From owner-freebsd-pf@FreeBSD.ORG Mon Aug 11 11:07:02 2008
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 11 Aug 2008 11:07:01 GMT
Message-Id: <200808111107.m7BB71jn047275@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
List-Id: "Technical discussion and general questions about packet filter (pf)"

Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented

6 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/114567  pf    [pf] LOR pf_ioctl.c + if.c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/125467  pf    [pf] pf keep state bug while handling sessions between

10 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Aug 11 13:24:05 2008
From: "Redd Vinylene"
To: freebsd-pf@freebsd.org
Date: Mon, 11 Aug 2008 14:59:46 +0200
Subject: Why the old version of pf?

Hello hello!

Just curious why FreeBSD 7 has to use an old version of pf? There's been so
many improvements! I'd very much like to use the new IP range feature for
instance, so I can reduce

box = "{ 80.252.2.4, 80.252.2.5, 80.252.2.6, 80.252.2.7, 80.252.2.8, 80.252.2.9,
80.252.2.10, 80.252.2.11, 80.252.2.12, 80.252.2.13, 80.252.2.14, 80.252.2.15,
80.252.2.16, 80.252.2.17, 80.252.2.18, 80.252.2.19, 80.252.2.20, 80.252.2.21,
80.252.2.22, 80.252.2.23, 80.252.2.24, 80.252.2.25, 80.252.2.26, 80.252.2.27,
80.252.2.28, 80.252.2.29, 80.252.2.30, 80.252.2.31, 80.252.2.32, 80.252.2.33,
80.252.2.34, 80.252.2.35, 80.252.2.36, 80.252.2.37, 80.252.2.38, 80.252.2.39,
80.252.2.40, 80.252.2.41, 80.252.2.42, 80.252.2.43, 80.252.2.44, 80.252.2.45,
80.252.2.46, 80.252.2.47, 80.252.2.48, 80.252.2.49, 80.252.2.50, 80.252.2.51,
80.252.2.52, 80.252.2.53, 80.252.2.54, 80.252.2.55, 80.252.2.56, 80.252.2.57,
80.252.2.58, 80.252.2.59, 80.252.2.60, 80.252.2.61, 80.252.2.62, 80.252.2.63,
80.252.2.64, 80.252.2.65, 80.252.2.80, 80.252.2.67, 80.252.2.68, 80.252.2.69,
80.252.2.70, 80.252.2.71, 80.252.2.72, 80.252.2.73, 80.252.2.74, 80.252.2.75,
80.252.2.76, 80.252.2.77, 80.252.2.78, 80.252.2.79, 80.252.2.80, 80.252.2.81,
80.252.2.82, 80.252.2.83, 80.252.2.84, 80.252.2.85, 80.252.2.86, 80.252.2.87,
80.252.2.88, 80.252.2.89, 80.252.2.90, 80.252.2.91, 80.252.2.92, 80.252.2.93,
80.252.2.94, 80.252.2.95, 80.252.2.96, 80.252.2.97, 80.252.2.98, 80.252.2.99,
80.252.2.100, 80.252.2.101, 80.252.2.102, 80.252.2.103, 80.252.2.104, 80.252.2.105,
80.252.2.106, 80.252.2.107, 80.252.2.108, 80.252.2.109, 80.252.2.110, 80.252.2.111,
80.252.2.112, 80.252.2.113, 80.252.2.114, 80.252.2.115, 80.252.2.116, 80.252.2.117,
80.252.2.118, 80.252.2.119, 80.252.2.120, 80.252.2.121, 80.252.2.122, 80.252.2.123,
80.252.2.124, 80.252.2.125, 80.252.2.126, 80.252.2.127 }"

to

box = "{ 80.252.2.4 - 80.252.2.127 }"

Much obliged, and thanks!

--
http://www.home.no/reddvinylene

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 11 13:53:46 2008
From: Nejc Škoberne
To: Redd Vinylene
Cc: freebsd-pf@freebsd.org
Date: Mon, 11 Aug 2008 15:44:15 +0200
Message-ID: <48A0422F.1050403@skoberne.net>
Subject: Re: Why the old version of pf?

Hey,

> Just curious why FreeBSD 7 has to use an old version of pf? There's
> been so many improvements! I'd very much like to use the new IP range
> feature for instance, so I can reduce

Can't help you here.

> box = "{ 80.252.2.4 - 80.252.2.127 }"

But if I am not wrong, you could write this (at least) as:

box = "{ 80.252.2.64/26, 80.252.2.32/27, 80.252.2.16/28, \
         80.252.2.8/29, 80.252.2.4/30 }"

Bye,
Nejc

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 11 14:24:46 2008
From: "Redd Vinylene"
To: freebsd-pf@freebsd.org
Date: Mon, 11 Aug 2008 16:24:43 +0200
References: <48A0422F.1050403@skoberne.net> <11167f520808110713p69d165bdsb29224f8eb1279a4@mail.gmail.com>
Subject: Re: Why the old version of pf?
4.1 according to the handbook, no?

> On Mon, Aug 11, 2008 at 4:13 PM, Sam Fourman Jr. wrote:
>>>> Just curious why FreeBSD 7 has to use an old version of pf? There's
>>>> been so many improvements! I'd very much like to use the new IP range
>>>> feature for instance, so I can reduce
>>
>> does anyone know how to find out what version of pf FreeBSD is currently using?
>> a switch maybe?
>>
>> Sam Fourman Jr.
>>
>
> --
> http://www.home.no/reddvinylene

--
http://www.home.no/reddvinylene

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 11 14:39:06 2008
From: "Sam Fourman Jr."
To: Nejc Škoberne
Cc: freebsd-pf@freebsd.org
Date: Mon, 11 Aug 2008 09:13:15 -0500
Message-ID: <11167f520808110713p69d165bdsb29224f8eb1279a4@mail.gmail.com>
In-Reply-To: <48A0422F.1050403@skoberne.net>
Subject: Re: Why the old version of pf?
>> Just curious why FreeBSD 7 has to use an old version of pf? There's
>> been so many improvements! I'd very much like to use the new IP range
>> feature for instance, so I can reduce

does anyone know how to find out what version of pf FreeBSD is currently using?
a switch maybe?

Sam Fourman Jr.

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 11 15:05:34 2008
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Mon, 11 Aug 2008 17:05:22 +0200
Message-Id: <200808111705.22825.max@love2party.net>
In-Reply-To: <11167f520808110713p69d165bdsb29224f8eb1279a4@mail.gmail.com>
Subject: Re: Why the old version of pf?
On Monday 11 August 2008 16:13:15 Sam Fourman Jr. wrote:
> >> Just curious why FreeBSD 7 has to use an old version of pf? There's
> >> been so many improvements! I'd very much like to use the new IP range
> >> feature for instance, so I can reduce
>
> does anyone know how to find out what version of pf FreeBSD is currently
> using? a switch maybe?

Unfortunately, there is no simple mechanism to figure that out. There is
documentation of __FreeBSD_version (aka sysctl kern.osreldate) mapping to pf
version in the porter's handbook:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/freebsd-versions.html

You can also check sysutils/pftop/Makefile for hints.
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 11 15:18:54 2008
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Mon, 11 Aug 2008 17:18:51 +0200
Message-Id: <200808111718.51616.max@love2party.net>
Subject: Re: Why the old version of pf?
On Monday 11 August 2008 14:59:46 Redd Vinylene wrote:
> Just curious why FreeBSD 7 has to use an old version of pf? There's
> been so many improvements!

It's a mixed bag, I'd say. I'm pondering an update to 4.3, but haven't found
the time yet. And now 4.4 is in sight already and has a lot more stuff ...
though there seem to be some problems with some of the new stuff ...

Right now, the simple answer is just: It hasn't been done.

> I'd very much like to use the new IP range
> feature for instance, so I can reduce
>
> box = "{ 80.252.2.4, 80.252.2.5, 80.252.2.6, 80.252.2.7, 80.252.2.8,
> ...
> 80.252.2.124, 80.252.2.125, 80.252.2.126, 80.252.2.127 }"
>
> to
>
> box = "{ 80.252.2.4 - 80.252.2.127 }"

Now, if that's your only problem I suggest that you read about netmasks and
write the above as either

table { 80.252.2.0/25, !80.252.2.3/30 }

or

box = "{ 80.252.2.64/26, 80.252.2.32/27, 80.252.2.16/28, \
         80.252.2.8/29, 80.252.2.4/30 }"

as Nejc suggested.
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 11 15:21:20 2008
From: Stefan Lambrev
To: Tom Huppi
Cc: freebsd-pf@freebsd.org
Date: Mon, 11 Aug 2008 18:21:15 +0300
Message-ID: <48A058EB.3010308@moneybookers.com>
In-Reply-To: <20080807180054.GE10818@huppi.com>
References: <20080807101825.GC10818@huppi.com> <20080807173225.GA17926@verio.net> <20080807180054.GE10818@huppi.com>
Subject: Re: syn flood, tcpdump readings
Tom Huppi wrote:
> On 12:32 Thu 07 Aug , David DeSimone wrote:
>
>> Tom Huppi wrote:
>>
>>> Anyway, I am getting what I believe to be syn floods
>>> periodically. They dwarf my production traffic and sometimes
>>> get close to producing as much bandwidth as we are paying for. A
>>> representative sample looks like so when viewed with tcpdump on
>>> my outward interface ('em1'):
>>>
>>> 21:36:53.870312 IP 125.21.176.19.x11 > 74.123.192.195.domain: S 27394048:27394048(0) win 16384
>>> 21:36:53.870319 IP 125.21.176.19.x11 > 74.123.192.204.domain: S 1793916928:1793916928(0) win 16384
>>>
>> Since you went to the trouble of obscuring the source IP, I presume that
>> the source IP is your IP. So, these look like responses, i.e. outbound
>> traffic, not inbound, since they are sourced from your IP. You can use
>> tcpdump's -e flag to be sure who is sending and who is receiving.
>>
>
> I obscured my own IP range which is the 74.nnn.nnn. one and it
> is a /24. Interestingly most of the IP's on my side are ones
> where I have no host.
>
> The reason why is that I figured that if I myself were a
> semi-sophisticated cracker, I would look for targets of
> opportunity on the various mailing lists where one could identify
> both networks administered by newbie/part-time personnel, and
> often a fair amount about the configuration of said :)
>
> The IP '125.21.176.19' is exactly as it appeared on my tcpdump.
> It shows as a telcom company in India in this case...usually
> it's some network company or another in China.
>
> My network looks like so:
>
>                             -------------  em0  <---> internal range
> Network Provider <----> em1 | pf firewall |
> (Internap)                  -------------  bce1 <---> dmz range
>
>
> I took the tcpdump output to indicate that Syn packets showing an Indian
> Origin were showing up addressed to (mainly non-existent) IP addresses
> within my /24 network.
>
> I'll look at 'tcpdump -e'. Thanks for the hint!
>

If the syn flood comes from single IP you can just block traffic from it.
For every SYN packet you are sending SYN-ACK packet so yes the traffic is in
both ways. Why you do not see it on tcpdump I dunno.
In all cases you want to limit the max number of states that can be created
by a single source IP and you want to limit the rate of new connections over
a time interval.

- max-src-states
- max-src-conn-rate

Anyway if the incoming traffic "floods" your pipe this will not help, but at
least your firewall will work properly ;)

--
Best Wishes,
Stefan Lambrev
ICQ# 24134177

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 11 15:23:35 2008
From: "Sam Fourman Jr."
To: "Max Laier"
Cc: freebsd-pf@freebsd.org
Date: Mon, 11 Aug 2008 10:23:35 -0500
Message-ID: <11167f520808110823l6630b12ck10c6a36d630342@mail.gmail.com>
In-Reply-To: <200808111718.51616.max@love2party.net>
Subject: Re: Why the old version of pf?
> And now 4.4 is in sight already and has a lot more stuff ...
> though there seem to be some problems with some of the new stuff ...

What stuff is causing trouble, I could cherry pick a few patches and test.

Sam Fourman Jr.
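The decomposition Nejc and Max gave for 80.252.2.4 - 80.252.2.127 is one instance of a general rule: an inclusive range splits into aligned power-of-two blocks, taking the largest block that fits at each step. The Python below is an editor's added example, not code from anyone in the thread or from the pf project. It implements that rule, cross-checks it against the standard library, and verifies that both forms Max offered (the table with a negated entry and the five-prefix list) match exactly the 124 hosts of the range. The pf-list expansion is an assumed model of pf table semantics (a `!` entry excludes its addresses; host bits in a prefix such as 80.252.2.3/30 are masked off), not something the thread states.

```python
import ipaddress


def range_to_cidrs(first: str, last: str) -> list:
    """Split the inclusive IPv4 range first..last into the fewest CIDR blocks.

    Greedy: at each step emit the largest power-of-two block that starts at
    the current address (a block must be aligned to its own size) and still
    fits in what is left of the range. For 80.252.2.4 - 80.252.2.127 this
    yields exactly the five prefixes from the thread.
    """
    cur = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if cur > end:
        raise ValueError("range start lies after range end")
    blocks = []
    while cur <= end:
        size = 1
        while size * 2 <= end - cur + 1 and cur % (size * 2) == 0:
            size *= 2
        prefix = 33 - size.bit_length()          # size == 2 ** (32 - prefix)
        blocks.append(f"{ipaddress.IPv4Address(cur)}/{prefix}")
        cur += size
    return blocks


def stdlib_cidrs(first: str, last: str) -> list:
    """Same decomposition via the standard library, used as a cross-check."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]


def pf_list_addresses(entries) -> set:
    """Expand a pf-style address list into the set of IPv4 hosts it matches.

    Assumed model of pf table semantics: a '!' entry excludes its addresses
    from those the positive entries add, and host bits in a prefix such as
    80.252.2.3/30 are masked off (so it means 80.252.2.0/30).
    """
    positive, negative = set(), set()
    for entry in entries:
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        (negative if entry.startswith("!") else positive).update(net)
    return positive - negative


def same_coverage(first: str, last: str, entries) -> bool:
    """True when the pf list matches exactly the hosts first..last, no more."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    wanted = {ipaddress.IPv4Address(i) for i in range(lo, hi + 1)}
    return pf_list_addresses(entries) == wanted


if __name__ == "__main__":
    first, last = "80.252.2.4", "80.252.2.127"
    print("minimal CIDR list:", range_to_cidrs(first, last))
    for spec in (["80.252.2.0/25", "!80.252.2.3/30"],
                 ["80.252.2.64/26", "80.252.2.32/27", "80.252.2.16/28",
                  "80.252.2.8/29", "80.252.2.4/30"],
                 ["80.252.2.0/25"]):
        print(spec, "covers exactly the range:", same_coverage(first, last, spec))
```

The third spec in the demo (the bare /25) shows why the check matters: it quietly admits 80.252.2.0 - 80.252.2.3 as well, which is exactly the kind of over-broad match a hand-written netmask list tends to introduce.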
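Stefan's reply to Tom above makes two points that are easy to check on a capture: whether the packets you see are connection attempts or replies (David's direction question), and whether one source is opening new connections faster than a per-source rate limit such as pf's max-src-conn-rate would allow. The Python below is an editor's added example, not code from the thread or from pf. It parses tcpdump lines in the format Tom quoted, separates plain SYNs (attempts) from SYN-ACKs (replies, recognisable by the `ack` field even without `-e`), and applies a sliding-window new-connection count per source. The capture is constructed, uses RFC 5737 documentation addresses, and the rate check models pf's measure over capture lines rather than pf's own state accounting.

```python
import re
from collections import defaultdict, deque
from typing import Optional

# Constructed sample capture in the same (2008-era) tcpdump format as the
# thread, using RFC 5737 documentation addresses: one source fires a burst of
# SYNs at many addresses of a /24, followed by one legitimate handshake.
_BURST = [
    f"21:36:53.{870312 + i * 100:06d} IP 192.0.2.77.x11 > 198.51.100.{200 + i}.domain: "
    f"S {27394048 + i * 4096}:{27394048 + i * 4096}(0) win 16384"
    for i in range(20)
]
SAMPLE_LINES = _BURST + [
    "21:36:54.100000 IP 203.0.113.5.40001 > 198.51.100.10.http: S 1000:1000(0) win 65535",
    "21:36:54.100100 IP 198.51.100.10.http > 203.0.113.5.40001: S 2000:2000(0) ack 1001 win 65535",
    "21:36:54.100200 IP 203.0.113.5.40001 > 198.51.100.10.http: . ack 2001 win 65535",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[A-Z.]+) (?P<rest>.*)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one tcpdump line; None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = m["ts"].split(":")
    src_host, src_port = m["src"].rsplit(".", 1)
    dst_host, dst_port = m["dst"].rsplit(".", 1)
    return {
        "t": int(h) * 3600 + int(mi) * 60 + float(s),
        "src": src_host, "sport": src_port,
        "dst": dst_host, "dport": dst_port,
        "syn": "S" in m["flags"],
        # in this output format a SYN-ACK is printed as "S ... ack N ..."
        "ack": "ack" in m["rest"].split(),
    }


def classify(pkt: dict) -> str:
    """'syn' = a connection attempt, 'syn-ack' = a host answering one."""
    if pkt["syn"] and not pkt["ack"]:
        return "syn"
    if pkt["syn"] and pkt["ack"]:
        return "syn-ack"
    return "other"


def traffic_summary(lines) -> dict:
    """Count attempts versus replies: plain SYNs sourced from outside your range
    are inbound attempts, SYN-ACKs sourced from your hosts are the replies."""
    counts = {"syn": 0, "syn-ack": 0, "other": 0}
    for line in lines:
        pkt = parse_line(line)
        if pkt is not None:
            counts[classify(pkt)] += 1
    return counts


def syn_rate_offenders(lines, max_conns: int, seconds: float) -> dict:
    """Sources that send more than max_conns plain SYNs inside any window of
    `seconds`, the per-source measure pf's max-src-conn-rate limits on
    (pf itself counts state creations, not capture lines). Lines must be
    in time order. Returns {source: peak SYN count seen in one window}."""
    windows = defaultdict(deque)
    peak = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or classify(pkt) != "syn":
            continue
        w = windows[pkt["src"]]
        w.append(pkt["t"])
        while pkt["t"] - w[0] > seconds:      # drop SYNs older than the window
            w.popleft()
        if len(w) > max_conns:
            peak[pkt["src"]] = max(peak.get(pkt["src"], 0), len(w))
    return peak


if __name__ == "__main__":
    print(traffic_summary(SAMPLE_LINES))
    # 15 new connections per 5 seconds, the shape of "max-src-conn-rate 15/5"
    print(syn_rate_offenders(SAMPLE_LINES, 15, 5))
```

On the sample, the burst source is the only one flagged and the replying server is not, because its packets carry `ack`. Tom's quoted lines have no `ack` field, so by this reading they are inbound attempts at his /24, which is what he concluded.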
From owner-freebsd-pf@FreeBSD.ORG Fri Aug 15 14:33:55 2008
From: "Alexandre Biancalana"
To: freebsd-pf@freebsd.org
Date: Fri, 15 Aug 2008 11:08:38 -0300
Message-ID: <8e10486b0808150708j304524e4nade3c215187092a7@mail.gmail.com>
Subject: why BAD state messages

Hi list,

I'm experiencing some problems with blocked connections because of bad states
but I need some more information about why this is happening, if this is
timeout between tcp handshake, or state creation or application trying to
talk on closed connection.

I have two FreeBSD 7-STABLE with PF, carp, pfsync and max carpdev patch and
two application servers (jboss) that listen on port 9090 behind these
firewalls, some connections from external clients off these appservers are
(apparently random) being blocked, enabling loud (pfctl -x loud) I can see in
/var/log/messages the following messages:

kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 10.10.110.34:52347 [lo=3922530250 high=3922595445 win=65535 modulator=0] [lo=3059100500 high=3059158735 win=65195 modulator=0] 4:4 S seq=398900533 (398900533) ack=3059100500 len=0 ackskew=0 pkts=6:20 dir=in,fwd
kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 10.10.110.34:50668 [lo=395881033 high=395946233 win=65535 modulator=0] [lo=3568232053 high=3568290288 win=65200 modulator=0] 4:4 S seq=2480335288 (2480335288) ack=3568232053 len=0 ackskew=0 pkts=6:20 dir=in,fwd
kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 10.10.110.34:51582 [lo=3528357041 high=3528421509 win=65535 modulator=0] [lo=3809540772 high=3809605893 win=64468 modulator=0] 9:9 S seq=3810516558 (3810516558) ack=3809540772 len=0 ackskew=0 pkts=6:5 dir=in,fwd
kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 10.10.110.34:50668 [lo=395881033 high=395946233 win=65535 modulator=0] [lo=3568232053 high=3568290288 win=65200 modulator=0] 4:4 S seq=2480335288 (2480335288) ack=3568232053 len=0 ackskew=0 pkts=6:20 dir=in,fwd
kernel: pf: BAD state: TCP 10.10.6.18:9090 10.10.6.18:9090 10.10.81.242:2434 [lo=538716318 high=538780855 win=65535 modulator=0] [lo=1004209856 high=1004274961 win=64537 modulator=0] 4:9 S seq=1634723484 (1634723484) ack=1004209856 len=0 ackskew=0 pkts=5:4 dir=in,fwd

I tried to set custom tcp timeout options in these rules but this does not help

pass log proto tcp from any to { $apphpr01 $apphpr02 } port { 9090 } \
    keep state (tcp.opening 60, tcp.closed 180, tcp.finwait 90)

Any ideas on how can I know why these connections are being blocked ??

I can provide any additional information needed.

Regards,
Alexandre
I can provide any additional information needed. Regards, Alexandre From owner-freebsd-pf@FreeBSD.ORG Fri Aug 15 14:58:19 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A1EDF1065676 for ; Fri, 15 Aug 2008 14:58:19 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.186]) by mx1.freebsd.org (Postfix) with ESMTP id 240688FC1A for ; Fri, 15 Aug 2008 14:58:19 +0000 (UTC) (envelope-from max@love2party.net) Received: from vampire.homelinux.org (dslb-088-066-037-045.pools.arcor-ip.net [88.66.37.45]) by mrelayeu.kundenserver.de (node=mrelayeu6) with ESMTP (Nemesis) id 0ML29c-1KU0kr2WZQ-0001a9; Fri, 15 Aug 2008 16:58:18 +0200 Received: (qmail 51220 invoked from network); 15 Aug 2008 14:58:15 -0000 Received: from fbsd8.laiers.local (192.168.4.151) by mx.laiers.local with SMTP; 15 Aug 2008 14:58:15 -0000 From: Max Laier Organization: FreeBSD To: freebsd-pf@freebsd.org Date: Fri, 15 Aug 2008 16:58:15 +0200 User-Agent: KMail/1.10.0 (FreeBSD/8.0-CURRENT; KDE/4.1.0; i386; ; ) References: <8e10486b0808150708g200727b8sc2f4993eee9f5248@mail.gmail.com> In-Reply-To: <8e10486b0808150708g200727b8sc2f4993eee9f5248@mail.gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200808151658.15440.max@love2party.net> X-Provags-ID: V01U2FsdGVkX18MxRge4u3ja76yf7sv0LVRN9EZLSHk+sZU0C/ Jx0Hrwr6u2WtKI54JZ4E2vpYS60mFmyZMIQXfGiK9YeiW4Is6s +nWaf9OHSV7OfD/zQkQFg== Cc: Subject: Re: why BAD state messages X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 15 Aug 2008 14:58:19 -0000 On Friday 15 August 2008 16:08:38 
Alexandre Biancalana wrote: > Hi list, > > I'm experiencing some problems with blocked connections because of > bad states but I need some more information about why this is > happening, if this is timeout between tcp handshake, or state creation > or application trying to talk on closed connection. > > I have two FreeBSD 7-STABLE with PF, carp, pfsync and max carpdev > patch and two application servers (jboss) that listen on port 9090 > behind this firewalls, some connections from external clients off this > appservers are (apparently random) being blocked, enabling loud (pfctl > -x loud) I can see in /var/log/messages the following messages: > > kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 > 10.10.110.34:52347 [lo=3922530250 high=3922595445 win=65535 > modulator=0] [lo=3059100500 high=3059158735 win=65195 modulator=0] 4:4 > S seq=398900533 (398900533) ack=3059100500 len=0 ackskew=0 pkts=6:20 > dir=in,fwd > kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 > 10.10.110.34:50668 [lo=395881033 high=395946233 win=65535 modulator=0] > [lo=3568232053 high=3568290288 win=65200 modulator=0] 4:4 S > seq=2480335288 (2480335288) ack=3568232053 len=0 ackskew=0 pkts=6:20 > dir=in,fwd > kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 > 10.10.110.34:51582 [lo=3528357041 high=3528421509 win=65535 > modulator=0] [lo=3809540772 high=3809605893 win=64468 modulator=0] 9:9 > S seq=3810516558 (3810516558) ack=3809540772 len=0 ackskew=0 pkts=6:5 > dir=in,fwd > kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 > 10.10.110.34:50668 [lo=395881033 high=395946233 win=65535 modulator=0] > [lo=3568232053 high=3568290288 win=65200 modulator=0] 4:4 S > seq=2480335288 (2480335288) ack=3568232053 len=0 ackskew=0 pkts=6:20 > dir=in,fwd > kernel: pf: BAD state: TCP 10.10.6.18:9090 10.10.6.18:9090 > 10.10.81.242:2434 [lo=538716318 high=538780855 win=65535 modulator=0] > [lo=1004209856 high=1004274961 win=64537 modulator=0] 4:9 S > seq=1634723484 (1634723484) 
ack=1004209856 len=0 ackskew=0 pkts=5:4 > dir=in,fwd > > I tried to set custom tcp timeout options in this rules but this does not > help > > pass log proto tcp from any to { $apphpr01 $apphpr02 } port { 9090 } > keep state (tcp.opening 60, tcp.closed 180, tcp.finwait 90) > > > Any ideas on how can I know why this connections are being blocked ?? > I can provide any additional information needed. The blocked packets are SYNs. That means you are trying to reuse a port. This works if the state on both sides is >= FIN_WAIT2 (9) and you have pf.c r181291 (or one that has it merged). CVS rev 1.55 or 1.46.2.3 (RELENG_7) or apply the following patch: http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf.c.diff?r1=1.54;r2=1.55 This should fix the instances above where it says "...] 9:9 S ..." The others might be an artifact from pfsync or asymmetric routing? You can also mitigate the problem by giving your clients and the pf-forwarding a larger port range for outgoing connections. This is a typical problem if you open a large number of connections from one client (or load balancer) to one server. You can only have so many open at a given time. Check if you can enable streaming mode somehow. 
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 15 15:03:21 2008
From: "B O'Reilly"
References: <20080808120026.58759106569E@hub.freebsd.org>
Date: Fri, 15 Aug 2008 10:48:40 -0400
Subject: Re: syn flood, tcpdump readings (Tom Huppi)

Tom,

Start by hardening the server (I know this isn't pf specific, but it needs to be done). A guide to hardening FreeBSD: http://www.bsdguides.org/guides/freebsd/security/harden.php. Enable the "configure FreeBSD to drop SYN/FIN packets" section and monitor the results.

Drop known garbage using pf, e.g.:

block drop in quick from to any

Ports to look into: lockdown and mod_security. I use the denyhost database to drop any connections from the list for a 24 hr period.

Regards

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 15 16:26:31 2008
Message-ID: <8e10486b0808150926m7e25bcedw34b24c2e7707e445@mail.gmail.com>
Date: Fri, 15 Aug 2008 13:26:31 -0300
From: "Alexandre Biancalana"
To: "Max Laier"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <200808151658.15440.max@love2party.net>
References: <8e10486b0808150708g200727b8sc2f4993eee9f5248@mail.gmail.com> <200808151658.15440.max@love2party.net>
Subject: Re: why BAD state messages

On 8/15/08, Max Laier wrote:
> On Friday 15 August 2008 16:08:38 Alexandre Biancalana wrote:
> > Hi list,
> >
> > I'm experiencing some problems with blocked connections because of bad
> > states, but I need some more information about why this is happening:
> > whether it is a timeout during the TCP handshake, state creation, or an
> > application trying to talk on a closed connection.
> >
> > I have two FreeBSD 7-STABLE boxes with PF, carp, pfsync and Max's carpdev
> > patch, and two application servers (jboss) that listen on port 9090
> > behind these firewalls. Some connections from external clients of these
> > appservers are (apparently at random) being blocked. After enabling loud
> > debugging (pfctl -x loud) I can see the following messages in
> > /var/log/messages:
> >
> > kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 10.10.110.34:52347 [lo=3922530250 high=3922595445 win=65535 modulator=0] [lo=3059100500 high=3059158735 win=65195 modulator=0] 4:4 S seq=398900533 (398900533) ack=3059100500 len=0 ackskew=0 pkts=6:20 dir=in,fwd
> > kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 10.10.110.34:50668 [lo=395881033 high=395946233 win=65535 modulator=0] [lo=3568232053 high=3568290288 win=65200 modulator=0] 4:4 S seq=2480335288 (2480335288) ack=3568232053 len=0 ackskew=0 pkts=6:20 dir=in,fwd
> > kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 10.10.110.34:51582 [lo=3528357041 high=3528421509 win=65535 modulator=0] [lo=3809540772 high=3809605893 win=64468 modulator=0] 9:9 S seq=3810516558 (3810516558) ack=3809540772 len=0 ackskew=0 pkts=6:5 dir=in,fwd
> > kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 10.10.110.34:50668 [lo=395881033 high=395946233 win=65535 modulator=0] [lo=3568232053 high=3568290288 win=65200 modulator=0] 4:4 S seq=2480335288 (2480335288) ack=3568232053 len=0 ackskew=0 pkts=6:20 dir=in,fwd
> > kernel: pf: BAD state: TCP 10.10.6.18:9090 10.10.6.18:9090 10.10.81.242:2434 [lo=538716318 high=538780855 win=65535 modulator=0] [lo=1004209856 high=1004274961 win=64537 modulator=0] 4:9 S seq=1634723484 (1634723484) ack=1004209856 len=0 ackskew=0 pkts=5:4 dir=in,fwd
> >
> > I tried to set custom TCP timeout options in this rule, but this does not
> > help:
> >
> > pass log proto tcp from any to { $apphpr01 $apphpr02 } port { 9090 } keep state (tcp.opening 60, tcp.closed 180, tcp.finwait 90)
> >
> > Any ideas on how I can find out why these connections are being blocked?
> > I can provide any additional information needed.
>
> The blocked packets are SYNs. That means you are trying to reuse a port.
> This works if the state on both sides is >= FIN_WAIT2 (9) and you have pf.c
> r181291 (or one that has it merged). CVS rev 1.55 or 1.46.2.3 (RELENG_7), or
> apply the following patch:
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf.c.diff?r1=1.54;r2=1.55

Hi Max!

Thank you for your quick reply.

Looking at this machine's pf.c, it looks too old:

# grep FBSD /usr/src/sys/contrib/pf/net/pf.c
__FBSDID("$FreeBSD: src/sys/contrib/pf/net/pf.c,v 1.46.2.1 2007/11/25 19:26:46 mlaier Exp $");

I will do a csup, rebuild the kernel and see how this improves the situation.

> This should fix the instances above where it says "...] 9:9 S ...". The others
> might be an artifact from pfsync or asymmetric routing? You can also mitigate
> the problem by giving your clients and the pf-forwarding a larger port range
> for outgoing connections. This is a typical problem if you open a large
> number of connections from one client (or load balancer) to one server. You
> can only have so many open at a given time. Check if you can enable streaming
> mode somehow.

Looking at the logs I did some math on each state pair:

9:9    6174 times
4:4    3283 times
4:9    2611 times
10:10  1382 times
2:0     878 times
9:4     520 times

How can I give a larger range for outgoing connections if the clients connect directly to the servers? In this case I don't have any rdr rule.

Thank you again!
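As an added example (not code from the thread or from pf itself), the script below parses BAD state lines of the shape quoted above, counts the src:dst state pairs the way Alexandre did by hand, and sorts each SYN by Max's rule of thumb about both sides being at FIN_WAIT_2 or later. The TCP state names come from sys/netinet/tcp_fsm.h; the sample input reuses three lines from the report plus one constructed, unrelated syslog line.

```python
import re
from collections import Counter

# Numeric TCP states as pf prints them (values from sys/netinet/tcp_fsm.h):
# "9:9" in the report is FIN_WAIT_2 on both sides, "4:4" is ESTABLISHED.
TCP_STATES = {0: "CLOSED", 1: "LISTEN", 2: "SYN_SENT", 3: "SYN_RECEIVED",
              4: "ESTABLISHED", 5: "CLOSE_WAIT", 6: "FIN_WAIT_1", 7: "CLOSING",
              8: "LAST_ACK", 9: "FIN_WAIT_2", 10: "TIME_WAIT"}
FIN_WAIT_2 = 9

# Field order as in the lines quoted in the report: three address:port pairs,
# two sequence windows, src:dst state, TCP flags, then the offending packet.
BAD_STATE_RE = re.compile(
    r"pf: BAD state: TCP \S+ \S+ (?P<ext>\S+) "
    r"\[lo=\d+ high=\d+ win=\d+ modulator=\d+\] \[lo=\d+ high=\d+ win=\d+ modulator=\d+\] "
    r"(?P<src>\d+):(?P<dst>\d+) (?P<flags>\S+) seq=(?P<seq>\d+) \(\d+\) ack=\d+ len=\d+ ackskew=-?\d+ pkts=\d+:\d+ dir=(?P<dir>\S+)")

def parse_bad_state(line):
    """Return the fields of one BAD state line, or None for any other line."""
    m = BAD_STATE_RE.search(line)
    if m is None:
        return None
    return {"peer": m["ext"].rsplit(":", 1)[0],  # remote host without the port
            "src_state": int(m["src"]), "dst_state": int(m["dst"]),
            "flags": m["flags"], "seq": int(m["seq"]), "dir": m["dir"]}

def classify(rec):
    """Max's rule of thumb: a bare SYN against a state with both sides at
    FIN_WAIT_2 or later is a client reusing a port on a connection pf still
    tracks (what pf.c 1.55 addresses); any other SYN goes to "other", the
    bucket he suggests checking pfsync and asymmetric routing for."""
    if rec["flags"] != "S":
        return "not-a-syn"
    if rec["src_state"] >= FIN_WAIT_2 and rec["dst_state"] >= FIN_WAIT_2:
        return "port-reuse"
    return "other"

def tally(lines):
    """Count state pairs (as in the report), verdicts and remote hosts."""
    pairs, verdicts, peers = Counter(), Counter(), Counter()
    for rec in filter(None, map(parse_bad_state, lines)):
        pairs["%d:%d" % (rec["src_state"], rec["dst_state"])] += 1
        verdicts[classify(rec)] += 1
        peers[rec["peer"]] += 1
    return pairs, verdicts, peers

# Sample input: three lines quoted from the report plus one constructed,
# unrelated syslog line to show that non-matching lines are skipped.
SAMPLE_LOG = [
    "kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 10.10.110.34:52347 "
    "[lo=3922530250 high=3922595445 win=65535 modulator=0] [lo=3059100500 high=3059158735 "
    "win=65195 modulator=0] 4:4 S seq=398900533 (398900533) ack=3059100500 len=0 ackskew=0 pkts=6:20 dir=in,fwd",
    "kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 10.10.110.34:51582 "
    "[lo=3528357041 high=3528421509 win=65535 modulator=0] [lo=3809540772 high=3809605893 "
    "win=64468 modulator=0] 9:9 S seq=3810516558 (3810516558) ack=3809540772 len=0 ackskew=0 pkts=6:5 dir=in,fwd",
    "kernel: pf: BAD state: TCP 10.10.6.18:9090 10.10.6.18:9090 10.10.81.242:2434 "
    "[lo=538716318 high=538780855 win=65535 modulator=0] [lo=1004209856 high=1004274961 "
    "win=64537 modulator=0] 4:9 S seq=1634723484 (1634723484) ack=1004209856 len=0 ackskew=0 pkts=5:4 dir=in,fwd",
    "kernel: carp0: link state changed to UP",  # constructed filler line
]

if __name__ == "__main__":
    pairs, verdicts, peers = tally(SAMPLE_LOG)
    for pair, n in pairs.most_common():  # same shape as the counts in the thread
        print(pair, "/".join(TCP_STATES[int(s)] for s in pair.split(":")), n, "times")
    print("verdicts:", dict(verdicts), "peers:", dict(peers))
```

Run it against the real file with `tally(open("/var/log/messages"))`; a single remote host dominating the "port-reuse" bucket is the one-client-many-connections pattern Max describes.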
From owner-freebsd-pf@FreeBSD.ORG Fri Aug 15 17:30:46 2008
Date: Fri, 15 Aug 2008 10:30:46 -0700
From: Jeremy Chadwick
To: Alexandre Biancalana
Cc: freebsd-pf@freebsd.org
Message-ID: <20080815173046.GA99454@eos.sc1.parodius.com>
References: <8e10486b0808150708g200727b8sc2f4993eee9f5248@mail.gmail.com> <200808151658.15440.max@love2party.net> <8e10486b0808150926m7e25bcedw34b24c2e7707e445@mail.gmail.com>
In-Reply-To: <8e10486b0808150926m7e25bcedw34b24c2e7707e445@mail.gmail.com>
Subject: Re: why BAD state messages

On Fri, Aug 15, 2008 at 01:26:31PM -0300, Alexandre Biancalana wrote:
> Looking at the logs I did some math on each state pair:
>
> 9:9    6174 times
> 4:4    3283 times
> 4:9    2611 times
> 10:10  1382 times
> 2:0     878 times
> 9:4     520 times

pfctl -s info will show a total counter for this (and some other oddities, but the majority are probably for what Max has described above), called state-mismatch.

> How can I give a larger range for outgoing connections if the clients
> connect directly to the servers? In this case I don't have any rdr
> rule.

Clients connecting ***to*** the FreeBSD server would be considered an incoming connection, not an outgoing one.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |