From owner-freebsd-pf@FreeBSD.ORG Sun Dec 16 06:54:17 2012
From: CyberLeo Kitsana
To: freebsd-pf@freebsd.org
Date: Sat, 15 Dec 2012 21:16:43 -0600
Subject: PF IPv6 NAT and The Curse of The Invalid Checksum
Message-ID: <50CD3D1B.7060507@cyberleo.net>

Has anyone successfully attempted to NAT IPv6 addresses using PF?

I'm running 9.1-RELEASE@2012-12-01, and am trying to cope with my colo provider's provision of a single IPv6 address to feed a few Jails. My fallback approach, via HE Tunnelbroker, is thwarted by the provider's having blocked ICMP echo requests, required by Tunnelbroker to maintain a tunnel. Thus, I decided to leverage PF to NAT a site-scope subnet. For v4, this works fine; v6, not so much.

I managed to track down the issue to pf generating improper checksums (or not updating the checksums at all) whenever a translation of the v6 address or port is performed, causing the egress packet to be ignored by the intended global-scope target. A cursory perusal of the pf code in 9.1 suggests that it should be doing the right thing, so I am at a loss as to why it is not.

Any suggestions on where I might look? Is this send-pr(1)-worthy? Or is v6 NAT as unwanted as Google suggests it is?

Thanks!

----

With the following configuration, all jails (with the exception of the firewalled jump jail) can connect to global IPv4 addresses, but attempts to connect to global IPv6 addresses time out. Conversely, incoming IPv4 connections to port 2222 are properly redirected to ssh in the jump jail, but incoming IPv6 connections time out.

base.pf:
----8<----
host_ipv4="216.226.128.201"
host_ipv6="2605:3e00::d8e2:80c9"
jail_net4="10.4.4.0/24"
jail_net6="fec0::4444:0:0:a04:400/120"
jump_ipv4="10.4.4.2"
jump_ipv6="fec0::4444:0:0:a04:402"

set block-policy return

# Prevent jump jail from connecting out; blocked below
no nat on em1 from $jump_ipv4 to !$jail_net4
no nat on em1 from $jump_ipv6 to !$jail_net6

# Nat all other jails
nat on em1 from $jail_net4 to !$jail_net4 -> $host_ipv4
nat on em1 from $jail_net6 to !$jail_net6 -> $host_ipv6

# Invite ssh into jump jail
rdr pass on em1 proto tcp from any to $host_ipv4 port 2222 -> $jump_ipv4 port 22
rdr pass on em1 proto tcp from any to $host_ipv6 port 2222 -> $jump_ipv6 port 22

# Prevent leaking privates
block out log quick on em1 from any to $jail_net4
block out log quick on em1 from any to $jail_net6
block out log quick on em1 from $jail_net4 to any
block out log quick on em1 from $jail_net6 to any

# Isolate jump jail from connecting to other jails except via ssh
pass in quick on lo0 proto tcp from $jump_ipv4 to $jail_net4 port 22
pass in quick on lo0 proto tcp from $jump_ipv6 to $jail_net6 port 22
block in log quick on lo0 from $jump_ipv4 to any
block in log quick on lo0 from $jump_ipv6 to any

pass in all
pass out all
----8<----

/etc/jail.conf:
----8<----
# Defaults
$base="/srv/jail/${name}";
path="${base}/root";
mount.devfs;
mount.fstab = "${base}/fstab";
exec.clean;
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";

jump {
    host.hostname = "jump.mtumishi.cyberleo.net";
    interface = "lo1";
    ip4.addr = 10.4.4.2;
    ip6.addr = fec0::4444:0:0:a04:402;
    enforce_statfs = 1;
}

build {
    host.hostname = "build.mtumishi.cyberleo.net";
    interface = "lo1";
    ip4.addr = 10.4.4.3;
    ip6.addr = fec0::4444:0:0:a04:403;
    enforce_statfs = 1;
}

main {
    host.hostname = "main.mtumishi.cyberleo.net";
    interface = "lo1";
    ip4.addr = 10.4.4.4;
    ip6.addr = fec0::4444:0:0:a04:404;
    enforce_statfs = 1;
}
----8<----

--
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net

Furry Peace! - http://wwww.fur.com/peace/

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 17 11:06:49 2012
Date: Mon, 17 Dec 2012 11:06:48 GMT
Message-Id: <201212171106.qBHB6mcF023549@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/173659  pf         [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf         [patch] authpf(8) feature enhancement
o kern/172648  pf         [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf         [pf] PF problem with modulate state in [regression]
o kern/169630  pf         [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

48 problems total.
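Returning to the IPv6 NAT checksum report that opens this digest: the symptom CyberLeo describes (the translated packet is silently ignored by the global-scope target) is exactly what a stale transport checksum produces, because for IPv6 the source address enters the TCP checksum through the pseudo-header and a NAT that rewrites address or port must fix the checksum up. The following is an added example, not code from the thread or from pf: it builds a constructed TCP-over-IPv6 segment using the jail and host addresses from base.pf, rewrites it as the outbound nat rule would, and shows that it verifies only when the RFC 1624 incremental fixup is applied. The destination address, ports and payload are constructed values.

```python
"""Check an IPv6 TCP checksum across a NAT source rewrite (added example, constructed data)."""
import ipaddress
import struct

# Jail and host addresses are the ones in the thread's base.pf; the target is constructed.
JAIL_SRC = ipaddress.IPv6Address("fec0::4444:0:0:a04:404")  # "main" jail
HOST_SRC = ipaddress.IPv6Address("2605:3e00::d8e2:80c9")    # $host_ipv6
DST = ipaddress.IPv6Address("2001:db8::1")                  # constructed global target

def ones_sum(data: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src, dst, segment: bytes) -> bytes:
    """RFC 2460 pseudo-header: src, dst, upper-layer length, 3 zero bytes, next header 6 (TCP)."""
    return src.packed + dst.packed + struct.pack("!I3xB", len(segment), 6)

def build_segment(sport: int, dport: int, src, dst, payload: bytes = b"") -> bytes:
    """Minimal 20-byte TCP SYN header plus payload, checksum (bytes 16..17) filled in."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    cksum = (~ones_sum(pseudo_header(src, dst, seg) + seg)) & 0xFFFF
    return seg[:16] + struct.pack("!H", cksum) + seg[18:]

def verify(src, dst, segment: bytes) -> bool:
    """Receiver-side check: pseudo-header plus segment, checksum included, sums to 0xFFFF."""
    return ones_sum(pseudo_header(src, dst, segment) + segment) == 0xFFFF

def cksum_fixup(cksum: int, old: bytes, new: bytes) -> int:
    """Incremental update, RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), applied for every rewritten word."""
    acc = (~cksum & 0xFFFF) + (~ones_sum(old) & 0xFFFF) + ones_sum(new)
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return (~acc) & 0xFFFF

def nat_source(segment: bytes, src_old, src_new, sport_new: int, fixup: bool) -> bytes:
    """Rewrite the source port as 'nat on em1 ... -> $host_ipv6' would (the address lives in the
    IPv6 header, so it enters only via the pseudo-header); fixup=False leaves the checksum stale."""
    old_port, new_port = segment[0:2], struct.pack("!H", sport_new)
    out = new_port + segment[2:]
    if fixup:
        old_cksum = struct.unpack("!H", segment[16:18])[0]
        new_cksum = cksum_fixup(old_cksum, src_old.packed + old_port, src_new.packed + new_port)
        out = out[:16] + struct.pack("!H", new_cksum) + out[18:]
    return out
```

The same verify() check, run over the pseudo-header and TCP bytes of packets captured on em1, tells you whether the egress checksum is the problem before digging into the pf code.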
From owner-freebsd-pf@FreeBSD.ORG Tue Dec 18 05:32:03 2012
From: Stan Gammons
To: freebsd-pf@freebsd.org
Date: Mon, 17 Dec 2012 23:01:07 -0600
Subject: FreeBSD 9.0+PF+fwanalog
Message-ID: <1355806867.22593.10.camel@falklands.home.pc>

Does anyone have PF on FreeBSD 9 working with fwanalog? Corrupt line errors is what I see. I'm guessing something is different in the format pflogd on FreeBSD versus OpenBSD?

It looks like fwanalog and hatchet are no longer maintained. What are others using for a log analyzer for PF on FreeBSD?
Stan

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 21 18:36:16 2012
From: Maxim Khitrov
To: Gleb Smirnoff
Cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Date: Fri, 21 Dec 2012 13:35:39 -0500
Subject: Re: Upgrading FreeBSD to use the NEW pf syntax.
In-Reply-To: <20121126150028.GK84121@FreeBSD.org>
References: <201211201543.17903.Mark.Martinec+freebsd@ijs.si> <20121121075642.GR67660@FreeBSD.org> <20121121145240.GE67660@glebius.int.ru> <20121126150028.GK84121@FreeBSD.org>

On Mon, Nov 26, 2012 at 10:00 AM, Gleb Smirnoff wrote:
> Paul,
>
> On Sat, Nov 24, 2012 at 02:11:32PM -0000, Paul Webster wrote:
> P> I only really need one question answered in honesty;
> P>
> P> I personally think that by forking our own version of PF we have
> P> essentially made something totally different to what everyone wants to
> P> use. Which is fine, but because of that development of new features have
> P> dropped behind.
> P>
> P> If we had kept up with OpenBSD's version even if we trailed it by one
> P> MAJOR release; at least part of the development would have been done.
> P>
> P> So now we end up in a situation where we have these firewalls,
> P> IPFW2,ipf,pf(modded) and users wanting the newer features of OpenBSD's pf.
> P> So timewise the fork of pf may have actually cost more in time rather than
> P> less.
> P>
> P> I don't however think the 'solution' to the problem is just to say no to
> P> the userbase by not even trying to port across the newer pf. I think we
> P> should look at bringing it across, slowly and seeing what the uptake is
> P> like; in a few MAJOR releases we can start to look at which of the
> P> firewalls realistically are not used that much and should be deprecated.
>
> If you see a large userbase that eagers to see new pf, then you can port
> it to FreeBSD, maintain it, catch up with new versions from OpenBSD,
> and so on. No one forbids you doing that.

Putting aside the issue of new syntax...

What is the actual state of pf in the upcoming FreeBSD 9.1-RELEASE? Have there been any changes from 9.0? The most recent list of PRs doesn't look very encouraging.

I'm setting up a new office firewall right now. I tried installing OpenBSD 5.2, but it doesn't recognize the Intel X25-E drive in AHCI mode or the Intel X540 10GbE adapter, which should be supported. Maybe I can fix these problems, but I'd much rather see an improvement in the state of FreeBSD firewalls. No one needs three choices, we need one that works and is actively maintained.

- Max