From: Александр <it.nvsk.cbs@yandex.ru>
Date: Mon, 17 Aug 2015 23:33:54 +0300
To: freebsd-pf@freebsd.org
Subject: packet processing figure out

Hello everyone.

I've been using pf for quite a while with a pretty simple ruleset. Now I have a new network with lots of services and VPNs, so I have to make a very good firewall.

I looked up man pf.conf and found that nat is evaluated before rules. I said OK, but then I found this http://www.benzedrine.ch/pf_flow.png and I got really confused.

For example, a simple gateway with ext_if and int_if:

1. packet comes from inside to the internet
 - I have to allow it to *pass in* on int_if
 - I have to allow *nat* on ext_if
 - I have to allow it to *pass out* on ext_if (and here I must take into consideration that src_ip was altered)

Do I really have to write 3 rules to make nat work? (question 1)
If I use the nat pass statement, how many rules can I omit? (question 2)

2. packet comes from the internet to a forwarded port
 - I have to allow *rdr on ext_if*
 - I have to allow *pass in* on ext_if (take into consideration dst_ip altering)
 - I have to allow *pass out* on int_if (dst_ip altered already)

Again 3 rules? (question 3)
If I use the *rdr pass on* statement, how many rules can I omit? (question 4)

If I'm right with all of the above, how can I differentiate traffic natted from the internal network from traffic sourced by the firewall itself if it has the same source IP address? (question 5)

And by the way, is there any good flowchart of commonly used traffic going through a pf firewall (with nat used along the way) so I can really get a feeling about what is going on under the hood?

Thank you.
P.S.: 10.2-RELEASE

Alex
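The gateway described in the message above, written out as a FreeBSD 10 pf.conf ruleset. This is an added example, not from the post or from the pf project; the interface names em0/em1, the 192.168.1.0/24 internal network and the 192.168.1.10 web host are assumed. It shows the translation rules, the pass-in/pass-out pair for each direction, the "nat pass" / "rdr pass" shorthand, and a tag that lets the filter tell NATted packets apart from ones the firewall itself originates.

```pf
# Added example, not from the post or from the pf project: the
# ext_if/int_if gateway as a FreeBSD 10 pf.conf ruleset. em0, em1,
# 192.168.1.0/24 and the 192.168.1.10 web host are assumed values.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"
web_srv = "192.168.1.10"

set skip on lo0
scrub in all

# Translation rules are evaluated first; the filter rules below see the
# translated addresses. The tag survives translation, so the filter can
# tell LAN packets (now sourced from ($ext_if)) apart from packets the
# firewall itself originates (question 5). Writing "nat pass" here would
# instead let matching packets skip the filter on $ext_if outbound.
nat on $ext_if from $int_net to any tag NATTED -> ($ext_if)

# Port forward with "pass": matching packets skip the filter on the
# inbound side of $ext_if, but are still filtered when they leave on
# $int_if with the rewritten destination.
rdr pass on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

block log all

# Case 1, LAN -> Internet: pass in on the inside interface, pass out on
# the outside interface. The second rule matches only NATted packets;
# the firewall's own traffic has the same source address but no tag.
pass in on $int_if from $int_net to any keep state
pass out on $ext_if tagged NATTED keep state
pass out on $ext_if from ($ext_if) to any ! tagged NATTED keep state

# Case 2, Internet -> forwarded port: "rdr pass" already covered the
# inbound side of $ext_if; the translated packet still has to leave
# on $int_if.
pass out on $int_if proto tcp from any to $web_srv port 80 keep state
```

Load it with pfctl -nf to syntax-check before pfctl -f; pfctl -s state then shows the NATted and firewall-sourced connections as separate entries.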
From: bugzilla-noreply@freebsd.org
Date: Wed, 19 Aug 2015 21:57:26 +0000
To: freebsd-pf@FreeBSD.org
Subject: [Bug 202178] [pf] pf recursion panic when running ifconfig stf create

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202178

Kristof Provost changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                CC|                            |kp@freebsd.org

--- Comment #1 from Kristof Provost ---
There's a patch in https://reviews.freebsd.org/D3435

It's not perfect, in that it doesn't fix all of the issues with interface groups in pf, but it does fix this panic.