From owner-freebsd-pf@FreeBSD.ORG Sun Mar 13 16:38:49 2011
From: Giuseppe Maniscalco
To: freebsd-pf@freebsd.org
Date: Sun, 13 Mar 2011 17:13:55 +0100
Subject: FreeBSD7, pf, carp...

Hi List! I need your help!!!

I've two firewalls configured in parallel (connected with a crossover cable) and I use pfsync+carp to failover. So one firewall (A) handles all traffic as MASTER and, if it dies or if some NIC interface goes down, the second firewall (B) takes over automatically.

Well... As usual everything works properly, but since a few days ago "B" takes control and "A" becomes backup. But "A" cannot return to being master until rebooting! After reboot, "A" is the master for a while, then I have the same problem...

I identified a problem here:

fwA# sysctl -a | grep arp
net.inet.ip.same_prefix_carp_only: 0
net.inet.carp.allow: 1
net.inet.carp.preempt: 1
net.inet.carp.log: 1
net.inet.carp.arpbalance: 0
net.inet.carp.suppress_preempt: 1

From man carp:

    net.inet.carp.suppress_preempt
        A read only value showing the status of preemption suppression.
        Preemption can be suppressed if link on an interface is down or
        when pfsync(4) interface is not synchronized. Value of 0 means
        that preemption is not suppressed, since no problems are
        detected. Every problem increments suppression counter.

All my interfaces are UP... now I don't know how to check if pfsync is synched or not...

Meanwhile, on the B node:

fwB# sysctl -a | grep arp
net.inet.ip.same_prefix_carp_only: 0
net.inet.carp.allow: 1
net.inet.carp.preempt: 1
net.inet.carp.log: 1
net.inet.carp.arpbalance: 0
net.inet.carp.suppress_preempt: 0

I tried with a tcpdump on the interfaces, but I see just the change of condition (master/backup) with the advskew modification...
This is the only strange thing on the DMZ interface... :

17:01:32.397429 01:80:c2:00:00:01 (oui Unknown) > 01:80:c2:00:00:01 (oui Unknown), ethertype Unknown (0x8808), length 60:
        0x0000:  0001 ffff 0000 0000 0000 0000 0000 0000  ................
        0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............

I just tried to change the NIC, but nothing! "A" continues to lose control in 30/45 minutes...

I read somewhere that the result of "pfctl -ss" must give the same result on both nodes:

fwA# pfctl -ss | wc -l
5833
fwB# pfctl -ss | wc -l
5507

Could it be important?

Some additional information:

fwA# more /etc/rc.conf
ifconfig_em0="inet a.a.a.12 netmask 255.255.255.0 polling" ### DMZ ###
ifconfig_em1="inet b.b.b.2 netmask 255.255.0.0 polling" ### CROSSOVER ###
ifconfig_em2="inet c.c.c.189 netmask 255.255.255.224 polling" ### ISP1 ###
ifconfig_em3="inet d.d.d.249 netmask 255.255.255.0 polling" ### ISP2 ###
defaultrouter="c.c.c.1"

#Firewall
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

#Failover
pfsync_enable="YES"
pfsync_syncdev="em1"
cloned_interfaces="carp0 carp1 carp2"
ifconfig_carp0="a.a.a.1/24 vhid 1 pass foo"
ifconfig_carp0_alias0="a.a.a.11/24 vhid 1 pass foo"
ifconfig_carp1="d.d.d.14/24 vhid 2 pass bar"
ifconfig_carp1_alias0="d.d.d.2/24 vhid 2 pass bar"
ifconfig_carp2="c.c.c.188/27 vhid 3 pass jack"
ifconfig_carp2_alias0="c.c.c.165/27 vhid 3 pass jack"

fwB# more /etc/rc.conf
ifconfig_ste0="inet a.a.a.13 netmask 255.255.255.0 polling"
ifconfig_ste1="inet b.b.b.3 netmask 255.255.0.0 polling"
ifconfig_em0="inet c.c.c.190 netmask 255.255.255.224 polling"
ifconfig_em1="inet d.d.d.250 netmask 255.255.255.0 polling"
defaultrouter="c.c.c.1"

#Firewall
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

#Failover
pfsync_enable="YES"
pfsync_syncdev="ste1"
cloned_interfaces="carp0 carp1 carp2"
ifconfig_carp0="a.a.a.1/24 vhid 1 advskew 128 pass foo"
ifconfig_carp0_alias0="a.a.a.11/24 vhid 1 advskew 128 pass foo"
ifconfig_carp1="d.d.d.14/24 vhid 2 advskew 64 pass bar"
ifconfig_carp1_alias0="d.d.d.2/24 vhid 2 advskew 64 pass bar"
ifconfig_carp2="c.c.c.188/27 vhid 3 advskew 100 pass jack"
ifconfig_carp2_alias0="c.c.c.165/27 vhid 3 advskew 100 pass jack"

In each node's pf.conf I added:

fwA# more pf.conf | grep failover
pass quick on { em1 } proto pfsync # failover
pass on { em0 em2 em3 } proto carp # failover

fwB# more pf.conf | grep failover
pass quick on { ste1 } proto pfsync # failover
pass on { em0 ste0 em1 } proto carp # failover

I hope that someone can give me a solution please, or maybe just an idea, 'cause I'm getting crazy!!!
Please ask me if you need further information...
Thank you all!

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 14 11:07:06 2011
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 14 Mar 2011 11:07:05 GMT
Message-Id: <201103141107.p2EB75J3002633@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).
The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/153307  pf    [pf] Bug with PF firewall
o kern/148290  pf    [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf    [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf    [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf    [pf] "(self)" not always matching all local IPv6 addre
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o conf/142817  pf    [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/135162  pf    [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o kern/132769  pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf    [pf] pf stalls connection when using route-to [regress
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf    [pf] deadlock in pf
f kern/127345  pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf    [carp] carp+pf delay with high state limit
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

45 problems total.
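The CARP/pfsync failover problem from the "FreeBSD7, pf, carp..." message above, as an added example that is not code from any list participant: a POSIX sh script that reads the `sysctl` and rc.conf text captured on each node and reports, per vhid, which node should hold MASTER with preemption enabled (the lower advskew) and whether that node's preemption is currently suppressed. The sample strings are constructed from the values the post shows (same anonymised addresses); on a real host you would feed it live `sysctl net.inet.carp` output instead.

```shell
#!/bin/sh
# Added example (not from the list posts): decode the CARP/pfsync health
# indicators discussed in the thread from text captured on each node.

# Constructed sample: the net.inet.carp lines `sysctl -a | grep arp` printed
# on fwA and fwB in the original post (values copied from the thread).
FWA_SYSCTL='net.inet.carp.allow: 1
net.inet.carp.preempt: 1
net.inet.carp.log: 1
net.inet.carp.arpbalance: 0
net.inet.carp.suppress_preempt: 1'

FWB_SYSCTL='net.inet.carp.allow: 1
net.inet.carp.preempt: 1
net.inet.carp.log: 1
net.inet.carp.arpbalance: 0
net.inet.carp.suppress_preempt: 0'

# Constructed sample rc.conf fragments (addresses as anonymised in the post).
FWA_RC='ifconfig_carp0="a.a.a.1/24 vhid 1 pass foo"
ifconfig_carp1="d.d.d.14/24 vhid 2 pass bar"
ifconfig_carp2="c.c.c.188/27 vhid 3 pass jack"'
FWB_RC='ifconfig_carp0="a.a.a.1/24 vhid 1 advskew 128 pass foo"
ifconfig_carp1="d.d.d.14/24 vhid 2 advskew 64 pass bar"
ifconfig_carp2="c.c.c.188/27 vhid 3 advskew 100 pass jack"'

# preempt_state "<sysctl output>" -> "ok", "suppressed(N)" or "unknown".
# suppress_preempt is a counter: every detected problem (an interface with
# link down, a pfsync interface that has not finished its bulk update)
# increments it, so anything above 0 means this node will not take over
# even though net.inet.carp.preempt=1.
preempt_state() {
    n=$(printf '%s\n' "$1" | awk -F': ' '/net.inet.carp.suppress_preempt/ { print $2 }')
    if [ -z "$n" ]; then
        echo "unknown"
    elif [ "$n" -eq 0 ]; then
        echo "ok"
    else
        echo "suppressed($n)"
    fi
}

# advskew "<rc.conf text>" <vhid> -> advskew configured for that vhid
# (0, the ifconfig default, when the line sets none).
advskew() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^ifconfig_carp[0-9]+=/ {
            vhid = ""; skew = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "vhid")    vhid = $(i + 1)
                if ($i == "advskew") skew = $(i + 1)
            }
            if (vhid == want) { print skew; found = 1; exit }
        }
        END { if (!found) print 0 }'
}

# expected_master <vhid> -> "A", "B" or "tie": with preempt enabled the node
# advertising with the lower advskew wins; equal skews fall back to CARP's
# own tie-break, which this script does not model.
expected_master() {
    a=$(advskew "$FWA_RC" "$1")
    b=$(advskew "$FWB_RC" "$1")
    if [ "$a" -lt "$b" ]; then echo A
    elif [ "$b" -lt "$a" ]; then echo B
    else echo tie
    fi
}

# The question in the thread: why does A (advskew 0) stay BACKUP? This
# report pairs the expected winner with that node's suppression state.
explain() {
    sa=$(preempt_state "$FWA_SYSCTL")
    sb=$(preempt_state "$FWB_SYSCTL")
    for v in 1 2 3; do
        m=$(expected_master "$v")
        case "$m" in
            A) s=$sa ;;
            B) s=$sb ;;
            *) s=ok ;;
        esac
        if [ "$s" != ok ]; then
            echo "vhid $v: $m should be MASTER but its preemption is $s; check link state and pfsync bulk update"
        else
            echo "vhid $v: expected master $m (preemption $s)"
        fi
    done
}

explain
```

Run it as-is to see the three-line report; to use it on real nodes, replace the constructed strings with `sysctl net.inet.carp` and the `ifconfig_carp*` lines from each node's rc.conf.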
From owner-freebsd-pf@FreeBSD.ORG Tue Mar 15 11:40:13 2011
From: Giuseppe Maniscalco
To: freebsd-pf@freebsd.org
Date: Tue, 15 Mar 2011 12:40:11 +0100
Subject: Re: FreeBSD7, pf, carp...

Update... It's a strange day, today...

Yesterday I changed the nodes' states, so now the master is the old backup. And it works fine... The new backup (the node that gave me problems) seems to be ok... but...

The last rules of my pf ruleset are for load balancing between external connections...

[...]
pass out log on $ext_if1 route-to ($ext_if2 $ext_if2_gw) from $ext_if2 to any
pass out log on $ext_if2 route-to ($ext_if1 $ext_if1_gw) from $ext_if1 to any

Now I'm running out of ideas. I checked all the pf rules with pfctl -sa and... Arrrggh!...

pass out log on em2 route-to (axe0 213.x.x.254) inet from 212.52.82.27 to any flags S/SA keep state

WHAT!?! What the hell, and who is 212.52.82.27??? It doesn't belong to my IP addresses!?

After a flush it becomes normal:

pass out log on em2 route-to (axe0 213.x.x.254) inet from 213.x.x.249 to any flags S/SA keep state

What do you think about that?!

2011/3/13 Giuseppe Maniscalco :
> Hi List! I need your help!!!
>
> I've two firewalls configured in parallel (connected with a crossover
> cable) and I use pfsync+carp to failover. So one firewall (A) handles
> all traffic as MASTER and, if it dies or if some NIC interface go
> down, the second firewall (B) takes over automatically.
> Well... As usually everything works properly, but since a few days ago
> "B" takes control and "A" become backup. But "A" cannot return to be
> master until rebooting!
> After reboot, "A" is the master for a while, then I've the same problem...
>
> I identified a problem here:
>
> fwA# sysctl -a | grep arp
> net.inet.ip.same_prefix_carp_only: 0
> net.inet.carp.allow: 1
> net.inet.carp.preempt: 1
> net.inet.carp.log: 1
> net.inet.carp.arpbalance: 0
> net.inet.carp.suppress_preempt: 1
>
> From man carp:
> net.inet.carp.suppress_preempt:
> A read only value showing the status of preemption suppression.
> Preemption can be suppressed if link on an interface is down or when
> pfsync(4) interface is not synchronized.
> Value of 0 means that preemption is not suppressed, since no problems
> are detected. Every problem increments suppression counter.
>
> All my interfaces are UP... now I don't know how to check if pfsync is
> synched or not...
>
> Meanwhile, in B node:
> fwB# sysctl -a | grep arp
> net.inet.ip.same_prefix_carp_only: 0
> net.inet.carp.allow: 1
> net.inet.carp.preempt: 1
> net.inet.carp.log: 1
> net.inet.carp.arpbalance: 0
> net.inet.carp.suppress_preempt: 0
>
> I tried with a tcpdump on the interfaces, but I see just the change of
> condition (master/backup) with the advskew modification...
> This is the only strange thing on DMZ interface... :
>
> 17:01:32.397429 01:80:c2:00:00:01 (oui Unknown) > 01:80:c2:00:00:01
> (oui Unknown), ethertype Unknown (0x8808), length 60:
>         0x0000:  0001 ffff 0000 0000 0000 0000 0000 0000  ................
>         0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
>         0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
>
> I just tried to change the NIC, but nothing! "A" continue to lose
> control in 30/45 minutes...
>
> I read somewhere that the result of "pfctl -ss" must give the same
> result on both nodes:
>
> fwA# pfctl -ss | wc -l
> 5833
> fwB# pfctl -ss | wc -l
> 5507
>
> Could it be important?
>
>
> Some additional information:
>
> fwA# more /etc/rc.conf
> ifconfig_em0="inet a.a.a.12 netmask 255.255.255.0 polling" ### DMZ ###
> ifconfig_em1="inet b.b.b.2 netmask 255.255.0.0 polling" ### CROSSOVER ###
> ifconfig_em2="inet c.c.c.189 netmask 255.255.255.224 polling" ### ISP1 ###
> ifconfig_em3="inet d.d.d.249 netmask 255.255.255.0 polling" ### ISP2 ###
> defaultrouter="c.c.c.1"
>
> #Firewall
> pf_enable="YES"
> pf_rules="/etc/pf.conf"
> pf_flags=""
> pflog_enable="YES"
> pflog_logfile="/var/log/pflog"
>
> #Failover
> pfsync_enable="YES"
> pfsync_syncdev="em1"
> cloned_interfaces="carp0 carp1 carp2"
> ifconfig_carp0="a.a.a.1/24 vhid 1 pass foo"
> ifconfig_carp0_alias0="a.a.a.11/24 vhid 1 pass foo"
> ifconfig_carp1="d.d.d.14/24 vhid 2 pass bar"
> ifconfig_carp1_alias0="d.d.d.2/24 vhid 2 pass bar"
> ifconfig_carp2="c.c.c.188/27 vhid 3 pass jack"
> ifconfig_carp2_alias0="c.c.c.165/27 vhid 3 pass jack"
>
> fwB# more /etc/rc.conf
> ifconfig_ste0="inet a.a.a.13 netmask 255.255.255.0 polling"
> ifconfig_ste1="inet b.b.b.3 netmask 255.255.0.0 polling"
> ifconfig_em0="inet c.c.c.190 netmask 255.255.255.224 polling"
> ifconfig_em1="inet d.d.d.250 netmask 255.255.255.0 polling"
> defaultrouter="c.c.c.1"
>
> #Firewall
> pf_enable="YES"
> pf_rules="/etc/pf.conf"
> pf_flags=""
> pflog_enable="YES"
> pflog_logfile="/var/log/pflog"
>
> #Failover
> pfsync_enable="YES"
> pfsync_syncdev="ste1"
> cloned_interfaces="carp0 carp1 carp2"
> ifconfig_carp0="a.a.a.1/24 vhid 1 advskew 128 pass foo"
> ifconfig_carp0_alias0="a.a.a.11/24 vhid 1 advskew 128 pass foo"
> ifconfig_carp1="d.d.d.14/24 vhid 2 advskew 64 pass bar"
> ifconfig_carp1_alias0="d.d.d.2/24 vhid 2 advskew 64 pass bar"
> ifconfig_carp2="c.c.c.188/27 vhid 3 advskew 100 pass jack"
> ifconfig_carp2_alias0="c.c.c.165/27 vhid 3 advskew 100 pass jack"
>
> In each node pf.conf I added:
>
> fwA# more pf.conf | grep failover
> pass quick on { em1 } proto pfsync # failover
> pass on { em0 em2 em3 } proto carp # failover
>
> fwB# more pf.conf | grep failover
> pass quick on { ste1 } proto pfsync # failover
> pass on { em0 ste0 em1 } proto carp # failover
>
>
> I hope that someone can give me a solution please, or maybe just an
> idea, cause I'm getting crazy!!!
> Please ask me, if you need further information...
> Thank you all!
>

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 18 11:47:31 2011
From: Melissa Jenkins
To: freebsd-pf@freebsd.org
Date: Fri, 18 Mar 2011 11:31:12 +0000
Message-Id: <9C34D3E1-5F82-461B-AD1D-9BD7402D794E@littlebluecar.co.uk>
In-Reply-To: <20110131112244.839B610656A8@hub.freebsd.org>
Subject: PFsync & RDR/NAT

Hiya,

I was wondering if anybody knew how to stop the states generated by RDR and NAT rules from synchronising over PFSYNC?

In particular I have an RDR for DNS traffic. The states this produces don't need to be synchronised between the two machines, but I can't figure out how to stop this. Adding the (no state) flags to the pass rule doesn't stop the states from being synchronised.

Thanks!
Mel

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 18 16:08:23 2011
From: Thomas Steen Rasmussen
To: Melissa Jenkins
Cc: freebsd-pf@freebsd.org
Date: Fri, 18 Mar 2011 17:08:18 +0100
Message-ID: <4D838372.2060401@gibfest.dk>
In-Reply-To: <9C34D3E1-5F82-461B-AD1D-9BD7402D794E@littlebluecar.co.uk>
Subject: Re: PFsync & RDR/NAT
On 18.03.2011 12:31, Melissa Jenkins wrote:
> Hiya,
>
> I was wondering if anybody knew how to stop the states generated by RDR and NAT rules from synchronising over PFSYNC?
>
> In particular I have an RDR for DNS traffic. The states this produces don't need to be synchronised between the two machines, but I can't figure out how to stop this. Adding the (no state) flags to the pass rule doesn't stop the states from being synchronised.

Hello,

You need the no-sync keyword on the state options, check man pf.conf(5).

Best regards

Thomas Steen Rasmussen

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 19 08:46:44 2011
From: Melissa Jenkins
To: freebsd-pf@freebsd.org
Date: Sat, 19 Mar 2011 08:46:33 +0000
Message-Id: <64167BE5-C27D-415C-A490-0953DC30B6DD@littlebluecar.co.uk>
In-Reply-To: <4D838372.2060401@gibfest.dk>
Subject: Re: PFsync & RDR/NAT
Hi Thomas,

I wish it was that simple :(

If I add it to the rdr I get an error loading the file:

rdr pass on $if proto udp from to any port 53 -> 127.0.0.1 port 53 keep state (no-sync)

pf.conf:124: syntax error

If I put it on the pass rule it doesn't stop the state from being synchronised... I'm guessing because the state was created by the RDR rule. I've tried in FreeBSD 8.0 & 8.1

Mel

On 18 Mar 2011, at 16:08, Thomas Steen Rasmussen wrote:
> On 18.03.2011 12:31, Melissa Jenkins wrote:
>> Hiya,
>>
>> I was wondering if anybody knew how to stop the states generated by RDR and NAT rules from synchronising over PFSYNC?
>>
>> In particular I have an RDR for DNS traffic. The states this produces don't need to be synchronised between the two machines, but I can't figure out how to stop this. Adding the (no state) flags to the pass rule doesn't stop the states from being synchronised.
> Hello,
>
> You need the no-sync keyword on the state options,
> check man pf.conf(5).
>
> Best regards
>
> Thomas Steen Rasmussen

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 19 12:11:33 2011
From: Vilem Kebrt
To: freebsd-pf@freebsd.org
Date: Sat, 19 Mar 2011 12:44:34 +0100
Message-ID: <4D849722.9010003@gmail.com>
In-Reply-To: <64167BE5-C27D-415C-A490-0953DC30B6DD@littlebluecar.co.uk>
Subject: Re: PFsync & RDR/NAT

On 19.3.2011 9:46, Melissa Jenkins wrote:
> Hi Thomas,
>
> I wish it was that simple :(
>
> If I add it to the rdr I get an error loading the file:
> rdr pass on $if proto udp from to any port 53 -> 127.0.0.1 port 53 keep state (no-sync)
>
> pf.conf:124: syntax error

Hi Melissa,

call me old school, but keep state on UDP?

btw, on rdr there is no pass - pass is for filter rules, rdr for nat rules :)

example:

rdr on em0 proto {tcp,udp} from any to $my_ip port 53 -> $int_ip port 53

I'm using both protocols, 'cause when the response is long, the dns resolver will use tcp.

William

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 19 14:20:19 2011
From: Thomas Steen Rasmussen
To: Melissa Jenkins
Cc: freebsd-pf@freebsd.org
Date: Sat, 19 Mar 2011 15:20:16 +0100
Message-ID: <4D84BBA0.40208@gibfest.dk>
In-Reply-To: <64167BE5-C27D-415C-A490-0953DC30B6DD@littlebluecar.co.uk>
Subject: Re: PFsync & RDR/NAT
On 19.03.2011 09:46, Melissa Jenkins wrote:
> Hi Thomas,
>
> I wish it was that simple :(
>
> If I add it to the rdr I get an error loading the file:
> rdr pass on $if proto udp from to any port 53 -> 127.0.0.1 port 53 keep state (no-sync)
>
> pf.conf:124: syntax error
>
> If I put it on the pass rule it doesn't stop the state from being synchronised... I'm guessing because the state was created by the RDR rule. I've tried in Freebsd 8.0 & 8.1
>

Hello,

You need to remove the "pass" keyword from the RDR rule and make an explicit "pass" rule with the no-state keyword.

So instead of:

rdr pass on $if proto udp from to any port 53 -> 127.0.0.1 port 53 keep state (no-sync)

You do:

rdr on $if proto udp from to any port 53 -> 127.0.0.1 port 53
pass in on $if inet proto udp from to 127.0.0.1 port 53 keep state (no-sync)

Best regards

Let me know how it works out.

Thomas Steen Rasmussen

ps. Please don't top-post :)
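The rewrite Thomas describes, as an added example that is not code from the thread: a POSIX sh function that turns one combined `rdr pass ... keep state (no-sync)` line (the form that fails to parse in Melissa's report) into the separate `rdr` rule and `pass in` rule, carrying the state options onto the pass rule. The rule text and the table name `<clients>` are constructed; the table name in the original posts did not survive the archive, so it is a placeholder here.

```shell
#!/bin/sh
# Added example (not from the thread): split a combined "rdr pass" rule
# into the explicit rdr + pass pair Thomas describes. The state options
# ("keep state (no-sync)") belong on the pass rule; pf rejects them on rdr.

# Constructed sample rule; "<clients>" is a placeholder table name.
RULE='rdr pass on $if proto udp from <clients> to any port 53 -> 127.0.0.1 port 53 keep state (no-sync)'

# split_rdr_pass "<rule line>" -> prints the rdr rule, then the pass rule.
# Lines that are not "rdr pass ..." are passed through unchanged.
split_rdr_pass() {
    printf '%s\n' "$1" | awk '
    function trim(s) { gsub(/^[ \t]+/, "", s); gsub(/[ \t]+$/, "", s); return s }
    $1 == "rdr" && $2 == "pass" {
        n = index($0, "->")
        if (n == 0) { print "error: rdr rule has no -> target" > "/dev/stderr"; exit 1 }
        left  = substr($0, 1, n - 1)     # match criteria
        right = substr($0, n + 2)        # translation target + state options
        k = index(right, "keep state")
        if (k) { target = trim(substr(right, 1, k - 1)); state = trim(substr(right, k)) }
        else   { target = trim(right); state = "keep state" }
        # interface, protocol and source that the pass rule must repeat
        nt = split(left, t, " ")
        for (i = 1; i < nt; i++) {
            if (t[i] == "on")    iface = t[i + 1]
            if (t[i] == "proto") proto = t[i + 1]
            if (t[i] == "from")  src   = t[i + 1]
        }
        sub(/^rdr pass /, "rdr ", left)
        printf "%s -> %s\n", trim(left), target
        # after translation the packet is addressed to the rdr target, so the
        # filter rule matches on that, not on the original destination
        printf "pass in on %s inet proto %s from %s to %s %s\n", iface, proto, src, target, state
        next
    }
    { print }
    '
}

split_rdr_pass "$RULE"
```

The `inet` keyword is carried over from Thomas's rule because the sample target is an IPv4 address; for an IPv6 target it would be `inet6`. Whether pfsync then stops exporting the DNS states is a question for the nodes' `pfctl -ss` output, which is how the earlier thread compared state tables.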