From owner-freebsd-pf@FreeBSD.ORG Mon Jul 20 11:07:01 2009
Date: Mon, 20 Jul 2009 11:07:00 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD
users. These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

35 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 20 12:44:28 2009
Date: Mon, 20 Jul 2009 15:44:25 +0300
From: "John Dakos [ Enovation Technologies ]"
Subject: Filtered Ports or Closed Ports ?

Hello All.

I'm a newbie on PF; I installed PF on FreeBSD 7.2 RELEASE.

I have a question: what is more secure for the system, filtered ports or
closed ports?

Thanks All

John Dakos
Network Administrator
Enovation Technologies
Filellinon 35, Chalandrion
15232 Athens, GREECE
Tel: +30-210 8119784
Mob: +30-6979348082

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 20 13:22:18 2009
Date: Mon, 20 Jul 2009 05:56:12 -0700
From: István
To: "John Dakos [ Enovation Technologies ]"
Cc: freebsd-pf@freebsd.org
Subject: Re: Filtered Ports or Closed Ports ?

Are you talking about the block-policy? I think drop is better, because if
somebody is flooding you from fake addresses you are going to send out a
million packets to the wrong targets.

I vote for

set block-policy drop

Regards,
Istvan

On Mon, Jul 20, 2009 at 5:44 AM, John Dakos [ Enovation Technologies ]
<gdakos@enovation.gr> wrote:

> Hello All.
>
> I'm a newbie on PF; I installed PF on FreeBSD 7.2 RELEASE.
>
> I have a question: what is more secure for the system, filtered ports or
> closed ports?
>
> Thanks All
>
> John Dakos
> Network Administrator
> Enovation Technologies
> Filellinon 35, Chalandrion
> 15232 Athens, GREECE
> Tel: +30-210 8119784
> Mob: +30-6979348082
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

--
the sun shines for all

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 23 13:24:00 2009
Date: Thu, 23 Jul 2009 06:23:59 -0700 (PDT)
From: Umar
To: freebsd-pf@freebsd.org
Subject: please Help

Dear Members!

I have FreeBSD 7.1 with squid proxy running. PF is configured.

For the last few days I have been facing some problems. Browsing gets stuck
from time to time on client machines.

I tried to ping my local network from my FreeBSD server, and there I found
the issue.

Here is the output of ping.

[root@proxyServer ~]# ping 10.11.0.3
PING 10.11.0.3 (10.11.0.3): 56 data bytes
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
64 bytes from 10.11.0.3: icmp_seq=3 ttl=64 time=0.111 ms
64 bytes from 10.11.0.3: icmp_seq=4 ttl=64 time=0.147 ms
64 bytes from 10.11.0.3: icmp_seq=5 ttl=64 time=0.099 ms

[root@proxyServer ~]# ping 10.11.0.5
PING 10.11.0.5 (10.11.0.5): 56 data bytes
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
64 bytes from 10.11.0.5: icmp_seq=3 ttl=64 time=0.111 ms
64 bytes from 10.11.0.5: icmp_seq=4 ttl=64 time=0.147 ms
64 bytes from 10.11.0.5: icmp_seq=5 ttl=64 time=0.099 ms

On DNS query:

[root@proxyServer~]# nslookup www.yahoo.com
;; connection timed out; no servers could be reached

[root@proxyServer~]# nslookup www.yahoo.com
Server: 10.11.0.9
Address: 10.11.0.9#53

Non-authoritative answer:
www.yahoo.com canonical name = www.wa1.b.yahoo.com.
www.wa1.b.yahoo.com canonical name = www-real.wa1.b.yahoo.com.
Name: www-real.wa1.b.yahoo.com
Address: 87.248.113.14

As you can see, sometimes it gets a response and sometimes not. If I stop
PF, then it works fine.

Is there a traffic load issue or a PF issue? Or is any kernel tuning
required for heavy traffic?

Please help

Regards,

Umar
--
View this message in context:
http://www.nabble.com/please-Help-tp24625659p24625659.html
Sent from the freebsd-pf mailing list archive at Nabble.com.

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 23 13:27:21 2009
Date: Thu, 23 Jul 2009 06:27:19 -0700
From: István
To: Umar
Cc: freebsd-pf@freebsd.org
Subject: Re: please Help

Check the pf logs, if you are logging at all....

http://www.openbsd.org/faq/pf/logging.html

Regards,
Istvan

On Thu, Jul 23, 2009 at 6:23 AM, Umar wrote:

> Dear Members!
>
> I have FreeBSD 7.1 with squid proxy running. PF is configured.
>
> For the last few days I have been facing some problems. Browsing gets stuck
> from time to time on client machines.
>
> I tried to ping my local network from my FreeBSD server, and there I found
> the issue.
>
> Here is the output of ping.
>
> [root@proxyServer ~]# ping 10.11.0.3
> PING 10.11.0.3 (10.11.0.3): 56 data bytes
> ping: sendto: Operation not permitted
> ping: sendto: Operation not permitted
> ping: sendto: Operation not permitted
> 64 bytes from 10.11.0.3: icmp_seq=3 ttl=64 time=0.111 ms
> 64 bytes from 10.11.0.3: icmp_seq=4 ttl=64 time=0.147 ms
> 64 bytes from 10.11.0.3: icmp_seq=5 ttl=64 time=0.099 ms
>
> [root@proxyServer ~]# ping 10.11.0.5
> PING 10.11.0.5 (10.11.0.5): 56 data bytes
> ping: sendto: Operation not permitted
> ping: sendto: Operation not permitted
> ping: sendto: Operation not permitted
> 64 bytes from 10.11.0.5: icmp_seq=3 ttl=64 time=0.111 ms
> 64 bytes from 10.11.0.5: icmp_seq=4 ttl=64 time=0.147 ms
> 64 bytes from 10.11.0.5: icmp_seq=5 ttl=64 time=0.099 ms
>
> On DNS query:
>
> [root@proxyServer~]# nslookup www.yahoo.com
> ;; connection timed out; no servers could be reached
>
> [root@proxyServer~]# nslookup www.yahoo.com
> Server: 10.11.0.9
> Address: 10.11.0.9#53
>
> Non-authoritative answer:
> www.yahoo.com canonical name = www.wa1.b.yahoo.com.
> www.wa1.b.yahoo.com canonical name = www-real.wa1.b.yahoo.com.
> Name: www-real.wa1.b.yahoo.com
> Address: 87.248.113.14
>
> As you can see, sometimes it gets a response and sometimes not. If I stop
> PF, then it works fine.
>
> Is there a traffic load issue or a PF issue? Or is any kernel tuning
> required for heavy traffic?
>
> Please help
>
> Regards,
>
> Umar

--
the sun shines for all
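
Added example, not part of the original thread or of any poster's
configuration: a minimal pf.conf that uses the "set block-policy drop" option
recommended in the first reply and logs blocked packets, so that the pf logs
suggested in the second reply have something to show. The interface name em0
and the ssh rule are assumptions made for illustration.

```conf
# /etc/pf.conf (constructed example; em0 and the ssh rule are assumptions)
ext_if = "em0"

# Options
# drop:   blocked packets are discarded silently. A remote scan reports the
#         port as "filtered", and a flood from spoofed sources triggers no
#         replies towards the forged addresses.
# return: blocked TCP gets a RST and blocked UDP an ICMP unreachable, so the
#         port looks "closed" and every blocked packet costs one reply.
set block-policy drop
#set block-policy return
set skip on lo0

# Filter rules
# Default deny in both directions. "log" copies the header of each blocked
# packet to pflog0 together with the number of the rule that matched.
block log all

# Traffic originated by this host (ping, DNS lookups, the proxy's fetches).
pass out on $ext_if inet proto { tcp, udp, icmp } from any to any keep state

# Inbound ssh for administration (assumed service).
pass in on $ext_if inet proto tcp from any to any port 22 flags S/SA keep state

# Check syntax, then load:
#   pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
# Read the log (needs pflog_enable="YES" in /etc/rc.conf):
#   tcpdump -n -e -ttt -i pflog0           # live
#   tcpdump -n -e -ttt -r /var/log/pflog   # saved by pflogd
```

With "log" on the block rule, each entry in the tcpdump output names the rule
number, direction and interface, which shows whether a given ping or DNS
packet was blocked by the ruleset at all.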