From owner-freebsd-pf@FreeBSD.ORG Sun Apr 16 05:30:47 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4278816A401 for ; Sun, 16 Apr 2006 05:30:47 +0000 (UTC) (envelope-from thompsa@freebsd.org) Received: from dbmail-mx1.orcon.net.nz (loadbalancer1.orcon.net.nz [219.88.242.3]) by mx1.FreeBSD.org (Postfix) with ESMTP id 46D5A43D46 for ; Sun, 16 Apr 2006 05:30:45 +0000 (GMT) (envelope-from thompsa@freebsd.org) Received-SPF: none Received: from heff.fud.org.nz (60-234-149-201.bitstream.orcon.net.nz [60.234.149.201]) by dbmail-mx1.orcon.net.nz (8.13.6/8.13.6/Debian-1) with SMTP id k3G5VGYE000606; Sun, 16 Apr 2006 17:31:17 +1200 Received: by heff.fud.org.nz (Postfix, from userid 1001) id CD1D71CC37; Sun, 16 Apr 2006 17:30:23 +1200 (NZST) Date: Sun, 16 Apr 2006 17:30:23 +1200 From: Andrew Thompson To: Daniel Hartmeier Message-ID: <20060416053023.GD56603@heff.fud.org.nz> References: <20060402054532.GF17711@egr.msu.edu> <20060404145704.GW2684@insomnia.benzedrine.cx> <20060404153443.GX2684@insomnia.benzedrine.cx> <200604051441.16865.max@love2party.net> <20060405130645.GB5683@insomnia.benzedrine.cx> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="qMm9M+Fa2AknHoGS" Content-Disposition: inline In-Reply-To: <20060405130645.GB5683@insomnia.benzedrine.cx> User-Agent: Mutt/1.5.11 X-Virus-Scanned: ClamAV version 0.88, clamav-milter version 0.87 on dbmail-mx1.orcon.net.nz X-Virus-Status: Clean Cc: freebsd-pf@freebsd.org Subject: Re: broken ip checksum after frag reassemble of nfs READDIR? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 16 Apr 2006 05:30:47 -0000 --qMm9M+Fa2AknHoGS Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Wed, Apr 05, 2006 at 03:06:45PM +0200, Daniel Hartmeier wrote: > On Wed, Apr 05, 2006 at 02:41:09PM +0200, Max Laier wrote: > > > The other big problem that just crossed my mind: Reassembly in the bridge > > path!? It doesn't look like the current bridge code on either OS is ready to > > deal with packets > MTU coming out of the filter. The question here is > > probably how much IP processing we want to do in the bridge code? > > OpenBSD's bridge does, see bridge_fragment(). IIRC, we slightly adjusted > ip_fragment() so it could be called from there, and not too much code > had to be duplicated. > Here is a patch that adds fragmenting, largely based on whats in OpenBSD. I didnt bring over bridge_send_icmp_err() as we can only get a large packet to fragment by reassembling a previous fragment, checking for DF and sending an icmp doesnt apply to us. Can I get a review, esp. the traversal of the mbufs. cheers, Andrew --qMm9M+Fa2AknHoGS Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="bridge_frag.diff" Index: ../../net/if_bridge.c =================================================================== RCS file: /home/ncvs/src/sys/net/if_bridge.c,v retrieving revision 1.58 diff -u -p -r1.58 if_bridge.c --- ../../net/if_bridge.c 26 Mar 2006 20:52:47 -0000 1.58 +++ ../../net/if_bridge.c 16 Apr 2006 05:23:03 -0000 @@ -263,6 +263,8 @@ static int bridge_ip_checkbasic(struct m # ifdef INET6 static int bridge_ip6_checkbasic(struct mbuf **mp); # endif /* INET6 */ +static int bridge_fragment(struct ifnet *, struct mbuf *, + struct ether_header *, int, struct llc *); SYSCTL_DECL(_net_link); SYSCTL_NODE(_net_link, IFT_BRIDGE, bridge, CTLFLAG_RW, 0, "Bridge"); @@ -1497,13 +1499,21 @@ bridge_stop(struct ifnet *ifp, int disab __inline void bridge_enqueue(struct bridge_softc *sc, struct ifnet *dst_ifp, struct mbuf *m) { - int len, err; + int len, err = 0; short mflags; + struct mbuf *m0; len = m->m_pkthdr.len; mflags = m->m_flags; - IFQ_ENQUEUE(&dst_ifp->if_snd, m, err); + for (; m; m = m0) { + m0 = m->m_nextpkt; + m->m_nextpkt = NULL; + + if (err == 0) + IFQ_ENQUEUE(&dst_ifp->if_snd, m, err); + } + if (err == 0) { sc->sc_ifp->if_opackets++; @@ -2761,13 +2771,24 @@ ipfwpass: error = pfil_run_hooks(&inet_pfil_hook, mp, bifp, dir, NULL); - /* Restore ip and the fields ntohs()'d. */ - if (*mp != NULL && error == 0) { - ip = mtod(*mp, struct ip *); - ip->ip_len = htons(ip->ip_len); - ip->ip_off = htons(ip->ip_off); + if (*mp == NULL || error != 0) /* filter may consume */ + break; + + /* check if we need to fragment the packet */ + if (pfil_member && ifp != NULL && dir == PFIL_OUT) { + i = (*mp)->m_pkthdr.len; + if (i > ifp->if_mtu) { + error = bridge_fragment(ifp, *mp, &eh2, snap, + &llc1); + return error; + } } + /* Restore ip and the fields ntohs()'d. */ + ip = mtod(*mp, struct ip *); + ip->ip_len = htons(ip->ip_len); + ip->ip_off = htons(ip->ip_off); + break; # ifdef INET6 case ETHERTYPE_IPV6 : @@ -2979,3 +3000,59 @@ bad: return -1; } # endif /* INET6 */ + +/* + * bridge_fragment: + * + * Return a fragmented mbuf chain. + */ +static int +bridge_fragment(struct ifnet *ifp, struct mbuf *m, struct ether_header *eh, + int hassnap, struct llc *llc) +{ + struct mbuf *m0; + int error = -1; + struct ip *ip; + + if (m->m_len < sizeof(struct ip) && + (m = m_pullup(m, sizeof(struct ip))) == NULL) + goto dropit; + ip = mtod(m, struct ip *); + + error = ip_fragment(ip, &m, ifp->if_mtu, ifp->if_hwassist, + CSUM_DELAY_IP); + if (error) + goto dropit; + + /* walk the chain and re-add the Ethernet header */ + for (m0 = m; m0; m0 = m0->m_nextpkt) { + if (error == 0) { + if (hassnap) { + M_PREPEND(m0, sizeof(struct llc), M_DONTWAIT); + if (m0 == NULL) { + error = ENOBUFS; + continue; + } + bcopy(llc, mtod(m0, caddr_t), + sizeof(struct llc)); + } + M_PREPEND(m0, ETHER_HDR_LEN, M_DONTWAIT); + if (m0 == NULL) { + error = ENOBUFS; + continue; + } + bcopy(eh, mtod(m0, caddr_t), ETHER_HDR_LEN); + } else + m_freem(m); + } + + if (error == 0) + ipstat.ips_fragmented++; + + return (error); + +dropit: + if (m != NULL) + m_freem(m); + return (error); +} --qMm9M+Fa2AknHoGS-- From owner-freebsd-pf@FreeBSD.ORG Tue Apr 18 16:58:34 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 560CC16A404 for ; Tue, 18 Apr 2006 16:58:34 +0000 (UTC) (envelope-from scott.nolde@gmail.com) Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.239]) by mx1.FreeBSD.org (Postfix) with ESMTP id 25C2143D5E for ; Tue, 18 Apr 2006 16:58:30 +0000 (GMT) (envelope-from scott.nolde@gmail.com) Received: by wproxy.gmail.com with SMTP id i12so870159wra for ; Tue, 18 Apr 2006 09:58:30 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=r42gBUtrdZ6NKVjBPP2t4adpeyd5T9Bo0pN3ypzZo0QiaO3RmZArS1/317yarSBvw3AYu7kKq5AXf9/uzGuf/zmK4yETBYovLJoeHDYsBcaCJmdLCXRPlVwqVakUZbiNA2Zcsv0pRY0hE3LXV+ddIFOsTJDfdrvMfTIPUOvsE7k= Received: by 10.54.94.8 with SMTP id r8mr700248wrb; Tue, 18 Apr 2006 09:58:30 -0700 (PDT) Received: by 10.54.103.5 with HTTP; Tue, 18 Apr 2006 09:56:34 -0700 (PDT) Message-ID: <34041e6e0604180956x47e88f51ib43f1661cdb9778d@mail.gmail.com> Date: Tue, 18 Apr 2006 12:56:34 -0400 From: "Scott Nolde" To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Subject: FreeBSD 6.1-RC and pf dropping NAT packets to Windows 98 computers? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Apr 2006 16:58:34 -0000 Greetings, I've recently upgraded my firewall from 5.4 to FreeBSD 6.1-RC #2: Wed Apr 12 13:40:41 EDT 2006. I use pf as the packet filtering software and it has worked well for my home network up until this point. In my home network, I have a mixed environment of devices and operating systems which includes a windows 98 host my wife uses. This windows 98 computer can no longer netsurf or check email through the new pf firewall. I make no special allowances for hosts on this network, other than it has a corresponding nat setup and a pass rule for the local lan traffic. I believe the problem to be a scrub setting where "scrub in all" isn't sufficient. I can't get too technical, but when the win98 host begins an http session or POP session (to an offsite server), the initial state is created and some data is exchanged. However, the session doesn't continue. For a web browser, little is seen other than the website's header at the top of the browser. For a pop session the user/pass exchange is made, but any download never completes. I can use telnet and connect to the pop server and run simple checks like top and stat and the single state connection works just fine. Does anyone have any suggestions for a scrub rule to try which might address and accept packets from the win98 host? - smn From owner-freebsd-pf@FreeBSD.ORG Thu Apr 20 15:27:12 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B24F816A401 for ; Thu, 20 Apr 2006 15:27:12 +0000 (UTC) (envelope-from freebsd-questions@premsoft.co.za) Received: from riot.premsoft.co.za (mail.accountmate.co.za [196.38.54.52]) by mx1.FreeBSD.org (Postfix) with ESMTP id 59FDD43D46 for ; Thu, 20 Apr 2006 15:27:09 +0000 (GMT) (envelope-from freebsd-questions@premsoft.co.za) Received: (qmail 40484 invoked by uid 80); 20 Apr 2006 15:27:06 -0000 Received: from 196.37.144.101 (SquirrelMail authenticated user freebsd-questions@premsoft.co.za) by webmail.premsoft.co.za with HTTP; Thu, 20 Apr 2006 17:27:06 +0200 (SAST) Message-ID: <3095.196.37.144.101.1145546826.squirrel@webmail.premsoft.co.za> Date: Thu, 20 Apr 2006 17:27:06 +0200 (SAST) From: freebsd-questions@premsoft.co.za To: freebsd-pf@freebsd.org User-Agent: SquirrelMail/1.4.5 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal Subject: Bridge + PF + ALTQ: Is this possible? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 20 Apr 2006 15:27:12 -0000 Hello all, Is it possible to have FreeBSD configured as a bridge and let PF do filtering of the traffic and ALTQ do shaping of the traffic? My common sense tells me that this should be possible, as it is possible using IPFW/IPFilter and DUMMYNET. If it is possible, are there any pitfalls that I must watch out for? I will be using FreeBSD 6-STABLE. Thank you in advance. ---Jaco From owner-freebsd-pf@FreeBSD.ORG Sat Apr 22 05:05:47 2006 Return-Path: X-Original-To: pf@freebsd.org Delivered-To: freebsd-pf@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3885D16A401 for ; Sat, 22 Apr 2006 05:05:47 +0000 (UTC) (envelope-from michael@gargantuan.com) Received: from phoenix.gargantuan.com (srv01.lak.lwxdatacom.net [24.73.171.238]) by mx1.FreeBSD.org (Postfix) with ESMTP id A4E2643D46 for ; Sat, 22 Apr 2006 05:05:46 +0000 (GMT) (envelope-from michael@gargantuan.com) Received: by phoenix.gargantuan.com (Postfix, from userid 1001) id 0FBA0250; Sat, 22 Apr 2006 01:05:42 -0400 (EDT) Date: Sat, 22 Apr 2006 01:05:42 -0400 From: "Michael W. Oliver" To: pf@freebsd.org Message-ID: <20060422050542.GG44647@gargantuan.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="QWpDgw58+k1mSFBj" Content-Disposition: inline X-WWW-URL: http://michael.gargantuan.com X-GPG-PGP-Public-Key: http://michael.gargantuan.com/gnupg/pubkey.asc X-GPG-PGP-Fingerprint: 2694 0179 AE3F BFAE 0916 0BF5 B16B FBAB C5FA A3C9 X-Home-Phone: +1-863-816-8091 X-Mobile-Phone: +1-863-738-2334 X-Mailing-Address0: 8008 Apache Lane X-Mailing-Address1: Lakeland, FL X-Mailing-Address2: 33810-2172 X-Mailing-Address3: United States of America X-Guide-Questions: http://www.catb.org/~esr/faqs/smart-questions.html X-Guide-Netiquette: http://www.ietf.org/rfc/rfc1855.txt User-Agent: mutt-ng/devel-r774 (FreeBSD) Cc: Subject: (long) antispoof for inet6 before inet6 addr assignment X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 22 Apr 2006 05:05:47 -0000 --QWpDgw58+k1mSFBj Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi folks, I am using FreeBSD (semi)-CURRENT, here is my uname: FreeBSD gambit.gargantuan.com 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Wed Mar 15 12:56:49 EST 2006 mwoliver@gambit.gargantuan.com:/usr/obj/usr/src/sys/GAMBIT i386 I have the following lines (among others) in my pf.conf file: =2E.. antispoof quick for $int_if inet antispoof quick for $int_if inet6 antispoof quick for $ext_if inet antispoof quick for $ext_if inet6 =2E.. After adding these rules, I rebooted my PC and upon boot the pf rules were not loaded, and here is why (from dmesg -a): -----8<----- Starting wpa_supplicant. DHCPREQUEST on ath0 to 255.255.255.255 port 67 DHCPREQUEST on ath0 to 255.255.255.255 port 67 DHCPREQUEST on ath0 to 255.255.255.255 port 67 DHCPACK from 10.0.0.7 bound to 10.0.0.27 -- renewal in 43200 seconds. lo0: flags=3D8049 mtu 16384 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 inet 127.0.0.1 netmask 0xff000000 ath0: flags=3D8843 mtu 1500 inet6 fe80::20f:eaff:fe60:3337%ath0 prefixlen 64 scopeid 0x1 inet 10.0.0.27 netmask 0xffffff00 broadcast 10.0.0.255 ether 00:0f:ea:60:33:37 media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/54Mbps) status: associated ssid ******* channel 5 bssid 00:13:10:e3:3a:78 authmode WPA privacy ON deftxkey UNDEF TKIP 3:128-bit txpowmax 51 protmode CTS burst roaming MANUAL bintval 100 re0: flags=3D8843 mtu 1500 options=3D18 inet6 fe80::290:f5ff:fe32:359f%re0 prefixlen 64 tentative scopeid 0x3 inet 172.31.1.1 netmask 0xffffff00 broadcast 172.31.1.255 ether 00:90:f5:32:35:9f media: Ethernet autoselect (none) status: no carrier Starting pflog. Apr 21 19:08:16 pflogd[294]: [priv]: msg PRIV_OPEN_LOG received Enabling pf. /etc/pf.conf:90: rule expands to no valid combination /etc/pf.conf:92: rule expands to no valid combination pfctl: Syntax error in config file: pf rules not loaded pf enabled Additional routing options: =2E add net ::ffff:0.0.0.0: gateway ::1 add net ::0.0.0.0: gateway ::1 net.inet6.ip6.forwarding: 0 -> 0 ath0: flags=3D8843 mtu 1500 inet6 fe80::20f:eaff:fe60:3337%ath0 prefixlen 64 scopeid 0x1 inet6 2001:4830:2502:8001::a00:1b prefixlen 64 tentative fwe0: flags=3D108802 mtu 1500 options=3D8 ch 1 dma -1 re0: flags=3D8843 mtu 1500 options=3D18 inet6 fe80::290:f5ff:fe32:359f%re0 prefixlen 64 tentative scopeid 0x3 inet6 2001:4830:2502:8080::ac1f:101 prefixlen 64 tentative plip0: flags=3D108810 mtu 1500 lo0: flags=3D8049 mtu 16384 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 pfsync0: flags=3D0<> mtu 2020 pflog0: flags=3D141 mtu 33208 add net fe80::: gateway ::1 add net ff02::: gateway ::1 add net default: gateway 2001:4830:2502:8001::1 IPv4 mapped IPv6 address support=3DNO Starting devd. =2E............. etc. -----8<----- Now, I am no expert, but it looks like the link-local address isn't enough to satisfy pf so that it will load the rules, because I saw the same "rule expands to no valid combination" error when testing this config before having a non-link-local addr assigned to re0. It looks like pf is being started after the inet config, but before the inet6 config, and since there are no non-link-local addrs assigned yet, pf is failing to load the pf.conf rules. Is this a simple order-of-operation bug, or am I doing something wrong. Just so you know, this isn't a live firewall yet, just a simple setup I am doing on my laptop to become familiar with pf enough to (maybe) move away from IPFW2. Here is some more (maybe relevant) info: pf.conf: -------------------- $ cat /etc/pf.conf | egrep -v '(^#|^$)' ext_if=3D"ath0" # replace with actual external interface name i.e., dc0 int_if=3D"re0" # replace with actual internal interface name i.e., dc1 internal_net=3D"172.31.1.1/24" external_addr=3D"10.0.0.27" table { 10.0.0.0/24, 172.16.0.0/24 } table { 192.168.0.0/24, 192.168.1.0/24 } table const { self } set skip on lo0 scrub in on $ext_if all no-df fragment reassemble nat on $ext_if from $internal_net to any -> ($ext_if) rdr on $ext_if proto tcp from any to $external_addr/32 port 2222 -> 172.16.= 31.2 port 22 rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021 block all block in log all antispoof quick for $int_if inet antispoof quick for $int_if inet6 antispoof quick for $ext_if inet antispoof quick for $ext_if inet6 pass in on $ext_if proto tcp from any to $ext_if port 22 flags S/SA modula= te state pass out on $ext_if proto tcp all modulate state flags S/SA pass out on $ext_if proto { udp, icmp } all keep state pass out on $ext_if proto { ipv6, ipv6-route, ipv6-frag, ipv6-icmp, ipv6-no= nxt, ipv6-opts, esp } all keep state pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state pass in on $ext_if proto { ipv6-icmp } from any keep state pass in log on $ext_if proto tcp from any to ! \ port ssh flags S/SA synproxy state /etc/rc.conf: -------------------------- $ egrep '(ath0|re0|pf)' /etc/rc.conf | grep -v ^# ifconfig_re0=3D"inet 172.31.1.1/24" ifconfig_ath0=3D"WPA DHCP" ipv6_ifconfig_ath0=3D"2001:4830:2502:8001::a00:1b/64" ipv6_ifconfig_re0=3D"2001:4830:2502:8080::ac1f:101/64" pf_enable=3D"YES" pflog_enable=3D"YES" Thanks for your help, have a good day! --=20 Mike Oliver, KI4OFU [see complete headers for contact information] --QWpDgw58+k1mSFBj Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (FreeBSD) iD8DBQFESbmmsWv7q8X6o8kRApOQAJ9klaZy0KSqQFnZfquRxC3ZlCRcFwCgvK4w b0yAn6D9lUsSWbhi4GL4ZP4= =Zib+ -----END PGP SIGNATURE----- --QWpDgw58+k1mSFBj-- From owner-freebsd-pf@FreeBSD.ORG Sat Apr 22 08:13:25 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 599B316A402 for ; Sat, 22 Apr 2006 08:13:25 +0000 (UTC) (envelope-from david.hall@sublimeip.com) Received: from sublime-pyr-ex1.sydney.sublimeip.com (exchange1.syd.sublimeip.net [203.12.2.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id D894443D48 for ; Sat, 22 Apr 2006 08:13:24 +0000 (GMT) (envelope-from david.hall@sublimeip.com) Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Date: Sat, 22 Apr 2006 18:13:32 +1000 X-MIMEOLE: Produced By Microsoft Exchange V6.5 Message-ID: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: PFW Thread-Index: AcZl5HGV4tNZBrSiQbyE+rKurnGA0wAAB33g From: "David J. Hall" To: X-Mailman-Approved-At: Sat, 22 Apr 2006 12:27:05 +0000 Subject: PFW X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 22 Apr 2006 08:13:25 -0000 Hi all, I'm using pfw to provide config for pf. This question may be slightly in the wrong place but - how do I go about running apache in non chrooted mode on freebsd? =20 And has anyone else used pfw / comments? =20 Cheers, =20 David J A Hall Technical Sales Manager Telephone 1300 SUBLIME Fax 1300 858 877=20 Sublime//IP =20