From: Mark Linimon
Date: Sun, 22 Apr 2007 08:34:18 GMT
Message-Id: <200704220834.l3M8YIhH048680@freefall.freebsd.org>
To: r.gruyters@yirdis.nl, linimon@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: conf/110838: tagged parameter on nat not working on FreeBSD 5.2

Old Synopsis: tagged parameter on nat not working
New Synopsis: tagged parameter on nat not working on FreeBSD 5.2

State-Changed-From-To: open->suspended
State-Changed-By: linimon
State-Changed-When: Sun Apr 22 08:32:56 UTC 2007
State-Changed-Why:
It is unlikely at this point that this fix will be merged to the RELENG-5
branch, as almost all development is happening in 7-CURRENT and being
merged only to 6-STABLE. Leave it suspended for now.
http://www.freebsd.org/cgi/query-pr.cgi?pr=110838

From: FreeBSD bugmaster
Date: Mon, 23 Apr 2007 11:08:42 GMT
Message-Id: <200704231108.l3NB8gfq093202@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems
S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems
S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/110698  pf    [pf] nat rule of pf without "on" clause causes invalid

3 problems total.

Non-critical problems
S Tracker      Resp. Description
--------------------------------------------------------------------------------
f conf/81042   pf    [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/103304  pf    [pf] pf accepts nonexistent queue in rules
o kern/106400  pf    [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
o kern/110174  pf    [pf] pf pass route-to does not assign correct IP for t
s conf/110838  pf    tagged parameter on nat not working on FreeBSD 5.2

7 problems total.

From: Andrei Manescu
Date: Tue, 24 Apr 2007 00:12:08 +0300
Message-ID: <002101c785ec$0dd557d0$5501a8c0@ivorde>
To: freebsd-pf@freebsd.org
Subject: bandwidth limiting per ip with PF and ALTQ

Hello

Has anyone any idea on how to limit upload traffic per incoming connection or per IP address (host) for a web or ftp server, or from any specific port on the server using PF and ALTQ ??

I want that any web client for my server to be able to download from me (via http) with maximum xxx kbps and, if available, to borrow bandwidth.

I want to avoid situations in which 2 or 3 clients download something from the server and all the other clients browse the web pages very hard.

Or is it better to use apache mod_cband ??

Thank you in advance.

I wish you a very nice day.
Andrei.
From: snowcrash
Date: Mon, 23 Apr 2007 15:11:12 -0700
Message-ID: <70f41ba20704231511u2b7a1497y9063ec0d8eca6cbf@mail.gmail.com>
To: freebsd-pf@freebsd.org
Subject: logging pf in ASCII via syslog -- logs not saved

i'm using FreeBSD v6.2-RELEASE + pf + pflog.

firewall works great, and i can watch real-time output on logging_device:pflog0 with,

    tcpdump -tttt -nei pflog0

i'd like to archive & rotate the logs as well, so, following instructions at,

    "Packet Logging Through Syslog"
    http://www.openbsd.org/faq/pf/logging.html

i've -- supposedly -- setup for pf to log in ASCII to /var/log/pflog.txt etc etc

when i start pf, I see in the logs dir,

    ls -al *pf*
    -rw-------  1 root  wheel    24 Apr 23 13:30 pflog
    -rw-------  1 root  wheel     0 Apr 23 13:20 pflog.txt

which, as time passes, show 'pflog' growing as expected,

    ls -al *pf*
    -rw-------  1 root  wheel  1056 Apr 23 13:45 pflog
    -rw-------  1 root  wheel     0 Apr 23 13:20 pflog.txt

if i exec the /etc/pflogrotate script either manually @ shell, or via cron, i see,

    reading from file /var/log/pflog5min.200704231347, link-type PFLOG (OpenBSD pflog file)

but immediately afterwards, checking in the log dir, i see only,

    ls -alt /var/log/*pf*
    -rw-------  1 root  wheel    24 Apr 23 13:48 pflog
    -rw-------  1 root  wheel     0 Apr 23 13:47 pflog.txt

with no trace of the rolled log :-/

if i allow the top of the hour to pass, the newsyslog cron job fires, after which i see,

    ls -alt /var/log/*pf*
    -rw-------  1 root  wheel    24 Apr 23 14:00 /var/log/pflog
    -rw-------  1 root  wheel    62 Apr 23 14:00 /var/log/pflog.txt
    -rw-------  1 root  wheel    62 Apr 23 14:00 /var/log/pflog.txt.0

where,

    cat /var/log/pflog.txt.0
    Apr 23 14:00:00 router newsyslog[36971]: logfile turned over

bottom line -- i'm not getting my ascii-based pf-logs anywhere.
any suggestions as to what i'm missing would be appreciated :-/

thanks!

From: Sam Fourman Jr.
Date: Tue, 24 Apr 2007 00:36:51 -0500
Message-ID: <11167f520704232236r257f90c9p2fb18d1b9c131642@mail.gmail.com>
To: Andrei Manescu
Cc: freebsd-pf@freebsd.org
Subject: Re: bandwidth limiting per ip with PF and ALTQ

yeah I was stumped on this as well, I was wanting to know how to have 2 upstream ISPs, and limit bandwidth to a pool of 192.168.x.x addresses but have it round robin the downloads.

if someone could spare a working sample that would be Great

Sam Fourman Jr.

On 4/23/07, Andrei Manescu wrote:
> Hello
>
> Has anyone any idea on how to limit upload traffic per incoming connection or per IP address (host) for a web or ftp server, or from any specific port on the server using PF and ALTQ ??
>
> I want that any web client for my server to be able to download from me (via http) with maximum xxx kbps and, if available, to borrow bandwidth.
>
> I want to avoid situations in which 2 or 3 clients download something from the server and all the other clients browse the web pages very hard.
>
> Or is it better to use apache mod_cband ??
>
> Thank you in advance.
>
> I wish you a very nice day.
> Andrei.
From: John Mok
Date: Tue, 24 Apr 2007 20:43:29 +0800
Message-ID: <462DFB71.5050003@attglobal.net>
To: freebsd-pf@freebsd.org
Subject: NAT-T support in FreeBSD + PF

Hi,

I would like to build a NAT firewall box using FreeBSD + PF at work. However, I hope someone could advise if PF could support NAT-T, such that the IPSec client connections (e.g. a visitor notebook with IPSec client) inside the company Intranet could successfully connect passing through the NAT box to the Internet IPSec gateway (e.g. the home network of a visitor).

Thanks a lot.

John Mok

From: Volker
Date: Tue, 24 Apr 2007 15:58:32 +0200
Message-ID: <462E0D08.4080505@vwsoft.com>
To: FreeBSD (PF)
Subject: debugging pf
Hi!

While trying to nail down what I suspected might be an MTU issue, using "debug urgent" I've seen a debug message like:

    pf: NAT proxy port allocation (50001-65535) failed

From the interpretation of the code (pf.c, function pf_get_sport) I think this function is trying to allocate a new source port to be used for NAT. If it fails, all source ports must be exhausted (or the packet is non TCP/UDP/ICMP). But in this case, all of 15,000 ports (range 50001-65535) must be in use.

Near the time of this debug message, pf has had around 200 to 400 state table entries (all pf rules create state).

1) Why does pf state it's out of ports if it really isn't, or am I misinterpreting the code of function pf_get_sport?

2) How do I figure out which packet (or connection) is causing this message? With loud debugging there are plenty of other (irrelevant) messages. Is there a way to direct debugging to pflog? I want to get an idea of the timing and see if this happens at the time where I expect a specific connection to fail.

This gateway I'm trying to debug is serving a lot of users and I need to find the tree in the forest.

Thanks!
Volker

From: VANHULLEBUS Yvan
Date: Tue, 24 Apr 2007 16:49:36 +0200
Message-ID: <20070424144936.GA11566@zen.inc>
To: freebsd-pf@freebsd.org
Subject: Re: NAT-T support in FreeBSD + PF

On Tue, Apr 24, 2007 at 08:43:29PM +0800, John Mok wrote:
> Hi,

Hi.

> I would like to build a NAT firewall box using FreeBSD + PF at work.
> However, I hope someone could advise if PF could support NAT-T, such
> that the IPSec client connections (e.g. a visitor notebook with IPSec
> client) inside the company Intranet could successfully connect passing
> through the NAT box to the Internet IPSec gateway (e.g. the home network
> of a visitor) .
Your PF will "just" see two UDP pseudo-sessions (one on dport 500 for the beginning of the negotiation, one on dport 4500 for all the remaining negotiations and for all traffic), so there is no need for specific NAT-T support, you just need to allow outgoing UDP traffic to port 500/4500, and incoming replies.

That was the main goal of NAT-T: routers/NAT devices on the way just have to work as usual....

Yvan.

--
NETASQ
http://www.netasq.com

From: Volker
Date: Tue, 24 Apr 2007 17:35:24 +0200
Message-ID: <462E23BC.8020401@vwsoft.com>
To: schneecrash+pf@gmail.com
Cc: freebsd-pf@freebsd.org
Subject: Re: logging pf in ASCII via syslog -- logs not saved

On 12/23/-58 20:59, snowcrash wrote:
> i'm using FreeBSD v6.2-RELEASE + pf + pflog.
>
> firewall works great, and i can watch real-time output on
> logging_device:pflog0 with,
>
> tcpdump -tttt -nei pflog0
>
> i'd like to archive & rotate the logs as well, so, following
> instructions at,
>
> "Packet Logging Through Syslog"
> http://www.openbsd.org/faq/pf/logging.html
>
> i've -- supposedly -- setup for pf to log in ASCII to /var/log/pflog.txt
> etc etc
>
> when i start pf, I see in the logs dir,
>
> ls -al *pf*
> -rw------- 1 root wheel 24 Apr 23 13:30 pflog
> -rw------- 1 root wheel 0 Apr 23 13:20 pflog.txt
>
> which, as time passes, show 'pflog' growing as expected,
>
> ls -al *pf*
> -rw------- 1 root wheel 1056 Apr 23 13:45 pflog
> -rw------- 1 root wheel 0 Apr 23 13:20 pflog.txt
>
> if i exec the /etc/pflogrotate script either manually @ shell, or via
> cron, i see,
>
> reading from file /var/log/pflog5min.200704231347, link-type PFLOG
> (OpenBSD pflog file)
>
> but immediately afterwards, checking in the log dir, i see only,
>
> ls -alt /var/log/*pf*
> -rw------- 1 root wheel 24 Apr 23 13:48 pflog
> -rw------- 1 root wheel 0 Apr 23 13:47 pflog.txt
>
> with no trace of the rolled log :-/
>
> if i allow the top of the hour to pass, the newsyslog cron job fires,
> after which i see,
>
> ls -alt /var/log/*pf*
> -rw------- 1 root wheel 24 Apr 23 14:00 /var/log/pflog
> -rw------- 1 root wheel 62 Apr 23 14:00 /var/log/pflog.txt
> -rw------- 1 root wheel 62 Apr 23 14:00 /var/log/pflog.txt.0
>
> where,
>
> cat /var/log/pflog.txt.0
> Apr 23 14:00:00 router newsyslog[36971]: logfile turned over
>
> bottom line -- i'm not getting my ascii-based pf-logs anywhere.
>
> any suggestions as to what i'm missing would be appreciated :-/
>
> thanks!
I suspect there's a mistake in your script.

Have you tried using `tcpdump | logger' manually?
Have you tried using `set -x' in your shell script and checked if you see any errors?
Have you removed the last `rm $FILE' and checked if $FILE is created well?
Have you checked if logger does its job when started manually (`echo "this is a test" | logger -t pf -p local0.info')?

Check this out first. I suspect this to be a script issue.

HTH,

Volker

From: Volker
Date: Tue, 24 Apr 2007 17:48:00 +0200
Message-ID: <462E26B0.9060509@vwsoft.com>
To: Andrei Manescu
Cc: freebsd-pf@freebsd.org
Subject: Re: bandwidth limiting per ip with PF and ALTQ

On 12/23/-58 20:59, Andrei Manescu wrote:
> Hello
>
> Has anyone any idea on how to limit upload traffic per incoming connection or per IP address (host) for a web or ftp server, or from any specific port on the server using PF and ALTQ ??
>
> I want that any web client for my server to be able to download from me (via http) with maximum xxx kbps and, if available, to borrow bandwidth.
>
> I want to avoid situations in which 2 or 3 clients download something from the server and all the other clients browse the web pages very hard.
>
> Or is it better to use apache mod_cband ??
>
> Thank you in advance.
>
> I wish you a very nice day.
> Andrei.

Andrei,

there's no way to tell another client something like "hey, you're talking too fast to me, please slow down a bit". You can control bandwidth for packets leaving your host but not arriving (just to avoid the term upstream as it depends from the point of view what upstream traffic really is).

If your host is serving content to clients, you should be able to serve all clients in a reasonably fair way by using queuing. But you can't do that per client or per connection.

For a http server (or mail or whatever public service) queuing is one of the very first things to setup when going into production as you probably don't want all http clients to eat up all your bandwidth so that the machine is unable to serve anything else.

You need to create one queue (for example) for your http server and assign all traffic to your http server into that queue.
Having a queue with a guaranteed bandwidth for every connection (client) would require the creation of "dynamic queues" on the fly. I'm not aware of such a possibility.

HTH

Volker

From: Jon Simola
Date: Tue, 24 Apr 2007 09:19:35 -0700
Message-ID: <8eea04080704240919h5d478193n8bd4ae8f68516623@mail.gmail.com>
To: freebsd-pf@freebsd.org
Subject: Re: bandwidth limiting per ip with PF and ALTQ

On 4/24/07, Volker wrote:
> Having a queue
> with a guaranteed bandwidth for every connection (client) would
> require the creation of "dynamic queues" on the fly. I'm not aware of
> such a possibility.

ipfw with dummynet could do this. Very interesting feature. See DUMMYNET (specifically the mask option) in ipfw(8):

"whereas when dynamic queues are used, each flow will share the parent's pipe bandwidth evenly with other flows generated by the same queue"

The only way I can think of doing something similar in PF would be randomly assigning to one of N queues, like:

    pass out on $ext_if queue q1 probability 33%
    pass out on $ext_if queue q2 probability 50%
    pass out on $ext_if queue q3

--
Jon
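As an added example (not code from the thread or from pf itself), this Python model evaluates the three `probability` rules above the way pf.conf(5) describes rule evaluation: a rule with `probability p` matches with probability p, the last matching rule decides the queue, and a matching rule carrying `quick` ends evaluation. It also runs the same rules with `quick` added (my variant, not from the thread), which is what yields the near-even three-way split; one queue is chosen per connection when its state is created.

```python
"""Model pf's evaluation of N ``probability`` queue rules.

Added example, not code from this thread or from pf itself.  It encodes two
behaviours documented in pf.conf(5): a rule with ``probability p`` matches
with probability p, and the LAST matching rule decides the action (and the
queue) unless a matching rule carries ``quick``, which ends evaluation.
Evaluation happens once per connection, when its state is created, so the
chosen queue sticks for the whole connection.
"""
import random
from collections import Counter

# (queue, match probability, quick) for the rule set posted in the thread:
#   pass out on $ext_if queue q1 probability 33%
#   pass out on $ext_if queue q2 probability 50%
#   pass out on $ext_if queue q3
RULES_AS_POSTED = [("q1", 0.33, False), ("q2", 0.50, False), ("q3", 1.0, False)]

# The same rules with ``quick`` added (my variant, not from the thread):
#   pass out quick on $ext_if queue q1 probability 33%   (and so on)
RULES_QUICK = [(queue, prob, True) for queue, prob, _ in RULES_AS_POSTED]


def evaluate(rules, rng):
    """Return the queue one new connection is assigned to."""
    winner = None
    for queue, prob, quick in rules:
        if rng.random() < prob:      # this rule matched
            winner = queue
            if quick:                # quick: the first match is final
                break
            # no quick: a later matching rule overrides this one
    return winner


def expected_share(rules):
    """Closed-form share of connections per queue under the same semantics.

    Rule i wins iff no earlier quick rule matched, rule i matched, and
    (for a non-quick rule) none of the later rules matched.
    """
    shares = {}
    for i, (queue, p_i, quick_i) in enumerate(rules):
        share = p_i
        for j, (_, p_j, quick_j) in enumerate(rules):
            if j < i and quick_j:
                share *= 1.0 - p_j     # an earlier quick match would have stopped us
            elif j > i and not quick_i:
                share *= 1.0 - p_j     # a later match would override us
        shares[queue] = share
    return shares


def distribution(rules, n_conns=100_000, seed=1):
    """Monte Carlo estimate of the per-queue share over n_conns connections."""
    rng = random.Random(seed)        # fixed seed: reproducible run
    counts = Counter(evaluate(rules, rng) for _ in range(n_conns))
    return {queue: counts[queue] / n_conns for queue, _, _ in rules}


if __name__ == "__main__":
    for name, rules in (("as posted", RULES_AS_POSTED), ("with quick", RULES_QUICK)):
        print(name, "expected:", expected_share(rules),
              "simulated:", distribution(rules))
```

Without `quick`, the unconditional q3 rule is always the last match, so every connection lands in q3; with `quick`, the shares are 0.33, 0.67 x 0.5 = 0.335 and 0.335.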
From: cangak <cangak_stress@yahoo.com>
To: Volker
Cc: freebsd-pf@freebsd.org
Date: Tue, 24 Apr 2007 09:27:47 -0700 (PDT)
Message-ID: <20070424162747.83796.qmail@web37703.mail.mud.yahoo.com>
In-Reply-To: <462E23BC.8020401@vwsoft.com>
Subject: testing load balancing work.

I have two connections, and I try load balancing by doing it like this:

nat on $ext_if1 xxxxxxxxxxxxxxxxxxxxx
nat on $ext_if2 xxxxxxxxxxxxxxxxxxxxx

And now, how do I see whether it works or not? Thanks.

imagination without limits
From owner-freebsd-pf@FreeBSD.ORG Tue Apr 24 18:00:31 2007
From: "Dave" <dmehler26@woh.rr.com>
To: freebsd-pf@freebsd.org
Date: Tue, 24 Apr 2007 14:00:41 -0400
Message-ID: <00b701c7869a$795c0db0$0200a8c0@satellite>
Subject: preventing ssh brute force attacks, swatch and users and table

Hello,
I've got a machine running ssh and I'm trying to cut down on brute force attacks on it. I'm running pf on a FreeBSD 6.2 box and have added in swatch to try to curb these attacks. The problem is nothing is being added to either the in-memory hackers table or the on-disk copy of it.
I know I'm getting hits because I'm seeing entries in my auth.log like this:

Apr 21 06:18:38 zeus sshd[10609]: Did not receive identification string from 125.33.163.188
Apr 21 06:22:55 zeus sshd[10658]: User root from 125.33.163.188 not allowed because none of user's groups are listed in AllowGroups
Apr 21 06:22:55 zeus sshd[10658]: Failed password for invalid user root from 125.33.163.188 port 54521 ssh2
Apr 21 06:22:57 zeus sshd[10660]: User root from 125.33.163.188 not allowed because none of user's groups are listed in AllowGroups
Apr 21 06:22:57 zeus sshd[10660]: Failed password for invalid user root from 125.33.163.188 port 54727 ssh2
Apr 24 00:52:08 zeus sshd[7746]: Failed password for invalid user root from 218.205.231.39 port 61694 ssh2
Apr 24 00:52:11 zeus sshd[7749]: User root from 218.205.231.39 not allowed because none of user's groups are listed in AllowGroups
Apr 24 00:52:11 zeus sshd[7749]: Failed password for invalid user root from 218.205.231.39 port 61773 ssh2

I don't want to move my ssh; I feel these bots would just find it again. I'm also getting postfix attempts; I'd like to block them both. My swatch configuration looks like this:

rc.conf
swatch_enable="YES"
swatch_rules="1"
swatch_1_flags="--config-file=/usr/local/etc/swatchrc --tail-file=/var/log/auth.log --daemon --pid-file=/var/run/swatch.pid"
swatch_1_user="root"
swatch_1_chdir="/var/tmp"
swatch_1_pidfile="/var/run/swatch.pid"

In pf I have a block-by-default policy and I've got these lines:

table <hackers> persist file "/etc/hackers"
block all
block in quick on $ext_if from <hackers> to any

and /usr/local/etc/swatchrc calls a script that looks like:

#!/bin/sh
# $1 is the offending address handed over by swatch
/sbin/pfctl -t hackers -T add "$1"
/bin/echo "$1" >> /etc/hackers
/usr/bin/logger "swatch: $1 caught with bad login. Added to hackers pf table"

If there's a better way that I can get both ssh and smtp bots I'd like to know about it; also, if my config is wrong let me know, as it's not working.
One thing: I do not want to unblock attempted hackings; my feeling is those that do it should have no further interactions with my machines on any level.
Thanks.
Dave.

From owner-freebsd-pf@FreeBSD.ORG Tue Apr 24 18:38:06 2007
From: Volker <volker@vwsoft.com>
To: cangak
Cc: freebsd-pf@freebsd.org
Date: Tue, 24 Apr 2007 20:37:37 +0200
Message-ID: <462E4E71.4050605@vwsoft.com>
In-Reply-To: <20070424162747.83796.qmail@web37703.mail.mud.yahoo.com>
References: <20070424162747.83796.qmail@web37703.mail.mud.yahoo.com>
Subject: Re: testing load balancing work.
On 04/24/07 18:27, cangak wrote:
> i have two connection, and i try load balancing by
> doing like this
> nat on $ext_if1 xxxxxxxxxxxxxxxxxxxxx
> nat on $ext_if2 xxxxxxxxxxxxxxxxxxxxx
>
> and now how to see its work or not. thanks
>

cangak,

these are just two NAT rules. But it has nothing to do with load balancing.

For load balancing somebody else on the list has to comment, as I never tried balancing two external connections.

In general, if you want to check out what packets are leaving your system, using which source address, check out the states with `pfctl -ss'. AFAIK the way for you to go is to use rdr options. Also take a look at the round-robin options in pf.conf(5). Other folks here on the list have the comfort of having two upstream connections and already tried things like that. Perhaps anybody else with some experience can comment on this?
HTH
Volker

From owner-freebsd-pf@FreeBSD.ORG Tue Apr 24 18:44:13 2007
From: eculp@encontacto.net
To: freebsd-pf@freebsd.org
Date: Tue, 24 Apr 2007 13:33:55 -0500
Message-ID: <20070424133355.652vt8e4dcoskcgk@intranet.encontacto.net>
In-Reply-To: <00b701c7869a$795c0db0$0200a8c0@satellite>
References: <00b701c7869a$795c0db0$0200a8c0@satellite>
Subject: Re: preventing ssh brute force attacks, swatch and users and table
Quoting Dave:

> Hello,
> I've got a machine running ssh and I'm trying to cut down on brute force attacks on it. I'm running pf on a FreeBSD 6.2 box and have added in swatch to try to curb these attacks. The problem is nothing is being added to either the in-memory hackers table or the on-disk copy of it. I know I'm getting hits because I'm seeing entries in my auth.log like this:
>
> Apr 21 06:18:38 zeus sshd[10609]: Did not receive identification string from 125.33.163.188
> Apr 21 06:22:55 zeus sshd[10658]: User root from 125.33.163.188 not allowed because none of user's groups are listed in AllowGroups
> Apr 21 06:22:55 zeus sshd[10658]: Failed password for invalid user root from 125.33.163.188 port 54521 ssh2
> Apr 21 06:22:57 zeus sshd[10660]: User root from 125.33.163.188 not allowed because none of user's groups are listed in AllowGroups
> Apr 21 06:22:57 zeus sshd[10660]: Failed password for invalid user root from 125.33.163.188 port 54727 ssh2
> Apr 24 00:52:08 zeus sshd[7746]: Failed password for invalid user root from 218.205.231.39 port 61694 ssh2
> Apr 24 00:52:11 zeus sshd[7749]: User root from 218.205.231.39 not allowed because none of user's groups are listed in AllowGroups
> Apr 24 00:52:11 zeus sshd[7749]: Failed password for invalid user root from 218.205.231.39 port 61773 ssh2
>
> I don't want to move my ssh; I feel these bots would just find it again. I'm also getting postfix attempts; I'd like to block them both.
> My swatch configuration looks like this:
>
> rc.conf
> swatch_enable="YES"
> swatch_rules="1"
> swatch_1_flags="--config-file=/usr/local/etc/swatchrc --tail-file=/var/log/auth.log --daemon --pid-file=/var/run/swatch.pid"
> swatch_1_user="root"
> swatch_1_chdir="/var/tmp"
> swatch_1_pidfile="/var/run/swatch.pid"
>
> In pf I have a block-by-default policy and I've got these lines:
> table <hackers> persist file "/etc/hackers"
> block all
> block in quick on $ext_if from <hackers> to any
>
> and /usr/local/etc/swatchrc calls a script that looks like:
> #!/bin/sh
> /sbin/pfctl -t hackers -T add $1
> /bin/echo $1 >> /etc/hackers
> /usr/bin/logger swatch: $1 caught with bad login. Added to hackers pf table
>
> If there's a better way that I can get both ssh and smtp bots I'd like to know about it; also, if my config is wrong let me know, as it's not working. One thing: I do not want to unblock attempted hackings; my feeling is those that do it should have no further interactions with my machines on any level.

I'm pretty sure that I don't have a better way; in fact that is why I'm posting it ;) but it seems to work. My rules are basically:

block drop in quick on $ext_if from to any
block drop in quick on $ext_if from to any
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port smtp flags S/SA keep state \
    ( max-src-conn 70, max-src-conn-rate 70/90, overload flush global )
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $ssh_services flags S/SA keep state \
    ( max-src-conn-rate 3/30, overload flush global )

The connections and rates took me a couple of weeks to not block legit smtp, but it seems to be ok for my installation now. I'm not sure if the quick is good or bad, but it was faster ;)

Maybe this will give you another perspective, from someone less knowledgeable.

I also run expiretable to leave the IPs in for 24 hours and I get few repeats. I've thought about not doing that but . . .
Good luck,

ed

> Thanks.
> Dave.
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Tue Apr 24 19:02:51 2007
From: Andrei Kolu <antik@pcbsd.org>
To: freebsd-pf@freebsd.org
Date: Tue, 24 Apr 2007 21:16:49 +0300
Message-Id: <200704242116.49805.antik@pcbsd.org>
In-Reply-To: <00b701c7869a$795c0db0$0200a8c0@satellite>
References: <00b701c7869a$795c0db0$0200a8c0@satellite>
Subject: Re: preventing ssh brute force attacks, swatch and users and table

On Tuesday 24 April 2007 21:00:41 Dave wrote:
> Hello,
> I've got a machine running ssh and I'm trying to cut down on brute force attacks on it. I'm running pf on a FreeBSD 6.2 box and have added in swatch to try to curb these attacks. The problem is nothing is being added to either the in-memory hackers table or the on-disk copy of it. I know I'm getting hits because I'm seeing entries in my auth.log like this:
>
> Apr 21 06:18:38 zeus sshd[10609]: Did not receive identification string from 125.33.163.188

I managed to cut down attacks and block IPs with denyhosts:

Port:   denyhosts-2.6
Path:   /usr/ports/security/denyhosts
Info:   Script to thwart ssh attacks

Currently I block attackers for 10 minutes and then release the IP, in case someone is using NAT and blocks all other users out of that network.
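The detection step the thread keeps circling around (swatch or denyhosts reading auth.log, then a pfctl call on the hackers table) written out as an added Python example; this is not code from Dave, ed, Andrei or any tool they mention. It runs over a constructed copy of the auth.log lines Dave posted, counts failed passwords per source inside a time window (the same 3-in-30-seconds idea as ed's max-src-conn-rate rule), produces the pfctl -t hackers -T add commands a hook would run, and, following Andrei's point about locking out a whole NATed network, shows how entries would be aged out of the table the way expiretable does. The threshold, the window, the 24-hour TTL, the year 2007 and the 192.168.1.20 lines are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the auth.log lines quoted in this thread.
# The 192.168.1.20 lines are added so that a legitimate user with one typo
# is visibly left alone.
SAMPLE_AUTH_LOG = """\
Apr 21 06:18:38 zeus sshd[10609]: Did not receive identification string from 125.33.163.188
Apr 21 06:22:55 zeus sshd[10658]: User root from 125.33.163.188 not allowed because none of user's groups are listed in AllowGroups
Apr 21 06:22:55 zeus sshd[10658]: Failed password for invalid user root from 125.33.163.188 port 54521 ssh2
Apr 21 06:22:57 zeus sshd[10660]: Failed password for invalid user root from 125.33.163.188 port 54727 ssh2
Apr 24 00:52:08 zeus sshd[7746]: Failed password for invalid user root from 218.205.231.39 port 61694 ssh2
Apr 24 00:52:11 zeus sshd[7749]: Failed password for invalid user root from 218.205.231.39 port 61773 ssh2
Apr 24 00:52:14 zeus sshd[7752]: Failed password for invalid user root from 218.205.231.39 port 61801 ssh2
Apr 24 09:10:00 zeus sshd[8001]: Failed password for dave from 192.168.1.20 port 50000 ssh2
Apr 24 09:10:02 zeus sshd[8002]: Accepted publickey for dave from 192.168.1.20 port 50001 ssh2
"""

# One sshd failed-password line. "invalid user" is optional so that
# failures against accounts that do exist are counted as well.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text, year=2007):
    """Return [(timestamp, ip)] for every failed-password line.

    syslog timestamps carry no year, so the caller supplies it (assumed 2007).
    """
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["ip"]))
    return failures


def offenders(log_text, threshold=3, window=timedelta(seconds=30), year=2007):
    """IPs with at least `threshold` failures inside any `window`.

    Log-side equivalent of pf's max-src-conn-rate 3/30: one mistyped
    password never trips it, a scripted run of attempts does.
    """
    by_ip = {}
    for ts, ip in parse_failures(log_text, year):
        by_ip.setdefault(ip, []).append(ts)
    bad = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        # Slide a window of `threshold` consecutive failures along the list.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                bad.add(ip)
                break
    return bad


def pfctl_add_commands(ips, table="hackers"):
    """The pfctl invocations a swatch-style hook would run, one per offender."""
    return [f"/sbin/pfctl -t {table} -T add {ip}" for ip in sorted(ips)]


def expired(bans, now, ttl=timedelta(hours=24)):
    """Entries of bans ({ip: time_added}) older than ttl.

    These are the addresses a periodic `pfctl -t hackers -T delete` run would
    drop; ageing entries out keeps one misbehaving host behind NAT from
    locking out everybody who shares its public address for good.
    """
    return sorted(ip for ip, since in bans.items() if now - since >= ttl)


if __name__ == "__main__":
    for cmd in pfctl_add_commands(offenders(SAMPLE_AUTH_LOG)):
        print(cmd)
```

With the default 3-in-30-seconds rule only 218.205.231.39 is added; 125.33.163.188 shows two failures and the legitimate user one, so neither is touched. Lowering the threshold to 2 catches both scanners, which is the kind of tuning ed describes spending weeks on for SMTP.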
From owner-freebsd-pf@FreeBSD.ORG Tue Apr 24 19:26:56 2007
From: Gergely CZUCZY <gergely.czuczy@harmless.hu>
To: Andrei Kolu
Cc: freebsd-pf@freebsd.org
Date: Tue, 24 Apr 2007 21:07:03 +0200
Message-ID: <20070424190702.GA91635@harmless.hu>
In-Reply-To: <200704242116.49805.antik@pcbsd.org>
References: <00b701c7869a$795c0db0$0200a8c0@satellite> <200704242116.49805.antik@pcbsd.org>
Subject: Re: preventing ssh brute force attacks, swatch and users and table
On Tue, Apr 24, 2007 at 09:16:49PM +0300, Andrei Kolu wrote:
> On Tuesday 24 April 2007 21:00:41 Dave wrote:
> > Hello,
> > I've got a machine running ssh and I'm trying to cut down on brute force attacks on it. I'm running pf on a FreeBSD 6.2 box and have added in swatch to try to curb these attacks. The problem is nothing is being added to either the in-memory hackers table or the on-disk copy of it. I know I'm getting hits because I'm seeing entries in my auth.log like this:
> >
> > Apr 21 06:18:38 zeus sshd[10609]: Did not receive identification string from 125.33.163.188

I've used a pf ruleset to block too intensive connect attempts to my sshd, as documented in the OpenBSD FAQ. I block IPs permanently, and if someone was blocked due to too intensive ssh-ing, then the IP will absolutely be blocked, globally. I auto-save this table, and it's an append-only one. This is a really easy policy; it works great.

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

--
Weenies test. Geniuses solve problems that arise.
From owner-freebsd-pf@FreeBSD.ORG Tue Apr 24 22:50:43 2007
From: "Sam Fourman Jr." <sfourman@gmail.com>
To: Volker
Cc: freebsd-pf@freebsd.org
Date: Tue, 24 Apr 2007 17:50:41 -0500
Message-ID: <11167f520704241550g7ebf705eqfc7cf4962e33592e@mail.gmail.com>
In-Reply-To: <462E4E71.4050605@vwsoft.com>
References: <20070424162747.83796.qmail@web37703.mail.mud.yahoo.com> <462E4E71.4050605@vwsoft.com>
Subject: Re: testing load balancing work.

Does someone have a sample pf.conf using 2 external connections in a load-balanced or round-robin fashion?
I would like to use one as a reference when building my firewall / router.

Sam Fourman Jr.

On 4/24/07, Volker wrote:
> On 04/24/07 18:27, cangak wrote:
> > i have two connection, and i try load balancing by
> > doing like this
> > nat on $ext_if1 xxxxxxxxxxxxxxxxxxxxx
> > nat on $ext_if2 xxxxxxxxxxxxxxxxxxxxx
> >
> > and now how to see its work or not. thanks
> >
>
> cangak,
>
> these are just two NAT rules. But it has nothing to do with load
> balancing.
>
> For load balancing somebody else on the list has to comment as I never
> tried balancing two external connections.
>
> In general, if you want to check out what packets are leaving your
> system, using which source address, check out the states `pfctl -ss'.
> AFAIK the way for you to go is to use rdr options. Also take a look at
> the round-robin options pf.conf(5). Other folks here on the list have
> the comfort of having two upstream connections and already tried
> things like that. Perhaps anybody else with some experience can
> comment on this?
>
> HTH
>
> Volker

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 25 09:09:52 2007
From: "Odd-Jarle Kristoffersen" <gamuso@gmail.com>
To: freebsd-pf@freebsd.org
Date: Wed, 25 Apr 2007 10:42:14 +0200
Subject: Multiple WAN with DHCP and routing

I've searched around a bit but couldn't find anything about just this topic. Most articles I've read deal with WAN interfaces having static IPs and known routes, which makes it not so hard to set up. Here's what I'm trying to accomplish.

FreeBSD 6.2 box with 3 network interfaces.

WAN1 fxp0 (IP provided by DHCP from DSL provider)
WAN2 xl0 (IP provided by DHCP from DSL provider)
LAN sis0 (192.168.50.0/24)

WAN1 is a high-speed symmetrical connection and WAN2 is a slower asymmetrical connection.

I've earlier used ipfilter and ipnat as a firewall with just one WAN and one LAN interface. But I have discovered that converting to pf is probably a must to get this new scenario working. And as I understand it pf does what ipf/ipnat does anyway, and more, so I won't mind the change.

I have two groups of machines on the LAN segment. IPs from 192.168.50.10 through 30 are supposed to use the WAN1 connection all the time. These provide some web services that should be reachable from the WAN1 interface. Computers in the range 192.168.50.100 to 120 should use the WAN2 connection. None of these will need to be reached from the outside. Of course it'd be nice if the computers in this second range could reach the computers in the first range without being routed over the external network. I guess a couple of static routes should fix that, if at all needed. This is only a concern if I have to create two networks on the LAN interface (i.e. 192.168.50.1/27 and 192.168.50.96/27 as an alias on the interface).

First of all, is it at all possible to perform routing based upon which LAN address the traffic is coming from?
And will it work when the WAN interfaces are dynamically assigned? If not, can a simple fail-over solution be implemented at all? If WAN1 goes down, that all traffic is automatically routed to WAN2? And then back to WAN1 when it comes back up...

I've found out how to configure dhclient using /etc/dhclient.conf so that it doesn't overwrite the /etc/resolv.conf file, but am at a loss when it comes to configuring pf and the routing. I've discovered that if I leave "request routers" on just one interface in the /etc/dhclient.conf file this will become the default gateway for the FreeBSD box. If no such request is stated at all, there's no default gateway.

Also, how will all this work when the WAN DHCP leases change?

Maybe I'm trying something impossible, but then again who knows...

Thanks for any input on the subject!

O.J. Kristoffersen

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 25 15:26:13 2007
From: John Mok <jmok@attglobal.net>
To: freebsd-pf@freebsd.org
Date: Wed, 25 Apr 2007 23:26:09 +0800
Message-ID: <462F7311.3040306@attglobal.net>
Subject: Newbie question - Both Ingress & Egress traffic shaping on WAN link needed ?
Hi,

I have a newbie question. I would like to shape the traffic between the local subnet and the WAN link (e.g. Frame Relay or ATM) of the company private network. The bandwidth of the WAN link is only 512Kbps, and the bandwidth of the local subnet is 100Mbps.

Uplink router ----WAN link 512K---- Downlink router --- local subnet
 (HQ subnet)                         (local subnet)

I would like to deploy a FreeBSD bridge + PF between the downlink router and the main switch of the local subnet, such that the chance of network congestion on the WAN link / uplink router is kept to a minimum and the interactive applications (e.g. Internet proxy access, or mail client) are made more responsive:

altq on $bridge_if hfsc bandwidth 512Kb queue ( icmp, dns, mail, other )
....
queue icmp hfsc (linkshare (2Kb) upperlimit (4Kb) ) queue ( icmp_in, icmp_out )
queue dns hfsc (linkshare (4Kb) upperlimit (8Kb) ) queue ( dns_in, dns_out )
queue mail ( linkshare (250Kb) ) queue ( mail_in, mail_out )
queue other ( default ) queue ( other_in, other_out )
....
queue icmp_in priority 10 priq(red)
queue icmp_out priority 5 priq(red)
queue dns_in priority 10 priq(red)
queue dns_out priority 5 priq(red)
queue mail_in priority 10 priq(red)
queue mail_out priority 5 priq(red)
....
pass out quick on $bridge_if inet proto (icmp) from $int_net to any queue icmp_out pass out quick on $bridge_if inet proto (icmp) from !$int_net to any queue icmp_in pass out quick on $bridge_if inet proto (tcp, udp) from $int_net to any port 53 queue dns_out pass out quick on $bridge_if inet proto (tcp, udp) from !$int_net to any port 53 queue dns_in pass out quick on $bridge_if inet proto (tcp, udp) from $int_net to any port { 25, 109, 110, 143, 220, 995 } queue mail_out pass out quick on $bridge_if inet proto (tcp, udp) from !$int_net to any port { 25, 109, 110, 143, 220, 995 } queue mail_in .... My question is that, if it is necessary to account for the incoming traffic to the queue, such that the outgoing traffic could give way to the incoming traffic. For example, the smtp gateway could utilize the full 512Kb to deliver the mails to the local mail server, rather than being used by the file sharing traffic. In that situation, without accounting for the incoming traffic as above and shape the outgoing traffic (i.e. almost completely discarded), would it cause network congestion on the uplink router when someone shares the bandwidth for file copying? Thanks a lot. 
John Mok

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 26 09:00:14 2007
Message-ID: <20070425012057.upvt9rld28kwk8sg@webmail.1command.com>
Date: Wed, 25 Apr 2007 01:20:57 -0700
From: "Chris H."
To: freebsd-pf@freebsd.org
In-Reply-To: <00b701c7869a$795c0db0$0200a8c0@satellite>
Subject: Re: preventing ssh brute force attacks, swatch and users and table

Quoting Dave :

> Hello,
> I've got a machine running ssh and I'm trying to cut down on brute
> force attacks on it. I'm running pf on a FreeBSD 6.2 box and have
> added in swatch to try to curb these attacks. The problem is nothing
> is being added to either the in-memory hackers table or the on-disk copy
> of it. I know I'm getting hits because I'm seeing entries in my
> auth.log like this:
>
> Apr 21 06:18:38 zeus sshd[10609]: Did not receive identification string from 125.33.163.188
> Apr 21 06:22:55 zeus sshd[10658]: User root from 125.33.163.188 not allowed because none of user's groups are listed in AllowGroups
> Apr 21 06:22:55 zeus sshd[10658]: Failed password for invalid user root from 125.33.163.188 port 54521 ssh2
> Apr 21 06:22:57 zeus sshd[10660]: User root from 125.33.163.188 not allowed because none of user's groups are listed in AllowGroups
> Apr 21 06:22:57 zeus sshd[10660]: Failed password for invalid user root from 125.33.163.188 port 54727 ssh2
> Apr 24 00:52:08 zeus sshd[7746]: Failed password for invalid user root from 218.205.231.39 port 61694 ssh2
> Apr 24 00:52:11 zeus sshd[7749]: User root from 218.205.231.39 not allowed because none of user's groups are listed in AllowGroups
> Apr 24 00:52:11 zeus sshd[7749]: Failed password for invalid user root from 218.205.231.39 port 61773 ssh2
>
> I don't want to move my ssh, I feel these bots would just find it
> again. I'm also getting postfix attempts; I'd like to block them both.
> My swatch configuration looks like this:
>
> rc.conf
> swatch_enable="YES"
> swatch_rules="1"
> swatch_1_flags="--config-file=/usr/local/etc/swatchrc --tail-file=/var/log/auth.log --daemon --pid-file=/var/run/swatch.pid"
> swatch_1_user="root"
> swatch_1_chdir="/var/tmp"
> swatch_1_pidfile="/var/run/swatch.pid"
>
> In pf I have a block-by-default policy and I've got these lines:
>
> table <hackers> persist file "/etc/hackers"
> block all
> block in quick on $ext_if from <hackers> to any
>
> and /usr/local/etc/swatchrc calls a script that looks like:
>
> #!/bin/sh
> # $1 is the offending address handed over by swatch
> /sbin/pfctl -t hackers -T add "$1"
> /bin/echo "$1" >> /etc/hackers
> /usr/bin/logger "swatch: $1 caught with bad login. Added to hackers pf table"
>
> If there's a better way that I can get both ssh and smtp bots I'd
> like to know about it; also if my config is wrong let me know, it's
> not working. One thing, I do not want to unblock attempted hackings,

Greetings,

You /may/ want to re-consider this policy. I was plagued with dictionary/brute force attempts against a couple of my mail servers, which spurred me into concocting some method to ease the burden and ultimately defeat such attempts. My final solution was a combination of scripts (grep || sed || awk || uniq || sort) run out of cron that parse the maillog for patterns that match offenders. It works perfectly (over 7,700 IPs). BUT, you should consider, as I did, that many of the offending IPs are leased (DHCP) and are only owned/used by the perpetrator for a relatively short amount of time, and then they become available and are used by a now INNOCENT user. Also, there are those who /do/ own/lease the IPs on a longer-term basis but have mis-configured boxen which are effectively open proxies that are later corrected. So they too are only guilty by proxy (sorry, I couldn't resist ;)). Anyway, the point I'm attempting to make here is that you should probably consider developing an EXPIRE policy for the offending/accumulating IP list.
That way, you'll be able to DIFF the current against the EXPIRED and gain a more reasonable understanding of /which/ IPs are /always/ going to be offenders vs. those who were just short-term (for whatever reason).

Just thought I'd mention it.

Best wishes.

> my feeling is those that do it should have no further interactions
> with my machines on any level.
> Thanks.
> Dave.

--
panic: kernel trap (ignored)

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 26 13:25:37 2007
Date: Thu, 26 Apr 2007 08:08:52 -0500 (CDT)
From: "Jeremy C. Reed"
To: "Chris H."
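Chris's expire policy, as an added example script that is not code from the thread: it keeps a timestamped copy of Dave's <hackers> table, ages stale entries out of the kernel table from cron, and lists the addresses that came back after expiring (the "DIFF current against EXPIRED" view). The database path /var/db/hackers.db, the record format, the function names and the PFCTL/TABLE variables are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: an expire policy for the swatch-fed
# pf <hackers> table. State lives in a small database file (assumed path
# /var/db/hackers.db), one entry per line:
#   <address> <epoch seconds of last offence> <hit count>
# The bare address list that pf loads with 'persist file' is derived from it.
# PFCTL is empty by default so the file logic can be exercised without pf;
# set PFCTL=/sbin/pfctl on the firewall to keep the kernel table in sync.
PFCTL="${PFCTL:-}"
TABLE="${TABLE:-hackers}"

# pf_cmd ARGS...: run "pfctl -t $TABLE -T ARGS" when PFCTL is set, else no-op.
pf_cmd() {
    if [ -n "$PFCTL" ]; then
        "$PFCTL" -t "$TABLE" -T "$@" >/dev/null 2>&1 || return 1
    fi
    return 0
}

# record_hit DB ADDR NOW: the swatch action. Adds ADDR to DB or refreshes its
# timestamp and hit count, then adds it to the kernel table.
record_hit() {
    db=$1; addr=$2; now=$3
    [ -f "$db" ] || : > "$db"
    awk -v a="$addr" -v t="$now" '
        $1 == a { print a, t, $3 + 1; seen = 1; next }
        NF == 3 { print }
        END     { if (!seen) print a, t, 1 }
    ' "$db" > "$db.tmp" && mv "$db.tmp" "$db"
    pf_cmd add "$addr"
}

# expire_entries DB NOW MAXAGE: the cron job. Entries whose last offence is
# older than MAXAGE seconds are appended to DB.expired, dropped from DB and
# deleted from the kernel table; their addresses are printed one per line.
expire_entries() {
    db=$1; now=$2; maxage=$3
    [ -f "$db" ] || return 0
    awk -v t="$now" -v m="$maxage" -v keep="$db.tmp" -v gone="$db.expired" '
        NF != 3    { next }                               # skip malformed lines
        t - $2 > m { print $0 >> gone; print $1; next }   # stale: expire it
                   { print $0 > keep }                    # fresh: keep it
    ' "$db" > "$db.gone"
    [ -f "$db.tmp" ] || : > "$db.tmp"
    mv "$db.tmp" "$db"
    while read -r addr; do
        pf_cmd delete "$addr"
    done < "$db.gone"
    cat "$db.gone"
    rm -f "$db.gone"
}

# repeat_offenders DB: addresses in DB (current) that were expired before,
# i.e. the ones that keep coming back; candidates for a permanent entry.
repeat_offenders() {
    db=$1
    [ -f "$db.expired" ] || return 0
    awk 'FILENAME == ARGV[1] { expired[$1] = 1; next }
         ($1 in expired)     { print $1 }' "$db.expired" "$db" | sort -u
}

# sync_table_file DB OUT: write the bare address list that pf loads at boot
# through 'table <hackers> persist file "/etc/hackers"'.
sync_table_file() {
    awk 'NF == 3 { print $1 }' "$1" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Assumed wiring: the swatchrc action runs
#   record_hit /var/db/hackers.db "$1" "$(date +%s)"
# and cron runs hourly
#   expire_entries /var/db/hackers.db "$(date +%s)" 604800 >/dev/null
#   sync_table_file /var/db/hackers.db /etc/hackers
```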
In-Reply-To: <20070425012057.upvt9rld28kwk8sg@webmail.1command.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: preventing ssh brute force attacks, swatch and users and table

On Wed, 25 Apr 2007, Chris H. wrote:

> You /may/ want to re-consider this policy. I was plagued with dictionary/
> brute force attempts against a couple of my mail servers. Which spurred
> me into concocting some method to ease the burden and ultimately defeat
> such attempts. My final solution was a combination of scripts (grep ||
> sed || awk || uniq || sort ) run out of cron. That parse the maillog
> for patterns that match offenders. It works perfectly (over 7,700 IPs).
> BUT, you should consider, as I did, that many of the offending IPs are
> leased (DHCP) and are only owned/used by the perpetrator for a relatively
> short amount of time, and then they become available and used by a now
> INNOCENT user. Also, there are those who /do/ own/lease the IPs on
> a longer term basis that have mis-configured boxen which are effectively
> open proxies that are later corrected. So they too are only guilty
> by proxy (sorry, I couldn't resist ;)). Anyway, the point I'm attempting
> to make here; is that you should probably consider developing an
> EXPIRE policy for the offending/accumulating IP list. That way, you'll
> be able to DIFF the current against the EXPIRED and gain a more reasonable
> understanding /which/ IPs are /always/ going to be offenders vs. those
> who were just short term (for whatever reason).
>
> Just thought I'd mention it.

Since you mentioned "mail" on the pf list, you may want to try spamd's similar protection. You can create various spam traps. And they also auto-expire.

Newer spamd (not in FreeBSD ports yet, I think) also has support for a spam trap file that lists hostnames or domain name suffixes -- and if the recipient doesn't match it, then it traps it also.

It seems like it would be easy to extend spamd by adding a reverse of that -- have another file that lists the email address recipients that are allowed -- and tarpit any incoming emails that don't match. (On a big mail server with aliases and such it may be difficult to keep this list in sync, so maybe it could be made more intelligent, but this is just an idea.)

Jeremy C. Reed

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 27 18:05:02 2007
Message-ID: <70f41ba20704271105m11fa5315kc7c3d715f2d63f61@mail.gmail.com>
Date: Fri, 27 Apr 2007 11:05:01 -0700
From: snowcrash
To: freebsd-pf@freebsd.org
Subject: why are pf-blocked ips 'leaking' thru to spamd?

hi,

i've set up pf+spamd on FreeBSD 6.2-RELEASE.

IPs that i've blocked seem to be sneaking through to spamd ... not always, apparently :-/

i'm guessing i've borked config, or there's an overflow of something ... dunno, yet.

i've config'd pf as follows,

pf.conf
--------------------------
...
# OPTIONS
set block-policy drop
set optimization aggressive
set state-policy if-bound
...
# NORMALIZE
scrub in all
...
# TRANSLATE/REDIRECT
nat on $ext_if from $int_if:network to any -> ($ext_if)
...
rdr on $ext_if proto tcp from to $SMTP_WAN port 25 -> $SMTP_LAN port 25
rdr pass on $ext_if proto tcp from { , ! } \
    to ($ext_if) port 25 -> 127.0.0.1 port 8025
rdr pass on $ext_if proto tcp from { !, ! } \
    to ($ext_if) port 25 -> 127.0.0.1 port 8025
rdr on $ext_if proto tcp from to $SMTP_WAN port 25 -> $SMTP_LAN port 25
...
# FILTER
block log quick from { } to any
block log all
pass in log quick on $ext_if proto tcp from { , } \
    to $SMTP_LAN port 25 flags S/SFRA keep state
pass out log quick on $ext_if proto tcp from any to port 25 flags S/SFRA keep state
...
--------------------------

so, iiuc, anything in should NEVER be redirected to spamd, AND would be blocked anyway by the subsequent default filter ...

but, in my spamd log i'm seeing,

Apr 27 10:40:47 router spamd[984]: (GREY) 86.105.76.208: ->
Apr 27 10:40:47 router spamd[984]: 86.105.76.208: disconnected after 1 seconds.

checking,

% pfctl -t ip-black -T show | grep 86.104.0.0/14
86.104.0.0/14

where,

% whatmask 86.104.0.0/14 | grep "t Usable"
First Usable IP Address = .....: 86.104.0.1
Last Usable IP Address = ......: 86.107.255.254

so, why is the addr in question, 86.105.76.208, even getting to spamd?

any suggestions are appreciated!

thanks.
From owner-freebsd-pf@FreeBSD.ORG Fri Apr 27 18:27:10 2007
Message-ID: <8eea04080704271127g70d910bfg82ec652a0c6889bf@mail.gmail.com>
Date: Fri, 27 Apr 2007 11:27:07 -0700
From: "Jon Simola"
To: freebsd-pf@freebsd.org
In-Reply-To: <70f41ba20704271105m11fa5315kc7c3d715f2d63f61@mail.gmail.com>
Subject: Re: why are pf-blocked ips 'leaking' thru to spamd?

On 4/27/07, snowcrash wrote:

> rdr pass on $ext_if proto tcp from { , ! } \
>     to ($ext_if) port 25 -> 127.0.0.1 port 8025
> rdr pass on $ext_if proto tcp from { !, ! } \
>     to ($ext_if) port 25 -> 127.0.0.1 port 8025

> so, iiuc, anything in should NEVER be redirected to spamd,
> AND would be blocked anyway by the subsequent default filter ...

Look at what the rules are being evaluated as with pfctl -vvnf :

@0 rdr pass on em2 inet proto tcp from to x.x.x.x port = smtp -> 127.0.0.1 port 8025
@1 rdr pass on em2 inet proto tcp from ! to x.x.x.x port = smtp -> 127.0.0.1 port 8025
@2 rdr pass on em2 inet proto tcp from ! to x.x.x.x port = smtp -> 127.0.0.1 port 8025
@3 rdr pass on em2 inet proto tcp from ! to x.x.x.x port = smtp -> 127.0.0.1 port 8025

> but, in my spamd log i'm seeing,
>
> Apr 27 10:40:47 router spamd[984]: (GREY) 86.105.76.208: ->
> Apr 27 10:40:47 router spamd[984]: 86.105.76.208: disconnected after 1 seconds.
>
> checking,
>
> % pfctl -t ip-black -T show | grep 86.104.0.0/14
> 86.104.0.0/14
>
> where,
>
> % whatmask 86.104.0.0/14 | grep "t Usable"
> First Usable IP Address = .....: 86.104.0.1
> Last Usable IP Address = ......: 86.107.255.254
>
> so, why is the addr in question, 86.105.76.208, even getting to spamd?

Because that block probably isn't in the spamd-white table, hence will be redirected and passed by rule @2 in the verbose output above. Multiple tables in rules are tricky because they are not treated as "sets" that can be arbitrarily compared (ie, IPs in table A that are not in table B).
--
Jon

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 27 18:43:51 2007
Message-ID: <70f41ba20704271143i962a7d3r821ddd34a4409f53@mail.gmail.com>
Date: Fri, 27 Apr 2007 11:43:47 -0700
From: snowcrash
To: "Jon Simola"
In-Reply-To: <8eea04080704271127g70d910bfg82ec652a0c6889bf@mail.gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: why are pf-blocked ips 'leaking' thru to spamd?

hi jon,

> Multiple tables in rules are tricky because they are not treated as
> "sets" that can be arbitrarily compared (ie, IPs in table A that are
> not in table B).

well, a big aha!+grumble on my part ... thanks! for the clarification. i did NOT understand that correctly :-(

so, *IS* there a way to accomplish that? namely, match against a boolean composite of tables?
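Jon's reply further down suggests a cron-able script that reads two tables, combines them and fills a third; what follows is an added example of that approach, not code from the thread or from spamd-setup. It assumes table contents in "pfctl -t NAME -T show" format (one address or prefix per line) and the function, table and file names shown; the containment check is CIDR-aware, so a host such as 86.105.76.208 counts as covered by 86.104.0.0/14.

```shell
#!/bin/sh
# Added example (not code from the thread): build a third pf table holding
# the entries of table A that are NOT covered by any entry of table B, which
# is the set logic a single "from { <A>, !<B> }" rule does not express (pf
# expands it into one rule per element, and "!<B>" alone matches anything
# outside B). Input files are in "pfctl -t NAME -T show" format.

# table_minus A_FILE B_FILE: print the entries of A_FILE not inside any
# B_FILE prefix. Entry a/x lies inside p/y when x >= y and the top y bits agree.
table_minus() {
    awk '
        function ip2int(s,    q) {
            split(s, q, ".")
            return q[1] * 16777216 + q[2] * 65536 + q[3] * 256 + q[4]
        }
        function parse(e,    q, n) {          # sets PA (address) and PL (prefix len)
            n = split(e, q, "/")
            PA = ip2int(q[1]); PL = (n == 2) ? q[2] + 0 : 32
        }
        function inside(a, alen, b, blen,    shift) {
            if (alen < blen) return 0          # a wider prefix cannot fit inside
            shift = 2 ^ (32 - blen)
            return int(a / shift) == int(b / shift)
        }
        $1 == "" || $1 ~ /^#/ { next }         # blank lines and comments
        FILENAME == ARGV[1] {                  # first file: the prefixes of B
            parse($1); ba[++nb] = PA; bl[nb] = PL; next
        }
        {                                      # second file: candidates from A
            parse($1)
            for (i = 1; i <= nb; i++)
                if (inside(PA, PL, ba[i], bl[i])) next
            print $1
        }
    ' "$2" "$1"
}

# load_difference A B C: replace the contents of table C with (A minus B).
# Meant for cron, after whatever populates A and B has run.
load_difference() {
    pfctl=${PFCTL:-/sbin/pfctl}
    tmp=$(mktemp -t pftbl) || return 1
    "$pfctl" -t "$1" -T show > "$tmp.a" && "$pfctl" -t "$2" -T show > "$tmp.b" \
        && table_minus "$tmp.a" "$tmp.b" > "$tmp" \
        && "$pfctl" -t "$3" -T replace -f "$tmp"
    rc=$?
    rm -f "$tmp" "$tmp.a" "$tmp.b"
    return $rc
}
```

With the result in its own table, a single rdr can reference that one table instead of a brace list of two, and the evaluation order pfctl -vvnf prints is no longer a surprise.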
From owner-freebsd-pf@FreeBSD.ORG Fri Apr 27 18:47:23 2007
Message-ID: <70f41ba20704271147r566a99d3od45bd04fac484373@mail.gmail.com>
Date: Fri, 27 Apr 2007 11:47:21 -0700
From: snowcrash
To: "Jon Simola"
In-Reply-To: <70f41ba20704271143i962a7d3r821ddd34a4409f53@mail.gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: why are pf-blocked ips 'leaking' thru to spamd?

i suppose an alternative would be to,

--- set require-order yes
+++ set require-order no

and put some

block quick

BEFORE those rdr's ... to prevent those addresses in from ever seeing the redirection in the first place (which is probably better anyway).

BUT, i've heard tell that disabling require-order can have its own set of 'surprises' ...
From owner-freebsd-pf@FreeBSD.ORG Fri Apr 27 18:51:03 2007
Message-ID: <8eea04080704271151h18e9a6eds5704e8fb3bb632f0@mail.gmail.com>
Date: Fri, 27 Apr 2007 11:51:00 -0700
From: "Jon Simola"
To: freebsd-pf@freebsd.org
In-Reply-To: <70f41ba20704271147r566a99d3od45bd04fac484373@mail.gmail.com>
Subject: Re: why are pf-blocked ips 'leaking' thru to spamd?

On 4/27/07, snowcrash wrote:

> i suppose an alternative would be to,
>
> --- set require-order yes
> +++ set require-order no
>
> and put some
>
> block quick
>
> BEFORE those rdr's ... to prevent those addresses in from
> ever seeing the redirection in the first place

no rdr proto tcp from to any port smtp
... other rdr stuff ...
block from

"The no option prefixed to a translation rule causes packets to remain untranslated, much in the same way as drop quick works in the packet filter"

--
Jon

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 27 18:54:53 2007
Message-ID: <8eea04080704271154q4a714cdre3adc5c009e52d5c@mail.gmail.com>
Date: Fri, 27 Apr 2007 11:54:52 -0700
From: "Jon Simola"
To: freebsd-pf@freebsd.org
In-Reply-To: <70f41ba20704271143i962a7d3r821ddd34a4409f53@mail.gmail.com>
Subject: Re: why are pf-blocked ips 'leaking' thru to spamd?
On 4/27/07, snowcrash wrote:

> > Multiple tables in rules are tricky because they are not treated as
> > "sets" that can be arbitrarily compared (ie, IPs in table A that are
> > not in table B).

> so, *IS* there a way to accomplish that? namely, match against a
> boolean composite of tables?

On OpenBSD, I use spamd-setup which does exactly that with the whitelist/blacklist tables. One could probably hack up a cron-able sed/awk/perl thingy to read from 2 tables, mash up the contents however you wish, and fill a 3rd table with the result.

--
Jon

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 27 18:55:04 2007
From: snowcrash
Date: Fri, 27 Apr 2007 11:55:02 -0700
To: "Jon Simola"
Cc: freebsd-pf@freebsd.org
Subject: Re: why are pf-blocked ips 'leaking' thru to spamd?
hi jon,

> "The no option prefixed to a translation rule causes packets to remain
> untranslated, much in the same way as drop quick works in the packet filter"

i'd read thru all the filter negation stuff, but missed that abt the
translation negation completely :-/

thanks very much!

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 27 19:09:29 2007
From: snowcrash
Date: Fri, 27 Apr 2007 12:09:27 -0700
To: "Jon Simola"
Cc: freebsd-pf@freebsd.org
Subject: Re: why are pf-blocked ips 'leaking' thru to spamd?

> On OpenBSD, I use spamd-setup which does exactly that with the
> whitelist/blacklist tables.

good point. spamd-setup is, of course, available on FreeBSD as well.

in my specific case, is already populated in / use by pf elsewhere, so
populating spamd's table with it too seemed wasteful. hence, i was
flopping around trying to get-it-done 'just' in pf, not spamd.

anyway, reading, the 'no rdr' seems like the solution. again, thanks!

one add'l question ...

iiuc, i could either

(1)
no rdr from to any
... other rdr stuff ...
block quick
block all

(2)
no rdr pass from to any
... other rdr stuff ...
block all

where (2) seems more efficient. IF i understand correctly ...

comments on the two above?

> One could probably hack up a cron-able sed/awk/perl thingy to read
> from 2 tables, mash up the contents however you wish, and fill a 3rd
> table with the result.

yup. i do that for 'assembling' country-blocks from a list of countries.

best, though, that i actually understand what i'm doing IN pf first ;-)

cheers!

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 27 20:12:08 2007
From: "Jon Simola"
Date: Fri, 27 Apr 2007 13:12:07 -0700
To: freebsd-pf@freebsd.org
Subject: Re: why are pf-blocked ips 'leaking' thru to spamd?

On 4/27/07, snowcrash wrote:
> no rdr pass from to any

# echo "no rdr pass from to any" | pfctl -vvnf-
stdin:1: "pass" not valid with "no"

Maybe you want to tag those packets and block them later:

no rdr on em2 proto tcp from { , ! } to em2 port smtp tag BLOCKME
...
block quick tagged BLOCKME

-- 
Jon

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 27 20:50:54 2007
From: snowcrash
Date: Fri, 27 Apr 2007 13:50:52 -0700
To: "Jon Simola"
Cc: freebsd-pf@freebsd.org
Subject: Re: why are pf-blocked ips 'leaking' thru to spamd?

> # echo "no rdr pass from to any" | pfctl -vvnf-
> stdin:1: "pass" not valid with "no"

that's a nifty way to check. thanks!

> Maybe you want to tag those packets and block them later:
>
> no rdr on em2 proto tcp from { , ! } to em2 port smtp
> tag BLOCKME
> ...
> block quick tagged BLOCKME

i'd gotten thru LABELs, but not to TAGs yet. excellent.

much easier than iptables! still keep tryin' to do things bass-ackwards
& the hard-way. ;-)

thanks for the help/education & hagw!
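As an added example that is not code from the thread, the following POSIX shell script puts Jon's two suggestions together: the cron-able "mash up two tables into a third" step, done as a set difference with comm(1), and the no rdr + tag ordering that keeps hosts in a blocked table from being redirected to spamd, checked with the same parse-only pfctl run he used. The table names, the em2 interface, spamd's port 8025 and every file path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. It assembles a pf table from
# the difference of two table files (the "cron-able sed/awk thingy" Jon
# mentions) and writes the no-rdr + tag ruleset he sketched, then
# syntax-checks it the way his "pfctl -vvnf -" check does.
# Table names, em2, port 8025 and all paths are assumptions.
set -eu
export LC_ALL=C          # sort(1) and comm(1) must agree on collation

# clean_table FILE: strip '#' comments, trailing blanks, empty lines; sort.
clean_table() { sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" | sort -u; }

# table_diff A B: addresses present in file A but not in file B.
table_diff() {
    a=$(mktemp); b=$(mktemp)
    clean_table "$1" > "$a"; clean_table "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# write_rules FILE: translation rules are first-match and run before the
# filter, so a host in <blocked> hits 'no rdr' first, stays untranslated
# and carries the tag; the filter then drops it with 'block quick tagged'
# instead of letting the later rdr hand it to spamd.
write_rules() {
    cat > "$1" <<'EOF'
ext_if = "em2"
table <blocked>     persist file "/var/db/pf-blocked"
table <spamd_white> persist

no rdr on $ext_if proto tcp from <blocked> to $ext_if port smtp tag BLOCKME
rdr on $ext_if proto tcp from !<spamd_white> to $ext_if port smtp -> 127.0.0.1 port 8025

block quick tagged BLOCKME
pass in on $ext_if proto tcp from any to 127.0.0.1 port 8025
pass in on $ext_if proto tcp from any to $ext_if port smtp
EOF
}

# check_rules FILE: parse only (-n), verbose, like 'pfctl -vvnf -'.
check_rules() { pfctl -nvvf "$1"; }

if [ "${1:-}" = run ]; then          # ./script run  (on the firewall itself)
    table_diff /var/db/spamd-blacklist /var/db/spamd-whitelist > /var/db/pf-blocked
    pfctl -t blocked -T replace -f /var/db/pf-blocked   # refresh the live table
    write_rules /tmp/pf-smtp.conf && check_rules /tmp/pf-smtp.conf
fi
```

Run it from cron with the `run` argument; without it the script only defines the functions, so it can be sourced and tested on a machine that has no pfctl.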