From owner-freebsd-pf@FreeBSD.ORG  Sun Apr  1 12:44:28 2007
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id A181416A403
	for <freebsd-pf@freebsd.org>; Sun,  1 Apr 2007 12:44:28 +0000 (UTC)
	(envelope-from moisadoru@gmail.com)
Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.169])
	by mx1.freebsd.org (Postfix) with ESMTP id 33B5D13C4C1
	for <freebsd-pf@freebsd.org>; Sun,  1 Apr 2007 12:44:27 +0000 (UTC)
	(envelope-from moisadoru@gmail.com)
Received: by ug-out-1314.google.com with SMTP id 71so1344659ugh
	for <freebsd-pf@freebsd.org>; Sun, 01 Apr 2007 05:44:27 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta;
	h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type;
	b=agz7ATP9Jm+cmOxB+x+hhEDXtfg7ObZ45K12pXC+nwFQ5j9nZ4so1+l8O9hz9FTc/6bhlfGH7kzzRV35YY3UPY+k16gy9dTTmjDwopzOglBSUbZZOLuFnNVQa9whRKmxDkqmWLjqgLmq+DRNHl2f1PlAlnM4J+iVqEG9BYYxpwA=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta;
	h=received:message-id:date:from:to:subject:mime-version:content-type;
	b=bnvsmSqw565asG10g3PVpjL/J4tsn8DYChkKoqYIihCBvSjNVBkS1fDnNiaFBBAwdxOnGp/XZ7oP4Yd0Vyx6svFsC287ISP+EuN8pVWJ0MWui3L9++Zn6DHBXie5Fl5JSs3LrUnBTREwJUl5BboktZsbDvC+l/r3C9Sr5OAiNA4=
Received: by 10.78.171.13 with SMTP id t13mr1315263hue.1175429958059;
	Sun, 01 Apr 2007 05:19:18 -0700 (PDT)
Received: by 10.78.31.7 with HTTP; Sun, 1 Apr 2007 05:19:18 -0700 (PDT)
Message-ID: <1b6d3f540704010519q78a37ee8sd60f8aeb7200a713@mail.gmail.com>
Date: Sun, 1 Apr 2007 15:19:18 +0300
From: "Moisa Teodor" <moisadoru@gmail.com>
To: freebsd-pf@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: home multipurpose gateway/router/server setup help
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Apr 2007 12:44:28 -0000

Hello,

I wanted to set up a multipurpose server/gateway/router with an old PC, but
ran into some trouble.

I have an internet connection from a local ISP (it's not cable or ADSL, it's
ethernet) and a couple of home computers. The ISP has a little program that
needs to run continuously in the background (it connects to one of my ISP's
servers on port 2400). If that program does not run, I cannot go through the
ISP's gateway. In the past I had another box with Smoothwall Linux, but the
motherboard crashed. Anyway, on that box I was able to do the trick.

I have installed FreeBSD. Both network cards are working (sis0 and pcn0). I
run the ISP's software and I have internet access. Good. But I want to share
this internet connection with my home LAN. I read somewhere that I need to
recompile the kernel and enable packet filtering and firewall (the tutorial I
used is located here: http://www.lugbe.ch/lostfound/contrib/freebsd_router/).
However, when I reboot with the new kernel I cannot connect to any network,
neither the ISP's nor my home LAN.

I want to use this box as a gateway/router/firewall for my home LAN, and
also run some services like a web server for my projects, etc.

Thanks a lot for your help, and keep up the good work
Doru Moisa

From owner-freebsd-pf@FreeBSD.ORG  Mon Apr  2 11:08:15 2007
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@FreeBSD.org
Delivered-To: freebsd-pf@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 6F18816A4EB
	for <freebsd-pf@FreeBSD.org>; Mon,  2 Apr 2007 11:08:15 +0000 (UTC)
	(envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40])
	by mx1.freebsd.org (Postfix) with ESMTP id 5EE6413C4B0
	for <freebsd-pf@FreeBSD.org>; Mon,  2 Apr 2007 11:08:15 +0000 (UTC)
	(envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (linimon@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l32B8F0l052217
	for <freebsd-pf@FreeBSD.org>; Mon, 2 Apr 2007 11:08:15 GMT
	(envelope-from owner-bugmaster@FreeBSD.org)
Received: (from linimon@localhost)
	by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l32B8EHe052213
	for freebsd-pf@FreeBSD.org; Mon, 2 Apr 2007 11:08:14 GMT
	(envelope-from owner-bugmaster@FreeBSD.org)
Date: Mon, 2 Apr 2007 11:08:14 GMT
Message-Id: <200704021108.l32B8EHe052213@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: linimon set sender to
	owner-bugmaster@FreeBSD.org using -f
From: FreeBSD bugmaster <bugmaster@FreeBSD.org>
To: freebsd-pf@FreeBSD.org
Cc: 
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Apr 2007 11:08:15 -0000

Current FreeBSD problem reports
Critical problems
Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/110698  pf         nat rule of pf without "on" clause causes invalid pack

3 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
f conf/81042   pf         [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
o kern/103304  pf         [pf] pf accepts nonexistent queue in rules
o kern/106400  pf         [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
o kern/110174  pf         [pf] pf pass route-to does not assign correct IP for t
o conf/110838  pf         tagged parameter on nat not working

7 problems total.


From owner-freebsd-pf@FreeBSD.ORG  Mon Apr  2 15:27:30 2007
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id A87F616A403
	for <freebsd-pf@freebsd.org>; Mon,  2 Apr 2007 15:27:30 +0000 (UTC)
	(envelope-from peter@bsdly.net)
Received: from skapet.datadok.no (skapet.datadok.no [194.54.107.19])
	by mx1.freebsd.org (Postfix) with ESMTP id 6610113C46A
	for <freebsd-pf@freebsd.org>; Mon,  2 Apr 2007 15:27:30 +0000 (UTC)
	(envelope-from peter@bsdly.net)
Received: from thingy.datadok.no
	([194.54.103.97] helo=thingy.datadok.no.bsdly.net ident=peter)
	by skapet.datadok.no with esmtp (Exim 4.62)
	(envelope-from <peter@bsdly.net>) id 1HYO0J-0008UE-Qj
	for freebsd-pf@freebsd.org; Mon, 02 Apr 2007 16:59:31 +0200
To: freebsd-pf@freebsd.org
References: <1b6d3f540704010519q78a37ee8sd60f8aeb7200a713@mail.gmail.com>
From: peter@bsdly.net (Peter N. M. Hansteen)
Date: Mon, 02 Apr 2007 16:59:30 +0200
In-Reply-To: <1b6d3f540704010519q78a37ee8sd60f8aeb7200a713@mail.gmail.com>
	(Moisa Teodor's message of "Sun, 1 Apr 2007 15:19:18 +0300")
Message-ID: <87bqi63jql.fsf@thingy.datadok.no>
User-Agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4.19 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Subject: Re: home multipurpose gateway/router/server setup help
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Apr 2007 15:27:30 -0000

"Moisa Teodor" <moisadoru@gmail.com> writes:

> I read somewhere that I need to recompile
> the kernel and enable packet filtering and firewall (the tutorial I used is
> located here http://www.lugbe.ch/lostfound/contrib/freebsd_router/).

That article describes FreeBSD 5.1, which probably means it's a couple
of years old at least.  Also, it describes IPFW, which is a bit more
cumbersome to config than PF.  Unless I'm terribly mistaken, running
PF on recent FreeBSDs does not require a kernel recompile.  

My suggestion is that if you want to run PF on your FreeBSD box,
you're better off browsing http://home.nuug.no/~peter/pf/, and you'll
figure out rather easily what you need to do. (Yes, that's a tutorial
I wrote and update occasionally).

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

From owner-freebsd-pf@FreeBSD.ORG  Mon Apr  2 16:03:12 2007
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 5324B16A404
	for <freebsd-pf@freebsd.org>; Mon,  2 Apr 2007 16:03:12 +0000 (UTC)
	(envelope-from moisadoru@gmail.com)
Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.174])
	by mx1.freebsd.org (Postfix) with ESMTP id 0DB2413C455
	for <freebsd-pf@freebsd.org>; Mon,  2 Apr 2007 16:03:10 +0000 (UTC)
	(envelope-from moisadoru@gmail.com)
Received: by ug-out-1314.google.com with SMTP id 71so1672311ugh
	for <freebsd-pf@freebsd.org>; Mon, 02 Apr 2007 09:03:08 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta;
	h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references;
	b=RZ+nde/592+UK2Of2+2JUGDx2YslVaL/1/vBCS3/qiMU7i3hwFxsitAiHlPS+ipmHdzUWfQpN3m4abmub9x1zOKsaf7qmtSFyKi5yIsfqj3GD6zhFywe7uZsrKe6ZoUPHOwvO0QydTWtumx8Oe/30SYkmod5RuLJi+gJfxX0fQA=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta;
	h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references;
	b=LQaPSOBLB8bgguOnz19n8i2V3Ru037Zpflgt6vpfmwcfxOk5A7M0o38n8YZBp1PTOXwUoD+I0B+GEizOzN1BHViXOGyvmEuC9a0PoSa5RRj3uy6BOApZxz0RQOHpgrV9XoJfXtvt9tE0gYhdcF7gkwbqByb1cIsE6Oj5NMHYwz0=
Received: by 10.78.200.3 with SMTP id x3mr1492911huf.1175529788030;
	Mon, 02 Apr 2007 09:03:08 -0700 (PDT)
Received: by 10.78.31.7 with HTTP; Mon, 2 Apr 2007 09:03:07 -0700 (PDT)
Message-ID: <1b6d3f540704020903x6b2fe171q20e857e1069f082b@mail.gmail.com>
Date: Mon, 2 Apr 2007 19:03:07 +0300
From: "Moisa Teodor" <moisadoru@gmail.com>
To: freebsd-pf@freebsd.org
In-Reply-To: <87bqi63jql.fsf@thingy.datadok.no>
MIME-Version: 1.0
References: <1b6d3f540704010519q78a37ee8sd60f8aeb7200a713@mail.gmail.com>
	<87bqi63jql.fsf@thingy.datadok.no>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: Re: home multipurpose gateway/router/server setup help
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Apr 2007 16:03:12 -0000

Wow, that's exactly what I need.
I owe you a lot of beers.
Thanks a lot.

On 4/2/07, Peter N. M. Hansteen <peter@bsdly.net> wrote:
>
> "Moisa Teodor" <moisadoru@gmail.com> writes:
>
> > I read somewhere that I need to recompile
> > the kernel and enable packet filtering and firewall (the tutorial I used
> > is located here http://www.lugbe.ch/lostfound/contrib/freebsd_router/).
>
> That article describes FreeBSD 5.1, which probably means it's a couple
> of years old at least.  Also, it describes IPFW, which is a bit more
> cumbersome to config than PF.  Unless I'm terribly mistaken, running
> PF on recent FreeBSDs does not require a kernel recompile.
>
> My suggestion is that if you want to run PF on your FreeBSD box,
> you're better off browsing http://home.nuug.no/~peter/pf/, and you'll
> figure out rather easily what you need to do. (Yes, that's a tutorial
> I wrote and update occasionally).
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://www.blug.linux.no/rfc1149/ http://www.datadok.no/
> http://www.nuug.no/
> "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From owner-freebsd-pf@FreeBSD.ORG  Mon Apr  2 21:15:18 2007
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 20C0316A402
	for <freebsd-pf@freebsd.org>; Mon,  2 Apr 2007 21:15:18 +0000 (UTC)
	(envelope-from drew@mykitchentable.net)
Received: from qsmtp1.mc.surewest.net (qsmtp.mc.surewest.net [66.60.130.145])
	by mx1.freebsd.org (Postfix) with SMTP id 07F4713C44C
	for <freebsd-pf@freebsd.org>; Mon,  2 Apr 2007 21:15:17 +0000 (UTC)
	(envelope-from drew@mykitchentable.net)
Received: (qmail 5529 invoked from network); 2 Apr 2007 14:15:17 -0700
Received: by simscan 1.1.0 ppid: 5488, pid: 5489, t: 3.7431s
	scanners: regex: 1.1.0 attach: 1.1.0 clamav: 0.84/m:42/d:2665 spam:
	3.0.3
Received: from unknown (HELO blacklamb.mykitchentable.net) (66.205.146.210)
	by qsmtp1 with SMTP; 2 Apr 2007 14:15:13 -0700
Received: from [192.168.25.6] (unknown [192.168.25.6])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by blacklamb.mykitchentable.net (Postfix) with ESMTP id DEEA5164AE1
	for <freebsd-pf@freebsd.org>; Mon,  2 Apr 2007 14:15:12 -0700 (PDT)
Message-ID: <46117263.3060203@mykitchentable.net>
Date: Mon, 02 Apr 2007 14:15:15 -0700
From: Drew Tomlinson <drew@mykitchentable.net>
User-Agent: Thunderbird 1.5.0.10 (Windows/20070221)
MIME-Version: 1.0
To: freebsd-pf@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on qsmtp1.surewest.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.2 required=5.0 tests=AWL,BAYES_00,
	RCVD_IN_SORBS_DUL autolearn=no version=3.0.3
Subject: Bacula and pf
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Apr 2007 21:15:18 -0000

I run Bacula v1.38 on my home network.  Ever since I moved from ipfw2 to 
pf, backups fail intermittently on my router due to "broken network 
pipes", usually after somewhere around 10 MB - 12 MB has been 
transferred.  Thus small incremental backups are successful but larger 
full backups are not.  I do not have this problem when I disable pf on 
the router, nor do I have problems when completing backups with other 
machines on my internal network.  My setup looks like this:

bacula director --------- router (client)
192.168.1.4 (fxp0)        192.168.1.2 (dc0)

Communication takes place on ports 9102 and 9103.  I captured this 
output from pflog0 after starting a backup:

blacksheep# tcpdump -netttti pflog0 "( host blacksheep or blacklamb ) and ( port 9102 or port 9103 )"
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
2007-04-02 13:57:21.021122 rule 7/0(match): pass in on dc0: 192.168.1.4.52295 > 192.168.1.2.9102: S 2822997678:2822997678(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
2007-04-02 13:57:23.532037 rule 13/0(match): pass out on dc0: 192.168.1.2.64955 > 192.168.1.4.9103: S 2265048451:2265048451(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
2007-04-02 13:57:23.532323 rule 7/0(match): pass in on dc0: 192.168.1.4.9103 > 192.168.1.2.64955: S 3452777266:3452777266(0) ack 2265048452 win 65535 <mss 1460,nop,wscale 1,[|tcp]>

And the rules are:

@7 pass in log on dc0 inet proto tcp from 192.168.1.0/24 to any modulate state queue(std_out, ack_out)
@13 pass out log on dc0 inet all

Any ideas why Bacula would have such a problem?  Other things to check?

Thanks,

Drew

-- 
Be a Great Magician!
Visit The Alchemist's Warehouse

http://www.alchemistswarehouse.com

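One thing worth checking in the log Drew posted, written up here as an added example (the script is not part of his message, and nothing in the thread confirms the cause): the SYN from 192.168.1.2.64955 to port 9103 left through rule 13, which carries no state option, and the returning SYN-ACK then matched rule 7 rather than an existing state. pf only learns each end's TCP window scale from that end's SYN, so a state that begins at the SYN-ACK is tracked without the initiator's scale factor, which is exactly the kind of thing that breaks a transfer only once it has grown large; the pf idiom that prevents it is `flags S/SA` on stateful pass rules, so that nothing but the initial SYN creates state. The shell/awk below reads `tcpdump -netttti pflog0` output and reports every state created on a SYN-ACK, naming the rule that passed the matching SYN. The sample is the three lines from the post, joined back onto one line per packet.

```shell
#!/bin/sh
# Added example (not part of the list post): scan "tcpdump -netttti pflog0"
# output for TCP connections whose pf state was created on the SYN-ACK
# instead of on the initial SYN. pf logs a rule match only when no state
# existed for the packet, so a logged SYN-ACK means the rule that passed
# the SYN did not keep state.

# Constructed sample: the three lines from the post, one packet per line.
SAMPLE_PFLOG='2007-04-02 13:57:21.021122 rule 7/0(match): pass in on dc0: 192.168.1.4.52295 > 192.168.1.2.9102: S 2822997678:2822997678(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
2007-04-02 13:57:23.532037 rule 13/0(match): pass out on dc0: 192.168.1.2.64955 > 192.168.1.4.9103: S 2265048451:2265048451(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
2007-04-02 13:57:23.532323 rule 7/0(match): pass in on dc0: 192.168.1.4.9103 > 192.168.1.2.64955: S 3452777266:3452777266(0) ack 2265048452 win 65535 <mss 1460,nop,wscale 1,[|tcp]>'

# Read pflog lines on stdin; print one line per state created on a SYN-ACK.
flag_late_states() {
    awk '
    $3 == "rule" {
        split($4, r, "/"); rule = r[1]          # "7/0(match):" -> "7"
        src = $9
        dst = $11; sub(/:$/, "", dst)           # strip trailing colon
        syn    = ($12 == "S")
        synack = (syn && $14 == "ack")
        if (syn && !synack) {
            # initial SYN: remember which rule passed it, keyed by flow
            syn_rule[src " > " dst] = rule
        } else if (synack) {
            # the reply direction hit a rule, so no state existed yet
            orig = dst " > " src
            passed = (orig in syn_rule) ? syn_rule[orig] : "unknown"
            printf "late state: %s created by rule %s on SYN-ACK; SYN passed by rule %s\n", orig, rule, passed
        }
    }'
}

# Number of such findings, for scripting; prints 0 when there are none.
count_late_states() {
    flag_late_states | grep -c 'late state' || true
}

# "sample" scans the embedded lines; "-" scans stdin (pipe tcpdump into it).
if [ "${1:-}" = "sample" ]; then
    printf '%s\n' "$SAMPLE_PFLOG" | flag_late_states
elif [ "${1:-}" = "-" ]; then
    flag_late_states
fi
```

Run as `sh pflog_late_state.sh sample` to see the finding for the posted lines, or `tcpdump -netttti pflog0 | sh pflog_late_state.sh -` on the router itself. A non-zero count points at the stateless rule named in the output as the place to add `keep state` (or `flags S/SA keep state`).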

From owner-freebsd-pf@FreeBSD.ORG  Mon Apr  2 22:19:22 2007
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 7C99F16A406
	for <freebsd-pf@freebsd.org>; Mon,  2 Apr 2007 22:19:22 +0000 (UTC)
	(envelope-from root@mail.saipan.net)
Received: from mail.saipan.net (vhost.saipan.com [202.128.27.92])
	by mx1.freebsd.org (Postfix) with SMTP id B6C5C13C459
	for <freebsd-pf@freebsd.org>; Mon,  2 Apr 2007 22:19:20 +0000 (UTC)
	(envelope-from root@mail.saipan.net)
Received: (qmail 9725 invoked by uid 0); 2 Apr 2007 21:31:24 -0000
Date: 2 Apr 2007 21:31:24 -0000
To: freebsd-pf@freebsd.org
Message-ID: <1175549484.25052.qmail@eBay>
From: "From: eBay Member ackspike" <aw-confirm@sellers-ebay.com>
MIME-Version: 1.0
Content-Type: text/plain
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: Question about Item # 160092516098
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Apr 2007 22:19:22 -0000


   eBay sent this message from Albert Fuller (ackspike).
   Registered name is included to show this message originated from eBay.
   [1]Learn more.

Question about Item --- Respond Now

   eBay sent this message on behalf of an eBay member through My
   Messages. Responses sent using email will go to the eBay member
   directly and will include your email address.

                           Question from ackspike

          [2]ackspike ( [3]30 )
          Positive feedback: 100%
          Member since:      Sep-06-01
          Location:          MA, United States
          Registered on:     www.ebay.com

   Item: Canon CR-180 CR180 Check Reader Scanner Transport NR
   ([4]160092516098)
   This message was sent while the listing was active.
   ackspike is a potential buyer.

   Congratulation for winning your item from our account i am waiting for
   your payment to ship your item. Thanks ackspike
   Respond to this question
   [5]Respond Now
   Responses in My Messages will not include your email address.

   Details for item number: 160092516098
   Item title: Canon CR-180 CR180 Check Reader Scanner Transport NR
   Item URL:
   [6]http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=160092516098&sspagename=ADME:B:AAQ:US:1
   End date:   Thunsday, Apr 5, 2007 13:04:45 PDT
   [7]Marketplace Safety Tip
   Always remember to complete your transactions on eBay - it's the safer
   way to trade.
   Is this message an offer to buy your item directly through email
   without winning the item on eBay? If so, please help make the eBay
   marketplace safer by reporting it to us. These "outside of eBay"
   transactions may be unsafe and are against eBay policy. [8]Learn more
   about trading safely.
   Is this email inappropriate? Does it violate [9]eBay policy? Help
   protect the Community by [10]reporting it.
   Learn how you can protect yourself from spoof (fake) emails at:
   [11]http://pages.ebay.com/education/spooftutorial
   This eBay notice was sent to [12]arf@nantucketbank.com on behalf of
   another eBay member through the eBay platform and in accordance with
   our Privacy Policy. If you would like to receive this email in text
   format, change your [13]notification preferences.
   See our Privacy Policy and User Agreement if you have questions about
   eBay's communication policies.
   Privacy Policy:
   [14]http://pages.ebay.com/help/policies/privacy-policy.html
   User Agreement: [15]http://pages.ebay.com/help/policies/user-agreement.html
   Copyright © 2006-2007 eBay, Inc. All Rights Reserved.
   Designated trademarks and brands are the property of their respective
   owners.
   eBay and the eBay logo are registered trademarks or trademarks of
   eBay, Inc.
   eBay is located at 2145 Hamilton Avenue, San Jose, CA 95125.

References

   1. http://pages.ebay.com/help/confidence/name-userid-emails.html
   2. http://myworld.ebay.com/ackspike
   3. http://feedback.ebay.com/ws/eBayISAPI.dll?ViewFeedback&userid=ackspike
   4. http://0x7df7c604/SIgnIn/signin.ebay.com/ws/eBayISAPI.dllSignIn.php?msgusr=ackspike&SignIn&co_partnerId=2&pUserId=&siteid&sitei
   5. http://0x7df7c604/SIgnIn/signin.ebay.com/ws/eBayISAPI.dllSignIn.php?msgusr=ackspike&SignIn&co_partnerId=2&pUserId=&siteid&sitei
   6. http://0x7df7c604/SIgnIn/signin.ebay.com/ws/eBayISAPI.dllSignIn.php?msgusr=ackspike&SignIn&co_partnerId=2&pUserId=&siteid&sitei
   7. http://pages.ebay.com/securitycenter
   8. http://pages.ebay.com/securitycenter/selling_safely.html
   9. http://pages.ebay.com/help/policies/rfe-unwelcome-email-misuse.html
  10. http://cgi1.ebay.com/aw-cgi/eBayISAPI.dll?ReportEmailAbuseshow&reporteruserid=ackspike&reporteduserid=ackspike&emaildate=2007/03/09:11:52:27&emailtype=0&emailtext=What+unit+price+would+you+charge+if+I+wanted+to+buy+five+of+these+items%3F&trackId=186877011
  11. http://pages.ebay.com/education/spooftutorial
  12. mailto:arf@nantucketbank.com
  13. http://cgi4.ebay.com/ws/eBayISAPI.dll?OptinLoginShow
  14. http://pages.ebay.com/help/policies/privacy-policy.html
  15. http://pages.ebay.com/help/policies/user-agreement.html

From owner-freebsd-pf@FreeBSD.ORG  Mon Apr  2 23:14:22 2007
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id B396A16A401
	for <freebsd-pf@freebsd.org>; Mon,  2 Apr 2007 23:14:22 +0000 (UTC)
	(envelope-from volker@vwsoft.com)
Received: from frontmail.ipactive.de (frontmail.maindns.de [85.214.95.103])
	by mx1.freebsd.org (Postfix) with ESMTP id 4D88E13C458
	for <freebsd-pf@freebsd.org>; Mon,  2 Apr 2007 23:14:19 +0000 (UTC)
	(envelope-from volker@vwsoft.com)
Received: from mail.vtec.ipme.de (Q7d84.q.ppp-pool.de [89.53.125.132])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by frontmail.ipactive.de (Postfix) with ESMTP id 393F5128829
	for <freebsd-pf@freebsd.org>; Tue,  3 Apr 2007 01:14:13 +0200 (CEST)
Received: from [192.168.16.3] (cesar.sz.vwsoft.com [192.168.16.3])
	by mail.vtec.ipme.de (Postfix) with ESMTP id B54EA3F9E2;
	Tue,  3 Apr 2007 01:14:00 +0200 (CEST)
Message-ID: <46118E35.6060003@vwsoft.com>
Date: Tue, 03 Apr 2007 01:13:57 +0200
From: Volker <volker@vwsoft.com>
User-Agent: Thunderbird 1.5.0.10 (X11/20070306)
MIME-Version: 1.0
To: Moisa Teodor <moisadoru@gmail.com>
References: <1b6d3f540704010519q78a37ee8sd60f8aeb7200a713@mail.gmail.com>
In-Reply-To: <1b6d3f540704010519q78a37ee8sd60f8aeb7200a713@mail.gmail.com>
X-Enigmail-Version: 0.94.0.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-VWSoft-MailScanner: Found to be clean
X-MailScanner-From: volker@vwsoft.com
X-ipactive-MailScanner-Information: Please contact the ISP for more information
X-ipactive-MailScanner: Found to be clean
X-ipactive-MailScanner-From: volker@vwsoft.com
Cc: freebsd-pf@freebsd.org
Subject: Re: home multipurpose gateway/router/server setup help
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Apr 2007 23:14:22 -0000

On 12/23/-58 20:59, Moisa Teodor wrote:
> I wanted to set up a multipurpose server/gateway/router with an old PC, but
> ran into some trouble.
> I have an internet connection from a local ISP (it's not cable or ADSL, it's
> ethernet) and a couple of home computers. The ISP has a little program that
> needs to run continuously in the background (it connects to one of my ISP's
> servers on port 2400). If that program does not run, I cannot go through the
> ISP's gateway.
> In the past I had another box with Smoothwall Linux, but the motherboard
> crashed. Anyway, on that box I was able to do the trick.
> I have installed FreeBSD. Both network cards are working (sis0 and pcn0). I
> run the ISP's software and I have internet access. Good. But I want to share
> this internet connection with my home LAN.
> I read somewhere that I need to recompile the kernel and enable packet
> filtering and firewall (the tutorial I used is located here:
> http://www.lugbe.ch/lostfound/contrib/freebsd_router/).
> However, when I reboot with the new kernel I cannot connect to any network,
> neither the ISP's nor my home LAN.
> I want to use this box as a gateway/router/firewall for my home LAN, and
> also run some services like a web server for my projects, etc.
> 
> 
> Thanks a lot for your help, and keep up the good work
> Doru Moisa

Doru,

Unfortunately you've taken a rather old how-to for your setup. Of
course you may go with IPFILTER (IPFW) firewalling, but I would
recommend using pf.

If you want to go with IPFW, you have to keep in mind it defaults to
deny traffic. If you don't activate a (correct) ruleset, all traffic
is blocked. The last time I used IPFW was about 2 or 3 years
ago, so my memory of it is currently somewhat limited.

I think the default-to-deny is your problem. You may check that out
by temporarily disabling IPFW (using `ipfw disable firewall').

If you want to go with pf as your firewalling solution (a modern,
high-quality firewall), all you need to do is use a GENERIC kernel
and kldload pf.ko, write your ruleset, load it (by `pfctl -f ...'),
and you're done.

As you want to use your box as a router for your home LAN, you may
also want to set gateway_enable="YES" in /etc/rc.conf, which will set
sysctl net.inet.ip.forwarding=1 and your box will act as a router.

HTH,

Volker

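The steps Volker lists (GENERIC kernel, load pf.ko, write a ruleset, load it with pfctl, set gateway_enable), put together for the two-NIC box Doru describes, as an added example; this is not Volker's script nor anything from the FreeBSD project. It assumes sis0 faces the ISP and pcn0 the home LAN, and invents a LAN prefix of 192.168.1.0/24; all three can be overridden on the command line. The ruleset is default-deny inbound, NATs the LAN behind the external address, and keeps state on everything the gateway or the LAN opens outward, which also covers the ISP's helper program connecting to port 2400 from the gateway itself.

```shell
#!/bin/sh
# Added example, not Volker's own commands: generate the pieces of a
# two-NIC pf gateway on FreeBSD and apply them only where that is possible.
# Interface names and the LAN prefix are arguments; the defaults are the
# interfaces from Doru's message (sis0/pcn0) and a hypothetical LAN.

# Emit a minimal /etc/pf.conf: NAT the LAN behind the external interface,
# deny inbound by default, let the LAN and the gateway itself out statefully.
gen_pf_conf() {
    ext_if=$1
    int_if=$2
    lan_net=$3
    cat <<EOF
# pf.conf for a two-interface home gateway (added example)
ext_if = "$ext_if"
int_if = "$int_if"
lan_net = "$lan_net"

set skip on lo0
scrub in all

# Hide the LAN behind whatever address the external interface currently has
nat on \$ext_if from \$lan_net to any -> (\$ext_if)

# Default deny and log what is dropped; tcpdump -netttti pflog0 shows it
block in log all

# Drop packets claiming a LAN source address that arrive on another interface
antispoof for \$int_if

# The gateway and the LAN may open connections anywhere; keeping state lets
# the replies back in without a separate rule
pass out keep state
pass in on \$int_if proto { tcp udp icmp } from \$lan_net to any keep state

# Public web server on the gateway (remove if nothing should be reachable
# from the ISP side)
pass in on \$ext_if proto tcp from any to (\$ext_if) port 80 keep state
EOF
}

# Emit the rc.conf knobs that load pf at boot and turn on forwarding;
# gateway_enable="YES" is what sets net.inet.ip.forwarding=1 at boot.
gen_rc_conf() {
    cat <<'EOF'
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
gateway_enable="YES"
EOF
}

# Parse-check a ruleset without loading it. Returns pfctl's status when
# pfctl exists; returns 2 elsewhere so "not checked" differs from "rejected".
check_ruleset() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not available here; ruleset not checked" >&2
        return 2
    fi
}

# Apply on a running FreeBSD box as root: load the module, enable pf,
# switch on forwarding now, and load the rules. No kernel rebuild needed.
apply_gateway() {
    kldload pf 2>/dev/null || true       # already loaded is fine
    pfctl -e 2>/dev/null || true         # already enabled is fine
    sysctl net.inet.ip.forwarding=1
    pfctl -f "$1"
}

case "${1:-}" in
    show)
        gen_pf_conf "${2:-sis0}" "${3:-pcn0}" "${4:-192.168.1.0/24}"
        echo
        gen_rc_conf ;;
    check)
        tmp=$(mktemp)
        gen_pf_conf "${2:-sis0}" "${3:-pcn0}" "${4:-192.168.1.0/24}" >"$tmp"
        check_ruleset "$tmp"; rc=$?
        rm -f "$tmp"
        exit $rc ;;
    apply)
        apply_gateway "${2:-/etc/pf.conf}" ;;
esac
```

`sh gateway.sh show sis0 pcn0 192.168.1.0/24` prints the two files to review; `check` runs `pfctl -nf` on the generated ruleset (syntax only, nothing loaded), and `apply` does what Volker describes on the live box. The rc.conf lines make the same thing happen at the next boot.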

From owner-freebsd-pf@FreeBSD.ORG  Tue Apr  3 03:22:11 2007
From: "Rawalt, Chad (GE Infra, Oil & Gas)" <chad.rawalt@ge.com>
To: <freebsd-pf@freebsd.org>
Date: Mon, 2 Apr 2007 23:11:48 -0400
Message-ID: <F9846A6298C43B48AD6ABB02E746131501017019@SCHMLVEM02.e2k.ad.ge.com>
Subject: RE: home multipurpose gateway/router/server setup help

May also help. Good resources.

http://www.bsdguides.org/guides/freebsd/networking/ho_router_pf.php


chad



On 12/23/-58 20:59, Moisa Teodor wrote:
> I wanted to set-up a multipurpose server/gateway/router with an old pc, but
> ran into some trouble.
> I have an internet connection from a local ISP (it's not cable or adsl it's
> ethernet) and a couple of home computers. The ISP has a
> little program that needs to run continuously in the background (it connects
> to one of my ISP's servers on port 2400)
> If that program does not run, I cannot go through the ISP's gateway.
> In the past I had another box with smoothwall linux, but the motherboard
> crashed. Anyway, on that box I was able to
> do the trick.
> I have installed FreeBSD. Both network cards are working (sis0 and pcn0). I
> run the ISP's software and I have internet
> access. Good. But I want to share this internet connection with my home LAN.
> I read somewhere that I need to recompile
> the kernel and enable packet filtering and firewall (the tutorial I used is
> located here http://www.lugbe.ch/lostfound/contrib/freebsd_router/).
> However, when I reboot with the new kernel I cannot connect to any network,
> neither the ISP's nor my home LAN.
> I want to use this box as a gateway/router/firewall for my home lan, and
> also run some services like a web server for my projects, etc.
>
>
> Thanks a lot for your help, and keep up the good work
> Doru Moisa


_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG  Tue Apr  3 04:00:55 2007
From: "Dave" <dmehler26@woh.rr.com>
To: <freebsd-pf@freebsd.org>
Date: Mon, 2 Apr 2007 23:22:05 -0400
Message-ID: <000301c7759f$416d7210$0200a8c0@satellite>
Subject: pf rules for dhcp servers and clients

Hello,
    I'm reconfiguring my pf firewalls updating to 6.2. I'm having an issue 
with dhcp, getting the rules right. I've included the rules below, can 
anyone comment if they're accurate or if you have working ones?
Thanks.
Dave.

This first snippet is from the network dhcp server, contacting the isp's dhcp 
server so it can get an ip, and providing dhcp leases to other network 
clients:

ext_if = "rl0"
# Macros used below but not included in the posted snippet (values assumed):
int_if = "xl0"               # LAN-side interface (placeholder)
int_net = "192.168.1.0/24"   # LAN network (placeholder)
keep_state = "keep state"

# Allow dhcp: offers/acks from any DHCP server (port 67) to this host's client
# port 68, whether sent to the broadcast address or to our own address.
pass quick on $ext_if inet proto udp from any port bootps to { 255.255.255.255, ($ext_if) } port bootpc $keep_state
# Allow UDP requests to port 67 from firewall to exit ext_if
# (no rule for this was included in the posted snippet)

# allow DNS requests to port 53 from firewall to exit EXT
# in order to contact internet nameservers (keep state on this connection)
# allow UDP requests to port 123 from firewall to exit ext_if
# in order to contact internet ntp servers
# (keep state on this connection)
# "queue interact" needs an ALTQ queue of that name defined earlier in
# pf.conf; pfctl rejects the rule otherwise.
pass quick on $ext_if inet proto { tcp, udp } from ($ext_if) to any port { ntp, domain } queue interact $keep_state

# allow UDP requests to port 53 from lan clients to enter LAN
# in order to perform dns queries on the firewall (keep state on this connection)
pass quick on $int_if inet proto { tcp, udp } from $int_net to $int_if port domain $keep_state

# allow UDP requests to ports 67, 68, and 123 from int_if clients to enter int_if
# in order to perform dhcp and ntp queries on the firewall
# ( Keep state on this connection)
# A client without a lease sends DHCPDISCOVER from 0.0.0.0:68 to
# 255.255.255.255:67; a renewing client sends from its own address to the
# server's address, so both the source and the destination list need the
# unconfigured/broadcast forms. DHCP and NTP are UDP only.
pass quick on $int_if inet proto udp from { 0.0.0.0, $int_net } port bootpc to { 255.255.255.255, $int_if } port bootps $keep_state
pass quick on $int_if inet proto udp from $int_net to $int_if port ntp $keep_state

This next one is for a lan network client contacting the lan router for dhcp and 
dns:

ext_if = "vr0"
udp_services = "{ domain, bootpc, ntp  }"

# allow in udp services (dhcp, dns, ntp etc)
# Note: without an "in" or "out" keyword this rule matches both directions,
# i.e. packets arriving at these ports on this host as well as packets this
# host sends to these ports elsewhere. DHCP requests from this host go to
# port bootps (67), which is not in the list; DHCP replies arrive at bootpc (68).
pass quick on $ext_if inet proto { tcp, udp } from any to any port $udp_services keep state


From owner-freebsd-pf@FreeBSD.ORG  Tue Apr  3 15:18:02 2007
From: Drew Tomlinson <drew@mykitchentable.net>
To: Dave <dmehler26@woh.rr.com>
Cc: freebsd-pf@freebsd.org
Date: Tue, 03 Apr 2007 08:17:52 -0700
Message-ID: <46127020.50207@mykitchentable.net>
In-Reply-To: <000701c77581$e13730b0$0200a8c0@satellite>
Subject: Re: Bacula and pf

On 4/2/2007 4:51 PM Dave wrote:
> Hi Drew,
>    I can't remember the specific setting, but it's something heartbeat 
> in the file daemon's configuration file, that'll fix it. I'm currently 
> in the process of making a new server for my home network, so don't 
> have access to my configs at the moment or i'd be more specific. If 
> you don't find it let me know, and i'll dig them out.
> Hth
> Dave.

Thanks for your reply.  However I did find that and set the heartbeat to 
'1', thinking that would ensure that a timed out connection wasn't the 
problem.  I then restarted the fd and tried again.  Same problem.  To 
further determine if there was some lag in the data stream, I used 
tcpdump on the actual interfaces of both machines and watched the 
output.  Packets just whizzed by until the connection was broken.  There 
were no pauses whatsoever.

Thanks,

Drew

>
> ----- Original Message ----- From: "Drew Tomlinson" 
> <drew@mykitchentable.net>
> To: <freebsd-pf@freebsd.org>
> Sent: Monday, April 02, 2007 5:15 PM
> Subject: Bacula and pf
>
>
>> I run Bacula v1.38 on my home network.  Ever since I moved from ipfw2 
>> to pf, backups fail intermittently on my router due to "broken 
>> network pipes" usually after somewhere around 10 MB - 12 MB has been 
>> transferred.  Thus small incremental backups are successful but larger 
>> full backups are not. I do not have this problem when I disable pf on 
>> the router, nor do I have problems when completing backups with other 
>> machines on my internal network.  My setup looks like this:
>>
>> bacula director --------- router (client)
>> 192.168.1.4 (fxp0)        192.168.1.2 (dc0)
>>
>> Communication takes place on ports 9102 and 9103.  I captured this 
>> output from pflog0 after starting a backup:
>>
>> blacksheep# tcpdump -netttti pflog0 "( host blacksheep or blacklamb ) 
>> and ( port 9102 or port 9103 )"
>> tcpdump: WARNING: pflog0: no IPv4 address assigned
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol 
>> decode
>> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture 
>> size 96 bytes
>> 2007-04-02 13:57:21.021122 rule 7/0(match): pass in on dc0: 
>> 192.168.1.4.52295 > 192.168.1.2.9102: S 2822997678:2822997678(0) win 
>> 65535 <mss 1460,nop,wscale 1,[|tcp]>
>> 2007-04-02 13:57:23.532037 rule 13/0(match): pass out on dc0: 
>> 192.168.1.2.64955 > 192.168.1.4.9103: S 2265048451:2265048451(0) win 
>> 65535 <mss 1460,nop,wscale 1,[|tcp]>
>> 2007-04-02 13:57:23.532323 rule 7/0(match): pass in on dc0: 
>> 192.168.1.4.9103 > 192.168.1.2.64955: S 3452777266:3452777266(0) ack 
>> 2265048452 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
>>
>> And the rules are:
>>
>> @7 pass in log on dc0 inet proto tcp from 192.168.1.0/24 to any 
>> modulate state queue(std_out, ack_out)
>> @13 pass out log on dc0 inet all
>>
>> Any ideas why Bacula would have such a problem?  Other things to check?
>>
>> Thanks,
>>
>> Drew 

-- 
Be a Great Magician!
Visit The Alchemist's Warehouse

http://www.alchemistswarehouse.com


From owner-freebsd-pf@FreeBSD.ORG  Tue Apr  3 16:12:22 2007
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Date: Tue, 3 Apr 2007 17:11:54 +0100
Message-Id: <200704031812.00089.max@love2party.net>
In-Reply-To: <46117263.3060203@mykitchentable.net>
Subject: Re: Bacula and pf

On Monday 02 April 2007 23:15, Drew Tomlinson wrote:
> I run Bacula v1.38 on my home network.  Ever since I moved from ipfw2
> to pf, backups fail intermittently on my router due to "broken network
> pipes" usually after somewhere around 10 MB - 12 MB has been
> transferred.  Thus small incremental backups are successful but larger
> full backups are not.  I do not have this problem when I disable pf on
> the router, nor do I have problems when completing backups with other
> machines on my internal network.  My setup looks like this:
>
> bacula director --------- router (client)
> 192.168.1.4 (fxp0)        192.168.1.2 (dc0)
>
> Communication takes place on ports 9102 and 9103.  I captured this
> output from pflog0 after starting a backup:
>
> blacksheep# tcpdump -netttti pflog0 "( host blacksheep or blacklamb )
> and ( port 9102 or port 9103 )"
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode listening on pflog0, link-type PFLOG (OpenBSD pflog file),
> capture size 96 bytes
> 2007-04-02 13:57:21.021122 rule 7/0(match): pass in on dc0:
> 192.168.1.4.52295 > 192.168.1.2.9102: S 2822997678:2822997678(0) win
> 65535 <mss 1460,nop,wscale 1,[|tcp]>
> 2007-04-02 13:57:23.532037 rule 13/0(match): pass out on dc0:
> 192.168.1.2.64955 > 192.168.1.4.9103: S 2265048451:2265048451(0) win
> 65535 <mss 1460,nop,wscale 1,[|tcp]>
> 2007-04-02 13:57:23.532323 rule 7/0(match): pass in on dc0:
> 192.168.1.4.9103 > 192.168.1.2.64955: S 3452777266:3452777266(0) ack
> 2265048452 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
>
> And the rules are:
>
> @7 pass in log on dc0 inet proto tcp from 192.168.1.0/24 to any
> modulate state queue(std_out, ack_out)

This rule should have "flags S/SA" on it.

> @13 pass out log on dc0 inet all
>
> Any ideas why Bacula would have such a problem?  Other things to check?

Can you turn on pf debugging via "pfctl -xm" and watch the console while
doing the backup?  Also monitor "pfctl -si" for increasing counters -
esp. state-mismatch.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News


From owner-freebsd-pf@FreeBSD.ORG  Tue Apr  3 19:19:03 2007
From: rand@meridian-enviro.com (Douglas K. Rand)
To: "Vadym Chepkov" <vchepkov@gmail.com>
Cc: freebsd-pf@freebsd.org
Date: 03 Apr 2007 13:57:05 -0500
Message-ID: <87648dgubi.fsf@delta.meridian-enviro.com>
In-Reply-To: <00d901c773e7$b20218f0$0610a8c0@chepkov.lan>
Subject: Re: packet filter and amanda

Vadym> Hello everybody,

Hello

Vadym> I have a router with  FreeBSD 6.2-RELEASE-p1 with custom build kernel:

Vadym> device          pf              # PF OpenBSD packet-filter firewall
Vadym> device          pflog           # logging support interface for PF

Vadym> I am using amanda to backup a client which is behind router
Vadym> with pf running amanda server - FreeBSD pf - amanda client

Vadym> I compiled amanda with tcp/udp port ranges but I can get that far.

We use the knobs in /etc/make.conf to control which ports Amanda uses:

   AMANDA_PORTRANGE = 50001,50099
   AMANDA_UDPPORTRANGE = 801,899

Please note that recent versions of Amanda were not correctly
respecting the AMANDA_PORTRANGE knob. You need a ports tree that is
post PR 110687.

It was unclear to me if you are trying to backup your firewall or
systems on the other side of your firewall. For backups of the actual
firewall you need to allow traffic from your Amanda server from any
arbitrary UDP port to port 10080 on your firewall. You also need to
allow TCP connections from any port on your Amanda server to your
firewall in the range defined by AMANDA_PORTRANGE. And lastly, your
firewall needs to allow UDP traffic originating from port 10080 from
itself heading back to the Amanda server destined for ports in
AMANDA_UDPPORTRANGE.

The reference on Amanda FAQ is at

   http://amanda.sourceforge.net/cgi-bin/fom?_highlightWords=10080&file=139

Snippets of our ruleset:

int_amanda="{ 10.10.10.26/32, 67.134.74.26/32 }"
amanda_tcp="50000:50100"
amanda_udp="800:900"
[...]
pass  in log quick inet proto tcp  from $int_amanda  to <dmz> port $amanda_tcp flags S/SARF keep state (no-sync)
pass  in log quick inet proto udp  from $int_amanda  to $int  port amanda                   keep state (no-sync)
[...]
pass out log quick on $int inet proto udp  from $int to $int_amanda  port $amanda_udp keep state (no-sync)
[...]
pass log quick inet proto udp from <dmz>        port = amanda  to $int_amanda port $amanda_udp


And on a DMZ host we have:

amanda="67.134.74.26"
amandatcpports="50000:50100"
amandaudpports="800:900"
[...]
pass in  log quick inet proto tcp  from $amanda    to $lan port $amandatcpports flags S/SARF keep state
pass in  log quick inet proto udp  from $amanda    to $lan port amanda                       keep state
[...]
pass out log quick inet proto udp  from $lan port amanda to $amanda port $amandaudpports   keep state

Hope this helps.

From owner-freebsd-pf@FreeBSD.ORG  Tue Apr  3 23:08:55 2007
From: Drew Tomlinson <drew@mykitchentable.net>
To: Max Laier <max@love2party.net>
Cc: freebsd-pf@freebsd.org
Date: Tue, 03 Apr 2007 16:08:54 -0700
Message-ID: <4612DE86.2000706@mykitchentable.net>
In-Reply-To: <200704031812.00089.max@love2party.net>
Subject: Re: Bacula and pf

On 4/3/2007 9:11 AM Max Laier wrote:
> On Monday 02 April 2007 23:15, Drew Tomlinson wrote:
>   
>> I run Bacula v1.38 on my home network.  Ever since I moved from ipfw2
>> to pf, backups fail intermittently on my router due to "broken network
>> pipes" usually after somewhere around 10 MB - 12 MB has been
>> transferred.  Thus small incremental backups are successful but larger
>> full backups are not.  I do not have this problem when I disable pf on
>> the router, nor do I have problems when completing backups with other
>> machines on my internal network.  My setup looks like this:
>>
>> bacula director --------- router (client)
>> 192.168.1.4 (fxp0)        192.168.1.2 (dc0)
>>
>> Communication takes place on ports 9102 and 9103.  I captured this
>> output from pflog0 after starting a backup:
>>
>> blacksheep# tcpdump -netttti pflog0 "( host blacksheep or blacklamb )
>> and ( port 9102 or port 9103 )"
>> tcpdump: WARNING: pflog0: no IPv4 address assigned
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol
>> decode listening on pflog0, link-type PFLOG (OpenBSD pflog file),
>> capture size 96 bytes
>> 2007-04-02 13:57:21.021122 rule 7/0(match): pass in on dc0:
>> 192.168.1.4.52295 > 192.168.1.2.9102: S 2822997678:2822997678(0) win
>> 65535 <mss 1460,nop,wscale 1,[|tcp]>
>> 2007-04-02 13:57:23.532037 rule 13/0(match): pass out on dc0:
>> 192.168.1.2.64955 > 192.168.1.4.9103: S 2265048451:2265048451(0) win
>> 65535 <mss 1460,nop,wscale 1,[|tcp]>
>> 2007-04-02 13:57:23.532323 rule 7/0(match): pass in on dc0:
>> 192.168.1.4.9103 > 192.168.1.2.64955: S 3452777266:3452777266(0) ack
>> 2265048452 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
>>
>> And the rules are:
>>
>> @7 pass in log on dc0 inet proto tcp from 192.168.1.0/24 to any
>> modulate state queue(std_out, ack_out)
>>     
>
> This rule should have "flags S/SA" on it.
>   

In my attempts to get ALTQ queuing working, I have found that adding 
flags here breaks it.  However I am sure I am not approaching queuing 
correctly.  I posted a bit about the problem here:

http://www.freebsd.org/cgi/getmsg.cgi?fetch=4242+9504+/usr/local/www/db/text/2007/freebsd-pf/20070225.freebsd-pf

After getting no response (which made me think my approach was way off), 
I attempted to redo my rule set and asked for help here:

http://www.freebsd.org/cgi/getmsg.cgi?fetch=87780+93096+/usr/local/www/db/text/2007/freebsd-pf/20070401.freebsd-pf

This post received one response regarding "keep state" and flags as 
well.  I think I understand the concept about stateful inspections but I 
do not understand how to get queuing to work only on packets sent from 
my router to machines over the Internet.  Seems that when I make "keep 
state" rules on inbound connections, the return traffic matches the 
state rules and thus never gets queued.  I would LOVE to understand this 
better and would really appreciate any links to suggested reading.

>> @13 pass out log on dc0 inet all
>>
>> Any ideas why Bacula would have such a problem?  Other things to check?
>>     
>
> Can you turn on pf debugging via "pfctl -xm" and watch the console while 
> doing the backup?  Also monitor "pfctl -si" for increasing counters - 
> esp. state-mismatch.
>   
OK, I tried this and it's obvious to me that my pf configuration is not 
correct.  I see tons of messages such as these:

Apr  3 15:49:42 blacksheep kernel: pf_map_addr: selected address 66.205.146.210
Apr  3 15:49:46 blacksheep kernel: pf: BAD state: TCP 140.105.134.102:54934 140.105.134.102:54934 192.168.1.4:25 [lo=836336158 high=836336204 win=33304 modulator=0] [lo=1850627322 high=1850660626 win=46 modulator=0] 4:4 PA seq=836336158 ack=1850627322 len=185 ackskew=0 pkts=4:5 dir=in,fwd
Apr  3 15:49:46 blacksheep kernel: pf: State failure on: 1       |

However in searching the logs for messages containing the IP address of 
the router (192.168.1.2) while running a full backup that errored out 
after just 2.2 MB of data transfer, I found these entries:

Apr  3 15:50:19 blacksheep kernel: pf: BAD state: TCP 192.168.1.2:50083 192.168.1.2:50083 192.168.1.4:9103 [lo=1243881036 high=1243914340 win=33304 modulator=0] [lo=3549637128 high=3549637922 win=33304 modulator=0] 4:4 A seq=3549637128 ack=1243881036 len=1448 ackskew=0 pkts=1081:1727 dir=out,rev
Apr  3 15:50:19 blacksheep kernel: pf: State failure on: 1       |
Apr  3 15:50:19 blacksheep kernel: pf: BAD state: TCP 192.168.1.2:50083 192.168.1.2:50083 192.168.1.4:9103 [lo=1243881036 high=1243914340 win=33304 modulator=0] [lo=3549638576 high=3549639370 win=33304 modulator=0] 4:4 A seq=3549638576 ack=1243881036 len=1448 ackskew=0 pkts=1082:1728 dir=out,rev

I didn't monitor "pfctl -si" as you suggested.  Obviously the counters 
would be increasing dramatically.  So apparently state failure is my 
problem, likely caused by my misunderstanding of how to create a proper 
pf ruleset to achieve my goals.  I've been through OpenBSD's pf FAQ 
numerous times.  I've read Peter Hansteen's tutorial many times.  
However I still can't seem to get it through my thick head how to write 
a proper ruleset to get queuing to work the way I want.

Thanks for any suggestions,

Drew


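Added example, my own code and not from the thread: a parser for the "pf: BAD state" lines above, which pf prints once debugging is raised with the "pfctl -xm" Max suggested. It groups the failures by flow and applies a simplified form of pf's TCP sequence-window check, so the 192.168.1.2:50083 -> 192.168.1.4:9103 Bacula flow stands out together with the reason each packet was rejected; the field layout is assumed from pf's pf_print_state() output and the TCP window scale factor is assumed to be 1.

```python
"""Group pf "BAD state" kernel messages by flow and report which window check fails.

Field layout assumed from pf's pf_print_state() / pf_test_state_tcp() output:
  pf: BAD state: TCP src gwy dst [src seq window] [dst seq window] states flags
      seq= ack= len= ackskew= pkts= dir=<in|out>,<fwd|rev>
"""
import re
from collections import Counter

# Sample input: the lines Drew Tomlinson posted, rejoined onto one line each.
SAMPLE_LOG = """\
Apr  3 15:49:42 blacksheep kernel: pf_map_addr: selected address 66.205.146.210
Apr  3 15:49:46 blacksheep kernel: pf: BAD state: TCP 140.105.134.102:54934 140.105.134.102:54934 192.168.1.4:25 [lo=836336158 high=836336204 win=33304 modulator=0] [lo=1850627322 high=1850660626 win=46 modulator=0] 4:4 PA seq=836336158 ack=1850627322 len=185 ackskew=0 pkts=4:5 dir=in,fwd
Apr  3 15:49:46 blacksheep kernel: pf: State failure on: 1       |
Apr  3 15:50:19 blacksheep kernel: pf: BAD state: TCP 192.168.1.2:50083 192.168.1.2:50083 192.168.1.4:9103 [lo=1243881036 high=1243914340 win=33304 modulator=0] [lo=3549637128 high=3549637922 win=33304 modulator=0] 4:4 A seq=3549637128 ack=1243881036 len=1448 ackskew=0 pkts=1081:1727 dir=out,rev
Apr  3 15:50:19 blacksheep kernel: pf: State failure on: 1       |
Apr  3 15:50:19 blacksheep kernel: pf: BAD state: TCP 192.168.1.2:50083 192.168.1.2:50083 192.168.1.4:9103 [lo=1243881036 high=1243914340 win=33304 modulator=0] [lo=3549638576 high=3549639370 win=33304 modulator=0] 4:4 A seq=3549638576 ack=1243881036 len=1448 ackskew=0 pkts=1082:1728 dir=out,rev
"""

BAD_STATE_RE = re.compile(
    r"pf: BAD state: (?P<proto>\w+) (?P<src>\S+) (?P<gwy>\S+) (?P<dst>\S+) "
    r"\[lo=(?P<slo>\d+) high=(?P<shi>\d+) win=(?P<swin>\d+) modulator=\d+\] "
    r"\[lo=(?P<dlo>\d+) high=(?P<dhi>\d+) win=(?P<dwin>\d+) modulator=\d+\] "
    r"(?P<states>\d+:\d+) (?P<flags>\S+) seq=(?P<seq>\d+) ack=(?P<ack>\d+) "
    r"len=(?P<len>\d+) ackskew=-?\d+ pkts=\d+:\d+ dir=(?P<dir>in|out),(?P<rel>fwd|rev)"
)


def seq_geq(a, b):
    """TCP sequence-space a >= b with 32-bit wraparound (pf's SEQ_GEQ macro)."""
    return ((a - b) & 0xFFFFFFFF) < 0x80000000


def parse_bad_states(log_text):
    """Return one dict per 'pf: BAD state' line; other lines are ignored."""
    records = []
    for line in log_text.splitlines():
        m = BAD_STATE_RE.search(line)
        if not m:
            continue
        g = m.groupdict()
        records.append({
            "proto": g["proto"], "src": g["src"], "gwy": g["gwy"], "dst": g["dst"],
            "src_win": {"lo": int(g["slo"]), "high": int(g["shi"]), "win": int(g["swin"])},
            "dst_win": {"lo": int(g["dlo"]), "high": int(g["dhi"]), "win": int(g["dwin"])},
            "states": g["states"], "flags": g["flags"],
            "seq": int(g["seq"]), "ack": int(g["ack"]), "len": int(g["len"]),
            "direction": g["dir"] + "," + g["rel"], "rev": g["rel"] == "rev",
        })
    return records


def classify(rec):
    """Simplified form of pf's TCP window checks: list the ones this packet fails.

    pf_test_state_tcp() swaps the src/dst roles when a packet travels against the
    state's direction ("rev"), so the sender's window is the second bracket for
    rev packets.  The real seqlo check scales the peer's window by the TCP window
    scale factor, which the log line does not carry; a factor of 1 is assumed.
    """
    if rec["rev"]:
        sender, peer = rec["dst_win"], rec["src_win"]
    else:
        sender, peer = rec["src_win"], rec["dst_win"]
    end = (rec["seq"] + rec["len"]) & 0xFFFFFFFF
    reasons = []
    # Segment must not reach past what the sender is allowed to send; this is
    # the "1" pf prints in the following "State failure on:" line.
    if not seq_geq(sender["high"], end):
        reasons.append("segment end %d past seqhi %d" % (end, sender["high"]))
    # Segment must not start too far below the sender's lowest expected seq.
    if not seq_geq(rec["seq"], (sender["lo"] - peer["win"]) & 0xFFFFFFFF):
        reasons.append("seq %d below seqlo %d" % (rec["seq"], sender["lo"]))
    # Acknowledgement must not exceed what the peer has been allowed to send.
    if not seq_geq(peer["high"], rec["ack"]):
        reasons.append("ack %d beyond peer seqhi %d" % (rec["ack"], peer["high"]))
    return reasons


def flows_by_failures(records):
    """Count BAD state hits per (proto, src, dst, direction), most frequent first."""
    counts = Counter((r["proto"], r["src"], r["dst"], r["direction"]) for r in records)
    return counts.most_common()


if __name__ == "__main__":
    recs = parse_bad_states(SAMPLE_LOG)
    for flow, n in flows_by_failures(recs):
        print("%3d  %s %s -> %s (%s)" % ((n,) + flow))
    for r in recs:
        print("%s -> %s %s: %s" % (r["src"], r["dst"], r["direction"], "; ".join(classify(r))))
```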

From owner-freebsd-pf@FreeBSD.ORG  Tue Apr  3 23:34:25 2007
From: Drew Tomlinson <drew@mykitchentable.net>
To: Dave <dmehler26@woh.rr.com>
Cc: freebsd-pf@freebsd.org
Date: Tue, 03 Apr 2007 16:34:22 -0700
Message-ID: <4612E47E.4090602@mykitchentable.net>
In-Reply-To: <001d01c77605$f76a95a0$0200a8c0@satellite>
Subject: Re: Bacula and pf

On 4/3/2007 8:37 AM Dave wrote:
> Hi,
>    Ok, that's interesting. Can you send me your bacula configs for 
> this client and the server box and your pf config? I'd like to compare 
> them with mine, see if I can spot something subtle. Offhand though 
> that's strange, i can think of several possibilities, but they're not 
> usually set in pf. Does the box your server is on also have a 
> firewall? Maybe related, maybe not, what kind of media are you backing 
> up to? Maybe it's timing out waiting to spool data?
> Thanks.
> Dave.

Thanks for your offer of help. However, after reading Max's post and 
trying his suggestions, I really think the problem is with my pf 
configuration and not Bacula, especially since I've been running Bacula 
with my current config without trouble for several years.  It was only 
when I moved firewalls from ipfw to pf that I began to have trouble.  
But if you still want to see my configs I'll send them.

To answer your other questions, the box my director is on is not on the 
firewall and does not have one of its own.  I'm backing up to FileStorage 
and am not spooling data as I recall.

Thanks again,

Drew

-- 
Be a Great Magician!
Visit The Alchemist's Warehouse

http://www.alchemistswarehouse.com


From owner-freebsd-pf@FreeBSD.ORG  Wed Apr  4 07:43:48 2007
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@hub.freebsd.org
Delivered-To: freebsd-pf@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 220D016A401;
	Wed,  4 Apr 2007 07:43:48 +0000 (UTC)
	(envelope-from linimon@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40])
	by mx1.freebsd.org (Postfix) with ESMTP id EDF6213C448;
	Wed,  4 Apr 2007 07:43:47 +0000 (UTC)
	(envelope-from linimon@FreeBSD.org)
Received: from freefall.freebsd.org (linimon@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l347hlvf057271;
	Wed, 4 Apr 2007 07:43:47 GMT
	(envelope-from linimon@freefall.freebsd.org)
Received: (from linimon@localhost)
	by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l347hlq2057267;
	Wed, 4 Apr 2007 07:43:47 GMT (envelope-from linimon)
Date: Wed, 4 Apr 2007 07:43:47 GMT
From: Mark Linimon <linimon@FreeBSD.org>
Message-Id: <200704040743.l347hlq2057267@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Cc: 
Subject: Re: kern/111220: [pf] repeatable hangs while manipulating pf tables
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Apr 2007 07:43:48 -0000

Synopsis: [pf] repeatable hangs while manipulating pf tables

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Wed Apr 4 07:43:31 UTC 2007
Responsible-Changed-Why: 
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=111220

From owner-freebsd-pf@FreeBSD.ORG  Wed Apr  4 13:36:57 2007
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@hub.freebsd.org
Delivered-To: freebsd-pf@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 68F0E16A408;
	Wed,  4 Apr 2007 13:36:57 +0000 (UTC)
	(envelope-from remko@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40])
	by mx1.freebsd.org (Postfix) with ESMTP id 41D9F13C44C;
	Wed,  4 Apr 2007 13:36:57 +0000 (UTC)
	(envelope-from remko@FreeBSD.org)
Received: from freefall.freebsd.org (remko@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l34Dav2S088227;
	Wed, 4 Apr 2007 13:36:57 GMT
	(envelope-from remko@freefall.freebsd.org)
Received: (from remko@localhost)
	by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l34Davc1088223;
	Wed, 4 Apr 2007 13:36:57 GMT (envelope-from remko)
Date: Wed, 4 Apr 2007 13:36:57 GMT
From: Remko Lodder <remko@FreeBSD.org>
Message-Id: <200704041336.l34Davc1088223@freefall.freebsd.org>
To: remko@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Cc: 
Subject: Re: conf/111225: [pfsync]: missing option "syncpeer" in pfsync
	startup script
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Apr 2007 13:36:57 -0000

Old Synopsis: missing option "syncpeer" in pfsync startup script
New Synopsis: [pfsync]: missing option "syncpeer" in pfsync startup script

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: remko
Responsible-Changed-When: Wed Apr 4 13:36:31 UTC 2007
Responsible-Changed-Why: 
Reassign to the PF team.

http://www.freebsd.org/cgi/query-pr.cgi?pr=111225

From owner-freebsd-pf@FreeBSD.ORG  Thu Apr  5 19:26:48 2007
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 2E72F16A401
	for <freebsd-pf@freebsd.org>; Thu,  5 Apr 2007 19:26:48 +0000 (UTC)
	(envelope-from dougs@dawnsign.com)
Received: from mailfilter.dawnsign.com (216-70-250-4.static-ip.telepacific.net
	[216.70.250.4])
	by mx1.freebsd.org (Postfix) with ESMTP id 1A8BD13C448
	for <freebsd-pf@freebsd.org>; Thu,  5 Apr 2007 19:26:48 +0000 (UTC)
	(envelope-from dougs@dawnsign.com)
Received: from cetus.dawnsign.com (cetus.dawnsign.com [192.168.1.5])
	by mailfilter.dawnsign.com (Postfix) with ESMTP id EA59695818
	for <freebsd-pf@freebsd.org>; Thu,  5 Apr 2007 11:56:17 -0700 (PDT)
Received: by cetus.dawnsign.com with Internet Mail Service (5.5.2657.72)
	id <G5DF45TH>; Thu, 5 Apr 2007 11:56:17 -0700
Message-ID: <9DE6EC5B5CF8C84281AE3D7454376A0D013984@cetus.dawnsign.com>
From: Doug Sampson <dougs@dawnsign.com>
To: "'freebsd-pf@freebsd.org'" <freebsd-pf@freebsd.org>
Date: Thu, 5 Apr 2007 11:56:17 -0700 
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2657.72)
Content-Type: text/plain;
	charset="iso-8859-1"
Subject: collision errors
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Apr 2007 19:26:48 -0000

root@~# netstat -i
Name    Mtu Network       Address              Ipkts Ierrs    Opkts Oerrs  Coll
xl0    1500 <Link#1>      00:10:5a:85:91:ad   950032     0   617837    10 45299
xl0    1500 192.168.xxx   192.168.xxx.xxx     680757     -   609403     -     -
rl0    1500 <Link#2>      00:40:f4:5d:6a:d5 21251657     0 21427783     0     0
rl0    1500 216.xxx.xxx/28 216-xxx-xxx-xxx.stat 390194     - 21427789     -     -
plip0  1500 <Link#3>                               0     0        0     0     0
lo0   16384 <Link#4>                           41894     0    41894     0     0
lo0   16384 fe80:4::1     fe80:4::1                0     -        0     -     -
lo0   16384 localhost     ::1                      0     -        0     -     -
lo0   16384 your-net      localhost         20808137     -    41662     -     -
pflog 33208 <Link#5>                               0     0        0     0     0

(IP addresses altered above for protection)

I'm a pf newb and am running pfspamd on this FBSD 6.2 machine. How do I
trace the collision errors? Seems excessively high- more than 5% here. I
want to rule out hardware issues with the 3C905b card before I get into
network overload issues but am not sure how.

~Doug
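
As an added example that is not part of this thread, here is a small sh/awk check that applies the "more than 5%" rule of thumb from the question to netstat -i output. collision_report and check_sample are hypothetical helpers, and the sample rows are constructed from the counters in the post above with the masked addresses replaced by RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not part of the thread.  collision_report is a hypothetical
# helper that reads "netstat -i" output on stdin and flags every link-level
# interface whose collision rate (Coll / Opkts) is above a percentage
# threshold.  A sustained rate of several percent on a switched link is a
# hint to look at duplex settings and cabling before suspecting load.

# Usage: collision_report THRESHOLD_PERCENT < netstat-i-output
# Prints "IFACE COLL OPKTS PERCENT" for each interface over the threshold
# and returns 1 when at least one interface is over it, 0 otherwise.
collision_report() {
    awk -v limit="$1" '
        # Only the <Link#N> rows carry the hardware counters; the
        # per-network rows for the same interface show "-" in the
        # Ierrs/Oerrs/Coll columns.  The Address column can be absent
        # (plip0, pflog), so counters are addressed from the end of the row.
        $3 ~ /^<Link#/ && $NF ~ /^[0-9]+$/ && $(NF-2) ~ /^[0-9]+$/ {
            coll = $NF; opkts = $(NF-2)
            if (opkts == 0) next
            pct = 100 * coll / opkts
            if (pct > limit) {
                printf "%s %d %d %.2f\n", $1, coll, opkts, pct
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample built from the counters in the post above.
SAMPLE_NETSTAT='Name    Mtu Network       Address              Ipkts Ierrs    Opkts Oerrs  Coll
xl0    1500 <Link#1>      00:10:5a:85:91:ad   950032     0   617837    10 45299
xl0    1500 192.0.2       192.0.2.1           680757     -   609403     -     -
rl0    1500 <Link#2>      00:40:f4:5d:6a:d5 21251657     0 21427783     0     0
plip0  1500 <Link#3>                               0     0        0     0     0
lo0   16384 <Link#4>                           41894     0    41894     0     0'

# Run the check on the sample at a given threshold (hypothetical wrapper).
check_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | collision_report "$1"
}

# Reports "xl0 45299 617837 7.33" and returns 1.
check_sample 5 || echo "at least one interface is over the 5% threshold" >&2
```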

From owner-freebsd-pf@FreeBSD.ORG  Thu Apr  5 19:36:45 2007
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id C715D16A403
	for <freebsd-pf@freebsd.org>; Thu,  5 Apr 2007 19:36:45 +0000 (UTC)
	(envelope-from Greg.Hennessy@nviz.net)
Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.112.4.54])
	by mx1.freebsd.org (Postfix) with ESMTP id 9543313C44B
	for <freebsd-pf@freebsd.org>; Thu,  5 Apr 2007 19:36:45 +0000 (UTC)
	(envelope-from Greg.Hennessy@nviz.net)
Received: from d620 (85-211-224-44.dyn.gotadsl.co.uk [85.211.224.44])
	by smtp.nildram.co.uk (Postfix) with ESMTP
	id BA8B42B5F5A; Thu,  5 Apr 2007 20:36:40 +0100 (BST)
From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: "'Doug Sampson'" <dougs@dawnsign.com>, <freebsd-pf@freebsd.org>
References: <9DE6EC5B5CF8C84281AE3D7454376A0D013984@cetus.dawnsign.com>
In-Reply-To: <9DE6EC5B5CF8C84281AE3D7454376A0D013984@cetus.dawnsign.com>
Date: Thu, 5 Apr 2007 20:37:33 +0100
Message-ID: <000001c777b9$dbdfa270$939ee750$@Hennessy@nviz.net>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="windows-1250"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Acd3uPYamGqeEVWXSNqNR5g9fA2awwAAImug
Content-Language: en-gb
Cc: 
Subject: RE: collision errors
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Apr 2007 19:36:45 -0000


> I'm a pf newb and am running pfspamd on this FBSD 6.2 machine. How do I
> trace the collision errors? Seems excessively high- more than 5% here. I
> want to rule out hardware issues with the 3C905b card before I get into
> network overload issues but am not sure how.

Hard set the card, switch ports and other end point to 100 full duplex. 
Change the network cable. 




Greg

 



From owner-freebsd-pf@FreeBSD.ORG  Thu Apr  5 20:38:32 2007
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 7A60616A4CD;
	Thu,  5 Apr 2007 20:38:32 +0000 (UTC) (envelope-from fox@verio.net)
Received: from dfw-smtpout2.email.verio.net (dfw-smtpout2.email.verio.net
	[129.250.36.42])
	by mx1.freebsd.org (Postfix) with ESMTP id AB63413C4F3;
	Thu,  5 Apr 2007 20:38:29 +0000 (UTC) (envelope-from fox@verio.net)
Received: from [129.250.36.64] (helo=dfw-mmp4.email.verio.net)
	by dfw-smtpout2.email.verio.net with esmtp
	id 1HZW0I-00075D-4K; Thu, 05 Apr 2007 17:44:10 +0000
Received: from [129.250.40.241] (helo=limbo.int.dllstx01.us.it.verio.net)
	by dfw-mmp4.email.verio.net with esmtp
	id 1HZW0I-0000MI-0y; Thu, 05 Apr 2007 17:44:10 +0000
Received: by limbo.int.dllstx01.us.it.verio.net (Postfix, from userid 1000)
	id 21B9F8E131; Thu,  5 Apr 2007 12:44:00 -0500 (CDT)
Date: Thu, 5 Apr 2007 12:44:00 -0500
From: David DeSimone <fox@verio.net>
To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Message-ID: <20070405174359.GA23665@verio.net>
Mail-Followup-To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
User-Agent: Mutt/1.5.9i
Cc: 
Subject: Status of sasyncd for IPSEC?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Apr 2007 20:38:32 -0000


Hello Lists -

Sorry for the cross-post, but I am not actually sure which list this
question belongs on.

I have been working on building HA firewall/VPN systems using PF and
IPSEC and CARP.  The systems work quite well, however there is a small
gap in the desired feature set:  HA VPN.

I believe OpenBSD has a daemon called sasyncd(8) which utilizes
pfsync(4) to synchronize the negotiated SA's between the cluster
members.  So, if one firewall fails, the other can pick up and continue
not only firewall state but VPN activity without a hitch.

So I am wondering, what is the status of a port of sasyncd to FreeBSD? 
Any pointers appreciated.

I am also wondering about IKE synchronization.  My understanding is that
sasyncd keeps the IPSEC SA's sync'd between cluster members, but the IKE
negotiations are not synchronized.  I imagine that racoon(8) would have
to take on that role, and I am curious if any work has been done to
facilitate this.

If there is any further work needed, I would like to look into
completing it, but I don't want to start from scratch unless I have
to.  Please let me know what info is available.

-- 
David DeSimone == Network Admin == fox@verio.net
  "It took me fifteen years to discover that I had no
   talent for writing, but I couldn't give it up because
   by that time I was too famous.  -- Robert Benchley

From owner-freebsd-pf@FreeBSD.ORG  Fri Apr  6 02:10:10 2007
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@hub.freebsd.org
Delivered-To: freebsd-pf@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id B03F216A404
	for <freebsd-pf@hub.freebsd.org>; Fri,  6 Apr 2007 02:10:10 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40])
	by mx1.freebsd.org (Postfix) with ESMTP id 546B213C4AE
	for <freebsd-pf@hub.freebsd.org>; Fri,  6 Apr 2007 02:10:10 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l362AAvp077021
	for <freebsd-pf@freefall.freebsd.org>; Fri, 6 Apr 2007 02:10:10 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l362AACg077020;
	Fri, 6 Apr 2007 02:10:10 GMT (envelope-from gnats)
Date: Fri, 6 Apr 2007 02:10:10 GMT
Message-Id: <200704060210.l362AACg077020@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Giorgos Keramidas <keramida@freebsd.org>
Cc: 
Subject: Re: conf/111225: missing option "syncpeer" in pfsync startup script
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Giorgos Keramidas <keramida@freebsd.org>
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Apr 2007 02:10:10 -0000

The following reply was made to PR conf/111225; it has been noted by GNATS.

From: Giorgos Keramidas <keramida@freebsd.org>
To: Bas van Beek <bas@tobin.nl>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: conf/111225: missing option "syncpeer" in pfsync startup script
Date: Fri, 6 Apr 2007 04:47:17 +0300

 On 2007-04-04 13:10, Bas van Beek <bas@tobin.nl> wrote:
 > A minor update of the pfsync script would allow for this option to be
 > included in the rc.conf script:
 > 
 > if  [ -z  "$pfsync_syncpeer" ] ; then
 >     ifconfig pfsync0 syncdev $pfsync_syncdev $pfsync_ifconfig up
 > else
 >     ifconfig pfsync0 syncpeer $pfsync_syncpeer syncdev $pfsync_syncdev $pfsync_ifconfig up
 > fi
 
 Sounds like a good idea.  Does the following patch look like something
 we can use to make pfsync_syncpeer="address" work, and document it as an
 rc.conf option?
 
 [ http://people.freebsd.org/~keramida/diff/conf-111225.patch ]
 
 %%%
 diff -r 7fd2429572a3 etc/rc.d/pfsync
 --- a/etc/rc.d/pfsync	Fri Apr 06 01:25:19 2007 +0300
 +++ b/etc/rc.d/pfsync	Fri Apr 06 04:42:46 2007 +0300
 @@ -37,7 +37,11 @@ pfsync_start()
  pfsync_start()
  {
  	echo "Enabling pfsync."
 -	ifconfig pfsync0 syncdev $pfsync_syncdev $pfsync_ifconfig up
 +	if [ -n "${pfsync_syncpeer}" ]; then
 +		_syncpeer="syncpeer ${pfsync_syncpeer}"
 +	fi
 +	ifconfig pfsync0 $_syncpeer syncdev $pfsync_syncdev $pfsync_ifconfig up
 +	unset _syncpeer
  }
  
  pfsync_stop()
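
Review bot: `_syncpeer` is never initialised before the `if` at the top of this hunk, so when `pfsync_syncpeer` is empty any `_syncpeer` already present in the rc script's environment is passed straight through to ifconfig(8); the trailing `unset _syncpeer` only cleans up afterwards. Set `_syncpeer=""` before the test (or declare it local and initialise it) so the command line is built only from rc.conf values. Since `$_syncpeer` has to stay unquoted to expand into the two words `syncpeer <addr>`, a `pfsync_syncpeer` value containing whitespace would also turn into extra ifconfig arguments; a one-line check that it is a single address would be cheap.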
 diff -r 7fd2429572a3 share/man/man5/rc.conf.5
 --- a/share/man/man5/rc.conf.5	Fri Apr 06 01:25:19 2007 +0300
 +++ b/share/man/man5/rc.conf.5	Fri Apr 06 04:42:46 2007 +0300
 @@ -855,6 +855,26 @@ It must be set accordingly if
  .Va pfsync_enable
  is set to
  .Dq Li YES .
 +.It Va pfsync_syncpeer
 +.Pq Vt str
 +Empty by default.
 +This variable is optional.
 +By default, state change messages are sent out on the synchronisation
 +interface using IP multicast packets.
 +The protocol is IP protocol 240, PFSYNC, and the multicast group used is
 +224.0.0.240.
 +When a peer address is specified using the
 +.Va pfsync_syncpeer
 +option, the peer address is used as a destination for the pfsync
 +traffic, and the traffic can then be protected using
 +.Xr ipsec 4 .
 +See the
 +.Xr pfsync 4
 +manpage for more details about using
 +.Xr ipsec 4
 +with
 +.Xr pfsync 4
 +interfaces.
  .It Va pfsync_ifconfig
  .Pq Vt str
  Empty by default.
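
Review bot: The new entry says the variable is optional and empty by default but never states what the value is; add that it holds the IP address of the peer, which is passed verbatim as the `syncpeer` argument to ifconfig(8), e.g. `pfsync_syncpeer="192.0.2.2"` (constructed value). The text implies but does not say that the default multicast exchange on the synchronisation interface is unprotected; stating that outright, so readers know to put pfsync on a dedicated link or to use a unicast peer with ipsec(4), would make the security consequence of leaving this empty clear.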
 %%%

From owner-freebsd-pf@FreeBSD.ORG  Fri Apr  6 21:30:09 2007
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@hub.freebsd.org
Delivered-To: freebsd-pf@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id B167B16A401
	for <freebsd-pf@hub.freebsd.org>; Fri,  6 Apr 2007 21:30:09 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40])
	by mx1.freebsd.org (Postfix) with ESMTP id 5D48013C500
	for <freebsd-pf@hub.freebsd.org>; Fri,  6 Apr 2007 21:30:09 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l36LU9k2012876
	for <freebsd-pf@freefall.freebsd.org>; Fri, 6 Apr 2007 21:30:09 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l36LU9F8012873;
	Fri, 6 Apr 2007 21:30:09 GMT (envelope-from gnats)
Date: Fri, 6 Apr 2007 21:30:09 GMT
Message-Id: <200704062130.l36LU9F8012873@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Giorgos Keramidas <keramida@freebsd.org>
Cc: 
Subject: Re: conf/111225: missing option "syncpeer" in pfsync startup script
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Giorgos Keramidas <keramida@freebsd.org>
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Apr 2007 21:30:09 -0000

The following reply was made to PR conf/111225; it has been noted by GNATS.

From: Giorgos Keramidas <keramida@freebsd.org>
To: Bas van Beek <bas@tobin.nl>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: conf/111225: missing option "syncpeer" in pfsync startup script
Date: Sat, 7 Apr 2007 00:24:55 +0300

 > From: Giorgos Keramidas <keramida@freebsd.org>
 > To: Bas van Beek <bas@tobin.nl>
 > Cc: freebsd-gnats-submit@freebsd.org
 > Subject: conf/111225: Re: conf/111225: missing option "syncpeer" in pfsync startup script
 > Date: Fri, 6 Apr 2007 04:47:17 +0300
 > 
 > Sounds like a good idea.  Does the following patch look like something
 > we can use to make pfsync_syncpeer="address" work, and document it as an
 > rc.conf option?
 >  
 > [ http://people.freebsd.org/~keramida/diff/conf-111225.patch ]
 
 The original version of the patch used 'unset' to keep $_syncpeer local,
 but Simon has pointed me at using "local _syncpeer" since then.  I've
 updated the patch online with:
 
 %%%
 diff -r 7fd2429572a3 etc/rc.d/pfsync
 --- a/etc/rc.d/pfsync	Fri Apr 06 01:25:19 2007 +0300
 +++ b/etc/rc.d/pfsync	Sat Apr 07 00:22:07 2007 +0300
 @@ -36,8 +36,13 @@ pfsync_prestart()
  
  pfsync_start()
  {
 +	local _syncpeer
 +
  	echo "Enabling pfsync."
 -	ifconfig pfsync0 syncdev $pfsync_syncdev $pfsync_ifconfig up
 +	if [ -n "${pfsync_syncpeer}" ]; then
 +		_syncpeer="syncpeer ${pfsync_syncpeer}"
 +	fi
 +	ifconfig pfsync0 $_syncpeer syncdev $pfsync_syncdev $pfsync_ifconfig up
  }
  
  pfsync_stop()
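
Review bot: `local _syncpeer` on its own does not guarantee an empty variable: in FreeBSD's sh(1) a local declaration without an assignment inherits the value of the same-named variable from the surrounding scope, so the stale-value case that the `unset` in the previous revision was cleaning up after can still reach ifconfig(8). Follow the declaration with `_syncpeer=""` (or write `local _syncpeer=""`) so the `if` in this hunk starts from a known empty string.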
 diff -r 7fd2429572a3 share/man/man5/rc.conf.5
 --- a/share/man/man5/rc.conf.5	Fri Apr 06 01:25:19 2007 +0300
 +++ b/share/man/man5/rc.conf.5	Sat Apr 07 00:22:07 2007 +0300
 @@ -855,6 +855,26 @@ It must be set accordingly if
  .Va pfsync_enable
  is set to
  .Dq Li YES .
 +.It Va pfsync_syncpeer
 +.Pq Vt str
 +Empty by default.
 +This variable is optional.
 +By default, state change messages are sent out on the synchronisation
 +interface using IP multicast packets.
 +The protocol is IP protocol 240, PFSYNC, and the multicast group used is
 +224.0.0.240.
 +When a peer address is specified using the
 +.Va pfsync_syncpeer
 +option, the peer address is used as a destination for the pfsync
 +traffic, and the traffic can then be protected using
 +.Xr ipsec 4 .
 +See the
 +.Xr pfsync 4
 +manpage for more details about using
 +.Xr ipsec 4
 +with
 +.Xr pfsync 4
 +interfaces.
  .It Va pfsync_ifconfig
  .Pq Vt str
  Empty by default.
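
Review bot: This entry is unchanged from the first revision and still describes `pfsync_syncpeer` only as a destination; it should say that the setting is per host, so both cluster members need `pfsync_syncpeer` pointing at each other (and the ipsec(4) policy configured on both) before state changes flow in both directions. A mention that the variable holds a single IP address would also match how `syncpeer ${pfsync_syncpeer}` is spliced into the ifconfig(8) command in etc/rc.d/pfsync.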
 %%%
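
As an added example that is not part of the PR or of FreeBSD's etc/rc.d/pfsync, the following models the argument construction of the patched pfsync_start() in a dry-run helper, build_pfsync_args (hypothetical), so the empty, set and stale-environment cases can be checked without a real pfsync0 interface. pfsync_syncdev, pfsync_syncpeer and pfsync_ifconfig are the rc.conf variables from the patch.

```shell
#!/bin/sh
# Added example, not code from the PR or from FreeBSD's etc/rc.d/pfsync.
# build_pfsync_args is a hypothetical helper that prints the argument list
# the patched pfsync_start() would hand to ifconfig(8), so the logic can be
# exercised without touching a real pfsync0 interface.

build_pfsync_args() {
    local _syncpeer

    # The patch relies on "local" leaving _syncpeer empty.  FreeBSD's sh
    # (and dash) let a plain "local" inherit the outer scope's value, so
    # initialise explicitly; otherwise a stray _syncpeer in the environment
    # would become an ifconfig argument whenever pfsync_syncpeer is empty.
    _syncpeer=""

    # syncdev is mandatory when pfsync_enable is YES, so refuse to build a
    # command line that would leave it out.
    if [ -z "${pfsync_syncdev}" ]; then
        echo "pfsync_syncdev is not set" >&2
        return 1
    fi

    if [ -n "${pfsync_syncpeer}" ]; then
        _syncpeer="syncpeer ${pfsync_syncpeer}"
    fi

    # $_syncpeer and $pfsync_ifconfig are intentionally unquoted so that
    # they split into separate words ("syncpeer 192.0.2.2") or vanish
    # entirely when empty; syncdev is a single word and stays quoted.
    set -- pfsync0 $_syncpeer syncdev "$pfsync_syncdev" $pfsync_ifconfig up
    printf '%s\n' "$*"
}

# Demonstration with constructed values (192.0.2.0/24 is documentation space).
pfsync_syncdev="em1"
pfsync_ifconfig=""

pfsync_syncpeer=""
build_pfsync_args            # pfsync0 syncdev em1 up

pfsync_syncpeer="192.0.2.2"
build_pfsync_args            # pfsync0 syncpeer 192.0.2.2 syncdev em1 up
```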

From owner-freebsd-pf@FreeBSD.ORG  Sat Apr  7 17:45:55 2007
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 6DBF816A403;
	Sat,  7 Apr 2007 17:45:55 +0000 (UTC)
	(envelope-from max@love2party.net)
Received: from moutng.kundenserver.de (moutng.kundenserver.de
	[212.227.126.188])
	by mx1.freebsd.org (Postfix) with ESMTP id 022EE13C468;
	Sat,  7 Apr 2007 17:45:54 +0000 (UTC)
	(envelope-from max@love2party.net)
Received: from [88.66.15.55] (helo=amd64.laiers.local)
	by mrelayeu.kundenserver.de (node=mrelayeu5) with ESMTP (Nemesis),
	id 0ML25U-1HaEz216wn-00041r; Sat, 07 Apr 2007 19:45:53 +0200
From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: Nate Lawson <nate@root.org>
Date: Sat, 7 Apr 2007 18:45:44 +0100
User-Agent: KMail/1.9.5
References: <4617D3A6.8000201@root.org>
In-Reply-To: <4617D3A6.8000201@root.org>
X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGd<hB5S>u+2];
	R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart1565023.8ZCeSOeJC0";
	protocol="application/pgp-signature"; micalg=pgp-sha1
Content-Transfer-Encoding: 7bit
Message-Id: <200704071945.51273.max@love2party.net>
X-Provags-ID: V01U2FsdGVkX1/1YiwzCRzP+ZrVGiJsPrszH9lpFNABSPhr8kV
	0O+RyL5r32AMydwgk4FDSVikuIS8x3KPreJr91Mxx5QXm44oui
	0ldj46Y7HJSC/isqGPE2A==
Cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: call for testers: altq in current
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Apr 2007 17:45:55 -0000

On Saturday 07 April 2007 19:23, Nate Lawson wrote:
> A few weeks ago, I committed a change to ALTQ that I was only able to
> compile-test.  What I need is someone with a laptop or other
> cpufreq-capable system that is also using ALTQ to verify that with
> powerd running, the queuing timing is now reliable.
>
> Previously, altq would just cache the first value of the CPU freq it
> saw (based on tsc_freq) and use that forever.  Now it gets updated each
> time the freq changes.  I want to make sure the edge cases (i.e., freq
> changes while a packet is being timed) work ok.

I will try to give it a spin over the long weekend.  Other testers please 
note that you should test this without ALTQ_NOPCC.  Looking at the patch 
now, it seems that the eventhandler should take this into account, too.  
i.e. when ALTQ_NOPCC is defined we emulate a 256MHz clock with 
microtime - this shouldn't be dependent on the real cpu frequency 
(even though things will get strange when the clockspeed drops below 
256MHz).  Sorry for not paying attention when you posted the patch.

CC'ing freebsd-pf@ ... laptop anyone?

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News


From owner-freebsd-pf@FreeBSD.ORG  Sat Apr  7 19:00:03 2007
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 8F8E316A405
	for <freebsd-pf@freebsd.org>; Sat,  7 Apr 2007 19:00:03 +0000 (UTC)
	(envelope-from nate@root.org)
Received: from root.org (root.org [67.118.192.226])
	by mx1.freebsd.org (Postfix) with ESMTP id 54CA013C45E
	for <freebsd-pf@freebsd.org>; Sat,  7 Apr 2007 19:00:03 +0000 (UTC)
	(envelope-from nate@root.org)
Received: (qmail 17578 invoked from network); 7 Apr 2007 18:33:24 -0000
Received: from ppp-71-139-28-99.dsl.snfc21.pacbell.net (HELO ?10.0.0.235?)
	(nate-mail@71.139.28.99)
	by root.org with ESMTPA; 7 Apr 2007 18:33:24 -0000
Message-ID: <4617E3ED.9090400@root.org>
Date: Sat, 07 Apr 2007 11:33:17 -0700
From: Nate Lawson <nate@root.org>
User-Agent: Thunderbird 1.5.0.7 (X11/20061027)
MIME-Version: 1.0
To: Max Laier <max@love2party.net>
References: <4617D3A6.8000201@root.org> <200704071945.51273.max@love2party.net>
In-Reply-To: <200704071945.51273.max@love2party.net>
X-Enigmail-Version: 0.94.1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: call for testers: altq in current
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Apr 2007 19:00:03 -0000

Max Laier wrote:
> On Saturday 07 April 2007 19:23, Nate Lawson wrote:
>> A few weeks ago, I committed a change to ALTQ that I was only able to
>> compile-test.  What I need is someone with a laptop or other
>> cpufreq-capable system that is also using ALTQ to verify that with
>> powerd running, the queuing timing is now reliable.
>>
>> Previously, altq would just cache the first value of the CPU freq it
>> saw (based on tsc_freq) and use that forever.  Now it gets updated each
>> time the freq changes.  I want to make sure the edge cases (i.e., freq
>> changes while a packet is being timed) work ok.
> 
> I will try to give it a spin over the long weekend.  Other testers please 
> note that you should test this without ALTQ_NOPCC.  Looking at the patch 
> now, it seems that the eventhandler should take this into account, too.  
> i.e. when ALTQ_NOPCC is defined we emulate a 256Mhz clock with 
> microtime - this shouldn't be dependent on the real cpu frequency 
> (eventhough things will get strange when the clockspeed drops below 
> 256Mhz).  Sorry for not paying attention when you posted the patch.
> 
> CC'ing freebsd-pf@ ... laptop anyone?

Thanks Max.  Yes, the microtime clock will be mostly unaffected by the
CPU frequency.  However, we may need to look into that case.

-- 
Nate