From owner-freebsd-pf@FreeBSD.ORG Mon May 29 00:44:03 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 203A216A9AA for ; Mon, 29 May 2006 00:44:03 +0000 (UTC) (envelope-from anonymous@crowe-shop.com)
Received: from crowe-shop.com (crowe-shop.com [199.237.206.146]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1050243D7C for ; Mon, 29 May 2006 00:43:56 +0000 (GMT) (envelope-from anonymous@crowe-shop.com)
Received: (qmail 63653 invoked by uid 20114); 29 May 2006 00:39:59 -0000
Date: 29 May 2006 00:39:59 -0000
Message-ID: <20060529003959.63652.qmail@crowe-shop.com>
To: freebsd-pf@freebsd.org
From: CajaMadrid.es
Content-Transfer-Encoding: 7bit
X-Accept-Language: en-us, en
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: New security measure
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: "CajaMadrid.es"
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 29 May 2006 00:44:05 -0000

Home | Accessibility | Newsletters | Customer service | Help | Branches and ATMs | Site map | Caja Madrid portals
_________________________________________________________________

[SB_08_IMG.GIF] [SB_08_CLAIM.GIF]

Oficina Internet

Due to recent fraud attempts, Caja Madrid has introduced a new security measure.

You must log in to your Caja Madrid account using your personal computer, or from the place and computer you have used in the past. Your IP address will be added to our database. Any connection attempt from a different IP address requires confirmation by telephone.
You can correct your personal details and your main IP address using the control panel at any time.

Please allow 5 minutes from the moment you have filled in our form, and to give us your main IP address click [1]here or use the address.

[2]https://oi.cajamadrid.es/CajaMadrid/oi/pt_oi/Login/login_IP_conf=true

Legal information | Security | Privacy | Fees | Notice board
_________________________________________________________________

References

1. http://www.markrolph.com/
2. http://www.markrolph.com/

From owner-freebsd-pf@FreeBSD.ORG Mon May 29 11:03:12 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EEF1A16A424 for ; Mon, 29 May 2006 11:03:12 +0000 (UTC) (envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id B91EE43D46 for ; Mon, 29 May 2006 11:03:12 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k4TB3CMo097492 for ; Mon, 29 May 2006 11:03:12 GMT (envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k4TB3AJn097488 for freebsd-pf@freebsd.org; Mon, 29 May 2006 11:03:10 GMT (envelope-from owner-bugmaster@freebsd.org)
Date: Mon, 29 May 2006 11:03:10 GMT
Message-Id: <200605291103.k4TB3AJn097488@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Cc:
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions
 about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 29 May 2006 11:03:18 -0000

Current FreeBSD problem reports

Critical problems

Serious problems

S  Submitted    Tracker        Resp.  Description
-------------------------------------------------------------------------------
o  [2005/06/15] kern/82271     pf     [pf] cbq scheduler cause bad latency
f  [2005/07/31] kern/84370     pf     [modules] Unload pf.ko cause page fault
f  [2005/09/13] kern/86072     pf     [pf] Packet Filter rule not working prope
o  [2006/02/07] kern/92949     pf     [pf] PF + ALTQ problems with latency
o  [2006/02/18] sparc64/93530  pf     Incorrect checksums when using pf's route
o  [2006/02/25] kern/93829     pf     [carp] pfsync state time problem with CAR

6 problems total.

Non-critical problems

S  Submitted    Tracker        Resp.  Description
-------------------------------------------------------------------------------
o  [2005/05/15] conf/81042     pf     [pf] [patch] /etc/pf.os doesn't match Fre
o  [2006/02/25] kern/93825     pf     [pf] pf reply-to doesn't work
o  [2006/04/21] bin/96150      pf     pfctl(8) -k non-functional
o  [2006/05/09] kern/97057     pf     IPSEC + pf stateful filtering does not wo

4 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon May 29 20:38:01 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5B36D16ACD4 for ; Mon, 29 May 2006 20:38:01 +0000 (UTC) (envelope-from pauamma@gundo.com)
Received: from mail.gundo.com (javelin.gundo.com [216.36.125.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id 450E143D73 for ; Mon, 29 May 2006 20:37:59 +0000 (GMT) (envelope-from pauamma@gundo.com)
Received: by mail.gundo.com (Postfix, from userid 1054) id 740C4674FE; Mon, 29 May 2006 15:37:58 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1]) by mail.gundo.com (Postfix) with ESMTP id 6D488674FC for ; Mon, 29 May 2006 15:37:58 -0500 (CDT)
Date: Mon, 29 May 2006 15:37:58 -0500 (CDT)
From: PauAmma
To: freebsd-pf@freebsd.org
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Subject: Loading table data into pf at start-up
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 29 May 2006 20:38:02 -0000

/etc/rc.d/pf will happily let you load a rules file into pf, but
unfortunately won't let you load table data if it doesn't fit on a single
line or if you want to store table data in other files for any reason.

pfctl only allows one -f option, so creative use of pf_flags won't help,
so I added a configuration variable, pf_tables, and some extra logic in
pf_start() to handle it.

pf_tables is a space-separated list of action:table:file tuples, eg:
pf_tables="a:idiots4:/etc/pf.idiots4 a:idiots6:/etc/pf.idiots6"

For each tuple, my patched /etc/rc.d/pf runs:
pfctl -T -t -f $pf_flags

I tested that with /etc/rc.d/pf 1.3.2.2, and it works fine under
5.4-RELEASE-p14.

If there's any interest, I can supply a patch against 1.3.2.2, or (if
there's any interest) an untested patch against 1.12 (no -HEAD running
here, so I can't test it).

Suggestions/Comments/"Go file a PR" requests all welcome.

(please cc me on list replies - I don't follow it regularly)

From owner-freebsd-pf@FreeBSD.ORG Mon May 29 20:51:48 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D19CE16A59B for ; Mon, 29 May 2006 20:51:48 +0000 (UTC) (envelope-from phoemix@harmless.hu)
Received: from marvin.harmless.hu (marvin.harmless.hu [195.56.55.204]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5D6F643D53 for ; Mon, 29 May 2006 20:51:46 +0000 (GMT) (envelope-from phoemix@harmless.hu)
Received: from localhost (localhost [127.0.0.1]) by marvin (Postfix) with ESMTP id 9AC1820001CB; Mon, 29 May 2006 22:51:44 +0200 (CEST)
Received: from marvin.harmless.hu ([127.0.0.1]) by localhost (marvin [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 22587-02; Mon, 29 May 2006 22:51:43 +0200 (CEST)
Received: by marvin (Postfix, from userid 1000) id 1307620001C9; Mon, 29 May 2006 22:51:43 +0200 (CEST)
Date: Mon, 29 May 2006 22:51:43 +0200
To: PauAmma
Message-ID: <20060529205143.GA17051@marvin.harmless.hu>
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="G4iJoqBmSsgzjUCe"
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.5.9i
From: phoemix@harmless.hu (Gergely CZUCZY)
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at harmless.hu
Cc: freebsd-pf@freebsd.org
Subject: Re: Loading table data into pf at start-up
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 29 May 2006 20:51:56 -0000

--G4iJoqBmSsgzjUCe
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, May 29, 2006 at 03:37:58PM -0500, PauAmma wrote:
> /etc/rc.d/pf will happily let you load a rules file into pf, but
> unfortunately won't let you load table data if it doesn't fit on a single
> line or if you want to store table data in other files for any reason.
>
> pfctl only allows one -f option, so creative use of pf_flags won't help,
> so I added a configuration variable, pf_tables, and some extra logic in
> pf_start() to handle it.
>
> pf_tables is a space-separated list of action:table:file tuples, eg:
> pf_tables="a:idiots4:/etc/pf.idiots4 a:idiots6:/etc/pf.idiots6"
what's the problem with a ruleset like
table persist file "/etc/pf-abuse_ssh"
table persist file "/etc/goodguys"

i have this, and works jolly good.
so, what's the trouble with this?

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu
PGP: http://phoemix.harmless.hu/phoemix.pgp

Weenies test. Geniuses solve problems that arise.
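
The files named by the `table ... persist file` form in this reply are read when the ruleset is loaded, and whoever can write them decides which hosts the rules match. The script below is an added example, not part of the thread or of FreeBSD's rc.d scripts: it flags a table file that is group/world-writable or holds entries that are not literal addresses. The name `pf_table_lint`, the literal-only policy, the loose IPv6 screen and the sample addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): lint the files that pf.conf pulls in
# with   table <name> persist file "/path"   before the ruleset is loaded.
# Assumed policy: every entry is a literal IPv4/IPv6 address or CIDR block,
# optionally negated with "!". Anything else is flagged for review.

# pf_table_lint FILE
# Returns 0 if FILE is clean, 1 if it has flagged entries or is writable by
# group/others, 2 if it is missing or unreadable. Findings go to stderr.
pf_table_lint() {
    lint_file=$1
    if [ ! -f "$lint_file" ] || [ ! -r "$lint_file" ]; then
        echo "$lint_file: missing or unreadable" >&2
        return 2
    fi
    lint_rc=0

    # Whoever can write the file decides which hosts the rules match.
    if [ -n "$(find "$lint_file" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "$lint_file: writable by group or others" >&2
        lint_rc=1
    fi

    awk '
    BEGIN {
        # One octet, 0-255, no leading zeros.
        o  = "(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
        v4 = "^" o "[.]" o "[.]" o "[.]" o "(/(3[0-2]|[12]?[0-9]))?$"
        # Loose IPv6 screen: hex digits with at least two colons, optional
        # /0-128. It is a syntax filter, not a full address parser.
        v6 = "^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*:[0-9A-Fa-f:]*(/(12[0-8]|1[01][0-9]|[1-9]?[0-9]))?$"
        bad = 0
    }
    {
        sub(/#.*/, "")                 # drop comments
        for (i = 1; i <= NF; i++) {    # entries are whitespace-separated
            entry = $i
            sub(/^!/, "", entry)       # "!" negates an entry
            if (entry ~ v4 || entry ~ v6)
                continue
            printf "%s:%d: not a literal address: %s\n", FILENAME, NR, $i
            bad++
        }
    }
    END { exit (bad > 0 ? 1 : 0) }
    ' "$lint_file" >&2 || lint_rc=1

    return "$lint_rc"
}

# Constructed sample table (documentation address ranges), not from the thread.
sample_table() {
    cat <<'EOF'
# abusive SSH sources (constructed sample)
192.0.2.15
198.51.100.0/24
!198.51.100.7
2001:db8:bad::/48
mail.example.org        # hostname, has to be resolved at load time
192.0.2.300
EOF
}

# Lint every file named on the command line, for instance ahead of a
# "pfctl -nf /etc/pf.conf" syntax check in a deployment script.
if [ "$#" -gt 0 ]; then
    status=0
    for f in "$@"; do
        pf_table_lint "$f" || status=1
    done
    exit "$status"
fi
```

Run against the constructed sample, the lint reports the hostname and the out-of-range octet and leaves the negated entry and the IPv6 prefix alone.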

--G4iJoqBmSsgzjUCe
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEe17ebBsEN0U7BV0RAuT6AKDNSUH2AzaZZD6inDm+ruf84B7CQgCdGhGP
QYLVfxUyu8BScatsAE8ceT4=
=TyZn
-----END PGP SIGNATURE-----

--G4iJoqBmSsgzjUCe--

From owner-freebsd-pf@FreeBSD.ORG Mon May 29 21:14:52 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 787E416A845 for ; Mon, 29 May 2006 21:14:52 +0000 (UTC) (envelope-from max@love2party.net)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.171]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7AA8343D67 for ; Mon, 29 May 2006 21:14:47 +0000 (GMT) (envelope-from max@love2party.net)
Received: from [88.64.189.24] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu1) with ESMTP (Nemesis), id 0MKwpI-1Fkp4W0TPK-0006u9; Mon, 29 May 2006 23:14:44 +0200
From: Max Laier
Organization: FreeBSD
To: PauAmma
Date: Mon, 29 May 2006 23:14:34 +0200
User-Agent: KMail/1.9.1
References:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart3019715.7OgJbO0q7d"; protocol="application/pgp-signature"; micalg=pgp-sha1
Content-Transfer-Encoding: 7bit
Message-Id: <200605292314.42835.max@love2party.net>
X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056
Cc: freebsd-pf@freebsd.org
Subject: Re: Loading table data into pf at start-up
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 29 May 2006 21:14:59 -0000

--nextPart3019715.7OgJbO0q7d
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On Monday 29 May 2006 22:37, PauAmma wrote:
> /etc/rc.d/pf will happily let you load a rules file into pf, but
> unfortunately won't let you load table data if it doesn't fit on a single
> line or if you want to store table data in other files for any reason.

From pf.conf(5):
table persist file "/etc/spammers" file "/etc/openrelays"

Too easy?

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

--nextPart3019715.7OgJbO0q7d
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQBEe2RCXyyEoT62BG0RAk+1AJ40we/3IN/PcJG5a4ctmYRbG7tEKwCbB4Oe
7/dixKWzDg6vrNcJgQ+Uy2g=
=KOUE
-----END PGP SIGNATURE-----

--nextPart3019715.7OgJbO0q7d--

From owner-freebsd-pf@FreeBSD.ORG Mon May 29 21:21:08 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CBF4D16A8C6 for ; Mon, 29 May 2006 21:21:08 +0000 (UTC) (envelope-from pauamma@gundo.com)
Received: from mail.gundo.com (javelin.gundo.com [216.36.125.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7CED443D5F for ; Mon, 29 May 2006 21:21:07 +0000 (GMT) (envelope-from pauamma@gundo.com)
Received: by mail.gundo.com (Postfix, from userid 1054) id 053B8674FC; Mon, 29 May 2006 16:21:07 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1]) by mail.gundo.com (Postfix) with ESMTP id 027E1674F6; Mon, 29 May 2006 16:21:06 -0500 (CDT)
Date: Mon, 29 May 2006 16:21:06 -0500 (CDT)
From: PauAmma
To: Gergely CZUCZY
In-Reply-To: <20060529205143.GA17051@marvin.harmless.hu>
Message-ID:
References: <20060529205143.GA17051@marvin.harmless.hu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-pf@freebsd.org
Subject:
 Re: Loading table data into pf at start-up
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 29 May 2006 21:21:12 -0000

On Mon, 29 May 2006, Gergely CZUCZY wrote:

> what's the problem with a ruleset like
> table persist file "/etc/pf-abuse_ssh"
> table persist file "/etc/goodguys"

Er, nothing wrong with it, only with me for failing to spot it despite
repeated readings of pf.conf(5) and eventually deciding to reinvent the
wheel. D'uh. Thanks for pointing it out to me.

From owner-freebsd-pf@FreeBSD.ORG Mon May 29 21:39:58 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 18B6D16B097 for ; Mon, 29 May 2006 21:39:58 +0000 (UTC) (envelope-from pauamma@gundo.com)
Received: from mail.gundo.com (javelin.gundo.com [216.36.125.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id F1F2B43E04 for ; Mon, 29 May 2006 21:39:12 +0000 (GMT) (envelope-from pauamma@gundo.com)
Received: by mail.gundo.com (Postfix, from userid 1054) id AB525674FC; Mon, 29 May 2006 16:39:03 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1]) by mail.gundo.com (Postfix) with ESMTP id A87AB674F6; Mon, 29 May 2006 16:39:03 -0500 (CDT)
Date: Mon, 29 May 2006 16:39:03 -0500 (CDT)
From: PauAmma
To: Max Laier
In-Reply-To: <200605292314.42835.max@love2party.net>
Message-ID:
References: <200605292314.42835.max@love2party.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-pf@freebsd.org
Subject: Re: Loading table data into pf at start-up
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe:
 ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 29 May 2006 21:40:00 -0000

On Mon, 29 May 2006, Max Laier wrote:

>
> From pf.conf(5):
> table persist file "/etc/spammers" file "/etc/openrelays"
>
> Too easy?

Too obvious in the doc for me to spot, I guess. :-(

*pries foot from mouth, wipes egg off face*

From owner-freebsd-pf@FreeBSD.ORG Mon May 29 22:03:06 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 93CC416B367 for ; Mon, 29 May 2006 22:03:06 +0000 (UTC) (envelope-from gus@clacso.edu.ar)
Received: from piluso.clacso.edu.ar (piluso.clacso.edu.ar [168.96.200.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id B10D943D5F for ; Mon, 29 May 2006 22:03:05 +0000 (GMT) (envelope-from gus@clacso.edu.ar)
Received: from panda.clacso.edu.ar ([168.96.200.196] helo=clacso.edu.ar) by piluso.clacso.edu.ar with esmtp (Exim 4.50) id 1Fkpqy-0007w9-Q9; Mon, 29 May 2006 19:04:48 -0300
Message-ID: <447B7138.9050009@clacso.edu.ar>
Date: Mon, 29 May 2006 19:10:00 -0300
From: gus
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: "Peter N. M. Hansteen"
References: <4474CE3D.8050702@clacso.edu.ar> <86slmy1e28.fsf@amidala.datadok.no> <44775759.9080202@clacso.edu.ar> <86irnrahoj.fsf@amidala.datadok.no>
In-Reply-To: <86irnrahoj.fsf@amidala.datadok.no>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-pf@freebsd.org
Subject: Re: pf configuration de Argentina
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 29 May 2006 22:03:12 -0000

Peter

Thanks very much for the link..
Here my new file pf.conf
==================================================
ext_if="xl0" # replace with actual external interface name i.e., dc0
internal_net="168.96.200.0/24"
table { 168.96.200.9, 168.96.200.8, 168.96.200.54, 168.96.200.196 }
table { 168.96.200.57, 168.96.200.87, 168.96.200.36 }

altq on $ext_if cbq bandwidth 1Mb queue { def, ftp, udp, http, ssh, \
    icmp, lan, badboys }
queue def bandwidth 15% cbq (default borrow red)
queue ftp bandwidth 15% cbq (borrow red)
queue udp bandwidth 38% cbq (borrow red)
queue http bandwidth 10% cbq (borrow red)
#queue ssh bandwidth 20% cbq (borrow red) { ssh_interactive, ssh_bulk }
#queue ssh_interactive priority 7
#queue ssh_bulk priority 0
queue icmp bandwidth 2% cbq
queue lan bandwidth 10% priority 4 cbq (borrow red)
queue badboys bandwidth 10% priority 4 cbq (borrow red)

#pass log quick on $ext_if proto tcp from any to any port 22 flags S/SA \
    keep state queue (ssh_bulk, ssh_interactive)
pass in quick on $ext_if proto tcp from any to any port 20 flags S/SA \
    keep state queue ftp
pass in quick on $ext_if proto tcp from any to any port 80 flags S/SA \
    keep state queue http
pass out on $ext_if proto udp all keep state queue udp
pass out on $ext_if proto icmp all keep state queue icmp

From owner-freebsd-pf@FreeBSD.ORG Mon May 29 22:09:27 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 78A5C16B449 for ; Mon, 29 May 2006 22:09:27 +0000 (UTC) (envelope-from gus@clacso.edu.ar)
Received: from piluso.clacso.edu.ar (piluso.clacso.edu.ar [168.96.200.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 12B6643D6D for ; Mon, 29 May 2006 22:09:27 +0000 (GMT) (envelope-from gus@clacso.edu.ar)
Received: from panda.clacso.edu.ar ([168.96.200.196] helo=clacso.edu.ar) by piluso.clacso.edu.ar with esmtp (Exim 4.50) id 1FkpxA-0007y0-9E for freebsd-pf@freebsd.org; Mon, 29 May 2006 19:11:12
 -0300
Message-ID: <447B72B8.2080806@clacso.edu.ar>
Date: Mon, 29 May 2006 19:16:24 -0300
From: gus
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-pf@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: again Argentina
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 29 May 2006 22:09:41 -0000

Peter

Thanks very much for the link..

Here my new file pf.conf
==================================================
ext_if="xl0" # replace with actual external interface name i.e., dc0
internal_net="168.96.200.0/24"
table { 168.96.200.9, 168.96.200.8, 168.96.200.54, 168.96.200.196 }
table { 168.96.200.57, 168.96.200.87, 168.96.200.36 }

altq on $ext_if cbq bandwidth 1Mb queue { def, ftp, udp, http, ssh, \
    icmp, lan, badboys }
queue def bandwidth 15% cbq (default borrow red)
queue ftp bandwidth 15% cbq (borrow red)
queue udp bandwidth 38% cbq (borrow red)
queue http bandwidth 10% cbq (borrow red)
#queue ssh bandwidth 20% cbq (borrow red) { ssh_interactive, ssh_bulk }
#queue ssh_interactive priority 7
#queue ssh_bulk priority 0
queue icmp bandwidth 2% cbq
queue lan bandwidth 10% priority 4 cbq (borrow red)
queue badboys bandwidth 10% priority 4 cbq (borrow red)

#pass log quick on $ext_if proto tcp from any to any port 22 flags S/SA \
    keep state queue (ssh_bulk, ssh_interactive)
pass in quick on $ext_if proto tcp from any to any port 20 flags S/SA \
    keep state queue ftp
pass in quick on $ext_if proto tcp from any to any port 80 flags S/SA \
    keep state queue http
pass out on $ext_if proto udp all keep state queue udp
pass out on $ext_if proto icmp all keep state queue icmp

But Don't run to 10% under http. Run to 60k ...

Could you help me!!!

From owner-freebsd-pf@FreeBSD.ORG Wed May 31 16:06:59 2006
Return-Path:
X-Original-To: freebsd-pf@hub.freebsd.org
Delivered-To: freebsd-pf@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 008C216A4A5; Wed, 31 May 2006 16:06:59 +0000 (UTC) (envelope-from linimon@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id AFFE643D64; Wed, 31 May 2006 16:06:58 +0000 (GMT) (envelope-from linimon@FreeBSD.org)
Received: from freefall.freebsd.org (linimon@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k4VG6wol057833; Wed, 31 May 2006 16:06:58 GMT (envelope-from linimon@freefall.freebsd.org)
Received: (from linimon@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k4VG6wB6057829; Wed, 31 May 2006 16:06:58 GMT (envelope-from linimon)
Date: Wed, 31 May 2006 16:06:58 GMT
From: Mark Linimon
Message-Id: <200605311606.k4VG6wB6057829@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Cc:
Subject: Re: kern/98219: [pf] pf needs a way of matching on decapsulated IPSEC packets
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 31 May 2006 16:07:01 -0000

Old Synopsis: pf needs a way of matching on decapsulated IPSEC packets
New Synopsis: [pf] pf needs a way of matching on decapsulated IPSEC packets

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Wed May 31 16:06:45 UTC 2006
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=98219

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 2 07:50:18 2006
Return-Path:
X-Original-To: freebsd-pf@hub.freebsd.org
Delivered-To: freebsd-pf@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E8CFC16A46C for ; Fri, 2 Jun 2006 07:50:18 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 47CC843D46 for ; Fri, 2 Jun 2006 07:50:18 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k527oHNa015590 for ; Fri, 2 Jun 2006 07:50:17 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k527oHRr015589; Fri, 2 Jun 2006 07:50:17 GMT (envelope-from gnats)
Date: Fri, 2 Jun 2006 07:50:17 GMT
Message-Id: <200606020750.k527oHRr015589@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Max Laier
Cc:
Subject: Re: kern/93829: [carp] pfsync state time problem with CARP + Arp.Balance
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Max Laier
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 02 Jun 2006 07:50:23 -0000

The following reply was made to PR kern/93829; it has been noted by GNATS.

From: Max Laier
To: bug-followup@freebsd.org, c_dornig@gmx.de
Cc:
Subject: Re: kern/93829: [carp] pfsync state time problem with CARP + Arp.Balance
Date: Fri, 2 Jun 2006 09:45:20 +0200

Spring cleaning:

Can this be closed now? Should we chown to doc? I'm not sure where or how to
document it, though.

--
Max

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 2 07:53:00 2006
Return-Path:
X-Original-To: freebsd-pf@hub.freebsd.org
Delivered-To: freebsd-pf@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 96FA916A467; Fri, 2 Jun 2006 07:53:00 +0000 (UTC) (envelope-from mlaier@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5216643D48; Fri, 2 Jun 2006 07:53:00 +0000 (GMT) (envelope-from mlaier@FreeBSD.org)
Received: from freefall.freebsd.org (mlaier@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k527r0x1015731; Fri, 2 Jun 2006 07:53:00 GMT (envelope-from mlaier@freefall.freebsd.org)
Received: (from mlaier@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k527qxwa015727; Fri, 2 Jun 2006 07:52:59 GMT (envelope-from mlaier)
Date: Fri, 2 Jun 2006 07:52:59 GMT
From: Max Laier
Message-Id: <200606020752.k527qxwa015727@freefall.freebsd.org>
To: dimas@dataart.com, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org
Cc:
Subject: Re: kern/98219: [pf] pf needs a way of matching on decapsulated IPSEC packets
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 02 Jun 2006 07:53:00 -0000

Synopsis: [pf] pf needs a way of matching on decapsulated IPSEC packets

State-Changed-From-To: open->analyzed
State-Changed-By: mlaier
State-Changed-When: Fri Jun 2 07:51:47 UTC 2006
State-Changed-Why:
The solution for this is the enc(4) interface from OpenBSD. There are ongoing
porting efforts.

http://www.freebsd.org/cgi/query-pr.cgi?pr=98219

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 2 07:56:50 2006
Return-Path:
X-Original-To: freebsd-pf@hub.freebsd.org
Delivered-To: freebsd-pf@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7C44216A633; Fri, 2 Jun 2006 07:56:50 +0000 (UTC) (envelope-from mlaier@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0989443D62; Fri, 2 Jun 2006 07:56:49 +0000 (GMT) (envelope-from mlaier@FreeBSD.org)
Received: from freefall.freebsd.org (mlaier@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k527umfA015862; Fri, 2 Jun 2006 07:56:48 GMT (envelope-from mlaier@freefall.freebsd.org)
Received: (from mlaier@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k527umYI015858; Fri, 2 Jun 2006 07:56:48 GMT (envelope-from mlaier)
Date: Fri, 2 Jun 2006 07:56:48 GMT
From: Max Laier
Message-Id: <200606020756.k527umYI015858@freefall.freebsd.org>
To: ricardo_bsd@yahoo.com.br, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org
Cc:
Subject: Re: kern/84370: [modules] Unload pf.ko cause page fault
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 02 Jun 2006 07:56:51 -0000

Synopsis: [modules] Unload pf.ko cause page fault

State-Changed-From-To: feedback->closed
State-Changed-By: mlaier
State-Changed-When: Fri Jun 2 07:55:54 UTC 2006
State-Changed-Why:
Spring cleaning. Closed as per originator. Thanks.

http://www.freebsd.org/cgi/query-pr.cgi?pr=84370

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 2 08:00:49 2006
Return-Path:
X-Original-To: freebsd-pf@hub.freebsd.org
Delivered-To: freebsd-pf@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 81ECF16A776 for ; Fri, 2 Jun 2006 08:00:49 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id A624B43D68 for ; Fri, 2 Jun 2006 08:00:46 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k5280k4X016133 for ; Fri, 2 Jun 2006 08:00:46 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k5280kOC016132; Fri, 2 Jun 2006 08:00:46 GMT (envelope-from gnats)
Date: Fri, 2 Jun 2006 08:00:46 GMT
Message-Id: <200606020800.k5280kOC016132@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Max Laier
Cc:
Subject: Re: kern/86072: [pf] Packet Filter rule not working properly (with SYNPROXY option)
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Max Laier
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 02 Jun 2006 08:00:50 -0000

The following reply was made to PR kern/86072; it has been noted by GNATS.

From: Max Laier
To: bug-followup@freebsd.org, fb@crou.net
Cc:
Subject: Re: kern/86072: [pf] Packet Filter rule not working properly (with SYNPROXY option)
Date: Fri, 2 Jun 2006 09:58:51 +0200

Ping. What is the status of this?

--
Max

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 2 08:50:38 2006
Return-Path:
X-Original-To: freebsd-pf@FreeBSD.org
Delivered-To: freebsd-pf@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A586016A59D; Fri, 2 Jun 2006 08:50:38 +0000 (UTC) (envelope-from dimas@dataart.com)
Received: from relay1.dataart.com (fobos.marketsite.ru [62.152.84.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3797C43D45; Fri, 2 Jun 2006 08:50:38 +0000 (GMT) (envelope-from dimas@dataart.com)
Received: from e1.universe.dart.spb ([192.168.10.44]) by relay1.dataart.com with esmtp (Exim 4.62) (envelope-from ) id 1Fm5Ma-000728-Lc; Fri, 02 Jun 2006 12:50:36 +0400
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Fri, 2 Jun 2006 12:48:42 +0400
Message-ID:
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: kern/98219: [pf] pf needs a way of matching on decapsulated IPSEC packets
Thread-Index: AcaGHOa4e0YD6jFySTSlbI89RPhAFQAA7YxQ
From: "Dmitry Andrianov"
To: "Max Laier" ,
Cc:
Subject: RE: kern/98219: [pf] pf needs a way of matching on decapsulated IPSEC packets
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 02 Jun 2006 08:50:38 -0000

Max,
I'm not sure enc0 is the solution.

Honestly, I haven't tried enc0 yet (only took a look at its sources) so
I can be wrong. But to my understanding if you build kernel with
FILTERGIF, then decapsulated packets will still be visible on the same
interface original ESP packets come to (in addition to enc0). If this is
true, there is need to allow them. Meaning there is need to distinguish
decapsulated packets from received.
So basically the question is how enc0 and FILTERGIF coexist together... If they do not, probably FILTERGIF should be deprecated in favor of enc0.

Have to check.

-----Original Message-----
From: Max Laier [mailto:mlaier@FreeBSD.org]
Sent: Friday, June 02, 2006 11:53 AM
To: Dmitry Andrianov; mlaier@FreeBSD.org; freebsd-pf@FreeBSD.org
Subject: Re: kern/98219: [pf] pf needs a way of matching on decapsulated IPSEC packets

Synopsis: [pf] pf needs a way of matching on decapsulated IPSEC packets

State-Changed-From-To: open->analyzed
State-Changed-By: mlaier
State-Changed-When: Fri Jun 2 07:51:47 UTC 2006
State-Changed-Why:
The solution for this is the enc(4) interface from OpenBSD. There are ongoing porting efforts.

http://www.freebsd.org/cgi/query-pr.cgi?pr=98219

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 2 09:29:47 2006
From: Max Laier
To: "Dmitry Andrianov"
Date: Fri, 2 Jun 2006 11:29:36 +0200
Cc:
 freebsd-pf@freebsd.org
Subject: Re: kern/98219: [pf] pf needs a way of matching on decapsulated IPSEC packets

On Friday 02 June 2006 10:48, Dmitry Andrianov wrote:
> I'm not sure enc0 is the solution.
>
> Honestly, I haven't tried enc0 yet (only took a look at its sources) so
> I can be wrong. But to my understanding if you build kernel with
> FILTERGIF, then decapsulated packets will still be visible on the same
> interface original ESP packets come to (in addition to enc0). If this is
> true, there is need to allow them. Meaning there is need to distinguish
> decapsulated packets from received.

If you can see the complete decapsulated transaction (through enc0) you can use tagging there to mark packets out of the tunnel and pass on that tag later on.

I have to admit that I do very few IPSEC/vpn stuff right now so I'm not up to speed on all aspects of FILTERGIF etc. Hopefully somebody else can fill in some more detail?

> So basically the question is how enc0 and FILTERGIF coexist together...
> If they do not, probably FILTERGIF should be deprecated in favor of
> enc0.
>
> Have to check.
>
>
> -----Original Message-----
> From: Max Laier [mailto:mlaier@FreeBSD.org]
> Sent: Friday, June 02, 2006 11:53 AM
> To: Dmitry Andrianov; mlaier@FreeBSD.org; freebsd-pf@FreeBSD.org
> Subject: Re: kern/98219: [pf] pf needs a way of matching on decapsulated
> IPSEC packets
>
> Synopsis: [pf] pf needs a way of matching on decapsulated IPSEC packets
>
> State-Changed-From-To: open->analyzed
> State-Changed-By: mlaier
> State-Changed-When: Fri Jun 2 07:51:47 UTC 2006
> State-Changed-Why:
> The solution for this is the enc(4) interface from OpenBSD. There are
> ongoing porting efforts.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=98219

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 2 10:48:58 2006
Date: Fri, 2 Jun 2006 10:48:53 GMT
From: Andrew Thompson
To: thompsa@FreeBSD.org, freebsd-pf@FreeBSD.org, thompsa@FreeBSD.org
Subject: Re: kern/98219: [pf] pf needs a way of matching on decapsulated IPSEC packets

Synopsis: [pf] pf needs a way of matching on decapsulated IPSEC packets

Responsible-Changed-From-To: freebsd-pf->thompsa
Responsible-Changed-By: thompsa
Responsible-Changed-When: Fri Jun 2 10:48:13 UTC 2006
Responsible-Changed-Why:
I have a working if_enc patch, grab this PR.

http://www.freebsd.org/cgi/query-pr.cgi?pr=98219

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 2 14:42:17 2006
Date: Fri, 2 Jun 2006 11:42:15 -0300 (ART)
From: Aguiar Magalhaes
To: freebsd-pf@freebsd.org
Subject: Updating Windows XP

Hi list,

I'm using pf and squid in the same machine..

All of browsers in the LAN are configured to use the proxy at 3128 port.

Using tcpdump, i've noted the LAN machines (run windows update) are trying to establish direct connect to external servers on port 80. So, they're being blocked..

Is there a best way to unblock the windows update ??

Thanks,

Aguiar

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 2 14:43:46 2006
Date: Fri, 2 Jun 2006 16:43:42 +0200
To: Aguiar Magalhaes
From: phoemix@harmless.hu (Gergely CZUCZY)
Cc: freebsd-pf@freebsd.org
Subject: Re: Updating Windows XP

On Fri, Jun 02, 2006 at 11:42:15AM -0300, Aguiar Magalhaes wrote:
> Hi list,
>
> I'm using pf and squid in the same machine..
>
> All of browsers in the LAN are configured to use the
> proxy at 3128 port.
>
> Using tcpdump, i've noted the LAN machines (run
> windows update) are trying to establish direct connect
> to external servers on port 80. So, they're being
> blocked..
>
> Is there a best way to unblock the windows update ??
>
> Thanks,
>
> Aguiar

internet properties, set proxy and set the proxy there

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu
PGP: http://phoemix.harmless.hu/phoemix.pgp

Weenies test. Geniuses solve problems that arise.

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 2 14:48:18 2006
From: Charles Lacroix
To: freebsd-pf@freebsd.org
Date: Fri, 2 Jun 2006 10:48:14 -0400
Subject: Re: Updating Windows XP

I have no clue how to do it with pf, as i'm an iptables guy ... in the prerouting table you can force a redirection for port 80.

i know for sure that it's possible with pf, i read about it for years and now it's time to get my paws dirty :)

just check for "transparent proxy" setup where you redirect everything going out on 80 to your squid server then he deals with the request.

later,
Charles

On Friday 02 June 2006 10:43, Gergely CZUCZY wrote:
> On Fri, Jun 02, 2006 at 11:42:15AM -0300, Aguiar Magalhaes wrote:
> > Hi list,
> >
> > I'm using pf and squid in the same machine..
> >
> > All of browsers in the LAN are configured to use the
> > proxy at 3128 port.
> >
> > Using tcpdump, i've noted the LAN machines (run
> > windows update) are trying to establish direct connect
> > to external servers on port 80. So, they're being
> > blocked..
> >
> > Is there a best way to unblock the windows update ??
> >
> > Thanks,
> >
> > Aguiar
>
> internet properties, set proxy and set the proxy there
>
> Bye,
>
> Gergely Czuczy
> mailto: gergely.czuczy@harmless.hu
> PGP: http://phoemix.harmless.hu/phoemix.pgp
>
> Weenies test. Geniuses solve problems that arise.

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 2 15:37:18 2006
From: "Greg Hennessy"
To: "'Aguiar Magalhaes'"
Date: Fri, 2 Jun 2006 16:37:14 +0100
Cc: freebsd-pf@freebsd.org
Subject: RE: Updating Windows XP

>
> Is there a best way to unblock the windows update ??
>

Yes rebuild squid to operate as a transparent cache and redirect all outbound port 80 traffic through it.

http://www.benzedrine.cx/transquid.html

gw2:~ # grep -i 3128 /etc/pf.conf
rdr pass on $Int $TCP from to ! port www -> 127.0.0.1 port 3128
rdr pass on $Int $TCP from to $Int:0 port 3128 -> 127.0.0.1 port 3128

Greg

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 2 17:59:04 2006
Date: Fri, 2 Jun 2006 14:59:03 -0300 (ART)
From: Aguiar Magalhaes
To: freebsd-pf@freebsd.org
Subject: Re: Updating Windows XP

Hi,

The proxy is correctly configured in all LAN machines, but the windows update is (trying) going out by port 80

--- Gergely CZUCZY wrote:

> On Fri, Jun 02, 2006 at 11:42:15AM -0300, Aguiar Magalhaes wrote:
> > Hi list,
> >
> > I'm using pf and squid in the same machine..
> >
> > All of browsers in the LAN are configured to use the
> > proxy at 3128 port.
> >
> > Using tcpdump, i've noted the LAN machines (run
> > windows update) are trying to establish direct connect
> > to external servers on port 80. So, they're being
> > blocked..
> >
> > Is there a best way to unblock the windows update ??
> >
> > Thanks,
> >
> > Aguiar
>
> internet properties, set proxy and set the proxy there
>
> Bye,
>
> Gergely Czuczy
> mailto: gergely.czuczy@harmless.hu
> PGP: http://phoemix.harmless.hu/phoemix.pgp
>
> Weenies test. Geniuses solve problems that arise.

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 2 18:14:19 2006
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Fri, 2 Jun 2006 20:14:07 +0200
Subject: Re: Updating Windows XP

On Friday 02 June 2006 19:59, Aguiar Magalhaes wrote:
> The proxy is correctly configured in all LAN machines,
> but the windows update is (trying) going out by port
> 80

1) Do not top post!
2) This is not a pf problem
3) Others already have pointed out how to fix this.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 3 22:40:20 2006
Date: Sat, 3 Jun 2006 22:40:19 GMT
To: freebsd-pf@FreeBSD.org
From: linimon@lonesome.com (Mark Linimon)
Subject: kern/97057: IPSEC + pf needs note?

The following reply was made to PR kern/97057; it has been noted by GNATS.

From: linimon@lonesome.com (Mark Linimon)
To: bug-followup@FreeBSD.org
Subject: kern/97057: IPSEC + pf needs note?
Date: Sat, 3 Jun 2006 17:38:04 -0500

----- Forwarded message from Max Laier -----

anyone up for taking responsibility for this? I don't think we should change GENERIC for it, but it should clearly be documented somewhere somehow. Thanks.