From owner-freebsd-pf@FreeBSD.ORG Mon May 5 11:07:10 2008
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 5 May 2008 11:07:09 GMT
Message-Id: <200805051107.m45B79NL070792@freefall.freebsd.org>
List-Id: "Technical discussion and general questions about packet filter (pf)"
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/116610   pf    [patch] teach tcpdump(1) to cope with the new-style pf
o kern/120281  pf    [request] lost returning packets to PF for a rdr rule
o kern/122014  pf    [panic] FreeBSD 6.2 panic in pf

5 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
s conf/110838  pf    tagged parameter on nat not working on FreeBSD 5.2
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/114567  pf    [pf] LOR pf_ioctl.c + if.c
f kern/116645  pf    [request] pfctl -k does not work in securelevel 3
o kern/118355  pf    [pf] [patch] pfctl help message options order false -t
o kern/120057  pf    [patch] Allow proper settings of ALTQ_HFSC. The check
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to

10 problems total.
From owner-freebsd-pf@FreeBSD.ORG Tue May 6 10:03:45 2008
From: "Vitaliy Vladimirovich"
To: freebsd-pf@freebsd.org
Date: Tue, 06 May 2008 12:47:24 +0300
Subject: dst_addr and subdomains

Hi!

How can I specify dst_addr in my rule for all subdomains of a server, e.g. example1.server.com, example2.server.com and so on? Something like this:

pass out on sk0 inet proto tcp from $MY_LAN to *.example.org port www

From owner-freebsd-pf@FreeBSD.ORG Tue May 6 10:06:58 2008
Date: Tue, 6 May 2008 03:06:58 -0700
From: Jeremy Chadwick
To: Vitaliy Vladimirovich
Cc: freebsd-pf@freebsd.org
Message-ID: <20080506100658.GA3813@eos.sc1.parodius.com>
Subject: Re: dst_addr and subdomains

On Tue, May 06, 2008 at 12:47:24PM +0300, Vitaliy Vladimirovich wrote:
> Hi!
> How can I specify dst_addr in my rule for all subdomains of server. E.g. example1.server.com, example2.server.com and so on.
>
> Something like this:
>
> pass out on sk0 inet proto tcp from $MY_LAN to *.example.org port www

What you want is basically a layer 7 filter -- pf does not do that.

If all the machines within *.example.org are within a specific network block (e.g. 20.30.40.0/24), then you can use that CIDR netblock instead of *.example.org in your above example. But you cannot use wildcards for domains. All hostnames given as a dst/src address will be resolved first.

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Tue May 6 23:39:06 2008
From: "Ansar Mohammed"
Date: Tue, 6 May 2008 19:14:02 -0400
Message-ID: <03b201c8afce$e0325d60$a0971820$@com>
Subject: DCE-RPC

Hello All,

Does pf have any higher level application inspection capability such as RPC filtering based on UUID?

From owner-freebsd-pf@FreeBSD.ORG Wed May 7 07:39:32 2008
Message-ID: <48215CB4.7060907@nviz.net>
Date: Wed, 07 May 2008 08:39:32 +0100
From: Greg Hennessy
To: Ansar Mohammed
Cc: freebsd-pf@freebsd.org
In-Reply-To: <03b201c8afce$e0325d60$a0971820$@com>
Subject: Re: DCE-RPC

Ansar Mohammed wrote:
> Hello All,
>
> Does pf have any higher level application inspection capability such as RPC
> filtering based on UUID?
>

No, that is layer 7 style 'deep packet inspection' (tm) voodoo.

Greg

From owner-freebsd-pf@FreeBSD.ORG Wed May 7 17:34:03 2008
From: "Ansar Mohammed"
Date: Wed, 7 May 2008 13:34:00 -0400
Message-ID: <004f01c8b068$89c89350$9d59b9f0$@com>
Subject: UDP weirdness

I have a very simple configuration yet I am bemused as to what I am doing wrong.

Windows 2003   <-      FreeBSD-PF      ->   Windows 2003
192.168.3.2        192.168.3.1  192.168.2.2      192.168.2.130

Here are my rules:

ext_if="le0"
int_if="le1"
int_net="192.168.3.0/24"
ext_net="192.168.2.0/24"
int_addr="192.168.3.1"
ext_addr="192.168.2.2"

scrub on $ext_if all reassemble tcp
scrub on $int_if all reassemble tcp

block in log all
pass in proto icmp from any to any
pass in proto udp from any to any port 53
pass in on $ext_if inet proto tcp from any to any port 3389

DNS traffic is allowed through, but the return packet gets blocked. Can anyone explain why?

This is true on ALL UDP traffic; TCP traffic works well.

Pflog message:

065276 rule 0/0(match): block in on le1: 192.168.3.2.53 > 192.168.2.130.3837: [|domain]

From owner-freebsd-pf@FreeBSD.ORG Wed May 7 17:55:23 2008
From: "Kevin K"
To: "'Ansar Mohammed'"
In-Reply-To: <004f01c8b068$89c89350$9d59b9f0$@com>
Date: Wed, 7 May 2008 13:54:17 -0400
Message-ID: <005101c8b06b$5f0743c0$1d15cb40$@com>
Subject: RE: UDP weirdness

Try pass out proto udp from any to any port 53

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Ansar Mohammed
> Sent: Wednesday, May 07, 2008 1:34 PM
> To: freebsd-pf@freebsd.org
> Subject: UDP weirdness
>
> I have a very simple configuration yet I am bemused as to what I am doing wrong.
>
> Windows 2003   <-      FreeBSD-PF      ->   Windows 2003
> 192.168.3.2        192.168.3.1  192.168.2.2      192.168.2.130
>
> Here are my rules
>
> ext_if="le0"
> int_if="le1"
> int_net="192.168.3.0/24"
> ext_net="192.168.2.0/24"
> int_addr="192.168.3.1"
> ext_addr="192.168.2.2"
> scrub on $ext_if all reassemble tcp
> scrub on $int_if all reassemble tcp
> block in log all
> pass in proto icmp from any to any
> pass in proto udp from any to any port 53
> pass in on $ext_if inet proto tcp from any to any port 3389
>
> DNS traffic is allowed through, but the return packet gets blocked. Can anyone explain why?
> This is true on ALL UDP traffic; TCP traffic works well.
>
> Pflog message:
>
> 065276 rule 0/0(match): block in on le1: 192.168.3.2.53 > 192.168.2.130.3837: [|domain]

From owner-freebsd-pf@FreeBSD.ORG Wed May 7 20:34:44 2008
From: "Ansar Mohammed"
To: "'Kevin K'"
In-Reply-To: <005101c8b06b$5f0743c0$1d15cb40$@com>
Date: Wed, 7 May 2008 16:34:40 -0400
Message-ID: <008b01c8b081$c74692e0$55d3b8a0$@com>
Subject: RE: UDP weirdness

Ok, so adding the line as you suggested worked.
Thanks Kevin.

But why do I need to have both entries in for

pass in proto udp from any to any port 53
pass out proto udp from any to any port 53

what makes UDP so special?

> -----Original Message-----
> From: Kevin K [mailto:kkutzko@teksavvy.com]
> Sent: May 7, 2008 1:54 PM
> To: 'Ansar Mohammed'; freebsd-pf@freebsd.org
> Subject: RE: UDP weirdness
>
> Try pass out proto udp from any to any port 53
>
> > -----Original Message-----
> > From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Ansar Mohammed
> > Sent: Wednesday, May 07, 2008 1:34 PM
> > To: freebsd-pf@freebsd.org
> > Subject: UDP weirdness
> >
> > I have a very simple configuration yet I am bemused as to what I am doing wrong.
> >
> > Windows 2003   <-      FreeBSD-PF      ->   Windows 2003
> > 192.168.3.2        192.168.3.1  192.168.2.2      192.168.2.130
> >
> > Here are my rules
> >
> > ext_if="le0"
> > int_if="le1"
> > int_net="192.168.3.0/24"
> > ext_net="192.168.2.0/24"
> > int_addr="192.168.3.1"
> > ext_addr="192.168.2.2"
> > scrub on $ext_if all reassemble tcp
> > scrub on $int_if all reassemble tcp
> > block in log all
> > pass in proto icmp from any to any
> > pass in proto udp from any to any port 53
> > pass in on $ext_if inet proto tcp from any to any port 3389
> >
> > DNS traffic is allowed through, but the return packet gets blocked. Can anyone explain why?
> > This is true on ALL UDP traffic; TCP traffic works well.
> >
> > Pflog message:
> >
> > 065276 rule 0/0(match): block in on le1: 192.168.3.2.53 > 192.168.2.130.3837: [|domain]

From owner-freebsd-pf@FreeBSD.ORG Wed May 7 20:50:13 2008
Message-ID: <482215F4.1080806@quis.cx>
Date: Wed, 07 May 2008 22:49:56 +0200
From: Jille
To: Ansar Mohammed
Cc: freebsd-pf@freebsd.org
In-Reply-To: <008b01c8b081$c74692e0$55d3b8a0$@com>
Subject: Re: UDP weirdness

Ansar Mohammed wrote:
> Ok, so adding the line as you suggested worked.
> Thanks Kevin.
>
> But why do I need to have both entries in for
>
> pass in proto udp from any to any port 53
> pass out proto udp from any to any port 53
>
> what makes UDP so special?

UDP is stateless.
With TCP you've got a connection (identified by: local host:port and remote host:port).
With UDP, well, you just throw the packets over the line, and hope there is (still) someone on the other end.

So there is (almost) no way to detect whether packets are responses to each other.

-- Jille

From owner-freebsd-pf@FreeBSD.ORG Wed May 7 20:54:26 2008
From: "Ansar Mohammed"
To: "'Jille'"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <482215F4.1080806@quis.cx>
Date: Wed, 7 May 2008 16:54:22 -0400
Message-ID: <00a401c8b084$87da9540$978fbfc0$@com>
Subject: RE: UDP weirdness

But I thought pf would be tracking state?
Isn't that the whole point of stateful firewalls?

> -----Original Message-----
> From: Jille [mailto:jille@quis.cx]
> Sent: May 7, 2008 4:50 PM
> To: Ansar Mohammed
> Cc: 'Kevin K'; freebsd-pf@freebsd.org
> Subject: Re: UDP weirdness
>
> Ansar Mohammed wrote:
> > Ok, so adding the line as you suggested worked.
> > Thanks Kevin.
> >
> > But why do I need to have both entries in for
> >
> > pass in proto udp from any to any port 53
> > pass out proto udp from any to any port 53
> >
> > what makes UDP so special?
> UDP is stateless.
> With TCP you've got a connection (identified by: local host:port and
> remote host:port).
> With UDP, well, you just throw the packets over the line, and hope there
> is (still) someone on the other end.
>
> So there is (almost) no way to detect whether packets are responses to
> each other.
>
> -- Jille

From owner-freebsd-pf@FreeBSD.ORG Wed May 7 20:56:58 2008
From: "Kevin K"
To: "'Ansar Mohammed'", "'Jille'"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <00a401c8b084$87da9540$978fbfc0$@com>
Date: Wed, 7 May 2008 16:56:54 -0400
Message-ID: <006c01c8b084$e1d82670$a5887350$@com>
Subject: RE: UDP weirdness

You cannot track state of stateless protocols such as UDP.

> -----Original Message-----
> From: Ansar Mohammed [mailto:ansarm@gmail.com]
> Sent: Wednesday, May 07, 2008 4:54 PM
> To: 'Jille'
> Cc: 'Kevin K'; freebsd-pf@freebsd.org
> Subject: RE: UDP weirdness
>
> But I thought pf would be tracking state?
> Isn't that the whole point of stateful firewalls?
>
> > -----Original Message-----
> > From: Jille [mailto:jille@quis.cx]
> > Sent: May 7, 2008 4:50 PM
> > To: Ansar Mohammed
> > Cc: 'Kevin K'; freebsd-pf@freebsd.org
> > Subject: Re: UDP weirdness
> >
> > Ansar Mohammed wrote:
> > > Ok, so adding the line as you suggested worked.
> > > Thanks Kevin.
> > >
> > > But why do I need to have both entries in for
> > >
> > > pass in proto udp from any to any port 53
> > > pass out proto udp from any to any port 53
> > >
> > > what makes UDP so special?
> > UDP is stateless.
> > With TCP you've got a connection (identified by: local host:port and
> > remote host:port).
> > With UDP, well, you just throw the packets over the line, and hope there
> > is (still) someone on the other end.
> >
> > So there is (almost) no way to detect whether packets are responses to
> > each other.
> >
> > -- Jille

From owner-freebsd-pf@FreeBSD.ORG Wed May 7 21:01:27 2008
Message-ID: <139b44430805071401h664fe840r541afa063b7fe0ca@mail.gmail.com>
Date: Thu, 8 May 2008 00:01:24 +0300
From: "Valentin Bud"
To: "Kevin K"
Cc: freebsd-pf@freebsd.org
Subject: Re: UDP weirdness
In-Reply-To: <006c01c8b084$e1d82670$a5887350$@com>

From the pf FAQ (http://www.openbsd.org/faq/pf/filter.html#pass):

"One will sometimes hear it said that, "One can not create state with UDP as UDP is a stateless protocol!" While it is true that a UDP communication session does not have any concept of state (an explicit start and stop of communications), this does not have any impact on PF's ability to create state for a UDP session. In the case of protocols without "start" and "end" packets, PF simply keeps track of how long it has been since a matching packet has gone through. If the timeout is reached, the state is cleared. The timeout values can be set in the options section of the pf.conf file."

On Wed, May 7, 2008 at 11:56 PM, Kevin K wrote:
> You cannot track state of stateless protocols such as UDP.
>
> > -----Original Message-----
> > From: Ansar Mohammed [mailto:ansarm@gmail.com]
> > Sent: Wednesday, May 07, 2008 4:54 PM
> > To: 'Jille'
> > Cc: 'Kevin K'; freebsd-pf@freebsd.org
> > Subject: RE: UDP weirdness
> >
> > But I thought pf would be tracking state?
> > Isn't that the whole point of stateful firewalls?
> >
> > [earlier quoted text from Jille's reply omitted here; it appears in full above]

--
Kind Regards,
Valentin Bud
www.syk.ro
www.spreadbsd.org/aff/86/1
www.spreadbsd.org/aff/86/2
valentin [dot] bud [at] gmail [dot] com
valentin [dot] bud [at] dep [dot] upt [dot] ro

From owner-freebsd-pf@FreeBSD.ORG Wed May 7 21:14:14 2008
Message-ID: <139b44430805071348x4b20f4b0oe281eaf61380f046@mail.gmail.com>
Date: Wed, 7 May 2008 23:48:47 +0300
From: "Valentin Bud"
To: freebsd-pf
Subject: proftpd and pf weirdness

Hello to you all,

Last week I've begun to have a problem with a HUAWEI E220 HSDPA modem when connecting to a proftpd server. The first thing I want to mention is that what I'll describe here only happens when I connect from that modem.

First of all, the topology of the servers:

ISP----[bridged modem]-----[FreeBSD mpd4+pf]----[FreeBSD proftpd]

The pf rules that redirect traffic to proftpd:

rdr pass on $EXT_IF proto tcp from any to $EXT_IF port 21 -> $DMZ_HOST port 21
rdr pass on $EXT_IF proto tcp from any to $EXT_IF port 59000:59100 -> $DMZ_HOST port 59000:59100

DMZ_HOST (192.168.1.2) is the FreeBSD 6.2-RELEASE-p6 box that runs ProFTPD Version 1.3.1; no firewall is running on DMZ_HOST.

Here is the relevant output that the server gives when the ftp session is closed:

12.34.56.78 (213.233.102.254[213.233.102.254]) - Entering Passive Mode (192,168,1,2,230,167).
12.34.56.78 (213.233.102.254[213.233.102.254]) - dispatching POST_CMD command 'PASV' to mod_sql
12.34.56.78 (213.233.102.254[213.233.102.254]) - dispatching LOG_CMD command 'PASV' to mod_sql
12.34.56.78 (213.233.102.254[213.233.102.254]) - dispatching LOG_CMD command 'PASV' to mod_log
12.34.56.78 (213.233.102.254[213.233.102.254]) - FTP session closed.

tcpdump output from the [mpd4+pf] box:

14:04:58.299572 AF IPv4 (2), length 94: 12.34.56.78.21 > 213.233.102.254.40437: P 261:311(50) ack 92 win 65535
        0x0000:  4500 005a be9c 4000 3f06 0f55 597a d74a  E..Z..@.?..UYz.J
        0x0010:  d5e9 66fe 0015 9df5 2ded 1879 01dc 346b  ..f.....-..y..4k
        0x0020:  5018 ffff aea7 0000 3232 3720 456e 7465  P.......227.Ente
        0x0030:  7269 6e67 2050 6173 7369 7665 204d 6f64  ring.Passive.Mod
        0x0040:  6520 2831 3932 2c31 3638 2c31 2c32 2c32  e.(192,168,1,2,2
        0x0050:  3330 2c31 3637 292e 0d0a                 30,167)...
14:04:58.348823 AF IPv4 (2), length 94: 213.233.102.254.40437 > 12.34.56.78.21: R 92:142(50) ack 261 win 65535
        0x0000:  4500 005a be9c 4000 2806 2655 d5e9 66fe  E..Z..@.(.&U..f.
        0x0010:  597a d74a 9df5 0015 01dc 346b 2ded 1879  Yz.J......4k-..y
        0x0020:  5014 ffff aeab 0000 3232 3720 456e 7465  P.......227.Ente
        0x0030:  7269 6e67 2050 6173 7369 7665 204d 6f64  ring.Passive.Mod
        0x0040:  6520 2831 3932 2c31 3638 2c31 2c32 2c32  e.(192,168,1,2,2
        0x0050:  3330 2c31 3637 292e 0d0a                 30,167)...

The last snippet from tcpdump shows (as far as I know) that the Huawei modem sends an R (reset) and that the server, before that reset, sends the PASV port answer. If I am not right please correct me.

The PPP connection made from the modem receives an IP from the 172.16/12 private range, which gets NATed to the 213.* IP seen in the logs. If it matters, the modem is from Vodafone. I will attach the proftpd config file.

I think that Vodafone does some check on packets and it doesn't like that the connection to the ftp server passes through the [mpd4+pf] box. Configuring proftpd on the [mpd4+pf] box works like a charm. This is a viable solution but I want to find out what happens.

Any hints to dig further are more than welcome. Thank you.

PS: the 12.34.56.78 IP is bogus to protect my server's identity; everything else is copy-pasted from server output.
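An added decode of the two packets above (example code written for this page, not from the post or from tcpdump): it parses tcpdump's hex column, extracts the IPv4/TCP fields and checks what Valentin describes, namely that the second packet is the first one with endpoints and sequence numbers swapped, RST set and the same 227 payload, and it also reads out the advertised PASV endpoint. The embedded hex is a constructed copy of the post's dump with the server's address bytes replaced by the 12.34.56.78 placeholder the author used in the text, so the header checksums are not verified.

```python
"""Decode the two tcpdump -x packets from the proftpd post and compare them.

Constructed sample: the post's two dumps with the server's address bytes replaced
by 0c22384e (12.34.56.78, the placeholder used in the text), so the IP and TCP
checksums no longer verify and are deliberately not checked.
"""
import re
from typing import Dict, Optional, Tuple

SERVER_TO_CLIENT = """
0x0000:  4500 005a be9c 4000 3f06 0f55 0c22 384e  E..Z..@.?..U."8N
0x0010:  d5e9 66fe 0015 9df5 2ded 1879 01dc 346b  ..f.....-..y..4k
0x0020:  5018 ffff aea7 0000 3232 3720 456e 7465  P.......227.Ente
0x0030:  7269 6e67 2050 6173 7369 7665 204d 6f64  ring.Passive.Mod
0x0040:  6520 2831 3932 2c31 3638 2c31 2c32 2c32  e.(192,168,1,2,2
0x0050:  3330 2c31 3637 292e 0d0a                 30,167)...
"""
CLIENT_TO_SERVER = """
0x0000:  4500 005a be9c 4000 2806 2655 d5e9 66fe  E..Z..@.(.&U..f.
0x0010:  0c22 384e 9df5 0015 01dc 346b 2ded 1879  ."8N......4k-..y
0x0020:  5014 ffff aeab 0000 3232 3720 456e 7465  P.......227.Ente
0x0030:  7269 6e67 2050 6173 7369 7665 204d 6f64  ring.Passive.Mod
0x0040:  6520 2831 3932 2c31 3638 2c31 2c32 2c32  e.(192,168,1,2,2
0x0050:  3330 2c31 3637 292e 0d0a                 30,167)...
"""

HEX_WORD = re.compile(r"^[0-9a-f]{4}$")
TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))
PASV_RE = re.compile(rb"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_hexdump(text: str) -> bytes:
    """Turn "0xNNNN:  xxxx xxxx ...  ascii" lines into bytes.  The hex column ends
    at the first token that is not exactly four hex digits (the ASCII column)."""
    out = bytearray()
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue
        for tok in tokens[1:]:
            if not HEX_WORD.match(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def decode(pkt: bytes) -> Dict[str, object]:
    """Minimal IPv4 + TCP header decode (no options, no checksum verification)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = int.from_bytes(pkt[2:4], "big")
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    return {
        "ip_id": int.from_bytes(pkt[4:6], "big"),
        "ttl": pkt[8],
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "sport": int.from_bytes(tcp[0:2], "big"),
        "dport": int.from_bytes(tcp[2:4], "big"),
        "seq": int.from_bytes(tcp[4:8], "big"),
        "ack": int.from_bytes(tcp[8:12], "big"),
        "flags": [name for bit, name in TCP_FLAGS if tcp[13] & bit],
        "payload": pkt[ihl + doff:total_len],
    }


def pasv_endpoint(payload: bytes) -> Optional[Tuple[str, int]]:
    """Parse the (h1,h2,h3,h4,p1,p2) tuple of a 227 reply into (address, port)."""
    m = PASV_RE.search(payload)
    if m is None:
        return None
    n = [int(g) for g in m.groups()]
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]


def compare(a: Dict[str, object], b: Dict[str, object]) -> Dict[str, bool]:
    """Is b the mirror image of a: same IP ID and payload, endpoints and seq/ack swapped?"""
    return {
        "same_ip_id": a["ip_id"] == b["ip_id"],
        "endpoints_swapped": (a["src"], a["sport"], a["dst"], a["dport"])
                             == (b["dst"], b["dport"], b["src"], b["sport"]),
        "seq_ack_swapped": (a["seq"], a["ack"]) == (b["ack"], b["seq"]),
        "same_payload": a["payload"] == b["payload"],
        "second_is_rst": "RST" in b["flags"],
    }


def analyse() -> Tuple[Dict[str, object], Dict[str, object], Dict[str, bool]]:
    """Decode both captured packets and compare them."""
    a = decode(parse_hexdump(SERVER_TO_CLIENT))
    b = decode(parse_hexdump(CLIENT_TO_SERVER))
    return a, b, compare(a, b)


if __name__ == "__main__":
    first, second, verdict = analyse()
    for p in (first, second):
        print(f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} id={p['ip_id']:#x} "
              f"ttl={p['ttl']} flags={'|'.join(p['flags'])} payload={len(p['payload'])}B")
    print("PASV advertises", pasv_endpoint(first["payload"]))
    print(verdict)
```

pasv_endpoint() returns ('192.168.1.2', 59047): the DMZ host's private address and a data port inside the 59000:59100 range that the rdr rules redirect.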
--
Kind Regards,
Valentin Bud
www.syk.ro
www.spreadbsd.org/aff/86/1
www.spreadbsd.org/aff/86/2
valentin [dot] bud [at] gmail [dot] com
valentin [dot] bud [at] dep [dot] upt [dot] ro

From owner-freebsd-pf@FreeBSD.ORG Wed May 7 21:43:52 2008
From: Jeremy Chadwick
To: Ansar Mohammed
Cc: freebsd-pf@freebsd.org
Subject: Re: UDP weirdness
Date: Wed, 7 May 2008 14:43:51 -0700
Message-ID: <20080507214351.GA74641@eos.sc1.parodius.com>
In-Reply-To: <00a401c8b084$87da9540$978fbfc0$@com>

On Wed, May 07, 2008 at 04:54:22PM -0400, Ansar Mohammed wrote:
> But I thought pf would be tracking state?
> Isn't that the whole point of stateful firewalls?

UDP is stateless, however pf still tracks the "state" in the sense that
it knows when there's an outbound or inbound initial packet for UDP,
thus creates a "state" for it.  It can do the same with ICMP.  I believe
the teardown/state removal is based on a timeout (of when it last sees
packets matching that src/dst IP and port).

Keep in mind that if you're using RELENG_6, you'll need "keep state" on
those pass in/pass out rules you used.  If you're using RELENG_7, "keep
state" is implicit, so you won't need to specify it in your config.

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Wed May 7 22:02:25 2008
Message-ID: <482226E5.4090802@samoylyk.sumy.ua>
Date: Thu, 08 May 2008 01:02:13 +0300
From: Oleksandr Samoylyk
To: freebsd-pf@freebsd.org
Subject: iptables rule in pf

Dear Community,

I want to move some of our firewalls from Linux/iptables to FreeBSD/pf.

After reading man pf.conf for a couple of minutes I couldn't find the realization of such an iptables rule in pf:

iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p tcp --dport 25 -j DROP
iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j DNAT --to-destination :25

How can it be rewritten in pf.conf?

Thanks!

--
Oleksandr Samoylyk
OVS-RIPE

From owner-freebsd-pf@FreeBSD.ORG Wed May 7 22:06:43 2008
From: "Ansar Mohammed"
To: "'Jeremy Chadwick'"
Cc: freebsd-pf@freebsd.org
Subject: RE: UDP weirdness
Date: Wed, 7 May 2008 18:06:38 -0400
Message-ID: <00bc01c8b08e$a080cf60$e1826e20$@com>
In-Reply-To: <20080507214351.GA74641@eos.sc1.parodius.com>

So I am using FreeBSD 7 and it doesn't work either way, with "keep state" there or not. The only catch here is that everything is running on VMware, although that should not matter. I have been using pf for about 2 years now. I feel this may be a bit of a bug.

I even set the state-policy to floating (which I believe is default) and still I need the second rule.

> -----Original Message-----
> From: Jeremy Chadwick [mailto:koitsu@freebsd.org]
> Sent: May 7, 2008 5:44 PM
> To: Ansar Mohammed
> Cc: 'Jille'; freebsd-pf@freebsd.org
> Subject: Re: UDP weirdness
>
> On Wed, May 07, 2008 at 04:54:22PM -0400, Ansar Mohammed wrote:
> > But I thought pf would be tracking state?
> > Isn't that the whole point of stateful firewalls?
>
> UDP is stateless, however pf still tracks the "state" in the sense that
> it knows when there's an outbound or inbound initial packet for UDP,
> thus creates a "state" for it.  It can do the same with ICMP.  I believe
> the teardown/state removal is based on a timeout (of when it last sees
> packets matching that src/dst IP and port).
>
> Keep in mind that if you're using RELENG_6, you'll need "keep state" on
> those pass in/pass out rules you used.  If you're using RELENG_7, "keep
> state" is implicit, so you won't need to specify it in your config.

From owner-freebsd-pf@FreeBSD.ORG Wed May 7 22:20:02 2008
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Subject: Re: UDP weirdness
Date: Thu, 8 May 2008 00:15:27 +0200
Message-Id: <200805080015.27191.max@love2party.net>
In-Reply-To: <004f01c8b068$89c89350$9d59b9f0$@com>

On Wednesday 07 May 2008 19:34:00 Ansar Mohammed wrote:
> I have a very simple configuration yet I am bemused as to what I am
> doing wrong.
>
> Windows 2003 <- FreeBSD-PF -> Windows 2003
> 192.168.3.2    192.168.3.1  192.168.2.2    192.168.2.130
>
> Here are my rules
>
> ext_if="le0"
> int_if="le1"
> int_net="192.168.3.0/24"
> ext_net="192.168.2.0/24"
> int_addr="192.168.3.1"
> ext_addr="192.168.2.2"
> scrub on $ext_if all reassemble tcp
> scrub on $int_if all reassemble tcp
> block in log all
> pass in proto icmp from any to any
> pass in proto udp from any to any port 53
> pass in on $ext_if inet proto tcp from any to any port 3389
>
> DNS traffic is allowed through but the return packet gets blocked. Can
> anyone explain why?
> This is true on ALL UDP traffic; TCP traffic works well.
>
> Pflog message:
>
> 065276 rule 0/0(match): block in on le1: 192.168.3.2.53 >
> 192.168.2.130.3837: [|domain]

Here is what happened:

1) You sent a DNS request from 192.168.2.130:3837 to 192.168.3.2:53. This passes on le0 (which I assume is the interface on 192.168.2.0/24) because of the "pass in ... to any port 53" (because the packet is indeed destined to any port 53). This creates a state:

   le0 IN 192.168.2.130:3837->192.168.3.2:53

2) You forward the packet and it leaves le1 in the out direction. This passes because you don't block outgoing packets at all. It doesn't create state either.

3) The server replies from 192.168.3.2:53 to 192.168.2.130:3837. This is blocked on le1 because there is no rule to allow it and the state created above does *NOT* match!

Why doesn't it match the state? A state "le0 IN 192.168.2.130:3837->192.168.3.2:53" will match:

   IN  192.168.2.130:3837->192.168.3.2:53
and
   OUT 192.168.3.2:53->192.168.2.130:3837

but not

   IN  192.168.3.2:53->192.168.2.130:3837

If state-policy is set to floating, the interface doesn't matter, but the direction does!

This is a FAQ!

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed May 7 22:44:09 2008
Date: Wed, 7 May 2008 15:44:09 -0700
From: Jeremy Chadwick
To: Ansar Mohammed
Cc: freebsd-pf@freebsd.org
Subject: Re: UDP weirdness
Message-ID: <20080507224409.GA77067@eos.sc1.parodius.com>
In-Reply-To: <00bc01c8b08e$a080cf60$e1826e20$@com>

On Wed, May 07, 2008 at 06:06:38PM -0400, Ansar Mohammed wrote:
> So I am using FreeBSD 7 and it doesn't work either way with "keep state"
> there or not. The only catch here is that everything is running on VMware,
> although that should not matter. I have been using pf for about 2 years now.
> I feel this may be a bit of a bug.
>
> I even set the state-policy to floating (which I believe is default) and
> still I need the second rule.

You don't need "keep state" or "keep state flags S/SA" on any of your
rules because you're using RELENG_7.

Regarding the need for the "pass out" line, Max has explained the
reason/need for it in another Email.  It's not a bug.

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Thu May 8 00:43:20 2008
Message-ID: <48223E86.5010603@radel.com>
Date: Wed, 07 May 2008 19:43:02 -0400
From: Jon Radel
To: Jille, Ansar Mohammed
Cc: freebsd-pf@freebsd.org
Subject: Re: UDP weirdness
In-Reply-To: <482215F4.1080806@quis.cx>

Jille wrote:
> Ansar Mohammed wrote:
>> Ok, so adding the line as you suggested worked. Thanks Kevin.
>>
>> But why do I need to have both entries in for
>> pass in proto udp from any to any port 53
>> pass out proto udp from any to any port 53
>>
>> what makes UDP so special?
> UDP is stateless.
> With TCP you've got a connection (identified by: local host:port and
> remote host:port).
> With UDP, well, you just throw the packets over the line, and hope there
> is (still) someone on the other end.
>
> So there is (almost) no way to detect whether packets are responses to
> each other.

Other than looking at local host:port and remote host:port and matching
things up.... Which PF does just fine ordinarily. (Only exception I can
think of right now is if you're using a TFTP server which actually
implements the RFC rather than breaking it to make firewalls work....)
Current versions also match ICMP up with other traffic with which it is
associated. But this has already been addressed in another reply.

I have reread this thread and can't find any indication of which version
of PF is running. This makes it rather hard to comment on whether a "keep
state" would make things better, though I suspect you're using FreeBSD
7.x. So what follows are some thoughts which may or may not apply to your
implementation. (Somebody else has already pointed out when the default
for keep state changed.)

pass in proto udp from any to any port 53
pass out proto udp from any to any port 53

can be combined into

pass proto udp from any to any port 53

If the rule set is complete as presented:

> > ext_if="le0"
> > int_if="le1"
> > int_net="192.168.3.0/24"
> > ext_net="192.168.2.0/24"
> > int_addr="192.168.3.1"
> > ext_addr="192.168.2.2"
> > scrub on $ext_if all reassemble tcp
> > scrub on $int_if all reassemble tcp
> > block in log all
> > pass in proto icmp from any to any
> > pass in proto udp from any to any port 53
> > pass in on $ext_if inet proto tcp from any to any port 3389

then you're making use of the default action of "pass" on all outbound
traffic. I wouldn't recommend doing that, particularly on a firewall. To
be specific, my firewall rulesets tend to start with

block log all

If you do that, then you need to do something such as

pass in on $int_if proto udp from any to any port 53 [keep state]
pass out on $ext_if proto udp all [keep state]

if you want machines on the inside to initiate DNS queries, which are
allowed to pass in on the internal interface and then out on the external
interface. If you want DNS queries to be allowed in both directions (you
have an authoritative DNS server on the inside, or something...) you'd
want something like

pass in proto udp from any to any port 53 [keep state]
pass out proto udp all [keep state]

and that would cover both directions.

In writing this I am struck by an interesting question: Is there a
possibility that what you're running into is a difference in the default
keep state behavior in the default pass rule between UDP and TCP? The
documentation I've looked at has been silent on whether the default pass
rule is expected to establish state (for versions of PF recent enough),
and I'm not quite curious enough to build a testbed right now. If anyone
knows the answer to this one, please do share. :-)

--Jon Radel
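As an added illustration (a toy model written for this page, not pf's code and not from any of the posters), the following replays the four legs of Ansar's DNS query through the state lookup Max Laier describes: with Ansar's original rules, with the extra pass out line, with the combined pass rule above, with Jon's block-all layout, and once without the implicit keep state Jeremy mentions for RELENG_6. Interfaces, addresses and ports are the ones from the pflog line; last-match-wins evaluation, the default pass and the floating/if-bound distinction are simplified on purpose.

```python
"""Toy model of the pf state lookup Max Laier describes, applied to the DNS case.

A pass rule that keeps state records (interface, direction, src, dst).  A later
packet matches that entry only in the same direction with the same addresses, or
in the opposite direction with the addresses swapped; state-policy floating ignores
the interface, but the direction is always compared.  Simplified on purpose.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

State = Tuple[str, str, str, str]   # (ifname, direction, src, dst)


@dataclass(frozen=True)
class Pkt:
    ifname: str
    direction: str      # "in" or "out"
    src: str            # "ip:port"
    dst: str            # "ip:port"
    proto: str = "udp"

    @property
    def dst_port(self) -> int:
        return int(self.dst.rsplit(":", 1)[1])


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # None: both directions ("pass proto udp ...")
    proto: Optional[str] = None      # None: any protocol
    dst_port: Optional[int] = None   # None: any destination port

    def matches(self, pkt: Pkt) -> bool:
        return (self.direction in (None, pkt.direction)
                and self.proto in (None, pkt.proto)
                and self.dst_port in (None, pkt.dst_port))


class Pf:
    # implicit_keep_state=True models RELENG_7 (pass rules keep state by default);
    # False models RELENG_6, where "keep state" had to be written on each rule.
    def __init__(self, rules: List[Rule], state_policy: str = "floating",
                 implicit_keep_state: bool = True):
        self.rules, self.state_policy = rules, state_policy
        self.implicit_keep_state = implicit_keep_state
        self.states: List[State] = []

    def lookup_state(self, pkt: Pkt) -> Optional[State]:
        for ifname, direction, src, dst in self.states:
            if self.state_policy == "if-bound" and ifname != pkt.ifname:
                continue
            same_way = direction == pkt.direction and (src, dst) == (pkt.src, pkt.dst)
            reply = direction != pkt.direction and (src, dst) == (pkt.dst, pkt.src)
            if same_way or reply:
                return (ifname, direction, src, dst)
        return None

    def filter(self, pkt: Pkt) -> str:
        if self.lookup_state(pkt) is not None:
            return "pass (state)"
        winner = None
        for rule in self.rules:          # last matching rule wins (no "quick" here)
            if rule.matches(pkt):
                winner = rule
        if winner is None:
            return "pass (default)"      # nothing matched: passes, creates no state
        if winner.action != "pass":
            return "block (rule)"
        if self.implicit_keep_state:
            self.states.append((pkt.ifname, pkt.direction, pkt.src, pkt.dst))
        return "pass (rule)"


def dns_walk(rules: List[Rule], state_policy: str = "floating",
             implicit_keep_state: bool = True) -> List[str]:
    """Push the four legs of one query/reply through pf; stop at the first block."""
    pf = Pf(rules, state_policy, implicit_keep_state)
    client, server = "192.168.2.130:3837", "192.168.3.2:53"   # from the pflog line
    legs = [Pkt("le0", "in", client, server),    # 1) query arrives on le0
            Pkt("le1", "out", client, server),   # 2) query is forwarded out le1
            Pkt("le1", "in", server, client),    # 3) reply arrives on le1
            Pkt("le0", "out", server, client)]   # 4) reply is forwarded out le0
    decisions: List[str] = []
    for pkt in legs:
        decisions.append(pf.filter(pkt))
        if decisions[-1].startswith("block"):
            break
    return decisions


# Ansar's ruleset reduced to its UDP-relevant lines (icmp and tcp rules left out).
ORIGINAL = [Rule("block", "in"), Rule("pass", "in", proto="udp", dst_port=53)]
# The same plus the "pass out" line Kevin suggested.
WITH_PASS_OUT = ORIGINAL + [Rule("pass", "out", proto="udp", dst_port=53)]
# Jon's single rule covering both directions.
COMBINED = [Rule("block", "in"), Rule("pass", proto="udp", dst_port=53)]
# Jon's stricter layout: "block log all" first, then explicit pass in / pass out.
BLOCK_ALL = [Rule("block"), Rule("pass", "in", proto="udp", dst_port=53),
             Rule("pass", "out", proto="udp")]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("with pass out", WITH_PASS_OUT),
                        ("combined", COMBINED), ("block all", BLOCK_ALL)):
        print(f"{name:14s} {dns_walk(rules)}")
    print("RELENG_6 style ", dns_walk(WITH_PASS_OUT, implicit_keep_state=False))
```

dns_walk(ORIGINAL) ends in "block (rule)" on the reply leg, exactly what the pflog line shows; every variant that creates state on the outbound le1 leg lets the reply through on the reverse-direction lookup.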
jzCCAvMwggJcoAMCAQICEG2TkfF/93Sx9LCftry1D3YwDQYJKoZIhvcNAQEFBQAwYjELMAkG A1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNV BAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA4MDMyNDE2NTky MVoXDTA5MDMyNDE2NTkyMVowXjEOMAwGA1UEBBMFUmFkZWwxEzARBgNVBCoTCkpvbiBUaG9t YXMxGTAXBgNVBAMTEEpvbiBUaG9tYXMgUmFkZWwxHDAaBgkqhkiG9w0BCQEWDWpvbkByYWRl bC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPdCxQufreHHDAI9YN2axx 87Rf0TK1PYFMlJHi4y1ebdAMPqR6M44bz+3m8YnKn1bmIf7dWyisWyAIQYCOhW/2r66o4MdF 9qJ9z5uhMy+28zaJP/Glg64C3WPM0VfveCgvu+ApEyf2JDbjc/hUomw8KpppgOcn1wX6PZGb hHVveAvDTWJ0ugqo08Ny6GR0bsGvePmxdWSQq+0aGTHqA1I2EozJBZ8W5xlUtKe22j56i1Uw 1ujkRlosdu2PTs8QOY1OUHuLPnEV9EWtYF7g6bXDUDsJxypXZy9qTipPplYXjdWgkLVRvezr i+BNkgin8UKhKLQ99vS25zrMFKu80g31AgMBAAGjKjAoMBgGA1UdEQQRMA+BDWpvbkByYWRl bC5jb20wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOBgQAR4u9o4CFvztyo0sZb3tCQ IWYb5U4jW9da3goVwWIkMz+qeCb2kiTQfsSmOdF9YJ8VTRdYW0l0fQbqL5JikVhaYeX85cpq Z3iA/PPJpfPtJw8g5jJOAROVAvxydMZXQYxyIBMV4HNG3qir44YnyfmJXkBtRFYWdxBc7bQp oZSZjzCCAz8wggKooAMCAQICAQ0wDQYJKoZIhvcNAQEFBQAwgdExCzAJBgNVBAYTAlpBMRUw EwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEaMBgGA1UEChMRVGhh d3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNp b24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTErMCkGCSqGSIb3DQEJ ARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw0wMzA3MTcwMDAwMDBaFw0xMzA3 MTYyMzU5NTlaMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAo UHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBD QTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxKY8VXNV+065yplaHmjAdQRwnd/p/6Me 7L3N9VvyGna9fww6YfK/Uc4B1OVQCjDXAmNaLIkVcI7dyfArhVqqP3FWy688Cwfn8R+RNiQq E88r1fOCdz0Dviv+uxg+B79AgAJk16emu59l0cUqVIUPSAR/p7bRPGEEQB5kGXJgt/sCAwEA AaOBlDCBkTASBgNVHRMBAf8ECDAGAQH/AgEAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9j cmwudGhhd3RlLmNvbS9UaGF3dGVQZXJzb25hbEZyZWVtYWlsQ0EuY3JsMAsGA1UdDwQEAwIB BjApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRUHJpdmF0ZUxhYmVsMi0xMzgwDQYJKoZIhvcN 
AQEFBQADgYEASIzRUIPqCy7MDaNmrGcPf6+svsIXoUOWlJ1/TCG4+DYfqi2fNi/A9BxQIJNw PP2t4WFiw9k6GX6EsZkbAMUaC4J0niVQlGLH2ydxVyWN3amcOY6MIE9lX5Xa9/eH1sYITq72 6jTlEBpbNU1341YheILcIRk13iSx0x1G/11fZU8xggNkMIIDYAIBATB2MGIxCzAJBgNVBAYT AlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNU aGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIQbZOR8X/3dLH0sJ+2vLUPdjAJ BgUrDgMCGgUAoIIBwzAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEP Fw0wODA1MDcyMzQzMDJaMCMGCSqGSIb3DQEJBDEWBBSxwB0T93R9sKOsATLaaKk2nC6aZzBS BgkqhkiG9w0BCQ8xRTBDMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0D AgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDCBhQYJKwYBBAGCNxAEMXgwdjBiMQswCQYD VQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UE AxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0ECEG2TkfF/93Sx9LCftry1 D3YwgYcGCyqGSIb3DQEJEAILMXigdjBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3Rl IENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVt YWlsIElzc3VpbmcgQ0ECEG2TkfF/93Sx9LCftry1D3YwDQYJKoZIhvcNAQEBBQAEggEAxxqE IuMAu4dnNtdd3G7V46eCEYtyosKIJ2iCV7SE3uFtGGFOMHbxdgt8qi44hORrOQ5t0pD5dblk Dpxa2/nD19RCciS403SjbWI3GgAExCBSBm/jaZzsN9qPp2X1cEalyHKuJEplcxs5tCHvjoE6 dmfEVDiU8G+0BMSHKnORTIMkp9GZ2xti3+jYavYK6mfFnO0FJeWGpXpjtMtQkHowmLtAhblk 0XMV1CQx4NmKzHIdeLKb/UXkNWNRZMGfFFe3ep8ZmzjvWlNwSFEDgeTHVbgpfT5pi8Nhv7NQ s3xZf+okuRCi50KOCgt1znP+nF59kkPP/j/7/8PuIrmv2oz5hAAAAAAAAA== --------------ms050804050306030104010406-- From owner-freebsd-pf@FreeBSD.ORG Thu May 8 06:52:39 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 910F8106567F for ; Thu, 8 May 2008 06:52:39 +0000 (UTC) (envelope-from phoemix@harmless.hu) Received: from marvin.harmless.hu (www.ssl.harmless.hu [195.56.55.205]) by mx1.freebsd.org (Postfix) with ESMTP id 4953E8FC17 for ; Thu, 8 May 2008 06:52:39 +0000 (UTC) (envelope-from phoemix@harmless.hu) Received: from fw.publishing.hu ([82.131.181.62] 
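A complete default-deny ruleset of the kind Jon describes, as an added example that is not from any post in this thread. It reuses the interface names and inside network from the ruleset quoted above, targets the pf version Jon suspects (FreeBSD 7.x), and writes `keep state` and `flags S/SA` out explicitly so that the rules behave the same whatever a given version's defaults are; the `set skip on lo0` line and the outbound TCP rules are assumptions added for a usable firewall, not part of the original ruleset.

```conf
# Added example: default-deny pf.conf along the lines Jon describes.
# Macro values come from the ruleset quoted in the thread.
ext_if="le0"
int_if="le1"
int_net="192.168.3.0/24"

# Options must precede normalization and filter rules in pf.conf.
# Loopback traffic is never filtered (assumption, not in the original).
set skip on lo0

# Normalization, as in the original ruleset.
scrub on $ext_if all reassemble tcp
scrub on $int_if all reassemble tcp

# Default deny in BOTH directions. "block in log all" on its own leaves
# every outbound packet to pf's implicit pass, which is what Jon warns about.
block log all

# Inside hosts may initiate DNS queries: in on the inside interface, out on
# the outside one. "keep state" lets the replies back without extra rules.
# The paired "out" rule is redundant under the default floating state
# policy but keeps the ruleset correct under "set state-policy if-bound".
pass in  on $int_if proto udp from $int_net to any port 53 keep state
pass out on $ext_if proto udp from $int_net to any port 53 keep state

# Inside hosts may open TCP sessions outward (assumption, not in the original).
pass in  on $int_if proto tcp from $int_net to any flags S/SA keep state
pass out on $ext_if proto tcp from $int_net to any flags S/SA keep state

# Inbound RDP, matching the original port 3389 rule, now stateful and limited
# to the inside network as destination instead of "any".
pass in  on $ext_if inet proto tcp from any to $int_net port 3389 flags S/SA keep state
pass out on $int_if inet proto tcp from any to $int_net port 3389 keep state

# ICMP restricted to echo requests; state tracking matches the replies.
pass in  proto icmp all icmp-type echoreq keep state
pass out proto icmp all icmp-type echoreq keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`; `pfctl -ss` afterwards shows the states the DNS and TCP rules create, which is the quickest way to confirm that replies are being matched by state rather than by a separate pass rule.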
Date: Thu, 8 May 2008 08:52:34 +0200
From: CZUCZY Gergely
To: Oleksandr Samoylyk
Cc: freebsd-pf@freebsd.org
Subject: Re: iptables rule in pf
Message-ID: <20080508085234.2cac29ca@twoflower.in.publishing.hu>
In-Reply-To: <48222786.3050400@samoylyk.sumy.ua>

On Thu, 08 May 2008 01:04:54 +0300 Oleksandr Samoylyk wrote:
> Dear Community,
>
> I want to move some of our firewalls from Linux/iptables to FreeBSD/pf.
>
> After reading man pf.conf for a couple of minutes I couldn't find the
> realization of such iptables rule in pf:
>
> iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p tcp --dport
> 25 -j DROP

block in on $interface proto tcp from any to ! my.smtp.server port 25

> iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j DNAT
> --to-destination :25

rdr on $interface proto tcp from any to port 2525 -> port 25

> How can it be rewritten in pf.conf?

be sure to read the openbsd faq:
http://www.openbsd.org/faq/pf

pf works quite differently than iptables, it has a different logic. you will get used to it. just forget these "tables" which you've got used to with iptables.

-- 
Sincerely,
CZUCZY Gergely
Harmless Digital Bt
mailto: gergely.czuczy@harmless.hu
Tel: +36-30-9702963

Date: Thu, 08 May 2008 11:05:45 +0300
From: Oleksandr Samoylyk
To: CZUCZY Gergely
Cc: freebsd-pf@freebsd.org
Subject: Re: iptables rule in pf
Message-ID: <4822B459.6090307@samoylyk.sumy.ua>
In-Reply-To: <20080508085234.2cac29ca@twoflower.in.publishing.hu>

CZUCZY Gergely wrote:
> On Thu, 08 May 2008 01:04:54 +0300
> Oleksandr Samoylyk wrote:
>
>> Dear Community,
>>
>> I want to move some of our firewalls from Linux/iptables to FreeBSD/pf.
>>
>> After reading man pf.conf for a couple of minutes I couldn't find the
>> realization of such iptables rule in pf:
>>
>> iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p tcp --dport
>> 25 -j DROP
> block in on $interface proto tcp from any to ! my.smtp.server port 25
>
>> iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j DNAT
>> --to-destination :25
> rdr on $interface proto tcp from any to port 2525 ->
> port 25

I meant _any_ destination with port 25.

That iptables rule worked for any destination.

>> How can it be rewritten in pf.conf?
> be sure to read the openbsd faq:
> http://www.openbsd.org/faq/pf
>
> pf works quite differently than iptables, it has a different logic. you will
> get used to it. just forget these "tables" which you've got used to with
> iptables.
>

-- 
Oleksandr Samoylyk
OVS-RIPE

Date: Thu, 8 May 2008 10:12:52 +0200
From: CZUCZY Gergely
To: Oleksandr Samoylyk
Cc: freebsd-pf@freebsd.org
Subject: Re: iptables rule in pf
Message-ID: <20080508101252.4d25b9eb@twoflower.in.publishing.hu>
In-Reply-To: <4822B459.6090307@samoylyk.sumy.ua>

On Thu, 08 May 2008 11:05:45 +0300 Oleksandr Samoylyk wrote:
> CZUCZY Gergely wrote:
> > On Thu, 08 May 2008 01:04:54 +0300
> > Oleksandr Samoylyk wrote:
> >
> >> Dear Community,
> >>
> >> I want to move some of our firewalls from Linux/iptables to FreeBSD/pf.
> >>
> >> After reading man pf.conf for a couple of minutes I couldn't find the
> >> realization of such iptables rule in pf:
> >>
> >> iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p tcp --dport
> >> 25 -j DROP
> > block in on $interface proto tcp from any to ! my.smtp.server port 25
> >
> >> iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j DNAT
> >> --to-destination :25
> > rdr on $interface proto tcp from any to port 2525 ->
> > port 25
>
> I meant _any_ destination with port 25.
>
> That iptables rule worked for any destination.

You cannot rewrite a packet's destination address to _any_ destination.

It's like you cannot submit a package at the post office with the destination address "any". It's just meaningless.

>
> >> How can it be rewritten in pf.conf?
> > be sure to read the openbsd faq:
> > http://www.openbsd.org/faq/pf
> >
> > pf works quite differently than iptables, it has a different logic. you will
> > get used to it. just forget these "tables" which you've got used to with
> > iptables.
> >
>

-- 
Regards,
Czuczy Gergely
Harmless Digital Bt
mailto: gergely.czuczy@harmless.hu
Tel: +36-30-9702963
Message-ID: <4822B6CC.1080502@quis.cx>
Date: Thu, 08 May 2008 10:16:12 +0200
From: Jille
To: CZUCZY Gergely
Cc: freebsd-pf@freebsd.org
Subject: Re: iptables rule in pf
In-Reply-To: <20080508101252.4d25b9eb@twoflower.in.publishing.hu>

CZUCZY Gergely wrote:
> On Thu, 08 May 2008 11:05:45 +0300
> Oleksandr Samoylyk wrote:
>
>> CZUCZY Gergely wrote:
>>> On Thu, 08 May 2008 01:04:54 +0300
>>> Oleksandr Samoylyk wrote:
>>>
>>>> Dear Community,
>>>>
>>>> I want to move some of our firewalls from Linux/iptables to FreeBSD/pf.
>>>>
>>>> After reading man pf.conf for a couple of minutes I couldn't find the
>>>> realization of such iptables rule in pf:
>>>>
>>>> iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p tcp --dport
>>>> 25 -j DROP
>>> block in on $interface proto tcp from any to ! my.smtp.server port 25
>>>
>>>> iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j DNAT
>>>> --to-destination :25
>>> rdr on $interface proto tcp from any to port 2525 ->
>>> port 25
>> I meant _any_ destination with port 25.
>>
>> That iptables rule worked for any destination.
> You cannot rewrite a packet's destination address to _any_ destination.
>
> It's like you cannot submit a package at the post office with the destination
> address "any". It's just meaningless.

I think he only wants to 'change' the port number, and not touch the destination address.
You could try:

rdr on $interface proto tcp from any to port 2525 -> port 25

But that's a wild guess (I'm *not* sure)

-- 
Jille

>>>> How can it be rewritten in pf.conf?
>>> be sure to read the openbsd faq:
>>> http://www.openbsd.org/faq/pf
>>>
>>> pf works quite differently than iptables, it has a different logic. you will
>>> get used to it. just forget these "tables" which you've got used to with
>>> iptables.

Date: Thu, 8 May 2008 01:20:27 -0700
From: Jeremy Chadwick
To: Jille
Cc: CZUCZY Gergely, freebsd-pf@freebsd.org
Subject: Re: iptables rule in pf
Message-ID: <20080508082027.GA98876@eos.sc1.parodius.com>
In-Reply-To: <4822B6CC.1080502@quis.cx>

On Thu, May 08, 2008 at 10:16:12AM +0200, Jille wrote:
>>>>> iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j DNAT
>>>>> --to-destination :25
>>>> rdr on $interface proto tcp from any to port 2525 ->
>>>> port 25
>>> I meant _any_ destination with port 25.
>>>
>>> That iptables rule worked for any destination.
>> You cannot rewrite a packet's destination address to _any_ destination.
>>
>> It's like you cannot submit a package at the post office with the destination
>> address "any". It's just meaningless.
> I think he only wants to 'change' the port number, and not touch the
> destination address.
> You could try:
>
> rdr on $interface proto tcp from any to port 2525 -> port 25
>
> But that's a wild guess (I'm *not* sure)

He'll need to specify an IP address for the redirection destination, e.g.:

rdr on $interface proto tcp from any to port 2525 -> 127.0.0.1 port 25

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

Date: Thu, 08 May 2008 11:36:26 +0300
From: Oleksandr Samoylyk
To: CZUCZY Gergely
Cc: freebsd-pf@freebsd.org
Subject: Re: iptables rule in pf
Message-ID: <4822BB8A.8030507@samoylyk.sumy.ua>
In-Reply-To: <20080508101252.4d25b9eb@twoflower.in.publishing.hu>

CZUCZY Gergely wrote:
> On Thu, 08 May 2008 11:05:45 +0300
> Oleksandr Samoylyk wrote:
>
>> CZUCZY Gergely wrote:
>>> On Thu, 08 May 2008 01:04:54 +0300
>>> Oleksandr Samoylyk wrote:
>>>
>>>> Dear Community,
>>>>
>>>> I want to move some of our firewalls from Linux/iptables to FreeBSD/pf.
>>>>
>>>> After reading man pf.conf for a couple of minutes I couldn't find the
>>>> realization of such iptables rule in pf:
>>>>
>>>> iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p tcp --dport
>>>> 25 -j DROP
>>> block in on $interface proto tcp from any to ! my.smtp.server port 25
>>>
>>>> iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j DNAT
>>>> --to-destination :25
>>> rdr on $interface proto tcp from any to port 2525 ->
>>> port 25
>> I meant _any_ destination with port 25.
>>
>> That iptables rule worked for any destination.
> You cannot rewrite a packet's destination address to _any_ destination.
>
> It's like you cannot submit a package at the post office with the destination
> address "any". It's just meaningless.
>

However it works with iptables. :)

What can I do in my situation in order to gain the same functionality by means of pf or other additional daemons?

-- 
Oleksandr Samoylyk
OVS-RIPE

Date: Thu, 8 May 2008 10:43:08 +0200
From: CZUCZY Gergely
To: Oleksandr Samoylyk
Cc: freebsd-pf@freebsd.org
Subject: Re: iptables rule in pf
Message-ID: <20080508104308.702e8911@twoflower.in.publishing.hu>
In-Reply-To: <4822BB8A.8030507@samoylyk.sumy.ua>

On Thu, 08 May 2008 11:36:26 +0300 Oleksandr Samoylyk wrote:
> >> That iptables rule worked for any destination.
> > You cannot rewrite a packet's destination address to _any_ destination.
> >
> > It's like you cannot submit a package at the post office with the
> > destination address "any". It's just meaningless.
> >
>
> However it works with iptables. :)
>
> What can I do in my situation in order to gain the same functionality by
> means of pf or other additional daemons?

No, it doesn't. That iptables rule only affects the port number, where it defaults to the original dst address. So it defaults to something, whereas pf doesn't. With pf you have to explicitly specify the rewritten dst IP.

In my first reply I've told you to read the openbsd FAQ. You haven't done it. I _strongly_ suggest that, before doing your next reply to the list, you go and read that FAQ. Here's the URL once more, I bet you've lost it under your desk...
http://www.openbsd.org/faq/pf/

-- 
Sincerely,
CZUCZY Gergely
Harmless Digital Bt
mailto: gergely.czuczy@harmless.hu
Tel: +36-30-9702963
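The two netfilter rules from the original question, rendered in pf.conf along the lines the replies converge on, as an added example that is not from any post in this thread. It covers the inbound case (mail arriving on the firewall's outside interface for an SMTP server behind it) and assumes an external interface macro `$ext_if` and a known server address `$smtp_server`; the values given for both are placeholders (the 192.0.2.0/24 documentation range stands in for my.smtp.server) and the final `pass` rule is an assumption for rulesets that block by default.

```conf
# Added example: pf.conf equivalent of the two iptables rules in this thread.
# Macro values are placeholders; substitute the real interface and server.
ext_if="em0"
smtp_server="192.0.2.25"

# pf evaluates translation rules before filter rules, and the filter rules
# then see the translated destination, so the rdr has to come first.
#
# iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j DNAT --to-destination :25
# A DNAT target with only a port keeps the original destination address.
# pf's rdr requires an explicit redirect host, so the target must be named;
# for mail that is the SMTP server the clients are supposed to reach.
rdr on $ext_if proto tcp from any to any port 2525 -> $smtp_server port 25

# iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p tcp --dport 25 -j DROP
# Port 25 to anything other than the SMTP server is dropped and logged, so the
# attempt is visible in pflog. Because filtering happens after translation,
# the redirected port 2525 connections now carry $smtp_server as destination
# and are not caught by this rule.
block in log on $ext_if proto tcp from any to ! $smtp_server port 25

# What may reach the server (needed only if the ruleset blocks by default);
# keep state covers the return packets of each accepted connection.
pass in on $ext_if proto tcp from any to $smtp_server port 25 flags S/SA keep state
```

Validate with `pfctl -nf /etc/pf.conf` before loading; `pfctl -sn` then lists the rdr rule and `pfctl -sr` the filter rules, and a connection to port 2525 should show up in `pfctl -ss` with the server address and port 25 as its translated destination, which is the direct way to confirm that the rdr, not the block rule, is handling it.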
From: Elliott Perrin
To: freebsd-pf@freebsd.org
Reply-To: elliott@c7.ca
Subject: Re: iptables rule in pf
Date: Thu, 08 May 2008 04:43:02 -0400
Message-Id: <1210236182.5607.138.camel@kensho.c7.ca>
In-Reply-To: <48222786.3050400@samoylyk.sumy.ua>

On Thu, 2008-05-08 at 01:04 +0300, Oleksandr Samoylyk wrote:
> Dear Community,
>
> I want to move some of our firewalls from Linux/iptables to FreeBSD/pf.
>
> After reading man pf.conf for a couple of minutes I couldn't find the
> realization of such iptables rule in pf:
>
> iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p tcp --dport
> 25 -j DROP
> iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j DNAT
> --to-destination :25
>
> How can it be rewritten in pf.conf?
>
> Thanks!
>

It's been a while since I worked with iptables but the first rule

iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p tcp --dport 25 -j DROP

says all packets destined for port 25 for any address other than my.smtp.server, jump to the builtin DROP table/chain.

The second rule

iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j DNAT --to-destination :25

I would think builds on the first (just like in pf order of rule processing is very important) and says anything with a destination of port 2525, jump to the DNAT table/chain and switch the destination port to port 25, leaving the destination IP address untouched. Essentially you are just doing PAT there.

Hard to know exactly what you are trying to do without network topography. Is this on a three legged firewall for LAN to DMZ/Internet connections or is this intended for inbound connections to your SMTP servers? The rules in pf to serve either purpose would be different.

Also what does your DNAT table look like? That second rule causes packets to rewrite their destination port, but what then happens in the DNAT table?

Cheers,
~e
From: Elliott Perrin
To: freebsd-pf@freebsd.org
Reply-To: elliott@c7.ca
Subject: Re: iptables rule in pf
Date: Thu, 08 May 2008 04:58:42 -0400
Message-Id: <1210237122.5607.149.camel@kensho.c7.ca>
In-Reply-To: <4822BB8A.8030507@samoylyk.sumy.ua>

On Thu, 2008-05-08 at 11:36 +0300, Oleksandr Samoylyk wrote:
> CZUCZY Gergely wrote:
> > On Thu, 08 May 2008 11:05:45 +0300
> > Oleksandr Samoylyk wrote:
> >
> >> CZUCZY Gergely wrote:
> >>> On Thu, 08 May 2008 01:04:54 +0300
> >>> Oleksandr Samoylyk wrote:
> >>>
> >>>> Dear Community,
> >>>>
> >>>> I want to move some of our firewalls from Linux/iptables to FreeBSD/pf.
> >>>>
> >>>> After reading man pf.conf for a couple of minutes I couldn't find the
> >>>> realization of such iptables rule in pf:
> >>>>
> >>>> iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p tcp --dport
> >>>> 25 -j DROP
> >>> block in on $interface proto tcp from any to ! my.smtp.server port 25
> >>>
> >>>> iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j DNAT
> >>>> --to-destination :25
> >>> rdr on $interface proto tcp from any to port 2525 ->
> >>> port 25
> >> I meant _any_ destination with port 25.
> >>
> >> That iptables rule worked for any destination.
> > You cannot rewrite a packet's destination address to _any_ destination.
> >
> > It's like you cannot submit a package at the post office with the destination
> > address "any". It's just meaningless.
> >
>
> However it works with iptables. :)
>
> What can I do in my situation in order to gain the same functionality by
> means of pf or other additional daemons?
>

It doesn't just "work" in iptables. All you are doing is PAT with that rule, rewriting destination ports. What does your DNAT table look like where packets matching this rule then jump to?

That iptables rule may have worked for any destination, but it merely jumps (-j) to another table where address rewriting is pretty much a guarantee since by definition DNAT is Destination Network Address Translation. That rule does PAT and nothing more.

If those 2 rules alone form the base logic of your firewall structure I would really love to know the address of that machine :-)

Cheers
~e

Date: Thu, 8 May 2008 13:35:24 +0200
From: Daniel Roethlisberger To: freebsd-pf@freebsd.org Message-ID: <20080508113524.GA7168@hobbes.ustdmz.roe.ch> Mail-Followup-To: freebsd-pf@freebsd.org References: <48222786.3050400@samoylyk.sumy.ua> <20080508085234.2cac29ca@twoflower.in.publishing.hu> <4822B459.6090307@samoylyk.sumy.ua> <20080508101252.4d25b9eb@twoflower.in.publishing.hu> <4822BB8A.8030507@samoylyk.sumy.ua> <1210237122.5607.149.camel@kensho.c7.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1210237122.5607.149.camel@kensho.c7.ca> User-Agent: Mutt/1.5.4i Subject: Re: iptables rule in pf X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 May 2008 11:34:56 -0000 Elliott Perrin 2008-05-08: > On Thu, 2008-05-08 at 11:36 +0300, Oleksandr Samoylyk wrote: > > CZUCZY Gergely wrote: > > > On Thu, 08 May 2008 11:05:45 +0300 Oleksandr Samoylyk > > > wrote: > > >> CZUCZY Gergely wrote: > > >>> On Thu, 08 May 2008 01:04:54 +0300 Oleksandr Samoylyk > > >>> wrote: > > >>>> Dear Community, > > >>>> > > >>>> I want to move some of our firewalls from Linux/iptables to > > >>>> FreeBSD/pf. > > >>>> > > >>>> After reading man pf.conf for a couple of minutes I couldn't > > >>>> find the realization of such iptables rule in pf: > > >>>> > > >>>> iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p > > >>>> tcp --dport 25 -j DROP > > >>> block in on $interface proto tcp from any to ! my.smtp.server > > >>> port 25 > > >>> > > >>>> iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j > > >>>> DNAT --to-destination :25 > > >>> rdr on $interface proto tcp from any to port 2525 -> > > >>> port 25 > > >> I meant _any_ destination with 25 port. > > >> > > >> That iptables rule worked for any destination. 
> > > You cannot rewrite a packet's destination address to _any_ > > > destination. > > > > > > It's like you cannot submit a package at the post office with the > > > destination address "any". It's just meaningless. > > > > However it works with iptables. :) > > > > What can I do in my situation in order to gain the same > > functionality by means of pf or other additional daemons? > > It doesn't just "work" in iptables. All you are doing is PAT with that > rule, rewriting destination ports. What does your DNAT table look like > where packets matching this rule then jump to? [...] Your analysis of the two provided netfilter rules is wrong. DNAT is a built-in pseudo-chain which does the actual destination address/port translation, in this case it rewrites the destination port to 25 and leaves the destination address untouched. Just to clear up some of the terms used with netfilter: you don't jump to tables, you jump to chains. Tables in netfilter are "nat", "filter" and "mangle"; like parallel worlds with their own set of chains, each table having a distinct purpose (packet filtering, address/port translations, and other packet mangling/tagging). -- Daniel Roethlisberger http://daniel.roe.ch/ From owner-freebsd-pf@FreeBSD.ORG Thu May 8 11:57:53 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B407B106566C for ; Thu, 8 May 2008 11:57:53 +0000 (UTC) (envelope-from daniel@roe.ch) Received: from hobbes.ustdmz.roe.ch (hobbes.roe.ch [213.144.141.27]) by mx1.freebsd.org (Postfix) with ESMTP id 3C7638FC15 for ; Thu, 8 May 2008 11:57:53 +0000 (UTC) (envelope-from daniel@roe.ch) Received: from roe by hobbes.ustdmz.roe.ch (envelope-from ) with LOCAL id 1Ju4lT-0003cT-00 for freebsd-pf@freebsd.org; Thu, 08 May 2008 13:58:23 +0200 Date: Thu, 8 May 2008 13:58:23 +0200 
From: Daniel Roethlisberger
To: freebsd-pf@freebsd.org
Message-ID: <20080508115823.GB7168@hobbes.ustdmz.roe.ch>
In-Reply-To: <20080508104308.702e8911@twoflower.in.publishing.hu>
Subject: Re: iptables rule in pf

CZUCZY Gergely 2008-05-08:
> On Thu, 08 May 2008 11:36:26 +0300 Oleksandr Samoylyk wrote:
> > >> That iptables rule worked for any destination.
> > > You cannot rewrite a packet's destination address to _any_
> > > destination.
> > >
> > > It's like you cannot submit a package at the post office with the
> > > destination address "any". It's just meaningless.
> >
> > However it works with iptables. :)
> >
> > What can I do in my situation in order to gain the same
> > functionality by means of pf or other additional daemons?
> No, it doesn't. That iptables rule only affects the port number, where
> it defaults to the original dst address. So it defaults to something,
> whereas pf doesn't. With pf you have to explicitly specify the
> rewritten dst IP.
>
> In my first reply I've told you to read the openbsd FAQ. You haven't
> done it. I _strongly_ suggest you, before doing your next reply to the
> list, go and read that FAQ. Here's the URL once more, I bet you've
> lost it under your desk...
> http://www.openbsd.org/faq/pf/

Netfilter allows rewriting the destination port without rewriting the
destination address. It would seem that this is not possible with pf,
at least not using rdr. But it is not necessary, since my.smtp.server
is the only destination on port 25 that will not be dropped by the
previous rule, so you can just specify my.smtp.server as destination in
the rdr rule.

Just in case this is about submitting mail around port 25 filters (in
contrast to a fixed MTA-MTA "tunnel" on port 2525), you probably want to
use SMTP AUTH on the submission port (587) to solve this problem, not
just provide plain SMTP on a different port. On the submission port,
authentication is mandatory, which prevents it being used by spambots to
deliver mail directly to your MTA. Using submission and blocking port
25 for end-user address ranges does have anti-spam benefits.

-- 
Daniel Roethlisberger
http://daniel.roe.ch/
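A pf.conf fragment that puts the pieces of this thread together, added here as an illustration and not something anyone posted: the two iptables rules translated into the rdr/block syntax of the pf version discussed (FreeBSD 7 era, with "rdr" rules rather than "match ... rdr-to"), with my.smtp.server named explicitly in the rdr rule as suggested above, plus the submission-port alternative. The interface name, the addresses and the $clients range are assumed placeholders.

```pf
# Added example, not from the thread. Placeholders: em0, 192.0.2.25 (stands
# in for my.smtp.server) and the 198.51.100.0/24 end-user range are assumed.
ext_if   = "em0"
smtp_srv = "192.0.2.25"
clients  = "198.51.100.0/24"

# Translation rules are evaluated before filter rules, so the filter rules
# below see the rewritten destination port (25), never 2525.
#
# iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j DNAT --to-destination :25
# pf's rdr needs an explicit target address. Because the block rule below
# discards port-25 traffic to anything but $smtp_srv anyway, naming
# $smtp_srv here gives the same result as netfilter's "keep the address".
rdr on $ext_if proto tcp from any to $smtp_srv port 2525 -> $smtp_srv port 25

# Default deny on the external interface; later rules pass what is wanted.
block in log on $ext_if all

# iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p tcp --dport 25 -j DROP
# "quick" stops evaluation here, matching DROP's immediate effect.
block in quick log on $ext_if proto tcp from any to ! $smtp_srv port 25

# Mail to the MTA itself (direct on 25, or arriving on 2525 and rewritten).
pass in on $ext_if proto tcp from any to $smtp_srv port 25 flags S/SA keep state

# Submission alternative from the thread: end-user ranges reach the MTA on
# 587 (the MTA must require SMTP AUTH there; pf cannot enforce that), while
# their direct port-25 access to other hosts stays blocked above, which is
# what removes the spambot delivery path.
pass in on $ext_if proto tcp from $clients to $smtp_srv port 587 flags S/SA keep state
```

Check the fragment with `pfctl -nf /path/to/pf.conf` before loading it, and compare `pfctl -sn` (translation rules) with `pfctl -sr` (filter rules) to confirm that the rdr rule is listed in the translation set and that the port-25 block precedes the pass rule for $smtp_srv.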
From owner-freebsd-pf@FreeBSD.ORG Thu May 8 14:39:36 2008
From: "Igor A. Valcov"
To: freebsd-pf@freebsd.org, freebsd-hackers@freebsd.org
Date: Thu, 8 May 2008 18:10:53 +0400
Subject: do not work nested unnamed anchor

Hello.

For example:

==== pf.conf ====
ext_if="xl0"
ip_world="nn.nn.nn.nn"

# Filter rules
block log all

anchor in on $ext_if {
    pass quick proto tcp to $ip_world port 22 keep state  # SSH
    pass quick proto tcp to $ip_world port 25 keep state  # SMTP
    pass quick proto tcp to $ip_world port 110 keep state # POP3
    anchor {
        pass quick proto tcp to $ip_world port 995 keep state # POP3S
    }
}
============

nmap results:

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 4.5p1 (FreeBSD 20061110; protocol 2.0)
25/tcp  open  smtp?
110/tcp open  pop3    Openwall popa3d

I cannot understand what the problem is...

FreeBSD-7.0-RELEASE-p1 i386

-- 
Igor A. Valcov

From owner-freebsd-pf@FreeBSD.ORG Thu May 8 15:46:59 2008
Message-ID: <9a542da30805080846v1bcde1afp79293ac3efda2865@mail.gmail.com>
Date: Thu, 8 May 2008 17:46:59 +0200
From: Ermal Luçi
To: freebsd-pf@freebsd.org
Subject: Patch to allow shaping inside ipsec tunnels with ALTQ.

This one is for RELENG_7[_0] but should apply ok to CURRENT too.

http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/tools/patches/RELENG_7_0/ipsec_altq.diff?rev=1.2;content-type=text%2Fplain

For RELENG_6 check the freebsd-ipfw@ list; I sent one there in reply to a thread.

Ermal

From owner-freebsd-pf@FreeBSD.ORG Thu May 8 16:41:30 2008
Message-ID: <9a542da30805080941odbc9f74g1a2367285c5a718a@mail.gmail.com>
Date: Thu, 8 May 2008 18:41:29 +0200
From: Ermal Luçi
To: freebsd-pf@freebsd.org
In-Reply-To: <20080508115823.GB7168@hobbes.ustdmz.roe.ch>
Subject: Re: iptables rule in pf

On Thu, May 8, 2008 at 1:58 PM, Daniel Roethlisberger wrote:
> CZUCZY Gergely 2008-05-08:
>> On Thu, 08 May 2008 11:36:26 +0300 Oleksandr Samoylyk wrote:
>> > >> That iptables rule worked for any destination.
>> > > You cannot rewrite a packet's destination address to _any_
>> > > destination.
>> > >
>> > > It's like you cannot submit a package at the post office with the
>> > > destination address "any". It's just meaningless.
>> >
>> > However it works with iptables. :)
>> >
>> > What can I do in my situation in order to gain the same
>> > functionality by means of pf or other additional daemons?
>> No, it doesn't. That iptables rule only affects the port number, where
>> it defaults to the original dst address. So it defaults to something,
>> whereas pf doesn't. With pf you have to explicitly specify the
>> rewritten dst IP.
>>
>> In my first reply I've told you to read the openbsd FAQ. You haven't
>> done it. I _strongly_ suggest you, before doing your next reply to the
>> list, go and read that FAQ. Here's the URL once more, I bet you've
>> lost it under your desk...
>> http://www.openbsd.org/faq/pf/
>
> Netfilter allows rewriting the destination port without rewriting the
> destination address. It would seem that this is not possible with
> pf, at least not using rdr. But it is not necessary, since
> my.smtp.server is the only destination on port 25 that will not be
> dropped by the previous rule, so you can just specify my.smtp.server as
> destination in the rdr rule.
>
> Just in case this is about submitting mail around port 25 filters (in
> contrast to a fixed MTA-MTA "tunnel" on port 2525), you probably want to
> use SMTP AUTH on the submission port (587) to solve this problem, not
> just provide plain SMTP on a different port. On the submission port,
> authentication is mandatory, which prevents it being used by spambots to
> deliver mail directly to your MTA. Using submission and blocking port
> 25 for end-user address ranges does have anti-spam benefits.
>
> --
> Daniel Roethlisberger
> http://daniel.roe.ch/

How about this patch. I have not really tested it but it should do just
port rewriting with a rule such as

rdr on $int proto tcp from any to any port 255 -> port 25 any

Ermal

Index: contrib/pf/pfctl/parse.y =================================================================== RCS file: /home/ncvs/src/contrib/pf/pfctl/parse.y,v retrieving revision 1.8 diff -u -r1.8 parse.y --- contrib/pf/pfctl/parse.y 3 Jul 2007 12:30:02 -0000 1.8 +++ contrib/pf/pfctl/parse.y 8 May 2008 16:33:30 -0000 @@ -3326,6 +3326,12 @@ $$->host = $2; $$->rport.a = $$->rport.b = $$->rport.t = 0; } + | ARROW PORT rport { + $$ = calloc(1, sizeof(struct redirection)); + if ($$ == NULL) + err(1, "redirection: calloc"); + $$->rport = $4; + } | ARROW redirspec PORT rport { $$ = calloc(1, sizeof(struct redirection)); if ($$ == NULL)
@@ -3442,6 +3448,13 @@ pool_opts.marker |= POM_STICKYADDRESS; pool_opts.opts |= PF_POOL_STICKYADDR; } + | ANY { + if (pool_opts.type) { + yyerror("pool type cannot be redefined"); + YYERROR; + } + pool_opts.type = PF_POOL_ANY; + } ; redirection : /* empty */ { $$ = NULL; } @@ -3549,6 +3562,10 @@ YYERROR; } } else { + r.rpool.opts = $10.type; + if ((r.rpool.opts & PF_POOL_TYPEMASK) != + PF_POOL_ANY) { + if ($9 == NULL || $9->host == NULL) { yyerror("translation rule requires '-> " "address'"); @@ -3562,6 +3579,14 @@ YYERROR; if (check_netmask($9->host, r.af)) YYERROR; + } + + if ((r.rpool.opts & PF_POOL_TYPEMASK) == + PF_POOL_ANY && r.action != PF_RDR) { + yyerror("any pool type valid only for rdr" + " action"); + YYERROR; + } r.rpool.proxy_port[0] = ntohs($9->rport.a); @@ -3596,7 +3621,6 @@ break; } - r.rpool.opts = $10.type; if ((r.rpool.opts & PF_POOL_TYPEMASK) == PF_POOL_NONE && ($9->host->next != NULL || $9->host->addr.type == PF_ADDR_TABLE || @@ -3614,7 +3638,7 @@ "is only supported in round-robin " "redirection pools")) YYERROR; - if ($9->host->next != NULL) { + if ($9 != NULL && $9->host != NULL && $9->host->next != NULL) { if ((r.rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN) { yyerror("only round-robin " Index: sys/contrib/pf/net/pf.c =================================================================== RCS file: /home/ncvs/src/sys/contrib/pf/net/pf.c,v retrieving revision 1.46.2.1 diff -u -r1.46.2.1 pf.c --- sys/contrib/pf/net/pf.c 25 Nov 2007 19:26:46 -0000 1.46.2.1 +++ sys/contrib/pf/net/pf.c 8 May 2008 16:33:31 -0000 
@@ -2859,13 +2859,18 @@ } break; case PF_RDR: { - if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn)) - return (NULL); - if ((r->rpool.opts & PF_POOL_TYPEMASK) == - PF_POOL_BITMASK) - PF_POOLMASK(naddr, naddr, - &r->rpool.cur->addr.v.a.mask, daddr, - pd->af); + if ((r->rpool.opts & PF_POOL_TYPEMASK) == + PF_POOL_ANY) { + PF_ACPY(naddr, daddr, pd->af); + } else { + if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn)) + return (NULL); + if ((r->rpool.opts & PF_POOL_TYPEMASK) == + PF_POOL_BITMASK) + PF_POOLMASK(naddr, naddr, + &r->rpool.cur->addr.v.a.mask, daddr, + pd->af); + } if (r->rpool.proxy_port[1]) { u_int32_t tmp_nport; Index: sys/contrib/pf/net/pfvar.h =================================================================== RCS file: /home/ncvs/src/sys/contrib/pf/net/pfvar.h,v retrieving revision 1.16.2.1 diff -u -r1.16.2.1 pfvar.h --- sys/contrib/pf/net/pfvar.h 12 Apr 2008 18:26:48 -0000 1.16.2.1 +++ sys/contrib/pf/net/pfvar.h 8 May 2008 16:33:31 -0000 
@@ -130,7 +130,7 @@ PF_LIMIT_TABLES, PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX }; #define PF_POOL_IDMASK 0x0f enum { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM, - PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN }; + PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN, PF_POOL_ANY }; enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL, PF_ADDR_TABLE, PF_ADDR_RTLABEL, PF_ADDR_URPFFAILED }; #define PF_POOL_TYPEMASK 0x0f From owner-freebsd-pf@FreeBSD.ORG Fri May 9 02:16:16 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 694C51065676 for ; Fri, 9 May 2008 02:16:16 +0000 (UTC) (envelope-from elliott@c7.ca) Received: from mail.c7.ca (mail.c7.ca [66.207.198.232]) by mx1.freebsd.org (Postfix) with ESMTP id 2C1138FC0A for ; Fri, 9 May 2008 02:16:15 +0000 (UTC) (envelope-from elliott@c7.ca) Received: (qmail 57672 invoked by uid 89); 9 May 2008 02:16:15 -0000 Received: by simscan 1.2.0 ppid: 57665, pid: 57668, t: 0.3312s scanners: clamav: 0.90.1/m:43 Received: from unknown (HELO ?66.207.210.10?) (elliott@c7.ca@66.207.210.10) by 10.1.1.32 with ESMTPA; 9 May 2008 02:16:14 -0000 
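Review bot: the new `| ARROW PORT rport` alternative in the first parse.y hunk (@@ -3326) assigns `$$->rport = $4;`, but that alternative has only three symbols (ARROW, PORT, rport), so the port spec is `$3`; the `$4` was carried over from the `ARROW redirspec PORT rport` alternative right below it and will either be rejected by yacc or read past the value stack. Change it to `$$->rport = $3;`.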
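Review bot: the `| ANY` pool option in the @@ -3442 hunk introduces a new pf.conf keyword (the `-> port 25 any` form in the cover mail), but none of the three files touched by this patch is pf.conf(5) or pfctl's rule-printing code, so the keyword is undocumented and a loaded rule cannot be printed back in a form that reloads. Add a man page entry and the matching print-side case in the same change, and consider a less overloaded spelling than `any`, which already means "any address" elsewhere in the same rule.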
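Review bot: in the @@ -3562 hunk the PF_POOL_ANY path skips the `$9 == NULL || $9->host == NULL` check, but the unchanged `r.rpool.proxy_port[0] = ntohs($9->rport.a);` that follows still dereferences `$9`; since the empty `redirection` alternative yields `$$ = NULL`, a rule that selects the `any` pool type without any `->` part makes pfctl dereference a null pointer. Keep a `$9 == NULL` check on the PF_POOL_ANY branch (for example `yyerror("translation rule requires '-> port'")`) before the proxy_port assignment.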
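Review bot: the PF_POOL_ANY branch in the pf.c hunk copies `daddr` into `naddr` and bypasses `pf_map_addr()` entirely, so such a rule never gets a current pool entry and `sn` is never touched, whereas every other branch here obtains its address through `pf_map_addr`. That is what the feature wants, but any later code that dereferences `r->rpool.cur` for an rdr rule (the bitmask branch directly below is one such pattern) now has to cope with a rule whose pool is empty. Add a comment on the new branch stating that the pool is intentionally empty, and consider handling PF_POOL_ANY inside `pf_map_addr` instead so that the one place that knows about pool types stays the only one.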
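Review bot: the pfvar.h hunk appends PF_POOL_ANY to the pool-type enum that is shared between the kernel and pfctl (it still fits under PF_POOL_TYPEMASK 0x0f), which means kernel and userland must be rebuilt together: an unpatched pfctl does not know the value when printing rules, and an unpatched kernel receives a type it has no `case` for. State that dependency in the commit message, and since the pool type is the only thing distinguishing an address-preserving rdr from a malformed one, the new enumerator deserves a short comment next to it.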
From: Elliott Perrin
To: Daniel Roethlisberger
Cc: freebsd-pf@freebsd.org
Date: Thu, 08 May 2008 22:15:43 -0400
Message-Id: <1210299343.28559.31.camel@kensho.c7.ca>
In-Reply-To: <20080508113524.GA7168@hobbes.ustdmz.roe.ch>
Subject: Re: iptables rule in pf

On Thu, 2008-05-08 at 13:35 +0200, Daniel Roethlisberger wrote:
> Elliott Perrin 2008-05-08:
> > On Thu, 2008-05-08 at 11:36 +0300, Oleksandr Samoylyk wrote:
> > > CZUCZY Gergely wrote:
> > > > On Thu, 08 May 2008 11:05:45 +0300 Oleksandr Samoylyk wrote:
> > > >> CZUCZY Gergely wrote:
> > > >>> On Thu, 08 May 2008 01:04:54 +0300 Oleksandr Samoylyk wrote:
> > > >>>> Dear Community,
> > > >>>>
> > > >>>> I want to move some of our firewalls from Linux/iptables to
> > > >>>> FreeBSD/pf.
> > > >>>>
> > > >>>> After reading man pf.conf for a couple of minutes I couldn't
> > > >>>> find the realization of such iptables rule in pf:
> > > >>>>
> > > >>>> iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p
> > > >>>> tcp --dport 25 -j DROP
> > > >>> block in on $interface proto tcp from any to ! my.smtp.server
> > > >>> port 25
> > > >>>
> > > >>>> iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j
> > > >>>> DNAT --to-destination :25
> > > >>> rdr on $interface proto tcp from any to port 2525 ->
> > > >>> port 25
> > > >> I meant _any_ destination with 25 port.
> > > >>
> > > >> That iptables rule worked for any destination.
> > > > You cannot rewrite a packet's destination address to _any_
> > > > destination.
> > > >
> > > > It's like you cannot submit a package at the post office with the
> > > > destination address "any". It's just meaningless.
> > >
> > > However it works with iptables. :)
> > >
> > > What can I do in my situation in order to gain the same
> > > functionality by means of pf or other additional daemons?
> >
> > It doesn't just "work" in iptables. All you are doing is PAT with that
> > rule, rewriting destination ports. What does your DNAT table look like
> > where packets matching this rule then jump to?
> [...]
>
> Your analysis of the two provided netfilter rules is wrong. DNAT is a
> built-in pseudo-chain which does the actual destination address/port
> translation, in this case it rewrites the destination port to 25 and
> leaves the destination address untouched.
>
> Just to clear up some of the terms used with netfilter: you don't jump
> to tables, you jump to chains. Tables in netfilter are "nat", "filter"
> and "mangle"; like parallel worlds with their own set of chains, each
> table having a distinct purpose (packet filtering, address/port
> translations, and other packet mangling/tagging).
>

I was not sure if DNAT was a built-in or not. As far as the difference
between tables / chains, thanks for clearing that up. I have not
firewalled with ipchains/iptables for quite some time so I am not
completely up to speed on the semantics surrounding the software's
current incarnation. If having used incorrect terminology resulted in
difficulties I apologize.

However, from a processing perspective my analysis is correct in
concept. The second rule does a port address translation switching the
destination port from port 2525 to port 25 on packets that match the
rule.

My analysis of both rules was in a previous reply to the poster's
original email; I have included that analysis again below. Perhaps if it
too is incorrect from a conceptual perspective you could be so kind as
to point out why?

"iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p tcp --dport 25 -j DROP

says all packets destined for port 25 for any address other than
my.smtp.server, jump to the builtin DROP table/chain.

The second rule

iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j DNAT --to-destination :25

I would think builds on the first (just like in pf, order of rule
processing is very important) and says anything with a destination of
port 2525, jump to the DNAT table/chain and switch the destination port
to port 25, leaving the destination IP address untouched. Essentially
you are just doing PAT there.

Hard to know exactly what you are trying to do without network
topography. Is this on a three-legged firewall for LAN to DMZ/Internet
connections or is this intended for inbound connections to your SMTP
servers? The rules in pf to serve either purpose would be different."

From owner-freebsd-pf@FreeBSD.ORG Fri May 9 09:58:13 2008
Date: Fri, 9 May 2008 11:58:31 +0200
From: Daniel Roethlisberger
To: Elliott Perrin
Cc: freebsd-pf@freebsd.org
Message-ID: <20080509095831.GB14550@hobbes.ustdmz.roe.ch>
In-Reply-To: <1210299343.28559.31.camel@kensho.c7.ca>
Subject: Re: iptables rule in pf

Elliott Perrin 2008-05-08:
> On Thu, 2008-05-08 at 13:35 +0200, Daniel Roethlisberger wrote:
> > Elliott Perrin 2008-05-08:
> > > On Thu, 2008-05-08 at 11:36 +0300, Oleksandr Samoylyk wrote:
> > > > CZUCZY Gergely wrote:
> > > > > On Thu, 08 May 2008 11:05:45 +0300 Oleksandr Samoylyk wrote:
> > > > >> CZUCZY Gergely wrote:
> > > > >>> On Thu, 08 May 2008 01:04:54 +0300 Oleksandr Samoylyk wrote:
> > > > >>>> Dear Community,
> > > > >>>>
> > > > >>>> I want to move some of our firewalls from Linux/iptables to
> > > > >>>> FreeBSD/pf.
> > > > >>>>
> > > > >>>> After reading man pf.conf for a couple of minutes I
> > > > >>>> couldn't find the realization of such iptables rule in pf:
> > > > >>>>
> > > > >>>> iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server
> > > > >>>> -p tcp --dport 25 -j DROP
> > > > >>> block in on $interface proto tcp from any to !
> > > > >>> my.smtp.server port 25
> > > > >>>
> > > > >>>> iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525
> > > > >>>> -j DNAT --to-destination :25
> > > > >>> rdr on $interface proto tcp from any to port 2525 ->
> > > > >>> port 25
> > > > >> I meant _any_ destination with 25 port.
> > > > >>
> > > > >> That iptables rule worked for any destination.
> > > > > You cannot rewrite a packet's destination address to _any_
> > > > > destination.
> > > > >
> > > > > It's like you cannot submit a package at the post office with
> > > > > the destination address "any". It's just meaningless.
> > > >
> > > > However it works with iptables. :)
> > > >
> > > > What can I do in my situation in order to gain the same
> > > > functionality by means of pf or other additional daemons?
> > >
> > > It doesn't just "work" in iptables. All you are doing is PAT with
> > > that rule, rewriting destination ports. What does your DNAT table
> > > look like where packets matching this rule then jump to?
> > [...]
> >
> > Your analysis of the two provided netfilter rules is wrong. DNAT is
> > a built-in pseudo-chain which does the actual destination
> > address/port translation, in this case it rewrites the destination
> > port to 25 and leaves the destination address untouched.
> >
> > Just to clear up some of the terms used with netfilter: you don't
> > jump to tables, you jump to chains. Tables in netfilter are "nat",
> > "filter" and "mangle"; like parallel worlds with their own set of
> > chains, each table having a distinct purpose (packet filtering,
> > address/port translations, and other packet mangling/tagging).
> >
>
> I was not sure if DNAT was a built-in or not. As far as the difference
> between tables / chains, thanks for clearing that up. I have not
> firewalled with ipchains/iptables for quite some time so I am not
> completely up to speed on the semantics surrounding the software's
> current incarnation. If having used incorrect terminology resulted in
> difficulties I apologize.
>
> However, from a processing perspective my analysis is correct in
> concept. The second rule does a port address translation switching the
> destination port from port 2525 to port 25 on packets that match the
> rule.
> [...]

You are right in that aspect, I apologize for my bad choice of words.

-- 
Daniel Roethlisberger
http://daniel.roe.ch/

From owner-freebsd-pf@FreeBSD.ORG Fri May 9 12:54:44 2008
From: "Igor A. Valcov"
To: freebsd-pf@freebsd.org
Date: Fri, 9 May 2008 16:54:43 +0400
Subject: do not work nested unnamed anchor

Hello.

For example:

==== pf.conf ====
ext_if="xl0"
ip_world="nn.nn.nn.nn"

# Filter rules
block log all

anchor in on $ext_if {
    pass quick proto tcp to $ip_world port 22 keep state  # SSH
    pass quick proto tcp to $ip_world port 25 keep state  # SMTP
    pass quick proto tcp to $ip_world port 110 keep state # POP3
    anchor {
        pass quick proto tcp to $ip_world port 995 keep state # POP3S
    }
}
============

nmap results:

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 4.5p1 (FreeBSD 20061110; protocol 2.0)
25/tcp  open  smtp?
110/tcp open  pop3    Openwall popa3d

I cannot understand what the problem is...

FreeBSD-7.0-RELEASE-p1 i386

-- 
Igor A. Valcov