From: David Marec
To: freebsd-pf@freebsd.org
Date: Sun, 5 Oct 2008 16:42:45 +0200
Subject: Pf, ftp-proxy and proftp running into a jail

Hi,

I am trying to get proftp running in a jail, available from outside the
host.

First, I wrote rules to redirect ftp traffic from ext_if to the jail and to
nat jailed traffic to ext_if.
After login, the data connection keeps being closed in passive mode; the
active mode is running well.

Then, I tried to use ftp-proxy, by adding the following entries into rc.conf:

    ftpproxy_enable="yes"
    ftpproxy_flags="-vv -R ftp.server.address -p 21 -b ext.if"

and followed the tutorial I found on the OpenBSD website:
http://www.openbsd.org/faq/pf/ftp.html

But I can't even connect to the ftp server.

What is the right way to use ftp-proxy?

The pf.conf file could be loaded from here:
http://user.lamaiziere.net/david/pf/pf.conf

--
http://www.freebsd.org/fr/
http://www.arcadehits.net/
http://www.diablotins.org/


From: Miroslav Lachman <000.fbsd@quip.cz>
To: David Marec
Cc: freebsd-pf@freebsd.org
Date: Sun, 05 Oct 2008 18:48:19 +0200
Subject: Re: Pf, ftp-proxy and proftp running into a jail

David Marec wrote:
> Hi,
>
> I am trying to get proftp running in a jail, available from outside the
> host.
>
> First, I wrote rules to redirect ftp traffic from ext_if to the jail and to
> nat jailed traffic to ext_if.
> After login, the data connection keeps being closed in passive mode; the
> active mode is running well.
>
> Then, I tried to use ftp-proxy, by adding the following entries into rc.conf:
> ftpproxy_enable="yes"
> ftpproxy_flags="-vv -R ftp.server.address -p 21 -b ext.if"
>
> and followed the tutorial I found on the OpenBSD website:
> http://www.openbsd.org/faq/pf/ftp.html
>
> But I can't even connect to the ftp server.
>
> What is the right way to use ftp-proxy?

Are you sure you need ftp-proxy? I have ProFTPd in a jail on a private IP,
bidirectionally NATed by PF 1:1 to a public IP, with the following rules:

    binat on $ext_if from $jail_addr_1 to any -> $ext_addr_1

    ## pass incoming in to jails (from outside world)
    ## The filter engine will see the IP packet as it looks after translation has taken place
    pass in on $ext_if inet proto tcp from any to $jail_addr_1 port $jail_tcp_1_inports

    ## pass in/out (both directions) on jail interface (operations inside jail)
    pass on $jail_if inet from $jail_addr_1 to $jail_addr_1

    ## passive FTP transfer - highports - for FTP in Jail (must use MasqueradeAddress in proftpd.conf)
    pass in on $ext_if inet proto tcp from any to $jail_addr_1 port 54000 >< 55000 keep state

And in proftpd.conf I have:

    # If Jail has NATed local IP address
    MasqueradeAddress 1.2.3.4
    PassivePorts 54000 55000

(1.2.3.4 is the public IP address on which FTP will be accessible)

You do not need 1:1 mapping; you can use NAT + RDR rules to redirect just
some port range into your jail.
Miroslav Lachman


From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 6 Oct 2008 11:06:59 GMT
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf         [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf         [pf] deadlock in pf
o kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/82271   pf         [pf] cbq scheduler cause bad latency

23 problems total.
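
Added example, not part of any message in this archive: a check for the passive-FTP setup in Miroslav Lachman's reply further up (MasqueradeAddress, PassivePorts and the pf high-port rule), applied to the server's 227 reply. The address 192.168.1.10 is a constructed stand-in for $jail_addr_1; the check assumes the PassivePorts bounds are inclusive, while pf.conf(5) defines `><` as a range that excludes both boundaries.

```python
import ipaddress
import re

# pf.conf(5) port operators: ":" includes both boundaries, "><" excludes
# them, "<>" matches everything outside the range.
PF_RANGE_OPS = {
    ":": lambda p, lo, hi: lo <= p <= hi,
    "><": lambda p, lo, hi: lo < p < hi,
    "<>": lambda p, lo, hi: p < lo or p > hi,
}
PASV_RE = re.compile(r"^227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_pasv(reply):
    """Return (ip, port) advertised in an RFC 959 '227' PASV reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def pf_passes(port, lo, op, hi):
    """True if a pf rule 'port <lo> <op> <hi>' matches this port."""
    return PF_RANGE_OPS[op](port, lo, hi)


def check_pasv(reply, public_ip, lo, op, hi):
    """List reasons an outside client could not open the data connection."""
    ip, port = parse_pasv(reply)
    problems = []
    if ip != public_ip:
        kind = "private" if ipaddress.ip_address(ip).is_private else "unexpected"
        problems.append("advertises %s address %s, not %s" % (kind, ip, public_ip))
    if not pf_passes(port, lo, op, hi):
        problems.append("port %d not matched by 'port %d %s %d'" % (port, lo, op, hi))
    return problems


# Constructed replies; 192.168.1.10 stands in for $jail_addr_1.
NO_MASQ = "227 Entering Passive Mode (192,168,1,10,212,248)."
MASQ_OK = "227 Entering Passive Mode (1,2,3,4,212,248)."
MASQ_EDGE = "227 Entering Passive Mode (1,2,3,4,210,240)."  # port 54000

if __name__ == "__main__":
    for r in (NO_MASQ, MASQ_OK, MASQ_EDGE):
        print(r, "->", check_pasv(r, "1.2.3.4", 54000, "><", 55000) or "ok")
```

Under these assumptions the boundary ports 54000 and 55000 can be handed out by the server but are not matched by `port 54000 >< 55000`; the inclusive form `54000:55000` covers them.
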

From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Tue, 7 Oct 2008 16:11:16 GMT
Subject: Re: kern/127920: [pf] ipv6 and synproxy don't play well together

Old Synopsis: pf : ipv6 and synproxy don't play well together
New Synopsis: [pf] ipv6 and synproxy don't play well together

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Tue Oct 7 16:10:55 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).
http://www.freebsd.org/cgi/query-pr.cgi?pr=127920

From: "alan yang"
To: freebsd-pf@freebsd.org
Date: Thu, 9 Oct 2008 15:36:52 -0700
Subject: packet flow in pf framework

Sorry if this is naive. I wonder how packets flow in / out of the pf
framework within the kernel; is it the BSD Packet Filter (BPF) approach...?
I would appreciate it if people can shed some light on where to start
tracing the pf code.

Thanks in advance.