From owner-freebsd-pf@FreeBSD.ORG Mon Jun 29 11:07:05 2009
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 29 Jun 2009 11:07:04 GMT
Message-Id: <200906291107.n5TB74pk046439@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to successfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

34 problems total.

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 2 21:27:44 2009
From: Tim Traver
To: freebsd-pf@freebsd.org
Date: Thu, 02 Jul 2009 14:01:04 -0700
Message-ID: <4A4D2010.4020908@simplenet.com>
Subject: Extremely simple redirect rule doesn't appear to be working

Hi all,

ok, I'm a little new to messing around with pf, but have come up with a need
that it sounds like it should be able to solve.

I want to be able to redirect outgoing http requests from the box back to
local addresses on the box...

In reading up, it appears that the redirect config line should do that, and
in testing, I have a simple line like this in the pf.conf:

  rdr pass inet proto tcp from any to 209.131.36.158 port 80 -> [internal address here] port 80

now, I haven't made that internal address be an address on the local box
yet, because I'm testing to see how this works...

I can manually telnet to [internal address here] port 80 with no problems
and get the apache greeting.

Once I turn on and load the pf.conf file (with pfctl -F all -f /etc/pf.conf),
and I try to telnet to 209.131.36.158 port 80 (generic www.yahoo.com), I don't
get redirected to the internal address port 80 and get the apache greeting
that is expected...

I did turn on port forwarding as per the instructions for NAT, although it
didn't say if it was needed for rdr.

  net.inet.ip.forwarding=1

in netstat, I see it trying to actually reach the outside IP, which it can't,
so the translation didn't appear to take effect...

am I missing something ?

Thanks,

Tim.
From owner-freebsd-pf@FreeBSD.ORG Fri Jul 3 10:13:03 2009
From: Balázs Mátéffy
To: freebsd-pf@freebsd.org
Date: Fri, 3 Jul 2009 12:13:01 +0200
In-Reply-To: <4A4D2010.4020908@simplenet.com>
Subject: Re: Extremely simple redirect rule doesn't appear to be working

Hi there,

I think you should check pfctl -sr and pfctl -sn that your rules are ok, and
you don't deny that traffic explicitly.

However, I don't want to start a war, but on a machine I experienced that
with FreeBSD 7.0 or 7.1 the pf redirections didn't work; after a minor
release update, the problem went away with the same ruleset! (I think it was
7.0 and updated to 7.1 to get it working again.)

But rdr pass should add the permitting access rule for your redirection
entry.

Maybe logging can help you too: http://www.openbsd.org/faq/pf/logging.html

Hope this helps!

Best Regards,

MB.

2009/7/2 Tim Traver
> Hi all,
>
> ok, I'm a little new to messing around with pf, but have come up with a need
> that it sounds like it should be able to solve.
>
> I want to be able to redirect outgoing http requests from the box back to
> local addresses on the box...
> [...]
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 3 10:46:53 2009
From: Dimitry Andric
To: tt-list@simplenet.com
Cc: freebsd-pf@freebsd.org
Date: Fri, 03 Jul 2009 12:46:49 +0200
Message-ID: <4A4DE199.4010701@andric.com>
In-Reply-To: <4A4D2010.4020908@simplenet.com>
Subject: Re: Extremely simple redirect rule doesn't appear to be working

On 2009-07-02 23:01, Tim Traver wrote:
> In reading up, it appears that the redirect config line should do that,
> and in testing, I have a simple line like this in the pf.conf
>
>   rdr pass inet proto tcp from any to 209.131.36.158 port 80 -> [internal address here] port 80
>
> now, I haven't made that internal address be an address on the local box
> yet, because I'm testing to see how this works...
>
> I can manually telnet to [internal address here] port 80 with no
> problems and get the apache greeting.
>
> Once I turn on and load the pf.conf file (with pfctl -F all -f
> /etc/pf.conf), and I try to telnet to 209.131.36.158 port 80 (generic
> www.yahoo.com), I don't get redirected to the internal address port 80
> and get the apache greeting that is expected...

Please post your pf.conf, or it will be rather difficult to see what is
wrong.

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 3 11:53:03 2009
From: "Vitaliy Vladimirovich"
To: freebsd-pf@freebsd.org
Date: Fri, 03 Jul 2009 14:34:04 +0300
Subject: ALTQ traffic shaping problem

Hi, All!

I have installed FreeBSD 7.2 with pf as firewall and NAT with ALTQ for
traffic shaping. This is my test system on VMWare.

Below is my pf.conf. All works perfectly except shaping.

I want to limit outbound (128Kb) and inbound (800Kb) traffic to and from the
Internet for two computers. I have configured queues on the interfaces as
written below. But in reality I get only half of the speed specified in
pf.conf.

ext_if="le0"
int_if="le1"
lan="172.16.1.0/24"
pc1="172.16.1.2"
pc2="172.16.1.3"

set skip on lo
set loginterface le1
set ruleset-optimization basic
set block-policy return
set state-policy if-bound

scrub on $int_if all random-id reassemble tcp fragment reassemble
scrub on $ext_if all random-id reassemble tcp fragment reassemble

### ALTQ
altq on $int_if cbq bandwidth 100Mb queue { def_download, pc1_download, pc2_download }
queue def_download bandwidth 50% cbq(default)
queue pc1_download bandwidth 800Kb cbq(red)
queue pc2_download bandwidth 800Kb cbq(red)

altq on $ext_if cbq bandwidth 10Mb queue { def_upload, pc1_upload, pc2_upload }
queue def_upload bandwidth 50% cbq(default)
queue pc1_upload bandwidth 128Kb cbq(red)
queue pc2_upload bandwidth 128Kb cbq(red)

##### NAT
nat on $ext_if from $lan to !$int_if -> $ext_if

###
#pass in
#pass out
block in
block out

antispoof quick for { lo $int_if } inet

#### EXT_IF_OUT
pass out quick on $ext_if inet tagged from_pc1 queue pc1_upload
pass out quick on $ext_if inet tagged from_pc2 queue pc1_upload
pass out quick on $ext_if inet tagged from_def queue def_upload
pass out quick on $ext_if inet from $ext_if to any

#### EXT_IF_IN
pass in quick on $ext_if inet proto tcp from any to $ext_if port ssh

#### INT_IF_IN
pass in quick on $int_if inet from $pc1 to !$int_if tag from_pc1 queue pc1_download
pass in quick on $int_if inet from $pc1 to !$int_if tag from_pc2 queue pc2_download
pass in quick on $int_if inet from !$pc1 to !$int_if tag from_def queue def_download
pass in quick on $int_if inet proto {tcp udp} from $lan to $int_if port 53

### INT_IF_OUT

######################### THE END

So, where is my mistake? I very much hope for your help.

Thanks.
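The following is an added, corrected version of the ruleset above; it is not from the poster or from anyone in the thread. Two copy-and-paste slips are visible in the posted rules themselves: the EXT_IF_OUT rule for tag from_pc2 assigns queue pc1_upload, so pc2_upload is never used, and the second INT_IF_IN rule matches from $pc1 while tagging from_pc2, so it can never fire (the quick rule above it already took every pc1 packet) and pc2 falls through to the from_def rule and the default queues in both directions. Whether those two slips alone account for the halved throughput is not established by the thread; the 100Mb and 10Mb root bandwidths are kept as posted but are worth checking against what the VMware le(4) interfaces actually run at, since CBQ schedules against the root bandwidth it is told. Interface names and addresses are the ones from the post.

```pf
# Added example, not the poster's file: the posted ruleset with its two
# tag/queue slips corrected. Names and addresses come from the post; the
# 100Mb/10Mb root bandwidths are kept as given and should match the real
# link rates for CBQ to shape accurately.
ext_if="le0"
int_if="le1"
lan="172.16.1.0/24"
pc1="172.16.1.2"
pc2="172.16.1.3"

set skip on lo
set loginterface le1
set ruleset-optimization basic
set block-policy return
# if-bound states: each interface creates its own state and so makes its own
# queue choice, which is what lets the *_download queues on $int_if and the
# *_upload queues on $ext_if both take effect for one connection.
set state-policy if-bound

scrub on $int_if all random-id reassemble tcp fragment reassemble
scrub on $ext_if all random-id reassemble tcp fragment reassemble

### ALTQ: queues act on packets leaving an interface, so per-PC download
### limits live on $int_if and per-PC upload limits on $ext_if.
altq on $int_if cbq bandwidth 100Mb queue { def_download, pc1_download, pc2_download }
queue def_download bandwidth 50% cbq(default)
queue pc1_download bandwidth 800Kb cbq(red)
queue pc2_download bandwidth 800Kb cbq(red)

altq on $ext_if cbq bandwidth 10Mb queue { def_upload, pc1_upload, pc2_upload }
queue def_upload bandwidth 50% cbq(default)
queue pc1_upload bandwidth 128Kb cbq(red)
queue pc2_upload bandwidth 128Kb cbq(red)

##### NAT
nat on $ext_if from $lan to !$int_if -> $ext_if

block in
block out
antispoof quick for { lo $int_if } inet

#### EXT_IF_OUT
pass out quick on $ext_if inet tagged from_pc1 queue pc1_upload
# was: tagged from_pc2 queue pc1_upload, so pc2 never reached its own queue
pass out quick on $ext_if inet tagged from_pc2 queue pc2_upload
pass out quick on $ext_if inet tagged from_def queue def_upload
pass out quick on $ext_if inet from $ext_if to any

#### EXT_IF_IN
pass in quick on $ext_if inet proto tcp from any to $ext_if port ssh

#### INT_IF_IN
pass in quick on $int_if inet from $pc1 to !$int_if tag from_pc1 queue pc1_download
# was: from $pc1 tag from_pc2, unreachable after the quick rule above; pc2
# therefore matched the from_def rule and got the default queues both ways
pass in quick on $int_if inet from $pc2 to !$int_if tag from_pc2 queue pc2_download
# the rest of the LAN, stated positively instead of "from !$pc1"
pass in quick on $int_if inet from $lan to !$int_if tag from_def queue def_download
pass in quick on $int_if inet proto { tcp udp } from $lan to $int_if port 53
```

To confirm the fix, load it and watch the queue counters while each PC generates traffic: pfctl -nf /etc/pf.conf parses the file without loading it, and pfctl -vsq shows per-queue packet and byte counters. If pc2's transfers still move the def_upload or def_download counters rather than pc2_upload and pc2_download, the tag is not being applied and the INT_IF_IN rules are the place to look.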
From owner-freebsd-pf@FreeBSD.ORG Fri Jul 3 17:24:49 2009
From: budsz
To: freebsd-pf@freebsd.org
Date: Fri, 3 Jul 2009 23:51:43 +0700
Message-ID: <4d4dc3640907030951g627f096fv16e0b3ac58e9765@mail.gmail.com>
Subject: Problem PF and HFSC

Hello,

I'm trying to use PF under FreeBSD 7.2-STABLE. Here is my config file:

# Variable global
ifint0="rl0"
ifext0="rl1"
ipcl = "{ 192.168.100.1, 192.168.100.2, 192.168.100.3, 192.168.100.4, 192.168.100.5, \
          192.168.100.6, 192.168.100.7, 192.168.100.8, 192.168.100.11, 192.168.100.12, \
          192.168.100.100 }"
ipunlimit = "{ !192.168.1.0/30, !192.168.100.200 }"

scrub in all

altq on $ifint0 hfsc bandwidth 1Mb queue { downstream }
queue downstream bandwidth 10% priority 0 hfsc (upperlimit 99% default)

altq on $ifext0 hfsc bandwidth 256Kb queue { upstream }
queue upstream bandwidth 10% priority 0 hfsc (upperlimit 99% default)

# Outgoing traffic (Downstream bandwidth)
pass out quick on $ifint0 from $ipunlimit to $ipcl queue (downstream)

# Incoming traffic (Upstream bandwidth)
pass out quick on $ifext0 from $ipcl to $ipunlimit queue (upstream)

These are my problems after testing:

1. Why can't PF limit incoming traffic on one interface? Let's say on rl0:

   pass out quick on $ifint0 from $ipunlimit to $ipcl queue (downstream)
   pass in quick on $ifint0 from $ipcl to $ipunlimit queue (upstream)

2. The list $ipunlimit (192.168.1.0/30 and 192.168.100.200) still gets
   limited. I want traffic from/to (192.168.1.0/30 and 192.168.100.200)
   to/from $ipcl _not_ limited, because that's for www/ssh on the local LAN.

3. I need a suggestion for that rule. My purpose is link share for 11 IP
   addresses (downstream/upstream), so if saturating traffic is reached, the
   clients still get a guarantee of 10% of total bandwidth (about 100KB
   downstream and 253.44Kb upstream for each).

Thanks for your time.

-- 
budsz
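An added example, not from the poster or anyone in the thread, addressing the three questions above. Point 2 follows from how pf expands lists that contain negation: `from { !192.168.1.0/30, !192.168.100.200 }` becomes two rules, `from !192.168.1.0/30` and `from !192.168.100.200`, and every address, including the two meant to be exempt, matches at least one of them, so nothing is ever exempted (pf.conf(5) warns about this in its LISTS section). A table with a single negation says what was meant. Point 1 is a property of ALTQ rather than of the ruleset: queues shape packets leaving an interface, so download limits belong on $ifint0 and upload limits on $ifext0, which the posted rules already do. For point 3, hfsc `realtime` gives each client a guaranteed share and `bandwidth` (its linkshare) a share of whatever is left; three client queues are written out as the pattern to extend to the remaining addresses. The interface names, client addresses and the 1Mb/256Kb root bandwidths come from the post; the queue names and the per-client figures are assumptions.

```pf
# Added example, not the poster's file. Interfaces, addresses and the two
# root bandwidths come from the post; the per-client queue layout is the
# suggested pattern, written out for three of the eleven clients.
ifint0 = "rl0"
ifext0 = "rl1"

# Exempt hosts go in a table so that a single "!<unlimited>" means "not one
# of these". The posted "{ !192.168.1.0/30, !192.168.100.200 }" expands to
# one rule per element, and every address matches at least one of them.
table <unlimited> const { 192.168.1.0/30, 192.168.100.200 }
table <clients>   const { 192.168.100.1, 192.168.100.2, 192.168.100.3 }

# A rule's queue is recorded in the state it creates, and later packets of
# that state are not matched against the rules again. With floating states
# the queue chosen on the first interface follows the connection to the
# other interface, where no queue of that name exists, and the packet lands
# in that interface's default class. Interface-bound states give each side
# its own state and therefore its own queue choice.
set state-policy if-bound

scrub in all

# Download is shaped where packets leave towards the LAN, upload where they
# leave towards the Internet: ALTQ acts on outbound packets only, which is
# the answer to question 1. realtime is the guaranteed share, bandwidth the
# client's share of what is left. Guarantees cannot add up to more than the
# link, so eleven clients cannot each have 10%; with all eleven listed, use
# e.g. 8% each and leave 12% for the default class.
altq on $ifint0 hfsc bandwidth 1Mb queue { dl_c1, dl_c2, dl_c3, dl_def }
queue dl_c1  bandwidth 10% hfsc(realtime 10%)
queue dl_c2  bandwidth 10% hfsc(realtime 10%)
queue dl_c3  bandwidth 10% hfsc(realtime 10%)
queue dl_def bandwidth 70% hfsc(default)

altq on $ifext0 hfsc bandwidth 256Kb queue { ul_c1, ul_c2, ul_c3, ul_def }
queue ul_c1  bandwidth 10% hfsc(realtime 10%)
queue ul_c2  bandwidth 10% hfsc(realtime 10%)
queue ul_c3  bandwidth 10% hfsc(realtime 10%)
queue ul_def bandwidth 70% hfsc(default)

# Local www/ssh between clients and the exempt hosts: passed with no queue
# keyword, so it uses the default class, which carries no upperlimit.
pass quick on $ifint0 from <clients> to <unlimited>
pass quick on $ifint0 from <unlimited> to <clients>

# Download: the queue is chosen on the inbound rule on $ifint0 and applies
# to the replies of that state as they leave $ifint0 towards the client.
pass in quick on $ifint0 from 192.168.100.1 to !<unlimited> queue dl_c1
pass in quick on $ifint0 from 192.168.100.2 to !<unlimited> queue dl_c2
pass in quick on $ifint0 from 192.168.100.3 to !<unlimited> queue dl_c3

# Upload: the queue is chosen where the client's packets leave $ifext0.
pass out quick on $ifext0 from 192.168.100.1 to !<unlimited> queue ul_c1
pass out quick on $ifext0 from 192.168.100.2 to !<unlimited> queue ul_c2
pass out quick on $ifext0 from 192.168.100.3 to !<unlimited> queue ul_c3

# As in the post there is no block policy here; this is only the shaping part.
```

Check it with pfctl -nf /etc/pf.conf before loading. Once loaded, pfctl -ss shows two states per client connection, one on rl0 and one on rl1, instead of a single floating one, and pfctl -vsq shows the client's dl_* counter moving while it downloads and its ul_* counter while it uploads; traffic between a client and an exempt host should leave both untouched.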
From owner-freebsd-pf@FreeBSD.ORG Sat Jul 4 07:48:32 2009
From: Tim Traver
To: Balázs Mátéffy
Cc: freebsd-pf@freebsd.org
Date: Sat, 04 Jul 2009 00:48:32 -0700
Message-ID: <4A4F0950.7020005@simplenet.com>
References: <4A4D2010.4020908@simplenet.com>
Subject: Re: Extremely simple redirect rule doesn't appear to be working

Thank you for your response.

My rules are ok, because I have no other rules than that one, and I ran the
syntax checker on it...

I am indeed running 7.0, so I guess I could update the sources on that
machine to 7.1 and rebuild pf.

Thanks,

Tim.

Balázs Mátéffy wrote:
> Hi there,
>
> I think you should check pfctl -sr and pfctl -sn that your rules are ok, and
> you don't deny that traffic explicitly.
>
> However, I don't want to start a war, but on a machine I experienced that
> with FreeBSD 7.0 or 7.1 the pf redirections didn't work; after a minor
> release update, the problem went away with the same ruleset! (I think it was
> 7.0 and updated to 7.1 to get it working again.)
> [...]

From owner-freebsd-pf@FreeBSD.ORG Sat Jul 4 07:49:36 2009
From: Tim Traver
To: Dimitry Andric
Cc: freebsd-pf@freebsd.org
Date: Sat, 04 Jul 2009 00:49:38 -0700
Message-ID: <4A4F0992.8090906@simplenet.com>
In-Reply-To: <4A4DE199.4010701@andric.com>
Subject: Re: Extremely simple redirect rule doesn't appear to be working

Dimitry Andric wrote:
> On 2009-07-02 23:01, Tim Traver wrote:
>> [...]
>> Once I turn on and load the pf.conf file (with pfctl -F all -f
>> /etc/pf.conf), and I try to telnet to 209.131.36.158 port 80 (generic
>> www.yahoo.com), I don't get redirected to the internal address port 80
>> and get the apache greeting that is expected...
>
> Please post your pf.conf, or it will be rather difficult to see what is
> wrong.

Dimitry,

I appreciate your post, but my pf.conf file only consists of the rule that
I have stated for the redirect.

I have no other filtering going on...

Thanks,

Tim.

From owner-freebsd-pf@FreeBSD.ORG Sat Jul 4 14:05:43 2009
From: Chris Buechler
Cc: freebsd-pf@freebsd.org
Date: Sat, 4 Jul 2009 09:42:01 -0400
In-Reply-To: <4A4F0950.7020005@simplenet.com>
Subject: Re: Extremely simple redirect rule doesn't appear to be working
On Sat, Jul 4, 2009 at 3:48 AM, Tim Traver wrote:
> Thank you for your response.
>
> My rules are ok, because I have no other rules than that one, and I ran the
> syntax checker on it...
>
> I am indeed running 7.0, so I guess I could update the sources on that
> machine to 7.1 and rebuild pf.

rdr works fine in 7.0 and 7.1 and 7.2 and every other version since pf has
been in FreeBSD. The person who claimed it didn't work in some version is
wrong.

I suspect you're testing from inside your network, which won't work. Test
from outside.
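An added example, not from anyone in the thread, of how the redirect discussed above would be written and tested so that the result means something. As Chris says, the test has to come from another host: pf.conf(5) states that translation rules apply only to packets that pass through the specified interface, and a connection opened on the firewall itself to 209.131.36.158 never comes in on any interface, so the rdr rule is never consulted and netstat shows the untranslated destination, which is exactly what the first post describes. The interface name and the web server address are assumptions; 209.131.36.158 is the address from the post. The rule is written as a plain rdr with a separate pass rule rather than as rdr pass: rdr pass lets the translated packets skip the filter rules entirely, while a separate pass rule keeps the traffic subject to the filter section and to logging.

```pf
# Added example, not a ruleset from the thread. $ext_if and $web_srv are
# assumptions; 209.131.36.158 is the address used in the original post.
ext_if  = "em0"
web_srv = "192.168.1.10"

# rdr matches packets coming *in* on $ext_if. A connection started on the
# firewall itself to 209.131.36.158 never comes in on an interface, so it is
# not translated (pf.conf(5), TRANSLATION). Test from another host.
rdr on $ext_if inet proto tcp from any to 209.131.36.158 port 80 -> $web_srv port 80

block in log all
pass out quick keep state

# Filter rules see the already-translated destination, so the pass rule
# names $web_srv, not 209.131.36.158. Keeping this rule here instead of
# writing "rdr pass" means the redirected connections still go through the
# filter section and show up on pflog0.
pass in log quick on $ext_if inet proto tcp from any to $web_srv port 80 flags S/SA keep state
# Add pass in rules for your own management access (e.g. ssh) here; with
# "block in log all" nothing else inbound is accepted.
```

pfctl -nf /etc/pf.conf parses the file without loading it, and pfctl -sn lists the translation rule once loaded. While an outside host connects to 209.131.36.158 port 80, pfctl -ss shows the state with the translated address in parentheses next to the original one, and tcpdump -n -e -ttt -i pflog0 shows the logged pass. If $web_srv is a host behind the firewall, net.inet.ip.forwarding=1 is required for the redirected packets to be forwarded; if it is an address configured on the firewall itself, it is not.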