From owner-freebsd-pf@FreeBSD.ORG Mon Jun 19 02:17:11 2006
From: "Ronnel P. Maglasang"
Date: Mon, 19 Jun 2006 10:16:32 +0800
Message-ID: <44960900.4000406@infoweapons.com>
To: freebsd-pf@freebsd.org
Subject: outgoing LAN traffic always in "keep state"

I have a minimum PF setup that sits in between my internal network (LAN)
and external network (WAN). PF by design bypasses ruleset evaluation (on
external interfaces) for incoming packets on the external interface that
correspond to an entry in the state table or are a response to an
internally generated packet.

I observe this for TCP, UDP and also ICMP packets. Even if the matching
rule on the internal interface does not have a "keep state", the response
packet still bypasses the ruleset evaluation. Is there a way to force
response packets to go through ruleset evaluation? I just want to have full
control of the incoming packets on the external interface, whether they are
a response to LAN traffic or not. I'll be implementing queueing soon and I
think this PF behavior will affect it badly. Has anyone experienced this?

Thanks a lot.
- sho

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 19 05:33:18 2006
From: "Kian Mohageri"
Date: Sun, 18 Jun 2006 22:33:15 -0700
To: "Ronnel P. Maglasang"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <44960900.4000406@infoweapons.com>
Subject: Re: outgoing LAN traffic always in "keep state"

Post your ruleset and people can help you. You're probably using
nat/rdr/binat which create states.

-Kian

On 6/18/06, Ronnel P. Maglasang wrote:
>
> I have a minimum PF setup that sits in between my internal network (LAN)
> and external network (WAN). PF by design bypasses ruleset evaluation (on
> external interfaces) for incoming packets on the external interface that
> correspond to an entry in the state table or are a response to an
> internally generated packet.
> I observe this for TCP, UDP and also ICMP packets. Even if the matching
> rule on the internal interface does not have a "keep state", the response
> packet still bypasses the ruleset evaluation. Is there a way to force
> response packets to go through ruleset evaluation? I just want to have
> full control of the incoming packets on the external interface, whether
> they are a response to LAN traffic or not. I'll be implementing queueing
> soon and I think this PF behavior will affect it badly. Has anyone
> experienced this?
>
> Thanks a lot.
> - sho

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 19 06:02:19 2006
Message-ID: <44963DCA.8030800@infoweapons.com>
Date: Mon, 19 Jun 2006 14:01:46 +0800
From: "Ronnel P. Maglasang"
To: Kian Mohageri
Cc: freebsd-pf@freebsd.org
References: <44960900.4000406@infoweapons.com>
Subject: Re: outgoing LAN traffic always in "keep state"

I have the nat function enabled, and also tried enabling rdr and binat.
Are you saying the "keep state" functionality depends on these 3?

Here's my pf config file:

#
# Aliases
#
loopback = "{ lo0 }"
lan = "{ em0 }"
wan = "{ vr0 }"

#statistics
set loginterface em0
set loginterface vr0

#optimize packets
set optimization normal

#normalize outgoing packets IP ID field
scrub log on vr0 all random-id fragment reassemble

#
# NAT on WAN interface (dont use IF alias for on the fly changes)
#
nat on $wan from 20.0.0.0/8 to any -> (vr0)

# loopback
pass in quick on lo0 all
pass out quick on lo0 all

# for ssh from 10.3.1.41 to 10.10.0.161
pass in log quick on $wan proto tcp from 10.3.1.41 to 10.10.0.161 port 22
pass out log quick on $wan proto tcp from 10.10.0.161 port 22 to 10.3.1.41

# tcp from internal source to external dest
# note: response packet will not be evaluated against incoming wan rules
pass in log quick on $lan proto tcp from 20.0.0.0/8 to 10.3.2.19
pass out log quick on $wan proto tcp from 10.10.0.161 to 10.3.2.19
pass in log quick on $wan proto tcp from 10.3.2.19 to 10.10.0.161
pass out log quick on $lan proto tcp from 10.3.2.19 to any

#
# default block
#
block in log quick all
block out log quick all

Kian Mohageri wrote:
> Post your ruleset and people can help you. You're probably using
> nat/rdr/binat which create states.
>
> -Kian

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 19 10:18:35 2006
Date: Mon, 19 Jun 2006 03:18:25 -0700
From: "Kian Mohageri"
To: "Ronnel P. Maglasang"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <44963DCA.8030800@infoweapons.com>
References: <44960900.4000406@infoweapons.com> <44963DCA.8030800@infoweapons.com>
Subject: Re: outgoing LAN traffic always in "keep state"

On 6/18/06, Ronnel P. Maglasang wrote:
>
> I have the nat function enabled, and also tried enabling rdr and binat.
> Are you saying the "keep state" functionality depends on these 3?

No, but translation rules create states according to pf.conf(5):

"Note: nat, binat and rdr rules implicitly create state for connections."

Check out the 'state-policy' option (if-bound). I think it's what you're
looking for.

A few other things to mention. I'm pretty sure you can only have one
loginterface. I'd suggest making it your external one.

You can, instead of passing quick on lo0, just 'set skip on lo0' so pf
doesn't process those packets at all...
-Kian

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 19 11:03:03 2006
Date: Mon, 19 Jun 2006 11:03:01 GMT
Message-Id: <200606191103.k5JB31m2064258@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker        Resp. Description
-------------------------------------------------------------------------------
o [2005/06/15]  kern/82271     pf    [pf] cbq scheduler cause bad latency f
f [2005/09/13]  kern/86072     pf    [pf] Packet Filter rule not working prope
o [2006/02/07]  kern/92949     pf    [pf] PF + ALTQ problems with latency
o [2006/02/18]  sparc64/93530  pf    Incorrect checksums when using pf's route

4 problems total.

Non-critical problems

S Submitted     Tracker        Resp. Description
-------------------------------------------------------------------------------
o [2005/05/15]  conf/81042     pf    [pf] [patch] /etc/pf.os doesn't match Fre
o [2006/02/25]  kern/93825     pf    [pf] pf reply-to doesn't work
o [2006/03/27]  kern/94992     pf    [pf] [patch] pfctl complains about ALTQ m
o [2006/04/21]  bin/96150      pf    pfctl(8) -k non-functional
o [2006/05/09]  kern/97057     pf    IPSEC + pf stateful filtering does not wo

5 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Jun 19 11:43:29 2006
From: "Ronnel P. Maglasang"
Date: Mon, 19 Jun 2006 19:42:04 +0800
Message-ID: <44968D8C.5010606@infoweapons.com>
To: Kian Mohageri
Cc: freebsd-pf@freebsd.org
References: <44960900.4000406@infoweapons.com> <44963DCA.8030800@infoweapons.com>
Subject: Re: outgoing LAN traffic always in "keep state"

Kian Mohageri wrote:
> On 6/18/06, *Ronnel P. Maglasang* wrote:
>
>     I have the nat function enabled, and also tried enabling rdr and
>     binat. Are you saying the "keep state" functionality depends on
>     these 3?
>
> No, but translation rules create states according to pf.conf(5):
>
> "Note: nat, binat and rdr rules implicitly create state for connections."
>
> Check out the 'state-policy' option (if-bound). I think it's what
> you're looking for.

I think the implementation and the documentation do not match well on
this. I've looked at the PF online documentation at
http://www.openbsd.org/faq/pf/nat.html and it says that translated packets
still go to the ruleset evaluation. You're correct that nat and translation
rules implicitly create states; I can see the states with the 'pfctl -sa'
command.

What I'm looking for is the ability to configure PF such that reply packets
for packets originated on the LAN, or all packets arriving on the external
interface, go to the ruleset evaluation (for rules on the external
interface) and match a rule, even if a state exists. The global run-time
'state-policy' option does not help; I've tried setting all the values. I
think this is used in conjunction with the "keep state" enabled on a rule.

One note: I observe that reply packets can match a rule(s) on the internal
interface.

> A few other things to mention. I'm pretty sure you can only have one
> loginterface. I'd suggest making it your external one.
> You can, instead of passing quick on lo0, just 'set skip on lo0' so pf
> doesn't process those packets at all...

Thanks for your suggestions on these.

> -Kian
From owner-freebsd-pf@FreeBSD.ORG Tue Jun 20 11:00:41 2006
Date: Tue, 20 Jun 2006 11:00:41 GMT
Message-Id: <200606201100.k5KB0fJR058602@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Maciej Wierzbicki
Subject: Re: bin/96150: pfctl(8) -k non-functional

The following reply was made to PR bin/96150; it has been noted by GNATS.
From: Maciej Wierzbicki
To: bug-followup@FreeBSD.org, james@jlauser.net
Subject: Re: bin/96150: pfctl(8) -k non-functional
Date: Tue, 20 Jun 2006 13:00:19 +0200

pfctl -k works without any problem on either 6.1-RELEASE-p1 or several
5.4/5.5 machines. Most probably the originator tried to use -k with
"external" hosts, not local ones. In that case he should use
pfctl -k host -k host as described in the manpage:

    /* To kill all of the state entries from host1 to host2:
       # pfctl -k host1 -k host2 */

So, in case there are two states:

    self tcp A.B.C.D:22 <- A1.B1.C.D:60361   ESTABLISHED:ESTABLISHED
    self tcp A.B.C.D:22 <- A2.B2.C.D:50120   ESTABLISHED:ESTABLISHED

pfctl -k A.B.C.D will kill both, while pfctl -k A.B.C.D -k A1.B1.C.D will
kill the first one only.

--
* Maciej Wierzbicki * At paranoia's poison door *
* VOO1-RIPE *

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 21 09:10:59 2006
Date: Wed, 21 Jun 2006 13:10:54 +0400
From: "Roman Gorohov."
Message-ID: <1559453030.20060621131054@gmail.com>
To: freebsd-pf@freebsd.org
Reply-To: "roma.a.g"
Subject: transparent proxy on bridge

Hello list.

I'm planning to configure pf in a bridged environment (using if_bridge on
6.1), so I have a question: will a transparent proxy work? Is there any
working config, or some known issues?

TIA, Roman Gorohov.

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 21 09:46:29 2006
Date: Wed, 21 Jun 2006 04:46:27 -0500
From: "Travis H."
To: "Ronnel P. Maglasang"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <44968D8C.5010606@infoweapons.com>
References: <44960900.4000406@infoweapons.com> <44963DCA.8030800@infoweapons.com> <44968D8C.5010606@infoweapons.com>
Subject: Re: outgoing LAN traffic always in "keep state"

On 6/19/06, Ronnel P. Maglasang wrote:
> One note: I observe that reply packets can match a rule(s) on the
> internal interface.

When it passes through the firewall and out towards the LAN, right?

> > #normalize outgoing packets IP ID field
> > scrub log on vr0 all random-id fragment reassemble

Aside: doesn't scrubbing create a state?

This doesn't look like a dump from pfctl, since it has macros in it. Can
you double-check the active ruleset and make sure it is equivalent to what
you have in your config file?

    pfctl -s rules

I notice that your list macros $lan and $wan have just one element in them.
This is illegal syntax on OpenBSD, so maybe your ruleset isn't loading due
to the syntax and hence packets are being evaluated against an old ruleset,
maybe the default.

Another handy thing is to run "pfctl -s rules -v -v" twice, with a decent
delay in between, and see what rules are getting evaluated.

PS: Please don't top-post.
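An added example (not part of the thread, and not anyone's posted code) of the second check Travis suggests: capture `pfctl -s rules -vv` twice with a delay and compare the per-rule counters. The two captures below are constructed to look like pfctl output for Ronnel's ruleset, with the macros expanded the way pfctl prints them; the counter values are invented.

```shell
#!/bin/sh
# Added example: diff two captures of `pfctl -s rules -vv` taken some time
# apart and report, per rule, how many evaluations and matched packets pf
# counted in between. A rule that shows +0 packets while traffic it should
# match was flowing is a sign that those packets were handled by the state
# table (or by an earlier quick rule) and never matched it.
#
# On a real box:  pfctl -s rules -vv > /tmp/r1; sleep 60;
#                 pfctl -s rules -vv > /tmp/r2; rule_delta /tmp/r1 /tmp/r2

# rule_delta BEFORE AFTER
# Prints one line per rule: "<rule>\t+<evals> evals\t+<packets> packets".
# Counters that went backwards mean the ruleset was reloaded between the
# captures, so the delta is meaningless and is flagged instead.
rule_delta() {
    awk '
        # With -vv each rule is printed as "@N <rule text>", followed by an
        # indented "[ Evaluations: .. Packets: .. Bytes: .. States: .. ]" line.
        /^@[0-9]+ / { rule = $0; next }
        $1 == "[" && $2 == "Evaluations:" && rule != "" {
            if (FNR == NR) {                     # first capture: remember
                ev[rule] = $3; pk[rule] = $5
            } else if (!(rule in ev)) {
                printf "%s\t(not in first capture)\n", rule
            } else if ($3 < ev[rule] || $5 < pk[rule]) {
                printf "%s\t(counters reset, ruleset reloaded?)\n", rule
            } else {
                printf "%s\t+%d evals\t+%d packets\n", rule,
                       $3 - ev[rule], $5 - pk[rule]
            }
            rule = ""
        }
    ' "$1" "$2"
}

# unmatched_rules BEFORE AFTER: the rules that matched no packet at all
# during the interval, whether or not pf evaluated them.
unmatched_rules() {
    rule_delta "$1" "$2" | awk -F'\t' '$3 == "+0 packets" { print $1 }'
}

# Constructed sample captures (not real pfctl output).
BEFORE=$(mktemp "${TMPDIR:-/tmp}/pfrules.XXXXXX")
AFTER=$(mktemp "${TMPDIR:-/tmp}/pfrules.XXXXXX")
trap 'rm -f "$BEFORE" "$AFTER"' EXIT
cat > "$BEFORE" <<'EOF'
@0 pass in quick on lo0 all
  [ Evaluations: 1500      Packets: 120       Bytes: 8000        States: 0     ]
@1 pass in log quick on em0 inet proto tcp from 20.0.0.0/8 to 10.3.2.19
  [ Evaluations: 1380      Packets: 400       Bytes: 300000      States: 0     ]
@2 pass in log quick on vr0 inet proto tcp from 10.3.2.19 to 10.10.0.161
  [ Evaluations: 980       Packets: 0         Bytes: 0           States: 0     ]
@3 block drop in log quick all
  [ Evaluations: 980       Packets: 60        Bytes: 4000        States: 0     ]
EOF
cat > "$AFTER" <<'EOF'
@0 pass in quick on lo0 all
  [ Evaluations: 1700      Packets: 130       Bytes: 8700        States: 0     ]
@1 pass in log quick on em0 inet proto tcp from 20.0.0.0/8 to 10.3.2.19
  [ Evaluations: 1570      Packets: 560       Bytes: 340000      States: 0     ]
@2 pass in log quick on vr0 inet proto tcp from 10.3.2.19 to 10.10.0.161
  [ Evaluations: 1010      Packets: 0         Bytes: 0           States: 0     ]
@3 block drop in log quick all
  [ Evaluations: 1010      Packets: 90        Bytes: 6000        States: 0     ]
EOF

rule_delta "$BEFORE" "$AFTER"
echo "--- rules that matched nothing in the interval:"
unmatched_rules "$BEFORE" "$AFTER"
```

In the sample, the inbound vr0 rule for 10.3.2.19 is evaluated by unrelated packets but matches nothing, which is the symptom Ronnel describes: the replies are passed by the state entry before any rule is consulted.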
-- "I sometimes have delusions of adequacy" -- Woody Allen Security "guru" for rent or hire - http://www.lightconsulting.com/~travis/ -><- GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484 From owner-freebsd-pf@FreeBSD.ORG Wed Jun 21 10:01:54 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 64CAB16A4A7 for ; Wed, 21 Jun 2006 10:01:54 +0000 (UTC) (envelope-from mv@thebeastie.org) Received: from p4.roq.com (ns1.ecoms.com [207.44.130.137]) by mx1.FreeBSD.org (Postfix) with ESMTP id 97C6B43DCB for ; Wed, 21 Jun 2006 10:01:03 +0000 (GMT) (envelope-from mv@thebeastie.org) Received: from p4.roq.com (localhost.roq.com [127.0.0.1]) by p4.roq.com (Postfix) with ESMTP id E355F4CD35 for ; Wed, 21 Jun 2006 10:01:21 +0000 (GMT) Received: from vaulte.jumbuck.com (ppp166-27.static.internode.on.net [150.101.166.27]) by p4.roq.com (Postfix) with ESMTP id 8795B4C973 for ; Wed, 21 Jun 2006 10:01:21 +0000 (GMT) Received: from vaulte.jumbuck.com (localhost [127.0.0.1]) by vaulte.jumbuck.com (Postfix) with ESMTP id 0BCE78A029; Wed, 21 Jun 2006 20:00:59 +1000 (EST) Received: from [192.168.46.102] (unknown [192.168.46.250]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by vaulte.jumbuck.com (Postfix) with ESMTP id F38CC8A023; Wed, 21 Jun 2006 20:00:58 +1000 (EST) Message-ID: <449918DA.1060308@thebeastie.org> Date: Wed, 21 Jun 2006 20:00:58 +1000 
From: Michael Vince
To: "roma.a.g"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <1559453030.20060621131054@gmail.com>
Subject: Re: transparent proxy on bridge

Roman Gorohov. wrote:
> Hello list.
> I'm planning to configure pf in a bridged environment (using if_bridge on 6.1),
> so I have a question: will a transparent proxy work?
> Is there any working config, or some known issues?
>
> TIA, Roman Gorohov.
>
> _______________________________________________

What kind of transparent proxy are we talking here, web? I guess most people would recommend squid. Out of interest I tested out the new proxy modules for Apache 2.0 and 2.2 as a proxy and it does work quite well; it has a fair amount of options for cache size and what types to cache and expire.

My main aim for it was just to run it in the office for a while and have a strict rule to just cache stuff 1 meg or larger. To me it seems silly and a waste of CPU / HD / IO on the proxy server if you bother caching 10k files while everyone in the office is downloading OpenOffice and Firefox all day.

I would have liked to try it in production if I could figure out how to run it transparently, let alone on a bridge, but I couldn't quite get there.
Mike

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 21 13:39:26 2006
Message-ID: <44994C05.7050007@gmail.com>
Date: Wed, 21 Jun 2006 16:39:17 +0300
From: "N. Ersen SISECI"
To: freebsd-pf@FreeBSD.org
Subject: PF and tcpdump Label Patch

Hello,

I wrote a patch for PF to log "label" names like IPF's log-tag option. PF already has a label option to mark rules in `pfctl -sr`, but it does not write labels to the log file, which is very useful to match log entries to rules or groups of rules created by lists (pass from any to any port {10,20,30,40} label "passing_ports" etc.).

For example:

pass in log quick all keep state label MAIN_RULE

So the log line looks like this:

2006-06-21 18:26:06.969874 rule 67/0(match): pass in on bge0: label MAIN_RULE: 192.168.9.99.53568 > 66.249.85.99.80: S ...

To properly use tcpdump to display log entries from the pflog0 interface, tcpdump has to be patched also. Since the above patch changes a struct in pflog, without patching tcpdump the logged packets appear truncated.

I tested both patches in FreeBSD 5.4 and FreeBSD 6.0. I attached both patches.

Sincerely,
N. Ersen SISECI
http://www.enderunix.org

Content-Disposition: inline; filename="pf.patch"

--- if_pflog.h.org Wed Apr 5 10:10:56 2006 +++ if_pflog.h Wed Apr 5 09:26:31 2006
@@ -40,6 +40,12 @@ #define PF_RULESET_NAME_SIZE 16 #endif +#ifndef PF_RULE_LABEL_SIZE +#define PF_RULE_LABEL_SIZE 64 +#endif + +#define PF_LOG_LABEL + struct pfloghdr { u_int8_t length; sa_family_t af; @@ -50,6 +56,9 @@ u_int32_t rulenr; u_int32_t subrulenr; u_int8_t dir; +#ifdef PF_LOG_LABEL + char label[PF_RULE_LABEL_SIZE]; +#endif u_int8_t pad[3]; }; --- if_pflog.c.org Wed Apr 5 10:10:52 2006 +++ if_pflog.c Wed Apr 5 10:47:01 2006 @@ -296,6 +296,7 @@ hdr.action = rm->action; hdr.reason = reason; memcpy(hdr.ifname, kif->pfik_name, sizeof(hdr.ifname)); + memcpy(hdr.label, rm->label, sizeof(rm->label)); if (am == NULL) { hdr.rulenr = htonl(rm->nr); --------------070404010607040601040006 Content-Type: text/plain; name="tcpdump.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="tcpdump.patch" --- pf.h.org Wed Apr 5 10:15:22 2006 +++ pf.h Wed Apr 5 10:18:15 2006 @@ -55,6 +55,8 @@ } #define PF_RULESET_NAME_SIZE 16 +#define PF_RULE_LABEL_SIZE 64 + /* from $OpenBSD: if_pflog.h,v 1.9 2003/07/15 20:27:27 dhartmei Exp $ */ @@ -62,6 +64,8 @@ #define IFNAMSIZ 16 #endif +#define PF_LOG_LABEL + struct pfloghdr { u_int8_t length; sa_family_t af; @@ -72,6 +76,9 @@ u_int32_t rulenr; u_int32_t subrulenr; u_int8_t dir; +#ifdef PF_LOG_LABEL + char label[PF_RULE_LABEL_SIZE]; +#endif u_int8_t pad[3]; }; #define PFLOG_HDRLEN sizeof(struct pfloghdr) --- print-pflog.c.org Wed Apr 5 10:15:31 2006 +++ print-pflog.c Wed Apr 5 10:17:44 2006 
@@ -81,11 +81,20 @@ printf("rule %u.%s.%u/", ntohl(hdr->rulenr), hdr->ruleset, ntohl(hdr->subrulenr)); - printf("%s: %s %s on %s: ", +#ifndef PF_LOG_LABEL + printf("%s: %s %s on %s:", tok2str(pf_reasons, "unkn(%u)", hdr->reason), tok2str(pf_actions, "unkn(%u)", hdr->action), tok2str(pf_directions, "unkn(%u)", hdr->dir), hdr->ifname); +#else + printf("%s: %s %s on %s: label %s: ", + tok2str(pf_reasons, "unkn(%u)", hdr->reason), + tok2str(pf_actions, "unkn(%u)", hdr->action), + tok2str(pf_directions, "unkn(%u)", hdr->dir), + hdr->ifname, + hdr->label); +#endif } u_int

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 22 15:53:51 2006
Message-ID: <449ABD0B.2040706@alinto.net>
Date: Thu, 22 Jun 2006 17:53:47 +0200
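Review bot: the if_pflog.h hunk guards the new size with `#ifndef PF_RULE_LABEL_SIZE` / `#define PF_RULE_LABEL_SIZE 64`, while the tcpdump pf.h hunk defines the same constant unconditionally; if pf's own headers supply a different value on some release, the kernel and tcpdump disagree on `sizeof(struct pfloghdr)` and pflog output comes out truncated again, exactly the symptom the cover letter describes. Both sides should take the value from one place (or at least carry a compile-time check that `sizeof(hdr.label)` equals the pf rule label size). Inserting a 64-byte member into `struct pfloghdr` also changes the header every pflog consumer reads, so any tool that hard-codes the old `PFLOG_HDRLEN` instead of honouring `hdr->length` breaks; that deserves a sentence in the patch description.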
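Review bot: in the if_pflog.c hunk, `memcpy(hdr.label, rm->label, sizeof(rm->label));` sizes the copy by the source rather than the destination; if `rm->label` is ever larger than `hdr.label`, the copy overruns the header into `pad` and beyond. Mirror the `ifname` line directly above it and copy `sizeof(hdr.label)` bytes, or use `strlcpy(hdr.label, rm->label, sizeof(hdr.label));` so the field is also guaranteed NUL-terminated for the printer. The copy is not wrapped in `#ifdef PF_LOG_LABEL` although the struct member it writes is, so removing the define from the header leaves this file failing to compile.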
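Review bot: in the print-pflog.c hunk the `#ifndef PF_LOG_LABEL` branch changes the format string from the removed `"%s: %s %s on %s: "` to `"%s: %s %s on %s:"`, dropping the trailing space, so a tcpdump built without the label support prints the interface name glued to the address that follows; the original string should be kept there unchanged. In the `#else` branch `hdr->label` is printed with `%s` straight from a fixed 64-byte field that arrives off the wire with no guarantee of NUL termination; print it with `"%.*s"` and `(int)sizeof(hdr->label)`, or copy it into a NUL-terminated local buffer first, so a full-length label cannot make the printer read past the header.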
From: Sébastien AVELINE
To: freebsd-pf@freebsd.org
Subject: pf and policy routing

Hi,

I would like to have some advice on pf. I'd like to use pf for clustering a firewall and using pfsync. Actually I use a Linux box to do this. The problem is that I have specific rules for routing with iproute2 because I have a lot of different subnets with multi-homing. It seems that FreeBSD supports policy routing only with ipfw.

My question is: is it possible to use ipfw just for policy routing and pf just for packet filtering?

For example, I want to do something like this:

I have a default gateway (a), but if I receive a packet from subnet (c) to subnet (d) --> use another default gateway (y);
a packet from subnet (a) to subnet (x) --> use another default gateway (y).

I wonder if pf's route-to is good for my example, or if I should try something else like ipfw for routing and pf for firewalling, as I said above. Actually I'm using FreeBSD 6.1 for some tests.

Thanks for your answers.
Sebastien AVELINE

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 22 16:28:33 2006
Date: Thu, 22 Jun 2006 19:00:58 +0300
From: "Huzeyfe Onal"
To: Sébastien AVELINE
Cc: freebsd-pf@freebsd.org
In-Reply-To: <449ABD0B.2040706@alinto.net>
Subject: Re: pf and policy routing

Hi,

you can use PF's route-to option for policy routing.

On 6/22/06, Sébastien AVELINE wrote:
> Hi,
>
> I would like to have some advice on pf. I'd like to use pf for
> clustering a firewall and using pfsync.
> Actually I use a Linux box to do this. The problem is that I have
> specific rules for routing with iproute2 because I have a lot of
> different subnets with multi-homing. It seems that FreeBSD supports
> policy routing only with ipfw.
> My question is: is it possible to use ipfw just for policy routing and
> pf just for packet filtering?
> For example, I want to do something like this:
>
> I have a default gateway (a), but if I receive a packet from subnet (c) to
> subnet (d) --> use another default gateway (y);
> a packet from subnet (a) to subnet (x) --> use another default gateway (y).
>
> I wonder if pf's route-to is good for my example, or if I should try
> something else like ipfw for routing and pf for firewalling, as I said
> above. Actually I'm using FreeBSD 6.1 for some tests.
>
> Thanks for your answers.
>
> Sebastien AVELINE

--
Huzeyfe ÖNAL
+90 505 5260064
---
Have you joined the Network Security mailing list? http://www.huzeyfe.net/netsec.html

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 22 16:31:59 2006
Message-ID: <449AC5F8.9000905@alinto.net>
Date: Thu, 22 Jun 2006 18:31:52 +0200
From: Sébastien AVELINE
To: freebsd-pf@freebsd.org
References: <449ABD0B.2040706@alinto.net>
Subject: Re: pf and policy routing

Thanks for your answer, but what do you think of using ipfw for routing policy and pf for firewalling: is it possible?

Huzeyfe Onal wrote:
> Hi,
>
> you can use PF's route-to option for policy routing.
>
> On 6/22/06, Sébastien AVELINE wrote:
> > Hi,
> >
> > I would like to have some advice on pf. I'd like to use pf for
> > clustering a firewall and using pfsync.
> > Actually I use a Linux box to do this. The problem is that I have
> > specific rules for routing with iproute2 because I have a lot of
> > different subnets with multi-homing. It seems that FreeBSD supports
> > policy routing only with ipfw.
> > My question is: is it possible to use ipfw just for policy routing and
> > pf just for packet filtering?
> > For example, I want to do something like this:
> >
> > I have a default gateway (a), but if I receive a packet from subnet (c) to
> > subnet (d) --> use another default gateway (y);
> > a packet from subnet (a) to subnet (x) --> use another default gateway (y).
> >
> > I wonder if pf's route-to is good for my example, or if I should try
> > something else like ipfw for routing and pf for firewalling, as I said
> > above. Actually I'm using FreeBSD 6.1 for some tests.
> >
> > Thanks for your answers.
> >
> > Sebastien AVELINE

--
Sébastien AVELINE
saveline@alinto.net
Operations Deputy
15 quai Tilsitt - 69002 LYON
>>> www.alinto.net - The messaging reflex <<<

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 22 16:36:27 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Thu, 22 Jun 2006 18:36:18 +0200
In-Reply-To: <449ABD0B.2040706@alinto.net>
Message-Id: <200606221836.24040.max@love2party.net>
Subject: Re: pf and policy routing

On Thursday 22 June 2006 17:53, Sébastien AVELINE wrote:
> I would like to have some advice on pf. I'd like to use pf for
> clustering a firewall and using pfsync.
> Actually I use a Linux box to do this. The problem is that I have
> specific rules for routing with iproute2 because I have a lot of
> different subnets with multi-homing. It seems that FreeBSD supports
> policy routing only with ipfw.
> My question is: is it possible to use ipfw just for policy routing and
> pf just for packet filtering?
> For example, I want to do something like this:
>
> I have a default gateway (a), but if I receive a packet from subnet (c) to
> subnet (d) --> use another default gateway (y);
> a packet from subnet (a) to subnet (x) --> use another default gateway (y).
>
> I wonder if pf's route-to is good for my example, or if I should try
> something else like ipfw for routing and pf for firewalling, as I said
> above. Actually I'm using FreeBSD 6.1 for some tests.
>
> Thanks for your answers.

http://openbsd.org/faq/pf/pools.html#outgoing

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 22 17:52:37 2006
From: "Greg Hennessy"
To: 'Sébastien AVELINE'
Date: Thu, 22 Jun 2006 18:18:24 +0100
Message-ID: <000b01c6961f$de54f4a0$0a00a8c0@thebeast>
In-Reply-To: <449AC5F8.9000905@alinto.net>
Subject: RE: pf and policy routing

> Thanks for your answer, but what do you think of using ipfw
> for routing policy and pf for firewalling: is it possible?

With two active packet filters in the system, I would not like to be the one trying to debug problems.

One can do policy based routing in PF using route-to.
Greg

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 23 17:05:17 2006
Message-ID: <449AE9B9.1030703@int-evry.fr>
Date: Thu, 22 Jun 2006 19:04:25 +0000
From: Florent Thiery
To: freebsd-pf@freebsd.org
Cc: Olivier PAUL, Soufiane BENJILLALI
Subject: Anti-DoS QoS with altq

Hi,

I'm wondering how to make altq use 2 queues defined as follows:

- the first one is the "attackers" queue, and should be defined by a static file containing IP addresses, filled by another program. RED should be used on this queue (every client in this queue should have the same priority);

- the second one is the "normal clients" queue, which should have the best effort possible (again, every client in this queue should have the same priority); I don't know which scheduler to use...

The only traffic considered (as of now) is web traffic. The end purpose of this is anti-DoS QoS on a web server (80 and 8080 at the same time). I have a running web server and traffic generator, and a FreeBSD 6.1 gateway with a custom kernel (altq + pf options enabled).

webserver --100 MB link-- gateway --1 Gb link-- traffic generator
machine 1                 freebsd                machine 1

My purpose is to know the best combination in order to get the best service possible for normal clients, and the rest of the bandwidth should go to attackers (in case any of them are false positives).
I don't know how to manage:

- the IP file part (altq-file interconnection);
- the schedulers part: I'm going to test them (httperf); are there some altq-dedicated benchmarking tools (which, ideally, would change QoS options sequentially)?
- how to benchmark, store and plot the results... (I guess it will be shell scripting, watch, grep, wc, pipes etc.)

Thanks in advance for your help. If there is an IRC channel or anybody OK to discuss with me (messaging or mail), please contact me.

Regards,
Florent

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 23 18:05:51 2006
Message-ID: <449C2D70.3080804@gmail.com>
Date: Fri, 23 Jun 2006 22:05:36 +0400
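One way to lay out the two queues Florent describes, as an editor's pf.conf illustration that is not from the thread: the attacker list lives in a pf table loaded from a file the detector rewrites, and the queues sit on the interface the request packets leave through. Interface names, addresses, the cbq scheduler and the 90/10 split are assumptions.

```pf
# Editor's example for the two-queue anti-DoS layout described above.
# Names, addresses, scheduler choice and bandwidth split are assumptions.
srv_if    = "em1"                 # 100 Mb link towards the web server
wan_if    = "em0"                 # 1 Gb link towards the clients / traffic generator
web       = "192.0.2.10"
web_ports = "{ 80, 8080 }"

# One address or network per line, written by the external detector.
# Reload it without reloading the ruleset:
#   pfctl -t attackers -T replace -f /etc/pf.attackers
table <attackers> persist file "/etc/pf.attackers"

# altq lives on the interface the requests go OUT of, i.e. towards the server.
altq on $srv_if cbq bandwidth 100Mb queue { q_normal, q_attack }
queue q_normal bandwidth 90% priority 5 cbq(default borrow)
queue q_attack bandwidth 10% priority 1 cbq(red)

# Suspected attackers are matched first (quick); the queue named on the rule is
# remembered in the state, so every later packet of that connection is put in
# the same queue when it leaves $srv_if. Everyone else gets q_normal.
pass in quick on $wan_if proto tcp from <attackers> to $web port $web_ports \
     flags S/SA keep state queue q_attack
pass in quick on $wan_if proto tcp from any to $web port $web_ports \
     flags S/SA keep state queue q_normal
```

Because false positives still reach the server through q_attack, dropping the borrow option on that queue (as above) is what keeps attackers from taking idle bandwidth away from q_normal during a burst.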
From: thecoba@gmail.com
To: freebsd-pf@freebsd.org
In-Reply-To: <20060623120047.7905C16A567@hub.freebsd.org>
Subject: Re: pf and policy routing

I'm using PF with policy routing (route-to), it works great. I'd also suggest you run only one firewall on your system, and I also suggest PF. :-)

> From: "Huzeyfe Onal"
> Subject: Re: pf and policy routing
>
> Hi,
>
> you can use PF's route-to option for policy routing.

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 24 23:28:54 2006
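The route-to approach that Huzeyfe, Max, Greg and thecoba all point to, written out for Sébastien's two cases as an editor's pf.conf illustration (not from any of the posts). Interface names, the subnets and the gateway address are assumptions; the lettered names follow the question.

```pf
# Editor's example of pf route-to for the two cases in the thread.
# Interface names, networks and the gateway address are assumptions.
int_if = "em0"                 # LAN side, where packets from subnets (a) and (c) arrive
ext_if = "em1"                 # towards the system default gateway (a)
alt_if = "em2"                 # towards the alternative gateway (y)

subnet_a = "10.1.0.0/16"
subnet_c = "10.3.0.0/16"
subnet_d = "192.0.2.0/24"
subnet_x = "198.51.100.0/24"
gw_y     = "203.0.113.1"       # next hop reachable through $alt_if

block all

# route-to overrides the routing table only for packets these two rules pass;
# everything else still follows the kernel default route via gateway (a).
# keep state is what lets the replies arriving on $alt_if match the state
# instead of needing a rule of their own.
pass in quick on $int_if route-to ($alt_if $gw_y) inet from $subnet_c to $subnet_d keep state
pass in quick on $int_if route-to ($alt_if $gw_y) inet from $subnet_a to $subnet_x keep state
pass in quick on $int_if inet from { $subnet_a, $subnet_c } to any keep state

# Outbound on both uplinks; the states created above already cover the
# forwarded packets, these rules are for traffic the gateway originates itself.
pass out on $ext_if keep state
pass out on $alt_if keep state
```

Check the loaded result with `pfctl -s rules` and, after generating some traffic, confirm with `pfctl -s state` that connections from subnet (c) to (d) show up as states rather than matching the catch-all rule on every packet.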
From: "Kerry Jean"
Date: Sun, 25 Jun 2006 00:28:49 +0100
Subject: REDIRECTING using the NAT table

Hi,

I am new to FreeBSD and PF but was wondering how I could do, using PF, a rule from iptables on Linux.

The rule using iptables in Linux is:

iptables -t nat -A PREROUTING -p udp --dport 3322 -j REDIRECT --to-ports 3323

I would like to know how you perform the same operation using PF.

Any advice would be very appreciated.

Anthony
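The pf counterpart of that iptables REDIRECT rule, added here by the editor rather than taken from a reply in the thread. REDIRECT keeps the host's own address as the destination and only rewrites the port, which in pf is an rdr rule; the interface name is an assumption.

```pf
# Editor's example: pf equivalent of
#   iptables -t nat -A PREROUTING -p udp --dport 3322 -j REDIRECT --to-ports 3323
# The interface name is an assumption.
ext_if = "em0"

# Rewrite the destination port of UDP datagrams addressed to this host on 3322
# to 3323, leaving the destination address (the interface's own) unchanged.
rdr on $ext_if inet proto udp from any to ($ext_if) port 3322 -> ($ext_if) port 3323

# Translation happens before filtering, so the pass rule sees (and must name)
# the rewritten port 3323, not the port the client sent to.
pass in on $ext_if inet proto udp from any to ($ext_if) port 3323 keep state
```

`pfctl -s nat` shows the loaded rdr rule, and `pfctl -s state` lists a translated entry per client once datagrams arrive.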