From owner-freebsd-pf@FreeBSD.ORG Sun Feb 19 18:46:52 2012
From: "Bjoern A. Zeeb"
Date: Sun, 19 Feb 2012 18:46:47 +0000
To: Robert Z
Cc: "freebsd-pf@freebsd.org"
Subject: Re: FreeBSD 9.0-RELEASE: VIMAGE and PF, Constant Kernel Panic
Message-Id: <965F172B-B1B1-46BB-957E-DF186A1037ED@lists.zabbadoz.net>
In-Reply-To: <1329507755.83518.YahooMailNeo@web120505.mail.ne1.yahoo.com>
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

On 17. Feb 2012, at 19:42 , Robert Z wrote:

> I am getting constant kernel panics with VIMAGE and PF on FreeBSD 9-RELEASE with jails.
>
> I have tried different PF configurations with VIMAGE + epair or VIMAGE + netgraph and still get kernel panics.
> The kernel panics stop as soon as I disable PF in rc.conf.
>
> Example of setup PF + VIMAGE + epair.
> http://wiki.polymorf.fr/index.php/Howto:FreeBSD_jail_vnet
>
> Example of setup PF + VIMAGE + netgraph
> http://druidbsd.sourceforge.net/vimage.shtml
>
>
> I am attaching an example pic of said panics.
> http://i40.tinypic.com/2q00etz.jpg
>
>
> Any advice on solving this will be appreciated.

VIMAGE is experimental. pf is not yet supported as are a couple of
other things including most cloned interfaces etc.

-- 
Bjoern A. Zeeb                                 You have to have visions!
   It does not matter how good you are. It matters what good you do!

From owner-freebsd-pf@FreeBSD.ORG Sun Feb 19 18:49:11 2012
From: bz@FreeBSD.org
Date: Sun, 19 Feb 2012 18:49:11 GMT
To: bz@FreeBSD.org, freebsd-pf@FreeBSD.org, freebsd-virtualization@FreeBSD.org
Subject: Re: kern/165252: [pf] [panic] kernel panics with VIMAGE and PF on FreeBSD 9.0 rel
Message-Id: <201202191849.q1JInBtw022483@freefall.freebsd.org>

Synopsis: [pf] [panic] kernel panics with VIMAGE and PF on FreeBSD 9.0 rel

Responsible-Changed-From-To: freebsd-pf->freebsd-virtualization
Responsible-Changed-By: bz
Responsible-Changed-When: Sun Feb 19 18:48:42 UTC 2012
Responsible-Changed-Why:
Re-assign to where it belongs.

http://www.freebsd.org/cgi/query-pr.cgi?pr=165252

From owner-freebsd-pf@FreeBSD.ORG Sun Feb 19 18:49:37 2012
From: bz@FreeBSD.org
Date: Sun, 19 Feb 2012 18:49:36 GMT
To: bz@FreeBSD.org, freebsd-pf@FreeBSD.org, freebsd-virtualization@FreeBSD.org
Subject: Re: kern/164924: Re: kern/164271: pf] not working pf nat on FreeBSD 9.0 [regression]
Message-Id: <201202191849.q1JInaf6022585@freefall.freebsd.org>

Synopsis: Re: kern/164271: pf] not working pf nat on FreeBSD 9.0 [regression]

Responsible-Changed-From-To: freebsd-pf->freebsd-virtualization
Responsible-Changed-By: bz
Responsible-Changed-When: Sun Feb 19 18:49:21 UTC 2012
Responsible-Changed-Why:
Re-assign to where it belongs.

http://www.freebsd.org/cgi/query-pr.cgi?pr=164924

From owner-freebsd-pf@FreeBSD.ORG Sun Feb 19 18:53:35 2012
From: "Bjoern A. Zeeb"
Date: Sun, 19 Feb 2012 18:53:30 +0000
To: "freebsd-pf@freebsd.org"
Cc: freebsd-virtualization@FreeBSD.org
Subject: Re: kern/164924: Re: kern/164271: pf] not working pf nat on FreeBSD 9.0 [regression]
In-Reply-To: <201202191849.q1JInaf6022585@freefall.freebsd.org>

On 19. Feb 2012, at 18:49 , bz@FreeBSD.org wrote:

That one not but it seems only the emails go out, sorry about that.

> Synopsis: Re: kern/164271: pf] not working pf nat on FreeBSD 9.0 [regression]
>
> Responsible-Changed-From-To: freebsd-pf->freebsd-virtualization
> Responsible-Changed-By: bz
> Responsible-Changed-When: Sun Feb 19 18:49:21 UTC 2012
> Responsible-Changed-Why:
> Re-assign to where it belongs.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=164924

-- 
Bjoern A. Zeeb                                 You have to have visions!
   It does not matter how good you are. It matters what good you do!

From owner-freebsd-pf@FreeBSD.ORG Sun Feb 19 19:37:55 2012
From: linimon@FreeBSD.org
Date: Sun, 19 Feb 2012 19:37:55 GMT
To: work@megasid.com, linimon@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/127345: [pf] Problem with PF on FreeBSD7.0 [regression]
Message-Id: <201202191937.q1JJbtcI070013@freefall.freebsd.org>

Synopsis: [pf] Problem with PF on FreeBSD7.0 [regression]

State-Changed-From-To: feedback->closed
State-Changed-By: linimon
State-Changed-When: Sun Feb 19 19:37:08 UTC 2012
State-Changed-Why:
It appears no feedback was ever received on this PR. Please let us know
if it is still a problem.

http://www.freebsd.org/cgi/query-pr.cgi?pr=127345

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 20 11:07:12 2012
From: FreeBSD bugmaster
Date: Mon, 20 Feb 2012 11:07:11 GMT
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-Id: <201202201107.q1KB7BLK090201@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

47 problems total.

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 22 03:48:41 2012 Return-Path: Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A0AFB106564A; Wed, 22 Feb 2012 03:48:41 +0000 (UTC) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 745418FC18; Wed, 22 Feb 2012 03:48:41 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q1M3mfI5083833; Wed, 22 Feb 2012 03:48:41 GMT (envelope-from linimon@freefall.freebsd.org) Received: (from linimon@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q1M3mfI8083829; Wed, 22 Feb 2012 03:48:41 GMT (envelope-from linimon) Date: Wed, 22 Feb 2012 03:48:41 GMT Message-Id: <201202220348.q1M3mfI8083829@freefall.freebsd.org> To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org From: linimon@FreeBSD.org Cc: Subject: Re: kern/165315: [pf] States never cleared in PF with DEVICE_POLLING X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Feb 2012 03:48:41 -0000 Old Synopsis: States never cleared in PF with DEVICE_POLLING New Synopsis: [pf] States never cleared in PF with DEVICE_POLLING Responsible-Changed-From-To: freebsd-bugs->freebsd-pf Responsible-Changed-By: linimon Responsible-Changed-When: Wed Feb 22 03:47:57 UTC 2012 Responsible-Changed-Why: Over to maintainer(s). 
http://www.freebsd.org/cgi/query-pr.cgi?pr=165315 From owner-freebsd-pf@FreeBSD.ORG Thu Feb 23 09:07:41 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4798A106564A for ; Thu, 23 Feb 2012 09:07:41 +0000 (UTC) (envelope-from alimdi@gmail.com) Received: from mail-iy0-f182.google.com (mail-iy0-f182.google.com [209.85.210.182]) by mx1.freebsd.org (Postfix) with ESMTP id 093528FC0C for ; Thu, 23 Feb 2012 09:07:40 +0000 (UTC) Received: by iaeo4 with SMTP id o4so1676848iae.13 for ; Thu, 23 Feb 2012 01:07:40 -0800 (PST) Received-SPF: pass (google.com: domain of alimdi@gmail.com designates 10.42.157.133 as permitted sender) client-ip=10.42.157.133; Authentication-Results: mr.google.com; spf=pass (google.com: domain of alimdi@gmail.com designates 10.42.157.133 as permitted sender) smtp.mail=alimdi@gmail.com; dkim=pass header.i=alimdi@gmail.com Received: from mr.google.com ([10.42.157.133]) by 10.42.157.133 with SMTP id d5mr404919icx.46.1329988060456 (num_hops = 1); Thu, 23 Feb 2012 01:07:40 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:from:date:x-google-sender-auth:message-id :subject:to:content-type:content-transfer-encoding; bh=k+wqtWVr4xrnaxPxkhDdPC1xshdiNUkcEJz25H4UVAE=; b=NPo/u9CSJPoDFBtZRAAkkTHkEi+U6Nis6q8XFwYAaW5xecj7GbxtmcFjhADo9lzo62 DYjVrNDEvtw75BBHzhy2L9Ms8TYhXRgkktylRIAUteoqB+76lEhxSdvNBQ40VnPYCVnP bNst9/IEeGISugepjv80SVIzGR+kAteCEmgJA= Received: by 10.42.157.133 with SMTP id d5mr294423icx.46.1329986686777; Thu, 23 Feb 2012 00:44:46 -0800 (PST) MIME-Version: 1.0 Sender: alimdi@gmail.com Received: by 10.42.224.197 with HTTP; Thu, 23 Feb 2012 00:44:16 -0800 (PST) From: Ali Mdidech Date: Thu, 23 Feb 2012 09:44:16 +0100 X-Google-Sender-Auth: lIt4P_1HMNMcc5sm4LakP-tSKPI Message-ID: To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 
quoted-printable Subject: Panic in packet filter X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Feb 2012 09:07:41 -0000 Hi List, I've a box that panics multiple times randomly since a year whatever the release is (8 or 9) The crash dump shows that the problem is related to pf. Is this some sort of identified bug? Below some info and my pf.conf file. Thank you very much for your help. panic: page fault GNU gdb 6.1.1 [FreeBSD] Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you ar= e welcome to change it and/or distribute copies of it under certain condition= s. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. =A0Type "show warranty" for detail= s. This GDB was configured as "i386-marcel-freebsd"... 
Unread portion of the kernel message buffer: Fatal trap 12: page fault while in kernel mode cpuid =3D 0; apic id =3D 00 fault virtual address =A0 =3D 0x6c fault code =A0 =A0 =A0 =A0 =A0 =A0 =A0=3D supervisor read, page not present instruction pointer =A0 =A0 =3D 0x20:0xc0a25dc0 stack pointer =A0 =A0 =A0 =A0 =A0 =3D 0x28:0xc4df5910 frame pointer =A0 =A0 =A0 =A0 =A0 =3D 0x28:0xc4df5954 code segment =A0 =A0 =A0 =A0 =A0 =A0=3D base 0x0, limit 0xfffff, type 0x1b =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0=3D DPL 0, pres 1, def32 1, = gran 1 processor eflags =A0 =A0 =A0 =A0=3D interrupt enabled, resume, IOPL =3D 0 current process =A0 =A0 =A0 =A0 =3D 12 (irq256: em0:rx 0) trap number =A0 =A0 =A0 =A0 =A0 =A0 =3D 12 panic: page fault cpuid =3D 0 KDB: stack backtrace: #0 0xc08380b7 at kdb_backtrace+0x47 #1 0xc0805617 at panic+0x117 #2 0xc0aebcc3 at trap_fatal+0x323 #3 0xc0aec802 at trap+0x182 #4 0xc0ad5f8c at calltrap+0x6 #5 0xc589f7cc at pfr_update_stats+0x1cc #6 0xc588de21 at pf_test+0x981 #7 0xc5895e79 at pf_check_in+0x39 #8 0xc08c3c68 at pfil_run_hooks+0x78 #9 0xc08e18ae at ip_input+0x24e #10 0xc08c2d9f at netisr_dispatch_src+0x8f #11 0xc08c3040 at netisr_dispatch+0x20 #12 0xc08b9721 at ether_demux+0x171 #13 0xc08b9b6f at ether_nh_input+0x37f #14 0xc08c2d9f at netisr_dispatch_src+0x8f #15 0xc08c3040 at netisr_dispatch+0x20 #16 0xc08b9269 at ether_input+0x19 #17 0xc05b383f at em_rxeof+0x30f Uptime: 1h45m44s Physical memory: 2002 MB Dumping 185 MB: 170 154 138 122 106 90 74 58 42 26 10 Reading symbols from /boot/kernel/pf.ko...Reading symbols from /boot/kernel/pf.ko.symbols... done. done. Loaded symbols for /boot/kernel/pf.ko #0 =A0doadump (textdump=3D1) at pcpu.h:244 244 =A0 =A0 pcpu.h: No such file or directory. =A0 =A0 =A0 =A0in pcpu.h (kgdb) #0 =A0doadump (textdump=3D1) at pcpu.h:244 #1 =A00xc08053ba in kern_reboot (howto=3D260) =A0 =A0at /usr/src/sys/kern/kern_shutdown.c:442 #2 =A00xc0805651 in panic (fmt=3DVariable "fmt" is not available. 
) at /usr/src/sys/kern/kern_shutdown.c:607 #3 =A00xc0aebcc3 in trap_fatal (frame=3D0xc4df58d0, eva=3D108) =A0 =A0at /usr/src/sys/i386/i386/trap.c:975 #4 =A00xc0aec802 in trap (frame=3D0xc4df58d0) at /usr/src/sys/i386/i386/tra= p.c:352 #5 =A00xc0ad5f8c in calltrap () at /usr/src/sys/i386/i386/exception.s:168 #6 =A00xc0a25dc0 in uma_zalloc_arg (zone=3D0x0, udata=3D0x0, flags=3D257) =A0 =A0at pcpu.h:244 #7 =A00xc589f7cc in pfr_update_stats (kt=3D0xc58d44d8, a=3D0xc56aa01a, af= =3D2 '\002', =A0 =A0len=3D52, dir_out=3D0, op_pass=3D0, notrule=3D0) at uma.h:305 #8 =A00xc588de21 in pf_test (dir=3D1, ifp=3D0xc5253c00, m0=3D0xc4df5acc, eh= =3D0x0, =A0 =A0inp=3D0x0) at /usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:7057 #9 =A00xc5895e79 in pf_check_in (arg=3D0x0, m=3D0xc4df5acc, ifp=3D0xc5253c0= 0, dir=3D1, =A0 =A0inp=3D0x0) at /usr/src/sys/modules/pf/../../contrib/pf/net/pf_ioctl.= c:4139 #10 0xc08c3c68 in pfil_run_hooks (ph=3D0xc0d685e0, mp=3D0xc4df5b24, =A0 =A0ifp=3D0xc5253c00, dir=3D1, inp=3D0x0) at /usr/src/sys/net/pfil.c:82 #11 0xc08e18ae in ip_input (m=3D0xc567db00) =A0 =A0at /usr/src/sys/netinet/ip_input.c:510 #12 0xc08c2d9f in netisr_dispatch_src (proto=3D1, source=3D0, m=3D0xc567db0= 0) =A0 =A0at /usr/src/sys/net/netisr.c:1013 #13 0xc08c3040 in netisr_dispatch (proto=3D1, m=3D0xc567db00) =A0 =A0at /usr/src/sys/net/netisr.c:1104 #14 0xc08b9721 in ether_demux (ifp=3D0xc5253c00, m=3D0xc567db00) =A0 =A0at /usr/src/sys/net/if_ethersubr.c:937 #15 0xc08b9b6f in ether_nh_input (m=3D0xc567db00) =A0 =A0at /usr/src/sys/net/if_ethersubr.c:756 #16 0xc08c2d9f in netisr_dispatch_src (proto=3D9, source=3D0, m=3D0xc567db0= 0) =A0 =A0at /usr/src/sys/net/netisr.c:1013 #17 0xc08c3040 in netisr_dispatch (proto=3D9, m=3D0xc567db00) =A0 =A0at /usr/src/sys/net/netisr.c:1104 #18 0xc08b9269 in ether_input (ifp=3D0xc5253c00, m=3D0xc567db00) =A0 =A0at /usr/src/sys/net/if_ethersubr.c:797 #19 0xc05b383f in em_rxeof (rxr=3D0xc520bc00, count=3D99, done=3D0x0) =A0 =A0at 
/usr/src/sys/dev/e1000/if_em.c:4340 #20 0xc05b3a06 in em_msix_rx (arg=3D0xc520bc00) =A0 =A0at /usr/src/sys/dev/e1000/if_em.c:1577 #21 0xc07da6eb in intr_event_execute_handlers (p=3D0xc5157588, ie=3D0xc5241= 680) =A0 =A0at /usr/src/sys/kern/kern_intr.c:1257 #22 0xc07dbeaa in ithread_loop (arg=3D0xc52506e0) =A0 =A0at /usr/src/sys/kern/kern_intr.c:1270 #23 0xc07d78f7 in fork_exit (callout=3D0xc07dbe30 , =A0 =A0arg=3D0xc52506e0, frame=3D0xc4df5d28) at /usr/src/sys/kern/kern_fork= .c:995 #24 0xc0ad6004 in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:= 275 (kgdb) ################## pf.conf ################## ext_if =3D "em0" public_tcp_ports =3D "{21,25,53,80,143,443,873,993,50021:50121}" public_udp_ports =3D "53" table {someip} table persist counters ### Redirection for SMTP rdr on $ext_if proto tcp from any to $ext_if port 225 -> $ext_if port 25 ### Block everything in an pass everything out pass out on $ext_if all modulate state block in on $ext_if all ### secure users pass in quick on $ext_if proto tcp from to any flags S/SA \ modulate state ### public tcp/udp ports rules pass in on $ext_if proto udp to $ext_if port $public_udp_ports pass in on $ext_if proto tcp to $ext_if port $public_tcp_ports flags S/SA \ modulate state ### block ssh bruteforce block in quick from pass in quick on $ext_if proto tcp to $ext_if port 22 flags S/SA modulate state \ (max-src-conn 5, max-src-conn-rate 10/60, overload flush global= ) ### block icmp timestamp request/response block in quick on $ext_if inet proto icmp all icmp-type {13, 14} pass in quick on $ext_if proto icmp all ############ end pf.conf ############## -- Ali Mdidech From owner-freebsd-pf@FreeBSD.ORG Fri Feb 24 07:20:34 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EF0CF1065673 for ; Fri, 24 Feb 2012 07:20:34 +0000 (UTC) (envelope-from ermal.luci@gmail.com) Received: from 
mail-iy0-f182.google.com (mail-iy0-f182.google.com [209.85.210.182]) by mx1.freebsd.org (Postfix) with ESMTP id B0CBD8FC12 for ; Fri, 24 Feb 2012 07:20:34 +0000 (UTC) Received: by iaeo4 with SMTP id o4so3470094iae.13 for ; Thu, 23 Feb 2012 23:20:34 -0800 (PST) Received-SPF: pass (google.com: domain of ermal.luci@gmail.com designates 10.50.15.234 as permitted sender) client-ip=10.50.15.234; Authentication-Results: mr.google.com; spf=pass (google.com: domain of ermal.luci@gmail.com designates 10.50.15.234 as permitted sender) smtp.mail=ermal.luci@gmail.com; dkim=pass header.i=ermal.luci@gmail.com Received: from mr.google.com ([10.50.15.234]) by 10.50.15.234 with SMTP id a10mr1239157igd.29.1330068034162 (num_hops = 1); Thu, 23 Feb 2012 23:20:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=Y9GST2jbceO5865IC/48sTKc/fOGxDTPa3OLSyeZBXM=; b=EoKjTL2tmO6dqJcaAuRcXQzn50OcQx60qeKub4DPQm5nJ/LHxwtEsON/PWTiagONSW DAlSqGJ8Jd5F0UaPwohP9qmwevd7W/Cn1QmaVbD/7iCChYbKWzdr35PXCigb9SeSMOcM nM9rTEaTVyxgXWnBnM1pKcmqlErFORAym/0K0= MIME-Version: 1.0 Received: by 10.50.15.234 with SMTP id a10mr1011208igd.29.1330068034088; Thu, 23 Feb 2012 23:20:34 -0800 (PST) Sender: ermal.luci@gmail.com Received: by 10.231.44.209 with HTTP; Thu, 23 Feb 2012 23:20:34 -0800 (PST) In-Reply-To: References: Date: Fri, 24 Feb 2012 07:20:34 +0000 X-Google-Sender-Auth: j35J_GwuZZqNo7GOPAyKwV_C3i0 Message-ID: From: =?ISO-8859-1?Q?Ermal_Lu=E7i?= To: Ali Mdidech Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: freebsd-pf@freebsd.org Subject: Re: Panic in packet filter X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: 
List-Subscribe: , X-List-Received-Date: Fri, 24 Feb 2012 07:20:35 -0000 On Thu, Feb 23, 2012 at 8:44 AM, Ali Mdidech wrote: > Hi List, > > I've a box that panics multiple times randomly since a year whatever > the release is (8 or 9) > The crash dump shows that the problem is related to pf. > Is this some sort of identified bug? > Below some info and my pf.conf file. > > Thank you very much for your help. > Can you try do disable SMP through sysctl and see if you still get this? What are you doing to get the panic? Also its very helpful to know the `uname -a` command output. > panic: page fault > > GNU gdb 6.1.1 [FreeBSD] > Copyright 2004 Free Software Foundation, Inc. > GDB is free software, covered by the GNU General Public License, and you = are > welcome to change it and/or distribute copies of it under certain conditi= ons. > Type "show copying" to see the conditions. > There is absolutely no warranty for GDB. =A0Type "show warranty" for deta= ils. > This GDB was configured as "i386-marcel-freebsd"... 
> > Unread portion of the kernel message buffer: > > > Fatal trap 12: page fault while in kernel mode > cpuid =3D 0; apic id =3D 00 > fault virtual address =A0 =3D 0x6c > fault code =A0 =A0 =A0 =A0 =A0 =A0 =A0=3D supervisor read, page not prese= nt > instruction pointer =A0 =A0 =3D 0x20:0xc0a25dc0 > stack pointer =A0 =A0 =A0 =A0 =A0 =3D 0x28:0xc4df5910 > frame pointer =A0 =A0 =A0 =A0 =A0 =3D 0x28:0xc4df5954 > code segment =A0 =A0 =A0 =A0 =A0 =A0=3D base 0x0, limit 0xfffff, type 0x1= b > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0=3D DPL 0, pres 1, def32 1= , gran 1 > processor eflags =A0 =A0 =A0 =A0=3D interrupt enabled, resume, IOPL =3D 0 > current process =A0 =A0 =A0 =A0 =3D 12 (irq256: em0:rx 0) > trap number =A0 =A0 =A0 =A0 =A0 =A0 =3D 12 > panic: page fault > cpuid =3D 0 > KDB: stack backtrace: > #0 0xc08380b7 at kdb_backtrace+0x47 > #1 0xc0805617 at panic+0x117 > #2 0xc0aebcc3 at trap_fatal+0x323 > #3 0xc0aec802 at trap+0x182 > #4 0xc0ad5f8c at calltrap+0x6 > #5 0xc589f7cc at pfr_update_stats+0x1cc > #6 0xc588de21 at pf_test+0x981 > #7 0xc5895e79 at pf_check_in+0x39 > #8 0xc08c3c68 at pfil_run_hooks+0x78 > #9 0xc08e18ae at ip_input+0x24e > #10 0xc08c2d9f at netisr_dispatch_src+0x8f > #11 0xc08c3040 at netisr_dispatch+0x20 > #12 0xc08b9721 at ether_demux+0x171 > #13 0xc08b9b6f at ether_nh_input+0x37f > #14 0xc08c2d9f at netisr_dispatch_src+0x8f > #15 0xc08c3040 at netisr_dispatch+0x20 > #16 0xc08b9269 at ether_input+0x19 > #17 0xc05b383f at em_rxeof+0x30f > Uptime: 1h45m44s > Physical memory: 2002 MB > Dumping 185 MB: 170 154 138 122 106 90 74 58 42 26 10 > > Reading symbols from /boot/kernel/pf.ko...Reading symbols from > /boot/kernel/pf.ko.symbols... > done. > done. > Loaded symbols for /boot/kernel/pf.ko > #0 =A0doadump (textdump=3D1) at pcpu.h:244 > 244 =A0 =A0 pcpu.h: No such file or directory. 
>         in pcpu.h
> (kgdb) #0  doadump (textdump=1) at pcpu.h:244
> #1  0xc08053ba in kern_reboot (howto=260)
>     at /usr/src/sys/kern/kern_shutdown.c:442
> #2  0xc0805651 in panic (fmt=Variable "fmt" is not available.
> ) at /usr/src/sys/kern/kern_shutdown.c:607
> #3  0xc0aebcc3 in trap_fatal (frame=0xc4df58d0, eva=108)
>     at /usr/src/sys/i386/i386/trap.c:975
> #4  0xc0aec802 in trap (frame=0xc4df58d0) at /usr/src/sys/i386/i386/trap.c:352
> #5  0xc0ad5f8c in calltrap () at /usr/src/sys/i386/i386/exception.s:168
> #6  0xc0a25dc0 in uma_zalloc_arg (zone=0x0, udata=0x0, flags=257)
>     at pcpu.h:244
> #7  0xc589f7cc in pfr_update_stats (kt=0xc58d44d8, a=0xc56aa01a, af=2 '\002',
>     len=52, dir_out=0, op_pass=0, notrule=0) at uma.h:305
> #8  0xc588de21 in pf_test (dir=1, ifp=0xc5253c00, m0=0xc4df5acc, eh=0x0,
>     inp=0x0) at /usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:7057
> #9  0xc5895e79 in pf_check_in (arg=0x0, m=0xc4df5acc, ifp=0xc5253c00, dir=1,
>     inp=0x0) at /usr/src/sys/modules/pf/../../contrib/pf/net/pf_ioctl.c:4139
> #10 0xc08c3c68 in pfil_run_hooks (ph=0xc0d685e0, mp=0xc4df5b24,
>     ifp=0xc5253c00, dir=1, inp=0x0) at /usr/src/sys/net/pfil.c:82
> #11 0xc08e18ae in ip_input (m=0xc567db00)
>     at /usr/src/sys/netinet/ip_input.c:510
> #12 0xc08c2d9f in netisr_dispatch_src (proto=1, source=0, m=0xc567db00)
>     at /usr/src/sys/net/netisr.c:1013
> #13 0xc08c3040 in netisr_dispatch (proto=1, m=0xc567db00)
>     at /usr/src/sys/net/netisr.c:1104
> #14 0xc08b9721 in ether_demux (ifp=0xc5253c00, m=0xc567db00)
>     at /usr/src/sys/net/if_ethersubr.c:937
> #15 0xc08b9b6f in ether_nh_input (m=0xc567db00)
>     at /usr/src/sys/net/if_ethersubr.c:756
> #16 0xc08c2d9f in netisr_dispatch_src (proto=9, source=0, m=0xc567db00)
>     at /usr/src/sys/net/netisr.c:1013
> #17 0xc08c3040 in netisr_dispatch (proto=9, m=0xc567db00)
>     at /usr/src/sys/net/netisr.c:1104
> #18 0xc08b9269 in ether_input (ifp=0xc5253c00, m=0xc567db00)
>     at /usr/src/sys/net/if_ethersubr.c:797
> #19 0xc05b383f in em_rxeof (rxr=0xc520bc00, count=99, done=0x0)
>     at /usr/src/sys/dev/e1000/if_em.c:4340
> #20 0xc05b3a06 in em_msix_rx (arg=0xc520bc00)
>     at /usr/src/sys/dev/e1000/if_em.c:1577
> #21 0xc07da6eb in intr_event_execute_handlers (p=0xc5157588, ie=0xc5241680)
>     at /usr/src/sys/kern/kern_intr.c:1257
> #22 0xc07dbeaa in ithread_loop (arg=0xc52506e0)
>     at /usr/src/sys/kern/kern_intr.c:1270
> #23 0xc07d78f7 in fork_exit (callout=0xc07dbe30 ,
>     arg=0xc52506e0, frame=0xc4df5d28) at /usr/src/sys/kern/kern_fork.c:995
> #24 0xc0ad6004 in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:275
> (kgdb)
>
>
> ################## pf.conf ##################
> ext_if = "em0"
>
> public_tcp_ports = "{21,25,53,80,143,443,873,993,50021:50121}"
> public_udp_ports = "53"
>
> table {someip}
> table persist counters
>
> ### Redirection for SMTP
> rdr on $ext_if proto tcp from any to $ext_if port 225 -> $ext_if port 25
>
> ### Block everything in and pass everything out
> pass out on $ext_if all modulate state
> block in on $ext_if all
>
> ### secure users
> pass in quick on $ext_if proto tcp from to any flags S/SA \
> modulate state
>
> ### public tcp/udp ports rules
> pass in on $ext_if proto udp to $ext_if port $public_udp_ports
> pass in on $ext_if proto tcp to $ext_if port $public_tcp_ports flags S/SA \
> modulate state
>
> ### block ssh bruteforce
> block in quick from
> pass in quick on $ext_if proto tcp to $ext_if port 22 flags S/SA
> modulate state \
> (max-src-conn 5, max-src-conn-rate 10/60, overload flush global)
>
> ### block icmp timestamp request/response
> block in quick on $ext_if inet proto icmp all icmp-type {13, 14}
> pass in quick on $ext_if proto icmp all
>
> ############ end pf.conf ##############
>
> --
> Ali Mdidech
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Fri Feb 24 09:11:08 2012
From: Ali Mdidech
Date: Fri, 24 Feb 2012 10:10:36 +0100
To: Ermal Luçi
Cc: freebsd-pf@freebsd.org
Subject: Re: Panic in packet filter

Hi Ermal,

2012/2/24 Ermal Luçi:
> On Thu, Feb 23, 2012 at 8:44 AM, Ali Mdidech wrote:
>> Hi List,
>>
>> I've a box that panics multiple times randomly since a year whatever
>> the release is (8 or 9)
>> The crash dump shows that the problem is related to pf.
>> Is this some sort of identified bug?
>> Below some info and my pf.conf file.
>>
>> Thank you very much for your help.
>>
>
> Can you try to disable SMP through sysctl and see if you still get this?
> What are you doing to get the panic?

Well, I'm able now to avoid or reproduce the panic.
Disabling counters in table makes the server stable enough
and no panic for 48 hours.
Restoring the counters and adding a host in the table by hand (pfctl
-t ssh_brute -T add someip) provokes the panic within few seconds.
I've disabled smp (adding kern.smp.disabled=1 in loader.conf and
rebooting) => kernel still panics.

FreeBSD somehost 9.0-RELEASE FreeBSD 9.0-RELEASE #1: Sat Jan 21
09:31:30 CET 2012 root@somehost:/usr/obj/usr/src/sys/DDX3KRNL
i386

> Also it's very helpful to know the `uname -a` command output.

--
Ali Mdidech

From owner-freebsd-pf@FreeBSD.ORG Fri Feb 24 14:47:41 2012
From: Alexander Vyrlanovich
To: freebsd-pf@freebsd.org
Date: Fri, 24 Feb 2012 16:29:52 +0200
Subject: Re: Panic in packet filter

On 24 Feb 2012, at 11:10, Ali Mdidech wrote:
> Hi Ermal,
>
> 2012/2/24 Ermal Luçi:
>> On Thu, Feb 23, 2012 at 8:44 AM, Ali Mdidech wrote:
>>> Hi List,
>>>
>>> I've a box that panics multiple times randomly since a year whatever
>>> the release is (8 or 9)
>>> The crash dump shows that the problem is related to pf.
>>> Is this some sort of identified bug?
>>> Below some info and my pf.conf file.
>>>
>>> Thank you very much for your help.
>>>
>>
>> Can you try to disable SMP through sysctl and see if you still get
>> this?
>> What are you doing to get the panic?
>
> Well, I'm able now to avoid or reproduce the panic.
> Disabling counters in table makes the server stable enough
> and no panic for 48 hours.
> Restoring the counters and adding a host in the table by hand (pfctl
> -t ssh_brute -T add someip) provokes the panic within few seconds.
> I've disabled smp (adding kern.smp.disabled=1 in loader.conf and
> rebooting) => kernel still panics.
>
> FreeBSD somehost 9.0-RELEASE FreeBSD 9.0-RELEASE #1: Sat Jan 21
> 09:31:30 CET 2012 root@somehost:/usr/obj/usr/src/sys/DDX3KRNL
> i386

I can confirm that the problem with counters in pf tables persists at least
on i386 and amd64.

My systems are:

FreeBSD gw 9.0-RELEASE FreeBSD 9.0-RELEASE #1: Tue Jan 3 15:55:41 EET
2012 root@gw:/usr/obj/usr/src/sys/GW3 amd64

FreeBSD gw2 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Wed Jan 25 13:52:48
EET 2012 root@gw2:/usr/obj/usr/src/sys/GWS90 i386

pf + altq compiled in kernel

Same result: kernel panic. Without counters the systems are rock solid.

>> Also it's very helpful to know the `uname -a` command output.

Alexander Vyrlanovich
--------------------------
System Administrator
ПИК "СМК"
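A triage helper for the trace discussed in this thread, added here as an example and not written by any of the posters or taken from FreeBSD: it reads the panic message and the kgdb frames, picks the first frame outside the trap path, and checks whether a small fault address coincides with a NULL pointer argument. The function names, the TRAP_PATH set and the 4096-byte threshold are assumptions of this example; the sample input is a constructed excerpt of the trace quoted above.

```python
import re

PAGE_SIZE = 4096  # assumption: base page size; a fault below it suggests a NULL-based access
# Frames that belong to the panic/trap path rather than to the faulting code.
TRAP_PATH = {"doadump", "kern_reboot", "panic", "trap_fatal", "trap", "calltrap"}

FAULT_RE = re.compile(r"fault virtual address\s*=\s*(0x[0-9a-f]+)")
# kgdb frame: "#6  0xc0a25dc0 in uma_zalloc_arg (zone=0x0, ...)"; arguments may wrap lines.
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+ in (\w+) \((.*?)\)", re.M | re.S)
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-f]+|\d+)")

# Constructed sample: an excerpt of the panic message and kgdb frames quoted in the thread.
SAMPLE = r"""Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x6c
fault code              = supervisor read, page not present
#2  0xc0805651 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:607
#3  0xc0aebcc3 in trap_fatal (frame=0xc4df58d0, eva=108)
    at /usr/src/sys/i386/i386/trap.c:975
#4  0xc0aec802 in trap (frame=0xc4df58d0) at /usr/src/sys/i386/i386/trap.c:352
#5  0xc0ad5f8c in calltrap () at /usr/src/sys/i386/i386/exception.s:168
#6  0xc0a25dc0 in uma_zalloc_arg (zone=0x0, udata=0x0, flags=257)
    at pcpu.h:244
#7  0xc589f7cc in pfr_update_stats (kt=0xc58d44d8, a=0xc56aa01a, af=2 '\002',
    len=52, dir_out=0, op_pass=0, notrule=0) at uma.h:305
#8  0xc588de21 in pf_test (dir=1, ifp=0xc5253c00, m0=0xc4df5acc, eh=0x0,
    inp=0x0) at /usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:7057
"""


def parse_frames(text):
    """Return kgdb frames as dicts: frame number, function name, parsed arguments."""
    return [{"num": int(n), "func": f, "args": dict(ARG_RE.findall(a))}
            for n, f, a in FRAME_RE.findall(text)]


def triage(text):
    """Summarise a page-fault panic: faulting function, NULL arguments, likely cause."""
    m = FAULT_RE.search(text)
    if m is None:
        raise ValueError("no 'fault virtual address' line found")
    fault_addr = int(m.group(1), 16)
    frames = parse_frames(text)
    code = [f for f in frames if f["func"] not in TRAP_PATH]
    if not code:
        raise ValueError("no frames outside the trap path")
    faulting = code[0]
    caller = code[1]["func"] if len(code) > 1 else None
    # gdb prints pointers in hex, so a literal 0x0 argument is a NULL pointer.
    null_args = sorted(k for k, v in faulting["args"].items() if v == "0x0")
    # trap_fatal's eva argument is the faulting address; cross-check it.
    eva = next((f["args"].get("eva") for f in frames if f["func"] == "trap_fatal"), None)
    return {
        "fault_addr": fault_addr,
        "faulting_func": faulting["func"],
        "caller": caller,
        "null_args": null_args,
        "eva_matches": eva is not None and int(eva, 0) == fault_addr,
        # Small fault address plus a NULL pointer argument: a field read at
        # offset fault_addr through that NULL pointer is the likely cause.
        "null_deref": fault_addr < PAGE_SIZE and bool(null_args),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample, the faulting frame is uma_zalloc_arg called from pfr_update_stats with zone=0x0, which fits the reports above that the panic only occurs when table counters are enabled.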