From owner-freebsd-pf@FreeBSD.ORG Mon Aug 23 05:33:03 2010
From: Earl Lapus
To: freebsd-pf@freebsd.org
Date: Mon, 23 Aug 2010 13:08:50 +0800
Subject: pf state options

Hi,

I've set up the following rules in pf.conf:
---
set limit states 20000
pass in from 192.168.56.100 to any keep state (max 30000)
---

It loads perfectly fine. However, if you noticed, the max states value in the rule (30000) is greater than the hard limit (20000). So my question is: what is the distinction between the states count specified in `set limit states (n)` and the `max (n)` specified in a rule? Are they at all related?

Cheers!

-- 
There are seven words in this sentence.

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 23 11:07:05 2010
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 23 Aug 2010 11:07:04 GMT
Message-Id: <201008231107.o7NB74rR089156@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/148290  pf    [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf    [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf    [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf    [pf] "(self)" not always matching all local IPv6 addre
o kern/144311  pf    [pf] [icmp] massive ICMP storm on lo0 occurs when usin
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o conf/142817  pf    [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/135162  pf    [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o kern/132769  pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf    [pf] pf stalls connection when using route-to [regress
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf    [pf] deadlock in pf
f kern/127345  pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

47 problems total.
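Returning to Earl's question in the first message of this digest: per pf.conf(5), `set limit states` is the hard limit on the whole state table (the kernel memory pool, default 10000 entries), while `max` in a rule's state options caps the number of concurrent states that one rule may create. They are related only in that the global pool wins: a rule `max` above the global limit can never be reached, and pfctl does not warn about the mismatch. The checker below is an added example, not code from the thread or from the pf project; it reads a constructed pf.conf (whose first and third lines mirror Earl's), extracts every `set limit`, and reports the cap each rule's `max` can actually reach.

```python
import re

# Constructed sample pf.conf. The first and third lines mirror the rules quoted
# in the thread; the others are added so the checker has more than one rule to look at.
SAMPLE_PF_CONF = """\
set limit states 20000
set limit table-entries 500000
pass in from 192.168.56.100 to any keep state (max 30000)
pass in proto tcp from any to any port 22 keep state (max 5000, max-src-conn 100)
pass out keep state
"""

# pf.conf(5) default for "set limit states" when the option is absent.
DEFAULT_STATES_LIMIT = 10000

# "set limit states 20000" style (one limit per line).
LIMIT_LINE_RE = re.compile(r'^\s*set\s+limit\s+([\w-]+)\s+(\d+)')
# "set limit { states 20000, table-entries 500000 }" style (several per line).
LIMIT_BRACE_RE = re.compile(r'^\s*set\s+limit\s*\{([^}]*)\}')
# State options of a filter rule: "... keep state ( max 30000, ... )".
STATE_OPTS_RE = re.compile(r'\bstate\s*\(([^)]*)\)')
# "max N" inside the state options; "max-src-conn N" and friends must not match.
RULE_MAX_RE = re.compile(r'(?<![\w-])max\s+(\d+)')


def strip_comment(line):
    """Drop a trailing '# ...' comment; enough for this checker."""
    return line.split('#', 1)[0]


def parse_limits(conf):
    """Return {limit-name: value} for every 'set limit' in the configuration."""
    limits = {}
    for line in conf.splitlines():
        line = strip_comment(line)
        m = LIMIT_BRACE_RE.match(line)
        if m:
            for item in m.group(1).split(','):
                parts = item.split()
                if len(parts) == 2 and parts[1].isdigit():
                    limits[parts[0]] = int(parts[1])
            continue
        m = LIMIT_LINE_RE.match(line)
        if m:
            limits[m.group(1)] = int(m.group(2))
    return limits


def check_rule_maxima(conf):
    """Compare every per-rule 'max N' against the global state-table limit.

    Returns (states_limit, findings); each finding carries the rule's line
    number, its declared max, the cap it can really reach (the smaller of the
    two numbers) and whether the declared value exceeds the global pool.
    """
    states_limit = parse_limits(conf).get('states', DEFAULT_STATES_LIMIT)
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        line = strip_comment(line)
        if not re.match(r'\s*(pass|block|match)\b', line):
            continue
        opts = STATE_OPTS_RE.search(line)
        if not opts:
            continue
        m = RULE_MAX_RE.search(opts.group(1))
        if not m:
            continue
        rule_max = int(m.group(1))
        findings.append({
            'line': lineno,
            'rule_max': rule_max,
            'effective_max': min(rule_max, states_limit),
            'exceeds_global': rule_max > states_limit,
        })
    return states_limit, findings


def report(conf):
    """Human-readable version of check_rule_maxima()."""
    states_limit, findings = check_rule_maxima(conf)
    lines = [f"global state limit: {states_limit}"]
    for f in findings:
        verdict = "exceeds global limit" if f['exceeds_global'] else "ok"
        lines.append(f"line {f['line']}: max {f['rule_max']} "
                     f"(effective {f['effective_max']}) - {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PF_CONF)))
```

Run it against a real pf.conf by replacing `SAMPLE_PF_CONF` with the file's contents; a rule reported as "exceeds global limit" is not a syntax error, it simply tells you which of the two numbers is the one that will actually bite when the table fills up.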
From owner-freebsd-pf@FreeBSD.ORG Mon Aug 23 15:21:05 2010
From: Dan Pritts
To: Earl Lapus
Cc: freebsd-pf@freebsd.org
Date: Mon, 23 Aug 2010 11:16:48 -0400
Message-ID: <20100823151647.GD10713@maniac.deathstar.org>
Subject: Re: pf state options

I don't know the answer to your question, but can tell you that there appears to be a bug in "set limit" parsing. It probably won't affect you on states, but just in case, here goes:

If I put this in a pf.conf:

set limit table-entries 500000

and then try to load a table with more than the default number of entries, it pukes.

If I instead make a special /etc/pf.set (name not significant) with just the set limit command, and then do this:

/sbin/pfctl -f /etc/pf.set; /sbin/pfctl -f /etc/pf.conf

it works as I'd want.

I assume this is because the tables are loaded before the limits are raised. Oops.

On Mon, Aug 23, 2010 at 01:08:50PM +0800, Earl Lapus wrote:
> Hi,
> 
> I've set up the following rules in pf.conf
> ---
> set limit states 20000
> pass in from 192.168.56.100 to any keep state (max 30000)
> ---
> 
> It loads perfectly fine. However, if you noticed, the max states value
> in the rule (30000) is greater than the hard limit (20000).
> So my question is: what is the distinction between the states count
> specified in `set limit states (n)` and the `max (n)` specified in a
> rule? Are they at all related?
> 
> Cheers!
> 
> -- 
> There are seven words in this sentence.

danno
-- 
dan pritts
danno@umich.edu
734-929-9770

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 23 15:25:04 2010
From: Dan Pritts
To: Patrick Mahan
Cc: freebsd-pf@freebsd.org
Date: Mon, 23 Aug 2010 11:08:33 -0400
Message-ID: <20100823150831.GB10713@maniac.deathstar.org>
In-Reply-To: <32AB5C9615CC494997D9ABB1DB12783C024C875098@SJ-EXCH-1.adaranet.com>
Subject: Re: PF newbie questions

On Thu, Aug 19, 2010 at 05:44:26PM -0700, Patrick Mahan wrote:
> I am just a little concerned over the potential for impact to the
> throughput by the re-assembling of an IP packet from its fragments.
> However, it seems to me that limiting it to 0 is a bit drastic. Shouldn't
> it be something like a 4-8 packet limit?

Hi Patrick -

My slightly-educated guess is that you are right to have performance concerns.

pf comes from OpenBSD. Relatively speaking, OpenBSD doesn't care about performance; they care about security and correctness. They are the same folks behind OpenSSH, and they have refused requests to merge patches that *drastically* improve OpenSSH transfer speeds over WANs:

http://www.psc.edu/networking/projects/hpn-ssh/
http://www.psc.edu/networking/projects/hpn-ssh/faq.php (near bottom)

Also, note the example configurations in the pf FAQ:

http://www.openbsd.org/faq/pf/queueing.html

Basically, home users and companies with T1 lines.

How easily the issues you note can be dealt with without affecting security I do not know. Surely, it would be much more complex to do effective firewall filters of IP fragments than it is to use the current approach.

As a practical concern for that one, I don't know what your product does, but do you really expect to transfer many fragmented packets?

I'd also note that the current FreeBSD pf code is based on an old snapshot from OpenBSD. Depending on your product plans you might want to wait for/join the effort to merge a newer version; there has been some discussion on this list.

If you are just looking for queueing, I assume you also know about ipfw DUMMYNET; if not, check it out.
danno
-- 
dan pritts
ann arbor, mi, us

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 23 17:03:41 2010
From: STux
To: freebsd-pf@freebsd.org
Date: Mon, 23 Aug 2010 19:04:09 +0200
Message-ID: <4C72AA09.6030604@stuxnet.org>
Subject: PF filtering with IPv6 and IPSEC

Hello guys,

I'm running FreeBSD 8.0 and I experience a problem with pf. The network configuration is the following:

NetworkA (ipv6) <=> gwA (openbsd) <=> wan (ipv6/ipsec) <=> gwB (freebsd) <=> NetworkB (ipv6)

OpenBSD is running isakmpd, and seems to be working well. FreeBSD is running racoon (ipsec-tools from ports).

Without pf enabled on FreeBSD, the ipv6/ipsec tunnel works well (tcpdump confirms it): machines on networkB access networkA and machines on networkA access networkB.

Code:
--------------------------------------------------------
23:30:00.815393 IP6 gwB > gwA: ESP spi=0x0b9ef32c,seq=0xe), length 92
23:30:00.815546 IP6 gwA > gwB: ESP spi=0xf3cb2428,seq=0x1a), length 92
--------------------------------------------------------

With pf enabled: tcpdump continues to show similar packets, machines on networkA continue to access NetworkB, BUT machines on networkB accessing NetworkA are blocked by PF, with a singular reason. pflog shows unencrypted packets from NetworkA to NetworkB. Example of an ssh connection initiated from NetworkB to NetworkA (this applies to all protocols except ICMP):

Code:
--------------------------------------------------------
00:00:00.000000 IP6 MachineA.ssh > MachineB.52719: Flags [S.], seq 1862827950, ack 2014870766, win 5712, options [mss 1440,sackOK,TS val 211216935 ecr 257703668,nop,wscale 4], length 0
--------------------------------------------------------

Please note the source port and Flag!

I've tcpdumped on OpenBSD, and no packet is transmitted in clear from NetworkA to NetworkB. pf is enabled on OpenBSD. I don't think OpenBSD is the problem.

When pf is disabled on FreeBSD, there is no packet transmitted in clear from NetworkA to NetworkB: only encrypted packets from gwA to gwB and from gwB to gwA.

So I think there is a problem after decryption of the packet by racoon. But I don't see why (despite several nights ;) ).

For information: sample of pf.conf which causes the problem.

Code:
--------------------------------------------------------
ext_if="sis0"
int_if="sis1"

set skip on { lo0 enc0 }
set state-policy if-bound
set block-policy return

scrub in all

block in log (all, to pflog0)

pass out keep state
pass in on $ext_if keep state
pass in on $int_if keep state
--------------------------------------------------------

Any advice? Thanks.

Christophe.
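The detail Christophe points at (source port ssh, flags [S.]) is the useful one: in tcpdump notation `S.` is SYN+ACK, the responder's reply to a handshake someone else started. A `pass ... keep state` rule admits the reply to a connection it created state for, so a SYN+ACK showing up in the `block in log` output means no state matched that packet; with `set state-policy if-bound` a state only matches packets on the interface it was created on, which is the first thing to compare when a decrypted packet re-enters pf. The parser below is an added example, not code from the thread or from pf/tcpdump; it reads constructed lines shaped like the two tcpdump excerpts above (ESP datagrams from the wire, one plaintext segment from pflog), summarises the ESP flows by SPI, and picks out blocked replies.

```python
import re

# Constructed samples, shaped like the tcpdump output quoted in the thread:
# two ESP datagrams seen on the wire, and the one plaintext packet pflog reported
# as blocked by the "block in log" rule.
WIRE_SAMPLE = [
    "23:30:00.815393 IP6 gwB > gwA: ESP spi=0x0b9ef32c,seq=0xe), length 92",
    "23:30:00.815546 IP6 gwA > gwB: ESP spi=0xf3cb2428,seq=0x1a), length 92",
]
PFLOG_SAMPLE = [
    "00:00:00.000000 IP6 MachineA.ssh > MachineB.52719: Flags [S.], seq 1862827950, "
    "ack 2014870766, win 5712, options [mss 1440,sackOK,TS val 211216935 ecr 257703668,"
    "nop,wscale 4], length 0",
]

ESP_RE = re.compile(
    r'^(?P<ts>\S+) IP6? (?P<src>\S+) > (?P<dst>\S+): ESP spi=(?P<spi>0x[0-9a-fA-F]+),'
    r'seq=(?P<seq>0x[0-9a-fA-F]+)')
# tcpdump prints "host.port" on both sides; the port is the last dotted component.
TCP_RE = re.compile(
    r'^(?P<ts>\S+) IP6? (?P<src>\S+)\.(?P<sport>[^.\s]+) > (?P<dst>\S+)\.(?P<dport>[^.:\s]+):'
    r' Flags \[(?P<flags>[^\]]*)\]')


def parse_line(line):
    """Classify one tcpdump line as an ESP datagram, a TCP segment, or something else."""
    m = ESP_RE.match(line)
    if m:
        return {'kind': 'esp', 'src': m['src'], 'dst': m['dst'],
                'spi': int(m['spi'], 16), 'seq': int(m['seq'], 16)}
    m = TCP_RE.match(line)
    if m:
        flags = m['flags']
        # tcpdump notation: "S" is a bare SYN (the initiator's first packet),
        # "S." is SYN+ACK (the responder's reply), anything else is mid-connection.
        if flags == 'S':
            role = 'initiator'
        elif flags == 'S.':
            role = 'reply'
        else:
            role = 'established'
        return {'kind': 'tcp', 'src': m['src'], 'sport': m['sport'],
                'dst': m['dst'], 'dport': m['dport'], 'flags': flags, 'role': role}
    return {'kind': 'other', 'raw': line}


def esp_flows(wire_lines):
    """Map each ESP SPI to its (src, dst) pair and the number of datagrams seen."""
    flows = {}
    for line in wire_lines:
        rec = parse_line(line)
        if rec['kind'] != 'esp':
            continue
        entry = flows.setdefault(rec['spi'], {'src': rec['src'], 'dst': rec['dst'], 'count': 0})
        entry['count'] += 1
    return flows


def blocked_replies(pflog_lines):
    """Return the TCP SYN+ACKs found in the block rule's log.

    Every line passed in is assumed to come from pflog, i.e. to have been
    dropped; a SYN+ACK there means no existing state matched the reply.
    """
    return [rec for rec in map(parse_line, pflog_lines)
            if rec['kind'] == 'tcp' and rec['role'] == 'reply']


def describe(pflog_lines):
    """One line of diagnosis per blocked reply."""
    return [f"{rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} "
            f"[{rec['flags']}] blocked: reply did not match any state"
            for rec in blocked_replies(pflog_lines)]


if __name__ == "__main__":
    for spi, f in esp_flows(WIRE_SAMPLE).items():
        print(f"ESP spi=0x{spi:08x} {f['src']} -> {f['dst']}: {f['count']} datagram(s)")
    for line in describe(PFLOG_SAMPLE):
        print(line)
```

Feed it the output of `tcpdump -n -e -ttt -i pflog0` (the `-e` flag adds the rule number and interface to each line, which this parser ignores) and anything reported by `describe()` is a connection whose forward direction was passed but whose reply was not, which narrows the search to how the state was bound rather than to the rules themselves.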