From owner-freebsd-pf@FreeBSD.ORG Sun Dec 22 18:04:50 2013
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B98E36A8 for ; Sun, 22 Dec 2013 18:04:50 +0000 (UTC)
Received: from sam.nabble.com (sam.nabble.com [216.139.236.26]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 9952F1E61 for ; Sun, 22 Dec 2013 18:04:50 +0000 (UTC)
Received: from [192.168.236.26] (helo=sam.nabble.com) by sam.nabble.com with esmtp (Exim 4.72) (envelope-from ) id 1VunOR-00033B-Uy for freebsd-pf@freebsd.org; Sun, 22 Dec 2013 10:04:47 -0800
Date: Sun, 22 Dec 2013 10:04:47 -0800 (PST)
From: Beeblebrox
To: freebsd-pf@freebsd.org
Message-ID: <1387735487942-5870782.post@n5.nabble.com>
In-Reply-To: <52B5B556.3070209@innolan.dk>
References: <1387383838536-5869777.post@n5.nabble.com> <52B4463F.3080900@innolan.dk> <1387553794487-5870320.post@n5.nabble.com> <52B5B556.3070209@innolan.dk>
Subject: Re: NAT & RDR rules for jailed proxy services
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Sun, 22 Dec 2013 18:04:50 -0000

Hi Carsten,

Thanks very much for your ideas & input. I have it working mostly as you advised. Nat rules:

    nat on $ExtIf proto {tcp,udp} from $jdns to $JaIf port 443 tag NAT_DNS -> $ExtIf   # I use dnscrypt-proxy
    nat on $ExtIf proto {tcp,udp} from $jprvx to $JaIf port {80,443} tag NAT_PRVX -> $ExtIf
    nat on $ExtIf from any to !($ExtIf) -> $ExtIf

I don't have to use different ports, it works as is.
Tagging does help distinguish between "same port, different jail" (for port 443 as example).

That said, I seem to have run into a strange filter rule problem. I aim to block all ports that each jail is not using. Partial filter rules:

    block drop log (all) on $ExtIf
    block drop log (all) on $JaIf
    ##_PRIVOXY
    pass in quick on $JaIf proto tcp from any to $jprvx port 8118
    pass out quick on {$JaIf,$ExtIf} inet tagged NAT_PRVX $TcpState $OpenSTO

The strangeness: When I comment out the block code (rules lines 1 & 2 above), the privoxy jail stops working. tcpdump shows:

    1387731935.321882 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55548 > 192.168.2.99.8118: Flags [S], seq 1465289666, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
    1387731935.321927 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55549 > 192.168.2.99.8118: Flags [S], seq 650179452, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
    1387731935.322052 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55550 > 192.168.2.99.8118: Flags [S], seq 1328782560, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
    1387731935.322084 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55551 > 192.168.2.99.8118: Flags [S], seq 3999782183, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0

Is the problem with the port that privoxy is using, or do I need to allow some other pass rule for each jail (like jail's lo0 must be able to pass to :8118)?

>> Also add scrub to ensure no packet fragmentation. This is needed for pf
>> to work.

I have a bunch of code I have omitted so as to keep the messages short.

Thanks and Regards.
-----
FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS
--
View this message in context: http://freebsd.1045724.n5.nabble.com/NAT-RDR-rules-for-jailed-proxy-services-tp5869777p5870782.html
Sent from the freebsd-pf mailing list archive at Nabble.com.

From owner-freebsd-pf@FreeBSD.ORG Sun Dec 22 18:56:24 2013
Date: Mon, 23 Dec 2013 07:56:02 +1300
From: Berend de Boer
To: freebsd-pf@freebsd.org
Subject: Network severely unstable 10.0-PRERELEASE
Message-ID: <87sitku33x.wl%berend@pobox.com>
Organization: Xplain Technology Ltd
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM/1.14.9 (Gojō) APEL/10.8 EasyPG/1.0.0 Emacs/24.3 (i686-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO)
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"

Hi All,

pf has not worked well for me after version 8. Certain rules crash the kernel (http://www.freebsd.org/cgi/query-pr.cgi?pr=misc/182141). Avoiding these rules gave me something that at least kept the system alive on a 10-CURRENT.

But since the RC versions my system stays up for only a few days, before I need a reboot as network connectivity gets reset.

It's the modem (pppoe), every few minutes all tcp (?) connections get dropped somehow. A reboot fixes it for a week or so.

I have no clue how to debug this.
But I'm getting pretty scared of pf, and going back to ipfw might seem best.

What are people's thoughts on pf in FreeBSD, does it have a future? Are there people working on pf? Should I simply forget about it, and go back to ipfw?

--
All the best,

Berend de Boer

From owner-freebsd-pf@FreeBSD.ORG Sun Dec 22 20:06:26 2013
Date: Sun, 22 Dec 2013 21:50:30 +0200
From: wishmaster
To: Berend de Boer
Cc: freebsd-pf@freebsd.org
Subject: Re: Network severely unstable 10.0-PRERELEASE
Message-Id: <1387740798.766930858.eawg47i5@frv34.ukr.net>
In-Reply-To: <87sitku33x.wl%berend@pobox.com>
References: <87sitku33x.wl%berend@pobox.com>

--- Original message ---
From: "Berend de Boer"
Date: 22 December 2013, 20:56:35

> Hi All,
>
> pf has not worked well for me after version 8. Certain rules crash the
> kernel
> (http://www.freebsd.org/cgi/query-pr.cgi?pr=misc/182141). Avoiding
> these rules gave me something that at least kept the system alive on a
> 10-CURRENT.
>
> But since the RC versions my system stays up for only a few days,
> before I need a reboot as network connectivity gets reset.
>
> It's the modem (pppoe), every few minutes all tcp (?) connections get
> dropped somehow. A reboot fixes it for a week or so.
>
> I have no clue how to debug this.
>
> But I'm getting pretty scared of pf, and going back to ipfw might seem
> best.
>
> What are people's thoughts on pf in FreeBSD, does it have a future?
> Are there people working on pf? Should I simply forget about it, and
> go back to ipfw?
>

It's just my IMHO and experience. Pf in 10 is good, especially in performance context (thx glebius@) but, unfortunately, yes, you should forget about pf if you are planning to use not only firewalling but shaper/prioritization too, due to poor performance/flexibility of ALTQ, especially in case of complex network topologies. Or you can use OpenBSD with the new "prio" queueing mechanism.

Cheers,
w

From owner-freebsd-pf@FreeBSD.ORG Sun Dec 22 20:34:50 2013
Date: Sun, 22 Dec 2013 12:34:48 -0800 (PST)
From: Beeblebrox
To: freebsd-pf@freebsd.org
Subject: Re: NAT & RDR rules for jailed proxy services
Message-ID: <1387744488896-5870809.post@n5.nabble.com>
In-Reply-To: <1387735487942-5870782.post@n5.nabble.com>
References: <1387383838536-5869777.post@n5.nabble.com> <52B4463F.3080900@innolan.dk> <1387553794487-5870320.post@n5.nabble.com> <52B5B556.3070209@innolan.dk> <1387735487942-5870782.post@n5.nabble.com>

The privoxy response is incredibly slow, some pages won't even load. Is this a pf configuration problem? When I used privoxy on host it was not this slow. Here's my full pf.conf: https://docs.google.com/document/d/124ByEsDssH-1rcD68_haSfu2KjlGwIJipnck0KEf45M/edit?usp=sharing

-----
FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS
--
View this message in context: http://freebsd.1045724.n5.nabble.com/NAT-RDR-rules-for-jailed-proxy-services-tp5869777p5870809.html
Sent from the freebsd-pf mailing list archive at Nabble.com.
From owner-freebsd-pf@FreeBSD.ORG Sun Dec 22 22:21:30 2013
Date: Sun, 22 Dec 2013 14:21:27 -0800
From: "AMPU"
To: freebsd-pf@freebsd.org
Subject: Community & educational development
Message-ID: <1387748212eeda776f2d5c6abb3a0bd8bfd150e08e_@intbcst.info>

PRESS RELEASE

The Federal Grants and Loans Directory is now available. Our new and revised 2014 edition contains more than 2800 financial programs, subsidies, scholarships, grants and loans offered by the US federal government. In addition you will also have access to over 2400 programs funded by private corporations and foundations. That is over 5200 programs available through various sources of financial providing organizations.

NEW: You will also have access to our live Database that is updated on a daily basis. This product also provides daily email alerts as programs are announced. The Database is also available with IP recognition. This allows you to login without a username or password (Great for libraries or educational institutions who want their users to access the database).

Businesses, students, researchers, scientists, teachers, doctors, private individuals, municipalities, government departments, educational institutions, law enforcement agencies, nonprofits, foundations and associations will find a wealth of information that will help them with their new ventures or existing projects.

The document is a fully searchable PDF file for easy access to your particular needs and interests. Simply enter your keywords to search through the publication. It is the perfect tool for libraries and educational institutions to use as a reference guide for students who require funds to pursue their education.

Contents of the Directory:
-Web link to program announcement page
-Web link to Federal agency or foundation administering the program
-Authorization upon which a program is based
-Objectives and goals of the program
-Types of financial assistance offered under a program
-Uses and restrictions placed upon a program
-Eligibility requirements
-Application and award process
-Regulations, guidelines and literature relevant to a program
-Information contacts at the headquarters, regional, and local offices
-Programs that are related based upon program objectives and uses

Programs in the Catalog provide a wide range of benefits and services for categories such as:
Agriculture
Business and Commerce
Community Development
Consumer Protection
Cultural Affairs
Disaster Prevention and Relief
Education
Employment, Labor and Training
Energy
Environmental Quality
Food and Nutrition
Health
Housing
Income Security and Social Services
Information and Statistics
Law, Justice, and Legal Services
Natural Resources
Regional Development
Science and Technology
Transportation

CD version: $69.95
Printed version: $149.95

To order please call: 1 (866) 645-1051

Please do not reply to the sender's email address as this address is only for outgoing mail. If you do not wish to receive information from us in the future please reply here: rem@rembcst.com

This is a CANSPAM ACT compliant advertising broadcast sent by: AMPU, 4044 W. Lake Mary Blvd., Unit # 104-221, Lake Mary, FL, 32746-2012

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 23 11:06:52 2013
Date: Mon, 23 Dec 2013 11:06:51 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-Id: <201312231106.rBNB6pU5030090@freefall.freebsd.org>

Note: to view an individual PR, use:
http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/182401  pf    [pf] pf state for some IPs reaches 4294967295 suspicou
o kern/182350  pf    [pf] core dump with packet filter -- pf_overlad_task
o kern/179392  pf    [pf] [ip6] Incorrect TCP checksums in rdr return packe
o kern/177810  pf    [pf] traffic dropped by accepting rules is not counted
o kern/177808  pf    [pf] [patch] route-to rule forwarding traffic inspite
o kern/176268  pf    [pf] [patch] synproxy not working with route-to
o kern/173659  pf    [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf    [patch] authpf(8) feature enhancement
o kern/172648  pf    [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf    [pf] PF problem with modulate state in [regression]
o kern/169630  pf    [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf    [pf] direction scrub rules don't work
o kern/168190  pf    [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf    [pf] kern.securelevel 3 +pf reload
o kern/165315  pf    [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf    [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf    [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf    [pf] PF state key linking mismatch
o kern/160370  pf    [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf    [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf    [pf] Bug with PF firewall
o kern/148290  pf    [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf    [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf    [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o conf/142817  pf    [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/87074   pf    [pf] pf does not log dropped packets when max-* statef
a kern/86752   pf    [pf] pf does not use default timeouts when reloading c
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

56 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 24 11:38:05 2013
Date: Tue, 24 Dec 2013 19:37:50 +0800
From: Carsten Larsen
To: Beeblebrox
Cc: freebsd-pf@freebsd.org
Subject: Re: NAT & RDR rules for jailed proxy services
Message-ID: <52B9720E.1090304@innolan.dk>
In-Reply-To: <1387735487942-5870782.post@n5.nabble.com>
References: <1387383838536-5869777.post@n5.nabble.com> <52B4463F.3080900@innolan.dk> <1387553794487-5870320.post@n5.nabble.com> <52B5B556.3070209@innolan.dk> <1387735487942-5870782.post@n5.nabble.com>

Hi Beeblebrox,

I took a look at your configuration on
google docs and I must say it is a rather complex strategy you have chosen. I won't try to fix your configuration but instead give some general advice based on my own experience.

-> Instead of relying heavily on nat and redirect rules try to use routing between your addresses. This would work just by allowing routing in the kernel. Examine routing tables using netstat -rn.

-> Use the tool pftop accessible from the ports collection and examine the state table. This usually gives an indication of where to look for the missing responses. It will also show you which IP is being used as gateway while doing NAT.

-> Verify your rules look as expected with 'pfctl -s rules' and 'pfctl -s nat'.

-> Be sure you understand how filtering works. I would recommend to read the online tutorials by Peter N. M. Hansteen at http://home.nuug.no/~peter/pf/en/

-> If you really want to dig deep buy the "Book of PF". I read it myself and it helped a lot to understand the possibilities but also the constraints of pf. The book does not specifically treat the subject of jails though.

Good luck with the rules (and merry Christmas)

Carsten Larsen

--- Beeblebrox wrote:
> Hi Carsten,
> Thanks very much for your ideas & input. I have it working mostly as you
> advised. Nat rules:
> nat on $ExtIf proto {tcp,udp} from $jdns to $JaIf port 443 tag NAT_DNS -> $ExtIf # I use dnscrypt-proxy
> nat on $ExtIf proto {tcp,udp} from $jprvx to $JaIf port {80,443} tag NAT_PRVX -> $ExtIf
> nat on $ExtIf from any to !($ExtIf) -> $ExtIf
> I don't have to use different ports, it works as is. Tagging does help
> distinguish between "same port, different jail" (for port 443 as example).
>
> That said, I seem to have run into a strange filter rule problem. I aim to
> block all ports that each jail is not using.
> Partial filter rules:
> block drop log (all) on $ExtIf
> block drop log (all) on $JaIf
> ##_PRIVOXY
> pass in quick on $JaIf proto tcp from any to $jprvx port 8118
> pass out quick on {$JaIf,$ExtIf} inet tagged NAT_PRVX $TcpState $OpenSTO
>
> The strangeness: When I comment out the block code (rules lines 1 & 2
> above), the privoxy jail stops working. tcpdump shows:
> 1387731935.321882 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55548 > 192.168.2.99.8118: Flags [S], seq 1465289666, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
> 1387731935.321927 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55549 > 192.168.2.99.8118: Flags [S], seq 650179452, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
> 1387731935.322052 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55550 > 192.168.2.99.8118: Flags [S], seq 1328782560, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
> 1387731935.322084 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55551 > 192.168.2.99.8118: Flags [S], seq 3999782183, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
>
> Is the problem with the port that privoxy is using, or do I need to allow
> some other pass rule for each jail (like jail's lo0 must be able to pass to
> :8118)?
>
>>> Also add scrub to ensure no packet fragmentation. This is needed for pf
>>> to work.
> I have a bunch of code I have omitted so as to keep the messages short.
>
> Thanks and Regards.
>
> -----
> FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS
> --
> View this message in context: http://freebsd.1045724.n5.nabble.com/NAT-RDR-rules-for-jailed-proxy-services-tp5869777p5870782.html
> Sent from the freebsd-pf mailing list archive at Nabble.com.
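An added example, not code from anyone in the thread or from FreeBSD, that does mechanically what Carsten's advice above asks for by hand: it parses pflog records of the shape Beeblebrox posted (as tcpdump -n -e -tt -i pflog0 prints them), counts the blocked flows per rule, direction, interface and destination port, and checks a hand-transcribed model of the quoted filter rules for a pass rule in the direction pf actually logged. In the posted lines every drop is in the out direction on lo2, while the only untagged pass rule for port 8118 in the quoted snippet is a pass in; pf evaluates each direction on each interface separately, so that mismatch is what the check surfaces. Assumptions: $JaIf is lo2 and $jprvx is 192.168.2.99 (read off the log), ext0 is a placeholder for $ExtIf, the fifth log line and its rule number are constructed, and the rule model ignores quick/last-match ordering, tags, state and anything that is not TCP over IPv4.

```python
"""Triage pflog output against a small model of a pf ruleset.

Added example for this thread; not code from the posters or from FreeBSD.
Parses tcpdump pflog lines of the shape quoted above, counts blocked packets
per rule/direction/interface/destination port, and reports whether a pass
rule covers each blocked flow in the logged direction.  The rule model ignores
quick/last-match ordering, tags, state and non-TCP/IPv4 traffic: assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass, replace

# "TS rule N[.anchor.M]/R(reason): ACTION DIR on IFACE: SRC.SPORT > DST.DPORT: ..."
PFLOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) rule (?P<rule>\d+)(?:\.[\w-]*\.\d+)?/\d+\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

@dataclass(frozen=True)
class Packet:
    rule: int
    action: str
    direction: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    """direction 'any', empty ifaces/dports and dst 'any' act as wildcards."""
    action: str
    direction: str = "any"
    ifaces: frozenset = frozenset()
    dst: str = "any"
    dports: frozenset = frozenset()

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and (not self.ifaces or p.iface in self.ifaces)
                and self.dst in ("any", p.dst)
                and (not self.dports or p.dport in self.dports))

def parse_pflog(lines: list[str]) -> list[Packet]:
    """Parse tcpdump pflog lines; anything not IPv4/TCP in this shape is skipped."""
    pkts = []
    for line in lines:
        m = PFLOG_RE.match(line.strip())
        if m:
            pkts.append(Packet(int(m["rule"]), m["action"], m["dir"], m["iface"],
                               m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return pkts

def blocked_flows(packets: list[Packet]) -> Counter:
    """Count blocked packets per (rule, direction, iface, dst, dport)."""
    return Counter((p.rule, p.direction, p.iface, p.dst, p.dport)
                   for p in packets if p.action == "block")

def pass_coverage(packets: list[Packet], rules: list[Rule]) -> dict:
    """Per distinct blocked flow: 'covered', 'pass only in opposite direction'
    or 'no pass rule'.  pf filters each direction on each interface on its own,
    so a pass in never admits the out half of a loopback round trip."""
    verdicts = {}
    for p in packets:
        key = (p.direction, p.iface, p.dst, p.dport)
        if p.action != "block" or key in verdicts:
            continue
        flipped = replace(p, direction="in" if p.direction == "out" else "out")
        same = any(r.action == "pass" and r.matches(p) for r in rules)
        other = any(r.action == "pass" and r.matches(flipped) for r in rules)
        verdicts[key] = ("covered" if same else
                         "pass only in opposite direction" if other else "no pass rule")
    return verdicts

# Macro values read off the log ($JaIf, $jprvx); ext0 is a placeholder for $ExtIf.
JAIL_IF, PRIVOXY_IP, EXT_IF = "lo2", "192.168.2.99", "ext0"

# Model of the quoted filter rules.  "pass out ... tagged NAT_PRVX" is left out on
# purpose: the tag is set by a nat rule on $ExtIf, so a flow that never leaves lo2
# carries no tag and cannot match it.
POSTED_RULES = [
    Rule("block", ifaces=frozenset({EXT_IF})),   # block drop log (all) on $ExtIf
    Rule("block", ifaces=frozenset({JAIL_IF})),  # block drop log (all) on $JaIf
    Rule("pass", "in", frozenset({JAIL_IF}), PRIVOXY_IP, frozenset({8118})),
]

# Lines 1-4 are the ones posted in the thread; line 5 is constructed (made-up
# rule number) so the parser is exercised on a pass record as well.
SAMPLE_LOG = """\
1387731935.321882 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55548 > 192.168.2.99.8118: Flags [S], seq 1465289666, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
1387731935.321927 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55549 > 192.168.2.99.8118: Flags [S], seq 650179452, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
1387731935.322052 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55550 > 192.168.2.99.8118: Flags [S], seq 1328782560, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
1387731935.322084 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55551 > 192.168.2.99.8118: Flags [S], seq 3999782183, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
1387731936.000000 rule 14/0(match): pass in on lo2: 192.168.2.99.55552 > 192.168.2.99.8118: Flags [S], seq 1, win 65535, length 0
""".splitlines()

if __name__ == "__main__":
    pkts = parse_pflog(SAMPLE_LOG)
    print(dict(blocked_flows(pkts)), pass_coverage(pkts, POSTED_RULES))
```

Run as-is it reports a single blocked flow, (out, lo2, 192.168.2.99, 8118), hit four times by rule 13, with a pass rule only in the opposite direction. On a live host, feed it the output of tcpdump -n -e -tt -l -i pflog0 and transcribe the rule model from pfctl -vvsr, whose @N prefixes are the rule numbers pflog reports; whether an extra pass out on $JaIf should be limited to the jail's own address and port is a decision for the ruleset, not for this script.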
> _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > From owner-freebsd-pf@FreeBSD.ORG Wed Dec 25 13:27:57 2013 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A851A44D for ; Wed, 25 Dec 2013 13:27:57 +0000 (UTC) Received: from cell.glebius.int.ru (glebius.int.ru [81.19.69.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 30E231633 for ; Wed, 25 Dec 2013 13:27:55 +0000 (UTC) Received: from cell.glebius.int.ru (localhost [127.0.0.1]) by cell.glebius.int.ru (8.14.7/8.14.7) with ESMTP id rBPDRr7O008226 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 25 Dec 2013 17:27:53 +0400 (MSK) (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by cell.glebius.int.ru (8.14.7/8.14.7/Submit) id rBPDRqeq008225; Wed, 25 Dec 2013 17:27:52 +0400 (MSK) (envelope-from glebius@FreeBSD.org) X-Authentication-Warning: cell.glebius.int.ru: glebius set sender to glebius@FreeBSD.org using -f Date: Wed, 25 Dec 2013 17:27:52 +0400 From: Gleb Smirnoff To: Berend de Boer Subject: Re: Network severely unstable 10.0-PRERELEASE Message-ID: <20131225132752.GK71033@FreeBSD.org> References: <87sitku33x.wl%berend@pobox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87sitku33x.wl%berend@pobox.com> User-Agent: Mutt/1.5.22 (2013-10-16) Cc: freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , 
List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Dec 2013 13:27:57 -0000 On Mon, Dec 23, 2013 at 07:56:02AM +1300, Berend de Boer wrote: B> pf has not worked well for me after version 8. Certain rules crash the B> kernel B> (http://www.freebsd.org/cgi/query-pr.cgi?pr=misc/182141). Avoiding B> these rules gave me something that at least kept the system alive on a B> 10-CURRENT. Does the system panic the same way as described in misc/182141) on 10.0? If it does, I'm willing to debug that. -- Totus tuus, Glebius. From owner-freebsd-pf@FreeBSD.ORG Wed Dec 25 18:10:56 2013 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id EF6A0D30 for ; Wed, 25 Dec 2013 18:10:56 +0000 (UTC) Received: from relay.ibs.dn.ua (relay.ibs.dn.ua [91.216.196.25]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 710AD17F0 for ; Wed, 25 Dec 2013 18:10:55 +0000 (UTC) Received: from ibs.dn.ua (relay.ibs.dn.ua [91.216.196.25]) by relay.ibs.dn.ua with ESMTP id rBPI9ohx021788 for ; Wed, 25 Dec 2013 20:09:51 +0200 (EET) Message-ID: <20131225200950.21787@relay.ibs.dn.ua> Date: Wed, 25 Dec 2013 20:09:50 +0200 From: "Zeus Panchenko" To: cc: Subject: nat before ipsec ... Organization: I.B.S. 
LLC X-Mailer: MH-E 8.3.1; GNU Mailutils 2.99.98; GNU Emacs 24.0.93 X-Face: &sReWXo3Iwtqql1[My(t1Gkx; y?KF@KF`4X+'9Cs@PtK^y%}^.>Mtbpyz6U=,Op:KPOT.uG )Nvx`=er!l?WASh7KeaGhga"1[&yz$_7ir'cVp7o%CGbJ/V)j/=]vzvvcqcZkf; JDurQG6wTg+?/xA go`}1.Ze//K; Fk&/&OoHd'[b7iGt2UO>o(YskCT[_D)kh4!yY'<&:yt+zM=A`@`~9U+P[qS:f; #9z~ Or/Bo#N-'S'!'[3Wog'ADkyMqmGDvga?WW)qd=?)`Y&k=o}>!ST\ MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list Reply-To: Zeus Panchenko List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Dec 2013 18:10:57 -0000 =2D----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 hi, please, may somebody help with the subj? is it possible at all on FreeBSD with pf? I need to binat some of my LAN (network A) ip addresses to some of secure communication addresses (network B) for, behind IPSec network C, access target <-> world <--> em0 - freebsd - vlanA <--> LAN ^ ^ net A | | +- netC -.-.-.-.- IPSec -.-.-.-.- net B -+ when I land some B network address on freebsd box, than everything from that address works but, when I try to bi/nat some network A address to some network B address, it is not in pf.conf I try this: binat on vlanA from A1 to C3 -> B2 where: A1 is some address from net A B2 is some address from net B C3 is some address from net C I can see incoming packets from A1 to C3 on interface vlanA, but after that, packets "disappears", I can not find them any other interface and no return packets as far as I know I need "nat before vpn" ... but I was not able to find how to do that ... can I do that with pf on freebsd? I run FreeBSD 9.2-PRERELEASE #6 r255856: amd64 with system pf please, help me understand what am I missing ... =2D --=20 Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. 
LLC GMT+2 (EET) =2D----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (FreeBSD) iEYEARECAAYFAlK7H24ACgkQr3jpPg/3oypenQCeI6R+2lILmP0UxDT273T1S8nU 078AoJ3n1NRfU4L0pSrOKSDYovMpbIRF =3D2FPq =2D----END PGP SIGNATURE----- From owner-freebsd-pf@FreeBSD.ORG Wed Dec 25 19:33:05 2013 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 459F1B28; Wed, 25 Dec 2013 19:33:05 +0000 (UTC) Received: from sasl.smtp.pobox.com (a-pb-sasl-quonix.pobox.com [208.72.237.25]) by mx1.freebsd.org (Postfix) with ESMTP id 014721DC8; Wed, 25 Dec 2013 19:33:04 +0000 (UTC) Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTP id 839E4EC19; Wed, 25 Dec 2013 14:32:56 -0500 (EST) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=date :message-id:from:to:cc:subject:in-reply-to:references :mime-version:content-type:content-transfer-encoding; s=sasl; bh=68+1l5qWDZ/Oz6oVDaJ2YYjNiOw=; b=i8QA/CE/zoe/Ej5LaKjdWOLpgpV2 UMCXtsDvH983t7NL2JdRqhKGwX5uClr7eMGj5J8w2wcBffP+oO2E5+BdZvDw6L39 ii8J5KQY2MgTryEe9McMHrMctOt0tB5PWbCfFqBuY4YVm4xGuxFryyvAgxQ84dlB cPQ+PHmMN5Fz7+c= DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=date:message-id :from:to:cc:subject:in-reply-to:references:mime-version :content-type:content-transfer-encoding; q=dns; s=sasl; b=cCVf9C mCu0aNVyDaNu+2oYIdaYeeP2j3RqHOQ3YoCbIKk+WqAsJ76TnfZmHHYHDkzPS0JY WtImSF1FbppFQ9YcVVJd6UJ6EUGfl0S11eeozc4Vpr8yUzSJgZ+BuO5T8ouR0RSn j8rUSCWvGS4VQS3O8WR3iG68mE9JSi6OAZwy4= Received: from a-pb-sasl-quonix.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTP id 7D115EC18; Wed, 25 Dec 2013 14:32:56 -0500 (EST) Received: from bmach.nederware.nl (unknown [27.252.91.222]) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTPA id E8FB8EC17; Wed, 25 Dec 2013 14:32:55 
-0500 (EST) Received: from quadrio.nederware.nl (quadrio.nederware.nl [192.168.33.13]) by bmach.nederware.nl (Postfix) with ESMTP id 4932B22920; Thu, 26 Dec 2013 08:32:54 +1300 (NZDT) Received: from quadrio.nederware.nl (quadrio.nederware.nl [127.0.0.1]) by quadrio.nederware.nl (Postfix) with ESMTP id C15FA4A11CDC; Thu, 26 Dec 2013 08:32:53 +1300 (NZDT) Date: Thu, 26 Dec 2013 08:32:53 +1300 Message-ID: <877gasu3oa.wl%berend@pobox.com> From: Berend de Boer To: Gleb Smirnoff Subject: Re: Network severely unstable 10.0-PRERELEASE In-Reply-To: <20131225132752.GK71033@FreeBSD.org> References: <87sitku33x.wl%berend@pobox.com> <20131225132752.GK71033@FreeBSD.org> User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL/10.8 EasyPG/1.0.0 Emacs/24.3 (i686-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO) Organization: Xplain Technology Ltd MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue") Content-Type: multipart/signed; boundary="pgp-sign-Multipart_Thu_Dec_26_08:32:53_2013-1"; micalg=pgp-sha256; protocol="application/pgp-signature" Content-Transfer-Encoding: 7bit X-Pobox-Relay-ID: 5AA899DE-6D9B-11E3-AA6F-873F0E5B5709-48001098!a-pb-sasl-quonix.pobox.com Cc: freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Dec 2013 19:33:05 -0000 --pgp-sign-Multipart_Thu_Dec_26_08:32:53_2013-1 Content-Type: text/plain; charset=US-ASCII >>>>> "Gleb" == Gleb Smirnoff writes: Gleb> Does the system panic the same way as described in Gleb> misc/182141) on 10.0? Indeed, no change. Purely a kernel issue. Repeatable since FreeBSD 9.x, across 10.x, across 32-bit and 64-bit. There's a related issue: http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/182557 Let me know if you need anything else from me. 
I've just grabbed the latest FreeBSD 10 sources, and recompiling now. Next Monday I'm able to enable the bug triggering keyword again (not now, all the family is here and wants a stable network :-) ). -- All the best, Berend de Boer --pgp-sign-Multipart_Thu_Dec_26_08:32:53_2013-1 Content-Type: application/pgp-signature Content-Transfer-Encoding: 7bit Content-Description: OpenPGP Digital Signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (GNU/Linux) iQIcBAABCAAGBQJSuzLlAAoJEKOfeD48G3g5BZkP/2s5xF7izAqDviuldYbVyCdW lavCkAi+EYoIu1KP7CBauVLSeloonljCVfRJ2XjlcHrNANRDZQg1D+lMgorrst9Z NAfia/BtX5RHn+d80TnyE/TE4o5fJBORhZlwXcJLI/O6xe6jF6p24RJnWiTpwLXs wbkqIlHBTln1v7tQSV4bCQrvcpsknUy2iE4M238g/oCgTWgE6FTjSlMEgDLk21+r vHl/8MGN1QvJBQcFBy2FWnTHiABIg9dm6PkAq5OglGvafhz0fxvLHqAuuAlgC3lc CoBVCsSIzN6A5Y2UiuBkZRngEXJasUNv5IoLX9l9Iovgjh9bzTjuP30Qle0nic8C VvqwhIZ0y6cYfKqa4Z+PJfGIU+OdzZpbmD/hIVT6JOn0ONc1hEbYDRjK2DioLjAx Tdpd7HicKUW5zeQyi7MMaJvWLBpPsxTqFxaIvFfvBgkuUszdaa1yQMzpO5K2Voee UjpAGcvmeEoP4RiiJ1cy72ml6DhfPVdaCOCL136y72M6UM08i/mI3ITQ2Aol7EOO YCyc1BKSKsK3rKsT5w3e6jfSXd64NRVLwbeZuQSDBnxtqRPlYdGVdJXrmuk9otSu U8qFZwugZ9hkvtLmj/WDL40MwXLNLxn7pJPQ7/glQTPQrU9LovppnJZXuouWpQOO WqEHGb3GkICpo5netBt2 =z8kT -----END PGP SIGNATURE----- --pgp-sign-Multipart_Thu_Dec_26_08:32:53_2013-1-- From owner-freebsd-pf@FreeBSD.ORG Wed Dec 25 20:16:52 2013 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id BE6E29C for ; Wed, 25 Dec 2013 20:16:51 +0000 (UTC) Received: from frv190.fwdcdn.com (frv190.fwdcdn.com [212.42.77.190]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 98740103B for ; Wed, 25 Dec 2013 20:16:51 +0000 (UTC) Received: from [10.10.1.23] (helo=frv199.fwdcdn.com) by frv190.fwdcdn.com 
with esmtp ID 1Vvusr-0002Yu-Hs for freebsd-pf@freebsd.org; Wed, 25 Dec 2013 22:16:49 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ukr.net; s=ffe; h=Content-Transfer-Encoding:Content-Type:MIME-Version:References:In-Reply-To:Message-Id:Cc:To:Subject:From:Date; bh=Ub7ObD6Co45HOrk+Zv5D0GSJkZpx/CevqLqWlx7aARs=; b=FxxDxG0t4ORNVm7UfYPsRTdZUsfDC1+8pEuoxuuiusqRQnbKETvjaR4pxIClFDmb7kaACxRmV3KSfCWSEcLMYrf7n/FxccI9nRyKpS6r3VxaQjY/n6QoR0eRXNaDS3a0FafA61zQszMXqBxbItVanebYkF5TkBBHx/mYvQStSHU=; Received: from [10.10.10.34] (helo=frv34.ukr.net) by frv199.fwdcdn.com with smtp ID 1Vvush-0002GN-2T for freebsd-pf@freebsd.org; Wed, 25 Dec 2013 22:16:39 +0200 Date: Wed, 25 Dec 2013 22:16:38 +0200 From: wishmaster Subject: Re: nat before ipsec ... To: Zeus Panchenko X-Mailer: mail.ukr.net 5.0 Message-Id: <1388002486.266885449.d63pm7a2@frv34.ukr.net> In-Reply-To: <20131225200950.21787@relay.ibs.dn.ua> References: <20131225200950.21787@relay.ibs.dn.ua> MIME-Version: 1.0 Received: from artemrts@ukr.net by frv34.ukr.net; Wed, 25 Dec 2013 22:16:38 +0200 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: binary Content-Disposition: inline Cc: freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Dec 2013 20:16:52 -0000 If I understand you correctly, you want binat inside IPSec and therefore you must enable filtering in tunnel. This will help you: net.inet.ipsec.filtertunnel=1 Cheers, w --- Original message --- From: "Zeus Panchenko" Date: 25 December 2013, 20:11:05 > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > hi, > > please, may somebody help with the subj? is it possible at all on > FreeBSD with pf? 
> > I need to binat some of my LAN (network A) ip addresses to some of > secure communication addresses (network B) for, behind IPSec network C, > access > > target <-> world <--> em0 - freebsd - vlanA <--> LAN > ^ ^ net A > | | > +- netC -.-.-.-.- IPSec -.-.-.-.- net B -+ > > when I land some B network address on freebsd box, than everything from > that address works but, when I try to bi/nat some network A address to some > network B address, it is not > > in pf.conf I try this: > > binat on vlanA from A1 to C3 -> B2 > > where: > A1 is some address from net A > B2 is some address from net B > C3 is some address from net C > > I can see incoming packets from A1 to C3 on interface vlanA, but after > that, packets "disappears", I can not find them any other interface and > no return packets > > as far as I know I need "nat before vpn" ... but I was not able to find > how to do that ... can I do that with pf on freebsd? > > I run FreeBSD 9.2-PRERELEASE #6 r255856: amd64 with system pf > > please, help me understand what am I missing ... > > - -- > Zeus V. Panchenko jid:zeus@im.ibs.dn.ua > IT Dpt., I.B.S. 
LLC GMT+2 (EET) > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2.0.19 (FreeBSD) > > iEYEARECAAYFAlK7H24ACgkQr3jpPg/3oypenQCeI6R+2lILmP0UxDT273T1S8nU > 078AoJ3n1NRfU4L0pSrOKSDYovMpbIRF > =2FPq > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > From owner-freebsd-pf@FreeBSD.ORG Wed Dec 25 20:33:37 2013 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 2BD4B458 for ; Wed, 25 Dec 2013 20:33:37 +0000 (UTC) Received: from relay.ibs.dn.ua (relay.ibs.dn.ua [91.216.196.25]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 9BF0A1149 for ; Wed, 25 Dec 2013 20:33:35 +0000 (UTC) Received: from ibs.dn.ua (relay.ibs.dn.ua [91.216.196.25]) by relay.ibs.dn.ua with ESMTP id rBPKXWRM032021; Wed, 25 Dec 2013 22:33:32 +0200 (EET) Message-ID: <20131225223332.32019@relay.ibs.dn.ua> Date: Wed, 25 Dec 2013 22:33:32 +0200 From: "Zeus Panchenko" To: "wishmaster" Subject: Re: nat before ipsec ... In-reply-to: Your message of Wed, 25 Dec 2013 22:16:38 +0200 <1388002486.266885449.d63pm7a2@frv34.ukr.net> References: <20131225200950.21787@relay.ibs.dn.ua> <1388002486.266885449.d63pm7a2@frv34.ukr.net> Organization: I.B.S. 
LLC X-Mailer: MH-E 8.3.1; GNU Mailutils 2.99.98; GNU Emacs 24.0.93 X-Face: &sReWXo3Iwtqql1[My(t1Gkx; y?KF@KF`4X+'9Cs@PtK^y%}^.>Mtbpyz6U=,Op:KPOT.uG )Nvx`=er!l?WASh7KeaGhga"1[&yz$_7ir'cVp7o%CGbJ/V)j/=]vzvvcqcZkf; JDurQG6wTg+?/xA go`}1.Ze//K; Fk&/&OoHd'[b7iGt2UO>o(YskCT[_D)kh4!yY'<&:yt+zM=A`@`~9U+P[qS:f; #9z~ Or/Bo#N-'S'!'[3Wog'ADkyMqmGDvga?WW)qd=?)`Y&k=o}>!ST\ MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Cc: freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list Reply-To: Zeus Panchenko List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Dec 2013 20:33:37 -0000 =2D----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 wishmaster wrote: > If I understand you correctly, you want binat inside IPSec and I'm not sure ... what I want is to nat packets from net A before they are entering IPSec, as if they originate not on the freebsd host so, they enters IPSec already as net B packets ... =2D --=20 Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. 
LLC GMT+2 (EET) =2D----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (FreeBSD) iEYEARECAAYFAlK7QRsACgkQr3jpPg/3oyoDeACglvxBxGXrq1/F5UxjKBIZLuj2 jN8AoNSp+doX77JlS1o4uFnhyQT0C4sC =3DHPrd =2D----END PGP SIGNATURE----- From owner-freebsd-pf@FreeBSD.ORG Wed Dec 25 21:12:37 2013 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5DCC8841 for ; Wed, 25 Dec 2013 21:12:37 +0000 (UTC) Received: from mx1.sbone.de (mx1.sbone.de [IPv6:2a01:4f8:130:3ffc::401:25]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 132A01350 for ; Wed, 25 Dec 2013 21:12:37 +0000 (UTC) Received: from mail.sbone.de (mail.sbone.de [IPv6:fde9:577b:c1a9:31::2013:587]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx1.sbone.de (Postfix) with ESMTPS id 0F9C525D38A4; Wed, 25 Dec 2013 21:12:35 +0000 (UTC) Received: from content-filter.sbone.de (content-filter.sbone.de [IPv6:fde9:577b:c1a9:31::2013:2742]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPS id BC62EC22BE8; Wed, 25 Dec 2013 21:12:33 +0000 (UTC) X-Virus-Scanned: amavisd-new at sbone.de Received: from mail.sbone.de ([IPv6:fde9:577b:c1a9:31::2013:587]) by content-filter.sbone.de (content-filter.sbone.de [fde9:577b:c1a9:31::2013:2742]) (amavisd-new, port 10024) with ESMTP id M9GV2g09EVa7; Wed, 25 Dec 2013 21:12:32 +0000 (UTC) Received: from nv.sbone.de (nv.sbone.de [IPv6:fde9:577b:c1a9:31::2013:138]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPSA id 83BF1C22BBC; Wed, 25 Dec 2013 21:12:31 +0000 (UTC) Date: Wed, 25 Dec 2013 21:12:30 
+0000 (UTC) From: "Bjoern A. Zeeb" To: Zeus Panchenko Subject: Re: nat before ipsec ... In-Reply-To: <20131225223332.32019@relay.ibs.dn.ua> Message-ID: References: <20131225200950.21787@relay.ibs.dn.ua> <1388002486.266885449.d63pm7a2@frv34.ukr.net> <20131225223332.32019@relay.ibs.dn.ua> X-OpenPGP-Key-Id: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Dec 2013 21:12:37 -0000 On Wed, 25 Dec 2013, Zeus Panchenko wrote: > wishmaster wrote: > >> If I understand you correctly, you want binat inside IPSec and that would not really work as policies wouldn't match easily. > I'm not sure ... what I want is to nat packets from net A before they > are entering IPSec, as if they originate not on the freebsd host > > so, they enters IPSec already as net B packets ... If nothing has changed and no one implemented inside NAT for pf (or ported it) it cannot do it; I used to do it with ipfw ages ago, but back then it still required a third policy if I remember correctly. There should be some posting from me on net@ or ipfw@ from sometime in the last decade. /bz -- Bjoern A. Zeeb ????????? ??? ??????? ??????: '??? ??? ???? ?????? ??????? ?? ?? ??????? ??????? ??? ????? ????? ???? ?????? ?? ????? ????', ????????? ?????????, "??? ????? ?? ?????", ?.??? 
From owner-freebsd-pf@FreeBSD.ORG Wed Dec 25 21:35:48 2013 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 9E4EEF4D for ; Wed, 25 Dec 2013 21:35:48 +0000 (UTC) Received: from mail-pd0-x231.google.com (mail-pd0-x231.google.com [IPv6:2607:f8b0:400e:c02::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 705C11554 for ; Wed, 25 Dec 2013 21:35:48 +0000 (UTC) Received: by mail-pd0-f177.google.com with SMTP id q10so7388439pdj.36 for ; Wed, 25 Dec 2013 13:35:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=iQ6HNI9Te5/1fc9yiqXVEr9iH3ysNLtCLa06iGnap38=; b=ox+w0zTUKh35T+9o/MGf7+k5n8BNaVqfucpk6KTMMR3n5PedRs1pLMZKPRWlZ0WVim 1q/2OrJ/XSQQa96yCwRQwlYp0rkio8QubI/MboufyGwteljUW98BSIVU9DTouAELa/97 +wdn75YFEbYKVs+zJMDtwggwzN+Oq9tLKQE0e62erCYepj5hYXQTF3XWakyckaicnru+ dJIC4mG/8MRn9sq9bQ2YFFhuFFs8FjLPlFvB6SxVMTU4aehqAZIRXQPBPMRGcDMZg9pK 4BKMFRjvsBfRU1D/B2E8O84tHhpZIEhf+576qLCnglNn5c/cFs41F0ehJxsajnqsZoF8 WgjA== MIME-Version: 1.0 X-Received: by 10.68.57.98 with SMTP id h2mr40818407pbq.17.1388007347651; Wed, 25 Dec 2013 13:35:47 -0800 (PST) Sender: ermal.luci@gmail.com Received: by 10.70.46.105 with HTTP; Wed, 25 Dec 2013 13:35:47 -0800 (PST) In-Reply-To: References: <20131225200950.21787@relay.ibs.dn.ua> <1388002486.266885449.d63pm7a2@frv34.ukr.net> <20131225223332.32019@relay.ibs.dn.ua> Date: Wed, 25 Dec 2013 22:35:47 +0100 X-Google-Sender-Auth: rk1Wcd6UJCWSn1Bix1JUxluA0gg Message-ID: Subject: Re: nat before ipsec ... From: =?ISO-8859-1?Q?Ermal_Lu=E7i?= To: "Bjoern A. 
Zeeb" Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.17 Cc: "freebsd-pf@freebsd.org" X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Dec 2013 21:35:48 -0000 Hello, just use the ipsec-tools port from here https://github.com/pfsense/pfsense-tools/tree/master/pfPorts/ipsec-tools-0.8.1 . You need to specify the sainfo with original subnet in braces the natted subnet and the remote subnet. Than enter spd policies related to local network and remote for out and natted subnet and remote subnet for in. Also create whatever nat/rdr/binat rules with pf on the enc interface. Its almost the same solution as here http://undeadly.org/cgi?action=article&sid=20090127205841 but in this case racoon was modified to accept the syntax for the natted subnet and the different polcies for in and out are not a problem in FreeBSD. The easy other way is setup a pfSense VM create your config from the GUI and get the relevant configs in /var/etc/ipsec. On Wed, Dec 25, 2013 at 10:12 PM, Bjoern A. Zeeb < bzeeb-lists@lists.zabbadoz.net> wrote: > On Wed, 25 Dec 2013, Zeus Panchenko wrote: > > wishmaster wrote: >> >> If I understand you correctly, you want binat inside IPSec and >>> >> > that would not really work as policies wouldn't match easily. > > > > I'm not sure ... what I want is to nat packets from net A before they >> are entering IPSec, as if they originate not on the freebsd host >> >> so, they enters IPSec already as net B packets ... >> > > If nothing has changed and no one implemented inside NAT for pf (or > ported it) it cannot do it; I used to do it with ipfw ages ago, but > back then it still required a third policy if I remember correctly. 
> There should be some posting from me on net@ or ipfw@ from sometime in > the last decade. > > /bz > > -- > Bjoern A. Zeeb ????????? ??? ??????? ??????: > '??? ??? ???? ?????? ??????? ?? ?? ??????? ??????? ??? ????? ????? ???? > ?????? ?? ????? ????', ????????? ?????????, "??? ????? ?? ?????", ?.??? > > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > -- Ermal From owner-freebsd-pf@FreeBSD.ORG Thu Dec 26 10:17:42 2013 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 110182A5 for ; Thu, 26 Dec 2013 10:17:42 +0000 (UTC) Received: from cell.glebius.int.ru (glebius.int.ru [81.19.69.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 8CAF61310 for ; Thu, 26 Dec 2013 10:17:41 +0000 (UTC) Received: from cell.glebius.int.ru (localhost [127.0.0.1]) by cell.glebius.int.ru (8.14.7/8.14.7) with ESMTP id rBQAHdnV013271 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 26 Dec 2013 14:17:39 +0400 (MSK) (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by cell.glebius.int.ru (8.14.7/8.14.7/Submit) id rBQAHcM3013270; Thu, 26 Dec 2013 14:17:38 +0400 (MSK) (envelope-from glebius@FreeBSD.org) X-Authentication-Warning: cell.glebius.int.ru: glebius set sender to glebius@FreeBSD.org using -f Date: Thu, 26 Dec 2013 14:17:38 +0400 From: Gleb Smirnoff To: Berend de Boer Subject: Re: Network severely unstable 10.0-PRERELEASE Message-ID: <20131226101738.GN71033@glebius.int.ru> References: <87sitku33x.wl%berend@pobox.com> <20131225132752.GK71033@FreeBSD.org> 
<877gasu3oa.wl%berend@pobox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <877gasu3oa.wl%berend@pobox.com> User-Agent: Mutt/1.5.22 (2013-10-16) Cc: freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Dec 2013 10:17:42 -0000 On Thu, Dec 26, 2013 at 08:32:53AM +1300, Berend de Boer wrote: B> Gleb> Does the system panic the same way as described in B> Gleb> misc/182141) on 10.0? B> B> Indeed, no change. Purely a kernel issue. Repeatable since FreeBSD B> 9.x, across 10.x, across 32-bit and 64-bit. B> B> There's a related issue: B> B> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/182557 B> B> Let me know if you need anything else from me. B> B> I've just grabbed the latest FreeBSD 10 sources, and recompiling now. B> B> Next Monday I'm able to enable the bug triggering keyword again (not B> now, all the family is here and wants a stable network :-) ). What is the bug triggering keyword? Can you please provide a minimal configuration that reproduced the bug? -- Totus tuus, Glebius. 
From owner-freebsd-pf@FreeBSD.ORG Thu Dec 26 10:18:54 2013 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id BD0122EE for ; Thu, 26 Dec 2013 10:18:54 +0000 (UTC) Received: from cell.glebius.int.ru (glebius.int.ru [81.19.69.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 42D0D1316 for ; Thu, 26 Dec 2013 10:18:54 +0000 (UTC) Received: from cell.glebius.int.ru (localhost [127.0.0.1]) by cell.glebius.int.ru (8.14.7/8.14.7) with ESMTP id rBQAIqCV013290 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 26 Dec 2013 14:18:52 +0400 (MSK) (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by cell.glebius.int.ru (8.14.7/8.14.7/Submit) id rBQAIqJ7013289; Thu, 26 Dec 2013 14:18:52 +0400 (MSK) (envelope-from glebius@FreeBSD.org) X-Authentication-Warning: cell.glebius.int.ru: glebius set sender to glebius@FreeBSD.org using -f Date: Thu, 26 Dec 2013 14:18:52 +0400 From: Gleb Smirnoff To: Berend de Boer Subject: Re: Network severely unstable 10.0-PRERELEASE Message-ID: <20131226101852.GO71033@FreeBSD.org> References: <87sitku33x.wl%berend@pobox.com> <20131225132752.GK71033@FreeBSD.org> <877gasu3oa.wl%berend@pobox.com> <20131226101738.GN71033@glebius.int.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20131226101738.GN71033@glebius.int.ru> User-Agent: Mutt/1.5.22 (2013-10-16) Cc: freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Dec 2013 10:18:54 
-0000 On Thu, Dec 26, 2013 at 02:17:38PM +0400, Gleb Smirnoff wrote: T> On Thu, Dec 26, 2013 at 08:32:53AM +1300, Berend de Boer wrote: T> B> Gleb> Does the system panic the same way as described in T> B> Gleb> misc/182141) on 10.0? T> B> T> B> Indeed, no change. Purely a kernel issue. Repeatable since FreeBSD T> B> 9.x, across 10.x, across 32-bit and 64-bit. T> B> T> B> There's a related issue: T> B> T> B> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/182557 T> B> T> B> Let me know if you need anything else from me. T> B> T> B> I've just grabbed the latest FreeBSD 10 sources, and recompiling now. T> B> T> B> Next Monday I'm able to enable the bug triggering keyword again (not T> B> now, all the family is here and wants a stable network :-) ). T> T> What is the bug triggering keyword? Can you please provide a minimal T> configuration that reproduced the bug? Already see it in the kern/182557. Thanks! -- Totus tuus, Glebius. From owner-freebsd-pf@FreeBSD.ORG Thu Dec 26 15:32:00 2013 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 565533C2 for ; Thu, 26 Dec 2013 15:32:00 +0000 (UTC) Received: from cell.glebius.int.ru (glebius.int.ru [81.19.69.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id D19B91977 for ; Thu, 26 Dec 2013 15:31:59 +0000 (UTC) Received: from cell.glebius.int.ru (localhost [127.0.0.1]) by cell.glebius.int.ru (8.14.7/8.14.7) with ESMTP id rBQFVuqd014798 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 26 Dec 2013 19:31:56 +0400 (MSK) (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by cell.glebius.int.ru (8.14.7/8.14.7/Submit) id rBQFVteP014797; Thu, 26 Dec 2013 19:31:55 +0400 
(MSK) (envelope-from glebius@FreeBSD.org) X-Authentication-Warning: cell.glebius.int.ru: glebius set sender to glebius@FreeBSD.org using -f Date: Thu, 26 Dec 2013 19:31:55 +0400 From: Gleb Smirnoff To: Berend de Boer Subject: Re: Network severely unstable 10.0-PRERELEASE Message-ID: <20131226153155.GS71033@glebius.int.ru> References: <87sitku33x.wl%berend@pobox.com> <20131225132752.GK71033@FreeBSD.org> <877gasu3oa.wl%berend@pobox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <877gasu3oa.wl%berend@pobox.com> User-Agent: Mutt/1.5.22 (2013-10-16) Cc: freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Dec 2013 15:32:00 -0000 Berend, On Thu, Dec 26, 2013 at 08:32:53AM +1300, Berend de Boer wrote: B> Gleb> Does the system panic the same way as described in B> Gleb> misc/182141) on 10.0? B> B> Indeed, no change. Purely a kernel issue. Repeatable since FreeBSD B> 9.x, across 10.x, across 32-bit and 64-bit. B> B> There's a related issue: B> B> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/182557 B> B> Let me know if you need anything else from me. B> B> I've just grabbed the latest FreeBSD 10 sources, and recompiling now. B> B> Next Monday I'm able to enable the bug triggering keyword again (not B> now, all the family is here and wants a stable network :-) ). Can you share a vmcore from paniced FreeBSD 10 system and kernel binary? -- Totus tuus, Glebius. 
From owner-freebsd-pf@FreeBSD.ORG Fri Dec 27 00:55:41 2013
Date: Fri, 27 Dec 2013 13:55:31 +1300
From: Berend de Boer
To: Gleb Smirnoff
Cc: freebsd-pf@freebsd.org
Subject: Re: Network severely unstable 10.0-PRERELEASE
Message-ID: <87sitfcdto.wl%berend@pobox.com>
In-Reply-To: <20131226153155.GS71033@glebius.int.ru>
Organization: Xplain Technology Ltd

>>>>> "Gleb" == Gleb Smirnoff writes:

    Gleb> Can you share a vmcore from a panicked FreeBSD 10 system and
    Gleb> the kernel binary?

Yes, what kernel options do I need to compile in to get you this?
-- 
All the best,

Berend de Boer

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 27 03:32:24 2013
Date: Fri, 27 Dec 2013 07:32:20 +0400
From: Gleb Smirnoff
To: Berend de Boer
Cc: freebsd-pf@freebsd.org
Subject: Re: Network severely unstable 10.0-PRERELEASE
Message-ID: <20131227033220.GW71033@glebius.int.ru>
In-Reply-To: <87sitfcdto.wl%berend@pobox.com>

On Fri, Dec 27, 2013 at 01:55:31PM +1300, Berend de Boer wrote:
B> >>>>> "Gleb" == Gleb Smirnoff writes:
B> 
B>     Gleb> Can you share a vmcore from a panicked FreeBSD 10 system and
B>     Gleb> the kernel binary?
B> 
B> Yes, what kernel options do I need to compile in to get you this?

http://www.freebsd.org/doc/en/books/developers-handbook/kerneldebug.html#kerneldebug-obtain

-- 
Totus tuus, Glebius.
From owner-freebsd-pf@FreeBSD.ORG Fri Dec 27 07:22:12 2013
Date: Fri, 27 Dec 2013 09:22:01 +0200
From: "Zeus Panchenko"
Subject: Re: nat before ipsec ...
Message-ID: <20131227092201.7029@relay.ibs.dn.ua>
In-Reply-To: Your message of Wed, 25 Dec 2013 20:09:50 +0200 <20131225200950.21787@relay.ibs.dn.ua>
Organization: I.B.S. LLC

> target <-> world <--> em0 - freebsd - vlanA <--> LAN
>                        ^                 ^        net A
>                        |                 |
>                        +- netC -.-.-.-.- IPSec -.-.-.-.- net B -+
> ...
> where:
> A1 is some address from net A
> B2 is some address from net B
> C3 is some address from net C
>
> I can see incoming packets from A1 to C3 on interface vlanA, but after
> that, packets "disappear", I can not find them on any other interface and
> no return packets

finally I was able to get the packets redirected (actually after pf
restart, not just reload) and now I have A1 packets going to C3 on vlanA

# tcpdump -ni tun10 host C3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun10, link-type NULL (BSD loopback), capture size 65535 bytes
07:10:57.641536 IP A1 > C3: ICMP echo request, id 59179, seq 8913, length 64
07:10:58.641467 IP A1 > C3: ICMP echo request, id 59179, seq 8914, length 64
07:10:59.641882 IP A1 > C3: ICMP echo request, id 59179, seq 8915, length 64

and further I can see them on the interface IPSec is configured on:

# tcpdump -ni em1 host C3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
07:12:28.638456 IP A1 > C3: ICMP echo request, id 59179, seq 9004, length 64
07:12:29.636961 IP A1 > C3: ICMP echo request, id 59179, seq 9005, length 64
07:12:30.637647 IP A1 > C3: ICMP echo request, id 59179, seq 9006, length 64

but these packets *do not pass through the nat* ...

in pf.conf I do:

rdr pass on $if_vpn from A1 to C -> $target-side-of-ipsec
binat on $if_vpn from A1 to C3 -> B2

and net.inet.ipsec.filtertunnel is set to 1

is the URL below the answer?
http://forum.pfsense.org/index.php/topic,49800.msg265106.html#msg265106

-- 
Zeus V. Panchenko				jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC					GMT+2 (EET)
From owner-freebsd-pf@FreeBSD.ORG Sat Dec 28 08:40:15 2013
Date: Sat, 28 Dec 2013 00:39:54 -0800
From: Rui Paulo
To: Gleb Smirnoff, freebsd-pf@freebsd.org
Subject: pf and fragmented packets

Hi,

I found two problems with pf where fragmented packets behind a NAT don't get
properly transmitted/translated. This affects things like the PS3, PS Vita and
probably other consoles.

The first problem is when I send a fragmented ICMP/UDP packet and pf routes
packets to the WAN interface _without_ changing the IP address and port. To see
this in action, you can install fragroute and then use 'fragtest frag
www.google.com'. In this case, my rule set has "scrub on $ext_if all fragment
reassemble".

Here's the packet dump on the WAN interface (notice the use of RFC 1918
addresses):

00:27:24.992023 IP (tos 0x0, ttl 63, id 40521, offset 0, flags [+], proto ICMP (1), length 28, bad cksum 0 (->78a1)!)
    10.0.1.87 > 74.125.239.34: ICMP echo request, id 48597, seq 1, length 8
00:27:24.992115 IP (tos 0x0, ttl 63, id 40521, offset 8, flags [+], proto ICMP (1), length 28, bad cksum 0 (->78a0)!)
    10.0.1.87 > 74.125.239.34: ip-proto-1
00:27:24.992189 IP (tos 0x0, ttl 63, id 40521, offset 16, flags [+], proto ICMP (1), length 28, bad cksum 0 (->789f)!)
    10.0.1.87 > 74.125.239.34: ip-proto-1
00:27:24.992263 IP (tos 0x0, ttl 63, id 40521, offset 24, flags [none], proto ICMP (1), length 28, bad cksum 0 (->989e)!)
    10.0.1.87 > 74.125.239.34: ip-proto-1

If I enable "reassemble tcp fragment reassemble", I get this:

00:28:43.989497 IP (tos 0x0, ttl 63, id 63913, offset 0, flags [none], proto ICMP (1), length 52, bad cksum 0 (->1fdf)!)
    24.6.16.155 > 74.125.239.34: ICMP echo request, id 27701, seq 1, length 32

It looks like "reassemble tcp" does the trick. However, this is not TCP, so I'm
guessing it's just a side effect. This is also not a sensible workaround,
because it doesn't work when the packets are too big. That leads us to...

The second problem happens with large UDP packets. If I change the rule "scrub
on $ext_if all fragment reassemble" to "scrub on $ext_if all reassemble tcp
fragment reassemble", I can see the UDP packets going out correctly translated,
but if I send a large UDP packet (> MTU), pf sends the reassembled packet as a
large packet which exceeds the MTU.

Here's a packet trace from my PS Vita. First on the internal interface:

00:35:06.673636 IP (tos 0x0, ttl 64, id 25171, offset 0, flags [+], proto UDP (17), length 1500)
    10.0.1.125.50929 > 198.107.156.154.3478: UDP, length 2108
00:35:06.673987 IP (tos 0x0, ttl 64, id 25171, offset 1480, flags [none], proto UDP (17), length 656)
    10.0.1.125 > 198.107.156.154: ip-proto-17

And the translated packet:

00:35:06.674096 IP (tos 0x0, ttl 63, id 25171, offset 0, flags [none], proto UDP (17), length 2136, bad cksum 0 (->859b)!)
    24.6.16.155.56632 > 198.107.156.154.3478: [udp sum ok] UDP, length 2108

This is just getting dropped by the interface because it's too big.

I could share my complete rule set if that helps, but it's really easy to test
this with fragtest. The second test is not as simple because you either need a
PS Vita or you will need to modify fragtest.c so that it sends a large packet.

I think this is a serious problem since it impacts the use of FreeBSD as a
router. Any ideas?

-- 
Rui Paulo
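Added example, not code from the thread or from pf: a small Python audit of a WAN-side tcpdump -v capture that flags the two symptoms Rui describes, fragments leaving with an untranslated RFC 1918 source and a reassembled datagram longer than the link MTU. The sample capture is constructed from the lines quoted in the message, and the 1500-byte MTU is an assumption.

```python
import ipaddress
import re
from collections import namedtuple
from typing import Dict, List, Optional

# Constructed sample: WAN-side tcpdump -v lines quoted in the message, laid
# out as tcpdump prints them (header line, then an indented address line).
SAMPLE_WAN_CAPTURE = """\
00:27:24.992023 IP (tos 0x0, ttl 63, id 40521, offset 0, flags [+], proto ICMP (1), length 28, bad cksum 0 (->78a1)!)
    10.0.1.87 > 74.125.239.34: ICMP echo request, id 48597, seq 1, length 8
00:27:24.992263 IP (tos 0x0, ttl 63, id 40521, offset 24, flags [none], proto ICMP (1), length 28, bad cksum 0 (->989e)!)
    10.0.1.87 > 74.125.239.34: ip-proto-1
00:28:43.989497 IP (tos 0x0, ttl 63, id 63913, offset 0, flags [none], proto ICMP (1), length 52, bad cksum 0 (->1fdf)!)
    24.6.16.155 > 74.125.239.34: ICMP echo request, id 27701, seq 1, length 32
00:35:06.674096 IP (tos 0x0, ttl 63, id 25171, offset 0, flags [none], proto UDP (17), length 2136, bad cksum 0 (->859b)!)
    24.6.16.155.56632 > 198.107.156.154.3478: [udp sum ok] UDP, length 2108
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\S+) IP \(.*?\bid (?P<id>\d+), offset (?P<off>\d+), "
    r"flags \[(?P<flags>[^\]]*)\], proto (?P<proto>\w+) \(\d+\), length (?P<len>\d+)"
)
# Addresses may carry a trailing .port, which \S* skips.
ADDR_RE = re.compile(r"^\s+(?P<src>\d+\.\d+\.\d+\.\d+)\S* > (?P<dst>\d+\.\d+\.\d+\.\d+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
Datagram = namedtuple("Datagram", "ts ip_id offset more_fragments proto length src dst")

def parse_capture(text: str) -> List[Datagram]:
    """Pair each tcpdump -v header line with the indented address line under it."""
    out: List[Datagram] = []
    pending: Optional[re.Match] = None
    for line in text.splitlines():
        addr = ADDR_RE.match(line) if pending else None
        if addr:
            h = pending
            out.append(Datagram(h["ts"], int(h["id"]), int(h["off"]), "+" in h["flags"],
                                h["proto"], int(h["len"]), addr["src"], addr["dst"]))
            pending = None
        else:
            pending = HEADER_RE.match(line)
    return out

def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def audit(text: str, mtu: int = 1500) -> Dict[str, object]:
    """Symptom 1: a private source on the WAN side means NAT never rewrote the
    fragment. Symptom 2: a datagram longer than the MTU is dropped on the wire
    instead of being re-fragmented after reassembly. MTU 1500 is an assumption."""
    pkts = parse_capture(text)
    leaked = [p for p in pkts if is_rfc1918(p.src)]
    oversize = [p for p in pkts if p.length > mtu]
    return {
        "parsed": len(pkts),
        "leaked_fragments": len(leaked),
        "leaked_ip_ids": sorted({p.ip_id for p in leaked}),
        "oversize_ip_ids": sorted({p.ip_id for p in oversize}),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_WAN_CAPTURE).items():
        print(f"{key}: {value}")
```

Feed it the output of `tcpdump -nv -i <ext_if>` taken while running the fragtest reproduction; any non-empty `leaked_ip_ids` or `oversize_ip_ids` reproduces the respective problem.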