From owner-freebsd-pf@FreeBSD.ORG Mon Jan 19 03:53:05 2015
From: Emma Turing
Subject: Kickstarter Invitation
To: freebsd-pf@freebsd.org
Date: Mon, 19 Jan 2015 03:37:55 +0000
Message-Id: <30485748.20150119033755.54bc7c13dd5499.85989338@mail134-16.atl141.mandrillapp.com>

Hi,

I'd like to invite you to back our Kickstarter project - The World's First Personal Robot. We're already 210% funded and the #1 Robot Project on Kickstarter now.

PERSONAL ROBOT IS THE WHOLE PACKAGE:
- The world's first personal assistant robot that can see, hear, smell, move, and feel
- The smartest home automation system (supports both Z-Wave and Zigbee)
- A photographer, storyteller, companion, security guard, and more
- Powered by Artificial Intelligence algorithms
- Open APIs

We've been featured by TechCrunch, Mashable, and VentureBeat.
Thanks,
Emma

*If you're not interested, please simply reply "don't email" and we'll stop emailing you immediately.*

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 19 16:07:19 2015
From: Odhiambo Washington
Date: Mon, 19 Jan 2015 19:06:25 +0300
Subject: Controlling P2P with PF
To: freebsd-pf@freebsd.org
Hello all,

So I found this link while trying to figure out if PF can control P2P - http://www.benhup.com/?mf=freebsd&sf=freebsd8.2-p9_04_peerblock

I tried using it, but I could still download using utorrent from my network. Does this mean I am beating a dead horse, or I have my filter rules in bad order or something I am missing?

My pf.conf: for FreeBSD 10.1-RELEASE

I appreciate all advice.

## Options ###

### Macros ###
ext_if = "re1"                  # External network interface for IPv4
ext_if6 = "re1"                 # External network interface for IPv6
ext_addr = "A.B.C.D"            # External IPv4 address (i.e., global)
int_if = "re0"                  # Internal network interface for IPv4
int_if6 = "re0"                 # Internal network interface for IPv6
int_addr = "192.168.2.254"      # Internal IPv4 address (i.e., gateway for private network)
int_network = "192.168.2.0/24"  # Internal IPv4 network
WinSvr2008 = "192.168.2.2"

### Tables ###
# NOTE: the <name> of each table was stripped by the list archive (angle brackets
# were dropped); the names localhost, private, reserved and p2p below are
# placeholders so the rule set parses, not the original names.
# Host local address table
table <localhost> const { 127.0.0.1 }
# IPv4 private address ranges
table <private> const { 10/8, 172.16/12, 192.168/16 }
# Special-use IPv4 addresses defined in RFC3330
table <reserved> const { 0/8, 14/8, 24/8, 39/8, 127/8, 128.0/16, 169.254/16, 192.0.0/24, 192.0.2/24, 192.88.99/24, 198.18/15, 240/4 }
# Block P2P
# http://www.benhup.com/?mf=freebsd&sf=freebsd8.2-p9_04_peerblock
table <p2p> persist file "/etc/pf/block-p2p.pf"

# LIMITS
set limit { frags 30000, states 100000, table-entries 300000 }

### Scrub: Packet normalization ###
# Scrub for all incoming packets
scrub in all
# Randomize the ID field for all outgoing packets
scrub out all random-id
# If you have MTU problem or something like that
#scrub out all random-id max-mss 1400

### NAT ###
#RDP to WinSvr2008
rdr on $ext_if proto tcp from any to any port 3389 -> $WinSvr2008
# Redirect direct/local web traffic to local web server.
rdr on $int_if proto tcp from 192.168.2.254/32 to 192.168.2.254/32 port 80 -> 192.168.2.254 port 80
rdr on $int_if proto tcp from 192.168.2.254/32 to 192.168.2.254/32 port 443 -> 192.168.2.254 port 443
# Squid Transparent Proxy
# refer http://www.benzedrine.cx/tranint_addr.html
rdr on $int_if proto tcp from $int_network to any port 80 -> $int_addr port 13128
#rdr on $int_if proto tcp from $int_network to any port 443 -> $int_addr port 13129
# SMTP redirection
rdr on $int_if proto tcp from $int_network to any port 25 -> $int_addr port 587
rdr on $int_if proto tcp from $int_network to any port 110 -> $int_addr port 110
# Let all other stuff go out (the negated table name was also stripped; placeholder)
nat on $ext_if from $int_network to !<private> -> $ext_addr

### Filters ###
# P2P Blocking
block log quick from any to <p2p> label "Attempted p2p-sniffer traffic"
# Permit keep-state packets for UDP and TCP on external interfaces
pass out quick on $ext_if proto udp all keep state
pass out quick on $ext_if6 proto udp all keep state
pass out quick on $ext_if proto tcp all modulate state flags S/SA
pass out quick on $ext_if6 proto tcp all modulate state flags S/SA
# Permit any packets from internal network to this host
pass in quick on $int_if inet from $int_network to $int_addr
# Permit established sessions from internal network to any (incl. the Internet)
pass in quick on $int_if inet from $int_network to any keep state
# If you want to limit the number of sessions per NAT, nodes per NAT (simultaneously), and sessions per source IP
# Please refer to for greater detailed information
#pass in quick on $int_if inet from $int_network to any keep state (max 30000, source-track rule, max-src-nodes 100, max-src-states 500 )
# Permit and log all packets from clients in private network through NAT
pass in quick log on $int_if all
# Pass any other packets
pass in all
pass out all

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
"I can't hear you -- I'm using the scrambler."
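One way to see why a blocklist-driven "block ... to <p2p>" rule can still let a torrent client through is to check how many of the remote peer addresses actually observed (from pflog or tcpdump output) fall inside the table. The following is an added example, not code from the post or from benhup.com: it re-implements pf's table lookup in Python (the most specific entry decides, "!" entries exclude) over a constructed blocklist and constructed peer addresses, and assumes the file uses the same address syntax as the post's inline tables (CIDRs and the short form 10/8).

```python
import ipaddress
# Constructed stand-in for /etc/pf/block-p2p.pf (path from the post, entries made
# up): one address or CIDR per line, '#' comments, pf's short 10/8 form, '!' excludes.
SAMPLE_BLOCKLIST = """\
198.51.100.0/24
203.0.113.0/25
!203.0.113.64/26
192.0.2.7
10/8
"""

# Constructed remote peer addresses, as 'tcpdump -n' or pflog would print them.
SAMPLE_PEERS = ["198.51.100.20", "203.0.113.10", "203.0.113.70",
                "192.0.2.7", "192.0.2.8", "10.9.8.7", "2001:db8::1"]


def _to_network(token):
    """Expand pf's short dotted form (10/8 -> 10.0.0.0/8) and parse a CIDR."""
    addr, _, plen = token.partition("/")
    if ":" not in addr:
        addr = ".".join((addr.split(".") + ["0"] * 4)[:4])
    return ipaddress.ip_network(addr + ("/" + plen if plen else ""), strict=False)


def parse_table_file(text):
    """Return a list of (network, negated) entries from a pf table file body."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.append((_to_network(line.lstrip("!")), line.startswith("!")))
    return entries


def table_matches(entries, addr):
    """Emulate a pf table lookup: the most specific entry containing addr decides,
    and a negated entry means the address is not in the table."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, negated in entries:
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, negated)
    return best is not None and not best[1]


def coverage(entries, peers):
    """Split observed peers into those 'block ... to <p2p>' hits and those it lets through."""
    blocked = [p for p in peers if table_matches(entries, p)]
    return blocked, [p for p in peers if p not in blocked]
```

Every peer outside the list, and every IPv6 peer while the table holds only IPv4 entries, never triggers the rule at all, so the leaked list is what to look at before blaming rule order.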