From owner-freebsd-pf@FreeBSD.ORG Sun Jun 25 07:09:18 2006
From: "Greg Hennessy"
To: "'Kerry Jean'", freebsd-pf@freebsd.org
Date: Sun, 25 Jun 2006 08:09:11 +0100
Message-ID: <000001c69826$428fb010$0a00a8c0@thebeast>
Subject: RE: REDIRECTING using the NAT table

> Hi,
>
> I am new to FreeBSD and PF but was wondering how I could do
> using PF a rule from iptables on Linux.
>
> The rule using iptables in Linux is:
> iptables -t nat -A PREROUTING -p udp --dport 3322 -j REDIRECT
> --to-ports 3323
>
> I would like to know how you perform the same operation using PF.
>

http://www.openbsd.org/faq/pf/rdr.html

Greg

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 26 11:03:52 2006
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 26 Jun 2006 11:03:01 GMT
Message-Id: <200606261103.k5QB31go042465@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker        Resp. Description
-------------------------------------------------------------------------------
o [2005/06/15]  kern/82271     pf    [pf] cbq scheduler cause bad latency
f [2005/09/13]  kern/86072     pf    [pf] Packet Filter rule not working prope
o [2006/02/07]  kern/92949     pf    [pf] PF + ALTQ problems with latency
o [2006/02/18]  sparc64/93530  pf    Incorrect checksums when using pf's route

4 problems total.

Non-critical problems

S Submitted     Tracker        Resp. Description
-------------------------------------------------------------------------------
o [2005/05/15]  conf/81042     pf    [pf] [patch] /etc/pf.os doesn't match Fre
o [2006/02/25]  kern/93825     pf    [pf] pf reply-to doesn't work
o [2006/03/27]  kern/94992     pf    [pf] [patch] pfctl complains about ALTQ m
o [2006/04/21]  bin/96150      pf    pfctl(8) -k non-functional
o [2006/05/09]  kern/97057     pf    IPSEC + pf stateful filtering does not wo

5 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 26 12:08:05 2006
From: "Ronnel P. Maglasang"
To: freebsd-pf@freebsd.org
Date: Mon, 26 Jun 2006 19:34:33 +0800
Message-ID: <449FC649.4030205@infoweapons.com>
Subject: maximum number of queues

hi,

is there a maximum system limit for the number of queues for altq?
is this settable/tunable? what's the default limit?

thanks
sho

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 26 13:08:10 2006
From: Giorgos Keramidas
To: freebsd@dima.spb.ru, keramida@FreeBSD.org, freebsd-pf@FreeBSD.org, keramida@FreeBSD.org
Date: Mon, 26 Jun 2006 13:07:54 GMT
Message-Id: <200606261307.k5QD7sNA053088@freefall.freebsd.org>
Subject: Re: kern/97057: IPSEC + pf stateful filtering does not work "out of the box"

Synopsis: IPSEC + pf stateful filtering does not work "out of the box"

State-Changed-From-To: open->closed
State-Changed-By: keramida
State-Changed-When: Mon Jun 26 13:06:42 UTC 2006
State-Changed-Why:
I added a note about this in revision 1.296 of
doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v

Thanks :)

Responsible-Changed-From-To: freebsd-pf->keramida
Responsible-Changed-By: keramida
Responsible-Changed-When: Mon Jun 26 13:06:42 UTC 2006
Responsible-Changed-Why:

http://www.freebsd.org/cgi/query-pr.cgi?pr=97057

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 26 13:32:53 2006
From: "J. Buck Caldwell"
To: freebsd-pf@freebsd.org
Date: Mon, 26 Jun 2006 08:32:46 -0500
Message-ID: <449FE1FE.5060308@bitparts.org>
In-Reply-To: <449FC649.4030205@infoweapons.com>
References: <449FC649.4030205@infoweapons.com>
Subject: Re: maximum number of queues

Ronnel P. Maglasang wrote:
> hi, is there a maximum system limit for the number of queues for
> altq? is this settable/tunable? what's the default limit?
>

I'm not sure about this - but if you're using PRIQ, there are 16
priorities available (0-15), and I don't think you can have multiple
queues with the same priority (although I could be wrong).

What I want to know is if there is a way to show how much memory pf's
queues, state tables, etc. are taking up. Right now, I'm assigning a tag
on 'in $int_if', assigning a queue based on that tag on 'out $ext_if',
and keeping state in both spots. Seems like this would double the amount
of memory the state tables would need, but I don't know how to check
and/or do it better.
From owner-freebsd-pf@FreeBSD.ORG Tue Jun 27 00:06:08 2006
From: Max Gribov
To: freebsd-pf@freebsd.org
Date: Mon, 26 Jun 2006 18:46:31 -0500
Message-ID: <44A071D7.8080203@neuropunks.org>
Subject: nat pool, route-to and servers behind nat

Hello,

I am trying to figure this out for a couple of days..
I have a fbsd 6.1 router connected to local network, to DSL ISP and a
Cable ISP. All user traffic goes out via the Cable line, the default
route on the box is the Cable.
There is a windows server behind the firewall, and firewall's DSL IP
address has a port forward for 3389/tcp (rdp) to the windows box.
I'm able to pipe users' traffic via the cable, but no matter what I do,
I cannot get the windows server on the internal network to be accessible
from the DSL ip. I can reach internet, I can see both cable and DSL
routers, and if I change my default gateway to the DSL, then it works
fine.

[root@styx /home/max]# uname -a
FreeBSD styx.neuropunks.org 6.1-RELEASE FreeBSD 6.1-RELEASE #1: Mon Jun 12 19:44:57 EDT 2006     max@styx.neuropunks.org:/usr/src/sys/sparc64/compile/STYX  sparc64

Here are the relevant rule parts (the order of the rules below is the
actual order in the pf.conf):

int="hme0"
ext="hme1"
ext_cable="hme5"
gw_dsl="216.254.70.1"
gw_cable="207.38.217.1"
draco="192.168.0.4"

# nat
nat on $ext_cable from $local_net to any -> ($ext_cable)
nat on $ext from $local_net to any -> ($ext)

# rdr
rdr inet proto tcp from any to $styx_ext/32 port 3389 -> $draco port 3389

# default deny
block log-all all
pass quick on lo0 all

# ensures that we can pass to draco's 192.168.x.x ip address
pass in log on $ext inet proto tcp from any to $draco/32 port 3389 flags S/SA modulate state queue (prirdp, tcpack)

# pass tcp to DSL public IP to port 3389, reply through DSL interface/IP
pass in quick log on $ext reply-to ($ext $gw_dsl) inet proto tcp from any to $styx_ext/32 port 3389 flags S/SA modulate state queue (prirdp, tcpack)

# local interface filtering
pass out on $int from any to $local_net
pass in quick on $int from $local_net to $int

# pass into local interface with source of 192.168.x.x
pass in log on $int route-to ($ext $gw_dsl) proto tcp from $draco/32 port 3389 to any keep state queue (intprirdp, inttcpack)

# global allow all outgoing
pass out on $ext_cable inet proto tcp from any to any flags S/SA modulate state
pass out on $ext_cable inet proto { udp, icmp } from any to any keep state
pass out on $ext inet proto tcp from any to any flags S/SA modulate state
pass out on $ext inet proto { udp, icmp } from any to any keep state

# keep track of the interfaces/sources
pass out on $ext route-to ($ext_cable $gw_cable) from $ext_cable to any
pass out on $ext_cable route-to ($ext $gw_dsl) from $ext to any

# EOF

Here is tcpdump from watching pflog0 for relevant log statements:

19:27:50.405748 rule 12/0(match): pass in on hme1: finn.neuropunks.org.64868 > draco.rdp: S 2150035332:2150035332(0) win 65535
        0x0000:  4520 003c d29a 4000 3b06 3c2c 451f 2b0a
        0x0010:  c0a8 0004 fd64 0d3d 8026 ef84 0000 0000
        0x0020:  a002 ffff 5f15 0000 0204 05b4 0103 0301
19:27:50.405910 rule 67/0(match): pass out on hme0: finn.neuropunks.org.64868 > draco.rdp: S 2150035332:2150035332(0) win 65535
        0x0000:  4520 003c d29a 4000 3a06 3d2c 451f 2b0a
        0x0010:  c0a8 0004 fd64 0d3d 8026 ef84 0000 0000
        0x0020:  a002 ffff 5f15 0000 0204 05b4 0103 0301

The packets are not being filtered, the global block policy logs denies.
I looked at plain interface tcpdump (hme0, hme1) and my router does
address packets to the local DSL router MAC address, and I am able to
ssh into the firewall itself, which is handled by this rule:

pass in quick log on $ext reply-to ($ext $gw_dsl) inet proto tcp from any to $styx_ext/32 port 22 flags S/SA modulate state (max-src-conn-rate 8/60, overload flush global) queue (prissh, tcpack)

so I know I can get packets back over the dsl interface even if the
static route is the cable.

There seems to be some issue with either nat'ing, or I am not using
reply-to/route-to rules right, but I've tried everything, and I can't
figure it out.
If anyone has any idea, or did something similar, please let me know.

Thank you,
Max

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 27 10:37:10 2006
From: "N. Ersen SISECI"
To: freebsd-pf@FreeBSD.org
Date: Tue, 27 Jun 2006 13:36:52 +0300
Message-ID: <44A10A44.1070602@gmail.com>
Subject: Keep State is not working on 6.1-RELAESE-p1

Hi,

There seems to be a problem with the "keep state" handling with my pf on
FreeBSD 6.1-RELEASE-p1.

My first rule is pass in all with keep state. But the packets do not
seem to be able to pass out from the other interface. If I change the
last block to "pass" everything works fine. It seems that the state
table is always if-bound???

Is there a solution for this problem, or do I miss a configuration with
kernel, pf, pf.conf etc... ??? or is this a bug :)

Please help...

Here are my rules:

set state-policy floating
pass in log quick proto tcp from any to any keep state
block in log quick all
block out log quick all

These are the pf log lines:

2006-06-27 15:22:27.188969 rule 0/0(match): pass in on bge0: 192.168.9.99.60248 > 10.0.0.2.22: S, cksum 0xc573
2006-06-27 15:22:27.188986 rule 2/0(match): block out on em0: 192.168.9.99.60248 > 10.0.0.2.22: S, cksum 0xc573

N. Ersen SISECI
http://www.enderunix.org
EnderUNIX SDT @ Turkey

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 27 12:06:23 2006
From: Artis Caune
To: freebsd-pf@freebsd.org
Date: Tue, 27 Jun 2006 15:06:20 +0300
In-Reply-To: <449FE1FE.5060308@bitparts.org>
References: <449FC649.4030205@infoweapons.com> <449FE1FE.5060308@bitparts.org>
Subject: Re: maximum number of queues

> Ronnel P. Maglasang wrote:
>> hi, is there a maximum system limit for the number of queues for
>> altq? is this settable/tunable? what's the default limit?
>>

# grep _MAX_ sys/contrib/altq/altq/*.h

edit, tune && recompile kernel

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 27 12:21:48 2006
From: McLone
To: pf@freebsd.org, pf@benzedrine.cx
Date: Tue, 27 Jun 2006 15:21:45 +0300
Message-ID: <451cb3010606270521x506735aep67d18acf95de7b98@mail.gmail.com>
Subject: queueing: give some BW to each addr (in a table)?
Hello.

I work for a small isp, and we want to make a customer plan look like
this: client A has N kbits/s during the business day; he has N*2 kbits/s
at night and on weekends; and we guarantee him a minimum speed of N/2.
(we also buy our main uplink BW according to this formula)

We have many clients here, so I wanted to do it on my freebsd6 router,
with a simple cron job switching tables in PF, but pf doesn't support a
thing like "give EACH ip in that table N kbits/s".
So I thought I would be able to do it using anchors for pass rules AND
for queues (many subqueues, every client has one). But, unfortunately,
PF in freebsd6.1 and in openbsd3.9 does not support anchors in queue
declarations (I looked at the man page).
So I have one option now - write some pf.conf preprocessor, with some
frontend to edit it.

Also I have two feature suggestions (I'd be happy to see just one of
them implemented):

a) make pf+altq able to do things like
=============== >8 =====
table persist { ip-one; ip-two; ...
queue int_cli512 bandwidth 8192Kb priority 2 \
    cbq(ecn rio each=512Kb)
...
pass out quick on $int_if to keep state \
    queue int_cli512
===== 8< ===============

b) make anchors work also for queues, not only for rdr, nat and
filtering rules

p.s. I used cbq in the example, but I need hfsc here, so if someone has
good documentation on hfsc, please let me know where I can find it.
(I grok some hfsc only with this list archive's help)
Also, I may be on a totally wrong way, and the things I need can be done
in some other way I missed?...

--
wbr,            |\      _,,,---,,_         dog bless ya!
       ` Zzz    /,`.-'`'    -.  ;-;;,_     McLone at GMail dot com
                |,4-  ) )-,_. ,\ (  `'-' , net- and *BSD admin
               '---''(_/--'  `-'\_)        ...translit rawx

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 27 13:29:27 2006
From: Daniel Hartmeier
To: "N. Ersen SISECI"
Cc: freebsd-pf@freebsd.org
Date: Tue, 27 Jun 2006 15:29:23 +0200
Message-ID: <20060627132923.GE14502@insomnia.benzedrine.cx>
In-Reply-To: <44A10A44.1070602@gmail.com>
References: <44A10A44.1070602@gmail.com>
Subject: Re: Keep State is not working on 6.1-RELAESE-p1

On Tue, Jun 27, 2006 at 01:36:52PM +0300, N. Ersen SISECI wrote:

> My first rule is pass in all with keep state. But the packets do not
> seem to be able to pass out from the other interface.
> If I change the last block to "pass" everything works fine. It seems
> that the state table is always if-bound???
>
> Is there a solution for this problem, or do I miss a configuration with
> kernel, pf, pf.conf etc... ??? or is this a bug :)

Neither, your interpretation of 'floating' does not match reality, see

  http://marc.theaimsgroup.com/?l=openbsd-pf&m=114372425614238&w=2

In short, create two state entries per connection.

Daniel

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 27 13:58:23 2006
From: "N. Ersen SISECI"
To: freebsd-pf@FreeBSD.org
Date: Tue, 27 Jun 2006 16:58:04 +0300
Message-ID: <44A1396C.7040708@gmail.com>
Subject: Re: Keep State is not working on 6.1-RELAESE-p1

So we don't have a "keep state" interpretation like ipf etc....
(OK, I understand the floating option for the state table. It is not
related to our problem...)

What we are looking for is to be able to pass through the firewall with
one set of rules per allowed traffic, like it used to be in ipf-like
firewalls.

For pf, a solution we came up with:

pass in quick ... port 22 ... keep state tag XYZ
pass in quick .... keep state tag XYZ
pass in quick .... keep state tag XYZ
pass in quick .... keep state tag XYZ
pass in quick .... keep state tag XYZ
....
....
#last rules
block in all

#let everything out with a new state entry
pass out all keep state tagged XYZ

Is there another way to securely let everything "pass through" the
firewall without having to write another rule for outgoing packets? We
have hundreds of rules on our gateway, and it is quite difficult to
duplicate rules and keep track of the incoming interface as well as the
outgoing interface...

Thanx for your help

N. Ersen SISECI
http://www.enderunix.org

Daniel Hartmeier wrote:
> On Tue, Jun 27, 2006 at 01:36:52PM +0300, N. Ersen SISECI wrote:
>
>> My first rule is pass in all with keep state. But the packets do not
>> seem to be able to pass out from the other interface. If I change the
>> last block to "pass" everything works fine. It seems that the state
>> table is always if-bound???
>>
>> Is there a solution for this problem, or do I miss a configuration with
>> kernel, pf, pf.conf etc... ??? or is this a bug :)
>
> Neither, your interpretation of 'floating' does not match reality, see
>
> http://marc.theaimsgroup.com/?l=openbsd-pf&m=114372425614238&w=2
>
> In short, create two state entries per connection.
>
> Daniel

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 27 16:29:37 2006
From: Daniel Hartmeier
To: "N. Ersen SISECI"
Cc: freebsd-pf@freebsd.org
Date: Tue, 27 Jun 2006 18:11:02 +0200
Message-ID: <20060627161102.GF14502@insomnia.benzedrine.cx>
In-Reply-To: <44A1396C.7040708@gmail.com>
References: <44A1396C.7040708@gmail.com>
Subject: Re: Keep State is not working on 6.1-RELAESE-p1

On Tue, Jun 27, 2006 at 04:58:04PM +0300, N. Ersen SISECI wrote:

> For pf, a solution we came up with:
>
> pass in quick ... port 22 ... keep state tag XYZ
> pass in quick .... keep state tag XYZ
> pass in quick .... keep state tag XYZ
> pass in quick .... keep state tag XYZ
> pass in quick .... keep state tag XYZ
> ....
> ....
> #last rules
> block in all
>
> #let everything out with a new state entry
> pass out all keep state tagged XYZ

Yes, that'll work fine.

> Is there another way to securely let everything "pass through" the
> firewall without having to write another rule for outgoing packets? We
> have hundreds of rules on our gateway, and it is quite difficult to
> duplicate rules and keep track of the incoming interface as well as the
> outgoing interface...

One common approach is to only filter incoming packets, and to let
everything pass out from the firewall. This covers all forwarded
traffic: anything leaving the firewall must first have passed in (and
has, therefore, been checked). It does not cover connections originating
from the firewall itself. But often, you either don't run any processes
on the firewall (that need to connect out), or you trust those
implicitly.
Another common case is a three (or more) legged firewall, where you have
strict policies about what interface a type of connection may enter and
where it may and may not leave (e.g. in on if1, out on if2, but never
out on if3), i.e. you don't trust the routing table (which might be
dynamically updated). In this case, you DO need per-interface rules,
and they are not really duplicates. Tagging helps in this case, too
(you'd tag passed incoming packets so they'd be allowed out on a
specific other interface).

I guess it boils down to whether you

  a) trust all processes on the firewall
  b) trust the routing table on the firewall

Daniel

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 27 18:04:11 2006
From: "Greg Hennessy"
To: "'N. Ersen SISECI'"
Cc: freebsd-pf@freebsd.org
Date: Tue, 27 Jun 2006 19:04:04 +0100
Subject: RE: Keep State is not working on 6.1-RELAESE-p1

> What we are looking for is to be able to pass through
> firewall with one set of rule per allowed traffic like it is
> used to be in ipf like firewalls.
> [snip]
>
> Is there another way to securely let everything "pass
> through" firewall?
> without having to write another rule for outgoing packets.

There's a couple of ways to do this, I've used both.

Create generic tagged egress rules on the relevant firewall interfaces.
E.g.

pass out log quick on int1 from any to any tagged outyougo keep state

You only need as many egress rules as there are filtered interfaces with
the above. Then tag ingress rules appropriately:

pass in log quick on int0 $TCP from source to dest tag outyougo $KSF

Or, if all the interfaces on the system are of the same driver family,
use interface classes combined with anti-spoofing. E.g.

antispoof log quick for { int0, int1, int2 ..... }
pass log quick on int $TCP from source to dest $KSF

If you have a mixture of interfaces, you may be able to add something
like

/sbin/ifconfig fxp0 name eth0 # spit ;-)
/sbin/ifconfig fxp1 name eth1
/sbin/ifconfig bge0 name eth2
/sbin/ifconfig bge1 name eth3

to /etc/rc.early and then see whether you can

pass log quick on eth $TCP .... etc

Haven't tried it, so YMMV.

Greg

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 28 00:41:44 2006
From: "Ronnel P. Maglasang"
To: Artis Caune
Cc: freebsd-pf@freebsd.org
Date: Wed, 28 Jun 2006 08:40:56 +0800
Subject: Re: maximum number of queues

Artis Caune wrote:
>> Ronnel P.
Maglasang wrote:
>>> hi, is there a maximum system limit for the number of queues for
>>> altq? is this settable/tunable? whats the default limit?
>>>
>
> # grep _MAX_ sys/contrib/altq/altq/*.h
>
> edit, tune && recompile kernel
>

i came across an old thread that answered the same problem, it said modify
the following typedef:

#define HFSC_MAX_CLASSES 64

is this enough? whats the logic behind the changes? is there a formula to
this?

looking at the code, pf seemed to run out of memory when it allocates an
"altq" data from the altq pool.

sys/contrib/pf/net/pf_ioctl.c
-- --
	case DIOCADDALTQ: {
		struct pfioc_altq	*pa = (struct pfioc_altq *)addr;
		struct pf_altq		*altq, *a;

		if (pa->ticket != ticket_altqs_inactive) {
			error = EBUSY;
			break;
		}
		altq = pool_get(&pf_altq_pl, PR_NOWAIT);
		if (altq == NULL) {
			error = ENOMEM;
			break;
		}
-- --

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 28 06:22:53 2006
From: "Travis H."
To: "Florent Thiery"
Cc: Olivier PAUL, Soufiane BENJILLALI, freebsd-pf@freebsd.org
Date: Wed, 28 Jun 2006 00:56:13 -0500
Subject: Re: Anti-DoS QoS with altq

On 6/22/06, Florent Thiery wrote:
> I'm wondering how to make altq use 2 queues defined as follow
> - the first one is the "attackers" queue, and should be defined by a
> static file containing ip adresses, filled by another program. RED
> should be used on this queue (every client in this queue should have the
> same priority)

table <attackers> file
pass in quick on $wan_if from <attackers> to $web_server port { 80 8080 } queue attacker

Then write a small script to add them to the attackers table.

> - the second one is the "normal clients" queue, which should have the
> best effort possible (again, every client in this queue should have the
> same priority) ; i don't know which scheduler to use...

pass in quick on $wan_if from any to $web_server port { 80 8080 } queue normal

> I don't know how to manage the
> - the ip file part (altq-file interconnection)

altq on $wan_if priq bandwidth $upstream_bw queue { attacker, normal }
queue attacker priority 0 priq(red)
queue normal priority 7 priq(default)

Note that you can only queue on outbound connections. Well, you can assign
queues on inbound packets, but it only matters when they're queued up to go
out (inbound packets get processed almost immediately if the CPU is fast
enough).

> - how to benchmark.... store and plot the results... (i guess it will be
> shell scripting, watch grep wc pipes etc... )

gnuplot

> Thanks in advance for your help. If there is an IRC channel or anybody
> ok to discuss with me (messaging or mail), please contact me.

I charge reasonable rates, but bear in mind that firewall rules can take a
long time to debug and tweak and tune, and I charge by the hour.
--
"I sometimes have delusions of adequacy" -- Woody Allen
Security "guru" for rent or hire - http://www.lightconsulting.com/~travis/
-><- GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 28 08:33:34 2006
From: "Travis H."
To: McLone
Cc: pf@freebsd.org, pf@benzedrine.cx
Date: Wed, 28 Jun 2006 03:33:30 -0500
Subject: Re: queueing: give some BW to each addr (in a table)?

On 6/27/06, McLone wrote:
> We have many clients here, so i wanted to do it
> on my freebsd6 router, with simple cron job switching
> tables in PF, but pf doesn't support a thing like
> "give EACH ip in that table N kbits/s".

Yes, what you want is a list.

> So i have one option now - write some pf.conf
> preprocessor, with some frontend to edit it.

If you know python, check out dfd_keeper. There is an OpenBSD port here:

http://www.lightconsulting.com/~travis/OpenBSD/

Basically you can, from a script that uses nc/netcat, add or delete from a
list relatively trivially. It then renders the ruleset and loads it into pf.
It looks intimidating at first but isn't really. You have my permission to
use it in your commercial environment.

Once installed, you need to write a short python script; there is an example
in the dist (but it doesn't get installed by the port yet, sorry).

If you have any further questions, or if you want [paid] help implementing
it, email me.
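The kind of pf.conf preprocessor McLone describes, as an added example that is neither dfd_keeper nor code from this thread: it reads a pf table file and renders one cbq queue of N kbit/s per address, which pf cannot express with a single rule. It assumes a cbq scheduler on one LAN-facing interface, the function and queue names are mine, and the default queue cap of 64 is borrowed from the HFSC_MAX_CLASSES value quoted earlier in this digest.

```python
"""Render a pf.conf fragment that gives each address in a table file its own
ALTQ queue of a fixed bandwidth (added example, not from the mailing list)."""
import ipaddress


def parse_table_file(text):
    """Parse a pf 'table ... file' style list: one address per line, blank
    lines and '#' comments ignored. Garbage raises ValueError instead of
    silently producing a rule that matches nothing."""
    addrs = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            addrs.append(str(ipaddress.ip_address(entry)))
    return addrs


def queue_name(addr):
    """pf queue names are restricted to [A-Za-z0-9_]; derive one per address."""
    return "c_" + addr.replace(".", "_").replace(":", "_")


def render_ruleset(addrs, lan_if, link_kbit, per_client_kbit, max_queues=64):
    """Return pf.conf text: an altq declaration, one child queue per client
    plus a default queue for everything else, and the pass rules assigning
    traffic to the client queues. Queueing only takes effect on the outbound
    side (Travis's point above), so the rules are 'pass out' toward each
    client address."""
    if not addrs:
        raise ValueError("no client addresses")
    if len(set(addrs)) != len(addrs):
        raise ValueError("duplicate client address in table")
    # The default queue needs bandwidth too, so the clients together must
    # stay strictly below the link rate; pfctl rejects oversubscription.
    reserved = per_client_kbit * len(addrs)
    if reserved >= link_kbit:
        raise ValueError("%d clients * %dKb exceeds the %dKb link"
                         % (len(addrs), per_client_kbit, link_kbit))
    # One queue per client plus the default queue must fit the scheduler cap
    # (assumed: the 64-class limit discussed earlier in this digest).
    if len(addrs) + 1 > max_queues:
        raise ValueError("%d queues exceed the per-scheduler cap of %d"
                         % (len(addrs) + 1, max_queues))
    names = [queue_name(a) for a in addrs]
    out = ["altq on %s cbq bandwidth %dKb queue { %s }"
           % (lan_if, link_kbit, ", ".join(names + ["std"]))]
    out.append("queue std bandwidth %dKb cbq(default)"
               % (link_kbit - reserved))
    for n in names:
        out.append("queue %s bandwidth %dKb" % (n, per_client_kbit))
    out.append("")
    for a, n in zip(addrs, names):
        af = "inet6" if ":" in a else "inet"
        out.append("pass out quick on %s %s from any to %s queue %s"
                   % (lan_if, af, a, n))
    return "\n".join(out) + "\n"


# Constructed sample table file, the kind a cron job would regenerate.
SAMPLE_TABLE = """\
# clients entitled to a guaranteed share
192.168.1.10
192.168.1.11   # second workstation
2001:db8::5
"""

if __name__ == "__main__":
    clients = parse_table_file(SAMPLE_TABLE)
    print(render_ruleset(clients, "em1", link_kbit=2000, per_client_kbit=256))
```

The queue lines belong in the queueing section of pf.conf and the pass rules among the filter rules; regenerate and load with pfctl -f whenever the table file changes.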
--
"I sometimes have delusions of adequacy" -- Woody Allen
Security "guru" for rent or hire - http://www.lightconsulting.com/~travis/
-><- GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 28 09:02:52 2006
From: "Travis H."
To: "Daniel Hartmeier"
Cc: freebsd-pf@freebsd.org
Date: Wed, 28 Jun 2006 04:02:49 -0500
Subject: Re: Keep State is not working on 6.1-RELAESE-p1

On 6/27/06, Daniel Hartmeier wrote:
> One common approach is to only filter incoming packets, and to let
> everything pass out from the firewall. This covers all forwarded
> traffic: anything leaving the firewall must first have passed in (and
> has, therefore, been checked). It does not cover connections originating
> from the firewall itself. But often, you either don't run any processes
> on the firewall (that need to connect out), or you trust those
> implicitly.

One could also compromise and write a very short rule specific to the
firewall's IPs, providing outbound filtering only for those source IPs.

> Another common case is three (or more) legged firewall, where you have
> strict policies about what interface a type of connection may enter and
> where it may and may not leave (e.g. in on if1, out on if2, but never
> out on if3), i.e. you don't trust the routing table (which might be
> dynamically updated). In this case, you DO need per-interface rules,
> and they are not really duplicates. Tagging helps in this case, too
> (you'd tag passed incoming packets so they'd be allowed out on a
> specific other interface).

Often if one uses antispoof, one can eliminate the interface
specifications entirely. In his case, he could also eliminate in/out
entirely, and be left with a fairly terse ruleset.

Note however that antispoof doesn't help too much if a particular
interface leads to distant networks. Therefore, you shouldn't eliminate
e.g. the WAN interface from rules, since antispoof won't prevent arbitrary
Internet IPs from appearing on the non-WAN interfaces.
--
``I put my heart and my soul into my work, and have lost my mind in the
process.'' -- van Gogh | Security "guru" for rent or hire -
http://www.lightconsulting.com/~travis/ -><- GPG fingerprint: 9D3F 395A
DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 29 06:54:01 2006
From: Boris Polevoy
To: Daniel Hartmeier
Cc: mlaier@freebsd.org, pf@benzedrine.cx, freebsd-pf@freebsd.org
Date: Thu, 29 Jun 2006 10:53:59 +0400
Subject: Re[2]: anchors - weirdness

-----Original Message-----
From: Daniel Hartmeier
To: David Diggles
Date: Thu, 29 Jun 2006 07:25:04 +0200
Subject: Re: anchors - weirdness

> There was a bug that caused anchors defined from sub-anchors with "load
> anchor" statements to get defined directly in the root, and not relative
> to the position of the anchor defining them. This was fixed in OpenBSD
> just a couple of weeks ago with
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_table.c.diff?r1=1.67&r2=1.68&f=h
> http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/pfctl/parse.y.diff?r1=1.497&r2=1.498&f=h
>
> This isn't in FreeBSD (or OpenBSD -stable) yet, but it probably makes
> sense to pull it in.

I have used the same pf_table.c patch under FreeBSD 6.0 and 6.1 for two
months. It works well.

To Max Laier: please, patch FreeBSD's PF/pfctl.

With best regards
Boris Polevoy

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 30 01:26:44 2006
From: Brandon Penglase
To: freebsd-pf@freebsd.org
Date: Sat, 24 Jun 2006 20:07:19 -0400
Subject: Re: REDIRECTING using the NAT table

> Hi,
>
> I am new to FreeBSD and PF but was wondering how I could do using PF
> a rule from iptables on Linux.
>
> The rule using iptables in Linux is:
> iptables -t nat -A PREROUTING -p udp --dport 3322 -j REDIRECT
> --to-ports 3323

rdr on $ext_if proto tcp from any to $ext_if port 86 -> 10.0.1.10 port 80

$ext_if is the interface facing the net, or I suppose the side from which
you want to modify. If you're looking to just change the port, I suppose
you could remove the IP at the end.

Hope this helps.
Brandon

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 30 07:06:11 2006
From: lev-bazanov@mail.ru
To: freebsd-pf
Date: Fri, 30 Jun 2006 11:06:02 +0400
Subject: problem with keyword self

Hello, All.

There is a problem in pf, when I try to add rules with keyword "self".
Example:

My box has three physical and one loopback interfaces:

fxp0 - 10.0.0.1
fxp1 - 20.0.0.1
fxp3 - 30.0.0.1
lo0  - 127.0.0.1

Add rules in pf:

---- pf.conf ----
block drop in quick from any to self
pass in quick all
---- pf.conf ----

# pfctl -f /etc/pf.conf
# pfctl -q -s rules
block drop in quick inet from any to 10.0.0.1
block drop in quick inet from any to 20.0.0.1
block drop in quick inet from any to 30.0.0.1
block drop in quick inet from any to 127.0.0.1
pass in quick all
#
# ifconfig fxp0 50.0.0.1
# pfctl -q -s rules
block drop in quick inet from any to 10.0.0.1
block drop in quick inet from any to 20.0.0.1
block drop in quick inet from any to 30.0.0.1
block drop in quick inet from any to 127.0.0.1
pass in quick all

Result of this command: all incoming traffic on interface fxp0 will be
passed. This situation is not correct, because I want to disable all
traffic on fxp0, even after changing the IP address on fxp0.

A similar situation happens when I try to add a rule in pf with a table
which contains an interface's name or the keyword "self". For example:

1. Table contains name of interface

----- pf.conf -----
table <test> { fxp0 }
block drop in quick from any to <test>
----- pf.conf -----

# pfctl -f /etc/pf.conf
# pfctl -q -s rules
block drop in quick from any to <test>
# pfctl -q -t test -T show
   10.0.0.1
# ifconfig fxp0 50.0.0.1
# pfctl -q -t test -T show
   10.0.0.1

2. Table contains keyword "self"

----- pf.conf ----
table <test> { self }
block drop in quick from any to <test>
----- pf.conf ----

# pfctl -f /etc/pf.conf
# pfctl -q -s rules
block drop in quick from any to <test>
# pfctl -q -t test -T show
   10.0.0.1
   20.0.0.1
   30.0.0.1
   127.0.0.1
# ifconfig fxp0 50.0.0.1
# pfctl -q -t test -T show
   10.0.0.1
   20.0.0.1
   30.0.0.1
   127.0.0.1

Is there some means in pf which correctly resolves the described
situations? For example, like the "me" keyword in ipfw.
-- Best regards, Lev Bazanov mailto:lev-bazanov@mail.ru From owner-freebsd-pf@FreeBSD.ORG Fri Jun 30 09:13:26 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2F7A316A565 for ; Fri, 30 Jun 2006 09:13:26 +0000 (UTC) (envelope-from clsung@FreeBSD.csie.nctu.edu.tw) Received: from FreeBSD.csie.nctu.edu.tw (freebsd.csie.nctu.edu.tw [140.113.17.209]) by mx1.FreeBSD.org (Postfix) with ESMTP id E70E044726 for ; Fri, 30 Jun 2006 08:52:08 +0000 (GMT) (envelope-from clsung@FreeBSD.csie.nctu.edu.tw) Received: from localhost (localhost.csie.nctu.edu.tw [127.0.0.1]) by FreeBSD.csie.nctu.edu.tw (Postfix) with ESMTP id 6825E7E9A7; Fri, 30 Jun 2006 16:53:37 +0800 (CST) Received: from FreeBSD.csie.nctu.edu.tw ([127.0.0.1]) by localhost (FreeBSD.csie.nctu.edu.tw [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vSk3BS+Vm5RF; Fri, 30 Jun 2006 16:53:36 +0800 (CST) Received: by FreeBSD.csie.nctu.edu.tw (Postfix, from userid 1038) id 813D07E9B4; Fri, 30 Jun 2006 16:53:36 +0800 (CST) Date: Fri, 30 Jun 2006 16:53:36 +0800 From: Cheng-Lung Sung To: lev-bazanov@mail.ru Message-ID: <20060630085336.GA19494@FreeBSD.csie.nctu.edu.tw> References: <1664838932.20060630110602@mail.ru> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="bg08WKrSYDhXBjb5" Content-Disposition: inline In-Reply-To: <1664838932.20060630110602@mail.ru> X-Fingerprint: E0BC 57F9 F44B 46C6 DB53 8462 F807 89F3 956E 8BC1 X-Public-Key: http://sungsung.dragon2.net/pubring.asc User-Agent: Mutt/1.5.11 Cc: freebsd-pf Subject: Re: problem with keyword self X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Jun 
2006 09:13:26 -0000 --bg08WKrSYDhXBjb5 Content-Type: text/plain; charset=big5 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Jun 30, 2006 at 11:06:02AM +0400, lev-bazanov@mail.ru wrote: > Hello, All. >=20 > There is a problem in pf, when I try to add rules with keyword > "self". Example: >=20 > ...deleted >=20 > Is there some means in pf, which correctly resolve described situations? > For example, like "me" keyword in ipfw.=20 Unfortunately, it seems you can only use /etc/rc.d/pf reload to=20 flush/read rules. --=20 Cheng-Lung Sung - clsung@ --bg08WKrSYDhXBjb5 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (FreeBSD) iD8DBQFEpOaP+AeJ85Vui8ERAuE9AKCUR11byVy2s2YNocCdoix0S7Vm4wCeID7N 4jybcIex712StRn0FoOwesU= =kf7v -----END PGP SIGNATURE----- --bg08WKrSYDhXBjb5-- From owner-freebsd-pf@FreeBSD.ORG Fri Jun 30 09:57:46 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4CCAD16A415 for ; Fri, 30 Jun 2006 09:57:46 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9909643D48 for ; Fri, 30 Jun 2006 09:57:45 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1]) by insomnia.benzedrine.cx (8.13.4/8.13.4) with ESMTP id k5U9vguw018306 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Fri, 30 Jun 2006 11:57:42 +0200 (MEST) Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.13.4/8.12.10/Submit) id k5U9vgXO010464; Fri, 30 Jun 2006 11:57:42 +0200 (MEST) Date: Fri, 30 Jun 2006 11:57:41 +0200 From: Daniel Hartmeier To: lev-bazanov@mail.ru Message-ID: <20060630095741.GE26234@insomnia.benzedrine.cx> 
References: <1664838932.20060630110602@mail.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1664838932.20060630110602@mail.ru> User-Agent: Mutt/1.5.10i Cc: freebsd-pf Subject: Re: problem with keyword self X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Jun 2006 09:57:46 -0000 On Fri, Jun 30, 2006 at 11:06:02AM +0400, lev-bazanov@mail.ru wrote: > There is a problem in pf, when I try to add rules with keyword > "self". Example: "self" always translates to IP addresses at load-time. To re-translate, you have to re-load the ruleset. In rule addresses (but not tables) you can put an interface name in parentheses, like (fxp0), which causes run-time translation, i.e. the rule automatically updates when the interfaces changes addresses. >From pf.conf(5) Host name resolution and interface to address translation are done at ruleset load-time. When the address of an interface (or host name) changes (under DHCP or PPP, for instance), the ruleset must be reloaded for the change to be reflected in the kernel. Sur- rounding the interface name (and optional modifiers) in parentheses changes this behaviour. When the interface name is surrounded by parentheses, the rule is automatically updated whenever the inter- face changes its address. The ruleset does not need to be reload- ed. This is especially useful with nat. 
Daniel

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 30 12:38:35 2006
From: Volker
To: freebsd-pf@freebsd.org
Date: Fri, 30 Jun 2006 14:38:44 +0200
Message-ID: <44A51B54.4090908@vwsoft.com>
In-Reply-To: <20060630120116.AA95F16A85D@hub.freebsd.org>
Subject: Re: problem with keyword self
On 2006-06-30, daniel@benzedrine.cx wrote:
> "self" always translates to IP addresses at load-time. To re-translate,
> you have to re-load the ruleset.

Daniel,

a while ago I was experiencing one thing where it can be dangerous to
make use of the 'self' keyword.

If you're setting up a DSL connection using mpd (I guess it's the same
with userland ppp, but I have never tried that) the system has got an
unconfigured IP interface (xl0 or whatever), where unconfigured means
it's up but has an IP address of 0.0.0.0. PPPoE is being done on the
interface ng0, for example, and this one has an IP address if the
connection is up.

Now if you're using a rule like 'pass in from any to self' (or
something similar) the rule is being translated into 'pass in from
0.0.0.0 to 0.0.0.0', which in turn means 'just pass all traffic
unconditionally', and you're having a great wide open firewall (in
fact, no firewall at all).

I know the example rule is not a real world rule, but just imagine
you're having a rule like 'pass in from any to self port 80' to have
the http server being reachable. That would let pass traffic to _any_
internal webserver. Sometimes admins are lazy and doing stupid things
like that and are not aware of the consequences of a quickly hacked
rule.

I'm wondering if you're able to check whether an interface has a valid
IP address or not before processing rules and skip unconfigured
interfaces (or at least do not let them be included when it comes to
'self' rules). IMHO 'self' should never validate to an IP address like
0.0.0.0.

Greetings,

Volker
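The load-time expansion Daniel describes and the unconfigured-interface trap Volker describes, as an added example that is not code from this thread or from pf itself: a pre-load check, written for this page, that parses ifconfig-style output (a constructed sample, not captured from a real host), expands `self` the way pf does when the ruleset is loaded, and refuses any rule that would end up carrying 0.0.0.0. The interface names xl0/ng0, the addresses, and the sample rules are assumptions chosen to match Volker's mpd/PPPoE scenario; in practice you would feed it real `ifconfig` output before calling `pfctl -f`.

```python
"""Load-time expansion check for pf rules that use the ``self`` keyword.

Added example, not code from the mailing-list thread or from pf itself.
pf resolves ``self`` to the interface addresses present when the ruleset
is loaded; an interface that is up but still unconfigured contributes
0.0.0.0, so ``to self`` silently becomes ``to 0.0.0.0``. This script
mimics that expansion over ifconfig-style output and reports rules that
would end up with a wildcard address.
"""
import re
from typing import Dict, List, Tuple

# Constructed ifconfig(8)-style sample (assumption, not a real host):
# xl0 is up but unconfigured, as under mpd/PPPoE before the link comes
# up; ng0 carries the real address; lo0 is loopback.
SAMPLE_IFCONFIG = """\
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255
        ether 00:01:02:03:04:05
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1492
        inet 203.0.113.7 --> 203.0.113.1 netmask 0xffffffff
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
"""

# Assumed sample ruleset; the second rule is the "quickly hacked" rule
# from Volker's post.
SAMPLE_RULES = [
    "block in all",
    "pass in on ng0 proto tcp from any to self port 80",
    "pass out on ng0 from (ng0) to any keep state",
]

WILDCARD = {"0.0.0.0", "::"}


def parse_ifconfig(text: str) -> Dict[str, List[str]]:
    """Map interface name -> inet addresses, in ifconfig output order."""
    addrs: Dict[str, List[str]] = {}
    cur = None
    for line in text.splitlines():
        m = re.match(r"^(\S+): flags=", line)
        if m:
            cur = m.group(1)
            addrs[cur] = []
            continue
        m = re.match(r"^\s+inet (\S+)", line)
        if m and cur is not None:
            addrs[cur].append(m.group(1))
    return addrs


def expand_self(addrs: Dict[str, List[str]]) -> List[str]:
    """Addresses pf substitutes for ``self`` at load time: every inet
    address of every interface, including an unconfigured 0.0.0.0."""
    return [a for ifaddrs in addrs.values() for a in ifaddrs]


def expand_rule(rule: str, addrs: Dict[str, List[str]]) -> List[str]:
    """Expand one rule as pf does at load time: a rule mentioning
    ``self`` becomes one rule per address. Addresses written as
    ``(ifname)`` are left alone on purpose: pf resolves those at run
    time, which is the form Daniel recommends for changing addresses."""
    tokens = rule.split()
    if "self" not in tokens:
        return [rule]
    return [" ".join(a if t == "self" else t for t in tokens)
            for a in expand_self(addrs)]


def check_rules(rules: List[str],
                addrs: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Return (expanded rules, problems). A problem is any expanded rule
    carrying a wildcard address, i.e. one that would match any host."""
    expanded: List[str] = []
    problems: List[str] = []
    for rule in rules:
        for e in expand_rule(rule, addrs):
            expanded.append(e)
            if any(t in WILDCARD for t in e.split()):
                problems.append(f"{rule!r} -> {e!r}")
    return expanded, problems


if __name__ == "__main__":
    expanded, problems = check_rules(SAMPLE_RULES,
                                     parse_ifconfig(SAMPLE_IFCONFIG))
    for e in expanded:
        print(e)
    for p in problems:
        print("REFUSE:", p)
    raise SystemExit(1 if problems else 0)
```

The rule written with `(ng0)` passes through untouched: that is the form pf re-resolves at run time, so it follows the PPP link when it comes up and needs no reload. `self` has no such form, so a check like this one, run before every load, is the defence against the 0.0.0.0 expansion.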
