From owner-freebsd-pf@FreeBSD.ORG Mon Sep 24 11:08:32 2007
Date: Mon, 24 Sep 2007 11:08:31 GMT
Message-Id: <200709241108.l8OB8VSH064256@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/110698  pf         [pf] nat rule of pf without "on" clause causes invalid

3 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
o kern/106400  pf         [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
s conf/110838  pf         tagged parameter on nat not working on FreeBSD 5.2
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
o kern/115640  pf         [net] [pf] pfctl -k dont works

6 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 24 20:24:04 2007
Message-ID: <46F819D2.5060904@interactive-net.de>
Date: Mon, 24 Sep 2007 22:10:58 +0200
From: Reinhard Haller
To: freebsd-pf@freebsd.org
Subject: filtering local traffic on nat gateway

Hi,

I want to restrict the locally generated outgoing traffic from the nat
gateway (cvsup, ddclient i.e. http + https, portupgrade i.e. ftp + http)
to the internet.

How to distinguish forwarded traffic on tun0 from the local traffic
after natting?

Thanks
Reinhard

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 24 22:02:54 2007
Message-Id: <20677C74-4EFC-400B-ADE4-A794F87B2FA4@gmail.com>
Date: Mon, 24 Sep 2007 15:55:54 -0500
From: Adam Wien
To: freebsd-pf@freebsd.org
Subject: pf nat and UMA

I'm trying to get my new UMA phones working behind a pf firewall. I'm
having all sorts of trouble. I've tried static maps, binat, redirects;
nothing seems to be working.

They seem to work on port 4500: port 4500 on the phone to port 4500 on
the remote server. It looks to me a lot like SIP. When I make calls, it
rings on the other side but, after 15 seconds at best, it drops the
call.

Here's what I have so far.

nat on em3 proto udp from any port 4500 to any port 4500 -> (carp0) static-port  # nat for my phones
nat on em3 from carp1:network to any -> carp0                                    # basic nat rule

I see it in the state table...

self tcp 192.168.x.131:51325 -> 208.74.x.x:57358 -> 204.187.87.88:443  ESTABLISHED:ESTABLISHED
self tcp 192.168.x.131:52324 -> 208.74.x.x:52324 -> 216.9.242.88:443   ESTABLISHED:ESTABLISHED
self udp 192.168.x.131:4500 -> 208.74.x.x:62310 -> 208.54.83.1:4500    MULTIPLE:MULTIPLE

I'm really at a loss.
Thanks,
Adam

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 25 15:21:04 2007
Message-ID: <6e6841490709250820i628855cbn54461cc9671d7f9b@mail.gmail.com>
Date: Tue, 25 Sep 2007 12:20:51 -0300
From: "Gilberto Villani Brito"
To: "Reinhard Haller"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <46F819D2.5060904@interactive-net.de>
Subject: Re: filtering local traffic on nat gateway

On 24/09/2007, Reinhard Haller wrote:
> Hi,
>
> I want to restrict the locally generated outgoing traffic from the nat
> gateway (cvsup, ddclient i.e. http + https, portupgrade i.e. ftp + http)
> to the internet.
>
> How to distinguish forwarded traffic on tun0 from the local traffic
> after natting?
>
> Thanks
> Reinhard
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

Try this:

block on $ext_if all
pass in on $int_if from to any

--
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 26 03:49:05 2007
Date: Wed, 26 Sep 2007 03:49:05 GMT
Message-Id: <200709260349.l8Q3n5XV018003@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/116645: pfctl -k does not work in securelevel 3

Synopsis: pfctl -k does not work in securelevel 3

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Wed Sep 26 03:48:40 UTC 2007
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=116645

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 26 09:08:08 2007
Message-ID: <46FA215F.7040905@interactive-net.de>
Date: Wed, 26 Sep 2007 11:07:43 +0200
From: Reinhard Haller
To: freebsd-pf@freebsd.org
In-Reply-To: <6e6841490709250820i628855cbn54461cc9671d7f9b@mail.gmail.com>
Subject: Re: filtering local traffic on nat gateway

Hi Gilberto,

Gilberto Villani Brito wrote:
> On 24/09/2007, Reinhard Haller wrote:
>
>> Hi,
>>
>> I want to restrict the locally generated outgoing traffic from the nat
>> gateway (cvsup, ddclient i.e. http + https, portupgrade i.e. ftp + http)
>> to the internet.
>>
>> How to distinguish forwarded traffic on tun0 from the local traffic
>> after natting?
>>
>> Thanks
>> Reinhard
>>
> Try this:
> block on $ext_if all
> pass in on $int_if from to any
>

Your ruleset blocks all outgoing traffic on $ext_if because there is no
pass rule for outgoing traffic.

My own ruleset works only with the last rule (natting is done before
filtering). At the moment of filtering, all packets have ($ext_if) as
source address and arbitrary source port numbers.

Based on the last rule there is no way to distinguish forwarded from
local outgoing traffic.

Any suggestions?
Greetings
Reinhard

----------------------
ext_if="tun0"
int_if="fxp0"
internal_net="192.168.0.0/16"
external_net="!192.168.0.0/16"
tcp_unrestricted_ports="{ pop3, imap, ldap, ldaps, nntp, auth, cvsup }"

set skip on lo0

nat on $ext_if from !($ext_if) -> ($ext_if)

block log all

pass quick proto tcp from $internal_net to $external_net port $tcp_unrestricted_ports
pass out on $ext_if from ($ext_if) to $external_net

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 26 21:20:41 2007
Date: Wed, 26 Sep 2007 18:06:50 -0300
Message-ID: <94CADB570ACCB0418E8236C8F24BD95C01469FA6@VIRTUALEXCHANGE.corp.com>
From: "David Verzolla"
Subject: Trouble with PF

Hi,

I'm working with two firewall boxes:

- Dell PowerEdge 2950
  - First network device: BCE0
  - Second network device: BCE1

- HP ML350 G3
  - First network device: BGE0
  - Second network device: XL0

My FreeBSD box is 6.2-STABLE.

I'm working with PF firewall + PFSYNC + VLANs (3 VLANs) + CARP. All
interfaces are cloned with CARP.

The problem is: my network is slow. When I try to connect to a web
server, or try pings from my firewall to some machine located in the DMZ
(tests from DMZ -> firewall box have the same result), I get this
trouble:

The command: while true ; do ping -c 1 DMZ_IP ; done

Ping works in most of the tests, but some tests give me this error:

(For security reasons I suppress my original IP, sorry for the
inconvenience)

--- 201.x.x.x ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.194/0.194/0.194/0.000 ms
PING 201.x.x.x (201.x.x.x): 56 data bytes
64 bytes from 201.x.x.x: icmp_seq=0 ttl=64 time=0.197 ms

--- 201.x.x.x ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.197/0.197/0.197/0.000 ms
PING 201.x.x.x (201.x.x.x): 56 data bytes
64 bytes from 201.x.x.x: icmp_seq=0 ttl=64 time=0.192 ms

--- 201.x.x.x ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.211/0.211/0.211/0.000 ms
PING 201.x.x.x (201.x.x.x): 56 data bytes
---> ping: sendto: Operation not permitted

The ping returns "Operation not permitted".
Other command:

[root@f1000 /etc/pf]# ping 201.x.x.x
PING 201.x.x.x (201.x.x.x): 56 data bytes
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
64 bytes from 201.x.x.x: icmp_seq=4 ttl=64 time=2.636 ms
64 bytes from 201.x.x.x: icmp_seq=5 ttl=64 time=0.210 ms
64 bytes from 201.x.x.x: icmp_seq=6 ttl=64 time=0.136 ms

The ping returns "Operation not permitted" too.

I have other applications working with Ajax that are broken: the time to
load all the resources is longer. With this trouble (Ajax) it's possible
to verify that the problem occurs with the TCP protocol as well.

When I disable PF, all works greatly.

Below are my rules:

-- begin
# $FreeBSD: src/etc/pf.conf,v 1.2.2.1 2006/04/04 20:31:20 mlaier Exp $
# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# Macros: define common values, so they can be referenced and changed easily.

### NET DEVICES
ext_if = "bce0"
dmz_if = "vlan20"
corp_if = "vlan30"
ras_if = "vlan40"
sync_if = $ras_if

### ICMP OPTIONS
icmp_types="{ echoreq, unreach }"

table { 200.x.x.0/26 }
table { 201.x.x.0/20 }
table { 201.x.x.0/24 }

# Options: tune the behavior of pf, default values are given.
set optimization normal
#set timeout { tcp.closing 900, tcp.finwait 15, tcp.closed 90 }
set block-policy return
set state-policy floating
set skip on lo
set loginterface $ext_if
set fingerprints "/etc/pf/_pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

#### start
block in

# PFSYNC
pass on $sync_if proto pfsync

# Permit all out
pass out keep state

# PERMIT MULTICAST (CARP)
pass quick on { $dmz_if $corp_if $ras_if $ext_if } inet from any to 224.0.0.0/4 allow-opts keep state

# PERMIT DNS OUT
pass in quick on { $dmz_if $corp_if $ras_if } inet proto { udp tcp } from any to any port 53 keep state

# PERMIT DMZ OUT
pass in quick on { $dmz_if } inet proto tcp from to any \
    port 80 flags S/SA keep state

# PERMIT SSH
pass in quick on { $ext_if } inet proto tcp from to any \
    port { 22 } flags S/SA keep state

# TEMP PERMIT, OLD NET -> NEW NET
pass quick inet proto tcp from to \
    flags S/SA keep state

# ME
pass in quick on $ext_if inet proto tcp from to $ext_if:network \
    port 22 flags S/SA keep state

pass in quick on $ext_if inet proto udp from to $ext_if:network \
    port snmp keep state

pass in quick on $ext_if inet proto tcp from to $ext_if:network \
    port 22 flags S/SA keep state

pass in quick on $ext_if inet proto udp from to $ext_if:network \
    port snmp keep state

### GENERAL RULES
## NTP
pass in quick on { $dmz_if } inet proto udp from 200.x.x.1 port { 123 } to any \
    port { 123 } keep state

###
pass in quick on { $ext_if $corp_if } inet proto tcp from any port { 53 } to 200.x.x.2 \
    port { 53 } flags S/SA keep state

pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.2 \
    port { 53 } flags S/SA keep state

pass in quick on { $ext_if $corp_if } inet proto tcp from to 200.x.x.2 \
    port { 22 } flags S/SA keep state

pass in quick on { $ext_if $corp_if } inet proto udp from any to 200.x.x.2 \
    port { 53 } keep state

###

###
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.3 \
    port { 20 21 80 443 } flags S/SA keep state

# RSYNC
pass in quick on { $ext_if } inet proto tcp from to 200.x.x.3 \
    port { 873 } flags S/SA keep state

# FTP
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.3 \
    port 30000 >< 65000 flags S/SA keep state   # PASSIVE MODE
# FTP
pass in quick on { $dmz_if } inet proto tcp from 200.x.x.3 port 20 to any \
    flags S/SA keep state tag FTP-BACK          # ACTIVE MODE
###

###
# WEB
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.4 \
    port { 80 } flags S/SA keep state

###

#
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.5 \
    port { 554 1755 } flags S/SA keep state

# VNC
pass in quick on { $ext_if } inet proto tcp from to 200.x.x.5 \
    port { 5900 } flags S/SA keep state

pass in quick on { $ext_if $corp_if } inet proto udp from any to 200.x.x.5 \
    port { 554 1755 } keep state
#

# TEST NOTEBOOK - HOLIDAY
pass in quick on { $ext_if $dmz_if } inet proto tcp from any to 200.x.x.6 \
    port { 22 80 } flags S/SA keep state
#

# TEST WITH CISNET
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.7 \
    port { 21 22 } flags S/SA keep state

pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.7 \
    port 30000 >< 65000 flags S/SA keep state   # PASSIVE MODE

pass in quick on { $dmz_if } inet proto tcp from 200.x.x.7 port 20 to any \
    flags S/SA keep state tag FTP-BACK          # ACTIVE MODE
#

# PING
pass log inet proto icmp all icmp-type $icmp_types keep state

# TRACEROUTE
pass inet proto udp from any to any \
    port 33433 >< 33626 keep state

-- end

Thanks in advance.
David Verzolla
Network Administrator
Fundação Cásper Líbero - FCLNet
Tel: +55 11 3170.5937

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 26 22:49:28 2007
Date: Wed, 26 Sep 2007 15:54:22 -0500
From: David DeSimone
To: freebsd-pf@freebsd.org
Message-ID: <20070926205421.GE32662@verio.net>
In-Reply-To: <46FA215F.7040905@interactive-net.de>
Subject: Re: filtering local traffic on nat gateway
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reinhard Haller wrote:
>
> Based on the last rule there is no way to distinguish forwarded from
> local outgoing traffic.
>
> Any suggestions?

Change this rule like so:

> nat on $ext_if from !($ext_if) -> ($ext_if)

to

> nat pass on $ext_if from !($ext_if) -> ($ext_if)

This way, all traffic chosen to be nat'd will also pass the ruleset. Or
rather, bypass the ruleset.

I am worried about your rule, though, because it seems that even any
traffic arriving from the Internet will have a source IP of !($ext_if),
so it will end up matching ALL traffic.

- --
David DeSimone == Network Admin == fox@verio.net
"It took me fifteen years to discover that I had no talent for writing,
but I couldn't give it up because by that time I was too famous."
-- Robert Benchley

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFG+sb9FSrKRjX5eCoRAq6sAJ0bd5YUF1CxNl9og78X9PaKg61gXwCfSDn6
GdZ6ARC0dBlz4Lm6Uo9ZE5s=
=gMmc
-----END PGP SIGNATURE-----

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 27 04:53:48 2007
Message-ID: <12914823.post@talk.nabble.com>
Date: Wed, 26 Sep 2007 21:53:46 -0700 (PDT)
From: kbsd
To: freebsd-pf@freebsd.org
Subject: Newbie - cannot upgrade packages from FTP sites

I am new to FreeBSD 6.2 and am having problems upgrading packages from
FTP sites. Ports build fine from http but I prefer to use packages if
possible. I have not found any clear information on setting up PF rules
for FTP with only one interface. Please check my rules and tell me if I
am missing something.

Thanks

Example of upgrade failure:

[Updating the pkgdb in /var/db/pkg ... - 491 packages found (-0 +1) . done]
--->  Checking for the latest package of 'audio/libmtp'
--->  Fetching the package(s) for 'libmtp-0.2.1' (audio/libmtp)
--->  Fetching libmtp-0.2.1
fetch: ftp://packageftp.desktopbsd.net/pub/FreeBSD/ports/i386/packages-6-stable/All/libmtp-0.2.1.tbz: Operation not permitted
** The command returned a non-zero exit status: 1
** Failed to fetch ftp://packageftp.desktopbsd.net/pub/FreeBSD/ports/i386/packages-6-stable/All/libmtp-0.2.1.tbz
fetch: ftp://packageftp.desktopbsd.net/pub/FreeBSD/ports/i386/packages-6-stable/All/libmtp-0.2.1.tgz: Operation not permitted
** The command returned a non-zero exit status: 1
** Failed to fetch ftp://packageftp.desktopbsd.net/pub/FreeBSD/ports/i386/packages-6-stable/All/libmtp-0.2.1.tgz
** Failed to fetch libmtp-0.2.1
** Listing the failed packages (*:skipped / !:failed)
        ! libmtp-0.2.1  (fetch error)
--->  Packages processed: 0 done, 0 ignored, 0 skipped and 1 failed
** Could not find the latest version (0.2.1)
--->  Using the port instead of a package

These are my filter rules:

ext_if = "sis0"

# Macros
tcp_pass = "{ 53, 80, 25, 110, 123, 443, 631, 20, 21, 8080 }"
udp_pass = "{ 53, 110, 443, 631, 20, 21, 8080 }"

# Options: tune the behavior of pf, default values are given.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface none
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# antispoof
antispoof for $ext_if

# firewall default block all
block all
pass quick on lo0 all

# tcp
pass in on $ext_if inet proto tcp from any to $ext_if port 20 keep state
pass in on $ext_if inet proto tcp from any to $ext_if port 21 keep state
pass in on $ext_if inet proto tcp from any to $ext_if port > 49151 keep state
pass out on $ext_if inet proto tcp to any port $tcp_pass flags S/SA keep state

# udp
pass in on $ext_if inet proto udp from any to $ext_if port 20 keep state
pass in on $ext_if inet proto udp from any to $ext_if port 21 keep state
pass out on $ext_if inet proto udp to any port $udp_pass keep state

# end rules

--
View this message in context: http://www.nabble.com/Newbie---cannot-upgrade-packages-from-FTP-sites-tf4526399.html#a12914823
Sent from the freebsd-pf mailing list archive at Nabble.com.
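The "Operation not permitted" that fetch(1) reports in the message above is what a local process sees when pf drops a packet the process is sending, so the connection being blocked is outbound. In passive-mode FTP the client opens the data connection to an unprivileged port chosen by the server, and that port is not in kbsd's $tcp_pass list. The ruleset below is an added example (not kbsd's rules and not anything posted in the thread): it shows how a single-interface host can fetch packages over passive FTP with outbound-only rules, so the inbound "port > 49151" rule above, which admits connections from anywhere to every ephemeral port, is not needed. It assumes the interface name sis0 from the thread and uses the mirror host from the failed fetch as the only entry in an assumed <ftp_mirrors> table; a real ruleset would list its own mirrors there.

```pf
# Added example: single-interface FTP client restricted to passive mode.
# Assumes sis0 (from the thread) and a hypothetical <ftp_mirrors> table.
ext_if = "sis0"

# Hosts this machine may download packages from. pf resolves the hostnames
# when the ruleset is loaded; reload after the mirror's address changes.
table <ftp_mirrors> { packageftp.desktopbsd.net }

set block-policy drop
set skip on lo0

scrub in all
antispoof for $ext_if

# Default deny in both directions; everything below is an explicit exception.
block log all

# FTP control channel: this host to port 21 on an approved mirror only.
pass out on $ext_if inet proto tcp from ($ext_if) to <ftp_mirrors> port ftp \
    flags S/SA keep state

# Passive-mode data channel: the server announces an unprivileged port in its
# PASV reply and the client connects to it, so the data connection is outbound
# too and is tracked by state. This is the connection the thread's rules drop.
pass out on $ext_if inet proto tcp from ($ext_if) to <ftp_mirrors> port > 1023 \
    flags S/SA keep state

# Active mode would need the server (source port 20) to connect back in; with
# passive mode nothing is passed in, which is the point of this ruleset.
```

fetch(1) uses passive mode when the FTP_PASSIVE_MODE environment variable is set to anything but "no"; check the environment of the account running portupgrade before assuming the data channel is outbound. Validate the file with `pfctl -nf /etc/pf.conf` before loading it.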
From owner-freebsd-pf@FreeBSD.ORG Thu Sep 27 13:19:23 2007
Date: Thu, 27 Sep 2007 10:19:03 -0300
Message-ID: <94CADB570ACCB0418E8236C8F24BD95C015FB4B1@VIRTUALEXCHANGE.corp.com>
From: "David Verzolla"
Subject: RES: Trouble with PF

Hi,

The limit of the states was reached.

"set limit { states 70000, frags 5000 }" solves my problem.

Does anyone have a number higher than 100000?
Regards,
David

-----Original message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On behalf of David Verzolla
Sent: Wednesday, 26 September 2007 18:07
To: freebsd-pf@freebsd.org
Subject: Trouble with PF

Hi,

I'm working with two firewall boxes:

- Dell PowerEdge 2950
  - First network device BCE0
  - Second network device BCE1
- HP ML350 G3
  - First network device BGE0
  - Second network device XL0

My FreeBSD box is 6.2-STABLE. I'm working with PF firewall + pfsync + VLANs (3 VLANs) + CARP. All interfaces are cloned with CARP.

The problem is: my network is slow. When I try to connect to a web server, or try pings from my firewall to some machine located in the DMZ (tests from DMZ -> firewall box have the same result), I get this trouble:

[David Verzolla] [snipped]

David Verzolla
Network Administrator
Fundação Cásper Líbero - FCLNet
Tel: +55 11 3170.5937

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 27 13:52:12 2007
From: Chris Marlatt <cmarlatt@rxsec.com>
Organization: Receive Security
To: David Verzolla
Cc: freebsd-pf@freebsd.org
Date: Thu, 27 Sep 2007 09:25:16 -0400
Message-ID: <46FBAF3C.207@rxsec.com>
In-Reply-To: <94CADB570ACCB0418E8236C8F24BD95C015FB4B1@VIRTUALEXCHANGE.corp.com>
Subject: Re: RES: Trouble with PF

David Verzolla wrote:
> Hi,
> The limit of the states was reached.
>
> "set limit { states 70000, frags 5000 }" solves my problem.
>
> Does anyone have a number higher than 100000?
>
> Regards,
>
> David

One of the firewalls I maintain averages ~420k states without issue or special memory tuning, and during a D/DoS I've had others go up as high as 1.8 million, though you do need to tune your memory settings to get more than a million.
Regards,
Chris

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 27 16:09:02 2007
From: Reinhard Haller <reinhard.haller@interactive-net.de>
To: freebsd-pf@freebsd.org
Date: Thu, 27 Sep 2007 18:08:36 +0200
Message-ID: <46FBD584.5010907@interactive-net.de>
In-Reply-To: <20070926205421.GE32662@verio.net>
Subject: Re: filtering local traffic on nat gateway

Hi David,

David DeSimone wrote:
> Reinhard Haller wrote:
>
>> Based on the last rule there is no way to distinguish forwarded from
>> local outgoing traffic.
>>
>> Any suggestions?
>
> Change this rule like so:
>
>> nat on $ext_if from !($ext_if) -> ($ext_if)
>
> to
>
>> nat pass on $ext_if from !($ext_if) -> ($ext_if)
>

I used tagging instead:

pass quick proto tcp from $internal_net to $external_net port $tcp_unrestricted_ports tag PASS
pass out on $ext_if from ($ext_if) to $external_net tagged PASS

> This way, all traffic chosen to be nat'd will also pass the ruleset.
> Or rather, bypass the ruleset.
>
> I am worried about your rule, though, because it seems that even
> traffic arriving from the Internet will have a source IP of !($ext_if),
> so it will end up matching ALL traffic.

The nat rule is borrowed from man pf.conf (translation examples). Hope they know what they do.

> --
> David DeSimone == Network Admin == fox@verio.net
> "It took me fifteen years to discover that I had no
> talent for writing, but I couldn't give it up because
> by that time I was too famous.
> -- Robert Benchley

Greetings
Reinhard

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 27 16:24:48 2007
From: "David Verzolla" <dverzolla@fcl.com.br>
To: freebsd-pf@freebsd.org
Date: Thu, 27 Sep 2007 13:24:45 -0300
Message-ID: <94CADB570ACCB0418E8236C8F24BD95C015FB50B@VIRTUALEXCHANGE.corp.com>
Subject: Rule doubt

Hi All,

Is it possible to create a rule that can match all the traffic designated to a specific interface?

Example:

pass in on $vlan10 from to (the interface, not the address) $ext_if

The $ext_if:network doesn't work for me.

Thanks.

David Verzolla
Network Administrator
Fundação Cásper Líbero - FCLNet
Tel: +55 11 3170.5937

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 27 17:01:54 2007
From: remko@FreeBSD.org
To: remko@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Thu, 27 Sep 2007 17:01:53 GMT
Message-Id: <200709271701.l8RH1rpb026008@freefall.freebsd.org>
Subject: Re: bin/116610: [patch] teach tcpdump(1) to cope with the new-style pflog(4) output

Synopsis: [patch] teach tcpdump(1) to cope with the new-style pflog(4) output

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: remko
Responsible-Changed-When: Thu Sep 27 17:01:13 UTC 2007
Responsible-Changed-Why:
Reassign to PF team since this influences the PF application suite (I understand that the change must be made in tcpdump so perhaps we should allocate someone else, but let's see what the PF team can do for us).

http://www.freebsd.org/cgi/query-pr.cgi?pr=116610

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 27 17:13:56 2007
From: "Michael K. Smith - Adhost" <mksmith@adhost.com>
To: "David Verzolla", freebsd-pf@freebsd.org
Date: Thu, 27 Sep 2007 09:58:31 -0700
Message-ID: <17838240D9A5544AAA5FF95F8D52031602895CD4@ad-exh01.adhost.lan>
In-Reply-To: <94CADB570ACCB0418E8236C8F24BD95C015FB50B@VIRTUALEXCHANGE.corp.com>
Subject: RE: Rule doubt

Hello David:

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of David Verzolla
> Sent: Thursday, September 27, 2007 9:25 AM
> To: freebsd-pf@freebsd.org
> Subject: Rule doubt
>
> Hi All,
> Is it possible to create a rule that can match all the traffic designated
> to a specific interface?
>
> Example:
>
> pass in on $vlan10 from to (the interface, not the address)
> $ext_if
>
> The $ext_if:network doesn't work for me.
>

Did you try specifying the interface name instead? As an example: ext_if="em1" or bge0 or whatever.

Regards,
Mike

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 27 18:31:59 2007
From: "David Verzolla" <dverzolla@fcl.com.br>
To: "Michael K. Smith - Adhost", freebsd-pf@freebsd.org
Date: Thu, 27 Sep 2007 15:31:55 -0300
Message-ID: <94CADB570ACCB0418E8236C8F24BD95C015FB534@VIRTUALEXCHANGE.corp.com>
Subject: RES: Rule doubt

Hi Michael,

When I do this, PF changes the interface to its IP. Example:

ext_if="bge0"

In pf.conf:

pass in quick on $vlan10 inet from any to $ext_if

With pfctl -sr:

pass in quick on vlan10 inet from any to 200.x.x.x

Regards,
David

-----Original message-----
From: Michael K. Smith - Adhost [mailto:mksmith@adhost.com]
Sent: Thursday, 27 September 2007 13:59
To: David Verzolla; freebsd-pf@freebsd.org
Subject: RE: Rule doubt

Hello David:

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of David Verzolla
> Sent: Thursday, September 27, 2007 9:25 AM
> To: freebsd-pf@freebsd.org
> Subject: Rule doubt
>
> Hi All,
> Is it possible to create a rule that can match all the traffic designated
> to a specific interface?
>
> Example:
>
> pass in on $vlan10 from to (the interface, not the address)
> $ext_if
>
> The $ext_if:network doesn't work for me.
>

Did you try specifying the interface name instead? As an example: ext_if="em1" or bge0 or whatever.

Regards,
Mike

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 27 18:53:07 2007
From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Thu, 27 Sep 2007 20:52:49 +0200
Message-Id: <200709272052.59861.max@love2party.net>
In-Reply-To: <94CADB570ACCB0418E8236C8F24BD95C015FB50B@VIRTUALEXCHANGE.corp.com>
Subject: Re: Rule doubt

On Thursday 27 September 2007, David Verzolla wrote:
> Hi All,
> Is it possible to create a rule that can match all the traffic designated
> to a specific interface?
>
> Example:
>
> pass in on $vlan10 from to (the interface, not the address)
> $ext_if

I'm not 100% sure what you are after here. The from/to part always takes an address as argument. You can use the "($ext_if)" syntax to dynamically fill in all addresses that are configured on the interface at the moment of evaluation, but you can't directly influence routing decisions. That means you can't write a single rule that says "traffic from $vlan10 must only go to $ext_if". In order to do this, you should take a look at tagging.

> The $ext_if:network doesn't work for me.

--
/"\  Best regards,                       | mlaier@freebsd.org
\ /  Max Laier                           | ICQ #67774661
 X   http://pf4freebsd.love2party.net/   | mlaier@EFnet
/ \  ASCII Ribbon Campaign               | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 27 20:14:47 2007
From: Daniel Hartmeier <dhartmei@insomnia.benzedrine.cx>
To: David Verzolla
Cc: freebsd-pf@freebsd.org
Date: Thu, 27 Sep 2007 22:14:44 +0200
Message-ID: <20070927201444.GI32278@insomnia.benzedrine.cx>
In-Reply-To: <94CADB570ACCB0418E8236C8F24BD95C015FB50B@VIRTUALEXCHANGE.corp.com>
Subject: Re: Rule doubt

On Thu, Sep 27, 2007 at 01:24:45PM -0300, David Verzolla wrote:

> Is it possible to create a rule that can match all the traffic designated to a specific interface?
>
> Example:
>
> pass in on $vlan10 from to (the interface, not the address) $ext_if
>
> The $ext_if:network doesn't work for me.

Not with the "to" keyword. That keyword always means "compare the destination IP address of the packet with ...", it never means "compare the interface the packet would be routed out to", even if the English language might allow for both meanings.

At the point in time when pf filters an incoming packet, the routing table has not been consulted yet, and it is not yet decided what the outgoing interface will be [1].

Assuming what you want to express is "pass in on $vlan10 packets that will get routed out on $ext_if (no matter what the destination IP address of the packet is)", you can use the "tag"/"tagged" keywords for that, i.e. pass in all packets on $vlan10 and tag them. Then filter so tagged packets on all possible outgoing interfaces, and only allow them on $ext_if.

With a known static routing table, this is usually not necessary, as the destination IP address will determine the outgoing interface, and restricting based on the IP address with "to" will suffice.

Daniel

[1] In OpenBSD, there are "route labels". You can assign labels to routing table entries. Then filter incoming packets based on the label of the matching routing table entry (forcing an early lookup), like in

pass in on $vlan10 to route
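The tag/tagged approach Daniel describes above, and the same mechanism Reinhard used earlier in this digest to tell forwarded traffic from the NAT gateway's own traffic, written out as a complete added example ruleset that is not from any message in the thread. Interface names, the internal network, the port list and the state limit are assumptions chosen for illustration.

```pf
# Added example ruleset (not from the thread). Assumed names: bge0 is the
# external interface, vlan10 the internal VLAN, 192.168.10.0/24 its network.
ext_if  = "bge0"
int_if  = "vlan10"
int_net = "192.168.10.0/24"

# The 10000-state default is what ran out in the "Trouble with PF" thread;
# 70000 is the value reported there as sufficient. Check usage against the
# limit with "pfctl -si" (current entries) and "pfctl -sm" (limits).
set limit { states 70000, frags 5000 }

scrub in all

# Plain "nat" (not "nat pass"): translated packets still go through the
# filter rules, so the interface check below is actually applied to them.
nat on $ext_if from $int_net to any -> ($ext_if)

block log all
pass quick on lo0 all

# 1. Tag everything that enters on vlan10 from the internal network.
#    Deliberately NO "keep state" here: with pf's default floating states,
#    a state created on the inbound rule would also match the packet on its
#    way out and the outbound rules would never be evaluated. The state is
#    created on the outbound rule instead, after the interface is known.
pass in on $int_if from $int_net to any tag FROM_VLAN10

# 2. Tagged packets are blocked on every outgoing interface ...
block out log tagged FROM_VLAN10

# 3. ... except the external one, where they are allowed and get a state.
#    Last matching rule wins, so this overrides rule 2 only on $ext_if.
#    "keep state" is explicit, as the pf shipped with FreeBSD 6.x required.
pass out on $ext_if tagged FROM_VLAN10 keep state

# 4. Traffic generated by the gateway itself carries no tag. After NAT the
#    forwarded packets also have ($ext_if) as their source, so "from ($ext_if)"
#    alone cannot tell the two apart; "! tagged" is what does (Reinhard's
#    question). Port list is an assumption.
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any \
    port { 53 80 443 } ! tagged FROM_VLAN10 keep state
```

Load it with "pfctl -nf /etc/pf.conf" first to have the parser check it, then inspect the resulting rules with "pfctl -sr"; the tag names appear in the output, so mistakes in the tag/tagged pairing are visible there.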