From owner-freebsd-pf@FreeBSD.ORG Mon Jan 25 11:07:07 2010
From: FreeBSD bugmaster
Date: Mon, 25 Jan 2010 11:07:06 GMT
Message-Id: <201001251107.o0PB76eO038850@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o conf/142817  pf    [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/135162  pf    [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o kern/132769  pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf    [pf] pf stalls connection when using route-to [regress
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf    [pf] deadlock in pf
f kern/127345  pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

40 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 26 10:29:19 2010
From: Stefan
Date: Tue, 26 Jan 2010 12:02:20 +0200
Message-ID: <4B5EBDAC.2030605@gmail.com>
To: freebsd-pf@freebsd.org
Subject: Routing router-originating traffic via route-to rules

Hi

I've googled this one to bits and pulled out quite a lot of hair:
Basically I need a way to route, using "route-to" filter rules, the
traffic originating on the FreeBSD router itself. The problem with doing
this is that pf only sees the packets on their way out, when an outbound
interface has already been chosen by the routing tables. Therefore pf's
route-to rules have no effect on locally originating traffic.

I've tried several approaches to get around this. They all center around
looping back the router's traffic before routing it out, so that pf can
see the packets as inbound once before they get routed properly. This
means changing the default route to one of the tried loopbacks, then
using pf filter rules coming in on the chosen loopback or bridge.
I've tried this using bridged netgraph and tap interfaces, and using
loopback interfaces. I've also tried it using a loopback interface with
an IP on a unique subnet, to keep the packets from routing through lo0.

Please, I'm desperate to get this working! Has anyone done this type of
thing successfully or does anyone have any idea how to get it working?
I'd think that this would be a fairly common requirement, if not for
routing then at least for filtering outbound (router) traffic...

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 26 11:07:26 2010
From: "Frank Behrens"
Date: Tue, 26 Jan 2010 12:07:16 +0100
Message-Id: <201001261107.o0QB7Gbq034146@post.behrens.de>
In-reply-to: <4B5EBDAC.2030605@gmail.com>
To: freebsd-pf@freebsd.org
Subject: Re: Routing router-originating traffic via route-to rules

Stefan wrote on 26 Jan 2010 12:02:
> I've googled this one to bits and pulled out quite a lot of hair:
> Basically I need a way to route, using "route-to" filter rules, the
> traffic originating on the freebsd router itself. The problem with doing
> this is that pf only sees the packets on their way out, when an outbound
> interface has already been chosen by the routing tables. Therefore pf's
> route-to rules have no effect on locally originating traffic.

I always had some trouble with this approach. I used rules like

  nat inet from any to xxx port yyy tag IF2 -> $myaddr
  pass out quick on $iface from $myaddr to any tag IF2
  pass out quick on $defaultinterface route-to ($iface $hisaddr) tagged IF2

Now I'm using an associated FIB (setfib(8)) for desired processes and it
works very well without any trouble. Routed traffic is also assigned to
the fib with pf's "rtable" option.

Frank
-- 
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.
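Frank's FIB approach written out as an added example; it is not his configuration (the thread shows nothing of his rules beyond the three lines above). Assumed for illustration: em0 is the default link, em1 the second link with next hop 192.0.2.1, em2 the LAN, and 198.51.100.53 a resolver that should be reached over em1. FreeBSD 7.1 and 8.0 only have more than one FIB when the kernel is built with `options ROUTETABLES=2` (or higher); whether the pf shipped with a given release accepts the `rtable` keyword Frank mentions is not settled by the thread, so that rule is shown commented out.

```pf
# Added example of the two halves of Frank's approach; not a configuration
# from the thread. em0/em1/em2, 192.0.2.1 and 198.51.100.53 are assumed.
#
# Half 1, router-originated traffic: handled outside pf. With a kernel built
# with "options ROUTETABLES=2", give FIB 1 its own default route and start
# the processes that must use the second link inside that FIB (as root):
#
#   setfib 1 route add default 192.0.2.1
#   setfib 1 /usr/local/sbin/some_daemon
#
# The kernel then chooses em1 (and em1's address as source) before pf sees
# the packet, so no route-to rule and no source rewriting are needed for it.

ext_if1 = "em0"             # default link
ext_if2 = "em1"             # second link, next hop 192.0.2.1
int_if  = "em2"             # LAN

# Filter as usual on the second link; the FIB-1 processes arrive here with
# em1 already selected.
pass out on $ext_if2 from ($ext_if2) to any keep state

# Half 2, forwarded traffic: route-to works here because pf sees the packet
# inbound on $int_if before any routing decision has been taken. The general
# rule comes first; the more specific rule below wins because the last
# matching rule decides.
pass in on $int_if from $int_if:network to any keep state
pass in on $int_if route-to ($ext_if2 192.0.2.1) proto udp \
    from $int_if:network to 198.51.100.53 port 53 keep state

# Frank's variant for forwarded traffic: hand it to FIB 1 and let that table
# route it. Only for a pf that understands "rtable" (not verified here).
# pass in on $int_if rtable 1 proto udp from $int_if:network to 198.51.100.53 port 53 keep state
```

`setfib 1 netstat -rn` shows the routes FIB 1 will use, and `setfib 1 sh` gives a shell whose children all inherit FIB 1, which is the quickest way to confirm that the router's own connections really leave through em1. For the forwarded half, `pfctl -vsr` shows which rule's counters increase.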
From owner-freebsd-pf@FreeBSD.ORG Tue Jan 26 11:27:39 2010
From: Stefan
Date: Tue, 26 Jan 2010 13:27:22 +0200
Message-ID: <4B5ED19A.3000803@gmail.com>
In-Reply-To: <201001261107.o0QB7Gbq034146@post.behrens.de>
To: freebsd-pf@freebsd.org
Subject: Re: Routing router-originating traffic via route-to rules

Thanks, I'll keep that approach in mind. Unfortunately that still relies
on routing tables to perform outbound routing, unless I misunderstand?
The problem is that my routing setup is a little complex for the routing
tables, so I really need to route using pf.

My setup looks roughly like this:
* Almost 600 IP ranges get routed over one set of links, with load
  balancing to get better ADSL line usage (local routes)
* VPN traffic goes out over an IPSec tunnel
* Other traffic gets routed via another ADSL link (International traffic)

Most of the above can be done using routing tables (except for the load
balancing?), but having to maintain both the pf rules and the routing
tables is undesirable, especially since my setup changes quite often.

This is what I've managed so far:

1 - The default route (set to IP of lo1) loops traffic back to the
router. Without pf routing, that traffic loops until the TTL is exceeded,
as expected.
But when I try to route it on the incoming traffic of the loopback
(pass in on lo1 route-to ...), the packets go nowhere and I can't figure
out what's happening with tcpdump.

2 - The above setup results in the packets looping back via lo0, despite
setting the default route to lo1. This happens even when I configure lo1
on a unique subnet. When I configure the route via the loopback IP first,
and then use "route change" to set the interface to lo1 explicitly on the
default route, I get messages along the line of "address family not
supported by the protocol family" whenever packets are routed to the
loopback. This happens even after I make sure to assign both IPv4 and
IPv6 addresses to lo1.

From the above it seems I'm very close to a solution, but it just doesn't
want to work...

On 2010-01-26 13:07, Frank Behrens wrote:
> Stefan wrote on 26 Jan 2010 12:02:
>
>> I've googled this one to bits and pulled out quite a lot of hair:
>> Basically I need a way to route, using "route-to" filter rules, the
>> traffic originating on the freebsd router itself. The problem with doing
>> this is that pf only sees the packets on their way out, when an outbound
>> interface has already been chosen by the routing tables. Therefore pf's
>> route-to rules have no effect on locally originating traffic.
>>
> I had always some trouble with this approach. I used rules like
>
> nat inet from any to xxx port yyy tag IF2 -> $myaddr
> pass out quick on $iface from $myaddr to any tag IF2
> pass out quick on $defaultinterface route-to ($iface $hisaddr) tagged IF2
>
>
> Now I'm using an associated FIB (setfib(8)) for desired processes and it works very well
> without any trouble. Routed traffic is also assigned to the fib with pf's "rtable" option.
>
> Frank
>

From owner-freebsd-pf@FreeBSD.ORG Wed Jan 27 00:05:09 2010
From: Ludovico Cavedon
Date: Wed, 27 Jan 2010 00:01:01 +0000 (UTC)
To: freebsd-pf@freebsd.org
Subject: allow-opts on a nat pass rule

Hi all,

I have a freebsd firewall with a configuration like this:

#### BEGIN ###
ext_if4="em0" # public interface
int_if="em1"  # private interface, to be source NATted

nat pass log (to pflog2) on $ext_if4 inet from $int_if:network
    to ! ($ext_if4) -> ($ext_if4)

block drop log # logs to pflog0
pass quick log (to pflog1) on $int_if allow-opts # private network
pass out from ($ext_if4) allow-opts modulate state # public network
#### END ###

If I send a packet to a public host from a private one, everything is
fine: the packet arrives at the destination, and is logged by pflog1 and
pflog2. If this packet, however, contains an IP option (e.g. NOP), the
packet is blocked by the firewall, and logged by pflog1 and pflog0.

Looks like it is not possible to specify "allow-opts" for the "nat pass"
rules. Is there any way I can get packets with IP options to be NATted?

Thank you in advance,
Ludovico
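An added example for Ludovico's question above; it is neither his file nor an answer that was posted to the list. It shows the change a pf administrator would normally test first: dropping the `pass` keyword from the nat rule. pf.conf(5) documents `nat pass` as passing the translated packet without running it through the filter rules, so no filter rule's `allow-opts` is ever consulted for it; without `pass`, the packet continues to the filter rules, and the outbound rule on $ext_if4 can carry `allow-opts`. Interface names follow Ludovico's configuration. Two assumptions are built in: that `log` on a nat rule only takes effect together with `pass` (so logging to pflog2 is moved to the filter rule), and that the release in question behaves as described, which is confirmed by repeating the NOP-option test and watching pflog0.

```pf
# Added example, not Ludovico's file: same macros and log targets, but the
# nat rule no longer carries "pass", so the translated packet is handed to
# the filter rules, where "allow-opts" is honoured.
ext_if4 = "em0"   # public interface
int_if  = "em1"   # private interface, to be source NATted

# Translation only. Without "pass", filtering still happens after NAT.
nat on $ext_if4 inet from $int_if:network to ! ($ext_if4) -> ($ext_if4)

block drop log                                   # default deny, logs to pflog0

# Private side: IP options permitted (unchanged from the original).
pass quick log (to pflog1) on $int_if allow-opts

# Public side, after NAT: the source is now ($ext_if4), so this rule matches
# the translated packet and its "allow-opts" applies. The logging that used
# to sit on the nat rule is carried here (assumed: nat-rule log needs "pass").
pass out log (to pflog2) on $ext_if4 from ($ext_if4) allow-opts modulate state
```

Load with `pfctl -nf /etc/pf.conf` first to catch syntax errors, then `pfctl -f /etc/pf.conf`. Existing states keep their old `allow-opts` setting, so flush them (`pfctl -F states`) before re-testing with a packet carrying a NOP option; the packet should now be logged on pflog1 and pflog2 only.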
From owner-freebsd-pf@FreeBSD.ORG Sat Jan 30 04:11:30 2010
From: Kristian Kræmmer Nielsen
Date: Sat, 30 Jan 2010 05:11:17 +0100
Message-ID: <4B63B165.2020809@jkkn.dk>
To: freebsd-pf@freebsd.org
Subject: Possible bug: pf ignores "reply-to" in block-rules

Hey,

I am experiencing an issue using reply-to on block rules.

I am a "nice" firewall administrator and always use "block return" rules,
so that pf sends nice reset packets back to clients if they attempt to
connect to a port that pf is set up to block.

My setup is using a gif0 tunnel to tunnel specific traffic from another
public IP address to the server. Since it is important that packets are
then routed back the same way and not using the default route, I use
"pass in reply-to gif0" rules and this worked perfectly for all incoming
traffic.

But on my "block return in gif0 reply-to gif0" rules pf seems to simply
ignore the reply-to parameter and instead decides to send the packets
back using the default route.

I see the packets go out on the wrong interface, in my case my ethernet
interface (em0), which is the default route for the server.

Could someone check to see if pf respects "reply-to" when sending reset
packets (block return)?

Or, if that is not the case, explain to me what "reply-to" is supposed to
do on "block" rules?
Best regards,
Kristian Kræmmer Nielsen,
Odense, Denmark

From owner-freebsd-pf@FreeBSD.ORG Sat Jan 30 05:31:30 2010
From: Peter Maxwell
Date: Sat, 30 Jan 2010 05:31:28 +0000
Message-ID: <7731938b1001292131l15a5eef3n7a55f6cd196e10a@mail.gmail.com>
In-Reply-To: <4B63B165.2020809@jkkn.dk>
To: Kristian Kræmmer Nielsen,
    freebsd-pf@freebsd.org
Subject: Re: Possible bug: pf ignores "reply-to" in block-rules

Hi Kristian,

This is quite late, so if my reply doesn't make any sense please ignore
it ;-) Also, I'm not really answering your question, just suggesting an
alternative.

Instead of using reply-to, can the upstream device that is sending packets
to the gif0 tunnel - or even pf if it works in this scenario - NAT the
source address of incoming packets to an RFC 1918 subnet? That way all you
need to do is add an appropriate entry to your routing table and you don't
have to worry about trying to route to overlapping address space.

Although I haven't tried it, FreeBSD 8.0 can use multiple routing tables
but I have no idea whether this would help.

I know it comes down to personal taste but can I ask why you are using
"block return" in the first place? There are a few possible disadvantages:
if the packet source address is spoofed your packet filter will be sending
TCP RST/ICMP packets back to the wrong IP, and you are also doubling the
resources taken for dealing with what is essentially spurious traffic. It's
not a big deal normally but if someone attempts some form of denial of
service, it won't help either.

Regards,

Peter

On 30 January 2010 04:11, Kristian Kræmmer Nielsen wrote:
> Hey,
>
> I am experiencing an issue using reply-to on block rules.
>
> I am a "nice" firewall administrator and always uses "block return" rules,
> thereby pf sends nice reset packets back to clients if they attempt to
> connect to a port that pf is setup to block.
>
> My setup is using a gif0 tunnel to tunnel specific traffic from another
> public IP-address to the server. Since it is important that packages are
> then to be routed back the same way and not using the default-route, I use
> "pass in reply-to gif0"-rules and this worked perfectly for all incoming
> traffic.
>
> But, on my "block return in gif0 reply-to gif0" - pf seem to simply ignore
> the reply-to parameter and instead decides to send the packs back using the
> default route.
>
> I see the packages go out on the wrong interface, in my case my ethernet
> interface (em0), that is the default route for the server.
>
> Could someone check to see if pf respects "reply-to" when sending reset
> packages (block return)?
>
> Or if that is not the case explain to me what "reply-to" is suppose to do on
> "block"-rules?
>
> Best regards,
> Kristian Kræmmer Nielsen,
> Odense, Denmark
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Sat Jan 30 05:41:58 2010
From: Kristian Kræmmer Nielsen
Date: Sat, 30 Jan 2010 06:41:47 +0100
Message-ID: <4B63C69B.5080201@jkkn.dk>
In-Reply-To: <7731938b1001292131l15a5eef3n7a55f6cd196e10a@mail.gmail.com>
To: Peter Maxwell
Cc: freebsd-pf@freebsd.org
Subject: Re: Possible bug: pf ignores "reply-to" in block-rules

Hi Peter,

Thanks for the reply. Unfortunately I do not see NAT'ing as an
alternative in this case.
The main reason for that is that the traffic I am forwarding is SMTP
traffic and I need sendmail to see the actual source IP address to
validate the source mail server, not a NAT IP. So the best case is that
the server sees the right public address even though it has a different
return route.

I also considered the multiple routing tables for FreeBSD, which might
also help me do this special routing scenario, but I found it much more
complex than using the nice "pass in reply-to" feature of pf, which works
perfectly for my allowed traffic. Also I would have to have multiple
sendmail instances running, one for each routing scenario - which I don't
by using pf.

The reason for using "block return" is I think it makes debugging much
easier than dropping packets. To avoid spoofing I of course have
"antispoof" rules that have higher priority and these are of course set
to drop packets and not return them.

So again, why is "block return reply-to" not sending the reset packets
back to the specified interface?

/Kristian

On 30-01-2010 06:31, Peter Maxwell wrote:
> Hi Kristian,
>
> This is quite late, so if my reply doesn't make and sense please
> ignore it ;-) Also, I'm not really answering your question, just
> suggesting an alternative.
>
> Instead of using reply-to, can the upstream device that is sending
> packets to the gif0 tunnel - or even pf if it works in this scenario -
> NAT the source address of incoming packets to a rfc1918 subnet? That
> way all you need to do is add an appropriate entry to your routing
> table and you don't have to worry about trying to route to overlapping
> address space.
>
> Although I haven't tried it, FreeBSD 8.0 can use multiple routing
> tables but have no idea whether this would help.
>
> I know it comes down to personal taste but can I ask why you are using
> "block return" in the first place?
> There are a few possible
> disadvantages: if the packet source address is spoofed your packet
> filter will be sending tcp rst/icmp packets back to the wrong IP, and
> you are also doubling the resources taken for dealing with what is
> essentially spurious traffic. It's not a big deal normally but if
> someone attempts some form of denial of service, it won't help either.
>
> Regards,
>
> Peter
>
> On 30 January 2010 04:11, Kristian Kræmmer Nielsen wrote:
>
>> Hey,
>>
>> I am experiencing an issue using reply-to on block rules.
>>
>> I am a "nice" firewall administrator and always uses "block return" rules,
>> thereby pf sends nice reset packets back to clients if they attempt to
>> connect to a port that pf is setup to block.
>>
>> My setup is using a gif0 tunnel to tunnel specific traffic from another
>> public IP-address to the server. Since it is important that packages are
>> then to be routed back the same way and not using the default-route, I use
>> "pass in reply-to gif0"-rules and this worked perfectly for all incoming
>> traffic.
>>
>> But, on my "block return in gif0 reply-to gif0" - pf seem to simply ignore
>> the reply-to parameter and instead decides to send the packs back using the
>> default route.
>>
>> I see the packages go out on the wrong interface, in my case my ethernet
>> interface (em0), that is the default route for the server.
>>
>> Could someone check to see if pf respects "reply-to" when sending reset
>> packages (block return)?
>>
>> Or if that is not the case explain to me what "reply-to" is suppose to do on
>> "block"-rules?
>>
>> Best regards,
>> Kristian Kræmmer Nielsen,
>> Odense, Denmark
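The ruleset shape Kristian describes, as an added example that is not his configuration: em0, gif0 and the tunnelled address 203.0.113.10 are assumed values. It is laid out the way a practitioner would reproduce the report: antispoof first, the allowed tunnel traffic with reply-to, and the refused traffic last. For the refused traffic the example uses block drop rather than block return, because the thread reports that the reset pf generates for block return leaves via the default route on em0 regardless of reply-to (the PR list at the top of this digest also carries kern/93825, "[pf] pf reply-to doesn't work"); the block return variant is kept as a comment so the two can be compared with tcpdump.

```pf
# Added example of the setup under discussion; not Kristian's ruleset.
# em0, gif0 and 203.0.113.10 are assumed values.
ext_if   = "em0"           # carries the default route
tun_if   = "gif0"          # tunnel that delivers traffic for $tun_addr
tun_addr = "203.0.113.10"  # public address reachable only through the tunnel

# Spoofed sources on the default link are dropped silently before any rule
# that could answer them (Kristian's antispoof rules would sit here too).
antispoof quick for $ext_if

# Refused tunnel traffic. Dropping generates nothing, so there is no reset
# that could leave via the default route. The block return form from the
# report is kept for comparison:
#   block return in on $tun_if reply-to $tun_if to $tun_addr
block drop in on $tun_if to $tun_addr

# Allowed tunnel traffic (SMTP in Kristian's case). reply-to is recorded in
# the state, so packets of this connection travelling back out are sent via
# gif0 instead of following the default route. The last matching rule wins,
# so this overrides the block above for port 25 only.
pass in on $tun_if reply-to $tun_if proto tcp from any to $tun_addr port 25 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. To see where a reset actually goes, run `tcpdump -ni em0 'tcp[tcpflags] & tcp-rst != 0'` while connecting through the tunnel to a refused port: with the block return line active, the resets show up on em0 as reported; with block drop, nothing should appear there.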