From owner-freebsd-pf@FreeBSD.ORG Sun Jun 7 17:28:12 2009
From: vila@tesla.cujae.edu.cu
To: István
Cc: freebsd-pf@freebsd.org
Date: Sun, 07 Jun 2009 13:27:51 -0400
Subject: Re: Connmark target
Message-ID: <20090607132751.18wu3idnkgcgkss8@correo.cujae.edu.cu>

Ok Istvan, I'll try this and post results.

By the way, does anyone know if there are plans to include connection
mark capabilities in pf? I say this because until now it is the only way
I've found to solve my issue.

If anybody knows another way to achieve the same goals, help is really
appreciated.

Thanks everyone,
evelio vila

István wrote:
> Then we have to investigate the possibility to use those flags ;)
> http://groups.google.com/group/bit.listserv.openbsd-pf/browse_thread/thread/dd04e046f70e8ebc#
>
> Regards,
> Istvan
>
> On Sat, Jun 6, 2009 at 7:29 PM, wrote:
>> Unfortunately that would not help me, because the whole traffic is
>> all originated from a single IP address (proxy), so I cannot
>> distinguish between them (that is why I use DSCP marks).
>> Even if I could achieve this, there is still the issue of selecting
>> incoming packets accordingly and directing them to inbound queues
>> (for downlink traffic shaping).
>>
>> regards,
>> evelio vila
>>
>> István wrote:
>>> I guess you might want to tag the DSCP-enabled packets (because pf
>>> has no support for that at the moment, at least I cannot see it)
>>> and put them into the queue based on the tag.
>>> http://www.openbsd.org/faq/pf/queueing.html#assign
>>>
>>> Regards,
>>> Istvan
>>>
>>> On Sat, Jun 6, 2009 at 6:52 PM, wrote:
>>>> István wrote:
>>>>> Hi!
>>>>>
>>>>> In general it is a very bad idea to use the same way what you
>>>>> have been using before when you are moving to a new platform.
>>>>> You wouldn't use bash to manage win2k8 servers, just to give you
>>>>> an example what I am talking about.
>>>>>
>>>>> The question is:
>>>>>
>>>>> What do you want to do with pf. Forget about netfilter/conntrack
>>>>> and so on. What do you want to achieve?
>>>>>
>>>>> This is the only question.
>>>>>
>>>>> Regards,
>>>>> Istvan
>>>>
>>>> I believe you are right Istvan!
>>>>
>>>> This is the thing:
>>>>
>>>> I want to make some traffic shaping on both interfaces of a
>>>> FreeBSD box. As you all probably know, the real congestion occurs
>>>> generally on the downlink interface because of the asymmetric
>>>> nature of some protocols (e.g. HTTP).
>>>>
>>>> On the internal network I have some applications that put DSCP
>>>> tags on packets according to different classes of service. The
>>>> uplink shaping can be done simply by matching the corresponding
>>>> DSCP field of each connection and sending it to different queues.
>>>> (By the way, the doc I've read only presents TOS matching and
>>>> nothing about DSCP.)
>>>> Anyway, the problem arises when the incoming traffic (from the
>>>> internet) has no DSCP tags and I need to enqueue them accordingly
>>>> to make the downlink traffic shaping.
>>>>
>>>> regards,
>>>> evelio vila
>>>>
>>>>> On Sat, Jun 6, 2009 at 6:15 PM, wrote:
>>>>>> Ermal Luçi wrote:
>>>>>>> On Sat, Jun 6, 2009 at 6:49 PM, wrote:
>>>>>>>> Vlad Galu wrote:
>>>>>>>>> On Sat, Jun 6, 2009 at 5:57 AM, wrote:
>>>>>>>>>> Hi folks!
>>>>>>>>>>
>>>>>>>>>> I'm trying to figure out if there is a way to make
>>>>>>>>>> connection marking in a similar way as the iptables
>>>>>>>>>> CONNMARK target does.
>>>>>>>>>>
>>>>>>>>>> Does pf support this feature?
>>>>>>>>>>
>>>>>>>>>> My intentions are to tag an outgoing packet, transfer the
>>>>>>>>>> tag to the whole connection and then use that tag to mark
>>>>>>>>>> incoming packets belonging to the same connection.
>>>>>>>>>>
>>>>>>>>>> Also, I would like then to use that mark to enqueue marked
>>>>>>>>>> packets to HFSC classes.
>>>>>>>>>>
>>>>>>>>>> I've done all of this in Linux but never on FreeBSD. I've
>>>>>>>>>> searched in pf's man page and the FAQ without success.
>>>>>>>>>>
>>>>>>>>>> thanks in advance,
>>>>>>>>>>
>>>>>>>>>> evelio vila
>>>>>>>>>
>>>>>>>>> Hi evelio, see below:
>>>>>>>>> -- cut here --
>>>>>>>>> tag
>>>>>>>>>     Packets matching this rule will be tagged with the
>>>>>>>>>     specified string. The tag acts as an internal marker that
>>>>>>>>>     can be used to identify these packets later on. This can
>>>>>>>>>     be used, for example, to provide trust between interfaces
>>>>>>>>>     and to determine if packets have been processed by
>>>>>>>>>     translation rules. Tags are "sticky", meaning that the
>>>>>>>>>     packet will be tagged even if the rule is not the last
>>>>>>>>>     matching rule. Further matching rules can replace the tag
>>>>>>>>>     with a new one but will not remove a previously applied
>>>>>>>>>     tag. A packet is only ever assigned one tag at a time.
>>>>>>>>>     Packet tagging can be done during nat, rdr, or binat
>>>>>>>>>     rules in addition to filter rules. Tags take the same
>>>>>>>>>     macros as labels (see above).
>>>>>>>>>
>>>>>>>>> tagged
>>>>>>>>>     Used with filter or translation rules to specify that
>>>>>>>>>     packets must already be tagged with the given tag in
>>>>>>>>>     order to match the rule. Inverse tag matching can also be
>>>>>>>>>     done by specifying the ! operator before the tagged
>>>>>>>>>     keyword.
>>>>>>>>> -- and here --
>>>>>>>>>
>>>>>>>>> Anyway, I believe that keeping state for the desired outgoing
>>>>>>>>> connections should be enough all by itself. You would simply
>>>>>>>>> add the
>>>>>>>>
>>>>>>>> Indeed no, what I want is also to mark the connection to be
>>>>>>>> able then to mark incoming packets belonging to the same
>>>>>>>> connection.
>>>>>>>>
>>>>>>>>> "queue" directive at the end of your pass out rule, even
>>>>>>>>> though the interface packets go out through is the
>>>>>>>>> "external" one, and you want to do shaping on the "internal"
>>>>>>>>> one but, as I understand, for that you also need floating
>>>>>>>>> (not if-bound) states. If I'm wrong, I'd
>>>>>>>>
>>>>>>>> I am not sure what you mean with "floating (not if-bound)
>>>>>>>> states"; could you please explain this?
>>>>>>>>
>>>>>>>>> like somebody with better pf knowledge to correct me :)
>>>>>>>
>>>>>>> pf(4) is not iptables. So before using it read more about it.
>>>>>>
>>>>>> I'm aware of that.
>>>>>>
>>>>>> I think it's pretty obvious that my post is simply trying to
>>>>>> figure out how to achieve with pf something that I used to do
>>>>>> with netfilter.
>>>>>>
>>>>>> I've read this before but nothing comes up to me.
>>>>>> http://www.openbsd.org/faq/pf/tagging.html
>>>>>>
>>>>>> thanks anyway Ermal
>>>>>> regards,
>>>>>> evelio vila
>>>>>>
>>>>>>> http://home.nuug.no/~peter/pf/en/
>>>>>>> http://www.openbsd.org/faq/pf
>>>>>>>
>>>>>>>> thanks for your quick answer Vlad.
>>>>>>>>
>>>>>>>> evelio vila
>>>>>>>>
>>>>>>>> ----------------------------------------------------------------
>>>>>>>> This message was sent using IMP, the Internet Messaging Program.
>>>>>>>>
>>>>>>>> VI International Conference on Renewable Energy, Energy Saving
>>>>>>>> and Energy Education
>>>>>>>> 9 - 12 June 2009, Palacio de las Convenciones
>>>>>>>> ...For a sustainable energy culture
>>>>>>>> www.ciercuba.com
>>>>>>>> _______________________________________________
>>>>>>>> freebsd-pf@freebsd.org mailing list
>>>>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>>>>>>>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>>>>>>>
>>>>>>> --
>>>>>>> Ermal
>>>>>
>>>>> --
>>>>> the sun shines for all

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 8 11:06:59 2009
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 8 Jun 2009 11:06:58 GMT
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-Id: <200906081106.n58B6w6R020748@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/135162  pf    [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/133732  pf    [pf] max-src-conn issue
o kern/132769  pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf    [pf] pf stalls connection when using route-to [regress
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf    [pf] deadlock in pf
f kern/127345  pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

32 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 8 20:53:16 2009
From: "David DeSimone"
Cc: freebsd-pf@freebsd.org
Date: Mon, 8 Jun 2009 15:53:12 -0500
Subject: Re: Connmark target
Message-ID: <20090608205312.GS5596@verio.net>
In-Reply-To: <20090607132751.18wu3idnkgcgkss8@correo.cujae.edu.cu>

vila@tesla.cujae.edu.cu wrote:
>
> By the way, does anyone know if there are plans to include connection
> mark capabilities in pf?
>
> I say this because until now it is the only way I've found to solve my
> issue.

I think the real question is whether tags become part of connection
"state". For instance:

    pass in quick on $INT_IF from $NETWORK to any tag "INTERNAL" keep state
    pass out quick on $EXT_IF tagged "INTERNAL" keep state

So, when a packet comes in on $INT_IF and goes out $EXT_IF, obviously it
will have tag "INTERNAL" attached to it. However, when the reply packet
comes back in $EXT_IF and makes its way back to $INT_IF, will it also
have the "INTERNAL" tag attached? If it does, that would make ALTQ able
to assign it and classify it and queue it the way people want. But the
question is, is the tagging considered part of the "state" that is kept
in the state table?

--
David DeSimone == Network Admin == fox@verio.net
  "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow

This email message is intended for the use of the person to whom it has
been sent, and may contain information that is confidential or legally
protected. If you are not the intended recipient or have received this
message in error, you are not authorized to copy, distribute, or
otherwise use this message or its attachments. Please notify the sender
immediately by return e-mail and permanently delete this message and any
attachments. Verio, Inc. makes no warranty that this email is error or
virus free. Thank you.

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 8 22:13:06 2009
From: Ermal Luçi
To: vila@tesla.cujae.edu.cu, István, freebsd-pf@freebsd.org
Date: Tue, 9 Jun 2009 00:12:44 +0200
Subject: Re: Connmark target
Message-ID: <9a542da30906081512v340b590fme0291f4fdd69db56@mail.gmail.com>
In-Reply-To: <20090608205312.GS5596@verio.net>

On Mon, Jun 8, 2009 at 10:53 PM, David DeSimone wrote:
> vila@tesla.cujae.edu.cu wrote:
>>
>> By the way, does anyone know if there are plans to include connection
>> mark capabilities in pf?
>>
>> I say this because until now it is the only way I've found to solve my
>> issue.
>
> I think the real question is whether tags become part of connection
> "state".
>
> For instance:
>
>     pass in quick on $INT_IF from $NETWORK to any tag "INTERNAL" keep state

pass in quick on $INT_IF from $NETWORK to any tag "INTERNAL" tagged INTERNAL keep state

>     pass out quick on $EXT_IF tagged "INTERNAL" keep state

pass out quick on $EXT_IF tag INTERNAL tagged "INTERNAL" keep state

In this way it would work.

> So, when a packet comes in on $INT_IF and goes out $EXT_IF, obviously it
> will have tag "INTERNAL" attached to it. However, when the reply packet
> comes back in $EXT_IF and makes its way back to $INT_IF, will it also
> have the "INTERNAL" tag attached? If it does, that would make ALTQ able
> to assign it and classify it and queue it the way people want. But the
> question is, is the tagging considered part of the "state" that is kept
> in the state table?

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 10 14:22:52 2009
From: Rick Harris
To: freebsd-pf@freebsd.org
Date: Wed, 10 Jun 2009 14:52:29 +0100
Subject: PF display options

Hello, I am trying to use FreeBSD PF as a transparent bridge.

I have 2 NICs. I have successfully bridged between the NICs and have got
a Windows PC connected on a crossover cable.

I have established internet access on the Windows PC through the bridge
on the Unix box, but how do I use PF or anything else to display the IP
address/protocols (i.e. TCP/UDP) etc. of the internet traffic packets
going through the Unix box?

I have a live log showing IGMP.

Rick Harris, IT Technician | TEL: +44 (0)141-548-4842
email: | FAX: +44 (0)141-552-7986
Design, Manufacture and Engineering Management Dept, University of
Strathclyde, James Weir Building, 75 Montrose Street, GLASGOW, G1 1XJ, UK
<><

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 10 16:26:29 2009
From: Scott Ullrich
To: Rick Harris
Cc: "freebsd-pf@freebsd.org"
Date: Wed, 10 Jun 2009 12:26:08 -0400
Subject: Re: PF display options

On Wed, Jun 10, 2009 at 9:52 AM, Rick Harris wrote:
> Hello, I am trying to use FreeBSD PF as a transparent bridge.
> I have 2 NICs. I have successfully bridged between the NICs and have
> got a Windows PC connected on a crossover cable.
> I have established internet access on the Windows PC through the bridge
> on the Unix box, but how do I use PF or anything else to display the IP
> address/protocols (i.e. TCP/UDP) etc. of the internet traffic packets
> going through the Unix box?
> I have a live log showing IGMP.

Sounds like you are looking for the PFTOP port which is located in
/usr/ports/sysutils/pftop

Scott
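An added example, not part of the thread, that puts the tag-and-queue approach from the Connmark discussion above (David's two-rule sketch, Evelio's DSCP classification problem) into a complete pf.conf fragment for the FreeBSD box. Interface names, the LAN prefix, bandwidths and queue names are assumptions. It rests on two pf behaviours that David's question leaves open and that should be confirmed on the running release before anything depends on them: that the queue chosen by the rule which created a state is also applied to that state's reply packets, and that queues with the same name on two interfaces share one queue id, so the assignment is honoured on whichever interface the packet leaves.

```conf
# Added example, not from the thread. Interface names, prefix, bandwidths
# and queue names are assumptions chosen for illustration.
ext_if = "em0"
int_if = "em1"
lan    = "192.0.2.0/24"        # constructed test prefix

# Uplink queues on the external interface ...
altq on $ext_if hfsc bandwidth 2Mb queue { q_high, q_default }
  queue q_high    bandwidth 40% hfsc(realtime 500Kb)
  queue q_default bandwidth 60% hfsc(default)

# ... and queues with the SAME names on the internal interface for the
# downlink. Assumption under test: pf hands out one queue id per name, so
# a state whose rule picked q_high lands in q_high on either interface.
altq on $int_if hfsc bandwidth 10Mb queue { q_high, q_default }
  queue q_high    bandwidth 40% hfsc(realtime 2Mb)
  queue q_default bandwidth 60% hfsc(default)

# Classify on the LAN side, where the DSCP mark is present. pf's "tos"
# compares the whole TOS byte, so DSCP EF (46 = 0x2e) is written shifted
# left past the two ECN bits: 0x2e << 2 = 0xb8. A packet with ECN bits
# set does not match this rule and falls through to q_default.
pass in quick on $int_if inet from $lan to any tos 0xb8 \
    tag HIGH keep state queue q_high
pass in quick on $int_if inet from $lan to any \
    tag DEFAULT keep state queue q_default

# Let the tagged states out on the external side; the replies to them
# come back in on $ext_if without any DSCP mark and must inherit the
# queue from the state rather than from a rule match.
pass out quick on $ext_if tagged HIGH keep state
pass out quick on $ext_if tagged DEFAULT keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, then compare the per-queue packet counters that `pfctl -vsq` prints for q_high on the internal interface before and after a marked LAN client pulls a download: if the downlink counter for q_high moves, the reply direction is inheriting the state's queue; if only q_default moves on that interface, the release does not carry the assignment back and the approach needs rethinking. `pfctl -vss` lists the states together with the rule that created each one.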
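For Rick's question about seeing what crosses the bridge, an added example (not from the thread, and separate from Scott's pftop suggestion) using pf's own logging: rules on the bridge member interfaces carry `log`, and tcpdump reads the pflog0 interface. Interface names are assumptions; the fragment assumes the bridge is already configured and that `pflog_enable="YES"` is set in rc.conf so that pflog0 exists.

```conf
# Added example, not from the thread: a minimal transparent-bridge
# pf.conf that logs forwarded packets to pflog0. Interface names are
# assumptions.
if_a = "em0"            # assumed NIC toward the Windows PC
if_b = "em1"            # assumed NIC toward the upstream network

# Filter on the member interfaces only; skipping bridge0 itself avoids
# seeing (and logging) every packet a second time.
set skip on bridge0

# One state per TCP/UDP connection; plain "log" records the packet that
# created the state, so each flow shows up once rather than per packet.
pass log quick on { $if_a, $if_b } proto { tcp, udp } keep state

# Everything else (ICMP, IGMP, ...) is logged packet by packet.
pass log (all) quick on { $if_a, $if_b }
```

With the rules loaded, `tcpdump -n -e -ttt -i pflog0` prints one line per logged packet with the rule number, action, direction and interface followed by the usual IP, port and protocol decode, which answers the "what is going through the box" question directly. Which of the two places (member interface or bridge0) pf sees packets on is governed by the if_bridge(4) sysctls `net.link.bridge.pfil_member` and `net.link.bridge.pfil_bridge`; this fragment relies on member filtering being enabled.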