From owner-freebsd-pf@FreeBSD.ORG Mon Jan 21 11:07:04 2008
Date: Mon, 21 Jan 2008 11:07:04 GMT
Message-Id: <200801211107.m0LB74ka047081@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/110698  pf    [pf] nat rule of pf without "on" clause causes invalid
o bin/116610   pf    [patch] teach tcpdump(1) to cope with the new-style pf
o kern/117827  pf    [pf] [panic] kernel panic with pf and ng

5 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/106400  pf    [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
s conf/110838  pf    tagged parameter on nat not working on FreeBSD 5.2
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/114567  pf    [pf] LOR pf_ioctl.c + if.c
f kern/116645  pf    [request] pfctl -k does not work in securelevel 3
o kern/118355  pf    [pf] [patch] pfctl help message options order false -t
f kern/119661  pf    [pf] "queue (someq, empy_acks)" doesn't work

9 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Jan 21 16:32:15 2008
Message-ID: <4794C5A8.8040402@polands.org>
Date: Mon, 21 Jan 2008 10:17:44 -0600
From: Doug Poland
To: freebsd-pf@freebsd.org
Subject: pf how-to: Single public IP --> many private NAT'd HTTPS servers

Hello,

I've googled, read pf.conf(5) and the pf tutorial/faq, and experimented,
but a working configuration eludes me.
Here's my environment:

Firewall:
  FreeBSD 6.2-STABLE pf
  1 public (routable) IP address

HTTPS:
  FreeBSD 7.0-PRERELEASE
  Listening on 3 private (RFC-1918) IPs
  Apache22 w/SSL and name-based virtual hosts

I would like to redirect incoming https traffic to a specific https
server. So far, I've experimented with various rdr options in pf.conf.
I've even tried to create an address pool, but to no avail.

This is a rather high-level explanation and I didn't want to clutter
this email with pf/DNS/apache syntax that is not working.

I'm open to other solutions if pf is not capable of doing the job. I
have an idea of how apache and mod_rewrite "might" get me there but
wanted to try pf first.

--
Regards,
Doug

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 21 16:57:32 2008
Message-ID: <4794CF21.2090606@polands.org>
Date: Mon, 21 Jan 2008 10:58:09 -0600
From: Doug Poland
To: OutbackDingo
Cc: freebsd-pf@freebsd.org
In-Reply-To: <1200904649.33634.9.camel@z60m>
Subject: Re: pf how-to: Single public IP --> many private NAT'd HTTPS servers

OutbackDingo wrote:
> On Mon, 2008-01-21 at 10:17 -0600, Doug Poland wrote:
>> [...]
>> I would like to redirect incoming https traffic to a specific https
>> server. So far, I've experimented with various rdr options in pf.conf.
>> I've even tried to create an address pool, but to no avail.
>> [...]
>
> web_servers = "{ 10.0.0.10, 10.0.0.11, 10.0.0.13 }"
>
> rdr on $ext_if proto tcp from any to any port 80 -> $web_servers \
>     round-robin sticky-address
>

Hi, thanks for the quick response. Your suggestion was actually the
first thing I tried :) Unfortunately, each host listens on a specific
IP address for that virtual host.
So if:

webmail.example.com = 10.0.0.10
subversion.example.com = 10.0.0.11
timesheets.example.com = 10.0.0.12

and pf sends a request for webmail.example.com to
timesheets.example.com, the request fails.

--
Regards,
Doug

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 21 17:16:23 2008
Message-ID: <4794D38C.6020007@polands.org>
Date: Mon, 21 Jan 2008 11:17:00 -0600
From: Doug Poland
To: OutbackDingo
Cc: freebsd-pf@freebsd.org
In-Reply-To: <1200906215.33634.14.camel@z60m>
Subject: Re: pf how-to: Single public IP --> many private NAT'd HTTPS servers

OutbackDingo wrote:
> On Mon, 2008-01-21 at 10:58 -0600, Doug Poland wrote:
>> [...]
>> Hi, thanks for the quick response. Your suggestion was actually the
>> first thing I tried :) Unfortunately, each host listens on a specific
>> IP address for that virtual host. So if:
>>
>> webmail.example.com = 10.0.0.10
>> subversion.example.com = 10.0.0.11
>> timesheets.example.com = 10.0.0.12
>>
>> and pf sends a request for webmail.example.com to
>> timesheets.example.com, the request fails.
>>
> ahhh read the email again, you want specific requests to go to
> specific servers based on domain i take it.
>
correct

> you might want to look at varnish or a reverse cache engine, in order
> for pf to accomplish that
>
> or perhaps a reverse proxy engine?
>
> pf would need to be able to do a dns resolution for the specific host
> ie... pf see a request for subversion.example.com it should send all
> requests for that site to 10.0.0.11,
>
I have DNS resolution, the problem ( I think ) is that pf simply sees
the packet destined for my single public IP (because all my public host
names must resolve to the same public IP address) and port 443.

> a proxy would be better to use for this such as varnish, but why three
> servers, if you used one apache with 3 virtual hosts on each box you
> get the load balance results
>
Because when one uses SSL, each virtualhost must be on a distinct IP
address. This was the only way to do things in the apache13 days. I
did read somewhere that apache22 supports multiple SSL sites per IP, but
browsers do not yet support this.

Thanks for your help so far.

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 21 17:51:35 2008
Message-Id: <1200907476.33634.20.camel@z60m>
Date: Mon, 21 Jan 2008 17:24:36 +0800
From: OutbackDingo
To: Doug Poland
Cc: freebsd-pf@freebsd.org
In-Reply-To: <4794D38C.6020007@polands.org>
Subject: Re: pf how-to: Single public IP --> many private NAT'd HTTPS servers

the problem here is pf doesn't do hostname resolution, it's not supported
by the filter so dns doesn't help, a reverse proxy would do a name
resolution, though you can use ACLs to direct traffic from a name to an
IP in a proxy also, and this isn't load balancing, this would be name
based redirection.
oops a proxy cache and varnish a cache accelerator would work here, so
probably would nginx which is a proxy in itself.

On Mon, 2008-01-21 at 11:17 -0600, Doug Poland wrote:
> OutbackDingo wrote:
> > On Mon, 2008-01-21 at 10:58 -0600, Doug Poland wrote:
> > > [...]
> > > webmail.example.com = 10.0.0.10
> > > subversion.example.com = 10.0.0.11
> > > timesheets.example.com = 10.0.0.12
> > >
> > > and pf sends a request for webmail.example.com to
> > > timesheets.example.com, the request fails.
> > >
> > ahhh read the email again, you want specific requests to go to
> > specific servers based on domain i take it.
> >
> correct
>
> > you might want to look at varnish or a reverse cache engine, in order
> > for pf to accomplish that
> >
> > or perhaps a reverse proxy engine?
> >
> > pf would need to be able to do a dns resolution for the specific host
> > ie... pf see a request for subversion.example.com it should send all
> > requests for that site to 10.0.0.11,
> >
> I have DNS resolution, the problem ( I think ) is that pf simply sees
> the packet destined for my single public IP (because all my public host
> names must resolve to the same public IP address) and port 443.
>
> > a proxy would be better to use for this such as varnish, but why three
> > servers, if you used one apache with 3 virtual hosts on each box you
> > get the load balance results
> >
> Because when one uses SSL, each virtualhost must be on a distinct IP
> address. This was the only way to do things in the apache13 days. I
> did read somewhere that apache22 supports multiple SSL sites per IP, but
> browsers do not yet support this.
>
> Thanks for your help so far.
From owner-freebsd-pf@FreeBSD.ORG Mon Jan 21 17:55:56 2008
Message-ID: <20080121175551.GB11928@verio.net>
Date: Mon, 21 Jan 2008 11:55:51 -0600
From: David DeSimone
To: freebsd-pf@freebsd.org
In-Reply-To: <4794D38C.6020007@polands.org>
Subject: Re: pf how-to: Single public IP --> many private NAT'd HTTPS servers

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Doug Poland wrote:
>
> I have DNS resolution, the problem ( I think ) is that pf simply
> sees the packet destined for my single public IP (because all my
> public host names must resolve to the same public IP address) and port
> 443.

I am not sure how you expect this to work. The web browser will expect
the server to send a certificate with its identity as part of the
initial SSL negotiation. The client has not yet sent its request, so
the web server has no idea which of the three domains the browser wanted
to talk to, so it does not know which certificate should be sent. This
is the reason why every SSL site must have its own unique (public) IP
address.

- --
David DeSimone == Network Admin == fox@verio.net
"This email message is intended for the use of the person to whom it has
been sent, and may contain information that is confidential or legally
protected. If you are not the intended recipient or have received this
message in error, you are not authorized to copy, distribute, or otherwise
use this message or its attachments. Please notify the sender immediately
by return e-mail and permanently delete this message and any attachments.
Verio, Inc. makes no warranty that this email is error or virus free.
Thank you."
  --Lawyer Bot 6000
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFHlNynFSrKRjX5eCoRAp52AKCIqjzGs2D1o0JAdXfcbZU7YZMlYwCgo0Hz
b0D/2UqYItVoa28DeRUPXy0=
=QKzq
-----END PGP SIGNATURE-----

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 21 18:56:37 2008
Message-ID: <9a542da30801211032s10a260c4vbbdaf5f3d96ba49f@mail.gmail.com>
Date: Mon, 21 Jan 2008 19:32:25 +0100
From: Ermal Luçi
To: freebsd-pf@freebsd.org
Subject: HFSC notes.

If you want to know more about HFSC, this link has some explanation of
how to use and configure it to suit your needs.

The link:
http://forum.pfsense.org/index.php?PHPSESSID=efbbb6e4e74cdefced188b28de395e46&topic=2484.0

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 21 19:22:26 2008
Message-ID: <4794F117.2000804@polands.org>
Date: Mon, 21 Jan 2008 13:23:03 -0600
From: Doug Poland
To: freebsd-pf@freebsd.org
In-Reply-To: <20080121175551.GB11928@verio.net>
Subject: Re: pf how-to: Single public IP --> many private NAT'd HTTPS servers

David DeSimone wrote:
> Doug Poland wrote:
>> I have DNS resolution, the problem ( I think ) is that pf simply
>> sees the packet destined for my single public IP (because all my
>> public host names must resolve to the same public IP address) and port
>> 443.
>
> I am not sure how you expect this to work. The web browser will expect
> the server to send a certificate with its identity as part of the
> initial SSL negotiation. The client has not yet sent its request, so
> the web server has no idea which of the three domains the browser wanted
> to talk to, so it does not know which certificate should be sent. This
> is the reason why every SSL site must have its own unique (public) IP
> address.
>
> - --
> David DeSimone == Network Admin == fox@verio.net
>

I see what you are getting at. I told pf to simply route all https
requests to a fixed private IP. When I pointed my browser at the FQDN,
firefox told me I had a certificate problem... i.e., the certificate
returned was not the one expected.

So, is the bottom line, one *cannot* hide multiple (NAT'd) SSL hosts
behind a single public IP? So my only solution, given apache and one
public IP, is a single host listening on 443 and each "domain" would
have to be served as a .
e.g.,

  https://secure.example.com/webmail/
  https://secure.example.com/subversion/

instead of

  https://webmail.example.com
  https://subversion.example.com

--
Regards,
Doug

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 21 19:30:04 2008
Message-ID: <20080121192959.GA12018@verio.net>
Date: Mon, 21 Jan 2008 13:30:00 -0600
From: David DeSimone
To: freebsd-pf@freebsd.org
In-Reply-To: <4794F117.2000804@polands.org>
Subject: Re: pf how-to: Single public IP --> many private NAT'd HTTPS servers
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Doug Poland wrote:
>
> So, is the bottom line, one *cannot* hide multiple (NAT'd) SSL hosts
> behind a single public IP? So my only solution, given apache and one
> public IP, is a single host listening on 443 and each "domain" would
> have to be served as a . e.g.,
>
> https://secure.example.com/webmail/
> https://secure.example.com/subversion/

That is one method; another is to use TCP port numbers to differentiate
the servers:

  https://webmail.example.com:444/
  https://subversion.example.com:445/

You can have PF forward the correct port to the correct server. This
allows the servers to be more independent of one another.

- --
David DeSimone == Network Admin == fox@verio.net
--Lawyer Bot 6000 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFHlPK3FSrKRjX5eCoRAt+7AKCF/mClCPN5Wzh9mUk8A157esU6hACdG7zD rPZR6UTRRwtJ4KKH/2KPwyI= =g76r -----END PGP SIGNATURE----- From owner-freebsd-pf@FreeBSD.ORG Mon Jan 21 19:31:21 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 079B316A469 for ; Mon, 21 Jan 2008 19:31:21 +0000 (UTC) (envelope-from tom@tomjudge.com) Received: from s200bog10.obsmtp.com (s200bog10.obsmtp.com [207.126.150.124]) by mx1.freebsd.org (Postfix) with SMTP id B755813C4E9 for ; Mon, 21 Jan 2008 19:31:13 +0000 (UTC) (envelope-from tom@tomjudge.com) Received: from source ([217.206.187.80]) by eu2sys200bob010.postini.com ([207.126.147.11]) with SMTP; Mon, 21 Jan 2008 19:31:12 UTC Received: from bill.mintel.co.uk (bill.mintel.co.uk [10.0.0.89]) by rodney.mintel.co.uk (Postfix) with ESMTP id 0DAF418141F; Mon, 21 Jan 2008 19:31:12 +0000 (GMT) Message-ID: <4794F2FF.1040106@tomjudge.com> Date: Mon, 21 Jan 2008 19:31:11 +0000 From: Tom Judge User-Agent: Thunderbird 2.0.0.6 (X11/20071022) MIME-Version: 1.0 To: OutbackDingo References: <4794C5A8.8040402@polands.org> <1200904649.33634.9.camel@z60m> <4794CF21.2090606@polands.org> <1200906215.33634.14.camel@z60m> <4794D38C.6020007@polands.org> <1200907476.33634.20.camel@z60m> In-Reply-To: <1200907476.33634.20.camel@z60m> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-pf@freebsd.org Subject: Re: pf how-to: Single public IP --> many private NAT'd HTTPS servers X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Jan 2008 19:31:21 -0000 OutbackDingo wrote: > the problem here is pf doesnt do 
hostname resolution, its not supported > by the filter so dns doesnt help, a reverse proxy would do a name > resolution, though you can use ACLs to direct traffic from a name to an > IP in a proxy also, and this isnt load balanceing, this would be name > based redirection. oops a proxy cache and varnich a cache accelerator > would work here, so probably would nginx which is a proxy in itself. > This configuration will never work as expected. There is no way for the SSL layer to know what certificate to present before the request has been issued. As SSL is negotiated at accept time, and as such only knows the ip address of the local and remote tcp connection end points. The host name is then sent inside the SSL connection as part of the http request in the host header. This is a problem because the host name of the site being requested is present in the certificate and the SSL layer cannot work out which certificate to serve. HTTPs hosts must be on distinct IP addresses because of this. There is a spec for HTTP+TLS I believe which would allow for 'https' virtual hosting on a single IP as the hostname can be sent to the webserver before the START_TLS command is issued, but I don't know if any browsers support this at the moment. Tom > On Mon, 2008-01-21 at 11:17 -0600, Doug Poland wrote: >> OutbackDingo wrote: >> >>> On Mon, 2008-01-21 at 10:58 -0600, Doug Poland wrote: >>>> OutbackDingo wrote: >>>>> On Mon, 2008-01-21 at 10:17 -0600, Doug Poland wrote: >>>>>> Hello, >>>>>> >>>>>> I've googled, read pf.conf(5) and the pf tutorial/faq, and experimented, >>>>>> but a working configuration eludes me. 
>>>>>> >>>>>> Here's my environment: >>>>>> >>>>>> Firewall: >>>>>> FreeBSD 6.2-STABLE pf >>>>>> 1 public (routable) IP address >>>>>> >>>>>> HTTPS: >>>>>> FreeBSD 7.0-PRERELEASE >>>>>> Listening on 3 private (RFC-1918) IPs >>>>>> Apache22 w/SSL and name-based virtual hosts >>>>>> >>>>>> >>>>>> I would like to redirect incoming https traffic to a specific https >>>>>> server. So far, I've experimented with various rdr options pf.conf. >>>>>> I've even tried to create an address pool, but to no avail. >>>>>> >>>>>> This is a rather high-level explanation and I didn't want to clutter >>>>>> this email with pf/DNS/apache syntax that is not working. >>>>>> >>>>>> I'm open to other solutions if pf is not capable of doing the job. I >>>>>> have an idea of how apache and mod_rewrite "might" get me there but >>>>>> wanted to try pf first. >>>>>> >>>> > web_servers = "{ 10.0.0.10, 10.0.0.11, 10.0.0.13 }" >>>> > >>>> > rdr on $ext_if proto tcp from any to any port 80 -> $web_servers \ >>>> > round-robin sticky-address >>>> > >>>> Hi, thanks for the quick response. Your suggestion was actually the >>>> first thing I tried :) Unfortunately, each host listens on a specific >>>> IP address for that virtual host. So if: >>>> >>>> webmail.example.com = 10.0.0.10 >>>> subversion.example.com = 10.0.0.11 >>>> timesheets.example.com = 10.0.0.12 >>>> >>>> and pf sends a request for webmail.example.com to >>>> timesheets.example.com, the request fails. >>>> >> > ahhh read the email again, you want specific requests to go to >> > specific servers based on domain i take it. >> > >> correct >> >> > you might want to look at varnish or a reverse cache engine, in order >> > for pf to accomlish that >> > >> or perhaps an a reverse proxy engine? >> >> > pf would need to be able to do a dns reolution for the specific host >> > ie... 
pf see a request for subversion.example.com it should send all >> > requests for that site to 10.0.0.11, >> > >> I have DNS resolution, the problem ( I think ) is in that pf simply sees >> the packet destined for my single public IP (because all my public host >> names must resolve to the same public IP address) and port 443. >> >> >> > a proxy would be better to use for this such as varnish, but why three >> > servers, if you used one apache wth 3 virtual hosts on each box you >> > get the load balance results >> > >> Because when one uses SSL, each virtualhost must be on a distinct IP >> address. This was the only way to do things in the apache13 days. I >> did read somewhere that apache22 supports multiple SSL sites per IP, but >> browsers do not yet support this. >> >> Thanks for your help so far. > > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" From owner-freebsd-pf@FreeBSD.ORG Tue Jan 22 00:30:15 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2A2D016A420 for ; Tue, 22 Jan 2008 00:30:15 +0000 (UTC) (envelope-from mouss@netoyen.net) Received: from balou.adapsec.com (balou.adapsec.com [91.121.103.130]) by mx1.freebsd.org (Postfix) with ESMTP id DC02A13C461 for ; Tue, 22 Jan 2008 00:30:14 +0000 (UTC) (envelope-from mouss@netoyen.net) X-Virus-Scanned: amavisd-new at netoyen.net Received: from [192.168.1.65] (ouzoud.netoyen.net [82.239.111.75]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: mouss@netoyen.net) by balou.adapsec.com (Postfix) with ESMTPSA id 6D2974BFC486 for ; Tue, 22 Jan 2008 01:12:49 +0100 (CET) Message-ID: <479534E5.9050103@netoyen.net> Date: Tue, 22 Jan 2008 01:12:21 +0100 From: mouss 
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728) MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: <4794C5A8.8040402@polands.org> <1200904649.33634.9.camel@z60m> <4794CF21.2090606@polands.org> <1200906215.33634.14.camel@z60m> <4794D38C.6020007@polands.org> <20080121175551.GB11928@verio.net> <4794F117.2000804@polands.org> In-Reply-To: <4794F117.2000804@polands.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: pf how-to: Single public IP --> many private NAT'd HTTPS servers X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Jan 2008 00:30:15 -0000 Doug Poland wrote: > I see what you are getting it. I told pf to simply route all https > requests to a fixed private IP. When I pointed my browser at the > FQDN, firefox told me I had a certificate problem... i.e., the > certificate returned was not the one expected. > > So, is the bottom line, one *cannot* hide multiple (NAT'd) SSL hosts > behind a single public IP? In fact, it has nothing to do with NAT. When the browser sees "secure.example.com", it will resolve the host and contact the corresponding IP. at this point, with NAT or without it, you do not know what "virtual host" is being queried. This is a known ssl shortcoming. May be future implementations (openssl, browsers, ...) will solve it. > So my only solution, given apache and one public IP, is a single host > listening on 443 and each "domain" would have to be served as a > . e.g., > > https://secure.example.com/webmail/ > https://secure.example.com/subversion/ This works indeed. it also costs less (for the certificates:). 
In some cases, you can use one of the boxes as an SSL proxy, though care is required (remote apps don't necessarily know whether the query was "secure" or not, so you need to enforce SSL on few paths and adequately structure your sites). > > instead of > > https://webmail.example.com > https://subversion.example.com These cannot work with a single IP (as viewed by the browser). you can also use different ports. but this is not necessarily "user friendly". From owner-freebsd-pf@FreeBSD.ORG Tue Jan 22 15:38:40 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DE09316A419 for ; Tue, 22 Jan 2008 15:38:39 +0000 (UTC) (envelope-from rakhesh@rakhesh.com) Received: from wr-out-0506.google.com (wr-out-0506.google.com [64.233.184.237]) by mx1.freebsd.org (Postfix) with ESMTP id 9B3DA13C474 for ; Tue, 22 Jan 2008 15:38:39 +0000 (UTC) (envelope-from rakhesh@rakhesh.com) Received: by wr-out-0506.google.com with SMTP id 68so861590wra.13 for ; Tue, 22 Jan 2008 07:38:38 -0800 (PST) Received: by 10.143.40.18 with SMTP id s18mr2336636wfj.168.1201016316998; Tue, 22 Jan 2008 07:38:36 -0800 (PST) Received: from smtp.home.rakhesh.com ( [82.178.100.29]) by mx.google.com with ESMTPS id i37sm32708345wxd.12.2008.01.22.07.38.23 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 22 Jan 2008 07:38:28 -0800 (PST) Received: from obelix (obelix [192.168.17.13]) by smtp.home.rakhesh.com (Postfix) with ESMTP id A0BFD1140D for ; Tue, 22 Jan 2008 19:38:10 +0400 (GST) Date: Tue, 22 Jan 2008 19:38:10 +0400 (GST) X-X-Sender: rakhesh@obelix.home.rakhesh.com To: freebsd-pf@freebsd.org In-Reply-To: <20080122185929.A35598@obelix.home.rakhesh.com> Message-ID: <20080122193545.N35750@obelix.home.rakhesh.com> References: <20080122185929.A35598@obelix.home.rakhesh.com> X-Blog: http://rakhesh.com/ X-Notes: http://rakhesh.net/ MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed 
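Every reply in this thread comes down to the same point: pf only sees the destination IP and TCP port, while the requested hostname is carried inside the TLS handshake. As an added example that is not part of the thread, the Python below builds a ClientHello carrying the server_name extension (SNI, RFC 6066, the mechanism that later made name-based HTTPS on one IP practical), extracts the name the way a TLS-aware proxy would before picking a backend, and contrasts that with the port-based split David suggests; the backend addresses are Doug's 10.0.0.x hosts, the port-to-host pairing is an assumption, and the ClientHello bytes are constructed here.

```python
import struct

# Hostname -> backend, from Doug's message (sample data).
NAME_BACKENDS = {
    "webmail.example.com": "10.0.0.10",
    "subversion.example.com": "10.0.0.11",
    "timesheets.example.com": "10.0.0.12",
}
# David's port-per-site idea paired with Doug's addresses (assumption).
PORT_BACKENDS = {444: "10.0.0.10", 445: "10.0.0.11"}


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.0 ClientHello record (test input only)."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0
        sni_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (
        b"\x03\x01"                           # client_version TLS 1.0
        + b"\x11" * 32                        # random (constructed)
        + b"\x00"                             # session_id length 0
        + struct.pack("!H", 2) + b"\x00\x2f"  # one cipher suite
        + b"\x01\x00"                         # compression: null only
    )
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the server_name from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16:                 # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:      # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:               # truncated record
            return None
        off = 2 + 32                          # skip version and random
        off += 1 + body[off]                  # session_id
        off += 2 + struct.unpack("!H", body[off:off + 2])[0]   # cipher_suites
        off += 1 + body[off]                  # compression_methods
        if off + 2 > len(body):
            return None                       # no extensions at all
        ext_len = struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        end = off + ext_len
        if end > len(body):
            return None
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            off += 4
            data = body[off:off + elen]
            off += elen
            if etype == 0x0000 and len(data) == elen:
                list_len = struct.unpack("!H", data[:2])[0]
                p = 2
                while p + 3 <= 2 + list_len:
                    ntype = data[p]
                    nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                    p += 3
                    name = data[p:p + nlen]
                    p += nlen
                    if ntype == 0 and len(name) == nlen:
                        return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def name_based_backend(record):
    """What a TLS-aware proxy can do: route on the name inside the handshake."""
    name = extract_sni(record)
    return NAME_BACKENDS.get(name) if name else None


def port_based_backend(dst_port):
    """What a layer-4 filter such as pf's rdr can key on: the TCP port alone."""
    return PORT_BACKENDS.get(dst_port)
```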
From owner-freebsd-pf@FreeBSD.ORG Tue Jan 22 15:38:40 2008
Date: Tue, 22 Jan 2008 19:38:10 +0400 (GST)
From: Rakhesh Sasidharan
To: freebsd-pf@freebsd.org
Message-ID: <20080122193545.N35750@obelix.home.rakhesh.com>
In-Reply-To: <20080122185929.A35598@obelix.home.rakhesh.com>
Subject: Re: ping: sendto: No buffer space available

Update below ...

> [Rakhesh's original report, quoted here in full; it appears as the next message.]

Turns out disabling and enabling PF doesn't solve the problem permanently.
After trying an NFS copy, the machine started having problems again! I don't
think it copied anything more than 5-10MB of data before losing connectivity!

The only solution then was to do a ''/etc/rc.d/pf reload''. Since this
reloads the rules too it solves the problem.

So my problem is the same as that in the thread I mentioned. Please help.

Thanks,
Rakhesh
---
http://rakhesh.net/

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 22 15:46:12 2008
Date: Tue, 22 Jan 2008 19:17:54 +0400 (GST)
From: Rakhesh Sasidharan
To: freebsd-pf@freebsd.org
Message-ID: <20080122185929.A35598@obelix.home.rakhesh.com>
Subject: ping: sendto: No buffer space available

Hi,

I am running PF on a FreeBSD 6.2/i386 machine. Started doing so about a week
ago. In case it matters, this machine is the master in a CARP group with
another machine. Both of them run PF and have pfsync to keep things in sync.

What happens is that after a day or so of heavy usage (downloading some
torrents and doing a portinstall/ portupgrade/ copying stuff to other
machines on my LAN simultaneously), this PF FreeBSD machine stops responding
to the network.

The machine is perfectly fine. I can login and do stuff, just that it's as if
it's disconnected from the network.

When I ping another host on the LAN, this is what I get:
PING 192.168.17.13 (192.168.17.13): 56 data bytes
ping: sendto: No buffer space available
ping: sendto: No buffer space available
ping: sendto: No buffer space available
^C
--- 192.168.17.13 ping statistics ---

Now, if I disable PF (pfctl -d) things start to work!

And after that if I enable PF (pfctl -e) things continue to work.

So it pretty much looks like a PF problem. Searching this list's archives I
found one old thread
(http://article.gmane.org/gmane.os.freebsd.devel.pf4freebsd/1745) that
mentions a similar problem. Only, there re-enabling PF didn't solve the
problem (though reloading with a re-read of the rules helped).

This problem's happened twice over the last week.

Based on the previous thread, I thought the following outputs might be useful.

Output of ''pfctl -si'':
Interface Stats for xl0              IPv4             IPv6
  Bytes In                     1778679531                0
  Bytes Out                     424820294                0
  Packets In
    Passed                        2178377                0
    Blocked                         14705                0
  Packets Out
    Passed                        1911568                0
    Blocked                         74601                0

State Table                          Total             Rate
  current entries                      632
  searches                        18330505        10534.8/s
  inserts                           335629          192.9/s
  removals                          334997          192.5/s
Counters
  match                             551629          317.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                             21            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                     12159            7.0/s
  state-insert                          61            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                             998            0.6/s

I have the following line in my /etc/pf.conf file. So I suppose I'm not
running out of state table entries either ...
set limit { states 20000, frags 10000, src-nodes 2000 }

Finally, here's the output of ''netstat -m'':
324/666/990 mbufs in use (current/cache/total)
322/308/630/32768 mbuf clusters in use (current/cache/total/max)
320/192 mbuf+clusters out of packet secondary zone in use (current/cache)
0/0/0/0 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/0 9k jumbo clusters in use (current/cache/total/max)
0/0/0/0 16k jumbo clusters in use (current/cache/total/max)
725K/782K/1507K bytes allocated to network (current/cache/total)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
0/7/6656 sfbufs in use (current/peak/max)
0 requests for sfbufs denied
0 requests for sfbufs delayed
0 requests for I/O initiated by sendfile
67 calls to protocol drain routines

Any suggestions what I can do to troubleshoot?

Thanks.
Rakhesh

ps. Forgot to mention: yes, my rules have some ''rdr'' rules. That's another
similarity with the problem in the previous thread.

ps2. When the problem happens, this machine goes down to a backup status (for
CARP). However, once I restart PF, even though things work fine otherwise,
the status does not return to master. Mentioning in case that means something
... (I have the appropriate sysctls and advskew set for this machine to
become a master when things are restored. It works usually, except in this
situation).
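Rakhesh's two posts show the three things worth reading together when a host reports ENOBUFS ("No buffer space available"): cluster usage against kern.ipc.nmbclusters in netstat -m, denied requests and drain calls, and pf's own state count and memory counters. As an added example (not from the thread), the Python below parses those outputs and flags what a practitioner would look at; the sample text is the relevant lines from Rakhesh's post, the thresholds are assumptions, and the 10000 fallback is pf's default state limit when no "set limit" is given.

```python
import re

# Constructed sample: the lines from Rakhesh's netstat -m / pfctl -si output
# that the check reads, plus his pf.conf limit line.
NETSTAT_M = """\
324/666/990 mbufs in use (current/cache/total)
322/308/630/32768 mbuf clusters in use (current/cache/total/max)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
67 calls to protocol drain routines
"""
PFCTL_SI = """\
State Table                          Total             Rate
  current entries                      632
Counters
  memory                                 0            0.0/s
  state-limit                            0            0.0/s
"""
PF_CONF = "set limit { states 20000, frags 10000, src-nodes 2000 }"


def parse_netstat_m(text):
    """Extract mbuf cluster usage, denied mbuf requests and drain-routine calls."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"(\d+)/(\d+)/(\d+)/(\d+) mbuf clusters in use", line)
        if m:
            cur, cache, total, mx = map(int, m.groups())
            stats["clusters"] = {"current": cur, "cache": cache, "total": total, "max": mx}
        m = re.match(r"(\d+)/(\d+)/(\d+) requests for mbufs denied", line)
        if m:
            stats["denied"] = tuple(map(int, m.groups()))
        m = re.match(r"(\d+) calls to protocol drain routines", line)
        if m:
            stats["drain_calls"] = int(m.group(1))
    return stats


def parse_pfctl_si(text):
    """Pick the state count and the two allocation-failure counters out of pfctl -si."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*(current entries|memory|state-limit)\s+(\d+)", line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def parse_state_limit(pf_conf):
    """Read 'set limit { states N ... }'; pf's default is 10000 when it is absent."""
    m = re.search(r"set limit\s*{[^}]*\bstates\s+(\d+)", pf_conf)
    return int(m.group(1)) if m else 10000


def assess(netstat, pfctl, state_limit, cluster_warn=0.80, state_warn=0.80):
    """Return human-readable findings; an empty list means nothing stands out."""
    findings = []
    cl = netstat["clusters"]
    if cl["total"] >= cluster_warn * cl["max"]:
        findings.append(f"mbuf clusters {cl['total']}/{cl['max']}: near kern.ipc.nmbclusters")
    if any(netstat.get("denied", (0, 0, 0))):
        findings.append(f"mbuf requests denied: {netstat['denied']}")
    if netstat.get("drain_calls", 0) > 0:
        # The kernel only calls protocol drain routines when it runs short of
        # mbuf memory, so a non-zero count records pressure that a later
        # snapshot no longer shows.
        findings.append(f"protocol drain routines called {netstat['drain_calls']} times: "
                        "mbuf pressure occurred earlier even though the snapshot looks healthy")
    cur = pfctl.get("current entries", 0)
    if cur >= state_warn * state_limit:
        findings.append(f"state table {cur}/{state_limit}: near the configured limit")
    if pfctl.get("memory", 0) or pfctl.get("state-limit", 0):
        findings.append("pf memory/state-limit counters non-zero: pf failed to create states")
    return findings


if __name__ == "__main__":
    for line in assess(parse_netstat_m(NETSTAT_M), parse_pfctl_si(PFCTL_SI),
                       parse_state_limit(PF_CONF)):
        print(line)
```

On Rakhesh's numbers the only flag raised is the 67 drain-routine calls: clusters, denied requests and pf's counters all look healthy at the moment the snapshot was taken, which is consistent with the problem being intermittent rather than a steady-state limit.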
From owner-freebsd-pf@FreeBSD.ORG Tue Jan 22 15:52:59 2008
Date: Tue, 22 Jan 2008 23:25:14 +0800
From: Ken
To: freebsd-pf@freebsd.org
Message-ID: <47960ADA.6020703@gmail.com>
Subject: about PF log problem

I do not set any options in PF, but what is as follows

tcpdump -n -e -ttt -r /var/log/pflog
124. 988648 rule 4294967295/unkn(8): pass in on tun0: 192.168.0.70 > 224.0.0.1: igmp query v3
124. 988657 rule 4294967295/unkn(8): pass in on tun0: 192.168.0.70 > 224.0.0.1: igmp query v3
124. 988650 rule 4294967295/unkn(8): pass in on tun0: 192.168.0.70 > 224.0.0.1: igmp query v3
124. 988649 rule 4294967295/unkn(8): pass in on tun0: 192.168.0.70 > 224.0.0.1: igmp query v3
124. 988652 rule 4294967295/unkn(8): pass in on tun0: 192.168.0.70 > 224.0.0.1: igmp query v3

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 22 19:40:31 2008
Date: Tue, 22 Jan 2008 17:11:40 -0200
From: "Leandro Malaquias"
To: freebsd-pf@freebsd.org
Message-ID: <8142b02f0801221111v35de1643odc5846c840f0144c@mail.gmail.com>
Subject: No buffer space available
Hello everyone,

This is my problem, my firewall is losing too many packets, below you will
see the result of a simple ping.

- RESULT of ping =======
[root@xxxx]# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
ping: sendto: No buffer space available
64 bytes from 192.168.0.1: icmp_seq=1 ttl=30 time=33.868 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=30 time=33.573 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=30 time=3.880 ms
64 bytes from 192.168.0.1: icmp_seq=4 ttl=30 time=54.057 ms
ping: sendto: No buffer space available
64 bytes from 192.168.0.1: icmp_seq=6 ttl=30 time=78.320 ms
ping: sendto: No buffer space available
64 bytes from 192.168.0.1: icmp_seq=8 ttl=30 time=47.838 ms
64 bytes from 192.168.0.1: icmp_seq=9 ttl=30 time=47.046 ms
64 bytes from 192.168.0.1: icmp_seq=10 ttl=30 time=2.992 ms
64 bytes from 192.168.0.1: icmp_seq=11 ttl=30 time=65.535 ms
64 bytes from 192.168.0.1: icmp_seq=12 ttl=30 time=90.268 ms
^C
--- 192.168.0.1 ping statistics ---
13 packets transmitted, 10 packets received, 23% packet loss
========= EOF

- RESULT of netstat -m ==========
[root@xxxx /usr/ports/net/mtr]# netstat -m
968/1342/2310 mbufs in use (current/cache/total)
932/1358/2290/25600 mbuf clusters in use (current/cache/total/max)
656/752 mbuf+clusters out of packet secondary zone in use (current/cache)
0/0/0/0 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/0 9k jumbo clusters in use (current/cache/total/max)
0/0/0/0 16k jumbo clusters in use (current/cache/total/max)
2106K/3051K/5157K bytes allocated to network (current/cache/total)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
0/8/6656 sfbufs in use (current/peak/max)
0 requests for sfbufs denied
0 requests for sfbufs delayed
0 requests for I/O initiated by sendfile
0 calls to protocol drain routines
=========== EOF

I have raised the value of: kern.ipc.nmbclusters and kern.ipc.nmbufs, but I
haven't tested it yet cause I have to reboot my firewall, does anyone have
any other ideas?

--
Leandro Malaquias
Linux are for those who hate Windows
BSD are for those who love Unix
# echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc

From owner-freebsd-pf@FreeBSD.ORG Wed Jan 23 09:07:13 2008
Date: Wed, 23 Jan 2008 00:49:05 -0800
From: Jeremy Chadwick
To: freebsd-pf@freebsd.org
Message-ID: <20080123084905.GA11909@eos.sc1.parodius.com>
Subject: RELENG_6 and blocked packets with state-mismatch

I'm having some problems with my pf rulesets on RELENG_6, where I see some
occasional blocked packets which also increment state-mismatch. "Occasional"
means maybe 3 or 4 packets every few minutes.
The machine with the pf rules is 72.20.106.5 (also 72.20.106.8, which is an IP alias).

Our ruleset is incredibly simple, so I'm a bit baffled as to how there could be a TCP state mismatch. I've used pfctl -xm to increase logging, and here are some example packets which are getting blocked.

Jan 22 23:40:38 eos kernel: pf: BAD state: TCP 72.20.106.5:80 72.20.106.5:80 75.136.198.15:50665 [lo=606400253 high=606466492 win=501 modulator=1150870355 wscale=7] [lo=713095970 high=713158303 win=33120 modulator=41761135 wscale=1] 7:4 R seq=606400253 ack=713095970 len=0 ackskew=0 pkts=43:59 dir=in,fwd
Jan 22 23:40:38 eos kernel: pf: State failure on: |
Jan 22 23:40:38 eos kernel: pf: BAD state: TCP 72.20.106.5:80 72.20.106.5:80 75.136.198.15:50665 [lo=606400253 high=606466492 win=501 modulator=1150870355 wscale=7] [lo=713095970 high=713158303 win=33120 modulator=41761135 wscale=1] 7:4 R seq=606400253 ack=713095970 len=0 ackskew=0 pkts=43:59 dir=in,fwd
Jan 22 23:40:38 eos kernel: pf: State failure on: |
Jan 22 23:40:38 eos kernel: pf: BAD state: TCP 72.20.106.5:80 72.20.106.5:80 75.136.198.15:50666 [lo=1699814809 high=1699881048 win=501 modulator=4273956536 wscale=7] [lo=2035384330 high=2035447967 win=33120 modulator=4191871234 wscale=1] 7:4 R seq=1699814809 ack=2035384330 len=0 ackskew=0 pkts=37:41 dir=in,fwd
Jan 22 23:40:38 eos kernel: pf: State failure on: |
Jan 22 23:40:38 eos kernel: pf: BAD state: TCP 72.20.106.5:80 72.20.106.5:80 75.136.198.15:50667 [lo=3735841199 high=3735906736 win=46 modulator=90037527 wscale=7] [lo=683911965 high=683917853 win=32768 modulator=3541623580 wscale=1] 4:2 R seq=3735841199 ack=683911965 len=0 ackskew=0 pkts=1:1 dir=in,fwd
Jan 22 23:40:38 eos kernel: pf: State failure on: |
Jan 22 23:40:38 eos kernel: pf: BAD state: TCP 72.20.106.5:80 72.20.106.5:80 75.136.198.15:50668 [lo=3734587261 high=3734652798 win=46 modulator=3834798678 wscale=7] [lo=2009230346 high=2009236234 win=32768 modulator=3583619697 wscale=1] 4:2 R seq=3734587261 ack=2009230346 len=0 ackskew=0 pkts=1:1 dir=in,fwd
Jan 22 23:40:38 eos kernel: pf: State failure on: |

Jan 22 23:40:59 eos kernel: pf: BAD state: TCP 72.20.106.5:80 72.20.106.5:80 75.136.198.15:50667 [lo=3735841199 high=3735906736 win=46 modulator=90037527 wscale=7] [lo=683911965 high=683917853 win=65535 modulator=3541623580 wscale=1] 4:2 R seq=3735841199 ack=683911965 len=0 ackskew=0 pkts=1:4 dir=in,fwd
Jan 22 23:40:59 eos kernel: pf: State failure on: |
Jan 22 23:40:59 eos kernel: pf: BAD state: TCP 72.20.106.5:80 72.20.106.5:80 75.136.198.15:50668 [lo=3734587261 high=3734652798 win=46 modulator=3834798678 wscale=7] [lo=2009230346 high=2009236234 win=65535 modulator=3583619697 wscale=1] 4:2 R seq=3734587261 ack=2009230346 len=0 ackskew=0 pkts=1:4 dir=in,fwd
Jan 22 23:40:59 eos kernel: pf: State failure on: |

Jan 22 23:45:56 eos kernel: pf: BAD state: TCP 72.20.106.5:80 72.20.106.5:80 71.62.42.150:54696 [lo=517642228 high=517707765 win=16425 modulator=4291220578 wscale=2] [lo=2300896510 high=2300962210 win=32768 modulator=18820549 wscale=1] 4:4 RA seq=517642228 ack=2300896510 len=0 ackskew=0 pkts=2:1 dir=in,fwd
Jan 22 23:45:56 eos kernel: pf: State failure on: |
Jan 22 23:45:56 eos kernel: pf: BAD state: TCP 72.20.106.5:80 72.20.106.5:80 71.62.42.150:54699 [lo=755329106 high=755394643 win=16425 modulator=46409624 wscale=2] [lo=3951467432 high=3951533132 win=32768 modulator=4200940856 wscale=1] 4:4 RA seq=755329106 ack=3951467432 len=0 ackskew=0 pkts=2:1 dir=in,fwd
Jan 22 23:45:56 eos kernel: pf: State failure on: |
Jan 22 23:45:56 eos kernel: pf: BAD state: TCP 72.20.106.5:80 72.20.106.5:80 71.62.42.150:54697 [lo=2644295101 high=2644360638 win=16425 modulator=3415384929 wscale=2] [lo=2718937398 high=2719003098 win=32768 modulator=345620445 wscale=1] 4:4 RA seq=2644295101 ack=2718937398 len=0 ackskew=0 pkts=2:1 dir=in,fwd
Jan 22 23:45:56 eos kernel: pf: State failure on: |
Jan 22 23:45:56 eos kernel: pf: BAD state: TCP 72.20.106.5:80 72.20.106.5:80 71.62.42.150:54698 [lo=4259750290 high=4259815827 win=16425 modulator=323853463 wscale=2] [lo=3391337059 high=3391402759 win=32768 modulator=3588322356 wscale=1] 4:4 RA seq=4259750290 ack=3391337059 len=0 ackskew=0 pkts=2:1 dir=in,fwd
Jan 22 23:45:56 eos kernel: pf: State failure on: |

Can someone help shed some light on what could be causing this, and/or is it anything I need to worry about? I'm concerned since 72.20.105.5:80 happens to be our production webserver, and I just recently applied pf rules there (particularly the "block in log all" clause).

If tcpdump is needed against one of the src IPs, let me know and I can sniff a session to see what might be going on before the state mismatch occurs.

--
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |


# $FreeBSD: src/etc/pf.conf,v 1.1.2.1 2004/09/17 18:27:14 mlaier Exp $
# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

ext_if="bge0"
int_if="bge1"

# IANA-reserved netblocks.
# SSH brute-force attacks
table persist file "/conf/ME/pf.conf.iana-reserved"
table persist file "/conf/ME/pf.conf.ssh-deny"


# Options -- Internal options to pf itself.
set optimization normal
set loginterface $ext_if
set skip on lo0
set skip on $int_if

# This helps decrease state-mismatch entries caused by port number re-use;
# the pf state table keeps the state around for 100s (90s+10s internal)
# by default; drop this down to 25s (15s+10s internal).
set timeout { tcp.closed 15 }


# Normalization -- reassemble fragments and resolve/reduce traffic ambiguities.
#
scrub in on $ext_if all fragment reassemble
scrub out on $ext_if random-id


# Filtering
# - Block all inbound packets (on public interface only; see "set skip")
# - Allow all outbound packets (on public interface only; see "set skip")
#
block in log all
pass out quick all modulate state

# Block traffic from IANA-reserved netblocks
block in log quick on $ext_if inet from { } to any

# Block traffic from SSH brute-force attackers
block in log quick on $ext_if inet proto tcp from { } to any port ssh flags S/SA

# Now we punch holes for services which we want to answer for on the
# public interface. Look in /etc/services for service names. The
# "sockstat -l" command might also come in handy.
#
pass in quick on $ext_if inet proto tcp from any to any port ssh modulate state flags S/SA
pass in quick on $ext_if inet proto tcp from any to any port domain modulate state flags S/SA
pass in quick on $ext_if inet proto udp from any to any port domain keep state
pass in quick on $ext_if inet proto tcp from any to any port { http, https } modulate state flags S/SA
pass in quick on $ext_if inet proto tcp from any to any port { smtp, smtps, submission } modulate state flags S/SA
pass in quick on $ext_if inet proto tcp from any to any port auth modulate state flags S/SA
pass in quick on $ext_if inet proto tcp from any to any port { imaps, pop3s } modulate state flags S/SA

# Punch holes for FTP. The rule looks complex, so here it is explained:
# - Make sure pass rule only applies to 72.20.106.8 (ftp.sc1.parodius.com)
# - Permit incoming connections to port 21 (main FTP service)
# - Permit incoming connections to ports 49152-65535 (FTP passive mode)
# - TCP port 20 is actually for **outbound** connections in FTP active mode,
#   and since we allow all outbound traffic, we don't need a rule for it.
# - TCP ports 49152-65535 come from ftpd(8) and ip(4) manpages; there are
#   sysctl(8) knobs for these, but we shouldn't mess with those.
#
pass in quick on $ext_if inet proto tcp from any to 72.20.106.8 port { ftp, 49152:65535 } modulate state flags S/SA

# We also want to respond to incoming ICMP packets. This is necessary
# for a lot of reasons; not just for ping/traceroute, but additionally
# for things like path MTU discovery, network unreachable, source
# quench, and other control messages that TCP and UDP rely on.
#
pass in quick on $ext_if inet proto icmp from any to any keep state


From owner-freebsd-pf@FreeBSD.ORG Wed Jan 23 17:59:44 2008
Message-ID: <20080123094836.pah12u0agwkg8w80@webmail.1command.com>
Date: Wed, 23 Jan 2008 09:48:36 -0800
From: "Chris H."
To: Doug Poland
References: <4794C5A8.8040402@polands.org> <1200904649.33634.9.camel@z60m> <4794CF21.2090606@polands.org> <1200906215.33634.14.camel@z60m> <4794D38C.6020007@polands.org> <20080121175551.GB11928@verio.net> <4794F117.2000804@polands.org>
In-Reply-To: <4794F117.2000804@polands.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf how-to: Single public IP --> many private NAT'd HTTPS servers

Quoting Doug Poland:

> David DeSimone wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Doug Poland wrote:
>>> I have DNS resolution, the problem ( I think ) is in that pf simply
>>> sees the packet destined for my single public IP (because all my
>>> public host names must resolve to the same public IP address) and port
>>> 443.
>>
>> I am not sure how you expect this to work. The web browser will expect
>> the server to send a certificate with its identity as part of the
>> initial SSL negotiation. The client has not yet sent its request, so
>> the web server has no idea which of the three domains the browser wanted
>> to talk to, so it does not know which certificate should be sent. This
>> is the reason why every SSL site must have its own unique (public) IP
>> address.
>>
>> - --
>> David DeSimone == Network Admin == fox@verio.net
>>
> I see what you are getting at. I told pf to simply route all https
> requests to a fixed private IP.
> When I pointed my browser at the
> FQDN, firefox told me I had a certificate problem... i.e., the
> certificate returned was not the one expected.
>
> So, is the bottom line, one *cannot* hide multiple (NAT'd) SSL hosts
> behind a single public IP? So my only solution, given apache and one
> public IP, is a single host listening on 443 and each "domain" would
> have to be served as a . e.g.,
>
> https://secure.example.com/webmail/
> https://secure.example.com/subversion/
>
> instead of
>
> https://webmail.example.com
> https://subversion.example.com
>

This is actually more a DNS solution than anything else. For example, there is nothing to stop you from using the following in example.com's zone file:

$ORIGIN example.com
@               IN SOA  ns.example.com. rootexample.com. (
                        ... )
                IN A    pu.bl.ic.IP
                IN NS   ns.example.com.
                IN NS   another-ns.some-domain.tld.
webmail         IN A    pu.bl.ic.IP
subversion      IN A    pu.bl.ic.IP
another-host    IN A    pu.bl.ic.IP

where pu.bl.ic.IP = your internet routeable IP.

Then simply set up another zone to route your private IP block. This requires a "multi-view" named configuration, but will give you all the routing you require to get this done.

Given the above, you'll be able to self-sign all of your hosts' certs - or better still, have them signed "officially". But if you self-sign, you can have example.com sign all the hosts' certs that are within example.com.

Anyway, point being; you can resolve a lot of what you are trying to accomplish with a little DNS trickery.

Best wishes.
--Chris

>
> --
> Regards,
> Doug
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

--
panic: kernel trap (ignored)


From owner-freebsd-pf@FreeBSD.ORG Thu Jan 24 14:31:39 2008
To: freebsd-pf@freebsd.org
From: Volodymyr Kostyrko
Date: Thu, 24 Jan 2008 16:31:28 +0200
Subject: Re: rfc1323 and scrub: window scaling
Volodymyr Kostyrko wrote:
> It seems that I have failed to properly configure my machine to allow
> window scaling. Whenever another host connects to my machine with
> window scaling enabled my host stops responding to its requests after a certain
> number of seconds. However, if I forcefully turn off rfc1323 support on
> my machine or "that other machine", everything works just fine.
>
> Also with rfc1323 on my config produces two states per connection, each
> one for one direction of packets - in and out. With rfc1323 off only one
> state is produced.

The workaround was to disable "reassemble tcp" in scrub. Is scrub known to work this way?

--
Sphinx of black quartz judge my vow.


From owner-freebsd-pf@FreeBSD.ORG Thu Jan 24 15:56:24 2008
Message-ID: <4798B13D.4080701@moneybookers.com>
Date: Thu, 24 Jan 2008 17:39:41 +0200
From: Stefan Lambrev
To: freebsd-pf@freebsd.org
Subject: PF makes em0 taskq to eat 100% CPU

Hello,

I'm doing some tests and benchmarks and I'm testing pf on a bridge firewall.
One of the specific tests is how PF will handle a SYN flood from random source addresses.
While the bridge is w/o activated PF, I see 12-14MB/s traffic.
When I enable PF the traffic drops to 2-5MB/s and I'm starting to see lost packets.

Here is what top -S shows when PF is not active:
25 root 1 -68 - 0K 16K - 1 34:45 26.37% em0 taskq - only 26% CPU used

but when I enable PF it (em0 taskq) goes up to 100% and packets are lost.

Here is the pf.conf used for tests:

#macros
ext_if="em0"
int_if="em1"
br_if="bridge0"

www="10.3.3.1"

#sets
set skip on lo0
set skip on $int_if
set skip on $br_if
set limit states 20000000
set limit src-nodes 15000
set optimization aggressive

table persist file "/etc/abusive_hosts"

block log quick from to any
block log quick from any to

pass in quick on $ext_if proto tcp from any to $www port { 80, 443 } flags S/SA keep state \
    (source-track rule, max-src-conn-rate 150/10, max-src-states 250, overload flush global)

The number of states that I reach is a little more than 2,000,000.
(20,000,000 is the limit that I enforce)
FreeBSD 7.0-RC1 - Thu Jan 24 - amd64 - sched_ule

Please advise.
--
Best Wishes,
Stefan Lambrev
ICQ# 24134177


From owner-freebsd-pf@FreeBSD.ORG Thu Jan 24 16:53:59 2008
Date: Thu, 24 Jan 2008 08:27:18 -0800 (PST)
From: Abdullah Ibn Hamad Al-Marri
To: Stefan Lambrev, freebsd-pf@freebsd.org
Message-ID: <127299.50887.qm@web33714.mail.mud.yahoo.com>
Subject: Re: PF makes em0 taskq to eat 100% CPU

----- Original Message ----
> From: Stefan Lambrev
> To: freebsd-pf@freebsd.org
> Sent: Thursday, January 24, 2008 6:39:41 PM
> Subject: PF makes em0 taskq to eat 100% CPU
>
> Hello,
>
> I'm doing some tests and benchmarks and I'm testing pf on bridge
> firewall.
> One of the specific tests is how PF will handle SYN flood from random
> source addresses.
> While the bridge is w/o activated PF, I see 12-14MB/s traffic.
> When I enable the PF the traffic drops to 2-5MB/s and I'm starting to
> see lost packets.
>
> Here is what top -S shows when PF is not active:
> 25 root 1 -68 - 0K 16K - 1 34:45 26.37% em0
> taskq - only 26% CPU used
>
> but when I enable PF it (em0 taskq) goes up to 100% and packets are
> lost.
>
> Here is the pf.conf used for tests:
>
> #macros
> ext_if="em0"
> int_if="em1"
> br_if="bridge0"
>
> www="10.3.3.1"
>
> #sets
> set skip on lo0
> set skip on $int_if
> set skip on $br_if
> set limit states 20000000
> set limit src-nodes 15000
> set optimization aggressive
>
> table persist file "/etc/abusive_hosts"
>
> block log quick from to any
> block log quick from any to
>
> pass in quick on $ext_if proto tcp from any to $www port { 80, 443 }
> flags S/SA keep state \
> (source-track rule, max-src-conn-rate 150/10, max-src-states 250,
> overload flush global)
>
> The number of states that I reach is a little more than 2,000,000.
> (20,000,000 is the limit that I enforce)
> FreeBSD 7.0-RC1- Thu Jan 24 - amd64 - sched_ule
>
> Please advise.
>
> --
>
> Best Wishes,
> Stefan Lambrev
> ICQ# 24134177
>

Hello Stefan,

What version of FreeBSD do you use and what arch? What is your CPU spec and what RAM?

Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/


____________________________________________________________________________________
Never miss a thing. Make Yahoo your home page.
http://www.yahoo.com/r/hs


From owner-freebsd-pf@FreeBSD.ORG Thu Jan 24 17:37:29 2008
Message-ID: <4798CCD3.6050002@moneybookers.com>
Date: Thu, 24 Jan 2008 19:37:23 +0200
From: Stefan Lambrev
To: Abdullah Ibn Hamad Al-Marri
References: <127299.50887.qm@web33714.mail.mud.yahoo.com>
In-Reply-To: <127299.50887.qm@web33714.mail.mud.yahoo.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF makes em0 taskq to eat 100% CPU

Abdullah Ibn Hamad Al-Marri wrote:
> ----- Original Message ----
>
>> From: Stefan Lambrev
>> To: freebsd-pf@freebsd.org
>> Sent: Thursday, January 24, 2008 6:39:41 PM
>> Subject: PF makes em0 taskq to eat 100% CPU
>>
>> Hello,
>>
>> I'm doing some tests and benchmarks and I'm testing pf on bridge
>> firewall.
>>
>> One of the specific tests is how PF will handle SYN flood from random
>> source addresses.
>> While the bridge is w/o activated PF, I see 12-14MB/s traffic.
>> When I enable the PF the traffic drops to 2-5MB/s and I'm starting to
>> see lost packets.
>>
>> Here is what top -S shows when PF is not active:
>> 25 root 1 -68 - 0K 16K - 1 34:45 26.37% em0
>> taskq - only 26% CPU used
>>
>> but when I enable PF it (em0 taskq) goes up to 100% and packets are
>> lost.
>>
>> Here is the pf.conf used for tests:
>>
>> #macros
>> ext_if="em0"
>> int_if="em1"
>> br_if="bridge0"
>>
>> www="10.3.3.1"
>>
>> #sets
>> set skip on lo0
>> set skip on $int_if
>> set skip on $br_if
>> set limit states 20000000
>> set limit src-nodes 15000
>> set optimization aggressive
>>
>> table persist file "/etc/abusive_hosts"
>>
>> block log quick from to any
>> block log quick from any to
>>
>> pass in quick on $ext_if proto tcp from any to $www port { 80, 443 }
>> flags S/SA keep state \
>> (source-track rule, max-src-conn-rate 150/10, max-src-states 250,
>> overload flush global)
>>
>> The number of states that I reach is a little more than 2,000,000.
>> (20,000,000 is the limit that I enforce)
>> FreeBSD 7.0-RC1- Thu Jan 24 - amd64 - sched_ule
>>
>> Please advise.
>>
>> --
>>
>> Best Wishes,
>> Stefan Lambrev
>> ICQ# 24134177
>>
>
> Hello Stefan,
>
> What version of FreeBSD do you use and what arch? what is your CPU spec and what ram?
>

FreeBSD 7.0-RC1 - Thu Jan 24 - amd64 - sched_ule. My CPU is Xeon(R) X3220 2.4 GHz - quad core, 2GB RAM.
I increased kern.ipc.nmbclusters=262144
I find device polling quite helpful here - at least the CPUs are idle.
>
> Regards,
> -Abdullah Ibn Hamad Al-Marri
> Arab Portal
> http://www.WeArab.Net/
>

--
Best Wishes,
Stefan Lambrev
ICQ# 24134177


From owner-freebsd-pf@FreeBSD.ORG Thu Jan 24 18:35:08 2008
Date: Thu, 24 Jan 2008 10:35:07 -0800 (PST)
From: Tommy Pham
To: freebsd-pf@freebsd.org
In-Reply-To: <20080123084905.GA11909@eos.sc1.parodius.com>
Message-ID: <698416.69586.qm@web38215.mail.mud.yahoo.com>
Subject: Re: RELENG_6 and blocked packes with state-mismatch
Hi Jeremy,

Are your servers (web, mail, etc.) inside a LAN or DMZ behind the pf box? If so, you're missing NAT and rdr rules. It may help if you can make a network layout of your setup like

Internet <---> router/firewall (FreeBSD pf box) <---> LAN
                              ^
                              |
                              |
                             DMZ

Regards,
Tommy

--- Jeremy Chadwick wrote:

> I'm having some problems with my pf rulesets on RELENG_6, where I see
> some occasional blocked packets which also increment state-mismatch.
> "Occasional" means maybe 3 or 4 packets every few minutes. The machine
> with the pf rules is 72.20.106.5 (also 72.20.106.8, which is an IP alias).
>
> Our ruleset is incredibly simple, so I'm a bit baffled as to how there
> could be a TCP state mismatch. I've used pfctl -xm to increase logging,
> and here are some example packets which are getting blocked.
>
> Jan 22 23:40:38 eos kernel: pf: BAD state: TCP 72.20.106.5:80 72.20.106.5:80 75.136.198.15:50665 [lo=606400253 high=606466492 win=501 modulator=1150870355 wscale=7] [lo=713095970 high=713158303 win=33120 modulator=41761135 wscale=1] 7:4 R seq=606400253 ack=713095970 len=0 ackskew=0 pkts=43:59 dir=in,fwd
> Jan 22 23:40:38 eos kernel: pf: State failure on: |
> Jan 22 23:40:38 eos kernel: pf: BAD state: TCP 72.20.106.5:80 72.20.106.5:80 75.136.198.15:50665 [lo=606400253 high=606466492 win=501 modulator=1150870355 wscale=7] [lo=713095970 high=713158303 win=33120 modulator=41761135 wscale=1] 7:4 R seq=606400253 ack=713095970 len=0 ackskew=0 pkts=43:59 dir=in,fwd
> Jan 22 23:40:38 eos kernel: pf: State failure on: |
> Jan 22 23:40:38 eos kernel: pf: BAD state: TCP 72.20.106.5:80 72.20.106.5:80 75.136.198.15:50666 [lo=1699814809 high=1699881048 win=501 modulator=4273956536 wscale=7] [lo=2035384330 high=2035447967 win=33120 modulator=4191871234 wscale=1] 7:4 R seq=1699814809 ack=2035384330 len=0 ackskew=0 pkts=37:41 dir=in,fwd
> Jan 22 23:40:38 eos kernel: pf: State failure on: |
> Jan 22 23:40:38 eos kernel: pf: BAD state: TCP 72.20.106.5:80 72.20.106.5:80 75.136.198.15:50667 [lo=3735841199 high=3735906736 win=46 modulator=90037527 wscale=7] [lo=683911965 high=683917853 win=32768 modulator=3541623580 wscale=1] 4:2 R seq=3735841199 ack=683911965 len=0 ackskew=0 pkts=1:1 dir=in,fwd
> Jan 22 23:40:38 eos kernel: pf: State failure on: |
> Jan 22 23:40:38 eos kernel: pf: BAD state: TCP 72.20.106.5:80 72.20.106.5:80 75.136.198.15:50668 [lo=3734587261 high=3734652798 win=46 modulator=3834798678 wscale=7] [lo=2009230346 high=2009236234 win=32768 modulator=3583619697 wscale=1] 4:2 R seq=3734587261 ack=2009230346 len=0 ackskew=0 pkts=1:1 dir=in,fwd
> Jan 22 23:40:38 eos kernel: pf: State failure on: |
>
> Jan 22 23:40:59 eos kernel: pf: BAD state: TCP 72.20.106.5:80 72.20.106.5:80 75.136.198.15:50667 [lo=3735841199 high=3735906736 win=46 modulator=90037527 wscale=7] [lo=683911965 high=683917853 win=65535 modulator=3541623580 wscale=1] 4:2 R seq=3735841199 ack=683911965 len=0 ackskew=0 pkts=1:4 dir=in,fwd
> Jan 22 23:40:59 eos kernel: pf: State failure on: |
> Jan 22 23:40:59 eos kernel: pf: BAD state: TCP 72.20.106.5:80 72.20.106.5:80 75.136.198.15:50668 [lo=3734587261 high=3734652798 win=46 modulator=3834798678 wscale=7] [lo=2009230346 high=2009236234 win=65535 modulator=3583619697 wscale=1] 4:2 R seq=3734587261 ack=2009230346 len=0 ackskew=0 pkts=1:4 dir=in,fwd
> Jan 22 23:40:59 eos kernel: pf: State failure on: |
>
> Jan 22 23:45:56 eos kernel: pf: BAD state: TCP 72.20.106.5:80 72.20.106.5:80 71.62.42.150:54696 [lo=517642228 high=517707765 win=16425 modulator=4291220578 wscale=2] [lo=2300896510 high=2300962210 win=32768 modulator=18820549 wscale=1] 4:4 RA seq=517642228 ack=2300896510 len=0 ackskew=0 pkts=2:1 dir=in,fwd
> Jan 22 23:45:56 eos kernel: pf: State failure on: |
> Jan 22 23:45:56 eos kernel: pf: BAD state: TCP 72.20.106.5:80 72.20.106.5:80 71.62.42.150:54699 [lo=755329106 high=755394643 win=16425 modulator=46409624 wscale=2] [lo=3951467432 high=3951533132 win=32768 modulator=4200940856 wscale=1] 4:4 RA seq=755329106 ack=3951467432 len=0 ackskew=0 pkts=2:1 dir=in,fwd
> Jan 22 23:45:56 eos kernel: pf: State failure on: |
> Jan 22 23:45:56 eos kernel: pf: BAD state: TCP 72.20.106.5:80 72.20.106.5:80 71.62.42.150:54697 [lo=2644295101 high=2644360638 win=16425 modulator=3415384929 wscale=2] [lo=2718937398 high=2719003098 win=32768 modulator=345620445 wscale=1] 4:4 RA seq=2644295101 ack=2718937398 len=0 ackskew=0 pkts=2:1 dir=in,fwd
> Jan 22 23:45:56 eos kernel: pf: State failure on: |
> Jan 22 23:45:56 eos kernel: pf: BAD state: TCP 72.20.106.5:80 72.20.106.5:80 71.62.42.150:54698 [lo=4259750290 high=4259815827 win=16425 modulator=323853463 wscale=2] [lo=3391337059 high=3391402759 win=32768 modulator=3588322356 wscale=1] 4:4 RA seq=4259750290 ack=3391337059 len=0 ackskew=0 pkts=2:1 dir=in,fwd
> Jan 22 23:45:56 eos kernel: pf: State failure on: |
>
> Can someone help shed some light on what could be causing this, and/or
> is it anything I need to worry about? I'm concerned since
> 72.20.105.5:80 happens to be our production webserver, and I just
> recently applied pf rules there (particularly the "block in log all"
> clause).
>
> If tcpdump is needed against one of the src IPs, let me know and I can
> sniff a session to see what might be going on before the state mismatch
> occurs.
>
> --
> | Jeremy Chadwick                                 jdc at parodius.com |
> | Parodius Networking                       http://www.parodius.com/ |
> | UNIX Systems Administrator                  Mountain View, CA, USA |
> | Making life hard for others since 1977.              PGP: 4BD6C0CB |
>
>
> # $FreeBSD: src/etc/pf.conf,v 1.1.2.1 2004/09/17 18:27:14 mlaier Exp $
> # $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
> #
> # See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
> # Required order: options, normalization, queueing, translation, filtering.
> # Macros and tables may be defined and used anywhere.
> # Note that translation rules are first match while filter rules are last match.
>
> ext_if="bge0"
> int_if="bge1"
>
> # IANA-reserved netblocks.
> # SSH brute-force attacks
> table persist file "/conf/ME/pf.conf.iana-reserved"
> table persist file "/conf/ME/pf.conf.ssh-deny"
>
>
> # Options -- Internal options to pf itself.
> set optimization normal
> set loginterface $ext_if
> set skip on lo0
> set skip on $int_if
>
> # This helps decrease state-mismatch entries caused by port number re-use;
> # the pf state table keeps the state around for 100s (90s+10s internal)
> # by default; drop this down to 25s (15s+10s internal).
> set timeout { tcp.closed 15 }
>
>
> # Normalization -- reassemble fragments and resolve/reduce traffic ambiguities.
> #
> scrub in on $ext_if all fragment reassemble
> scrub out on $ext_if random-id
>
>
> # Filtering
> # - Block all inbound packets (on public interface only; see "set skip")
> # - Allow all outbound packets (on public interface only; see "set skip")
> #
> block in log all
> pass out quick all modulate state
>
> # Block traffic from IANA-reserved netblocks
> block in log quick on $ext_if inet from { } to any
>
> # Block traffic from SSH brute-force attackers
> block in log quick on $ext_if inet proto tcp from { } to any port ssh flags S/SA
>
> # Now we punch holes for services which we want to answer for on the
> # public interface. Look in /etc/services for service names. The
> # "sockstat -l" command might also come in handy.
> #
> pass in quick on $ext_if inet proto tcp from any to any port ssh modulate state flags S/SA
> pass in quick on $ext_if inet proto tcp from any to any port domain modulate state flags S/SA
> pass in quick on $ext_if inet proto udp from any to any port domain keep state
> pass in quick on $ext_if inet proto tcp from any to any port { http, https } modulate state flags S/SA
> pass in quick on $ext_if inet proto tcp from any to any port { smtp, smtps, submission } modulate state flags S/SA
> pass in quick on $ext_if inet proto tcp from any to any port auth modulate state flags S/SA
> pass in quick on $ext_if inet proto tcp from any to any port { imaps, pop3s } modulate state flags S/SA
>
> # Punch holes for FTP. The rule looks complex, so here it is explained:
> # - Make sure pass rule only applies to 72.20.106.8 (ftp.sc1.parodius.com)
> # - Permit incoming connections to port 21 (main FTP service)
> # - Permit incoming connections to ports 49152-65535 (FTP passive mode)
> # - TCP port 20 is actually for **outbound** connections in FTP active mode,
> #   and since we allow all outbound traffic, we don't need a rule for it.
> # - TCP ports 49152-65535 come from ftpd(8) and ip(4) manpages; there are
> #   sysctl(8) knobs for these, but we shouldn't mess with those.
> #
> pass in quick on $ext_if inet proto tcp from any to 72.20.106.8 port { ftp, 49152:65535 } modulate state flags S/SA
>
> # We also want to respond to incoming ICMP packets. This is necessary
> # for a lot of reasons; not just for ping/traceroute, but additionally
> # for things like path MTU discovery, network unreachable, source
> # quench, and other control messages that TCP and UDP rely on.
> #
> pass in quick on $ext_if inet proto icmp from any to any keep state
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 24 18:43:57 2008
Date: Thu, 24 Jan 2008 10:43:56 -0800 (PST)
From: Tommy Pham
To: freebsd-pf@freebsd.org
In-Reply-To: <4798CCD3.6050002@moneybookers.com>
Message-ID: <468875.8048.qm@web38211.mail.mud.yahoo.com>
Subject: Re: PF makes em0 taskq to eat 100% CPU

Hi Stefan,

I suggest you cvs the source to branch RELENG_7 and rebuild world kernel.
(Rebuilding kernel helps a little but still have performance hits.) I had
major performance issues with RC1 on my P3 box (128 RAM) with load hitting
6+ in top. Now the load averages at 0.15.

Regards,
Tommy

--- Stefan Lambrev wrote:

>
>
> Abdullah Ibn Hamad Al-Marri wrote:
> > ----- Original Message ----
> >
> >> From: Stefan Lambrev
> >> To: freebsd-pf@freebsd.org
> >> Sent: Thursday, January 24, 2008 6:39:41 PM
> >> Subject: PF makes em0 taskq to eat 100% CPU
> >>
> >> Hello,
> >>
> >> I'm doing some tests and benchmarks and I'm testing pf on bridge
> >> firewall.
> >> One of the specific tests is how PF will handle SYN flood from random
> >> source addresses.
> >> While the bridge is w/o activated PF, I see 12-14MB/s traffic.
> >> When I enable the PF the traffic drops to 2-5MB/s and I'm starting to
> >> see lost packets.
> >>
> >> Here is what top -S shows when PF is not active:
> >> 25 root   1 -68    -     0K    16K -       1  34:45 26.37% em0 taskq
> >> - only 26% CPU used
> >>
> >> but when I enable PF it (em0 taskq) goes up to 100% and packets are
> >> lost.
> >>
> >> Here is the pf.conf used for tests:
> >>
> >> #macros
> >> ext_if="em0"
> >> int_if="em1"
> >> br_if="bridge0"
> >>
> >> www="10.3.3.1"
> >>
> >> #sets
> >> set skip on lo0
> >> set skip on $int_if
> >> set skip on $br_if
> >> set limit states 20000000
> >> set limit src-nodes 15000
> >> set optimization aggressive
> >>
> >> table persist file "/etc/abusive_hosts"
> >>
> >> block log quick from to any
> >> block log quick from any to
> >>
> >> pass in quick on $ext_if proto tcp from any to $www port { 80, 443 } flags S/SA keep state \
> >>     (source-track rule, max-src-conn-rate 150/10, max-src-states 250, overload flush global)
> >>
> >> The number of states that I reach is little more than 2,000,000.
> >> (20,000,000 is the limit that I enforce)
> >> FreeBSD 7.0-RC1- Thu Jan 24 - amd64 - sched_ule
> >>
> >> Please advise.
> >>
> >> --
> >>
> >> Best Wishes,
> >> Stefan Lambrev
> >> ICQ# 24134177
> >>
> >>
> >
> > Hello Stefan,
> >
> > What version of FreeBSD do you use and what arch? what is your CPU
> > spec and what ram?
> >
> >
> FreeBSD 7.0-RC1 - Thu Jan 24 - amd64 - sched_ule, My CPU is Xeon(R)
> X3220 2.4 GHz - quad core, 2GB RAM
> I increased kern.ipc.nmbclusters=262144
> I find device polling quite helpful here - at least the CPUs are idle.
> >
> >
> > Regards,
> > -Abdullah Ibn Hamad Al-Marri
> > Arab Portal
> > http://www.WeArab.Net/
> >
> >
> > ____________________________________________________________________________________
> > Never miss a thing. Make Yahoo your home page.
> > http://www.yahoo.com/r/hs
> >
> >
> --
> Best Wishes,
> Stefan Lambrev
> ICQ# 24134177
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 24 18:44:10 2008
Message-ID: <755cb9fc0801241043k3b39b585keea0082988c2d0db@mail.gmail.com>
Date: Thu, 24 Jan 2008 18:43:41 +0000
From:
 "Alexandre Vieira"
To: freebsd-net@freebsd.org, freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
In-Reply-To: <755cb9fc0801151358k35cdd267x7500767925e5f3cc@mail.gmail.com>
References: <755cb9fc0801151129h6e519557g7ea33e4190196fed@mail.gmail.com>
 <478D1694.8010906@FreeBSD.org>
 <200801151529.32312.brad@comstyle.com>
 <755cb9fc0801151358k35cdd267x7500767925e5f3cc@mail.gmail.com>
Subject: Re: Relayd (former hoststated) status for freebsd 7.0RC1

On Jan 15, 2008 9:58 PM, Alexandre Vieira wrote:
>
>
> On Jan 15, 2008 8:29 PM, Brad wrote:
> >
> > On Tuesday 15 January 2008 15:24:52 Bruce M. Simpson wrote:
> > > Alexandre Vieira wrote:
> > > > Hello all,
> > > >
> > > > I remember that there was a port (net/hoststated) where I could
> > > > install hoststated to use with PF. Anyone can shed a light on what
> > > > is the status of this software implementation on 7.0?
> > > >
> > >
> > > Perhaps ports/net/ifstated is the answer?
> > >
> > > BMS
> >
> > ifstated and relayd (used to be hoststated) are for totally different
> > purposes.
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> >
> > _______________________________________________
> > freebsd-net@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-net
> > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
> >
>
> Hi, I meant hostated aka hoststated aka relayd.
> It's in Obsd base system and there was a port for freebsd not long ago.
>
> I've found the old port structure:
> http://people.freebsd.org/~flz/local/ports/hoststated/
> which stands for
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/flz/hoststated/hoststated-20070131.tgz
> .
>
> Many changes were committed since 07/01/31:
> http://kho.bonghongxanh.vn/pub/.disk0/ftp.openbsd.org/pub/OpenBSD/cvs/src/usr.sbin/relayd/Makefile,v
>
>
> Added flz@ to the loop.
> TIA for any effort to get this working.
>
> Kind Regards
>
>
>
> --
> Alexandre Vieira - nullpt@gmail.com
>

FYI

http://www.freshports.org/net/relayd/

kudos to kuriyama@

--
Alexandre Vieira - nullpt@gmail.com

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 24 18:50:27 2008
Date: Thu, 24 Jan 2008 10:50:27 -0800
From: Jeremy Chadwick
To: Tommy Pham
Cc: freebsd-pf@freebsd.org
Message-ID: <20080124185027.GA9600@eos.sc1.parodius.com>
References: <20080123084905.GA11909@eos.sc1.parodius.com>
 <698416.69586.qm@web38215.mail.mud.yahoo.com>
In-Reply-To: <698416.69586.qm@web38215.mail.mud.yahoo.com>
Subject: Re: RELENG_6 and blocked packes with state-mismatch
On Thu, Jan 24, 2008 at 10:35:07AM -0800, Tommy Pham wrote:
> Are your servers (web, mail, etc.) inside a LAN or DMZ behind the pf
> box? If so, you're missing NAT and rdr rules. It may help if you can
> make a network layout of your setup like
>
> Internet <---> router/firewall (FreeBSD pf box) <---> LAN
>                              ^
>                              |
>                              |
>                             DMZ

Good question -- nope, no NAT is being used. The machine which is doing
the pf filtering is directly on the Internet. It does not act as a
gateway for other machines on our LAN. I thought this was implied by
the state-mismatch logs I was showing, re: public Internet-facing IPs,
but I guess not. :-)

The physical wiring is literally this:

Internet <--> ISP CAT5e <--> HP ProCurve 2626 switch <--> FreeBSD boxes

The routing setup is simple: our co-lo provider handles the routing for
us. We're given an IP (on their Cisco router) which acts as a gateway
IP for our network block (72.20.106.0/25). There's no NAT or filtering
going on upstream -- this is a co-location facility.

Is it possible the state-mismatch logs shown are the result of a broken
IP stack on the visitors' machines (e.g. 71.62.42.150 and 75.136.198.15),
and pf is filtering it because the TCP state is truly out-of-order or
incorrect?

I haven't been able to find docs on what all of the counter descriptions
actually represent (e.g. state-mismatch, congestion, normalise,
bad-offset, ip-option, etc.); some are obvious, while others are not.

--
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, USA |
| Making life hard for others since 1977.
  PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 24 18:52:07 2008
Date: Thu, 24 Jan 2008 13:52:05 -0500
From: "Scott Ullrich"
To: "Alexandre Vieira"
In-Reply-To: <755cb9fc0801241043k3b39b585keea0082988c2d0db@mail.gmail.com>
References:
 <755cb9fc0801151129h6e519557g7ea33e4190196fed@mail.gmail.com>
 <478D1694.8010906@FreeBSD.org>
 <200801151529.32312.brad@comstyle.com>
 <755cb9fc0801151358k35cdd267x7500767925e5f3cc@mail.gmail.com>
 <755cb9fc0801241043k3b39b585keea0082988c2d0db@mail.gmail.com>
Cc: freebsd-net@freebsd.org, freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Relayd (former hoststated) status for freebsd 7.0RC1

On 1/24/08, Alexandre Vieira wrote:
> FYI
>
> http://www.freshports.org/net/relayd/
>
> kudos to kuriyama@
>
> --
> Alexandre Vieira - nullpt@gmail.com

Yay! Thanks to everyone involved in bringing this over. I was about to
start porting this and you just saved me a lot of time :)

Scott

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 01:04:34 2008
Date: Thu, 24 Jan 2008 16:03:35 -0800
From: Gavin Spomer
To: freebsd-pf@freebsd.org
Message-id: <4798B6D70200009000012FAB@hermes.cwu.edu>
Subject: How does /dev/pf get created?

I have followed the instructions in the FreeBSD Handbook for implementing
pf, but when I run pfctl -e, I get:

"pfctl: /dev/pf: No such file or directory".

I do an ls of /dev and sure enough, there's no pf device. I have googled
for a couple of days (!) and my fingers are about to fall off and am
losing my sanity. What do I have to do to get pf going?

Here is what I HAVE done:

1. I built a custom kernel following the instructions in the FreeBSD
Handbook. Specifically for pf I added:
device pf
device pflog
device pfsync

2. I added the following to /etc/rc.conf:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_logfile="/var/log/pflog"

3. I rebooted and tried pfctl -e again. No dice. Grrrrr.

I am using 6.2-RELEASE. What's a guy gotta do to get a firewall around
here?
;)

Gavin Spomer
Systems Programmer
Brooks Library
Central Washington University

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 01:17:50 2008
Date: Thu, 24 Jan 2008 17:17:48 -0800 (PST)
From: Tommy Pham
To: freebsd-pf@freebsd.org
In-Reply-To: <4798B6D70200009000012FAB@hermes.cwu.edu>
Message-ID: <340877.6112.qm@web38214.mail.mud.yahoo.com>
Subject: Re: How does /dev/pf get created?

Hi Gavin,

Check your /etc/make.conf. I remember that you can disable it if
NO_PF=YES is not commented out.
Also, I remember reading it somewhere that pf requires 'device bpf' in
the kernel (which you might want to check for that too). I presume you
used a copy of GENERIC kernel file and comment out what you don't
need...? If so, did you specify the kernel file name in the
/etc/make.conf or in the command line KERNCONF=?

Regards,
Tommy

--- Gavin Spomer wrote:

> I have followed the instructions in the FreeBSD Handbook for
> implementing pf, but when I run pfctl -e, I get:
>
> pfctl: /dev/pf: No such file or directory".
>
> I do an ls of /dev and sure enough, there's no pf device. I have
> googled for a couple of days (!) and my fingers are about to fall off
> and am losing my sanity. What do I have to do to get pf going?
>
> Here is what I HAVE done:
>
> 1. I built a custom kernel following the instructions in the FreeBSD
> Handbook. Specifically for pf I added:
> device pf
> device pflog
> device pfsync
>
> 2. I added the following to /etc/rc.conf:
> pf_enable="YES"
> pf_rules="/etc/pf.conf"
> pf_flags=""
> pflog_logfile="/var/log/pflog"
>
> 3. I rebooted and tried pfctl -e again. No dice. Grrrrr.
>
> I am using 6.2-RELEASE. What's a guy gotta do to get a firewall
> around here?
> ;)
>
> Gavin Spomer
> Systems Programmer
> Brooks Library
> Central Washington University
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 07:01:57 2008
Date: Fri, 25 Jan 2008 10:57:58 +0400 (GST)
From: Rakhesh Sasidharan
To: freebsd-pf@freebsd.org
Message-ID: <20080125105622.L51665@dogmatix.home.rakhesh.com>
Subject: CARP and FreeBSD 6.3 (fwd)
(Hi! I had sent this to freebsd-questions first. Didn't get a response,
so sending it to freebsd-pf. It's a CARP question.)

> Hi,
>
> I have two machines. Each have two interfaces, xl0 and fxp0. And each
> have two carp interfaces -- carp1 (xl0 of both) and carp2 (fxp0 of
> both). One of the machines is master, the other is backup.
>
> I also have the following sysctl set: net.inet.carp.preempt -> 1
>
> My understanding is that if I down one of the interfaces on the master
> machine (say ''ifconfig xl0 down''), then both carp interfaces on the
> master will be marked as down. And the backup will become the new
> master. Later, when the interface is marked up (''ifconfig xl0 up''),
> the old master will resume control. This is my understanding and
> that's how things were till yesterday (when I was on FreeBSD 6.2/i386
> with both machines).
>
> Today morning I upgraded both machines to FreeBSD 6.3 and that does
> not seem to be the case any more.
>
> Now, on the master machine when I down the xl0 interface, only carp1
> (the group containing xl0) goes into init state (and the other
> machine's carp1 interface becomes the new master). Ditto for fxp0 and
> carp2. So in essence, the net.inet.carp.preempt=1 sysctl does not seem
> to be working as expected which is unlike how things were in FreeBSD
> 6.2.
>
> Has something changed with regards to carp between FreeBSD 6.2 and
> 6.3? Any one else encountering a similar problem?

I happened to reboot the machines now while sitting at the console. And
I noticed that the master machine emits an error like ''carp2:
incorrect hash'' while booting up. Checking the console logs showed me
that the errors have been appearing ever since I upgraded the machine.
Most of the times it was to do with carp2, once it was to do with
carp1.

Here's the relevant bits of my rc.conf file from the master machine.
---8<--
ifconfig_fxp0="inet 192.168.10.10 netmask 255.255.255.0 polling"
ifconfig_fxp0_alias0="inet 192.168.10.11 netmask 255.255.255.255"
ifconfig_xl0="inet 192.168.20.20 netmask 255.255.255.0 polling"
cloned_interfaces="carp1 carp2"
ifconfig_carp1="vhid 1 pass password advskew 0 192.168.10.2 netmask 255.255.255.0"
ifconfig_carp2_alias0="vhid 2 pass password advskew 0 192.168.20.1 netmask 255.255.255.0"
ifconfig_carp2_alias1="vhid 2 pass password advskew 0 192.168.20.2 netmask 255.255.255.0"
---8<--

It's the same on the backup machine, except for the different IPs for
fxp0 and xl0.

Thanks,
Rakhesh

---
http://rakhesh.net/

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 07:06:10 2008
Date: Fri, 25 Jan 2008 10:56:04 +0400 (GST)
To: Gilberto Villani Brito
In-Reply-To: <6e6841490801221122p108f8196x9c50f216cccac956@mail.gmail.com>
Message-ID: <20080125105447.K51665@dogmatix.home.rakhesh.com>
References: <20080122185929.A35598@obelix.home.rakhesh.com>
 <20080122193545.N35750@obelix.home.rakhesh.com>
 <6e6841490801221122p108f8196x9c50f216cccac956@mail.gmail.com>
From: Rakhesh Sasidharan
Cc: freebsd-pf@freebsd.org
Subject: Re: ping: sendto: No buffer space available

Gilberto Villani Brito wrote:

> Try use those options in your pf.conf:
> set limit { states 1000000000, src-nodes 1000000000, frags 50000000 }

I did this. After about a day of usage and no significant uploads/
downloads (unlike the previous two times) I started getting the same
problems.

I am on FreeBSD 6.3/i386 now. Upgraded day-before.

Thanks,
Rakhesh

>
> --
> Gilberto Villani Brito
> System Administrator
> Londrina - PR
> Brazil
> gilbertovb(a)gmail.com
>
>
> On 22/01/2008, Rakhesh Sasidharan wrote:
>>
>> Update below ...
>>
>>> Hi,
>>>
>>> I am running PF on a FreeBSD 6.2/i386 machine. Started doing so abt
>>> a week ago. In case it matters, this machine is the master in a CARP
>>> group with another machine. Both of them run PF and have pfsync to
>>> keep things in sync.
>>>
>>> What happens is that after a day or so of heavy usage (downloading
>>> some torrents and doing a portinstall/ portupgrade/ copying stuff to
>>> other machines on my LAN simultaneously), this PF FreeBSD machine
>>> stops responding to the network.
>>>
>>> The machine is perfectly fine. I can login and do stuff, just that
>>> its as if it's disconnected from the network.
>>>
>>> When I ping another host on the LAN, this is what I get:
>>> PING 192.168.17.13 (192.168.17.13): 56 data bytes
>>> ping: sendto: No buffer space available
>>> ping: sendto: No buffer space available
>>> ping: sendto: No buffer space available
>>> ^C
>>> --- 192.168.17.13 ping statistics ---
>>>
>>> Now, if I disable PF (pfctl -d) things start to work!
>>>
>>> And after that if I enable PF (pfctl -e) things continue to work.
>>>
>>> So it pretty much looks like a PF problem. Searching this list's
>>> archives I found one old thread
>>> (http://article.gmane.org/gmane.os.freebsd.devel.pf4freebsd/1745)
>>> that mentions a similar problem. Only, there re-enabling PF didn't
>>> solve the problem (though reloading with a re-read of the rules
>>> helped).
>>>
>>> This problem's happened twice over the last week.
>>>
>>> Based on the previous thread, I thought the following outputs might
>>> be useful.
>>>
>>> Output of ''pfctl -si'':
>>> Interface Stats for xl0              IPv4             IPv6
>>>   Bytes In                     1778679531                0
>>>   Bytes Out                     424820294                0
>>>   Packets In
>>>     Passed                        2178377                0
>>>     Blocked                         14705                0
>>>   Packets Out
>>>     Passed                        1911568                0
>>>     Blocked                         74601                0
>>>
>>> State Table                          Total             Rate
>>>   current entries                      632
>>>   searches                        18330505         10534.8/s
>>>   inserts                           335629           192.9/s
>>>   removals                          334997           192.5/s
>>> Counters
>>>   match                             551629           317.0/s
>>>   bad-offset                             0             0.0/s
>>>   fragment                               0             0.0/s
>>>   short                                  0             0.0/s
>>>   normalize                              0             0.0/s
>>>   memory                                 0             0.0/s
>>>   bad-timestamp                          0             0.0/s
>>>   congestion                             0             0.0/s
>>>   ip-option                             21             0.0/s
>>>   proto-cksum                            0             0.0/s
>>>   state-mismatch                     12159             7.0/s
>>>   state-insert                          61             0.0/s
>>>   state-limit                            0             0.0/s
>>>   src-limit                              0             0.0/s
>>>   synproxy                             998             0.6/s
>>>
>>> I have the following line in my /etc/pf.conf file. So I suppose I'm
>>> not running out of state table entries either ...
>>> set limit { states 20000, frags 10000, src-nodes 2000 }
>>>
>>> Finally, here's the output of ''netstat -m'':
>>> 324/666/990 mbufs in use (current/cache/total)
>>> 322/308/630/32768 mbuf clusters in use (current/cache/total/max)
>>> 320/192 mbuf+clusters out of packet secondary zone in use (current/cache)
>>> 0/0/0/0 4k (page size) jumbo clusters in use (current/cache/total/max)
>>> 0/0/0/0 9k jumbo clusters in use (current/cache/total/max)
>>> 0/0/0/0 16k jumbo clusters in use (current/cache/total/max)
>>> 725K/782K/1507K bytes allocated to network (current/cache/total)
>>> 0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
>>> 0/0/0 requests for jumbo clusters denied (4k/9k/16k)
>>> 0/7/6656 sfbufs in use (current/peak/max)
>>> 0 requests for sfbufs denied
>>> 0 requests for sfbufs delayed
>>> 0 requests for I/O initiated by sendfile
>>> 67 calls to protocol drain routines
>>>
>>> Any suggestions what I can do to troubleshoot?
>>>
>>> Thanks.
>>> Rakhesh
>>>
>>> ps. Forgot to mention: yes, my rules have some ''rdr'' rules. That's
>>> another similarity with the problem in the previous thread.
>>>
>>> ps2. When the problem happens, this machine goes down to a backup
>>> status (for CARP). However, once I restart PF, even though things
>>> work fine otherwise, the status does not return to master. Mentioning
>>> in case that means something ... (I have the appropriate sysctls and
>>> advskew set for this machine to become a master when things are
>>> restored. It works usually, except in this situation).
>>>
>>
>> Turns out disabling and enabling PF doesn't solve the problem
>> permanently. After trying an NFS copy, the machine started having
>> problems again! I don't think it copied anything more than 5-10MB of
>> data before losing connectivity!
>>
>> The only solution then was to do a ''/etc/rc.d/pf reload''. Since this
>> reloads the rules too it solves the problem. So my problem is same as
>> that in the thread I mentioned.
>>
>> Please help.
>> >> Thanks, >> Rakhesh >> >> --- >> http://rakhesh.net/ >> _______________________________________________ >> freebsd-pf@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-pf >> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" >> > Rakhesh --- http://rakhesh.net/ From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 12:03:26 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4005816A418 for ; Fri, 25 Jan 2008 12:03:26 +0000 (UTC) (envelope-from stefan.lambrev@moneybookers.com) Received: from blah.sun-fish.com (blah.sun-fish.com [217.18.249.150]) by mx1.freebsd.org (Postfix) with ESMTP id 0578F13C45D for ; Fri, 25 Jan 2008 12:03:25 +0000 (UTC) (envelope-from stefan.lambrev@moneybookers.com) Received: by blah.sun-fish.com (Postfix, from userid 1002) id A0BCC1B10EE0; Fri, 25 Jan 2008 13:03:24 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on blah.cmotd.com X-Spam-Level: X-Spam-Status: No, score=-10.6 required=5.0 tests=ALL_TRUSTED,BAYES_00 autolearn=ham version=3.2.3 Received: from hater.haters.org (unknown [192.168.25.10]) by blah.sun-fish.com (Postfix) with ESMTP id 315C71B10EF6 for ; Fri, 25 Jan 2008 13:03:21 +0100 (CET) Message-ID: <4799D008.8020201@moneybookers.com> Date: Fri, 25 Jan 2008 14:03:20 +0200 From: Stefan Lambrev User-Agent: Thunderbird 2.0.0.9 (X11/20071120) MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: <4798B13D.4080701@moneybookers.com> In-Reply-To: <4798B13D.4080701@moneybookers.com> Content-Type: text/plain; charset=windows-1251; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: ClamAV 0.91.2/5550/Fri Jan 25 08:02:45 2008 on blah.cmotd.com X-Virus-Status: Clean Subject: Re: PF makes em0 taskq to eat 100% CPU X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about 
packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Jan 2008 12:03:26 -0000

Greets,

Thanks to Kris Kennaway I was able to get pmc profiling working. Here is the "top" while flooding a target behind the firewall:

  %   cumulative   self              self     total
 time   seconds   seconds    calls  ms/call  ms/call  name
 24.4  231689.00 231689.00        0  100.00%          _mtx_lock_sleep [1]
  6.5  293004.00  61315.00        0  100.00%          pf_state_compare_ext_gwy [2]
  6.4  353672.00  60668.00        0  100.00%          pf_src_compare [3]
  3.8  389565.00  35893.00        0  100.00%          pf_state_compare_lan_ext [4]
  3.5  422911.00  33346.00        0  100.00%          pf_test [5]
  3.2  453703.00  30792.00        0  100.00%          bcopy [6]
  2.9  481264.00  27561.00        0  100.00%          pf_test_tcp [7]
  2.1  501546.00  20282.00        0  100.00%          pfsync_pack_state [8]
  2.0  520685.00  19139.00        0  100.00%          pf_state_compare_id [9]
  2.0  539293.00  18608.00        0  100.00%          bridge_pfil [10]
  1.6  554228.00  14935.00        0  100.00%          uma_zfree_arg [11]
  1.5  568593.00  14365.00        0  100.00%          uma_zalloc_arg [12]
  1.4  581556.00  12963.00        0  100.00%          bzero [13]
  1.2  592594.00  11038.00        0  100.00%          bus_dmamap_load_mbuf_sg [14]
  1.1  603052.00  10458.00        0  100.00%          bridge_rtnode_lookup [15]
  1.1  613173.50  10121.50        0  100.00%          _rw_rlock [16]
  1.0  622984.50   9811.00        0  100.00%          rn_match [17]
  1.0  632477.00   9492.50        0  100.00%          pf_state_tree_id_RB_REMOVE [18]
  0.9  641356.00   8879.00        0  100.00%          bridge_forward [19]
  0.9  649984.00   8628.00        0  100.00%          em_encap [20]
  0.9  658479.00   8495.00        0  100.00%          _rw_runlock [21]

So the kernel spends 24.4% waiting for _mtx_lock_sleep .. I think something is really wrong here.
I'll make profiling with polling enabled on network interfaces.
-- Best Wishes, Stefan Lambrev ICQ# 24134177 From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 13:51:41 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0BBB916A419 for ; Fri, 25 Jan 2008 13:51:41 +0000 (UTC) (envelope-from linux@giboia.org) Received: from an-out-0708.google.com (an-out-0708.google.com [209.85.132.242]) by mx1.freebsd.org (Postfix) with ESMTP id CDBB713C448 for ; Fri, 25 Jan 2008 13:51:40 +0000 (UTC) (envelope-from linux@giboia.org) Received: by an-out-0708.google.com with SMTP id c14so175546anc.13 for ; Fri, 25 Jan 2008 05:51:40 -0800 (PST) Received: by 10.100.31.3 with SMTP id e3mr4120399ane.112.1201267415297; Fri, 25 Jan 2008 05:23:35 -0800 (PST) Received: by 10.100.91.18 with HTTP; Fri, 25 Jan 2008 05:23:35 -0800 (PST) Message-ID: <6e6841490801250523u67a55707g77d13356125283fa@mail.gmail.com> Date: Fri, 25 Jan 2008 11:23:35 -0200 From: "Gilberto Villani Brito" To: "FreeBSD (PF)" In-Reply-To: <20080125105447.K51665@dogmatix.home.rakhesh.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <20080122185929.A35598@obelix.home.rakhesh.com> <20080122193545.N35750@obelix.home.rakhesh.com> <6e6841490801221122p108f8196x9c50f216cccac956@mail.gmail.com> <20080125105447.K51665@dogmatix.home.rakhesh.com> Subject: Re: ping: sendto: No buffer space available X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Jan 2008 13:51:41 -0000 On 25/01/2008, Rakhesh Sasidharan wrote: > Gilberto Villani Brito wrote: > > > Try use those options in your pf.conf: > > set limit { states 1000000000, src-nodes 1000000000, frags 50000000 } > > I did this. 
After about a day of usage and no significant uploads/
> downloads (unlike the previous two times) I started getting the same
> problems.
>
> I am on FreeBSD 6.3/i386 now. Upgraded day-before.
>
> Thanks,
> Rakhesh
>
>
> > --
> > Gilberto Villani Brito
> > System Administrator
> > Londrina - PR
> > Brazil
> > gilbertovb(a)gmail.com
> >
> >
> > On 22/01/2008, Rakhesh Sasidharan wrote:
> >>
> >> Update below ...
> >>
> >>> Hi,
> >>>
> >>> I am running PF on a FreeBSD 6.2/i386 machine. Started doing so about a week
> >>> ago. In case it matters, this machine is the master in a CARP group with
> >>> another machine. Both of them run PF and have pfsync to keep things in sync.
> >>>
> >>> What happens is that after a day or so of heavy usage (downloading some
> >>> torrents and doing a portinstall/ portupgrade/ copying stuff to other
> >>> machines on my LAN simultaneously), this PF FreeBSD machine stops responding
> >>> to the network.
> >>>
> >>> The machine is perfectly fine. I can login and do stuff, just that it's as if
> >>> it's disconnected from the network.
> >>>
> >>> When I ping another host on the LAN, this is what I get:
> >>> PING 192.168.17.13 (192.168.17.13): 56 data bytes
> >>> ping: sendto: No buffer space available
> >>> ping: sendto: No buffer space available
> >>> ping: sendto: No buffer space available
> >>> ^C
> >>> --- 192.168.17.13 ping statistics ---
> >>>
> >>> Now, if I disable PF (pfctl -d) things start to work!
> >>>
> >>> And after that if I enable PF (pfctl -e) things continue to work.
> >>>
> >>> So it pretty much looks like a PF problem. Searching this list's archives I
> >>> found one old thread
> >>> (http://article.gmane.org/gmane.os.freebsd.devel.pf4freebsd/1745) that
> >>> mentions a similar problem. Only, there re-enabling PF didn't solve the
> >>> problem (though reloading with a re-read of the rules helped).
> >>>
> >>> This problem's happened twice over the last week.
> >>>
> >>> Based on the previous thread, I thought the following outputs might be useful.
> >>>
> >>> Output of ''pfctl -si'':
> >>> Interface Stats for xl0              IPv4        IPv6
> >>>   Bytes In                     1778679531           0
> >>>   Bytes Out                     424820294           0
> >>>   Packets In
> >>>     Passed                        2178377           0
> >>>     Blocked                         14705           0
> >>>   Packets Out
> >>>     Passed                        1911568           0
> >>>     Blocked                         74601           0
> >>>
> >>> State Table                          Total        Rate
> >>>   current entries                       632
> >>>   searches                         18330505     10534.8/s
> >>>   inserts                            335629       192.9/s
> >>>   removals                           334997       192.5/s
> >>> Counters
> >>>   match                              551629       317.0/s
> >>>   bad-offset                              0         0.0/s
> >>>   fragment                                0         0.0/s
> >>>   short                                   0         0.0/s
> >>>   normalize                               0         0.0/s
> >>>   memory                                  0         0.0/s
> >>>   bad-timestamp                           0         0.0/s
> >>>   congestion                              0         0.0/s
> >>>   ip-option                              21         0.0/s
> >>>   proto-cksum                             0         0.0/s
> >>>   state-mismatch                      12159         7.0/s
> >>>   state-insert                           61         0.0/s
> >>>   state-limit                             0         0.0/s
> >>>   src-limit                               0         0.0/s
> >>>   synproxy                              998         0.6/s
> >>>
> >>> I have the following line in my /etc/pf.conf file. So I suppose I'm not
> >>> running out of state table entries either ...
> >>> set limit { states 20000, frags 10000, src-nodes 2000 }
> >>>
> >>> Finally, here's the output of ''netstat -m'':
> >>> 324/666/990 mbufs in use (current/cache/total)
> >>> 322/308/630/32768 mbuf clusters in use (current/cache/total/max)
> >>> 320/192 mbuf+clusters out of packet secondary zone in use (current/cache)
> >>> 0/0/0/0 4k (page size) jumbo clusters in use (current/cache/total/max)
> >>> 0/0/0/0 9k jumbo clusters in use (current/cache/total/max)
> >>> 0/0/0/0 16k jumbo clusters in use (current/cache/total/max)
> >>> 725K/782K/1507K bytes allocated to network (current/cache/total)
> >>> 0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
> >>> 0/0/0 requests for jumbo clusters denied (4k/9k/16k)
> >>> 0/7/6656 sfbufs in use (current/peak/max)
> >>> 0 requests for sfbufs denied
> >>> 0 requests for sfbufs delayed
> >>> 0 requests for I/O initiated by sendfile
> >>> 67 calls to protocol drain routines
> >>>
> >>> Any suggestions what I can do to troubleshoot?
> >>>
> >>> Thanks.
> >>> Rakhesh
> >>>
> >>> ps. Forgot to mention: yes, my rules have some ''rdr'' rules. That's another
> >>> similarity with the problem in the previous thread.
> >>>
> >>> ps2. When the problem happens, this machine goes down to a backup status (for
> >>> CARP). However, once I restart PF, even though things work fine otherwise,
> >>> the status does not return to master. Mentioning in case that means something
> >>> ... (I have the appropriate sysctls and advskew set for this machine to
> >>> become a master when things are restored. It works usually, except in this
> >>> situation).
> >>>
> >>
> >> Turns out disabling and enabling PF doesn't solve the problem permanently.
> >> After trying an NFS copy, the machine started having problems again! I
> >> don't think it copied anything more than 5-10MB of data before losing
> >> connectivity!
> >>
> >> The only solution then was to do a ''/etc/rc.d/pf reload''.
Since this > >> reloads the rules too it solves the problem. So my problem is same as that > >> in the thread I mentioned. > >> > >> Please help. > >> > >> Thanks, > >> Rakhesh > >> > >> --- > >> http://rakhesh.net/ > >> _______________________________________________ > >> freebsd-pf@freebsd.org mailing list > >> http://lists.freebsd.org/mailman/listinfo/freebsd-pf > >> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > >> > > > > Rakhesh > > --- > http://rakhesh.net/ > Are you using hfsc, cbq or other thing to control the bandwidth ??? -- Gilberto Villani Brito System Administrator Londrina - PR Brazil gilbertovb(a)gmail.com From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 14:14:03 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3D23416A421 for ; Fri, 25 Jan 2008 14:14:03 +0000 (UTC) (envelope-from rakhesh@rakhesh.com) Received: from wr-out-0506.google.com (wr-out-0506.google.com [64.233.184.226]) by mx1.freebsd.org (Postfix) with ESMTP id 05ADB13C46B for ; Fri, 25 Jan 2008 14:14:02 +0000 (UTC) (envelope-from rakhesh@rakhesh.com) Received: by wr-out-0506.google.com with SMTP id 68so354434wra.13 for ; Fri, 25 Jan 2008 06:14:02 -0800 (PST) Received: by 10.143.162.8 with SMTP id p8mr1217212wfo.49.1201270441106; Fri, 25 Jan 2008 06:14:01 -0800 (PST) Received: from smtp.home.rakhesh.com ( [82.178.100.29]) by mx.google.com with ESMTPS id i12sm4583592wxd.31.2008.01.25.06.13.53 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 25 Jan 2008 06:13:58 -0800 (PST) Received: from dogmatix (dogmatix [192.168.17.31]) by smtp.home.rakhesh.com (Postfix) with ESMTP id 71BB21140C for ; Fri, 25 Jan 2008 18:12:24 +0400 (GST) Date: Fri, 25 Jan 2008 18:12:39 +0400 (GST) X-X-Sender: rakhesh@dogmatix.home.rakhesh.com To: "FreeBSD (PF)" In-Reply-To: <6e6841490801250523u67a55707g77d13356125283fa@mail.gmail.com> Message-ID: 
<20080125181146.G78711@dogmatix.home.rakhesh.com> References: <20080122185929.A35598@obelix.home.rakhesh.com> <20080122193545.N35750@obelix.home.rakhesh.com> <6e6841490801221122p108f8196x9c50f216cccac956@mail.gmail.com> <20080125105447.K51665@dogmatix.home.rakhesh.com> <6e6841490801250523u67a55707g77d13356125283fa@mail.gmail.com> X-Blog: http://rakhesh.com/ X-Notes: http://rakhesh.net/ MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed From: Rakhesh Sasidharan Subject: Re: ping: sendto: No buffer space available X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Jan 2008 14:14:03 -0000 Gilberto Villani Brito wrote: > On 25/01/2008, Rakhesh Sasidharan wrote: >> Gilberto Villani Brito wrote: >> >>> Try use those options in your pf.conf: >>> set limit { states 1000000000, src-nodes 1000000000, frags 50000000 } >> >> I did this. After about a day of usage and no significant uploads/ >> downloads (unlike the previous two times) I started getting the same >> problems. >> >> I am on FreeBSD 6.3/i386 now. Upgraded day-before. >> >> Thanks, >> Rakhesh >> > > Are you using hfsc, cbq or other thing to control the bandwidth ??? > Yes, I am using cbq. Sorry, I forgot to mention it earlier ... 
Thanks, Rakhesh --- http://rakhesh.net/ From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 14:46:18 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1D95216A419 for ; Fri, 25 Jan 2008 14:46:18 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [IPv6:2001:6f8:1098::2]) by mx1.freebsd.org (Postfix) with ESMTP id CD78113C44B for ; Fri, 25 Jan 2008 14:46:17 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (localhost.benzedrine.cx [127.0.0.1]) by insomnia.benzedrine.cx (8.14.1/8.13.4) with ESMTP id m0PEkH4D008535 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Fri, 25 Jan 2008 15:46:17 +0100 (MET) Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.14.1/8.12.10/Submit) id m0PEkHjb003332; Fri, 25 Jan 2008 15:46:17 +0100 (MET) Date: Fri, 25 Jan 2008 15:46:17 +0100 From: Daniel Hartmeier To: Rakhesh Sasidharan Message-ID: <20080125144617.GL26684@insomnia.benzedrine.cx> References: <20080122185929.A35598@obelix.home.rakhesh.com> <20080122193545.N35750@obelix.home.rakhesh.com> <6e6841490801221122p108f8196x9c50f216cccac956@mail.gmail.com> <20080125105447.K51665@dogmatix.home.rakhesh.com> <6e6841490801250523u67a55707g77d13356125283fa@mail.gmail.com> <20080125181146.G78711@dogmatix.home.rakhesh.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20080125181146.G78711@dogmatix.home.rakhesh.com> User-Agent: Mutt/1.5.12-2006-07-14 Cc: "FreeBSD \(PF\)" Subject: Re: ping: sendto: No buffer space available X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 
Jan 2008 14:46:18 -0000 On Fri, Jan 25, 2008 at 06:12:39PM +0400, Rakhesh Sasidharan wrote: > Yes, I am using cbq. Sorry, I forgot to mention it earlier ... Well, disable it temporarily and see if the problem goes away... If you set up queueing, and the queue you assign ICMP to is full, what do you expect happens when ping tries to send an ICMP echo request? Have you checked the run-time statistics of the queues (pfctl -vvsq), any correlation between drops and ping error messages? Daniel From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 15:44:09 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9A85616A494 for ; Fri, 25 Jan 2008 15:44:09 +0000 (UTC) (envelope-from spomerg@cwu.EDU) Received: from scylla.cts.cwu.edu (scylla.cts.cwu.edu [198.104.67.151]) by mx1.freebsd.org (Postfix) with ESMTP id 8D34F13C4CE for ; Fri, 25 Jan 2008 15:44:09 +0000 (UTC) (envelope-from spomerg@cwu.EDU) Received: from CONVERSION-CWU-DAEMON.SCYLLA.CTS.CWU.EDU by SCYLLA.CTS.CWU.EDU (PMDF V6.3-x13 #31358) id <01MQI3LZXQCG001U6S@SCYLLA.CTS.CWU.EDU> for freebsd-pf@freebsd.org; Fri, 25 Jan 2008 07:44:08 -0800 (PST) Received: from hermes.cwu.edu (hermes.cwu.edu [172.16.21.28]) by SCYLLA.CTS.CWU.EDU (PMDF V6.3-x13 #31358) with ESMTP id <01MQI3LZR0AK001UAU@SCYLLA.CTS.CWU.EDU> for freebsd-pf@freebsd.org; Fri, 25 Jan 2008 07:44:08 -0800 (PST) Received: from cwugate1-MTA by hermes.cwu.edu with Novell_GroupWise; Fri, 25 Jan 2008 07:44:08 -0800 Date: Fri, 25 Jan 2008 07:43:54 -0800 From: Gavin Spomer To: freebsd-pf@freebsd.org Message-id: <4799933A0200009000012FFC@hermes.cwu.edu> MIME-version: 1.0 X-Mailer: Novell GroupWise Internet Agent 7.0.2 HP Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: quoted-printable Content-disposition: inline Subject: Re: How does /dev/pf get created? 
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Jan 2008 15:44:09 -0000

First of all, thanks! :)

>>> Tommy Pham 01/24/08 5:17 PM >>>
Check your /etc/make.conf. I remember that you can disable it if NO_PF=YES is not commented out.

I only have 3 lines in my /etc/make.conf: a comment and 2 lines about what perl to use. Is NO_PF=YES the default if not specified? In that case adding NO_PF=NO and then building may work.

Also, I remember reading it somewhere that pf requires 'device bpf' in the kernel (which you might want to check for that too).

I read that somewhere too and it is indeed left uncommented.

I presume you used a copy of GENERIC kernel file and comment out what you don't need...?

That is correct. I did: cp GENERIC MACHINEHOSTNAME and edited MACHINEHOSTNAME w/ vim.

If so, did you specify the kernel file name in the /etc/make.conf or in the command line KERNCONF=?

I did it via the command line:
make buildkernel KERNCONF=MACHINEHOSTNAME
make installkernel KERNCONT=MACHINEHOSTNAME

Shouldn't having "device pf" in MACHINEHOSTNAME file and building provide /dev/pf?

I have such a vanilla installation of FreeBSD, it's hard for me to see where I went wrong. I seem to have all the components of pf except /dev/pf. I have /sbin/pfctl, /etc/pf.conf, /boot/kernel/pf.ko, /boot/kernel/pflog.ko and the appropriate stuff I mentioned in /etc/rc.conf and probably others as well. I just don't have /dev/pf. How does this get created?

Regards,
Tommy

--- Gavin Spomer wrote:

> I have followed the instructions in the FreeBSD Handbook for
> implementing pf, but when I run pfctl -e, I get:
>
> pfctl: /dev/pf: No such file or directory".
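The things Gavin is checking by hand above (make.conf, the kernel config, rc.conf, what kldstat shows) as one script. This is an added example, not code from the thread or from FreeBSD. It encodes what the thread goes on to establish: /dev/pf exists only while the pf module is loaded (kldloaded via pf_enable in rc.conf, or compiled in with "device pf"), and NO_xxx knobs in make.conf are tested for being defined, not for their value, so NO_PF=NO still disables the pf userland. The two kldstat listings are the ones posted in this thread; the kernel-config path built from uname -m and uname -i in --live mode is an assumption about a stock /usr/src layout, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD: checks for the usual
# reasons /dev/pf is missing.  Each check takes file/command output as a
# string so it can be exercised on sample text; "--live" runs them on the box.

# Two kldstat(8) listings as posted in the thread: one where pf.ko is loaded
# (Jeremy's) and one where it is not (Gavin's).
KLDSTAT_WITH_PF='Id Refs Address    Size     Name
 1    6 0xc0400000 3f5b50   kernel
 2    1 0xc07f6000 64340    acpi.ko
 4    2 0xc81b5000 2e000    pf.ko
 6    1 0xcaf50000 3000     pflog.ko'

KLDSTAT_WITHOUT_PF='Id Refs Address    Size     Name
 1    8 0xc0400000 44c4e0   kernel
 2    1 0xc084d000 2364     accf_http.ko
 3    1 0xc0850000 59f20    acpi.ko
 4    1 0xc881d000 16000    linux.ko
 5    1 0xc8833000 4000     sysvshm.ko'

# pf_in_kldstat TEXT: 0 if the listing shows pf.ko.  A kernel built with
# "device pf" has pf compiled in and shows no pf.ko line, so a miss here is
# not conclusive on its own; kernconf_has_pf covers that path.
pf_in_kldstat() {
    printf '%s\n' "$1" | awk '$5 == "pf.ko" { found = 1 } END { exit !found }'
}

# rc_enables_pf TEXT: 0 if the rc.conf text turns pf_enable on.  Comment lines
# are skipped, a trailing comment is stripped, the last assignment wins (as sh
# would evaluate the file), and the value is compared the way rc.subr's
# checkyesno does (yes/true/on/1, any case).
rc_enables_pf() {
    printf '%s\n' "$1" | awk -F= '
        /^[[:space:]]*#/ { next }
        $1 ~ /^[[:space:]]*pf_enable[[:space:]]*$/ {
            v = $2; sub(/#.*/, "", v); gsub(/[^A-Za-z0-9]/, "", v)
            last = tolower(v)
        }
        END { exit !(last == "yes" || last == "true" || last == "on" || last == "1") }'
}

# make_conf_disables_pf TEXT: 0 if make.conf defines NO_PF at all.  NO_xxx
# knobs are tested for being defined, not for their value, so NO_PF=NO still
# drops pfctl and friends from buildworld.
make_conf_disables_pf() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*NO_PF([[:space:]]|=|$)'
}

# kernconf_has_pf TEXT: 0 if the kernel config has an uncommented "device pf"
# (not "device pflog", which is a different driver).
kernconf_has_pf() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*device[[:space:]]+pf([[:space:]]|$)'
}

# diagnose KLDSTAT RCCONF MAKECONF KERNCONF: one line per finding; returns 0
# when pf is loaded or built in, 1 when nothing would create /dev/pf.
diagnose() {
    ok=1
    if pf_in_kldstat "$1"; then
        echo "pf.ko is loaded; /dev/pf should exist (ls -l /dev/pf)"
        ok=0
    elif kernconf_has_pf "$4"; then
        echo "no pf.ko, but the kernel config has 'device pf': pf is built in if this config is the running kernel (uname -i)"
        ok=0
    else
        echo "pf is neither loaded as a module nor in the kernel config: nothing creates /dev/pf"
    fi
    if rc_enables_pf "$2"; then
        echo "rc.conf turns pf_enable on, so /etc/rc.d/pf kldloads pf.ko at boot"
    else
        echo "rc.conf does not set pf_enable=YES; nothing loads pf.ko at boot"
    fi
    if make_conf_disables_pf "$3"; then
        echo "make.conf defines NO_PF: buildworld skips the pf userland (the value is ignored)"
    fi
    return $ok
}

# Live mode.  Assumes a FreeBSD host with sources in /usr/src; the kernel
# config path is built from the machine type (uname -m) and kernel ident
# (uname -i), which is an assumption about the layout, not a guarantee.
if [ "${1-}" = "--live" ]; then
    diagnose "$(kldstat)" "$(cat /etc/rc.conf)" \
        "$(cat /etc/make.conf 2>/dev/null)" \
        "$(cat "/usr/src/sys/$(uname -m)/conf/$(uname -i)" 2>/dev/null)"
fi
```

Run it with --live on the box that lacks /dev/pf; fed Gavin's kldstat listing and a kernel config whose "device pf" line is commented out, it reports that nothing would create the device, which is the situation pfctl's "No such file or directory" describes.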
From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 15:56:14 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 73F4F16A41B for ; Fri, 25 Jan 2008 15:56:14 +0000 (UTC) (envelope-from tommyhp2@yahoo.com) Received: from web38213.mail.mud.yahoo.com (web38213.mail.mud.yahoo.com [209.191.124.156]) by mx1.freebsd.org (Postfix) with SMTP id 4A95D13C46E for ; Fri, 25 Jan 2008 15:56:14 +0000 (UTC) (envelope-from tommyhp2@yahoo.com) Received: (qmail 54365 invoked by uid 60001); 25 Jan 2008 15:56:13 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID; b=KWwO9T27rCl1TfhAb8p/R5ZWSuDWPc8ZYfDmwvZ5ADjQzjeyaX0C6JzQH90aw1QxhSEuLd0ymJEid1wO4SaD6S9JjSiieKi8mzNHz1wa6e/wM4QwF2egXjrBcKgxId3qT5U0qX2+L/GQ8aXbGH8BedXQWccfmcZom0uryOHlhNM=; X-YMail-OSG: q..UN0AVM1kWLX0B3Fp7qQrJKcWSNePFiA6Ejq2J Received: from [74.229.174.93] by web38213.mail.mud.yahoo.com via HTTP; Fri, 25 Jan 2008 07:56:13 PST Date: Fri, 25 Jan 2008 07:56:13 -0800 (PST) From: Tommy Pham To: freebsd-pf@freebsd.org In-Reply-To: <4799933A0200009000012FFC@hermes.cwu.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Message-ID: <499023.26589.qm@web38213.mail.mud.yahoo.com> Subject: Re: How does /dev/pf get created? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Jan 2008 15:56:14 -0000

Hi Gavin,

Have you rebuilt world or is it a clean install? Update the src to RELENG_6_2 patch 9 via cvs? If I remember correctly, a clean install of 6.2-RELEASE from the CD should have the required pf device.
You can start using it by enabling in the rc.conf. (ALTQ will not be available until you specify device+options and rebuild the kernel.) This will get you going using the rules w/o queueing.

~Tommy

--- Gavin Spomer wrote:

> First of all, thanks! :)
>
> >>> Tommy Pham 01/24/08 5:17 PM >>>
> Check your /etc/make.conf. I remember that you can disable it if
> NO_PF=YES is not commented out.
>
> I only have 3 lines in my /etc/make.conf: a comment and 2 lines
> about what perl to use. Is NO_PF=YES the default if not
> specified? In that case adding NO_PF=NO and then building may
> work.
>
> Also, I remember reading it somewhere
> that pf requires 'device bpf' in the kernel (which you might want to
> check for that too).
>
> I read that somewhere too and it is indeed left uncommented.
>
> I presume you used a copy of GENERIC kernel file
> and comment out what you don't need...?
>
> That is correct. I did: cp GENERIC MACHINEHOSTNAME and edited
> MACHINEHOSTNAME w/ vim.
>
> If so, did you specify the
> kernel file name in the /etc/make.conf or in the command line
> KERNCONF=?
>
> I did it via the command line:
> make buildkernel KERNCONF=MACHINEHOSTNAME
> make installkernel KERNCONT=MACHINEHOSTNAME
>
> Shouldn't having "device pf" in MACHINEHOSTNAME file and building
> provide /dev/pf?
>
> I have such a vanilla installation of FreeBSD, it's hard for me to
> see where I went wrong. I seem to have all the
> components of pf except /dev/pf. I have /sbin/pfctl, /etc/pf.conf,
> /boot/kernel/pf.ko, /boot/kernel/pflog.ko and the
> appropriate stuff I mentioned in /etc/rc.conf and probably others
> as well. I just don't have /dev/pf. How does this get
> created?
>
> Regards,
> Tommy
>
> --- Gavin Spomer wrote:
>
> > I have followed the instructions in the FreeBSD Handbook for
> > implementing pf, but when I run pfctl -e, I get:
> >
> > pfctl: /dev/pf: No such file or directory".
> _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 16:12:15 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 31DA416A419 for ; Fri, 25 Jan 2008 16:12:15 +0000 (UTC) (envelope-from jdc@parodius.com) Received: from mx01.sc1.parodius.com (mx01.sc1.parodius.com [72.20.106.3]) by mx1.freebsd.org (Postfix) with ESMTP id 30F6513C44B for ; Fri, 25 Jan 2008 16:12:15 +0000 (UTC) (envelope-from jdc@parodius.com) Received: by mx01.sc1.parodius.com (Postfix, from userid 1000) id 107661CC05F; Fri, 25 Jan 2008 08:12:15 -0800 (PST) Date: Fri, 25 Jan 2008 08:12:15 -0800 From: Jeremy Chadwick To: Gavin Spomer Message-ID: <20080125161215.GA38146@eos.sc1.parodius.com> References: <4799933A0200009000012FFC@hermes.cwu.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4799933A0200009000012FFC@hermes.cwu.edu> User-Agent: Mutt/1.5.16 (2007-06-09) Cc: freebsd-pf@freebsd.org Subject: Re: How does /dev/pf get created? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Jan 2008 16:12:15 -0000 On Fri, Jan 25, 2008 at 07:43:54AM -0800, Gavin Spomer wrote: > I only have 3 lines in my /etc/make.conf: a comment and 2 lines about what perl to use. > Is NO_PF=YES the default if not specified? NO_PF in /etc/make.conf (RELENG_6), or WITHOUT_PF in /etc/src.conf (RELENG_7) will simply disable building pf-related utilities in the base system (e.g. pfctl and others). 
It should not affect what features/capabilities your kernel configuration specifies.

> In that case adding NO_PF=NO and then building may work.

No, this will not work. NO_xxx variables do not check the actual value of the assignment; NO_PF=HEHEHE would be the same thing as NO_PF=true. The same goes for src.conf as described above.

> I did it via the command line:
> make buildkernel KERNCONF=MACHINEHOSTNAME
> make installkernel KERNCONT=MACHINEHOSTNAME

Your installkernel line is incorrect. KERNCONT != KERNCONF. Also, consider simply placing KERNCONF=WHATEVER in /etc/make.conf, then you won't have to remember to specify the variable on the command-line when building/installing kernels.

> Shouldn't having "device pf" in MACHINEHOSTNAME file and building provide /dev/pf?

Yes and no. The /dev/pf device is created on-the-fly when the pf module is loaded by the kernel. It is not a device that's made during build time or via any other means. A missing /dev/pf (as claimed by your pfctl) seems to indicate you do not have the pf module loaded into the kernel (either as a module loaded via kldload, or built-in to the kernel via 'device pf').

On none of our production machines do we have "device pf" in our kernel configs. Instead, we rely on the following /etc/rc.conf variable to kldload the pf kernel module during boot:

pf_enable="yes"

If you want pflog support, you will also need the following line:

pflog_enable="yes"

Drivers being loaded can be verified by doing `kldstat' and seeing the module(s) loaded as so:

# kldstat
Id Refs Address    Size     Name
 1    6 0xc0400000 3f5b50   kernel
 2    1 0xc07f6000 64340    acpi.ko
 4    2 0xc81b5000 2e000    pf.ko
 6    1 0xcaf50000 3000     pflog.ko

> I have such a vanilla installation of FreeBSD, it's hard for me to see where I went wrong. I seem to have all the
> components of pf except /dev/pf. I have /sbin/pfctl, /etc/pf.conf, /boot/kernel/pf.ko, /boot/kernel/pflog.ko and the
> appropriate stuff I mentioned in /etc/rc.conf and probably others as well.
I just don't have /dev/pf. How does this get > created? It would help if you could provide: * Output of uname -a on the machine which doesn't have /dev/pf * Output of kldstat * Your /etc/rc.conf * Your /boot/loader.conf * Your /etc/make.conf * Your kernel configuration file -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB | From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 16:17:23 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 569AE16A469 for ; Fri, 25 Jan 2008 16:17:23 +0000 (UTC) (envelope-from rakhesh@rakhesh.com) Received: from wr-out-0506.google.com (wr-out-0506.google.com [64.233.184.239]) by mx1.freebsd.org (Postfix) with ESMTP id 0F44813C46E for ; Fri, 25 Jan 2008 16:17:21 +0000 (UTC) (envelope-from rakhesh@rakhesh.com) Received: by wr-out-0506.google.com with SMTP id 68so422019wra.13 for ; Fri, 25 Jan 2008 08:17:21 -0800 (PST) Received: by 10.142.109.16 with SMTP id h16mr1330278wfc.38.1201277840212; Fri, 25 Jan 2008 08:17:20 -0800 (PST) Received: from smtp.home.rakhesh.com ( [82.178.100.29]) by mx.google.com with ESMTPS id i38sm2073476wxd.16.2008.01.25.08.17.11 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 25 Jan 2008 08:17:17 -0800 (PST) Received: from dogmatix (dogmatix [192.168.17.31]) by smtp.home.rakhesh.com (Postfix) with ESMTP id 3C6F611427; Fri, 25 Jan 2008 20:16:26 +0400 (GST) Date: Fri, 25 Jan 2008 20:16:41 +0400 (GST) X-X-Sender: rakhesh@dogmatix.home.rakhesh.com To: Daniel Hartmeier In-Reply-To: <20080125144617.GL26684@insomnia.benzedrine.cx> Message-ID: <20080125201439.L86151@dogmatix.home.rakhesh.com> References: <20080122185929.A35598@obelix.home.rakhesh.com> <20080122193545.N35750@obelix.home.rakhesh.com> <6e6841490801221122p108f8196x9c50f216cccac956@mail.gmail.com> 
<20080125105447.K51665@dogmatix.home.rakhesh.com> <6e6841490801250523u67a55707g77d13356125283fa@mail.gmail.com> <20080125181146.G78711@dogmatix.home.rakhesh.com> <20080125144617.GL26684@insomnia.benzedrine.cx> X-Blog: http://rakhesh.com/ X-Notes: http://rakhesh.net/ MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed From: Rakhesh Sasidharan Cc: "FreeBSD \(PF\)" Subject: Re: ping: sendto: No buffer space available X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Jan 2008 16:17:23 -0000 Daniel Hartmeier wrote: > On Fri, Jan 25, 2008 at 06:12:39PM +0400, Rakhesh Sasidharan wrote: > >> Yes, I am using cbq. Sorry, I forgot to mention it earlier ... > > Well, disable it temporarily and see if the problem goes away... Ok, will do and try. > If you set up queueing, and the queue you assign ICMP to is full, what > do you expect happens when ping tries to send an ICMP echo request? > > Have you checked the run-time statistics of the queues (pfctl -vvsq), > any correlation between drops and ping error messages? Actually (I suppose I mentioned this in my original post) the problem isn't just for ICMP packets. I gave an example of ICMP packets, but it happens for everything! All TCP, UDP packets. All queues. 
Thanks, Rakhesh --- http://rakhesh.net/ From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 16:52:16 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7E8AE16A419 for ; Fri, 25 Jan 2008 16:52:16 +0000 (UTC) (envelope-from spomerg@cwu.EDU) Received: from scylla.cts.cwu.edu (scylla.cts.cwu.edu [198.104.67.151]) by mx1.freebsd.org (Postfix) with ESMTP id 61F3113C4E7 for ; Fri, 25 Jan 2008 16:52:16 +0000 (UTC) (envelope-from spomerg@cwu.EDU) Received: from CONVERSION-CWU-DAEMON.SCYLLA.CTS.CWU.EDU by SCYLLA.CTS.CWU.EDU (PMDF V6.3-x13 #31358) id <01MQI603P8HC001U6S@SCYLLA.CTS.CWU.EDU> for freebsd-pf@freebsd.org; Fri, 25 Jan 2008 08:52:15 -0800 (PST) Received: from hermes.cwu.edu (hermes.cwu.edu [172.16.21.28]) by SCYLLA.CTS.CWU.EDU (PMDF V6.3-x13 #31358) with ESMTP id <01MQI603B6PQ001UP2@SCYLLA.CTS.CWU.EDU> for freebsd-pf@freebsd.org; Fri, 25 Jan 2008 08:51:59 -0800 (PST) Received: from cwugate1-MTA by hermes.cwu.edu with Novell_GroupWise; Fri, 25 Jan 2008 08:51:59 -0800 Date: Fri, 25 Jan 2008 08:51:48 -0800 From: Gavin Spomer To: freebsd-pf@freebsd.org Message-id: <4799A3240200009000013010@hermes.cwu.edu> MIME-version: 1.0 X-Mailer: Novell GroupWise Internet Agent 7.0.2 HP Content-type: multipart/mixed; boundary="Boundary_(ID_LRsNu3A/mlzu6byXaf6rUQ)" Subject: Re: How does /dev/pf get created? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Jan 2008 16:52:16 -0000
Thanks Jeremy. See more below.

>>> Jeremy Chadwick 01/25/08 8:12 AM >>>
> On Fri, Jan 25, 2008 at 07:43:54AM -0800, Gavin Spomer wrote:
>> I did it via the command line:
>> make buildkernel KERNCONF=MACHINEHOSTNAME
>> make installkernel KERNCONT=MACHINEHOSTNAME
>
> Your installkernel line is incorrect. KERNCONT != KERNCONF.

That was a typo in my email, not what I actually typed when I build my kernel. Sorry 'bout that. ;)

(more below)

>> Shouldn't having "device pf" in MACHINEHOSTNAME file and building provide /dev/pf?
>
> Yes and no. The /dev/pf device is created on-the-fly when the pf module
> is loaded by the kernel. It is not a device that's made during build
> time or via any other means.
>
> A missing /dev/pf (as claimed by your pfctl) seems to indicate you do
> not have the pf module loaded into the kernel (either as a module loaded
> via kldload, or built-in to the kernel via 'device pf')
>
> On none of our production machines do we have "device pf" in our kernel
> configs. Instead, we rely on the following /etc/rc.conf variable to
> kldload the pf kernel module during boot:
>
> pf_enable="yes"
>
> If you want pflog support, you will also need the following line:
>
> pflog_enable="yes"
>
> Drivers being loaded can be verified by doing `kldstat' and seeing the
> module(s) loaded as so:
>
> # kldstat
> Id Refs Address    Size     Name
>  1    6 0xc0400000 3f5b50   kernel
>  2    1 0xc07f6000 64340    acpi.ko
>  4    2 0xc81b5000 2e000    pf.ko
>  6    1 0xcaf50000 3000     pflog.ko

Okay, well it's obvious that the modules aren't getting loaded, even though (as I said in original email) I have the correct lines in /etc/rc.conf.
I ran kldstat and only got:

Id Refs Address    Size     Name
 1    8 0xc0400000 44c4e0   kernel
 2    1 0xc084d000 2364     accf_http.ko
 3    1 0xc0850000 59f20    acpi.ko
 4    1 0xc881d000 16000    linux.ko
 5    1 0xc8833000 4000     sysvshm.ko

(even more below)

>> I have such a vanilla installation of FreeBSD, it's hard for me to see where I went wrong. I seem to have all the
>> components of pf except /dev/pf. I have /sbin/pfctl, /etc/pf.conf, /boot/kernel/pf.ko, /boot/kernel/pflog.ko and the
>> appropriate stuff I mentioned in /etc/rc.conf and probably others as well. I just don't have /dev/pf. How does this get
>> created?
>
> It would help if you could provide:
>
> * Output of uname -a on the machine which doesn't have /dev/pf
> * Output of kldstat
> * Your /etc/rc.conf
> * Your /boot/loader.conf
> * Your /etc/make.conf
> * Your kernel configuration file

uname -a:
FreeBSD machinehostname.cwu.edu 6.2-RELEASE FreeBSD 6.2-RELEASE #2: Wed Dec 12 14:59:04 PST 2007 root@machinehostname.cwu.edu:/usr/obj/usr/src/sys/MACHINEHOSTNAME i386

kldstat: (see above)

/etc/rc.conf: (attached)

/boot/loader.conf:
# Makes Apache Work - 11/30/07 - GS
accf_http_load="YES"

/etc/make.conf:
# added by use.perl 2007-12-11 11:29:06
PERL_VER=5.8.8
PERL_VERSION=5.8.8

kernel config: (attached)

Thanks again, folks. FWIW, I'm a *little* new to FreeBSD. I've been using SuSE Linux for 2 years solid and have had sporadic experience with FreeBSD and Solaris before that.

- Gavin

Content-type: text/plain; name="rc.conf.txt"
Content-disposition: attachment; filename="rc.conf.txt"

# -- sysinstall generated deltas -- # Thu Nov 29 13:29:41 2007
# Created: Thu Nov 29 13:29:41 2007
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
hostname="pc86579.d.cwu.edu"
ifconfig_bce0="DHCP"
linux_enable="YES"
sshd_enable="YES"
#usbd_enable="YES"
ntpd_enable="YES"
mysql_enable="YES"
apache22_enable="YES"
zope210_enable="YES"
zope210_instances="/usr/local/zope"
#Packet Filter (Firewall)
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_logfile="/var/log/pflog"

Content-type: application/octet-stream; name=MACHINEHOSTNAME
Content-disposition: attachment; filename=MACHINEHOSTNAME
From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 16:59:30 2008
Date: Fri, 25 Jan 2008 08:59:19 -0800
From: Gavin Spomer
To: freebsd-pf@freebsd.org
Message-id: <4799A4E70200009000013014@hermes.cwu.edu>
Subject: Re: How does /dev/pf get created?

>>> Tommy Pham 01/25/08 7:56 AM >>>
> Hi Gavin,
>
> Have you rebuilt world or is it a clean install? Update the src to
> RELENG_6_2 patch 9 via cvs? If I remember correctly, a clean install of
> 6.2-RELEASE from the CD should have the required pf device. You can start
> using it by enabling in the rc.conf. (ALTQ will not be available until
> you specify device+options and rebuild the kernel.) This will get you
> going using the rules w/o queueing.

I have never rebuilt world. I am still learning FreeBSD, even though I have a semi-strong linux background. ;) Yes, I installed from downloaded cd's.

"Update the src to RELENG_6_2 patch 9 via cvs?" ? Don't understand. :o

Thanks again.
- Gavin

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 17:08:40 2008
Date: Fri, 25 Jan 2008 09:08:39 -0800
From: Jeremy Chadwick
To: Gavin Spomer
Cc: freebsd-pf@freebsd.org
Message-ID: <20080125170839.GA39659@eos.sc1.parodius.com>
References: <4799A3240200009000013010@hermes.cwu.edu>
In-Reply-To: <4799A3240200009000013010@hermes.cwu.edu>
Subject: Re: How does /dev/pf get created?

On Fri, Jan 25, 2008 at 08:51:48AM -0800, Gavin Spomer wrote:
> Okay, well it's obvious that the modules aren't getting loaded, even though (as I said in original email) I have the
> correct lines in /etc/rc.conf. I ran kldstat and only got:
>
> Id Refs Address    Size     Name
>  1    8 0xc0400000 44c4e0   kernel
>  2    1 0xc084d000 2364     accf_http.ko
>  3    1 0xc0850000 59f20    acpi.ko
>  4    1 0xc881d000 16000    linux.ko
>  5    1 0xc8833000 4000     sysvshm.ko

Hmm. Your /etc/rc.conf looks right for loading pf as a kernel module. I don't see anything wrong with that.

However, your kernel configuration shows that you have "device pf" in the kernel.
The /etc/rc.d/pf script is supposed to figure out if you have pf built-in or not (and if not, kldload it).

What do you get if you do `kldload -v pf'?

The only other recommendation I have would be to change your setup in the following way:

1) Remove the following lines from your kernel configuration:

device pf
device pflog
device pfsync
options ALTQ

And replace them with just these:

# pf altq support
options         ALTQ
options         ALTQ_CBQ        # Class Based Queueing
options         ALTQ_RED        # Random Early Drop
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler
options         ALTQ_CDNR       # Traffic conditioner
options         ALTQ_PRIQ       # Priority Queueing
options         ALTQ_NOPCC      # Required for SMP build
options         ALTQ_DEBUG

2) Remove pf-related lines from /etc/rc.conf and use these instead:

pf_enable="yes"
pflog_enable="yes"

3) Rebuild your kernel and reboot; remove the KERNCONF=xxx stuff if you went ahead and added the KERNCONF=xxx line to /etc/make.conf.

cd /usr/src
make buildkernel KERNCONF=whatever
make installkernel KERNCONF=whatever
reboot

4) See if pf loads after that.

I'm left thinking there's some bizarre situation where since you have the "device pf" (and related stuff) in your kernel config hard-coded, the rc.d/pf script isn't properly initialising pf.

I can assure you that the above steps described are *exactly* what we use on our RELENG_6 production systems with pf, and we've never run into any trouble.

Also, one unrelated thing: I'd recommend removing the Apache-related line you have in /boot/loader.conf. This should be done during startup of httpd via /usr/local/etc/rc.d/*httpd* using rc.conf variables. Add this to your /etc/rc.conf and that's all you should need:

apache22_http_accept_enable="yes"

Otherwise, I've seen many systems where Apache upon being shut down then start up complains about how it can't load the Accept filter.
--
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                        http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, USA |
| Making life hard for others since 1977.               PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 17:12:46 2008
Date: Fri, 25 Jan 2008 09:12:46 -0800
From: Jeremy Chadwick
To: Gavin Spomer
Cc: freebsd-pf@freebsd.org
Message-ID: <20080125171246.GB39659@eos.sc1.parodius.com>
References: <4799A4E70200009000013014@hermes.cwu.edu>
In-Reply-To: <4799A4E70200009000013014@hermes.cwu.edu>
Subject: Re: How does /dev/pf get created?

On Fri, Jan 25, 2008 at 08:59:19AM -0800, Gavin Spomer wrote:
> >>> Tommy Pham 01/25/08 7:56 AM >>>
> Hi Gavin,
> Have you rebuilt world or is it a clean install? Update the src to
> RELENG_6_2 patch 9 via cvs? If I remember correctly, a clean install
> of 6.2-RELEASE from the CD should have the required pf device. You can
> start using it by enabling in the rc.conf. (ALTQ will not be available
> until you specify device+options and rebuild the kernel.) This will
> get you going using the rules w/o queueing.
>
> I have never rebuilt world. I am still learning FreeBSD, even though I have a semi-strong linux background. ;) Yes, I installed
> from downloaded cd's. "Update the src to RELENG_6_2 patch 9 via cvs?" ? Don't understand. :o

The FreeBSD Handbook has instructions on how to update your system. You should really be using the RELENG_6 cvs tag and not RELENG_6_2.

The proper procedure for building/installing world and kernel is documented in /usr/src/Makefile:

#  1.  `cd /usr/src'       (or to the directory containing your source tree).
#  2.  `make buildworld'
#  3.  `make buildkernel KERNCONF=YOUR_KERNEL_HERE'     (default is GENERIC).
#  4.  `make installkernel KERNCONF=YOUR_KERNEL_HERE'   (default is GENERIC).
#  5.  `reboot'        (in single user mode: boot -s from the loader prompt).
#  6.  `mergemaster -p'
#  7.  `make installworld'
#  8.  `make delete-old'
#  9.  `mergemaster'
# 10.  `reboot'
# 11.  `make delete-old-libs' (in case no 3rd party program uses them anymore)

For updating the FreeBSD source code (for kernel and base utilities), you'll need to use csup. To make it simple, use the following arguments in /etc/make.conf:

SUP_UPDATE=yes
SUP=/usr/bin/csup
SUPFLAGS=-g -L 2 -4
SUPHOST=cvsup4.freebsd.org
SUPFILE=/usr/share/examples/cvsup/stable-supfile
PORTSSUPFILE=/usr/share/examples/cvsup/ports-supfile

Change SUPHOST to a cvsupXXX.freebsd.org server which you can reach from your machine that has low latency (try pinging them). I happen to use cvsup4, but they go all the way up to cvsup18.

After that, all you need to do to update changes to the ports tree as well as your source tree (for world/kernel) is:

umask 022
cd /usr/src
make update

And that's it. :-)

--
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                        http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, USA |
| Making life hard for others since 1977.               PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 17:54:28 2008
Date: Fri, 25 Jan 2008 09:54:19 -0800
From: Gavin Spomer
To: freebsd-pf@freebsd.org
Message-id: <4799B1CB020000900001301E@hermes.cwu.edu>
Subject: Re: How does /dev/pf get created?

I followed your instructions to a "T" and then after I rebooted, I double checked everything to make sure I didn't do anything stupid. Still no /dev/pf. Running kldstat still shows that pf.ko didn't get loaded.
Trying to load it via your instructions (kldload -v pf) I get:

kldload: can't load pf: No such file or directory

When I ran this before following your instructions I got something like: (I'm doing this partially from memory)

kldload: can't load pf.ko: File exists

That doesn't make a lick of sense to me.

Stupid (?) question: Is there a way to manually create /dev/pf or can it be copied from another system?

Thanks for taking the time to help this quasi-newbie. :)

- Gavin

>>> Jeremy Chadwick 01/25/08 9:08 AM >>>
> 1) Remove the following lines from your kernel configuration:
>
> device pf
> device pflog
> device pfsync
> options ALTQ
>
> And replace them with just these:
>
> # pf altq support
> options         ALTQ
> options         ALTQ_CBQ        # Class Based Queueing
> options         ALTQ_RED        # Random Early Drop
> options         ALTQ_RIO        # RED In/Out
> options         ALTQ_HFSC       # Hierarchical Packet Scheduler
> options         ALTQ_CDNR       # Traffic conditioner
> options         ALTQ_PRIQ       # Priority Queueing
> options         ALTQ_NOPCC      # Required for SMP build
> options         ALTQ_DEBUG
>
> 2) Remove pf-related lines from /etc/rc.conf and use these instead:
>
> pf_enable="yes"
> pflog_enable="yes"
>
> 3) Rebuild your kernel and reboot; remove the KERNCONF=xxx stuff if you
> went ahead and added the KERNCONF=xxx line to /etc/make.conf.
>
> cd /usr/src
> make buildkernel KERNCONF=whatever
> make installkernel KERNCONF=whatever
> reboot
>
> 4) See if pf loads after that.
>
> I'm left thinking there's some bizarre situation where since you have
> the "device pf" (and related stuff) in your kernel config hard-coded,
> the rc.d/pf script isn't properly initialising pf.
>
> I can assure you that the above steps described are *exactly* what we
> use on our RELENG_6 production systems with pf, and we've never run into
> any trouble.
From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 18:05:16 2008
From: Jeremy Chadwick
To: Gavin Spomer
Cc: freebsd-pf@freebsd.org
Date: Fri, 25 Jan 2008 10:05:16 -0800
Message-ID: <20080125180516.GA41255@eos.sc1.parodius.com>
In-Reply-To: <4799B1CB020000900001301E@hermes.cwu.edu>
Subject: Re: How does /dev/pf get created?

On Fri, Jan 25, 2008 at 09:54:19AM -0800, Gavin Spomer wrote:
> I followed your instructions to a "T" and then after I rebooted, I double checked everything to make sure I didn't do
> anything stupid. Still no /dev/pf. Running kldstat still shows that pf.ko didn't get loaded. Trying to load it via your
> instructions (kldload -v pf) I get:
>
> kldload: can't load pf: No such file or directory

This would indicate that /boot/kernel/pf.ko is missing. It doesn't appear it was built during your last buildkernel/installkernel.
An example of kldload working properly:

eos# ls -l /boot/kernel/if_nge*
-r-xr-xr-x  1 root  wheel  27793 Jan 15 00:17 /boot/kernel/if_nge.ko
eos# kldload if_nge
eos# kldstat
Id Refs Address    Size     Name
 1   10 0xc0400000 3f5b50   kernel
 2    1 0xc07f6000 64340    acpi.ko
 4    2 0xc81b5000 2e000    pf.ko
 5    1 0xc83e2000 2000     accf_http.ko
 6    1 0xcaf50000 3000     pflog.ko
 7    1 0xcd810000 7000     if_nge.ko
eos# kldunload if_nge
eos# kldstat
Id Refs Address    Size     Name
 1    6 0xc0400000 3f5b50   kernel
 2    1 0xc07f6000 64340    acpi.ko
 4    2 0xc81b5000 2e000    pf.ko
 5    1 0xc83e2000 2000     accf_http.ko
 6    1 0xcaf50000 3000     pflog.ko

> When I ran this before following your instructions I got something like: (I'm doing this partially from memory)
>
> kldload: can't load pf.ko: File exists
>
> That doesn't make a lick of sense to me.

This is what kldload will say (for most modules) when you already have said module built in to the kernel. The kernel module utilities on FreeBSD are not very "user-friendly" when it comes to error messages; your confusion in this regard is nothing to be ashamed of.

If /dev/pf isn't being created despite pf being built-in, it could indicate some strange bug in the pf module (where it prefers to be loaded as a kernel module), OR, a problem with devfs (the filesystem that controls /dev on FreeBSD) on your machine. Can you provide the output of df, and the contents of /etc/fstab?

> Stupid (?) question: Is there a way to manually create /dev/pf or can it be copied from another system?

No, it needs to be automatically created by pf via devfs.

> Thanks for taking the time to help this quasi-newbie. :)

No problem. It's a learning experience, and over time you'll eventually be able to help others. :-)

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.
PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 19:10:31 2008
From: Gavin Spomer
To: freebsd-pf@freebsd.org
Date: Fri, 25 Jan 2008 11:08:37 -0800
Message-id: <4799C3350200009000013052@hermes.cwu.edu>
Subject: Re: How does /dev/pf get created?

>>> Jeremy Chadwick 01/25/08 10:05 AM >>>
> On Fri, Jan 25, 2008 at 09:54:19AM -0800, Gavin Spomer wrote:
> > I followed your instructions to a "T" and then after I rebooted, I double checked everything to make sure I didn't do
> > anything stupid.
> > Still no /dev/pf. Running kldstat still shows that pf.ko didn't get loaded. Trying to load it via your
> > instructions (kldload -v pf) I get:
> >
> > kldload: can't load pf: No such file or directory
>
> This would indicate that /boot/kernel/pf.ko is missing. It doesn't
> appear it was built during your last buildkernel/installkernel.

Yes, you're quite correct. Oddly enough, I remember that when I had the pf stuff in my kernel config, pf.ko DID exist in /boot/kernel. THAT doesn't make much sense.

> An example of kldload working properly:
> [deleted text]

Your example made complete sense to me. Thanks.

> > When I ran this before following your instructions I got something like: (I'm doing this partially from memory)
> > kldload: can't load pf.ko: File exists
> > That doesn't make a lick of sense to me.
>
> This is what kldload will say (for most modules) when you already have
> said module built in to the kernel. The kernel module utilities on
> FreeBSD are not very "user-friendly" when it comes to error messages;
> your confusion in this regard is nothing to be ashamed of.

No shame here. I just LOVE to point out retarded error messages! ;)

> If /dev/pf isn't being created despite pf being built-in, it could
> indicate some strange bug in the pf module (where it prefers to be
> loaded as a kernel module), OR, a problem with devfs (the filesystem
> that controls /dev on FreeBSD) on your machine. Can you provide the
> output of df, and the contents of /etc/fstab?

df: (with -h)

Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/da0s1a    496M     75M    381M    16%    /
devfs          1.0K    1.0K      0B   100%    /dev
/dev/da0s1e    496M    222K    456M     0%    /tmp
/dev/da0s1f    256G    2.8G    233G     1%    /usr
/dev/da0s1d    4.1G    141M    3.6G     4%    /var

/etc/fstab:

# Device        Mountpoint      FStype  Options         Dump    Pass#
/dev/da0s1b     none            swap    sw              0       0
/dev/da0s1a     /               ufs     rw              1       1
/dev/da0s1e     /tmp            ufs     rw              2       2
/dev/da0s1f     /usr            ufs     rw              2       2
/dev/da0s1d     /var            ufs     rw              2       2
/dev/acd0       /cdrom          cd9660  ro,noauto       0       0

> > Thanks for taking the time to help this quasi-newbie.
> > :)
>
> No problem. It's a learning experience, and over time you'll eventually
> be able to help others. :-)

Thanks, I believe you. There's a lot of things that I know inside and out now that were completely foreign to me when I started with them. Some good examples are EZProxy and Greenstone. Two very untraditional pieces of software of which I now answer other people's questions on their respective lists. :)

- Gavin

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 20:00:24 2008
From: Gavin Spomer
To: freebsd-pf@freebsd.org
Date: Fri, 25 Jan 2008 11:45:00 -0800
Message-id: <4799CBBC020000900001305B@hermes.cwu.edu>
Subject: Re: How does /dev/pf get created?
My mistake, I DO have pf.ko:

# ls /boot/kernel/pf.ko
-r-xr-xr-x  1 root  wheel   184K Jan 25 09:33 kernel/pf.ko

I was trying "ls /boot/kernel/pf" before. Now I'm wondering why I'm still getting "kldload: can't load pf.ko: No such file or directory" when I run kldload.

Sigh, shouldn't be this difficult. ;)

- Gavin
From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 21:47:22 2008
From: Gary Palmer
To: Gavin Spomer
Cc: freebsd-pf@freebsd.org
Date: Fri, 25 Jan 2008 16:47:20 -0500
Message-ID: <20080125214720.GC86111@in-addr.com>
In-Reply-To: <4799CBBC020000900001305B@hermes.cwu.edu>
Subject: Re: How does /dev/pf get created?

On Fri, Jan 25, 2008 at 11:45:00AM -0800, Gavin Spomer wrote:
> My mistake, I DO have pf.ko:
>
> # ls /boot/kernel/pf.ko
> -r-xr-xr-x  1 root  wheel   184K Jan 25 09:33 kernel/pf.ko
>
> I was trying "ls /boot/kernel/pf" before. Now I'm wondering why I'm still getting "kldload: can't load pf.ko: No such file or
> directory" when I run kldload.
>
> Sigh, shouldn't be this difficult. ;)

ENOENT ("No such file or directory") can also mean that a symbol that the module requires cannot be found in the kernel. This can be many things, including a missing prerequisite module or that the module was built with a different set of options to the currently running kernel.
Check dmesg to see if there is a related error message from the kernel.

Gary

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 22:18:53 2008
From: Gavin Spomer
To: freebsd-pf@freebsd.org
Date: Fri, 25 Jan 2008 14:18:40 -0800
Message-id: <4799EFC0020000900001307D@hermes.cwu.edu>
Subject: Re: How does /dev/pf get created?

>>> Gary Palmer 01/25/08 1:47 PM >>>
> On Fri, Jan 25, 2008 at 11:45:00AM -0800, Gavin Spomer wrote:
> > My mistake, I DO have pf.ko:
> > # ls /boot/kernel/pf.ko
> > -r-xr-xr-x  1 root  wheel   184K Jan 25 09:33 kernel/pf.ko
> > I was trying "ls /boot/kernel/pf" before. Now I'm wondering why I'm still getting "kldload: can't load pf.ko: No such file or
> > directory" when I run kldload.
> > Sigh, shouldn't be this difficult. ;)
>
> ENOENT ("No such file or directory") can also mean that a symbol that the
> module requires cannot be found in the kernel. This can be many things,
> including a missing prerequisite module or that the module was built with
> a different set of options to the currently running kernel.
>
> Check dmesg to see if there is a related error message from the kernel.

Geez, I'm so embarrassed. This is the first time I've ever run dmesg.
Lots of stuff in there; anything in particular I'm looking for? I see "link_elf: symbol altq_remove undefined" 6 times at the end. Before that I see "pid 34320 (conftest), uid 0: exited on signal 12 (core dumped)"... yikes, that doesn't sound good. I piped it all through grep for "pf" and didn't find anything.

I've attached the dmesg output. Sorry everyone, I'm not trying to get anyone to do my work for me. I've actually been working very hard to solve this on my own. I genuinely want to learn something from this in the process, and to be truthful, I HAVE learned much from all this. But I would also like to get pf to work! :D Thank goodness it's Friday.

- Gavin

[Attachment: dmesg.txt]

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 22:39:29 2008
From: Jeremy Chadwick
To: Gavin Spomer
Cc: freebsd-pf@freebsd.org
Date: Fri, 25 Jan 2008 14:39:28 -0800
Message-ID: <20080125223928.GA49313@eos.sc1.parodius.com>
In-Reply-To: <4799EFC0020000900001307D@hermes.cwu.edu>
Subject: Re: How does /dev/pf get created?

On Fri, Jan 25, 2008 at 02:18:40PM -0800, Gavin Spomer wrote:
> >>> Gary Palmer 01/25/08 1:47 PM >>>
> ENOENT ("No such file or directory") can also mean that a symbol that the
> module requires cannot be found in the kernel. This can be many things,
> including a missing prerequisite module or that the module was built with
> a different set of options to the currently running kernel.
> Check dmesg to see if there is a related error message from the kernel.
> Geez, I'm so embarrassed. This is the first time I've ever run
> dmesg. Lots of stuff in there; anything in particular I'm looking
> for?
>
> {snip}
>
> Limiting closed port RST response from 1077 to 200 packets/sec

Are you using this box for torrents or are you being DoS'd in any way? This is an awful large sum of TCP RST packets to receive; if it's normal, you can tune this with a sysctl, I believe. You should also consider looking at the blackhole(4) manpage, as those may help you as well. However, those aren't needed if you manage to get pf up and working and set up a good firewall list. :-)

> bce0: promiscuous mode enabled
> bce0: promiscuous mode disabled

Probably caused by packet sniffer use (tcpdump, snoop, Wireshark, etc.).

> pid 34320 (conftest), uid 0: exited on signal 12 (core dumped)

conftest coredumps are "normal" -- they even happen on Linux. Some software you installed did this. Usually it happens in software that uses GNU autoconf to do some compiler tests. I'd really love to find out why they happen and strangle whoever introduced it, though.

> link_elf: symbol altq_remove undefined
> link_elf: symbol altq_remove undefined
> link_elf: symbol altq_remove undefined
> link_elf: symbol altq_remove undefined
> link_elf: symbol altq_remove undefined
> link_elf: symbol altq_remove undefined

And, very likely, here is the cause of your pf problem. :-)

Please go back to what I said about your kernel configuration -- you're missing a lot of "option" arguments for ALTQ support. Add all of the ones I gave you, follow the instructions for buildkernel/installkernel, and it should all begin working.

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.
PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 22:41:07 2008
From: Gary Palmer
To: Gavin Spomer
Cc: freebsd-pf@freebsd.org
Date: Fri, 25 Jan 2008 17:41:05 -0500
Message-ID: <20080125224105.GD86111@in-addr.com>
In-Reply-To: <4799EFC0020000900001307D@hermes.cwu.edu>
Subject: Re: How does /dev/pf get created?

On Fri, Jan 25, 2008 at 02:18:40PM -0800, Gavin Spomer wrote:
> >>> Gary Palmer 01/25/08 1:47 PM >>>
> On Fri, Jan 25, 2008 at 11:45:00AM -0800, Gavin Spomer wrote:
> > My mistake, I DO have pf.ko:
> > # ls /boot/kernel/pf.ko
> > -r-xr-xr-x  1 root  wheel   184K Jan 25 09:33 kernel/pf.ko
> > I was trying "ls /boot/kernel/pf" before. Now I'm wondering why I'm still getting "kldload: can't load pf.ko: No such file or
> > directory" when I run kldload.
> > Sigh, shouldn't be this difficult. ;)
> ENOENT ("No such file or directory") can also mean that a symbol that the
> module requires cannot be found in the kernel.
> This can be many things,
> including a missing prerequisite module or that the module was built with
> a different set of options to the currently running kernel.
> Check dmesg to see if there is a related error message from the kernel.
>
> Geez, I'm so embarrassed. This is the first time I've ever run dmesg. Lots of stuff in there; anything in particular I'm looking
> for? I see "link_elf: symbol altq_remove undefined" 6 times at the end. Before that I see "pid 34320 (conftest), uid 0: exited
> on signal 12 (core dumped)"... yikes, that doesn't sound good. I piped it all through grep for "pf" and didn't find anything.

conftest is part of the GNU autoconf tools and it coredumping is not unusual. I'm suspecting you compiled one or more ports or GNU tools, and that caused that message. In fact, although I never looked into it, I suspect the test is coredumping deliberately.

Try doing

kldload pf

and looking at the end of /var/log/messages by doing

tail /var/log/messages

I suspect that if you compare the timestamp of when you ran kldload and the timestamp in the messages logfile you'll find that the link_elf errors are related to the kldload failure. Or if you have multiple xterms / command windows open, do

tail -0f /var/log/messages

in one terminal window and the kldload in the other.

Why that's happening I'm not entirely sure. My test 6.2-RELEASE install loads pf fine. Did you recompile the pf module to try and include altq support? altq_remove is only used if ALTQ is defined when the module is built.

Gary

> I've attached the dmesg output. Sorry everyone, I'm not trying to get anyone to do my work for me. I've actually been
> working very hard to solve this on my own. I genuinely want to learn something from this in the process, and to be truthful,
> I HAVE learned much from all this. But I would also like to get pf to work! :D Thank goodness it's Friday.
>
> - Gavin
altq_remove undefined > link_elf: symbol altq_remove undefined > link_elf: symbol altq_remove undefined > link_elf: symbol altq_remove undefined > link_elf: symbol altq_remove undefined > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 23:30:57 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4C34516A41A for ; Fri, 25 Jan 2008 23:30:57 +0000 (UTC) (envelope-from spomerg@cwu.EDU) Received: from scylla.cts.cwu.edu (scylla.cts.cwu.edu [198.104.67.151]) by mx1.freebsd.org (Postfix) with ESMTP id 2AB8E13C465 for ; Fri, 25 Jan 2008 23:30:57 +0000 (UTC) (envelope-from spomerg@cwu.EDU) Received: from CONVERSION-CWU-DAEMON.SCYLLA.CTS.CWU.EDU by SCYLLA.CTS.CWU.EDU (PMDF V6.3-x13 #31358) id <01MQIJWHRPQO001VZF@SCYLLA.CTS.CWU.EDU> for freebsd-pf@freebsd.org; Fri, 25 Jan 2008 15:30:44 -0800 (PST) Received: from hermes.cwu.edu (hermes.cwu.edu [172.16.21.28]) by SCYLLA.CTS.CWU.EDU (PMDF V6.3-x13 #31358) with ESMTP id <01MQIJWHEK08001VM2@SCYLLA.CTS.CWU.EDU> for freebsd-pf@freebsd.org; Fri, 25 Jan 2008 15:30:44 -0800 (PST) Received: from cwugate1-MTA by hermes.cwu.edu with Novell_GroupWise; Fri, 25 Jan 2008 15:30:43 -0800 Date: Fri, 25 Jan 2008 15:30:32 -0800 From: Gavin Spomer To: freebsd-pf@freebsd.org Message-id: <479A009802000090000130A1@hermes.cwu.edu> MIME-version: 1.0 X-Mailer: Novell GroupWise Internet Agent 7.0.2 HP Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: quoted-printable Content-disposition: inline Subject: Re: How does /dev/pf get created? 
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 25 Jan 2008 23:30:57 -0000

>>> Jeremy Chadwick 01/25/08 2:39 PM >>>
> link_elf: symbol altq_remove undefined
> link_elf: symbol altq_remove undefined
> link_elf: symbol altq_remove undefined
> link_elf: symbol altq_remove undefined
> link_elf: symbol altq_remove undefined
> link_elf: symbol altq_remove undefined

And, very likely, here is the cause of your pf problem. :-)

Please go back to what I said about your kernel configuration -- you're missing a lot of "option" arguments for ALTQ support. Add all of the ones I gave you, follow the instructions for buildkernel/installkernel, and it should all begin working.

The ALTQ options are still in my kernel; I never removed them since you recommended I put them in and I rebuilt my kernel. I went ahead and did the buildkernel/installkernel again, checking to see if the ALTQ stuff was in there before. This time I tried adding the "device pf" stuff back in. Still the same story. Maybe I'm rebuilding my kernel wrong? Doesn't seem likely. How hard is it to screw up the following?

1. vi /usr/src/sys/i386/conf/MACHINEHOSTNAME (edit accordingly)
2. cd /usr/src
3. make buildkernel KERNCONF=MACHINEHOSTNAME
4. make installkernel KERNCONF=MACHINEHOSTNAME
5. shutdown -r now

Well, the weekend is upon us. We can continue this on Monday, if you're still willing. Thanks for the extra effort.
- Gavin

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 25 23:45:06 2008
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C4A2816A417 for ; Fri, 25 Jan 2008 23:45:06 +0000 (UTC) (envelope-from spomerg@cwu.EDU)
Received: from scylla.cts.cwu.edu (scylla.cts.cwu.edu [198.104.67.151]) by mx1.freebsd.org (Postfix) with ESMTP id A28A113C478 for ; Fri, 25 Jan 2008 23:45:06 +0000 (UTC) (envelope-from spomerg@cwu.EDU)
Received: from CONVERSION-CWU-DAEMON.SCYLLA.CTS.CWU.EDU by SCYLLA.CTS.CWU.EDU (PMDF V6.3-x13 #31358) id <01MQIKF9GUSW001ZGZ@SCYLLA.CTS.CWU.EDU> for freebsd-pf@freebsd.org; Fri, 25 Jan 2008 15:45:05 -0800 (PST)
Received: from hermes.cwu.edu (hermes.cwu.edu [172.16.21.28]) by SCYLLA.CTS.CWU.EDU (PMDF V6.3-x13 #31358) with ESMTP id <01MQIKF9AAEE0020VI@SCYLLA.CTS.CWU.EDU> for freebsd-pf@freebsd.org; Fri, 25 Jan 2008 15:45:05 -0800 (PST)
Received: from cwugate1-MTA by hermes.cwu.edu with Novell_GroupWise; Fri, 25 Jan 2008 15:45:05 -0800
Date: Fri, 25 Jan 2008 15:44:57 -0800
From: Gavin Spomer
To: freebsd-pf@freebsd.org
Message-id: <479A03F902000090000130A5@hermes.cwu.edu>
MIME-version: 1.0
X-Mailer: Novell GroupWise Internet Agent 7.0.2 HP
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: quoted-printable
Content-disposition: inline
Subject: Re: How does /dev/pf get created?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 25 Jan 2008 23:45:06 -0000

>>> Gary Palmer 01/25/08 2:41 PM >>>
> Geez, I'm so embarrassed. This is the first time I've ever run dmesg. Lots of stuff in there; anything in particular I'm looking
> for? I see "link_elf: symbol altq_remove undefined" 6 times at the end. Before that I see "pid 34320 (conftest), uid 0: exited
> on signal 12 (core dumped)"... yikes, that doesn't sound good. I piped it all through grep for "pf" and didn't find anything.

Try doing

kldload pf

and looking at the end of /var/log/messages by doing

tail /var/log/messages

I suspect that if you compare the timestamp of when you ran kldload and the timestamp in the messages logfile you'll find that the link_elf errors are related to the kldload failure.

Or if you have multiple xterms / command windows open, do

Well, that was a fine guess but the timestamps of the log messages are much earlier in the day, very likely when I didn't have all the ALTQ schtuff in my kernel config.

Did you recompile the pf module to try and include altq support? altq_remove is only used if ALTQ is defined when the module is built.

Gary

Uh... I'm trying to think of a half-way intelligent response so my pride doesn't get clobbered too awfully much. So, I can compile the pf module alone, by itself? Where is it? I assume I use "make" somehow to do this? Sorry, it's Friday of a very long, stressful week for me and my brain is just about used up. Having trouble keeping up and grokking all this.
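The two checks the thread circles around, whether the kernel config actually carries every pf/ALTQ line before buildkernel, and what a "link_elf: symbol ... undefined" line in /var/log/messages is telling you, as an added shell example. This is not code from the thread or from FreeBSD; it assumes the option list the FreeBSD Handbook gives for pf with ALTQ (ALTQ_NOPCC being the one SMP kernels need, and this dmesg shows a dual-core, hyperthreaded Xeon), reuses MACHINEHOSTNAME from Gavin's message purely as a placeholder KERNCONF name, and the sample config and log lines it runs on are constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: offline sanity checks for the
# "device pf" / ALTQ kernel-rebuild loop discussed above.
#
# Assumptions: REQUIRED_OPTIONS is the pf+ALTQ set from the FreeBSD
# Handbook (ALTQ_NOPCC is required on SMP kernels); MACHINEHOSTNAME is a
# placeholder KERNCONF name; the sample config and log lines are constructed.

REQUIRED_OPTIONS='device pf
device pflog
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ
options ALTQ_NOPCC'

# missing_kernel_options: read a kernel config on stdin and print every
# required "keyword value" line that is not present.  Comments are stripped
# and whitespace collapsed first, so "device<tab>pf" and
# "options ALTQ   # note" both count, while "#options ALTQ_CBQ" does not.
missing_kernel_options() {
    present=$(sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' \
              | awk 'NF >= 2 { print $1, $2 }')
    printf '%s\n' "$REQUIRED_OPTIONS" | while IFS= read -r req; do
        printf '%s\n' "$present" | grep -qxF -- "$req" || printf '%s\n' "$req"
    done
}

# undefined_symbols: read /var/log/messages (or dmesg) lines on stdin and
# print the distinct NAMEs from "link_elf: symbol NAME undefined".  The
# message means a module being loaded references NAME and the running
# kernel does not export it; for altq_remove that is a pf module expecting
# ALTQ code the kernel was not built with.
undefined_symbols() {
    sed -n 's/.*link_elf: symbol \([^ ]*\) undefined.*/\1/p' | sort -u
}

# Constructed sample input: a config with pf and base ALTQ but none of the
# scheduler options, and a log excerpt of the kind quoted in the thread.
SAMPLE_KERNCONF='ident      MACHINEHOSTNAME
device     pf
device     pflog
options    ALTQ       # base ALTQ only
#options   ALTQ_CBQ   # commented out, so it must not count'
SAMPLE_LOG='Jan 25 09:12:01 host kernel: link_elf: symbol altq_remove undefined
Jan 25 09:12:01 host kernel: link_elf: symbol altq_remove undefined'

echo "Required lines missing from the sample config:"
printf '%s\n' "$SAMPLE_KERNCONF" | missing_kernel_options
echo "Symbols the running kernel did not export when a module was loaded:"
printf '%s\n' "$SAMPLE_LOG" | undefined_symbols
echo "If anything is listed above, fix the config and rebuild as in the thread:"
echo "  cd /usr/src && make buildkernel KERNCONF=MACHINEHOSTNAME && make installkernel KERNCONF=MACHINEHOSTNAME"
echo "After the reboot, a freshly built module will load without link_elf errors and /dev/pf will exist."
```

Run it against a real box with `missing_kernel_options < /usr/src/sys/i386/conf/MACHINEHOSTNAME` and `undefined_symbols < /var/log/messages`; the functions only read stdin, so nothing here touches the build tree. Comparing the message timestamps with when you last ran kldload, as Gary suggests, is still the way to tell a stale error from a live one.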