From owner-freebsd-pf@FreeBSD.ORG Sun Mar 30 03:30:03 2008
Date: Sun, 30 Mar 2008 03:30:02 GMT
Message-Id: <200803300330.m2U3U22s051784@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: "Boris S."
Subject: Re: kern/106400: [pf] fatal trap 12 at restart of PF with ALTQ if ng0 device has detached
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

The following reply was made to PR kern/106400; it has been noted by GNATS.
From: "Boris S."
To: Max Laier
Cc: bug-followup@freebsd.org
Subject: Re: kern/106400: [pf] fatal trap 12 at restart of PF with ALTQ if ng0 device has detached
Date: Sun, 30 Mar 2008 05:30:00 +0200

OK, thank you! I'm going to test it in the next days on two machines (6-Stable and 7-Stable).

Boris

From owner-freebsd-pf@FreeBSD.ORG Sun Mar 30 22:00:04 2008
Date: Sun, 30 Mar 2008 22:00:04 GMT
Message-Id: <200803302200.m2UM04U3014364@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: "Boris S."
Subject: Re: kern/106400: [pf] fatal trap 12 at restart of PF with ALTQ if ng0 device has detached

The following reply was made to PR kern/106400; it has been noted by GNATS.
From: "Boris S."
To: Max Laier
Cc: bug-followup@freebsd.org
Subject: Re: kern/106400: [pf] fatal trap 12 at restart of PF with ALTQ if ng0 device has detached
Date: Sun, 30 Mar 2008 23:59:59 +0200

Feedback for RELENG_7: I can't reproduce this bug on RELENG_7 currently. I tried mpd4 and mpd5. It seems to be fixed otherwise. I applied this patch anyway and tried to trigger the bug, but it doesn't happen. All is working fine so far!

I'll try this patch on RELENG_6 in the next days. On RELENG_6 I can reproduce this bug for sure.

Boris

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 31 11:07:06 2008
Date: Mon, 31 Mar 2008 11:07:06 GMT
Message-Id: <200803311107.m2VB76eB038998@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/116610   pf    [patch] teach tcpdump(1) to cope with the new-style pf
f kern/117827  pf    [pf] [panic] kernel panic with pf and ng
o kern/120281  pf    [request] lost returning packets to PF for a rdr rule
o kern/122014  pf    [panic] FreeBSD 6.2 panic in pf

6 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
f kern/106400  pf    [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
s conf/110838  pf    tagged parameter on nat not working on FreeBSD 5.2
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/114567  pf    [pf] LOR pf_ioctl.c + if.c
f kern/116645  pf    [request] pfctl -k does not work in securelevel 3
o kern/118355  pf    [pf] [patch] pfctl help message options order false -t
f kern/119661  pf    [pf] "queue (someq, empy_acks)" doesn't work
o kern/120057  pf    [patch] Allow proper settings of ALTQ_HFSC. The check
o kern/121704  pf    [pf] PF mangles loopback packets

11 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Mar 31 14:41:38 2008
Message-ID: <47F0F131.1070904@gmail.com>
Date: Mon, 31 Mar 2008 22:12:01 +0800
From: Ken
To: freebsd-pf@freebsd.org
Subject: How to block Domain

PF how to block domain.

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 31 17:39:49 2008
Message-ID: <20080331122924.20571g6z8gwzu3dw@intranet.encontacto.net>
Date: Mon, 31 Mar 2008 12:29:24 -0500
From: eculp
To: freebsd-pf@freebsd.org
In-Reply-To: <47F0F131.1070904@gmail.com>
Subject: Re: How to block Domain

Quoting Ken :

> PF how to block domain

Outgoing, I assume? Maybe something like the following.

# "block" is a reserved word in pf.conf and cannot be used as a macro name,
# so the macro is called blocked_domains here
blocked_domains = "{ domain.com, domain2.com, domain3.com }"
block out quick from any to $blocked_domains

You can also block addresses and/or address blocks:

addressblock = "{ 207.46.0.0/16 65.55.0.0/16 }"
block out quick from any to $addressblock

good luck,

ed

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 31 18:45:04 2008
Message-ID: <47F12E99.8000805@qwirky.net>
Date: Mon, 31 Mar 2008 14:34:01 -0400
From: Jeff Royle
To: freebsd-pf@freebsd.org
In-Reply-To: <47F0F131.1070904@gmail.com>
Subject: Re: How to block Domain

Ken wrote:
> PF how to block domain.

You could do something like this:

# <restricted> is an assumed table name; the original was lost in the archive
table <restricted> persist file "/path/to/file/restricted"
block in log quick on $ext_if proto { tcp, udp } from <restricted> to any

This way you can just edit the file and add in what you wish to block. Then you simply have to run

pfctl -Tl -f /etc/pf.conf

to load in your additions.
Cheers,
Jeff

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 31 19:18:38 2008
Message-ID: <845c0f80803311151y7fcd3e77r836a5026d76b5179@mail.gmail.com>
Date: Mon, 31 Mar 2008 13:51:34 -0500
From: "Rance Hall"
To: freebsd-pf@freebsd.org
Subject: need help figuring out if pf is right for me.

I've been tasked with writing a firewall script for a client, and I'm looking at pf for the firewall.

So far the only requirement I can't seem to find an example of how to do is to actually script the pf rules from a shell script.

The project entails two pieces: a firewall script, and a config file which is parsed by the firewall script for values for variables.

example:

#!/bin/sh

CONFIG_FILE=/path/to/config

if [ -e "$CONFIG_FILE" ] ; then
    . "$CONFIG_FILE"
else
    echo "$CONFIG_FILE not found" >&2   # (fail miserably)
    exit 1
fi

# pf macro based rules go here

END

The idea being that the same script can be used in multiple places by just changing the config file, and also that there is some job-duty split between the setup of the firewall and the execution of the firewall.

Can I do this with pf in a way that makes at least some sense?
Thanks for your help

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 31 19:34:27 2008
Message-ID: <47F137A2.70400@calarts.edu>
Date: Mon, 31 Mar 2008 12:12:34 -0700
From: Adam Vondersaar
To: freebsd-pf@freebsd.org
Subject: problem with PF tables

I have had a production machine running for 6 months now using PF to block SSH brute force attacks. What seems to happen now is that the table is not staying open and PF cannot add the IP to block. I am curious if anyone has run into such a problem. I am using the expiretable port to clear the tables with a cron job, and here is an excerpt from the pf.conf:

table <bruteforce> persist

block quick from <bruteforce>

pass in log (all) on $ext_if inet proto tcp from any to $ext_if port 22 \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/30, \
    overload <bruteforce> flush global)

-Adam

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 31 19:48:47 2008
From: Elliott Perrin
To: Adam Vondersaar
Cc: freebsd-pf@freebsd.org
In-Reply-To: <47F137A2.70400@calarts.edu>
Date: Mon, 31 Mar 2008 15:46:38 -0400
Message-Id: <1206992798.2108.34.camel@kensho.c7.ca>
Subject: Re: problem with PF tables

On Mon, 2008-03-31 at 12:12 -0700, Adam Vondersaar wrote:
> I have had a production machine running for 6 months now using PF to
> block SSH brute force attacks. What seems to happen now is that the
> table is not staying open and PF can not add the IP to block. I am
> curious if anyone has ran in to such a problem. I am using the
> expiretable port to clear the tables with a cron job and here is an
> excerpt from the pf.conf:
>
> table <bruteforce> persist
>
> block quick from <bruteforce>
>
> pass in log (all) on $ext_if inet proto tcp from any to $ext_if port 22 \
>     flags S/SA keep state \
>     (max-src-conn 10, max-src-conn-rate 3/30, \
>     overload <bruteforce> flush global)
>
> -Adam
>

One problem I think I can see right now is that your rule should maybe be

pass in log quick on $ext_if inet proto tcp from any to $ext_if port 22 flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/30, overload <bruteforce> flush global)

Is there a reason you are not using quick on a rule that creates state such as this?

If you do a

pfctl -t bruteforce -Tshow -vv

do you see recent entries?
(might want to grep on today's / yesterday's date to see when you stopped adding addresses to the table)

I do not know what the limit on table entries is off hand, but you can also quickly see how many addresses are in the table currently by doing

pfctl -t bruteforce -Tshow | wc -l

Again, I don't know what the limits are on the number of entries in a table, but check that and post it, and perhaps if Max sees it he can tell you if you have exceeded the limit.

Cheers,
Elliott Perrin
elliott@c7.a

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 31 19:53:46 2008
Date: Mon, 31 Mar 2008 12:53:45 -0700
From: "Kian Mohageri"
To: "Adam Vondersaar"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <47F137A2.70400@calarts.edu>
Subject: Re: problem with PF tables

On Mon, Mar 31, 2008 at 12:12 PM, Adam Vondersaar wrote:
> I have had a production machine running for 6 months now using PF to
> block SSH brute force attacks. What seems to happen now is that the
> table is not staying open and PF can not add the IP to block. I am
> curious if anyone has ran in to such a problem. I am using the
> expiretable port to clear the tables with a cron job and here is an
> excerpt from the pf.conf:
>

What versions of everything? What is the expiretable line you're using? What do you mean by not "staying open", etc.?

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 31 20:04:49 2008
From: Elliott Perrin
To: Rance Hall
Cc: freebsd-pf@freebsd.org
In-Reply-To: <845c0f80803311151y7fcd3e77r836a5026d76b5179@mail.gmail.com>
Date: Mon, 31 Mar 2008 15:35:59 -0400
Message-Id: <1206992159.2108.23.camel@kensho.c7.ca>
Subject: Re: need help figuring out if pf is right for me.

On Mon, 2008-03-31 at 13:51 -0500, Rance Hall wrote:
> I've been tasked with writing a firewall script for a client, and I'm
> looking at pf for the firewall.
>
> So far the only requirement I can't seem to find an example of how to
> do is to actually script the pf rules from a shell script.
>
> The project entails two pieces. A firewall script, and a config file
> which is parsed by the firewall script for values for variables.
>
> example:
>
> #!/bin/sh
>
> CONFIG_FILE=/path/to/config
>
> if [ -e $CONFIG_FILE ] ; then
>     . $CONFIG_FILE
> else
>     (fail miserably)
> fi
>
> pf macro based rules go here
>
> END
>
> Idea being that the same script can be used multiple places by just
> changing the config file, also that there is some job duty split
> between the setup of the firewall and the execution of the firewall.
>
> Can I do this with pf in a way that makes at least some sense?
>
> Thanks for your help
> _______________________________________________

I am assuming what you are trying to do is have a base template and a script that can modify said template, with the output redirected to /etc/pf.conf.

This is of course more than possible if planned out properly.
With pf's support for variable / macro / table definition in pf.conf, it should be pretty easy to come up with your template structure. At the end of the day it really depends on what each firewall needs to do, but if you have x firewalls all doing the exact same thing it shouldn't be a problem at all.

Cheers,
elliott@c7.ca

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 31 20:16:07 2008
Message-ID: <845c0f80803311316k7a34bf5bq8b1638581a78e53@mail.gmail.com>
Date: Mon, 31 Mar 2008 15:16:05 -0500
From: "Rance Hall"
To: freebsd-pf@freebsd.org
In-Reply-To: <1206992159.2108.23.camel@kensho.c7.ca>
Subject: Re: need help figuring out if pf is right for me.

On 3/31/08, Elliott Perrin wrote:
> On Mon, 2008-03-31 at 13:51 -0500, Rance Hall wrote:
> > I've been tasked with writing a firewall script for a client, and I'm
> > looking at pf for the firewall.
> >
> > So far the only requirement I can't seem to find an example of how to
> > do is to actually script the pf rules from a shell script.
> >
> > The project entails two pieces. A firewall script, and a config file
> > which is parsed by the firewall script for values for variables.
> >
> > example:
> >
> > #!/bin/sh
> >
> > CONFIG_FILE=/path/to/config
> >
> > if [ -e $CONFIG_FILE ] ; then
> >     . $CONFIG_FILE
> > else
> >     (fail miserably)
> > fi
> >
> > pf macro based rules go here
> >
> > END
> >
> > Idea being that the same script can be used multiple places by just
> > changing the config file, also that there is some job duty split
> > between the setup of the firewall and the execution of the firewall.
> >
> > Can I do this with pf in a way that makes at least some sense?
> >
> > Thanks for your help
> > _______________________________________________
>
> I am assuming what you are trying to do is have a base template and a
> script that can modify said template with output redirected
> to /etc/pf.conf.
>
> This is of course more than possible if planned out properly. With pf's
> support for variable / macro / table definition in pf.conf it should be
> pretty easy to come up with your template structure. At the end of the
> day it really depends on what each firewall needs to do, but if you have
> x firewalls all doing the exact same thing it shouldn't be a problem at
> all.
>
> Cheers,
> elliott@c7.ca
>

I found this piece of documentation for freebsd-ipf in the handbook:

#!/bin/sh
# use ONE of the following:
#cat > /etc/ipf.rules << EOF
# or
/sbin/ipf -Fa - << EOF

rules go here

EOF

It looks like the cat option is what you are thinking of: use a script that can recognize macros to create /etc/pf.conf.

But look at the other option: somehow feed the constructed rules into pfctl dynamically as they are "interpreted".

I'm thinking I want the second choice of the two, but this is the early planning stage, so if there is a reason not to do this that's fine.

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 31 22:18:26 2008
From: "Greg Hennessy"
To: "'Rance Hall'"
References: <845c0f80803311151y7fcd3e77r836a5026d76b5179@mail.gmail.com> <1206992159.2108.23.camel@kensho.c7.ca> <845c0f80803311316k7a34bf5bq8b1638581a78e53@mail.gmail.com>
In-Reply-To: <845c0f80803311316k7a34bf5bq8b1638581a78e53@mail.gmail.com>
Date: Mon, 31 Mar 2008 22:53:17 +0100
Message-ID: <000001c89379$a0dccd10$e2966730$@Hennessy@nviz.net>
Subject: RE: need help figuring out if pf is right for me.
> but look at the other option, somehow feed the constructed rules into
> pfctl dynamically as they are "interpreted"

By that statement, you really need to forget everything you know about
IPTables and read the relevant PF documentation, in particular the man
page for pfctl. Unlike other Unix-like operating systems, the man pages
on *BSDs usually contain *all* the information you need to configure
something in an appropriate manner.

Regards
Greg

Message-ID: <47F1735B.9060707@gibfest.dk>
Date: Tue, 01 Apr 2008 01:27:23 +0200
From: Thomas Rasmussen
To: freebsd-pf@freebsd.org
Subject: pftop 0.7 in ports ?

Gentlemen,

Any plans to update pftop in ports to 0.7 ?

http://www.eee.metu.edu.tr/~canacar/pftop/ says:
Changes in version 0.7:
This version adds state filtering......

It would be very nice to have that on FreeBSD as well.

Thank you in advance.

Thomas
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Tue, 1 Apr 2008 14:24:25 +0200
References: <47F1735B.9060707@gibfest.dk>
In-Reply-To: <47F1735B.9060707@gibfest.dk>
Message-Id: <200804011424.25499.max@love2party.net>
Subject: Re: pftop 0.7 in ports ?

On Tuesday 01 April 2008 01:27:23 Thomas Rasmussen wrote:
> Any plans to update pftop in ports to 0.7 ?
>
> http://www.eee.metu.edu.tr/~canacar/pftop/ says:
> Changes in version 0.7:
> This version adds state filtering......
>
> It would be very nice to have that on FreeBSD as well.

I'll have a go at it, stay tuned.
--
 /"\  Best regards,                      | mlaier@freebsd.org
 \ /  Max Laier                          | ICQ #67774661
  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
 / \  ASCII Ribbon Campaign              | Against HTML Mail and News
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Tue, 1 Apr 2008 15:20:04 +0200
References: <47F1735B.9060707@gibfest.dk> <200804011424.25499.max@love2party.net>
In-Reply-To: <200804011424.25499.max@love2party.net>
Message-Id: <200804011520.04872.max@love2party.net>
Subject: Re: pftop 0.7 in ports ?

On Tuesday 01 April 2008 14:24:25 Max Laier wrote:
> On Tuesday 01 April 2008 01:27:23 Thomas Rasmussen wrote:
> > Any plans to update pftop in ports to 0.7 ?
> >
> > http://www.eee.metu.edu.tr/~canacar/pftop/ says:
> > Changes in version 0.7:
> > This version adds state filtering......
> >
> > It would be very nice to have that on FreeBSD as well.
>
> I'll have a go at it, stay tuned.

Here you go, please test.
Content-Disposition: attachment; filename="pftop-0.7.diff"

Index: Makefile =================================================================== RCS file: /usr/store/mlaier/fcvs/ports/sysutils/pftop/Makefile,v retrieving revision 1.9 diff -u -r1.9 Makefile --- Makefile 8 Sep 2007 18:14:51 -0000 1.9 +++ Makefile 1 Apr 2008 13:07:02 -0000 @@ -6,7 +6,7 @@ # PORTNAME= pftop -PORTVERSION= 0.6 +PORTVERSION= 0.7 CATEGORIES= sysutils net MASTER_SITES= http://www.eee.metu.edu.tr/~canacar/ DISTNAME= ${PORTNAME}-${PORTVERSION} @@ -45,6 +45,10 @@ post-patch: @${REINPLACE_CMD} -e 's||"${FILESDIR}/queue.h"|g' \ ${WRKSRC}/engine.c + @${REINPLACE_CMD} -e 's|__dead|__dead2|g' ${WRKSRC}/sf-gencode.h + @${REINPLACE_CMD} -e 's|__dead|__dead2|g' ${WRKSRC}/sf-gencode.c + @${REINPLACE_CMD} -e 's|#include ||g' \ + ${WRKSRC}/sf-gencode.c do-install: ${INSTALL_PROGRAM} ${WRKSRC}/pftop ${PREFIX}/sbin Index: distinfo =================================================================== RCS file: /usr/store/mlaier/fcvs/ports/sysutils/pftop/distinfo,v retrieving revision 1.6 diff -u -r1.6 distinfo --- distinfo 8 Sep 2007 18:14:51 -0000 1.6 +++ distinfo 1 Apr 2008 12:31:34 -0000
@@ -1,3 +1,3 @@ -MD5 (pftop-0.6.tar.gz) = c84fb960d36e9a9271c211c98efae062 -SHA256 (pftop-0.6.tar.gz) = bc6e9f93405b6a941074e4e5454adb56c63e24b3def4660d32c826237a8faaba -SIZE (pftop-0.6.tar.gz) = 26236 +MD5 (pftop-0.7.tar.gz) = 2fdef1e3fffc38ae40f27aa2dfdcf6fc +SHA256 (pftop-0.7.tar.gz) = afde859fab77597e4aae1ef6b87f1bb26a5ad8cb2b1d7316a12e5098153492af +SIZE (pftop-0.7.tar.gz) = 59765 Index: files/patch-ab =================================================================== RCS file: files/patch-ab diff -N files/patch-ab --- files/patch-ab 29 Jan 2006 04:44:00 -0000 1.3 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,29 +0,0 @@ -*** pftop.c.orig Tue Jan 10 21:06:14 2006 ---- pftop.c Sat Jan 21 04:47:06 2006 -*************** -*** 2215,2226 **** - tb_print_fromto(&pr->src, &pr->dst, pr->af, pr->proto); - #ifdef HAVE_RULE_UGID - if (pr->uid.op) - tb_print_ugid(pr->uid.op, pr->uid.uid[0], pr->uid.uid[1], -! "user", UID_MAX); - if (pr->gid.op) - tb_print_ugid(pr->gid.op, pr->gid.gid[0], pr->gid.gid[1], -! "group", GID_MAX); - #endif - - if (pr->flags || pr->flagset) { - tbprintf(" flags "); ---- 2215,2226 ---- - tb_print_fromto(&pr->src, &pr->dst, pr->af, pr->proto); - #ifdef HAVE_RULE_UGID - if (pr->uid.op) - tb_print_ugid(pr->uid.op, pr->uid.uid[0], pr->uid.uid[1], -! "user", UINT_MAX); - if (pr->gid.op) - tb_print_ugid(pr->gid.op, pr->gid.gid[0], pr->gid.gid[1], -! "group", UINT_MAX); - #endif - - if (pr->flags || pr->flagset) { - tbprintf(" flags "); Index: files/patch-pftop.c =================================================================== RCS file: files/patch-pftop.c diff -N files/patch-pftop.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-pftop.c 1 Apr 2008 13:16:05 -0000 
@@ -0,0 +1,40 @@ +*** pftop.c.orig 2007-11-07 07:36:46.000000000 +0100 +--- pftop.c 2008-04-01 15:14:04.666339681 +0200 +*************** +*** 1570,1579 **** + #ifdef HAVE_RULE_UGID + if (pr->uid.op) + tb_print_ugid(pr->uid.op, pr->uid.uid[0], pr->uid.uid[1], +! "user", UID_MAX); + if (pr->gid.op) + tb_print_ugid(pr->gid.op, pr->gid.gid[0], pr->gid.gid[1], +! "group", GID_MAX); + #endif + + if (pr->flags || pr->flagset) { +--- 1570,1579 ---- + #ifdef HAVE_RULE_UGID + if (pr->uid.op) + tb_print_ugid(pr->uid.op, pr->uid.uid[0], pr->uid.uid[1], +! "user", UINT_MAX); + if (pr->gid.op) + tb_print_ugid(pr->gid.op, pr->gid.gid[0], pr->gid.gid[1], +! "group", UINT_MAX); + #endif + + if (pr->flags || pr->flagset) { +*************** +*** 1765,1771 **** +--- 1765,1776 ---- + strerror(errno)); + return (-1); + } ++ #ifdef PFALTQ_FLAG_IF_REMOVED ++ if (pa.altq.qid > 0 && ++ !(pa.altq.local_flags & PFALTQ_FLAG_IF_REMOVED)) { ++ #else + if (pa.altq.qid > 0) { ++ #endif + pq.nr = nr; + pq.ticket = pa.ticket; + pq.buf = &qstats; Index: files/patch-sf-scanner.l =================================================================== RCS file: files/patch-sf-scanner.l diff -N files/patch-sf-scanner.l --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-sf-scanner.l 1 Apr 2008 12:57:21 -0000 
@@ -0,0 +1,19 @@ +*** sf-scanner.l.orig 2007-11-07 07:34:18.000000000 +0100 +--- sf-scanner.l 2008-04-01 14:48:15.639616549 +0200 +*************** +*** 233,239 **** + size_t len = strlen(yytext) * 4 + 1; + char *v = malloc(len); + if (v != NULL) +! strnvis(v, yytext, len, 0); + sf_error("illegal token: %s", v); + free(v); + } +--- 233,239 ---- + size_t len = strlen(yytext) * 4 + 1; + char *v = malloc(len); + if (v != NULL) +! strvis(v, yytext, 0); + sf_error("illegal token: %s", v); + free(v); + }
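Review bot: in the Makefile post-patch hunk, `s|__dead|__dead2|g` is applied with the global flag to both sf-gencode.h and sf-gencode.c, so any `__dead2` already present in those files would be rewritten to `__dead22`; anchoring the pattern on the following whitespace (e.g. `s|__dead\([[:space:]]\)|__dead2\1|g`) or checking the distfile for existing `__dead2` uses avoids that. The third added expression reads `s|#include ||g`, and the existing expression above it reads `s||"${FILESDIR}/queue.h"|g`; as shown, the first would strip every `#include` from sf-gencode.c and the second is an empty-regex error, so the angle-bracketed header names that the archive appears to have dropped should be confirmed in the committed Makefile.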
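Review bot: removing files/patch-ab is safe because the first hunk of the new files/patch-pftop.c carries the same UID_MAX/GID_MAX to UINT_MAX substitution at the 0.7 line numbers (1570-1579 in place of 2215-2226); nothing else from the old patch is lost, which is worth stating in the commit log so the deletion is not mistaken for dropping a fix.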
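Review bot: in the second hunk of files/patch-pftop.c the PFALTQ_FLAG_IF_REMOVED test is spliced into the `if` condition across an #ifdef/#else/#endif, which leaves the opening brace duplicated in both branches; it compiles, but any later change to the condition has to be made twice and the structure is easy to misread. Computing a `skip` flag under #ifdef beforehand and keeping a single `if (pa.altq.qid > 0 && !skip) {` is clearer. Also worth confirming that a queue skipped this way still advances whatever counter `nr` indexes (`pq.nr = nr;` sits inside the guarded block), so the queue numbering displayed stays aligned with the kernel's list after an interface disappears.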
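Review bot: replacing the bounded `strnvis(v, yytext, len, 0)` with `strvis(v, yytext, 0)` in files/patch-sf-scanner.l is safe only because `len` is `strlen(yytext) * 4 + 1`, the documented worst-case expansion of vis(3), so the unbounded call cannot overrun the malloc'd buffer; a one-line comment saying so would stop someone from later shrinking `len`. The hunk also leaves an existing problem in place: when malloc fails, `v` is NULL and is still passed to `sf_error("illegal token: %s", v)`, so the NULL check should cover the sf_error call as well, or the error should be reported without the token text.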
From: Silver Salonen
To: freebsd-pf@freebsd.org
Date: Tue, 1 Apr 2008 16:42:40 +0300
References: <47F1735B.9060707@gibfest.dk> <200804011424.25499.max@love2party.net> <200804011520.04872.max@love2party.net>
In-Reply-To: <200804011520.04872.max@love2party.net>
Message-Id: <200804011642.40992.silver@ultrasoft.ee>
Subject: Re: pftop 0.7 in ports ?

On Tuesday 01 April 2008 16:20, Max Laier wrote:
> On Tuesday 01 April 2008 14:24:25 Max Laier wrote:
> > On Tuesday 01 April 2008 01:27:23 Thomas Rasmussen wrote:
> > > Any plans to update pftop in ports to 0.7 ?
> > >
> > > http://www.eee.metu.edu.tr/~canacar/pftop/ says:
> > > Changes in version 0.7:
> > > This version adds state filtering......
> > >
> > > It would be very nice to have that on FreeBSD as well.
> >
> > I'll have a go at it, stay tuned.
>
> Here you go, please test.
Works for me on FreeBSD-7.0 :)

--
Silver

Message-ID: <47F2507A.1000407@gibfest.dk>
Date: Tue, 01 Apr 2008 17:10:50 +0200
From: Thomas Rasmussen
To: freebsd-pf@freebsd.org
References: <47F1735B.9060707@gibfest.dk> <200804011424.25499.max@love2party.net> <200804011520.04872.max@love2party.net> <200804011642.40992.silver@ultrasoft.ee>
In-Reply-To: <200804011642.40992.silver@ultrasoft.ee>
Subject: Re: pftop 0.7 in ports ?

> On Tuesday 01 April 2008 16:20, Max Laier wrote:
>> On Tuesday 01 April 2008 14:24:25 Max Laier wrote:
>>> On Tuesday 01 April 2008 01:27:23 Thomas Rasmussen wrote:
>>>> Any plans to update pftop in ports to 0.7 ?
>>>>
>>>> http://www.eee.metu.edu.tr/~canacar/pftop/ says:
>>>> Changes in version 0.7:
>>>> This version adds state filtering......
>>>>
>>>> It would be very nice to have that on FreeBSD as well.
>>>
>>> I'll have a go at it, stay tuned.
>>
>> Here you go, please test.
>
> Works for me on FreeBSD-7.0 :)

Works for me as well! :)

Thank you very much for the quick reply, and for all your work with pf
for FreeBSD.

When can we expect to see this in ports ?
Best regards
Thomas
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Tue, 1 Apr 2008 17:15:41 +0200
References: <47F1735B.9060707@gibfest.dk> <200804011642.40992.silver@ultrasoft.ee> <47F2507A.1000407@gibfest.dk>
In-Reply-To: <47F2507A.1000407@gibfest.dk>
Message-Id: <200804011715.41522.max@love2party.net>
Subject: Re: pftop 0.7 in ports ?

On Tuesday 01 April 2008 17:10:50 Thomas Rasmussen wrote:
> When can we expect to see this in ports ?

went in seconds before you hit send ;)

mlaier      2008-04-01 15:10:35 UTC

  FreeBSD ports repository (src committer)

  Modified files:
    sysutils/pftop       Makefile distinfo
  Added files:
    sysutils/pftop/files patch-pftop.c patch-sf-scanner.l
  Removed files:
    sysutils/pftop/files patch-ab
  Log:
  Update to 0.7 - adds state display filters.  While here also add a patch
  to support dynamic ALTQ (by ignoring INACTIVE queues).
  Approved by:  flz

Date: Wed, 2 Apr 2008 08:57:39 +1300
In-Reply-To: <200804011715.41522.max@love2party.net>
References: <47F1735B.9060707@gibfest.dk> <200804011642.40992.silver@ultrasoft.ee> <47F2507A.1000407@gibfest.dk> <200804011715.41522.max@love2party.net>
From: "Mark Pagulayan"
To: "Max Laier"
Subject: RE: pftop 0.7 in ports ?

Hi,

I have checked this link for the pftop-0.7
ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/sysutils/

But no luck, where can I get the pftop-0.7 version for freebsd 7.0?

Cheers,
Mark
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

Date: Tue, 1 Apr 2008 22:26:18 -0700 (PDT)
From: Diego Salvador
To: freebsd-pf@freebsd.org
Message-ID: <88224.68960.qm@web57401.mail.re1.yahoo.com>
Subject: PF and State Table

To Whom It May Concern:

Hi! Can someone explain the details of how the PF state table stores the
stateful filtering option "keep state"? I know this will be used and
applied to the TCP, UDP and ICMP/ICMPv6 protocols for stateful filtering.
When I use this "keep state" option, it is said that it can help in
optimizing firewall rules, because rules will no longer be evaluated when
that information is already stored in the table.

Is it only the IP addresses (source->destination or destination->source)
that are being kept in the state table? If so, does the source-destination
direction of the entries matter? What about TCP and its flags? How does
PF store them in the state table? Is there any varying performance if we
specify TCP flags with keep state, as compared to TCP with keep state but
without flags? For example,

pass in on $ext_if inet proto TCP from any to 192.168.100.1 keep state
pass in on $ext_if inet proto TCP from any to 192.168.100.1 keep state flags S/SA

Which file in PF on the FreeBSD kernel is the state table structure
located in?

Thank you!

Sincerely Yours,
Diego Salvador

Date: Tue, 1 Apr 2008 23:39:10 -0700
From: Jeremy Chadwick
To: Diego Salvador
Cc: freebsd-pf@freebsd.org
Message-ID: <20080402063910.GA36819@eos.sc1.parodius.com>
References: <88224.68960.qm@web57401.mail.re1.yahoo.com>
In-Reply-To: <88224.68960.qm@web57401.mail.re1.yahoo.com>
Subject: Re: PF and State Table

On Tue, Apr 01, 2008 at 10:26:18PM -0700, Diego Salvador wrote:
> Hi! Can someone explain the details of how the PF state table stores
> the stateful filtering option "keep state"? I know this will be used
> and applied to the TCP, UDP and ICMP/ICMPv6 protocols for stateful
> filtering. When I use this "keep state" option, it is said that it can
> help in optimizing firewall rules, because rules will no longer be
> evaluated when that information is already stored in the table. Is it
> only the IP addresses (source->destination or destination->source)
> that are being kept in the state table? If so, does the
> source-destination direction of the entries matter? What about TCP and
> its flags? How does PF store them in the state table? Is there any
> varying performance if we specify TCP flags with keep state, as
> compared to TCP with keep state but without flags? For example,
>
> pass in on $ext_if inet proto TCP from any to 192.168.100.1 keep state
> pass in on $ext_if inet proto TCP from any to 192.168.100.1 keep state flags S/SA

I think what you're asking is how pf actually keeps track of state, and
how pf rules define when to start tracking state.
Looking at the above two rules you provided, the rule #1 would cause any inbound TCP packets destined to 192.168.100.1 to cause pf to begin tracking state -- that means, any TCP packet, with any TCP flags set (including bogus packets which might set FIN+PSH at the same time, or other oddities). This is somewhat risky, because you really don't want to waste a state entry on something that's half-way in the middle of a TCP session (well, I suppose you could, but it seems insecure. You should track state from the point of an initial connection to the end of it -- see below). Rule #2, however, would do the same thing -- except would only begin tracking state when TCP SYN is seen (and only looking at the SYN and ACK flags in the TCP header). This is more along the lines of what you want. The state tracking stuff actually causes pf to monitor each state of a TCP session, ensuring that responses to certain TCP states (that the sender or receiver has sent/received) are correct -- and simultaneously uses the state table to permit packets through. Neither of those rules, however, handle state for UDP or ICMP. They're stateless protocols, but pf does keep track of when the UDP connection closes (or times out after a while), and the same with ICMP. > What file in PF on FreeBSD kernel does state table structure is located? I don't understand this question. -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. 
From owner-freebsd-pf@FreeBSD.ORG Wed Apr 2 08:07:52 2008
From: David DeSimone
To: freebsd-pf@freebsd.org
Mail-Followup-To: freebsd-pf@freebsd.org
Date: Wed, 2 Apr 2008 03:07:40 -0500
Message-ID: <20080402080740.GA2396@verio.net>
References: <88224.68960.qm@web57401.mail.re1.yahoo.com> <20080402063910.GA36819@eos.sc1.parodius.com>
In-Reply-To: <20080402063910.GA36819@eos.sc1.parodius.com>
User-Agent: Mutt/1.5.9i
Subject: Re: PF and State Table

Jeremy Chadwick wrote:
>
> This is somewhat risky, because you really don't want to waste a state
> entry on something that's half-way in the middle of a TCP session
> (well, I suppose you could, but it seems insecure.

It's more than just insecure; it can cause breakage of TCP connections, especially in a world where RFC 1323 is commonplace (i.e. today's world). If PF starts tracking state from the middle of a connection, it has missed out on discovering what TCP window scaling factors are in use. If there happens to be no scaling in use, it works fine, but if a scale factor is being applied, PF will not track the state correctly, and the connection will stall out.

> > What file in PF on FreeBSD kernel does state table structure is
> > located?
>
> I don't understand this question.

I think the question is asking for details on how PF state is stored in memory. I found a very nice struct pf_state in /usr/include/net/pfvar.h.

-- 
David DeSimone == Network Admin == fox@verio.net
"This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free. Thank you." --Lawyer Bot 6000

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 2 08:21:34 2008
Message-ID: <47F34123.1000301@nviz.net>
Date: Wed, 02 Apr 2008 09:17:39 +0100
From: Greg Hennessy
To: Mark Pagulayan
Cc: freebsd-pf@freebsd.org
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
References: <47F1735B.9060707@gibfest.dk> <200804011642.40992.silver@ultrasoft.ee> <47F2507A.1000407@gibfest.dk> <200804011715.41522.max@love2party.net>
Subject: Re: pftop 0.7 in ports ?

Mark Pagulayan wrote:
> Hi,
>
> I have checked this link for the pftop-0.7
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/sysutils/
>
> But no luck, where can I get the pftop-0.7 version for freebsd 7.0?
>

The same place as everyone else.

--->  Listing the results (+:done / -:ignored / *:skipped / !:failed)
        + sysutils/pftop (pftop-0.6)
        + devel/glib20 (glib-2.16.1_2)
--->  Packages processed: 2 done, 0 ignored, 0 skipped and 0 failed
--->  Session ended at: Wed, 02 Apr 2008 09:11:48 +0100 (consumed 00:12:32)

Time for you to figure out how the ports system works.

Regards
Greg

> Cheers,
>
> Mark
>
> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org]
> On Behalf Of Max Laier
> Sent: Wednesday, 2 April 2008 4:16 a.m.
> To: freebsd-pf@freebsd.org
> Subject: Re: pftop 0.7 in ports ?
>
> On Tuesday 01 April 2008 17:10:50 Thomas Rasmussen wrote:
>
>> When can we expect to see this in ports ?
>>
>
> went in seconds before you hit send ;)
>
> mlaier 2008-04-01 15:10:35 UTC
>
> FreeBSD ports repository (src committer)
>
> Modified files:
>   sysutils/pftop        Makefile distinfo
> Added files:
>   sysutils/pftop/files  patch-pftop.c patch-sf-scanner.l
> Removed files:
>   sysutils/pftop/files  patch-ab
> Log:
> Update to 0.7 - adds state display filters. While here also add a patch
> to support dynamic ALTQ (by ignoring INACTIVE queues).
>
> Approved by: flz
>

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 2 09:07:49 2008
Date: Wed, 2 Apr 2008 01:55:05 -0700 (PDT)
From: Diego Salvador
To: koitsu@freebsd.org
Cc: freebsd-pf@freebsd.org
Message-ID: <699482.47278.qm@web57409.mail.re1.yahoo.com>
Subject: Fwd: Re: PF and State Table

Note: forwarded message attached.

Date: Wed, 2 Apr 2008 00:56:10 -0700 (PDT)
From: Diego Salvador
Subject: Re: PF and State Table
To: Jeremy Chadwick
In-Reply-To: <20080402063910.GA36819@eos.sc1.parodius.com>

Sir Jeremy,

Thanks for the immediate reply sharing your good ideas! Yes, you are right! I was asking how PF keeps track of the state when used in filtering rules. So, when keeping track of the state, is the basis of the state tracking the source and destination IP address, regardless of the direction, either in or out of a certain interface? For example,

pass in on $ext_if inet proto tcp from any to 192.168.100.1 keep state flags S/SA
pass out on $ext_if inet proto tcp from 192.168.100.1 to any keep state flags S/SA

wherein the first rule will keep a state in the state table, and another state is kept in the table even though the same upper layer protocol, TCP, is being kept track of?

I'm sorry about that question; I was referring to the source code of PF in FreeBSD, where I can locate the PF state table structure so that I can analyze the code well in order to understand its framework.

Thank you!

Sincerely Yours,
Diego Salvador

Jeremy Chadwick wrote:

On Tue, Apr 01, 2008 at 10:26:18PM -0700, Diego Salvador wrote:
> Hi! Can someone explain the details of how the PF state table stores the stateful filtering option "keep state"? I know this will be used and applied to the TCP, UDP and ICMP/ICMPv6 protocols for stateful filtering. Because when I use this "keep state" option, it is said that it can help in optimizing firewall rules, since rules will no longer be evaluated when that information is already stored in the table. Is it only the IP addresses (source->destination or destination->source) that are being kept in the state table? If so, does the IP address source-destination direction of the entries matter? What about TCP and its flags? How does PF store it in the state table? Is there any varying performance if we specify TCP flags with keep state as compared to TCP with keep state but without flags? For example,
>
> pass in on $ext_if inet proto TCP from any to 192.168.100.1 keep state
> pass in on $ext_if inet proto TCP from any to 192.168.100.1 keep state flags S/SA

I think what you're asking is how pf actually keeps track of state, and how pf rules define when to start tracking state.

Looking at the above two rules you provided, rule #1 would cause any inbound TCP packet destined to 192.168.100.1 to make pf begin tracking state -- that means any TCP packet, with any TCP flags set (including bogus packets which might set FIN+PSH at the same time, or other oddities). This is somewhat risky, because you really don't want to waste a state entry on something that's half-way in the middle of a TCP session (well, I suppose you could, but it seems insecure. You should track state from the point of an initial connection to the end of it -- see below).

Rule #2, however, would do the same thing -- except it would only begin tracking state when a TCP SYN is seen (and only looking at the SYN and ACK flags in the TCP header). This is more along the lines of what you want. The state tracking stuff actually causes pf to monitor each state of a TCP session, ensuring that responses to certain TCP states (that the sender or receiver has sent/received) are correct -- and simultaneously uses the state table to permit packets through.

Neither of those rules, however, handles state for UDP or ICMP. They're stateless protocols, but pf does keep track of when the UDP connection closes (or times out after a while), and the same with ICMP.

> In what file in PF on the FreeBSD kernel is the state table structure located?

I don't understand this question.
-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 2 09:53:59 2008
Date: Wed, 2 Apr 2008 02:53:57 -0700 (PDT)
From: Diego Salvador
To: fox@verio.net
Cc: freebsd-pf@freebsd.org
Message-ID: <684548.87924.qm@web57414.mail.re1.yahoo.com>
Subject: Re: PF and State Table

Sir David,

So you mean to say that it is really required for pf rules to specify TCP flags when used with keep state? Because this seems to relate to my previous problem with the PF firewall, which causes a problem browsing the Google and Youtube web sites with Windows Vista nodes behind PF. Example rules for the node are

pass in on $ext_if inet from any to 192.168.100.1
pass out on $ext_if inet from 192.168.100.1 to any keep state

where 192.168.100.1 is a Windows Vista node behind a FreeBSD PF firewall. As you can see in the above rules, I didn't specify any specific protocols like TCP, UDP and ICMP, so TCP here just uses the "keep state" option without flags. The Google and Youtube sites seem to not continue displaying web pages, but I can see that the connections were established between the Windows Vista node and the Google and Youtube sites.

Yes, that's what I'm looking for, the file where I can analyze the PF state table in the source code.

Thanks,
Diego Salvador

> > This is somewhat risky, because you really don't want to waste a state
> > entry on something that's half-way in the middle of a TCP session
> > (well, I suppose you could, but it seems insecure.
>
> It's more than just insecure; it can cause breakage of TCP connections, especially in a world where RFC 1323 is commonplace (i.e. today's world). If PF starts tracking state from the middle of a connection, it has missed out on discovering what TCP window scaling factors are in use. If there happens to be no scaling in use, it works fine, but if a scale factor is being applied, PF will not track the state correctly, and the connection will stall out.
>
> > > What file in PF on FreeBSD kernel does state table structure is
> > > located?
> >
> > I don't understand this question.
>
> I think the question is asking for details on how PF state is stored in memory. I found a very nice struct pf_state in /usr/include/net/pfvar.h.

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 2 09:59:41 2008
Date: Wed, 2 Apr 2008 02:59:41 -0700
From: Jeremy Chadwick
To: Diego Salvador
Cc: fox@verio.net, freebsd-pf@freebsd.org
Message-ID: <20080402095941.GA43510@eos.sc1.parodius.com>
References: <684548.87924.qm@web57414.mail.re1.yahoo.com>
In-Reply-To: <684548.87924.qm@web57414.mail.re1.yahoo.com>
User-Agent: Mutt/1.5.17 (2007-11-01)
Subject: Re: PF and State Table

On Wed, Apr 02, 2008 at 02:53:57AM -0700, Diego Salvador wrote:
> pass out on $ext_if inet from 192.168.100.1 to any keep state

This rule is going to break the things David mentioned; RFC1323 (window size negotiation) for example. You're going to be creating a new state table entry for every outbound packet (TCP, UDP, ICMP), and for TCP, regardless of what TCP state.

Also, ensure that you don't have any rules **below** that rule which might override the behaviour (you're not using "quick" on that rule).

Otherwise: you should use flags S/SA on that statement, but that adds ambiguity in regards to UDP and ICMP. Thus, I'd recommend you use this instead (you can remove "inet" unless you really want to limit to IPv4 packets):

pass out quick on $ext_if inet proto tcp all flags S/SA keep state
pass out quick on $ext_if inet proto udp all keep state
pass out quick on $ext_if inet proto icmp all keep state

> where 192.168.100.1 is a Windows Vista node behind a FreeBSD PF firewall. As you
> can see in the above rules, I didn't specify any specific protocols like TCP, UDP
> and ICMP, so TCP here just uses the "keep state" option without flags. The Google and
> Youtube sites seem to not continue displaying web pages, but I can see that the
> connections were established between the Windows Vista node and the Google and Youtube
> sites.

And I bet you have a large number of state-mismatch entries in pfctl -s info, which are likely caused by the above problem.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 2 12:59:19 2008
Message-Id: <200804021259.m32CxI3U071076@lava.sentex.ca>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Wed, 02 Apr 2008 08:57:14 -0400
To: freebsd-pf@freebsd.org
From: Mike Tancsa
Subject: carp between RELENG_6 and RELENG_7

Does anyone know if there are any issues running a pair of FreeBSD boxes, one RELENG_6 and one RELENG_7, in carp failover? Are there any compatibility issues?

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 2 16:58:54 2008
Date: Wed, 2 Apr 2008 09:29:10 -0700
From: Adam Richards
To: FREEBSD-PF
Message-ID: <20080402162910.GA49320@avertech.net>
User-Agent: Mutt/1.4.2.3i
X-Operating-System: FreeBSD/7.0-RELEASE (i386)
X-GPG-Key: https://www.avertech.net/public/adam-gpg.asc (0x0BA2643B)
X-GPG-Fingerprint: 37A8 0950 DF94 097E C49C AE1B C97E 54BC 0BA2 643B
Subject: newstyle ftp-proxy and localhost connections

Hi,

I have a problem getting ftp-proxy to work for connections *originating* from the machine running ftp-proxy (the firewall itself). Presently I have ftp-proxy working just fine for client connections being forwarded *through* my firewall; but how do I get ftp to work with the firewall as the client? For example, when I do a cvsup of /usr/src to upgrade the firewall?

My firewall is running FreeBSD 7.0-RELEASE, NATing to the Internet via cable modem (bridging mode -- terminating the public IP on my firewall itself), ALTQ'ing on my Internet-facing iface, and blocking all outbound connections by default and only allowing out explicitly defined protocols/ports. Nothing terribly special or unique IMHO.

I would like to somehow direct *all* ftp traffic, both from clients I'm forwarding for as well as the firewall itself, through ftp-proxy without entering into a logic loop. Opening up ephemeral ports for ftp-data is not an option. :)

Here's a small snippet of my /etc/pf.conf (if this isn't enough, I'm happy to supply additional pf.conf details to provide more context, if needed):

++++++++++++++++++++++++++++++++++++++++++++++++++++++++
EXT_if = bge0
LAN_if = em0
LO0_if = lo0

table persist { \
    $EXT_if \
    $LAN_if \
}
[...]
FTP_proxy = $EXT_if
[...]
EXT_net = $EXT_if:network
LAN_net = $LAN_if:network
LO0_net = $LO0_if:network

table persist { \
    $LAN_net \
    $EXT_if \
}
[...]
GENERAL_TCP_out = "{ \
    domain, ntp, sds, sip, sip-tls, rdp, 2703 \
}"
MAIL_out = "{ smtp, imaps, pop3s, mailq }"
HTTP_out = "{ http, https, 8080 }"
SSH_ports = "{ ssh, 2222:2226 }"
CVSUP_ports = "{ cvsup }"
TCP_VPN_ports = "{ https, 1194:1195 }"
[...]
set debug urgent
set loginterface $EXT_if
set loginterface $LAN_if
# to get inbound synproxy to work I had to do this:
set state-policy if-bound
[...]
scrub in on $EXT_if all fragment reassemble
[...]
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $LAN_if \
    proto tcp \
    from $LAN_net \
    to any port ftp \
    -> $LO0_if port 8021
nat on $EXT_if inet from $LAN_net to any -> ($EXT_if)
[...]
block log (to pflog0) all
block log (to pflog1) quick from [...]
# (in my pass out filter rules for $EXT_if, I do not specify ftp
# or ftp-data since I expect all outgoing ftp connections to be
# handled by user proxy running ftp-proxy; thus I install
# ftp-proxy filter rules *after* my $EXT_if filter rules
[...]
anchor "ftp-proxy/*"
pass out \
    inet proto tcp \
    from $FTP_proxy \
    to any port ftp \
    flags S/SA modulate state \
    user { proxy } \
    queue(Q_transfers, Q_ack) \
    label "ftpproxy_to_all - $proto:$dstport ->"
pass on $LO0_if
# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Thanks in advance for any insight or help you can provide! :)

-- 
Adam Richards
e:adam@avertech.net | k:0x0BA2643B

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 2 19:16:24 2008
Message-ID: <47F3D787.4030407@b2e.co.za>
Date: Wed, 02 Apr 2008 20:59:19 +0200
From: Pyuesh Daya Organization: Beginning 2 End Technologies (Pty) Ltd User-Agent: Thunderbird 2.0.0.12 (X11/20080227) MIME-Version: 1.0 To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Canit-CHI2: 0.00 X-Bayes-Prob: 0.0001 (Score 0, tokens from: @@RPTN) X-Spam-Score: 0.00 () [Tag at 6.50] X-CanItPRO-Stream: default X-Canit-Stats-ID: 1042092 - 9e4aee855370 X-Antispam-Training-Forget: http://spamfilter.b2e.co.za/canit/b.php?i=1042092&m=9e4aee855370&c=f X-Antispam-Training-Nonspam: http://spamfilter.b2e.co.za/canit/b.php?i=1042092&m=9e4aee855370&c=n X-Antispam-Training-Spam: http://spamfilter.b2e.co.za/canit/b.php?i=1042092&m=9e4aee855370&c=s X-Scanned-By: CanIt (www . roaringpenguin . com) on 192.168.20.133 Subject: Filtering Rules Bases on MAC Address X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: pyueshd@b2e.co.za List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Apr 2008 19:16:24 -0000

Hi Guys,

I used to do MAC address filtering with iptables on a Linux box. Since moving to FreeBSD with PF, everything is working except for the MAC address filtering. Is this possible to do with PF in FreeBSD? Please advise.
-- Regards Pyuesh Daya Beginning 2 End Technologies (Pty) Ltd Tel : +27 861 223 223 Fax : +27 866 741 600 Cell: +27 82 777 9983 E-Mail: pyueshd@b2e.co.za WebSite: http://www.b2e.co.za From owner-freebsd-pf@FreeBSD.ORG Wed Apr 2 20:33:57 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 17895106566C for ; Wed, 2 Apr 2008 20:33:57 +0000 (UTC) (envelope-from m.pagulayan@auckland.ac.nz) Received: from mailhost.auckland.ac.nz (moe.its.auckland.ac.nz [130.216.12.35]) by mx1.freebsd.org (Postfix) with ESMTP id A7D9A8FC13 for ; Wed, 2 Apr 2008 20:33:56 +0000 (UTC) (envelope-from m.pagulayan@auckland.ac.nz) Received: from localhost (localhost.localdomain [127.0.0.1]) by mailhost.auckland.ac.nz (Postfix) with ESMTP id 3ACCB48070B; Thu, 3 Apr 2008 09:33:55 +1300 (NZDT) X-Virus-Scanned: by amavisd-new at mailhost.auckland.ac.nz Received: from mailhost.auckland.ac.nz ([127.0.0.1]) by localhost (moe.its.auckland.ac.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id THr+O3UaYFlM; Thu, 3 Apr 2008 09:33:54 +1300 (NZDT) Received: from UXCHANGE2.UoA.auckland.ac.nz (uxcn2.itss.auckland.ac.nz [130.216.190.119]) by mailhost.auckland.ac.nz (Postfix) with ESMTP id 984A64806EC; Thu, 3 Apr 2008 09:33:53 +1300 (NZDT) Received: from UXCHANGE1.UoA.auckland.ac.nz ([130.216.190.118]) by UXCHANGE2.UoA.auckland.ac.nz with Microsoft SMTPSVC(6.0.3790.1830); Thu, 3 Apr 2008 09:33:30 +1300 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: quoted-printable Date: Thu, 3 Apr 2008 09:33:28 +1300 Message-ID: In-Reply-To: <684548.87924.qm@web57414.mail.re1.yahoo.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: PF and State Table Thread-Index: AciUqhzCzqq4/JzkTs67UBTfXdfdYAAVms5A References: <684548.87924.qm@web57414.mail.re1.yahoo.com> 
From: "Mark Pagulayan" To: "Diego Salvador" , X-OriginalArrivalTime: 02 Apr 2008 20:33:30.0644 (UTC) FILETIME=[D03FCD40:01C89500] Cc: freebsd-pf@freebsd.org Subject: RE: PF and State Table X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Apr 2008 20:33:57 -0000

Hi,

What pf version are you using? Correct me if I am wrong, guys: on PF 4.1, which is the release version of pf on FreeBSD 7.0, when you specify keep state, the flag S/A is implied?

Cheers,

Mark

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Diego Salvador
Sent: Wednesday, 2 April 2008 10:54 p.m.
To: fox@verio.net
Cc: freebsd-pf@freebsd.org
Subject: Re: PF and State Table

Sir David,

So you mean to say that it is really required for pf rules to specify TCP flags when used with keep state? Because this seems to relate to my previous problem with the PF firewall that causes a problem browsing the Google and YouTube web sites with Windows Vista nodes behind PF. Example rules for the node are

pass in on $ext_if inet from any to 192.168.100.1
pass out on $ext_if inet from 192.168.100.1 to any keep state

where 192.168.100.1 is a Windows Vista node behind a FreeBSD PF firewall. As you can see in the above rules, I didn't specify any specific protocols like TCP, UDP and ICMP, so TCP here just uses the "keep state" option without flags. The Google and YouTube sites seem to not continue displaying web pages, but I can see that the connections were established between the Windows Vista node and the Google and YouTube sites.

Yes, that's what I'm looking for, the file where I can analyze the PF state table in the source code.

Thanks,
Diego Salvador

> > This is somewhat risky, because you really don't want to waste a state
> > entry on something that's half-way in the middle of a TCP session
> > (well, I suppose you could, but it seems insecure.

It's more than just insecure; it can cause breakage of TCP connections, especially in a world where RFC 1323 is commonplace (i.e. today's world). If PF starts tracking state from the middle of a connection, it has missed out on discovering what TCP window scaling factors are in use. If there happens to be no scaling in use, it works fine, but if a scale factor is being applied, PF will not track the state correctly, and the connection will stall out.

> > What file in PF on FreeBSD kernel does state table structure is
> > located?
>
> I don't understand this question.
I think the question is asking for details on how PF state is stored in memory. I found a very nice struct pf_state in /usr/include/net/pfvar.h.

---------------------------------
Tired of spam? Yahoo! Mail has the best spam protection around
http://ph.mail.yahoo.com

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 2 23:47:27 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 113F9106566C for ; Wed, 2 Apr 2008 23:47:27 +0000 (UTC) (envelope-from bill.marquette@gmail.com) Received: from an-out-0708.google.com (an-out-0708.google.com [209.85.132.240]) by mx1.freebsd.org (Postfix) with ESMTP id B91118FC1C for ; Wed, 2 Apr 2008 23:47:26 +0000 (UTC) (envelope-from bill.marquette@gmail.com) Received: by an-out-0708.google.com with SMTP id c14so792223anc.13 for ; Wed, 02 Apr 2008 16:47:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=wsKlb8Uszjuc/2UQOuouWVjDvA8Qih0/88ZBjwsIHdM=; b=aplIS9VrwyoQNLiWmO8v+78Q+5ZOQvIhOvANhZ35tVwmgEuB4ahvkltBQ/fNxgaQ/8O7UH8wMM5psNJfSd+DmWXtZ4V6itX+YOsoYT4hDX98L+ltrkTzPKu+AaIUtAbOj3NT3ARx2Zte/euQQP1nfLGVIK/SKtV+8qA/535ND60= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=iRh1q5ae8gZ8cw4ijCUNL3LQJxdJeqrHaFzLObWQIv5c0/bcAJkG2q8J7f2SqIfOUvawzBYZR/YGUodJobxVLuInpiNhA+MENS221+MWaB6/78IhuQounTety5FQpjqs9YE+6ExiHwMDKxO6bZUOUbVBDUvYum2sm2Ou55YND/8= Received: by 10.100.255.17
with SMTP id c17mr24117790ani.37.1207180045808; Wed, 02 Apr 2008 16:47:25 -0700 (PDT) Received: by 10.100.254.13 with HTTP; Wed, 2 Apr 2008 16:47:25 -0700 (PDT) Message-ID: <55e8a96c0804021647sa108cfm56d87884c3a08f5c@mail.gmail.com> Date: Wed, 2 Apr 2008 18:47:25 -0500 
From: "Bill Marquette" To: "Mike Tancsa" In-Reply-To: <200804021259.m32CxI3U071076@lava.sentex.ca> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <200804021259.m32CxI3U071076@lava.sentex.ca> Cc: freebsd-pf@freebsd.org Subject: Re: carp between RELENG_6 and RELENG_7 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Apr 2008 23:47:27 -0000 On Wed, Apr 2, 2008 at 7:57 AM, Mike Tancsa wrote: > Does anyone know if there are there any issues running a pair of FreeBSD > boxes, one RELENG_6 and one RELENG_7 in carp failover ? Are there any > compatibility issues ? I believe the pfsync protocol version (and corresponding struct) changed between these two releases. If the lack of state synchronization can be lived with (ie. it's a high availability address for a service, not a firewall), you should have no other issues with CARP. 
--Bill From owner-freebsd-pf@FreeBSD.ORG Thu Apr 3 01:35:10 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EAF89106566B for ; Thu, 3 Apr 2008 01:35:10 +0000 (UTC) (envelope-from m.pagulayan@auckland.ac.nz) Received: from mailhost.auckland.ac.nz (curly.its.auckland.ac.nz [130.216.12.33]) by mx1.freebsd.org (Postfix) with ESMTP id 899E48FC1D for ; Thu, 3 Apr 2008 01:35:09 +0000 (UTC) (envelope-from m.pagulayan@auckland.ac.nz) Received: from localhost (localhost.localdomain [127.0.0.1]) by mailhost.auckland.ac.nz (Postfix) with ESMTP id 5478A9C662; Thu, 3 Apr 2008 14:35:07 +1300 (NZDT) X-Virus-Scanned: by amavisd-new at mailhost.auckland.ac.nz Received: from mailhost.auckland.ac.nz ([127.0.0.1]) by localhost (curly.its.auckland.ac.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KKwyZT4G4ddo; Thu, 3 Apr 2008 14:35:07 +1300 (NZDT) Received: from UXCHANGE2.UoA.auckland.ac.nz (uxcn2.itss.auckland.ac.nz [130.216.190.119]) by mailhost.auckland.ac.nz (Postfix) with ESMTP id ACB2F9C669; Thu, 3 Apr 2008 14:35:06 +1300 (NZDT) Received: from UXCHANGE1.UoA.auckland.ac.nz ([130.216.190.118]) by UXCHANGE2.UoA.auckland.ac.nz with Microsoft SMTPSVC(6.0.3790.1830); Thu, 3 Apr 2008 14:34:20 +1300 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: quoted-printable Date: Thu, 3 Apr 2008 14:34:18 +1300 Message-ID: In-Reply-To: <47F34123.1000301@nviz.net> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: pftop 0.7 in ports ? Thread-Index: AciUm1aw2tBteFIOQ6+tT5FRb6DLAgAj1s/w References: <47F1735B.9060707@gibfest.dk><200804011642.40992.silver@ultrasoft.ee><47F2507A.1000407@gibfest.dk> <200804011715.41522.max@love2party.net> <47F34123.1000301@nviz.net> 
From: "Mark Pagulayan" To: "Greg Hennessy" X-OriginalArrivalTime: 03 Apr 2008 01:34:20.0557 (UTC) FILETIME=[D6D5F3D0:01C8952A] Cc: freebsd-pf@freebsd.org Subject: RE: pftop 0.7 in ports ? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Apr 2008 01:35:11 -0000

Hi guys,

Thanks for the help. I was able to update my ports and install the new version of pftop.

Cheers,

Mark

-----Original Message-----
From: Greg Hennessy [mailto:Greg.Hennessy@nviz.net]
Sent: Wednesday, 2 April 2008 9:18 p.m.
To: Mark Pagulayan
Cc: freebsd-pf@freebsd.org
Subject: Re: pftop 0.7 in ports ?

Mark Pagulayan wrote:
> Hi,
>
> I have checked this link for the pftop-0.7
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/sysutils/
>
> But no luck, where can I get the pftop-0.7 version for freebsd 7.0?
>

The same place as everyone else.

---> Listing the results (+:done / -:ignored / *:skipped / !:failed)
    + sysutils/pftop (pftop-0.6)
    + devel/glib20 (glib-2.16.1_2)
---> Packages processed: 2 done, 0 ignored, 0 skipped and 0 failed
---> Session ended at: Wed, 02 Apr 2008 09:11:48 +0100 (consumed 00:12:32)

Time for you to figure out how the ports system works.

Regards
Greg

> Cheers,
>
> Mark
>
> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org]
> On Behalf Of Max Laier
> Sent: Wednesday, 2 April 2008 4:16 a.m.
> To: freebsd-pf@freebsd.org
> Subject: Re: pftop 0.7 in ports ?
>
> On Tuesday 01 April 2008 17:10:50 Thomas Rasmussen wrote:
>
>> When can we expect to see this in ports ?
>>
>
> went in seconds before you hit send ;)
>
> mlaier 2008-04-01 15:10:35 UTC
>
> FreeBSD ports repository (src committer)
>
> Modified files:
> sysutils/pftop Makefile distinfo
> Added files:
> sysutils/pftop/files patch-pftop.c patch-sf-scanner.l
> Removed files:
> sysutils/pftop/files patch-ab
> Log:
> Update to 0.7 - adds state display filters. While here also add a
> patch
> to support dynamic ALTQ (by ignoring INACTIVE queues).
>
> Approved by: flz
>

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 3 01:47:51 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 07AD8106564A for ; Thu, 3 Apr 2008 01:47:51 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [64.7.153.18]) by mx1.freebsd.org (Postfix) with ESMTP id BE0688FC15 for ; Thu, 3 Apr 2008 01:47:50 +0000 (UTC) (envelope-from mike@sentex.net) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by smarthost1.sentex.ca (8.14.2/8.14.2) with ESMTP id m331lnKG095768; Wed, 2 Apr 2008 21:47:49 -0400 (EDT) (envelope-from mike@sentex.net) Received: from mdt-xp.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.13.8/8.13.3) with ESMTP id m331lnUX074256 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 2 Apr 2008 21:47:49 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <200804030147.m331lnUX074256@lava.sentex.ca> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Wed, 02 Apr 2008 21:45:46 -0400 To: "Bill Marquette"
From: Mike Tancsa In-Reply-To: <55e8a96c0804021647sa108cfm56d87884c3a08f5c@mail.gmail.com> References: <200804021259.m32CxI3U071076@lava.sentex.ca> <55e8a96c0804021647sa108cfm56d87884c3a08f5c@mail.gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Cc: freebsd-pf@freebsd.org Subject: Re: carp between RELENG_6 and RELENG_7 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Apr 2008 01:47:51 -0000 At 07:47 PM 4/2/2008, Bill Marquette wrote: >I believe the pfsync protocol version (and corresponding struct) >changed between these two releases. If the lack of state >synchronization can be lived with (ie. it's a high availability >address for a service, not a firewall), you should have no other >issues with CARP. Thanks, this is just for an internal router, so no pf rules/states! 
---Mike From owner-freebsd-pf@FreeBSD.ORG Thu Apr 3 04:17:09 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 550C1106564A for ; Thu, 3 Apr 2008 04:17:09 +0000 (UTC) (envelope-from kian.mohageri@gmail.com) Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.181]) by mx1.freebsd.org (Postfix) with ESMTP id 0D3398FC23 for ; Thu, 3 Apr 2008 04:17:08 +0000 (UTC) (envelope-from kian.mohageri@gmail.com) Received: by py-out-1112.google.com with SMTP id u52so4246854pyb.10 for ; Wed, 02 Apr 2008 21:17:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=mZsPDlgsIrWyBgLc5ffWb94ni1IRoXPF87AfPtp9+ZM=; b=BEJbfUrLefamH+hmB7UtqLGZ6hDiMFZ1T//C1xs+3+O5jUmsmQrGevisVAKer4SjjmI2AgSllISLTY+WSm9Sl+CVMxENE8aKR0+vcRjTyyX/wc/Hf3zC2L8W6EE8Dp68ew+Or90GL284M2erL0JD6zcCmKj3EsygpGluJAzF4oI= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=q7DVEuC4pjqscjKTiwGvVH6CNBEvlaJm1ep9vayBWgoI2+8v2rYoNtfLaWzFF8+vSHsPnKh8ZXigbSevY2pQ6CHwbjS9QVTpfIFyQElBTWrzgR0UOBPsXv6oC6NyGhqu008Jq/WZHywFOIiJEPdQoDASJnuqi6Bh5oEbaUWg6Ks= Received: by 10.65.242.7 with SMTP id u7mr21730981qbr.59.1207196227987; Wed, 02 Apr 2008 21:17:07 -0700 (PDT) Received: by 10.65.116.4 with HTTP; Wed, 2 Apr 2008 21:17:07 -0700 (PDT) Message-ID: Date: Wed, 2 Apr 2008 21:17:07 -0700 
From: "Kian Mohageri" To: "Mark Pagulayan" In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <684548.87924.qm@web57414.mail.re1.yahoo.com> Cc: Diego Salvador , fox@verio.net, freebsd-pf@freebsd.org Subject: Re: PF and State Table X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Apr 2008 04:17:09 -0000

On Wed, Apr 2, 2008 at 1:33 PM, Mark Pagulayan wrote:
> Hi,
>
> What pf version are you using? Correct me if I am wrong guys, on PF4.1
> which a the release version of pf on freebsd 7.0 when you specify keep
> state the flag S/A is implied?
>

Correct, and if you leave out 'keep state' entirely, it will apply 'flags S/SA keep state'

e.g.,

kian@alvis:~ > cat pf.conf
pass on em0

kian@alvis:~ > pfctl -vnf pf.conf
pass on em0 all flags S/SA keep state

-Kian

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 3 04:20:26 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 56D2D106564A for ; Thu, 3 Apr 2008 04:20:26 +0000 (UTC) (envelope-from jdc@parodius.com) Received: from mx01.sc1.parodius.com (mx01.sc1.parodius.com [72.20.106.3]) by mx1.freebsd.org (Postfix) with ESMTP id 46B268FC12 for ; Thu, 3 Apr 2008 04:20:26 +0000 (UTC) (envelope-from jdc@parodius.com) Received: by mx01.sc1.parodius.com (Postfix, from userid 1000) id 2B4461CC038; Wed, 2 Apr 2008 21:20:26 -0700 (PDT) Date: Wed, 2 Apr 2008 21:20:26 -0700
From: Jeremy Chadwick To: Kian Mohageri Message-ID: <20080403042026.GA88726@eos.sc1.parodius.com> References: <684548.87924.qm@web57414.mail.re1.yahoo.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.17 (2007-11-01) Cc: Diego Salvador , fox@verio.net, freebsd-pf@freebsd.org Subject: Re: PF and State Table X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Apr 2008 04:20:26 -0000 On Wed, Apr 02, 2008 at 09:17:07PM -0700, Kian Mohageri wrote: > On Wed, Apr 2, 2008 at 1:33 PM, Mark Pagulayan > wrote: > > Hi, > > > > What pf version are you using? Correct me if I am wrong guys, on PF4.1 > > which a the release version of pf on freebsd 7.0 when you specify keep > > state the flag S/A is implied? > > > > Correct, and if you leave out 'keep state' entirely, it will apply > 'flags S/SA keep state' > > e.g., > > kian@alvis:~ > > cat pf.conf > pass on em0 > > kian@alvis:~ > > pfctl -vnf pf.conf > pass on em0 all flags S/SA keep state I'd like to know what exactly happens to UDP and ICMP packets when hitting that rule, since UDP and ICMP don't have such flags. The documentation doesn't really discuss what happens in this case. This is why I solicit having 3 separate rules for each protocol (TCP = flags S/SA keep state, UDP = keep state, ICMP = keep state). -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. 
PGP: 4BD6C0CB | From owner-freebsd-pf@FreeBSD.ORG Thu Apr 3 04:51:06 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 51B9F1065671 for ; Thu, 3 Apr 2008 04:51:06 +0000 (UTC) (envelope-from kian.mohageri@gmail.com) Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.182]) by mx1.freebsd.org (Postfix) with ESMTP id 0C7718FC1C for ; Thu, 3 Apr 2008 04:51:05 +0000 (UTC) (envelope-from kian.mohageri@gmail.com) Received: by py-out-1112.google.com with SMTP id u52so4266696pyb.10 for ; Wed, 02 Apr 2008 21:51:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=TuPhF/lw7J/IFilpPbq89TWataYtxvVvcG16YHms/5g=; b=j4BgMDIcO4ieR2MUDhSHnJp1qWduYlP/9HliEeamQ3A69Si/zzZeN5cqo7vS72q/y64zGLqk9beliFmD5WgXFM2NRkb3yky/x/y1cKy6uXjsgdqGsIJ/NUJngxxAcQKOF4XjQAG89SjQniAz4AF643qyX6a9NNGYOw4UhtLYfGA= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=YuAunCgcBcliihfZZYrdToA3Ek03f/d9HykEX1sRYM9t+vgBoHxmc+nI+4CBP0IMYJWhCmNeKRZrrN+bbBRfPzCncbFpnxGcHMJaTbrk5YveFpd0OFv6iIJrvKV3Cigc5XtlFblkJQZyNoo7ZT1Hp8EQfUBQGvT+rCy0usEEvSk= Received: by 10.65.213.4 with SMTP id p4mr21764564qbq.83.1207198265304; Wed, 02 Apr 2008 21:51:05 -0700 (PDT) Received: by 10.65.116.4 with HTTP; Wed, 2 Apr 2008 21:51:05 -0700 (PDT) Message-ID: Date: Wed, 2 Apr 2008 21:51:05 -0700 
From: "Kian Mohageri" To: "Jeremy Chadwick" In-Reply-To: <20080403042026.GA88726@eos.sc1.parodius.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <684548.87924.qm@web57414.mail.re1.yahoo.com> <20080403042026.GA88726@eos.sc1.parodius.com> Cc: Diego Salvador , fox@verio.net, freebsd-pf@freebsd.org Subject: Re: PF and State Table X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Apr 2008 04:51:06 -0000 On Wed, Apr 2, 2008 at 9:20 PM, Jeremy Chadwick wrote: > > On Wed, Apr 02, 2008 at 09:17:07PM -0700, Kian Mohageri wrote: > > On Wed, Apr 2, 2008 at 1:33 PM, Mark Pagulayan > > wrote: > > > Hi, > > > > > > What pf version are you using? Correct me if I am wrong guys, on PF4.1 > > > which a the release version of pf on freebsd 7.0 when you specify keep > > > state the flag S/A is implied? > > > > > > > Correct, and if you leave out 'keep state' entirely, it will apply > > 'flags S/SA keep state' > > > > e.g., > > > > kian@alvis:~ > > > cat pf.conf > > pass on em0 > > > > kian@alvis:~ > > > pfctl -vnf pf.conf > > pass on em0 all flags S/SA keep state > > I'd like to know what exactly happens to UDP and ICMP packets when > hitting that rule, since UDP and ICMP don't have such flags. The > documentation doesn't really discuss what happens in this case. > > This is why I solicit having 3 separate rules for each protocol (TCP = > flags S/SA keep state, UDP = keep state, ICMP = keep state). > > The flags requirement only applies to TCP, so only the 'keep state' part is applied to UDP/ICMP. 
-Kian From owner-freebsd-pf@FreeBSD.ORG Fri Apr 4 22:50:03 2008 Return-Path: Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E5FC61065670 for ; Fri, 4 Apr 2008 22:50:03 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id A87E48FC15 for ; Fri, 4 Apr 2008 22:50:03 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m34Mo3qa094022 for ; Fri, 4 Apr 2008 22:50:03 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m34Mo3gK094021; Fri, 4 Apr 2008 22:50:03 GMT (envelope-from gnats) Date: Fri, 4 Apr 2008 22:50:03 GMT Message-Id: <200804042250.m34Mo3gK094021@freefall.freebsd.org> To: freebsd-pf@FreeBSD.org From: "Boris S." Cc: Subject: Re: kern/106400: [pf] fatal trap 12 at restart of PF with ALTQ if ng0 device has detached X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: "Boris S." List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Apr 2008 22:50:04 -0000 The following reply was made to PR kern/106400; it has been noted by GNATS. 
From: "Boris S." To: Max Laier Cc: bug-followup@freebsd.org Subject: Re: kern/106400: [pf] fatal trap 12 at restart of PF with ALTQ if ng0 device has detached Date: Sat, 05 Apr 2008 00:48:20 +0200

As I said, the bug was always reproducible on a RELENG_6 server. I applied the patch and now I can kill/restart mpd and pf without a crash. I tried it many times and in random order. My RELENG_7 server has been running this patch for several days now without a problem.

Problem solved! THANK YOU VERY MUCH!

Boris

From owner-freebsd-pf@FreeBSD.ORG Sat Apr 5 11:08:46 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CBF15106566C for ; Sat, 5 Apr 2008 11:08:46 +0000 (UTC) (envelope-from zinovik@kspu.karelia.ru) Received: from mail.kspu.karelia.ru (mail.kspu.karelia.ru [195.209.249.1]) by mx1.freebsd.org (Postfix) with ESMTP id 75F3B8FC17 for ; Sat, 5 Apr 2008 11:08:46 +0000 (UTC) (envelope-from zinovik@kspu.karelia.ru) Received: from localhost (localhost.kspu.karelia.ru [127.0.0.1]) by mail.kspu.karelia.ru (Postfix) with ESMTP id BC023B24789 for ; Sat, 5 Apr 2008 14:46:54 +0400 (MSD) X-Virus-Scanned: amavisd-new at kspu.karelia.ru Received: from mail.kspu.karelia.ru ([127.0.0.1]) by localhost (mail.kspu.karelia.ru [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SJZA8iBJTF7z for ; Sat, 5 Apr 2008 14:46:51 +0400 (MSD) Received: from localhost (unknown [192.168.70.251]) by mail.kspu.karelia.ru (Postfix) with ESMTP id 3E7BAB241F3 for ; Sat, 5 Apr 2008 14:46:51 +0400 (MSD) Date: Sat, 5 Apr 2008 13:42:33 +0400
From: Igor Zinovik To: freebsd-pf@freebsd.org Message-ID: <20080405094233.GA64607@zinovik.kspu.karelia.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r; format=flowed Content-Disposition: inline X-Comment-To: "Igor Zinovik" Subject: pf + NAT + bridge X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 Apr 2008 11:08:46 -0000

Hello, freebsd-pf@ readers.

I'm working with the following setup: we are running a FreeBSD box that is used as an internet access gateway. Currently ipf is used as the firewall package, but I want to switch from ipf to pf. In my opinion the setup is awkward (do not ask why): the machine is acting as a bridge and has to provide access to some internal hosts (e.g. www) from the public internet. The bridge was made to give several trusted networks transparent access to an internal host that holds a database needed by clients in those subnets (also do not ask why a VPN is not implemented). Also, the current ruleset is damn huge and ugly.

            [ Internet ]
                 |
                 |
[ mynetwork ]---[gate]---[ subnet_2 ]
                 |
                 |
            [ subnet_3 ]

I read the docs across the network and understood that pf cannot track states on a bridge (at least on one interface of the bridge). So my question is: can pf handle rdr when the machine is acting as a bridge? My ruleset does not allow access to internal hosts from the public internet. I understood that I have to track state for UDP connections, otherwise pf blocks DNS responses. ftp-proxy also does not work with this setup; I may assume this is because I do not keep state on the internal interface. There are also strange timeouts (up to 20 seconds) with SMTP connections to the mail server, but POP3 works fine.
/etc/pf.conf:

scrub in all

# public services on the web host, redirected to its private address
rdr pass on $ext_if inet proto tcp from any to $www_public_ip port { ssh, www, ftp, ftp-data } -> $www_private_ip
# outgoing FTP from the inside is handed to ftp-proxy on 127.0.0.1:8021
rdr pass on $int_if inet proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# default deny: RST for TCP, silent drop for everything else
block return-rst proto tcp all
block all

# internal side is wide open and stateless; external side filters per service
pass quick on $int_if all
pass out on $ext_if all
pass in quick on $ext_if proto tcp to self port ssh flags S/SA keep state
pass out on $ext_if inet proto udp from any to any port domain keep state
pass in quick on $ext_if proto tcp from any to $www_private_ip port www flags S/SA keep state
pass in quick on $ext_if proto tcp from any to $mail_public_ip port { smtp, pop3, www } flags S/SA keep state
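The state-tracking behaviour argued over in the "PF and State Table" thread above (a keep state rule without flags S/SA letting pf pick a TCP connection up mid-stream, and the window-scaling stall that follows) also decides what the flags S/SA keep state rules in the ruleset just posted actually do. What follows is an added example written for this page, not pf source and not code from any of the list posters: a deliberately simplified Python model of pf's TCP window check. The addresses, initial sequence numbers and segment sizes are constructed, and the check is reduced compared with pf's (no lower sequence bound, and the scale factor is honoured even if only one side sent it).

```python
"""Simplified model of pf's TCP state tracking. Added example for this page,
not pf source; addresses, sequence numbers and sizes below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Segment:
    src: str
    dst: str
    flags: str                    # "S", "SA", "A" or "PA"
    seq: int
    ack: int
    win: int                      # raw 16-bit window field
    length: int = 0               # payload bytes
    wscale: Optional[int] = None  # RFC 1323 option, present only on SYN / SYN-ACK


@dataclass
class Peer:
    seen: bool = False  # has any segment from this peer been tracked yet?
    ack: int = 0        # highest ACK this peer has sent (left edge of its window)
    max_win: int = 0    # largest raw window field this peer has advertised
    wscale: int = 0     # shift this peer applies to its own window field


class TcpState:
    """One tracked connection. require_syn models 'flags S/SA': only a bare SYN
    may create state. Without it (a 'keep state' rule with no flags) any segment
    can create state, i.e. pf picks the connection up mid-stream."""

    def __init__(self, first: Segment, require_syn: bool):
        if require_syn and first.flags != "S":
            raise ValueError("flags S/SA: only a SYN may create state")
        self.peers: Dict[str, Peer] = {first.src: Peer(), first.dst: Peer()}
        self._learn(first)

    def _learn(self, seg: Segment) -> None:
        p = self.peers[seg.src]
        p.seen = True
        p.ack = max(p.ack, seg.ack)
        p.max_win = max(p.max_win, seg.win)
        # Scaling is negotiated only on SYN and SYN/ACK. A state created
        # mid-stream never sees those, so wscale stays 0 (unscaled).
        if "S" in seg.flags and seg.wscale is not None:
            p.wscale = seg.wscale

    def check(self, seg: Segment) -> bool:
        """True if pf (as modelled here) would pass the segment."""
        dst = self.peers[seg.dst]
        if seg.length and dst.seen:
            # Data must fit in the receiver's advertised window scaled by the
            # receiver's own shift. pf's real check also enforces a lower bound
            # and only honours wscale when both sides sent the option.
            if seg.seq + seg.length > dst.ack + (dst.max_win << dst.wscale):
                return False
        self._learn(seg)
        return True


def run(segments: List[Segment], require_syn: bool) -> Tuple[int, int, bool]:
    """Feed segments through one rule. Returns (passed, dropped, state_created)."""
    state: Optional[TcpState] = None
    passed = dropped = 0
    for seg in segments:
        if state is None:
            try:
                state = TcpState(seg, require_syn)
                passed += 1
            except ValueError:
                dropped += 1  # rule did not match and no state exists: blocked
            continue
        if state.check(seg):
            passed += 1
        else:
            dropped += 1
    return passed, dropped, state is not None


CLIENT, SERVER = "10.0.0.5", "203.0.113.10"  # constructed addresses


def scenario(firewall_saw_handshake: bool, require_syn: bool) -> Tuple[int, int, bool]:
    """Client connects with wscale=7; the server then pushes 70 full segments
    (~100 KB) before the client ACKs again. That fits the client's real window
    of 65535 << 7 bytes but not the unscaled 65535 a mid-stream state assumes."""
    cisn, sisn = 1000, 5000
    segs = [
        Segment(CLIENT, SERVER, "S", cisn, 0, 65535, wscale=7),
        Segment(SERVER, CLIENT, "SA", sisn, cisn + 1, 65535, wscale=7),
        Segment(CLIENT, SERVER, "A", cisn + 1, sisn + 1, 65535),
    ]
    segs += [Segment(SERVER, CLIENT, "PA", sisn + 1 + k * 1460, cisn + 1, 65535, 1460)
             for k in range(70)]
    if not firewall_saw_handshake:
        segs = segs[2:]  # pf was (re)loaded after the SYN and SYN/ACK went by
    return run(segs, require_syn)


if __name__ == "__main__":
    print("handshake seen, flags S/SA:", scenario(True, True))
    print("mid-stream, no flags      :", scenario(False, False))
    print("mid-stream, flags S/SA    :", scenario(False, True))
```

The middle scenario is the stall Diego described: the state created from the client's bare ACK passes the first 44 data segments and then drops every later one, because it believes the client's window is 65535 bytes when the client actually advertised 65535 << 7. With flags S/SA on the rule the same mid-stream traffic never creates a state at all, so nothing half-tracked lingers and the client's next fresh handshake is tracked from its SYN. The flags test is what makes the difference, not keep state itself, which is why a rule that has neither ends up with pf's default of flags S/SA keep state for TCP while UDP and ICMP, which carry no flags, simply get state on the first packet.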