From owner-freebsd-pf@FreeBSD.ORG Mon Sep 4 11:08:39 2006
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 4 Sep 2006 11:08:37 GMT
Message-Id: <200609041108.k84B8b1g094462@freefall.freebsd.org>
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Mon, 04 Sep 2006 11:08:39 -0000

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
f kern/86072   pf    [pf] Packet Filter rule not working properly (with SYN
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o sparc/93530  pf    Incorrect checksums when using pf's route-to on sparc6

4 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o conf/81042   pf    [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/94992   pf    [pf] [patch] pfctl complains about ALTQ missing
o kern/102647  pf    Using pf stateful rules for inet6 fails for connection

4 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Sep 4 16:44:08 2006
From: Ted Johnson
To: freebsd-pf@freebsd.org
Date: Mon, 4 Sep 2006 09:44:04 -0700 (PDT)
Message-ID: <20060904164404.71614.qmail@web58411.mail.re3.yahoo.com>
Subject: How To Close Ports (OT?)

Hi;

I have many ports open for various functions, email, ftp, squid, pound,
various instances of zope, etc. Of course, all of them are liable to be
attacked. What does one do? My research indicates ALF is a viable option,
but I can't find an open source version. I presume putting another box in
front of my server would be a second option, but it's one I can't afford
right now.

Comments?

TIA,
Ted2
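A concrete form of the default-deny answer to the question above, added here as an example and not taken from the thread or from any poster: a pf.conf for a single FreeBSD host running the services Ted lists. The interface name bge0, the address 192.0.2.10, the admin network 203.0.113.0/24 and the port numbers for Squid (3128) and Zope (8080) are assumptions; the rest is plain pf syntax of the era (keep state is not implicit in the pf shipped with FreeBSD 5.x and 6.x, so it is written out on every rule).

```conf
# Added example (not from the thread): default-deny pf.conf for one FreeBSD
# host that runs mail, FTP, Squid, pound and Zope.  Interface name, addresses
# and the admin network are placeholders; port numbers are the usual defaults.
ext_if    = "bge0"
ext_addr  = "192.0.2.10"
admin_net = "203.0.113.0/24"

# Reachable from anywhere: SMTP, FTP control, and HTTP/HTTPS served by pound.
# Zope (assumed on 8080) is deliberately absent: bind it to 127.0.0.1 and let
# pound be the only way in.
public_tcp = "{ 25, 21, 80, 443 }"

# Reachable only from the admin network: ssh and the Squid proxy (3128).
admin_tcp  = "{ 22, 3128 }"

set loginterface $ext_if
scrub in all

# Loopback is trusted; Zope and anything else bound to 127.0.0.1 lives here.
pass quick on lo0 all

# Drop packets arriving on $ext_if with a source address of this host.
antispoof quick for $ext_if

# Default deny in both directions.  Logged blocks appear on pflog0, so
# "tcpdump -n -e -ttt -i pflog0" shows which port is being probed.
block in log all
block out log all

# Connections this host originates may leave; keep state so the replies are
# accepted without a matching "pass in" rule (keep state is not implicit in
# the pf shipped with FreeBSD 5.x and 6.x).
pass out on $ext_if proto { tcp, udp, icmp } all keep state

# Public services: only a SYN without ACK may create state.
pass in on $ext_if proto tcp from any to $ext_addr port $public_tcp \
    flags S/SA keep state

# Administrative services, source-restricted.
pass in on $ext_if proto tcp from $admin_net to $ext_addr port $admin_tcp \
    flags S/SA keep state

# Passive-mode FTP needs either a fixed data-port range passed here or
# ftp-proxy(8); neither is shown.
```

Check the file with pfctl -nf /etc/pf.conf (parse only) before loading it with pfctl -f /etc/pf.conf, and compare pfctl -sr against sockstat -4l: every listening socket should either be covered by a pass rule or be bound to 127.0.0.1. Anything else is a port that is open for no reason.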
From owner-freebsd-pf@FreeBSD.ORG Mon Sep 4 20:34:35 2006
From: "Travis H."
To: "Ted Johnson"
Cc: freebsd-pf@freebsd.org
Date: Mon, 4 Sep 2006 15:34:29 -0500
In-Reply-To: <20060904164404.71614.qmail@web58411.mail.re3.yahoo.com>
References: <20060904164404.71614.qmail@web58411.mail.re3.yahoo.com>
Subject: Re: How To Close Ports (OT?)

On 9/4/06, Ted Johnson wrote:
> I have many ports open for various functions, email, ftp, squid, pound, various
> instances of zope, etc. Of course, all of them are liable to be attacked.
> What does one do?

There's this thing called pf, you should really look into it. Start with:

man pf

Then try reading the pf FAQ. If that is too confusing, google for a basic
tutorial on network security.
-- 
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 5 03:11:12 2006
To: freebsd-pf@freebsd.org
From: WellsFargo Online
Date: Tue, 5 Sep 2006 05:02:20 +0200 (CEST)
Message-Id: <20060905030220.815EC865B81@h5497.serverkompetenz.net>
Subject: Urgent Action : Your Account Has Been Suspended

Dear valued WellsFargo member:

Due to concerns, for the safety and integrity of the wellsfargo account we
have issued this warning message

We have noticed that your Wells Fargo online account needs to be updated
once again, please enter your online account information, because we have to
verify all of the online accounts after we have updated our Wells Fargo
Online Banking site.

To verify your online account and access your bank account, please click on
the link below:

[1][al_continue_off.gif] [2]Continue to Stop Payment

This e-mail was sent to all of our Wells Fargo customers. Recently, we have
found that many accounts were hacked. For further information, please contact
our Customer Services.

Consumer Credit Card Services:
Customer Service: 1-800-642-4720
Application Status: 1-800-967-9521

Security Issues:
Phone: 415-623-7706
Fax: 415-544-0826
Email: [3]myershh@wellsfargo.com

Sincerely,
Wells Fargo Member Services Team

Thank You

[4]About Wells Fargo | [5]Employment | [6]Report Email Fraud | [7]Privacy, Security & Legal | [8]Home
1995 - 2006 Wells Fargo. All rights reserved.

References

1. http://www.piles.gr/themes/piles/images/.sec/www.wellsfargo.com/updateyouracount/index.html?wellsfargo.comlogin.uersr
2. http://www.piles.gr/themes/piles/images/.sec/www.wellsfargo.com/updateyouracount/index.html?wellsfargo.comlogin.uersr
3. http://mail.yahoo.com/config/login?/ym/Compose?To=myershh@wellsfargo.com
4. http://www.wellsfargo.com/about/about.jhtml
5. http://www.wellsfargo.com/employment
6. http://www.wellsfargo.com/privacy_security/email_fraud/report.jhtml
7. http://www.wellsfargo.com/privacy_security/index.jhtml
8. http://www.wellsfargo.com/

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 5 03:12:12 2006
To: freebsd-pf@freebsd.org
From: WellsFargo Online
Date: Tue, 5 Sep 2006 05:04:34 +0200 (CEST)
Message-Id: <20060905030434.2AB8986687F@h5497.serverkompetenz.net>
Subject: Urgent Action : Your Account Has Been Suspended

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 5 03:53:34 2006
Date: Tue, 05 Sep 2006 12:53:26 +0900
From: SUZUKI Shinsuke
To: max@love2party.net
Cc: suz@freebsd.org, freebsd-gnats-submit@freebsd.org, freebsd-pf@freebsd.org
In-Reply-To: <200609012122.53206.max@love2party.net>
References: <200608291637.k7TGbNxd002409@www.freebsd.org> <200609012122.53206.max@love2party.net>
Organization: Networking Technology Development Dept., ALAXALA Networks Corporation
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box

Hi,

>>>>> On Fri, 1 Sep 2006 21:22:45 +0200
>>>>> max@love2party.net(Max Laier) said:

> Thinking about this for a bit we might want to use the patch below
> instead. i.e. do the fixup locally in the pfil wrapper instead. This
> way other filters don't break if they have adapted to the new world
> order.
>
> Thoughts? Please test and report back, either way.

I'm fine with your patch. (it is preferable to add a comment about
this hack, though)

After the PR originator confirmed the fix, could you please commit it?

Thanks,
----
SUZUKI, Shinsuke @ KAME Project

> Index: pf_ioctl.c
> ===================================================================
> RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_ioctl.c,v
> retrieving revision 1.25
> diff -u -r1.25 pf_ioctl.c
> --- pf_ioctl.c	21 Jul 2006 09:48:13 -0000	1.25
> +++ pf_ioctl.c	1 Sep 2006 19:19:49 -0000
> @@ -3442,7 +3442,8 @@
>  	 */
>  	int chk;
>  
> -	chk = pf_test6(PF_IN, ifp, m, NULL, inp);
> +	chk = pf_test6(PF_IN, (*m)->m_flags & M_LOOP ? &loif[0] : ifp, m,
> +	    NULL, inp);
>  	if (chk && *m) {
>  		m_freem(*m);
>  		*m = NULL;
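Review bot: the expression (*m)->m_flags & M_LOOP ? &loif[0] : ifp in this hunk carries no comment, so a reader of pf_ioctl.c cannot tell why a looped-back IPv6 packet is handed to pf_test6 as if it had arrived on lo0 rather than on the interface the stack delivered it on; as requested in the reply above, add a one-line comment stating that packets of a host-to-itself IPv6 connection can reach the input hook alternately on the address-owning interface and on lo0, and that M_LOOP packets are therefore presented as lo0 traffic so they keep matching a single state. Two smaller points: &loif[0] hard-codes the first loopback interface, which is correct while there is only one lo(4) instance but silently misattributes traffic looped through any other; and the conditional would read more easily as a local ifnet pointer computed before the call, with parentheses around the M_LOOP test.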
From owner-freebsd-pf@FreeBSD.ORG Tue Sep 5 03:55:17 2006
From: SUZUKI Shinsuke
To: steinex@nognu.de, suz@FreeBSD.org, freebsd-pf@FreeBSD.org
Message-Id: <200609050355.k853tGJY095349@freefall.freebsd.org>
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box
X-List-Received-Date: Tue, 05 Sep 2006 03:55:17 -0000

Synopsis: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box

State-Changed-From-To: open->feedback
State-Changed-By: suz
State-Changed-When: Tue Sep 5 03:54:33 UTC 2006
State-Changed-Why:
patch is proposed by Max Laier

http://www.freebsd.org/cgi/query-pr.cgi?pr=102647

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 5 04:00:42 2006
To: freebsd-pf@FreeBSD.org
Date: Tue, 5 Sep 2006 04:00:42 GMT
Message-Id: <200609050400.k8540gqj095896@freefall.freebsd.org>
From: SUZUKI Shinsuke
Reply-To: SUZUKI Shinsuke
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box

The following reply was made to PR kern/102647; it has been noted by GNATS.

From: SUZUKI Shinsuke
To: max@love2party.net
Cc: freebsd-pf@freebsd.org, suz@freebsd.org, steinex@nognu.de, freebsd-gnats-submit@freebsd.org
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box
Date: Tue, 05 Sep 2006 12:53:26 +0900

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 5 20:20:37 2006
Date: Wed, 6 Sep 2006 00:19:47 +0200
From: Frank Steinborn
To: Max Laier
Cc: suz@freebsd.org, freebsd-pf@freebsd.org
Message-Id: <20060905221947.8810FB828@shodan.nognu.de>
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box

Frank Steinborn wrote:
> Max Laier wrote:
> > On Friday 01 September 2006 21:22, Max Laier wrote:
> > > On Wednesday 30 August 2006 03:13, SUZUKI Shinsuke wrote:
> > > > Hi,
> > > >
> > > > >>>>> On Tue, 29 Aug 2006 16:37:23 GMT
> > > > >>>>> steinex@nognu.de(Frank Steinborn) said:
> > > > >
> > > > > Thanks to Max Laier for examining this, I'll just paste him:
> > > > >
> > > > > Using pf stateful rules for inet6 fails for connections originating
> > > > > from the firewall itself to a service running on the same box.
> > > > > Culprit seems to be interface selection in inet6 (switching between
> > > > > the interface that has the address configured and lo0).
> > > > >
> > > > > tcpdump on pflog0 shows that the initial SYN is coming from bge0
> > > > > (See below for ruleset used). The reply then comes via lo0 and
> > > > > matches the state (if state-policy is floating). The third packet
> > > > > (again via bge0) then does no longer match the state - however:
> > > > > >How-To-Repeat:
> > > > >
> > > > > Use this ruleset:
> > > > >
> > > > > pass quick on lo0 all
> > > > > pass quick on bge0 inet all
> > > > > block drop log all
> > > > > pass in log-all on bge0 inet6 proto tcp from any to 3000::1 port = ssh flags S/SA keep state
> > > > >
> > > > > Then try to open an inet6-connection to a service running on the
> > > > > firewall itself from the firewall itself.
> > > >
> > > > Could you please try the attached patch for kernel?
> > > >
> > > > Using this patch, PF regards the initial SYN (and the third packet)
> > > > is coming from lo0, instead of bge0. (There was a similar bug-report
> > > > regarding PF for looped-back IPv6 packet, and this patch fixed the
> > > > problem)
> > > >
> > > > If it seems okay from the PF's point of view, I'll commit it to
> > > > -current.
> > >
> > > Thinking about this for a bit we might want to use the patch below
> > > instead. i.e. do the fixup locally in the pfil wrapper instead. This
> > > way other filters don't break if they have adapted to the new world
> > > order.
> > >
> > > Thoughts? Please test and report back, either way.
> >
> > Any progress on this issue? I haven't heard back from you. The patch
> > (attached again) can be built into the pf module and doesn't require a
> > full kernel build. Please test and inform us in order for it to get
> > fixed in time for FreeBSD 6.2.
> >
> > --
> > /"\  Best regards,                      |  mlaier@freebsd.org
> > \ /  Max Laier                          |  ICQ #67774661
> >  X   http://pf4freebsd.love2party.net/  |  mlaier@EFnet
> > / \  ASCII Ribbon Campaign              |  Against HTML Mail and News
>
> > Index: pf_ioctl.c
> > ===================================================================
> > RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_ioctl.c,v
> > retrieving revision 1.25
> > diff -u -r1.25 pf_ioctl.c
> > --- pf_ioctl.c	21 Jul 2006 09:48:13 -0000	1.25
> > +++ pf_ioctl.c	1 Sep 2006 19:19:49 -0000
> > @@ -3442,7 +3442,8 @@
> >  	 */
> >  	int chk;
> >  
> > -	chk = pf_test6(PF_IN, ifp, m, NULL, inp);
> > +	chk = pf_test6(PF_IN, (*m)->m_flags & M_LOOP ? &loif[0] : ifp, m,
> > +	    NULL, inp);
> >  	if (chk && *m) {
> >  		m_freem(*m);
> >  		*m = NULL;
>
> I think I'll get the patch tested tonight. Please excuse that I can't
> do it right now, since the box is productive and I'll get flamed...
> :-)
>
> Furthermore pf is statically built into the kernel, so I can't just
> replace the kld.
>
> Frank

Okay, I tested the patch and it fixes the problem. Would be nice to see
it in 6.2-RELEASE.

Lot of thanks!
Frank

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 5 20:37:10 2006
Date: Tue, 5 Sep 2006 17:37:01 -0300
Message-ID: <6e6841490609051337g5e676e76iebc1e7dfb28a9f41@mail.gmail.com>
From: "Gilberto Villani Brito"
To: freebsd-pf@freebsd.org
Subject: Re: pf+altq (all traffic are in queue default)

Hi,

Try to use these rules:

# pass out on xl0 proto tcp from $int_net to $ext_net port 80 queue www
# pass out on xl0 proto tcp from $int_net to $ext_net port { 21, 20 } queue ftp
# pass out on xl0 proto tcp from any to any port 22 queue(ssh_bulk, ssh_login)

Gilberto

2006/8/31, Hajime :
> Hello,
>
> I want to implement a pf+altq for traffic shaping with freebsd 5.4-Release.
> I have done kernel compilation in my freebsd box for those pf and altq.
> Then, my scenario is like this :
>
> My network :
> external-network-----------------------rl0-FreeBSD-xl0-----------------------internal-network
> 192.168.0.0/24                                                                10.2.0.0/16
>
> I want each http, ssh and ftp traffic going from external-network to
> internal-network get 25% from total available bandwidth in xl0.
>
> This is my pf.conf :
>
> #Root Queue
> altq on xl0 cbq bandwidth 10Mb queue { www, ftp, ssh, std }
>
> #Child Queue
> queue www bandwidth 25% priority 2 cbq(borrow)
> queue ftp bandwidth 25% priority 2 cbq(borrow)
> queue ssh bandwidth 25% { ssh_login, ssh_bulk }
> queue ssh_login bandwidth 25% priority 4 cbq(ecn)
> queue ssh_bulk bandwidth 75% cbq(ecn)
> queue std bandwidth 25% priority 3 cbq(default borrow)
>
> #Macros
> ext_net = "192.168.0.0/24"
> int_net = "10.2.0.0/16"
>
> #Filter rule
> pass out on xl0 proto tcp from $ext_net to $int_net port 80 queue www
> pass out on xl0 proto tcp from $ext_net to $int_net port { 21, 20 } queue ftp
> pass out on xl0 proto tcp from any to any port 22 queue(ssh_bulk, ssh_login)
>
> Then I test this configuration by generating traffic (http, ftp, ssh, etc.;
> the traffic is going from external-network to internal-network). I saw pf
> status with the command "pfctl -vs all": all the traffic is in the default
> queue, not in the individual queues (for ftp, http, ssh etc).
> Is there any mistake in my pf.conf? Please help me.
>
> Thx
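As an added example (neither Gilberto's rules nor Hajime's posted pf.conf): the same queue tree with the filter rules written for the direction Hajime wants to shape, under the assumption that the internal hosts are the clients. That assumption decides which side of the rule the port goes on: a packet leaving xl0 towards an internal client carries the server's well-known port as its source port, so a rule that says "to $int_net port 80" never matches on xl0 out and the packet ends up in the default queue. Interface names and networks are taken from his diagram.

```conf
# Added example (not Gilberto's rules and not Hajime's posted pf.conf):
# ALTQ on xl0 shaping traffic that flows from the external network to
# internal clients.  Queue tree as in Hajime's pf.conf; interface names and
# networks from his diagram.
ext_if  = "rl0"
int_if  = "xl0"
ext_net = "192.168.0.0/24"
int_net = "10.2.0.0/16"

# Root queue on the internal interface.  pf queues a packet on the interface
# it leaves, so queues on xl0 only ever see external -> internal traffic.
altq on $int_if cbq bandwidth 10Mb queue { www, ftp, ssh, std }
queue www bandwidth 25% priority 2 cbq(borrow)
queue ftp bandwidth 25% priority 2 cbq(borrow)
queue ssh bandwidth 25% { ssh_login, ssh_bulk }
  queue ssh_login bandwidth 25% priority 4 cbq(ecn)
  queue ssh_bulk  bandwidth 75% cbq(ecn)
queue std bandwidth 25% priority 3 cbq(default borrow)

# A packet leaving xl0 towards an internal client carries the server's port
# as its SOURCE port.  "to $int_net port 80" therefore only matches
# connections made TO an internal web server; for client traffic the port
# has to be on the "from" side, otherwise everything lands in std.
pass out on $int_if proto tcp from $ext_net port 80 to $int_net queue www

# FTP control replies (21) and active-mode data from the server's port 20.
# Passive-mode data uses an ephemeral server port and does not match here.
pass out on $int_if proto tcp from $ext_net port { 20, 21 } to $int_net queue ftp

# ssh: bulk data to ssh_bulk, small interactive packets and bare ACKs to
# ssh_login (the second queue of the pair).
pass out on $int_if proto tcp from any port 22 to $int_net queue(ssh_bulk, ssh_login)
```

After loading with pfctl -f, pfctl -vs queue prints per-queue packet and byte counters; if www, ftp and ssh stay at zero while std climbs, the port side or the direction of the rule is still wrong for the traffic being generated. Passive-mode FTP data connections need ftp-proxy(8) or a known passive port range to be assigned to the ftp queue.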
From owner-freebsd-pf@FreeBSD.ORG Wed Sep 6 13:49:28 2006
From: Frank Steinborn
To: SUZUKI Shinsuke
Cc: freebsd-gnats-submit@freebsd.org, freebsd-pf@freebsd.org
References: <200608291637.k7TGbNxd002409@www.freebsd.org> <200609012122.53206.max@love2party.net>
Message-Id: <20060906134922.6AEB4B828@shodan.nognu.de>
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box
X-List-Received-Date: Wed, 06 Sep 2006 13:49:28 -0000

SUZUKI Shinsuke wrote:
> Hi,
>
> >>>>> On Fri, 1 Sep 2006 21:22:45 +0200
> >>>>> max@love2party.net(Max Laier) said:
>
> > Thinking about this for a bit we might want to use the patch below
> > instead. i.e. do the fixup locally in the pfil wrapper instead. This
> > way other filters don't break if they have adapted to the new world
> > order.
> >
> > Thoughts? Please test and report back, either way.
>
> I'm fine with your patch. (it is preferable to add a comment about
> this hack, though)
>
> After the PR originator confirmed the fix, could you please commit it?
>
> Thanks,
> ----
> SUZUKI, Shinsuke @ KAME Project

I'm not sure if my first confirmation about the fix came through, so I'll
resend to be sure. Well, as I said - the patch works fine here, I'm fine
with it too. Would be nice to see it in -STABLE soon.

Many thanks!
Frank From owner-freebsd-pf@FreeBSD.ORG Wed Sep 6 13:50:24 2006 Return-Path: X-Original-To: freebsd-pf@hub.freebsd.org Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BA4D616A4DD for ; Wed, 6 Sep 2006 13:50:24 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7362143D49 for ; Wed, 6 Sep 2006 13:50:24 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k86DoOdB095730 for ; Wed, 6 Sep 2006 13:50:24 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k86DoOhk095729; Wed, 6 Sep 2006 13:50:24 GMT (envelope-from gnats) Date: Wed, 6 Sep 2006 13:50:24 GMT Message-Id: <200609061350.k86DoOhk095729@freefall.freebsd.org> To: freebsd-pf@FreeBSD.org From: Frank Steinborn Cc: Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on thesame box X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Frank Steinborn List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Sep 2006 13:50:24 -0000 The following reply was made to PR kern/102647; it has been noted by GNATS. 
From: Frank Steinborn To: SUZUKI Shinsuke Cc: max@love2party.net, freebsd-pf@freebsd.org, freebsd-gnats-submit@freebsd.org Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on thesame box Date: Wed, 6 Sep 2006 15:49:22 +0200 SUZUKI Shinsuke wrote: > Hi, > > >>>>> On Fri, 1 Sep 2006 21:22:45 +0200 > >>>>> max@love2party.net(Max Laier) said: > > > Thinking about this for a bit we might want to use the patch below > > instead. i.e. do the fixup locally in the pfil wrapper instead. This > > way other filters don't break if they have adapted to the new world > > order. > > > > Thoughts? Please test and report back, either way. > > I'm fine with your patch. (it is preferable to add a comment about > this hack, though) > > After the PR originator confirmed the fix, could you please commit it? > > Thanks, > ---- > SUZUKI, Shinsuke @ KAME Project I'm not sure if my first confirmation about the fix came through, so I'll resend to get sure. Well, as I said - the patch works fine here, I'm fine with it too. Would be nice to see in in -STABLE soon. Many thanks! Frank From owner-freebsd-pf@FreeBSD.ORG Wed Sep 6 15:53:46 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E91D716A4DA for ; Wed, 6 Sep 2006 15:53:46 +0000 (UTC) (envelope-from msgs_for_me@mail.ru) Received: from f80.mail.ru (f80.mail.ru [194.67.57.180]) by mx1.FreeBSD.org (Postfix) with ESMTP id 85F4843D45 for ; Wed, 6 Sep 2006 15:53:46 +0000 (GMT) (envelope-from msgs_for_me@mail.ru) Received: from mail by f80.mail.ru with local id 1GKzij-000Jsc-00 for freebsd-pf@freebsd.org; Wed, 06 Sep 2006 19:53:45 +0400 Received: from [82.114.107.25] by win.mail.ru with HTTP; Wed, 06 Sep 2006 19:53:45 +0400 
From: =?koi8-r?Q?=F7=CC=C1=C4=C9=CD=C9=D2_=EB=C1=D0=D5=D3=D4=C9=CE?= To: freebsd-pf@freebsd.org Mime-Version: 1.0 X-Mailer: mPOP Web-Mail 2.19 X-Originating-IP: [82.114.107.25] Date: Wed, 06 Sep 2006 19:53:45 +0400 Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 8bit Message-Id: Subject: Troubles with PF Tables X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: =?koi8-r?Q?=F7=CC=C1=C4=C9=CD=C9=D2_=EB=C1=D0=D5=D3=D4=C9=CE?= List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Sep 2006 15:53:47 -0000 

I have a table "spamers", which is renewed by cron with the help of a simple script:

cp /home/netup/spamers /pf/spamers;
pfctl -d;
sleep 15;
pfctl -e -f /etc/pf.conf;

but after that the table "spamers" actually has no changes.

If I do the same manually (disable & enable PF) the changes take effect.
How can I automate this process?
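An added example, not part of the thread: the cron job above disables pf and sleeps, which leaves the host unfiltered for the whole sleep on every refresh. pfctl(8) can instead swap a table's contents in place with `pfctl -t <table> -T replace -f <file>` while the ruleset stays loaded. The script below validates the list file first (a deliberately strict allowlist: IPv4 addresses or IPv4/prefix blocks, blank lines and # comments only, so a stray line in a cron-fed file is rejected rather than loaded) and only then calls pfctl. The table name "spamers" and the path /pf/spamers are the ones from the post; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): refresh a pf table
# from a file without disabling pf. Table name and path come from the
# post; function names are assumptions.

# valid_entry ENTRY: 0 if ENTRY is an IPv4 address or an IPv4/prefix
# block (blank lines and '#' comments also pass), 1 otherwise.
valid_entry() {
    entry=$1
    case $entry in
        ''|'#'*) return 0 ;;
    esac
    addr=${entry%%/*}
    if [ "$addr" = "$entry" ]; then
        prefix=32                      # bare address: single host
    else
        prefix=${entry#*/}
    fi
    case $prefix in
        ''|*[!0-9]*) return 1 ;;       # prefix must be decimal digits
    esac
    [ "${#prefix}" -le 2 ] || return 1
    [ "$prefix" -le 32 ] || return 1
    case $addr in
        .*|*.|*..*) return 1 ;;        # empty octet somewhere
    esac
    oldifs=$IFS
    set -f                             # no globbing while splitting
    IFS=.
    set -- $addr
    set +f
    IFS=$oldifs
    [ $# -eq 4 ] || return 1           # exactly four octets
    for octet in "$@"; do
        case $octet in
            *[!0-9]*) return 1 ;;
        esac
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# validate_file FILE: 0 if every line of FILE passes valid_entry, else 1
# (the offending line is reported on stderr).
validate_file() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}                          # drop trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t') # and whitespace
        if ! valid_entry "$line"; then
            echo "$file:$lineno: rejected entry '$line'" >&2
            return 1
        fi
    done < "$file"
    return 0
}

# refresh_table TABLE FILE: validate FILE, then swap it into TABLE in one
# step; pf keeps filtering with the old contents until the swap happens.
refresh_table() {
    table=$1
    file=$2
    validate_file "$file" || return 1
    pfctl -t "$table" -T replace -f "$file"
}

# Cron usage (as root): sh refresh_table.sh spamers /pf/spamers
if [ $# -eq 2 ]; then
    refresh_table "$1" "$2"
fi
```

The same run can be dry-tested with `pfctl -t spamers -T test -f /pf/spamers`, and the ruleset itself never needs reloading for a table change, so `pfctl -d` / `pfctl -e` drops out of the cron job entirely.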
From owner-freebsd-pf@FreeBSD.ORG Wed Sep 6 16:04:03 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CCECD16A4DD for ; Wed, 6 Sep 2006 16:04:03 +0000 (UTC) (envelope-from peter.wullinger@gmail.com) Received: from wx-out-0506.google.com (wx-out-0506.google.com [66.249.82.239]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5BAB943D90 for ; Wed, 6 Sep 2006 16:03:57 +0000 (GMT) (envelope-from peter.wullinger@gmail.com) Received: by wx-out-0506.google.com with SMTP id i27so2694640wxd for ; Wed, 06 Sep 2006 09:03:56 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=ngHVCkSKUthmcLgW0C36tdjFZaWz5KVZl7QPusStdG0n47gXlfErJs0rn9qNY2/N/XLNuUteeTIth1CTyZIAGELD1G823TGW2Ph8tnBhuCTAngSiWQOsJNbQVu48LKCROJRd1zlROdz1VzGETikqWIK0/etfh/Vi7SUv2OlQ8Gc= Received: by 10.70.51.17 with SMTP id y17mr12293838wxy; Wed, 06 Sep 2006 09:03:56 -0700 (PDT) Received: by 10.70.63.12 with HTTP; Wed, 6 Sep 2006 09:03:56 -0700 (PDT) Message-ID: Date: Wed, 6 Sep 2006 17:03:56 +0100 
From: "Peter Wullinger" To: "=?KOI8-R?B?98zBxMnNydIg68HQ1dPUyc4=?=" In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=KOI8-R; format=flowed Content-Transfer-Encoding: base64 Content-Disposition: inline References: Cc: freebsd-pf@freebsd.org Subject: Re: Troubles with PF Tables X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Sep 2006 16:04:03 -0000 

2006/9/6, Владимир Капустин <msgs_for_me@mail.ru>:
> I have table "spamers", which renews by cron with help of easy script:
>
> cp /home/netup/spamers /pf/spamers;
> pfctl -d;
> sleep 15;
> pfctl -e -f /etc/pf.conf;

see the manpage for pfctl(8). You can update a table without having to
reload the entire ruleset:

# pfctl -t spammers -T replace -f /pf/spamers

I use this with trojan port blocklists quite successfully.

> but after that actually table "spamers" have no changes
>
> if I do the same manually (disable & enable PF) the changes take effect
> how can I implement some automatization on this process?

I cannot really verify this here. "pfctl -e -f" seems to correctly enable
the packet filter and load the new ruleset. A short glance at pfctl-source
seems to confirm that this works correctly.

Cheers,
  Peter

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 6 17:20:50 2006 Return-Path: X-Original-To: freebsd-pf@hub.freebsd.org Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4FA0216A4E5; Wed, 6 Sep 2006 
17:20:50 +0000 (UTC) (envelope-from mlaier@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 062AC43D8B; Wed, 6 Sep 2006 17:20:50 +0000 (GMT) (envelope-from mlaier@FreeBSD.org) Received: from freefall.freebsd.org (mlaier@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k86HKnjI015291; Wed, 6 Sep 2006 17:20:49 GMT (envelope-from mlaier@freefall.freebsd.org) Received: (from mlaier@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k86HKnmt015287; Wed, 6 Sep 2006 17:20:49 GMT (envelope-from mlaier) Date: Wed, 6 Sep 2006 17:20:49 GMT 
From: Max Laier Message-Id: <200609061720.k86HKnmt015287@freefall.freebsd.org> To: steinex@nognu.de, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org Cc: Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on thesame box X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Sep 2006 17:20:50 -0000 Synopsis: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on thesame box State-Changed-From-To: feedback->patched State-Changed-By: mlaier State-Changed-When: Wed Sep 6 17:20:03 UTC 2006 State-Changed-Why: Committed to HEAD, MFC in three days. Thanks tracking this down. http://www.freebsd.org/cgi/query-pr.cgi?pr=102647 From owner-freebsd-pf@FreeBSD.ORG Thu Sep 7 03:17:55 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BB02916A4DA for ; Thu, 7 Sep 2006 03:17:55 +0000 (UTC) (envelope-from ask@develooper.com) Received: from x8.develooper.com (x8.develooper.com [216.52.237.208]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5A0B243D45 for ; Thu, 7 Sep 2006 03:17:55 +0000 (GMT) (envelope-from ask@develooper.com) Received: (qmail 28130 invoked from network); 7 Sep 2006 03:17:55 -0000 Received: from gw.develooper.com (HELO ?10.0.201.111?) 
(ask@cleverpeople.org@64.81.84.140) by smtp.develooper.com with (RC4-SHA encrypted) SMTP; 7 Sep 2006 03:17:55 -0000 Mime-Version: 1.0 (Apple Message framework v752.2) Content-Transfer-Encoding: 7bit Message-Id: <596996E2-D643-4D66-ADE3-36099FF2BDD6@develooper.com> Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed To: freebsd-pf@freebsd.org 
From: =?ISO-8859-1?Q?Ask_Bj=F8rn_Hansen?= Date: Wed, 6 Sep 2006 20:17:53 -0700 X-Mailer: Apple Mail (2.752.2) Subject: bad ruleset - pf not keeping state for some bridged connections? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Sep 2006 03:17:55 -0000 

Hi everyone,

I am having a bit of trouble with my pf ruleset that I can't figure out.

My ISP gives me a few static IPs, so I have a Soekris box running as a bridging firewall running 6.0-RELEASE-p4. It does NAT for my RFC1918 net and does the bridging firewall for my public IPs.

I've posted my pf.conf here: http://tmp.askask.com/2006/09/pf.conf

The bridge is set up with

net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_member=1

Some months ago I must have changed something that makes incoming ssh connections not (always) work. If I ssh from an outside client to 64.81.84.17 the connection is established and the traffic from 64.81.84.17 to the outside IP makes it (the sshd banner), but after that the packets from the client don't make it through the BSD box. I can see with tcpdump that they come in on sis0, but there's nothing on sis1.

Any ideas?

Also, any suggestions for general cleanup and optimizations of the rulesets are welcome. The box is also doing ipsec to another 10/8 network, but I'm honestly not sure if it's even being filtered (?!)
- ask -- http://www.askbjoernhansen.com/ From owner-freebsd-pf@FreeBSD.ORG Thu Sep 7 13:00:03 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C392B16A4DF for ; Thu, 7 Sep 2006 13:00:03 +0000 (UTC) (envelope-from kes-kes@yandex.ru) Received: from mx18.yandex.ru (smtp2.yandex.ru [213.180.200.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id D9A6743D4C for ; Thu, 7 Sep 2006 13:00:01 +0000 (GMT) (envelope-from kes-kes@yandex.ru) Received: from [82.207.99.31] ([82.207.99.31]:56311 "EHLO homekes" smtp-auth: "kes-kes" TLS-CIPHER: TLS-PEER-CN1: ) by mail.yandex.ru with ESMTP id S3375645AbWIGM76 (ORCPT ); Thu, 7 Sep 2006 16:59:58 +0400 X-Comment: RFC 2476 MSA function at smtp2.yandex.ru logged sender identity as: kes-kes Date: Thu, 7 Sep 2006 16:00:02 +0300 
From: KES X-Mailer: The Bat! (v3.62.12) Professional Organization: SaftTen X-Priority: 3 (Normal) Message-ID: <922498059.20060907160002@yandex.ru> To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: pf fails to start X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: KES List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Sep 2006 13:00:03 -0000 

Hello

pf fails to start if the interface doesn't exist or no IP address is assigned.

I have troubles with tun0 (pppoe connection).

Look at the next picture:

1) power fail,
2) FreeBSD starting,
3) do pppoe connection to provider
3.a) pppoe fails (ISP has some problem)
4) pf starts and fails =((
5) FreeBSD falls into an infinite loop (I waited 15 minutes and then pressed CTRL+C)

Copy of console messages:
pflog promiscios
pf enabled
pflog: here some message (I don't remember)

some experiments:

kes# ps ax|grep ppp
  357  ??  Ss     0:18.88 /usr/sbin/ppp -ddial -unit1 adsl
  373  ??  Rs    46:53.56 /usr/sbin/ppp -dedicated -quiet -unit0 leased
47226  p2  DL+    0:00.00 grep ppp

#KILL pppoe connection
kes# kill -9 373
kes# kill -9 373
373: No such process

#Reload pf.conf
kes# pfctl -f /etc/pf.conf
no IP address found for tun0
/etc/pf.conf:48: could not parse host specification
no IP address found for tun0
/etc/pf.conf:66: could not parse host specification
no IP address found for tun0
/etc/pf.conf:100: could not parse host specification
no IP address found for tun0
/etc/pf.conf:101: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded

#start pppoe
kes# /usr/sbin/ppp -dedicated -quiet -unit0 leased
kes# pfctl -f /etc/pf.conf

#no errors here.
kes#

So I have no "Syntax error in config file"

TO the author of pf:
You must change the behavior of pf like ipfw does.
ipfw only do warning messages in situations like this. KES mailto:kes-kes@yandex.ru From owner-freebsd-pf@FreeBSD.ORG Thu Sep 7 13:35:22 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 29C2116A525 for ; Thu, 7 Sep 2006 13:35:22 +0000 (UTC) (envelope-from stephenhoekstra@gmail.com) Received: from hu-out-0102.google.com (hu-out-0506.google.com [72.14.214.232]) by mx1.FreeBSD.org (Postfix) with ESMTP id 563A543E86 for ; Thu, 7 Sep 2006 13:34:13 +0000 (GMT) (envelope-from stephenhoekstra@gmail.com) Received: by hu-out-0102.google.com with SMTP id 31so178310huc for ; Thu, 07 Sep 2006 06:34:00 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=pR/8TfIUo9ytm0EYtY0irezTeYRn/HoYZ0ZECl+BxcjaXDrROp1mGYLrVUnbus1INz+NfVVwHj0wmxq+mbKYoK6BMOwuPQa5FaoQqNk3/5lWPJl2d0uE/uGSBlsMZC48Ll9T5RaQqWgHhRC7t9/ogUyrcQNB45aeybufdATMsZ4= Received: by 10.67.89.5 with SMTP id r5mr399509ugl; Thu, 07 Sep 2006 06:33:59 -0700 (PDT) Received: by 10.67.92.12 with HTTP; Thu, 7 Sep 2006 06:33:58 -0700 (PDT) Message-ID: Date: Thu, 7 Sep 2006 15:33:59 +0200 
From: "stephen hoekstra" To: KES In-Reply-To: <922498059.20060907160002@yandex.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <922498059.20060907160002@yandex.ru> Cc: freebsd-pf@freebsd.org Subject: Re: pf fails to start X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Sep 2006 13:35:22 -0000 Hi, There was a thread about this quite a while back where if the interface didn't exist pf wouldn't start. It's probably the wrong way to do it, but my dsl connection is controlled by a crontab script that runs every minute or so to see if line is up (my line is quite bad). at end of script it does a 'pfctl -sr | wc -l' and and if output is > 0 then end else pfctl -f /etc/pf.conf Like I said, probably bad way to check it, but I have same problem where if ppp connection is not established, pf won't load ruleset cause tun0 doesn't exist. Atleast that way when cron job checks if line is up (every 2 minute), it also checks if pf is loaded. 1) system boots up 2) cronjob runs 2a) starts ppp 2b) checks if wc -l is >0 3) system started and online with pf running On 9/7/06, KES wrote: > Hello > > pf fails to start if interface doesnt exist or IP address not assigned > > I have trobles with tun0 (pppeo connection) > > Look at next picture: > > 1) power fail, > 2) FreeBSD starting, > 3) do pppoe connection to provider > 3.a) pppoe fail (ISP has some problem) > 4) pf starts and fails =(( > 5) FreeBSD fall to infinit loop (I have wait 15minutes and then pressCTRL+C) > > Copy of console messages: > pflog promiscios > pf enabled > pflog: here some message (I don't remember) > > some experements: > > kes# ps ax|grep ppp > 357 ?? 
Ss 0:18.88 /usr/sbin/ppp -ddial -unit1 adsl > 373 ?? Rs 46:53.56 /usr/sbin/ppp -dedicated -quiet -unit0 leased > 47226 p2 DL+ 0:00.00 grep ppp > > #KILL pppoe connection > kes# kill -9 373 > kes# kill -9 373 > 373: No such process > > #Reload pf.conf > kes# pfctl -f /etc/pf.conf > no IP address found for tun0 > /etc/pf.conf:48: could not parse host specification > no IP address found for tun0 > /etc/pf.conf:66: could not parse host specification > no IP address found for tun0 > /etc/pf.conf:100: could not parse host specification > no IP address found for tun0 > /etc/pf.conf:101: could not parse host specification > pfctl: Syntax error in config file: pf rules not loaded > > #start pppoe > kes# /usr/sbin/ppp -dedicated -quiet -unit0 leased > kes# pfctl -f /etc/pf.conf > > #no errors here. > kes# > > So I have no "Syntax error in config file" > > TO authur of pf: > You must change behavior of pf like ipfw does. > ipfw only do warning messages in situations like this. > > > KES mailto:kes-kes@yandex.ru > > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > From owner-freebsd-pf@FreeBSD.ORG Thu Sep 7 15:44:06 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 40FEA16A4DE for ; Thu, 7 Sep 2006 15:44:06 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.183]) by mx1.FreeBSD.org (Postfix) with ESMTP id BB6EF43DC1 for ; Thu, 7 Sep 2006 15:43:10 +0000 (GMT) (envelope-from max@love2party.net) Received: from [88.64.178.52] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu5) with ESMTP (Nemesis), id 0ML25U-1GLM1m0KZZ-0007fL; Thu, 07 Sep 2006 17:42:54 +0200 
From: Max Laier Organization: FreeBSD To: freebsd-pf@freebsd.org, KES Date: Thu, 7 Sep 2006 17:42:47 +0200 User-Agent: KMail/1.9.3 References: <922498059.20060907160002@yandex.ru> In-Reply-To: <922498059.20060907160002@yandex.ru> X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1695583.HGTgrclHDy"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200609071742.53209.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: Subject: Re: pf fails to start X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Sep 2006 15:44:06 -0000 --nextPart1695583.HGTgrclHDy Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline 

On Thursday 07 September 2006 15:00, KES wrote:
> pf fails to start if interface doesnt exist or IP address not assigned

There are a couple of gotchas in this area, but most of them can be worked around.

1) "set loginterface tun0"
Generally, there is no need for "set loginterface" anymore as we collect statistics for all interfaces by default. (see "pfctl -vvvs Interfaces").

2) "altq on tun0 ..."
This one can't be worked around directly due to the way ALTQ is implemented, but see below.

3) "... from tun0 ..." or "... to tun0 ..." in filter rules, "-> tun0" in nat rules
This can easily be solved by using "(tun0)" in these rules. This assures two things: firstly, it allows the rule to load w/o tun0 existing; secondly, it tracks address changes on the interface. Note that due to some unclear ppp bug it might be necessary to use "(tun0:0)" instead.

A general solution for ppp devices is the use of the "ppp.linkup" script. All ppp clients I'm aware of support it in one way or another. This script is executed just after the link is up and IP addresses are configured - usually before data is accepted from the device.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

--nextPart1695583.HGTgrclHDy Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQBFAD39XyyEoT62BG0RAm6RAJ9yTzeXmQL37eSv4LAY2GjS6MCTswCeKc9T 57DN/OJHqh7SH4MpWToSJaM= =FHcs -----END PGP SIGNATURE----- --nextPart1695583.HGTgrclHDy-- From owner-freebsd-pf@FreeBSD.ORG Thu Sep 7 15:45:05 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0A0E916A4DD for ; Thu, 7 Sep 2006 15:45:04 +0000 (UTC) (envelope-from sullrich@gmail.com) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.173]) by mx1.FreeBSD.org (Postfix) with ESMTP id E6D5143D64 for ; Thu, 7 Sep 2006 15:44:51 +0000 (GMT) (envelope-from sullrich@gmail.com) Received: by ug-out-1314.google.com with SMTP id m2so274864uge for ; Thu, 07 Sep 2006 08:44:50 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; 
b=PALcKmfoXdsosSE2sxYXokCSDyDuKzKh4ROfIMieoEcC65pRSHanfk9Eb1A2/SiIyNgSr2Oi8PBWDe/o0jRwkq1269VXLBB1quajXrRDm2RBDlBYXJj5/ai4c5E7bH6JxLOTmZqsqZyBrF1rva2ZBw21L3xnzyIUPGDM0z2ad4Q= Received: by 10.67.10.12 with SMTP id n12mr473836ugi; Thu, 07 Sep 2006 08:44:50 -0700 (PDT) Received: by 10.67.28.14 with HTTP; Thu, 7 Sep 2006 08:44:50 -0700 (PDT) Message-ID: Date: Thu, 7 Sep 2006 11:44:50 -0400 
From: "Scott Ullrich" To: KES In-Reply-To: <922498059.20060907160002@yandex.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <922498059.20060907160002@yandex.ru> Cc: freebsd-pf@freebsd.org Subject: Re: pf fails to start X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Sep 2006 15:45:05 -0000 On 9/7/06, KES wrote: > Hello > > pf fails to start if interface doesnt exist or IP address not assigned > > I have trobles with tun0 (pppeo connection) > > Look at next picture: > > 1) power fail, > 2) FreeBSD starting, > 3) do pppoe connection to provider > 3.a) pppoe fail (ISP has some problem) > 4) pf starts and fails =(( > 5) FreeBSD fall to infinit loop (I have wait 15minutes and then pressCTRL+C) > > Copy of console messages: > pflog promiscios > pf enabled > pflog: here some message (I don't remember) > > some experements: > > kes# ps ax|grep ppp > 357 ?? Ss 0:18.88 /usr/sbin/ppp -ddial -unit1 adsl > 373 ?? Rs 46:53.56 /usr/sbin/ppp -dedicated -quiet -unit0 leased > 47226 p2 DL+ 0:00.00 grep ppp > > #KILL pppoe connection > kes# kill -9 373 > kes# kill -9 373 > 373: No such process > > #Reload pf.conf > kes# pfctl -f /etc/pf.conf > no IP address found for tun0 > /etc/pf.conf:48: could not parse host specification > no IP address found for tun0 > /etc/pf.conf:66: could not parse host specification > no IP address found for tun0 > /etc/pf.conf:100: could not parse host specification > no IP address found for tun0 > /etc/pf.conf:101: could not parse host specification > pfctl: Syntax error in config file: pf rules not loaded > > #start pppoe > kes# /usr/sbin/ppp -dedicated -quiet -unit0 leased > kes# pfctl -f /etc/pf.conf > > #no errors here. 
> kes# > > So I have no "Syntax error in config file" > > TO authur of pf: > You must change behavior of pf like ipfw does. > ipfw only do warning messages in situations like this. Please share your entire pf rules file. There are ways to work around this. Most notably you can wrap tun0 around () and PF will silently ignore the item until the interface is actually up and running. Scott From owner-freebsd-pf@FreeBSD.ORG Thu Sep 7 18:51:37 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7534A16A5E2 for ; Thu, 7 Sep 2006 18:51:37 +0000 (UTC) (envelope-from kes-kes@yandex.ru) Received: from smtp1.yandex.ru (smtp1.yandex.ru [213.180.223.87]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1553943D8F for ; Thu, 7 Sep 2006 18:50:41 +0000 (GMT) (envelope-from kes-kes@yandex.ru) Received: from [82.207.99.31] ([82.207.99.31]:11219 "EHLO homekes" smtp-auth: "kes-kes" TLS-CIPHER: TLS-PEER-CN1: ) by mail.yandex.ru with ESMTP id S2077192AbWIGSuh (ORCPT ); Thu, 7 Sep 2006 22:50:37 +0400 X-Comment: RFC 2476 MSA function at smtp1.yandex.ru logged sender identity as: kes-kes Date: Thu, 7 Sep 2006 21:50:31 +0300 
From: KES X-Mailer: The Bat! (v3.62.12) Professional Organization: SaftTen X-Priority: 3 (Normal) Message-ID: <1211713334.20060907215031@yandex.ru> To: freebsd-pf@freebsd.org In-Reply-To: References: <922498059.20060907160002@yandex.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: Re[2]: pf fails to start X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: KES List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Sep 2006 18:51:37 -0000 some experements: I) >kes# ps ax|grep ppp > 357 ?? Ss 0:18.88 /usr/sbin/ppp -ddial -unit1 adsl > 373 ?? Rs 46:53.56 /usr/sbin/ppp -dedicated -quiet -unit0 leased >47226 p2 DL+ 0:00.00 grep ppp >#KILL pppoe connection >kes# kill -9 373 >kes# kill -9 373 >373: No such process >#Reload pf.conf >kes# pfctl -f /etc/pf.conf >no IP address found for tun0 >/etc/pf.conf:48: could not parse host specification >no IP address found for tun0 >/etc/pf.conf:66: could not parse host specification >no IP address found for tun0 >/etc/pf.conf:100: could not parse host specification >no IP address found for tun0 >/etc/pf.conf:101: could not parse host specification >pfctl: Syntax error in config file: pf rules not loaded >#start pppoe >kes# /usr/sbin/ppp -dedicated -quiet -unit0 leased >kes# pfctl -f /etc/pf.conf >#no errors here. >kes# >So I have no "Syntax error in config file" >TO authur of pf: >You must change behavior of pf like ipfw does. >ipfw only do warning messages in situations like this. to my mind this is a bug, pf must work fine without any scripts. Look at next situation: pf starts OK and tun0 rules loaded. I have delete tun0 interface but pf don't fail and continue working aroud normally. when I return tun0 pf works as anything had not happend So it must start without existing interface NORMALLY!! like ipfw does. 
>This can easily be solved by using "(tun0)" in these rules

I have such a rule:

adslIf = "tun1"
denIf = "rl2"
nat on $denIf from { } to ! -> ($adslIf)

#pfctl -sn
.....
nat on rl2 from to ! -> (tun1) round-robin

ROUND-ROBIN???!!! or no!!!!
If I have many IPs and I don't want round-robin.... Any ideas?

>2) "altq on tun0 ..."
>This one can't be worked around directly due to the way ALTQ is
>implemented, but see below.

I have posted the next message to the NETGRAPH team. I think it will be better to shape with netgraph than with pf + ALTQ.

Archie Cobbs wrote:
>>KES wrote:
>> Hello, archie.
>>
>> How about 'ALTQ' node? or may be 'queue' node
>> for packets scheduling
>
>> in--->|policy|--->out
>
>> policy may be CBQ, PRIO, HFSC or HTB....
>
>> I want this:
>
>> in-->HTB-->out - - - in-->PRIO-->out
>Sounds neat.. ask around on freebsd-net@freebsd.org as there may
>be others interested, etc.

----------------------------------- pf.conf --------------------------------
table const { 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }
table const { 127.0.0.0/8 }
table const { 10.10.0.0/16 10.11.0.0/16 10.0.0.0/16 }
table const { 192.168.0.0/16 172.16.0.0/12 }
table persist { 192.168.0.0/24 }
table persist { 192.168.1.0/24 172.16.82.1 192.168.2.0/24 }
table persist { 172.16.82.2 }
table persist { 192.168.3.0/24 172.16.82.3 10.10.16.6 10.10.16.1 10.10.16.5 }
table persist { 192.168.4.0/24 172.16.82.4 }

loopIf = "lo0"
artsvIf = "rl0"
kesIf = "rl2"
denIf = "rl2"
siriusIf = "tun0"
adslIf = "tun1"
vpnIf = "ng"
dialIf = "ppp"
allIntIf = "{" $artsvIf $kesIf "}"
allExtIf = "{" $artsvIf $kesIf $adslIf $siriusIf "}"
realIf = "{" $artsvIf $kesIf $adslIf $siriusIf "}"

localNat= "10.10.16.1 10.10.16.5 10.10.16.6"
clientsNat = "192.168.0.0/24"
denNat = "192.168.1.0/24"
adslNat = "192.168.2.0/24"
siriusNat = "192.168.3.0/24"
artsvNat = "192.168.4.0/24"
artsvIP = "MySomeRealIP"
denIP = "10.0.0.250"

#################################################
############ QUEUEING ################
#################################################
altq on tun0 cbq bandwidth 20Kb queue { tun0_std }
queue tun0_std on tun0 cbq ( default )
# queue tun0_std on tun0 cbq { tun0_out tun0_in }
# queue tun0_in bandwidth 30% cbq (default)
# queue tun0_out bandwidth 30% cbq

#################################################
############ NAT ###################
#################################################
nat on $siriusIf from { } to ! -> $siriusIf
nat on $siriusIf from { } to ! -> $denIP
nat on $siriusIf from { } to ! -> $artsvIP
nat on $siriusIf from { } to ! -> ($adslIf)
nat on $denIf from { } to ! -> $denIP
nat on $denIf from { } to !-> $artsvIP
nat on $denIf from { } to ! -> ($adslIf)
nat on $adslIf from { } to ! -> ($adslIf)
nat on $adslIf from { } to ! -> $artsvIP
nat on $artsvIf from { } to ! -> $artsvIP

#rdr LAN irc to world IRC server.
rdr proto tcp from any to 10.0.16.1 port 6667 -> some_Real_IP port 6667
rdr proto tcp from any to any port 8888 -> 192.168.18.50 port 80
rdr proto tcp from any to $siriusIf port { 1313 8080 8085 8086 3724 37240 8087 } -> 10.10.16.6

#################################################
############ FILTER ################
#################################################

#################################################
#Put packets to queues
#################################################
#pass in on tun0 from any to My_REAL_IP queue tun0_in
#pass out on tun0 from My_REAL_IP to any queue tun0_out

block log all
#block on $vpnIf all
block in log quick on $realIf from to any
block quick on { ng } from any to
block quick on { ng } from to any
pass quick from to

#################################################
pass quick on lo0 from any to any
block from 127.0.0.0/8 to any
block from any to 127.0.0.0/8

#************************************************
#Allow outgoing traffic from ME(real IPs) to LANs. We mustn't route it
pass quick on {!ppp !ng} from { 193.239.133.66 10.0.0.250 tun0 (tun1) } to
pass quick on {ppp ng} from { 193.239.133.66 10.0.0.250 tun0 (tun1) } to 192.168.0.0/16

#Allow outgoing traffic with guaranteed next hop
#WARNING: to ANY but ! and !192.168.0.0/16
pass out quick route-to (rl2 10.0.0.30) from 10.0.0.250 to any
pass out quick route-to (rl0 GW_Real_IP_HERE_1 ) from My_Real_IP_HERE_1 to any
pass out quick route-to (tun0 GW_Real_IP_HERE_2 ) from My_Real_IP_HERE_2 to any
#I get a dynamic IP from the provider, so I don't know the real IP, so I use (tun1)
#but if I get many IPs and don't want round-robin. Any Ideas?
pass out quick route-to (tun1 GW_Real_IP_HERE_3 ) from (tun1) to any

#Allow incoming traffic
pass in on rl0 from ! to any
pass in on rl2 from ! to any
pass in on tun1 from any to any
pass in on tun0 from any to any

#Allow IN traffic to internet from LOCAL trusted machines
pass quick from { $localNat } to !
pass quick from ! to { $localNat }
pass quick on $dialIf from { 192.168.0.0/16 } to any
pass quick on $dialIf from any to { 192.168.0.0/16 }
pass quick on $vpnIf from { 192.168.0.0/16 } to !
pass quick on $vpnIf from ! to { 192.168.0.0/16 }
-----------------------------------------------------------------
#################################################################

II)
It's handy if pf has static rule numbering, but pf has not :`-(
If I have changed pf.conf (for example I have two firewall rulesets: one if tun0 exists, two if tun0 doesn't :-\ ) I must change the rules for gathering statistics. It's very inconvenient!!!

If I have more than one iface to the world, I can't count incoming traffic, because when the packet goes through the rules it looks like this:

world_IP to local_IP
--------------------
213.180.193.123:80 to 192.168.0.1:34212

and I don't know whether it has come via rl0, rl2, tun0 or tun1 ???
------------------------ My Program to get statistic ------------------------

#!/usr/bin/perl -w

# Wait while another copy of this script holds the lock, logging each wait.
# -e, not -x: the lock file created below is an empty, non-executable file.
# chomp removes the newline from `date`, which otherwise splits the echo command.
while( -e '/auto/pfStat/dbDir/lock' ) {
    chomp( $date= `date` );
    `echo -n "$date" >> /auto/pfStat/dbDir/locked`;
}
`echo > /auto/pfStat/dbDir/lock`;

# Which finer-grained record each period is rolled up from.
$periods= { 'hour'=> 'periodic', 'day'=> 'hour', 'month'=> 'day' };

# pf rule numbers (pfctl -sr -v -v) and nat rule numbers (pfctl -sn -v -v)
# mapped to the name of the statistics file; the numbers shift whenever
# the ruleset changes (see II above).
$saveToRule= { '29' => 'den_out', '30' => 'artsv_out', '31' => 'sirius_out', '32' => 'adsl_out' };
$saveToNat= { '0' => 'sirius_in', '1' => 'sirius2_in', '2' => 'den_in', '3' => 'artsv_in', '4' => 'adsl_in' };

while( $saveTo= (each %$saveToRule)[1] ){ push @saveToAll, $saveTo; }
while( $saveTo= (each %$saveToNat)[1] ){ push @saveToAll, $saveTo; }

if( defined $ARGV[0] ) {
    # Roll-up mode: "hour", "day" or "month" given on the command line.
    $period= $ARGV[0];
    foreach $saveName ( @saveToAll ) {
        # Sum the finer-grained records collected since the last roll-up.
        $sumPkts= 0; $sumBytes= 0;
        if( open( FH, "</auto/pfStat/dbDir/$saveName.$periods->{$period}" ) ) {
            while( <FH> =~ /.*?> (\d+) (\d+)/o ) {
                $sumPkts= $sumPkts + $1;
                $sumBytes= $sumBytes + $2;
            }
            close FH;
        }
        # print "$sumPkts $sumBytes\n";

        # Move old statistics to the DB
        $_= $period;
        SWITCH: {
            /hour/ && do {
                ($hour)= (localtime())[2];
                `mv /auto/pfStat/dbDir/$saveName.$periods->{$period} /auto/pfStat/dbDir/$saveName.$period.$hour`;
                last SWITCH;
            };
            /day/ && do {
                ($day)= (localtime())[3];
                `mkdir /auto/pfStat/dbDir/$day` if ! -e "/auto/pfStat/dbDir/$day";
                `mv /auto/pfStat/dbDir/$saveName.$periods->{$period} /auto/pfStat/dbDir/$day`;
                `mv /auto/pfStat/dbDir/$saveName.$periods->{$period}.* /auto/pfStat/dbDir/$day`;
                last SWITCH;
            };
            /month/ && do {
                ($month,$year)= (localtime())[4,5];
                $month+= 1; $year+= 1900;
                `mkdir /auto/pfStat/dbDir/$year-$month` if ! -e "/auto/pfStat/dbDir/$year-$month";
                `mv /auto/pfStat/dbDir/$saveName.$periods->{$period} /auto/pfStat/dbDir/$year-$month`
                    if -e "/auto/pfStat/dbDir/$saveName.$periods->{$period}";
                # Move the per-day directories of this month into the month directory.
                $files= `ls -m -p /auto/pfStat/dbDir`;
                # print $files;
                while ( $files =~ /(.*?),/og ) {
                    $file= $1;
                    ($dir)= $file =~ /^ ?(\d+)\/$/;
                    next if !$dir;
                    `mv /auto/pfStat/dbDir/$dir /auto/pfStat/dbDir/$year-$month` if -e "/auto/pfStat/dbDir/$dir";
                }
                last SWITCH;
            };
        }
        ($date)= `date` =~ /(.*?)\n/;
        `echo "$date> $sumPkts $sumBytes" >> /auto/pfStat/dbDir/$saveName.$period`;
    }
    `rm /auto/pfStat/dbDir/lock`;
    exit;
} else {
    $period= 'periodic';
}

# Periodic mode: read the filter rule counters and store the delta since the last run.
$saveTo= $saveToRule;
$pfstat= `pfctl -sr -v -v`;
$matchRule= '@(\d+).*?\n.*?Packets:.*?(\d+).*?Bytes:.*?(\d+).*?\n';
while ( $pfstat =~ /$matchRule/go ) {
    if( defined $saveTo->{$1} ) {
        $saveName= $saveTo->{$1};
        $pktsNew= $2; $bytesNew= $3;
        ($pkts, $bytes)= `cat /auto/pfStat/dbDir/$saveName` =~ /(\d+) (\d+)/;
        $pkts= 0 if !defined $pkts;      # first run: no saved counter yet
        $bytes= 0 if !defined $bytes;
        # print "pkts: $pktsNew - $pkts; bytes: $bytesNew - $bytes\n";
        # A smaller value means the counters were reset (ruleset reloaded),
        # so the new value is the whole delta.
        if( $pktsNew < $pkts ) { $pkts= $pktsNew; } else { $pkts= $pktsNew - $pkts; }
        if( $bytesNew < $bytes ) { $bytes= $bytesNew; } else { $bytes= $bytesNew - $bytes; }
        ($date)= `date` =~ /(.*?)\n/;
        `echo "$date> $pkts $bytes" >> /auto/pfStat/dbDir/$saveName.$period`;
        `echo -n "$pktsNew $bytesNew" > /auto/pfStat/dbDir/$saveName`;
    }
    # print "$1 $2 $3\n";
}

# Same for the nat rules.
$saveTo= $saveToNat;
$pfstat= `pfctl -sn -v -v`;
$matchRule= '@(\d+) nat.*?\n.*?Packets:.*?(\d+).*?Bytes:.*?(\d+).*?\n';
while ( $pfstat =~ /$matchRule/go ) {
    # print $1 ." ". $2 ." ". $3 ."\n";
    if( defined $saveTo->{$1} ) {
        $saveName= $saveTo->{$1};
        $pktsNew= $2; $bytesNew= $3;
        ($pkts, $bytes)= `cat /auto/pfStat/dbDir/$saveName` =~ /(\d+) (\d+)/;
        $pkts= 0 if !defined $pkts;
        $bytes= 0 if !defined $bytes;
        # print "pkts: $pktsNew - $pkts; bytes: $bytesNew - $bytes\n"; next;
        if( $pktsNew < $pkts ) { $pkts= $pktsNew; } else { $pkts= $pktsNew - $pkts; }
        if( $bytesNew < $bytes ) { $bytes= $bytesNew; } else { $bytes= $bytesNew - $bytes; }
        ($date)= `date` =~ /(.*?)\n/;
        `echo "$date> $pkts $bytes" >> /auto/pfStat/dbDir/$saveName.$period`;
        `echo -n "$pktsNew $bytesNew" > /auto/pfStat/dbDir/$saveName`;
    }
    # print "$1 $2 $3\n";
}
`rm /auto/pfStat/dbDir/lock`;
--------------------------------

PS. pf vs ipfw
ipfw -- better for gathering statistics, but elephantine with NATing
pf -- useless for gathering statistics, VERY good for redirect, nat etc.

KES
mailto:kes-kes@yandex.ru

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 7 19:35:23 2006
Message-ID: <20060907143415.scknj7rgo40k8k0w@mail.bafirst.com>
Date: Thu, 07 Sep 2006 14:34:15 -0500
From: eculp@bafirst.com
To: freebsd-pf@freebsd.org
References: <922498059.20060907160002@yandex.ru>
Subject: Re: pf fails to start

Quoting Scott Ullrich :

> On 9/7/06, KES wrote:
>> Hello
>>
>> pf fails to start if an interface doesn't exist or an IP address is not assigned
>>
>> I have troubles with tun0 (pppoe connection)
>>
>> Look at the next picture:
>>
>> 1) power fail,
>> 2) FreeBSD starting,
>> 3) do pppoe connection to provider
>> 3.a) pppoe fail (ISP has some problem)
>> 4) pf starts and fails =((
>> 5) FreeBSD falls into an infinite loop (I have waited 15 minutes and then pressed CTRL+C)
>>
>> Copy of console messages:
>> pflog promiscios
>> pf enabled
>> pflog: here some message (I don't remember)
>>
>> some experiments:
>>
>> kes# ps ax|grep ppp
>> 357 ?? Ss 0:18.88 /usr/sbin/ppp -ddial -unit1 adsl
>> 373 ?? Rs 46:53.56 /usr/sbin/ppp -dedicated -quiet -unit0 leased
>> 47226 p2 DL+ 0:00.00 grep ppp
>>
>> #KILL pppoe connection
>> kes# kill -9 373
>> kes# kill -9 373
>> 373: No such process
>>
>> #Reload pf.conf
>> kes# pfctl -f /etc/pf.conf
>> no IP address found for tun0
>> /etc/pf.conf:48: could not parse host specification
>> no IP address found for tun0
>> /etc/pf.conf:66: could not parse host specification
>> no IP address found for tun0
>> /etc/pf.conf:100: could not parse host specification
>> no IP address found for tun0
>> /etc/pf.conf:101: could not parse host specification
>> pfctl: Syntax error in config file: pf rules not loaded
>>
>> #start pppoe
>> kes# /usr/sbin/ppp -dedicated -quiet -unit0 leased
>> kes# pfctl -f /etc/pf.conf
>>
>> #no errors here.
>> kes#
>>
>> So I have no "Syntax error in config file"
>>
>> To the author of pf:
>> You must change the behavior of pf like ipfw does.
>> ipfw only gives warning messages in situations like this.
>
> Please share your entire pf rules file. There are ways to work around
> this. Most notably you can wrap tun0 around () and PF will silently
> ignore the item until the interface is actually up and running.

Would that be "(" tun0 ")" ? Or would a simple ( tun0 ) work?
Thanks,

ed

> Scott

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 7 22:06:51 2006
Date: Fri, 8 Sep 2006 01:06:48 +0300
From: "Ivan Levchenko"
To: "eculp@bafirst.com"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <20060907143415.scknj7rgo40k8k0w@mail.bafirst.com>
References: <922498059.20060907160002@yandex.ru> <20060907143415.scknj7rgo40k8k0w@mail.bafirst.com>
Subject: Re: pf fails to start

I was having the same problem so I tried this out and here is what I got:

snip from pf.conf

ext_if="tun0"

nat on ($ext_if) from to any -> ($ext_if) # this gives me an error

but the following:

nat on $ext_if from to any -> ($ext_if)

doesn't give me any errors.

I also added the braces in all of my rules and they all started to give me errors, for example:

pass out on ($ext_if) proto { tcp, udp } all keep state

The error I'm getting is:

/etc/pf.conf:48: syntax error # I get 9 of them

any clues anybody???

On 9/7/06, eculp@bafirst.com wrote:
> Quoting Scott Ullrich :
>
> > On 9/7/06, KES wrote:
> >> Hello
> >>
> >> pf fails to start if an interface doesn't exist or an IP address is not assigned
> >>
> >> I have troubles with tun0 (pppoe connection)
> >>
> >> [KES's full description and pfctl output, quoted in full in eculp's message above]
> >>
> >> To the author of pf:
> >> You must change the behavior of pf like ipfw does.
> >> ipfw only gives warning messages in situations like this.
> >
> > Please share your entire pf rules file. There are ways to work around
> > this. Most notably you can wrap tun0 around () and PF will silently
> > ignore the item until the interface is actually up and running.
>
> Would that be "(" tun0 ")" ? Or would a simple ( tun0 ) work?
>
> Thanks,
>
> ed
>
> > Scott

--
Best Regards,
Ivan Levchenko
levchenko.i@gmail.com

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 7 22:26:51 2006
Message-Id: <20060907222649.D8409B828@shodan.nognu.de>
Date: Fri, 8 Sep 2006 00:26:49 +0200
From: Frank Steinborn
To: Ivan Levchenko
Cc: freebsd-pf@freebsd.org
References: <922498059.20060907160002@yandex.ru> <20060907143415.scknj7rgo40k8k0w@mail.bafirst.com>
Subject: Re: pf fails to start

Ivan Levchenko wrote:
> i was having the same problem so i tried this out and here is what i got:
>
> snip from pf.conf
>
> ext_if="tun0"
>
> nat on ($ext_if) from to any -> ($ext_if) # this gives me an error

That has to go in { }, like everything you list in pf.
From owner-freebsd-pf@FreeBSD.ORG Thu Sep 7 22:37:33 2006
Date: Fri, 8 Sep 2006 01:37:31 +0300
From: "Ivan Levchenko"
To: "Ivan Levchenko" , "eculp@bafirst.com" , freebsd-pf@freebsd.org
In-Reply-To: <20060907222649.D8409B828@shodan.nognu.de>
References: <922498059.20060907160002@yandex.ru> <20060907143415.scknj7rgo40k8k0w@mail.bafirst.com> <20060907222649.D8409B828@shodan.nognu.de>
Subject: Re: pf fails to start

ok, now it doesn't give me a syntax error. but it still gives errors:

no IP address found for tun0
/etc/pf.conf:35: could not parse host specification
no IP address found for tun0
/etc/pf.conf:47: could not parse host specification
no IP address found for tun0
/etc/pf.conf:60: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded

when I try to start up pf when the internet connection is down.. is there a way to get pf up without an IP address assigned to an interface?

On 9/8/06, Frank Steinborn wrote:
> Ivan Levchenko wrote:
> > i was having the same problem so i tried this out and here is what i got:
> >
> > snip from pf.conf
> >
> > ext_if="tun0"
> >
> > nat on ($ext_if) from to any -> ($ext_if) # this gives me an error
>
> That has to go in { }, like everything you list in pf.
>

--
Best Regards,
Ivan Levchenko
levchenko.i@gmail.com

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 8 06:43:13 2006
Message-ID: <64de5c8b0609072343h19cc40aaked48adb4d9a0b48e@mail.gmail.com>
Date: Fri, 8 Sep 2006 12:13:12 +0530
From: "Rajkumar S"
To: freebsd-pf@freebsd.org
In-Reply-To: <200609072125.25957.max@love2party.net>
References: <19710703252.20060907212112@yandex.ru> <200609072125.25957.max@love2party.net>
Subject: Re: NEW IDEAS

On 9/8/06, Max Laier wrote:
> On Thursday 07 September 2006 20:21, KES wrote:
> > Archie Cobbs wrote:
> > >>KES wrote:
> > >> How about 'ALTQ' node? or may be 'queue' node
> > >> for packets scheduling
>
> The problem is, how do you classify your traffic for queueing? i.e. where
> and how do you decide whether to put a given packet into queue A or B?

Is it possible to have a netgraph hook for pf also? Something like

queue in on dc0 from 192.168.0.0/24 to 192.168.0.1

where the packet will be passed to a netgraph node with full state information about the TCP stream. If the packet is dropped in netgraph then it's as good as a block, otherwise it's a pass.

The idea is to have some sort of userspace processing for things like blocking p2p. I can already take packets from ethernet interfaces, but getting packets from pf has some advantages like:

Ability to select which packets I want to pass to userspace
Take advantage of tcp reassembly and state tracking of pf.

The state tracking is important because that can help in identifying patterns that span multiple packets in userspace easily. The pf netgraph node can set tags as well as assign the packet to a particular queue, for example slow down kazaa.

I am not sure how much of this is feasible or even desirable, but just thinking out loud.
raj

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 8 13:16:47 2006
Message-ID: <55e8a96c0609080616r61f28321y59a41ad207ee4d4c@mail.gmail.com>
Date: Fri, 8 Sep 2006 08:16:45 -0500
From: "Bill Marquette"
To: "Rajkumar S"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <64de5c8b0609072343h19cc40aaked48adb4d9a0b48e@mail.gmail.com>
References: <19710703252.20060907212112@yandex.ru> <200609072125.25957.max@love2party.net> <64de5c8b0609072343h19cc40aaked48adb4d9a0b48e@mail.gmail.com>
Subject: Re: NEW IDEAS

On 9/8/06, Rajkumar S wrote:
> On 9/8/06, Max Laier wrote:
> > On Thursday 07 September 2006 20:21, KES wrote:
> > > Archie Cobbs wrote:
> > > >>KES wrote:
> > > >> How about 'ALTQ' node? or may be 'queue' node
> > > >> for packets scheduling
> >
> > The problem is, how do you classify your traffic for queueing? i.e. where
> > and how do you decide whether to put a given packet into queue A or B?
>
> Is it possible to have a netgraph hook for pf also? Some thing like
>
> queue in on dc0 from 192.168.0.0/24 to 192.168.0.1
>
> Where the packet will be passed to a netgraph node with full state
> information about the TCP stream. If the packet is dropped in netgraph
> then it's as good as a block, other wise it's a pass.

You can just delete the state using a pf ioctl - although that interface needs to be slightly modified so you can delete an individual state.

> The idea is to have some sort of userspace processing for things like
> blocking p2p. I can already take packets from ethernet interfaces, but
> getting packets from pf has some advantages like:
>
> Ability to select which packets I want to pass to userspace
> Take advantage of tcp reassembly and state tracking of pf.
>
> The state tracking is important because that can help in identifying
> patterns that span multiple packets in userspace easily. The pf
> netgraph node can set tags as well as assign the packet to a
> particular queue, for example slow down kazaa.
>
> I am not sure how much of this is feasible or even desirable, but just
> thinking out loud.

I've had other things to work on, so this has kind of stagnated (especially seeing as there's no userland tool to make use of it yet), but take a look at:

http://www.pfsense.org/~billm/patches/billm-expose-queues.patch

which in combination with the ability to update a given state would allow you to reclassify state entries. The idea behind it is to track the queue assigned in the state entry instead of the rule that created that state entry (it includes a pfctl hack - and I do mean hack - to display the queue number assigned to the state). There are some obvious flaws in it...but they more or less exist in pf today (queue 1 is no longer a high priority queue after rule reload, but a low priority queue...guess what happens to your flow - assuming of course I actually understand the packet flow through altq enough).
--Bill

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 8 14:56:39 2006
Date: Fri, 8 Sep 2006 17:56:37 +0300
From: "Mircea Popescu"
To: freebsd-pf@freebsd.org
Subject: Transparent firewall (pf vs ipfw)

Hi!

I have a FreeBSD 6.0 box with a functioning bridge (bridge0 = fxp0 + rl0).

My problem is that if I try to cut access to any port on the bridge0 interface using PF, nothing happens.

For example I've tried to cut access to the ssh service from a certain IP ... putty still managed to get through.

The rule was:
block on bridge0 proto { tcp udp } from yy.yy.yy.yy to xx.xx.xx.xx port pppppp

BUT, with the following rule:
block on rl0 proto { tcp udp } from yy.yy.yy.yy to xx.xx.xx.xx. port pppppp

Putty couldn't obtain a connection.

Considering the fact that in linux, which I gave up using, making a bridge would disable the interfaces within, I WOULD LIKE TO HAVE SOME QUESTIONS ANSWERED:

1. Once the bridge0 interface is created, could the fxp0 and rl0 interfaces still get their own IP addresses? (in linux this would be impossible)

2. Which firewall is more desirable to use with a bridge?
PF or IPFW)

Thx a lot

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 8 17:00:09 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Fri, 8 Sep 2006 18:59:59 +0200
Message-Id: <200609081900.04884.max@love2party.net>
Subject: Re: Transparent firewall (pf vs ipfw)

On Friday 08 September 2006 16:56, Mircea Popescu wrote:
> I have a FreeBSD 6.0 box with a functioning bridge (bridge0 = fxp0 +
> rl0)
>
> My problem is that if I try to cut access to any port on bridge0
> interface using PF, nothing happens.
>
> For example I've tried to cut access to ssh service from a certain ip
> ... putty still managed to get through.
>
> The rule was:
> block on bridge0 proto { tcp udp } from yy.yy.yy.yy to xx.xx.xx.xx port
> pppppp
>
> BUT, with the following rule:
> block on rl0 proto { tcp udp } from yy.yy.yy.yy to xx.xx.xx.xx. port
> pppppp
>
> Putty couldn't obtain a connection.

I suggest that you read the if_bridge(4) manual page, which talks extensively about packet filtering options.
> Considering the fact that in linux, which I gave up using, making a
> bridge would disable the interfaces within, I WOULD LIKE TO HAVE SOME
> QUESTIONS ANSWERED:
>
> 1. Once the bridge0 interface is created, the fxp0 and rl0 interfaces
> could still get their own ip addresses? (in linux this would be
> impossible)

You can either assign an IP to the interface or to the bridge itself,
iirc.

> 2. Which firewall is it more desirable to use with a bridge? PF or
> IPFW)

The one you understand best and like the most.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sat Sep 9 00:51:11 2006
Date: Sat, 9 Sep 2006 00:51:10 GMT
From: Max Laier
Message-Id: <200609090051.k890pAWa025190@freefall.freebsd.org>
To: steinex@nognu.de, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box

Synopsis: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box

State-Changed-From-To: patched->closed
State-Changed-By: mlaier
State-Changed-When: Sat Sep 9 00:50:45 UTC 2006
State-Changed-Why:
Committed, thanks.

http://www.freebsd.org/cgi/query-pr.cgi?pr=102647

From owner-freebsd-pf@FreeBSD.ORG Sat Sep 9 09:34:27 2006
Message-ID: <62217.213.197.161.67.1157796343.squirrel@mail.topocentras.lt>
Date: Sat, 9 Sep 2006 13:05:43 +0300 (EEST)
From: "Albertas Guscius"
To: freebsd-pf@freebsd.org
User-Agent: SquirrelMail/1.4.5
Subject: Bug or other packet processing or misconfiguration error in FreeBSD.

Bug or other packet processing or misconfiguration error in FreeBSD.

Hello folks,

I'm trying the same pf configuration on FreeBSD and OpenBSD, but results are different. The problem is that all outgoing traffic goes to default queue ignoring quick pass rules. I can't shape outgoing traffic on FreeBSD due to unknown problem. It looks like problem is because of after NAT rules are not processed. With OpenBSD everything works fine. I tested it on FreeBSD_6_1, 5_5 and OpenBSD_3_9.

Does anyone have any advice?

Sincerely Yours,
Albertas

pf.conf:

ext_if="rl0"
int_if="rl1"
internal_net="10.0.10.0/24"

external_addr="192.168.0.22"
internal_addr="10.0.10.1"

altq on $ext_if hfsc bandwidth 10Mb queue { ip_out, local_out }
queue ip_out bandwidth 1Mb hfsc (upperlimit 6Mb)
queue local_out bandwidth 1Mb hfsc (default upperlimit 6Mb)

altq on $int_if hfsc bandwidth 10Mb queue { ip_in, local_in }
queue ip_in bandwidth 1Mb hfsc (upperlimit 6Mb)
queue local_in bandwidth 1Mb hfsc (default upperlimit 6Mb)

nat on $ext_if from $internal_net to any -> $external_addr

pass out quick on $ext_if from any to any queue ip_out
pass out quick on $int_if from any to any queue ip_in

pass in all
pass out all

#in FreeBSD6.1 all traffic goes through local_out, in OpenBSD3.9 all traffic goes through ip_out.
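The quickest way to confirm a "everything lands in the default queue" symptom like the one above is to read the per-queue packet counters from "pfctl -vsq" after generating some traffic and compare, per interface, the default leaf against the other leaves. The parser below is an added example, not code from the poster or from the pf project; its sample input is constructed to mirror the rl0 queues in the pf.conf above, and the layout of the queue and counter lines it matches is assumed from pfctl's ALTQ statistics output.

```python
import re
from typing import Dict, List

# Constructed sample of "pfctl -vsq" output for the rl0 queues of the posted
# pf.conf.  This is NOT output from the poster's box; the layout of the queue
# and counter lines is assumed to follow pfctl's ALTQ statistics format.
SAMPLE_PFCTL_VSQ = """\
queue root_rl0 on rl0 bandwidth 10Mb priority 0 {ip_out, local_out}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  ip_out on rl0 bandwidth 1Mb hfsc( upperlimit 6Mb )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  local_out on rl0 bandwidth 1Mb hfsc( default upperlimit 6Mb )
  [ pkts:       4821  bytes:    3917340  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
"""

QUEUE_RE = re.compile(r"^queue\s+(\S+)\s+on\s+(\S+)\s*(.*)$")
STATS_RE = re.compile(
    r"pkts:\s*(\d+)\s+bytes:\s*(\d+)\s+dropped pkts:\s*(\d+)\s+bytes:\s*(\d+)")


def parse_queues(text: str) -> List[dict]:
    """Parse each queue definition and the counter line that follows it."""
    queues: List[dict] = []
    for line in text.splitlines():
        m = QUEUE_RE.match(line)
        if m:
            name, iface, opts = m.groups()
            queues.append({
                "name": name,
                "iface": iface,
                # the root queue is the one that lists its children in braces
                "root": "{" in opts,
                # a leaf is the default queue when its scheduler options say so
                "default": re.search(r"\bdefault\b", opts) is not None,
                "pkts": 0,
                "bytes": 0,
                "dropped": 0,
            })
            continue
        s = STATS_RE.search(line)
        if s and queues:
            q = queues[-1]  # counters belong to the most recent queue line
            q["pkts"], q["bytes"], q["dropped"] = (
                int(s.group(1)), int(s.group(2)), int(s.group(3)))
    return queues


def default_only_interfaces(queues: List[dict]) -> Dict[str, dict]:
    """Report interfaces whose default queue carried every packet while the
    other leaf queues stayed empty, i.e. the "queue" keyword on the pass
    rules never took effect for traffic leaving that interface."""
    leaves: Dict[str, List[dict]] = {}
    for q in queues:
        if not q["root"]:
            leaves.setdefault(q["iface"], []).append(q)

    findings: Dict[str, dict] = {}
    for iface, qs in leaves.items():
        default = [q for q in qs if q["default"]]
        others = [q for q in qs if not q["default"]]
        default_pkts = sum(q["pkts"] for q in default)
        other_pkts = sum(q["pkts"] for q in others)
        if others and default_pkts > 0 and other_pkts == 0:
            findings[iface] = {
                "default_queue": ", ".join(q["name"] for q in default),
                "default_pkts": default_pkts,
                "idle_queues": [q["name"] for q in others],
            }
    return findings


if __name__ == "__main__":
    # Run against real output with: pfctl -vsq | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PFCTL_VSQ
    for iface, f in default_only_interfaces(parse_queues(text)).items():
        print(f"{iface}: all {f['default_pkts']} packets went to default queue "
              f"{f['default_queue']}; {f['idle_queues']} never saw a packet")
```

A zero counter on the queue a "pass out quick ... queue" rule names, alongside a growing default-queue counter, points at the rule never assigning the queue rather than at the scheduler itself.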
From owner-freebsd-pf@FreeBSD.ORG Sat Sep 9 11:00:14 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Sat, 9 Sep 2006 12:59:52 +0200
In-Reply-To: <62217.213.197.161.67.1157796343.squirrel@mail.topocentras.lt>
Message-Id: <200609091300.07082.max@love2party.net>
Subject: Re: Bug or other packet processing or misconfiguration error in FreeBSD.

On Saturday 09 September 2006 12:05, Albertas Guscius wrote:
> Bug or other packet processing or misconfiguration error in FreeBSD.
>
> Hello folks,
>
> I'm trying the same pf configuration on FreeBSD and OpenBSD, but
> results are different. The problem is that all outgoing traffic goes to
> default queue ignoring quick pass rules. I can't shape outgoing traffic
> on FreeBSD due to unknown problem. It looks like problem is because of
> after NAT rules are not processed. With OpenBSD everything works fine.
> I tested it on FreeBSD_6_1, 5_5 and OpenBSD_3_9.
> Does anyone have any advice?
>
> Sincerely Yours,
> Albertas
>
>
> pf.conf:
>
> ext_if="rl0"
> int_if="rl1"
> internal_net="10.0.10.0/24"
>
> external_addr="192.168.0.22"
> internal_addr="10.0.10.1"
>
> altq on $ext_if hfsc bandwidth 10Mb queue { ip_out, local_out }
> queue ip_out bandwidth 1Mb hfsc (upperlimit 6Mb)
> queue local_out bandwidth 1Mb hfsc (default upperlimit 6Mb)
>
> altq on $int_if hfsc bandwidth 10Mb queue { ip_in, local_in }
> queue ip_in bandwidth 1Mb hfsc (upperlimit 6Mb)
> queue local_in bandwidth 1Mb hfsc (default upperlimit 6Mb)
>
> nat on $ext_if from $internal_net to any -> $external_addr
>
> pass out quick on $ext_if from any to any queue ip_out
> pass out quick on $int_if from any to any queue ip_in
>
> pass in all
> pass out all
>
> #in FreeBSD6.1 all traffic goes through local_out, in OpenBSD3.9 all
> traffic goes through ip_out.

Can you provide "pfctl -vvsr" and "pfctl -vsq" after some traffic has been
generated? Can you also share details about your setup? Most
interestingly: Does the traffic destined to $ext_if pass through userland
ppp, or the like, before hitting rl0?
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sat Sep 9 14:27:28 2006
Date: Sat, 9 Sep 2006 17:27:26 +0300
From: "Ivan Levchenko"
To: freebsd-pf@freebsd.org
Subject: Hierarchical Packet Scheduler (HFSC)

Hello Everybody,

Could anybody help with how to use this scheduler and what is it used for anyway? I looked in the openbsd pf faq on this and could only find Class Based Queueing and Priority Queueing.

Thanks in advance.

-- 
Best Regards,
Ivan Levchenko
levchenko.i@gmail.com

From owner-freebsd-pf@FreeBSD.ORG Sat Sep 9 17:10:49 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Sat, 9 Sep 2006 19:10:40 +0200
Message-Id: <200609091910.46785.max@love2party.net>
Subject: Re: Hierarchical Packet Scheduler (HFSC)

On Saturday 09 September 2006 16:27, Ivan Levchenko wrote:
> Could anybody help with how to use this scheduler and what is it used
> for anyway?

Why would you need something about which you don't even know what it does?
On top of that 5 seconds quality time spent with Google would have turned
up http://www.cs.cmu.edu/~hzhang/HFSC/main.html with all the gory details
about HFSC.

> I looked in the openbsd pf faq on this and could only find Class Based
> Queueing and Priority Queueing.
>
> Thanks in advance.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sat Sep 9 17:53:51 2006
Date: Sat, 9 Sep 2006 20:53:49 +0300
From: "Ivan Levchenko"
To: "Max Laier", freebsd-pf@freebsd.org
In-Reply-To: <200609091910.46785.max@love2party.net>
Subject: Re: Hierarchical Packet Scheduler (HFSC)

that i found, but to be honest didn't quite understand.. =)
maybe somebody could explain it in two words...

On 9/9/06, Max Laier wrote:
> On Saturday 09 September 2006 16:27, Ivan Levchenko wrote:
> > Could anybody help with how to use this scheduler and what is it used
> > for anyway?
>
> Why would you need something about which you don't even know what it does?
> On top of that 5 seconds quality time spent with Google would have turned
> up http://www.cs.cmu.edu/~hzhang/HFSC/main.html with all the gory details
> about HFSC.
>
> > I looked in the openbsd pf faq on this and could only find Class Based
> > Queueing and Priority Queueing.
> >
> > Thanks in advance.
>
> --
> /"\  Best regards,                      | mlaier@freebsd.org
> \ /  Max Laier                          | ICQ #67774661
>  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
> / \  ASCII Ribbon Campaign              | Against HTML Mail and News
>
>

-- 
Best Regards,
Ivan Levchenko
levchenko.i@gmail.com

From owner-freebsd-pf@FreeBSD.ORG Sat Sep 9 19:52:10 2006
Date: Sat, 9 Sep 2006 15:52:03 -0400
From: "Scott Ullrich"
To: "Ivan Levchenko"
Cc: freebsd-pf@freebsd.org
In-Reply-To / References: <200609091910.46785.max@love2party.net>
Subject: Re: Hierarchical Packet Scheduler (HFSC)

On 9/9/06, Ivan Levchenko wrote:
> that i found, but to be honest didn't quite understand.. =)
> maybe somebody could explain it in two words...

HFSC is a fun animal to learn. We've tried to gather some data, check out
http://wiki.pfsense.com/wikka.php?wakka=ReadingRoom and
http://wiki.pfsense.com/wikka.php?wakka=HFSCBandwidthShapingNotes ..
Unfortunately the more that I learn about HFSC it seems like the more I
really don't know what I am doing.

Scott

From owner-freebsd-pf@FreeBSD.ORG Sat Sep 9 20:19:16 2006
From: "Greg Hennessy"
Date: Sat, 9 Sep 2006 21:17:19 +0100
Message-ID: <000001c6d44c$f4244ae0$0201a8c0@vaio>
Subject: RE: Hierarchical Packet Scheduler (HFSC)

> HFSC is a fun animal to learn. We've tried to gather some
> data, check out
> http://wiki.pfsense.com/wikka.php?wakka=ReadingRoom and
> http://wiki.pfsense.com/wikka.php?wakka=HFSCBandwidthShapingNotes ..
> Unfortunately the more that I learn about HFSC it seems like
> the more I really don't know what I am doing.
>

I would wholeheartedly concur, trying to make sense of the HFSC minutiae
is 'here be dragons' in triplicate.
Greg

From owner-freebsd-pf@FreeBSD.ORG Sat Sep 9 20:24:39 2006
Date: Sat, 9 Sep 2006 23:24:37 +0300
From: "Ivan Levchenko"
To: "Scott Ullrich", freebsd-pf@freebsd.org
References: <200609091910.46785.max@love2party.net>
Subject: Re: Hierarchical Packet Scheduler (HFSC)

now this helps out a bit, thanks!

On 9/9/06, Scott Ullrich wrote:
> On 9/9/06, Ivan Levchenko wrote:
> > that i found, but to be honest didn't quite understand.. =)
> > maybe somebody could explain it in two words...
>
> HFSC is a fun animal to learn. We've tried to gather some data, check
> out http://wiki.pfsense.com/wikka.php?wakka=ReadingRoom and
> http://wiki.pfsense.com/wikka.php?wakka=HFSCBandwidthShapingNotes ..
> Unfortunately the more that I learn about HFSC it seems like the more
> I really don't know what I am doing.
>
> Scott
>

-- 
Best Regards,
Ivan Levchenko
levchenko.i@gmail.com

From owner-freebsd-pf@FreeBSD.ORG Sat Sep 9 20:30:33 2006
Date: Sat, 9 Sep 2006 16:30:30 -0400
From: "Scott Ullrich"
To: "Ivan Levchenko"
Cc: freebsd-pf@freebsd.org
References: <200609091910.46785.max@love2party.net>
Subject: Re: Hierarchical Packet Scheduler (HFSC)

On 9/9/06, Ivan Levchenko wrote:
> now this helps out a bit, thanks!

No problem. If you find something that is in error or if you learn any
new tricks, please add them to the wiki :)

Scott