From owner-freebsd-pf@FreeBSD.ORG Mon Dec 21 05:58:58 2009
From: Gaurav Ghimire <gaurav@subisu.net.np>
To: freebsd-pf@freebsd.org
Date: Mon, 21 Dec 2009 11:43:53 +0545
Message-ID: <4B2F0E9D.7020603@subisu.net.np>
Subject: External scripts with PF.
List-Id: "Technical discussion and general questions about packet filter (pf)"
X-List-Received-Date: Mon, 21 Dec 2009 05:58:58 -0000

Hi all,

Are there any possibilities that I could run a script (bash, perl) when any rule is matched?

For example, I have some distinct rule and want to get an alert email each time any connection threshold is crossed on it from a single IP.
Say I want one IP to only have 1 http connection to a web service on my server; if it goes to 2, pf would update a table or run an external script that would alert me about that IP. This is just a concept and I am not doing it for real. Just wanted to know if there are any possibilities that I could run external scripts or invoke them when a rule is matched.

I would appreciate any hints or references.

Regards,
--
Gaurav Ghimire
System Administrator - Systems (R&D)
Subisu Cablenet (P.) Ltd.
148 Thirbum Sadak Baluwatar, Kathmandu Nepal
T: 00977 1 4429616/17 Ext.: 121
F: 00977 1 4430572
http://www.subisu.net.np (An ISO 9001:2000 Certified Company)

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 21 09:03:16 2009
From: Tom Uffner <tom@uffner.com>
To: Gaurav Ghimire
Cc: freebsd-pf@freebsd.org
Date: Mon, 21 Dec 2009 04:03:06 -0500
Message-ID: <4B2F39CA.5060805@uffner.com>
In-Reply-To: <4B2F0E9D.7020603@subisu.net.np>
Subject: Re: External scripts with PF.
Gaurav Ghimire wrote:
> Are there any possibilities that I could run a script (bash, perl) when
> any rule is matched.

make sure the rule you want to trigger your script includes "log".

have your script tail pflog, and watch for your trigger rule before performing its action.

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 21 11:07:01 2009
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
To: freebsd-pf@FreeBSD.org
Date: Mon, 21 Dec 2009 11:07:00 GMT
Message-Id: <200912211107.nBLB70Lu004168@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Note: to view an individual PR, use: http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker       Resp. Description
--------------------------------------------------------------------------------
o kern/140697   pf    [pf] pf behaviour changes - must be documented
o kern/137982   pf    [pf] when pf can hit state limits, random IP failures
o kern/136781   pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948   pf    [pf] [gre] pf not natting gre protocol
o kern/135162   pf    [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996   pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732   pf    [pf] max-src-conn issue
o kern/132769   pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176   pf    [pf] pf stalls connection when using route-to [regress
o conf/130381   pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861   pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920   pf    [pf] ipv6 and synproxy don't play well together
o conf/127814   pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439   pf    [pf] deadlock in pf
f kern/127345   pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121   pf    [pf] [patch] pf incorrect log priority
o kern/127042   pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467   pf    [pf] pf keep state bug while handling sessions between
s kern/124933   pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364   pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773   pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014   pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704   pf    [pf] PF mangles loopback packets
o kern/120281   pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057   pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355    pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567   pf    [pf] [lor] pf_ioctl.c + if.c
o kern/114095   pf    [carp] carp+pf delay with high state limit
o kern/111220   pf    [pf] repeatable hangs while manipulating pf tables
s conf/110838   pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283   pf    pfsync fails to sucessfully transfer some sessions
o kern/103281   pf    pfsync reports bulk update failures
o kern/93825    pf    [pf] pf reply-to doesn't work
o sparc/93530   pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949    pf    [pf] PF + ALTQ problems with latency
o bin/86635     pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271    pf    [pf] cbq scheduler cause bad latency

37 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 21 14:57:58 2009
From: Peter Maxwell <allicient3141@googlemail.com>
To: Tom Uffner, freebsd-pf@freebsd.org
Date: Mon, 21 Dec 2009 14:57:57 +0000
Message-ID: <7731938b0912210657q756fa0fcve69ce02afdd36bca@mail.gmail.com>
In-Reply-To: <4B2F39CA.5060805@uffner.com>
Subject: Re: External scripts with PF.

2009/12/21 Tom Uffner:
> Gaurav Ghimire wrote:
>>
>> Are there any possibilities that I could run a script (bash, perl) when
>> any rule is matched.
>
> make sure the rule you want to trigger your script includes "log".
>
> have your script tail pflog, and watch for your trigger rule before
> performing its action.

Erm, not to sound completely ignorant, but I'm assuming that implies he has to write a perl script to parse binary output? He can't pipe it through tcpdump as that would be a seriously bad idea.
From owner-freebsd-pf@FreeBSD.ORG Mon Dec 21 15:09:07 2009
From: Peter Maxwell <allicient3141@googlemail.com>
To: Gaurav Ghimire
Cc: freebsd-pf@freebsd.org
Date: Mon, 21 Dec 2009 15:09:05 +0000
Message-ID: <7731938b0912210709l2dfbea79u4aa7c245e82bd203@mail.gmail.com>
In-Reply-To: <4B2F0E9D.7020603@subisu.net.np>
Subject: Re: External scripts with PF.
2009/12/21 Gaurav Ghimire:
> Hi all,
>
> Are there any possibilities that I could run a script (bash, perl) when
> any rule is matched.
>
> For example, I have some distinct rule and want to get an alert email
> each time any connection threshold is crossed on it from a single IP. Say
> I want one IP only have 1 http connection to a web service in my server,
> if it goes 2 pf would update a table or run a external script that would
> alert me about that IP.

For tracking source IPs and adding them to a table, you can already do this, c.f. max-src-conn and overload in the pf.conf man page.

If you use the overload keyword to dump the bad IPs into a table then as a quick and dirty solution for scripting you can then run a script from cron every few minutes to do something like:

    pfctl -t table_name_with_bad_ips -T show

Just a quick warning in advance though, you're going to need a lot more than just 1 allowed tcp connection per source IP to get an HTTP service working properly, unless you want your web sites to be practically unusable. Personally, I'd set it to around 30 at first then see how it goes - no normal usage should hit this, only a badly configured robot. Remember you're allowing for both users' browsers using more than one connection at a time and the possibility of a single source IP having many clients NAT'ed behind it.
From owner-freebsd-pf@FreeBSD.ORG Mon Dec 21 15:52:37 2009
From: Kevin <k@kevinkevin.com>
To: Gaurav Ghimire
Cc: freebsd-pf@freebsd.org
Date: Mon, 21 Dec 2009 10:51:50 -0500
Message-ID: <03bd01ca8255$83b5a0f0$8b20e2d0$@com>
In-Reply-To: <7731938b0912210709l2dfbea79u4aa7c245e82bd203@mail.gmail.com>
Subject: RE: External scripts with PF.
> For tracking source IPs and adding them to a table, you can already do
> this, c.f. max-src-conn and overload in the pf.conf man page.
>
> If you use the overload keyword to dump the bad IPs into a table then
> as a quick and dirty solution for scripting you can then run a script
> from cron every few minutes to do something like:
>
> pfctl -t table_name_with_bad_ips -T show

To continue on Peter's idea, here's a script I wrote to parse pf tables and send email alerts based on the output. You can run it as a regular cronjob:

http://blog.stardothosting.com/2009/08/12/freebsd-pf-packet-filter-shell-script-to-report-on-hacking-attempts/

It's not up-to-the-minute, but it works pretty well as a daily mail alert.
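The following is an added example, not Kevin's script or anything else posted in this thread. It is the shape of the cron job Peter and Kevin describe: `pfctl -t TABLE -T show` on a schedule, with one refinement beyond Peter's one-liner, namely that it keeps the previous dump and mails only the addresses that have appeared since the last run, so a busy overload table does not produce the same alert every few minutes. The table name `abusive_ips`, the state file under `/var/db` and the recipient in `$MAILTO` are assumptions; `pfctl -T show`, `comm(1)`, `sed(1)` and `mail(1)` are the standard FreeBSD tools.

```sh
#!/bin/sh
# Added example, not Kevin's script or anything else from the thread: a
# cron-driven check of a pf overload table that reports only the addresses
# added since the previous run. Assumptions: the table is called
# "abusive_ips", the state file lives under /var/db, and alerts go to the
# address in $MAILTO (placeholder: root). All three can be overridden from
# the environment.
TABLE="${TABLE:-abusive_ips}"
STATE="${STATE:-/var/db/pf-${TABLE}.last}"
MAILTO="${MAILTO:-root}"

# normalize_dump: read a `pfctl -t TABLE -T show` dump on stdin and emit one
# address per line, leading whitespace stripped and blank lines dropped,
# sorted and de-duplicated so that comm(1) can compare two dumps.
normalize_dump() {
    sed 's/^[[:space:]]*//; /^$/d' | sort -u
}

# diff_new PREV CUR: print addresses present in CUR but absent from PREV.
# Both files must be normalized. A missing PREV (first run) counts as empty,
# so every current entry is reported exactly once.
diff_new() {
    if [ -f "$1" ]; then
        comm -13 "$1" "$2"
    else
        cat "$2"
    fi
}

# report_new: dump the live table, compare with the saved state, mail any
# additions and save the current dump as the new state. A failed pfctl call
# aborts without touching the state, so a transient error does not make
# every entry look new on the following run. Needs privilege to read pf.
report_new() {
    cur=$(mktemp) || return 1
    if ! dump=$(pfctl -t "$TABLE" -T show); then
        rm -f "$cur"
        return 1
    fi
    printf '%s\n' "$dump" | normalize_dump > "$cur"
    added=$(diff_new "$STATE" "$cur")
    if [ -n "$added" ]; then
        printf 'New entries in pf table <%s> on %s:\n\n%s\n' \
            "$TABLE" "$(hostname)" "$added" |
            mail -s "pf: new entries in table $TABLE" "$MAILTO"
    fi
    mv "$cur" "$STATE"
}

# Only touch pfctl when invoked as "pf-table-alert.sh --cron" (e.g. from a
# crontab entry); sourcing the file just defines the functions.
if [ "${1:-}" = "--cron" ]; then
    report_new
fi
```

Run it from a crontab entry as `pf-table-alert.sh --cron`; the first run mails the whole table, later runs only the additions. Nothing here is hooked into the packet filter itself: the script is an ordinary scheduled read of the table, which keeps the alerting logic, its mail delivery and its failure modes off the filtering path.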
From owner-freebsd-pf@FreeBSD.ORG Mon Dec 21 22:12:54 2009
From: Adam Egan <adam.egan@gmail.com>
To: freebsd-pf@freebsd.org
Date: Mon, 21 Dec 2009 21:42:35 +0000
Message-ID: <28745bbf0912211342r63f4131dnbab5f41d1260b390@mail.gmail.com>
Subject: Ruleset causing problems with N95?
I've recently been making an effort to get my N95 to work on my LAN. I have reason to believe that, for some reason, my router/ruleset is inhibiting the phone's access.

My ruleset is here: http://pastebin.com/m56dadcd8

Basically, I cannot download files on my phone, or use the sync, Spotify, Gmail or similar applications. When I try to download a file, it seems to be listed as 2KB, and then nothing happens. I'm not sure what on earth could be causing it, and I have tried playing around with the rules.

Taking the router out of the equation does fix the matter.

add

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 22 01:03:14 2009
From: no name <britneyfreek@googlemail.com>
To: Adam Egan
Cc: freebsd-pf@freebsd.org
Date: Tue, 22 Dec 2009 02:03:54 +0100
Message-ID: <7517921781821559764@unknownmsgid>
In-Reply-To: <28745bbf0912211342r63f4131dnbab5f41d1260b390@mail.gmail.com>
Subject: Re: Ruleset causing problems with N95?

hello,

i had a similar problem on my iPhone/iPod touch... try to enable any fix-mss option in your pppoe client (I suppose you use one)

cheers,
b

Am 21.12.2009 um 22:42 schrieb Adam Egan:

> I've recently been making an effort to get my N95 to work on my LAN. I
> have reason to believe that for some reason, my router/ruleset is
> inhibiting the phone's access.
>
> My ruleset is here: http://pastebin.com/m56dadcd8
>
> basically, i cannot download files on my phone, or use the sync,
> spotify, gmail or similar applications. When I try to download a file,
> it seems to be listed as 2KB, and then nothing happens. I'm not sure
> what on earth could be causing it, and I have tried playing around
> with the rules.
>
> taking the router out of the equation does fix the matter.
>
> add
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 22 01:41:48 2009
From: Ramon Amable Gonzalez Peguero <zimplex@gmail.com>
To: freebsd-pf@freebsd.org
Date: Mon, 21 Dec 2009 20:47:49 -0430
Message-ID: <3603b57e0912211717i2be2f5a8tf0231072cbf134c9@mail.gmail.com>
Subject: hello, please I need information about reading and writing Ethernet frames

hello, excuse my English, I am from the Dominican Republic. If you can help me, I would appreciate it. I am looking for information about network programming, where I can read and write Ethernet frames.

thanks, and please forgive my ignorance

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 22 04:08:23 2009
From: Gaurav Ghimire <gaurav@subisu.net.np>
To: Kevin
Date: Tue, 22 Dec 2009 09:53:07 +0545
Message-ID: <4B304627.5020209@subisu.net.np>
In-Reply-To: <03bd01ca8255$83b5a0f0$8b20e2d0$@com>
Cc: freebsd-pf@freebsd.org
Subject: Re: External scripts with PF.

Kevin wrote:
>> For tracking source IPs and adding them to a table, you can already do
>> this, c.f. max-src-conn and overload in the pf.conf man page.
>>
>> If you use the overload keyword to dump the bad IPs into a table then
>> as a quick and dirty solution for scripting you can then run a script
>> from cron every few minutes to do something like:
>>
>> pfctl -t table_name_with_bad_ips -T show
>
> To continue on Peter's idea, here's a script I wrote to parse pf tables and
> send email alerts based on the output. You can run it as a regular cronjob:
>
> http://blog.stardothosting.com/2009/08/12/freebsd-pf-packet-filter-shell-script-to-report-on-hacking-attempts/
>
> It's not up-to-the-minute, but it works pretty well as a daily mail alert.

Hi Kevin and all,

Thanks for your replies. Yes, regarding reporting the bad IPs, I have already done something like your script here: http://nixify.blogspot.com/2009/10/getting-reports-on-intrusion-attempts.html. But this time what I wanted was like this: at times a few clients from my own network fall into the abusive_ips table I have built to stop any such malicious floods emerging from my network, be it because of worms or malware. I have a pf table that overloads itself when a threshold is crossed, as referred to by Peter.
I was thinking if I could trigger an external script each time the table is loaded with an IP. Say I have rules something like:

    block in log quick on $ext_if proto tcp from <abusive_ips> to any
    block in log quick on $ext_if proto udp from <abusive_ips> to any
    pass in quick on $ext_if proto tcp from any to port $mail_ports keep state (max-src-conn 15, max-src-conn-rate 5/5, overload <abusive_ips> flush)

This would block any smtp flooding attempts from any IPs. But I was thinking if I could be informed via an email alert that a new IP has been added to the table abusive_ips. It seems this would have been possible if there was a possibility that I could trigger an external script on the 3rd rule I have. And the external script would just do pfctl -t abusive_ips -T show and mail it to me, or I could just have some more intelligence there and save a record of the previous show output and mail the diffs; that way I could get the new IPs that have been added to the table, and inform those clients that they have something fishy going on at their end that is bombing my mail servers. That way I would not need to make it a regular cron job and would have the advantage of running it only when a new IP is added to the table.

Was just thinking if this could have been possible.

Again, thanks for your replies.

Regards,
--
Gaurav Ghimire
System Administrator - Systems (R&D)
Subisu Cablenet (P.) Ltd.
148 Thirbum Sadak Baluwatar, Kathmandu Nepal
T: 00977 1 4429616/17 Ext.: 121
F: 00977 1 4430572
http://www.subisu.net.np (An ISO 9001:2000 Certified Company)

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 22 06:46:49 2009
In-Reply-To: <4B304627.5020209@subisu.net.np>
<4B304627.5020209@subisu.net.np> Date: Tue, 22 Dec 2009 06:46:47 +0000 X-Google-Sender-Auth: ffa9a07508dd1228 Message-ID: <7731938b0912212246i2ca96420g7c56b4a72c4298e@mail.gmail.com> From: Peter Maxwell To: Gaurav Ghimire Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: freebsd-pf@freebsd.org Subject: Re: External scripts with PF. X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Dec 2009 06:46:49 -0000 2009/12/22 Gaurav Ghimire : > thinking if I could be informed via an email alert that =A0a new IP has > been added to the table abusive_ips. =A0It seems this would have been > possible if there was a possibility that I could trigger an external > script on the rule 3rd rule I have. And the external script would just > do pfctl -t abusive_ips -T show and mail it to me, or I could just have > some more intelligence there and save a record of the previous show > output and mail the diffs that way I could get the new IPs that have > been added to the table. And inform them clients that they have > something fishy going at there end that is bombing my mail servers. That > way I would not need to make it a regular cron job and would have the > advantage of running it only when a new IP is added to the table. > > Was just thinking if this could have been possible. Writing or modifying a script to suit your needs then putting it in a crontab to run even every few minutes will do what you want. It will also take significantly less effort than breaking out your C compiler and learning enough about pf's API and internals to do it more elegantly. 
Apart from anything else, it is poor firewall design to have your firewall box execute code based on rules getting hit; if you don't understand why, seriously - get someone else to set up the firewall for you. If you look at commercial firewalls, any event notification is not done by the firewall appliance itself, it's always done on either a separate management console, IDS, SEM, whatever.

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 22 07:06:07 2009
From: Gaurav Ghimire
To: Peter Maxwell
Cc: freebsd-pf@freebsd.org
Date: Tue, 22 Dec 2009 12:50:24 +0545
Message-ID: <4B306FB4.2040100@subisu.net.np>
In-Reply-To: <7731938b0912212246i2ca96420g7c56b4a72c4298e@mail.gmail.com>
Subject: Re: External scripts with PF.

Peter Maxwell wrote:
> 2009/12/22 Gaurav Ghimire:
>
>> thinking if I could be informed via an email alert that a new IP has
>> been added to the table abusive_ips. It seems this would have been
>> possible if there was a possibility that I could trigger an external
>> script on the 3rd rule I have. And the external script would just
>> do pfctl -t abusive_ips -T show and mail it to me, or I could just have
>> some more intelligence there and save a record of the previous show
>> output and mail the diffs; that way I could get the new IPs that have
>> been added to the table, and inform those clients that they have
>> something fishy going on at their end that is bombing my mail servers. That
>> way I would not need to make it a regular cron job and would have the
>> advantage of running it only when a new IP is added to the table.
>>
>> Was just thinking if this could have been possible.
>
> Writing or modifying a script to suit your needs then putting it in a
> crontab to run even every few minutes will do what you want. It will
> also take significantly less effort than breaking out your C compiler
> and learning enough about pf's API and internals to do it more
> elegantly.
>
> Apart from anything else, it is poor firewall design to have your
> firewall box execute code based on rules getting hit; if you don't
> understand why, seriously - get someone else to set up the firewall for
> you. If you look at commercial firewalls, any event notification is
> not done by the firewall appliance itself, it's always done on either
> a separate management console, IDS, SEM, whatever.

Hi Peter,

Yes, I understand your concern here regarding the alert and notification job being something that a firewall isn't supposed to do. Lack of resources makes you try to get much more out of something, though it might seem impractical :). I will take your suggestions into consideration.

Thank you.

Regards,

-- 
Gaurav Ghimire
System Administrator - Systems (R&D)
Subisu Cablenet (P.) Ltd.

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 22 09:49:19 2009
From: Adam Egan
To: freebsd-pf@freebsd.org
Date: Tue, 22 Dec 2009 09:49:17 +0000
Message-ID: <28745bbf0912220149o617d7e98i1e753b1ccd7ffd76@mail.gmail.com>
In-Reply-To: <7517921781821559764@unknownmsgid>
Subject: Re: Ruleset causing problems with N95?

I'm not using a PPPoE client that I'm aware of...

Phone -> Wireless -> router

My router has UPnP enabled, which I thought might have helped, but it doesn't :(

I just googled for 'n95 fix-mss' and all I got was this mail on KernelTrap... was surprised it appeared so fast!

I added some TCP reassemble stuff to my ruleset to help with Vista/7's window scaling/autotuninglevel - could this be affecting it?

Adam

2009/12/22 no name:
> hello, i had a similar problem on my iphone/podtouch... try to enable
> any fix-mss option in your pppoe client (i suppose u use one)
>
> cheers, b
>
> Am 21.12.2009 um 22:42 schrieb Adam Egan:
>
>> I've recently been making an effort to get my N95 to work on my LAN. I
>> have reason to believe that for some reason, my router/ruleset is
>> inhibiting the phone's access.
>>
>> My ruleset is here: http://pastebin.com/m56dadcd8
>>
>> Basically, I cannot download files on my phone, or use the sync,
>> Spotify, Gmail or similar applications. When I try to download a file,
>> it seems to be listed as 2KB, and then nothing happens. I'm not sure
>> what on earth could be causing it, and I have tried playing around
>> with the rules.
>>
>> Taking the router out of the equation does fix the matter.
>>
>> add

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 22 22:32:05 2009
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-amd64@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Tue, 22 Dec 2009 22:32:05 GMT
Message-Id: <200912222232.nBMMW5un099995@freefall.freebsd.org>
Subject: Re: kern/141905: [pf] [panic] pf kernel panic on 7.2-RELEASE with empty pf.conf

Old Synopsis: pf kernel panic on 7.2-RELEASE with empty pf.conf
New Synopsis: [pf] [panic] pf kernel panic on 7.2-RELEASE with empty pf.conf

Responsible-Changed-From-To: freebsd-amd64->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Tue Dec 22 22:31:27 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=141905

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 22 23:50:17 2009
From: Miroslav Lachman <000.fbsd@quip.cz>
To: freebsd-pf@freebsd.org
Date: Wed, 23 Dec 2009 00:50:09 +0100
Message-ID: <4B315B31.7050902@quip.cz>
Subject: How to export / save and compare PF rule sets

Hi,

I am planning to write a script to check PF rulesets and send e-mail / SMS alerts on changes. I am planning to check the rules periodically, on boot, and to save the "current" state on shutdown. Compare the rules on boot with the state at shutdown and report differences, and check differences of the current rules compared to a well-known one (a read-only / signed file used at boot).

The main problem is that pfctl is not consistent in its output when used on the current (live) ruleset and on a file.

example:

# pfctl -s a | egrep '^(binat|nat|rdr|scrub|block|pass) .*' > /var/tmp/pf_rules.current
# pfctl -nvf /etc/pf.conf | egrep '^(binat|nat|rdr|scrub|block|pass) .*' > /var/tmp/pf_rules.boot
# diff /var/tmp/pf_rules.boot /var/tmp/pf_rules.current
1,2d0
< scrub in on bge1 all fragment reassemble
< scrub out on bge1 all no-df random-id max-mss 1492 fragment reassemble
6a5,6
> scrub in on bge1 all fragment reassemble
> scrub out on bge1 all no-df random-id max-mss 1492 fragment reassemble

As you can see, the scrub is placed on different lines, but only if there are nat/rdr defined. scrub is before nat/rdr rules in case of "pfctl -s a" and after nat/rdr in case of "pfctl -nvf /etc/pf.conf".

Is there any other way I can export live and saved rules in the same format and the same order, ready for comparison by diff? Or can it be fixed in the pfctl sources and committed?

This is on FreeBSD 7.2-RELEASE GENERIC amd64. Can somebody test it on 8.0 or CURRENT?
Thanks for any suggestions

Miroslav Lachman

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 23 00:40:44 2009
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Wed, 23 Dec 2009 01:40:40 +0100
Message-Id: <200912230140.40776.max@love2party.net>
In-Reply-To: <4B315B31.7050902@quip.cz>
Subject: Re: How to export / save and compare PF rule sets

On Wednesday 23 December 2009 00:50:09 Miroslav Lachman wrote:
> scrub is before nat/rdr rules in case of "pfctl -s a" and after nat/rdr
> in case of "pfctl -nvf /etc/pf.conf"

The order should always be options, scrub, queues, nat, filters. pfctl -nvf only works with a different order if you have "set require-order no" in your ruleset. You should be able to fix this at your end.

> Is there any other way I can export live and saved rules in the same
> format and the same order, ready for comparison by diff?

You can always extract the parts individually and cat them together if you insist on keeping the ruleset unordered.

Regards,
-- 
Max

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 23 01:12:32 2009
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Wed, 23 Dec 2009 02:12:27 +0100
Message-ID: <4B316E7B.9020404@quip.cz>
In-Reply-To: <200912230140.40776.max@love2party.net>
Subject: Re: How to export / save and compare PF rule sets

Max Laier wrote:
> On Wednesday 23 December 2009 00:50:09 Miroslav Lachman wrote:
>> scrub is before nat/rdr rules in case of "pfctl -s a" and after nat/rdr
>> in case of "pfctl -nvf /etc/pf.conf"
>
> The order should always be options, scrub, queues, nat, filters. pfctl -nvf
> only works with a different order if you have "set require-order no" in your
> ruleset. You should be able to fix this at your end.

I have things in this order in my pf.conf:

macros
tables
options
scrub
nat
rdr
pass/block rules

I don't have "set require-order no" in pf.conf; the only options I have are:

set timeout { interval 10, frag 20 }
set limit { states 10000, frags 5000 }
set optimization aggressive
set block-policy return
set skip on $unfiltered

then:

scrub in on $ext_if
scrub out on $ext_if no-df random-id max-mss 1492

nat pass on $ext_if from $vpn_sectun_net to any -> $ext_addr_0
rdr pass on $ext_if inet proto tcp from to $ext_addr_0 port 10443 -> $pdu_addr_0 port 443
rdr pass on $ext_if inet proto tcp from to $ext_addr_0 port 11443 -> $pdu_addr_1 port 443
rdr pass on $ext_if inet proto tcp from to $ext_addr_0 port 12443 -> $pdu_addr_2 port 443

So do I have to change anything? I think I have it in the right order. That's why I asked the question here.

The problem is that "pfctl -s a" shows

TRANSLATION RULES:
(some NAT/RDR here)

FILTER RULES:
scrub in on bge1 all fragment reassemble
scrub out on bge1 all no-df random-id max-mss 1492 fragment reassemble
pass in quick proto tcp from to any flags S/SA keep state
block return in log quick from to any

As you can see, scrub is in the FILTER RULES section of the output, but in pf.conf (as required according to the manpage) scrub is before TRANSLATION RULES, and pfctl -nvf prints it in this (right) order.
>> Is there any other way I can export live and saved rules in the same
>> format and the same order, ready for comparison by diff?
>
> You can always extract the parts individually and cat them together if you
> insist on keeping the ruleset unordered.

I was trying to do it in one pass (speed optimization ;])

Miroslav Lachman

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 25 12:59:47 2009
From: Dánielisz László
To: freebsd-pf@freebsd.org
Date: Fri, 25 Dec 2009 04:33:03 -0800 (PST)
Message-ID: <899286.55058.qm@web30806.mail.mud.yahoo.com>
Subject: pf vs. afp

Hello,

It's been a while that I've been struggling with how to get afp/netatalk passing through my pf rules. If I disable pf everything is working great (but I still do want a firewall on my server). I tried the following rule but it still doesn't let me in:

pass in log on $int_if inet proto { tcp, udp } from $localnet to ($int_if) port = 548 flags S/SA keep state

When I try a telnet on port 548 I get "Operation timed out"; in pflog I can see that my Mac tries to connect, but I have no clue why it can't when the corresponding port is open. Do you have any idea?

Thank you!
Laci

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 25 13:32:10 2009
From: "Anh Ky Huynh"
Organization: Vietnamese TeX Users Group
To: Dánielisz László
Cc: freebsd-pf@freebsd.org
Date: Fri, 25 Dec 2009 20:06:24 +0700
Message-ID: <20091225200624.0a19fa55@icy.localdomain>
In-Reply-To: <899286.55058.qm@web30806.mail.mud.yahoo.com>
Subject: Re: pf vs. afp

On Fri, 25 Dec 2009 04:33:03 -0800 (PST) Dánielisz László wrote:

> Hello,
>
> It's been a while that I've been struggling with how to get afp/netatalk
> passing through my pf rules. If I disable pf everything is working
> great (but I still do want a firewall on my server). I tried the
> following rule but it still doesn't let me in:
>
> pass in log on $int_if inet proto { tcp, udp } from $localnet to
> ($int_if) port = 548 flags S/SA keep state

I think the problem is "($int_if)". You should use, e.g.,

  from $localnet to 192.168.1.123

> When I try a telnet on port 548 I get "Operation timed out"; in
> pflog I can see that my Mac tries to connect, but I have no clue why
> it can't when the corresponding port is open. Do you have any idea?
Regards,

-- 
Anh Ky Huynh

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 25 16:13:04 2009
From: Dánielisz László
To: Anh Ky Huynh
Cc: freebsd-pf@freebsd.org
Date: Fri, 25 Dec 2009 08:13:02 -0800 (PST)
Message-ID: <151838.29532.qm@web30804.mail.mud.yahoo.com>
In-Reply-To: <20091225200624.0a19fa55@icy.localdomain>
Subject: Re: pf vs. afp

I am using "($int_if)" for ports 22 and 80 too and they are working like a charm. This is how I defined it in my pf.conf:

int_if="rl0"

Right now I cannot try it, but when I'm able to I'll try your idea and then I will let you know how it works.

Thank you!

________________________________
From: Anh Ky Huynh
To: Dánielisz László
Cc: freebsd-pf@freebsd.org
Sent: Fri, December 25, 2009 2:06:24 PM
Subject: Re: pf vs. afp

On Fri, 25 Dec 2009 04:33:03 -0800 (PST) Dánielisz László wrote:

> Hello,
>
> It's been a while that I've been struggling with how to get afp/netatalk
> passing through my pf rules. If I disable pf everything is working
> great (but I still do want a firewall on my server). I tried the
> following rule but it still doesn't let me in:
>
> pass in log on $int_if inet proto { tcp, udp } from $localnet to
> ($int_if) port = 548 flags S/SA keep state

I think the problem is "($int_if)". You should use, e.g.,

  from $localnet to 192.168.1.123

> When I try a telnet on port 548 I get "Operation timed out"; in
> pflog I can see that my Mac tries to connect, but I have no clue why
> it can't when the corresponding port is open. Do you have any idea?

Regards,

-- 
Anh Ky Huynh

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 25 22:01:07 2009
From: "Michael K. Smith"
To: Dánielisz László, Anh Ky Huynh
Cc: freebsd-pf@freebsd.org
Date: Fri, 25 Dec 2009 14:01:05 -0800
In-Reply-To: <151838.29532.qm@web30804.mail.mud.yahoo.com>
Subject: Re: pf vs. afp

You can use the ($int_if) for traffic terminating on the firewall. Any traffic going through to another host needs to have the destination defined.

Could you include a complete copy (sanitized, of course) of your pf.conf file? There might be something else at work, but it's hard to tell without the file.

Kind Regards,

Mike

On 12/25/09 8:13 AM, "Dánielisz László" wrote:

> I am using "($int_if)" for ports 22 and 80 too and they are working like a charm.
> This is how I defined it in my pf.conf:
> int_if="rl0"
>
> Right now I cannot try it, but when I'm able to I'll try your idea and then I
> will let you know how it works.
>
> Thank you!
>
> ________________________________
> From: Anh Ky Huynh
> To: Dánielisz László
> Cc: freebsd-pf@freebsd.org
> Sent: Fri, December 25, 2009 2:06:24 PM
> Subject: Re: pf vs. afp
>
> On Fri, 25 Dec 2009 04:33:03 -0800 (PST)
> Dánielisz László wrote:
>
>> Hello,
>>
>> It's been a while that I've been struggling with how to get afp/netatalk
>> passing through my pf rules. If I disable pf everything is working
>> great (but I still do want a firewall on my server). I tried the
>> following rule but it still doesn't let me in:
>>
>> pass in log on $int_if inet proto { tcp, udp } from $localnet to
>> ($int_if) port = 548 flags S/SA keep state
>
> I think the problem is "($int_if)". You should use, e.g.,
>
>   from $localnet to 192.168.1.123
>
>> When I try a telnet on port 548 I get "Operation timed out"; in
>> pflog I can see that my Mac tries to connect, but I have no clue why
>> it can't when the corresponding port is open. Do you have any idea?
>
> Regards,

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 26 01:02:29 2009
(envelope-from laszlo_danielisz@yahoo.com)
Message-ID: <206966.91825.qm@web30802.mail.mud.yahoo.com>
QNGFkCQVM1ndorPgjvfvqXHDjns733o8E12WWNN.VhaC84PWOgrss5JZzK4HZARS6alTs.ZyJ1ih4FBQZaxS_pc1wXhhSccT.XoNzOldFR_zsDp9Vre6ZhPZT15fPu6YttD4g7aiuCTv6hvuOFmtM9gFHpOVh0q.zsGsZSCcQFRVbS5GsExf4ErJ.dOBCFRhOFMaqVdGYZaH_olgM_XvR0yT1JcTgTJ_Tha4ZAMu3eutbMvtXZ2DiP10vIc_U04OCWR22mOZYc4HKS6t4iJxwnk72Y6qoHZ4yPuA12ukdu3L_5xrxvNJ4CNmddlQr0PMq3I.U8y7q4JtrOu_XjDnpL.IHNQABR7MicChpjRUPytUorKLZxLrIjRDUtaJRF11af4EWDRXmL9K4YoZQLh71jkQIM.KwFVH5hK9kfboHfPnUgSlcCpr73hl7B3FtUnVnfOjEnohuqnrBeUmRvye6lBnHJb9qx9jr7gykij2dPmbi7umN4IjhMyV6iLwF5X20VswusxCMHVUAHwKHUOHa8kPsT7mYUXdEtacJrzRUnDSF7DeyJRnrjVGwKjJlUpJRSNncg-- Received: from [79.113.78.72] by web30802.mail.mud.yahoo.com via HTTP; Fri, 25 Dec 2009 17:02:28 PST X-Mailer: YahooMailRC/240.3 YahooMailWebService/0.8.100.260964 References: Date: Fri, 25 Dec 2009 17:02:28 -0800 (PST) From: =?iso-8859-1?Q?D=E1nielisz_L=E1szl=F3?= To: "Michael K. Smith" , Anh Ky Huynh In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-pf@freebsd.org Subject: Re: pf vs. 
afp X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Dec 2009 01:02:29 -0000 Hi,=0A=0AHere comes my pf.conf=0A=0A#MACROS=0Aext_if=3D"tun0"=0Aint_if=3D"r= l0"=0Alocalnet =3D $int_if:network=0Agood_ip=3D"{ ***** }"=0Aicmp_types=3D"= echoreq"=0Abad_ports =3D "69,135,137,138,139,445,524,548,1433,6000,31337,66= 6,12345"=0Ano_route =3D "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0= .0.0/8, 255.255.255.255/32 }"=0A=0A=0A#DEFAULT RULES=0Ascrub in all=0A=0A##= #NAT=0Anat on $ext_if from $localnet to any -> ($ext_if)=0A=0A=0A# SPECIAL = IMMEDIATE BLOCKS:=0A# block bad ports and external broadcasts=0Ablock in qu= ick proto { udp,tcp } from any to any port { =3D $bad_ports }=0Ablock in = quick on $ext_if from any to 255.255.255.255 =0A# block weird tcp= packets on ext_if:=0Ablock in quick on $ext_if inet proto tcp from any to = any flags FUP/FUP=0Ablock in quick on $ext_if inet proto tcp from any to an= y flags SF/SFRA=0Ablock in quick on $ext_if inet proto tcp from any to any = flags /SFRA=0A=0A# don't allow anyone to spoof non-routeable addresses=0Abl= ock in quick on $ext_if from $no_route to any=0Ablock out quick on $ext_if= from any to $no_route=0Ablock in all=0A=0A=0A### LOOPBACK=0Apass in quick = on lo0 all=0Apass out quick on lo0 all=0A=0A=0A### EXTERNAL INTERFACE=0A###= =0A#INCOMING: ssh, http=0Apass in log on $ext_if inet proto tcp from $good_= ip to ($ext_if) port { 22 } flags S/SA keep state=0Apass in inet proto icm= p all icmp-type $icmp_types keep state =0A#OUTGOING=0Apass out on $ext_if a= ll=0A=0A### INTERNAL INTERFACE=0A# INCOMING: forward traffic to all over de= stinations =0Apass in quick on $int_if from $int_if/24 to any=0A=0A#pass in= et from { lo0, $localnet } to any=0A=0A#INCOMING: =0Apass in log on $int_i= f inet proto { tcp, udp } from 
$localnet to ($int_if) port { 21, 22, 80 } f= lags S/SA keep state=0Apass in log on $int_if inet proto { tcp, udp } from = $localnet to ($int_if) port=3D548 flags S/SP keep state =0Apass in log on $= int_if inet proto { tcp, udp } from $localnet to ($int_if) port=3D548 flags= S/SU keep state =0A=0A#pass in dhcp=0Apass in log on $int_if proto { tcp,u= dp } from 192.168.1.0/24 to $int_if port =3D 67 keep state=0A#pass in quick= on $int_if proto { tcp,udp } from 192.168.1.0/24 to $int_if port =3D 67 ke= ep state=0A=0A#incoming ftp=0Apass in log on $int_if proto tcp from $localn= et to any port > 49151 keep state=0A=0A =0A# OUTGOING: pass all.=0Apass out= quick on $int_if proto { tcp,udp,icmp } from any to $int_if/24 keep stat= e=0A=0A=0A=0A=0A________________________________=0AFrom: Michael K. Smith <= mksmith@adhost.com>=0ATo: D=E1nielisz L=E1szl=F3 ; Anh Ky Huynh =0ACc: freebsd-pf@freebsd.org=0ASent: F= ri, December 25, 2009 11:01:05 PM=0ASubject: Re: pf vs. afp=0A=0AYou can us= e the ($int_if) for traffic terminating on the firewall. Any=0Atraffic goi= ng through to another host needs to have the destination defined.=0A=0ACoul= d you include a complete copy (sanitized, of course) of your pf.conf=0Afile= ? There might be something else at work but it's hard to tell without=0Ath= e file.=0A=0AKind Regards,=0A=0AMike=0A=0A=0AOn 12/25/09 8:13 AM, "D=E1niel= isz L=E1szl=F3" wrote:=0A=0A> I am using "($i= nt_if)" for ports 22, 80 too and they are working as charm.=0A> This is how= I defined it in my pf.conf:=0A> int_if=3D"rl0"=0A> =0A> Right now I can no= t try it but when I'll be able I'll try your idea and than I=0A> will let y= ou know how it works.=0A> =0A> Thank you!=0A> =0A> =0A> =0A> ______________= __________________=0A> From: Anh Ky Huynh =0A> To: D=E1n= ielisz L=E1szl=F3 =0A> Cc: freebsd-pf@freebsd.o= rg=0A> Sent: Fri, December 25, 2009 2:06:24 PM=0A> Subject: Re: pf vs. 
afp= =0A> =0A> On Fri, 25 Dec 2009 04:33:03 -0800 (PST)=0A> D=E1nielisz L=E1szl= =F3 wrote:=0A> =0A>> =0A>> ___________________= _____________=0A>> =0A>> Hello,=0A>> =0A>> It's been a while I struggeling = how to deal with apf/netatalk=0A>> passing trough my pf rules. If I disable= pf everything is working=0A>> great (but I still do want firewall on my se= rver). I tried the=0A>> following rule but it still don't lets me in:=0A>> = =0A>> pass in log on $int_if inet proto { tcp, udp } from $localnet to=0A>>= ($int_if) port=3D548 flags S/SA keep state=0A> =0A> I think the problem i= s "($int_if)". You should use, for e.g,=0A> =0A> from $localnet to 192.= 168.1.123=0A> =0A>> When I try a telnet on port 548 I got "Operation timed = out", in=0A>> pflog I can see that my Mac tries to connect but I have no cl= ue why=0A>> it can't when the coresponding port is open, do you have any id= ea?=0A> =0A> Regards,=0A=0A=0A From owner-freebsd-pf@FreeBSD.ORG Sat Dec 26 09:56:18 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 99BE91065697 for ; Sat, 26 Dec 2009 09:56:18 +0000 (UTC) (envelope-from ddesimone@verio.net) Received: from relay1-bcrtfl2.verio.net (relay1-bcrtfl2.verio.net [131.103.218.142]) by mx1.freebsd.org (Postfix) with ESMTP id 65D4A8FC13 for ; Sat, 26 Dec 2009 09:56:18 +0000 (UTC) Received: from iad-wprd-xchw01.corp.verio.net (iad-wprd-xchw01.corp.verio.net [198.87.7.164]) by relay1-bcrtfl2.verio.net (Postfix) with ESMTP id 7717FB03881C; Sat, 26 Dec 2009 04:56:17 -0500 (EST) thread-index: AcqGEarH3xhiF+IgTYex4JJELny3kg== Received: from dllstx1-8sst9f1.corp.verio.net ([10.144.0.7]) by iad-wprd-xchw01.corp.verio.net over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Sat, 26 Dec 2009 04:56:15 -0500 Received: by dllstx1-8sst9f1.corp.verio.net (sSMTP sendmail emulation); Sat, 26 Dec 2009 03:56:14 +0000 Date: Sat, 26 Dec 2009 03:56:14 
-0600 From: "David DeSimone" Content-Transfer-Encoding: 7bit To: =?us-ascii?B?RGFuaWVsaXN6IExhc3psbw==?= Message-ID: <20091226095613.GX5508@verio.net> Content-Class: urn:content-classes:message Importance: normal Priority: normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4325 Mail-Followup-To: =?utf8?Q?D=E1nielisz_L=E1szl=F3?= , freebsd-pf@freebsd.org References: <206966.91825.qm@web30802.mail.mud.yahoo.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Disposition: inline In-Reply-To: <206966.91825.qm@web30802.mail.mud.yahoo.com> Precedence: bulk User-Agent: Mutt/1.5.18 (2008-05-17) X-OriginalArrivalTime: 26 Dec 2009 09:56:16.0158 (UTC) FILETIME=[AA33FBE0:01CA8611] Cc: freebsd-pf@freebsd.org Subject: Re: pf vs. afp X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Dec 2009 09:56:18 -0000 Dnielisz Lszl wrote: > > bad_ports = "69,135,137,138,139,445,524,548,1433,6000,31337,666,12345" > > # SPECIAL IMMEDIATE BLOCKS: > # block bad ports and external broadcasts > block in quick proto { udp,tcp } from any to any port { = $bad_ports } This rule specifies to block (quick) port 548 (part of $bad_ports), so your rules that occur later cannot allow that port. -- David DeSimone == Network Admin == fox@verio.net "I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate it." -- Clarence Darrow This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. 
Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free. Thank you. From owner-freebsd-pf@FreeBSD.ORG Sat Dec 26 12:54:55 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2B06B1065670 for ; Sat, 26 Dec 2009 12:54:55 +0000 (UTC) (envelope-from laszlo_danielisz@yahoo.com) Received: from web30804.mail.mud.yahoo.com (web30804.mail.mud.yahoo.com [68.142.200.147]) by mx1.freebsd.org (Postfix) with SMTP id E0FD58FC12 for ; Sat, 26 Dec 2009 12:54:54 +0000 (UTC) Received: (qmail 16147 invoked by uid 60001); 26 Dec 2009 12:54:54 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1261832094; bh=6O0YOiOCUunXn3pFFDnxyOgaU1IVwp1qNWYW4Cy9o28=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:References:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=TFfrFFseYpytDQlvVvebEEZYPio01iNBNag8nvQFjP1gLOmh03NfTdHLQmjgG39xg5oLivfM3YlrjihPOqCIbOQ73Wze2BA8hbd1Fbk5+bi1OIuDQWTTtEMYI5q5Y1c5q+90H4r+97Ux+SMlwMOTsnbajz6O2AixzIBxobqkP6o= DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:X-YMail-OSG:Received:X-Mailer:References:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=Edy8/b/VQU1ixMpqKW5gvNlY6v3tMxWH/FofNMRHwpxBhA25FZvP0N+umW/yjT/2PINj7RhmpqUL72AFrNE8btxLSJCF99djj3GbVNnVnZnXY65hi6BW06QdWPGyK5qH6oLuxq/LhHZGE4yw37NoHLZ6ejkkgBCCJ4eZkK+o/LY=; Message-ID: <193907.15997.qm@web30804.mail.mud.yahoo.com> X-YMail-OSG: zd0BqFcVM1mQH.q3LpurDnAzPimjAR2rdwgA3dESIeyrkdio9Wesm4ekYRQ_.KE23yMo7_VzcHPLBZn4BfwiI75pVJj83.W15506KWDCQhygsqvkqQo4ErM0y6LBaER5gkxXLNdNB7W3oiYXDvVNyHXgP88iLF5APvgRvT5ET.UjINL3CvWc8xR6MicVni0ZzgI132uPBuxk80AAiU6tPN8UAtzJ80BgAOjjxo1_aGW0e4frLsWkZiTacUvILQ3ODGTcoW809N_xdVEjIAeBtUuHN63z9622J2vqj_LTcOEH_DNmEcfSkUK2Z9n3bNDGaYuYmlH.pOaWU_ILBlHs5RogyA-- 
Received: from [79.113.77.15] by web30804.mail.mud.yahoo.com via HTTP; Sat, 26 Dec 2009 04:54:53 PST X-Mailer: YahooMailRC/240.3 YahooMailWebService/0.8.100.260964 References: <206966.91825.qm@web30802.mail.mud.yahoo.com> <20091226095613.GX5508@verio.net> Date: Sat, 26 Dec 2009 04:54:53 -0800 (PST) From: =?iso-8859-1?Q?D=E1nielisz_L=E1szl=F3?= To: David DeSimone In-Reply-To: <20091226095613.GX5508@verio.net> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-pf@freebsd.org Subject: Re: pf vs. afp X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Dec 2009 12:54:55 -0000 Gosh, I feel so ashamed, blind me.=0AThank you very much!=0A=0A=0A=0A______= __________________________=0AFrom: David DeSimone =0ATo: Dan= ielisz Laszlo =0ACc: freebsd-pf@freebsd.org=0AS= ent: Sat, December 26, 2009 10:56:14 AM=0ASubject: Re: pf vs. afp=0A=0ADnie= lisz Lszl wrote:=0A>=0A> bad_ports =3D "69,135= ,137,138,139,445,524,548,1433,6000,31337,666,12345"=0A> =0A> # SPECIAL IMME= DIATE BLOCKS:=0A> # block bad ports and external broadcasts=0A> block in qu= ick proto { udp,tcp } from any to any port { =3D $bad_ports }=0A=0AThis r= ule specifies to block (quick) port 548 (part of $bad_ports), so=0Ayour rul= es that occur later cannot allow that port.=0A=0A-- =0ADavid DeSimone =3D= =3D Network Admin =3D=3D fox@verio.net=0A "I don't like spinach, and I'm g= lad I don't, because if I=0A liked it I'd eat it, and I just hate it." --= Clarence Darrow=0A=0A=0AThis email message is intended for the use of the = person to whom it has been sent, and may contain information that is confid= ential or legally protected. 
If you are not the intended recipient or have = received this message in error, you are not authorized to copy, distribute,= or otherwise use this message or its attachments. Please notify the sender= immediately by return e-mail and permanently delete this message and any a= ttachments. Verio, Inc. makes no warranty that this email is error or virus= free. Thank you.=0A=0A=0A=0A
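The evaluation-order point behind David DeSimone's answer, as an added example that is not part of the thread: a small Python model of how pf walks a ruleset (last matching rule wins, except that a matching rule with `quick` ends evaluation immediately), run over the relevant rules from the posted pf.conf. The model ignores addresses, TCP flags and state; the "fixed" ruleset, which simply drops 548 from $bad_ports, is one possible fix and is my assumption, not something the thread states.

```python
"""Added example, not code from the thread: a toy model of pf's rule
evaluation order, applied to the rules posted above.  Only direction,
interface, protocol and destination port are matched."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY: FrozenSet = frozenset()  # empty set means "matches anything"


@dataclass(frozen=True)
class Rule:
    action: str                   # "block" or "pass"
    label: str                    # the pf.conf line it stands for
    quick: bool = False           # stop evaluating on match
    direction: str = "in"
    iface: Optional[str] = None   # None: any interface
    proto: FrozenSet[str] = ANY
    dst_ports: FrozenSet[int] = ANY


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and (rule.iface is None or rule.iface == pkt.iface)
            and (not rule.proto or pkt.proto in rule.proto)
            and (not rule.dst_ports or pkt.dst_port in rule.dst_ports))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the ruleset like pf: remember the last match, stop on quick."""
    verdict = ("pass", "implicit default (no rule matched)")
    for rule in rules:
        if matches(rule, pkt):
            verdict = (rule.action, rule.label)
            if rule.quick:
                break
    return verdict


# $bad_ports exactly as posted; note that 548 (AFP) is in the list
BAD_PORTS = frozenset({69, 135, 137, 138, 139, 445, 524, 548,
                       1433, 6000, 31337, 666, 12345})
TCP_UDP = frozenset({"tcp", "udp"})


def ruleset(bad_ports: FrozenSet[int]) -> List[Rule]:
    """The rules from the posted pf.conf that decide port 548, in order."""
    return [
        Rule("block", "block in quick proto { udp,tcp } port { = $bad_ports }",
             quick=True, proto=TCP_UDP, dst_ports=bad_ports),
        Rule("block", "block in all"),
        Rule("pass", "pass in log on $int_if port { 21, 22, 80 }",
             iface="rl0", proto=TCP_UDP, dst_ports=frozenset({21, 22, 80})),
        Rule("pass", "pass in log on $int_if port=548",
             iface="rl0", proto=TCP_UDP, dst_ports=frozenset({548})),
    ]


POSTED = ruleset(BAD_PORTS)
FIXED = ruleset(BAD_PORTS - {548})      # assumed fix: take 548 out of $bad_ports
AFP = Packet("in", "rl0", "tcp", 548)   # constructed: the Mac's AFP connection
SSH = Packet("in", "rl0", "tcp", 22)    # constructed: LAN ssh, which did work
```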