From owner-freebsd-pf@FreeBSD.ORG Mon May 22 07:58:45 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6AADD16A425 for ; Mon, 22 May 2006 07:58:45 +0000 (UTC) (envelope-from andrey.zverev@electro-com.ru)
Received: from mail.electro-com.ru (mail.electro-com.ru [86.110.161.242]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0C74B43D45 for ; Mon, 22 May 2006 07:58:42 +0000 (GMT) (envelope-from andrey.zverev@electro-com.ru)
Received: from [86.110.161.246] (helo=[192.168.40.142]) by mail.electro-com.ru with esmtpa (Exim 4.60 (FreeBSD)) (envelope-from ) id 1Fi5JI-000O14-KS for freebsd-pf@freebsd.org; Mon, 22 May 2006 11:58:40 +0400
Message-ID: <44716F32.90404@electro-com.ru>
Date: Mon, 22 May 2006 11:58:42 +0400
From: Andrej Zverev
User-Agent: Thunderbird 1.5.0.2 (Windows/20060308)
MIME-Version: 1.0
To: freebsd-pf@freebsd.org
Content-Type: text/plain; charset=KOI8-R; format=flowed
Content-Transfer-Encoding: 7bit
Subject: PF setting tos and modify TTL
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 22 May 2006 07:58:45 -0000

Hello,

Can someone tell me, is it possible to set TOS and change the TTL value with pf?

P.S. Please add me to Cc, I'm not yet subscribed to this list.
WBR,
Andrej Zverev

From owner-freebsd-pf@FreeBSD.ORG Mon May 22 11:02:57 2006
Date: Mon, 22 May 2006 11:02:55 GMT
Message-Id: <200605221102.k4MB2tlg034944@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker        Resp. Description
-------------------------------------------------------------------------------
o [2005/06/15] kern/82271     pf    [pf] cbq scheduler cause bad latency
f [2005/07/31] kern/84370     pf    [modules] Unload pf.ko cause page fault
f [2005/09/13] kern/86072     pf    [pf] Packet Filter rule not working prope
o [2006/02/07] kern/92949     pf    [pf] PF + ALTQ problems with latency
o [2006/02/18] sparc64/93530  pf    Incorrect checksums when using pf's route
o [2006/02/25] kern/93829     pf    [carp] pfsync state time problem with CAR

6 problems total.

Non-critical problems

S Submitted    Tracker        Resp. Description
-------------------------------------------------------------------------------
o [2005/05/15] conf/81042     pf    [pf] [patch] /etc/pf.os doesn't match Fre
o [2006/02/25] kern/93825     pf    [pf] pf reply-to doesn't work
o [2006/04/21] bin/96150      pf    pfctl(8) -k non-functional
o [2006/05/09] kern/97057     pf    IPSEC + pf stateful filtering does not wo

4 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon May 22 22:30:41 2006
Message-ID: <44723D2C.30801@clacso.edu.ar>
Date: Mon, 22 May 2006 19:37:32 -0300
From: gus
To: freebsd-pf@freebsd.org
Subject: pf configuration de Argentina

Hello

If someone can help me.

Actually, let me tell you about the first steps; supposedly we are doing it with a single machine against the FreeBSD server.

The server has the IP addresses 168.96.200.114 and 168.96.200.113, corresponding to two 3com network cards. The card with .114 is the internal one (xl1) and .113 is the external one (xl0).

Our first test is against a machine whose IP is 168.96.200.196, and we want it to have only a limited bandwidth, namely 6K.

The gateway we use without FreeBSD is 168.96.200.1; in this case the .196 machine was assigned .114 as its gateway.

We have tried and have had no luck. The following is what we changed in the pf.conf file.

# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# Macros: define common values, so they can be referenced and changed easily.
ext_if="xl0"	# replace with actual external interface name i.e., dc0
int_if="xl1"	# replace with actual internal interface name i.e., dc1
internal_net="168.96.200.0/24"
external_addr="168.96.200.1"

# Tables: similar to macros, but more flexible for many addresses.
#table { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }

# Options: tune the behavior of pf, default values are given.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all

# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing bandwidth 15%

table {168.96.200.24, 168.96.200.82, 168.96.200.196}

set loginterface $int_if
set fingerprints "/etc/pf.os"

altq on $int_if bandwidth 100Mb cbq queue {dflt_in, uext1_in}
altq on $ext_if bandwidth 600Kb cbq queue {dflt_out}

queue dflt_in cbq (default) bandwidth 60%
queue dflt_out cbq (default)

queue uext1_in bandwidth 6Kb

uext1="168.96.200.196"

nat on $ext_if from to any -> ($ext_if)

pass out on $int_if from any to $uext1 queue uext1_in

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
#nat on $ext_if from $internal_net to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678

# rdr outgoing FTP requests to the ftp-proxy
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# spamd-setup puts addresses to be redirected into table .
#table persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from to any port smtp -> 127.0.0.1 port 8025

# Filtering: the implicit first two rules are
#pass in all
#pass out all

# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
#block in log all
#pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
#pass out on $ext_if proto { tcp, udp } all keep state

# pass incoming packets destined to the addresses given in table .
#pass in on $ext_if proto { tcp, udp } from any to port 80 keep state

# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state

# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing

From owner-freebsd-pf@FreeBSD.ORG Tue May 23 00:24:53 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Tue, 23 May 2006 02:24:22 +0200
References: <44723D2C.30801@clacso.edu.ar>
In-Reply-To: <44723D2C.30801@clacso.edu.ar>
Message-Id: <200605230224.27758.max@love2party.net>
Subject: Re: pf configuration de Argentina

This list is English only, thanks.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
From owner-freebsd-pf@FreeBSD.ORG Tue May 23 18:47:45 2006
Message-ID: <44735A60.70709@clacso.edu.ar>
Date: Tue, 23 May 2006 15:54:24 -0300
From: gus
To: Max Laier
Cc: freebsd-pf@freebsd.org
References: <44723D2C.30801@clacso.edu.ar> <200605230224.27758.max@love2party.net>
In-Reply-To: <200605230224.27758.max@love2party.net>
Subject: Re: pf configuration de Argentina

Max Laier wrote:
> This list is English only, thanks.

Ok, sorry for the language!!

==============================================================

I have one FreeBSD server with IP addresses 168.96.200.114 and 168.96.200.113 for two 3com network cards.
One card has IP .114 (xl1) and the other, the external one, has .113 (xl0).
I have tested with one machine with IP 168.96.200.196, and I would like that machine to use a little bandwidth, for example 6K.

We have a gateway (not FreeBSD) with IP 168.96.200.1, and so the machine .196 has .114 as its gateway.

I have no luck.
The following is the pf.conf file.

Can anyone help me!!!
regards
Gus.

# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# Macros: define common values, so they can be referenced and changed easily.
ext_if="xl0"	# replace with actual external interface name i.e., dc0
int_if="xl1"	# replace with actual internal interface name i.e., dc1
internal_net="168.96.200.0/24"
external_addr="168.96.200.1"

# Tables: similar to macros, but more flexible for many addresses.
#table { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }

# Options: tune the behavior of pf, default values are given.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all

# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing bandwidth 15%

table {168.96.200.24, 168.96.200.82, 168.96.200.196}

set loginterface $int_if
set fingerprints "/etc/pf.os"

altq on $int_if bandwidth 100Mb cbq queue {dflt_in, uext1_in}
altq on $ext_if bandwidth 600Kb cbq queue {dflt_out}

queue dflt_in cbq (default) bandwidth 60%
queue dflt_out cbq (default)

queue uext1_in bandwidth 6Kb

uext1="168.96.200.196"

nat on $ext_if from to any -> ($ext_if)

pass out on $int_if from any to $uext1 queue uext1_in

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
#nat on $ext_if from $internal_net to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678

# rdr outgoing FTP requests to the ftp-proxy
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# spamd-setup puts addresses to be redirected into table .
#table persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from to any port smtp -> 127.0.0.1 port 8025

# Filtering: the implicit first two rules are
#pass in all
#pass out all

# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
#block in log all
#pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
#pass out on $ext_if proto { tcp, udp } all keep state

# pass incoming packets destined to the addresses given in table .
#pass in on $ext_if proto { tcp, udp } from any to port 80 keep state

# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state

# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing

From owner-freebsd-pf@FreeBSD.ORG Tue May 23 19:16:15 2006
Date: Tue, 23 May 2006 16:20:01 -0300
From: Gilberto Villani Brito
To: freebsd-pf@freebsd.org
Message-ID: <20060523162001.58be6ebe@giboia>
In-Reply-To: <44735A60.70709@clacso.edu.ar>
References: <44723D2C.30801@clacso.edu.ar> <200605230224.27758.max@love2party.net> <44735A60.70709@clacso.edu.ar>
Subject: Re: pf configuration de Argentina
Gus,
I already had this doubt.
Try using:

pass in on $int_if from $uext1 to any queue uext1_in

PS: This cup is owned by Brazil.

Gilberto

On Tue, 23 May 2006 15:54:24 -0300
gus wrote:

> Max Laier wrote:
> > This list is English only, thanks.
>
> Ok, sorry for the language!!
>
> ==============================================================
>
> I have one FreeBSD server with IP addresses 168.96.200.114 and
> 168.96.200.113 for two 3com network cards.
> One card has IP .114 (xl1) and the other, the external one, has .113 (xl0).
> I have tested with one machine with IP 168.96.200.196, and I would like
> that machine to use a little bandwidth, for example 6K.
>
> We have a gateway (not FreeBSD) with IP 168.96.200.1, and so the machine .196
> has .114 as its gateway.
>
> I have no luck.
> The following is the pf.conf file.
>
> Can anyone help me!!!
> regards
> Gus.
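An added example, not part of the thread and not gus's or Gilberto's own configuration, showing how the 6Kb cap discussed above could be written so that it applies to both directions of the .196 host's traffic. It assumes the standard pf/ALTQ behaviour that a queue only shapes packets leaving the interface it is defined on, and that a queue name set on a stateful in rule is applied when that state's packets leave another interface; interface names, addresses and link speeds are the ones from the posted pf.conf.

```pf
# Added example (not from the thread): cap one host at 6Kb in both directions.
# Assumptions: xl0 is the external NIC, xl1 the internal one, and the .196 host
# really forwards its traffic through this box (it uses .114 as its gateway);
# if it reaches the Internet via 168.96.200.1 directly, pf never sees it.
ext_if = "xl0"
int_if = "xl1"
uext1  = "168.96.200.196"

# A queue only shapes packets that leave the interface it is defined on.
# Downloads to the host leave via $int_if, its uploads leave via $ext_if,
# so a 6Kb child queue is needed on BOTH interfaces (cbq needs a default too).
altq on $int_if bandwidth 100Mb cbq queue { dflt_in, uext1_in }
queue dflt_in  bandwidth 99% cbq(default)
queue uext1_in bandwidth 6Kb

altq on $ext_if bandwidth 600Kb cbq queue { dflt_out, uext1_out }
queue dflt_out  bandwidth 99% cbq(default)
queue uext1_out bandwidth 6Kb

# Uploads: matched as they enter $int_if. The state remembers the queue name,
# and pf looks that name up on the interface the packet leaves ($ext_if), so
# the queue must be the one defined there, not uext1_in.
pass in  on $int_if from $uext1 to any keep state queue uext1_out

# Downloads: queued directly as they leave $int_if towards the host.
pass out on $int_if from any to $uext1 keep state queue uext1_in
```

After loading with pfctl -f, pfctl -vvsq shows per-queue packet and byte counters, which is the quickest way to see whether the host's traffic actually lands in the 6Kb queues or falls through to the default ones.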
From owner-freebsd-pf@FreeBSD.ORG Wed May 24 17:49:44 2006
Date: Thu, 25 May 2006 02:49:38 +0900 (JST)
Message-Id: <20060525.024938.74731993.yamamoto436@oki.com>
To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
From: Hideki Yamamoto
In-Reply-To: <20060508.054451.41688849.yamamoto436@oki.com>
References: <20060508.054451.41688849.yamamoto436@oki.com>
Subject: Re: IPv6 raw socket to send original udp

Hi,

One of my colleagues helped
me. bpf described in the following page is useful. http://canmore.sdf-eu.org/freebsd/bpf.html And libdnet is a wrapper of the bpf on FreeBSD. Code using libdnet seems to be portable with Linux and so on. From: Hideki Yamamoto Subject: IPv6 raw socket to send original udp Date: Mon, 08 May 2006 05:44:51 +0900 (JST) Message-ID: <20060508.054451.41688849.yamamoto436@oki.com> > > Hi, > > I tried to use pf as a traffic shaper for a streaming server, but > it does not work well. Input of pf is bursted packets within around 20 > msec, but is not bursted packets within around 100 msec or longer. > This traffic pattern is the feature of the streaming server. > > As pf is does not work well, I am thinking designinig original shaper > command on bridge-like freebsd box, and that the command will receive > the sever packet via libpcap, shape it and then send it constantly to > another device. To send packet from bridge-like freebsd box, I plan > to use RAW IPV6 socket. However in my small experiment, it does not > seems good, IP_HDRINCL option does not woks. > > I wonder if IPv6 raw socket can be used only for ICMPv6. > I would like to use IPv6 raw socket for original udp packet. > > Thanks in advance. 
> > Hideki Yamamoto > -- > > > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" --- From owner-freebsd-pf@FreeBSD.ORG Wed May 24 19:32:52 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3FB3916A955 for ; Wed, 24 May 2006 19:32:52 +0000 (UTC) (envelope-from phoemix@harmless.hu) Received: from marvin.harmless.hu (marvin.harmless.hu [195.56.55.204]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7C8D443D5C for ; Wed, 24 May 2006 19:32:48 +0000 (GMT) (envelope-from phoemix@harmless.hu) Received: from localhost (localhost [127.0.0.1]) by marvin (Postfix) with ESMTP id 04CCC20001CB for ; Wed, 24 May 2006 21:32:46 +0200 (CEST) Received: from marvin.harmless.hu ([127.0.0.1]) by localhost (marvin [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 22055-09 for ; Wed, 24 May 2006 21:32:45 +0200 (CEST) Received: by marvin (Postfix, from userid 1000) id 4CFC420001C9; Wed, 24 May 2006 21:32:45 +0200 (CEST) Date: Wed, 24 May 2006 21:32:45 +0200 To: freebsd-pf@freebsd.org Message-ID: <20060524193245.GA31411@marvin.harmless.hu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="3MwIy2ne0vdjdPXF" Content-Disposition: inline User-Agent: Mutt/1.5.9i From: phoemix@harmless.hu (Gergely CZUCZY) X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at harmless.hu Subject: pf-nat with userland ppp source address issue X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 May 2006 19:32:52 -0000 
hello

i've met a very strange issue with NATting.

i've noticed that only every second outgoing SSH connection succeeds, and this was a bit strange. i've started a few, tcpdumped them, applied a filter for S/SA tcp flags, and i've got the following result:

No.  Time       Source           Destination    Protocol Info
31   4.513136   213.178.116.238  195.56.55.204  TCP      53480 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2969214 TSER=0
32   6.542201   213.178.109.103  195.56.55.204  TCP      56051 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2971243 TSER=0
73   8.293252   213.178.116.238  195.56.55.204  TCP      61535 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2972994 TSER=0
74   9.834288   213.178.109.103  195.56.55.204  TCP      59672 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2974535 TSER=0
115  11.384353  213.178.116.238  195.56.55.204  TCP      60708 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2976085 TSER=0

take a look at the source address.
now i've checked the interface configuration:

# ifconfig tun0
tun0: flags=8051 mtu 1492
        inet 213.178.109.103 --> 195.70.32.11 netmask 0xffffffff
        Opened by PID 208

for my information i looked them up:
238.116.178.213.in-addr.arpa domain name pointer caracas-4334.adsl.interware.hu.
103.109.178.213.in-addr.arpa domain name pointer caracas-2407.adsl.interware.hu.

so it appears that's just another user IP from my ISP's ADSL pool.

now the ppp.log looked really interesting, here comes the point:
--- chop with axe here ---
May 24 18:08:02 beeblebrox ppp[208]: tun0: IPCP: IPADDR[6] changing address: 213.178.116.238 --> 213.178.109.103
--- chop with axe here ---
as you can see, one source IP is the old one i had before, and the other one is the one i'm using currently. i've tried to re-read pf.conf with pfctl -f, but that didn't help, nor did -d/-e (disabling and then enabling it).

this solved it:
# pfctl -d
# pfctl -F nat
# pfctl -F state
# pfctl -F Sources
# pfctl -f /etc/pf.conf
# pfctl -e

i'm using the userland ppp service, as it seems from the tun0 interface.

is this issue already known, and is it really a bug, or am i doing something wrong? the pf.conf is available from here. this is my home gateway, it's also a testbox, some kind of playground.

uname -a:
FreeBSD beeblebrox.harmless.lan 6.1-STABLE FreeBSD 6.1-STABLE #0: Fri May 19 14:25:03 CEST 2006     root@beeblebrox.harmless.lan:/usr/obj/usr/src/sys/BEEBLEBROX i386

pf.conf: http://phoemix.harmless.hu/pf.beeblebrox.conf

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu
PGP: http://phoemix.harmless.hu/phoemix.pgp

Weenies test. Geniuses solve problems that arise.

From owner-freebsd-pf@FreeBSD.ORG Wed May 24 19:51:14 2006
From: Max Laier <max@love2party.net>
Organization: FreeBSD
Date: Wed, 24 May 2006 21:50:57 +0200
To: freebsd-pf@freebsd.org
Message-Id: <200605242151.05171.max@love2party.net>
In-Reply-To: <20060524193245.GA31411@marvin.harmless.hu>
Subject: Re: pf-nat with userland ppp source address issue

On Wednesday 24 May 2006 21:32, Gergely CZUCZY wrote:
> i've met a very strange issue with NATting.
>
> i've noticed that only every second outgoing SSH connection succeeds, and
> this was a bit strange. i've started a few, tcpdumped them, applied
> a filter for S/SA tcp flags, and i've got the following result:
>
> No.  Time       Source           Destination    Protocol Info
> 31   4.513136   213.178.116.238  195.56.55.204  TCP      53480 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2969214 TSER=0
> 32   6.542201   213.178.109.103  195.56.55.204  TCP      56051 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2971243 TSER=0
> 73   8.293252   213.178.116.238  195.56.55.204  TCP      61535 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2972994 TSER=0
> 74   9.834288   213.178.109.103  195.56.55.204  TCP      59672 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2974535 TSER=0
> 115  11.384353  213.178.116.238  195.56.55.204  TCP      60708 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2976085 TSER=0
>
> take a look at the source address.
> now i've checked the interface configuration:
>
> # ifconfig tun0
> tun0: flags=8051 mtu 1492
>         inet 213.178.109.103 --> 195.70.32.11 netmask 0xffffffff
>         Opened by PID 208
>
> for my information i looked them up:
> 238.116.178.213.in-addr.arpa domain name pointer caracas-4334.adsl.interware.hu.
> 103.109.178.213.in-addr.arpa domain name pointer caracas-2407.adsl.interware.hu.
>
> so it appears that's just another user IP from my ISP's ADSL pool.
>
> now the ppp.log looked really interesting, here comes the point:
> --- chop with axe here ---
> May 24 18:08:02 beeblebrox ppp[208]: tun0: IPCP: IPADDR[6] changing
> address: 213.178.116.238 --> 213.178.109.103
> --- chop with axe here ---
> as you can see, one source IP is the old one i had before, and the other one
> is the one i'm using currently. i've tried to re-read pf.conf with pfctl -f,
> but that didn't help, nor did -d/-e (disabling and then enabling it).
>
> this solved it:
> # pfctl -d
> # pfctl -F nat
> # pfctl -F state
> # pfctl -F Sources
> # pfctl -f /etc/pf.conf
> # pfctl -e
>
> i'm using the userland ppp service, as it seems from the tun0 interface.
>
> is this issue already known, and is it really a bug, or am i doing something
> wrong? the pf.conf is available from here. this is my home gateway, it's
> also a testbox, some kind of playground.
>
> uname -a:
> FreeBSD beeblebrox.harmless.lan 6.1-STABLE FreeBSD 6.1-STABLE #0: Fri May
> 19 14:25:03 CEST 2006
> root@beeblebrox.harmless.lan:/usr/obj/usr/src/sys/BEEBLEBROX i386
>
> pf.conf:
> http://phoemix.harmless.hu/pf.beeblebrox.conf

Try using:

(tun0:0) in "to", "from" and "->" statements. The ":0" after the interface name will make sure that we don't use alias addresses on the interface. In fact this is a bug in ppp, but it was decided that it was non-trivial to fix it. I don't remember all the details, but

http://www.freebsd.org/cgi/query-pr.cgi?pr=69954

was the PR back then.

btw, you seem to be missing "()" around $if_ppp in the ftp-proxy rule.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed May 24 19:57:40 2006
From: phoemix@harmless.hu (Gergely CZUCZY)
Date: Wed, 24 May 2006 21:57:33 +0200
To: Max Laier
Cc: freebsd-pf@freebsd.org
Message-ID: <20060524195733.GA22703@marvin.harmless.hu>
In-Reply-To: <200605242151.05171.max@love2party.net>
Subject: Re: pf-nat with userland ppp source address issue

On Wed, May 24, 2006 at 09:50:57PM +0200, Max Laier wrote:
> On Wednesday 24 May 2006 21:32, Gergely CZUCZY wrote:
> > i've met a very strange issue with NATting.
> >
> > i've noticed that only every second outgoing SSH connection succeeds, and
> > this was a bit strange. i've started a few, tcpdumped them, applied
> > a filter for S/SA tcp flags, and i've got the following result:
> >
> > No.  Time       Source           Destination    Protocol Info
> > 31   4.513136   213.178.116.238  195.56.55.204  TCP      53480 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2969214 TSER=0
> > 32   6.542201   213.178.109.103  195.56.55.204  TCP      56051 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2971243 TSER=0
> > 73   8.293252   213.178.116.238  195.56.55.204  TCP      61535 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2972994 TSER=0
> > 74   9.834288   213.178.109.103  195.56.55.204  TCP      59672 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2974535 TSER=0
> > 115  11.384353  213.178.116.238  195.56.55.204  TCP      60708 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2976085 TSER=0
> >
> > take a look at the source address.
> > now i've checked the interface configuration:
> >
> > # ifconfig tun0
> > tun0: flags=8051 mtu 1492
> >         inet 213.178.109.103 --> 195.70.32.11 netmask 0xffffffff
> >         Opened by PID 208
> >
> > for my information i looked them up:
> > 238.116.178.213.in-addr.arpa domain name pointer caracas-4334.adsl.interware.hu.
> > 103.109.178.213.in-addr.arpa domain name pointer caracas-2407.adsl.interware.hu.
> >
> > so it appears that's just another user IP from my ISP's ADSL pool.
> >
> > now the ppp.log looked really interesting, here comes the point:
> > --- chop with axe here ---
> > May 24 18:08:02 beeblebrox ppp[208]: tun0: IPCP: IPADDR[6] changing
> > address: 213.178.116.238 --> 213.178.109.103
> > --- chop with axe here ---
> > as you can see, one source IP is the old one i had before, and the other one
> > is the one i'm using currently. i've tried to re-read pf.conf with pfctl -f,
> > but that didn't help, nor did -d/-e (disabling and then enabling it).
> >
> > this solved it:
> > # pfctl -d
> > # pfctl -F nat
> > # pfctl -F state
> > # pfctl -F Sources
> > # pfctl -f /etc/pf.conf
> > # pfctl -e
> >
> > i'm using the userland ppp service, as it seems from the tun0 interface.
> >
> > is this issue already known, and is it really a bug, or am i doing something
> > wrong? the pf.conf is available from here. this is my home gateway, it's
> > also a testbox, some kind of playground.
> >
> > uname -a:
> > FreeBSD beeblebrox.harmless.lan 6.1-STABLE FreeBSD 6.1-STABLE #0: Fri May
> > 19 14:25:03 CEST 2006
> > root@beeblebrox.harmless.lan:/usr/obj/usr/src/sys/BEEBLEBROX i386
> >
> > pf.conf:
> > http://phoemix.harmless.hu/pf.beeblebrox.conf
>
> Try using:
>
> (tun0:0) in "to", "from" and "->" statements. The ":0" after the interface
> name will make sure that we don't use alias addresses on the interface. In
> fact this is a bug in ppp, but it was decided that it was non-trivial to fix
> it. I don't remember all the details, but
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=69954

yes, seems similar

>
> was the PR back then.
>
> btw, you seem to be missing "()" around $if_ppp in the ftp-proxy rule.

thanks for this notice

i've changed my rules to:
nat on $if_ppp from {10.1.0.0/16, 127.0.0.1, $ip_zaphod} to 0.0.0.0/0 -> ($if_ppp:0)
and also corrected the non-related ftp-proxy rule :)

thanks for the workaround, i've adjusted my config, i hope this will fix the issue for a while

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu
PGP: http://phoemix.harmless.hu/phoemix.pgp

Weenies test. Geniuses solve problems that arise.
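One way to catch both of Max's points before the next reload, as an added example that is not code from the thread or from pf itself: a small sh/awk lint that reports interface addresses in "from", "to" and "->" positions that are either written without "()" (resolved once at load time) or written as "(if)" without ":0" (may pick up a stale alias). The interface name tun0 and the macro name if_ppp are taken from the thread; the sample ruleset is constructed for this example.

```shell
#!/bin/sh
# Added example (not code from the thread or from FreeBSD/pf): a pf.conf lint
# for the two points Max raised.  Interface name tun0 and macro name if_ppp
# come from the thread; the sample ruleset below is constructed.
#   1. "(tun0)" / "($if_ppp)" without ":0" lets pf use any address on the
#      interface, including a stale alias left behind by an IPCP renegotiation
#   2. a bare "tun0" / "$if_ppp" address is resolved once at load time and goes
#      stale when ppp changes the address
# Only "on <if>" (the rule binding) is left alone; "from", "to" and "->" are
# all checked, which is exactly where Max suggested (tun0:0).

# lint_pf_iface FILE IFACE  -- print one finding per line (nothing if clean)
lint_pf_iface() {
    awk -v iface="$2" '
        # macro definitions such as if_ppp="tun0": remember which macros name IFACE
        /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=[ \t]*"?[^"]*"?[ \t]*$/ {
            name = $0; sub(/[ \t]*=.*/, "", name)
            val  = $0; sub(/^[^=]*=[ \t]*/, "", val); gsub(/"/, "", val)
            if (val == iface) macro["$" name] = 1
            next
        }
        # filter and translation rules are the only lines that carry addresses
        /^(pass|block|nat|rdr|binat|no)[ \t]/ {
            line = $0; sub(/#.*/, "", line)
            n = split(line, tok, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                t = tok[i]
                gsub(/[{},]/, "", t)                      # tolerate "{ a, b }" lists
                if (t == "" || tok[i-1] == "on") continue  # "on tun0" is the binding
                inner = t
                paren = (inner ~ /^\(.*\)$/)
                if (paren) { sub(/^\(/, "", inner); sub(/\)$/, "", inner) }
                base = inner; sub(/:0$/, "", base)
                if (base != iface && !(base in macro)) continue
                if (!paren)
                    printf "%d: %s is resolved once at load time, use (%s:0)\n", NR, t, t
                else if (inner !~ /:0$/)
                    printf "%d: %s may include alias addresses, use (%s:0)\n", NR, t, base
            }
        }
    ' "$1"
}

# count_findings FILE IFACE -- number of findings (0 = clean)
count_findings() {
    lint_pf_iface "$1" "$2" | wc -l | tr -d ' '
}

# Constructed ruleset modelled on the nat rule Gergely posted; not his pf.conf.
PF_BEFORE="${TMPDIR:-/tmp}/pflint.before.$$"
PF_AFTER="${TMPDIR:-/tmp}/pflint.after.$$"
trap 'rm -f "$PF_BEFORE" "$PF_AFTER"' EXIT
cat > "$PF_BEFORE" <<'EOF'
# constructed sample: ppp interface addresses without "()" or ":0"
if_ppp="tun0"
int_if="fxp0"
ip_zaphod="10.1.0.5"
nat on $if_ppp from { 10.1.0.0/16, 127.0.0.1, $ip_zaphod } to 0.0.0.0/0 -> ($if_ppp)
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
pass in on $if_ppp inet proto tcp from any to $if_ppp user proxy keep state
pass out on $if_ppp from ($if_ppp:0) to any keep state
EOF

# The same ruleset with the workaround from the thread applied.
sed -e 's/-> (\$if_ppp)$/-> ($if_ppp:0)/' \
    -e 's/to \$if_ppp user/to ($if_ppp:0) user/' "$PF_BEFORE" > "$PF_AFTER"

lint_pf_iface "$PF_BEFORE" tun0
echo "findings before: $(count_findings "$PF_BEFORE" tun0), after: $(count_findings "$PF_AFTER" tun0)"
```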
--LQksG6bCIzRHxTLp Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFEdLqtbBsEN0U7BV0RAmAZAKCLAo2NiJjnIxWkXXKSXvD9ECbeYgCg+CnB v2H3IyPi8/mC+gjhE0NLL9w= =fijO -----END PGP SIGNATURE----- --LQksG6bCIzRHxTLp-- From owner-freebsd-pf@FreeBSD.ORG Wed May 24 21:14:15 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 239C216AC66 for ; Wed, 24 May 2006 21:14:15 +0000 (UTC) (envelope-from gus@clacso.edu.ar) Received: from piluso.clacso.edu.ar (piluso.clacso.edu.ar [168.96.200.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id AA8D343D78 for ; Wed, 24 May 2006 21:14:10 +0000 (GMT) (envelope-from gus@clacso.edu.ar) Received: from panda.clacso.edu.ar ([168.96.200.196] helo=clacso.edu.ar) by piluso.clacso.edu.ar with esmtp (Exim 4.50) id 1Fj0hv-0002Dn-Ko; Wed, 24 May 2006 18:15:55 -0300 Message-ID: <4474CE3D.8050702@clacso.edu.ar> Date: Wed, 24 May 2006 18:21:01 -0300 From: gus User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Gilberto Villani Brito , freebsd-pf@freebsd.org References: <44723D2C.30801@clacso.edu.ar> <200605230224.27758.max@love2party.net> <44735A60.70709@clacso.edu.ar> <20060523162001.58be6ebe@giboia> In-Reply-To: <20060523162001.58be6ebe@giboia> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: Re: pf configuration de Argentina X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 May 2006 21:14:23 -0000 Gilberto Villani Brito wrote: 
>Gus, >I already had this doubt. >Try use: >pass in on $int_if from $uext1 to any queue uext1_in > >PS: This cup is owned by Brazil. > Gilberto Sorry for the win of world cup...(Argentina) but now the problem is pf.... I had change the line but , when triet of connect my machine 168.96.200.196 ...to 6K.... These not see these band , and so access to 100 K.... Any idea!!!! Abracos Gus ======================================= ext_if="xl0" # replace with actual external interface name i.e., dc0 int_if="xl1" # replace with actual internal interface name i.e., dc1 internal_net="168.96.200.0/24" #external_addr="168.96.200.1" #Tables: similar to macros, but more flexible for many addresses. #table { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 } # Options: tune the behavior of pf, default values are given. #set timeout { interval 10, frag 30 } #set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 } #set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 } #set timeout { udp.first 60, udp.single 30, udp.multiple 60 } #set timeout { icmp.first 20, icmp.error 10 } #set timeout { other.first 60, other.single 30, other.multiple 60 } #set timeout { adaptive.start 0, adaptive.end 0 } #set limit { states 10000, frags 5000 } #set loginterface none #set optimization normal #set block-policy drop #set require-order yes #set fingerprints "/etc/pf.os" # Normalization: reassemble fragments and resolve or reduce traffic ambiguities. #scrub in all # Queueing: rule-based bandwidth control. 
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing } #queue dflt bandwidth 5% cbq(default) #queue developers bandwidth 80% #queue marketing bandwidth 15% table { 168.96.200.87, 168.96.200.8, 168.96.200.55, 168.96.200.196 } set loginterface $int_if set fingerprints "/etc/pf.os" altq on $int_if bandwidth 100Mb cbq queue { dflt_in, uext1_in } altq on $ext_if bandwidth 600Kb cbq queue { dflt_out } queue dflt_in cbq (default) bandwidth 60% queue dflt_out cbq (default) queue uext1_in bandwidth 6Kb uext1="168.96.200.196" nat on $ext_if from to any -> ($ext_if) pass in on $int_if from $uext1 to any queue uext1_in # Translation: specify how addresses are to be mapped or redirected. # nat: packets going out through $ext_if with source address $internal_net will # get translated as coming from the address of $ext_if, a state is created for # such packets, and incoming packets will be redirected to the internal address. #nat on $ext_if from $internal_net to any -> ($ext_if) # rdr: packets coming in on $ext_if with destination $external_addr:1234 will # be redirected to 10.1.1.1:5678. A state is created for such packets, and # outgoing packets will be translated as coming from the external address. #rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678 # rdr outgoing FTP requests to the ftp-proxy #rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021 # spamd-setup puts addresses to be redirected into table . #table persist #no rdr on { lo0, lo1 } from any to any #rdr inet proto tcp from to any port smtp -> 127.0.0.1 port 8025 # Filtering: the implicit first two rules are #pass in all #pass out all # block all incoming packets but allow ssh, pass all outgoing tcp and udp # connections and keep state, logging blocked packets. 
#block in log all #pass in on $ext_if proto tcp from any to $ext_if port 22 keep state #pass out on $ext_if proto { tcp, udp } all keep state # pass incoming packets destined to the addresses given in table . #pass in on $ext_if proto { tcp, udp } from any to port 80 keep state # pass incoming ports for ftp-proxy #pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state # assign packets to a queue. #pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers #pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing From owner-freebsd-pf@FreeBSD.ORG Thu May 25 12:32:13 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 28B7916A420 for ; Thu, 25 May 2006 12:32:13 +0000 (UTC) (envelope-from peter@bgnett.no) Received: from skapet.datadok.no (skapet.datadok.no [194.54.107.19]) by mx1.FreeBSD.org (Postfix) with ESMTP id AF10843D45 for ; Thu, 25 May 2006 12:32:12 +0000 (GMT) (envelope-from peter@bgnett.no) Received: from amidala.datadok.no ([194.54.103.98]) by skapet.datadok.no with esmtp (Exim 4.60) (envelope-from ) id 1FjF0d-000840-DZ for freebsd-pf@freebsd.org; Thu, 25 May 2006 14:32:11 +0200 To: freebsd-pf@freebsd.org References: <4474CE3D.8050702@clacso.edu.ar> From: peter@bgnett.no (Peter N. M. 
Hansteen) Date: Thu, 25 May 2006 14:31:11 +0200 In-Reply-To: <4474CE3D.8050702@clacso.edu.ar> (gus@clacso.edu.ar's message of "Wed, 24 May 2006 18:21:01 -0300") Message-ID: <86slmy1e28.fsf@amidala.datadok.no> User-Agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4.19 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Subject: Re: pf configuration de Argentina X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 May 2006 12:32:13 -0000 gus writes: > but now the problem is pf.... > I had change the line but , when triet of connect my machine > 168.96.200.196 ...to 6K.... > These not see these band , and so access to 100 K.... your rule set doesn't do a whole lot - if you remove the lines wihch are commented out, you get -- [ snip ] -- ext_if="xl0" # replace with actual external interface name i.e., dc0 int_if="xl1" # replace with actual internal interface name i.e., dc1 internal_net="168.96.200.0/24" table { 168.96.200.87, 168.96.200.8, 168.96.200.55, 168.96.200.196 } set loginterface $int_if set fingerprints "/etc/pf.os" altq on $int_if bandwidth 100Mb cbq queue { dflt_in, uext1_in } altq on $ext_if bandwidth 600Kb cbq queue { dflt_out } queue dflt_in cbq (default) bandwidth 60% queue dflt_out cbq (default) queue uext1_in bandwidth 6Kb uext1="168.96.200.196" nat on $ext_if from to any -> ($ext_if) pass in on $int_if from $uext1 to any queue uext1_in -- [ unsnip ] -- (except possibly your lack of keep state and friends may be what trips you up since nat really needs state) which makes me suspect that the problem lies elsewhere. Have you enabled gatewaying, for example? Check the output from $ sysctl net.inet.ip.forwarding If it is net.inet.ip.forwarding: 0, that's where your problem is located. 
Next, I would try to get rid of the altq parts until you have useful filtering and NAT in place. One suggestion (untested but fairly trivial) for a starting point would be ext_if="xl0" # replace with actual external interface name i.e., dc0 int_if="xl1" # replace with actual internal interface name i.e., dc1 internal_net="168.96.200.0/24" table { 168.96.200.87, 168.96.200.8, 168.96.200.55, 168.96.200.196 } nat on $ext_if from $localnet to any -> ($ext_if) block all pass from to any keep state You may also want to take a peek at my PF tutorial located at http://www.bgnett.no/~peter/pf/, updated with some wart removal after BSDCan and SANE. -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/ "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales" 20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds. From owner-freebsd-pf@FreeBSD.ORG Thu May 25 14:46:56 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 789B116A476 for ; Thu, 25 May 2006 14:46:56 +0000 (UTC) (envelope-from linux@giboia.org) Received: from adriana.dilk.com.br (adriana.dilk.com.br [200.250.23.1]) by mx1.FreeBSD.org (Postfix) with SMTP id 8D60043D46 for ; Thu, 25 May 2006 14:46:55 +0000 (GMT) (envelope-from linux@giboia.org) Received: (qmail 34794 invoked by uid 98); 25 May 2006 14:46:55 -0000 Received: from 10.0.0.93 by lda.dilk.com.br (envelope-from , uid 82) with qmail-scanner-1.25-st-qms (uvscan: v4.4.00/v4545. perlscan: 1.25-st-qms. Clear:RC:1(10.0.0.93):. 
Processed in 0.025296 secs); 25 May 2006 14:46:55 -0000 Received: from unknown (HELO giboia) (linux@giboia.org@10.0.0.93) by adriana.dilk.com.br with SMTP; 25 May 2006 14:46:54 -0000 Date: Thu, 25 May 2006 11:50:52 -0300 From: Gilberto Villani Brito To: gus , freebsd-pf@freebsd.org Message-ID: <20060525115052.092990aa@giboia> In-Reply-To: <4474CE3D.8050702@clacso.edu.ar> References: <44723D2C.30801@clacso.edu.ar> <200605230224.27758.max@love2party.net> <44735A60.70709@clacso.edu.ar> <20060523162001.58be6ebe@giboia> <4474CE3D.8050702@clacso.edu.ar> X-Mailer: Sylpheed-Claws 1.0.4 (GTK+ 1.2.10; i586-mandriva-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: Subject: Re: pf configuration de Argentina X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 May 2006 14:46:59 -0000 Hi, I tested your rules and it worked correctly. Maybe you need put: ... block all pass out on $int_if from any to pass in on $int_if any to any pass out on $ext_if from any to any pass in on $ext_if from any to any pass in on $int_if from $uext1 to any queue uext1_in ... All in this order. PS: Let see the champion. Abra=E7os Gilberto On Wed, 24 May 2006 18:21:01 -0300 gus wrote: > Gilberto Villani Brito wrote: >=20 > >Gus, > >I already had this doubt. > >Try use: > >pass in on $int_if from $uext1 to any queue uext1_in > > > >PS: This cup is owned by Brazil. > > > Gilberto >=20 > Sorry for the win of world cup...(Argentina) >=20 > but now the problem is pf.... > I had change the line but , when triet of connect my machine=20 > 168.96.200.196 ...to 6K.... > These not see these band , and so access to 100 K.... >=20 > Any idea!!!! 
>=20 > Abracos > Gus >=20 > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D >=20 > ext_if=3D"xl0" # replace with actual external interface name i.e., dc0 > int_if=3D"xl1" # replace with actual internal interface name i.e., dc1 > internal_net=3D"168.96.200.0/24" > #external_addr=3D"168.96.200.1" >=20 > #Tables: similar to macros, but more flexible for many addresses. > #table { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 } >=20 > # Options: tune the behavior of pf, default values are given. > #set timeout { interval 10, frag 30 } > #set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 } > #set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 } > #set timeout { udp.first 60, udp.single 30, udp.multiple 60 } > #set timeout { icmp.first 20, icmp.error 10 } > #set timeout { other.first 60, other.single 30, other.multiple 60 } > #set timeout { adaptive.start 0, adaptive.end 0 } > #set limit { states 10000, frags 5000 } > #set loginterface none > #set optimization normal > #set block-policy drop > #set require-order yes > #set fingerprints "/etc/pf.os" >=20 > # Normalization: reassemble fragments and resolve or reduce traffic=20 > ambiguities. > #scrub in all >=20 > # Queueing: rule-based bandwidth control. 
> #altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
> #queue dflt bandwidth 5% cbq(default)
> #queue developers bandwidth 80%
> #queue marketing bandwidth 15%
>
> table { 168.96.200.87, 168.96.200.8, 168.96.200.55, 168.96.200.196 }
>
> set loginterface $int_if
> set fingerprints "/etc/pf.os"
>
> altq on $int_if bandwidth 100Mb cbq queue { dflt_in, uext1_in }
> altq on $ext_if bandwidth 600Kb cbq queue { dflt_out }
>
> queue dflt_in cbq (default) bandwidth 60%
> queue dflt_out cbq (default)
>
> queue uext1_in bandwidth 6Kb
>
> uext1="168.96.200.196"
>
> nat on $ext_if from to any -> ($ext_if)
>
> pass in on $int_if from $uext1 to any queue uext1_in
>
> # Translation: specify how addresses are to be mapped or redirected.
> # nat: packets going out through $ext_if with source address $internal_net will
> # get translated as coming from the address of $ext_if, a state is created for
> # such packets, and incoming packets will be redirected to the internal address.
> #nat on $ext_if from $internal_net to any -> ($ext_if)
>
> # rdr: packets coming in on $ext_if with destination $external_addr:1234 will
> # be redirected to 10.1.1.1:5678. A state is created for such packets, and
> # outgoing packets will be translated as coming from the external address.
> #rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678
>
> # rdr outgoing FTP requests to the ftp-proxy
> #rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>
> # spamd-setup puts addresses to be redirected into table .
> #table persist
> #no rdr on { lo0, lo1 } from any to any
> #rdr inet proto tcp from to any port smtp -> 127.0.0.1 port 8025
>
> # Filtering: the implicit first two rules are
> #pass in all
> #pass out all
>
> # block all incoming packets but allow ssh, pass all outgoing tcp and udp
> # connections and keep state, logging blocked packets.
> #block in log all
> #pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
> #pass out on $ext_if proto { tcp, udp } all keep state
>
> # pass incoming packets destined to the addresses given in table .
> #pass in on $ext_if proto { tcp, udp } from any to port 80 keep state
>
> # pass incoming ports for ftp-proxy
> #pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
>
> # assign packets to a queue.
> #pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
> #pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing
>
>

From owner-freebsd-pf@FreeBSD.ORG Thu May 25 18:09:52 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 33C5D16B3F1 for ; Thu, 25 May 2006 18:09:52 +0000 (UTC) (envelope-from veldy@veldy.net) Received: from sccrmhc13.comcast.net (sccrmhc13.comcast.net [204.127.200.83]) by mx1.FreeBSD.org (Postfix) with ESMTP id A4BF843D46 for ; Thu, 25 May 2006 18:09:51 +0000 (GMT) (envelope-from veldy@veldy.net) Received: from fuggle.veldy.net (c-66-41-96-112.hsd1.mn.comcast.net[66.41.96.112]) by comcast.net (sccrmhc13) with ESMTP id <2006052518095001300bj11ce>; Thu, 25 May 2006 18:09:50 +0000 Received: from fuggle.veldy.net (localhost [127.0.0.1]) by fuggle.veldy.net (Postfix) with ESMTP id 258367C42 for ; Thu, 25 May 2006 13:09:50 -0500 (CDT) Received: from [127.0.0.1] (localhost [127.0.0.1]) by fuggle.veldy.net (Postfix) with ESMTP id CFFC27C04 for ; Thu, 25 May 2006 13:09:49 -0500 (CDT) Message-ID: <4475F2ED.5090603@veldy.net> Date: Thu, 25 May 2006 13:09:49 -0500 From: "Thomas T.
Veldhouse" User-Agent: Thunderbird 1.5.0.2 (Windows/20060308) MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: <20060524071059.127761F3708@www.vessalex.com> In-Reply-To: <20060524071059.127761F3708@www.vessalex.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: ClamAV using ClamSMTP Subject: Re: PayPal Fraud Alert X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 May 2006 18:10:05 -0000 aw-confirm@paypal.com wrote: > [1][paypal_logo.gif] > > [pixel.gif] > > PayPal Security Measures! > > Cool!!! FreeBSD-PF has a PayPal account!! :-) Tom Veldhouse From owner-freebsd-pf@FreeBSD.ORG Thu May 25 18:23:09 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1054616B4FE for ; Thu, 25 May 2006 18:23:09 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.177]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8B53043D7C for ; Thu, 25 May 2006 18:23:06 +0000 (GMT) (envelope-from max@love2party.net) Received: from [88.64.191.119] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu3) with ESMTP (Nemesis), id 0MKxQS-1FjKUB0jWT-0006su; Thu, 25 May 2006 20:23:03 +0200 From: Max Laier Organization: FreeBSD To: freebsd-pf@freebsd.org Date: Thu, 25 May 2006 20:22:54 +0200 User-Agent: KMail/1.9.1 References: <20060524071059.127761F3708@www.vessalex.com> <4475F2ED.5090603@veldy.net> In-Reply-To: <4475F2ED.5090603@veldy.net> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart37086475.mY4enIxaAx"; protocol="application/pgp-signature"; micalg=pgp-sha1 
Content-Transfer-Encoding: 7bit Message-Id: <200605252023.02134.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: Subject: Re: PayPal Fraud Alert X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 May 2006 18:23:18 -0000

On Thursday 25 May 2006 20:09, Thomas T. Veldhouse wrote:
> aw-confirm@paypal.com wrote:
> > [1][paypal_logo.gif]
> >
> > [pixel.gif]
> >
> > PayPal Security Measures!
>
> Cool!!! FreeBSD-PF has a PayPal account!! :-)

http://freebsdfoundation.org/donating.shtml :-)

-- 
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQBEdfYGXyyEoT62BG0RAgV1AJ4uH0QR3Wg0FuZi1nI1Bf1j1H/BwQCdHN1J
EoYxKd+m5lT9vZmiYkcNie8=
=yFxD
-----END PGP SIGNATURE-----

From owner-freebsd-pf@FreeBSD.ORG Fri May 26 05:52:31 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B505F16A625 for ; Fri, 26 May 2006 05:52:31 +0000 (UTC) (envelope-from wsantee@gmail.com) Received: from nz-out-0102.google.com (nz-out-0102.google.com [64.233.162.200]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2D9F543D46 for ; Fri, 26 May 2006 05:52:31 +0000 (GMT) (envelope-from wsantee@gmail.com) Received: by nz-out-0102.google.com with SMTP id
l8so370481nzf for ; Thu, 25 May 2006 22:52:30 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:user-agent:mime-version:to:subject:x-enigmail-version:content-type:content-transfer-encoding; b=pjtAxyHbWhvf91bCJDa1QDmdFOZsdHhzChKUF+HHOHvy+36lzPuThaKw8J42Vt17doXnjJvv0s1V2naTdg33UqirraCxxNvwhWW7DiF+pxzsVDSjPnnXC1ZlAuWdut/T4a/JkD+uhrQcmkEwt+IiACZ/oRGe0YuXDWzuRg4IGsU= Received: by 10.36.134.14 with SMTP id h14mr238623nzd; Thu, 25 May 2006 22:52:30 -0700 (PDT) Received: from ?10.0.1.3? ( [70.56.74.135]) by mx.gmail.com with ESMTP id 8sm172767nzn.2006.05.25.22.52.29; Thu, 25 May 2006 22:52:30 -0700 (PDT) Message-ID: <447697BE.2080403@gmail.com> Date: Thu, 25 May 2006 22:53:02 -0700 From: Wes Santee User-Agent: Thunderbird 1.5.0.2 (Windows/20060308) MIME-Version: 1.0 To: freebsd-pf@freebsd.org X-Enigmail-Version: 0.94.0.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: pfsync broadcasts without CARP/pfsync enabled X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 May 2006 05:52:35 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Greetings! I noticed that in FreeBSD 6.1-RELEASE, I'm seeing a lot of pfsync broadcasts. However, I have neither CARP nor pfsync enabled on the box. Anyone know where these are coming from and how I can stop them? 
$ tcpdump -n -i ath0 proto pfsync
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ath0, link-type EN10MB (Ethernet), capture size 96 bytes
22:40:41.232887 IP 10.0.0.2 > 0.0.0.0: pfsync 228
22:40:41.273770 IP 10.0.0.2 > 0.0.0.0: pfsync 228
22:40:42.232928 IP 10.0.0.2 > 0.0.0.0: pfsync 228
22:40:43.232635 IP 10.0.0.2 > 0.0.0.0: pfsync 228
22:40:44.282448 IP 10.0.0.2 > 0.0.0.0: pfsync 452
22:40:45.291284 IP 10.0.0.2 > 0.0.0.0: pfsync 452
22:40:45.771212 IP 10.0.0.2 > 0.0.0.0: pfsync 228
22:40:46.514065 IP 10.0.0.2 > 0.0.0.0: pfsync 228
22:40:46.517593 IP 10.0.0.2 > 0.0.0.0: pfsync 228
22:40:47.514947 IP 10.0.0.2 > 0.0.0.0: pfsync 228
22:40:48.574785 IP 10.0.0.2 > 0.0.0.0: pfsync 228
22:40:48.919877 IP 10.0.0.2 > 0.0.0.0: pfsync 452
22:40:48.992723 IP 10.0.0.2 > 0.0.0.0: pfsync 900
^C
13 packets captured
21 packets received by filter
0 packets dropped by kernel

I've got 2 interfaces in the box, but it's only happening on ath0 (which is the only wireless NIC). Note that these appear to be pfsync protocol broadcast packets, not pfsync multicast packets.
Cheers, - -Wes -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) iQIVAwUBRHaXuorq8W17hxGfAQiCpw//QcjjtnI+/v/HFXVo1wO1pFnUK4rcwvk0 bsapBxmadE64ryLEz3uTfsGHRh777OP3owPRSnvVlzo8MMob6Rofj8ZRdBvQZaV2 vinR/lqXi8ZuXIMdiZAqHgAHfRGkLYRFjw71k/Aj+1bbhZh14ty1r7UZ4F3Y8nim cjyFIFs9wgFeddFyffNJKkuhyp2/IYeXu8BRJAhrdVEBnkjKcpTVmbGc/z5IJQkO YB4C/kkCfdUtGv60xwnYAYjDKAXlPAA5svfpmIe8jpSSwIUStBJK70kLdv0PkaWh +QN/G/uDPavYXwlblu3zHMdpemQaz91B4TUT7cGoVinbk/sOisHlWRb+HAHDhhks WejDhyo6QozqcXmzm8TweD95dF0cszEj3uGV/a7BT2pHd6VtwYhvv4veGStOdf01 MZ3UzVPs5QVasa07XID8bGkoTJlXvUn47FmP5OWJU97ys8tg0/8/CVdJ5Uwdo/3m auyxxSeDqAlx8w8reksRXWO68wNre4lj8G35IVNUgSvJhOgl5MrvYvAfhOswvGA+ x2W5e+zQ16pPsUEPxRO8TVJPW2V8EopcZZy1k5FilKa6ZTHM1MlZu9BCM/anApN2 +QomvIWomekXhkUyaCItXKINARAE3zBEQjXUY+RZCJ26NpqiTXEVEiFSbdWuqmWn jCzxlwM35kE= =upDG -----END PGP SIGNATURE----- From owner-freebsd-pf@FreeBSD.ORG Fri May 26 07:49:43 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C96C216A836 for ; Fri, 26 May 2006 07:49:43 +0000 (UTC) (envelope-from hdemir@metu.edu.tr) Received: from tenedos.general.services.metu.edu.tr (tenedos.general.services.metu.edu.tr [144.122.144.162]) by mx1.FreeBSD.org (Postfix) with ESMTP id A357F43D48 for ; Fri, 26 May 2006 07:49:41 +0000 (GMT) (envelope-from hdemir@metu.edu.tr) Received: from simena.user.services.metu.edu.tr (simena.user.services.metu.edu.tr [144.122.144.15]) by tenedos.general.services.metu.edu.tr (8.13.6/8.13.6) with ESMTP id k4Q7nep2030792; Fri, 26 May 2006 10:49:40 +0300 Received: (from hdemir@localhost) by simena.user.services.metu.edu.tr (8.13.6/8.13.6/Submit) id k4Q7ndch512094; Fri, 26 May 2006 10:49:39 +0300 Date: Fri, 26 May 2006 10:49:38 +0300 From: husnu demir To: Wes Santee Message-ID: <20060526074938.GA704568@metu.edu.tr> References: <447697BE.2080403@gmail.com> Mime-Version: 1.0 Content-Type: text/plain; 
charset=us-ascii Content-Disposition: inline In-Reply-To: <447697BE.2080403@gmail.com> User-Agent: Mutt/1.5.10i X-Virus-Scanned: ClamAV 0.88.2/1485/Thu May 25 22:29:05 2006 on tenedos.general.services.metu.edu.tr X-Virus-Status: Clean Cc: freebsd-pf@freebsd.org Subject: Re: pfsync broadcasts without CARP/pfsync enabled X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 May 2006 07:49:45 -0000

Just write

  ifconfig pfsync0 -syncif

It will stop the sending of pfsync packets.

Regards.
Husnu Demir.

On Thu, May 25, 2006 at 10:53:02PM -0700, Wes Santee wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Greetings!
>
> I noticed that in FreeBSD 6.1-RELEASE, I'm seeing a lot of pfsync
> broadcasts. However, I have neither CARP nor pfsync enabled on the
> box. Anyone know where these are coming from and how I can stop them?
> > $ tcpdump -n -i ath0 proto pfsync > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode > listening on ath0, link-type EN10MB (Ethernet), capture size 96 bytes > 22:40:41.232887 IP 10.0.0.2 > 0.0.0.0: pfsync 228 > 22:40:41.273770 IP 10.0.0.2 > 0.0.0.0: pfsync 228 > 22:40:42.232928 IP 10.0.0.2 > 0.0.0.0: pfsync 228 > 22:40:43.232635 IP 10.0.0.2 > 0.0.0.0: pfsync 228 > 22:40:44.282448 IP 10.0.0.2 > 0.0.0.0: pfsync 452 > 22:40:45.291284 IP 10.0.0.2 > 0.0.0.0: pfsync 452 > 22:40:45.771212 IP 10.0.0.2 > 0.0.0.0: pfsync 228 > 22:40:46.514065 IP 10.0.0.2 > 0.0.0.0: pfsync 228 > 22:40:46.517593 IP 10.0.0.2 > 0.0.0.0: pfsync 228 > 22:40:47.514947 IP 10.0.0.2 > 0.0.0.0: pfsync 228 > 22:40:48.574785 IP 10.0.0.2 > 0.0.0.0: pfsync 228 > 22:40:48.919877 IP 10.0.0.2 > 0.0.0.0: pfsync 452 > 22:40:48.992723 IP 10.0.0.2 > 0.0.0.0: pfsync 900 > ^C > 13 packets captured > 21 packets received by filter > 0 packets dropped by kernel > > I've got 2 interfaces in the box, but it's only happening on ath0 > (which is the only wireless NIC). Note that these appear to be pfsync > protocol broadcast packets, not pfsync multicast packets. 
> > Cheers, > - -Wes > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.2 (MingW32) > > iQIVAwUBRHaXuorq8W17hxGfAQiCpw//QcjjtnI+/v/HFXVo1wO1pFnUK4rcwvk0 > bsapBxmadE64ryLEz3uTfsGHRh777OP3owPRSnvVlzo8MMob6Rofj8ZRdBvQZaV2 > vinR/lqXi8ZuXIMdiZAqHgAHfRGkLYRFjw71k/Aj+1bbhZh14ty1r7UZ4F3Y8nim > cjyFIFs9wgFeddFyffNJKkuhyp2/IYeXu8BRJAhrdVEBnkjKcpTVmbGc/z5IJQkO > YB4C/kkCfdUtGv60xwnYAYjDKAXlPAA5svfpmIe8jpSSwIUStBJK70kLdv0PkaWh > +QN/G/uDPavYXwlblu3zHMdpemQaz91B4TUT7cGoVinbk/sOisHlWRb+HAHDhhks > WejDhyo6QozqcXmzm8TweD95dF0cszEj3uGV/a7BT2pHd6VtwYhvv4veGStOdf01 > MZ3UzVPs5QVasa07XID8bGkoTJlXvUn47FmP5OWJU97ys8tg0/8/CVdJ5Uwdo/3m > auyxxSeDqAlx8w8reksRXWO68wNre4lj8G35IVNUgSvJhOgl5MrvYvAfhOswvGA+ > x2W5e+zQ16pPsUEPxRO8TVJPW2V8EopcZZy1k5FilKa6ZTHM1MlZu9BCM/anApN2 > +QomvIWomekXhkUyaCItXKINARAE3zBEQjXUY+RZCJ26NpqiTXEVEiFSbdWuqmWn > jCzxlwM35kE= > =upDG > -----END PGP SIGNATURE----- > > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" From owner-freebsd-pf@FreeBSD.ORG Fri May 26 13:05:32 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7586216A487 for ; Fri, 26 May 2006 13:05:32 +0000 (UTC) (envelope-from dimas@dataart.com) Received: from relay1.dataart.com (fobos.marketsite.ru [62.152.84.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0CD2D43D60 for ; Fri, 26 May 2006 13:05:29 +0000 (GMT) (envelope-from dimas@dataart.com) Received: from e1.universe.dart.spb ([192.168.10.44]) by relay1.dataart.com with esmtp (Exim 4.62) (envelope-from ) id 1Fjc0N-000ENn-QH for freebsd-pf@freebsd.org; Fri, 26 May 2006 17:05:27 +0400 x-mimeole: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Date: Fri, 26 May 2006 17:03:40 +0400 Message-ID: 
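The capture in this thread, as an added example that is not part of either post: a small sh/awk classifier over tcpdump(8) summary lines of the form Wes posted, separating pfsync packets sent to the pfsync multicast group (224.0.0.240) from packets sent anywhere else, which is what an unconfigured or misconfigured pfsync0 looks like on the wire. The sample lines are constructed for the example, not Wes's capture. This is worth checking on any box, not just a clean one: pfsync carries the firewall's state table in cleartext with no authentication, so stray pfsync on a wireless interface hands the connection table to anyone in range; pfsync(4) expects a dedicated or IPsec-protected link.

```shell
#!/bin/sh
# Added example: classify pfsync packets seen in tcpdump(8) summary output.
# Input lines look like
#   22:40:41.232887 IP 10.0.0.2 > 0.0.0.0: pfsync 228
# Fields: 1=time 2="IP" 3=src 4=">" 5="dst:" 6=protocol ...

# Constructed sample (not the capture from the post): two stray pfsync
# packets, one to the proper multicast group and one non-pfsync packet.
SAMPLE='22:40:41.232887 IP 10.0.0.2 > 0.0.0.0: pfsync 228
22:40:44.282448 IP 10.0.0.2 > 224.0.0.240: pfsync 452
22:40:45.100000 IP 10.0.0.2 > 10.0.0.9: pfsync 228
22:40:46.000000 IP 10.0.0.2 > 10.0.0.1: ICMP echo request, id 1, seq 1, length 64'

# classify_pfsync: stdin = tcpdump lines; stdout = "src dst kind" for every
# pfsync packet. kind is multicast (224.0.0.240, the pfsync group),
# unconfigured (destination 0.0.0.0) or unicast (an explicit sync peer).
classify_pfsync() {
    awk '
        $2 == "IP" && $6 == "pfsync" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            if (dst == "224.0.0.240")   kind = "multicast"
            else if (dst == "0.0.0.0")  kind = "unconfigured"
            else                        kind = "unicast"
            print src, dst, kind
        }'
}

# count_stray_pfsync: stdin = tcpdump lines; stdout = number of pfsync
# packets that are NOT addressed to the multicast group.
count_stray_pfsync() {
    classify_pfsync | awk '$3 != "multicast" { n++ } END { print n + 0 }'
}

# pfsync_senders: stdin = tcpdump lines; stdout = unique source addresses
# emitting pfsync, one per line, for tracking down the host responsible.
pfsync_senders() {
    classify_pfsync | awk '{ print $1 }' | sort -u
}

# Live use on the interface from the post (needs root; not run here):
#   tcpdump -n -l -i ath0 proto pfsync | count_stray_pfsync
printf '%s\n' "$SAMPLE" | classify_pfsync
```

A non-zero stray count from a host that is not supposed to run pfsync at all is the condition Wes hit; after applying Husnu's fix the same pipeline should print 0.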
X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: FILTERGIF Thread-Index: AcaAxQ4+IKmbzLfMQXyXmnJzCa6xNQ== From: "Dmitry Andrianov" To: Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: FILTERGIF X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 May 2006 13:05:32 -0000

Hello.

Is there a way to identify that an ipencap packet on the external interface did not come from the wire but was decapsulated from an allowed ESP packet?

... or should I file a PR for that? :=)

Regards,
Dmitry Andrianov

From owner-freebsd-pf@FreeBSD.ORG Fri May 26 14:52:37 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D20D216A420 for ; Fri, 26 May 2006 14:52:37 +0000 (UTC) (envelope-from peter@pean.org) Received: from mxfep02.bredband.com (mxfep02.bredband.com [195.54.107.73]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1318643D46 for ; Fri, 26 May 2006 14:52:36 +0000 (GMT) (envelope-from peter@pean.org) Received: from [192.168.1.24] ([213.114.218.56] [213.114.218.56]) by mxfep02.bredband.com with ESMTP id <20060526145235.NJUV29698.mxfep02.bredband.com@[192.168.1.24]> for ; Fri, 26 May 2006 16:52:35 +0200 Message-ID: <44771631.6050901@pean.org> Date: Fri, 26 May 2006 16:52:33 +0200 From: Peter Ankerstål User-Agent: Mozilla Thunderbird 1.0.7 (X11/20060103) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: authpf.
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 May 2006 14:52:37 -0000 I am using authpf for my wifi-network. But I want to redirect all of the http-traffic to a webserver to show a "error message" when not authenticated via authpf. But how to "remove" this rule when I authenticate? As far as I know authpf just adds rules to the ruleset. From owner-freebsd-pf@FreeBSD.ORG Fri May 26 15:40:54 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 06F2816A508 for ; Fri, 26 May 2006 15:40:54 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id BA84C43D46 for ; Fri, 26 May 2006 15:40:18 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1]) by insomnia.benzedrine.cx (8.13.4/8.13.4) with ESMTP id k4QFeD75016457 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Fri, 26 May 2006 17:40:13 +0200 (MEST) Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.13.4/8.12.10/Submit) id k4QFeClF024375; Fri, 26 May 2006 17:40:12 +0200 (MEST) Date: Fri, 26 May 2006 17:40:12 +0200 From: Daniel Hartmeier To: Peter =?iso-8859-1?Q?Ankerst=E5l?= Message-ID: <20060526154012.GT11262@insomnia.benzedrine.cx> References: <44771631.6050901@pean.org> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <44771631.6050901@pean.org> User-Agent: Mutt/1.5.10i Cc: freebsd-pf@freebsd.org Subject: Re: authpf. 
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 May 2006 15:40:54 -0000

On Fri, May 26, 2006 at 04:52:33PM +0200, Peter Ankerstål wrote:
> I am using authpf for my wifi-network. But I want to redirect all of the
> http-traffic to a webserver to show a "error message" when not
> authenticated via authpf. But how to "remove" this rule when I
> authenticate? As far as I know authpf just adds rules to the ruleset.

Ah, sometimes more is less :)

Assume you have a generic redirection like

  rdr on $int_if proto tcp to port 80 -> 127.0.0.1 port 8088

where 127.0.0.1:8088 is the web server with the error page, you can get a particular client not redirected by adding a rule in front of it, like

  no rdr on $int_if proto tcp from 10.1.2.3 to port 80

It has to be added in front because the first matching translation rule wins (unlike filter rules). I.e. place the rdr-anchor before the generic redirect, and add a 'no rdr' with authpf.
Daniel From owner-freebsd-pf@FreeBSD.ORG Fri May 26 17:42:34 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8426416ABD2 for ; Fri, 26 May 2006 17:42:34 +0000 (UTC) (envelope-from kian.mohageri@gmail.com) Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.190]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3CFB143D76 for ; Fri, 26 May 2006 17:42:29 +0000 (GMT) (envelope-from kian.mohageri@gmail.com) Received: by nf-out-0910.google.com with SMTP id x29so118225nfb for ; Fri, 26 May 2006 10:42:28 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=b2fFlc4D4qqEC1b59SOEaSebq2SynCeuCQkyDDz80s/JuC59hxvuSQjv426mdWLP7tuI/Bf4kER1d5dwjP8MFBimZGZYggaA8UAjLJcZKv3PCtFF1UmzHtGpxmF/bTgSA3Q524qJM1kydOqtd8c8QsR4Gl33yld+5jOXXOhjAmM= Received: by 10.48.164.9 with SMTP id m9mr23835nfe; Fri, 26 May 2006 10:41:52 -0700 (PDT) Received: by 10.49.42.5 with HTTP; Fri, 26 May 2006 10:41:52 -0700 (PDT) Message-ID: Date: Fri, 26 May 2006 10:41:52 -0700 From: "Kian Mohageri" To: "=?ISO-8859-1?Q?Peter_Ankerst=E5l?=" In-Reply-To: <44771631.6050901@pean.org> MIME-Version: 1.0 References: <44771631.6050901@pean.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: quoted-printable Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-pf@freebsd.org Subject: Re: authpf. X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 May 2006 17:42:43 -0000 Authpf puts authenticated users in a table. 
You can then handle all of that traffic to your liking. You can have a rule which redirects only certain HTTP connections to your web server.

  rdr pass on $wi_if inet proto tcp from ! to any port www -> ($wi_if)

That should get you started. Keep in mind your wireless clients might not be able to resolve the addresses of any of those in the first place. If they can't resolve the names to addresses, they'll just fail without being redirected to your web server.

Kian

On 5/26/06, Peter Ankerstål wrote:
>
> I am using authpf for my wifi-network. But I want to redirect all of the
> http-traffic to a webserver to show a "error message" when not
> authenticated via authpf. But how to "remove" this rule when I
> authenticate? As far as I know authpf just adds rules to the ruleset.
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From owner-freebsd-pf@FreeBSD.ORG Fri May 26 18:24:03 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B7CD916AC69 for ; Fri, 26 May 2006 18:24:03 +0000 (UTC) (envelope-from peter@pean.org) Received: from mxfep02.bredband.com (mxfep02.bredband.com [195.54.107.73]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7E6CE43D7E for ; Fri, 26 May 2006 18:23:56 +0000 (GMT) (envelope-from peter@pean.org) Received: from [192.168.1.24] ([213.114.218.56] [213.114.218.56]) by mxfep02.bredband.com with ESMTP id <20060526182355.HDQ16183.mxfep02.bredband.com@[192.168.1.24]>; Fri, 26 May 2006 20:23:55 +0200 Message-ID: <447747B2.9060404@pean.org> Date: Fri, 26 May 2006 20:23:46 +0200 From: Peter Ankerstål User-Agent: Mozilla Thunderbird 1.0.7 (X11/20060103) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Kian Mohageri References:
<44771631.6050901@pean.org> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit Cc: freebsd-pf@freebsd.org Subject: Re: authpf. X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 May 2006 18:24:10 -0000 Kian Mohageri wrote: > Authpf puts authenticated users in a table. You can then handle all > of that traffic to your liking. TYou can have a rule which redirects > only certain HTTP connections to your web server. > > rdr pass on $wi_if inet proto tcp from ! to any port > www -> ($wi_if) > > That should get you started. Keep in mind your wireless clients might > not be able to resolve the addresses of any of those in the first > place. If they can't resolve the names to addresses, they'll just > fail without being redirected to your web server. > > Kian > > On 5/26/06, *Peter Ankerstål* > > wrote: > > I am using authpf for my wifi-network. But I want to redirect all > of the > http-traffic to a webserver to show a "error message" when not > authenticated via authpf. But how to "remove" this rule when I > authenticate? As far as I know authpf just adds rules to the ruleset. > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to > "freebsd-pf-unsubscribe@freebsd.org > " > > This worked perfectly, thank you! 
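Putting Daniel's and Kian's answers together, as an added example rather than code from any of the posts: a pf.conf fragment and a matching /etc/authpf/authpf.rules for the captive-portal setup, plus a lint for the one ordering mistake pfctl will not catch. Assumed: the wireless interface is ath0, the error page is served on 127.0.0.1:8088, and users log in over ssh on the gateway; <authpf_users> is the table authpf(8) maintains and $user_ip the macro it sets when loading the per-user rules. Two things the thread leaves implicit are written into the ruleset: filter rules see the translated destination, so the redirected connections need a pass rule to 127.0.0.1:8088, and unauthenticated clients must still be allowed DNS or, as Kian notes, nothing ever reaches the redirect.

```shell
#!/bin/sh
# Added example (not code from the posts above): a captive-portal ruleset
# for authpf(8) combining Daniel's ordering point with Kian's table-based
# redirect. Assumptions: wireless interface ath0, error page on
# 127.0.0.1:8088, authpf reached over ssh. <authpf_users> is the table
# authpf(8) itself maintains; $user_ip is the macro it sets per user.

# /etc/pf.conf fragment.
pf_conf() {
cat <<'EOF'
wi_if = "ath0"                  # assumed wireless interface
portal = "127.0.0.1"            # assumed error-page web server
portal_port = "8088"

table <authpf_users> persist    # authpf adds $user_ip here on login

# Translation rules: the FIRST match wins, so the anchor that receives
# authpf's per-user 'no rdr' has to come before the generic redirect.
rdr-anchor "authpf/*"
rdr on $wi_if inet proto tcp from ! <authpf_users> to any port 80 \
    -> $portal port $portal_port

# Filter rules: the LAST match wins unless a rule says 'quick'.
block in on $wi_if all
# Unauthenticated clients still need DNS (or nothing is redirected), the
# ssh session that starts authpf, and a path to the redirected error page
# (filter rules see the destination AFTER translation).
pass in on $wi_if inet proto udp from $wi_if:network to any port 53 keep state
pass in on $wi_if inet proto tcp from $wi_if:network to $wi_if port 22 keep state
pass in on $wi_if inet proto tcp from $wi_if:network to $portal port $portal_port keep state
# authpf loads /etc/authpf/authpf.rules for each logged-in user here.
anchor "authpf/*"
EOF
}

# /etc/authpf/authpf.rules: authpf substitutes $user_ip before loading.
authpf_rules() {
cat <<'EOF'
wi_if = "ath0"
# Opt this client out of the portal redirect (Daniel's 'no rdr'). With the
# table-based rdr in pf.conf this is belt and braces, since authpf also
# adds $user_ip to <authpf_users>.
no rdr on $wi_if inet proto tcp from $user_ip to any port 80
pass in quick on $wi_if from $user_ip to any keep state
EOF
}

# check_rdr_order: stdin = a pf.conf; succeeds only if the rdr-anchor line
# precedes the first generic 'rdr on' line. pfctl accepts either order,
# so this catches a mistake that 'pfctl -nf' will not.
check_rdr_order() {
    awk '
        /^rdr-anchor/ && !anchor { anchor = NR }
        /^rdr on/ && !first      { first = NR }
        END { exit !(anchor && first && anchor < first) }'
}

# Stand-alone: print both files and lint the main one.
pf_conf
echo "----"
authpf_rules
pf_conf | check_rdr_order && echo "rdr-anchor precedes generic rdr: ok"
```

Load order matters here in the same way for the filter side: authpf's per-user `pass in quick` lands in the `anchor "authpf/*"` evaluated after the `block in`, so an authenticated client is passed by its own rule rather than by anything the generic ruleset has to be told about.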
From owner-freebsd-pf@FreeBSD.ORG Fri May 26 19:23:42 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3183B16AD22 for ; Fri, 26 May 2006 19:23:42 +0000 (UTC) (envelope-from gus@clacso.edu.ar) Received: from piluso.clacso.edu.ar (piluso.clacso.edu.ar [168.96.200.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id A7C2543D48 for ; Fri, 26 May 2006 19:23:40 +0000 (GMT) (envelope-from gus@clacso.edu.ar) Received: from panda.clacso.edu.ar ([168.96.200.196] helo=clacso.edu.ar) by piluso.clacso.edu.ar with esmtp (Exim 4.50) id 1Fjhw4-0000Nt-QH; Fri, 26 May 2006 16:25:24 -0300 Message-ID: <44775759.9080202@clacso.edu.ar> Date: Fri, 26 May 2006 16:30:33 -0300 From: gus User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 X-Accept-Language: en-us, en MIME-Version: 1.0 To: "Peter N. M. Hansteen" , freebsd-pf@freebsd.org References: <4474CE3D.8050702@clacso.edu.ar> <86slmy1e28.fsf@amidala.datadok.no> In-Reply-To: <86slmy1e28.fsf@amidala.datadok.no> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: Re: pf configuration de Argentina X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 May 2006 19:23:51 -0000

Peter

This is OK, thanks very much... but my problem is, for example, if I would like the machine with IP 168.96.200.196 to use 6% of the bandwidth... What must I put in the suggestion...
>
> One suggestion (untested but fairly trivial) for a starting point would
> be
>
>  ext_if="xl0" # replace with actual external interface name i.e., dc0
>  int_if="xl1" # replace with actual internal interface name i.e., dc1
>  internal_net="168.96.200.0/24"
>
>  table { 168.96.200.87, 168.96.200.8, 168.96.200.55, 168.96.200.196 }
>
>  nat on $ext_if from $internal_net to any -> ($ext_if)
>  block all
>  pass from to any keep state
>

And what must I delete from this file!!! Could you help me!!!

Thanks

From owner-freebsd-pf@FreeBSD.ORG Sat May 27 10:26:12 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BA72516A43A for ; Sat, 27 May 2006 10:26:12 +0000 (UTC) (envelope-from peter@bgnett.no) Received: from skapet.datadok.no (skapet.datadok.no [194.54.107.19]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5107643D46 for ; Sat, 27 May 2006 10:26:12 +0000 (GMT) (envelope-from peter@bgnett.no) Received: from [10.168.103.3] (helo=amidala.datadok.no) by skapet.datadok.no with esmtp (Exim 4.60) (envelope-from ) id 1Fjvzm-00079T-7Z; Sat, 27 May 2006 12:26:10 +0200 To: gus References: <4474CE3D.8050702@clacso.edu.ar> <86slmy1e28.fsf@amidala.datadok.no> <44775759.9080202@clacso.edu.ar> From: peter@bgnett.no (Peter N. M.
Hansteen) Date: Sat, 27 May 2006 12:25:00 +0200 In-Reply-To: <44775759.9080202@clacso.edu.ar> (gus@clacso.edu.ar's message of "Fri, 26 May 2006 16:30:33 -0300") Message-ID: <86irnrahoj.fsf@amidala.datadok.no> User-Agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4.19 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: freebsd-pf@freebsd.org Subject: Re: pf configuration de Argentina X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 27 May 2006 10:26:17 -0000 gus writes: > These is OK , thanks very much... but my problem is > for example , if I would like that the machine with IP 168.96.200.196 > use 6% of Band... well, if the minimal suggested rule set works, you could re-introduce your queues with matching pass rules. The altq example I lifted from unix.se (http://www.bgnett.no/~peter/pf/en/altqbypct.html) for my PF tutorial is similar enough to what you want to do that I think it should get you there. -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/ "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales" 20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds. 
From owner-freebsd-pf@FreeBSD.ORG Sat May 27 23:05:56 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 89F4A16AC43; Sat, 27 May 2006 22:48:36 +0000 (UTC) (envelope-from savagers@bridges-across.org) Received: from ip-19.net-81-220-104.nantes.rev.numericable.fr (ip-19.net-81-220-104.nantes.rev.numericable.fr [81.220.104.19]) by mx1.FreeBSD.org (Postfix) with SMTP id D47F243D46; Sat, 27 May 2006 22:48:31 +0000 (GMT) (envelope-from savagers@bridges-across.org) Date: Sat, 27 May 2006 22:48:50 +0000 From: "katelynn estefania" X-Mailer: The Bat! (v3.0.0.10) Professional X-Priority: 3 (Normal) Message-ID: <387705653.20060100060730@81.220.104.19> To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: multipart/related; boundary="----------53D40CE1F627A89B" X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Do Lipton employees take coffee breaks? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: savagers@bridges-across.org List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 27 May 2006 23:06:02 -0000