-------------------------------------------------------------------------------
From: FreeBSD bugmaster <owner-bugmaster@freebsd.org>
Date: Mon, 5 Jun 2006 11:03:07 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted     Tracker         Resp.      Description
-------------------------------------------------------------------------------
o [2005/06/15]  kern/82271      pf         [pf] cbq scheduler cause bad latency
f [2005/09/13]  kern/86072      pf         [pf] Packet Filter rule not working prope
o [2006/02/07]  kern/92949      pf         [pf] PF + ALTQ problems with latency
o [2006/02/18]  sparc64/93530   pf         Incorrect checksums when using pf's route
o [2006/02/25]  kern/93829      pf         [carp] pfsync state time problem with CAR

5 problems total.

Non-critical problems
S Submitted     Tracker         Resp.      Description
-------------------------------------------------------------------------------
o [2005/05/15]  conf/81042      pf         [pf] [patch] /etc/pf.os doesn't match Fre
o [2006/02/25]  kern/93825      pf         [pf] pf reply-to doesn't work
o [2006/04/21]  bin/96150       pf         pfctl(8) -k non-functional
o [2006/05/09]  kern/97057      pf         IPSEC + pf stateful filtering does not wo

4 problems total.

-------------------------------------------------------------------------------
From: David DeSimone <fox@verio.net>
Date: Mon, 5 Jun 2006 18:40:32 -0500
Subject: pfsync after reboot does not synchronize

I tried posting some messages about PF to the freebsd-net mailing list,
but they seemed to be ignored.  So I thought I would try sending my
questions here.

I am trying to figure out why pfsync does not seem to work correctly
when one of my cluster nodes reboots.

When I reboot one of the cluster members, the state tables do appear to
synchronize, sort of, and populate with some of the same connection
states, but not all of them.

That is, "pfctl -ss" on both cluster members will show a different number
of state entries.  Vastly different if the new member has only been up
for a minute or two.

In particular, long-lived, extant connections (such as IRC server
connections) seem to never show up in the rebooted member's state table,
even though the connections continue to update their state on the
current carp master.

I figured that doing ifconfig down/up would send some sort of "full
sync" message between the two members, to cause the entire state table
to be sent in bulk.  Eventually I learned that the method to do this is
to use "ifconfig syncdev" to force a bulk update:

    ifconfig pfsync0 syncdev fxp0  # $pfsync_syncdev

When I perform the above command, I see the following debug output (when
PF is configured at "misc" or "loud" debug level):

On the cluster member receiving the requests:

    pfsync: received bulk update request
    pfsync: received bulk update request
    pfsync: received bulk update request
    pfsync: received bulk update request
    pfsync: received bulk update request
    pfsync: received bulk update request
    pfsync: received bulk update request
    pfsync: received bulk update request
    pfsync: received bulk update request
    pfsync: received bulk update request
    pfsync: received bulk update request
    pfsync: received bulk update request
    pfsync: received bulk update request

On the cluster member making the request (where syncdev was just
ifconfig'd):

    pfsync: requesting bulk update
    pfsync: received bulk update start
    pfsync: received bulk update start
    pfsync: received bulk update start
    pfsync: received bulk update start
    pfsync: received bulk update start
    pfsync: received bulk update start
    pfsync: received bulk update start
    pfsync: received bulk update start
    pfsync: received bulk update start
    pfsync: received bulk update start
    pfsync: received bulk update start
    pfsync: received bulk update start
    pfsync: received bulk update start
    pfsync: failed to receive bulk update status

After performing this manual action, I find the state table is much
better populated, and the two firewalls appear to be synchronized.
However, the messages above bother me.  It looks to me like the cluster
member making the request repeats it over and over again, and finally
gives up after PFSYNC_MAX_BULKTRIES (12) attempts.  Shouldn't that be
something that only happens in exceptional conditions?  Yet, I can make
it happen every time, even on a test cluster with no traffic (and thus
an almost empty state table).

Does anyone have any insight as to why I see these problems?

  1. Why does pfsync synchronize the state tables when I use the
     "ifconfig syncdev" trick to force a bulk update, yet it does
     not do this when the system is booting up?

  2. Why does pfsync keep repeating the bulk update request and then give
     up?  What message is not getting through?

The two cluster members have a direct cross-cable between them.  My PF
policy has these settings:

    set skip on pfsync0

    pass quick on fxp0 proto pfsync  # $pfsync_syncdev

--
David DeSimone == Network Admin == fox@verio.net
  "It took me fifteen years to discover that I had no talent for
   writing, but I couldn't give it up because by that time I was too
   famous.  -- Robert Benchley

-------------------------------------------------------------------------------
From: Scott Ullrich <sullrich@gmail.com>
Date: Mon, 5 Jun 2006 21:18:07 -0400
Subject: Re: pfsync after reboot does not synchronize

On 6/5/06, David DeSimone <fox@verio.net> wrote:
> I am trying to figure out why pfsync does not seem to work correctly
> when one of my cluster nodes reboots.
>
> When I reboot one of the cluster members, the state tables do appear to
> synchronize, sort of, and populate with some of the same connection
> states, but not all of them.
> [...]
> Eventually I learned that the method to do this is
> to use "ifconfig syncdev" to force a bulk update:
>
>     ifconfig pfsync0 syncdev fxp0  # $pfsync_syncdev
> [...]
> It looks to me like the cluster
> member making the request repeats it over and over again, and finally
> gives up after PFSYNC_MAX_BULKTRIES (12) attempts.  Shouldn't that be
> something that only happens in exceptional conditions?  Yet, I can make
> it happen every time, even on a test cluster with no traffic (and thus
> an almost empty state table).
>
> Does anyone have any insight as to why I see these problems?
>
> 1. Why does pfsync synchronize the state tables when I use the
>    "ifconfig syncdev" trick to force a bulk update, yet it does
>    not do this when the system is booting up?
>
> 2. Why does pfsync keep repeating the bulk update request and then give
>    up?  What message is not getting through?
>
> The two cluster members have a direct cross-cable between them.  My PF
> policy has these settings:
>
>     set skip on pfsync0
>
>     pass quick on fxp0 proto pfsync  # $pfsync_syncdev

I have also seen this problem with pfSense.  To get around the problem
I set the advskew to 200 on the host and wait 30 seconds to give
everything time to sync.  I am really not sure what is causing it but
it may be related to the pfsync hold down timer?

At any rate we worked around the problem and I wanted to readdress it
after our 1.0 release.  I am glad someone else is also seeing the
problem.

Let me know if anyone needs more information.

Scott

-------------------------------------------------------------------------------
From: Kian Mohageri <kian.mohageri@gmail.com>
Date: Mon, 5 Jun 2006 18:28:25 -0700
Subject: Re: pfsync after reboot does not synchronize

> 1. Why does pfsync synchronize the state tables when I use the
>    "ifconfig syncdev" trick to force a bulk update, yet it does
>    not do this when the system is booting up?

What does your rc.conf look like?

> 2. Why does pfsync keep repeating the bulk update request and then give
>    up?  What message is not getting through?

Are you running the same versions of everything on all nodes?
Different versions of pfsync can sometimes not keep state with each
other (3.8 -> 3.9 comes to mind).

> The two cluster members have a direct cross-cable between them.  My PF
> policy has these settings:
>
>     set skip on pfsync0
>
>     pass quick on fxp0 proto pfsync  # $pfsync_syncdev

Won't fix your problem, but if you 'set skip' on that interface, you
don't need to 'pass quick' as filtering isn't applied.

Kian
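As an added example (not code from the thread or from FreeBSD), here is a small POSIX shell check that reads pfsync debug lines of the kind David posted above and classifies the bulk-update attempt: how many times the requesting node restarted, and whether the attempt ended in a received status (success) or in "failed to receive bulk update status" (gave up). The two sample logs are constructed inline in the shape of the thread's output; the retry count of 12 (PFSYNC_MAX_BULKTRIES) is the thread's figure, and running the same filter over dmesg output on a live node is an assumed use, not something the thread describes.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: summarise a pfsync
# bulk-update attempt from the kernel debug lines that David posted above
# (printed at "misc"/"loud" debug level, e.g. after "pfctl -x misc").
# A healthy attempt is one "requesting bulk update", one "received bulk
# update start" and one "received bulk update status".  Repeated "start"
# lines mean the requester is retrying; "failed to receive bulk update
# status" means it gave up after PFSYNC_MAX_BULKTRIES (12 in the thread).

# Constructed sample log of the requesting node, shaped like the thread's
# output: 1 request, 13 starts (initial try + 12 retries), then the failure.
sample_requester_log() {
    echo "pfsync: requesting bulk update"
    i=0
    while [ "$i" -lt 13 ]; do
        echo "pfsync: received bulk update start"
        i=$((i + 1))
    done
    echo "pfsync: failed to receive bulk update status"
}

# Constructed sample of what a successful attempt looks like.
sample_healthy_log() {
    echo "pfsync: requesting bulk update"
    echo "pfsync: received bulk update start"
    echo "pfsync: received bulk update status"
}

# pfsync_bulk_summary: read debug lines on stdin, print one line
#   requests=<n> starts=<n> retries=<n> verdict=<ok|failed|pending>
# "requests" counts the receiving side's "received bulk update request";
# "retries" is the number of "start" lines beyond the first.
pfsync_bulk_summary() {
    awk '
        /pfsync: received bulk update request/         { requests++ }
        /pfsync: received bulk update start/           { starts++ }
        /pfsync: received bulk update status/          { verdict = "ok" }
        /pfsync: failed to receive bulk update status/ { verdict = "failed" }
        END {
            if (verdict == "") verdict = "pending"
            retries = (starts > 0) ? starts - 1 : 0
            printf "requests=%d starts=%d retries=%d verdict=%s\n", requests + 0, starts + 0, retries, verdict
        }'
}

# bulk_update_ok: exit 0 when the log on stdin shows a completed bulk
# update, 1 otherwise; usable as a monitoring check over dmesg output.
bulk_update_ok() {
    case "$(pfsync_bulk_summary)" in
        *"verdict=ok"*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Stand-alone run: summarise both constructed samples.
sample_requester_log | pfsync_bulk_summary
sample_healthy_log   | pfsync_bulk_summary
```

On a node, running the same summary over dmesg after "ifconfig pfsync0 syncdev fxp0" tells you whether the bulk update actually completed, which comparing "pfctl -ss" counts by eye does not; a verdict of failed with 12 retries is exactly the pattern in the thread and is worth alerting on rather than treating as normal.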
-------------------------------------------------------------------------------
From: David DeSimone <fox@verio.net>
Date: Mon, 5 Jun 2006 23:10:01 -0500
Subject: Re: pfsync after reboot does not synchronize

Kian Mohageri <kian.mohageri@gmail.com> wrote:
>
> > Why does pfsync synchronize the state tables when I use the
> > "ifconfig syncdev" trick to force a bulk update, yet it does
> > not do this when the system is booting up?
>
> What does your rc.conf look like?

    gateway_enable="YES"
    pf_enable="YES"
    pf_rules="/usr/local/etc/pf.conf"
    pflog_enable="YES"
    pfsync_enable="YES"
    pfsync_syncdev="fxp0"
    defaultrouter="192.168.40.254"
    cloned_interfaces="carp0 carp1"
    ifconfig_dc0="inet 192.168.40.231 netmask 255.255.255.224"
    ifconfig_dc1="inet 172.16.30.2 netmask 255.255.255.0"
    ifconfig_fxp0="up"
    ifconfig_carp0="inet 192.168.40.230 netmask 255.255.255.224 vhid 230"
    ifconfig_carp1="inet 172.16.30.1 netmask 255.255.255.0 vhid 11"

As you can see, no IP is put on the sync interface; it is merely
configured up.  Auto-negotiation succeeds on both ends of the cross
cable:

    media: Ethernet autoselect (100baseTX )

> > Why does pfsync keep repeating the bulk update request and then give
> > up?  What message is not getting through?
>
> Are you running the same versions of everything on all nodes?
> Different versions of pfsync can sometimes not keep state with
> each other (3.8 -> 3.9 comes to mind).

Both are FreeBSD 6.0-RELEASE cloned from the same disk.

> >     set skip on pfsync0
> >
> >     pass quick on fxp0 proto pfsync  # $pfsync_syncdev
>
> Won't fix your problem, but if you 'set skip' on that interface, you
> don't need to 'pass quick' as filtering isn't applied.

Note that the "set skip" is on the pfsync0 pseudo interface, while the
"pass quick" is on the actual fxp0 interface.

Is there a protocol other than pfsync that should be permitted on that
interface?  I didn't expect I'd see any other protocol there, so I
didn't bother to allow anything else.

--
David DeSimone == Network Admin == fox@verio.net
  "It took me fifteen years to discover that I had no talent for
   writing, but I couldn't give it up because by that time I was too
   famous.  -- Robert Benchley

-------------------------------------------------------------------------------
From: Kian Mohageri <kian.mohageri@gmail.com>
Date: Tue, 6 Jun 2006 03:12:43 -0700
Subject: Re: pfsync after reboot does not synchronize

> As you can see, no IP is put on the sync interface; it is merely
> configured up.  Auto-negotiation succeeds on both ends of the cross
> cable:

All the examples I've seen give the syncdev an IP address, my setup
included.  I'd try that.

It's strange that it works partially without having done that, though.
Maybe someone with more pfsync knowledge could explain why for me?  I'd
imagine it has something to do with sending out via multicast.

http://www.benzedrine.cx/pf/msg04781.html

> Note that the "set skip" is on the pfsync0 pseudo interface, while the
> "pass quick" is on the actual fxp0 interface.

My apologies, I misread that :)

> Is there a protocol other than pfsync that should be permitted on that
> interface?  I didn't expect I'd see any other protocol there, so I
> didn't bother to allow anything else.

You don't need anything other than pfsync to pass on fxp0 for this to
work.

Kian

-------------------------------------------------------------------------------
From: Gleb Smirnoff <glebius@FreeBSD.org>
Date: Wed, 7 Jun 2006 10:29:53 GMT
Subject: Re: kern/93829: [carp] pfsync state time problem with CARP + Arp.Balance

Synopsis: [carp] pfsync state time problem with CARP + Arp.Balance

State-Changed-From-To: open->patched
State-Changed-By: glebius
State-Changed-When: Wed Jun 7 10:28:13 UTC 2006
State-Changed-Why:
I have documented why this setup can't work in carp(4).

Responsible-Changed-From-To: freebsd-pf->glebius
Responsible-Changed-By: glebius
Responsible-Changed-When: Wed Jun 7 10:28:13 UTC 2006
Responsible-Changed-Why:
I have documented why this setup can't work in carp(4).
http://www.freebsd.org/cgi/query-pr.cgi?pr=93829

-------------------------------------------------------------------------------
From: Philippe Pegon <Philippe.Pegon@crc.u-strasbg.fr>
Date: Wed, 07 Jun 2006 18:43:31 +0200
Subject: carp with IPv6 broken on 6.1

Hi,

it seems that carp is really broken on FreeBSD 6.1 when an inet6
address is configured on a carp interface.  Other persons observed the
same symptoms.  I filed a PR: kern/98622

thanks
--
Philippe Pegon

-------------------------------------------------------------------------------
From: Ali Faiez Taha <aftaha@cirp.usp.br>
Organization: Centro de Informática - USP - Ribeirão Preto
Date: Wed, 07 Jun 2006 15:39:47 -0300
Subject: How to setup a simple firewall

What do I need to allow simple clients (with Internet Explorer browsers,
IP 192.168.0.X) to access all FTP servers on the net?  Any special
rules?

I am using a simple firewall (with a valid IP) with FreeBSD and PF.
                  |
               Internet
                  |
                 ( )
          Firewall (fixed IP)
                  |
                  |
    --------------|---------------------
    |   |   |   |   |   |   |   |   |     net 192.168.0.X
    *   *   *   *   *   *   *   *   *     intranet

-------------------------------------------------------------------------------
From: Mark Morley <mark@islandnet.com>
Date: Wed, 7 Jun 2006 16:25:37 -0700
To: freebsd-pf@freebsd.org, freebsd-stable@freebsd.org
Subject: pf buggy on 6.1-STABLE?

Hi folks,

Wondering if this rings any bells for anyone:

After upgrading a handful of web servers from FreeBSD 4.11 with ipfw
to 6.1-STABLE with pf, customers started reporting that occasionally
their server side scripts would fail to connect to the SQL servers
(which are still 4.11 and are attached via a separate dedicated
gigabit network).

A test page that makes 10,000 rapid SQL connections which connected 100%
of the time before, now will usually see anywhere from one or two failed
connections to a dozen or so (per 10,000).

After trying many other things first, we finally found that 'pf' seems
to be the culprit.

Disabling pf with pfctl -d allows 100% of all connections to work, and
as soon as we enable it we see connection failures again.

I've tried changing the pf rule set in different ways, with and without
scrubbing, with and without queues, even to the point where I have a single
rule that just allows everything.  It doesn't seem to matter what the rules
actually are, just whether or not pf is enabled.

I recompiled the kernel with pf disabled and ipfw enabled, and it works
fine with 100% successful connections.  We have no funky compiler options
or anything like that.

Any thoughts?

Mark

--
Mark Morley
Owner / Administrator
Islandnet.com
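Before rewriting rules, a defender would first check whether pf's state table is hitting its hard limit: once pf is enabled it keeps a state entry for every stateful connection, and when the table is full it cannot create a state for the next new connection and drops the packet that would have created it, however permissive the rules are. The default hard limit is 10,000 states, raised with "set limit states" in pf.conf. The POSIX shell check below is an added example rather than code from the thread: it parses "pfctl -sm" (memory limits) and "pfctl -si" (state table counters) into a usage percentage. Both command outputs are constructed samples in the shape those commands print, not captures from Mark's servers, and the 80% warning threshold is the example's own choice.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: measure how full
# pf's state table is.  pf's default hard limit is 10000 states ("set limit
# states" in pf.conf); once it is reached, pf cannot create a state for a
# new connection on a stateful rule and drops that packet, however
# permissive the rules are.  The samples below are constructed in the shape
# "pfctl -sm" and "pfctl -si" print; they are not from Mark's servers.

# Constructed "pfctl -sm" output: the hard limits in force.
SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# Constructed "pfctl -si" output: the state table counters.
SAMPLE_SI='Status: Enabled for 3 days 02:11:09           Debug: Urgent

State Table                          Total             Rate
  current entries                     9987
  searches                       873452919          3354.9/s
  inserts                         12345678            47.4/s
  removals                        12335691            47.3/s'

# state_hard_limit: "pfctl -sm" on stdin -> the states hard limit
state_hard_limit() {
    awk '$1 == "states" && $2 == "hard" && $3 == "limit" { print $4 }'
}

# current_states: "pfctl -si" on stdin -> current number of state entries
current_states() {
    awk '$1 == "current" && $2 == "entries" { print $3 }'
}

# state_usage_pct LIMIT ENTRIES -> integer percentage of the limit in use
state_usage_pct() {
    echo $(( $2 * 100 / $1 ))
}

# check_state_table LIMIT ENTRIES [THRESHOLD_PCT]
# Prints a verdict.  Returns 0 when usage is below the threshold (default
# 80%), 1 when it is at or above it, 2 when the inputs could not be parsed
# (e.g. pfctl output in an unexpected format, or an empty value).
check_state_table() {
    limit=$1; entries=$2; threshold=${3:-80}
    for n in "$limit" "$entries"; do
        case "$n" in
            ''|*[!0-9]*) echo "ERROR: could not parse pfctl output" >&2; return 2 ;;
        esac
    done
    if [ "$limit" -eq 0 ]; then
        echo "ERROR: zero state limit" >&2
        return 2
    fi
    pct=$(state_usage_pct "$limit" "$entries")
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARN: $entries/$limit states in use ($pct%); raise 'set limit states' in pf.conf"
        return 1
    fi
    echo "OK: $entries/$limit states in use ($pct%)"
    return 0
}

# Stand-alone run over the constructed samples.  On a live host the same
# check reads the real commands:
#   check_state_table "$(pfctl -sm | state_hard_limit)" "$(pfctl -si | current_states)"
lim=$(printf '%s\n' "$SAMPLE_SM" | state_hard_limit)
cur=$(printf '%s\n' "$SAMPLE_SI" | current_states)
check_state_table "$lim" "$cur" || :
```

With the constructed counters the check reports 9987 of 10000 states in use and warns; the same script run periodically on the web servers would show whether the intermittent SQL connection failures line up with the table being at its limit, which is a far cheaper first step than rewriting or disabling the ruleset.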
SMTP id s7mr373268wrc; Wed, 07 Jun 2006 20:49:25 -0700 (PDT) Received: by 10.54.126.19 with HTTP; Wed, 7 Jun 2006 20:51:55 -0700 (PDT) Message-ID: Date: Wed, 7 Jun 2006 23:51:55 -0400 From: "Scott Ullrich" To: "Mark Morley" In-Reply-To: <44876071-491e@helpdesk.islandnet.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <44876071-491e@helpdesk.islandnet.com> Cc: freebsd-pf@freebsd.org Subject: Re: pf buggy on 6.1-STABLE? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jun 2006 06:35:31 -0000 On 6/7/06, Mark Morley wrote: > Hi folks, > > Wondering if this rings any bells for anyone: > > After upgrading a handful of web servers from FreeBSD 4.11 with ipfw > to 6.1-STABLE with pf, customers started reporting that occasionally > their server side scripts would fail to connect to the SQL servers > (which are still 4.11 and are attached via a separate dedicated > gigabit network). > > A test page that makes 10,000 rapid SQL connections which connected 100% > of the time before, now will usually see anywhere from one or two failed > connections to a dozen or so (per 10,000) > > After trying many other things first, we finally found that 'pf' seems > to be the culprit. > > Disabling pf with pfctl -d allows 100% of all connections to work, and > as soon as we enable it we see connection failures again. > > I've tried changing the pf rule set in different ways, with and without > scrubbing, with and without queues, even to the point where I have a single > rule that just allows everything. It doesn't seem to matter what the rules > actually are, just whether or not pf is enabled. 
> > I recompiled the kernel with pf disabled and ipfw enabled, and it works > fine with 100% successful connections. We have no funky compiler options > or anything like that. > > Any thoughts? Did you increase the default state count from 10,000 to something higher? Add this to your pf.conf: set limit states 100000 Scott From owner-freebsd-pf@FreeBSD.ORG Thu Jun 8 06:48:20 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9B3A016F903; Thu, 8 Jun 2006 04:13:19 +0000 (UTC) (envelope-from davidn@datalinktech.com.au) Received: from mail-ihug.icp-qv1-irony5.iinet.net.au (ihug-mail.icp-qv1-irony5.iinet.net.au [203.59.1.199]) by mx1.FreeBSD.org (Postfix) with ESMTP id A837F43D45; Thu, 8 Jun 2006 04:13:17 +0000 (GMT) (envelope-from davidn@datalinktech.com.au) Received: from 203-206-162-119.perm.iinet.net.au (HELO mail.datalinktech.com.au) ([203.206.162.119]) by mail-ihug.icp-qv1-irony5.iinet.net.au with ESMTP; 08 Jun 2006 12:13:14 +0800 X-BrightmailFiltered: true X-Brightmail-Tracker: AAAAAA== X-IronPort-AV: i="4.05,218,1146412800"; d="scan'208"; a="791918994:sNHT88379244" Received: from [192.168.4.232] ([192.168.4.232]) by mail.datalinktech.com.au with esmtp; Thu, 08 Jun 2006 14:13:12 +1000 id 0018D8D9.4487A3D8.0000953F Message-ID: <4487A3C9.9010704@datalinktech.com.au> Date: Thu, 08 Jun 2006 14:12:57 +1000 From: David Nugent User-Agent: Thunderbird 1.5.0.2 (X11/20060516) MIME-Version: 1.0 To: Mark Morley References: <44876071-491e@helpdesk.islandnet.com> In-Reply-To: <44876071-491e@helpdesk.islandnet.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org Subject: Re: pf buggy on 6.1-STABLE? 
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jun 2006 06:48:20 -0000 Mark Morley wrote: > Wondering if this rings any bells for anyone: > Yes it does... I had been seeing similar issues for some time on a couple HP Proliant servers - saw it in 5.4 as well - but have been attributing this to driver related issues (the bge driver in particular, which has seen many changes, fixes and enhancements in relatively recent history). In trying to isolate that particular problem I had been applying kernel updates regularly, pf was disabled along with a few other things (also switched from using mpd/netgraph to openvpn/udp), and the problem vanished at some point in between. I cannot definitely name pf as being the culprit as no testing of this was done at the time to confirm it. I had assumed the bge driver changes were responsible for things now working as they should. In addition to the occasional connection failure, I've also seen established connections broken (ssh, http, mysql/ssl and pptp/gre). This was causing havoc with mysql replication over the link, which became very brittle, and required manual fixing (it would get stuck, unable to read the last event in its relay log whenever a disconnection occurred and had to be manually pushed onto the next - mysql 5.0.[3 - .11 or so]). 
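Scott's suggestion above, that the default limit of 10,000 state entries is being hit, can be checked rather than guessed: pfctl -si prints the state table's "current entries" row and a set of drop counters (state-limit, state-mismatch, memory, state-insert), all cumulative since pf was enabled, so two snapshots taken before and after the 10,000-connection test show exactly which counter moved. The script below is an added example for this thread, not code posted by Scott, Mark or anyone else in it. The two snapshots embedded in it are constructed to resemble FreeBSD 6.x "pfctl -s info" output with invented numbers; the 10,000 figure is pf's documented default for "set limit states", and the file name pfdiff.py is an assumption.

```python
"""Compare two pfctl -si snapshots and report which pf counters moved.

Added example for this thread, not code from any of the posters.  The
snapshot text below is constructed to resemble FreeBSD 6.x "pfctl -s info"
output with invented numbers; 10,000 is pf's documented default for
"set limit states".  Real use (the file name pfdiff.py is an assumption):
    pfctl -si > before.txt; <run the test>; pfctl -si > after.txt
    python3 pfdiff.py before.txt after.txt
"""
import re
import sys

# Counters that mean pf itself discarded packets, with the usual cause.
DROP_COUNTERS = {
    "state-limit": "state table full; raise 'set limit states' in pf.conf",
    "state-mismatch": "packet did not fit an existing state, e.g. a reused "
                      "source port hit a closed state that had not expired",
    "memory": "pf could not allocate memory for a new state",
    "state-insert": "state could not be inserted (duplicate state key)",
}

# Rows like "  state-limit   7   0.0/s" or "  current entries   312".  Section
# headers and per-interface rows (capitalised, two columns) do not match.
ROW_RE = re.compile(r"^\s*([a-z][a-z -]*?)\s{2,}(\d+)(?:\s+[\d.]+/s)?\s*$")

# Constructed template; several all-zero rows of real output are omitted.
SNAPSHOT = """\
Status: Enabled for 0 days 00:12:05           Debug: Urgent

State Table                          Total             Rate
  current entries                 {cur:>8}
  searches                        {searches:>8}          254.1/s
  inserts                         {inserts:>8}           28.1/s
  removals                        {removals:>8}           27.7/s
Counters
  match                           {inserts:>8}           28.1/s
  bad-offset                             0            0.0/s
  memory                                 0            0.0/s
  state-mismatch                  {mismatch:>8}            0.0/s
  state-insert                           0            0.0/s
  state-limit                     {limit:>8}            0.0/s
"""
# Before: an idle box.  After: 10,000 rapid connections have pinned the
# table at the default limit and pf has started counting state-limit drops.
BEFORE = SNAPSHOT.format(cur=312, searches=184233, inserts=20412,
                         removals=20100, mismatch=3, limit=0)
AFTER = SNAPSHOT.format(cur=10000, searches=304233, inserts=30405,
                        removals=20405, mismatch=3, limit=7)


def parse_pfctl_info(text):
    """Return {row name: value} for the numeric rows of a pfctl -si dump."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[m.group(1).strip()] = int(m.group(2))
    return rows


def increased(before, after):
    """Rows that grew between the two snapshots, as {name: delta}."""
    return {k: after[k] - before[k]
            for k in after if k in before and after[k] > before[k]}


def diagnose(before_text, after_text, state_limit=10000):
    """Explain failures seen between two snapshots.  pf counters are
    cumulative since pf was enabled, so only the deltas are meaningful."""
    before = parse_pfctl_info(before_text)
    after = parse_pfctl_info(after_text)
    delta = increased(before, after)
    drops = {k: v for k, v in delta.items() if k in DROP_COUNTERS}
    peak = max(before.get("current entries", 0), after.get("current entries", 0))
    occupancy = peak / state_limit
    if "state-limit" in drops:
        verdict = "state table full: " + DROP_COUNTERS["state-limit"]
    elif "state-mismatch" in drops:
        verdict = "state mismatch: " + DROP_COUNTERS["state-mismatch"]
    elif drops:
        verdict = "pf dropped packets: " + ", ".join(sorted(drops))
    elif occupancy >= 0.9:
        verdict = "no drops yet, but the state table is within 10% of its limit"
    else:
        verdict = "no pf drop counter moved; look for the cause outside pf"
    return {"delta": delta, "drops": drops, "occupancy": occupancy,
            "verdict": verdict}


def main(argv):
    # Diff two saved dumps, or the constructed sample when none are given.
    if len(argv) == 3:
        with open(argv[1]) as f1, open(argv[2]) as f2:
            before_text, after_text = f1.read(), f2.read()
    else:
        before_text, after_text = BEFORE, AFTER
    result = diagnose(before_text, after_text)
    for name, delta in sorted(result["delta"].items()):
        print(f"{name:<18} +{delta}")
    print(f"peak state table occupancy: {result['occupancy']:.0%}")
    print("verdict:", result["verdict"])


if __name__ == "__main__":
    main(sys.argv)
```

Take the "before" snapshot with pf enabled and the ruleset under test already loaded, run the burst, and take the "after" snapshot immediately: closed TCP states linger for the tcp.closed timeout (90 seconds by default), so "current entries" falls back once they expire and a late snapshot hides the peak. The script works on deltas only because every pfctl -si counter is cumulative; a single snapshot cannot distinguish an old failure from one caused by the test you just ran.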
From owner-freebsd-pf@FreeBSD.ORG Thu Jun 8 07:20:15 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B3B9316CA2B; Thu, 8 Jun 2006 04:43:27 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6C33943D5E; Thu, 8 Jun 2006 04:43:24 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1]) by insomnia.benzedrine.cx (8.13.4/8.13.4) with ESMTP id k584hL5Y011457 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Thu, 8 Jun 2006 06:43:21 +0200 (MEST) Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.13.4/8.12.10/Submit) id k584hKIR012155; Thu, 8 Jun 2006 06:43:20 +0200 (MEST) Date: Thu, 8 Jun 2006 06:43:20 +0200 From: Daniel Hartmeier To: Mark Morley Message-ID: <20060608044320.GC23685@insomnia.benzedrine.cx> References: <44876071-491e@helpdesk.islandnet.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <44876071-491e@helpdesk.islandnet.com> User-Agent: Mutt/1.5.10i Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org Subject: Re: pf buggy on 6.1-STABLE? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jun 2006 07:20:26 -0000 On Wed, Jun 07, 2006 at 04:25:37PM -0700, Mark Morley wrote: > Disabling pf with pfctl -d allows 100% of all connections to work, and > as soon as we enable it we see connection failures again. 
> > I've tried changing the pf rule set in different ways, with and without > scrubbing, with and without queues, even to the point where I have a single > rule that just allows everything. It doesn't seem to matter what the rules > actually are, just whether or not pf is enabled. Was that single pass rule using 'keep state'? There is a default limit of 10,000 state entries (configurable with 'set limit states' in pf.conf). A state entry persists for several seconds even after a connection is closed, so quickly establishing 10,000 connections could easily hit that limit. Enable pf and load an empty ruleset (pfctl -e -Fa). Note the output of pfctl -si . Then repeat the test. Then run pfctl -si again, and compare the output with the previous one. Are any counters increasing? Daniel From owner-freebsd-pf@FreeBSD.ORG Thu Jun 8 08:07:27 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9B38016ED74 for ; Thu, 8 Jun 2006 05:41:33 +0000 (UTC) (envelope-from clsung@FreeBSD.csie.nctu.edu.tw) Received: from FreeBSD.csie.nctu.edu.tw (freebsd.csie.nctu.edu.tw [140.113.17.209]) by mx1.FreeBSD.org (Postfix) with ESMTP id A74C743D4C for ; Thu, 8 Jun 2006 05:41:27 +0000 (GMT) (envelope-from clsung@FreeBSD.csie.nctu.edu.tw) Received: from localhost (localhost.csie.nctu.edu.tw [127.0.0.1]) by FreeBSD.csie.nctu.edu.tw (Postfix) with ESMTP id 73A857EA54; Thu, 8 Jun 2006 13:42:29 +0800 (CST) Received: from FreeBSD.csie.nctu.edu.tw ([127.0.0.1]) by localhost (FreeBSD.csie.nctu.edu.tw [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DtzX8AGjGSqc; Thu, 8 Jun 2006 13:42:28 +0800 (CST) Received: by FreeBSD.csie.nctu.edu.tw (Postfix, from userid 1038) id E17397EA56; Thu, 8 Jun 2006 13:42:28 +0800 (CST) Date: Thu, 8 Jun 2006 13:42:28 +0800 From: Cheng-Lung Sung To: Ali Faiez Taha Message-ID: 
<20060608054228.GA52575@FreeBSD.csie.nctu.edu.tw> References: <44871D73.2040602@cirp.usp.br> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="ZPt4rx8FFjLCG7dd" Content-Disposition: inline In-Reply-To: <44871D73.2040602@cirp.usp.br> X-Fingerprint: E0BC 57F9 F44B 46C6 DB53 8462 F807 89F3 956E 8BC1 X-Public-Key: http://sungsung.dragon2.net/pubring.asc User-Agent: Mutt/1.5.11 Cc: freebsd-pf@freebsd.org Subject: Re: How to setup a simple firewall X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jun 2006 08:07:28 -0000 I think this URL is sufficient http://www.openbsd.org/faq/pf/macros.html On Wed, Jun 07, 2006 at 03:39:47PM -0300, Ali Faiez Taha wrote: > What I need to allow simple clients (with Internet Explorer Browsers, IP > 192.168.0.X) to access all FTP server on the net ? > > Any special rules ??? > > I am using a simple Firewall (with valid IP) with FreeBSD and PF . 
> > > > | Internet > | > ( ) Firewall (fixed IP) > | > | > --------------|--------------------- > | | | | | | | | | net 192.168.0.X > * * * * * * * * * intranet > > > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" -- Cheng-Lung Sung - clsung@ From owner-freebsd-pf@FreeBSD.ORG Thu Jun 8 08:43:48 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 03DCD16AB1C; Thu, 8 Jun 2006 06:50:03 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net) Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.112.4.54]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8A92343D45; Thu, 8 Jun 2006 06:50:03 +0000 (GMT) (envelope-from Greg.Hennessy@nviz.net) Received: from gw2.local.net (unknown [62.3.210.253]) by smtp.nildram.co.uk (Postfix) with ESMTP id 3F380338D82; Thu, 8 Jun 2006 07:45:27 +0100 (BST) From: "Greg Hennessy" To: "'Mark Morley'" , , Date: Thu, 8 Jun 2006 07:45:27 +0100 Keywords: freebsd-pf Message-ID: <000401c68ac7$204fe630$0a00a8c0@thebeast> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 11 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869 Thread-Index: AcaKsDG9oQtRIaxhTjqAH+Mzd8F96wAFnvYg In-Reply-To: <44876071-491e@helpdesk.islandnet.com> X-OriginalArrivalTime: 08 Jun 2006 06:45:27.0187 (UTC) FILETIME=[204FE630:01C68AC7] Cc: Subject: RE: pf buggy on 6.1-STABLE? 
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jun 2006 08:43:50 -0000 > A test page that makes 10,000 rapid SQL connections which > connected 100% of the time before, now will usually see > anywhere from one or two failed connections to a dozen or so > (per 10,000) Have you kept track of state table entries during this process with pfctl -si? You may find that you need to increase set limit states from the default as a consequence. Greg From owner-freebsd-pf@FreeBSD.ORG Thu Jun 8 09:06:25 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7885416B4BE for ; Thu, 8 Jun 2006 06:48:15 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net) Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.112.4.54]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1042743D48 for ; Thu, 8 Jun 2006 06:48:14 +0000 (GMT) (envelope-from Greg.Hennessy@nviz.net) Received: from gw2.local.net (unknown [62.3.210.251]) by smtp.nildram.co.uk (Postfix) with ESMTP id 817E7336095 for ; Thu, 8 Jun 2006 07:41:44 +0100 (BST) From: "Greg Hennessy" To: , Date: Thu, 8 Jun 2006 07:41:44 +0100 Keywords: freebsd-pf Message-ID: <000301c68ac6$9b64ccb0$0a00a8c0@thebeast> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 11 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869 Thread-Index: AcaKhkVTWEzrSIlDRL2gphiMPfMDMgAP9W5g In-Reply-To: <44871D73.2040602@cirp.usp.br> X-OriginalArrivalTime: 08 Jun 2006 06:41:44.0218 (UTC) FILETIME=[9B6987A0:01C68AC6] Cc: Subject: RE: How to setup a simple firewall X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: 
list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jun 2006 09:06:38 -0000 Everything you need to know here http://www.openbsd.org/faq/pf/index.html and even more here http://www.bgnett.no/~peter/pf/en/ > -----Original Message----- > From: owner-freebsd-pf@freebsd.org > [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Ali Faiez Taha > Sent: 07 June 2006 19:40 > To: freebsd-pf@freebsd.org > Subject: How to setup a simple firewall > > What I need to allow simple clients (with Internet Explorer > Browsers, IP > 192.168.0.X) to access all FTP server on the net ? > > Any special rules ??? > > I am using a simple Firewall (with valid IP) with FreeBSD and PF . > > > > | Internet > | > ( ) Firewall (fixed IP) > | > | > --------------|--------------------- > | | | | | | | | | net 192.168.0.X > * * * * * * * * * intranet > > > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > > From owner-freebsd-pf@FreeBSD.ORG Thu Jun 8 09:07:32 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5F9E616E0AA; Thu, 8 Jun 2006 06:54:32 +0000 (UTC) (envelope-from phoemix@harmless.hu) Received: from marvin.harmless.hu (marvin.harmless.hu [195.56.55.204]) by mx1.FreeBSD.org (Postfix) with ESMTP id ADC2A43D45; Thu, 8 Jun 2006 06:54:31 +0000 (GMT) (envelope-from phoemix@harmless.hu) Received: from localhost (localhost [127.0.0.1]) by marvin (Postfix) with ESMTP id 7886B20001CC; Thu, 8 Jun 2006 08:54:29 +0200 (CEST) Received: from marvin.harmless.hu ([127.0.0.1]) by localhost (marvin [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 29193-01; Thu, 
8 Jun 2006 08:54:28 +0200 (CEST) Received: by marvin (Postfix, from userid 1000) id DC92820001C9; Thu, 8 Jun 2006 08:54:27 +0200 (CEST) Date: Thu, 8 Jun 2006 08:54:27 +0200 To: Mark Morley Message-ID: <20060608065427.GA7985@marvin.harmless.hu> References: <44876071-491e@helpdesk.islandnet.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="uAKRQypu60I7Lcqm" Content-Disposition: inline In-Reply-To: <44876071-491e@helpdesk.islandnet.com> User-Agent: Mutt/1.5.9i From: phoemix@harmless.hu (Gergely CZUCZY) X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at harmless.hu Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org Subject: Re: pf buggy on 6.1-STABLE? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jun 2006 09:07:35 -0000 On Wed, Jun 07, 2006 at 04:25:37PM -0700, Mark Morley wrote: > Hi folks, > > Wondering if this rings any bells for anyone: > > After upgrading a handful of web servers from FreeBSD 4.11 with ipfw > to 6.1-STABLE with pf, customers started reporting that occasionally > their server side scripts would fail to connect to the SQL servers > (which are still 4.11 and are attached via a separate dedicated > gigabit network). > > A test page that makes 10,000 rapid SQL connections which connected 100% > of the time before, now will usually see anywhere from one or two failed > connections to a dozen or so (per 10,000) > > After trying many other things first, we finally found that 'pf' seems > to be the culprit. 
> > Disabling pf with pfctl -d allows 100% of all connections to work, and > as soon as we enable it we see connection failures again. > > I've tried changing the pf rule set in different ways, with and without > scrubbing, with and without queues, even to the point where I have a single > rule that just allows everything. It doesn't seem to matter what the rules > actually are, just whether or not pf is enabled. > > I recompiled the kernel with pf disabled and ipfw enabled, and it works > fine with 100% successful connections. We have no funky compiler options > or anything like that. > > Any thoughts? Could you show us the following: - pf.conf - kernel configuration file - uname -a Next time please include technical information along with the textual description of your problem. Bye, Gergely Czuczy mailto: gergely.czuczy@harmless.hu PGP: http://phoemix.harmless.hu/phoemix.pgp Weenies test. Geniuses solve problems that arise. From owner-freebsd-pf@FreeBSD.ORG Thu Jun 8 09:40:54 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6C05816B9A2; Thu, 8 Jun 2006 07:42:08 +0000 (UTC) (envelope-from dimas@dataart.com) Received: from relay1.dataart.com (fobos.marketsite.ru [62.152.84.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id EC24243D48; Thu, 8 Jun 2006 07:42:07 +0000 (GMT) (envelope-from dimas@dataart.com) Received: from e1.universe.dart.spb ([192.168.10.44]) by relay1.dataart.com with esmtp (Exim 4.62) (envelope-from ) id 1FoF9Y-000NuX-Ts; Thu, 08 Jun 
2006 11:42:04 +0400 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable X-MimeOLE: Produced By Microsoft Exchange V6.5 Date: Thu, 8 Jun 2006 11:40:03 +0400 Message-ID: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: pf buggy on 6.1-STABLE? Thread-Index: AcaKrotDnhhRHNJfRkO9YIF7uqGNrgAHolEA From: "Dmitry Andrianov" To: "Mark Morley" , , Cc: Subject: RE: pf buggy on 6.1-STABLE? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jun 2006 09:40:59 -0000 Hi. I'm not sure it is related to your case but... I have seen a situation when an application used for load-testing a web server, running on an MS Windows box, failed to establish HTTP connections to the server. Investigation identified that this is due to the fact that Windows relatively quickly reuses source TCP port numbers for these outbound connections. I'm not sure if Microsoft violates the TCP standard with that or not. The fact is that pf keeps "closed" entries in the state table for 90 seconds and it still remembers the old source port when Windows sends a SYN from it trying to establish a new connection. As a result, pf considers that packet invalid and drops it. You can check pfctl -s info. In my case the state-mismatch counter was increasing for every failed connection. In any case, the output of that tool can be very useful to you - if you see one of the counters for dropped packets increasing, you will have an idea why. 
Regards, Dmitry Andrianov PS: my problem was solved adding following lines to pf.conf: # set short timeout for TCP closed state because Windows tends to reuse # the same outgoing port very quickly and pf starts refusing new connections # because of invalid state # (This occurs when load testing DMZ server from LAN) set timeout { tcp.closed 15 } -----Original Message----- From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Mark Morley Sent: Thursday, June 08, 2006 3:26 AM To: freebsd-pf@freebsd.org; freebsd-stable@freebsd.org Subject: pf buggy on 6.1-STABLE? Hi folks, Wondering if this rings any bells for anyone: After upgrading a handful of web servers from FreeBSD 4.11 with ipfw to 6.1-STABLE with pf, customers started reporting that occasionally their server side scripts would fail to connect to the SQL servers (which are still 4.11 and are attached via a separate dedicated gigabit network). A test page that makes 10,000 rapid SQL connections which connected 100% of the time before, now will usually see anywhere from one or two failed connections to a dozen or so (per 10,000) After trying many other things first, we finally found that 'pf' seems to be the culprit. Disabling pf with pfctl -d allows 100% of all connections to work, and as soon as we enable it we see connection failures again. I've tried changing the pf rule set in different ways, with and without scrubbing, with and without queues, even to the point where I have a single rule that just allows everything. It doesn't seem to matter what the rules actually are, just whether or not pf is enabled. I recompiled the kernel with pf disabled and ipfw enabled, and it works fine with 100% successful connections. We have no funky compiler options or anything like that. Any thoughts? 
Mark -- Mark Morley Owner / Administrator Islandnet.com _______________________________________________ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" From owner-freebsd-pf@FreeBSD.ORG Thu Jun 8 10:40:47 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5505416F6E4; Thu, 8 Jun 2006 09:12:00 +0000 (UTC) (envelope-from dom@helenmarks.co.uk) Received: from mail.goodforbusiness.co.uk (mail.goodforbusiness.co.uk [81.19.179.90]) by mx1.FreeBSD.org (Postfix) with ESMTP id C5FCA43D60; Thu, 8 Jun 2006 09:11:53 +0000 (GMT) (envelope-from dom@helenmarks.co.uk) Received: from localhost (localhost [127.0.0.1]) by mail.goodforbusiness.co.uk (Postfix) with ESMTP id 696DD11480; Thu, 8 Jun 2006 10:11:52 +0100 (BST) X-Virus-Scanned: mail.goodforbusiness.co.uk Received: from mail.goodforbusiness.co.uk ([127.0.0.1]) by localhost (mail.goodforbusiness.co.uk [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D3nxtSDg16-q; Thu, 8 Jun 2006 10:11:51 +0100 (BST) Received: from mail.helenmarks.co.uk (unknown [192.168.100.1]) by mail.goodforbusiness.co.uk (Postfix) with ESMTP id 9BB991147F; Thu, 8 Jun 2006 10:11:51 +0100 (BST) Received: from localhost (localhost [127.0.0.1]) by mail.helenmarks.co.uk (Postfix) with ESMTP id 50F2517095; Thu, 8 Jun 2006 10:11:51 +0100 (BST) X-Virus-Scanned: amavisd-new at helenmarks.co.uk Received: from mail.helenmarks.co.uk ([127.0.0.1]) by localhost (mail.helenmarks.co.uk [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kzL8OXqhJzH1; Thu, 8 Jun 2006 10:11:48 +0100 (BST) Received: by mail.helenmarks.co.uk (Postfix, from userid 80) id 4F1551704D; Thu, 8 Jun 2006 10:11:04 +0100 (BST) Received: from mailhost.graphdata.co.uk ([195.12.22.194]) (SquirrelMail authenticated user dom) by 
mail.helenmarks.co.uk with HTTP; Thu, 8 Jun 2006 10:11:04 +0100 (BST) Message-ID: <4459.195.12.22.194.1149757864.squirrel@mail.helenmarks.co.uk> In-Reply-To: <44876071-491e@helpdesk.islandnet.com> References: <44876071-491e@helpdesk.islandnet.com> Date: Thu, 8 Jun 2006 10:11:04 +0100 (BST) From: "Dominic Marks" To: "Mark Morley" User-Agent: SquirrelMail/1.4.6 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-15 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org Subject: Re: pf buggy on 6.1-STABLE? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jun 2006 10:41:18 -0000 Mark Morley wrote: > Hi folks, > > Wondering if this rings any bells for anyone: > > After upgrading a handful of web servers from FreeBSD 4.11 with ipfw > to 6.1-STABLE with pf, customers started reporting that occasionally > their server side scripts would fail to connect to the SQL servers > (which are still 4.11 and are attached via a separate dedicated > gigabit network). > > A test page that makes 10,000 rapid SQL connections which connected > 100% > of the time before, now will usually see anywhere from one or two > failed > connections to a dozen or so (per 10,000) > > After trying many other things first, we finally found that 'pf' seems > to be the culprit. I've experienced the same. If you have a lot of concurrent connections going on it seems that every so often a connection will be blocked, even if it doesn't match any rule. In my case I experienced this with apache22 acting as a reverse proxy/virtual host. Symptoms: 1. Sudden burst of traffic to a specific virtual host. 2. After some time, normally <30 seconds, one of the connection attempts is reset. 3. 
Apache immediately stops proxying for any subsequent connections and returns a 'too busy' message. The project this was related to got shelved so it hasn't bothered me again yet, but I didn't find any workaround. > Disabling pf with pfctl -d allows 100% of all connections to work, and > as soon as we enable it we see connection failures again. Snap. > I've tried changing the pf rule set in different ways, with and > without > scrubbing, with and without queues, even to the point where I have a > single > rule that just allows everything. It doesn't seem to matter what the > rules > actually are, just whether or not pf is enabled. Same as me. > I recompiled the kernel with pf disabled and ipfw enabled, and it > works > fine with 100% successful connections. We have no funky compiler > options > or anything like that. > > Any thoughts? > > Mark > > -- > Mark Morley > Owner / Administrator > Islandnet.com > > > _______________________________________________ > freebsd-stable@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to > "freebsd-stable-unsubscribe@freebsd.org" > Cheers, Dom From owner-freebsd-pf@FreeBSD.ORG Thu Jun 8 14:00:18 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A1D0016C0FF for ; Thu, 8 Jun 2006 11:44:51 +0000 (UTC) (envelope-from dimas@dataart.com) Received: from relay1.dataart.com (fobos.marketsite.ru [62.152.84.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 27DB243D49 for ; Thu, 8 Jun 2006 11:44:50 +0000 (GMT) (envelope-from dimas@dataart.com) Received: from e1.universe.dart.spb ([192.168.10.44]) by relay1.dataart.com with esmtp (Exim 4.62) (envelope-from ) id 1FoIwT-0001iF-7b for freebsd-pf@freebsd.org; Thu, 08 Jun 2006 15:44:49 +0400 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message 
MIME-Version: 1.0 Date: Thu, 8 Jun 2006 15:42:47 +0400 Message-ID: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Rules in anchor Thread-Index: AcaK8PJajLZJqVffSl2/vynP4wqdQw== From: "Dmitry Andrianov" To: Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Rules in anchor X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jun 2006 14:00:19 -0000 Hi. I just installed ftpsesame (http://www.sentia.org/projects/ftpsesame/). It watches FTP control connections for PORT/PASV commands and creates rules to allow the corresponding data connections. I start a long file transfer, the ftpsesame console output says it is allowing an incoming connection to my machine, the transfer really starts, but pfctl does not show any rules in the corresponding anchor. Or I'm using it improperly... root@host # pfctl -s Anchors ftpsesame root@host # pfctl -a ftpsesame -s rules root@host # On the other hand I know for sure the rule is really created because otherwise FTP active mode would not work. (And yes, if I stop ftpsesame, active mode stops working.) So either it is some kind of bug in pf/pfctl or I am missing something... 
Regards, Dmitry Andrianov PS: FreeBSD 6.0-RELEASE #0 From owner-freebsd-pf@FreeBSD.ORG Thu Jun 8 15:18:57 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B3FDD16CBFD for ; Thu, 8 Jun 2006 13:34:22 +0000 (UTC) (envelope-from cbuechler@gmail.com) Received: from wx-out-0102.google.com (wx-out-0102.google.com [66.249.82.203]) by mx1.FreeBSD.org (Postfix) with ESMTP id E214143D4C for ; Thu, 8 Jun 2006 13:34:21 +0000 (GMT) (envelope-from cbuechler@gmail.com) Received: by wx-out-0102.google.com with SMTP id i31so322099wxd for ; Thu, 08 Jun 2006 06:34:21 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=UeSy4E3SuRQK+XMwMh3vpzddQ2E9JIDXURR4ngEzfoUZBAHRGj41Sdhw0y47WIGUdU4ux5mLwPWE1eB05RNIJEQBXFUipYgZuojBD9ewAPuDYGHXesLIpKIL5eT+0Vpfz+3KChFpYIW39qB+r8uNtXLQLSlg4GNXwi2JVGdYA+0= Received: by 10.70.87.8 with SMTP id k8mr2077696wxb; Thu, 08 Jun 2006 06:34:16 -0700 (PDT) Received: by 10.70.12.16 with HTTP; Thu, 8 Jun 2006 06:34:16 -0700 (PDT) Message-ID: Date: Thu, 8 Jun 2006 09:34:16 -0400 From: "Chris Buechler" To: "Dominic Marks" In-Reply-To: <4459.195.12.22.194.1149757864.squirrel@mail.helenmarks.co.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <44876071-491e@helpdesk.islandnet.com> <4459.195.12.22.194.1149757864.squirrel@mail.helenmarks.co.uk> Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org Subject: Re: pf buggy on 6.1-STABLE? 
On 6/8/06, Dominic Marks wrote:
>
> I've experienced the same. If you have a lot of concurrent connections
> going on it seems that every so often a connection will be blocked,
> even if it doesn't match any rule. In my case I experienced this with
> apache22 acting as a reverse proxy/virtual host.
>

This sounds a lot like the port randomization problems discussed by
Michael Silbersack in his BSDCan presentation, specifically pages 12-14.
http://www.silby.com/bsdcan06/silbersack_bsdcan06.pdf

That shouldn't be an issue anymore, but I don't know when that was
resolved.

cheers,
-Chris

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 8 15:27:24 2006
Date: Thu, 8 Jun 2006 07:06:00 -0700
From: "Kian Mohageri"
To: "Dominic Marks"
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
In-Reply-To: <4459.195.12.22.194.1149757864.squirrel@mail.helenmarks.co.uk>
References: <44876071-491e@helpdesk.islandnet.com> <4459.195.12.22.194.1149757864.squirrel@mail.helenmarks.co.uk>
Subject: Re: pf buggy on 6.1-STABLE?

Same issue here when using keep state. Specifically, it happened with PHP
scripts accessing a remote MySQL database. I think it also happened with
Qmail LDAP lookups. This happened even when I did not specify 'flags S/SA'.

'pass quick' (non-stateful) fixed the problems but I wasn't satisfied with
that for obvious reasons.

Client reusing source port before state expired seems like a good
explanation for this. I should test that.

Kian

On 6/8/06, Dominic Marks wrote:
>
> Mark Morley wrote:
> > Hi folks,
> >
> > Wondering if this rings any bells for anyone:
> >
> > After upgrading a handful of web servers from FreeBSD 4.11 with ipfw
> > to 6.1-STABLE with pf, customers started reporting that occasionally
> > their server side scripts would fail to connect to the SQL servers
> > (which are still 4.11 and are attached via a separate dedicated
> > gigabit network).
> >
> > A test page that makes 10,000 rapid SQL connections which connected
> > 100% of the time before, now will usually see anywhere from one or two
> > failed connections to a dozen or so (per 10,000)
> >
> > After trying many other things first, we finally found that 'pf' seems
> > to be the culprit.
>
> I've experienced the same. If you have a lot of concurrent connections
> going on it seems that every so often a connection will be blocked,
> even if it doesn't match any rule. In my case I experienced this with
> apache22 acting as a reverse proxy/virtual host.
>
> Symptoms:
>
> 1. Sudden burst of traffic to a specific virtual host.
> 2. After some time, normally <30 seconds, one of the connection
>    attempts is reset.
> 3. Apache immediately stops proxying for any subsequent connections
>    and returns a 'too busy' message.
>
> The project this was related to got shelved so it hasn't bothered me
> again yet, but I didn't find any workaround.
>
> > Disabling pf with pfctl -d allows 100% of all connections to work, and
> > as soon as we enable it we see connection failures again.
>
> Snap.
>
> > I've tried changing the pf rule set in different ways, with and without
> > scrubbing, with and without queues, even to the point where I have a
> > single rule that just allows everything. It doesn't seem to matter what
> > the rules actually are, just whether or not pf is enabled.
>
> Same as me.
>
> > I recompiled the kernel with pf disabled and ipfw enabled, and it works
> > fine with 100% successful connections. We have no funky compiler options
> > or anything like that.
> >
> > Any thoughts?
> >
> > Mark
> >
> > --
> > Mark Morley
> > Owner / Administrator
> > Islandnet.com
> >
> > _______________________________________________
> > freebsd-stable@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
>
> Cheers,
> Dom
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 8 18:43:45 2006
Date: Thu, 8 Jun 2006 18:39:55 +0200
From: Daniel Hartmeier
To: Dmitry Andrianov
Cc: freebsd-pf@freebsd.org
Message-ID: <20060608163954.GE23685@insomnia.benzedrine.cx>
Subject: Re: Rules in anchor
On Thu, Jun 08, 2006 at 03:42:47PM +0400, Dmitry Andrianov wrote:

> root@host # pfctl -s Anchors
>   ftpsesame
> root@host # pfctl -a ftpsesame -s rules
> root@host #

It creates sub-anchors within that anchor (with the process pid and a
connection id as part of the name), and the rules are inserted there.
The reason for that is that it's simpler to flush an entire (sub)anchor
than removing one specific (of potentially multiple) rules in just one
set.

Try pfctl -vs Anchors, it lists anchors and sub-anchors recursively.
Then pfctl -a ftpsesame/sub.anchor -s rules.

Daniel
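The walk Daniel describes (list anchors recursively, then show the rules of each sub-anchor), as an added example that is not part of the thread, of ftpsesame or of pfctl itself. It answers Dmitry's original question by dumping every anchor that "pfctl -vs Anchors" reports, so rules that a helper keeps in a sub-anchor are not missed. The sample listing is constructed, and the sub-anchor name "ftpsesame/1234.1" is an assumption about the pid/connection-id naming Daniel mentions, not a value from the page.

```python
"""Enumerate all pf anchors and sub-anchors and dump the rules in each.

Added example (not the project's code).  When pfctl is present it queries
the live system (root on the pf host); otherwise it walks a constructed
sample listing so the parsing logic can be exercised anywhere.
"""

import shutil
import subprocess
from typing import List

# Constructed sample of "pfctl -vs Anchors" output: the top-level anchor
# plus one sub-anchor whose name (assumed format) carries pid and conn id.
SAMPLE_ANCHOR_LISTING = """\
  ftpsesame
  ftpsesame/1234.1
"""


def parse_anchor_listing(text: str) -> List[str]:
    """Return anchor paths from "pfctl -vs Anchors" output, in print order.

    pfctl prints one anchor per line, indented, with sub-anchors shown as
    parent/child paths when -v is given.  Blank lines are ignored.
    """
    anchors = []
    for line in text.splitlines():
        name = line.strip()
        if name:
            anchors.append(name)
    return anchors


def rule_commands(anchors: List[str]) -> List[List[str]]:
    """Build the pfctl invocation that shows the rules loaded in each anchor."""
    return [["pfctl", "-a", anchor, "-s", "rules"] for anchor in anchors]


def sub_anchors_of(anchors: List[str], parent: str) -> List[str]:
    """Anchors nested (at any depth) below `parent`, e.g. ftpsesame/1234.1."""
    prefix = parent + "/"
    return [a for a in anchors if a.startswith(prefix)]


def dump_all_anchor_rules() -> List[List[str]]:
    """Print (and, when pfctl exists, run) one rule dump per anchor.

    Returns the list of commands so callers can inspect what was done.
    """
    have_pfctl = shutil.which("pfctl") is not None
    if have_pfctl:
        listing = subprocess.run(["pfctl", "-vs", "Anchors"],
                                 capture_output=True, text=True,
                                 check=True).stdout
    else:
        print("pfctl not found; walking the constructed sample listing")
        listing = SAMPLE_ANCHOR_LISTING
    cmds = rule_commands(parse_anchor_listing(listing))
    for cmd in cmds:
        print("#", " ".join(cmd))
        if have_pfctl:
            subprocess.run(cmd, check=False)
    return cmds


if __name__ == "__main__":
    dump_all_anchor_rules()
```

Without -v, "pfctl -s Anchors" only prints the top level, which is why Dmitry's session showed the ftpsesame anchor but nothing beneath it; the -v form prints the nested paths this script feeds back into "pfctl -a ... -s rules".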
From owner-freebsd-pf@FreeBSD.ORG Fri Jun 9 07:33:26 2006
Date: Fri, 9 Jun 2006 09:33:23 +0200
From: "Massimo Lusetti"
To: "Chris Buechler"
Cc: freebsd-stable@freebsd.org, Dominic Marks, freebsd-pf@freebsd.org
References: <44876071-491e@helpdesk.islandnet.com> <4459.195.12.22.194.1149757864.squirrel@mail.helenmarks.co.uk>
Subject: Re: pf buggy on 6.1-STABLE?

On 6/8/06, Chris Buechler wrote:
> That shouldn't be an issue anymore, but I don't know when that was
> resolved.

Does anyone take care of what Daniel and Greg have said or read doc/faq
about PF?

--
Massimo
http://meridio.blogspot.com

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 9 08:47:55 2006
Date: Fri, 9 Jun 2006 01:47:50 -0700
From: "Kian Mohageri"
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
References: <4F9C9299A10AE74E89EA580D14AA10A605F5BA@royal64.emp.zapto.org>
Subject: Re: pf buggy on 6.1-STABLE?

I think it is also worth mentioning that the connections failed (at least
for me) immediately. There do not appear to be any timeouts. Initially,
this is what led me to believe it was NOT pf, because my block policy was
drop, not reject.

When a packet is a state mismatch, doesn't it simply get discarded
(assuming block policy is "drop")? If so, shouldn't the client simply
assume the packet was lost and retransmit, or time out after a period of
time? I am having trouble understanding why the connection would fail
immediately if pf was dropping packets. That, however, should mean that
disabling pf wouldn't help -- but it does.

Does pf handle state-mismatch differently? Maybe a pf expert could speak
on that.

Kian

On 6/8/06, Kian Mohageri wrote:
>
> I'm aware. I meant that as "pass quick" (without any keep state) ;)
>
> Kian
>
>
> On 6/8/06, Daniel Eriksson < daniel_k_eriksson@telia.com> wrote:
> >
> > Kian Mohageri wrote:
> >
> > > 'pass quick' (non-stateful) fixed the problems but I wasn't
> > > satisfied with that for obvious reasons.
> >
> > The 'quick' keyword does not make the rule non-stateful, it only aborts
> > further evaluation of the specific packet.
> >
> > See http://www.openbsd.org/faq/pf/filter.html#quick for more
> > information.
> >
> > /Daniel Eriksson
> >
>

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 9 09:52:48 2006
Date: Fri, 9 Jun 2006 02:52:41 -0700
From: "Kian Mohageri"
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
References: <4F9C9299A10AE74E89EA580D14AA10A605F5BA@royal64.emp.zapto.org>
Subject: Re: pf buggy on 6.1-STABLE?
Just in case anyone is wondering about the same answers, I decided to check
it out tonight.

> When a packet is a state mismatch, doesn't it simply get discarded
> (assuming block policy is "drop")?

It appears that pf sends a RST when a state-mismatch happens during the
initial handshake:

    if ((*state)->dst.state == TCPS_SYN_SENT &&
        (*state)->src.state == TCPS_SYN_SENT) {
            /* Send RST for state mismatches during handshake */

That would explain why new connections fail immediately when the state is
mismatched.

On 6/8/06, Kian Mohageri wrote:
> >
> > I'm aware. I meant that as "pass quick" (without any keep state) ;)
> >
> > Kian
> >
> >
> > On 6/8/06, Daniel Eriksson < daniel_k_eriksson@telia.com> wrote:
> > >
> > > Kian Mohageri wrote:
> > >
> > > > 'pass quick' (non-stateful) fixed the problems but I wasn't
> > > > satisfied with that for obvious reasons.
> > >
> > > The 'quick' keyword does not make the rule non-stateful, it only
> > > aborts further evaluation of the specific packet.
> > >
> > > See http://www.openbsd.org/faq/pf/filter.html#quick for more
> > > information.
> > >
> > > /Daniel Eriksson
> > >
> >
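The distinction Kian asks about in his first message and answers in this one (block policy applies to packets that match no rule; a packet that hits an existing state but does not fit it is a "state mismatch", which pf answers with a RST only while both sides are still SYN_SENT and otherwise drops silently), as an added example that is not pf's code and not from the thread. It is a deliberately small model of a stateful TCP filter: the window size, the half-open timeout, the single "pass ... to port 3306 keep state" rule, the omission of the server's SYN-ACK direction and the packets fed in are all constructed for illustration. It shows why an immediate connection failure does not rule out a drop-policy firewall, and it does not settle whether source-port reuse is what triggered the mismatches reported here.

```python
"""Toy stateful filter separating block-policy outcomes from state mismatches.

Added example, not pf's implementation.  Only client-to-server packets are
modelled; the client's final ACK moves the state to ESTABLISHED.
"""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SYN_SENT, ESTABLISHED = "SYN_SENT", "ESTABLISHED"
WINDOW = 65535              # constructed: sequence space a peer may advance
TCP_FIRST_TIMEOUT = 120.0   # constructed: seconds a half-open state lives


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # "S" for SYN, "A" for ACK, "SA" for SYN-ACK, ...
    seq: int


@dataclass
class State:
    src_state: str  # side that created the state (the client)
    dst_state: str
    seq_lo: int     # lowest client sequence number still acceptable
    expires: float


Key = Tuple[str, int, str, int]


class StatefulFilter:
    def __init__(self, block_policy: str = "drop", pass_dports=(3306,)):
        assert block_policy in ("drop", "return")
        self.block_policy = block_policy
        self.pass_dports = set(pass_dports)   # "pass ... to port X keep state"
        self.states: Dict[Key, State] = {}

    def _lookup(self, key: Key, now: float) -> Optional[State]:
        st = self.states.get(key)
        if st is not None and st.expires <= now:    # expired: purge it
            del self.states[key]
            return None
        return st

    def handle(self, pkt: Packet, now: float) -> str:
        """Return PASS, DROP or RST for one client-to-server packet."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        st = self._lookup(key, now)
        if st is None:
            # No state: the ruleset decides, and a miss falls to block policy.
            if pkt.dport not in self.pass_dports:
                return "DROP" if self.block_policy == "drop" else "RST"
            if "S" in pkt.flags:                    # new connection: keep state
                self.states[key] = State(SYN_SENT, SYN_SENT, pkt.seq,
                                         now + TCP_FIRST_TIMEOUT)
            return "PASS"
        # State exists: does the packet fit what the state expects?
        if st.seq_lo <= pkt.seq < st.seq_lo + WINDOW:
            if "A" in pkt.flags and st.src_state == SYN_SENT:
                st.src_state = st.dst_state = ESTABLISHED
            return "PASS"
        # State mismatch: a RST while the handshake is still pending (the
        # branch Kian quotes), a silent drop otherwise, whatever the policy.
        if st.src_state == SYN_SENT and st.dst_state == SYN_SENT:
            return "RST"
        return "DROP"


def demo():
    """Constructed sequence showing the three outcomes side by side."""
    f = StatefulFilter("drop")
    c = ("10.0.0.2", 50000, "10.0.0.9", 3306)
    return [
        ("first SYN, rule matches", f.handle(Packet(*c, "S", 1000), 0.0)),
        ("new SYN, same 4-tuple, ISN outside window, handshake pending",
         f.handle(Packet(*c, "S", 900000), 1.0)),
        ("SYN to a port with no rule, block policy drop",
         f.handle(Packet("10.0.0.2", 50001, "10.0.0.9", 80, "S", 1), 1.0)),
        ("same SYN after the half-open state expired",
         f.handle(Packet(*c, "S", 900000), 200.0)),
    ]


if __name__ == "__main__":
    for what, outcome in demo():
        print(f"{outcome:5s}  {what}")
```

The second case is the one that produces an instant failure: the client sees a RST from the filter, not a lost packet, so no retransmission or timeout is involved; with block policy "drop" the only packets that are silently discarded are the ones that never matched a state at all.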
From owner-freebsd-pf@FreeBSD.ORG Fri Jun 9 10:11:07 2006
Date: Fri, 9 Jun 2006 13:10:52 +0300
From: Odhiambo Washington
To: freebsd-pf@freebsd.org, freebsd-stable@freebsd.org
Message-ID: <20060609101052.GD62388@ns2.wananchi.com>
References: <44876071-491e@helpdesk.islandnet.com> <4459.195.12.22.194.1149757864.squirrel@mail.helenmarks.co.uk>
Subject: Re: pf buggy on 6.1-STABLE?

* On 09/06/06 09:33 +0200, Massimo Lusetti wrote:
| On 6/8/06, Chris Buechler wrote:
|
| >That shouldn't be an issue anymore, but I don't know when that was
| >resolved.
|
| Does anyone take care of what Daniel and Greg have said or read
| doc/faq about PF?

The archives do ;)

-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php
--
Odhiambo Washington
Wananchi Online Ltd. www.wananchi.com
Tel: +254 20 313985-9 +254 20 313922
GSM: +254 722 743223 +254 733 744121

Others will look to you for stability, so hide when you bite your nails.