From owner-freebsd-pf@FreeBSD.ORG Sun Nov 22 02:53:11 2009
Date: Sat, 21 Nov 2009 20:23:47 -0600
From: "David DeSimone"
Message-ID: <20091122022346.GK2392@verio.net>
In-Reply-To: <1de79840911211023n165ecbd0h1051aaada4acefb@mail.gmail.com>
Subject: Re: sending mail with attachments always fails (FreeBSD/pf)
Michael Proto wrote:
>
> > rule 4/0(match): pass out on em0: (tos 0x0, ttl 127, id 19860, offset
> > 0, flags [DF], proto TCP (6), length 48) 192.168.0.5.1822 >
> > 209.85.129.111.465: tcp 28 [bad hdr length 0 - too short, < 20]
>
> This looks to be your problem-- bad hdr length 0.

This is caused when tcpdump has too small a snaplen; it is not seeing
enough of the packet from the pflog interface, so it reports incorrect
information at the end.

Try adding "-s 128" to collect a larger packet and you should see the
full description from tcpdump.

That said, the original problem seems like it could easily be caused by
a PF state mismatch resulting from asymmetric routing. If packets come
in a different interface than they go out, or worse, if the return path
doesn't even go through the firewall, PF cannot see the reply traffic
allowing it to update its TCP window tracking.

As a result, short TCP sessions, such as those that fit within the
default TCP window, can work okay, but longer sessions that go beyond
that window will stall out and fail.

--
David DeSimone == Network Admin == fox@verio.net
 "I don't like spinach, and I'm glad I don't, because if I
  liked it I'd eat it, and I just hate it." -- Clarence Darrow

This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free. Thank you.

From owner-freebsd-pf@FreeBSD.ORG Sun Nov 22 08:37:01 2009
Date: Sun, 22 Nov 2009 14:36:59 +0600
From: Victor Lyapunov
To: freebsd-pf@freebsd.org
Message-ID: <6c51dbb10911220036x55bc9753m421f4641d5f9e871@mail.gmail.com>
In-Reply-To: <20091122022346.GK2392@verio.net>
Subject: Re: sending mail with attachments always fails (FreeBSD/pf)

Thank you guys for your attention to my problem.

This time I increased the tcpdump capture buffer to 128 bytes and I got this:

# tcpdump -s 128 -net -i pflog0

(I tried to send mail with an attachment (700kb) to gmail.com (REQUIRES SSL)
using Outlook, which again timed out and failed)

rule 0/0(match): block in on em0: 192.168.0.1.2078 > 192.168.0.3.445: P 794764624:794764677(53) ack 146734048 win 65535
rule 0/0(match): block in on em0: 192.168.0.1.2078 > 192.168.0.3.445: P 0:53(53) ack 1 win 65535
rule 0/0(match): block in on em0: 192.168.0.1.2078 > 192.168.0.3.445: P 0:53(53) ack 1 win 65535
rule 0/0(match): block in on em0: 192.168.0.1.2078 > 192.168.0.3.445: P 0:53(53) ack 1 win 65535
rule 1/0(match): pass in on em0: 192.168.0.5.1025 > 192.168.0.3.53: 1016+ A? smtp.gmail.com. (32)
rule 1/0(match): pass out on em0: 192.168.0.3.61974 > 208.67.222.222.53: 44197+% [1au] A? smtp.gmail.com. (43)
rule 1/0(match): pass out on em0: 192.168.0.3.53758 > 208.67.222.222.53: 57704+% [1au][|domain]
rule 1/0(match): pass in on em0: 192.168.0.5.2029 > 74.125.39.109.465: S 207714378:207714378(0) win 65535
rule 1/0(match): pass out on em0: 192.168.0.5.2029 > 74.125.39.109.465: S 207714378:207714378(0) win 65535
rule 1/0(match): pass out on em0: 192.168.0.3.55398 > 208.67.222.222.53: 26150+% [1au][|domain]
rule 0/0(match): block in on em0: 192.168.0.1.2078 > 192.168.0.3.445: P 0:53(53) ack 1 win 65535
rule 1/0(match): pass in on em0: 192.168.0.1.2437 > 192.168.0.3.445: S 3245362396:3245362396(0) win 65535
rule 1/0(match): pass in on em0: 192.168.0.1.2442 > 192.168.0.3.445: S 3154965483:3154965483(0) win 65535
rule 1/0(match): pass in on em0: 192.168.0.1.2444 > 192.168.0.3.445: S 3857149154:3857149154(0) win 65535
rule 1/0(match): pass in on em0: 169.254.113.220.2447 > 192.168.0.3.139: S 4208647498:4208647498(0) win 65535
rule 1/0(match): pass in on em0: 192.168.0.1.2448 > 192.168.0.3.139: S 3459916613:3459916613(0) win 65535
rule 1/0(match): pass in on em0: 169.254.113.220.2449 > 192.168.0.3.139: S 2672892612:2672892612(0) win 65535
17 packets captured
17 packets received by filter
0 packets dropped by kernel

After that I tried to send mail to a server that does not require SSL and I got this:

rule 1/0(match): pass in on em0: 192.168.0.5.2035 > 94.100.177.1.25: S 237079791:237079791(0) win 65535
rule 1/0(match): pass out on em0: 192.168.0.5.2035 > 94.100.177.1.25: S 237079791:237079791(0) win 65535
2 packets captured
2 packets received by filter
0 packets dropped by kernel

The sending process fails regardless of whether I use SSL or not.

192.168.0.1 -- Router
192.168.0.3 -- The FreeBSD box
192.168.0.5 -- Windows machine with default gateway set to 192.168.0.3

The ruleset is:

block drop log on em0 all
pass log on em0 all flags S/SA keep state

I can't figure out what might be the cause of the problem... Is it possible that the router causes this?
From owner-freebsd-pf@FreeBSD.ORG Mon Nov 23 11:07:01 2009
Date: Mon, 23 Nov 2009 11:07:00 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Message-Id: <200911231107.nANB70pL070208@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

37 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 23 16:01:50 2009
Date: Mon, 23 Nov 2009 07:35:08 -0800 (PST)
From: Sife Mailling
To: freebsd-pf@freebsd.org
Message-ID: <745127.92574.qm@web113110.mail.gq1.yahoo.com>
Subject: block ip's and ports

Salamo Alikom

I set up a firewall for a personal home computer; now I want every packet blocked if it does not pass to the specified ports.
This is my pf.conf:

net_card="sis0"
tcp_ports="{80 ,https ,domain ,auth ,21}"
udp_ports="{domain}"
table <banned> file "/etc/pf/banned"
table <banned2> {www.google.com}
block in log (all) on $net_card proto {tcp ,udp} all
pass in on $net_card proto tcp from any to any port $tcp_ports
pass in on $net_card proto udp from any to any port $udp_ports
pass in on $net_card proto tcp from 192.168.0.0/16 to 192.168.0.0/16
block in on $net_card proto tcp from { <banned>, <banned2> } to any port $tcp_ports
pass out on $net_card proto tcp from any to any port $tcp_ports
pass out on $net_card proto udp from any to any port $udp_ports
pass out on $net_card inet proto tcp from any to any port ftp
pass out on $net_card inet proto tcp from any to any port > 1023

Now Skype works, but for both tables, banned and banned2, I can still browse the sites included in them.

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 23 16:22:45 2009
Date: Mon, 23 Nov 2009 17:22:41 +0100
From: olli hauer
To: Sife Mailling
Message-ID: <4B0AB6D1.2040206@gmx.de>
In-Reply-To: <745127.92574.qm@web113110.mail.gq1.yahoo.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: block ip's and ports

Try the quick keyword, so traffic is not allowed in later rules.

Additionally, disable outgoing traffic, since if you create a connection from inside, a state which permits incoming traffic is created.
Example ordering:

table <banned> file "/etc/pf/banned"
table <banned2> {www.google.com}
block in log (all) on $net_card proto {tcp ,udp} all
block in quick on $net_card proto tcp from { <banned>, <banned2> } \
    to any port $tcp_ports label blockin
block out quick on $net_card proto tcp from { <banned>, <banned2> } \
    to any port $tcp_ports label blockout
pass in on $net_card proto tcp from any to any port $tcp_ports

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 23 22:18:13 2009
Date: Mon, 23 Nov 2009 16:17:18 -0600
From: "David DeSimone"
Message-ID: <20091123221718.GR2392@verio.net>
In-Reply-To: <6c51dbb10911220036x55bc9753m421f4641d5f9e871@mail.gmail.com>
Subject: Re: sending mail with attachments always fails (FreeBSD/pf)

Victor Lyapunov wrote:
>
> After that i tried to send mail to a server that does not require ssl
> and i got this:
>
> rule 1/0(match): pass in on em0: 192.168.0.5.2035 > 94.100.177.1.25: S
> 237079791:237079791(0) win 65535
> rule 1/0(match): pass out on em0: 192.168.0.5.2035 > 94.100.177.1.25:
> S 237079791:237079791(0) win 65535
> 2 packets captured
> 2 packets received by filter
> 0 packets dropped by kernel

This doesn't appear to be the same problem you originally submitted,
about SMTP connections with no attachments working fine, but with
attachments they fail. Seems like you are now describing that SMTP
doesn't work at all.

> 192.168.0.1 -- Router
> 192.168.0.3 -- The FreeBSD box
> 192.168.0.5 -- Windows machine with default gateway set to 192.168.0.3

This is probably the source of your problems. Your router and your
firewall and your firewalled client are all on the same subnet together.
There is nothing preventing the router from sending packets directly
back to the Windows box, bypassing your firewall. As such, the firewall
cannot see any of the reply traffic, and so it cannot follow the TCP
state correctly, so eventually it begins to block the traffic.

If you turn on logging with "pfctl -x loud" you will probably see a lot
of messages about TCP state mismatches.
The proper way to fix this is to rearchitect your network so that your
firewall has two interfaces, one public, one private. The public
interface connects only to your router, while the private interface
connects to all your firewall clients. This forces the firewall to be
the only path to and from the network, giving enhanced security.

--
David DeSimone == Network Admin == fox@verio.net
 "I don't like spinach, and I'm glad I don't, because if I
  liked it I'd eat it, and I just hate it." -- Clarence Darrow
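David DeSimone's point, here and in his first reply above, is that once the firewall stops seeing one direction of a TCP session, its state tracking can only tolerate about one window of unseen progress, so a short message passes while a large attachment stalls. The toy model below is added as an illustration and is not code from the thread or from pf itself: it walks a constructed 50 KB and 700 KB upload through such a tracker with and without the server's replies visible. The client and server addresses come from Victor's capture; the initial sequence numbers, the "ack every ten segments" pacing and the exact slack rule are assumptions, and pf's real checks are more involved than this.

```python
"""Toy model of stateful TCP window tracking, added to show why the asymmetric
routing discussed in this thread breaks long transfers. It is a simplified
version of the kind of check pf performs, not pf's code; all traces are constructed."""
from dataclasses import dataclass

MAXACKWINDOW = 65535  # slack tolerated while the peer's half of the handshake is unseen
CLIENT, SERVER = "192.168.0.5:2029", "74.125.39.109:465"  # endpoints from Victor's capture
WIN, MSS = 65535, 1460  # window and segment size used in the constructed traces

@dataclass
class Pkt:
    src: str
    dst: str
    seq: int  # relative sequence numbers; wraparound is ignored in this toy
    ack: int
    win: int
    length: int = 0
    syn: bool = False

@dataclass
class Side:
    seen: bool = False  # has the firewall seen any packet from this side?
    seqhi: int = 0      # highest byte this side may send: last peer ack + peer window

class State:
    """One state entry, created by the SYN that matched a 'keep state' rule."""
    def __init__(self, syn: Pkt):
        self.sides = {syn.src: Side(True, syn.seq + 1), syn.dst: Side()}
        self.log = []  # roughly what pf reports for this state at 'pfctl -x loud'

    def track(self, p: Pkt) -> bool:
        """True if the packet fits the state; False means the firewall drops it."""
        src, dst = self.sides[p.src], self.sides[p.dst]
        end = p.seq + p.length + (1 if p.syn else 0)
        if not src.seen:  # first packet from this side (normally the SYN-ACK)
            src.seen, src.seqhi = True, end
        if end > src.seqhi:  # beyond the window the peer was last seen to grant
            if dst.seen or end > src.seqhi + MAXACKWINDOW:
                self.log.append(f"BAD state: {p.src} end={end} seqhi={src.seqhi}")
                return False
            # peer side never observed: tolerate about one maximum window of slack
            self.log.append(f"loose state match: {p.src} end={end}")
        dst.seqhi = max(dst.seqhi, p.ack + p.win)  # the peer may now send up to ack+win
        return True

def upload(nbytes: int, symmetric: bool) -> list:
    """Client pushes nbytes to the server in MSS segments; the server acks every ten.
    With symmetric=False the server's replies take a path the firewall never sees,
    so they are left out of the trace (the asymmetric routing from the thread)."""
    cseq, sseq = 1000, 5000  # constructed initial sequence numbers
    trace = [Pkt(CLIENT, SERVER, cseq, 0, WIN, syn=True)]
    if symmetric:
        trace.append(Pkt(SERVER, CLIENT, sseq, cseq + 1, WIN, syn=True))
    trace.append(Pkt(CLIENT, SERVER, cseq + 1, sseq + 1, WIN))  # third handshake packet
    sent = 0
    while sent < nbytes:
        seg = min(MSS, nbytes - sent)
        trace.append(Pkt(CLIENT, SERVER, cseq + 1 + sent, sseq + 1, WIN, seg))
        sent += seg
        if symmetric and (sent % (MSS * 10) == 0 or sent == nbytes):
            trace.append(Pkt(SERVER, CLIENT, sseq + 1, cseq + 1 + sent, WIN))
    return trace

def run(trace: list) -> dict:
    """Feed a constructed trace through one state entry and tally the outcome."""
    state = State(trace[0])  # the SYN itself created the state and was passed
    res = {"passed": 1, "dropped": 0, "bytes_passed": 0}
    for p in trace[1:]:
        if state.track(p):
            res["passed"] += 1
            res["bytes_passed"] += p.length
        else:
            res["dropped"] += 1
    res["log"] = state.log
    return res
```

`run(upload(700_000, False))` passes only the first 64240 bytes before every further segment is logged as a BAD state and dropped, whereas the same upload with `symmetric=True`, or a 50 KB upload with the replies hidden, goes through untouched.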