From: Laszlo Danielisz <laszlo_danielisz@yahoo.com>
To: freebsd-pf@freebsd.org
Date: Sun, 2 Dec 2012 18:55:26 +0100
Subject: Re: pf rules vs DHCP

I changed to a fixed address, so I don't have any more issues with that.

@Kevin, yes I'm using interfaces, is there any way of not using them in pf.conf?

--
Laszlo Danielisz
Sent with Sparrow (http://www.sparrowmailapp.com/?sig)

On 2012 December 2 Sunday at 12:04 AM, Kevin Wilcox wrote:

> On Dec 1, 2012 3:55 PM, "Laszlo Danielisz" wrote:
> >
> > Hi Everybody,
> >
> > Today I just found out that my pf rules are not loaded on boot if I
> > configure my machine's interface with DHCP.
>
> If you use your interface in your rules, for example,
>
>     pass in on em0
>
> then you can tell pf to adapt to a changing IP on that interface with
>
>     pass in on (em0)
>
> This works for interfaces with DHCP-provided addresses but introduces
> some ambiguity.
> kmw

From: Kevin Wilcox <kevin.wilcox@gmail.com>
To: Laszlo Danielisz
Cc: freebsd-pf@freebsd.org
Date: Sun, 2 Dec 2012 13:42:21 -0500
Subject: Re: pf rules vs DHCP

On Dec 2, 2012 12:55 PM, "Laszlo Danielisz" wrote:

> @Kevin, yes I'm using interfaces, is there any way of not using them in
> pf.conf?

I don't think so. I was replying by phone at the time, so it was a little
short; I meant whether you were using the interface in the rule versus
defining a macro and using it. It's the same syntax; I just didn't want
someone new to pf to read it and think

    pass in on $int_if

would automatically work.

kmw

From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 3 Dec 2012 11:06:49 GMT
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/173659  pf         [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf         [patch] authpf(8) feature enhancement
o kern/172648  pf         [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf         [pf] PF problem with modulate state in [regression]
o kern/169630  pf         [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

48 problems total.
From: "Vendas Krazer Technologies" <evendas@krazer.com.br>
To: freebsd-pf@freebsd.org
Date: Mon, 03 Dec 2012 22:08:17 -0200
Subject: New Krazer Sky Station 5GHz N CPE - CPE with integrated 18dBi antenna and external antenna output

Launch: Krazer Sky Station 5GHz N CPE

You, our customer, asked Krazer to build a new CPE in a more stylish,
smaller format with new features, specifically easy access to the reset
button, burn-out protection and the much-requested EXTERNAL ANTENNA
OUTPUT!!!

R$ 179.90

Integrated 18dBi 60° antenna
Two network ports, LAN and WAN
Real 630mW PA and ultra-gain LNA
Passive PoE with dual 12 to 24V protection
12V switching power supply, full range 110 to 220V
Exclusive external antenna output
Anatel certification 0269-11-5280
Quick and simple installation.
Friendly software, in Portuguese!
Client PPPoE WISP support!
Bandwidth control!
Excellent reception signal!
Long range!

Test it on your network and compare with the competition: much more
signal than UBNT, much more data, nearly 90Mbps of TCP/IP transmitted
continuously! Network latency of 1 to 5 ms at full load!

Contact us
Val Campos // Carla Maria // Eder Roberto
Email / MSN: vendas@allearth.com.br
Sales / customer service: (19) 3256-5557 (19) 3245-0708
www.krazer.com.br

Sending unauthorized email is a crime; don't be the villain of the story!
This email is protected under fiscal and federal confidentiality. Brazilian
federal law.

From: Peter McAlpine <peter@aoeu.ca>
To: Kevin Wilcox
Cc: fox@verio.net, freebsd-pf@freebsd.org
Date: Wed, 5 Dec 2012 09:51:36 -0500
Subject: Re: Routing return NAT traffic based on interface

First off, thanks for all the suggestions from both of you. My email
filters were messed up, causing me to miss your replies.

On 19 November 2012 18:56, David DeSimone wrote:

> If I understand the poster's problem, it is that there could be whole
> worlds of other networks behind $int_if, and he is not able to predict
> what IP addresses should be used to match that traffic; in fact, it is
> merely the fact that the traffic is arriving on $int_if that indicates
> it should be NAT'd.

^^ this is the problem exactly.

Here's the config I have:

    tun_if = "tap3"
    ext_if = "xn0"

    set skip on lo

    nat on $ext_if from !$ext_if:network to any -> $ext_if

    pass in on $tun_if from $tun_if:network to any keep state
    pass out on $ext_if from any to any keep state

I've attached a simple network diagram. If I ping google.com from a.b.c.d,
the ICMP traffic on 'server' goes out ext_if NAT'd, then comes back from
google.com, but then 'server' is trying to send it back out ext_if again
because 'server''s default route is the Internet.

I can get the return traffic to go down the tunnel by manually adding a
route on 'server' to send traffic for a.b.c.0/24 down the tunnel, but then
I need to be aware of what all the networks behind 'client' are, and I
don't want to have to do that.
Thanks again for all the ideas/input!
-Peter

On Mon, Nov 19, 2012 at 7:46 PM, Kevin Wilcox wrote:

> On 19 November 2012 18:56, David DeSimone wrote:
>
> > This doesn't seem right, because even traffic coming in via the external
> > interface will have its target IP changed to be the router, even if
> > it is destined for some other place. Previously you were using "from
> > $int_if:network" to prevent this from happening to other traffic, but
> > without that restriction, every packet would be subject to NAT.
>
> My assumption was that the traffic coming in on the external interface
> is already destined for the outside IP of the router, unless he's
> doing some really funky stuff on both sides ;)
>
> It sounded like he wanted to NAT anything coming from the inside
> interface and then anything on the outside that wasn't return NAT
> traffic was supposed to terminate on the router, but I've been known
> to have clogged ears and awfully poor eyesight.
>
> kmw

From: Ermal Luçi <ermal.luci@gmail.com>
To: Peter McAlpine
Cc: fox@verio.net, freebsd-pf@freebsd.org
Date: Wed, 5 Dec 2012 16:21:47 +0100
Subject: Re: Routing return NAT traffic based on interface

On Wed, Dec 5, 2012 at 3:51 PM, Peter McAlpine wrote:

> First off, thanks for all the suggestions from both of you. My email
> filters were messed up, causing me to miss your replies.
>
> On 19 November 2012 18:56, David DeSimone wrote:
> > If I understand the poster's problem, it is that there could be whole
> > worlds of other networks behind $int_if, and he is not able to predict
> > what IP addresses should be used to match that traffic; in fact, it is
> > merely the fact that the traffic is arriving on $int_if that indicates
> > it should be NAT'd.
> ^^ this is the problem exactly.
>
> Here's the config I have:
>
>     tun_if = "tap3"
>     ext_if = "xn0"
>     set skip on lo
>     nat on $ext_if from !$ext_if:network to any -> $ext_if
>     pass in on $tun_if from $tun_if:network to any keep state
>     pass out on $ext_if from any to any keep state

Maybe this can help, by writing the rules as follows.

    pass in on $tun_if from any to any tag TUNIFACE keep state
    pass in on $ext_if route-to ($tun_if $gateway_tun_if) from any to !self tag TUNIFACE keep state

    pass out on $tun_if reply-to ($ext_if $ext_if_gateway) from any to any tagged TUNIFACE keep state
    pass out on $ext_if reply-to ($tun_if $gateway_tun_if) from any to any tagged TUNIFACE keep state

Then keep your other rules going...

> I've attached a simple network diagram. If I ping google.com from a.b.c.d
> the icmp traffic on 'server' goes out ext_if NAT'd, then comes back from
> google.com, but then 'server' is trying to send it back out ext_if again
> because 'server''s default route is the Internet.
>
> I can get the return traffic to go down the tunnel by manually adding a
> route on 'server' to send traffic for a.b.c.0/24 down the tunnel, but then
> I need to be aware of what all the networks behind 'client' are, and I
> don't want to have to do that.
>
> Thanks again for all the ideas/input!
> -Peter

--
Ermal

From: Peter McAlpine <peter@aoeu.ca>
To: Ermal Luçi
Cc: fox@verio.net, freebsd-pf@freebsd.org
Date: Wed, 5 Dec 2012 21:15:50 -0500
Subject: Re: Routing return NAT traffic based on interface

Ermal this looks to be working perfectly. Thank you so much!

-Peter

On Wed, Dec 5, 2012 at 10:21 AM, Ermal Luçi wrote:

> On Wed, Dec 5, 2012 at 3:51 PM, Peter McAlpine wrote:
>
>> First off, thanks for all the suggestions from both of you. My email
>> filters were messed up, causing me to miss your replies.
>>
>> On 19 November 2012 18:56, David DeSimone wrote:
>> > If I understand the poster's problem, it is that there could be whole
>> > worlds of other networks behind $int_if, and he is not able to predict
>> > what IP addresses should be used to match that traffic; in fact, it is
>> > merely the fact that the traffic is arriving on $int_if that indicates
>> > it should be NAT'd.
>> ^^ this is the problem exactly.
>>
>> Here's the config I have:
>>
>>     tun_if = "tap3"
>>     ext_if = "xn0"
>>     set skip on lo
>>     nat on $ext_if from !$ext_if:network to any -> $ext_if
>>     pass in on $tun_if from $tun_if:network to any keep state
>>     pass out on $ext_if from any to any keep state
>
> Maybe this can help, by writing the rules as follows.
>
>     pass in on $tun_if from any to any tag TUNIFACE keep state
>     pass in on $ext_if route-to ($tun_if $gateway_tun_if) from any to !self tag TUNIFACE keep state
>
>     pass out on $tun_if reply-to ($ext_if $ext_if_gateway) from any to any tagged TUNIFACE keep state
>     pass out on $ext_if reply-to ($tun_if $gateway_tun_if) from any to any tagged TUNIFACE keep state
>
> Then keep your other rules going...
>
>> I've attached a simple network diagram. If I ping google.com from a.b.c.d
>> the icmp traffic on 'server' goes out ext_if NAT'd, then comes back from
>> google.com, but then 'server' is trying to send it back out ext_if again
>> because 'server''s default route is the Internet.
>>
>> I can get the return traffic to go down the tunnel by manually adding a
>> route on 'server' to send traffic for a.b.c.0/24 down the tunnel, but then
>> I need to be aware of what all the networks behind 'client' are, and I
>> don't want to have to do that.
>>
>> Thanks again for all the ideas/input!
>> -Peter
>
> --
> Ermal
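The two threads above fit together in one ruleset, so here is a complete pf.conf assembled as an added example (it is not a configuration posted to the list by Peter, Ermal or Kevin). It applies Kevin's parenthesised-interface form from the DHCP thread to Peter's NAT rule, and reproduces Ermal's tag/tagged rules with route-to and reply-to for steering return NAT traffic back down the tunnel. The interface names follow Peter's config; the two gateway macros that Ermal's rules reference but the thread never defines, gateway_tun_if and ext_if_gateway, are filled with placeholder documentation addresses and must be replaced with real ones.

```pf
# Constructed example pf.conf, not a ruleset posted to the list.
# Interfaces follow Peter's config; the two gateway addresses are
# PLACEHOLDERS from the RFC 5737 documentation ranges.
ext_if = "xn0"                   # Internet-facing interface, address comes from DHCP
tun_if = "tap3"                  # tunnel towards 'client' and the networks behind it
gateway_tun_if = "192.0.2.2"     # PLACEHOLDER: far end of the tunnel, next hop back to 'client'
ext_if_gateway = "203.0.113.1"   # PLACEHOLDER: upstream default gateway reached via $ext_if

set skip on lo

# Parentheses around an interface make pf look the address up when a
# packet is evaluated instead of once when the ruleset is loaded. With a
# DHCP lease the address can be absent at boot (the ruleset then fails
# to load, which is the symptom in the DHCP thread) or change later;
# this is Kevin's "pass in on (em0)" point applied to the NAT rule.
nat on $ext_if from !($ext_if:network) to any -> ($ext_if)

# Ermal's rules, verbatim, with the macros above supplying the gateways.
# "tag" marks packets that entered through the tunnel and the mark is
# kept in the state they create; "tagged" matches on that mark.
# "route-to" sends a matching packet out the named interface to the
# given next hop, and "reply-to" does the same for the replies of a
# stateful connection, so return traffic is steered by pf instead of
# by the default route, which on 'server' points at the Internet.
pass in on $tun_if from any to any tag TUNIFACE keep state
pass in on $ext_if route-to ($tun_if $gateway_tun_if) from any to !self tag TUNIFACE keep state

pass out on $tun_if reply-to ($ext_if $ext_if_gateway) from any to any tagged TUNIFACE keep state
pass out on $ext_if reply-to ($tun_if $gateway_tun_if) from any to any tagged TUNIFACE keep state

# The host's remaining rules ("keep your other rules going") follow here.
# Note that the second pass-in rule forwards any packet arriving on
# $ext_if that is not addressed to the firewall itself; narrow its
# "from any" / "to !self" to the prefixes that should actually be
# reachable through the tunnel before running this on an exposed host.

# Parse without loading:   pfctl -nf /etc/pf.conf
# Load, then inspect:      pfctl -f /etc/pf.conf && pfctl -sr
```

Once loaded, `pfctl -sr` shows the parenthesised interface still printed as `(xn0)` rather than expanded to an address, which is the quick way to confirm the rule will track a lease change; a rule that shows a literal address was expanded at load time and will go stale.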