From owner-freebsd-pf@FreeBSD.ORG Mon Aug 25 09:37:23 2008
From: Nejc Škoberne <nejc@skoberne.net>
To: freebsd-pf@freebsd.org
Date: Mon, 25 Aug 2008 11:20:08 +0200
Message-ID: <48B27948.5040101@skoberne.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"
Subject: Proxying broadcasts?

Hello,

I have a central FreeBSD 7.0 router running pf with SERVERS and USERS1 and USERS2 networks attached to it.
I also have some Sybase SQL servers on the SERVERS network, which use broadcasts to announce themselves to the network. Before, when there were no separate segments, everything worked fine of course.

My question: is there any way to "proxy" (forward) broadcast requests from USERS1 to the SERVERS network, so that the users in the USERS* networks could find the Sybase SQL servers via broadcasts?

I tried something like this in my test environment (tried to NAT broadcast DNS requests, just to try whether pf could do it):

    nat on $ServersInterface from 192.168.3.100 to 192.168.1.255 -> 192.168.1.1
    rdr pass on $UsersInterface proto udp from 192.168.3.100 to 192.168.3.255 port 53 -> 192.168.1.255

(3.100 is a client from USERS1, 1.1 is the router.) But this doesn't seem to be working (no translated packets on the interfaces). I guess it's impossible?

Thanks,
Nejc

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 25 11:06:55 2008
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
To: freebsd-pf@FreeBSD.org
Date: Mon, 25 Aug 2008 11:06:54 GMT
Message-Id: <200808251106.m7PB6set027839@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Current FreeBSD problem reports

Critical problems

S Tracker       Resp.  Description
--------------------------------------------------------------------------------
o kern/111220   pf     [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker       Resp.  Description
--------------------------------------------------------------------------------
o kern/82271    pf     [pf] cbq scheduler cause bad latency
o kern/92949    pf     [pf] PF + ALTQ problems with latency
o kern/120281   pf     [pf] [request] lost returning packets to PF for a rdr
o kern/122014   pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/124364   pf     [pf] [panic] Kernel panic with pf + bridge
s kern/124933   pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented

6 problems total.

Non-critical problems

S Tracker       Resp.  Description
--------------------------------------------------------------------------------
o sparc/93530   pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/93825    pf     [pf] pf reply-to doesn't work
s conf/110838   pf     [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/114095   pf     [carp] carp+pf delay with high state limit
o kern/114567   pf     [pf] LOR pf_ioctl.c + if.c
o bin/118355    pf     [pf] [patch] pfctl(8) help message options order false
o kern/120057   pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o kern/121704   pf     [pf] PF mangles loopback packets
o kern/122773   pf     [pf] pf doesn't log uid or pid when configured to
o kern/125467   pf     [pf] pf keep state bug while handling sessions between

10 problems total.
From owner-freebsd-pf@FreeBSD.ORG Wed Aug 27 11:20:03 2008
From: "Rajkumar S" <rajkumars@gmail.com>
To: freebsd-pf@freebsd.org
Date: Wed, 27 Aug 2008 16:17:56 +0530
Message-ID: <64de5c8b0808270347p2d8cf9ccydd63cae3b1ea6a14@mail.gmail.com>
Subject: ALTQ and shaping an existing session

Hi,

I have configured pf/altq to shape traffic in my freebsd box. Rule fragments are as below.

    altq on rl0 cbq bandwidth 512Kb queue { lanRoot }
    altq on rl1 cbq bandwidth 512Kb queue { wanRoot }

    queue lanRoot bandwidth 512Kb cbq { lanStd, lanBad }
    queue lanStd bandwidth 400Kb cbq (default)
    queue lanBad bandwidth 112Kb cbq #(default)

    queue wanRoot bandwidth 512Kb cbq { wanStd, wanBad }
    queue wanStd bandwidth 450Kb cbq (default)
    queue wanBad bandwidth 62Kb cbq #(default)

    pass out quick on $lan from any to any keep state
    pass in quick on $lan from to any keep state queue lanBad
    pass in quick on $lan from any to any keep state
    pass out quick on $ext_if from any to any keep state
    pass in quick on $ext_if from any to keep state queue wanBad
    pass in quick on $ext_if from any to any keep state

IPs are added to by an external program based on bandwidth. The problem is that even when a new ip is added to or removed from, already existing sessions from the newly added ip continue to have the previous shaping configuration. All new sessions are shaped as expected. I have tried rules without "keep state", but the results are the same. Is this the expected behavior of pf? Can the shaping be performed for existing sessions also when an ip is added to ?

with regards,
raj

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 27 19:22:51 2008
From: Michal Buchtik <buchtajz@borsice.net>
To: freebsd-pf
Date: Wed, 27 Aug 2008 21:22:48 +0200
Message-Id: <1219864968.1536.14.camel@manwe.buchtikov.borsice.sfn>
In-Reply-To: <64de5c8b0808270347p2d8cf9ccydd63cae3b1ea6a14@mail.gmail.com>
Subject: Re: ALTQ and shaping an existing session

Rajkumar S wrote on Wed 27. 08. 2008 at 16:17 +0530:
> The problem is that even when a new ip is added to or removed from
> already existing sessions from the newly added ip continues
> to have previous shaping configuration. All new sessions are shaped as
> expected. I have tried rules without "keep state", but results are the
> same. Is this the expected behavior of pf?
> Can the shaping be
> performed for existing sessions also when an ip is added to ?

I have the same problem. The only way I found is to kill the existing states of the affected IPs. But this is uncomfortable for users. Is there another solution?

Michal

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 27 19:45:39 2008
From: Jeremy Chadwick <jdc@koitsu.dyndns.org>
To: Michal Buchtik
Cc: freebsd-pf
Date: Wed, 27 Aug 2008 12:29:38 -0700
Message-ID: <20080827192938.GA1711@icarus.home.lan>
In-Reply-To: <1219864968.1536.14.camel@manwe.buchtikov.borsice.sfn>
Subject: Re: ALTQ and shaping an existing session

On Wed, Aug 27, 2008 at 09:22:48PM +0200, Michal Buchtik wrote:
> Rajkumar S wrote on Wed 27. 08. 2008 at 16:17 +0530:
> > The problem is that even when a new ip is added to or removed from
> > already existing sessions from the newly added ip continues
> > to have previous shaping configuration. All new sessions are shaped as
> > expected. I have tried rules without "keep state", but results are the
> > same. Is this the expected behavior of pf? Can the shaping be
> > performed for existing sessions also when an ip is added to ?
>
> I have same problem. The only way I found is kill existing states of
> affected ip's. But this is uncomfortable for users. Is there another
> solution?

It sounds like the root of this problem is that "flags S/SA" is implicit on RELENG_7 for TCP rules. "keep state" is also implicit (on TCP, UDP, and ICMP rules).

The only solutions I see, both of which have consequences:

1) Use "flags any", but this *is not* something you would want to use in conjunction with "keep state", since you only want to cause pf to begin tracking state when SYN or SYN+ACK is set, and not on FIN, RST, or other combinations. There is probably some combination of rules you could set up which could utilise "flags any" correctly, but the risks are high.

2) Add "no state" to rules you want shaping to occur on. This has the added drawback of pf not being able to keep track of state on such packets (performance hit), and you'll need to tune your pf rules to match on traffic going both directions (since there's no longer a state kept).

Max, does this sound correct?
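The workaround Michal mentions above (kill the existing states of an address after its table membership changes, so its next packets create fresh states under the rule and queue that now match), scripted as an added example that is not code from any of the posters. It assumes a table named <bad_ips>, a placeholder because the real table name did not survive the archive, and lets PFCTL be overridden so the script can be dry-run on a box without pf.

```shell
#!/bin/sh
# Added example for the ALTQ thread above; not code from Rajkumar, Michal,
# Jeremy or Max. A pf state keeps a reference to the rule that created it and
# takes its ALTQ queue from that rule, so after changing table membership the
# host's existing states are killed and the next packets create fresh states
# under the rule that now matches.
#
# Assumptions (not from the thread): the table is called <bad_ips>, since the
# real name did not survive the archive; PFCTL can be pointed elsewhere
# (PFCTL=echo gives a dry run on a box without pf); IPv4 only.

PFCTL="${PFCTL:-pfctl}"
TABLE="${TABLE:-bad_ips}"

# Accept only a plain dotted-quad IPv4 address. Nothing malformed may reach
# "pfctl -k": a bare "pfctl -k 0.0.0.0/0" would flush every state on the box.
valid_ip4() {
    addr=$1
    case "$addr" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    IFS=. read -r a b c d extra <<EOF
$addr
EOF
    [ -n "$d" ] && [ -z "$extra" ] || return 1
    for octet in "$a" "$b" "$c" "$d"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Kill the states that involve the host: first those it originated, then
# those that terminate at it (pfctl's second -k selects the destination).
kill_states() {
    "$PFCTL" -k "$1" || return 1
    "$PFCTL" -k 0.0.0.0/0 -k "$1"
}

# reshape add|delete <ip>: change table membership, then drop the stale
# states so the host is shaped by the rule that now matches it.
reshape() {
    action=$1
    addr=$2
    case "$action" in
        add|delete) ;;
        *) echo "usage: reshape add|delete <ipv4>" >&2; return 2 ;;
    esac
    valid_ip4 "$addr" || { echo "reshape: bad IPv4 address: '$addr'" >&2; return 2; }
    "$PFCTL" -t "$TABLE" -T "$action" "$addr" || return 1
    kill_states "$addr"
}

# Run from the command line: ./reshape.sh add 192.168.3.100
if [ $# -eq 2 ]; then
    reshape "$1" "$2"
fi
```

The external program that maintains the table would call this instead of a bare "pfctl -T add", so the bandwidth change takes effect for sessions that already exist.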

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 27 19:57:14 2008
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Date: Wed, 27 Aug 2008 21:57:11 +0200
Message-Id: <200808272157.11585.max@love2party.net>
In-Reply-To: <20080827192938.GA1711@icarus.home.lan>
Subject: Re: ALTQ and shaping an existing session

On Wednesday 27 August 2008 21:29:38 Jeremy Chadwick wrote:
> On Wed, Aug 27, 2008 at 09:22:48PM +0200, Michal Buchtik wrote:
> > Rajkumar S wrote on Wed 27. 08. 2008 at 16:17 +0530:
> > > The problem is that even when a new ip is added to or removed from
> > > already existing sessions from the newly added ip continues
> > > to have previous shaping configuration. All new sessions are shaped as
> > > expected. I have tried rules without "keep state", but results are the
> > > same. Is this the expected behavior of pf? Can the shaping be
> > > performed for existing sessions also when an ip is added to ?
> >
> > I have same problem. The only way I found is kill existing states of
> > affected ip's. But this is uncomfortable for users. Is there another
> > solution?
>
> It sounds like the root of this problem is that "flags S/SA" is implicit
> on RELENG_7 for TCP rules. "keep state" is also implicit (on TCP, UDP,
> and ICMP rules).
>
> The only solutions I see, both of which have consequences:
>
> 1) Use "flags any", but this *is not* something you would want to use in
> conjunction with "keep state", since you only want to cause pf to begin
> tracking state when SYN or SYN+ACK is set, and not on FIN, RST, or other
> combinations. There is probably some combination of rules you could set
> up which could utilise "flags any" correctly, but the risks are high.
>
> 2) Add "no state" to rules you want shaping to occur on. This has the
> added drawback of pf not being able to keep track of state on such
> packets (performance hit), and you'll need to tune your pf rules to
> match on traffic going both directions (since there's no longer a state
> kept)
>
> Max, does this sound correct?

Yes, about right.
There might be a way to solve this by hacking up the "pfctl -k" mechanism, though. In a nutshell every state maintains a reference to the rule it was created by (its parent). The ALTQ queues used by that state come directly from that parent (i.e. the state doesn't store them). If we could modify the "pfctl -k" mechanism to move a state from one rule to another, the ALTQ definitions would change accordingly. I yet have to check how much work that would be or if there are any problems with the basic idea, but since there is a 3 byte hole in pfioc_state_kill this could even be MFCed. I'll have a look.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 28 00:57:12 2008
From: James Shupe <shupej@hermetek.com>
Date: Wed, 27 Aug 2008 19:29:09 -0500
Message-ID: <48B5F155.3000107@hermetek.com>
To: freebsd-pf@freebsd.org
Subject: Squid/ Danguardian + Transparent Bridge

I've been trying to get pf to transparently redirect all incoming traffic on port 80 to port 8080 on a bridge to pass through to Dansguardian. This machine is a replacement for a Linux box which did the same thing with IPtables flawlessly, but I can't seem to get it to work with PF. I've tried using dozens of rulesets, including route-to statements, and have had no success. I was wondering if anybody has a working ruleset that they could share as an example, as I've seen lots of questions in mailing list archives regarding this, but no positive fixes.

Thank you,

-- 
James Shupe
HermeTek Network Solutions
http://www.hermetek.com
1.866.325.6207
------------------------------------------------------------------------
This Email is covered by the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521 and is legally privileged. The information contained in this Email is intended only for use of the individual or entity named above.
If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately notify us by telephone 1.866.325.6207 and destroy the original message.

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 28 01:03:34 2008
From: Jeremy Chadwick <jdc@koitsu.dyndns.org>
To: James Shupe
Cc: freebsd-pf@freebsd.org
Date: Wed, 27 Aug 2008 18:03:32 -0700
Message-ID: <20080828010332.GA8172@icarus.home.lan>
In-Reply-To: <48B5F155.3000107@hermetek.com>
Subject: Re: Squid/ Danguardian + Transparent Bridge

On Wed, Aug 27, 2008 at 07:29:09PM -0500, James Shupe wrote:
> I've been trying to get pf to transparently redirect all incoming
> traffic on port 80 to port 8080 on a bridge to pass through to
> Dansguardian. This machine is a replacement for a Linux box which did
> the same thing with IPtables flawlessly, but I can't seem to get it work
> with PF. I've tried using dozens of rulesets, including route-to
> statements, and have had no success.
> I was wondering if anybody has a
> working ruleset that they could share as an example, as I've seen lots
> of questions in mailing list archives regarding this, but no positive fixes.

You mean something like this?

    rdr pass proto tcp from any to <ipofyourbox> port 80 -> 127.0.0.1 port 8080

Assuming ipofyourbox is 4.4.4.4, this will transparently redirect incoming connections to 4.4.4.4 port 80 to 127.0.0.1 port 8080. Response packets will also be remapped appropriately (meaning the remote user will see the response packets coming from 4.4.4.4 port 80).

This is under the assumption that Dansguardian is listening on 127.0.0.1 port 8080. It might just be listening on INADDR_ANY port 8080, in which case you should probably configure it to bind to 127.0.0.1 -- or if you cannot, set up an appropriate firewall rule in pf to block that traffic (so people on the Internet cannot connect to 4.4.4.4 port 8080 and talk to Dansguardian directly).

Hope this helps.
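Jeremy's rdr together with the block rule he suggests for a proxy that cannot be bound to 127.0.0.1, written out as an added example that is not a ruleset from Jeremy, Max or James. It assumes the external interface and address are passed on the command line (em0 and 4.4.4.4 are placeholders) and that the proxy listens on port 8080 unless told otherwise.

```shell
#!/bin/sh
# Added example for the transparent-proxy thread above; not a ruleset from
# Jeremy, Max or James. It emits the rdr Jeremy describes plus the block rule
# he recommends when the proxy listens on INADDR_ANY, and syntax-checks the
# fragment with "pfctl -nf -" when pfctl is present.
#
# Assumptions (not from the thread): external interface and address are
# given as arguments (em0 and 4.4.4.4 below are placeholders); the proxy
# port defaults to 8080.

# proxy_rules <ext_if> <box_ip> [proxy_port]: print the pf.conf fragment.
proxy_rules() {
    ext_if=$1
    box_ip=$2
    pport=${3:-8080}
    if [ -z "$ext_if" ] || [ -z "$box_ip" ]; then
        echo "usage: proxy_rules <ext_if> <box_ip> [proxy_port]" >&2
        return 2
    fi
    cat <<EOF
# Inbound HTTP for $box_ip goes to the proxy on loopback. Translation runs
# before filtering, so the packet reaches the filter with destination
# 127.0.0.1:$pport and the "pass" in "rdr pass" lets it through; the same
# state maps the replies back to $box_ip port 80.
rdr pass on $ext_if inet proto tcp from any to $box_ip port 80 -> 127.0.0.1 port $pport
# If the proxy binds INADDR_ANY instead of 127.0.0.1, outsiders could still
# reach it directly on the external address; refuse that.
block in quick on $ext_if inet proto tcp from any to $box_ip port $pport
EOF
}

# check_rules <ext_if> <box_ip> [proxy_port]: have pfctl parse the fragment
# without loading it. Without pfctl only the generation is exercised, so the
# script can be checked off-box.
check_rules() {
    if command -v pfctl >/dev/null 2>&1; then
        proxy_rules "$@" | pfctl -nf -
    else
        proxy_rules "$@" >/dev/null
    fi
}

# Run from the command line: ./proxy_rules.sh em0 4.4.4.4
if [ $# -ge 2 ]; then
    check_rules "$@" && proxy_rules "$@"
fi
```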

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 28 01:12:55 2008
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Date: Thu, 28 Aug 2008 03:12:45 +0200
Message-Id: <200808280312.45587.max@love2party.net>
In-Reply-To: <20080828010332.GA8172@icarus.home.lan>
Subject: Re: Squid/ Danguardian + Transparent Bridge

On Thursday 28 August 2008 03:03:32 Jeremy Chadwick wrote:
> On Wed, Aug 27, 2008 at 07:29:09PM -0500, James Shupe wrote:
> > I've been trying to get pf to transparently redirect all incoming
> > traffic on port 80 to port 8080 on a bridge to pass through to
> > Dansguardian. This machine is a replacement for a Linux box which did
> > the same thing with IPtables flawlessly, but I can't seem to get it work
> > with PF. I've tried using dozens of rulesets, including route-to
> > statements, and have had no success. I was wondering if anybody has a
> > working ruleset that they could share as an example, as I've seen lots
> > of questions in mailing list archives regarding this, but no positive
> > fixes.
>
> You mean something like this?
>
> rdr pass proto tcp from any to <ipofyourbox> port 80 -> 127.0.0.1 port 8080
>
> Assuming ipofyourbox is 4.4.4.4, this will transparently redirect
> incoming connections to 4.4.4.4 port 80 to 127.0.0.1 port 8080.
> Response packets will also be remapped appropriately (meaning the remote
> user will see the response packets coming from 4.4.4.4 port 80).
>
> This is under the assumption that Dansguardian is listening on 127.0.0.1
> port 8080. It might just be listening on INADDR_ANY port 8080, in which
> case you should probably configure it to bind to 127.0.0.1 -- or if
> you cannot, set up an appropriate firewall rule in pf to block that
> traffic (so people on the Internet cannot connect to 4.4.4.4 port 8080
> and talk to Dansguardian directly).

Note that software that wants to do transparent proxying needs to be aware of the pf redirection. For squid you can enable code to do that by enabling the port option SQUID_PF (see make config). I have no idea if Dansguardian has support for pf or if squid or Dansguardian is the first to look at the traffic. If squid is the first you should be good ... otherwise you must talk to the Dansguardian people about pf support.

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 28 03:56:18 2008
From: Jeremy Chadwick <jdc@koitsu.dyndns.org>
To: freebsd-pf@freebsd.org
Date: Wed, 27 Aug 2008 20:46:14 -0700
Message-ID: <20080828034614.GA11207@icarus.home.lan>
Subject: Fwd: Re: Squid/ Danguardian + Transparent Bridge
----- Forwarded message from James Shupe -----

> From: James Shupe
> To: Jeremy Chadwick
> Date: Wed, 27 Aug 2008 20:26:59 -0500
> Subject: Re: Squid/ Danguardian + Transparent Bridge
>
> I've tried this, and it works with NAT but not when the interfaces are
> in a bridge. I'll re-attempt this tomorrow though, just in case I'm wrong.
>
> Thank you,
> James Shupe
>
> Jeremy Chadwick wrote:
> > On Wed, Aug 27, 2008 at 07:29:09PM -0500, James Shupe wrote:
> >> I've been trying to get pf to transparently redirect all incoming
> >> traffic on port 80 to port 8080 on a bridge to pass through to
> >> Dansguardian. This machine is a replacement for a Linux box which did
> >> the same thing with IPtables flawlessly, but I can't seem to get it to work
> >> with PF. I've tried using dozens of rulesets, including route-to
> >> statements, and have had no success. I was wondering if anybody has a
> >> working ruleset that they could share as an example, as I've seen lots
> >> of questions in mailing list archives regarding this, but no positive fixes.
> >
> > You mean something like this?
> >
> >   rdr pass proto tcp from any to port 80 -> 127.0.0.1 port 8080
> >
> > Assuming ipofyourbox is 4.4.4.4, this will transparently redirect
> > incoming connections to 4.4.4.4 port 80 to 127.0.0.1 port 8080.
> > Response packets will also be remapped appropriately (meaning the remote
> > user will see the response packets coming from 4.4.4.4 port 80).
> >
> > This is under the assumption that Dansguardian is listening on 127.0.0.1
> > port 8080. It might just be listening on INADDR_ANY port 8080, in which
> > case you should probably configure it to bind to 127.0.0.1 -- or if
> > you cannot, set up an appropriate firewall rule in pf to block that
> > traffic (so people on the Internet cannot connect to 4.4.4.4 port 8080
> > and talk to Dansguardian directly).
> >
> > Hope this helps.
> >
>
> Thank you,
> --
> James Shupe
> HermeTek Network Solutions
> http//www.hermetek.com
> 1.866.325.6207

----- End forwarded message -----

James forgot to CC the list when replying; I got his permission to forward
this. His problem seems to be when using rdr while a bridge is in use.

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 29 10:54:28 2008
From: ben wilber
To: freebsd-pf@freebsd.org
Date: Fri, 29 Aug 2008 06:54:23 -0400
Message-ID: <20080829105422.GI1644@exodus.desync.com>
Subject: pf and mxge
Hello,

I'm trying to use PF on a machine with an mxge(4) interface and am
having some difficulty. With my ruleset loaded, any TCP session that
gets a state grinds to a halt.

For example, I can log in via SSH and issue commands that return a
couple lines, but the output from a command like dmesg(8) comes very
slowly and sometimes won't finish before SSH times out. MTU on the
interface is 1500 bytes. This doesn't happen unless states are created
(e.g., not with "pass no state").

The machine is running -CURRENT for amd64 as of Jul 18th compiled with
ALTQ, crypto and IPSEC, HZ=1000 and DEVICE_POLLING (though not enabled).
IP and IPv6 forwarding are enabled, as well as fastforwarding. Only
filtering; no bridges, ALTQ, NAT or scrubbing.

Any insight?

Thanks,
bw.

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 29 11:04:01 2008
From: Jeremy Chadwick
To: ben wilber
Cc: freebsd-pf@freebsd.org
Date: Fri, 29 Aug 2008 04:03:58 -0700
Message-ID: <20080829110358.GA72503@icarus.home.lan>
In-Reply-To: <20080829105422.GI1644@exodus.desync.com>
Subject: Re: pf and mxge

On Fri, Aug 29, 2008 at 06:54:23AM -0400, ben wilber wrote:
> I'm trying to use PF on a machine with an mxge(4) interface and am
> having some difficulty. With my ruleset loaded, any TCP session that
> gets a state grinds to a halt.
>
> For example, I can log in via SSH and issue commands that return a
> couple lines, but the output from a command like dmesg(8) comes very
> slowly and sometimes won't finish before SSH times out. MTU on the
> interface is 1500 bytes. This doesn't happen unless states are created
> (e.g., not with "pass no state").
>
> The machine is running -CURRENT for amd64 as of Jul 18th compiled with
> ALTQ, crypto and IPSEC, HZ=1000 and DEVICE_POLLING (though not enabled).
> IP and IPv6 forwarding are enabled, as well as fastforwarding. Only
> filtering; no bridges, ALTQ, NAT or scrubbing.
>
> Any insight?

I've seen this problem on RELENG_6, although the SSH connections would
not "time out" -- after a page or so of 'dmesg' output, they would
immediately get disconnected/severed. I believe the problem was caused
by my use of "modulate state" instead of "keep state" (since on RELENG_6
"keep state" is not implicit).

Are you using "reassemble tcp", "synproxy state", or "modulate state"
directives? Does disabling RFC1323 (see sysctl) make a difference at all?
Are you blindly filtering all ICMP traffic and destroying PMTU negotiation?

Can you provide your pf.conf?

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 29 13:13:43 2008
From: Adam McDougall
To: ben wilber, freebsd-pf@freebsd.org
Date: Fri, 29 Aug 2008 08:55:49 -0400
Message-ID: <20080829125549.GR64444@egr.msu.edu>
In-Reply-To: <20080829110358.GA72503@icarus.home.lan>
Subject: Re: pf and mxge
On Fri, Aug 29, 2008 at 04:03:58AM -0700, Jeremy Chadwick wrote:
> On Fri, Aug 29, 2008 at 06:54:23AM -0400, ben wilber wrote:
> > I'm trying to use PF on a machine with an mxge(4) interface and am
> > having some difficulty. With my ruleset loaded, any TCP session that
> > gets a state grinds to a halt.
> >
> > For example, I can log in via SSH and issue commands that return a
> > couple lines, but the output from a command like dmesg(8) comes very
> > slowly and sometimes won't finish before SSH times out. MTU on the
> > interface is 1500 bytes. This doesn't happen unless states are created
> > (e.g., not with "pass no state").
> >
> > The machine is running -CURRENT for amd64 as of Jul 18th compiled with
> > ALTQ, crypto and IPSEC, HZ=1000 and DEVICE_POLLING (though not enabled).
> > IP and IPv6 forwarding are enabled, as well as fastforwarding. Only
> > filtering; no bridges, ALTQ, NAT or scrubbing.
> >
> > Any insight?
>
> I've seen this problem on RELENG_6, although the SSH connections would
> not "time out" -- after a page or so of 'dmesg' output, they would
> immediately get disconnected/severed. I believe the problem was caused
> by my use of "modulate state" instead of "keep state" (since on RELENG_6
> "keep state" is not implicit).
>
> Are you using "reassemble tcp", "synproxy state", or "modulate state"
> directives? Does disabling RFC1323 (see sysctl) make a difference at all?
>
> Are you blindly filtering all ICMP traffic and destroying PMTU negotiation?
>
> Can you provide your pf.conf?
>
> --
> | Jeremy Chadwick                                jdc at parodius.com |

Just for posterity, I had similar problems and ended up getting rid of
floating state in favor of "set state-policy if-bound". If you run
pfctl -x loud and watch the kernel output, you should be able to see a
state mismatch when the ssh has a problem.
Warning, I've had consoles lock up with too much output from pfctl -x loud,
so if you care, don't run it too long or with too much traffic (pfctl -x none
to disable).

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 29 15:56:38 2008
From: "David DeSimone"
Mail-Followup-To: freebsd-pf@freebsd.org
Date: Fri, 29 Aug 2008 10:56:30 -0500
Message-ID: <20080829155630.GA31307@verio.net>
In-Reply-To: <20080829105422.GI1644@exodus.desync.com>
Subject: Re: pf and mxge
ben wilber wrote:
>
> For example, I can log in via SSH and issue commands that return a
> couple lines, but the output from a command like dmesg(8) comes very
> slowly and sometimes won't finish before SSH times out. MTU on the
> interface is 1500 bytes. This doesn't happen unless states are
> created (e.g., not with "pass no state").

This can happen when TCP Window Scaling (RFC1323) is in effect, but PF
is not aware of it. PF can only capture the window scales in effect if
it sees the "SYN" and "SYN+ACK" packets that begin a connection, as they
are not advertised at any other time. If the state is built from the
"middle" of a connection, PF enforces a much smaller version of the
expected TCP window, and things slow down tremendously.

This is why PF in FreeBSD 7.0 adds the "flags S/SA" and "keep state"
options by default. Since this is the default, it is surprising to me
that you would see this type of behavior, but it gives you something to
look into.

--
David DeSimone == Network Admin == fox@verio.net
  "I don't like spinach, and I'm glad I don't, because if I liked it
   I'd eat it, and I just hate it." -- Clarence Darrow
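As an added illustration (not part of the thread and not pf's source code), the following Python model follows David's explanation above and Jeremy's earlier point about how a state gets created: a state built from the SYN/SYN+ACK knows each side's window scale, while one picked up mid-connection can only take the 16-bit window field at face value. The segment sizes, window values and sequence numbers are constructed sample data, and the in-window check is a deliberate simplification, not pf's exact sequence-tracking logic.

```python
"""Model of the window-tracking failure described in the thread.

Added illustration, not pf's source: scale factors are only learned from
the SYN/SYN+ACK, so a state picked up mid-connection can only enforce the
unscaled 16-bit window. All segments, windows and sequence numbers below
are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MSS = 1448  # typical TCP payload per segment on a 1500-byte MTU link


@dataclass
class Direction:
    """A stateful filter's view of one direction of a TCP connection."""
    acked: int             # highest byte the receiver has acknowledged so far
    raw_win: int           # 16-bit window field the receiver last advertised
    wscale: Optional[int]  # shift count from the receiver's SYN; None if unseen

    def allowed_bytes(self) -> int:
        # The scale option rides only on SYN/SYN+ACK; without it the filter
        # has nothing better than the raw 16-bit value.
        if self.wscale is None:
            return self.raw_win
        return self.raw_win << self.wscale


def filter_burst(d: Direction, segs: List[Tuple[int, int]]) -> Tuple[int, int]:
    """Judge a burst of (seq, length) data segments sent before any new ACK
    arrives. Returns (accepted, dropped). Simplified check, not pf's exact
    sequence-window logic: a segment must fit inside acked .. acked+window."""
    accepted = dropped = 0
    limit = d.acked + d.allowed_bytes()
    for seq, length in segs:
        if seq >= d.acked and seq + length <= limit:
            accepted += 1
        else:
            dropped += 1  # the kind of state mismatch 'pfctl -x loud' reports
    return accepted, dropped


def dmesg_burst(start_seq: int, nsegs: int) -> List[Tuple[int, int]]:
    """Constructed sample: a server pushing dmesg(8) output in MSS-sized segments."""
    return [(start_seq + i * MSS, MSS) for i in range(nsegs)]


def compare(raw_win: int = 2048, wscale: int = 5, nsegs: int = 45) -> Dict[str, Tuple[int, int]]:
    """Same burst judged by a state built from the handshake and by one built
    mid-connection (e.g. the ruleset was loaded after the session was up)."""
    burst = dmesg_burst(start_seq=1_000_000, nsegs=nsegs)
    from_handshake = Direction(acked=1_000_000, raw_win=raw_win, wscale=wscale)
    picked_up_midway = Direction(acked=1_000_000, raw_win=raw_win, wscale=None)
    return {
        "handshake_seen": filter_burst(from_handshake, burst),
        "mid_stream": filter_burst(picked_up_midway, burst),
    }


if __name__ == "__main__":
    for name, (ok, bad) in compare().items():
        print(f"{name:15s} accepted={ok:3d} dropped={bad:3d}")
```

With a 2048-byte window field and a scale of 5, the handshake-aware state accepts all 45 segments (65160 bytes within 65536), while the mid-stream state accepts one segment and drops the remaining 44, which the sender must retransmit after a timeout, hence the crawl ben described.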