From owner-freebsd-pf@FreeBSD.ORG Mon Nov 4 11:06:54 2013
Date: Mon, 4 Nov 2013 11:06:53 GMT
Message-Id: <201311041106.rA4B6rl6048475@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including experimental
development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/182401  pf         [pf] pf state for some IPs reaches 4294967295 suspicou
o kern/182350  pf         [pf] core dump with packet filter -- pf_overlad_task
o kern/179392  pf         [pf] [ip6] Incorrect TCP checksums in rdr return packe
o kern/177810  pf         [pf] traffic dropped by accepting rules is not counted
o kern/177808  pf         [pf] [patch] route-to rule forwarding traffic inspite
o kern/176763  pf         [pf] [patch] Removing pf Source entries locks kernel.
o kern/176268  pf         [pf] [patch] synproxy not working with route-to
o kern/173659  pf         [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf         [patch] authpf(8) feature enhancement
o kern/172648  pf         [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf         [pf] PF problem with modulate state in [regression]
o kern/169630  pf         [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/87074   pf         [pf] pf does not log dropped packets when max-* statef
a kern/86752   pf         [pf] pf does not use default timeouts when reloading c
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

57 problems total.
From owner-freebsd-pf@FreeBSD.ORG Tue Nov 5 17:41:51 2013
From: "ZOO LIFE ENT."
To: freebsd-pf@freebsd.org
Subject: Your Weekly ZOO LIFE ENT. Digest
Sender: FanBridge
Date: Tue, 05 Nov 2013 12:41:45 -0500
X-Report-Abuse: Please report abuse here: http://www.fanbridge.com/contact.php?report_abuse

ZOO LIFE ENT. Social Digest for the week of November 4, 2013

ZOO LIFE ENT. sent this message to freebsd-pf@freebsd.org
c/o FanBridge, Inc. - 14525 SW Millikan Way #16910 Beaverton Oregon 97005 United States
Date: Wed, 6 Nov 2013 23:20:01 GMT
Message-Id: <201311062320.rA6NK1D9004075@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Nat Howard
Subject: Re: kern/163208: [pf] PF state key linking mismatch

The following reply was made to PR kern/163208; it has been noted by GNATS.

From: Nat Howard
To: bug-followup@FreeBSD.org, mlager@sdunix.com
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Wed, 6 Nov 2013 18:08:23 -0500

Similar problem with L2TP over IPSEC (via mpd5), with the nasty additional
surprise that pf appears not to be correctly processing packets that come in
on the resulting ng0 interface when the pf rules refer to the ng interface
involved.

That is, this statement:

    pass in log quick on ng0 proto tcp to port 25

doesn't result in output when I look at a tcpdump of pflog0, even though I'm
arriving on the ng0 interface, and I can telnet to a port 25 somewhere.
Redirects and such also fail.

Oddly, similar rules succeed when we use mpd5 to do PPTP, rather than
L2TP/IPSEC.

And of course, we get a zillion error messages...

    pf: state key linking mismatch! dir=OUT, if=enc0, stored af=2, a0: [concealed ip address]:443, a1: 10.119.24.2:52893, proto=6, found af=2, a0: [concealed ip address]:51375, a1: [concealed ip address]:1701, proto=17.
    pf: state key linking mismatch! dir=OUT, if=enc0, stored af=2, a0: [concealed ip address]:443, a1: 10.119.24.2:52893, proto=6, found af=2, a0: [concealed ip address]:51375, a1: [concealed ip address]:1701, proto=17.

I've replaced some IP addresses by "[concealed ip address]".
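The two kernel messages Nat quotes carry the whole story in their fields: pf held a state keyed on TCP (proto=6) port 443 for the enc0 interface but found a UDP (proto=17) key ending in port 1701, the L2TP port. Pulling those fields out of syslog makes the pattern countable instead of a "zillion" indistinguishable lines. The parser below is an added example, not code from the PR or its follow-ups; the sample lines are constructed to the shape of Nat's two messages, with RFC 5737 documentation addresses standing in for "[concealed ip address]" (the 10.119.24.2:52893 endpoint is the one visible in his report).

```python
"""Parse pf's "state key linking mismatch" kernel messages into fields.

Added example, not code from the PR or its follow-ups.  The sample lines
below are constructed to the shape of the two messages Nat quoted, with
RFC 5737 documentation addresses in place of "[concealed ip address]".
"""
import re
from collections import Counter

PROTO_NAMES = {6: "tcp", 17: "udp"}

# Every field pf prints on such a line, captured by name.  Only IPv4
# literals are expected (af=2); an IPv6 literal would need a wider
# address class because of its colons.
MISMATCH_RE = re.compile(
    r"pf: state key linking mismatch! dir=(?P<dir>\w+), if=(?P<ifname>\w+), "
    r"stored af=(?P<s_af>\d+), a0:\s*(?P<s_a0>[\d.]+):(?P<s_p0>\d+), "
    r"a1:\s*(?P<s_a1>[\d.]+):(?P<s_p1>\d+), proto=(?P<s_proto>\d+), "
    r"found af=(?P<f_af>\d+), a0:\s*(?P<f_a0>[\d.]+):(?P<f_p0>\d+), "
    r"a1:\s*(?P<f_a1>[\d.]+):(?P<f_p1>\d+), proto=(?P<f_proto>\d+)"
)


def _key(groups, prefix):
    """Build one state key (stored or found) from the named groups."""
    proto = int(groups[prefix + "proto"])
    return {
        "af": int(groups[prefix + "af"]),
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "a0": (groups[prefix + "a0"], int(groups[prefix + "p0"])),
        "a1": (groups[prefix + "a1"], int(groups[prefix + "p1"])),
    }


def parse_mismatch(line):
    """Return a dict for one mismatch line, or None for any other line."""
    m = MISMATCH_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return {"dir": g["dir"], "if": g["ifname"],
            "stored": _key(g, "s_"), "found": _key(g, "f_")}


def describe(entry):
    """One-line summary: the key pf held versus the key it found."""
    def ep(k):
        return "%s %s:%d <-> %s:%d" % (k["proto"], *k["a0"], *k["a1"])
    return "%s %s: stored %s, found %s" % (
        entry["if"], entry["dir"], ep(entry["stored"]), ep(entry["found"]))


def summarize(lines):
    """Count mismatches per (interface, stored proto, found proto)."""
    counts = Counter()
    for line in lines:
        entry = parse_mismatch(line)
        if entry is not None:
            counts[(entry["if"], entry["stored"]["proto"],
                    entry["found"]["proto"])] += 1
    return counts


# Constructed sample: two mismatch lines plus one unrelated kernel line.
SAMPLE_LINES = [
    "pf: state key linking mismatch! dir=OUT, if=enc0, stored af=2, "
    "a0: 203.0.113.10:443, a1: 10.119.24.2:52893, proto=6, found af=2, "
    "a0: 203.0.113.10:51375, a1: 198.51.100.7:1701, proto=17.",
    "pf: state key linking mismatch! dir=OUT, if=enc0, stored af=2, "
    "a0: 203.0.113.10:443, a1: 10.119.24.2:52893, proto=6, found af=2, "
    "a0: 203.0.113.10:51375, a1: 198.51.100.7:1701, proto=17.",
    "enc0: link state changed to UP",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        entry = parse_mismatch(line)
        if entry:
            print(describe(entry))
    print(summarize(SAMPLE_LINES))
```

Feeding `/var/log/messages` through `summarize` groups the noise by interface and protocol pair, which is the shape of evidence a PR follow-up needs (how many, on which interface, TCP-versus-UDP) without the addresses.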
From owner-freebsd-pf@FreeBSD.ORG Wed Nov 6 23:40:03 2013
Date: Wed, 6 Nov 2013 23:40:02 GMT
Message-Id: <201311062340.rA6Ne2CD008064@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Nat Howard
Subject: Re: kern/163208: [pf] PF state key linking mismatch

The following reply was made to PR kern/163208; it has been noted by GNATS.

From: Nat Howard
To: bug-followup@FreeBSD.org, mlager@sdunix.com
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Wed, 6 Nov 2013 18:39:38 -0500

I should have mentioned that this was 9.2 release, recompiled to include
IPSEC.

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 7 08:48:33 2013
To: Rumen Telbizov
From: Ian FREISLICH
Subject: Re: PF sanity check
References: <201310270128.47766.vegeta@tuxpowered.net> <201310272303.24096.vegeta@tuxpowered.net>
Date: Thu, 07 Nov 2013 10:48:17 +0200
Cc: freebsd-pf@freebsd.org

Rumen Telbizov wrote:
> Yeah, only the number of states was my concern. On a related note what
> is the maximum number of states that you have been able to sustain and
> in what amount of memory? I know it's pretty low memory overhead but
> still. In other words how much memory per state is being consumed by
> PF? Currently I am prepared to start with 200K states and the router
> has 24GB of RAM. What is a reasonable maximum that I can expect to be
> able to handle? I am monitoring closely (nagios + graphite) those
> states as well btw.

You can increase the states hash table if you have lots of states.  I've
not managed to find a tuning guide with recommendations.

    net.pf.states_hashsize: Size of pf(4) states hashtable

We use 1048576.  The state table can grow quite large depending on your
network.  Make sure that you set options in pf.conf to prevent states
being expired prematurely.  We use:

    set timeout { \
        adaptive.start 900000, \
        adaptive.end 1800000 \
    }
    set limit states 1500000
    set limit frags 40000

Our high water mark is around 950000 states.
The router has 16GB RAM and has a full Internet routing table and we've
never run into memory issues.

    Mem: 311M Active, 759M Inact, 1936M Wired, 1647M Buf, 13G Free

Ian

-- 
Ian Freislich

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 8 13:41:57 2013
Date: Fri, 8 Nov 2013 14:41:56 +0100
Subject: FreeBSD 9.1-STABLE - pf rule being ignored
From: claudiu vasadi
To: "freebsd-pf@freebsd.org"
Hi all,

I have a 9.1-STABLE r251615 acting as a firewall.

The rules:

    block in all pass out all keep state [...] block return from !$internal_ip to $external_ip

What I want is to block all the network except $internal_ip from accessing
$external_ip. For some reason, the above rule simply does not work.
However, the below does work and blocks everyone except $internal_ip:

    block return from $internal_net/24 to $external_ip pass from $internal_ip to $external_ip

Why is this? I remember reading the docs for OpenBSD 4.5 and I guess it
should work like in the first example.

PS: Yes, I can see the rule with pfctl -sr and it does translate properly.

-- 
Best regards,
Claudiu Vasadi

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 8 14:05:56 2013
Date: Fri, 8 Nov 2013 09:05:50 -0500
From: Jason Hellenthal
Subject: Re: FreeBSD 9.1-STABLE - pf rule being ignored
To: claudiu vasadi
Cc: "freebsd-pf@freebsd.org"
X-Mailer: iPhone Mail (11B511)

Curious if your line breaks are correct? Your block and pass rule appear to
be on the same line.

This should do it . . .

    block in all
    block return in quick from !$internal_ip to $external_ip
    pass out all keep state

But if you already have a block all rule there is no need for the second, as
you're already blocking all traffic, so I might suggest this, not knowing
your topology. I also would not suggest "return" for non-internal traffic
except for specific targeted services that it might affect. . . .

    :BEGIN
    spoof on lo0
    spoof on $ext_if
    block all
    pass out quick from $me
    pass in quick from $int to $me
    :END

And that should accomplish what you are trying to do IIUC. You can use pftop
to verify packets on hit rules.

> On Nov 8, 2013, at 8:41, claudiu vasadi wrote:
> 
> Hi all,
> 
> I have a 9.1-STABLE r251615 acting as a firewall.
> 
> The rules:
> block in all pass out all keep state [...] block return from !$internal_ip
> to $external_ip
> 
> What I want is to block all the network except $internal to from accessing
> $external_ip. For some reason, the above rule simply does not work.
> However, the below does work and block everyone except $internal_ip:
> 
> block return from $internal_net/24 to $external_ip pass from $internal_ip
> to $external_ip
> 
> Why is this? I remember reading the docs for OpenBSD 4.5 and I guess it
> should work like in the first example.
> 
> PS: Yes, I can see the rule with pfctl -sr and it does translate properly.
> 
> -- 
> Best regards,
> Claudiu Vasadi
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
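The question in this thread comes down to how pf picks a rule: rules are evaluated top to bottom, the last matching rule decides, a matching rule marked `quick` ends the search at once, and a packet no rule matches is passed. The model below is an added example, not code from the thread; it understands only the subset of pf.conf syntax used in Claudiu's and Jason's rules (action, direction, `quick`, `from`/`to` with an optional `!` negation), ignores ports, interfaces and state, and uses constructed RFC 1918 / RFC 5737 addresses for the macros. Run over Claudiu's two rule sets it shows that in the first set no rule passes inbound traffic from `$internal_ip`, so `block in all` remains the last match for that host too, whereas in the second set the trailing `pass from $internal_ip to $external_ip` overrides the earlier `block` for that host only; a third, constructed set shows `quick` cutting evaluation short.

```python
"""Minimal model of pf rule evaluation: rules are checked top to bottom,
the last matching rule decides, a matching rule marked `quick` ends the
search, and a packet matched by no rule passes.  Added example, not code
from the thread.  Only the pf.conf subset used in the posted rules is
understood; ports, interfaces and state are ignored.  Macro values are
constructed.
"""
import ipaddress
from dataclasses import dataclass

MACROS = {                                   # constructed values
    "$internal_ip": "192.168.1.10",
    "$external_ip": "203.0.113.5",
    "$internal_net": "192.168.1.0",
}


@dataclass
class Rule:
    action: str        # "pass" or "block"
    direction: str     # "in", "out" or "any"
    quick: bool
    src: object        # ipaddress network, or None for any address
    src_neg: bool      # "!" before the source
    dst: object
    dst_neg: bool
    text: str          # the rule as written, for reporting

    def matches(self, direction, src_ip, dst_ip):
        if self.direction not in ("any", direction):
            return False
        return (_addr_hit(self.src, self.src_neg, src_ip)
                and _addr_hit(self.dst, self.dst_neg, dst_ip))


def _addr_hit(net, negated, ip):
    if net is None:
        return True
    return (ip in net) != negated


def _parse_addr(token):
    negated = token.startswith("!")
    token = token.lstrip("!")
    net = None if token == "any" else ipaddress.ip_network(token, strict=False)
    return net, negated


def parse_rule(text):
    expanded = text
    for name, value in MACROS.items():
        expanded = expanded.replace(name, value)
    toks = expanded.split()
    action, i = toks[0], 1
    if action not in ("pass", "block"):
        raise ValueError("unsupported action: " + action)
    if action == "block" and i < len(toks) and toks[i] in ("return", "drop"):
        i += 1                       # how the block answers; not a match criterion
    direction, quick = "any", False
    src = dst = None
    src_neg = dst_neg = False
    while i < len(toks):
        tok = toks[i]
        if tok in ("in", "out"):
            direction = tok
        elif tok == "quick":
            quick = True
        elif tok == "from":
            i += 1
            src, src_neg = _parse_addr(toks[i])
        elif tok == "to":
            i += 1
            dst, dst_neg = _parse_addr(toks[i])
        elif tok in ("all", "keep", "state"):
            pass                     # no effect on which packets match here
        else:
            raise ValueError("unsupported token: " + tok)
        i += 1
    return Rule(action, direction, quick, src, src_neg, dst, dst_neg, text)


def evaluate(rule_texts, direction, src, dst):
    """Verdict for one packet as (action, text of the deciding rule)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict = ("pass", "<no rule matched: pf default>")
    for rule in map(parse_rule, rule_texts):
        if rule.matches(direction, src_ip, dst_ip):
            verdict = (rule.action, rule.text)
            if rule.quick:
                break
    return verdict


# Claudiu's two rule sets as posted (the rules elided with "[...]" are unknown).
RULES_FIRST = [
    "block in all",
    "pass out all keep state",
    "block return from !$internal_ip to $external_ip",
]
RULES_SECOND = [
    "block in all",
    "pass out all keep state",
    "block return from $internal_net/24 to $external_ip",
    "pass from $internal_ip to $external_ip",
]
# Constructed variant: `quick` makes the pass final for that host.
RULES_QUICK = [
    "block in all",
    "pass in quick from $internal_ip to $external_ip",
    "block return in from $internal_net/24 to $external_ip",
]

if __name__ == "__main__":
    sets = (("first", RULES_FIRST), ("second", RULES_SECOND), ("quick", RULES_QUICK))
    for name, rules in sets:
        for src in ("192.168.1.10", "192.168.1.20", "198.51.100.9"):
            print(name, src, "->", evaluate(rules, "in", src, MACROS["$external_ip"]))
```

On a real box the equivalent check is `pfctl -vvsr`, which prints the rules with their evaluation counters, so you can see which rule a test packet actually ended on rather than reasoning about it by hand.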
From: Jason Hellenthal
Subject: Re: FreeBSD 9.1-STABLE - pf rule being ignored
Date: Fri, 8 Nov 2013 09:08:25 -0500
To: claudiu vasadi
Cc: freebsd-pf@freebsd.org

Should say too . . . don't forget to either skip on lo0 or pass on lo0

> On Nov 8, 2013, at 9:05, Jason Hellenthal wrote:
>
> Curious if your line breaks are correct? Your block and pass rules appear to be on the same line.
>
> This should do it . . .
>
> block in all
> block return in quick from !$internal_ip to $external_ip
> pass out all keep state
>
> But if you already have a block all rule there is no need for the second, as you're already blocking all traffic, so I might suggest this, not knowing your topology.
>
> I also would not suggest "return" for non-internal traffic except for specific targeted services that it might affect.
> . . .
> :BEGIN
>
> spoof on lo0
> spoof on $ext_if
>
> block all
> pass out quick from $me
> pass in quick from $int to $me
>
> :END
>
> And that should accomplish what you are trying to do IIUC.
>
> You can use pftop to verify packets on hit rules.
>
>> On Nov 8, 2013, at 8:41, claudiu vasadi wrote:
>>
>> Hi all,
>>
>> I have a 9.1-STABLE r251615 acting as a firewall.
>>
>> The rules:
>> block in all pass out all keep state [...] block return from !$internal_ip
>> to $external_ip
>>
>> What I want is to block all the network except $internal from accessing
>> $external_ip. For some reason, the above rule simply does not work.
>> However, the below does work and blocks everyone except $internal_ip:
>>
>> block return from $internal_net/24 to $external_ip pass from $internal_ip
>> to $external_ip
>>
>> Why is this? I remember reading the docs for OpenBSD 4.5 and I guess it
>> should work like in the first example.
>>
>> PS: Yes, I can see the rule with pfctl -sr and it does translate properly.
>>
>> --
>> Best regards,
>> Claudiu Vasadi
From: claudiu vasadi
Subject: Re: FreeBSD 9.1-STABLE - pf rule being ignored
Date: Fri, 8 Nov 2013 16:12:08 +0100
To: Jason Hellenthal
Cc: freebsd-pf@freebsd.org

>> And that should accomplish what you are trying to do IIUC.

I already accomplished what I wanted. I'm simply trying to understand why I had to go about it this way.

lo0 already has a skip on it.

On Fri, Nov 8, 2013 at 3:08 PM, Jason Hellenthal wrote:
> Should say too . . . don't forget to either skip on lo0 or pass on lo0
>
> > On Nov 8, 2013, at 9:05, Jason Hellenthal wrote:
> >
> > Curious if your line breaks are correct? Your block and pass rules appear to be on the same line.
> >
> > This should do it . . .
> >
> > block in all
> > block return in quick from !$internal_ip to $external_ip
> > pass out all keep state
> >
> > But if you already have a block all rule there is no need for the second, as you're already blocking all traffic, so I might suggest this, not knowing your topology.
> >
> > I also would not suggest "return" for non-internal traffic except for specific targeted services that it might affect.
> > . . .
> > :BEGIN
> >
> > spoof on lo0
> > spoof on $ext_if
> >
> > block all
> > pass out quick from $me
> > pass in quick from $int to $me
> >
> > :END
> >
> > And that should accomplish what you are trying to do IIUC.
> >
> > You can use pftop to verify packets on hit rules.
> >
> >> On Nov 8, 2013, at 8:41, claudiu vasadi wrote:
> >>
> >> Hi all,
> >>
> >> I have a 9.1-STABLE r251615 acting as a firewall.
> >>
> >> The rules:
> >> block in all pass out all keep state [...] block return from !$internal_ip
> >> to $external_ip
> >>
> >> What I want is to block all the network except $internal from accessing
> >> $external_ip. For some reason, the above rule simply does not work.
> >> However, the below does work and blocks everyone except $internal_ip:
> >>
> >> block return from $internal_net/24 to $external_ip pass from $internal_ip
> >> to $external_ip
> >>
> >> Why is this? I remember reading the docs for OpenBSD 4.5 and I guess it
> >> should work like in the first example.
> >>
> >> PS: Yes, I can see the rule with pfctl -sr and it does translate properly.
> >>
> >> --
> >> Best regards,
> >> Claudiu Vasadi

--
Best regards,
Claudiu Vasadi
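Jason's suggested ruleset from his two replies above (the :BEGIN/:END block plus the "skip on lo0" he adds in the second message), written out as one complete pf.conf. This is an added example, not a file from the thread, from either poster or from FreeBSD: the interface name and the addresses behind $me and $int are constructed placeholders from the RFC 5737 documentation ranges, and the "spoof on" lines are written with pf's actual keyword, antispoof.

```conf
# Added example: Jason's suggested ruleset as a complete pf.conf.
# Interface name and addresses are constructed placeholders (RFC 5737 ranges);
# substitute your own.
ext_if = "em0"
me     = "203.0.113.10"     # the firewall's own external address ($external_ip in the thread)
int    = "192.0.2.0/24"     # the internal network allowed to reach $me

# Options come before filter rules. Skip pf on loopback entirely; this is the
# "skip on lo0" from the second reply (the original poster already has it).
set skip on lo0

# pf's keyword for the "spoof on" lines is antispoof: block packets that claim a
# source address in $ext_if's network but arrive on another interface, or that
# claim $ext_if's own address.
antispoof quick for $ext_if

# Default deny, silently (no "return"), in both directions.
block all

# The firewall itself may talk out. "quick" ends evaluation at this rule, so
# no later rule can override the decision.
pass out quick from $me keep state

# Only the internal network may reach the firewall's address. Nothing here uses
# a negated (!) address: any source not matched by this rule falls through to
# "block all" above, which is the effect the original poster wanted.
pass in quick from $int to $me keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it (parse only, nothing is changed), then `pfctl -vsr` to see the rules as pf expanded them together with their match counters, which is the same check Jason points at with pftop and the original poster did with `pfctl -sr`. On FreeBSD 9.x pf, pass rules keep state by default, so the explicit `keep state` is there only to make the behaviour visible.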