From owner-freebsd-pf@FreeBSD.ORG Mon Sep 10 11:08:15 2007
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 10 Sep 2007 11:08:14 GMT
Message-Id: <200709101108.l8AB8E0r017336@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/110698  pf         [pf] nat rule of pf without "on" clause causes invalid

3 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
o kern/106400  pf         [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
s conf/110838  pf         tagged parameter on nat not working on FreeBSD 5.2
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
o kern/115640  pf         [net] [pf] pfctl -k dont works

6 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Sep 10 13:31:33 2007
From: "Rian Shelley"
Sender: rian.shelley@gmail.com
To: freebsd-pf@freebsd.org
Date: Mon, 10 Sep 2007 07:31:32 -0600
In-Reply-To: <200709062304.19833.max@love2party.net>
References: <200709052316.41257.max@love2party.net> <55e8a96c0709051745v45a40cf3qb8d9ff9725ad8a55@mail.gmail.com> <200709062304.19833.max@love2party.net>
Subject: Re: pfsync errors

On 9/6/07, Max Laier wrote:
> On Thursday 06 September 2007, Bill Marquette wrote:
> > On 9/5/07, Max Laier wrote:
> > > Another way to go is setting the queuelength for the internal
> > > processing queue to something insanely high (1000+). This will most
> > > likely work around the problem at the cost of burning (mbuf) memory.

I set it to 2000, and it doesn't appear to have fixed the problem. I suppose I'll wait for the next release...
From owner-freebsd-pf@FreeBSD.ORG Mon Sep 10 20:07:49 2007
From: Doug Sampson
To: "'freebsd-pf@freebsd.org'"
Date: Mon, 10 Sep 2007 13:07:46 -0700
Message-ID: <9DE6EC5B5CF8C84281AE3D7454376A0D6D00A3@cetus.dawnsign.com>
Subject: RE: spamd-mywhite

> Hi all,
>
> I've been running pf+obspamd on FBSD 6.2-RELEASE.
>
> I appear to be blocking some addresses that appear in my spamd-mywhite file
> and I don't understand why that would be the case here. I'm guessing I've
> screwed up my pf.conf file.
>
> Here's my config file:
>
> # pfctl -vvnf /etc/pf.conf
> ext_if = "rl0"
> int_if = "xl0"
> internal_net = "192.168.1.1/24"
> external_addr = "216.70.250.4"
> vpn_net = "10.8.0.0/24"
> NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
> webserver1 = "192.168.1.4"
> set skip on { lo0 }
> set skip on { gif0 }
> @0 scrub in all fragment reassemble
> @1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
> @2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
> @3 rdr on rl0 inet proto tcp from any to 216.70.250.4 port = http -> 192.168.1.4 port 80
> table persist
> table persist
> table persist file "/usr/local/etc/spamd/spamd-mywhite"
> table persist file "/usr/local/etc/spamd/spamd.alloweddomains"
> @4 rdr pass inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
> @5 rdr pass inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
> @6 rdr pass inet proto tcp from ! to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
> @7 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
> @8 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
> @9 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
> @10 block drop in log all
> @11 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
> @12 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
> @13 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
> @14 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
> @15 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
> @16 block drop out log quick on rl0 inet from any to 127.0.0.0/8
> @17 block drop out log quick on rl0 inet from any to 192.168.0.0/16
> @18 block drop out log quick on rl0 inet from any to 172.16.0.0/12
> @19 block drop out log quick on rl0 inet from any to 10.0.0.0/8
> @20 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
> @21 block drop in log quick inet from 192.168.1.25 to any
> @22 pass in on xl0 inet from 192.168.1.0/24 to any
> @23 pass out log on xl0 inet from any to 192.168.1.0/24
> @24 pass out log quick on xl0 inet from any to 10.8.0.0/24
> @25 pass out on rl0 proto tcp all flags S/SA modulate state
> @26 pass out on rl0 proto udp all keep state
> @27 pass out on rl0 proto icmp all keep state
> @28 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
> @29 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
>
> /var/log/pflog0 shows the following:
>
> 141748 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768 0,nop>
> 2. 049208 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768 0,nop>
> 3. 068169 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768 0,nop>
> 5. 594277 rule 3/0(match): block in on rl0: 205.188.139.137.61419 > 216.70.250.4.25: S 2510359871:2510359871(0) win 24820 1460>
> 525916 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768 0,nop>
>
> # pfctl -t spamd-mywhite -T show | grep 205.188.
> No ALTQ support in kernel
> ALTQ related functions disabled
> 205.188.139.0/24
> 205.188.144.0/24
> 205.188.156.0/23
> 205.188.157.0/24
> 205.188.159.0/24
>
> Thus 205.188.159.7 shouldn't be blocked.
>
> # spamdb | grep 205\.188\.
> WHITE|205.188.249.132|||1187218293|1187220082|1190330485|13|0
> WHITE|205.188.249.67|||1187823652|1187824708|1190935126|12|0
> WHITE|66.179.205.188|||1186759482|1186761981|1189872409|9|0
> #
>
> spamdb doesn't show any entries for 205.188.159.7.
>
> These entries are for AOL mail. I've received complaints from AOL users of
> mail bouncing back to them.
>
> What am I doing wrong? Are CIDR records accepted by pf+obspamd? I can't
> trace the block back to the proper rules, i.e. rule 3/0 as shown in pflog0
> matches up with which rule in pf.conf?
>
> Any suggestions are appreciated!
>
> ~Doug

Hi,

I'm resending this as I have not received any replies. Can someone help me out here?

Oh, and I'm running obspamd 4.1.1.
~Doug

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 10 20:11:07 2007
From: Doug Sampson
To: Doug Sampson, "'freebsd-pf@freebsd.org'"
Date: Mon, 10 Sep 2007 13:11:06 -0700
Message-ID: <9DE6EC5B5CF8C84281AE3D7454376A0D6D00A4@cetus.dawnsign.com>
Subject: RE: spamd-mywhite

> > Hi all,
> >
> > I've been running pf+obspamd on FBSD 6.2-RELEASE.
> >
> > I appear to be blocking some addresses that appear in my spamd-mywhite file
> > and I don't understand why that would be the case here. I'm guessing I've
> > screwed up my pf.conf file.
> > ...
>
> Hi,
>
> I'm resending this as I have not received any replies. Can someone help me
> out here?
>
> Oh, and I'm running obspamd 4.1.1.

I should also mention that when I was running spamd 3.7 prior to upgrading in around July, spamd appeared to be running smoothly with no apparent errors.
~Doug

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 10 23:21:14 2007
From: "Jeremy C. Reed"
To: Doug Sampson
Cc: "'freebsd-pf@freebsd.org'"
Date: Mon, 10 Sep 2007 18:21:00 -0500 (CDT)
In-Reply-To: <9DE6EC5B5CF8C84281AE3D7454376A0D6D0099@cetus.dawnsign.com>
References: <9DE6EC5B5CF8C84281AE3D7454376A0D6D0099@cetus.dawnsign.com>
Subject: Re: spamd-mywhite

On Thu, 6 Sep 2007, Doug Sampson wrote:

> What am I doing wrong? Are CIDR records accepted by pf+obspamd? I can't
> trace the block back to the proper rules, i.e. rule 3/0 as shown in pflog0
> matches up with which rule in pf.conf?

Maybe use "pfctl -vvsr" instead to see rule numbers of already loaded rules (instead of your pf.conf)?

Jeremy C. Reed

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 03:39:42 2007
Message-ID: <20070911133959.25090@caamora.com.au>
Date: Tue, 11 Sep 2007 13:39:59 +1000
From: jonathan michaels
To: freebsd pf
Organisation: Caamora, PO Box 144, Rosebery NSW 1445 Australia
Subject: pf, ping and traceroute

greetings all,

i am new to pf and freebsd (v6.2-R), while i have been using freebsd for about ten years .. i stopped at about v2.2.5 (or 7) it worked for me and on a 386dx33 with 8 mb dram it was perfect. now i am slowly coming to terms with freebsd v6.2, i did it in one step, from v2 to v6 it is a big cultural shift.

my question is to do with pf and the using of things like ping and traceroute, using pf (any sort of a generic 'firewall' device/application/whatever) seems to preclude or severely limit my ability to do/use tools like ping/traceroute to test/check/verify whatever the usual admin functionality.

i've read (and reread, and rerea..) the documentation to me (with my learning difficulties) it is hard very hard to understand.

i get that it is part of teh functionality to stop outside stuff garbage bad people from getting to teh inside but how do i make a "hole" in teh 'firewall' for ping/traceroute without opening up teh firewall to let the same (ping/traceroute/etc) stuff come in from teh outside ????

apologies for my poor writing.

kind regards appreciations and thanks

jonathan

--
================================================================
powered by .. QNX, OS9 and freeBSD -- http://caamora com au/operating system
==== === appropriate solution in an inappropriate world === ====

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 09:35:44 2007
Date: Tue, 11 Sep 2007 02:07:45 -0700
From: "Kian Mohageri"
To: "jonathan michaels"
Cc: freebsd pf
In-Reply-To: <20070911133959.25090@caamora.com.au>
References: <20070911133959.25090@caamora.com.au>
Subject: Re: pf, ping and traceroute

On 9/10/07, jonathan michaels wrote:
>
> i get that it is part of teh functionality to stop outside stuff
> garbage bad people from getting to teh inside but how do i make a
> "hole" in teh 'firewall' for ping/traceroute without opening up teh
> firewall to let the same (ping/traceroute/etc) stuff come in from teh
> outside ????
>

PF was developed by OpenBSD, so their documentation is mostly authoritative. Keep in mind the PF found in FreeBSD is slightly different -- it isn't as new, for the most part (much of that changed recently thanks to Max Laier).

Anyway, have you read the OpenBSD documentation?

http://www.openbsd.org/faq/pf/

Focus on understanding how the directions work (e.g. pass in vs. pass out) and also 'keep state.' Understanding states is critical... have you figured out how those work yet?

Are you filtering on a router? Switch? Server?

-Kian

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 10:09:18 2007
Message-ID: <46E62975.7040707@shadow-security.net>
Date: Tue, 11 Sep 2007 15:36:53 +1000
From: Sh4d03
To: freebsd-pf@freebsd.org
Subject: Reasonable settings for greyexp and whiteexp

Hi all,

I've got spamd working on my FreeBSD pf gateway, however it seems there may be a few legit senders who are never becoming whitelisted (though most are).

Until just now my settings were:
passtime: 25
greyexp: 8
whiteexp: 36

I've now just lowered the passtime to 10 and increased the greyexp to 12 in the hope that I can eliminate the legitimate senders from failing to successfully transmit their messages. I was wondering what other people have configured for the above settings.

Thanks in advance,
Sh4d03

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 11:38:32 2007
Message-ID: <20070911213841.01986@caamora.com.au>
Date: Tue, 11 Sep 2007 21:38:41 +1000
From: jonathan michaels
To: Kian Mohageri
Cc: freebsd pf
References: <20070911133959.25090@caamora.com.au>
In-Reply-To: from Kian Mohageri on Tue, Sep 11, 2007 at 02:07:45AM -0700
Organisation: Caamora, PO Box 144, Rosebery NSW 1445 Australia
Subject: Re: pf, ping and traceroute

On Tue, Sep 11, 2007 at 02:07:45AM -0700, Kian Mohageri wrote:
> On 9/10/07, jonathan michaels wrote:
> >
> > i get that it is part of teh functionality to stop outside stuff
> > garbage bad people from getting to teh inside but how do i make a
> > "hole" in teh 'firewall' for ping/traceroute without opening up teh
> > firewall to let the same (ping/traceroute/etc) stuff come in from teh
> > outside ????
> >
>
> PF was developed by OpenBSD, so their documentation is mostly
> authoritative. Keep in mind the PF found in FreeBSD is slightly
> different -- it isn't as new, for the most part (much of that changed
> recently thanks to Max Laier).
>
> Anyway, have you read the OpenBSD documentation?

yes, but,

> http://www.openbsd.org/faq/pf/

yes, kian, my basic problem is that english is not my first language and i still have difficulty understanding the way that teh document is written.

> Focus on understanding how the directions work (e.g. pass in vs. pass
> out) and also 'keep state.' Understanding states is critical... have
> you figured out how those work yet?

i think that i have .. but, i have a way to go yet i think. learning for me is a hard process of reading and reading and reading until i understand it and i can get it past teh damaged bits of my brain.

sorry, i don't have any other way of explaining what is going on.

> Are you filtering on a router? Switch? Server?

pentium 133 mhz that is running freebsd v6.2 and i am using the included version pf. so i suppose that it is a server, yes ??

my internet connection is via a v.90 dialup modem that provides me a permanent connected ppp style connection/account (been using some 10 plus years).

ext_if=ppp0 = this is teh modem, on serial (comm0/cuad0 ) port 1
int_if=de0 = nic, accton en1203 21040 (a digital 10 mhz clone)

this is all that there is, so i suppose its a simple router ??

i am thinking of using pf to defend all teh internal machines from stuff that makes it through the firewall, is this possible (there seems to be nothing, that i have been able to find/understand in teh doc or via google) ??

this means that i am looking at using ipfw as a secondary firewall, or just as a filter kind of thing to keep out the stuff that is making it through the firewall.

> -Kian

--
================================================================
powered by .. QNX, OS9 and freeBSD -- http://caamora com au/operating system
==== === appropriate solution in an inappropriate world === ====

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 13:09:51 2007
Date: Tue, 11 Sep 2007 08:09:39 -0500 (CDT)
From: "Jeremy C. Reed"
To: Sh4d03
Cc: freebsd-pf@freebsd.org
In-Reply-To: <46E62975.7040707@shadow-security.net>
References: <46E62975.7040707@shadow-security.net>
Subject: Re: Reasonable settings for greyexp and whiteexp

On Tue, 11 Sep 2007, Sh4d03 wrote:

> I've got spamd working on my FreeBSD pf gateway, however it seems there
> may be a few legit senders who are never becoming whitelisted (though
> most are).
> Until just now my settings were:
> passtime: 25
> greyexp: 8
> whiteexp: 36
>
> I've now just lowered the passtime to 10 and increased the greyexp to 12
> in the hope that I can eliminate the legitimate senders from failing to
> successfully transmit their messages. I was wondering what other people
> have configured for the above settings.

I use: -G 20:6:864
passtime = 20 minutes
greyexp = 6 hours
whiteexp = 864 hours (default)

Your whiteexp is way too low. (That is hours not days.)

You also need to take into consideration common MTAs' queue retry times. Sendmail defaults usually have 30 minutes minimum time in queue before retry (up to five days). Exim commonly will retry every 15 minutes for the first two hours, then increase the times between retries up to six hours between until four days. While postfix (by default) will retry between five minutes and 66 minutes up to five days (times between increasing).

Jeremy C. Reed

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 14:42:37 2007
Message-ID: <46E6A965.5070200@shadow-security.net>
Date: Wed, 12 Sep 2007 00:42:45 +1000
From: Sh4d03
To: freebsd-pf@freebsd.org
References: <46E62975.7040707@shadow-security.net>
Subject: Re: Reasonable settings for greyexp and whiteexp

Jeremy C. Reed wrote:
> On Tue, 11 Sep 2007, Sh4d03 wrote:
>
>> I've got spamd working on my FreeBSD pf gateway, however it seems there
>> may be a few legit senders who are never becoming whitelisted (though
>> most are).
>> Until just now my settings were:
>> passtime: 25
>> greyexp: 8
>> whiteexp: 36
>>
>> I've now just lowered the passtime to 10 and increased the greyexp to 12
>> in the hope that I can eliminate the legitimate senders from failing to
>> successfully transmit their messages. I was wondering what other people
>> have configured for the above settings.
>
> I use: -G 20:6:864
> passtime = 20 minutes
> greyexp = 6 hours
> whiteexp = 864 hours (default)
>
> Your whiteexp is way too low. (That is hours not days.)
>
> You also need to take into consideration common MTAs' queue retry times.
> Sendmail defaults usually have 30 minutes minimum time in queue before
> retry (up to five days). Exim commonly will retry every 15 minutes for
> the first two hours, then increase the times between retries up to six hours
> between until four days. While postfix (by default) will retry between
> five minutes and 66 minutes up to five days (times between increasing).
>
> Jeremy C. Reed

Sorry, I made the conversion in my head when I wrote the E-mail. My whiteexp was and is 864, which equals 36 days (hence where the 36 came from).

-G 10:12:864
passtime = 10 minutes
greyexp = 12 hours
whiteexp = 864 hours (36 days)

I'll keep an eye on things and see if all is ok. I'm still concerned that there are too many legit senders not being whitelisted.

Also, after a change to the flags in rc.conf is /usr/local/etc/rc.d/obspamd restart sufficient for the changes to take effect or must I do a killall -HUP?

Thanks for your reply,
Sh4d03

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 14:44:33 2007
Message-ID: <46E6A648.8080700@quip.cz>
Date: Tue, 11 Sep 2007 16:29:28 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: jonathan michaels
Cc: freebsd pf
Subject: Re: pf, ping and traceroute
References: <20070911133959.25090@caamora.com.au> <20070911213841.01986@caamora.com.au>
In-Reply-To: <20070911213841.01986@caamora.com.au>

jonathan michaels wrote:
> On Tue, Sep 11, 2007 at 02:07:45AM -0700, Kian Mohageri wrote:

[...]

> yes, kian, my basic problem is that english is not my first language
> and i still have difficulty understanding the way that teh document is
> written.

Even if you are not a native english speaker, please use "the" and not
"teh". It is hard to read your sentences.

>> Focus on understanding how the directions work (e.g. pass in vs. pass
>> out) and also 'keep state.' Understanding states is critical... have
>> you figured out how those work yet?
>
> i think that i have .. but, i have a way to go yet i think. learning
> for me is a hard process of reading and reading and reading untill i
> understand it and i can get it past teh damaged bits of my brain.
>
> sorry, i don't have any other way of explaining what is going on.

I am using PF on my servers and I am using the following two lines to
allow incoming & outgoing pings:

# Allow pings and replies while keeping state
pass out quick on $ext_if inet proto icmp icmp-type 8 code 0 keep state
pass in quick on $ext_if inet proto icmp icmp-type 8 code 0 keep state

Where $ext_if is ext_if="bge0"

>> Are you filtering on a router? Switch? Server?
>
> pentium 133 mhz that is running freebsd v6.2 and i am using the
> included version pf. so i suppose that it is a server, yes ??
>
> my internet connection is via a v.90 dialup modem that provides me a
> permanent connected ppp style connection/account (been using some 10
> plus years).
>
> ext_if=ppp0 = this is teh modem, on serial (comm0/cuad0 ) port 1
> int_if=de0 = nic, accton en1203 21040 (a digital 10 mhz clone)
>
> this is all that that there is, so i suppose its a simple router ??
>
> i am thinking of using pf to defend all teh internal machines from
> stuff that makes it through the firewall, is this possible (there seems
> to be nothing, that i have been able to find/understand in teh doc or
> via google) ??
>
> this means that i am looking at using ipfw as a secondary firewall, or
> just as a filter kind of thing to keep out the stuff that is making it
> through the firewall.

I don't understand what you mean... There is no reason to use more than
one firewall on the machine and PF is just fine.

Miroslav Lachman

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 14:51:33 2007
Date: Tue, 11 Sep 2007 09:51:30 -0500 (CDT)
From: "Jeremy C. Reed"
To: Sh4d03
Cc: freebsd-pf@freebsd.org
Subject: Re: Reasonable settings for greyexp and whiteexp
In-Reply-To: <46E6A965.5070200@shadow-security.net>
References: <46E62975.7040707@shadow-security.net> <46E6A965.5070200@shadow-security.net>

On Wed, 12 Sep 2007, Sh4d03 wrote:

> I'll keep an eye on things and see if all is ok. I'm still concerned that
> there are too many legit senders not being whitelisted.

Some mail services use different hosts (different IPs) to retry queued
email. You may want to show us a specific example of one that doesn't
work.

> Also, after a change to the flags in rc.conf is
> /usr/local/etc/rc.d/obspamd restart sufficient for the changes to take
> effect or must I do a killall -HUP?

The rc.d script with restart would be fine. (spamd doesn't listen to the
HUP signal.)

Jeremy C. Reed
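An added example, not part of the thread, that turns Jeremy's two points above into a replayable model: a greylist entry is whitelisted only when a retry arrives at least `passtime` minutes after the entry was created and before the entry expires after `greyexp` hours, and spamd keys entries on the connecting IP together with the envelope sender and recipient, so a sender that retries from a rotating pool of hosts has to satisfy that window per host. The retry schedules are simplified models of the sendmail, Exim and Postfix behaviour Jeremy describes, the host pool and IP addresses are constructed, and the settings replayed are the `-G 25:8:864` and `-G 10:12:864` values from this thread (the names `GreyConfig`, `greylist_outcome` and the schedule helpers are this example's own, not spamd's):

```python
"""Greylisting timing model for spamd -G passtime:greyexp:whiteexp.

Added example for this thread, not spamd's own code. The retry schedules
are simplified models of the MTA behaviour Jeremy describes; the outcome
rule (whitelist when a retry arrives at least `passtime` minutes after an
entry was created and before it expires after `greyexp` hours) follows
spamd(8). Hosts, IPs and horizons below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class GreyConfig:
    passtime_min: int   # minutes a greylisted tuple must wait before a retry counts
    greyexp_h: int      # hours an untouched greylist entry lives
    whiteexp_h: int     # hours a whitelisted host is kept (not modelled here)


def sendmail_like(horizon_min):
    """Retry every 30 minutes up to the horizon (Jeremy's sendmail figure)."""
    return list(range(0, horizon_min + 1, 30))


def exim_like(horizon_min):
    """Every 15 minutes for the first two hours, then doubling gaps capped at 6 h."""
    times, t, delay = [0], 0, 15
    while True:
        if t >= 120:
            delay = min(delay * 2, 360)
        t += delay
        if t > horizon_min:
            return times
        times.append(t)


def postfix_like(horizon_min, min_delay=5, max_delay=66):
    """Gap doubles from 5 minutes and is capped at 66 (Jeremy's postfix figures)."""
    times, t, delay = [0], 0, min_delay
    while t + delay <= horizon_min:
        t += delay
        times.append(t)
        delay = min(delay * 2, max_delay)
    return times


def single_host(times, ip="192.0.2.10"):
    """All retries come from one outbound IP (constructed address)."""
    return [(t, ip) for t in times]


def rotating_hosts(times, ips):
    """A mail farm that retries from a different outbound IP each time."""
    return [(t, ips[i % len(ips)]) for i, t in enumerate(times)]


def greylist_outcome(attempts, cfg):
    """Replay (minute, source_ip) delivery attempts for one sender/recipient pair.

    spamd keys the greylist on the connecting IP plus envelope sender and
    recipient, so every distinct IP gets its own entry. Returns the minute at
    which the pair was whitelisted (or None) and how many fresh greylist
    entries were created along the way.
    """
    first_seen = {}
    fresh = 0
    for minute, ip in attempts:
        if ip not in first_seen or minute - first_seen[ip] >= cfg.greyexp_h * 60:
            first_seen[ip] = minute   # new, or expired and re-greylisted
            fresh += 1
            continue
        if minute - first_seen[ip] >= cfg.passtime_min:
            return minute, fresh      # retry landed inside the window
        # retry before passtime: still grey, entry unchanged
    return None, fresh


if __name__ == "__main__":
    five_days = 5 * 24 * 60
    old, new = GreyConfig(25, 8, 864), GreyConfig(10, 12, 864)
    farm = [f"198.51.100.{i}" for i in range(20)]  # constructed 20-host farm
    for name, sched in (("sendmail", sendmail_like), ("exim", exim_like), ("postfix", postfix_like)):
        print(name, "single host:", greylist_outcome(single_host(sched(five_days)), old))
    print("20 rotating hosts, -G 25:8:864 :", greylist_outcome(rotating_hosts(sendmail_like(five_days), farm), old))
    print("20 rotating hosts, -G 10:12:864:", greylist_outcome(rotating_hosts(sendmail_like(five_days), farm), new))
```

With a single retrying host all three schedules pass within the first hour under either setting. With the constructed 20-host farm retrying every 30 minutes, each host returns only after 600 minutes: under `-G 25:8:864` that is past the 8-hour greyexp, so every attempt creates a fresh entry and the pair is never whitelisted, while under `-G 10:12:864` the 12-hour greyexp still covers the 600-minute gap and the pair passes. That is the case Jeremy's "different hosts to retry" remark points at, and it is the one where raising greyexp, rather than lowering passtime, makes the difference.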
From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 18:19:49 2007
From: jonathan michaels
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd pf
Organisation: Caamora, PO Box 144, Rosebery NSW 1445 Australia
Date: Wed, 12 Sep 2007 03:41:59 +1000
Subject: Re: pf, ping and traceroute
Message-ID: <20070912034159.36394@caamora.com.au>
References: <20070911133959.25090@caamora.com.au> <20070911213841.01986@caamora.com.au> <46E6A648.8080700@quip.cz>
In-Reply-To: <46E6A648.8080700@quip.cz>; from Miroslav Lachman on Tue, Sep 11, 2007 at 04:29:28PM +0200

On Tue, Sep 11, 2007 at 04:29:28PM +0200, Miroslav Lachman wrote:
> jonathan michaels wrote:
> > On Tue, Sep 11, 2007 at 02:07:45AM -0700, Kian Mohageri wrote:
> [...]
> > yes, kian, my basic problem is that english is not my first language
> > and i still have difficulty understanding the way that teh document is
> > written.
>
> Even if you are not native english speaking, please use "the" and not
> "teh". It is hard to read your sentences.

greetings, please excuse my off topic post, it is an issue that i would
rather deal with openly and not the countless times that i would have to
if i replied to each one of these kinds of posts in private as i usually
do, moderator, please, excuse my liberty, i do not know how else to deal
with this kind of issue/situation, other than to tackle it head on.

apart from being a non-english first language speaker i am a significantly
disabled man with significant genetic-component brain damage resulting in
significant learning difficulties. i have replied to mr lachman in detail,
outlining some of the difficulties that i live with and take for granted as
part of the price of entry into the show called life.

i am just asking for a little understanding, if i could reasonably
accommodate the requests for changes i would adopt them in a flash, but, i
have neither the tools, nor the expertise, or the resources to make it
happen now or in the reasonable long term future.

kind regards/apologies/appreciations

jonathan

--
================================================================
powered by .. QNX, OS9 and freeBSD -- http://caamora com au/operating system
==== === appropriate solution in an inappropriate world === ====

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 20:01:45 2007
From: Olli Hauer
To: Doug Sampson
Cc: "'freebsd-pf@freebsd.org'"
Date: Tue, 11 Sep 2007 22:02:43 +0200
Subject: RE: spamd-mywhite
Message-Id: <1189540963.30294.89.camel@amd.uni.vrs>
In-Reply-To: <9DE6EC5B5CF8C84281AE3D7454376A0D6D00A3@cetus.dawnsign.com>
References: <9DE6EC5B5CF8C84281AE3D7454376A0D6D00A3@cetus.dawnsign.com>

On Mon, 2007-09-10 at 13:07 -0700, Doug Sampson wrote:
> > Hi all,
> >
> > I've been running pf+obspamd on FBSD 6.2-RELEASE.
> >
> > I appear to be blocking some addresses that appear in my
> > spamd-mywhite file
> > and I don't understand why that would be the case here. I'm
> > guessing I've
> > screwed up my pf.conf file.
> >
> > Here's my config file:
> >
> > # pfctl -vvnf /etc/pf.conf
> > ext_if = "rl0"
> > int_if = "xl0"
> > internal_net = "192.168.1.1/24"
> > external_addr = "216.70.250.4"
> > vpn_net = "10.8.0.0/24"
> > NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
> > webserver1 = "192.168.1.4"
> > set skip on { lo0 }
> > set skip on { gif0 }
> > @0 scrub in all fragment reassemble
> > @1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
> > @2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
> > @3 rdr on rl0 inet proto tcp from any to 216.70.250.4 port = http ->
> > 192.168.1.4 port 80
> > table persist
> > table persist

I will try to comment the changes to get your setup working.
(I removed the trailing >> for the corrected rules)

# -- OK, your own whitelist to pass spamd
table persist file "/usr/local/etc/spamd/spamd-mywhite"

# -- silly, don't do this !
# -- !! This file is no table, it is even not for usage in pf ruleset !!
# remove this! table persist \
# remove this! file "/usr/local/etc/spamd/spamd.alloweddomains"

From man (8) spamd:

    The file /usr/local/etc/spamd/spamd.alloweddomains can be used to
    specify a list of domainname suffixes, one per line, one of which must
    match each destination email address in the greylist. Any destination
    address which does not match one of the suffixes listed in
    spamd.alloweddomains will be trapped, exactly as if it were sent to a
    spamtrap address.

@this is only a FreeBSD thing, do not use # or whitespaces in OpenBSD!

    Comment lines beginning with # are ignored.

Maybe this example is better to understand the spamd.alloweddomains

# all mail to @example.org is good
@example.org
# all mail to example.com even foo.bar@sub.example.com is OK
example.com
# mail to this RFC only is OK all others will be blacklisted
abuse@example.net
postmaster@example.net
hostmaster@example.net

OK, back to the ruleset.

# -- Let all smtp traffic from the table pass before
# -- any other rules since we trust them (if you like to log this
# -- traffic with spamlogd remove the pass keyword)
rdr (pass) inet proto tcp from to 216.70.250.4 \
    port = smtp -> 127.0.0.1 port 25

# -- remove also the *pass* keyword if you use spamlogd so the entry
# -- can be refreshed with every mail during passtime
rdr (pass) inet proto tcp from to 216.70.250.4 \
    port = smtp -> 127.0.0.1 port 25

# -- OK, this rule *with pass*
rdr pass inet proto tcp from to 216.70.250.4 \
    port = smtp -> 127.0.0.1 port 8025

# -- change this table from to ,
# -- since processed two rules before
rdr pass inet proto tcp from ! to 216.70.250.4 \
    port = smtp -> 127.0.0.1 port 8025

# -- Now traffic from the tables and
# -- flows in with logging (good with spamlogd)
pass in log inet proto tcp from any to 216.70.250.4 \
    port = smtp flags S/SA synproxy state

> > @8 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
> > @9 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
> > @10 block drop in log all
> > @11 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
> > @12 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
> > @13 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
> > @14 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
> > @15 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
> > @16 block drop out log quick on rl0 inet from any to 127.0.0.0/8
> > @17 block drop out log quick on rl0 inet from any to 192.168.0.0/16
> > @18 block drop out log quick on rl0 inet from any to 172.16.0.0/12
> > @19 block drop out log quick on rl0 inet from any to 10.0.0.0/8
> > @20 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
> > @21 block drop in log quick inet from 192.168.1.25 to any
> > @22 pass in on xl0 inet from 192.168.1.0/24 to any
> > @23 pass out log on xl0 inet from any to 192.168.1.0/24
> > @24 pass out log quick on xl0 inet from any to 10.8.0.0/24
> > @25 pass out on rl0 proto tcp all flags S/SA modulate state
> > @26 pass out on rl0 proto udp all keep state
> > @27 pass out on rl0 proto icmp all keep state
> > @28 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
> > @29 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
> >
> > /var/log/pflog0 shows the following:
> >
> > 141748 rule 3/0(match): block in on rl0: 205.188.159.7.50805 >
> > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768
> 0,nop>
> > 2. 049208 rule 3/0(match): block in on rl0: 205.188.159.7.50805 >
> > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768
> 0,nop>
> > 3. 068169 rule 3/0(match): block in on rl0: 205.188.159.7.50805 >
> > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768
> 0,nop>
> > 5. 594277 rule 3/0(match): block in on rl0: 205.188.139.137.61419 >
> > 216.70.250.4.25: S 2510359871:2510359871(0) win 24820
> > 1460>
> > 525916 rule 3/0(match): block in on rl0: 205.188.159.7.50805 >
> > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768
> 0,nop>

If my count is the same as pfctl -sr then this was the dropping rule
(count only arguments from pfctl -sr not the 'rdr pass' rules)

> > @10 block drop in log all

> > # pfctl -t spamd-mywhite -T show | grep 205.188.
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > 205.188.139.0/24
> > 205.188.144.0/24
> > 205.188.156.0/23
> > 205.188.157.0/24
> > 205.188.159.0/24

This list is fine, with the changed rules it will work

> > Thus 205.188.159.7 shouldn't be blocked.

It was possible to block this IP with the old ruleset

> > # spamdb | grep 205\.188\.
> > WHITE|205.188.249.132|||1187218293|1187220082|1190330485|13|0
> > WHITE|205.188.249.67|||1187823652|1187824708|1190935126|12|0
> > WHITE|66.179.205.188|||1186759482|1186761981|1189872409|9|0
> > #
> >
> > spamdb doesn't show any entries for 205.188.159.7.

Since the traffic was blocked before, spamd can't see it.
If my count is the same as pfctl -sr then this was the dropping rule
(count only arguments from pfctl -sr not the 'rdr pass' rules)

@10 block drop in log all

> > These entries are for AOL mail. I've received complaints from
> > AOL users of
> > mail bouncing back to them.
> >
> > What am I doing wrong? Are CIDR records accepted by
> > pf+obspamd?

CIDR is OK and supported with pf.
(Ranges like spamd-setup are just committed from Daniel Hartmeier to
OpenBSD 4.2 two weeks ago and I don't know if they find the way into
FreeBSD 7.0)

> I can't trace the block back to the proper rules- i.e. rule 3/0 as
> > shown in pflog0 matches up with which rule in pf.conf?

@10 block drop in log all

> I'm resending this as I have not received any replies. Can someone help me
> out here?
> Oh, and I'm running obspamd 4.1.1.
> > ~Doug

olli
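An added example, not part of Olli's reply and not spamd's own code, showing what the man page text he quotes actually means for a recipient address: the file is a list of suffixes, a recipient is accepted when any suffix matches the end of the address (compared case-insensitively), and everything else is trapped like a spamtrap address. The file content is constructed after Olli's example; the FreeBSD-only handling of `#` comments is modelled with a flag so the OpenBSD behaviour he warns about can be seen too. The function names and the `freebsd_comments` flag are this example's own:

```python
"""spamd.alloweddomains suffix matching, as described in spamd(8).

Added example for this thread, not spamd's code. Implements the man page
rule quoted above: a recipient must end with one of the listed suffixes,
otherwise it is trapped.
"""

# Constructed file content following Olli's example (FreeBSD-style
# '#' comment lines included).
ALLOWEDDOMAINS = """\
# all mail to @example.org is good
@example.org
# all mail to example.com even foo.bar@sub.example.com is OK
example.com
# only these RFC 2142 role addresses at example.net are OK
abuse@example.net
postmaster@example.net
hostmaster@example.net
"""


def load_alloweddomains(text, freebsd_comments=True):
    """Parse the file into a list of lower-cased suffixes.

    With freebsd_comments=True (the FreeBSD port) lines starting with '#'
    are dropped and surrounding whitespace is trimmed. With it False (what
    Olli describes for OpenBSD) every byte of a line is part of the suffix,
    so a '# comment' line would become a suffix that never matches.
    """
    suffixes = []
    for raw in text.splitlines():
        line = raw.strip() if freebsd_comments else raw
        if not line or (freebsd_comments and line.startswith("#")):
            continue
        suffixes.append(line.lower())
    return suffixes


def is_allowed(rcpt, suffixes):
    """True when some suffix matches the end of the recipient address."""
    r = rcpt.lower()
    return any(r.endswith(s) for s in suffixes)


def classify(rcpts, suffixes):
    """Map each envelope recipient to 'greylist' (normal processing) or
    'trap' (handled exactly as if it were a spamtrap address)."""
    return {r: ("greylist" if is_allowed(r, suffixes) else "trap") for r in rcpts}


if __name__ == "__main__":
    sfx = load_alloweddomains(ALLOWEDDOMAINS)
    sample = [  # constructed recipients
        "anyone@example.org", "anyone@sub.example.org",
        "Foo.Bar@sub.example.com", "user@evilexample.com",
        "abuse@example.net", "sales@example.net",
    ]
    for rcpt, verdict in classify(sample, sfx).items():
        print(f"{verdict:9} {rcpt}")
```

Two consequences of the plain suffix rule are worth knowing when writing the file: `@example.org` matches only that exact domain, so mail to a sub-domain of example.org is trapped, and a bare `example.com` also matches `user@evilexample.com`, because nothing anchors the suffix at an `@` or `.`. Listing `@example.com` and `.example.com` instead of the bare name keeps the match to the domain and its sub-domains.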
From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 22:23:58 2007
From: Doug Sampson
To: "'freebsd-pf@freebsd.org'"
Date: Tue, 11 Sep 2007 15:23:55 -0700
Subject: RE: spamd-mywhite
Message-ID: <9DE6EC5B5CF8C84281AE3D7454376A0D6D00A8@cetus.dawnsign.com>

> On Thu, 6 Sep 2007, Doug Sampson wrote:
>
> > What am I doing wrong? Are CIDR records accepted by
> pf+obspamd? I can't
> > trace the block back to the proper rules- i.e. rule 3/0 as
> shown in pflog0
> > matches up with which rule in pf.conf?
>
> Maybe use "pfctl -vvsr" instead to see rule numbers of already loaded
> rules (instead of your pf.conf)?
>

mailfilter-root@/tmp# pfctl -vvsr
No ALTQ support in kernel
ALTQ related functions disabled
@0 scrub in all fragment reassemble
  [ Evaluations: 161863 Packets: 84353 Bytes: 0 States: 0 ]
@0 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
  [ Evaluations: 8035 Packets: 0 Bytes: 0 States: 0 ]
@1 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
  [ Evaluations: 6170 Packets: 0 Bytes: 0 States: 0 ]
@2 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
  [ Evaluations: 5358 Packets: 0 Bytes: 0 States: 0 ]
@3 block drop in log all
  [ Evaluations: 5801 Packets: 1645 Bytes: 88495 States: 0 ]
@4 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
  [ Evaluations: 4989 Packets: 462 Bytes: 163101 States: 1 ]
@5 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
  [ Evaluations: 4988 Packets: 0 Bytes: 0 States: 0 ]
@6 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
  [ Evaluations: 1640 Packets: 0 Bytes: 0 States: 0 ]
@7 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
  [ Evaluations: 1640 Packets: 0 Bytes: 0 States: 0 ]
@8 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
  [ Evaluations: 1640 Packets: 0 Bytes: 0 States: 0 ]
@9 block drop out log quick on rl0 inet from any to 127.0.0.0/8
  [ Evaluations: 4686 Packets: 0 Bytes: 0 States: 0 ]
@10 block drop out log quick on rl0 inet from any to 192.168.0.0/16
  [ Evaluations: 768 Packets: 0 Bytes: 0 States: 0 ]
@11 block drop out log quick on rl0 inet from any to 172.16.0.0/12
  [ Evaluations: 768 Packets: 0 Bytes: 0 States: 0 ]
@12 block drop out log quick on rl0 inet from any to 10.0.0.0/8
  [ Evaluations: 768 Packets: 0 Bytes: 0 States: 0 ]
@13 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
  [ Evaluations: 8034 Packets: 0 Bytes: 0 States: 0 ]
@14 block drop in log quick inet from 192.168.1.25 to any
  [ Evaluations: 7266 Packets: 0 Bytes: 0 States: 0 ]
@15 pass in on xl0 inet from 192.168.1.0/24 to any
  [ Evaluations: 4988 Packets: 3343 Bytes: 568790 States: 0 ]
@16 pass out log on xl0 inet from any to 192.168.1.0/24
  [ Evaluations: 6394 Packets: 2278 Bytes: 1320301 States: 0 ]
@17 pass out log quick on xl0 inet from any to 10.8.0.0/24
  [ Evaluations: 2278 Packets: 0 Bytes: 0 States: 0 ]
@18 pass out on rl0 proto tcp all flags S/SA modulate state
  [ Evaluations: 4686 Packets: 10811 Bytes: 8834639 States: 0 ]
@19 pass out on rl0 proto udp all keep state
  [ Evaluations: 768 Packets: 1246 Bytes: 93336 States: 3 ]
@20 pass out on rl0 proto icmp all keep state
  [ Evaluations: 768 Packets: 6 Bytes: 504 States: 0 ]
@21 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
  [ Evaluations: 5756 Packets: 0 Bytes: 0 States: 0 ]
@22 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
  [ Evaluations: 7249 Packets: 0 Bytes: 0 States: 0 ]
mailfilter-root@/tmp#
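An added example, not part of the thread, that automates the lookup Olli and Doug just did by hand: pflog's `rule N/M` refers to rule N of the loaded filter ruleset as `pfctl -sr` numbers it, while scrub and nat/rdr rules are separate rulesets that also start at @0, which is why `pfctl -vvnf /etc/pf.conf` output and the `@3` in the log did not line up. The script below parses a `pfctl -vvsr` listing (a constructed, abridged copy of Doug's output above) and a few constructed pflog lines in `tcpdump -n -e -r /var/log/pflog` form, then counts logged packets per matching filter rule and source host. It also keeps aside log lines whose rule number is not in the listing or whose second number is non-zero (a match from inside an anchor), and accepts a direction printed as `unkn(255)`, which is what a tcpdump with a stale pflog header prints (see the pflog problem reported later in this digest). The names `parse_rulesets`, `parse_pflog_line` and `attribute` are this example's own:

```python
"""Map pflog 'rule N/M(reason)' references back to the loaded filter rules.

Added example for this thread, not pf's or tcpdump's code. Sample input is
constructed: an abridged `pfctl -vvsr` listing in the shape Doug posted, and
pflog lines as `tcpdump -n -e -r /var/log/pflog` prints them.
"""
import re
from collections import Counter

PFCTL_VVSR = """\
No ALTQ support in kernel
ALTQ related functions disabled
@0 scrub in all fragment reassemble
  [ Evaluations: 161863    Packets: 84353     Bytes: 0           States: 0     ]
@0 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
  [ Evaluations: 8035      Packets: 0         Bytes: 0           States: 0     ]
@1 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
  [ Evaluations: 6170      Packets: 0         Bytes: 0           States: 0     ]
@2 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
  [ Evaluations: 5358      Packets: 0         Bytes: 0           States: 0     ]
@3 block drop in log all
  [ Evaluations: 5801      Packets: 1645      Bytes: 88495       States: 0     ]
@4 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
  [ Evaluations: 4989      Packets: 462       Bytes: 163101      States: 1     ]
"""

# Constructed pflog lines; timestamps and the last two entries are made up.
PFLOG_LINES = """\
15:22:41.141748 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768
15:22:42.049208 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768
15:22:45.594277 rule 3/0(match): block in on rl0: 205.188.139.137.61419 > 216.70.250.4.25: S 2510359871:2510359871(0) win 24820
15:23:01.003311 rule 4/0(match): pass in on xl0: 192.168.1.7.51022 > 192.168.1.25.22: S 1:1(0) win 65535
15:23:09.777001 rule 7/0(match): block unkn(255) on rl0: 203.0.113.5.31047 > 216.70.250.4.1026: UDP, length 365
"""

R_RULE = re.compile(r"^@(\d+)\s+(\S+)\s*(.*)$")
R_PFLOG = re.compile(
    r"^(?P<ts>\S+)\s+rule\s+(?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]+)\):\s+"
    r"(?P<action>\S+)\s+(?P<dir>in|out|unkn\(\d+\))\s+on\s+(?P<ifn>\S+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):"
)
TRANSLATION = {"nat", "rdr", "binat", "nat-anchor", "rdr-anchor", "binat-anchor"}


def parse_rulesets(listing):
    """Split a pfctl listing into scrub, translation and filter rulesets.

    Each ruleset is numbered from @0 on its own; pflog's rule number is an
    index into the filter ruleset only. Counter lines and warnings are skipped.
    """
    sets = {"scrub": {}, "translation": {}, "filter": {}}
    for line in listing.splitlines():
        m = R_RULE.match(line)
        if not m:
            continue
        num, keyword, rest = int(m.group(1)), m.group(2), m.group(3)
        text = (keyword + " " + rest).strip()
        if keyword == "scrub":
            sets["scrub"][num] = text
        elif keyword in TRANSLATION:
            sets["translation"][num] = text
        else:
            sets["filter"][num] = text
    return sets


def parse_pflog_line(line):
    """Return the fields of one tcpdump pflog line, or None if it is not one."""
    m = R_PFLOG.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"], rec["sub"] = int(rec["rule"]), int(rec["sub"])
    rec["src_host"] = rec["src"].rsplit(".", 1)[0]  # tcpdump appends .port
    return rec


def attribute(listing, pflog_text):
    """Count logged packets per (rule number, rule text, source host).

    Lines whose rule is not in the filter ruleset, or whose second number is
    non-zero (matched inside an anchor this listing does not show), are
    returned in `unmatched` instead of being guessed at.
    """
    rules = parse_rulesets(listing)["filter"]
    counts, unmatched = Counter(), []
    for line in pflog_text.splitlines():
        rec = parse_pflog_line(line)
        if rec is None:
            continue
        text = rules.get(rec["rule"]) if rec["sub"] == 0 else None
        if text is None:
            unmatched.append(line)
            continue
        counts[(rec["rule"], text, rec["src_host"])] += 1
    return counts, unmatched


if __name__ == "__main__":
    counts, unmatched = attribute(PFCTL_VVSR, PFLOG_LINES)
    for (num, text, host), n in sorted(counts.items()):
        print(f"@{num:<3} {n:>4} pkts from {host:<16} {text}")
    for line in unmatched:
        print("unmatched:", line)
```

Run against the listing the block distinguishes the scrub `@0` from the filter `@0`, reports the two AOL hosts under `@3 block drop in log all` (the rule Doug was looking for), and sets the `rule 7/0` line aside because the abridged listing has no filter rule 7. Two practical caveats: the listing must come from the same ruleset that was loaded when the log was written, since rule numbers shift on every reload, and anchors need `pfctl -a '*' -vvsr` to be listed at all.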
From owner-freebsd-pf@FreeBSD.ORG Wed Sep 12 01:25:09 2007
Message-ID: <9DE6EC5B5CF8C84281AE3D7454376A0D6D00AA@cetus.dawnsign.com>
From: Doug Sampson
To: 'Olli Hauer'
Cc: "'freebsd-pf@freebsd.org'"
Date: Tue, 11 Sep 2007 18:24:58 -0700
Subject: RE: spamd-mywhite

> # -- silly, don't do this !
> # -- !! This file is no table, it is even not for usage in pf
> ruleset !!
> # remove this! table persist \
> # remove this! file "/usr/local/etc/spamd/spamd.alloweddomains"

Removed.

> OK, back to the ruleset.
>
> # -- Let all smtp traffic from the table pass before
> # -- any other rules since we trust them (if you like to log this
> # -- traffic with spamlogd remove the pass keyword)
> rdr (pass) inet proto tcp from to 216.70.250.4 \
> port = smtp -> 127.0.0.1 port 25
>
> # -- remove also the *pass* keyword if you use spamlogd so the entry
> # -- can be refreshed with every mail during passtime
> rdr (pass) inet proto tcp from to 216.70.250.4 \
> port = smtp -> 127.0.0.1 port 25
>
> # -- OK, this rule *with pass*
> rdr pass inet proto tcp from to 216.70.250.4 \
> port = smtp -> 127.0.0.1 port 8025
>
> # -- change this table from to ,
> # -- since processed two rules before
> rdr pass inet proto tcp from ! to 216.70.250.4 \
> port = smtp -> 127.0.0.1 port 8025
>
>
> # -- Now traffic from the tables and
> # -- flows in with logging (good with spamlogd)
> pass in log inet proto tcp from any to 216.70.250.4 \
> port = smtp flags S/SA synproxy state
>

Now I'm seeing mail flowing into our smtp server from addresses within
spamd-mywhite.

Incidentally, I'm using the rules from Dan Langille's article on pf and
spamd at http://www.freebsddiary.org/pf.php and
http://www.onlamp.com/pub/a/bsd/2007/01/18/greylisting-with-pf.html

I'm wondering if his rules need to be changed?

Thanks to Olli & Jeremy who helped me through this!

~Doug

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 12 18:21:37 2007
Message-Id: <200709121804.l8CI4wVY071879@lava.sentex.ca>
Date: Wed, 12 Sep 2007 14:03:07 -0400
To: freebsd-pf@freebsd.org
From: Mike Tancsa
Subject: pflog problem

On a box that got recently upgraded to current, I am having a problem
reading from the pflog file.

Not sure what the "unknown" bits are, but I can't match hosts.

e.g. here are the last few entries in /var/log/pflog

[zoo]# tcpdump -ner /var/log/pflog | tail -10
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
13:43:33.182398 rule 4/0(match): block unkn(255) on rl0: 60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840
13:43:35.622474 rule 4/0(match): block unkn(255) on rl0: 60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840
13:43:40.501939 rule 4/0(match): block unkn(255) on rl0: 60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840
13:43:43.279628 rule 4/0(match): block unkn(255) on rl0: 60.12.128.147.4256 > 64.7.141.9.22: . ack 1 win 5840
13:43:50.262294 rule 4/0(match): block unkn(255) on rl0: 60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840
13:44:09.783308 rule 4/0(match): block unkn(255) on rl0: 60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840
13:44:48.823375 rule 4/0(match): block unkn(255) on rl0: 60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840
13:46:06.904224 rule 4/0(match): block unkn(255) on rl0: 60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840
13:50:29.020966 rule 7/0(match): block unkn(255) on rl0: 207.231.228.166.31047 > 64.7.141.9.1026: UDP, length 365
13:52:25.229899 rule 7/0(match): block unkn(255) on rl0: 64.7.128.102.55203 > 64.7.141.9.23: S 623064939:623064939(0) win 65535
64.7.141.9.23: [|tcp]
^C
1 packets captured
1 packets received by filter
0 packets dropped by kernel
[zoo]# tcpdump -nei pflog0 host 64.7.128.102
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes

I should see entries on the second tcpdump of pflog0, but it too does not
filter it correctly.

It is hitting the rule

block in log on $ext_if all

        ---Mike

--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 12 18:56:24 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Wed, 12 Sep 2007 20:56:08 +0200
Subject: Re: pflog problem
Message-Id: <200709122056.17441.max@love2party.net>
References: <200709121804.l8CI4wVY071879@lava.sentex.ca>
In-Reply-To: <200709121804.l8CI4wVY071879@lava.sentex.ca>

On Wednesday 12 September 2007, Mike Tancsa wrote:
> On a box that got recently upgraded to current, I am having a problem
> reading from the pflog file.
>
> Not sure what the "unknown" bits are, but I can't match hosts.

You are missing the attached patch - which I am trying to get through
tcpdump.org. The pflog header changed (once again) and changes are
required. Sorry for the mess.
-- 
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
 X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News

[Attachment: pf.41.tcpdump_local.diff (text/x-diff)]

Index: contrib/libpcap/gencode.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/contrib/libpcap/gencode.c,v retrieving revision 1.16 diff -u -r1.16 gencode.c =2D-- contrib/libpcap/gencode.c 4 Sep 2006 19:54:21 -0000 1.16 +++ contrib/libpcap/gencode.c 30 Jun 2007 17:01:13 -0000 @@ -75,7 +75,14 @@ #include "ppp.h" #include "sll.h" #include "arcnet.h" +#ifdef HAVE_NET_PFVAR_H +#include +#include +#include +#include +#else #include "pf.h" +#endif #ifndef offsetof #define offsetof(s, e) ((size_t)&((s *)0)->e) #endif Index: contrib/libpcap/grammar.y =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/contrib/libpcap/grammar.y,v retrieving revision 1.11 diff -u -r1.11 grammar.y =2D-- contrib/libpcap/grammar.y 4 Sep 2006 19:54:21 -0000 1.11 +++ contrib/libpcap/grammar.y 30 Jun 2007 17:02:55 -0000
@@ -53,7 +53,13 @@ #include "pcap-int.h" =20 #include "gencode.h" +#ifdef HAVE_NET_PFVAR_H +#include +#include +#include +#else #include "pf.h" +#endif #include =20 #ifdef HAVE_OS_PROTO_H Index: contrib/tcpdump/print-pflog.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/contrib/tcpdump/print-pflog.c,v retrieving revision 1.1.1.3 diff -u -r1.1.1.3 print-pflog.c =2D-- contrib/tcpdump/print-pflog.c 4 Sep 2006 20:04:14 -0000 1.1.1.3 +++ contrib/tcpdump/print-pflog.c 30 Jun 2007 17:03:26 -0000 @@ -28,6 +28,16 @@ #include "config.h" #endif =20 +#ifdef HAVE_NET_PFVAR_H +#include +#include +#include +#include +#include +#else +#include "pf.h" +#endif + #include =20 #include @@ -35,7 +45,6 @@ =20 #include "interface.h" #include "addrtoname.h" =2D#include "pf.h" =20 static struct tok pf_reasons[] =3D { { 0, "0(match)" }, Index: lib/libpcap/config.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/lib/libpcap/config.h,v retrieving revision 1.5 diff -u -r1.5 config.h =2D-- lib/libpcap/config.h 29 May 2005 18:12:46 -0000 1.5 +++ lib/libpcap/config.h 30 Jun 2007 17:05:20 -0000 
@@ -45,6 +45,9 @@ /* Define to 1 if you have the header file. */ #define HAVE_MEMORY_H 1 =20 +/* Define to 1 if you have the header file. */ +#define HAVE_NET_PFVAR_H 1 + /* Define to 1 if you have the header file. */ /* #undef HAVE_NETINET_ETHER_H */ =20 Index: usr.sbin/tcpdump/tcpdump/config.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/usr.sbin/tcpdump/tcpdump/config.h,v retrieving revision 1.7 diff -u -r1.7 config.h =2D-- usr.sbin/tcpdump/tcpdump/config.h 11 Jul 2005 04:14:42 -0000 1.7 +++ usr.sbin/tcpdump/tcpdump/config.h 30 Jun 2007 17:06:34 -0000 
@@ -193,6 +193,9 @@ /* Define to 1 if you have the header file. */ /* #undef HAVE_NETDNET_DNETDB_H */ =20 +/* Define to 1 if you have the header file. */ +#define HAVE_NET_PFVAR_H 1 + /* Define to 1 if you have the header file. */ /* #undef HAVE_NETINET_ETHER_H */ =20

[PGP signature omitted]

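Review bot: the three `#ifdef HAVE_NET_PFVAR_H` blocks are not the same: the gencode.c hunk adds four `+#include` lines, the grammar.y hunk three and the print-pflog.c hunk five, each followed by the identical `+#else #include "pf.h" +#endif`. If each file really needs a different subset, fine, but the difference is easy to lose on the next vendor sync; either make the three guarded blocks identical or move the system-header set into one local header so there is a single place to touch when the pflog header changes again.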
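Review bot: both config.h hunks (`@@ -45,6 +45,9 @@` in lib/libpcap and `@@ -193,6 +193,9 @@` in usr.sbin/tcpdump) hard-code `#define HAVE_NET_PFVAR_H 1`, while the surrounding `/* #undef HAVE_NETINET_ETHER_H */` lines show these files are configure-generated. That is correct for the in-tree FreeBSD build, where the header is always present, but a one-line comment saying the define is hand-maintained and must match the guard in gencode.c, grammar.y and print-pflog.c would keep a later regeneration of config.h from silently falling back to the bundled `pf.h`, which is exactly the stale-header decoding reported at the top of this thread.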
From: skridsko grafstrom
Date: Thu, 13 Sep 2007 09:32:28 +0800
Subject: Problem with pf route-to in jail

Encountered a weird problem with pf, but before going into that, a
description of my network.

Network interfaces -
1) lnc0 - ethernet interface, inet 192.168.1.2 netmask 255.255.255.0
2) ng0 - netgraph pptp interface, 10.0.0.2 -> 10.0.0.1 point-to-point
3) vlan0 - virtual interface, inet 172.16.1.1 netmask 255.255.255.255

Default gateway - 192.168.1.1

I have a jail running on the vlan0 IP, ie. 172.16.1.1, and I want to route
all traffic from the jail thru ng0, ie. all jail traffic goes thru pptp.
Since I'm unable to change the default route for the jail, I resorted to
using pf. Below are my rules,

nat on ng0 from vlan0 to any -> ng0
rdr on ng0 from any to ng0 -> vlan0
pass out route-to ng0 from vlan0 to !vlan0

This works, but only partially, with the following observations,

1) Ping works, but only for the first packet; subsequent packets are lost

ping -c4 google.com
PING google.com (64.233.187.99): 56 data bytes
64 bytes from 64.233.187.99: icmp_seq=0 ttl=244 time=278.728 ms

--- google.com ping statistics ---
4 packets transmitted, 1 packets received, 75% packet loss
round-trip min/avg/max/stddev = 278.728/278.728/278.728/0.000 ms

2) DNS resolutions work fine, as do traceroutes (a sign of UDP working?)

3) Using nc to connect to a remote listening port shows a successful
connection, but no data can be sent subsequently in the same nc session.

Can anyone help with what's going on here? Or provide a better solution on
how to achieve the setup I want?

Thanks!
From: Mike Tancsa
Date: Thu, 13 Sep 2007 08:06:38 -0400
Subject: Re: pflog problem

At 02:56 PM 9/12/2007, Max Laier wrote:
>You are missing the attached patch - which I am trying to get through
>tcpdump.org. The pflog header changed (once again) and changes are
>required. Sorry for the mess.

Hi,

Thanks very much, that does indeed fix the problem!

---Mike
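The "unknown" output in this thread comes from tcpdump decoding pflog records with a struct layout that no longer matches what pf writes. As an added example (not code from the thread, the attached patch or tcpdump), the decoder below reads a DLT_PFLOG capture and trusts the record's own length byte before interpreting any field; it assumes the 61-byte pfloghdr layout of the OpenBSD 4.1 pf import (length, af, action, reason, ifname[16], ruleset[16], rulenr, subrulenr, uid, pid, rule_uid, rule_pid, dir), treats any other length as an unknown header version, and the sample capture is constructed inline.

```python
import struct

DLT_PFLOG = 117
PFLOG_REAL_HDRLEN = 61           # assumed value pf writes into the length byte
HDR_FMT = "BBBB16s16sIIIiIiB"    # assumed pfloghdr fields, packed without padding
ACTIONS = {0: "pass", 1: "block", 2: "scrub"}
REASONS = {0: "match", 1: "bad-offset", 2: "fragment", 3: "short",
           4: "normalize", 5: "memory", 6: "bad-timestamp", 7: "congestion",
           8: "ip-option", 9: "proto-cksum", 10: "state-mismatch",
           11: "state-insert", 12: "state-limit", 13: "src-limit",
           14: "synproxy"}
DIRS = {1: "in", 2: "out"}


def decode_pflog(rec: bytes, endian: str = "<") -> dict:
    """Parse one pflog record.  The first byte is the header length pf
    wrote, so a header of another size is reported, not misread."""
    if not rec:
        raise ValueError("empty record")
    hlen = rec[0]
    if hlen != PFLOG_REAL_HDRLEN or len(rec) < hlen:
        # Written by a different pf version (or truncated): do not guess
        # field offsets, just hand back whatever follows the header.
        return {"unknown_header_len": hlen, "payload": rec[hlen:]}
    f = struct.unpack(endian + HDR_FMT, rec[:hlen])
    return {
        "af": f[1], "action": ACTIONS.get(f[2], str(f[2])),
        "reason": REASONS.get(f[3], str(f[3])),
        "ifname": f[4].split(b"\0", 1)[0].decode(),
        "ruleset": f[5].split(b"\0", 1)[0].decode(),
        "rulenr": f[6], "subrulenr": f[7], "uid": f[8], "pid": f[9],
        "dir": DIRS.get(f[12], str(f[12])), "payload": rec[hlen:],
    }


def read_pflog_pcap(data: bytes):
    """Yield decoded records from an in-memory pcap; refuse other linktypes."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != DLT_PFLOG:
        raise ValueError(f"not a pflog capture (linktype {linktype})")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield decode_pflog(data[off:off + caplen], endian)
        off += caplen


def build_sample_pcap() -> bytes:
    """Constructed input: a current-layout record (block in on em0, rule 3)
    followed by one written with the assumed older 45-byte header."""
    new = struct.pack("<" + HDR_FMT, 61, 2, 1, 0, b"em0", b"", 3, 0xFFFFFFFF,
                      0xFFFFFFFF, -1, 0xFFFFFFFF, -1, 1)
    old = (bytes([45, 2, 1, 0]) + b"em0".ljust(16, b"\0") + b"\0" * 16
           + struct.pack("<IIB", 3, 0xFFFFFFFF, 1))
    ip = bytes.fromhex("4500001400010000400600000a0000010a000002")  # bare IPv4 hdr
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_PFLOG)
    for rec in (new + ip, old + ip):
        out += struct.pack("<IIII", 0, 0, len(rec), len(rec)) + rec
    return out
```

Running `list(read_pflog_pcap(build_sample_pcap()))` yields the first record fully decoded and the second flagged with its 45-byte header length, which is the check a stale tcpdump lacks.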
From: Ingo Flaschberger
Date: Fri, 14 Sep 2007 18:27:02 -0700 (PDT)
Subject: Re: ifconfig carpdev

Alexandre Biancalana wrote:
>
>> On Wednesday 22 August 2007, Alexandre Biancalana wrote:
>> > Someone have news about ifconfig carpdev option implementation on
>> > FreeBSD ?
>

I have implemented it on FreeBSD 6.2-STABLE.
http://www.nabble.com/file/p12686194/carpdev.diff carpdev.diff

It is a working solution, but not 100% failsafe. See fixme.

Kind regards,
Ingo
From: Ingo Flaschberger
Date: Fri, 14 Sep 2007 21:30:23 -0700 (PDT)
Subject: Re: ifconfig carpdev

Ingo Flaschberger wrote:
>
> I have implemented at FreeBSD 6.2-STABLE.
> http://www.nabble.com/file/p12686194/carpdev.diff carpdev.diff
> Is a working solution, but not 100% failsave.
> See fixme.
>

argl.. need some more tweaks.

carp adds only a host route, and no network. Fixed that so it adds a
network, but now the kernel cries that it receives the ARP at the parent
interface and not at the carp interface...

bye,
Ingo
From: Max Laier
Date: Sat, 15 Sep 2007 13:43:30 +0200
Subject: Re: ifconfig carpdev

On Saturday 15 September 2007, Ingo Flaschberger wrote:
> Ingo Flaschberger wrote:
> > I have implemented at FreeBSD 6.2-STABLE.
> > http://www.nabble.com/file/p12686194/carpdev.diff carpdev.diff
> > Is a working solution, but not 100% failsave.
> > See fixme.
>
> argl.. need some more tweaks.
>
> carp adds only a hostroute, and no network.
> fixed that it add a network, but now kernels cries to receive the arp
> at the parent interface and not at the carp interface...

There is a lot more to this. Please hold your breath just a few more days
and I'll have a working solution as promised. Also, the proposed ioctl
change is not the preferred way of doing things. If you pass in an
interface index, there is no way of making sure that the interface didn't
change underneath you - that's why we rather pass the whole string and do
the resolution in the kernel.

-- 
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
 X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News

[PGP signature omitted]