From owner-freebsd-pf@FreeBSD.ORG Mon Dec 11 08:09:23 2006
From: "Fire walls"
To: freebsd-pf@freebsd.org
Date: Mon, 11 Dec 2006 00:09:22 -0800
Subject: Problems with pftpx rules.

Hi people.

I have been working with the pftpx port, because it is supposed to have better features than ftp-proxy, but maybe I still don't understand how to set up my rules. I read the manual page and set up my rules this way:

ext_if="tun0"
int_if="fxp0"
local_net="192.168.10.0/24"
tcpflags="flags S/SA"

scrub in all

nat on $ext_if from $local_net to any -> ($ext_if)
nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"
rdr pass on $int_if proto tcp from $local_net to any port 21 -> 127.0.0.1 port 8021

#####################################################################
# Filtering                                                         #
#####################################################################

# Local LAN
anchor "pftpx/*"
pass in quick on $int_if inet proto tcp from any to any port 21 flags S/SA keep state
pass in quick on $int_if inet proto tcp from any to any port 20 flags S/SA keep state
pass in quick on $int_if all
pass out quick on $int_if inet proto tcp from any to any port = 21 flags S/SA keep state
pass out quick on $int_if inet proto tcp from any to any port = 20 flags S/SA keep state
pass out quick on $int_if all

# Loopback #
pass in quick on lo0 all
pass out quick on lo0 all

#####################################################################
# tun Interface                                                     #
# Inbound                                                           #
#####################################################################
#anchor "ftp-proxy/*"
block in all
block out all

pass in quick on $ext_if inet proto udp from X.Y.Z.A to any port = 68 keep state
pass in quick on $ext_if inet proto udp from X.Y.Z.B to any port = 68 keep state
pass in quick on $ext_if inet proto udp from X.Y.Z.C to any port = 68 keep state
pass in quick on $ext_if inet proto udp from X.Y.Z.D to any port = 68 keep state
pass in log quick on $ext_if inet proto tcp from any to $ext_if port 22 flags S/SA keep state
# keep state
block drop in log-all quick on $ext_if from any to any

#####################################################################
# tun Interface                                                     #
# Outbound                                                          #
#####################################################################
pass out quick on $ext_if inet proto tcp from any to any port = 53 $tcpflags keep state
pass out quick on $ext_if inet proto udp from any to any port = 53 keep state
pass out quick on $ext_if inet proto udp from any to any port = 67 keep state
pass out quick on $ext_if inet proto tcp from any to any port = 80 $tcpflags keep state
pass out quick on $ext_if inet proto tcp from any to any port = 443 $tcpflags keep state
pass out quick on $ext_if inet proto tcp from any to any port = 25 $tcpflags keep state
pass out quick on $ext_if inet proto tcp from any to any port = 110 $tcpflags keep state
pass out quick on $ext_if inet proto tcp from any to any port = 37 $tcpflags keep state
pass out log-all quick on $ext_if inet proto tcp from any to any port = 21 $tcpflags keep state
pass out log-all quick on $ext_if inet proto tcp from any to any port = 20 $tcpflags keep state
pass out quick on $ext_if inet proto tcp from any to any port = 22 $tcpflags keep state
pass out quick on $ext_if inet proto tcp from any to any port = 23 $tcpflags keep state
pass out quick on $ext_if inet proto tcp from any to any port = 5999 $tcpflags keep state
pass out quick on $ext_if inet proto tcp from any to any port = 43 $tcpflags keep state
pass out quick on $ext_if inet proto udp from any to any port = 123 keep state
pass out quick on $ext_if inet proto icmp all keep state
block out log-all quick on $ext_if all
#################################################################

My clients behind my firewall sometimes can connect to Internet FTP servers, sometimes can't; others can connect but cannot display any folder; others say "No route to host". I have been playing with pftpx: if I don't use the rules on my $int_if that pass FTP and just put

pass in quick on $int_if all

they sometimes cannot reach any FTP server; other times they connect, but when I execute the command ls, the server waits and gives me back "421 service not available", or "no route to host".

Maybe my rules are wrong; does someone see where my mistake is? How can I fix this problem? Any advice will be appreciated; thanks all for your time.

FreeBSD 6.1-p11. pftpx from ports.

-- 
:-)

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 11 11:14:48 2006
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 11 Dec 2006 11:08:42 GMT
Message-Id: <200612111108.kBBB8gxY022941@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/82271   pf     [pf] cbq scheduler cause bad latency
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o sparc/93530  pf     Incorrect checksums when using pf's route-to on sparc6

3 problems total.

Non-critical problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
f conf/81042   pf     [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o kern/93825   pf     [pf] pf reply-to doesn't work
o kern/103304  pf     pf accepts nonexistent queue in rules
o kern/106400  pf     fatal trap 12 at restart of PF with ALTQ if ng0 device

4 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Dec 11 15:56:03 2006
From: Marko Lerota
Organization: *BSD Users - Fanatics Dept.
To: freebsd-pf@freebsd.org
Date: Mon, 11 Dec 2006 16:54:05 +0100
Message-ID: <868xhebf8i.fsf@sparrow.local>
Subject: Borrowing and priority not working

I have a setup like this:

altq on $int_if cbq bandwidth 1024Kb queue { def, developers, marketing }
queue def bandwidth 100Kb cbq(default)
queue developers bandwidth 850Kb priority 6
queue marketing bandwidth 50Kb priority 1 cbq(borrow)

If only marketing is using all the available bandwidth it's OK, but when developers want to use some, priority and borrowing don't work. The bandwidth is split in two:

developers 500Kb
marketing  500Kb

Why didn't marketing slow down to 50Kb? I want all of them to have all the bandwidth, but when the link is 100% used I want marketing to have only 50Kb reserved. Is it possible to do so?

-- 
One cannot sell the earth upon which the people walk
Tacunka Witco

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 12 20:17:33 2006
Date: Tue, 12 Dec 2006 14:02:20 -0600
From: "Travis H."
To: freebsd-pf@freebsd.org
Message-ID: <20061212200220.GD18938@subspacefield.org>
References: <200612060916.53866.rmiranda@digitalrelay.ca> <200612060937.49554.rmiranda@digitalrelay.ca> <20061206154206.GB95890@harmless.hu> <200612060945.30335.rmiranda@digitalrelay.ca>
In-Reply-To: <200612060945.30335.rmiranda@digitalrelay.ca>
Subject: Re: PF rdr from one port to another

On Wed, Dec 06, 2006 at 09:45:29AM -0600, Roger Miranda (Digital Relay) wrote:
> [tons of nested quotations]

Ye Gods, do either of you know how to delete lines of text?
-- 
"Cryptography is nothing more than a mathematical framework for discussing
various paranoid delusions." -- Don Alvarez -><-

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 12 20:28:33 2006
Date: Tue, 12 Dec 2006 20:20:07 GMT
Message-Id: <200612122020.kBCKK7xQ014623@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: "Jon Simola"
Reply-To: Jon Simola
Subject: Re: kern/103304: pf accepts nonexistent queue in rules

The following reply was made to PR kern/103304; it has been noted by GNATS.

From: "Jon Simola"
To: bug-followup@freebsd.org
Subject: Re: kern/103304: pf accepts nonexistent queue in rules
Date: Tue, 12 Dec 2006 11:55:03 -0800

This is by design. Queueing, Translation, and Packet Filtering are separate functions in PF, and they can be manipulated independently of each other. Flushing the queueing configuration should not leave the filtering rules in an undetermined state, nor should filtering rules that reference a queue that may not have been created yet.

If you are experiencing problems with queueing, it is certainly advantageous to be able to disable it entirely by "pfctl -F queue" rather than having to rewrite the entire ruleset and remove all references to queues.

PF also allows rules to specify non-existent interfaces, so that hotplugging does not require reloading the ruleset.

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 13 03:37:57 2006
Date: Tue, 12 Dec 2006 21:38:59 -0600
From: "Travis H."
To: freebsd-pf@freebsd.org
Message-ID: <20061213033859.GA5482@subspacefield.org>
Subject: Re: Help with issue

On Fri, Dec 08, 2006 at 08:39:29AM -0600, Isaac Grover wrote:
> ext_if="xl2"
> ext_net=$ext_if:network
> wireless_if="xl1"
> wireless_if_addr="192.168.100.1"
> wireless_net=$wireless_if:network
> my_laptop="192.168.100.X"

Is that censored or really an X?

> table { $wireless_net, !$my_laptop }

No point in excluding your laptop because all your rules are permits.

> nat on $ext_if from to any port $tcp_services -> ($ext_if)
> nat on $ext_if from $my_laptop to any -> ($ext_if)
>
> rdr on $wireless_if inet proto tcp from $wireless_net to any port 80
> -> $wireless_if_addr port 3080

Try putting the "pass" keyword on these, it fixes things if you forget the nat/rdr occurs before the filter rules.

> pass out on $ext_if inet proto tcp from $wireless_net to any port 3080
> keep state
> pass out on $ext_if inet proto tcp from to any port
> $tcp_services keep state
> pass out on $ext_if inet proto tcp from $my_laptop to any keep state
> pass out on $ext_if inet proto udp from $wireless_net to any port
> $udp_services keep state
> pass inet proto icmp from any to any

Feed your rules into pf and see what pfctl -s all says they expand to. Redirect it to a file or use "screen" then "screen -r".
-- 
"Cryptography is nothing more than a mathematical framework for discussing
various paranoid delusions." -- Don Alvarez -><-

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 13 10:54:29 2006
Message-ID: <82832a960612130254p5c956fddp92e12e0ad9aac554@mail.gmail.com>
Date: Wed, 13 Dec 2006 10:54:25 +0000
From: "tim m"
To: freebsd-pf@freebsd.org
Subject: adding greylisting to spamd.conf

I have been using OpenBSD's spamd for a few weeks now. It has irritated many spammers but sadly the amount of spam coming in really has not decreased very much. I would like to get the greylisting up and running. For this I've done already:

loaded the fdescfs module

Id Refs Address    Size     Name
 1    6 0xc0400000 6cdcb4   kernel
 2    1 0xc1b53000 16000    linux.ko
 3    1 0xc286f000 3000     fdescfs.ko

And I added

fdescfs /dev/fd fdescfs rw 0 0

to the fstab.

However, in the spamd.conf do I need to put something in there for the greylisting? I'm using spews 1 and 2, beck's list, china and korea.

I hope with the greylisting the spam will come down.

ta, t.
From owner-freebsd-pf@FreeBSD.ORG Wed Dec 13 15:05:42 2006
From: "Jeremy C. Reed"
To: tim m
Cc: freebsd-pf@freebsd.org
Date: Wed, 13 Dec 2006 09:04:59 -0600 (CST)
In-Reply-To: <82832a960612130254p5c956fddp92e12e0ad9aac554@mail.gmail.com>
References: <82832a960612130254p5c956fddp92e12e0ad9aac554@mail.gmail.com>
Subject: Re: adding greylisting to spamd.conf

> However, in the spamd.conf do I need to put something in there for the
> greylisting? I'm using spews
> 1 and 2, beck's list, china and korea.
>
> I hope with the greylisting the spam will come down.

Use the -g command line option for spamd.

(If you want more details, let me know and I will send you a PDF of a spamd chapter.)

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 13 18:31:04 2006
Message-ID: <82832a960612131020n22fde88ekd2e5cc4d7c237f13@mail.gmail.com>
Date: Wed, 13 Dec 2006 18:20:41 +0000
From: "tim m"
To: "Jeremy C. Reed"
Cc: freebsd-pf@freebsd.org
References: <82832a960612130254p5c956fddp92e12e0ad9aac554@mail.gmail.com>
Subject: Re: adding greylisting to spamd.conf

aaah, thanks jeremy. I would like that .. let's see if I can learn more. I really need to.

I have the following option in /etc/rc.conf:

pfspamd_flags="-v -g"

/var/db/spamd is still empty; I don't know how much time it should take for it to start working (it's only been a few hours).

t.

2006/12/13, Jeremy C. Reed:
>
> > However, in the spamd.conf do I need to put something in there for the
> > greylisting? I'm using spews
> > 1 and 2, beck's list, china and korea.
> >
> > I hope with the greylisting the spam will come down.
>
> Use the -g command line option for spamd.
>
> (If you want more details, let me know and I will send you a PDF of a
> spamd chapter.)
From owner-freebsd-pf@FreeBSD.ORG Thu Dec 14 21:03:23 2006
From: peter@bsdly.net (Peter N. M. Hansteen)
To: freebsd-pf@freebsd.org
Date: Thu, 14 Dec 2006 22:03:17 +0100
Message-ID: <87fybiqjfu.fsf@thingy.datadok.no>
In-Reply-To: <82832a960612130254p5c956fddp92e12e0ad9aac554@mail.gmail.com> (tim m.'s message of "Wed, 13 Dec 2006 10:54:25 +0000")
References: <82832a960612130254p5c956fddp92e12e0ad9aac554@mail.gmail.com>
Subject: Re: adding greylisting to spamd.conf

"tim m" writes:

> I would like to get the greylisting up and running.

You need to ensure that spamlogd is running. See if http://home.nuug.no/~peter/pf/en/spamd.html and so on isn't useful.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 16 11:39:53 2006
Date: Sat, 16 Dec 2006 11:39:52 GMT
From: Mark Linimon
Message-Id: <200612161139.kBGBdqGE099350@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/106805: [pf] [pathch] RELENG_6 hard lockup when debug.mpsafenet=1

Synopsis: [pf] [pathch] RELENG_6 hard lockup when debug.mpsafenet=1

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Sat Dec 16 11:39:46 UTC 2006
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=106805

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 16 13:35:48 2006
Date: Sat, 16 Dec 2006 13:35:46 GMT
From: Max Laier Message-Id: <200612161335.kBGDZkMj012022@freefall.freebsd.org> To: avatar@mmlab.cse.yzu.edu.tw, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org Cc: Subject: Re: kern/106805: [pf] [pathch] RELENG_6 hard lockup when debug.mpsafenet=1 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Dec 2006 13:35:48 -0000 Synopsis: [pf] [pathch] RELENG_6 hard lockup when debug.mpsafenet=1 State-Changed-From-To: open->closed State-Changed-By: mlaier State-Changed-When: Sat Dec 16 13:33:14 UTC 2006 State-Changed-Why: The patch is completely bogus. The source of the lock is the LOR you can see in the posted dmesg. This is likely caused by a user/group rule, which are *documented* to cause problems with debug.mpsafenet=1 i.e. RTFM, please! http://www.freebsd.org/cgi/query-pr.cgi?pr=106805 From owner-freebsd-pf@FreeBSD.ORG Sat Dec 16 13:54:33 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 848FD16A403 for ; Sat, 16 Dec 2006 13:54:33 +0000 (UTC) (envelope-from m.broeders@hublabs.nl) Received: from services.hub.nl (services.hub.nl [217.194.110.131]) by mx1.FreeBSD.org (Postfix) with ESMTP id C826643CA3 for ; Sat, 16 Dec 2006 13:54:32 +0000 (GMT) (envelope-from m.broeders@hublabs.nl) Received: from exchsrvr1.hub.local (exchsrvr1.hub.local [172.16.1.2]) by services.hub.nl (8.13.6/8.13.6) with ESMTP id kBGDsNw8071573 for ; Sat, 16 Dec 2006 14:54:23 +0100 (CET) (envelope-from m.broeders@hublabs.nl) Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable X-MimeOLE: Produced By Microsoft Exchange V6.5 Date: Sat, 16 Dec 2006 14:54:23
+0100 Message-ID: <1DDD0EBB36ACA443BD81C8243F7051CD844B@exchsrvr1.hub.local> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: ADSL modem in bridged mode Thread-Index: AcchGbFfdhSYcu7lS9C9iheVrhCppA== 
From: "Martijn Broeders - HUB Labs" To: X-Virus-Scanned: by amavisd-new Subject: ADSL modem in bridged mode X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Dec 2006 13:54:33 -0000

Hello,

I just started to move my ipfilter configs to pf, so I'm really a newbie to pf. I have an ADSL2-connection to the internet and my Alcatel SpeedTouch 516 is in 'bridged' mode. This means one of the nics in my FreeBSD-machine gets an external IP address. Like this:

          to internet
               ^
               |
               |
      ADSL2 Modem (Bridged)
               |
               V
        ip ext from isp
   FreeBSD router with pf+NAT
         ip 192.168.0.1
               ^
               |
               |
               V
   local network (192.168.0.0/24)

This is my very 'simple' firewall-ruleset:

--- begin firewall-ruleset ---
# macros
ext_if="xl1"
int_if="xl0"
tcp_services="{ 22, 25, 113, 80, 443 }"
icmp_types="echoreq"
webserver1="192.168.0.2"

# options
set block-policy return
set loginterface $ext_if
set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to any port 80 -> $webserver1
rdr on $ext_if proto tcp from any to any port 443 -> $webserver1

# filter rules
block in
pass out keep state
anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $webserver1 port 80 \
    flags S/SA synproxy state
pass in on $ext_if inet proto tcp from any to $webserver1 port 443 \
    flags S/SA synproxy state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass quick on $int_if
--- end firewall-ruleset ---

When I load this ruleset and try to connect to port 80 or 443 (from the outside), no connection to the internal webserver is made. When I do a 'pfctl -ss', this is displayed:

self tcp 192.168.0.2:80 <- 217.194.110.35:80 <- 213.84.86.15:35452       PROXY:DST

Can someone tell me what it means? And why does the redirection fail to the internal webserver? (A similar ipfilter ruleset works perfectly on this machine, but I don't want ipfilter anymore, I want pf for its features like ALTQ, tagging, etc.)

I hope you can help.

Best regards,
Martijn Broeders

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 16 16:10:00 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id B46AA16A403; Sat, 16 Dec 2006 16:10:00 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.174]) by mx1.FreeBSD.org (Postfix) with ESMTP id E0D1143C9D; Sat, 16 Dec 2006 16:09:59 +0000 (GMT) (envelope-from max@love2party.net) Received: from [88.64.184.71] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu3) with ESMTP (Nemesis), id 0MKxQS-1Gvc6f2nfZ-0003BC; Sat, 16 Dec 2006 17:09:51 +0100
From: Max Laier Organization: FreeBSD To: freebsd-pf@freebsd.org Date: Sat, 16 Dec 2006 17:09:42 +0100 User-Agent: KMail/1.9.4 References: <200612161335.kBGDZkMj012022@freefall.freebsd.org> In-Reply-To: <200612161335.kBGDZkMj012022@freefall.freebsd.org> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart2247468.qizqeL3thi"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200612161709.48875.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: avatar@mmlab.cse.yzu.edu.tw, csjp@freebsd.org Subject: debug.mpsafenet=1 vs. user/group rules [Re: kern/106805: ...] X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Dec 2006 16:10:00 -0000

Okay, spoken too quick ... I just had an idea (enlightenment you might say, given the time of year), that might finally get us rid of this symptom (not of the problem though).

Short recap on why this is happening: Checking socket credentials on the IP layer (where pf lives) is a layering violation. A useful one, you may argue, but nonetheless - it causes a lock order reversal: In order to walk the pf rules we need to hold the pf lock, in order to walk the socket hash we need to hold the "inp" lock.

The attached diff circumvents the problem by **always** doing the credential lookup *before* walking the pf rules. This has the benefit that it works (at least I think it should), but there is a price to pay. Now we have to pay for the socket lookup for *every* tcp and udp packet instead of just for those that really hit uid/gid rules. That's why I decided to make it a config option "PF_MPFSAFE_UGID" which you can turn on if you are running a setup that will benefit. The patch turns it on for the module build by default.

A possible scenario that should benefit is a big iron SMP box running lots of services that you want to filter using *stateful* uid/gid rules. For this setup, where a huge percentage of the packets that are not captured by states eventually match a uid/gid rule, you will even get added parallelism with this patch.

On every other typical setup, it should be better to avoid user/group rules or to disable mpsafenet.

In order for this to hit the tree, I need tests confirming that it really helps and possibly benchmarks that qualify the impact of it. Thanks.
=2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --Boundary-01=_IpBhF/ciB5YZr+C Content-Type: text/x-diff; charset="iso-8859-6"; name="pf.ugid.take42.diff" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="pf.ugid.take42.diff" Index: conf/options =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/conf/options,v retrieving revision 1.567 diff -u -r1.567 options =2D-- conf/options 10 Dec 2006 04:23:23 -0000 1.567 +++ conf/options 16 Dec 2006 15:36:08 -0000 @@ -349,6 +349,7 @@ DEV_PF opt_pf.h DEV_PFLOG opt_pf.h DEV_PFSYNC opt_pf.h +PF_MPSAFE_UGID opt_pf.h ETHER_II opt_ef.h ETHER_8023 opt_ef.h ETHER_8022 opt_ef.h Index: contrib/pf/net/pf.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf.c,v retrieving revision 1.42 diff -u -r1.42 pf.c =2D-- contrib/pf/net/pf.c 22 Oct 2006 11:52:11 -0000 1.42 +++ contrib/pf/net/pf.c 16 Dec 2006 15:34:52 -0000 @@ -3032,6 +3032,12 @@ return (PF_DROP); } =20 +#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID) + PF_UNLOCK(); + lookup =3D pf_socket_lookup(&uid, &gid, direction, pd, inp); + PF_LOCK(); +#endif + r =3D TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); =20 if (direction =3D=3D PF_OUT) { 
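Review bot: In the first pf.c hunk, the result of pf_socket_lookup() is taken with PF_LOCK dropped, but the hunk does not show how a failed lookup is treated afterwards: forwarded packets have no local socket, and if the existing lazy lookup in the rule walk still fires on that result, the inpcb hash is walked under PF_LOCK again and the reversal this patch is meant to remove comes back for exactly the forwarded-traffic case. Please either state in a comment that the early result is final or put the later call under the same PF_MPSAFE_UGID condition. Dropping and retaking PF_LOCK around the lookup also means a concurrent ruleset reload can slip in between the two; `r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr)` is read after PF_LOCK() so the walk itself is fine, but nothing computed under the lock before this point may be relied on afterwards, and that deserves a comment at the PF_UNLOCK(). The same three lines are pasted verbatim into the second hunk; a single PF_UGID_LOOKUP() macro or inline helper would keep the two copies from drifting apart. On the conf/options hunk: the option is spelled PF_MPSAFE_UGID here while the cover mail calls it PF_MPFSAFE_UGID, and there is no matching entry in sys/conf/NOTES, so someone reading the kernel options has no way to learn what it does or what it costs per packet.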
@@ -3428,6 +3434,12 @@ return (PF_DROP); } =20 +#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID) + PF_UNLOCK(); + lookup =3D pf_socket_lookup(&uid, &gid, direction, pd, inp); + PF_LOCK(); +#endif + r =3D TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); =20 if (direction =3D=3D PF_OUT) { Index: modules/pf/Makefile =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/modules/pf/Makefile,v retrieving revision 1.12 diff -u -r1.12 Makefile =2D-- modules/pf/Makefile 12 Sep 2006 04:25:12 -0000 1.12 +++ modules/pf/Makefile 16 Dec 2006 15:41:00 -0000 
@@ -10,7 +10,7 @@ in4_cksum.c \ opt_pf.h opt_inet.h opt_inet6.h opt_bpf.h opt_mac.h =20 =2DCFLAGS+=3D -I${.CURDIR}/../../contrib/pf +CFLAGS+=3D -I${.CURDIR}/../../contrib/pf -DPF_MPSAFE_UGID =20 .if !defined(KERNBUILDDIR) opt_inet.h: --Boundary-01=_IpBhF/ciB5YZr+C-- --nextPart2247468.qizqeL3thi Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (FreeBSD) iD8DBQBFhBpMXyyEoT62BG0RAivGAJ9hRgwyXIJtXsmpiI5t+Z94l5+qaACfTqsP DLlzi0gXLtJQsIi7CWbpiuQ= =y678 -----END PGP SIGNATURE----- --nextPart2247468.qizqeL3thi-- From owner-freebsd-pf@FreeBSD.ORG Sat Dec 16 19:18:04 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 3FBE016A407; Sat, 16 Dec 2006 19:18:04 +0000 (UTC) (envelope-from csjp@FreeBSD.ORG) Received: from ems01.seccuris.com (ems01.seccuris.com [204.112.0.35]) by mx1.FreeBSD.org (Postfix) with ESMTP id 19D7E43CA2; Sat, 16 Dec 2006 19:17:52 +0000 (GMT) (envelope-from csjp@FreeBSD.ORG) Received: from [127.0.0.1] (stf01.seccuris.com [204.112.0.40]) by ems01.seccuris.com (Postfix) with ESMTP id F4081462E55; Sat, 16 Dec 2006 14:16:58 -0600 (CST) Message-ID: <458446AC.6080309@FreeBSD.ORG> Date: Sat, 16 Dec 2006 13:19:08 -0600 
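Review bot: In the modules/pf/Makefile hunk, `-DPF_MPSAFE_UGID` is appended to CFLAGS unconditionally, so a module built alongside a kernel (KERNBUILDDIR defined) gets the option even when that kernel's config, and the opt_pf.h generated from it, leave it out; the module and the kernel then disagree about the pf lock discipline with nothing in the config saying so. Better to emit the define into opt_pf.h inside the `.if !defined(KERNBUILDDIR)` branch visible two lines below, the way the other opt_*.h files are produced there, so the standalone module build keeps the default while a config-driven build follows `options PF_MPSAFE_UGID`.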
From: "Christian S.J. Peron" User-Agent: Thunderbird 1.5.0.8 (Macintosh/20061025) MIME-Version: 1.0 To: Max Laier References: <200612161335.kBGDZkMj012022@freefall.freebsd.org> <200612161709.48875.max@love2party.net> In-Reply-To: <200612161709.48875.max@love2party.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: avatar@mmlab.cse.yzu.edu.tw, julian@FreeBSD.org, freebsd-pf@freebsd.org Subject: Re: debug.mpsafenet=1 vs. user/group rules [Re: kern/106805: ...] X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Dec 2006 19:18:04 -0000

Max,

I thought about doing the exact same thing. There is only one problem, you just move the LOR from pf<->inpcb to pfil<->inpcb. One main difference is that pfil currently uses an rw_lock, which allows for concurrent read access of the filter lists. (So, in this path, the in/out pcb->pfil/pfil->pcb: one thread will never be blocked waiting on the firewall chain lock). Unless of course there is a write involved. But I can't see where a chain modifier picks up the inpcb lock. That said, we still wind up with a nasty LOR message, however it should be completely harmless in principle. Currently, ipfw uses rw(9) so the LOR should be completely harmless there, too.

I think the correct approach to this problem is to:

(1) Don't do that
(2) If we are going to do that, drop the pfil(9) locks (somehow) and move the pcb lookups "unconditionally" to before we pick up the firewall chain lock. Unconditionally might just mean "do this lookup if we have uid/gid rules".
(3) Introduce a PFIL_STATIC kernel option which requires that packet filtering modules be registered at boot-time via /boot/loader.conf. This would allow us to drop the pfil(9) lock.

I think that the implementation of a PFIL_STATIC kernel option would be useful regardless, as it would allow us to eliminate two mutex acquisitions in the fast path for those of us with 'boot-time-static' setups. A similar mechanism was used in the Mandatory Access Control (MAC) framework.

I have also included Julian on the CC list, as we had some conversations regarding this too. I think we have enough momentum to get this fixed now. It's been bugging me for years! :)

Max Laier wrote:
> Okay, spoken too quick ... I just had an idea (enlightenment you might say -
> given the time of year), that might finally get us rid of this symptom
> (not of the problem though).
>
> Short recap on why this is happening: Checking socket credentials on the
> IP layer (where pf lives) is a layering violation. A useful one, you may
> argue, but nonetheless - it causes a lock order reversal: In order to
> walk the pf rules we need to hold the pf lock, in order to walk the
> socket hash we need to hold the "inp" lock.
>
> The attached diff circumvents the problem by **always** doing the
> credential lookup *before* walking the pf rules. This has the benefit
> that it works (at least I think it should), but there is a price to pay.
> Now we have to pay for the socket lookup for *every* tcp and udp packet
> instead of just for those that really hit uid/gid rules. That's why I
> decided to make it a config option "PF_MPFSAFE_UGID" which you can turn
> on if you are running a setup that will benefit. The patch turns it on
> for the module build by default.
>
> A possible scenario that should benefit is a big iron SMP box running lots
> of services that you want to filter using *stateful* uid/gid rules. For
> this setup where a huge percentage of the packets that are not captured
> by states eventually match a uid/gid rule, you will even get added
> parallelism with this patch.
>
> On every other typical setup, it should be better to avoid user/group
> rules or to disable mpsafenet.
> > In order for this to hit the tree, I need tests confirming that it really > helps and possibly benchmarks that qualify the impact of it. Thanks. > > > ------------------------------------------------------------------------ > > Index: conf/options > =================================================================== > RCS file: /usr/store/mlaier/fcvs/src/sys/conf/options,v > retrieving revision 1.567 > diff -u -r1.567 options > --- conf/options 10 Dec 2006 04:23:23 -0000 1.567 > +++ conf/options 16 Dec 2006 15:36:08 -0000 > @@ -349,6 +349,7 @@ > DEV_PF opt_pf.h > DEV_PFLOG opt_pf.h > DEV_PFSYNC opt_pf.h > +PF_MPSAFE_UGID opt_pf.h > ETHER_II opt_ef.h > ETHER_8023 opt_ef.h > ETHER_8022 opt_ef.h > Index: contrib/pf/net/pf.c > =================================================================== > RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf.c,v > retrieving revision 1.42 > diff -u -r1.42 pf.c > --- contrib/pf/net/pf.c 22 Oct 2006 11:52:11 -0000 1.42 > +++ contrib/pf/net/pf.c 16 Dec 2006 15:34:52 -0000 > @@ -3032,6 +3032,12 @@ > return (PF_DROP); > } > > +#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID) > + PF_UNLOCK(); > + lookup = pf_socket_lookup(&uid, &gid, direction, pd, inp); > + PF_LOCK(); > +#endif > + > r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); > > if (direction == PF_OUT) { > @@ -3428,6 +3434,12 @@ > return (PF_DROP); > } > > +#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID) > + PF_UNLOCK(); > + lookup = pf_socket_lookup(&uid, &gid, direction, pd, inp); > + PF_LOCK(); > +#endif > + > r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); > > if (direction == PF_OUT) { > Index: modules/pf/Makefile > =================================================================== > RCS file: /usr/store/mlaier/fcvs/src/sys/modules/pf/Makefile,v > retrieving revision 1.12 > diff -u -r1.12 Makefile > --- modules/pf/Makefile 12 Sep 2006 04:25:12 -0000 1.12 > +++ modules/pf/Makefile 16 Dec 2006 15:41:00 -0000 
> @@ -10,7 +10,7 @@ > in4_cksum.c \ > opt_pf.h opt_inet.h opt_inet6.h opt_bpf.h opt_mac.h > > -CFLAGS+= -I${.CURDIR}/../../contrib/pf > +CFLAGS+= -I${.CURDIR}/../../contrib/pf -DPF_MPSAFE_UGID > > .if !defined(KERNBUILDDIR) > opt_inet.h: > From owner-freebsd-pf@FreeBSD.ORG Sat Dec 16 20:02:37 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9E30016A4CE for ; Sat, 16 Dec 2006 20:02:37 +0000 (UTC) (envelope-from thompsa@freebsd.org) Received: from alias1.ihug.co.nz (alias1.ihug.co.nz [203.96.222.11]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3BFFB43CBB for ; Sat, 16 Dec 2006 19:58:51 +0000 (GMT) (envelope-from thompsa@freebsd.org) Received: from ironport2.ihug.co.nz [203.109.254.20] by alias1.ihug.co.nz with esmtp (Exim 3.36 #1 (Debian)) id 1Gvfcd-0006AR-00; Sun, 17 Dec 2006 08:55:03 +1300 Received: from 203-109-251-39.static.bliink.ihug.co.nz (HELO heff.fud.org.nz) ([203.109.251.39]) by ironport2.ihug.co.nz with ESMTP; 17 Dec 2006 09:11:25 +1300 X-Ironport-Seen: Yes Received: by heff.fud.org.nz (Postfix, from userid 1001) id 229EB1CC1F; Sun, 17 Dec 2006 08:58:49 +1300 (NZDT) Date: Sun, 17 Dec 2006 08:58:49 +1300 
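The lock order reversal Max describes, and Christian's point that the patch only moves it from pf<->inpcb to pfil<->inpcb, can be checked mechanically the way WITNESS(4) does it: remember which lock was held when each other lock was taken, and flag the first acquisition that contradicts an order seen earlier. The C program below is an added example for this thread, not FreeBSD kernel code and not part of the patch; its three lock names and two code paths (a pf_test() call arriving through the pfil hooks, and a local TCP transmit that already holds its inpcb) are a simplified model of what the messages describe, not the real functions. With the unpatched ordering it reports two reversals (pf against inpcb, pfil against inpcb); with the PF_MPSAFE_UGID ordering the pf/inpcb pair is clean and only pfil/inpcb remains.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not FreeBSD kernel code): a toy lock-order tracker in the
 * spirit of WITNESS(4). lock() records "held lock H was taken before L"; a
 * later lock() that finds the opposite order already recorded is a LOR.
 * Lock names and code paths are a simplified model of the pf / pfil / inpcb
 * interaction discussed on the list, not the real functions.
 */
enum lock { LK_PFIL = 0, LK_PF = 1, LK_INP = 2, LK_COUNT = 3 };
static const char *lock_name[LK_COUNT] = { "pfil", "pf", "inpcb" };

struct witness {
    int  before[LK_COUNT][LK_COUNT]; /* before[a][b]: a was held while b was taken */
    enum lock held[LK_COUNT];        /* locks currently held, in acquisition order */
    int  nheld;
    int  reversals;                  /* LORs flagged so far */
    char last[160];                  /* description of the most recent LOR */
};

static void witness_init(struct witness *w) { memset(w, 0, sizeof *w); }

static void lock(struct witness *w, enum lock l)
{
    for (int i = 0; i < w->nheld; i++) {
        enum lock h = w->held[i];
        if (w->before[l][h]) {       /* l was once taken before h; now h is held while taking l */
            w->reversals++;
            snprintf(w->last, sizeof w->last,
                     "lock order reversal: %s -> %s (previously %s -> %s)",
                     lock_name[h], lock_name[l], lock_name[l], lock_name[h]);
        }
        w->before[h][l] = 1;
    }
    w->held[w->nheld++] = l;
}

static void unlock(struct witness *w, enum lock l)
{
    for (int i = 0; i < w->nheld; i++) {
        if (w->held[i] == l) {
            memmove(&w->held[i], &w->held[i + 1],
                    (size_t)(w->nheld - i - 1) * sizeof w->held[0]);
            w->nheld--;
            return;
        }
    }
}

/* Unpatched pf: the socket lookup happens inside the rule walk with PF_LOCK held. */
static void path_pf_test_unpatched(struct witness *w)
{
    lock(w, LK_PFIL);            /* pfil hook list lock */
    lock(w, LK_PF);              /* PF_LOCK() */
    lock(w, LK_INP);             /* pf_socket_lookup(): walk the inpcb hash */
    unlock(w, LK_INP);
    unlock(w, LK_PF);
    unlock(w, LK_PFIL);
}

/* Patched pf (PF_MPSAFE_UGID): PF_UNLOCK(); pf_socket_lookup(); PF_LOCK(); before the walk. */
static void path_pf_test_patched(struct witness *w)
{
    lock(w, LK_PFIL);
    lock(w, LK_PF);
    unlock(w, LK_PF);            /* PF_UNLOCK() */
    lock(w, LK_INP);             /* pf_socket_lookup() with no pf lock held */
    unlock(w, LK_INP);
    lock(w, LK_PF);              /* PF_LOCK(); the rule walk follows */
    unlock(w, LK_PF);
    unlock(w, LK_PFIL);
}

/* Local TCP transmit: inpcb already held when the packet enters pfil and pf. */
static void path_tcp_output(struct witness *w)
{
    lock(w, LK_INP);
    lock(w, LK_PFIL);
    lock(w, LK_PF);
    unlock(w, LK_PF);
    unlock(w, LK_PFIL);
    unlock(w, LK_INP);
}

static void run_paths(struct witness *w, int patched)
{
    witness_init(w);
    if (patched) path_pf_test_patched(w); else path_pf_test_unpatched(w);
    path_tcp_output(w);
}

/* Reversals flagged when the pf path runs and then a local transmit follows. */
int count_reversals(int patched)
{
    struct witness w;
    run_paths(&w, patched);
    return w.reversals;
}

/* 1 if locks a and b were seen in both orders, i.e. that pair is reversed. */
int pair_reversed(int patched, enum lock a, enum lock b)
{
    struct witness w;
    run_paths(&w, patched);
    return w.before[a][b] && w.before[b][a];
}

int main(void)
{
    for (int patched = 0; patched <= 1; patched++) {
        struct witness w;
        run_paths(&w, patched);
        printf("%s: %d reversal(s); last: %s\n",
               patched ? "PF_MPSAFE_UGID" : "unpatched", w.reversals, w.last);
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall lor.c && ./a.out`. The model deliberately treats the pfil lock as an ordinary lock; Christian's observation that an rw_lock taken for reading makes the remaining pfil/inpcb reversal harmless in practice is exactly the kind of judgement a tracker like this cannot make for you.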
From: Andrew Thompson To: Max Laier Message-ID: <20061216195849.GA52916@heff.fud.org.nz> References: <200612161335.kBGDZkMj012022@freefall.freebsd.org> <200612161709.48875.max@love2party.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200612161709.48875.max@love2party.net> User-Agent: Mutt/1.5.13 (2006-08-11) Cc: avatar@mmlab.cse.yzu.edu.tw, csjp@freebsd.org, freebsd-pf@freebsd.org Subject: Re: debug.mpsafenet=1 vs. user/group rules [Re: kern/106805: ...] X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Dec 2006 20:02:37 -0000

On Sat, Dec 16, 2006 at 05:09:42PM +0100, Max Laier wrote:
> Okay, spoken too quick ... I just had an idea (enlightenment you might say -
> given the time of year), that might finally get us rid of this symptom
> (not of the problem though).
>
> The attached diff circumvents the problem by **always** doing the
> credential lookup *before* walking the pf rules. This has the benefit
> that it works (at least I think it should), but there is a price to pay.
> Now we have to pay for the socket lookup for *every* tcp and udp packet
> instead of just for those that really hit uid/gid rules. That's why I
> decided to make it a config option "PF_MPFSAFE_UGID" which you can turn
> on if you are running a setup that will benefit. The patch turns it on
> for the module build by default.

Is it possible to keep a reference count of the number of uid/gid rules and perform the lookup early if it is non-zero?
Andrew From owner-freebsd-pf@FreeBSD.ORG Sat Dec 16 21:24:20 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id D78D316A417; Sat, 16 Dec 2006 21:24:20 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.174]) by mx1.FreeBSD.org (Postfix) with ESMTP id 287DE43CBD; Sat, 16 Dec 2006 21:23:46 +0000 (GMT) (envelope-from max@love2party.net) Received: from [88.66.56.193] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu6) with ESMTP (Nemesis), id 0ML29c-1Gvh0M1kPA-00080b; Sat, 16 Dec 2006 22:23:40 +0100 
From: Max Laier Organization: FreeBSD To: Andrew Thompson Date: Sat, 16 Dec 2006 22:23:30 +0100 User-Agent: KMail/1.9.4 References: <200612161335.kBGDZkMj012022@freefall.freebsd.org> <200612161709.48875.max@love2party.net> <20061216195849.GA52916@heff.fud.org.nz> In-Reply-To: <20061216195849.GA52916@heff.fud.org.nz> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1262884.czgsFRxcJh"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200612162223.37089.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: avatar@mmlab.cse.yzu.edu.tw, csjp@freebsd.org, freebsd-pf@freebsd.org Subject: Re: debug.mpsafenet=1 vs. user/group rules [Re: kern/106805: ...] X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Dec 2006 21:24:20 -0000

On Saturday 16 December 2006 20:58, Andrew Thompson wrote:
> On Sat, Dec 16, 2006 at 05:09:42PM +0100, Max Laier wrote:
> > Okay, spoken too quick ... I just had an idea (enlightenment you might
> > say - given the time of year), that might finally get us rid of this
> > symptom (not of the problem though).
> >
> > The attached diff circumvents the problem by **always** doing the
> > credential lookup *before* walking the pf rules. This has the
> > benefit that it works (at least I think it should), but there is a
> > price to pay. Now we have to pay for the socket lookup for *every*
> > tcp and udp packet instead of just for those that really hit uid/gid
> > rules. That's why I decided to make it a config option
> > "PF_MPFSAFE_UGID" which you can turn on if you are running a setup
> > that will benefit. The patch turns it on for the module build by
> > default.
>
> Is it possible to keep a reference count of the number of uid/gid rules
> and perform the lookup early if it is non-zero?

Possible, but not trivial. If we see that this static version works we can still look at making it more dynamic. A middle ground might be a sysctl you have to set in order to safely use uid/gid rules with mpsafenet.

--
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
 X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 16 23:25:52 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 7707416A403 for ; Sat, 16 Dec 2006 23:25:52 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 40B2643CC4 for ; Sat, 16 Dec 2006 23:25:43 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1]) by insomnia.benzedrine.cx (8.13.4/8.13.4) with ESMTP id kBGNPjcN014865
(version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Sun, 17 Dec 2006 00:25:45 +0100 (MET) Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.13.4/8.12.10/Submit) id kBGNPeBB017443; Sun, 17 Dec 2006 00:25:40 +0100 (MET) Date: Sun, 17 Dec 2006 00:25:40 +0100 From: Daniel Hartmeier To: Martijn Broeders - HUB Labs Message-ID: <20061216232540.GO6704@insomnia.benzedrine.cx> References: <1DDD0EBB36ACA443BD81C8243F7051CD844B@exchsrvr1.hub.local> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1DDD0EBB36ACA443BD81C8243F7051CD844B@exchsrvr1.hub.local> User-Agent: Mutt/1.5.10i Cc: freebsd-pf@freebsd.org Subject: Re: ADSL modem in bridged mode X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Dec 2006 23:25:52 -0000 On Sat, Dec 16, 2006 at 02:54:23PM +0100, Martijn Broeders - HUB Labs wrote: > self tcp 192.168.0.2:80 <- 217.194.110.35:80 <- 213.84.86.15:35452 > PROXY:DST > > Can someone tell me what is means? And why does the redirection fail to > the internal webserver? Most likely that 192.168.0.2's default route does not point back to the pf box (192.168.0.1). synproxy has completed the handshake with the external client. It is now replaying the handshake with the server. It has sent the SYN to the server and is waiting for the SYN+ACK from the server. Which doesn't arrive. Daniel
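Daniel's reading of the PROXY:DST state can be turned into a check that runs over the whole state table instead of one line. The script below is an added example for this thread, not pf's or pfctl's own code and not from any of the posts. It assumes the `pfctl -ss` layout shown in Martijn's mail (interface, protocol, endpoints joined by `<-` or `->` with an optional nat/rdr gateway in the middle, then the state label); the sample lines are constructed and marked as such, apart from the one he posted. A PROXY:DST state means synproxy has completed the handshake with the client and sent its SYN to the real server without getting the SYN+ACK back; several of them for the same internal host point at that host's return route, which is the diagnosis given above.

```python
"""Flag pf synproxy states stuck waiting on the internal server.

Added example for this thread; not part of pf, pfctl or the original posts.
Parses `pfctl -ss` lines in the format shown in the thread and reports
PROXY:DST states (client handshake done, server SYN+ACK never arrived).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PfState:
    iface: str
    proto: str
    src: str            # originating endpoint, "addr:port"
    dst: str            # final destination endpoint, "addr:port"
    gw: Optional[str]   # translated (nat/rdr) endpoint, None if untranslated
    direction: str      # "in" for "<-" lines, "out" for "->" lines
    state: str          # pf state label, e.g. PROXY:DST, ESTABLISHED:ESTABLISHED


def host_of(endpoint: str) -> str:
    """Strip the port: pfctl prints IPv4 as addr:port and IPv6 as addr[port]."""
    if "[" in endpoint:
        return endpoint.split("[", 1)[0]
    return endpoint.rsplit(":", 1)[0]


def parse_state_line(line: str) -> PfState:
    tok = line.split()
    if len(tok) < 6:
        raise ValueError(f"not a pfctl -ss state line: {line!r}")
    iface, proto, state = tok[0], tok[1], tok[-1]
    body = tok[2:-1]                      # endpoint arrow endpoint [arrow endpoint]
    endpoints, arrows = body[0::2], body[1::2]
    if len(endpoints) not in (2, 3) or len(set(arrows)) != 1 or arrows[0] not in ("<-", "->"):
        raise ValueError(f"unexpected endpoint layout: {line!r}")
    gw = endpoints[1] if len(endpoints) == 3 else None
    if arrows[0] == "<-":                 # inbound: the destination is printed first
        return PfState(iface, proto, endpoints[-1], endpoints[0], gw, "in", state)
    return PfState(iface, proto, endpoints[0], endpoints[-1], gw, "out", state)


def parse_states(text: str) -> List[PfState]:
    return [parse_state_line(l) for l in text.splitlines() if l.strip()]


def stuck_synproxy(states: List[PfState]) -> List[PfState]:
    """PROXY:DST: pf is waiting for the server's SYN+ACK. PROXY:SRC is still
    the client-side handshake and says nothing about the server, so it is
    deliberately not flagged."""
    return [s for s in states if s.proto == "tcp" and s.state == "PROXY:DST"]


def stuck_by_server(states: List[PfState]) -> Dict[str, int]:
    """Count stuck handshakes per internal host. Several for one host point at
    that host's routing (default route not via the pf box) rather than at one
    flaky client."""
    counts: Dict[str, int] = {}
    for s in stuck_synproxy(states):
        host = host_of(s.dst)
        counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed sample: the first line is the one posted in the thread; the rest
# are made up in the same format, with RFC 5737 addresses for the remote side.
SAMPLE = """\
self tcp 192.168.0.2:80 <- 217.194.110.35:80 <- 213.84.86.15:35452       PROXY:DST
self tcp 192.168.0.2:443 <- 217.194.110.35:443 <- 213.84.86.15:35460       PROXY:DST
self tcp 192.168.0.2:80 <- 217.194.110.35:80 <- 198.51.100.7:51002       PROXY:SRC
self tcp 217.194.110.35:22 <- 203.0.113.9:40110       ESTABLISHED:ESTABLISHED
self tcp 192.168.0.10:54012 -> 217.194.110.35:54012 -> 198.51.100.20:22       ESTABLISHED:ESTABLISHED
self udp 192.168.0.5:41000 -> 217.194.110.35:41000 -> 198.51.100.30:123       MULTIPLE:MULTIPLE
"""

if __name__ == "__main__":
    for host, n in stuck_by_server(parse_states(SAMPLE)).items():
        print(f"{host}: {n} synproxy handshake(s) waiting for SYN+ACK; "
              f"check that its default route points at the pf box")
```

On a live box, feed it `pfctl -ss` output instead of SAMPLE (for example `parse_states(subprocess.check_output(["pfctl", "-ss"], text=True))`); a single PROXY:DST entry can be a transient, so watch whether the same server keeps accumulating them across a few runs before blaming its routing.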