From owner-freebsd-pf@FreeBSD.ORG Sun May 7 00:38:40 2006
Message-ID: <20060507003840.46676.qmail@web31608.mail.mud.yahoo.com>
Date: Sat, 6 May 2006 21:38:40 -0300 (ART)
From: Aguiar Magalhaes
To: freebsd-pf@freebsd.org
Subject: logging pass rules

List,

I have a rule "block log all" in my pf.conf and the command "tcpdump -n -e -ttt -i pflog0" shows me the blocked packages. I'd like to make the same with the pass rules and then to know the matched pass rule:

block log all
pass in on $int_if inet proto tcp from $internal_net to any port 80 keep state
pass in on $int_if proto udp from $internal_net to any port 53 keep state
... etc

Do I have to add the word "log" for each pass rule? Is there another way? How can I do it?

Thanks,

Aguiar
From owner-freebsd-pf@FreeBSD.ORG Sun May 7 00:54:19 2006
Message-ID: <20060507005418.63149.qmail@web31612.mail.mud.yahoo.com>
Date: Sat, 6 May 2006 21:54:18 -0300 (ART)
From: Aguiar Magalhaes
To: freebsd-pf@freebsd.org
In-Reply-To: <000001c67117$251f69c0$0a00a8c0@thebeast>
Subject: RE: Stranger addresses

Hi Greg,

I have some Windows machines in my LAN, but I'd like to stop these packages on my network. I don't have DHCP.

Is it possible??

--- Greg Hennessy

> > > Hi list,
> > >
> > > I've been blocking on internal interface some stranger addresses
> > > from our LAN..
> > >
> > > Here are they: 0.0.0.0.68
> >
> > DHCP
> >
> > > 172.16.1.125.137
> > > 172.16.1.125.138
> >
> > If you're not using that subnet, then it's nbt broadcast chatter.
> >
> > grep /etc/services and google for more.
> >
> > Greg
From owner-freebsd-pf@FreeBSD.ORG Sun May 7 11:46:34 2006
Message-ID: <445DDE15.8050700@web.de>
Date: Sun, 07 May 2006 13:46:29 +0200
From: Kay Abendroth
To: freebsd-pf@freebsd.org
In-Reply-To: <20060507003840.46676.qmail@web31608.mail.mud.yahoo.com>
Subject: Re: logging pass rules

Aguiar Magalhaes wrote:
[...]
> Do I have to add the word "log" for each pass rule ?

Yes.

> Is there another way ?

No.

> How can i do it ?

See http://www.openbsd.org/faq/pf/logging.html.

Greetings,
Kay

From owner-freebsd-pf@FreeBSD.ORG Sun May 7 18:22:37 2006
From: Louis Kowolowski
To: Freebsd-pf@freebsd.org
In-Reply-To: <20060507005418.63149.qmail@web31612.mail.mud.yahoo.com>
Organization: Cryptomonkeys UNIX/Security Consulting
Date: Sun, 07 May 2006 11:22:24 -0700
Message-Id: <1147026144.1095.44.camel@localhost>
Subject: RE: Stranger addresses

On Sat, 2006-05-06 at 21:54 -0300, Aguiar Magalhaes wrote:
> Hi Greg,
>
> I have some windows machine in my LAN, but I'd like to
> stop these packages on my network. I don't have DHCP.
>
> Is it possible ??
>
> --- Greg Hennessy
>
> > > Hi list,
> > >
> > > I've blocking on internal interface some stranger addresses
> > > from our LAN..
> > >
> > > Here are they: 0.0.0.0.68
> >
> > DHCP
> >
> > > 172.16.1.125.137
> > > 172.16.1.125.138
> >
> > If you're not using that subnet, then it's nbt
> > broadcast chatter.
> >
> > grep /etc/services and google for more.
> >
> > Greg

It looks to me like the format that (t)ethereal uses when printing IPs and ports. I suspect that the last set of digits there are port numbers.
--
Louis Kowolowski KE7BAX  louisk@cryptomonkeys.com
Cryptomonkeys: http://www.cryptomonkeys.com/~louisk

From owner-freebsd-pf@FreeBSD.ORG Sun May 7 20:45:13 2006
Message-Id: <20060508.054451.41688849.yamamoto436@oki.com>
Date: Mon, 08 May 2006 05:44:51 +0900 (JST)
To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
From: Hideki Yamamoto
Subject: IPv6 raw socket to send original udp

Hi,

I tried to use pf as a traffic shaper for a streaming server, but it does not work well. The input to pf is bursted packets within around 20 msec, but is not bursted within around 100 msec or longer. This traffic pattern is the feature of the streaming server.

As pf does not work well, I am thinking of designing an original shaper command on a bridge-like FreeBSD box, such that the command will receive the server packets via libpcap, shape them and then send them constantly to another device.

To send packets from the bridge-like FreeBSD box, I plan to use a RAW IPv6 socket. However, in my small experiment it does not seem good: the IP_HDRINCL option does not work. I wonder if the IPv6 raw socket can be used only for ICMPv6. I would like to use the IPv6 raw socket for original udp packets.

Thanks in advance.
Hideki Yamamoto
--

From owner-freebsd-pf@FreeBSD.ORG Sun May 7 21:38:54 2006
Date: Sun, 7 May 2006 16:38:53 -0500
From: "Travis H."
To: "Aguiar Magalhaes"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <20060507003840.46676.qmail@web31608.mail.mud.yahoo.com>
Subject: Re: logging pass rules

On 5/6/06, Aguiar Magalhaes wrote:
> I'd like to make the same with the pass rules and then
> to know the matched pass rule:
>
> block log all
> pass in on $int_if inet proto tcp from $internal_net
> to any port 80 keep state
> pass in on $int_if proto udp from $internal_net to any
> port 53 keep state
> ... etc
>
> Do I have to add the word "log" for each pass rule ?
> Is there another way ?

pfctl -s rules -v -v

(check "Evaluations" and "Packets" fields)

> How can i do it ?

p="pass log"
$p in on $int_if inet proto tcp from $internal_net...

See? I've saved you two whole bytes per rule!
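The two views the replies above point at (pflog0 records once a rule carries `log`, and the per-rule Evaluations/Packets counters of `pfctl -vvsr`) can be joined by rule number; the script below is an added example, not code from Travis's reply or from the pf project. It assumes the `rule N/M(match): action dir on if:` print format of tcpdump on pflog0 and the `@N rule` / `[ Evaluations: ... Packets: ... ]` layout of `pfctl -vvsr`, and all sample input is constructed.

```python
"""Join pflog0 records with the pf rule that logged them, and find rules
whose counters show matches that never reach pflog0 because they lack
'log'.  Added example; input samples below are constructed, not captured."""
import re
from collections import Counter

# Constructed sample of `tcpdump -n -e -ttt -i pflog0` output.
PFLOG_SAMPLE = """\
00:00:00.000000 rule 0/0(match): block in on fxp0: 10.9.8.7.4444 > 192.168.1.5.22: S 1:1(0) win 512
00:00:00.012345 rule 1/0(match): pass in on fxp1: 192.168.1.20.49152 > 203.0.113.10.80: S 100:100(0) win 65535
00:00:00.000410 rule 2/0(match): pass in on fxp1: 192.168.1.20.53001 > 192.168.1.1.53: 1234+ A? example.net. (29)
00:00:00.200000 rule 0/0(match): block in on fxp0: 10.9.8.7.4445 > 192.168.1.5.23: S 2:2(0) win 512
00:00:00.000300 rule 1/0(match): pass in on fxp1: 192.168.1.21.49153 > 203.0.113.11.80: S 300:300(0) win 65535
"""

# Constructed sample of `pfctl -vvsr` output; @3 matches traffic but has no 'log'.
PFCTL_SAMPLE = """\
@0 block drop log all
  [ Evaluations: 14        Packets: 2         Bytes: 120         States: 0     ]
@1 pass in log on fxp1 inet proto tcp from 192.168.1.0/24 to any port = http flags S/SA keep state
  [ Evaluations: 12        Packets: 2         Bytes: 128         States: 2     ]
@2 pass in log on fxp1 proto udp from 192.168.1.0/24 to any port = domain keep state
  [ Evaluations: 10        Packets: 1         Bytes: 71          States: 1     ]
@3 pass out on fxp0 proto tcp from 192.168.1.1 to any port = smtp keep state
  [ Evaluations: 9         Packets: 5         Bytes: 400         States: 1     ]
"""

# pflog header as tcpdump prints it with -e: rule number, sub-rule, reason,
# action, direction, interface, then the usual "src > dst:" packet summary.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+):"
)
RULE_RE = re.compile(r"^@(?P<num>\d+) (?P<text>.*)$")
STATS_RE = re.compile(r"Evaluations: (?P<evals>\d+)\s+Packets: (?P<pkts>\d+)")


def parse_pflog(text):
    """One dict per parsable pflog line; lines without a pflog header are skipped."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["rule"] = int(rec["rule"])
            records.append(rec)
    return records


def parse_rules(text):
    """Map rule number -> {'text', 'evaluations', 'packets'} from pfctl -vvsr."""
    rules, current = {}, None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = int(m.group("num"))
            rules[current] = {"text": m.group("text"), "evaluations": 0, "packets": 0}
            continue
        s = STATS_RE.search(line)
        if s and current is not None:          # counter line belongs to the last @N rule
            rules[current]["evaluations"] = int(s.group("evals"))
            rules[current]["packets"] = int(s.group("pkts"))
    return rules


def summarize(pflog_text, pfctl_text):
    """Count logged packets per rule and attach that rule's text and counters."""
    rules = parse_rules(pfctl_text)
    hits = Counter(r["rule"] for r in parse_pflog(pflog_text))
    unknown = {"text": "<rule not in ruleset>", "evaluations": 0, "packets": 0}
    return {num: {"logged": n, **rules.get(num, unknown)} for num, n in sorted(hits.items())}


def unlogged_rules(pfctl_text):
    """Rules that matched packets but carry no 'log' keyword: invisible on pflog0."""
    return [num for num, r in parse_rules(pfctl_text).items()
            if r["packets"] > 0 and not re.search(r"\blog\b", r["text"])]


if __name__ == "__main__":
    for num, info in summarize(PFLOG_SAMPLE, PFCTL_SAMPLE).items():
        print(f"@{num}: {info['logged']} logged / {info['packets']} counted  {info['text']}")
    print("rules matching traffic without 'log':", unlogged_rules(PFCTL_SAMPLE))
```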
--
"Curiosity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

From owner-freebsd-pf@FreeBSD.ORG Sun May 7 21:51:46 2006
Date: Sun, 7 May 2006 16:51:45 -0500
From: "Travis H."
To: "Louis Kowolowski"
Cc: Freebsd-pf@freebsd.org
In-Reply-To: <1147026144.1095.44.camel@localhost>
Subject: Re: Stranger addresses

On 5/7/06, Louis Kowolowski wrote:
> > I have some windows machine in my LAN, but I'd like to
> > stop these packages on my network. I don't have DHCP.

Are you saying that no machine on your LAN supports DHCP? I don't believe it. It's the default during installation for most OSes since it's simpler.

> > > > 172.16.1.125.137
> > > > 172.16.1.125.138
> > >
> > > If you're not using that subnet, then it's nbt
> > > broadcast chatter.

Yes, that's RFC 1918 class B addresses, ports 137 and 138 (Windows SMB traffic). To get rid of them, disable NetBIOS over TCP/IP in the Windows client with the IPv4 address 172.16.125. You should also see a lot of 172.16.255.255 (subnet-directed broadcast), because SMB is almost totally dependent on broadcasts. I find it very annoying.

They are NOT IPv6 packets.
--
"Curiosity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

From owner-freebsd-pf@FreeBSD.ORG Mon May 8 11:02:43 2006
Message-Id: <200605081102.k48B2WEi048366@freefall.freebsd.org>
Date: Mon, 8 May 2006 11:02:32 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted     Tracker        Resp. Description
-------------------------------------------------------------------------------
o [2005/06/15]  kern/82271     pf    [pf] cbq scheduler cause bad latency
f [2005/07/31]  kern/84370     pf    [modules] Unload pf.ko cause page fault
f [2005/09/13]  kern/86072     pf    [pf] Packet Filter rule not working prope
o [2006/02/07]  kern/92949     pf    [pf] PF + ALTQ problems with latency
o [2006/02/18]  sparc64/93530  pf    Incorrect checksums when using pf's route
o [2006/02/25]  kern/93829     pf    [carp] pfsync state time problem with CAR

6 problems total.

Non-critical problems
S Submitted     Tracker        Resp. Description
-------------------------------------------------------------------------------
o [2005/05/15]  conf/81042     pf    [pf] [patch] /etc/pf.os doesn't match Fre
o [2006/02/25]  kern/93825     pf    [pf] pf reply-to doesn't work
o [2006/04/21]  bin/96150      pf    pfctl(8) -k non-functional

3 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon May 8 15:49:31 2006
Date: Mon, 8 May 2006 11:49:30 -0400
From: Adam McDougall
To: Andrew Thompson
Cc: freebsd-pf@freebsd.org
Message-ID: <20060508154929.GS30200@egr.msu.edu>
In-Reply-To: <20060416053023.GD56603@heff.fud.org.nz>
Subject: Re: broken ip checksum after frag reassemble of nfs READDIR?

On Sun, Apr 16, 2006 at 05:30:23PM +1200, Andrew Thompson wrote:

On Wed, Apr 05, 2006 at 03:06:45PM +0200, Daniel Hartmeier wrote:
> On Wed, Apr 05, 2006 at 02:41:09PM +0200, Max Laier wrote:
>
> > The other big problem that just crossed my mind: Reassembly in the bridge
> > path!? It doesn't look like the current bridge code on either OS is ready to
> > deal with packets > MTU coming out of the filter. The question here is
> > probably how much IP processing we want to do in the bridge code?
>
> OpenBSD's bridge does, see bridge_fragment(). IIRC, we slightly adjusted
> ip_fragment() so it could be called from there, and not too much code
> had to be duplicated.
>

Here is a patch that adds fragmenting, largely based on what's in OpenBSD. I didn't bring over bridge_send_icmp_err() as we can only get a large packet to fragment by reassembling a previous fragment, checking for DF and sending an icmp doesn't apply to us.

Can I get a review, esp. the traversal of the mbufs.

cheers,
Andrew

I should have a chance to test this support this week, thanks for working on it.
Could someone possibly produce a patch to force if_bridge to recalculate the checksum on every packet so I can test that as well? To me, the extra load on the firewall is less important than breaking packets I am trying to pass.

From owner-freebsd-pf@FreeBSD.ORG Mon May 8 18:30:08 2006
Date: Mon, 8 May 2006 20:27:23 +0200
From: Daniel Hartmeier
To: Adam McDougall
Cc: Andrew Thompson, freebsd-pf@freebsd.org
Message-ID: <20060508182723.GG9739@insomnia.benzedrine.cx>
In-Reply-To: <20060508154929.GS30200@egr.msu.edu>
Subject: Re: broken ip checksum after frag reassemble of nfs READDIR?

On Mon, May 08, 2006 at 11:49:30AM -0400, Adam McDougall wrote:

> Could someone possibly produce a patch to force if_bridge to
> recalculate the checksum on every packet so I can test that as well?
> To me, the extra load on the firewall is less important than breaking
> packets I am trying to pass.

Try the patch below, the first one is against -current and the second against 6.0-stable. It compiles, but is otherwise untested. I'm not sure if the potential m_pullup() is needed, but better safe than sorry. Maybe Andrew can comment.

Daniel

Index: if_bridge.c
===================================================================
RCS file: /pub/tmp/cvs/freebsd/src/sys/net/if_bridge.c,v
retrieving revision 1.59
diff -u -r1.59 if_bridge.c
--- if_bridge.c 29 Apr 2006 05:37:25 -0000 1.59
+++ if_bridge.c 8 May 2006 18:17:40 -0000
@@ -2590,7 +2590,7 @@ static int bridge_pfil(struct mbuf **mp, struct ifnet *bifp, struct ifnet *ifp, int dir) { - int snap, error, i; + int snap, error, i, hlen; struct ether_header *eh1, eh2; struct ip_fw_args args; struct ip *ip; @@ -2787,8 +2787,25 @@ /* Restore ip and the fields ntohs()'d. */ ip = mtod(*mp, struct ip *); + if (ip == NULL) + goto bad; + hlen = ip->ip_hl << 2; + if (hlen < sizeof(struct ip)) + goto bad; + if (hlen > (*mp)->m_len) { + if ((*mp = m_pullup(*mp, hlen)) == 0) + goto bad; + ip = mtod(*mp, struct ip *); + if (ip == NULL) + goto bad; + } ip->ip_len = htons(ip->ip_len); ip->ip_off = htons(ip->ip_off); + ip->ip_sum = 0; + if (hlen == sizeof(struct ip)) + ip->ip_sum = in_cksum_hdr(ip); + else + ip->ip_sum = in_cksum(*mp, hlen); break; # ifdef INET6 Index: if_bridge.c =================================================================== RCS file: /pub/tmp/cvs/freebsd/src/sys/net/if_bridge.c,v retrieving revision 1.11.2.12.2.4 diff -u -r1.11.2.12.2.4 if_bridge.c --- if_bridge.c 25 Jan 2006 10:01:26 -0000 1.11.2.12.2.4 +++ if_bridge.c 8 May 2006 18:21:03 -0000 @@ -2281,7 +2281,7 @@ static int bridge_pfil(struct mbuf **mp, struct ifnet *bifp, struct ifnet *ifp, int dir) { - int snap, error, i; + int snap, error, i, hlen; struct ether_header *eh1, eh2; struct ip_fw_args args; struct ip *ip; 
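Review bot: in the checksum hunk (@@ -2787 of the -current diff, and its identical twin @@ -2459 of the 6.0-stable diff), `hlen = ip->ip_hl << 2;` reads the header before anything in the hunk guarantees that the first mbuf holds a full `struct ip`; `mtod()` is only a cast of `m_data`, so the two added `if (ip == NULL) goto bad;` tests can never fire and do not protect that read. Suggest pulling up `sizeof(struct ip)` first, then computing `hlen` and doing the second `m_pullup(*mp, hlen)` only when `hlen > (*mp)->m_len`, and dropping the NULL tests. Two smaller points: `m_pullup()` returns a pointer, so style(9) wants `== NULL` rather than `== 0`, and on that failure path `*mp` is already NULL when `goto bad` runs, so the `bad:` label must tolerate a NULL mbuf (worth confirming, since it is outside the hunk). The order of the rest is right: `ip_len` and `ip_off` are put back in network byte order before `ip_sum` is recomputed, and `in_cksum(*mp, hlen)` covers options when `hlen` exceeds the bare header.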
@@ -2459,8 +2459,25 @@ /* Restore ip and the fields ntohs()'d. */ if (*mp != NULL && error == 0) { ip = mtod(*mp, struct ip *); + if (ip == NULL) + goto bad; + hlen = ip->ip_hl << 2; + if (hlen < sizeof(struct ip)) + goto bad; + if (hlen > (*mp)->m_len) { + if ((*mp = m_pullup(*mp, hlen)) == 0) + goto bad; + ip = mtod(*mp, struct ip *); + if (ip == NULL) + goto bad; + } ip->ip_len = htons(ip->ip_len); ip->ip_off = htons(ip->ip_off); + ip->ip_sum = 0; + if (hlen == sizeof(struct ip)) + ip->ip_sum = in_cksum_hdr(ip); + else + ip->ip_sum = in_cksum(*mp, hlen); } break;

From owner-freebsd-pf@FreeBSD.ORG Mon May 8 20:19:18 2006
Message-ID: <20060508201512.62715.qmail@web52912.mail.yahoo.com>
Date: Mon, 8 May 2006 13:15:12 -0700 (PDT)
From: Matheus Lamberti
To: freebsd-pf@freebsd.org
Subject: Problem with ftp-proxy

Hello list,

Well, I have implemented a firewall with the default policy "block all"; I made very restrictive rules allowing only some connecting ports from the machines of my LAN.

My problem is, the ftp-proxy is working...

* inetd calls it with my flags
* the ftp transaction starts
* but I can receive back the answer from the remote server

Below is a part of my pf.conf file ...

-- start --
# ftp-proxy
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $if_intr proto tcp to port ftp -> 127.0.0.1 port 8021

# rules
anchor "ftp-proxy/*"
pass out on $if_adsl proto udp from $if_adsl to any port $udp_sai keep state
pass out on $if_adsl proto tcp from $if_adsl to any port $tcp_sai flags $flagtcp modulate state
pass out on $if_adsl proto tcp from $if_adsl to any port $tcp_ent flags $flagtcp modulate state
pass in on $if_adsl from any to $srv_vip modulate state
pass in on $if_adsl from any to $if_adsl keep state
pass out on $if_intr from any to $intrant modulate state
pass in on $if_intr proto udp from $intrant to any port $udp_sai keep state
pass in on $if_intr proto tcp from $intrant to any port $tcp_sai flags $flagtcp keep state
pass in on $if_intr proto tcp from $intrant to any port $tcp_ent flags $flagtcp keep state
pass in on $if_intr proto { tcp, udp } from $intrant to $srv_bsd port $dhcp_pt keep state
pass in on $if_intr proto { tcp, udp } from $ip_voip to any keep state
-- end --

Matheus Lamberti de Abreu
BSD UserID: 051370 / ICQ UIN: 58854189

" Before the vastness of time... and the immensity of the universe, it is an immense pleasure for me to share a planet and an epoch with you! " ( Carl Sagan )

From owner-freebsd-pf@FreeBSD.ORG Mon May 8 23:34:42 2006
Date: Tue, 9 May 2006 08:33:57 +0900
From: Pyun YongHyeon
To: Adam McDougall
Cc: Andrew Thompson, freebsd-pf@freebsd.org
Subject: Re: broken ip checksum after frag reassemble of nfs READDIR?
Message-ID: <20060508233357.GA6572@cdnetworks.co.kr>
In-Reply-To: <20060508154929.GS30200@egr.msu.edu>

On Mon, May 08, 2006 at 11:49:30AM -0400, Adam McDougall wrote:
> On Sun, Apr 16, 2006 at 05:30:23PM +1200, Andrew Thompson wrote:
> > On Wed, Apr 05, 2006 at 03:06:45PM +0200, Daniel Hartmeier wrote:
> > > On Wed, Apr 05, 2006 at 02:41:09PM +0200, Max Laier wrote:
> > > > The other big problem that just crossed my mind: Reassembly in the bridge
> > > > path!? It doesn't look like the current bridge code on either OS is ready to
> > > > deal with packets > MTU coming out of the filter. The question here is
> > > > probably how much IP processing we want to do in the bridge code?
> > >
> > > OpenBSD's bridge does, see bridge_fragment(). IIRC, we slightly adjusted
> > > ip_fragment() so it could be called from there, and not too much code
> > > had to be duplicated.
> >
> > Here is a patch that adds fragmenting, largely based on what's in
> > OpenBSD. I didn't bring over bridge_send_icmp_err() as we can only get a
> > large packet to fragment by reassembling a previous fragment; checking
> > for DF and sending an icmp doesn't apply to us.

As you can get jumbo frames (which is a common feature for modern GigE) you should be prepared to fragment the frame. Because you may get the first ethernet member's MTU for bridge(4) there is still a chance to get other sized MTUs which could be larger than the first ethernet member's MTU. Personally I believe OpenBSD's bridge_send_icmp_err() or equivalent is needed for FreeBSD too.

> > Can I get a review, esp. the traversal of the mbufs.
> >
> > cheers,
> > Andrew
>
> I should have a chance to test this support this week, thanks for working
> on it. Could someone possibly produce a patch to force if_bridge to
> recalculate the checksum on every packet so I can test that as well?
> To me, the extra load on the firewall is less important than breaking
> packets I am trying to pass.

-- 
Regards,
Pyun YongHyeon

Date: Tue, 9 May 2006 11:53:24 +1200
From: Andrew Thompson
To: Pyun YongHyeon
Cc: freebsd-pf@freebsd.org
Subject: Re: broken ip checksum after frag reassemble of nfs READDIR?
Message-ID: <20060508235324.GD16485@heff.fud.org.nz>
In-Reply-To: <20060508233357.GA6572@cdnetworks.co.kr>

On Tue, May 09, 2006 at 08:33:57AM +0900, Pyun YongHyeon wrote:
> On Mon, May 08, 2006 at 11:49:30AM -0400, Adam McDougall wrote:
> > On Sun, Apr 16, 2006 at 05:30:23PM +1200, Andrew Thompson wrote:
> > > On Wed, Apr 05, 2006 at 03:06:45PM +0200, Daniel Hartmeier wrote:
> > > > On Wed, Apr 05, 2006 at 02:41:09PM +0200, Max Laier wrote:
> > > > > The other big problem that just crossed my mind: Reassembly in the bridge
> > > > > path!? It doesn't look like the current bridge code on either OS is ready to
> > > > > deal with packets > MTU coming out of the filter. The question here is
> > > > > probably how much IP processing we want to do in the bridge code?
> > > >
> > > > OpenBSD's bridge does, see bridge_fragment(). IIRC, we slightly adjusted
> > > > ip_fragment() so it could be called from there, and not too much code
> > > > had to be duplicated.
> > >
> > > Here is a patch that adds fragmenting, largely based on what's in
> > > OpenBSD. I didn't bring over bridge_send_icmp_err() as we can only get a
> > > large packet to fragment by reassembling a previous fragment; checking
> > > for DF and sending an icmp doesn't apply to us.
>
> As you can get jumbo frames (which is a common feature for modern GigE)
> you should be prepared to fragment the frame. Because you may
> get the first ethernet member's MTU for bridge(4) there is still
> a chance to get other sized MTUs which could be larger than the first
> ethernet member's MTU. Personally I believe OpenBSD's
> bridge_send_icmp_err() or equivalent is needed for FreeBSD too.

The bridge will take the MTU of the first interface but it also enforces subsequent interfaces to have the same value. I'm not keen to allow bridging of different MTU sizes like OpenBSD allows and it only works for IP traffic anyway. A bridge is layer 2, not layer 3.

	/* Allow the first Ethernet member to define the MTU */
	if (ifs->if_type != IFT_GIF) {
		if (LIST_EMPTY(&sc->sc_iflist))
			sc->sc_ifp->if_mtu = ifs->if_mtu;
		else if (sc->sc_ifp->if_mtu != ifs->if_mtu) {
			if_printf(sc->sc_ifp, "invalid MTU for %s\n",
			    ifs->if_xname);
			return (EINVAL);
		}
	}

cheers,
Andrew

Date: Tue, 9 May 2006 10:37:31 -0300
From: Gilberto Villani Brito
To: freebsd-pf@freebsd.org
Subject: Re: Problem with ftp-proxy
Message-ID: <20060509103731.4876913c@giboia>
In-Reply-To: <20060508201512.62715.qmail@web52912.mail.yahoo.com>

Why don't you use only this in your pf.conf??

# rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
# pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state

I believe your problem is for your users using public ftp. Is it correct??

PS: This FAQ is in Portuguese: http://www.openbsd.org/faq/pf/pt/ftp.html#client

Gilberto

On Mon, 8 May 2006 13:15:12 -0700 (PDT) Matheus Lamberti wrote:
> Hello list,
>
> Well, I have implemented a firewall with the default
> policy "block all"; I made very restrictive rules
> allowing only some connecting ports from the machines
> of my LAN.
> My problem is, the ftp-proxy is working...
> * inetd calls it with my flags
> * the ftp transaction starts
> * but I can receive back the answer from the remote
> server
>
> Below is a part of my pf.conf file ...
>
> -- start --
> # ftp-proxy
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> rdr pass on $if_intr proto tcp to port ftp -> 127.0.0.1 port 8021
>
> # rules
> anchor "ftp-proxy/*"
> pass out on $if_adsl proto udp from $if_adsl to any port $udp_sai keep state
> pass out on $if_adsl proto tcp from $if_adsl to any port $tcp_sai flags $flagtcp modulate state
> pass out on $if_adsl proto tcp from $if_adsl to any port $tcp_ent flags $flagtcp modulate state
> pass in on $if_adsl from any to $srv_vip modulate state
> pass in on $if_adsl from any to $if_adsl keep state
> pass out on $if_intr from any to $intrant modulate state
> pass in on $if_intr proto udp from $intrant to any port $udp_sai keep state
> pass in on $if_intr proto tcp from $intrant to any port $tcp_sai flags $flagtcp keep state
> pass in on $if_intr proto tcp from $intrant to any port $tcp_ent flags $flagtcp keep state
> pass in on $if_intr proto { tcp, udp } from $intrant to $srv_bsd port $dhcp_pt keep state
> pass in on $if_intr proto { tcp, udp } from $ip_voip to any keep state
> -- end --
>
> Matheus Lamberti de Abreu
> BSD UserID: 051370 / ICQ UIN: 58854189
>
> "Faced with the vastness of time... and the immensity of the universe,
> it is an immense pleasure for me to share a planet and an era with you!" (Carl Sagan)

Message-ID: <44633B3A.8090302@crc.u-strasbg.fr>
Date: Thu, 11 May 2006 15:25:14 +0200
From: Philippe Pegon
To: freebsd-pf@freebsd.org, freebsd-net@freebsd.org
Subject: carp with IPv6 broken on 6.1-RELEASE

Hi,

I've already posted this on freebsd-stable@ but maybe freebsd-pf or freebsd-net is a more appropriate place... it seems that carp is broken on FreeBSD 6.1-RELEASE when an inet6 address is configured on a carp interface. Since I upgraded from 6.0 to 6.1 (today) I can't see IPv6 carp advertisements with tcpdump.

Did someone else notice this?

thanks
-- 
Philippe Pegon

Date: Fri, 12 May 2006 03:59:58 GMT
From: Mark Linimon
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/97057: IPSEC + pf stateful filtering does not work "out of the box"
Message-Id: <200605120359.k4C3xwOZ092989@freefall.freebsd.org>

Synopsis: IPSEC + pf stateful filtering does not work "out of the box"

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Fri May 12 03:59:48 UTC 2006
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=97057

Date: Fri, 12 May 2006 05:40:19 GMT
Message-Id: <200605120540.k4C5eJHa003658@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: "Dmitry Andrianov"
Reply-To: Dmitry Andrianov
Subject: Re: kern/97057: IPSEC + pf stateful filtering does not work "out of the box"

The following reply was made to PR kern/97057; it has been noted by GNATS.

From: "Dmitry Andrianov"
Subject: Re: kern/97057: IPSEC + pf stateful filtering does not work "out of the box"
Date: Fri, 12 May 2006 09:32:53 +0400

> Responsible-Changed-From-To: freebsd-bugs->freebsd-pf

I would not say this is a bug in pf. It is more like improper kernel configuration used "by default".

Regards,
Dmitry Andrianov

Date: Fri, 12 May 2006 10:12:03 +0200
From: Guy Brand
To: freebsd-pf@freebsd.org
Subject: Re: carp with IPv6 broken on 6.1-RELEASE
Message-ID: <20060512081202.GA976@chimie.u-strasbg.fr>
In-Reply-To: <44633B3A.8090302@crc.u-strasbg.fr>

On 11 May at 15:25, Philippe Pegon wrote:
> it seems that carp is broken on FreeBSD 6.1-RELEASE when an inet6
> address is configured on a carp interface. Since I upgraded from 6.0 to
> 6.1 (today) I can't see IPv6 carp advertisements with tcpdump.
>
> Did someone else notice this?

I had not tested CARP using IPv6 on 6.0, but I confirm what you write on a FreeBSD 6.1-STABLE #1: Tue May 9 07:51:45 CEST 2006 with two bge interfaces having only v6 addresses and carped using a v6 address too. No advertisements on interfaces. It works with v4 (and even without IP address at all!).

BTW, has someone tried to import Ryan McBride's patch for carpdev support in FreeBSD?

Cheers
gb

Date: Fri, 12 May 2006 20:07:38 +0800
From: "Archimedes Gaviola"
Subject: CARP and Router Advertisement for Load Balancing in IPv6

Hi!

I have two dual-stack firewalls on which I used CARP for load balancing on IPv4 on both external and internal interfaces, while I got some problem on IPv6 since it's running router advertisements. My plan would be to create a CARP interface for IPv6 and this CARP interface will be used for router advertisement with the same purpose of load balancing. The problem is the CARP interface cannot be used as the router advertisement interface since it doesn't have a link-local address for the neighbor discovery process. I used router advertisement on my firewalls for stateless autoconfiguration. Is there a way to solve this problem? Does anybody have an alternative on this for load balancing?

Thank you.

Archimedes S. Gaviola

Date: Fri, 12 May 2006 09:24:30 -0300
From: Gilberto Villani Brito
To: freebsd-pf@freebsd.org
Subject: PF - ftp passive mode.
Message-ID: <20060512092430.0e3298ea@giboia>

Hello,
I have an ftp server in a DMZ and it is not accepting passive connections.
I tried ipfw + natd and it works.
I am using these rules:

# rdr on em0 proto tcp from any to 200.250.23.1 port 21 -> 192.168.0.2 port 21
# rdr on em0 proto tcp from any to 200.250.23.1 port 49152:65535 -> 192.168.0.2 port 49152:65535

# pass in on em1 from 192.168.0.0/24 to any keep state
# pass out on em1 from any to 192.168.0.0/24 keep state

http://www.openbsd.org/faq/pf/ftp.html#natserver

What is the problem??? Doesn't PF make nat for passive ftp??

Gilberto

Date: Fri, 12 May 2006 16:06:53 +0300
From: "Huzeyfe Onal"
To: "Gilberto Villani Brito"
Cc: freebsd-pf@freebsd.org
Subject: Re: PF - ftp passive mode.
In-Reply-To: <20060512092430.0e3298ea@giboia>

Hi,
you need the following rules++

pass in on em0 proto tcp from any to 192.168.0.2 port 21 keep state
pass in on em0 proto tcp from any to 192.168.0.2 port 49512 >< 65535 keep state

and your FTP server's passive ports interval must be 49152:65535 ?

On 5/12/06, Gilberto Villani Brito wrote:
> Hello,
> I have an ftp server in a DMZ and it is not accepting passive connections.
> I tried ipfw + natd and it works.
> I am using these rules:
> # rdr on em0 proto tcp from any to 200.250.23.1 port 21 -> 192.168.0.2 port 21
> # rdr on em0 proto tcp from any to 200.250.23.1 port 49152:65535 -> 192.168.0.2 port 49152:65535
>
> # pass in on em1 from 192.168.0.0/24 to any keep state
> # pass out on em1 from any to 192.168.0.0/24 keep state
>
> http://www.openbsd.org/faq/pf/ftp.html#natserver
>
> What is the problem??? Doesn't PF make nat for passive ftp??
>
> Gilberto

-- 
Huzeyfe ÖNAL
---
First Turkish Qmail book is out! Go check it.
Have you heard! Turkey's first Qmail book is out.
http://www.acikakademi.com/catalog/qmail/
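As an added check for this thread (example code written for this page, not from either poster): a small Python script that parses the `227` reply an FTP server sends in passive mode, works out the announced data port, and tests it against a pf port specification using the pf.conf(5) semantics, where `A:B` includes both boundaries and `A >< B` excludes them. It also reports whether the announced address is the firewall's public address, since a server behind a rdr rule may announce its own address. The `200.250.23.1` address and the `49152:65535` range come from the thread; the sample replies are constructed, and the function names (`parse_pasv`, `pf_port_matches`, `check_pasv`, `audit`) are mine.

```python
import re

# pf.conf port-range operators as documented in pf.conf(5):
#   A:B    range including both boundaries
#   A><B   range excluding both boundaries
# Default spec: the range the rdr rule in the thread forwards.
PASSIVE_RANGE = "49152:65535"

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; data port = p1*256 + p2
PASV_RE = re.compile(
    r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (host, port) announced by a 227 PASV reply, or None if it is not one."""
    m = PASV_RE.search(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def pf_port_matches(port, spec):
    """Evaluate a pf.conf port specification ("21", "A:B" or "A >< B") against a port."""
    s = spec.replace(" ", "")
    if "><" in s:
        lo, hi = (int(x) for x in s.split("><"))
        return lo < port < hi          # exclusive at both ends
    if ":" in s:
        lo, hi = (int(x) for x in s.split(":"))
        return lo <= port <= hi        # inclusive at both ends
    return port == int(s)


def check_pasv(reply, public_ip, port_spec=PASSIVE_RANGE):
    """Classify one PASV reply: is the data port inside the forwarded range, and
    is the announced address the firewall's public address?"""
    parsed = parse_pasv(reply)
    if parsed is None:
        return {"host": None, "port": None, "port_ok": False, "host_ok": False}
    host, port = parsed
    return {"host": host, "port": port,
            "port_ok": pf_port_matches(port, port_spec),
            "host_ok": host == public_ip}


# Constructed sample replies (not captured from the poster's server).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (200,250,23,1,195,80)",   # port 50000, inside 49152:65535
    "227 Entering Passive Mode (192,168,0,2,4,1)",       # port 1025, outside; private address
    "227 Entering Passive Mode (200,250,23,1,255,255)",  # port 65535, inside (":" is inclusive)
    "425 Can't open data connection",                     # not a PASV reply at all
]


def audit(replies=SAMPLE_REPLIES, public_ip="200.250.23.1", port_spec=PASSIVE_RANGE):
    """Run check_pasv over a list of replies; one result dict per reply."""
    return [check_pasv(r, public_ip, port_spec) for r in replies]


if __name__ == "__main__":
    for reply, result in zip(SAMPLE_REPLIES, audit()):
        print(reply, "->", result)
```

Running `audit()` flags the second reply on both counts: its port 1025 is outside the forwarded range and it announces the private address. Note that `pf_port_matches` treats `49512 >< 65535` as exclusive, so under that spec neither 49512 nor 65535 matches, whereas the rdr rule's `49152:65535` matches both ends.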
From owner-freebsd-pf@FreeBSD.ORG Fri May 12 21:19:33 2006
Date: Fri, 12 May 2006 17:19:32 -0400
From: Adam McDougall
To: Daniel Hartmeier
Cc: Andrew Thompson, freebsd-pf@freebsd.org
Message-ID: <20060512211932.GA9173@egr.msu.edu>
In-Reply-To: <20060508182723.GG9739@insomnia.benzedrine.cx>
References: <20060402054532.GF17711@egr.msu.edu> <20060404145704.GW2684@insomnia.benzedrine.cx> <20060404153443.GX2684@insomnia.benzedrine.cx> <200604051441.16865.max@love2party.net> <20060405130645.GB5683@insomnia.benzedrine.cx> <20060416053023.GD56603@heff.fud.org.nz> <20060508154929.GS30200@egr.msu.edu> <20060508182723.GG9739@insomnia.benzedrine.cx>
User-Agent: Mutt/1.5.11
Subject: Re: broken ip checksum after frag reassemble of nfs READDIR?

Thanks, that does seem to work. I can now use UDP NFS because the checksum is valid. I am also testing it alongside the bridge fragmentation patch and that works as well. I'm pretty sure these two patches remove the roadblocks from me putting it into production in bridging mode!

On Mon, May 08, 2006 at 08:27:23PM +0200, Daniel Hartmeier wrote:

On Mon, May 08, 2006 at 11:49:30AM -0400, Adam McDougall wrote:
> Could someone possibly produce a patch to force if_bridge to
> recalculate the checksum on every packet so I can test that as well?
> To me, the extra load on the firewall is less important than breaking
> packets I am trying to pass.

Try the patches below: the first one is against -current and the second against 6.0-stable. It compiles, but is otherwise untested. I'm not sure if the potential m_pullup() is needed, but better safe than sorry. Maybe Andrew can comment.
Daniel Index: if_bridge.c =================================================================== RCS file: /pub/tmp/cvs/freebsd/src/sys/net/if_bridge.c,v retrieving revision 1.59 diff -u -r1.59 if_bridge.c --- if_bridge.c 29 Apr 2006 05:37:25 -0000 1.59 +++ if_bridge.c 8 May 2006 18:17:40 -0000 @@ -2590,7 +2590,7 @@ static int bridge_pfil(struct mbuf **mp, struct ifnet *bifp, struct ifnet *ifp, int dir) { - int snap, error, i; + int snap, error, i, hlen; struct ether_header *eh1, eh2; struct ip_fw_args args; struct ip *ip; @@ -2787,8 +2787,25 @@ /* Restore ip and the fields ntohs()'d. */ ip = mtod(*mp, struct ip *); + if (ip == NULL) + goto bad; + hlen = ip->ip_hl << 2; + if (hlen < sizeof(struct ip)) + goto bad; + if (hlen > (*mp)->m_len) { + if ((*mp = m_pullup(*mp, hlen)) == 0) + goto bad; + ip = mtod(*mp, struct ip *); + if (ip == NULL) + goto bad; + } ip->ip_len = htons(ip->ip_len); ip->ip_off = htons(ip->ip_off); + ip->ip_sum = 0; + if (hlen == sizeof(struct ip)) + ip->ip_sum = in_cksum_hdr(ip); + else + ip->ip_sum = in_cksum(*mp, hlen); break; # ifdef INET6 Index: if_bridge.c =================================================================== RCS file: /pub/tmp/cvs/freebsd/src/sys/net/if_bridge.c,v retrieving revision 1.11.2.12.2.4 diff -u -r1.11.2.12.2.4 if_bridge.c --- if_bridge.c 25 Jan 2006 10:01:26 -0000 1.11.2.12.2.4 +++ if_bridge.c 8 May 2006 18:21:03 -0000 @@ -2281,7 +2281,7 @@ static int bridge_pfil(struct mbuf **mp, struct ifnet *bifp, struct ifnet *ifp, int dir) { - int snap, error, i; + int snap, error, i, hlen; struct ether_header *eh1, eh2; struct ip_fw_args args; struct ip *ip; 
@@ -2459,8 +2459,25 @@ /* Restore ip and the fields ntohs()'d. */ if (*mp != NULL && error == 0) { ip = mtod(*mp, struct ip *); + if (ip == NULL) + goto bad; + hlen = ip->ip_hl << 2; + if (hlen < sizeof(struct ip)) + goto bad; + if (hlen > (*mp)->m_len) { + if ((*mp = m_pullup(*mp, hlen)) == 0) + goto bad; + ip = mtod(*mp, struct ip *); + if (ip == NULL) + goto bad; + } ip->ip_len = htons(ip->ip_len); ip->ip_off = htons(ip->ip_off); + ip->ip_sum = 0; + if (hlen == sizeof(struct ip)) + ip->ip_sum = in_cksum_hdr(ip); + else + ip->ip_sum = in_cksum(*mp, hlen); } break;
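Review bot: in the -current hunk (@@ -2787,8 +2787,25 @@) the two `if (ip == NULL) goto bad;` checks cannot fire: mtod() only casts `(*mp)->m_data` and never yields NULL, and if `*mp` itself were NULL the dereference would already have happened on the `ip = mtod(*mp, struct ip *);` line just before. The guard worth having is on `*mp`, which is the shape the 6.0-stable hunk uses with `if (*mp != NULL && error == 0)`. The m_pullup() failure path also needs a look: m_pullup() frees the chain when it fails and the assignment `(*mp = m_pullup(*mp, hlen)) == 0` leaves `*mp` NULL, so the `bad:` label must not free `*mp` a second time; and the comparison should read `== NULL` rather than `== 0` to match the surrounding style.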
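Review bot: in the 6.0-stable hunk (@@ -2459,8 +2459,25 @@) the m_pullup() block appears unnecessary, which answers the open question in the cover note. in_cksum_hdr() is only reached when `hlen == sizeof(struct ip)`, and the existing lines `ip->ip_len = htons(ip->ip_len);` and `ip->ip_off = htons(ip->ip_off);` already write through the same pointer, so that many bytes are assumed contiguous before this hunk runs; for the options case, in_cksum(*mp, hlen) walks the mbuf chain itself and does not require the header to sit in one mbuf. Dropping the pull-up avoids an allocate-and-copy on every options-bearing packet crossing the bridge. If it stays, note that `hlen < sizeof(struct ip)` compares a signed `int` with a `size_t`, which some compilers warn about; `hlen` is bounded to 60 by the four-bit `ip_hl`, so a cast is harmless.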