From owner-freebsd-pf@FreeBSD.ORG Sun Aug 26 04:01:06 2012
From: Надеждик Кулибина (envelope-from mg_pritchard@telkomsa.net)
Date: Tue, 21 Aug 2012 6:16:25 +0600
To: freebsd-pf@freebsd.org
Subject: if you want to get acquainted

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 27 11:07:19 2012
From: FreeBSD bugmaster (envelope-from owner-bugmaster@FreeBSD.org)
Date: Mon, 27 Aug 2012 11:07:17 GMT
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/169630  pf    [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf    [pf] direction scrub rules don't work
o kern/168190  pf    [pf] panic when using pf and route-to (maybe: bad frag
s kern/167057  pf    [pf] PF firewall version 4.5 in FreeBSD 9.0 & 8.2 nolo
o kern/166336  pf    [pf] kern.securelevel 3 +pf reload
o kern/165315  pf    [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf    [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf    [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf    [pf] PF state key linking mismatch
o kern/160370  pf    [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf    [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf    [pf] Bug with PF firewall
o kern/148290  pf    [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf    [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf    [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o conf/142817  pf    [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/135162  pf    [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o kern/132769  pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf    [pf] pf stalls connection when using route-to [regress
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf    [pf] deadlock in pf
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to successfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

53 problems total.
From owner-freebsd-pf@FreeBSD.ORG Fri Aug 31 06:35:34 2012
From: CSS <css@morefoo.com>
Date: Fri, 31 Aug 2012 02:26:47 -0400
To: freebsd-pf@freebsd.org
Subject: active pf states vs. active connections

Hello,

We've recently been seeing issues when creating a large number of outbound
connections where the number of states kept by pf seriously outnumbers the
number of actual connections as shown by netstat. It's not terribly
surprising - the kernel has different timeout values than the firewall.
However, as I've been slowly moving the pf timeouts down (mainly on finwait
entries), I'm not seeing the number of states really shrink. For example, we
might see about 200 connections in FIN_WAIT_2 in netstat, but over 20,000
tracked in pf, even with tcp.finwait dropped down to 5s.

It's a problem I never really thought about before - how to address the
inherent difference between how aggressively the kernel ages old connections
out vs. how aggressively pf times them out.

Before I hit the list with a bunch of stats, I just wanted to get a feel for
whether I'm on the right track here - should I essentially be turning down pf
timeouts to match kernel tcp timeout parameters? If I should, why am I seeing
so many lingering state entries?

This is FreeBSD 8.3.
Thanks,
Charles

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 31 07:49:37 2012
From: budsz <budiyt@gmail.com>
Date: Fri, 31 Aug 2012 14:49:35 +0700
To: freebsd-pf@freebsd.org
Cc: freebsd-questions@freebsd.org
Subject: PF RDR from LAN to LAN

Hi folks,

I have a little question about RDR using Packet Filter (PF). I used IPF
(IPFILTER) before and succeeded with this scenario.

extif = outside interface
intif = internal interface
public_ip = 202.xxx.xxx.xxx
client_create = 192.168.1.1, port = 6112
client_join = 192.168.1.2

For outside/internet:

rdr pass on $extif proto tcp from any to $public_ip port 6112 -> $client_create port 6112

That rule successfully forwards from the internet to $client_create. Now the
other plan: how to forward $client_join to $client_create. I use this rule:

rdr pass on $intif proto tcp from $client_join to $public_ip port 6112 -> $client_create port 6112

As far as I know, if $client_create creates a game host on port 6112 it will
be translated to $public_ip with port 6112 too, so I need to forward from the
LAN to $public_ip/6112 to whoever actually creates the game
($client_create/6112).

pfctl -s state shows:

client_create 6112 <- public_ip 6112 <- client_join SYS-CLOSED

Anyone help with this issue? Thank you.

--
budsz
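A pf.conf excerpt added here as an example for both questions in this digest; it is not from either poster. Part 1 shows which timeout actually governs the half-closed states Charles sees, and Part 2 shows budsz's LAN-side rdr together with the nat rule that makes the reply return through the firewall (the "reflection" setup described in the pf FAQ). The interface names, the numeric timeouts and the state limit are assumptions; the addresses are the ones in budsz's post.

```pf
# Added example, not from the thread. FreeBSD 8.x pf.conf syntax.
ext_if = "em0"                 # assumption: stands in for budsz's $extif
int_if = "em1"                 # assumption: stands in for budsz's $intif
public_ip = "202.xxx.xxx.xxx"  # elided in the post; substitute the real address
client_create = "192.168.1.1"
client_join = "192.168.1.2"

### Part 1: state timeouts (Charles's question) ###
# pf picks the timeout from the PAIR of TCP states it tracks (visible
# with `pfctl -ss`), not from the kernel's socket state:
#   both sides ESTABLISHED                   -> tcp.established (default 86400 s)
#   one side sent a FIN, the other has not   -> tcp.closing     (default 900 s)
#   both sides have sent a FIN               -> tcp.finwait     (default 45 s)
# A socket that netstat shows in FIN_WAIT_2 has sent its FIN and not
# received one, so pf holds it under tcp.closing. The kernel reaps such
# sockets silently (net.inet.tcp.finwait2_timeout) and sends nothing, so
# pf never sees the connection finish.
set timeout tcp.finwait 5      # the knob that was tuned; fully closed states only
set timeout tcp.closing 60     # governs the half-closed states that pile up
# Safety net: scale every timeout down as the state table fills
# (defaults 6000 / 12000, i.e. 60% / 120% of the default 10000-state limit).
set limit states 100000
set timeout adaptive.start 60000
set timeout adaptive.end 120000

### Part 2: LAN client reaching a LAN server via the public IP (budsz) ###
# From the Internet: budsz's rule that already works.
rdr pass on $ext_if proto tcp from any to $public_ip port 6112 \
    -> $client_create port 6112
# From the LAN: redirect AND source-NAT to the firewall's own LAN address.
# With rdr alone, $client_create answers $client_join directly on the LAN;
# that reply never crosses the firewall, so it matches no state, and
# $client_join, which expects its reply from $public_ip, discards it.
# With the nat, the reply is addressed to the firewall, which reverses
# both translations before delivering it.
rdr pass on $int_if proto tcp from $client_join to $public_ip port 6112 \
    -> $client_create port 6112
nat on $int_if proto tcp from $client_join to $client_create port 6112 \
    -> $int_if
```

`pfctl -nf /etc/pf.conf` parses the file without loading it; `pfctl -st` shows the timeouts in effect and `pfctl -ss` the state pairs those timeouts are applied to.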