From: mahendran
To: freebsd-pf@freebsd.org
Subject: pf in freebsd6.0 - Need Help

Hi,

I have a FreeBSD 6.0 server on which I am looking to configure pf. Can anyone help me to install pf in FreeBSD 6.0?

--
Regards,
Mahendran.R
System Engineer
GAVS Information Service Pvt Ltd
Email : mahendran.rajendran@gavsin.com

From owner-freebsd-pf@FreeBSD.ORG Sat Apr 29 11:52:05 2006
Date: Sat, 29 Apr 2006 13:50:42 +0200
From: Maciej Wierzbicki
To: freebsd-pf@freebsd.org
Message-ID: <20060429115042.GA6764@mail.media4u.pl>
In-Reply-To: <44535141.6040702@gavsin.com>
Subject: Re: pf in freebsd6.0 - Need Help

On Sat, Apr 29, 2006 at 05:12:57PM +0530, mahendran wrote:
> I have freebsd 6.0 server in which i am looking to configure pf. can
> anyone help me to install pf in freebsd 6.0.

/usr/src/sys/conf/NOTES:

    # The pf packet filter consists of three devices:
    # The `pf' device provides /dev/pf and the firewall code itself.
    # The `pflog' device provides the pflog0 interface which logs packets.
    # The `pfsync' device provides the pfsync0 interface used for
    # synchronization of firewall state tables (over the net).
    device pf       #PF OpenBSD packet-filter firewall
    device pflog    #logging support interface for PF
    device pfsync   #synchronization interface for PF

man 8 pfctl:

    -e      Enable the packet filter.
    -f file Load the rules contained in file. This file may contain macros, tables,
            options, and normalization, queueing, translation, and filtering rules.
            With the exception of macros and tables, the statements must appear in
            that order.
    -n      Do not actually load rules, just parse them.
    -v      Produce more verbose output. A second use of -v will produce even more
            verbose output including ruleset warnings.
man 5 pf.conf:

    pf.conf -- packet filter configuration file

--
* Maciej Wierzbicki * At paranoia's poison door * * VOO1-RIPE *

From owner-freebsd-pf@FreeBSD.ORG Sat Apr 29 15:53:43 2006
Message-ID: <20060429145835.72906.qmail@web38910.mail.mud.yahoo.com>
Date: Sat, 29 Apr 2006 07:58:35 -0700 (PDT)
From: steve lasiter
To: freebsd-pf@freebsd.org
Subject: first question

I've used ipfilter and now have just loaded FreeBSD 6.1 with PF to configure for a gateway/firewall/router w/3 NICs for a new network at the office. My topology:

                 INTERNET
                    |
                    |
            --------|---------
            66.190.186.13
            (EXT_NIC)

            GATEWAY/FIREWALL

            10.0.0.0/24 ---switch----DMZ webserver
            (DMZ_NIC)

            192.168.0.0/24
            (INT_NIC)
            --------|----------
                    |
                    |
            SBS 2003 box w/ISA
                    |
                 switch
                    |
                   LAN

Questions:

1) I need to allow access on ports 25, 80 and 443 to the Small Business Server 2003 box for remote access, but I want all non-office related traffic on ports 80 and 443 to go to the DMZ webserver. Can you give some insight on how I might route this using PF?

2) Can someone provide a good base set of rules that they have established for a similar topology?

This should get me started. Thanks for all the input.

Steve L

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
From owner-freebsd-pf@FreeBSD.ORG Sat Apr 29 17:10:46 2006
Date: Sun, 30 Apr 2006 01:11:12 +0800
From: Cheng-Lung Sung
To: mahendran
Cc: freebsd-pf@freebsd.org
Message-ID: <20060429171112.GA44146@FreeBSD.csie.nctu.edu.tw>
In-Reply-To: <44535141.6040702@gavsin.com>
Subject: Re: pf in freebsd6.0 - Need Help

They are loadable as modules, so just put

    pf_enable="YES"

in your rc.conf and execute

    /etc/rc.d/pf start

On Sat, Apr 29, 2006 at 05:12:57PM +0530, mahendran wrote:
> Hi,
>
> I have freebsd 6.0 server in which i am looking to configure pf. can
> anyone help me to install pf in freebsd 6.0.
>
> --
> Regards,

--
Cheng-Lung Sung - clsung@

From owner-freebsd-pf@FreeBSD.ORG Sat Apr 29 19:36:52 2006
Date: Sat, 29 Apr 2006 22:36:47 +0300
From: Odhiambo Washington
To: steve lasiter
Cc: freebsd-pf@freebsd.org
Message-ID: <20060429193647.GC91947@ns2.wananchi.com>
In-Reply-To: <20060429145835.72906.qmail@web38910.mail.mud.yahoo.com>
Subject: Re: first question

* On 29/04/06 07:58 -0700, steve lasiter wrote:
| I've used ipfilter and now have just loaded FreeBSD
| 6.1 with PF to configure for a gateway/firewall/router
| w/3 NICS for a new network the office. My topology:
|
|                  INTERNET
|                     |
|                     |
|             --------|---------
|             66.190.186.13
|             (EXT_NIC)
|
|             GATEWAY/FIREWALL
|
|             10.0.0.0/24 ---switch----DMZ webserver
|             (DMZ_NIC)
|
|             192.168.0.0/24
|             (INT_NIC)
|             --------|----------
|                     |
|                     |
|             SBS 2003 box w/ISA
|                     |
|                  switch
|                     |
|                    LAN
|
| Questions:
| 1)I need to allow access on ports 25, 80 and 443 to
| the Small Business Server 2003 box for remote access
| but I want all non-office related traffic on ports 80
| and 443 to go to the dmz webserver. Can you give some
| insight on how I might route this using PF?
|
| 2)Can someone provide a good base set of rules that
| they have established for a similar topology?
|
| This should get me started. Thanks for all the input.
Please get started using the FAQ at the following link:

    http://www.openbsd.org/faq/pf

At the end of the reading, you will see this example:

    http://www.openbsd.org/faq/pf/example1.html

From there, after thorough reading, you will be able to craft rules that will handle connections to your DMZ....

Sorry if I did not turn out to be as helpful as you might have expected.

-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php
--
Odhiambo Washington | Wananchi Online Ltd. www.wananchi.com
Tel: +254 20 313985-9 +254 20 313922 | GSM: +254 722 743223 +254 733 744121

From a Tru64 patch description: Fixes a bug that causes a panic due to software error