From owner-freebsd-pf@FreeBSD.ORG Sun Sep 21 22:30:06 2008
Date: Sun, 21 Sep 2008 22:30:06 GMT
Message-Id: <200809212230.m8LMU5Sw020143@freefall.freebsd.org>
From: Max Laier
To: freebsd-pf@FreeBSD.org
Subject: Re: conf/127511: [patch] /usr/sbin/authpf: add authpf folders to BSD.root.dist and BSD.var.dist mtree files
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

The following reply was made to PR conf/127511; it has been noted by GNATS.
From: Max Laier
To: bug-followup@freebsd.org, ohauer@gmx.de
Subject: Re: conf/127511: [patch] /usr/sbin/authpf: add authpf folders to BSD.root.dist and BSD.var.dist mtree files
Date: Mon, 22 Sep 2008 00:07:36 +0200

Leaving this to the administrator was a deliberate choice at the time in order to make sure people who use authpf had read the documentation carefully enough to not shoot themselves in their feet. I don't have strong feelings about this, however. So if people feel that we should rather provide more rope, I'll commit your patch.

Voting time, all in favor say "Aye"? Keep this on freebsd-pf@ though, please.

-- 
Max
From: "Olli Hauer" Cc: Subject: Re: conf/127511: [patch] /usr/sbin/authpf: add authpf folders to BSD.root.dist and BSD.var.dist mtree files X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Olli Hauer List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 21 Sep 2008 23:10:04 -0000 The following reply was made to PR conf/127511; it has been noted by GNATS. From: "Olli Hauer" To: Max Laier , bug-followup@freebsd.org Cc: Subject: Re: conf/127511: [patch] /usr/sbin/authpf: add authpf folders to BSD.root.dist and BSD.var.dist mtree files Date: Mon, 22 Sep 2008 00:37:47 +0200 -------- Original-Nachricht -------- > Datum: Mon, 22 Sep 2008 00:07:36 +0200 > Von: Max Laier > An: bug-followup@freebsd.org, ohauer@gmx.de > Betreff: Re: conf/127511: [patch] /usr/sbin/authpf: add authpf folders to BSD.root.dist and BSD.var.dist mtree files > Leaving this to the administrator was a deliberate choice at the time in > order > to make sure people who use authpf had read the documentation carefully > enough > to not shoot themselfs in their feet. I don't have strong feelings about > this, however. So if people feel that we should rather provide more rope, > I'll commit your patch. > > Voting time, all in favor say "Aye"? Keep this on freebsd-pf@ though, > please. > > -- > Max Hm, normaly everyone expect users are reading the man pages or other manuals. Sometime the learning curve will speed up, if you shoot yourself in the food. Something I missed in the patch (see additional diff) --- etc/shells.orig 2000-04-27 23:58:46.000000000 +0200 +++ etc/shells 2008-09-22 00:34:08.000000000 +0200 
@@ -7,3 +7,4 @@ /bin/sh /bin/csh /bin/tcsh +/usr/sbin/authpf

-- 
olli
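Review bot: the `+/usr/sbin/authpf` line in the etc/shells hunk has a wider effect than the mtree directory additions the PR is about, and deserves its own mention in the PR. /etc/shells is consulted through getusershell(3) by chsh/chpass and by ftpd(8), which only admits users whose login shell is listed there, so with this line every account whose shell is authpf also becomes a valid FTP login on hosts that run ftpd, and any user can chsh to /usr/sbin/authpf without administrator involvement. That is precisely the "more rope" Max asked the list to vote on, so the vote should explicitly cover the shells change as well as the directories.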
From owner-freebsd-pf@FreeBSD.ORG Mon Sep 22 11:07:00 2008
Date: Mon, 22 Sep 2008 11:06:59 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o conf/127511  pf         [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf         [pf] deadlock in pf
o kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/82271   pf         [pf] cbq scheduler cause bad latency

22 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Sep 22 11:53:10 2008
Message-ID: <48D7871E.1040902@eskk.nu>
Date: Mon, 22 Sep 2008 13:53:02 +0200
From: Leslie Jensen
To: freebsd-pf@freebsd.org
Subject: IMAP server talks back PF blocks

When doing

  tcpdump -n -e -ttt -i pflog0

I frequently see packets blocked that look like this:

  458660 rule 0/0(match): block in on em0: xxx.yyy.zzz.qqq.993 > qqq.zzz.yyy.xxx.59930: tcp 8 [bad hdr length 12 - too short, < 20]

It's the IMAP server I'm using that tries to talk back. Is this something I should try to let through?

/Leslie
From owner-freebsd-pf@FreeBSD.ORG Mon Sep 22 11:53:40 2008
Message-ID: <48D7873C.70903@eskk.nu>
Date: Mon, 22 Sep 2008 13:53:32 +0200
From: Leslie Jensen
To: freebsd-pf@freebsd.org
Subject: Explanation of macro

I'm setting up a pf firewall and came across this macro:

  SYN_ONLY="S/FSRA"

Have tried to find out what it does but have not been successful.

Will someone explain, please?

Thanks
/Leslie
From owner-freebsd-pf@FreeBSD.ORG Mon Sep 22 12:27:58 2008
Message-ID: <48D78839.2020106@quis.cx>
Date: Mon, 22 Sep 2008 13:57:45 +0200
From: Jille Timmermans
To: Leslie Jensen
Cc: freebsd-pf@freebsd.org
In-Reply-To: <48D7873C.70903@eskk.nu>
Subject: Re: Explanation of macro

Leslie Jensen wrote:
> I'm setting up a pf firewall and came across this macro
>
> SYN_ONLY="S/FSRA"

This means it will only match packets which have only the SYN flag set out of FIN, SYN, RST and ACK. This is the case when starting a new (tcp) connection.

-- Jille

> Have tried to find out what it does but have not been successful.
>
> Will someone explain, please?
> Thanks
> /Leslie
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
From owner-freebsd-pf@FreeBSD.ORG Mon Sep 22 15:38:07 2008
Date: Mon, 22 Sep 2008 08:38:05 -0700
Message-ID: <20080922153805.GA29447@icarus.home.lan>
From: Jeremy Chadwick
To: Leslie Jensen
Cc: freebsd-pf@freebsd.org
In-Reply-To: <48D7871E.1040902@eskk.nu>
Subject: Re: IMAP server talks back PF blocks

On Mon, Sep 22, 2008 at 01:53:02PM +0200, Leslie Jensen wrote:
> When doing
> tcpdump -n -e -ttt -i pflog0
>
> I frequently see packets blocked that looks like this
>
> 458660 rule 0/0(match): block in on em0: xxx.yyy.zzz.qqq.993 >
> qqq.zzz.yyy.xxx.59930: tcp 8 [bad hdr length 12 - too short, < 20]
>
> It's the IMAP server I'm using that tries to talk back. Is this
> something I should try to let through?

The blocks are happening, but you're not able to see the full data in the packet due to the snaplen on tcpdump being too small. Add -s 256 to your tcpdump argument and run it again.

It looks to me like you have a rule problem; possibly IMAP+SSL isn't being permitted through, so the block ends up happening as a result of an ambiguous "block in on em0" rule you have.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
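A worked example for Jille's explanation of SYN_ONLY="S/FSRA" and for the "bad hdr length 12" line in Leslie's pflog capture. This is added code, not from any poster, from pf or from tcpdump: it re-implements pf's "flags a/b" matching and the TCP data-offset check behind tcpdump's "bad hdr length" message in Python, run over constructed TCP headers; the function names are mine, the ports 993 and 59930 are taken from Leslie's log line, and the comparison with the looser S/SA spec is included to show what the macro actually buys.

```python
import struct

# TCP flag bits, keyed by the single letters pf.conf(5) uses in "flags".
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def flag_mask(letters):
    """Turn a pf flag string such as 'FSRA' into a bitmask."""
    return sum(FLAG_BITS[c] for c in letters)  # KeyError on an unknown letter


def pf_flags_match(spec, th_flags):
    """Evaluate a pf 'flags a/b' spec against a TCP flags byte: of the flags
    listed in b, exactly those in a must be set; flags outside b are ignored.
    'any' accepts every packet. Other spellings are rejected, not guessed."""
    if spec == "any":
        return True
    set_part, slash, mask_part = spec.partition("/")
    if not slash:
        raise ValueError("expected 'a/b' or 'any', got %r" % spec)
    return th_flags & flag_mask(mask_part) == flag_mask(set_part)


def tcp_header_check(segment):
    """Mirror the sanity check tcpdump makes before decoding TCP: the data
    offset (upper nibble of byte 12, in 32-bit words) must give a header of
    at least 20 bytes. tcpdump takes the segment length from the IP header;
    here the constructed segment length stands in for it."""
    if len(segment) < 14:
        return {"status": "truncated", "captured": len(segment)}
    sport, dport, _seq, _ack, off_x2, flags = struct.unpack("!HHIIBB", segment[:14])
    hlen = (off_x2 >> 4) * 4
    info = {"sport": sport, "dport": dport, "hlen": hlen,
            "payload": len(segment) - hlen}
    if hlen < 20:
        info["status"] = "bad hdr length %d - too short, < 20" % hlen
    else:
        info.update(status="ok", flags=flags)
    return info


def build_tcp(sport, dport, data_offset_words, flags):
    """Constructed 20-byte TCP header (sample data, not a real capture)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0,
                       data_offset_words << 4, flags, 65535, 0, 0)


# Constructed samples: the malformed IMAPS reply from the pflog line above
# (993 -> 59930, data offset 3 words = 12 bytes) and a well-formed SYN.
BOGUS_IMAPS = build_tcp(993, 59930, 3, FLAG_BITS["A"])
PLAIN_SYN = build_tcp(59930, 993, 5, FLAG_BITS["S"])
```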