From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 15 Oct 2012 11:06:13 GMT
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use: http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).
From: Olivier Cochard-Labbé
To: Patrick Lamaiziere
Cc: freebsd-pf@freebsd.org
Date: Mon, 15 Oct 2012 17:52:03 +0200
Subject: Re: [9.1] PF drop

On Fri, Oct 12, 2012 at 9:42 PM, Patrick Lamaiziere wrote:
> Hello,

Hi Patrick,

> As far as I can see, PF replies with an icmp unreachable if a packet is
> dropped in output, even if the block policy is "drop". Which is not the
> intended behavior.

I've tested with a simple lab:

    PC_1 (10.0.12.1) <===> (em0) FW (em1) <===> PC_2 (10.0.23.3)

and this 3-line rule set:

    set block-policy drop
    block all
    pass proto tcp from em0:network to em1:network

Then I've tried to ssh from PC_2 to PC_1, and all traffic is dropped (no ICMP generated).
Tested on -current, 8.2-RELEASE-p6, and 9.1-RC2.

Then I've tried with your rule set adapted to my lab:

    block log (all)
    pass in quick to 10.0.23.3 no state
    block drop out quick on em1 to 10.0.23.3
    pass out quick
    pass in quick inet

And I've tried to ssh from PC_1 to PC_2, and all traffic is dropped (no ICMP generated) too.

One remark: I'm using pf as a module (not compiled in the kernel).
Regards,
Olivier

From: Patrick Lamaiziere
To: Olivier Cochard-Labbé
Cc: freebsd-pf@freebsd.org
Date: Tue, 16 Oct 2012 09:13:38 +0200
Subject: Re: [9.1] PF drop

On Mon, 15 Oct 2012 17:52:03 +0200, Olivier Cochard-Labbé wrote:

Hello,

> And I've tried to ssh from PC_1 to PC_2, and all traffic is dropped (no
> ICMP generated) too.
>
> One remark: I'm using pf as a module (not compiled in the kernel).

The box was running a 9.1 prerelease from August 25; I've updated to 9.1-RC2. I've checked again and I confirm this icmp unreachable behavior. I've got one other report of this problem on FreeBSD 6.3 and 9.0.

To be sure that states are not involved at all I've used a serial console on the firewall (previous tests were made with ssh).

So I don't understand why you don't reproduce this. I will make a few more tests.

The config is 9.1-RC2 / i386, all daemons are stopped (keeping sshd). No IPv6. Generic kernel / world and no special tuning. The box is a Soekris Net5501.

Thanks for your help.
Regards.

From: Patrick Lamaiziere
To: freebsd-pf@freebsd.org
Date: Tue, 16 Oct 2012 22:57:08 +0200
Subject: Re: [9.1] PF drop

On Tue, 16 Oct 2012 09:13:38 +0200, Patrick Lamaiziere wrote:

Hello,

> To be sure that states are not involved at all I've used a serial
> console on the firewall (previous tests were made with ssh).
>
> So I don't understand why you don't reproduce this. I will make a few
> more tests.

I've tested on my workstation at work running a fresh 9.1-STABLE and I still saw "icmp unreachable". So I don't understand...

Config of the first example (Net5501). No special sysctl set.

    $ uname -a
    FreeBSD malpractice.lamaiziere.net 9.1-RC2 FreeBSD 9.1-RC2 #0 r241596: Mon Oct 15 21:23:23 CEST 2012     root@baby-jane.lamaiziere.net:/usr/obj/usr/src/sys/GENERIC  i386

/etc/rc.conf:

    background_fsck="NO"
    hostname="malpractice.lamaiziere.net"
    keymap="fr.iso.acc"
    dumpdev="/dev/ad0s1b"
    dumpdir="/usr/crash"
    devfs_system_ruleset="lpt"
    clear_tmp_enable="YES"
    pf_enable="YES"
    pflog_enable="YES"
    ipv6_network_interfaces=""
    ifconfig_vr0="192.168.1.254 netmask 255.255.255.0"
    ifconfig_vr2="192.168.200.254 netmask 255.255.255.0"
    ifconfig_vr3="10.0.200.254 netmask 255.255.255.0"
    defaultrouter="192.168.1.1"
    gateway_enable="YES"
    sshd_enable="YES"
    sshd_flags="-u0"
    sendmail_enable="YES"
    sendmail_flags="-bd"
    sendmail_pidfile="/var/spool/postfix/pid/master.pid"
    sendmail_outbound_enable="NO"
    sendmail_msp_queue_enable="NO"

----------

Rules:

    pfctl -s rules
    No ALTQ support in kernel
    ALTQ related functions disabled
    block drop log (all) all
    pass in quick inet from any to 192.168.200.2 no state
    block drop out quick on vr2 inet from any to 192.168.200.2
    pass out quick all flags S/SA keep state
    pass in quick inet all flags S/SA keep state

When I ping from 192.168.1.60 to the dropped host (192.168.200.2):

    root@malpractice:/root # tcpdump -i vr0 icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on vr0, link-type EN10MB (Ethernet), capture size 65535 bytes
    22:55:17.855511 IP 192.168.1.60 > 192.168.200.2: ICMP echo request, id 47511, seq 1072, length 64
    22:55:17.855665 IP 192.168.1.254 > 192.168.1.60: ICMP host 192.168.200.2 unreachable, length 36
    22:55:18.856492 IP 192.168.1.60 > 192.168.200.2: ICMP echo request, id 47511, seq 1073, length 64
    22:55:18.856610 IP 192.168.1.254 > 192.168.1.60: ICMP host 192.168.200.2 unreachable, length 36

Regards.

From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Fri, 19 Oct 2012 23:44:23 GMT
Subject: Re: bin/172888: [patch] authpf(8) feature enhancement

Old Synopsis: authpf feature enhancement
New Synopsis: [patch] authpf(8) feature enhancement

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Fri Oct 19 23:43:57 UTC 2012
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=172888
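As an added example (not code from the thread or from the pf project), a small Python check that scans a tcpdump ICMP capture like the one Patrick posted and reports every echo request to a host the ruleset should drop silently that the firewall instead answered with an ICMP host unreachable. The capture lines, the firewall address 192.168.1.254 and the blocked host 192.168.200.2 are taken from his message; the third, unanswered request is constructed to show what a correct block-policy drop looks like.

```python
import re

# Constructed sample modelled on the capture in the thread: two echo requests
# answered by the firewall with "host unreachable", plus one that stays silent.
SAMPLE_CAPTURE = """\
22:55:17.855511 IP 192.168.1.60 > 192.168.200.2: ICMP echo request, id 47511, seq 1072, length 64
22:55:17.855665 IP 192.168.1.254 > 192.168.1.60: ICMP host 192.168.200.2 unreachable, length 36
22:55:18.856492 IP 192.168.1.60 > 192.168.200.2: ICMP echo request, id 47511, seq 1073, length 64
22:55:18.856610 IP 192.168.1.254 > 192.168.1.60: ICMP host 192.168.200.2 unreachable, length 36
22:55:19.857000 IP 192.168.1.60 > 192.168.200.2: ICMP echo request, id 47511, seq 1074, length 64
"""

# One tcpdump ICMP line: timestamp, source, destination, rest of the message
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): ICMP (?P<msg>.*)$")
UNREACH_RE = re.compile(r"host (?P<target>\S+) unreachable")

def _seconds(ts):
    """Convert an HH:MM:SS.ffffff tcpdump timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse_icmp(capture):
    """Yield (seconds, src, dst, msg) for each ICMP line; tcpdump chatter is skipped."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield _seconds(m["ts"]), m["src"], m["dst"], m["msg"]

def find_policy_leaks(capture, firewall_ip, blocked_hosts, window_s=1.0):
    """Return (request_time, target, delay) for each echo request to a host the
    ruleset should drop silently that the firewall instead answered with an
    ICMP host unreachable within window_s seconds of the request."""
    pending = {}  # (sender, target) -> time of the latest echo request
    leaks = []
    for t, src, dst, msg in parse_icmp(capture):
        if msg.startswith("echo request") and dst in blocked_hosts:
            pending[(src, dst)] = t
        elif src == firewall_ip:
            u = UNREACH_RE.search(msg)
            if u is None:
                continue
            req = pending.pop((dst, u["target"]), None)
            if req is not None and t - req <= window_s:
                leaks.append((req, u["target"], round(t - req, 6)))
    return leaks

def count_requests(capture, blocked_hosts):
    """Number of echo requests aimed at the hosts the ruleset should drop."""
    return sum(1 for _, _, dst, msg in parse_icmp(capture)
               if msg.startswith("echo request") and dst in blocked_hosts)
```

With a policy of "drop", every request to 192.168.200.2 should be silent, so any entry returned by find_policy_leaks is the behaviour Patrick reports.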