From owner-freebsd-pf@freebsd.org Tue Oct 20 00:47:48 2015
From: David Mehler <dave.mehler@gmail.com>
To: freebsd-pf
Date: Mon, 19 Oct 2015 20:47:46 -0400
Subject: Working pf ftp configurations
Hello,

If anyone is using freebsd 10 I suppose, pf, and using a system as an ftp client or using the system to protect jails or other systems on a network, providing them ftp access to the net, via ftp-proxy, can you share your configurations? What I've got is not working. Initially I had a single system that wouldn't allow an ls on a remote ftp server; I then added in some jails for other reasons, tried them, and they do the same: can connect, can log in, cannot do ls or anything else. The original system/gateway/jail holding box does run ftp-proxy; it is showing up on 127.0.0.1 port 8021.

Thanks.
Dave.

From owner-freebsd-pf@freebsd.org Tue Oct 20 07:35:27 2015
Date: Tue, 20 Oct 2015 08:56:40 +0300
From: wishmaster <artemrts@ukr.net>
Subject: Re: Working pf ftp configurations
To: David Mehler
Cc: freebsd-pf
Message-Id: <1445320261.248562855.wf3ncryq@frv34.fwdcdn.com>

--- Original message ---
From: "David Mehler"
Date: 20 October 2015, 03:47:52

> Hello,
>
> If anyone is using freebsd 10 I suppose, pf, and using a system as an
> ftp client or using the system to protect jails or other systems on a
> network, providing them ftp access to the net, via ftp-proxy can you
> share your configurations? What I've got is not working, initially I
> had a single system that wouldn't allow an ls on a remote ftp server, I
> then added in some jails for other reasons, tried them, and they do
> the same, can connect can log in, can not do ls or anything else. The
> original system/gateway/jail holding box, does run ftp-proxy it is
> showing up on 127.0.0.1 port 8021.

My system maintains a lot of jails with VIMAGE. FTP server inside jail. Rules in the base system like below:

    # pass the passive-mode data connections to the jail's FTP server
    # (pf.conf range syntax is lo:hi, and "port" needs a proto)
    pass in quick on $ext_if proto tcp from any to $jail port 39000:40000 keep state

vsftpd inside jail has directives:

    pasv_min_port=39000
    pasv_max_port=40000

This above is for the passive ftp.
I do not like ftp-proxy ;-)

--- Vitaliy

From owner-freebsd-pf@freebsd.org Wed Oct 21 15:33:25 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 198868] pf brakes tcp checksum if enabled for ue adapter
Date: Wed, 21 Oct 2015 15:33:25 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.1-RELEASE
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=198868

--- Comment #4 from commit-hook@freebsd.org ---

A commit references this bug:

Author: kp
Date: Wed Oct 21 15:32:21 UTC 2015
New revision: 289703
URL: https://svnweb.freebsd.org/changeset/base/289703

Log:
  MFC r289316:

  pf: Fix TSO issues

  In certain configurations (mostly but not exclusively as a VM on Xen) pf
  produced packets with an invalid TCP checksum. The problem was that pf
  could only handle packets with a full checksum. The FreeBSD IP stack
  produces TCP packets with a pseudo-header checksum (only addresses,
  length and protocol). Certain network interfaces expect to see the
  pseudo-header checksum, so they end up producing packets with invalid
  checksums.

  To fix this stop calculating the full checksum and teach pf to only
  update TCP checksums if TSO is disabled or the change affects the
  pseudo-header checksum.

  PR:           154428, 193579, 198868
  Relnotes:     yes
  Sponsored by: RootBSD

Changes:
  _U  stable/10/
  stable/10/sys/net/pfvar.h
  stable/10/sys/netpfil/pf/pf.c
  stable/10/sys/netpfil/pf/pf_ioctl.c
  stable/10/sys/netpfil/pf/pf_norm.c

-- 
You are receiving this mail because:
You are the assignee for the bug.
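Added example for the passive-FTP setup in wishmaster's reply (this is not code from the thread): a small Python checker that decodes the 227 reply a server sends in answer to PASV, reads pasv_min_port/pasv_max_port from a vsftpd.conf fragment, and compares them with the port range a pf pass rule admits. The symptom in the original question (login works, `ls` never completes) is exactly what you see when the data port announced in the 227 reply lies outside what the firewall passes, because only the control connection on port 21 ever gets through. The configuration fragment, the two rules and the 227 reply are constructed; pf.conf itself spells a range as `port 39000:40000`, and the regex accepts a `39000-40000` spelling as well.

```python
import re

# Constructed inputs (not from the thread): a vsftpd.conf fragment, two pf
# rules and a PASV reply. pf.conf spells a range "port 39000:40000"; the
# regex below also accepts "39000-40000".
VSFTPD_CONF = """# vsftpd.conf fragment (constructed)
pasv_enable=YES
pasv_min_port=39000
pasv_max_port=40000
"""
GOOD_RULE = "pass in quick on $ext_if proto tcp from any to $jail port 39000:40000 keep state"
NARROW_RULE = "pass in quick on $ext_if proto tcp from any to $jail port 39000:39500 keep state"
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,156,50)"  # data port 156*256+50 = 39986

PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PF_PORT_RE = re.compile(r"\bport\s+(\d+)(?:\s*[:-]\s*(\d+))?")


def parse_pasv(reply):
    """Decode a 227 reply into (host, port); the port is p1*256 + p2.
    Returns None for any other reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PASV field out of range: %s" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def vsftpd_pasv_range(conf):
    """(pasv_min_port, pasv_max_port) from vsftpd.conf text."""
    opts = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return int(opts["pasv_min_port"]), int(opts["pasv_max_port"])


def pf_port_range(rule):
    """Port range a single pf rule passes; a bare 'port N' is (N, N)."""
    m = PF_PORT_RE.search(rule)
    if not m:
        return None
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    return lo, hi


def check_passive_setup(conf, rule):
    """Findings that explain a login that works while LIST/RETR hangs:
    the server may announce a data port the firewall never passes."""
    findings = []
    pasv_lo, pasv_hi = vsftpd_pasv_range(conf)
    passed = pf_port_range(rule)
    if passed is None:
        return ["pf rule passes no port range; every data connection is dropped"]
    lo, hi = passed
    if pasv_lo < lo or pasv_hi > hi:
        findings.append("vsftpd announces data ports %d-%d but pf passes only %d-%d"
                        % (pasv_lo, pasv_hi, lo, hi))
    return findings


def data_port_allowed(reply, rule):
    """Would the data connection announced by this 227 reply get through?"""
    parsed = parse_pasv(reply)
    passed = pf_port_range(rule)
    if parsed is None or passed is None:
        return False
    return passed[0] <= parsed[1] <= passed[1]


if __name__ == "__main__":
    print(parse_pasv(PASV_REPLY))
    print(check_passive_setup(VSFTPD_CONF, GOOD_RULE))
    print(check_passive_setup(VSFTPD_CONF, NARROW_RULE))
    print(data_port_allowed(PASV_REPLY, NARROW_RULE))
```

The check is deliberately one-directional: it only answers whether the server side (vsftpd behind pf) can accept the data connection it announced. A client behind the same firewall that is refused an `ls` on a remote server is the mirror case, where the outbound data connection to the remote server's announced port has to be allowed by the client-side rules or handled by ftp-proxy.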
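Added example, not FreeBSD's code: a Python model of the checksum handling that the r289316 log describes. It assumes that a stack which offloads the checksum leaves the uncomplemented one's-complement sum of the pseudo-header (addresses, protocol, length) in the TCP checksum field, and that the interface then continues the sum over the whole segment and complements the result; the names below (`pseudo_checksum`, `nic_complete`, `fixup_pseudo`) are this example's own. With that model, an address rewrite of the kind pf does for NAT can be handled by adjusting only the pseudo-header part of the sum, and the interface still produces a correct checksum; writing a full checksum into a packet the interface is going to complete anyway yields a wrong one, which is the failure the commit removes. Addresses, ports and payload are constructed.

```python
"""Model of pseudo-header vs. full TCP checksums (constructed example,
not FreeBSD code)."""
import socket
import struct

PROTO_TCP = 6
CSUM_OFF = 16  # offset of the checksum field in the TCP header


def ones_sum(data, start=0):
    """Folded one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = start
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src, dst, tcp_len):
    """IPv4 pseudo-header: addresses, zero, protocol, TCP length."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, PROTO_TCP, tcp_len))


def set_csum(segment, value):
    return segment[:CSUM_OFF] + struct.pack("!H", value) + segment[CSUM_OFF + 2:]


def full_checksum(src, dst, segment):
    """RFC 793 checksum over pseudo-header + segment (field zeroed)."""
    seg = set_csum(segment, 0)
    return (~ones_sum(pseudo_header(src, dst, len(seg)) + seg)) & 0xFFFF


def pseudo_checksum(src, dst, tcp_len):
    """What an offloading stack leaves in the field (assumed model):
    the uncomplemented pseudo-header sum, for the NIC to continue."""
    return ones_sum(pseudo_header(src, dst, tcp_len))


def nic_complete(segment):
    """Interface model: sum the whole segment, including whatever is in
    the checksum field, then complement."""
    return (~ones_sum(segment)) & 0xFFFF


def fixup_pseudo(partial, old_ip, new_ip):
    """Incrementally move a pseudo-header sum from old_ip to new_ip:
    subtracting a word in one's complement is adding its complement."""
    total = ones_sum(bytes(b ^ 0xFF for b in socket.inet_aton(old_ip)), partial)
    return ones_sum(socket.inet_aton(new_ip), total)


def build_segment(sport, dport, payload):
    """Minimal TCP header (PSH|ACK, no options) followed by payload."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return hdr + payload


def rewrite_demo(old_src="10.0.0.5", new_src="203.0.113.9", dst="198.51.100.7"):
    """Return (expected, fixed_path, buggy_path) checksums for a segment
    whose source address is rewritten before it reaches the interface."""
    seg = build_segment(40000, 21, b"LIST\r\n")
    # The stack hands the segment off with only the pseudo-header sum.
    offloaded = set_csum(seg, pseudo_checksum(old_src, dst, len(seg)))
    expected = full_checksum(new_src, dst, seg)
    # Fixed behaviour: the address change affects the pseudo-header, so
    # adjust just that part; the interface completes it correctly.
    partial = struct.unpack("!H", offloaded[CSUM_OFF:CSUM_OFF + 2])[0]
    fixed = nic_complete(set_csum(offloaded, fixup_pseudo(partial, old_src, new_src)))
    # Buggy behaviour: a full checksum written into a packet the
    # interface will still complete comes out wrong.
    buggy = nic_complete(set_csum(seg, expected))
    return expected, fixed, buggy


if __name__ == "__main__":
    print(["0x%04x" % v for v in rewrite_demo()])
```

The usable lesson is the one the log states: a filter that rewrites addresses or ports must know whether the field it is touching holds a complete checksum or a partial one the hardware will finish, and only a change to the pseudo-header needs any adjustment at all when offload is in play.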