From owner-freebsd-pf@FreeBSD.ORG Sun Jun 17 22:39:22 2012
Date: Sun, 17 Jun 2012 22:39:22 GMT
Message-Id: <201206172239.q5HMdMoG068770@freefall.freebsd.org>
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-i386@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/168952: [pf] direction scrub rules don't work
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

Old Synopsis: PF: direction scrub rules don't work
New Synopsis: [pf] direction scrub rules don't work

Responsible-Changed-From-To: freebsd-i386->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun Jun 17 22:39:07 UTC 2012
Responsible-Changed-Why:
reclassify.
http://www.freebsd.org/cgi/query-pr.cgi?pr=168952

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 18 11:07:55 2012
Date: Mon, 18 Jun 2012 11:07:54 GMT
Message-Id: <201206181107.q5IB7suw008073@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168200  pf         [pf] pf crashes when receiving packets from an address
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
s kern/167057  pf         [pf] PF firewall version 4.5 in FreeBSD 9.0 & 8.2 nolo
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

53 problems total.
From owner-freebsd-pf@FreeBSD.ORG Tue Jun 19 05:54:55 2012
Message-ID: <4FE0142A.80003@skoberne.net>
Date: Tue, 19 Jun 2012 07:54:50 +0200
From: Nejc Škoberne
To: freebsd-pf@freebsd.org
Subject: Source port translation only

Hi,

I want to do (stateful) source port translation (restriction actually)
on my outgoing packets, but no source address translation. And I want to
do it for IPv6.

So if there is a TCP packet like this:

SRC ADDR: 2001:db8::10
DST ADDR: 2001:c0de:
SRC PORT: 53523
DST PORT: 80

I want to translate it so that the source port falls into a specific
port range, say [1024:2047]:

SRC ADDR: 2001:db8::10
DST ADDR: 2001:c0de:
SRC PORT: 1500
DST PORT: 80

If the source port is already in the requested port range, no
translation is needed (but the state has to be kept anyway).

Is this possible to do with pf? If not, does anybody know of any other
(simple) way to do it?
Thanks,
Nejc

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 19 08:56:46 2012
Date: Tue, 19 Jun 2012 11:56:45 +0300
From: Sami Halabi
To: freebsd-jail@freebsd.org, bz@freebsd.org, freebsd-ipfw@freebsd.org, freebsd-pf@freebsd.org
Subject: VNET

Hi,

I want to ask about VNET jails. I read somewhere that I'm able to run IPFW,
but not the PF firewall, in a VNET jail. Is that correct?

I want a VNET jail basically for NAT, so natd with ipfw + ipdivert is my
choice? Or can I use pf somehow? I never used pf before, so I would like
some advice here...

Thanks in advance,
--
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 19 11:25:05 2012
Date: Tue, 19 Jun 2012 07:24:59 -0400
From: Jason Hellenthal
To: Nejc Škoberne
Cc: freebsd-pf@freebsd.org
Message-ID: <20120619112459.GA96895@DataIX.net>
In-Reply-To: <4FE0142A.80003@skoberne.net>
Subject: Re: Source port translation only

On Tue, Jun 19, 2012 at 07:54:50AM +0200, Nejc Škoberne wrote:
> Hi,
>
> I want to do (stateful) source port translation (restriction actually)
> on my outgoing packets, but no source address translation. And I want to
> do it for IPv6.
>
> So if there is a TCP packet like this:
>
> SRC ADDR: 2001:db8::10
> DST ADDR: 2001:c0de:
> SRC PORT: 53523
> DST PORT: 80
>
> I want to translate it so that the source port falls into a specific
> port range, say [1024:2047]:
>
> SRC ADDR: 2001:db8::10
> DST ADDR: 2001:c0de:
> SRC PORT: 1500
> DST PORT: 80
>
> If the source port is already in the requested port range, no
> translation is needed (but the state has to be kept anyway).
>
> Is this possible to do with pf? If not, does anybody know of any other
> (simple) way to do it?
>

Push net.inet.ip.portrange.reservedhigh 1023 -> 2048 ?

- and -

Adjust net.inet.ip.portrange.last net.inet.ip.portrange.first lower ?

Don't have a clue why on earth you would want to do this though.

--
 - (2^(N-1))

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 19 11:26:34 2012
Date: Tue, 19 Jun 2012 07:26:28 -0400
From: Jason Hellenthal
To: Nejc Škoberne
Cc: freebsd-pf@freebsd.org
Message-ID: <20120619112628.GB96895@DataIX.net>
In-Reply-To: <20120619112459.GA96895@DataIX.net>
Subject: Re: Source port translation only

On Tue, Jun 19, 2012 at 07:24:59AM -0400, Jason Hellenthal wrote:
>
>
> On Tue, Jun 19, 2012 at 07:54:50AM +0200, Nejc Škoberne wrote:
> > Hi,
> >
> > I want to do (stateful) source port translation (restriction actually)
> > on my outgoing packets, but no source address translation. And I want to
> > do it for IPv6.
> >
> > So if there is a TCP packet like this:
> >
> > SRC ADDR: 2001:db8::10
> > DST ADDR: 2001:c0de:
> > SRC PORT: 53523
> > DST PORT: 80
> >
> > I want to translate it so that the source port falls into a specific
> > port range, say [1024:2047]:
> >
> > SRC ADDR: 2001:db8::10
> > DST ADDR: 2001:c0de:
> > SRC PORT: 1500
> > DST PORT: 80
> >
> > If the source port is already in the requested port range, no
> > translation is needed (but the state has to be kept anyway).
> >
> > Is this possible to do with pf? If not, does anybody know of any other
> > (simple) way to do it?
> >
>
> Push net.inet.ip.portrange.reservedhigh 1023 -> 2048 ?
>
> - and -
>
> Adjust net.inet.ip.portrange.last net.inet.ip.portrange.first lower ?
>
>
> Don't have a clue why on earth you would want to do this though.
>

Should have added that ... no matter how you do this you are going to be
increasing your chances of port collision or exhaustion.
--
 - (2^(N-1))

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 19 11:32:00 2012
Message-ID: <4FE06327.1080503@skoberne.net>
Date: Tue, 19 Jun 2012 13:31:51 +0200
From: Nejc Škoberne
To: Jason Hellenthal
Cc: freebsd-pf@freebsd.org
In-Reply-To: <20120619112459.GA96895@DataIX.net>
Subject: Re: Source port translation only

Hi,

> Push net.inet.ip.portrange.reservedhigh 1023 -> 2048 ?
>
> - and -
>
> Adjust net.inet.ip.portrange.last net.inet.ip.portrange.first lower ?

This is only relevant for hosts which are sourcing the packets, not for
the gateway devices. I want to have a NAT device/gateway which would
port-restrict original packets sourced from unchanged (normal) end hosts.

> Don't have a clue why on earth you would want to do this though.

A NAT device like this is one of the parts of the design of a new A+P
IPv4 address sharing mechanism which I am working on. Currently we
already have a bunch of v4 address sharing mechanisms (some of them
being currently worked on in the IETF). Let me know if you're interested
in more details.

Sure, port exhaustion is one of the problems of A+P v4 address sharing
mechanisms, as already noted in RFC 6346.

Thanks,
Nejc

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 20 14:46:44 2012
Message-ID: <4FE1E175.4060005@FreeBSD.org>
Date: Wed, 20 Jun 2012 18:43:01 +0400
From: "Alexander V. Chernikov"
To: Sami Halabi
Cc: freebsd-ipfw@freebsd.org, bz@freebsd.org, freebsd-jail@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: VNET

On 19.06.2012 12:56, Sami Halabi wrote:
> Hi,
>
> I want to ask about VNET jails. I read somewhere that I'm able to run IPFW,
> but not the PF firewall, in a VNET jail.
> Is that correct?
>
> I want a VNET jail basically for NAT, so natd with ipfw + ipdivert is my
1) You can do nat without vnet.
2) ipfw nat is currently the easiest way to do nat.
> choice? Or can I use pf somehow? I never used pf before,
> so I would like some advice here...
>
> Thanks in advance,
> --

WBR,
Alexander

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 20 17:51:28 2012
Date: Wed, 20 Jun 2012 20:51:26 +0300
From: Sami Halabi
To: "Alexander V. Chernikov"
Cc: freebsd-ipfw@freebsd.org, bz@freebsd.org, freebsd-jail@freebsd.org, freebsd-pf@freebsd.org
In-Reply-To: <4FE1E175.4060005@FreeBSD.org>
Subject: Re: VNET

Thank you.

I want to use a VNET jail for a specific subnet that I need to separate
from the system. So basically I create a VLAN + a bridged interface to the
public. These two (VLAN + bridged interface, epair0a) will be in the VNET
jail, so I can do NAT only for that VLAN going out. This is the idea, as
there are more interfaces in the system and there is only one interface
out... so basically it should be a firewall & NAT only between the
specific LAN and the outside world.

Can this be accomplished another way?

Sami

On Wed, Jun 20, 2012 at 5:43 PM, Alexander V. Chernikov <melifaro@freebsd.org> wrote:
> On 19.06.2012 12:56, Sami Halabi wrote:
>
>> Hi,
>>
>> I want to ask about VNET jails. I read somewhere that I'm able to run IPFW,
>> but not the PF firewall, in a VNET jail.
>> Is that correct?
>>
>> I want a VNET jail basically for NAT, so natd with ipfw + ipdivert is my
>>
> 1) You can do nat without vnet.
> 2) ipfw nat is currently the easiest way to do nat.
>
>
> choice? Or can I use pf somehow? I never used pf before,
>> so I would like some advice here...
>>
>> Thanks in advance,
>>
>>
> --
> WBR, Alexander
>

--
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert
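The port-restricting gateway Nejc describes in the "Source port translation only" thread above (source address untouched, source port forced into [1024:2047], an in-range port kept but still given a state entry) together with Jason's point about port exhaustion, modelled as an added Python example; this is constructed illustration code, not pf and not from anyone in the thread. The peer address 2001:db8:c0de::1 (the thread truncates it) and the endpoint-independent allocation policy (one wire port per protocol and source address for the life of the state) are assumptions.

```python
from typing import Dict, Optional, Tuple

# Inside-side 5-tuple of a flow: (proto, src_addr, src_port, dst_addr, dst_port)
Flow = Tuple[str, str, int, str, int]


class PortRangeExhausted(Exception):
    """No free port is left in the restricted set for this source address."""


class PortRestrictingTranslator:
    """Stateful source-port-only translator (constructed model, not pf code).

    The source address is never rewritten; only the source port is moved into
    [low, high].  A port that is already inside the set is kept, but a state
    entry is created anyway so replies can be matched.  Allocation is
    endpoint-independent (an assumption): a wire port is reserved per
    (proto, src_addr) for the lifetime of the state, which is what makes the
    set exhaustible.
    """

    def __init__(self, low: int, high: int) -> None:
        if not 0 < low <= high <= 65535:
            raise ValueError("bad port range")
        self.low, self.high = low, high
        self._out: Dict[Flow, int] = {}                    # inside flow -> wire port
        self._in: Dict[Tuple[str, str, int], Flow] = {}    # (proto, src, wire port) -> flow

    def _free(self, proto: str, src: str, port: int) -> bool:
        return (proto, src, port) not in self._in

    def _allocate(self, proto: str, src: str) -> int:
        for cand in range(self.low, self.high + 1):        # lowest free port wins
            if self._free(proto, src, cand):
                return cand
        raise PortRangeExhausted(f"{proto} {src}: {self.high - self.low + 1} ports all in use")

    def outbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> int:
        """Return the source port to write on the wire for an outgoing packet."""
        key: Flow = (proto, src, sport, dst, dport)
        if key in self._out:                               # existing state: reuse it
            return self._out[key]
        if self.low <= sport <= self.high and self._free(proto, src, sport):
            wire = sport                                   # already in range: no rewrite
        else:
            wire = self._allocate(proto, src)
        self._out[key] = wire
        self._in[(proto, src, wire)] = key
        return wire

    def inbound(self, proto: str, peer: str, pport: int, dst: str, dport: int) -> Optional[int]:
        """Map a reply's destination port back to the inside port, or None without state."""
        flow = self._in.get((proto, dst, dport))
        if flow is None or flow[3:] != (peer, pport):      # no state, or wrong peer
            return None
        return flow[2]

    def close(self, proto: str, src: str, sport: int, dst: str, dport: int) -> None:
        """Drop a finished flow's state and release its wire port."""
        wire = self._out.pop((proto, src, sport, dst, dport), None)
        if wire is not None:
            del self._in[(proto, src, wire)]


def demo() -> Dict[str, int]:
    """Walk the packet from the thread through the model, then exhaust the set."""
    t = PortRestrictingTranslator(1024, 2047)
    inside = "2001:db8::10"
    peer = "2001:db8:c0de::1"      # constructed; the thread truncates the peer address
    out: Dict[str, int] = {}
    out["rewritten"] = t.outbound("tcp", inside, 53523, peer, 80)   # out of range -> 1024
    out["kept"] = t.outbound("tcp", inside, 1500, peer, 443)        # in range -> stays 1500
    out["reply_port"] = t.inbound("tcp", peer, 80, inside, out["rewritten"]) or -1  # 53523
    out["reply_no_state"] = t.inbound("tcp", peer, 80, inside, 2000) or -1          # -1
    # 1022 of the 1024 ports remain, so the 1023rd new flow from this address fails.
    opened = 0
    try:
        for sport in range(30000, 30000 + 1024):
            t.outbound("tcp", inside, sport, peer, 8080)
            opened += 1
    except PortRangeExhausted:
        pass
    out["opened_before_exhaustion"] = opened                        # -> 1022
    t.close("tcp", inside, 53523, peer, 80)                         # frees port 1024
    out["reused_after_close"] = t.outbound("tcp", inside, 40000, peer, 8080)  # -> 1024
    return out
```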