From owner-freebsd-pf@FreeBSD.ORG Sun May 13 14:25:20 2012
From: orpheus
To: freebsd-pf@freebsd.org
Date: Sun, 13 May 2012 17:25:18 +0300
Subject: rdr to 127.0.0.1 doesn't work

Hello, guys!

I am trying to configure redirection to 127.0.0.1 port 8025 (spamd service) in pf, but with no luck.

System: FreeBSD 8.2-RELEASE amd64

root ~ # sockstat -l | grep 8025
_spamd   obspamd    32926 4  tcp4   127.0.0.1:8025        *:*
_spamd   obspamd    32923 4  tcp4   127.0.0.1:8025        *:*
_spamd   obspamd    32922 4  tcp4   127.0.0.1:8025        *:*

root ~ # ifconfig
igb0: flags=8802 metric 0 mtu 1500
        options=1bb
        ether 00:25:90:09:01:b2
        media: Ethernet autoselect
        status: no carrier
igb1: flags=8843 metric 0 mtu 1500
        options=1bb
        ether 00:25:90:09:01:b3
        inet 1.1.1.2 netmask 0xffffff00 broadcast 1.1.1.255
        inet 1.1.1.3 netmask 0xffffffff broadcast 1.1.1.3
        media: Ethernet autoselect (100baseTX )
        status: active
ipfw0: flags=8801 metric 0 mtu 65536
lo0: flags=8049 metric 0 mtu 16384
        options=3
        inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141 metric 0 mtu 33152

This is my /etc/pf.conf:
===
ext_if = "igb1"
tcp_services="{ 21, 25, 80, 110, 143, 443, 993, 995, 1178, 2224, 2222, 5666 }"
udp_services="{ 53 }"
icmp_types="{ echoreq, unreach }"
table const { self }

set skip on lo0

rdr on $ext_if inet proto tcp from any to $ext_if port 25 -> 127.0.0.1 port 8025

block log all

pass in log inet proto tcp from any to 127.0.0.1 port 8025
pass in log on $ext_if inet proto tcp from any to $ext_if port 2224 keep state (max-src-conn 10, max-src-conn-rate 5/60, overload flush)
pass in log quick on $ext_if proto tcp from any to port www flags S/SA synproxy state
pass in log on $ext_if proto tcp from any to port $tcp_services flags S/SA synproxy state
pass in log on $ext_if proto { tcp, udp } from any to port $udp_services keep state
pass in log on $ext_if inet proto icmp all icmp-type $icmp_types keep state
pass in log quick on $ext_if proto tcp from any to any port 21 flags S/SA keep state
pass out log on $ext_if proto tcp all modulate state flags S/SA
pass out log on $ext_if proto { udp, icmp } all keep state
pass in log on lo0 inet proto tcp from any to 127.0.0.1 port 8025
pass in log on $ext_if inet proto tcp from any to $ext_if port smtp
pass out log on $ext_if proto tcp to port smtp
===

Then I am connecting to 127.0.0.1 from localhost:

root ~ # telnet 127.0.0.1 8025
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 m

And from a remote host to my server on port 25:

[root@remoteunixadmin] ~# telnet 212.26.132.2 25
Trying 212.26.132.2...
Can't connect.

Checking pflog at the same time:

root ~ # tcpdump -eni pflog0 dst port 8025
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
17:19:39.787682 rule 2/0(match): pass in on igb1: 46.16.229.18.33722 > 127.0.0.1.8025: tcp 28 [bad hdr length 0 - too short, < 20]
17:19:40.877001 rule 2/0(match): pass in on igb1: 112.234.161.49.26795 > 127.0.0.1.8025: [|tcp]
17:19:41.163942 rule 2/0(match): pass in on igb1: 117.241.70.9.4183 > 127.0.0.1.8025: [|tcp]
17:19:41.366829 rule 2/0(match): pass in on igb1: 117.244.3.240.63272 > 127.0.0.1.8025: tcp 28 [bad hdr length 0 - too short, < 20]
17:19:41.629751 rule 2/0(match): pass in on igb1: 113.162.244.56.3196 > 127.0.0.1.8025: [|tcp]
17:19:42.128182 rule 2/0(match): pass in on igb1: 123.213.32.15.2554 > 127.0.0.1.8025: [|tcp]
17:19:42.387051 rule 2/0(match): pass in on igb1: 211.177.83.30.1836 > 127.0.0.1.8025: tcp 32 [bad hdr length 0 - too short, < 20]
^C
7 packets captured
67 packets received by filter
0 packets dropped by kernel

So it seems like the packets are being redirected, but the connection doesn't reach the service on 8025, because spamd doesn't answer. Actually this applies not only to spamd but to any service that listens on 127.0.0.1. I've tried binding the service to my external interface, and then the redirection worked like a charm.

Please help me find out what the problem is. Big thanks!
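The pflog capture above is the main evidence that the rdr rule is rewriting the destination: every logged packet already shows 127.0.0.1.8025 as its target when the filter rule matches it. As an added example (not from this post, nor part of pf or tcpdump), here is a small Python parser for the `tcpdump -eni pflog0` line format shown in the post. It runs over constructed sample lines modelled on the ones above (the 203.0.113.7 block line and the repeated source are made up for illustration), groups packets by matching rule, action, direction, interface and post-translation destination, counts distinct sources per group, and reports how many TCP headers tcpdump could not decode. The regular expression assumes the `-e` pflog prefix format exactly as it appears in the post.

```python
"""Summarise pf verdicts from `tcpdump -eni pflog0` output.

Added example; the sample lines are constructed, modelled on the ones in the
post above. Hypothetical helper functions, not part of pf, tcpdump or FreeBSD.
"""
import re
from collections import Counter, defaultdict

# tcpdump -e on pflog0 prefixes each packet with the pf verdict:
#   <time> rule <n>/<sub>(<reason>): <action> <dir> on <ifname>: <src>.<sport> > <dst>.<dport>: ...
PFLOG_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]*)\): "
    r"(?P<action>pass|block|match) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)

# Constructed sample capture: three lines in the shape of the post, one block
# verdict for a different destination, and a repeat source to show the grouping.
SAMPLE_LOG = """\
17:19:39.787682 rule 2/0(match): pass in on igb1: 46.16.229.18.33722 > 127.0.0.1.8025: tcp 28 [bad hdr length 0 - too short, < 20]
17:19:40.877001 rule 2/0(match): pass in on igb1: 112.234.161.49.26795 > 127.0.0.1.8025: [|tcp]
17:19:41.163942 rule 2/0(match): pass in on igb1: 117.241.70.9.4183 > 127.0.0.1.8025: [|tcp]
17:19:42.001000 rule 0/0(match): block in on igb1: 203.0.113.7.4444 > 1.1.1.2.2222: [|tcp]
17:19:42.387051 rule 2/0(match): pass in on igb1: 46.16.229.18.33723 > 127.0.0.1.8025: tcp 32 [bad hdr length 0 - too short, < 20]
tcpdump: WARNING: pflog0: no IPv4 address assigned
"""


def parse_pflog(text):
    """Return one dict per packet line; tcpdump chatter that does not match is skipped."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if m:
            rec = m.groupdict()
            # tcpdump marks a TCP header it could not fully decode with [|tcp] or "too short".
            rec["truncated"] = "[|tcp]" in line or "too short" in line
            records.append(rec)
    return records


def summarise(records):
    """Group packets by (rule, action, direction, interface, destination endpoint).

    The destination is the one pf logged, i.e. after any rdr translation, so the
    grouping shows which filter rule handled the rewritten traffic and how many
    distinct sources reached it.
    """
    groups = defaultdict(Counter)
    for r in records:
        key = (int(r["rule"]), r["action"], r["dir"], r["ifname"], f'{r["dst"]}:{r["dport"]}')
        groups[key][r["src"]] += 1
    return {
        key: {"packets": sum(c.values()), "distinct_sources": len(c)}
        for key, c in groups.items()
    }


def truncated_fraction(records):
    """Share of packets whose TCP header tcpdump could not fully decode."""
    if not records:
        return 0.0
    return sum(1 for r in records if r["truncated"]) / len(records)


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_LOG)
    for key, stats in sorted(summarise(recs).items()):
        rule, action, direction, ifname, dst = key
        print(f"rule {rule}: {action} {direction} on {ifname} -> {dst}: "
              f"{stats['packets']} pkts from {stats['distinct_sources']} sources")
    print(f"truncated TCP headers: {truncated_fraction(recs):.0%}")
```

The truncation count matters for the capture in the post: the `[|tcp]` and `bad hdr length` markers are consistent with the 96-byte capture size tcpdump reports, since the pflog link-layer header and the IPv4 header together leave fewer than 20 bytes for the TCP header. Re-running with a larger snaplen (`-s 0`) is needed before the TCP flags of the redirected SYNs, and any reply from the service, can be read from pflog.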
From owner-freebsd-pf@FreeBSD.ORG Mon May 14 11:07:18 2012
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 14 May 2012 11:07:17 GMT
Message-Id: <201205141107.q4EB7H09053343@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
s kern/167057  pf    [pf] PF firewall version 4.5 in FreeBSD 9.0 & 8.2 nolo
o kern/166336  pf    [pf] kern.securelevel 3 +pf reload
o kern/165315  pf    [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf    [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf    [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf    [pf] PF state key linking mismatch
o kern/160370  pf    [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf    [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf    [pf] Bug with PF firewall
o kern/148290  pf    [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf    [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf    [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o conf/142817  pf    [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/135162  pf    [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o kern/132769  pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf    [pf] pf stalls connection when using route-to [regress
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf    [pf] deadlock in pf
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to successfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

50 problems total.
From owner-freebsd-pf@FreeBSD.ORG Wed May 16 12:15:41 2012
From: Adam Strohl
Organization: A-Team Systems
To: freebsd-pf@freebsd.org
Date: Wed, 16 May 2012 19:15:37 +0700
Message-ID: <4FB39A69.2030706@ateamsystems.com>
Subject: PF "synproxy state" doesn't work on CARP IPs

Hello,

I've noticed that when I use "synproxy state" on a rule and a connection comes in to an IP on a CARP interface, the connection opens but never gets passed on to the process as it should.

For example:

pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state

will work fine if I come in to a non-CARP IP. The connection is accepted and then brokered to SSHd.

However, on the same machine with the same rule, if I come in to a CARP'd IP it connects but hangs (not passed on to SSHd).

If I remove the "synproxy state" portion, the CARP test case works.

I've done a bunch of flipping and testing and it seems that CARP IP + PF rule with "synproxy state" doesn't work -- the connection will be accepted but not passed on like it should.

Is this known behaviour? Is there a workaround? Anything else anyone wants to know?

I've noticed this too: the physical interface seems to "include" the CARP interfaces associated with it. That above rule I pasted applies to the CARP interface even though it's specifying "bce0" as the value for $ext_if (vs. a rule for "carp1", etc). Is that normal/expected?

I did notice in the docs that "synproxy state" doesn't work with bridge interfaces; is a CARP interface maybe falling into this category?

Any input/thoughts appreciated!

P.S.
Please be sure to CC me, I am not subscribed to the PF mailing list.

--
Adam Strohl
A-Team Systems
http://ateamsystems.com/

From owner-freebsd-pf@FreeBSD.ORG Fri May 18 10:56:25 2012
From: Ermal Luçi
To: Adam Strohl
Cc: freebsd-pf@freebsd.org
Date: Fri, 18 May 2012 12:56:18 +0200
In-Reply-To: <4FB39A69.2030706@ateamsystems.com>
Subject: Re: PF "synproxy state" doesn't work on CARP IPs

On Wed, May 16, 2012 at 2:15 PM, Adam Strohl wrote:
> Hello,
>
> I've noticed that when I use "synproxy state" on a rule and a connection
> comes in to an IP on a CARP interface the connection opens but never gets
> passed on to the process as it should.
>
> For example:
>
> pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy
> state
>
> Will work fine if I come in to a non-CARP IP. The connection is accepted
> and then brokered to SSHd.
>
> However on the same machine with the same rule if I come in to a CARP'd IP
> it connects but hangs (not passed on to SSHd).
>
> If I remove the "synproxy state" portion the CARP test case works.
>
> I've done a bunch of flipping and testing and it seems that CARP IP + PF
> rule with "synproxy state" doesn't work -- the connection will be accepted
> but not passed on like it should.
>
> Is this known behaviour? Is there a work around? Anything else anyone
> wants to know?
>

Yeah, it's known behaviour, though I am not sure there is a PR related to it.
I might have a solution but not sure when I can produce a patch for this.

Which FreeBSD version are you on? I thought that with the carp(4) rearrangement of not using ifnets this solved itself?

> I've noticed this too: the physical interface seems to "include" the CARP
> interfaces associated with it. That above rule I pasted applies to the CARP
> interface even though it's specifying "bce0" as the value for $ext_if (vs. a
> rule for "carp1", etc) Is that normal/expected?
>
> I did notice in the docs that "synproxy state" doesn't work with bridge
> interfaces, is a CARP interface maybe falling into this category?
>
> Any input/thoughts appreciated!
>
> P.S.
> Please be sure to CC me, I am not subscribed to the PF mailing list.
>
> --
>
> Adam Strohl
> A-Team Systems
> http://ateamsystems.com/

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Fri May 18 13:20:33 2012
From: Adam Strohl
Organization: A-Team Systems
To: Ermal Luçi
Cc: freebsd-pf@freebsd.org
Date: Fri, 18 May 2012 20:20:29 +0700
Message-ID: <4FB64C9D.3010703@ateamsystems.com>
In-Reply-To: <4FB39A69.2030706@ateamsystems.com>
Subject: Re: PF "synproxy state" doesn't work on CARP IPs

On 5/18/2012 17:56, Ermal Luçi wrote:
> Yeah, it's known behaviour, though I am not sure there is a PR related to it.
> I might have a solution but not sure when I can produce a patch for this.
>
> Which FreeBSD version are you on? I thought that with the carp(4)
> rearrangement of not using ifnets this solved itself?

Cool, I feel better just knowing I'm not doing something wrong :)

The servers I'm doing this with are on FreeBSD 9.0-R.

If/when you do cut a patch for it, let me know! For now I'm just leaving it off, but would like to use it if possible.