From owner-freebsd-pf@FreeBSD.ORG Sun Jul 1 18:34:37 2012
From: Marcin Wisnicki
To: freebsd-pf@freebsd.org
Date: Sun, 1 Jul 2012 18:34:18 +0000 (UTC)
Subject: Can't kill connections

I'm trying to kill all connections to/from a certain host after reloading the ruleset, to force it to go through the new ruleset, but it does not seem to work.

My host is a simple gateway with $if_ext being natted to $if_int.

I put this rule as the first filter rule:

  block log quick on $if_ext label "block-ext"

which should prevent any connection from reaching the internet. State policy is set to if-bound.

Then I kill existing states (tcp and udp):

  pfctl -k $host && pfctl -k 0/0 -k $host
  pfctl -k $gateway && pfctl -k 0/0 -k $gateway

The states are killed and disappear from pftop, but immediately new connections get through as if rule "block-ext" didn't exist.

These new states have high rule numbers that correspond to pass rules on $if_int.

How is this possible when "block-ext" should block everything?

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 1 19:31:58 2012
From: Jason Hellenthal
To: Marcin Wisnicki
Cc: freebsd-pf@freebsd.org
Date: Sun, 1 Jul 2012 15:31:53 -0400
Message-ID: <20120701193153.GA73402@DataIX.net>
Subject: Re: Can't kill connections

Press 5 -or- 6 after firing up pftop and see which rule is counting upward that is accepting this traffic.
-- 
 - (2^(N-1))

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 1 20:03:29 2012
From: Marcin Wisnicki
To: Jason Hellenthal
Cc: freebsd-pf@freebsd.org
Date: Sun, 1 Jul 2012 22:03:28 +0200
In-Reply-To: <20120701193153.GA73402@DataIX.net>
Subject: Re: Can't kill connections

On Sun, Jul 1, 2012 at 9:31 PM, Jason Hellenthal wrote:
>
> Press 5 -or- 6 after firing up pftop and see which rule is counting
> upward that is accepting this traffic.
>

I've found it! They were passed via "rdr pass" rules under the "miniupnpd" anchor. Unfortunately pftop does not show nat/rdr rules.
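The bypass found above comes from pf's translation semantics: a nat/rdr/binat rule that carries the `pass` keyword creates state for the translated packet without evaluating the filter rules, so a `block ... quick` at the top of the filter ruleset never sees that traffic, and killing states only buys time until the next packet re-creates one. The following audit script is an added example, not part of any mail in this thread or of pf/miniupnpd; it walks a per-anchor dump of translation rules (the text `pfctl -sn` prints for the main ruleset and `pfctl -a <anchor> -sn` for each anchor) and reports every rule that skips the filter. `SAMPLE_DUMP`, the `Bypass` type and the function names are assumptions made here; the sample rules are constructed, not captured output.

```python
"""Audit a pf ruleset dump for translation rules that bypass the filter.

Added example for the freebsd-pf thread above; not code from the thread,
from pf or from miniupnpd.  Models the pf.conf(5) semantics that a
nat/rdr/binat rule with the `pass` modifier passes the translated packet
without consulting the filter rules.  Input format assumed: one list of
rule lines per anchor, as printed by `pfctl -sn` (main ruleset, key "")
and `pfctl -a <anchor> -sn`.  SAMPLE_DUMP is a constructed stand-in.
"""
import re
from dataclasses import dataclass

# A translation rule, with an optional `pass` modifier.  Requires whitespace
# after the keyword so that `rdr-anchor "name" all` lines are not matched,
# and `no rdr ...` lines never match because they do not start with rdr.
TRANSLATION_RE = re.compile(r'^(nat|rdr|binat)(\s+pass)?\s+(.*)$')
IFACE_RE = re.compile(r'\bon\s+(\S+)')
TARGET_RE = re.compile(r'->\s+([^\s,]+)')


@dataclass(frozen=True)
class Bypass:
    anchor: str   # "" means the main ruleset
    kind: str     # nat / rdr / binat
    iface: str    # interface the translation applies on, or "any"
    target: str   # translation address (for rdr: the inside host)
    rule: str     # the offending rule text


def find_bypasses(anchor, rules):
    """Return the translation rules in one anchor that carry `pass`."""
    found = []
    for raw in rules:
        line = raw.strip()
        m = TRANSLATION_RE.match(line)
        if not m or not m.group(2):
            # Not a translation rule, or one without `pass`: the filter
            # rules still run for this traffic, so nothing to report.
            continue
        iface = IFACE_RE.search(line)
        target = TARGET_RE.search(line)
        found.append(Bypass(anchor, m.group(1),
                            iface.group(1) if iface else "any",
                            target.group(1) if target else "?", line))
    return found


def audit(dump):
    """Collect bypasses across the main ruleset and every anchor."""
    out = []
    for anchor, rules in dump.items():
        out.extend(find_bypasses(anchor, rules))
    return out


def hosts_bypassing_filter(dump):
    """Inside hosts reachable through `rdr pass`, whatever the filter says."""
    return {b.target for b in audit(dump) if b.kind == "rdr"}


def report(dump):
    """Human-readable lines, one per bypassing rule."""
    lines = []
    for b in audit(dump):
        where = f'anchor "{b.anchor}"' if b.anchor else "main ruleset"
        lines.append(f"{where}: {b.kind} pass on {b.iface} -> {b.target} "
                     f"skips filter rules: {b.rule}")
    return lines


# Constructed sample: a plain outbound nat in the main ruleset plus two
# rdr pass rules that a UPnP daemon might have loaded into its anchor.
SAMPLE_DUMP = {
    "": [
        "nat on em0 inet from 192.168.1.0/24 to any -> (em0)",
        'rdr-anchor "miniupnpd" all',
    ],
    "miniupnpd": [
        "rdr pass on em0 inet proto tcp from any to any port = 51413 "
        "-> 192.168.1.10 port 51413",
        "rdr pass on em0 inet proto udp from any to any port = 51413 "
        "-> 192.168.1.10 port 51413",
    ],
}

if __name__ == "__main__":
    for line in report(SAMPLE_DUMP):
        print(line)
    print("hosts bypassing the filter:", sorted(hosts_bypassing_filter(SAMPLE_DUMP)))
```

To run it against a live gateway, feed the output of `pfctl -sn` under the `""` key and `pfctl -a miniupnpd -sn` (and any other `nat-anchor`/`rdr-anchor` the main dump lists) under the anchor's name. The point of keeping anchors separate is exactly the failure mode in the thread: the main ruleset only shows `rdr-anchor "miniupnpd" all`, and neither that line nor pftop reveals the `rdr pass` rules inside it, so an audit that stops at the main ruleset concludes, wrongly, that the first `block quick` covers everything.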
From owner-freebsd-pf@FreeBSD.ORG Mon Jul 2 11:07:18 2012
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 2 Jul 2012 11:07:17 GMT
Message-Id: <201207021107.q62B7H8u012697@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
s kern/167057  pf         [pf] PF firewall version 4.5 in FreeBSD 9.0 & 8.2 nolo
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

52 problems total.