From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 7 Sep 2009 11:07:04 GMT
Message-Id: <200909071107.n87B74we010328@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

36 problems total.


From: "Josep Pujadas i Jubany"
To: freebsd-pf@freebsd.org
Date: Tue, 8 Sep 2009 09:27:24 +0200
Message-Id: <20090908071705.M81528@bellera.cat>
Subject: ADSL bonding

Hello!

I want to use a PF box to balance 4 ADSL lines.

I read:

http://www.openbsd.org/faq/pf/pools.html#outgoing

but I'm not sure what happens when one ADSL line fails.

How does the round-robin algorithm work in this case?

Thanks,

Josep Pujadas


From: Maxim Khitrov
To: freebsd-pf@freebsd.org
Date: Thu, 10 Sep 2009 21:46:17 -0400
Message-ID: <26ddd1750909101846t131b6e0byaec95189f363c076@mail.gmail.com>
Subject: Rule equivalence of uRPF check

Hello all,

I would like to verify my assumptions regarding the way uRPF check
works. I'm using a Soekris net5501 board as a firewall; port 0
($ext_if) is internet uplink, ports 1-3 ($int_if, $mil_if, $vpn_if)
are separate lan segments that should not be communicating with one
another. Here is the start of my filter section:

    # Block all traffic by default
    block log

    # Broadcast DHCP traffic must be passed before urpf check
    pass in quick on !$ext_if proto udp from port dhcpc to 255.255.255.255 port dhcps

    # Enable source address spoofing protection
    block in quick from urpf-failed

The question I have is whether the urpf-failed check is equivalent to
the following three rules for each of the interfaces (I'm using
$int_if as an example here):

    block in quick on $int_if from !$int_if:network
    block in quick on !$int_if from $int_if:network
    block in quick from $int_if

The OpenBSD pf faq states that urpf-check is equivalent to the
antispoof rules, but the antispoof section lists only the last two
rules in my example as being equivalent. So the question is does urpf
imply the first rule as well?

- Max