From owner-freebsd-pf@FreeBSD.ORG Sun Nov 15 21:23:14 2009
From: Balázs Mátéffy
To: freebsd-pf
Date: Sun, 15 Nov 2009 22:23:13 +0100
Subject: PF NAT problems.

Hello,

I'm struggling to get pf nat to work when connecting to ipsec vpns, when I have a pf and pfnat gateway on my LAN side. Sometimes it's ok to some networks, but most of the time it's not. Usually I'm using the Cisco vpn client, connecting to cisco ASA devices, and sometimes pptp and l2tp vpn with the client from Windows XP.

I tried passing ipsec relevant packets through the pf fw, but if I use ipnat it works perfectly without any added rules. Somewhere I found that I have to statically map port 500 for pf to map that to the external interface as well (and not change the port number), but I couldn't make that work.

Relevant part of my pf.conf: I just pasted the macros, because I think the problem lies somewhere else.

prv_ads = 192.168.0.0/24

nat on $ext_if proto $nat_p from $prv_ads to any -> ($ext_if:0) #we need this to work with dyn ip and pppoe tun0

##Some port forwarding rules deleted from here...

rdr-anchor miniupnpd

ipnat.conf:

map tun0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map tun0 192.168.0.0/24 -> 0/32 portmap tcp/udp 40000:65000
map tun0 192.168.0.0/24 -> 0/32
#some port redirection deleted from here.

Thanks for any help,
B.
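The "statically map port 500" hint from the mail above, written out as a pf.conf fragment; this is an added example, not the poster's ruleset. It assumes $ext_if is the pppoe tun0 interface the mail mentions and that $nat_p is a list of tcp, udp and icmp (the mail does not show its contents; if esp is already in it, the extra esp rule is harmless).

```pf
# Added example, not from the original mail. Assumed macros: ext_if is the
# pppoe tun0 from the mail; nat_p is assumed to hold only tcp, udp and icmp.
ext_if  = "tun0"
prv_ads = "192.168.0.0/24"
nat_p   = "{ tcp, udp, icmp }"

# Translation rules: unlike filter rules, the FIRST matching nat rule wins,
# so the specific IPsec rules must come before the general one.

# IKE (udp/500) and NAT-T (udp/4500). static-port keeps the client's source
# port unchanged, which is what "statically map port 500" means: IKE without
# NAT-T expects port 500 at both ends, so a rewritten source port means the
# peer's reply never matches the state. The cost is that two LAN hosts
# cannot both use source port 500 behind one external address.
nat on $ext_if proto udp from $prv_ads to any port { 500, 4500 } \
    -> ($ext_if:0) static-port

# ESP (IP protocol 50) carries no ports, so a nat rule limited to $nat_p
# never matches it and it would leave with an untranslated private source
# address. Give it its own rule. pf keys state for ESP on addresses only, so
# without NAT-T only one LAN client at a time can talk to a given peer.
nat on $ext_if proto esp from $prv_ads to any -> ($ext_if:0)

# Everything else exactly as in the original ruleset.
nat on $ext_if proto $nat_p from $prv_ads to any -> ($ext_if:0)

# Filter side: let the translated IKE/NAT-T and ESP traffic out and keep
# state so the replies are accepted on the way back in.
pass out on $ext_if proto udp from ($ext_if) to any port { 500, 4500 } keep state
pass out on $ext_if proto esp from ($ext_if) to any keep state
```

After loading, pfctl -s nat shows the expanded rules in evaluation order, and pfctl -s state shows whether the udp/500 state kept the client's source port.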
From owner-freebsd-pf@FreeBSD.ORG Mon Nov 16 10:37:44 2009
From: Ask Bjørn Hansen
To: freebsd-pf@freebsd.org
Date: Mon, 16 Nov 2009 02:11:02 -0800
Subject: Avoid keeping state of ntp requests

Hi,

I'm trying to avoid keeping state of ntp requests to our ntp servers. They are on UDP and numerous, so it's just wasting a lot of space in the state table.

I've tried various variations of 'pass quick', but some rule keeps adding state for the port 123 requests. I've put the full output of 'pfctl -sa' here:

http://tmp.askask.com/2009/11/pf.txt

Any ideas?

- ask

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 16 10:59:33 2009
From: Ask Bjørn Hansen
To: Denny Lin
Cc: freebsd-pf@freebsd.org
Date: Mon, 16 Nov 2009 02:59:32 -0800
Message-Id: <6967A89E-CF55-4F65-972E-864AAA50ED32@develooper.com>
In-Reply-To: <20091116104413.GA32966@mx.hs.ntnu.edu.tw>
References: <20091116104413.GA32966@mx.hs.ntnu.edu.tw>
Subject: Re: Avoid keeping state of ntp requests

On Nov 16, 2009, at 2:44, Denny Lin wrote:

>
>> I'm trying to avoid keeping state of ntp requests to our ntp servers. They are on UDP and numerous, so it's just wasting a lot of space in the state table.
>>
>> I've tried various variations of 'pass quick', but some rule keeps adding state for the port 123 requests. I've put the full output of 'pfctl -sa' here:
>
> Have you tried adding "no state" at the end of the rule? This way they
> aren't added to the state table.

Hi Denny,

Yes, indeed - that's what I'm doing; I should have made that explicit in the mail. I've put the pfctl -vsr output up here:

http://tmp.askask.com/2009/11/pfctl-vsr.txt

[ a little later ]

Aargh! The problem was that the table in my rule was , but the table with the IP addresses was ! Thanks for making me take a second[1] look.

- ask

[1] That's a joke, more like look number 217!

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 16 11:03:09 2009
From: Denny Lin
To: freebsd-pf@freebsd.org
Date: Mon, 16 Nov 2009 18:44:13 +0800
Message-ID: <20091116104413.GA32966@mx.hs.ntnu.edu.tw>
Subject: Re: Avoid keeping state of ntp requests

> I'm trying to avoid keeping state of ntp requests to our ntp servers. They are on UDP and numerous, so it's just wasting a lot of space in the state table.
>
> I've tried various variations of 'pass quick', but some rule keeps adding state for the port 123 requests. I've put the full output of 'pfctl -sa' here:

Have you tried adding "no state" at the end of the rule? This way they aren't added to the state table.

-- 
Denny Lin

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 16 11:06:58 2009
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 16 Nov 2009 11:06:58 GMT
Message-Id: <200911161106.nAGB6woV011247@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/135162  pf    [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o kern/132769  pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf    [pf] pf stalls connection when using route-to [regress
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf    [pf] deadlock in pf
f kern/127345  pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

36 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 17 11:02:01 2009
From: "Sergey V. Dyatko"
To: freebsd-pf@FreeBSD.org
Date: Tue, 17 Nov 2009 13:02:05 +0200
Message-ID: <20091117130205.2e3a5500@notebook>
In-Reply-To: <20091117124804.08d70a8e@notebook>
References: <20091117124804.08d70a8e@notebook>
Subject: Re: pf and max-src-conn-rate

on Tue, 17 Nov 2009 12:48:04 +0200 "Sergey V. Dyatko" wrote:

Ooops, sorry for the noise. I didn't see that it is only 1 connection.

SVD> Hi list,
SVD> I'm trying to stop ssh bruteforce on my box (rules below), but it
SVD> doesn't work. Looks like a 1sec interval is too small :(
SVD>
SVD> from auth.log:
SVD> ...
SVD> Nov 17 13:32:14 master-db6 sshd[3902]: Invalid user cobert from
SVD> 200.27.164.214
SVD> Nov 17 13:32:14 master-db6 sshd[3902]: error: PAM: authentication
SVD> error for illegal user cobert from server.aconex.cl
SVD> Nov 17 13:32:14 master-db6 sshd[3902]: Failed
SVD> keyboard-interactive/pam for invalid user cobert from
SVD> 200.27.164.214 port 57587 ssh2
SVD> ...
SVD> Nov 17 13:40:17 master-db6 sshd[3961]: error: PAM: authentication
SVD> error for illegal user colman from 80.243.172.54
SVD> Nov 17 13:40:17 master-db6 sshd[3961]: Failed
SVD> keyboard-interactive/pam for invalid user colman from
SVD> 80.243.172.54 port 45081 ssh2
SVD> ...
SVD>
SVD> As you can see I got 2 connections from 1 ip in 1 second but...
SVD>
SVD> #pfctl -tbots -Tshow|wc -l
SVD> 0
SVD>
SVD> Where am I wrong?
SVD>
SVD> pf.conf:
SVD>
SVD> ext_if="em0"
SVD>
SVD> table { my_net/24, some_ip/32}
SVD> table <bots> persist
SVD>
SVD> scrub in all
SVD>
SVD> pass in quick on $ext_if proto tcp from
SVD> block in quick from <bots>
SVD>
SVD> pass in quick on $ext_if proto tcp to $ext_if port ssh \
SVD>     flags S/SA keep state \
SVD>     ( max-src-conn-rate 2/1 overload <bots> flush )
SVD>
SVD> pass in all
SVD> pass out all
SVD>
SVD> --
SVD> wbr, tiger

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 17 11:10:03 2009
From: "Sergey V. Dyatko"
To: freebsd-pf@FreeBSD.org
Date: Tue, 17 Nov 2009 12:48:04 +0200
Message-ID: <20091117124804.08d70a8e@notebook>
Subject: pf and max-src-conn-rate

Hi list,
I'm trying to stop ssh bruteforce on my box (rules below), but it doesn't work. Looks like a 1sec interval is too small :(

from auth.log:
...
Nov 17 13:32:14 master-db6 sshd[3902]: Invalid user cobert from 200.27.164.214
Nov 17 13:32:14 master-db6 sshd[3902]: error: PAM: authentication error for illegal user cobert from server.aconex.cl
Nov 17 13:32:14 master-db6 sshd[3902]: Failed keyboard-interactive/pam for invalid user cobert from 200.27.164.214 port 57587 ssh2
...
Nov 17 13:40:17 master-db6 sshd[3961]: error: PAM: authentication error for illegal user colman from 80.243.172.54
Nov 17 13:40:17 master-db6 sshd[3961]: Failed keyboard-interactive/pam for invalid user colman from 80.243.172.54 port 45081 ssh2
...

As you can see I got 2 connections from 1 ip in 1 second but...

#pfctl -tbots -Tshow|wc -l
0

Where am I wrong?

pf.conf:

ext_if="em0"

table { my_net/24, some_ip/32}
table <bots> persist

scrub in all

pass in quick on $ext_if proto tcp from
block in quick from <bots>

pass in quick on $ext_if proto tcp to $ext_if port ssh \
    flags S/SA keep state \
    ( max-src-conn-rate 2/1 overload <bots> flush )

pass in all
pass out all

--
wbr, tiger

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 19 10:15:27 2009
From: Mohacsi Janos
To: FreeBSD-gnats-submit@freebsd.org
Cc: freebsd-pf@freebsd.org
Date: Thu, 19 Nov 2009 11:15:22 +0100 (CET)
Message-Id: <20091119101522.7D9E5847EC@mail.ki.iif.hu>
Reply-To: Mohacsi Janos
Subject: pf behaviour changes - must be documented

>Submitter-Id: current-users
>Originator: Mohacsi Janos
>Organization: NIIF
>Confidential: no
>Synopsis: pf behaviour changes - must be documented
>Severity: non-critical
>Priority: low
>Category: kern
>Class: doc-bug
>Release: FreeBSD 6.4-STABLE i386
>Environment:
System: FreeBSD mignon.ki.iif.hu 6.4-STABLE FreeBSD 6.4-STABLE #18: Tue Oct 27 16:19:23 CET 2009 root@mignon.ki.iif.hu:/usr/obj/usr/src/sys/MIGNON2 i386
>Description:
The pf behaviour about the fragmented packets has been changed since FreeBSD 6.4-STABLE #17: Fri Jul 3 14:34:44 CEST 2009, at least to FreeBSD 6.4-STABLE #18: Tue Oct 27 16:19:23 CET 2009. Before some changes in pf it was working without scrubbing. After the changes:

scrub in on no-df

must be configured for proper operation....
>How-To-Repeat:
try earlier version of FreeBSD and latest 6.4 stable.
>Fix:
Document these pf changes.

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 19 20:30:53 2009
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Thu, 19 Nov 2009 20:30:52 GMT
Message-Id: <200911192030.nAJKUqdQ044717@freefall.freebsd.org>
Subject: Re: kern/140697: [pf] pf behaviour changes - must be documented

Old Synopsis: pf behaviour changes - must be documented
New Synopsis: [pf] pf behaviour changes - must be documented

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Thu Nov 19 20:30:32 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=140697

From owner-freebsd-pf@FreeBSD.ORG Sat Nov 21 15:27:53 2009
Date: Sat, 21 Nov 2009 21:06:50 +0600
Message-ID:
<6c51dbb10911210706g3490e463x7fdf3809243e30d2@mail.gmail.com>
From: Victor Lyapunov
To: freebsd-pf@freebsd.org
Subject: sending mail with attachments always fails (FreeBSD/pf)

Hi all,

I have a production network with a FreeBSD box acting as firewall. The problem emerges as soon as users send mail with attachments. (Sending mail without attachments always succeeds). Basically, when a user tries to send a message, only part of it is transmitted before the connection is interrupted and sending fails. The problem persists only when pf is enabled.

My ruleset:

scrub in all fragment reassemble
block drop on em0 all
pass inet proto tcp from 192.168.0.0/24 to any port = smtp flags S/SA keep state
pass inet proto tcp from 192.168.0.0/24 to any port = pop3 flags S/SA keep state
pass inet proto tcp from 192.168.0.0/24 to any port = imap flags S/SA keep state
pass inet proto tcp from 192.168.0.0/24 to any port = smtps flags S/SA keep state
pass inet proto tcp from 192.168.0.0/24 to any port = pop3s flags S/SA keep state
pass proto udp from any to any port = domain keep state

This is what I get from pfctl -si just after #/etc/rc.d/pf start

# pfctl -si
Status: Enabled for 0 days 00:00:09           Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                                  0            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

After I try to send some mail with attachments a couple of times (which always fail), I get this from pfctl -si:

Status: Enabled for 0 days 00:02:58           Debug: Urgent

State Table                          Total             Rate
  current entries                       48
  searches                            1313            7.4/s
  inserts                              131            0.7/s
  removals                              83            0.5/s
Counters
  match                                152            0.9/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                        22            0.1/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

Any suggestions/ideas would be appreciated,

Best regards,
Victor

FreeBSD router 7.2-RELEASE FreeBSD 7.2-RELEASE #4: Sun May 3 23:29:04 2009 root@router:/usr/obj/usr/src/sys/GENERIC i386

From owner-freebsd-pf@FreeBSD.ORG Sat Nov 21 17:54:12 2009
From: olli hauer
To: Victor Lyapunov
Cc: freebsd-pf@freebsd.org
Date: Sat, 21 Nov 2009 18:27:30 +0100
Message-ID: <4B082302.3040704@gmx.de>
In-Reply-To: <6c51dbb10911210706g3490e463x7fdf3809243e30d2@mail.gmail.com>
References: <6c51dbb10911210706g3490e463x7fdf3809243e30d2@mail.gmail.com>
Subject: Re: sending mail with attachments always fails (FreeBSD/pf)
Victor Lyapunov wrote:
> Hi all,
>
> I have a production network with a FreeBSD box acting as firewall. The
> problem emerges as soon as users send mail with attachments. (Sending
> mail without attachments always succeeds). Basically, when a user
> tries to send a message, only part of it is transmitted before the connection
> is interrupted and sending fails. The problem persists only when pf is
> enabled.
>
> My ruleset:
> scrub in all fragment reassemble
> block drop on em0 all
> pass inet proto tcp from 192.168.0.0/24 to any port = smtp flags S/SA keep state
> pass inet proto tcp from 192.168.0.0/24 to any port = pop3 flags S/SA keep state
> pass inet proto tcp from 192.168.0.0/24 to any port = imap flags S/SA keep state
> pass inet proto tcp from 192.168.0.0/24 to any port = smtps flags S/SA keep state
> pass inet proto tcp from 192.168.0.0/24 to any port = pop3s flags S/SA keep state
> pass proto udp from any to any port = domain keep state
>
[...]

Is this only for client submitting (imap) or even for incoming mails from outside via smtp?

What about outgoing traffic from the machine?

Try the following in pf.conf to see why this happens

set loginterface pflog0
set block-policy drop
set skip on lo0

block drop in log on em0 all
pass out log on em0 all

Now use tcpdump to see which rule drops the traffic
#> tcpdump -net -i pflog0

-- 
olli

From owner-freebsd-pf@FreeBSD.ORG Sat Nov 21 18:07:16 2009
In-Reply-To: <4B082302.3040704@gmx.de>
References: <6c51dbb10911210706g3490e463x7fdf3809243e30d2@mail.gmail.com> <4B082302.3040704@gmx.de>
Date: Sun, 22 Nov 2009 00:07:14 +0600
Message-ID: <6c51dbb10911211007x4ea07528y7642460629788903@mail.gmail.com>
From: Victor Lyapunov
To: olli hauer , freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 Cc: Subject: Re: sending mail with attachments always fails (FreeBSD/pf) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Nov 2009 18:07:16 -0000 Thanks for your answer, olli. As i send mail not from my freebsd server, but rather from the clients on the local network, so here's what i did: my pf.conf: set loginterface pflog0 set block-policy drop set skip on lo0 block drop log on em0 all pass log inet proto tcp from 192.168.0.0/24 to any port {smtp, pop3, imap, smtps, pop3s} flags S/SA keep state pass log proto udp from any to any port = domain keep state # tcpdump -net -i pflog0 Now i went to a windows computer and tried to send an email with attachment to gmail.com (sending failed at 2%) here's what i got in my pflog: rule 4/0(match): pass in on em0: (tos 0x0, ttl 128, id 19860, offset 0, flags [DF], proto TCP (6), length 48) 192.168.0.5.1822 > 209.85.129.111.465: [|tcp] rule 4/0(match): pass out on em0: (tos 0x0, ttl 127, id 19860, offset 0, flags [DF], proto TCP (6), length 48) 192.168.0.5.1822 > 209.85.129.111.465: tcp 28 [bad hdr length 0 - too short, < 20] 2 packets captured 2 packets received by filter 0 packets dropped by kernel Again, everything works just fine when pf is disabled. And there's no problems for incoming traffic, only outgoing traffic gets corrupted( that is, dropped in the middle of transmitting data). Any ideas? 2009/11/21 olli hauer : > Victor Lyapunov wrote: >> >> Hi all, >> >> I have production network with FreeBSD box acting as firewall. The >> problem emerge as soon as users send mail with attachments. (Sending >> mail without attachments always succeeds). 
Basically, when a user >> tries to send a message, only part of it transmitted before connection >> is interrupted and sending fails. The problem persists only when pf is >> enabled. >> >> My ruleset: >> scrub in all fragment reassemble >> block drop on em0 all >> pass inet proto tcp from 192.168.0.0/24 to any port = smtp flags S/SA keep >> state >> pass inet proto tcp from 192.168.0.0/24 to any port = pop3 flags S/SA keep >> state >> pass inet proto tcp from 192.168.0.0/24 to any port = imap flags S/SA keep >> state >> pass inet proto tcp from 192.168.0.0/24 to any port = smtps flags S/SA >> keep state >> pass inet proto tcp from 192.168.0.0/24 to any port = pop3s flags S/SA >> keep state >> pass proto udp from any to any port = domain keep state >> > > [...] > > Is this only for client submitting (imap) or even for incoming mails from > outside via smtp? > > What about outgoing traffic from the machine? > > Try the following in pf.conf to see why this happens > > set loginterface pflog0 > set block-policy drop > set skip on lo0 > > block drop in log on em0 all > pass out log on em0 all > > Now use tcpdump to see which rule drops the traffic > #> tcpdump -net -i pflog0 > > -- > olli > From owner-freebsd-pf@FreeBSD.ORG Sat Nov 21 18:24:00 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1DBAF106568D for ; Sat, 21 Nov 2009 18:24:00 +0000 (UTC) (envelope-from mike@jellydonut.org) Received: from mail-fx0-f227.google.com (mail-fx0-f227.google.com [209.85.220.227]) by mx1.freebsd.org (Postfix) with ESMTP id B3CD08FC21 for ; Sat, 21 Nov 2009 18:23:59 +0000 (UTC) Received: by fxm27 with SMTP id 27so4744408fxm.3 for ; Sat, 21 Nov 2009 10:23:58 -0800 (PST) MIME-Version: 1.0 Received: by 10.102.160.15 with SMTP id i15mr1321340mue.130.1258827838720; Sat, 21 Nov 2009 10:23:58 -0800 (PST) In-Reply-To: 
<6c51dbb10911211007x4ea07528y7642460629788903@mail.gmail.com> References: <6c51dbb10911210706g3490e463x7fdf3809243e30d2@mail.gmail.com> <4B082302.3040704@gmx.de> <6c51dbb10911211007x4ea07528y7642460629788903@mail.gmail.com> Date: Sat, 21 Nov 2009 13:23:58 -0500 Message-ID: <1de79840911211023n165ecbd0h1051aaada4acefb@mail.gmail.com> From: Michael Proto To: Victor Lyapunov Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: freebsd-pf@freebsd.org Subject: Re: sending mail with attachments always fails (FreeBSD/pf) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Nov 2009 18:24:00 -0000 On Sat, Nov 21, 2009 at 1:07 PM, Victor Lyapunov wrote: > rule 4/0(match): pass out on em0: (tos 0x0, ttl 127, id 19860, offset > 0, flags [DF], proto TCP (6), length 48) 192.168.0.5.1822 > > 209.85.129.111.465: =A0tcp 28 [bad hdr length 0 - too short, < 20] This looks to be your problem-- bad hdr length 0. I don't know enough of what mailer(s) you're using to relay this message outbound, but since port 465 is smtp over TLS/SSL are you sure your smtp encryption is working correctly? I often see these types of errors with other TLS/SSL apps when one side is expecting an encrypted connection and the other is not (correctly) providing it. Have you tried using unencrypted smtp on port 25? Does that work? 
-Proto From owner-freebsd-pf@FreeBSD.ORG Sat Nov 21 18:27:09 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A17C91065670 for ; Sat, 21 Nov 2009 18:27:09 +0000 (UTC) (envelope-from mike@jellydonut.org) Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.152]) by mx1.freebsd.org (Postfix) with ESMTP id 418C18FC12 for ; Sat, 21 Nov 2009 18:27:08 +0000 (UTC) Received: by fg-out-1718.google.com with SMTP id d23so1773605fga.13 for ; Sat, 21 Nov 2009 10:27:08 -0800 (PST) MIME-Version: 1.0 Received: by 10.103.76.21 with SMTP id d21mr1319055mul.78.1258828028231; Sat, 21 Nov 2009 10:27:08 -0800 (PST) In-Reply-To: <1de79840911211023n165ecbd0h1051aaada4acefb@mail.gmail.com> References: <6c51dbb10911210706g3490e463x7fdf3809243e30d2@mail.gmail.com> <4B082302.3040704@gmx.de> <6c51dbb10911211007x4ea07528y7642460629788903@mail.gmail.com> <1de79840911211023n165ecbd0h1051aaada4acefb@mail.gmail.com> Date: Sat, 21 Nov 2009 13:27:08 -0500 Message-ID: <1de79840911211027mbc0e731l565817f678db128e@mail.gmail.com> From: Michael Proto To: Victor Lyapunov Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: freebsd-pf@freebsd.org Subject: Re: sending mail with attachments always fails (FreeBSD/pf) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Nov 2009 18:27:09 -0000 On Sat, Nov 21, 2009 at 1:23 PM, Michael Proto wrote: > On Sat, Nov 21, 2009 at 1:07 PM, Victor Lyapunov > wrote: > >> rule 4/0(match): pass out on em0: (tos 0x0, ttl 127, id 19860, offset >> 0, flags [DF], proto TCP (6), length 48) 192.168.0.5.1822 > >> 209.85.129.111.465: =A0tcp 28 [bad hdr length 0 - too short, < 20] > > This looks 
to be your problem-- bad hdr length 0. I don't know enough > of what mailer(s) you're using to relay this message outbound, but > since port 465 is smtp over TLS/SSL are you sure your smtp encryption > is working correctly? I often see these types of errors with other > TLS/SSL apps when one side is expecting an encrypted connection and > the other is not (correctly) providing it. > > Have you tried using unencrypted smtp on port 25? Does that work? > Er... wait, I just re-read that you said things work fine with pf disabled, so my theory about bad encryption probably isn't very accurate. Are you still using a scrub rule? Have you tried disabling it? If pf is seeing a "bad hdr length" error it might be dropping the packet due to scrubbing. Of course, this could also mean that TSO is enabled on your ethernet interface and bpf just isn't seeing the tcp header at all, so my whole theory might be moot. -Proto From owner-freebsd-pf@FreeBSD.ORG Sat Nov 21 19:25:20 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E3F57106566B for ; Sat, 21 Nov 2009 19:25:20 +0000 (UTC) (envelope-from ohauer@gmx.de) Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by mx1.freebsd.org (Postfix) with SMTP id 2D6078FC0A for ; Sat, 21 Nov 2009 19:25:19 +0000 (UTC) Received: (qmail invoked by alias); 21 Nov 2009 19:25:18 -0000 Received: from u18-124.dsl.vianetworks.de (EHLO [172.20.1.100]) [194.231.39.124] by mail.gmx.net (mp044) with SMTP; 21 Nov 2009 20:25:18 +0100 X-Authenticated: #1956535 X-Provags-ID: V01U2FsdGVkX1/6kK8clXX6VH4pTKclRI6HBliBJJkHNhROxItm2h CPEJnc62/GPJ34 Message-ID: <4B083E9D.5070508@gmx.de> Date: Sat, 21 Nov 2009 20:25:17 +0100 From: olli hauer User-Agent: Thunderbird 2.0.0.23 (Windows/20090812) MIME-Version: 1.0 To: Victor Lyapunov References: <6c51dbb10911210706g3490e463x7fdf3809243e30d2@mail.gmail.com> <4B082302.3040704@gmx.de> 
<6c51dbb10911211007x4ea07528y7642460629788903@mail.gmail.com> In-Reply-To: <6c51dbb10911211007x4ea07528y7642460629788903@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Y-GMX-Trusted: 0 X-FuHaFi: 0.6 Cc: freebsd-pf@freebsd.org Subject: Re: sending mail with attachments always fails (FreeBSD/pf) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Nov 2009 19:25:21 -0000 Victor Lyapunov wrote: > Thanks for your answer, olli. > > As i send mail not from my freebsd server, but rather from the clients > on the local network, so here's what i did: > > my pf.conf: > set loginterface pflog0 > set block-policy drop > set skip on lo0 > block drop log on em0 all > pass log inet proto tcp from 192.168.0.0/24 to any port {smtp, pop3, > imap, smtps, pop3s} flags S/SA keep state > pass log proto udp from any to any port = domain keep state > > > # tcpdump -net -i pflog0 > Now i went to a windows computer and tried to send an email with > attachment to gmail.com (sending failed at 2%) > > here's what i got in my pflog: > > rule 4/0(match): pass in on em0: (tos 0x0, ttl 128, id 19860, offset > 0, flags [DF], proto TCP (6), length 48) 192.168.0.5.1822 > > 209.85.129.111.465: [|tcp] > rule 4/0(match): pass out on em0: (tos 0x0, ttl 127, id 19860, offset > 0, flags [DF], proto TCP (6), length 48) 192.168.0.5.1822 > > 209.85.129.111.465: tcp 28 [bad hdr length 0 - too short, < 20] why is the [DF] bit set? can you try with the following pf option scrub all no-df
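As an added example that is not from any of the posters, a small Python parser for the "tcpdump -net -i pflog0" lines olli asked for, run over Victor's two pflog lines plus one constructed "block" line; it flags the three things raised in the thread: which rule dropped a packet, the "bad hdr length" that Proto attributes to TSO, and the DF bit olli asks about. The third sample line and the wording of the suggested checks are assumptions for illustration.

```python
import re

# Constructed sample in the tcpdump -net -i pflog0 format shown in the thread:
# Victor's two lines, plus one constructed "block" line to show a real drop.
SAMPLE_PFLOG = """\
rule 4/0(match): pass in on em0: (tos 0x0, ttl 128, id 19860, offset 0, flags [DF], proto TCP (6), length 48) 192.168.0.5.1822 > 209.85.129.111.465: [|tcp]
rule 4/0(match): pass out on em0: (tos 0x0, ttl 127, id 19860, offset 0, flags [DF], proto TCP (6), length 48) 192.168.0.5.1822 > 209.85.129.111.465: tcp 28 [bad hdr length 0 - too short, < 20]
rule 1/0(match): block in on em0: (tos 0x0, ttl 64, id 4242, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.7.3000 > 203.0.113.9.25: [|tcp]
"""

# One pflog line: rule number, action, direction, interface, IP flags,
# total length, endpoints, and whatever tcpdump printed for the TCP part.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<ifc>\w+): \(.*?flags \[(?P<flags>[^\]]*)\].*?length (?P<len>\d+)\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)"
)

def parse_pflog(text):
    """Return one dict per parseable pflog line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # e.g. "2 packets captured"
        rec = m.groupdict()
        rec["rule"] = int(rec["rule"])
        rec["df"] = "DF" in rec["flags"].split(", ")
        # tcpdump saw no complete TCP header: on a pass rule this points at a
        # large segment handed to the NIC (TSO), not at a malformed packet.
        rec["bad_hdr"] = "bad hdr length" in rec["rest"]
        records.append(rec)
    return records

def diagnose(records):
    """Map parsed lines to the checks raised in the thread (wording assumed)."""
    findings = []
    for r in records:
        flow = f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} ({r['dir']} on {r['ifc']})"
        if r["action"] == "block":
            findings.append(f"{flow}: dropped by rule {r['rule']}")
        if r["bad_hdr"]:
            findings.append(f"{flow}: truncated TCP header in pflog; check TSO "
                            f"on {r['ifc']} (ifconfig {r['ifc']}) before blaming a rule")
        if r["df"] and r["dir"] == "out":
            findings.append(f"{flow}: DF set on outbound packet; "
                            f"'scrub all no-df' clears it if path MTU is the issue")
    return findings

if __name__ == "__main__":
    for finding in diagnose(parse_pflog(SAMPLE_PFLOG)):
        print(finding)
```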