From owner-freebsd-pf@FreeBSD.ORG Mon May 7 11:07:19 2012
Date: Mon, 7 May 2012 11:07:18 GMT
Message-Id: <201205071107.q47B7IRU072456@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
s kern/167057  pf         [pf] PF firewall version 4.5 in FreeBSD 9.0 & 8.2 nolo
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

50 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue May 8 15:48:51 2012
Date: Tue, 8 May 2012 16:48:50 +0100
From: krad
To: FreeBSD Questions, freebsd-pf@freebsd.org
Subject: synproxy definition in pfctl -si

Hi,

I am looking to track the number of SYN packets coming into a system. As
the box in question has pf running and using the synproxy attribute on
TCP services, I hope to be able to use the synproxy field in pfctl -si.
However, I can't find a definitive definition of the variable. I've looked
in the source but haven't had much luck in finding where it is derived.
Can anyone shed any light on whether my assumption is valid? Without a
proper definition of this variable I can't really trust that its output is
what I think it is.

Alternatively, if anyone could suggest another way of tracking inbound
SYN packets I would be grateful. It must use base OS tools though, i.e. no
ports or other apps required.

Thanks
K

From owner-freebsd-pf@FreeBSD.ORG Sat May 12 14:40:54 2012
Date: Sat, 12 May 2012 11:40:48 -0300
From: Victor Detoni
To: pf@freebsd.org
Subject: synproxy with sloppy enabled

Hi,

I would like to open a discussion about synproxy using sloppy, because
I've been testing pf performance and I cannot reach a lot of traffic.
With asymmetric routing we can reach more performance.

Why can synproxy not run with sloppy? Would it have serious security
problems? Could some needed checks fail?

tks