From owner-freebsd-pf@FreeBSD.ORG Sun Aug 17 22:21:14 2008
Date: Sun, 17 Aug 2008 19:21:13 -0300
From: "Alexandre Biancalana"
To: freebsd-pf@freebsd.org
Subject: Re: why BAD state messages
Message-ID: <8e10486b0808171521l1e07c3eay4e462a5599b08a79@mail.gmail.com>
In-Reply-To: <20080815173046.GA99454@eos.sc1.parodius.com>

On 8/15/08, Jeremy Chadwick wrote:
> On Fri, Aug 15, 2008 at 01:26:31PM -0300, Alexandre Biancalana wrote:
> > Looking at the logs I made some math on each state
> >
> > 9:9     6174 times
> > 4:4     3283 times
> > 4:9     2611 times
> > 10:10   1382 times
> > 2:0      878 times
> > 9:4      520 times
>
> pfctl -s info will show a total counter for this (and some other
> oddities, but the majority are probably for what Max has described
> above), called state-mismatch.

I know that.

> > How can I give a larger range for outgoing connections if the clients
> > connect directly to the servers? In this case I don't have any rdr
> > rule.
>
> Clients connecting ***to*** the FreeBSD server would be considered an
> incoming connection, not an outgoing one.

I know that too. What I don't know is how to give a larger range to the
connections originated from the clients.

After doing csup and applying Max's carpdev patch, I get the following
error running make buildkernel:

[...]
cc -c -O2 -frename-registers -pipe -fno-strict-aliasing -std=c99 -g -Wall
-Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes
-Wpointer-arith -Winline -Wcast-qual -Wundef -Wno-pointer-sign
-fformat-extensions -nostdinc -I.
-I/usr/src/sys -I/usr/src/sys/contrib/altq -D_KERNEL
-DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h -fno-common
-finline-limit=8000 --param inline-unit-growth=100
--param large-function-growth=1000 -mcmodel=kernel -mno-red-zone
-mfpmath=387 -mno-sse -mno-sse2 -mno-mmx -mno-3dnow -msoft-float
-fno-asynchronous-unwind-tables -ffreestanding -Werror
/usr/src/sys/netinet/ip_carp.c
cc1: warnings being treated as errors
/usr/src/sys/netinet/ip_carp.c: In function 'carp_setroute':
/usr/src/sys/netinet/ip_carp.c:394: warning: assignment from incompatible pointer type
*** Error code 1

Stop in /usr/obj/usr/src/sys/FWPRDIV.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.

Any ideas?

Regards,
Alexandre

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 18 11:06:54 2008
Date: Mon, 18 Aug 2008 11:06:54 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-Id: <200808181106.m7IB6sKT079889@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented

6 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/114567  pf    [pf] LOR pf_ioctl.c + if.c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/125467  pf    [pf] pf keep state bug while handling sessions between

10 problems total.
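On the BAD state counts in Alexandre Biancalana's message above: the pairs like 9:9 and 4:4 are the src:dst TCP state numbers that pf prints in every "pf: BAD state:" line, right after the two [lo=... high=... ...] sequence-window blocks. The numbers are the TCPS_* values from <netinet/tcp_fsm.h> (0 CLOSED, 2 SYN_SENT, 4 ESTABLISHED, 9 FIN_WAIT_2, 10 TIME_WAIT), so 9:9 is a packet that hit a state in which both ends had already sent their FIN, and 4:4 is an established connection whose packet failed pf's sequence-window check. The script below is an added example, not code from the thread or from pf: it tallies such lines by state pair and names the states, doing in one pass what the counts in the message were made by hand. The log lines embedded in it are constructed to follow the print format in pf.c; they are only emitted once the debug level is raised to misc (pfctl -x misc), which is an assumption about the poster's setup.

```sh
#!/bin/sh
# Added example (not from the list thread): tally pf "BAD state" log lines
# by the src:dst TCP state pair pf prints after the two [lo=...] blocks, and
# name the numbers using the TCPS_* values from <netinet/tcp_fsm.h>.
# pf only logs these lines at debug level misc or higher (pfctl -x misc).
set -eu

# Read pf "BAD state" lines on stdin; print "COUNT SRC:DST SRCNAME:DSTNAME",
# most frequent pair first.
tally_bad_states() {
    awk '
    BEGIN {
        # index = TCPS_* value: 0 CLOSED ... 9 FIN_WAIT_2, 10 TIME_WAIT
        n = split("CLOSED LISTEN SYN_SENT SYN_RECEIVED ESTABLISHED CLOSE_WAIT FIN_WAIT_1 CLOSING LAST_ACK FIN_WAIT_2 TIME_WAIT", s, " ")
        for (i = 1; i <= n; i++) name[i - 1] = s[i]
    }
    /BAD state: TCP/ {
        # the pair is the N:N token immediately after the second [...] block;
        # timestamps (hh:mm:ss) and pkts=N:N never sit right after a "]"
        for (i = 2; i <= NF; i++)
            if ($i ~ /^[0-9]+:[0-9]+$/ && $(i - 1) ~ /\]$/) { count[$i]++; break }
    }
    END {
        for (p in count) {
            split(p, st, ":")
            printf "%d %s %s:%s\n", count[p], p, ((st[1] in name) ? name[st[1]] : "?"), ((st[2] in name) ? name[st[2]] : "?")
        }
    }' | sort -rn
}

# Constructed sample (documentation addresses), laid out like pf_print_state()
# output: three 9:9 hits, two 4:4, one 2:0, plus one non-BAD line to ignore.
SAMPLE_LOG='pf: BAD state: TCP 192.0.2.10:443 192.0.2.10:443 198.51.100.7:51012 [lo=3910000001 high=3910065537 win=65535 modulator=0 wscale=2] [lo=1240000001 high=1240065537 win=65535 modulator=0 wscale=7] 9:9 A seq=3910000001 (1240000001) ack=1240000001 len=0 ackskew=0 pkts=12:10 dir=in,fwd
pf: BAD state: TCP 192.0.2.10:443 192.0.2.10:443 198.51.100.7:51013 [lo=3920000001 high=3920065537 win=65535 modulator=0 wscale=2] [lo=1250000001 high=1250065537 win=65535 modulator=0 wscale=7] 9:9 A seq=3920000001 (1250000001) ack=1250000001 len=0 ackskew=0 pkts=8:7 dir=in,fwd
pf: BAD state: TCP 192.0.2.10:443 192.0.2.10:443 198.51.100.7:51014 [lo=3930000001 high=3930065537 win=65535 modulator=0 wscale=2] [lo=1260000001 high=1260065537 win=65535 modulator=0 wscale=7] 9:9 R seq=3930000001 (1260000001) ack=0 len=0 ackskew=0 pkts=9:9 dir=in,fwd
pf: BAD state: TCP 192.0.2.10:22 192.0.2.10:22 203.0.113.4:40001 [lo=100001 high=165537 win=65535 modulator=0] [lo=200001 high=265537 win=65535 modulator=0] 4:4 PA seq=300000 (200001) ack=100001 len=48 ackskew=0 pkts=120:118 dir=in,fwd
pf: BAD state: TCP 192.0.2.10:22 192.0.2.10:22 203.0.113.4:40002 [lo=100001 high=165537 win=65535 modulator=0] [lo=200001 high=265537 win=65535 modulator=0] 4:4 A seq=300000 (200001) ack=100001 len=0 ackskew=0 pkts=60:59 dir=in,fwd
pf: BAD state: TCP 192.0.2.10:80 192.0.2.10:80 203.0.113.9:50000 [lo=500001 high=500002 win=1 modulator=0] [lo=0 high=0 win=0 modulator=0] 2:0 A seq=500001 (0) ack=1 len=0 ackskew=0 pkts=1:0 dir=in,fwd
pf: loose state match: TCP 192.0.2.10:80 192.0.2.10:80 203.0.113.9:50001 [lo=1 high=2 win=1 modulator=0] [lo=0 high=0 win=0 modulator=0] 4:4 A seq=1 (0) ack=1 len=0 ackskew=0 pkts=1:1 dir=in,fwd'

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_LOG" | tally_bad_states ;;
    "")   ;;                              # no argument: only define functions
    *)    tally_bad_states < "$1" ;;      # e.g. sh tally.sh /var/log/messages
esac
```

"sh tally.sh demo" prints the three pairs from the sample, most frequent first; pointing it at the real log gives the same table as in the message, with the state names beside the numbers. The sum of all lines should track the state-mismatch counter from pfctl -s info that Jeremy Chadwick mentions, which is the quick way to check the parser is not missing lines.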
From owner-freebsd-pf@FreeBSD.ORG Mon Aug 18 22:39:02 2008
Date: Tue, 19 Aug 2008 00:14:42 +0200
From: Volker
To: FreeBSD Stable, "FreeBSD (PF)"
Subject: LOR with pf + synproxy state
Message-ID: <48A9F452.8020900@vwsoft.com>

Hi!

Last week I discovered an LOR on 7-STABLE (last build: 2008-Aug-17,
RELENG_7). I can easily recreate the problem when running a synproxy state
rule for incoming tcp connections and ssh'ing to my box. W/o using synproxy
state (keep'ing state instead), no LOR takes place.

lock order reversal:
 1st 0xc575c92c pf task mtx (pf task mtx) @ /usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:6774
 2nd 0xc521777c radix node head (radix node head) @ /usr/src/sys/net/route.c:278
KDB: stack backtrace:
db_trace_self_wrapper(c0a2fa65,e557b890,c075f315,c0a30e10,c521777c,...) at db_trace_self_wrapper+0x26
kdb_backtrace(c0a30e10,c521777c,c0a31129,c0a31129,c0a374a0,...) at kdb_backtrace+0x29
witness_checkorder(c521777c,9,c0a374a0,116,c507d000,...) at witness_checkorder+0x5e5
_mtx_lock_flags(c521777c,0,c0a374a0,116,c5fe9a00,...) at _mtx_lock_flags+0x34
rtalloc1_fib(e557b998,1,100,0,e557b994,...) at rtalloc1_fib+0x76
rtalloc_ign_fib(e557b994,100,0,e557b9b4,c5734a38,...) at rtalloc_ign_fib+0xad
in_rtalloc_ign(e557b994,100,0,692a1600,5b47f56,...) at in_rtalloc_ign+0x1f
pf_calc_mss(c62a881c,2,5b4,2,e557bb4c,...) at pf_calc_mss+0x88
pf_test_tcp(e557bb68,e557bb64,1,c56e9400,c5fe9a00,...) at pf_test_tcp+0xdf6
pf_test(1,c507d000,e557bbc4,0,0,...) at pf_test+0x1028
pf_check_in(0,e557bbc4,c507d000,1,0,...) at pf_check_in+0x39
pfil_run_hooks(c0b79ec0,e557bc18,c507d000,1,0,...) at pfil_run_hooks+0x78
ip_input(c5fe9a00,14e,800,c507d000,800,...) at ip_input+0x265
netisr_dispatch(2,c5fe9a00,10,3,0,...) at netisr_dispatch+0x55
ether_demux(c507d000,c5fe9a00,3,0,3,...) at ether_demux+0x1c1
ether_input(c507d000,c5fe9a00,c0a0391b,c57,c507d000,...) at ether_input+0x323
bge_intr(c5084000,0,c0a2b122,4b6,c4ef84e8,...) at bge_intr+0x77a
ithread_loop(c50814f0,e557bd38,c0a2af4a,305,c508cad0,...) at ithread_loop+0x155
fork_exit(c07102d0,c50814f0,e557bd38) at fork_exit+0x94
fork_trampoline() at fork_trampoline+0x8
--- trap 0, eip = 0, esp = 0xe557bd70, ebp = 0 ---
KDB: enter: witness_checkorder

exclusive sleep mutex pf task mtx r = 0 (0xc575c92c) locked @ /usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:6774
shared rw PFil hook read/write mutex r = 0 (0xc0b79ed8) locked @ /usr/src/sys/net/pfil.c:73
exclusive sx so_rcv_sx r = 0 (0xc5db208c) locked @ /usr/src/sys/kern/uipc_sockbuf.c:148
exclusive sx so_rcv_sx r = 0 (0xc551f22c) locked @ /usr/src/sys/kern/uipc_sockbuf.c:148
exclusive sleep mutex pf task mtx r = 0 (0xc575c92c) locked @ /usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:6774
shared rw PFil hook read/write mutex r = 0 (0xc0b79ed8) locked @ /usr/src/sys/net/pfil.c:73

pf rules used:

## Macros
TCPSYN="S/SA"
if_lan = "bge0"
if_wlan = "ndis0"
if_ipsec = "enc"
###########################
tcp_in = "{ ssh http mdns 9102 49101 5900 }"
udp_in = "{ mdns snmp 5029 }"
passicmp = "{ 3 4 6 9 10 11 12 17 18 }"
samba_tcp = "{ 139 445 }"
samba_udp = "{ 137 1434 }"
######################################################
table { 127/8 10/8 172.16/12 192.168/16 }
table { 224/8 239/8 }
######################################################
## GLOBAL OPTIONS
set block-policy drop
set fingerprints "/etc/pf.os"
set state-policy if-bound
set skip on lo0
set optimization conservative
###########################
## TRAFFIC NORMALIZATION
scrub all random-id fragment reassemble reassemble tcp
###########################
## TRANSLATION RULES (NAT)
nat on $if_lan -> ($if_lan)
nat on $if_wlan -> ($if_wlan)
######################################################
## FILTER RULES
block quick on lo0 proto {tcp udp} from any to any port biff
pass quick on lo0 all
antispoof log quick for { $if_lan $if_wlan }
block drop log all
block return in quick proto { tcp udp } from any to any port auth
###########################
# IPSEC VPN
###########################
pass log quick on {$if_lan $if_wlan} proto udp from any \
    to any port isakmp keep state
pass log quick on {$if_lan $if_wlan} proto udp from any \
    to any port isakmp keep state
pass quick log on {$if_lan $if_wlan} proto { ah, esp } from any \
    to any keep state
pass quick log on {$if_lan $if_wlan} proto { ah, esp } from any \
    to any keep state
pass quick log on $if_ipsec from any to any keep state
###########################
# ICMP
###########################
pass quick log on {$if_lan $if_wlan} proto icmp from any to any \
    tag PASSOK keep state
pass quick log inet proto icmp all icmp-type $passicmp keep state \
    (max 2, max-src-states 1, max-src-nodes 1, source-track rule )
pass in quick log on {$if_lan $if_wlan} proto icmp from any to any \
    keep state probability 50%
###########################
# out traffic
###########################
pass out log quick on {$if_lan $if_wlan} all flags $TCPSYN keep state
###########################
# in traffic
###########################
# allow broadcasts + samba - don't log
pass quick on $if_lan from any to ($if_lan:broadcast)
pass quick on $if_wlan from any to ($if_wlan:broadcast)
pass quick on {$if_lan $if_wlan} from any to 255.255.255.255
pass in log on {$if_lan $if_wlan} proto tcp \
    from any to any port $tcp_in \
    flags $TCPSYN synproxy state    # change to 'keep state' here to avoid LOR
pass in log on {$if_lan $if_wlan} proto tcp from any port $tcp_in \
    to any flags $TCPSYN synproxy state    # change to 'keep state' here to avoid LOR
pass in log on {$if_lan $if_wlan} proto udp from any \
    to any port $udp_in keep state
pass in log on {$if_lan $if_wlan} proto udp from any port $udp_in \
    to any keep state
pass quick on {$if_lan $if_wlan} from any to # EOF

That LOR may be the same as reported here before (2007-12) - haven't
checked the old sources (will verify if it's worth the time to confirm):
http://unix.derkeiler.com/Mailing-Lists/FreeBSD/net/2007-12/msg00150.html

`uname -a`:
FreeBSD cesar.sz.vwsoft.com 7.0-STABLE FreeBSD 7.0-STABLE #38: Sun Aug 17 15:12:10
CEST 2008 root@cesar.sz.vwsoft.com:/usr/obj/usr/src/sys/CESAR i386

Volker

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 20 07:59:50 2008
Date: Wed, 20 Aug 2008 09:38:48 +0200
From: Morgan Wesström
To: freebsd-pf@freebsd.org
Subject: ALTQ weirdness
Message-ID: <48ABCA08.6010203@pp.dyndns.biz>

Hi.

For five years I've used ALTQ to shape the upload of my DSL connection and
it has worked very well. All details can be found further down in this mail
but the basic setup is a default CBQ queue with 10% of the bandwidth and
another queue for the remaining 90% with three child queues where I put
traffic I want to prioritize. All queues can borrow bandwidth from each
other. When the prio queues are fully utilized the default queue falls back
to 10% just as expected.

The strange thing happens if I saturate my DOWNLOAD at this point. The
default queue is then suddenly able to "steal" much more than its 10% share
even though the demand for bandwidth in the prio queues is unchanged at
max. The behaviour can be seen in the lower of the pfstat graphs here at
-1.5 hours:

http://pp.dyndns.biz/altq-weirdness.png

The red spike is the TCP ACKs from the download which are correctly put in
the highest priority child queue. Another download can be seen at -6 hours
but it doesn't saturate the download bandwidth and the default queue
remains at 10% there.

Obviously there is something I'm doing wrong and don't understand and I'm
just curious what it is so I can make the queues behave exactly the way I
intended.

Queue definitions from /etc/pf.conf:

altq on $ext_if cbq bandwidth $up_limit queue {q_def, q_pri}
queue q_def bandwidth 10% qlimit 400 cbq( borrow default )
queue q_pri bandwidth 90% cbq( borrow ) {q_hv, q_p2p, q_p1, q_p2}
queue q_hv bandwidth 10% priority 2 cbq( borrow )
queue q_p2p bandwidth 10% priority 3 cbq( borrow )
queue q_p1 bandwidth 20% priority 5 cbq( borrow )
queue q_p2 bandwidth 60% priority 7 cbq( borrow )

# uname -a
FreeBSD gatekeeper.pp.dyndns.biz 7.0-RELEASE-p3 FreeBSD 7.0-RELEASE-p3 #1: Fri Aug 15 14:12:27 CEST 2008 pp@gatekeeper.pp.dyndns.biz:/usr/obj/usr/src/sys/MYKERNEL amd64

This is on amd64 but I experienced the exact same behaviour on my old
router running FreeBSD 6.3/i386.

Kind regards
Morgan Wesström

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 20 13:21:23 2008
Date: Wed, 20 Aug 2008 14:56:01 +0200
From: "Erik Danielsson"
To: freebsd-pf@freebsd.org
Subject: Limiting bandwidth

Hello,

I'm using PF together with ALTQ, but my need of limiting bandwidth has
changed. I need to be able to limit the bandwidth from/to a certain IP
range, but only once a specific amount of data has been transferred from/to
that IP range. At midnight I want the counter to be reset, and everything
should start over.

For example, I want to allow, let's say 10 GiB from e.g. 192.168.0.1/24, and
once the 10GiB limit has been reached, I want to limit the bandwidth to xx
kbits/s until midnight.

Any ideas how to accomplish this, can it be done using PF and ALTQ?

Regards
Erik Danielsson

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 20 13:42:05 2008
Date: Wed, 20 Aug 2008 15:27:42 +0200
From: Jille
To: Erik Danielsson
Cc: freebsd-pf@freebsd.org
Subject: Re: Limiting bandwidth
Message-ID: <48AC1BCE.3050109@quis.cx>

Erik Danielsson wrote:
> Hello,
>
> I'm using PF together with ALTQ, but my need of limiting bandwidth has
> changed. I need to be able to limit the bandwidth from/to a certain IP
> range, but only once a specific amount of data has been transferred from/to
> that IP range. At midnight I want the counter to be reset, and everything
> should start over.
>
> For example, I want to allow, let's say 10 GiB from e.g. 192.168.0.1/24, and
> once the 10GiB limit has been reached, I want to limit the bandwidth to xx
> kbits/s until midnight.
> Any ideas how to accomplish this, can it be done using PF and ALTQ?
>
afaik, you can only limit the bandwidth with pf/altq and not count the total
usage, and use that in rules.
The best you can do (I think) is let pf create stats of the used bandwidth,
and let some script check whether they reached the 10GiB limit, and if so
add that rule to a table that limits bandwidth, and a script that resets the
counters at midnight and flushes the table.

-- 
Jille

> Regards
> Erik Danielsson
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 20 13:43:39 2008
Date: Wed, 20 Aug 2008 16:26:37 +0300
From: Oleksandr Samoylyk
To: Erik Danielsson
Cc: freebsd-pf@freebsd.org
Subject: Re: Limiting bandwidth

Erik Danielsson wrote:
> Hello,
>
> I'm using PF together with ALTQ, but my need of limiting bandwidth has
> changed. I need to be able to limit the bandwidth from/to a certain IP
> range, but only once a specific amount of data has been transferred from/to
> that IP range. At midnight I want the counter to be reset, and everything
> should start over.
>
> For example, I want to allow, let's say 10 GiB from e.g. 192.168.0.1/24, and
> once the 10GiB limit has been reached, I want to limit the bandwidth to xx
> kbits/s until midnight.
>
> Any ideas how to accomplish this, can it be done using PF and ALTQ?
>
Probably by means of external scripts which regenerate pf rules as cron jobs?
:)

-- 
Oleksandr Samoylyk
OVS-RIPE

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 20 14:27:41 2008
Date: Wed, 20 Aug 2008 16:13:01 +0200
From: Leslie Jensen
To: freebsd-pf@freebsd.org
Subject: port stealth mode?
Message-ID: <48AC266D.2030902@eskk.nu>

Hello

I've done some testing with Steve Gibson's "Shields up"

https://www.grc.com/x/ne.dll?bh0bkyd2

These tests list the ports as closed but visible.

Instead the site suggests that one uses stealth so that the ports are not
visible from the Internet.

Is there a way to achieve this with PF?

Thanks
Leslie

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 20 14:38:55 2008
Date: Wed, 20 Aug 2008 07:38:55 -0700
From: Jeremy Chadwick
To: Leslie Jensen
Cc: freebsd-pf@freebsd.org
Subject: Re: port stealth mode?
Message-ID: <20080820143855.GA40160@eos.sc1.parodius.com>
In-Reply-To: <48AC266D.2030902@eskk.nu>
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Aug 2008 14:38:55 -0000 On Wed, Aug 20, 2008 at 04:13:01PM +0200, Leslie Jensen wrote: > I've done some testing with Steve Gibsons "Shields up" > https://www.grc.com/x/ne.dll?bh0bkyd2 > > These tests lists the ports as closed but visible. > > Instead the site suggest that one uses stealth so that the ports are not > visible from the Internet. > > Is there a way to achieve this with PF? The "block" directive, along with "set block-policy drop" should suffice for accomplishing this in pf. -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB | From owner-freebsd-pf@FreeBSD.ORG Wed Aug 20 14:48:05 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EBC49106567A for ; Wed, 20 Aug 2008 14:48:05 +0000 (UTC) (envelope-from glen.j.barber@gmail.com) Received: from mail-gx0-f17.google.com (mail-gx0-f17.google.com [209.85.217.17]) by mx1.freebsd.org (Postfix) with ESMTP id A296B8FC20 for ; Wed, 20 Aug 2008 14:48:05 +0000 (UTC) (envelope-from glen.j.barber@gmail.com) Received: by gxk10 with SMTP id 10so333377gxk.19 for ; Wed, 20 Aug 2008 07:48:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=H5RdTw5/ffRZxBfQ25vVnTuE+Zj53hC1btrt2su64lM=; b=SPhBqQEs/EjsvJRxILG43cBN1wqVTsErk7HpUyUJ9/HfMFeIw6NEpqW68/s1TQlWvr 
7qOFx5mAigT7lLpfJCTNInYsAQqiWrqMWaXgo+MvNgo3kq4c0/9EZPwYnzlL7MWwLCzm tjw7KVZr6b5Gsrlw2AwYf7u0sMbGJvifvxsDA= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=uY1gYOpSNrFNf1AaG2+rjBQRUDQ+5pku4CiqtjLNdchuBfT8O9yX1odMZSqMUHsQ/m Q+zwNIqETvkSpH/bfjXX/w57Pm4s27WHR6GhKyXnWzqpAAWrDmyHk09e9o8Kz6COeVGS pVBebfS9oWYxaEvMJcZTNI50g00y2LR5P+0tk= Received: by 10.150.155.13 with SMTP id c13mr199376ybe.226.1219243685028; Wed, 20 Aug 2008 07:48:05 -0700 (PDT) Received: by 10.151.8.7 with HTTP; Wed, 20 Aug 2008 07:48:04 -0700 (PDT) Message-ID: <4ad871310808200748p154b2d96t4c120278bbce4273@mail.gmail.com> Date: Wed, 20 Aug 2008 10:48:04 -0400 From: "Glen Barber" To: "Leslie Jensen" In-Reply-To: <48AC266D.2030902@eskk.nu> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <48AC266D.2030902@eskk.nu> Cc: freebsd-pf@freebsd.org Subject: Re: port stealth mode? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Aug 2008 14:48:06 -0000 There is sysctl for it. Look for tcp.blackhole and udp.blackhole. 
-- Glen Barber (570)328-0318 From owner-freebsd-pf@FreeBSD.ORG Wed Aug 20 15:06:57 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 69F6A1065673 for ; Wed, 20 Aug 2008 15:06:57 +0000 (UTC) (envelope-from freebsd@chrisbuechler.com) Received: from mail.livebsd.com (mail.livebsd.com [69.64.6.14]) by mx1.freebsd.org (Postfix) with SMTP id 083A78FC24 for ; Wed, 20 Aug 2008 15:06:56 +0000 (UTC) (envelope-from freebsd@chrisbuechler.com) Received: (qmail 94355 invoked by uid 89); 20 Aug 2008 14:38:54 -0000 Received: from unknown (HELO ?10.0.30.2?) (208.60.70.178) by 172.29.29.14 with SMTP; 20 Aug 2008 14:38:54 -0000 Message-ID: <48AC2C86.6060306@chrisbuechler.com> Date: Wed, 20 Aug 2008 10:39:02 -0400 From: Chris Buechler User-Agent: Thunderbird 2.0.0.16 (Windows/20080708) MIME-Version: 1.0 To: Leslie Jensen , freebsd-pf@freebsd.org References: <48AC266D.2030902@eskk.nu> In-Reply-To: <48AC266D.2030902@eskk.nu> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: Re: port stealth mode? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Aug 2008 15:06:57 -0000 Leslie Jensen wrote: > Hello > > I've done some testing with Steve Gibsons "Shields up" > > https://www.grc.com/x/ne.dll?bh0bkyd2 > > These tests lists the ports as closed but visible. > > Instead the site suggest that one uses stealth so that the ports are > not visible from the Internet. > > Is there a way to achieve this with PF? That's what pf does by default if you don't specify "return", "return-rst" or "return-icmp" in your block rules. 
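Pulling the three replies above together, here is an added example (mine, not code from any poster in this thread): the "return" block policy that makes blocked ports show up as "closed" beside the "drop" policy that leaves probes unanswered, the blackhole(4) sysctls Glen Barber mentions, and a small check that reads a tcpdump capture taken on the firewall and reports what an outside prober would have concluded about one port, which is the test Jeremy Chadwick does by hand later in this thread. The interface name em0, the addresses in 192.0.2.0/24, port 89 and the capture lines are all constructed.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread. Interface name,
# addresses (192.0.2.0/24) and the capture lines below are constructed.

# Weak: pf answers blocked TCP with a RST and blocked UDP with an ICMP
# unreachable, so every blocked port is reported as "closed".
pf_conf_return() {
	cat <<'EOF'
ext_if = "em0"
set block-policy return
block in on $ext_if all
pass in on $ext_if proto tcp to ($ext_if) port 22 keep state
EOF
}

# Corrected: blocked packets are dropped silently (pf's behaviour when no
# return option is given). The prober only sees its own retransmitted SYNs.
pf_conf_drop() {
	cat <<'EOF'
ext_if = "em0"
set block-policy drop
block in on $ext_if all
pass in on $ext_if proto tcp to ($ext_if) port 22 keep state
EOF
}

# Without pf, the sysctls from blackhole(4) give a similar effect for ports
# nothing listens on: tcp.blackhole=2 drops every segment to a closed TCP
# port without a RST, udp.blackhole=1 suppresses the ICMP port unreachable.
# Read the manpage's WARNING before enabling them.
blackhole_sysctls() {
	echo "net.inet.tcp.blackhole=2"
	echo "net.inet.udp.blackhole=1"
}

# Constructed captures (tcpdump text format of the time): 192.0.2.10 probes
# TCP port 89 on 192.0.2.20, with four different outcomes. Written into $1.
write_sample_captures() {
	syn='14:39:55.188088 IP 192.0.2.10.59153 > 192.0.2.20.89: S 3525520536:3525520536(0) win 65535'
	printf '%s\n' "$syn" \
	  '14:39:58.186955 IP 192.0.2.10.59153 > 192.0.2.20.89: S 3525520536:3525520536(0) win 65535' \
	  '14:40:01.386830 IP 192.0.2.10.59153 > 192.0.2.20.89: S 3525520536:3525520536(0) win 65535' \
	  > "$1/stealth.txt"
	printf '%s\n' "$syn" \
	  '14:39:55.188201 IP 192.0.2.20.89 > 192.0.2.10.59153: R 0:0(0) ack 3525520537 win 0' \
	  > "$1/closed_rst.txt"
	printf '%s\n' "$syn" \
	  '14:39:55.188240 IP 192.0.2.20 > 192.0.2.10: ICMP 192.0.2.20 tcp port 89 unreachable, length 36' \
	  > "$1/closed_icmp.txt"
	printf '%s\n' "$syn" \
	  '14:39:55.188300 IP 192.0.2.20.89 > 192.0.2.10.59153: S 88127311:88127311(0) ack 3525520537 win 65535' \
	  '14:39:55.188450 IP 192.0.2.10.59153 > 192.0.2.20.89: . ack 1 win 65535' \
	  > "$1/open.txt"
}

# probe_result CAPTURE HOST PORT: what the prober learned about HOST:PORT.
#   open    - HOST answered the SYN with a SYN/ACK
#   closed  - HOST answered with a RST or an ICMP port unreachable
#   stealth - HOST answered nothing at all
probe_result() {
	awk -v host="$2" -v port="$3" '
	BEGIN { target = host "." port }
	# fields: 1 time, 2 "IP", 3 src, 4 ">", 5 "dst:", 6 flags/ICMP, 7 seq, 8 "ack"
	$3 == target && $6 == "S" && $8 == "ack" { open = 1 }
	$3 == target && $6 == "R"                { closed = 1 }
	$3 == host && $6 == "ICMP" && $0 ~ ("port " port " unreachable") { closed = 1 }
	END {
		if (open) print "open"
		else if (closed) print "closed"
		else print "stealth"
	}' "$1"
}

if [ "${1:-}" = demo ]; then
	d=$(mktemp -d)
	write_sample_captures "$d"
	for f in open closed_rst closed_icmp stealth; do
		printf '%s: %s\n' "$f" "$(probe_result "$d/$f.txt" 192.0.2.20 89)"
	done
	rm -rf "$d"
fi
```

Run it with `sh stealth.sh demo` to see the four captures classified; on the real box, feed `probe_result` a capture taken with `tcpdump -n` on the external interface while a host you control connects to a blocked port. If the result is "closed" even though the ruleset uses `set block-policy drop`, the RST or ICMP unreachable is coming from somewhere else on the path.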
From owner-freebsd-pf@FreeBSD.ORG Wed Aug 20 17:11:17 2008
Date: Wed, 20 Aug 2008 19:11:07 +0200
From: Leslie Jensen
To: Jeremy Chadwick
Cc: freebsd-pf@freebsd.org
Message-ID: <48AC502B.8080901@eskk.nu>
In-Reply-To: <20080820143855.GA40160@eos.sc1.parodius.com>
References: <48AC266D.2030902@eskk.nu> <20080820143855.GA40160@eos.sc1.parodius.com>
Subject: Re: port stealth mode?

Jeremy Chadwick wrote:
> On Wed, Aug 20, 2008 at 04:13:01PM +0200, Leslie Jensen wrote:
>> I've done some testing with Steve Gibson's "Shields up"
>> https://www.grc.com/x/ne.dll?bh0bkyd2
>>
>> These tests list the ports as closed but visible.
>>
>> Instead the site suggests that one uses stealth so that the ports are not
>> visible from the Internet.
>>
>> Is there a way to achieve this with PF?
>
> The "block" directive, along with "set block-policy drop" should suffice
> for accomplishing this in pf.
>

Thank you Jeremy.

I had "return" instead of "drop".

Now when I do the test the ports 0, 1 and 53 are open.

I do not have any rules to allow these ports.

Any suggestions on what might be the reason for this?

/Leslie

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 20 17:16:20 2008
Date: Wed, 20 Aug 2008 19:16:11 +0200
From: Leslie Jensen
To: Jeremy Chadwick
Cc: freebsd-pf@freebsd.org
Message-ID: <48AC515B.7060409@eskk.nu>
In-Reply-To: <20080820143855.GA40160@eos.sc1.parodius.com>
References: <48AC266D.2030902@eskk.nu> <20080820143855.GA40160@eos.sc1.parodius.com>
Subject: #2... sorry typing error Re: port stealth mode?

Jeremy Chadwick wrote:
> On Wed, Aug 20, 2008 at 04:13:01PM +0200, Leslie Jensen wrote:
>> I've done some testing with Steve Gibson's "Shields up"
>> https://www.grc.com/x/ne.dll?bh0bkyd2
>>
>> These tests list the ports as closed but visible.
>>
>> Instead the site suggests that one uses stealth so that the ports are not
>> visible from the Internet.
>>
>> Is there a way to achieve this with PF?
>
> The "block" directive, along with "set block-policy drop" should suffice
> for accomplishing this in pf.
>

Thank you Jeremy.

I had "return" instead of "drop".

Now when I do the test the ports 0, 1 and 53 are closed, not dropped.

I do not have any rules to allow these ports.

Any suggestions on what might be the reason for this?

/Leslie

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 20 17:26:28 2008
Date: Wed, 20 Aug 2008 19:26:20 +0200
From: Leslie Jensen
To: freebsd-pf@freebsd.org
Message-ID: <48AC53BC.8040003@eskk.nu>
Subject: Question about icmp

When setting up PF I found the recommendation to use the following rule to allow ICMP to pass.

# macros
icmp_types="echoreq"

# filter rules
pass in inet proto icmp all icmp-type $icmp_types keep state

I do not understand why this is necessary!

Will someone please explain to me why it's necessary if I must have it, or if I can delete that rule.

Thanks

/Leslie

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 20 17:50:28 2008
Date: Wed, 20 Aug 2008 19:50:20 +0200
From: Leslie Jensen
To: freebsd-pf@freebsd.org
Message-ID: <48AC595C.2090506@eskk.nu>
Subject: A problem with variable

I've defined a variable

proxyport = "{ 8080 }"

The rule

rdr on $int_if inet proto tcp from $internal_net to any /
port $proxy_services -> $proxy port $proxyport

gives me a "Syntax error in config file:"

I use the same variable in another rule and it does not produce a "Syntax error"

pass in on $int_if inet proto tcp from $internal_net to /
$proxy port $proxyport keep state

If I change the variable in the first rule to 8080 it works.

Can someone shed some light on this?

Thanks

/Leslie

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 20 18:40:59 2008
Date: Wed, 20 Aug 2008 20:23:26 +0200
From: Nicolas KARP
To: Leslie Jensen
Cc: freebsd-pf@freebsd.org
Message-ID: <48AC611E.60007@freE.fr>
In-Reply-To: <48AC53BC.8040003@eskk.nu>
References: <48AC53BC.8040003@eskk.nu>
Subject: Re: Question about icmp

Leslie Jensen wrote:
>
> When setting up PF I found the recommendation to use the following
> rule to allow ICMP to pass.
>
> # macros
> icmp_types="echoreq"
>
> # filter rules
> pass in inet proto icmp all icmp-type $icmp_types keep state
>
> I do not understand why this is necessary!
>
> Will someone please explain to me why it's necessary if I must have
> it, or if I can delete that rule.
>
> Thanks
>
> /Leslie

Hi,

To my mind, it's just an example.. So, you can delete that rule if you don't want to permit the ping request :)

You must add an ICMP rule if you are using PMTU discovery !

Bye,
Nicos.
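As an added example (mine, not code from Leslie or Nicolas), here is the ICMP part of a pf.conf written for the two choices just discussed: answering ping is a policy decision, so the echoreq rule is switchable, while the ICMP "fragmentation needed" error that Path MTU Discovery relies on is passed in both variants. The interface name em0 and the macro names are constructed; `pfctl -nf` is the real parse-only check and is only run when pfctl is present.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread. Interface and
# macro names are constructed.

# pf_icmp_rules [ping|noping]: print ICMP filter rules. Default: noping.
pf_icmp_rules() {
	policy="${1:-noping}"
	case "$policy" in
	ping|noping) ;;
	*) echo "pf_icmp_rules: unknown policy '$policy'" >&2; return 1 ;;
	esac
	cat <<'EOF'
# macros (constructed)
ext_if = "em0"
pmtu_types = "unreach"

# Path MTU Discovery: a peer sending with DF set gets an ICMP unreachable
# with code "needfrag" when a link on the path has a smaller MTU. Drop
# those and large transfers stall. pf also matches ICMP errors against
# the TCP/UDP state they refer to; this rule makes the intent explicit
# and covers traffic that was passed without state.
pass in on $ext_if inet proto icmp all icmp-type $pmtu_types code needfrag keep state

# Our own outgoing pings; the state lets the echo replies back in.
pass out on $ext_if inet proto icmp all icmp-type echoreq keep state
EOF
	if [ "$policy" = ping ]; then
		cat <<'EOF'

# Answer ping from anywhere. Delete this rule to stop answering.
pass in on $ext_if inet proto icmp all icmp-type echoreq keep state
EOF
	else
		cat <<'EOF'

# No incoming echoreq rule: echo requests from outside fall through to
# the "block" rules and, with "set block-policy drop", go unanswered.
EOF
	fi
}

# pf_check_syntax FILE: parse FILE with pfctl without loading it, if pfctl
# is installed on this machine.
pf_check_syntax() {
	if command -v pfctl >/dev/null 2>&1; then
		pfctl -nf "$1"
	else
		echo "pfctl not available, skipping syntax check of $1" >&2
	fi
}

if [ "${1:-}" = demo ]; then
	pf_icmp_rules "${2:-noping}" > icmp-rules.conf
	pf_check_syntax icmp-rules.conf
	cat icmp-rules.conf
fi
```

`sh icmp-rules.sh demo ping` writes the variant that answers ping and checks it with pfctl where available; the generated lines are meant to be pasted into the filter section of the real pf.conf, below the block rules and next to the other pass rules.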
From owner-freebsd-pf@FreeBSD.ORG Wed Aug 20 18:57:40 2008
Date: Wed, 20 Aug 2008 20:29:39 +0200
From: Nicolas KARP
To: Leslie Jensen
Cc: freebsd-pf@freebsd.org
Message-ID: <48AC6293.4020607@freE.fr>
In-Reply-To: <48AC595C.2090506@eskk.nu>
References: <48AC595C.2090506@eskk.nu>
Subject: Re: A problem with variable

Leslie Jensen wrote:
>
> I've defined a variable
>
> proxyport = "{ 8080 }"
>
> The rule
>
> rdr on $int_if inet proto tcp from $internal_net to any /
> port $proxy_services -> $proxy port $proxyport
>
> gives me a "Syntax error in config file:"
>
> I use the same variable in another rule and it does not produce a
> "Syntax error"
>
> pass in on $int_if inet proto tcp from $internal_net to /
> $proxy port $proxyport keep state
>
> If I change the variable in the first rule to 8080 it works.
>
> Can someone shed some light on this?
>
> Thanks
>
> /Leslie

Hi (one more time ;) )

You can't use a list in a rdr rule: see man pf.conf and precisely the Grammar of pf.conf

rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
           [ "on" ifspec ] [ af ] [ protospec ] hosts [ "tag" string ]
           [ "tagged" string ] [ "->" ( redirhost | "{" redirhost-list "}" )
           [ *portspec* ] [ *pooltype* ] ]

pooltype = ( "bitmask" | "random" |
             "source-hash" [ ( hex-key | string-key ) ] |
             "round-robin" ) [ sticky-address ]

portspec = "port" ( number | name ) [ ":" ( "*" | number | name ) ]

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 20 21:45:23 2008
Date: Wed, 20 Aug 2008 14:45:23 -0700
From: Jeremy Chadwick
To: Leslie Jensen
Cc: freebsd-pf@freebsd.org
Message-ID: <20080820214523.GA57450@eos.sc1.parodius.com>
In-Reply-To: <48AC515B.7060409@eskk.nu>
References: <48AC266D.2030902@eskk.nu> <20080820143855.GA40160@eos.sc1.parodius.com> <48AC515B.7060409@eskk.nu>
Subject: Re: #2... sorry typing error Re: port stealth mode?

On Wed, Aug 20, 2008 at 07:16:11PM +0200, Leslie Jensen wrote:
> Jeremy Chadwick wrote:
>> On Wed, Aug 20, 2008 at 04:13:01PM +0200, Leslie Jensen wrote:
>>> I've done some testing with Steve Gibson's "Shields up"
>>> https://www.grc.com/x/ne.dll?bh0bkyd2
>>>
>>> These tests list the ports as closed but visible.
>>>
>>> Instead the site suggests that one uses stealth so that the ports are
>>> not visible from the Internet.
>>>
>>> Is there a way to achieve this with PF?
>>
>> The "block" directive, along with "set block-policy drop" should suffice
>> for accomplishing this in pf.
>>
>
> Thank you Jeremy.
>
> I had "return" instead of "drop".
>
> Now when I do the test the ports 0, 1 and 53 are closed, not dropped.
>
> I do not have any rules to allow these ports.
>
> Any suggestions on what might be the reason for this?

Based on my own attempts using Gibson's utility (grudgingly I might add), I have to assume he's talking about TCP ports and not UDP, and that there are only three result states returned: open, closed, or stealth.

I assume the following:

"Open" probably means a TCP connection was successfully made against the specific port -- meaning, the standard TCP connection handshake was successful (meaning a firewall is passing/allowing the TCP port, **and** there is a program listening on that TCP port).

"Closed" probably means that a TCP connection failed against the specific port, but received either a TCP RST in response or an ICMP port unreachable message.

"Stealth" probably means that a TCP connection failed against the specific port, and did not receive a TCP RST or ICMP port unreachable message.

I can assure you that if you use pf's "block" directive, and ensure your block-policy is set to "drop", the FreeBSD box *will not* send back a TCP RST or an ICMP port unreachable when something attempts to connect to said port. Here's evidence:

72.20.106.125 attempts to connect to TCP port 89 on 72.20.106.126. 72.20.106.126 uses pf to block all incoming packets and only allow certain ports through -- TCP port 89 of which is NOT passed:

14:39:55.188088 IP 72.20.106.125.59153 > 72.20.106.126.89: S 3525520536:3525520536(0) win 65535
14:39:58.186955 IP 72.20.106.125.59153 > 72.20.106.126.89: S 3525520536:3525520536(0) win 65535
14:40:01.386830 IP 72.20.106.125.59153 > 72.20.106.126.89: S 3525520536:3525520536(0) win 65535
14:40:04.586707 IP 72.20.106.125.59153 > 72.20.106.126.89: S 3525520536:3525520536(0) win 65535
14:40:07.786585 IP 72.20.106.125.59153 > 72.20.106.126.89: S 3525520536:3525520536(0) win 65535

As you can see, there's no sign of a TCP RST being emitted by 72.20.106.126 in response to the connection, and there's also no ICMP port unreachable.

If you're not using pf at all, you can use the sysctls described in the blackhole(4) manpage to achieve similar results -- but see the WARNING part of the manpage.

Keep in mind that NAT port redirection can cause extra headaches, but it doesn't sound like you're testing against an IP that redirects ports via NAT. If you do use NAT, and have certain TCP ports redirected via a FreeBSD router to a machine on your local network, then there are further complications which need to be discussed.

Again -- this is all speculative, because Gibson provides no technical data regarding how his utility works or what he's basing the results on. That is a serious problem, IMHO, and one reason why I tend to stay away from his utilities.

Thirdly, regarding "ports 0 and 1" -- silly. Look at /etc/services; chances are you aren't using TCP or UDP port 1, and applications cannot bind to TCP or UDP port 0 (doing so, AFAIK, results in an application binding to an arbitrary/random port number), so I really have no idea what he's testing there. His own documentation even described this fact.

Fourthly, you didn't state what FreeBSD version you're testing this against, or what your pf rules look like.

Most importantly: you shouldn't base network/firewall security on the results of Gibson's utility. Meaning, if your goal is to make "Shields Up!" return a non-failure result, then you're probably wasting your time.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 20 21:55:39 2008
Date: Wed, 20 Aug 2008 23:55:37 +0200
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Message-Id: <200808202355.37629.max@love2party.net>
In-Reply-To: <48AC515B.7060409@eskk.nu>
References: <48AC266D.2030902@eskk.nu> <20080820143855.GA40160@eos.sc1.parodius.com> <48AC515B.7060409@eskk.nu>
Subject: Re: #2... sorry typing error Re: port stealth mode?

On Wednesday 20 August 2008 19:16:11 Leslie Jensen wrote:
> Jeremy Chadwick wrote:
> > On Wed, Aug 20, 2008 at 04:13:01PM +0200, Leslie Jensen wrote:
> >> I've done some testing with Steve Gibson's "Shields up"
> >> https://www.grc.com/x/ne.dll?bh0bkyd2
> >>
> >> These tests list the ports as closed but visible.
> >>
> >> Instead the site suggests that one uses stealth so that the ports are not
> >> visible from the Internet.
> >>
> >> Is there a way to achieve this with PF?
> >
> > The "block" directive, along with "set block-policy drop" should suffice
> > for accomplishing this in pf.
>
> Thank you Jeremy.
>
> I had "return" instead of "drop".
>
> Now when I do the test the ports 0, 1 and 53 are closed, not dropped.

This might be your ISP "helping" ... i.e. they filter your traffic in order to protect against stupid Windows worms or enforce a policy ("you must not run a DNS server here"). If you can, try tcptracing from outside to see if the RSTs really come from your pf box or from an ISP firewall (though that fact might be obfuscated, too).

> I do not have any rules to allow these ports.
>
> Any suggestions on what might be the reason for this?

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 21 05:07:58 2008
Date: Thu, 21 Aug 2008 07:07:57 +0200
From: "Erik Danielsson"
To: freebsd-pf@freebsd.org
In-Reply-To: <48AC1BCE.3050109@quis.cx>
References: <48AC1BCE.3050109@quis.cx>
Subject: Re: Limiting bandwidth

Thanks guys.

One question remains though. To count the total traffic from a certain IP range, should a separate PF rule with a label be used? If so, how can I reset only the label's statistics whenever I want to?

On Wed, Aug 20, 2008 at 3:27 PM, Jille wrote:
> Erik Danielsson wrote:
>
>> Hello,
>>
>> I'm using PF together with ALTQ, but my need of limiting bandwidth has
>> changed. I need to be able to limit the bandwidth from/to a certain IP
>> range, but only once a specific amount of data has been transferred
>> from/to that IP range. At midnight I want the counter to be reset, and
>> everything should start over.
>>
>> For example, I want to allow, let's say 10 GiB from e.g 192.168.0.1/24,
>> and once the 10GiB limit has been reached, I want to limit the bandwidth
>> to xx kbits/s until midnight.
>> Any ideas how to accomplish this, can it be done using PF and ALTQ?
>>
> afaik, you can only limit the bandwidth with pf/altq and not count the
> total usage, and use that in rules.
> The best you can do (I think), is let pf create stats of the used
> bandwidth, and let some script check whether they reached the 10GiB
> limit, and if so add that rule to a table that limits bandwidth.
> and a script that resets the counters at midnight and flush the table.
>
> -- Jille
>
>> Regards
>> Erik Danielsson

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 21 05:17:02 2008
Date: Wed, 20 Aug 2008 22:17:01 -0700
From: Jeremy Chadwick
To: Erik Danielsson
Cc: freebsd-pf@freebsd.org
Message-ID: <20080821051701.GA82314@eos.sc1.parodius.com>
References: <48AC1BCE.3050109@quis.cx>
Subject: Re: Limiting bandwidth

On Thu, Aug 21, 2008 at 07:07:57AM +0200, Erik Danielsson wrote:
> Thanks guys.
>
> One question remains though. To count the total traffic from a certain IP
> range, should a separate PF rule with a label be used? If so, how can I
> reset only the label's statistics whenever I want to?

The manpage to pfctl doesn't really indicate this is possible. You could simply delete then re-create the label rule, I would think.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 21 05:28:50 2008
Date: Thu, 21 Aug 2008 07:28:43 +0200
From: Leslie Jensen
To: Jeremy Chadwick
Cc: freebsd-pf@freebsd.org
Message-ID: <48ACFD0B.2030600@eskk.nu>
In-Reply-To: <20080820214523.GA57450@eos.sc1.parodius.com>
References: <48AC266D.2030902@eskk.nu> <20080820143855.GA40160@eos.sc1.parodius.com> <48AC515B.7060409@eskk.nu> <20080820214523.GA57450@eos.sc1.parodius.com>
Subject: Re: #2... sorry typing error Re: port stealth mode?

> Most importantly: you shouldn't base network/firewall security on the
> results of Gibson's utility. Meaning, if your goal is to make "Shields
> Up!" return a non-failure result, then you're probably wasting your
> time.
>

Thank you Jeremy :-)

I'm fairly new to PF and when I see things I do not understand I need to ask. Now I understand, and as you state I'll stop wasting my time.

You're almost certainly right about my ISP, they have limitations on what one can do and not do.

/Leslie

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 21 07:46:56 2008
h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=EMjv3YrFo8HUi5IUzeOjDxhQ81K/waXoJWZ5EGH5DrmhDkii9xJKHfIojC3ZyFiHrb Lj+klbkVZVsh1ds7LXayhVDwnbp0QLDnPnpwQz8+NsgH/gHSdqdXUam1U8GivxuLLB90 KU8NUxHeh2I3KydBDA8/yaDr02xozp8hIPpT8= Received: by 10.180.217.1 with SMTP id p1mr593208bkg.80.1219303275138; Thu, 21 Aug 2008 00:21:15 -0700 (PDT) Received: by 10.180.242.3 with HTTP; Thu, 21 Aug 2008 00:21:15 -0700 (PDT) Message-ID: <8eea04080808210021v68b34d2cxb07573f8888b25bf@mail.gmail.com> Date: Thu, 21 Aug 2008 00:21:15 -0700 From: "Jon Simola" To: "Erik Danielsson" In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <48AC1BCE.3050109@quis.cx> Cc: freebsd-pf@freebsd.org Subject: Re: Limiting bandwidth X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Aug 2008 07:46:56 -0000 On Wed, Aug 20, 2008 at 10:07 PM, Erik Danielsson wrote: > One question remains though. To count the total traffic from a certain IP > range, should a separate PF rule with a label be used? If so, how can I > reset only the labels statistics whenever I want to? PF already maintains counters for each entry in a table, add -v when showing a table to see them. So explaining in pseudo format, I'd try something like table persist; table persist { 10.0.0.1, 10.0.0.2, ... } pass in all pass out from to any pass out from to any queue overlimit You need a cronjob at midnight to flush the over10gb table, and zero the counters for myiprange. 
A second cronjob would do "pfctl -t myiprange -vT show", add up the numbers, and spit out any IPs that are over into "pfctl -t over10gb -T add $SOMEIPS" Hopefully that's enough to get you started, or at least an idea of some way to approach it. -- Jon
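Jon's two cron jobs written out as a script. This is an added example, not code from the thread or from the FreeBSD project: it parses the per-entry counters that `pfctl -t myiprange -vT show` prints, lists the entries whose passed bytes exceed 10 GiB, and wraps the daytime "add to over10gb" and midnight "flush and zero" steps. The table names myiprange and over10gb are Jon's; the sample pfctl output embedded in the script is constructed, and the exact column layout of `-vT show` is assumed from pfctl's usual output, so compare it with a real run on your own host before putting the awk filter in cron.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: Jon's two cron
# jobs written out. Table names myiprange / over10gb are taken from his
# reply; the pfctl output layout below is assumed from pfctl's usual
# "-vT show" format and should be checked against a real host.

LIMIT_BYTES=$((10 * 1024 * 1024 * 1024))   # 10 GiB per entry per day

# Constructed sample of `pfctl -t myiprange -vT show` (not a real capture).
# 10.0.0.1 has passed about 11 GiB in+out, 10.0.0.2 about 60 MiB.
sample_pfctl_output() {
    cat <<'EOF'
   10.0.0.1
	Cleared:     Thu Aug 21 00:00:01 2008
	In/Block:    [ Packets: 0                  Bytes: 0                  ]
	In/Pass:     [ Packets: 1280000            Bytes: 8589934592         ]
	Out/Block:   [ Packets: 0                  Bytes: 0                  ]
	Out/Pass:    [ Packets: 640000             Bytes: 3221225472         ]
   10.0.0.2
	Cleared:     Thu Aug 21 00:00:01 2008
	In/Block:    [ Packets: 0                  Bytes: 0                  ]
	In/Pass:     [ Packets: 5000               Bytes: 52428800           ]
	Out/Block:   [ Packets: 12                 Bytes: 720                ]
	Out/Pass:    [ Packets: 4000               Bytes: 10485760           ]
EOF
}

# over_limit LIMIT: read "-vT show" output on stdin and print, one per
# line, every table entry whose In/Pass + Out/Pass byte counters exceed
# LIMIT. Blocked bytes are ignored: they never reached the client.
over_limit() {
    awk -v limit="$1" '
        # An entry line is just an address or prefix with surrounding blanks.
        $0 ~ "^[ \t]*[0-9a-fA-F.:/]+[ \t]*$" { emit(); addr = $1; bytes = 0; next }
        # Counter lines: add the number that follows the "Bytes:" token.
        /(In|Out)\/Pass:/ {
            for (i = 1; i <= NF; i++) if ($i == "Bytes:") bytes += $(i + 1)
        }
        END { emit() }
        function emit() { if (addr != "" && bytes > limit) print addr }
    '
}

# Daytime cron job (every few minutes): move every over-limit entry into
# the throttled table. Re-adding an address already in the table is harmless.
throttle_over_limit() {
    pfctl -t myiprange -vT show | over_limit "$LIMIT_BYTES" |
    while read -r ip; do
        pfctl -t over10gb -T add "$ip"
    done
}

# Midnight cron job: empty the throttled table and zero the per-entry
# counters so the next day starts from 0.
midnight_reset() {
    pfctl -t over10gb -T flush
    pfctl -t myiprange -T zero
}

# Stand-alone demo on the constructed sample (prints 10.0.0.1):
sample_pfctl_output | over_limit "$LIMIT_BYTES"
```

Only `over_limit` runs offline; `throttle_over_limit` and `midnight_reset` need root and a live pf. The threshold is applied to inbound plus outbound passed bytes; if the quota is meant to cover downloads only, sum just the `In/Pass` counter (for traffic arriving on the client's interface, which direction counts as "in" depends on the rule and interface the table is used on, so check a real counter before trusting the script).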