From owner-freebsd-pf@FreeBSD.ORG Mon Oct 26 11:07:05 2009
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 26 Oct 2009 11:07:04 GMT
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including experimental
development code and obsolete releases.

S Tracker       Resp.  Description
--------------------------------------------------------------------------------
o kern/137982   pf     [pf] when pf can hit state limits, random IP failures
o kern/136781   pf     [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948   pf     [pf] [gre] pf not natting gre protocol
o kern/135162   pf     [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996   pf     [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732   pf     [pf] max-src-conn issue
o kern/132769   pf     [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176   pf     [pf] pf stalls connection when using route-to [regress
o conf/130381   pf     [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861   pf     [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920   pf     [pf] ipv6 and synproxy don't play well together
o conf/127814   pf     [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439   pf     [pf] deadlock in pf
f kern/127345   pf     [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121   pf     [pf] [patch] pf incorrect log priority
o kern/127042   pf     [pf] [patch] pf recursion panic if interface group is
o kern/125467   pf     [pf] pf keep state bug while handling sessions between
s kern/124933   pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364   pf     [pf] [panic] Kernel panic with pf + bridge
o kern/122773   pf     [pf] pf doesn't log uid or pid when configured to
o kern/122014   pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704   pf     [pf] PF mangles loopback packets
o kern/120281   pf     [pf] [request] lost returning packets to PF for a rdr
o kern/120057   pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355    pf     [pf] [patch] pfctl(8) help message options order false
o kern/114567   pf     [pf] [lor] pf_ioctl.c + if.c
o kern/114095   pf     [carp] carp+pf delay with high state limit
o kern/111220   pf     [pf] repeatable hangs while manipulating pf tables
s conf/110838   pf     [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283   pf     pfsync fails to successfully transfer some sessions
o kern/103281   pf     pfsync reports bulk update failures
o kern/93825    pf     [pf] pf reply-to doesn't work
o sparc/93530   pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/92949    pf     [pf] PF + ALTQ problems with latency
o bin/86635     pf     [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271    pf     [pf] cbq scheduler cause bad latency

36 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 26 13:33:57 2009
From: Remko Lodder
To: jhell
Cc: freebsd-pf@freebsd.org
Date: Mon, 26 Oct 2009 14:18:02 +0100
Subject: Re: return-icmp() relative question to ipf rule.
On Oct 10, 2009, at 4:09 AM, jhell wrote:
>
> I have a rule I used in ipfilter probably around 2 or so years ago
> and I am now getting around to trying to implement it in my pf
> rules. So far any results I have achieved have failed with no
> response back from the server and get dropped.
>
> The rule in ipf syntax:
> block return-icmp-as-dest(13) in log first quick proto icmp all icmp-type 8
>
> The above ipf rule returns a result of "Destination Administratively
> Prohibited" when ping'd.
>
> The following pf syntax:
> block return-icmp(3,13) in quick inet proto icmp from any to any icmp-type 8 code 0
>
> The above pf rule returns a result of "Nothing ........" when ping'd.
>
> Just to be sure I wasn't mucking up the chain of rules I added this
> as the only rule to test it out and have achieved the same result
> multiple times on a test machine.
>
> Can anyone shed some light on the syntax and help me out with
> getting this rule to make the system respond to an echo request with
> admin-prohib as the destination system?
>
> Thanks
>

*click* (the light is on)

    Options returning ICMP packets currently have no effect if pf(4)
    operates on a if_bridge(4), as the code to support this feature has
    not yet been implemented.

from the manual page. I think that answers the question?
-- 
/"\   Best regards,             | remko@FreeBSD.org
\ /   Remko Lodder              | remko@EFnet
 X    http://www.evilcoder.org/ |
/ \   ASCII Ribbon Campaign     | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 26 15:02:38 2009
From: jhell
To: Remko Lodder
Cc: freebsd-pf@freebsd.org
Date: Mon, 26 Oct 2009 11:02:31 -0400
Subject: Re: return-icmp() relative question to ipf rule.

On Mon, 26 Oct 2009 09:18, remko@ wrote:
> On Oct 10, 2009, at 4:09 AM, jhell wrote:
>
>> [...]
>> Can anyone shed some light on the syntax and help me out with getting this
>> rule to make the system respond to an echo request with admin-prohib as the
>> destination system?
>>
>> Thanks
>
> *click* (the light is on)
>
> Options returning ICMP packets currently have no effect if pf(4)
> operates on a if_bridge(4), as the code to support this feature has
> not yet been implemented.
>
> from the Manual page. I think that answers the question?

Thanks Remko,

No, I'm not using if_bridge(4) here, nor any bridge for that matter. I have
tested this directly from interface -> interface with a patch cable, thinking
that the click that I heard from the light above would actually turn something
on, but it was just throwing a breaker.

I also have turned my WiFi NIC into an ad-hoc connection and threw the rule on
it instead of the test box and then ran a ping(8) from a direct connect, and
the same thing happens. Same thing from directly connecting to the AP.

So unless what you are telling me above is that all interfaces, no matter what
they are, operate in a bridge mode and the code is missing, then I am really
confused. -- This does not need to be answered as I know that's not the case.

Or the code to do this is just missing altogether; in turn I would like to
throw out a voiced question of "where did it go?" This was in IPF before pf
started making its way through the circuit.

The conclusion from what I see thus far is that all the return-icmp* context in
the pf.conf(5) man page is false for FreeBSD, at least 7.2 right now, as I
can't account for earlier or later releases at this point.

FreeBSD 7.2-STABLE #0 r198446: Sun Oct 25 16:40:39 EDT 2009

Still obtaining a small flicker of light from the circuit breaker,

Best regards.
-- 
;; dataix.net!jhell 2048R/89D8547E 2009-09-30
;; BSD since FreeBSD 4.2 Linux since Slackware 2.1
;; 85EF E26B 07BB 3777 76BE B12A 9057 8789 89D8 547E

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 28 08:23:19 2009
From: Remko Lodder
To: jhell
Cc: mlaier@FreeBSD.org, freebsd-pf@freebsd.org
Date: Wed, 28 Oct 2009 09:23:16 +0100
Subject: Re: return-icmp() relative question to ipf rule.

On Oct 26, 2009, at 4:02 PM, jhell wrote:
> On Mon, 26 Oct 2009 09:18, remko@ wrote:
>> On Oct 10, 2009, at 4:09 AM, jhell wrote:
>>> [...]
>>
>> *click* (the light is on)
>>
>> Options returning ICMP packets currently have no effect if pf(4)
>> operates on a if_bridge(4), as the code to support this feature has
>> not yet been implemented.
>>
>> from the Manual page. I think that answers the question?
>
> Thanks Remko,
>
> No, I'm not using if_bridge(4) here, nor any bridge for that matter.
> I have tested this directly from interface -> interface with a patch
> cable thinking that the click that I heard from the light above
> would actually turn something on but was just throwing a breaker.

OK, yes, I understand what you mean. I over-read the bridge part. My apologies
for the confusion this caused. I am not sure whether it then should or should
not work though. One thing that I noticed is that you speak about 'it was in
IPF and it isn't in PF'; please keep in mind that PF is a complete rewrite and
looks similar to IPF in syntax etc. Features found there are no guarantee that
they will be in PF as well. That doesn't change the fact that the documentation
indeed talks about it being possible, and it is seemingly impossible to do.

I added Max to the discussion, he might be able to tell whether or not this is
integrated and whether it should work at all :-)

Thanks for catching my misread part!

-- 
/"\   Best regards,             | remko@FreeBSD.org
\ /   Remko Lodder              | remko@EFnet
 X    http://www.evilcoder.org/ |
/ \   ASCII Ribbon Campaign     | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 28 17:22:54 2009
From: jhell
To: Remko Lodder
Cc: mlaier@freebsd.org, freebsd-pf@freebsd.org
Date: Wed, 28 Oct 2009 13:22:35 -0400
Subject: Re: return-icmp() relative question to ipf rule.
On Wed, 28 Oct 2009 04:23, remko@ wrote:
> On Oct 26, 2009, at 4:02 PM, jhell wrote:
>> On Mon, 26 Oct 2009 09:18, remko@ wrote:
>>> On Oct 10, 2009, at 4:09 AM, jhell wrote:
>>>> [...]
>>>
>>> *click* (the light is on)
>>>
>>> Options returning ICMP packets currently have no effect if pf(4)
>>> operates on a if_bridge(4), as the code to support this feature has
>>> not yet been implemented.
>>>
>>> from the Manual page. I think that answers the question?
>>
>> Thanks Remko,
>>
>> No, I'm not using if_bridge(4) here, nor any bridge for that matter.
>> I have tested this directly from interface -> interface with a patch
>> cable thinking that the click that I heard from the light above would
>> actually turn something on but was just throwing a breaker.
>
> OK, yes, I understand what you mean. I over-read the bridge part. My
> apologies for the confusion this caused. I am not sure whether it then
> should or should not work though. One thing that I noticed is that you
> speak about 'it was in IPF and it isn't in PF'; please keep in mind that
> PF is a complete rewrite and looks similar to IPF in syntax etc.
> Features found there are no guarantee that they will be in PF as well.
> That doesn't change the fact that the documentation indeed talks about
> it being possible, and it is seemingly impossible to do.
>
> I added Max to the discussion, he might be able to tell whether or not
> this is integrated and whether it should work at all :-)
>
> Thanks for catching my misread part!

Hey, it's no problem at all. I appreciate the feedback, because I thought that
possibly I might have missed something that wasn't allowing it to work, but I
have tried all kinds of trickery, along the lines of adding "pass out all"
rules of type ICMP with specific codes and such before and after the rule in
question, and nothing seems to do it. So some input on this was better than
none at all.

Thanks for your response, and I can't wait for some more interaction on this
thread as this has now just become an annoying unreachable objective for me.

Best regards.
-- 
;; dataix.net!jhell 2048R/89D8547E 2009-09-30
;; BSD since FreeBSD 4.2 Linux since Slackware 2.1
;; 85EF E26B 07BB 3777 76BE B12A 9057 8789 89D8 547E

From owner-freebsd-pf@FreeBSD.ORG Sat Oct 31 21:00:13 2009
From: Nico De Dobbeleer
To: freebsd-pf@freebsd.org
Date: Sat, 31 Oct 2009 22:00:04 +0100 (CET)
Subject: Re: freebsd-pf Digest, Vol 266, Issue 4
Hello,

I have an issue with pf bridge. This is my setup:

  Wan --> pf-bridge --> servers (mail, webserver with public IP)

When I activate my pf-bridge FW it allows the things it should (http, rdp,
ssh, ...). But when I try to send a mail, for example, it cannot find the
hostname, or when I'm connected to the webserver over RDP I cannot browse.
It's like I can get in to the correct ports but from the inside I'm not
allowed to do stuff.

Here's pf-bridge.conf:

#
####################
# Macros
####################
ext_if="em0"
int_if="em1"
mng_if="rl0"
loop_if="lo0"

public_services="{ ssh, http, https, smtp, pop3, imap, 7071, 53, 3389 }"
admin_services="{ ssh, http, https }"
power_services="{ telnet, http }"

# TCP Options
#TCP_Options="flags S/SAFRUP modulate state"
# UDP Options
#UDP_Options="keep state"

#######################
# Tables
#######################
table { 62.213.196.XXX/xx }
table { 62.213.196.xxx, 62.213.196.xxx, 62.213.196.xxx, 62.213.196.xxx, 62.213.196.xxx, 62.213.196.xxx }
table { 62.213.196.xxx, 62.213.196.xxx, 62.213.196.xxx, 62.213.196.xxx }
table { 62.213.196.xxx, 62.213.196.xxx }

############################################################################
# Normalization rules:
############################################################################
#set block-policy drop
#set fingerprints "/etc/pf.os"
set block-policy return

# scrub incoming packets
scrub in on { $ext_if, $int_if } all fragment reassemble min-ttl 15 max-mss 1400
scrub in on { $ext_if, $int_if } all no-df
scrub on { $ext_if, $int_if } all reassemble tcp

# Don't filter on the loopback interface
set skip on $loop_if

# this should block OS fingerprints??
block in log quick proto tcp flags FUP/WEUAPRSF
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick proto tcp flags SRAFU/WEUAPRSF
block in log quick proto tcp flags /WEUAPRSF
block in log quick proto tcp flags SR/SR
block in log quick proto tcp flags SF/SF

# thwart nmap scans
block in log quick on { $ext_if, $int_if, $mng_if } proto tcp all flags SEFUP/SEFUP
block out log quick on { $ext_if, $int_if, $mng_if } proto tcp all flags SEFUP/SEFUP

############################################################################
# Filter rules:
############################################################################
# Allow public services to customers IP
pass in quick on { $ext_if, $int_if } inet proto { tcp, udp } from any to port $public_services
pass out quick on { $ext_if, $int_if } inet proto { tcp, udp } from any to port $public_services

# Allow admin services to admin servers
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to port $admin_services
pass out quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to port $admin_services

# Allow access to powerboots
pass in quick on { $ext_if, $int_if } inet proto tcp from any to port $power_services
pass out quick on { $ext_if, $int_if } inet proto tcp from any to port $power_services

block drop in on $ext_if all
block drop out on $ext_if all
block drop in on $int_if all
block drop out on $int_if all

Any ideas?
From owner-freebsd-pf@FreeBSD.ORG Sat Oct 31 21:52:17 2009
From: Tom Uffner
To: freebsd-pf@freebsd.org
Date: Sat, 31 Oct 2009 17:52:15 -0400
Subject: Re: freebsd-pf Digest, Vol 266, Issue 4

Nico De Dobbeleer wrote:
> # this should block OS fingerprints??
> block in log quick proto tcp flags FUP/WEUAPRSF
> block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
> block in log quick proto tcp flags SRAFU/WEUAPRSF
> block in log quick proto tcp flags /WEUAPRSF
> block in log quick proto tcp flags SR/SR
> block in log quick proto tcp flags SF/SF
>
> # thwart nmap scans
> block in log quick on { $ext_if, $int_if, $mng_if } proto tcp all flags SEFUP/SEFUP
> block out log quick on { $ext_if, $int_if, $mng_if } proto tcp all flags SEFUP/SEFUP
>
> Any ideas?

yeah. replace all of the strange flag combinations with a simple "block log
all" rule. get basic firewall functionality working first, then add the fancy
stuff back one rule at a time & test to see what breaks. and when adding the
above rules, think about whether you really want "quick". i'm amazed that any
TCP gets through that ruleset in either direction.
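As an added illustration, not code from the thread, here is a Python model of pf's "flags a/b" matching (out of the flags in b, exactly those in a must be set; flags outside b are ignored) run against the seven flag specs quoted above and a few constructed TCP flag combinations. It shows which packets each rule catches and that a normal handshake, ECN-setup SYN and teardown are matched by none of them, which is the kind of per-rule check the reply suggests doing before putting the rules back one at a time.

```python
"""Model of pf(4) 'flags a/b' matching, applied to the block rules quoted above.

pf semantics (pf.conf(5)): a TCP packet matches 'flags a/b' when, out of the
flags listed in b, exactly those listed in a are set; flags not in b are ignored.
"""

# Flag letters as pf.conf spells them, mapped to their TCP header bits.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}

# The 'flags' specs from the posted ruleset, in the order they appear.
BLOCK_FLAG_RULES = [
    "FUP/WEUAPRSF", "WEUAPRSF/WEUAPRSF", "SRAFU/WEUAPRSF", "/WEUAPRSF",
    "SR/SR", "SF/SF", "SEFUP/SEFUP",
]


def flagset(letters):
    """Turn a pf flag string such as 'SA' into a TCP flag bitmask."""
    bits = 0
    for ch in letters:
        bits |= FLAG_BITS[ch]  # KeyError for a letter pf does not know
    return bits


def flags_match(spec, packet_flags):
    """True when a packet with the given TCP flags matches pf's 'flags a/b'."""
    a, sep, b = spec.partition("/")
    if sep != "/":
        raise ValueError("expected 'a/b' form: %r" % spec)
    want, check = flagset(a), flagset(b)
    return (packet_flags & check) == want


def blocking_rules(packet_flags, rules=BLOCK_FLAG_RULES):
    """Specs from the ruleset that match the packet (each is 'block quick', so any hit drops it)."""
    return [spec for spec in rules if flags_match(spec, packet_flags)]


# Constructed sample packets: the flag combinations seen in a normal TCP
# session, plus a few probe patterns the rules are clearly aimed at.
SAMPLE_PACKETS = {
    "client SYN": flagset("S"),
    "ECN-setup SYN": flagset("SEW"),
    "server SYN/ACK": flagset("SA"),
    "data PSH/ACK": flagset("PA"),
    "FIN/ACK teardown": flagset("FA"),
    "RST": flagset("R"),
    "null probe": 0,
    "Xmas probe (FIN/PSH/URG)": flagset("FPU"),
    "SYN/FIN probe": flagset("SF"),
    "SYN/ECE/FIN/URG/PSH probe": flagset("SEFUP"),
}


def audit(packets=SAMPLE_PACKETS, rules=BLOCK_FLAG_RULES):
    """Map each sample packet name to the list of rule specs that would block it."""
    return {name: blocking_rules(flags, rules) for name, flags in packets.items()}


if __name__ == "__main__":
    for name, hits in audit().items():
        verdict = ", ".join(hits) if hits else "(not matched by any flags rule)"
        print("%-28s %s" % (name, verdict))
```

Note that the SYN/ECE/FIN/URG/PSH pattern is already caught by the earlier SF/SF rule, so the two "thwart nmap scans" rules add nothing for it.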