From owner-freebsd-pf@freebsd.org Sun Jun 21 21:12:02 2020
List-Id: "Technical discussion and general questions about packet filter (pf)" (freebsd-pf@freebsd.org)

From: David Mehler <dave.mehler@gmail.com>
Date: Sun, 21 Jun 2020 17:11:59 -0400
To: freebsd-pf@freebsd.org
Subject: Need a PF consultant

Hello,

Anyone a pf expert wanting to make some extra money?

I'm in need of consulting. I'm having an issue with my PF configuration; I've got a much longer message with output and netstat and all that. If anyone is interested, email me privately with rates and I'll send the details. In brief: I've got FreeBSD 12.1 going and my provider gives me an IPv6 address. On boot, if I ping6 out I get a UDP connect no route to host message. If I disable and re-enable pf I can ping6 out, as root and as a user, for about five minutes; then packets are able to be sent out, but nothing comes back. About five minutes later, again as root and as a user, I'm getting the UDP connect no route to host message.

I've got two different rulesets.

I'd appreciate any help.

Thanks.
Dave.
From: Donald Mickunas <dmickunas1954@fastmail.com>
Date: Sun, 21 Jun 2020 17:19:27 -0400
To: freebsd-pf@freebsd.org
Subject: Re: Need a PF consultant

David,

Run a check on the IPv6 DNS server you are using. I live in eastern Tennessee and Namebench -6 is unable to find a reliable server for IPv6. I am no expert, but that turned out to be the issue with my PF firewall setup. No harm checking.

Regards,
Don Mickunas

On Sun, Jun 21, 2020, at 17:11, David Mehler wrote:
> Hello,
>
> Anyone a pf expert wanting to make some extra money?
>
> I'm in need of consulting, I'm having an issue with my PF
> configuration, I've got a much longer message with output and netstat
> and all that, if anyone is interested email me privately with rates
> and I'll send the details, but in brief I've got FreeBSD 12.1 going,
> my provider gives me an IPv6 address, on boot if I ping6 out I get a
> UDP connect no route to host message, disable and reenable pf and I
> can ping6 out as root, and as a user, for about five minutes, then I
> start getting packets are able to be sent out, but nothing comes back.
> About five minutes later again as root and as a user I'm getting the
> UDP connect no route to host message.
>
> I've got two different rulesets.
>
> I'd appreciate any help.
>
> Thanks.
> Dave.
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From: Kristof Provost <kp@FreeBSD.org>
Date: Sun, 21 Jun 2020 23:28:21 +0200
To: David Mehler
Cc: freebsd-pf@freebsd.org
Subject: Re: Need a PF consultant
On 21 Jun 2020, at 23:11, David Mehler wrote:
> Anyone a pf expert wanting to make some extra money?
>
> I'm in need of consulting, I'm having an issue with my PF
> configuration, I've got a much longer message with output and netstat
> and all that, if anyone is interested email me privately with rates
> and I'll send the details, but in brief I've got FreeBSD 12.1 going,
> my provider gives me an IPv6 address, on boot if I ping6 out I get a
> UDP connect no route to host message, disable and reenable pf and I
> can ping6 out as root, and as a user, for about five minutes, then I
> start getting packets are able to be sent out, but nothing comes back.
> About five minutes later again as root and as a user I'm getting the
> UDP connect no route to host message.
>
That sounds a lot like you’re dropping router and/or neighbour advertisements.

Make sure you’ve got at least the following pass rules:

# IPv6 link-local traffic
pass quick inet6 proto icmp6 from :: to ff02::/16
pass quick inet6 proto icmp6 from fe80::/10 to fe80::/10
pass quick inet6 proto icmp6 from fe80::/10 to ff02::/16

# IPv6 Traffic That Must Not Be Dropped (RFC4890 4.3.1)
pass quick inet6 proto icmp6 from any to any icmp6-type { unreach, toobig }
pass quick inet6 proto icmp6 from any to any icmp6-type timex code 0
pass quick inet6 proto icmp6 from any to any icmp6-type { paramprob code 1, paramprob code 2 }
pass quick inet6 proto icmp6 from any to any icmp6-type { echoreq, echorep }

# IPv6 Traffic That Normally Should Not Be Dropped (RFC4890 4.3.2)
pass quick inet6 proto icmp6 from any to any icmp6-type timex code 1
pass quick inet6 proto icmp6 from any to any icmp6-type paramprob code 0

# IPv6 local configuration (ND, DAD, RS, etc...)
pass quick inet6 proto icmp6 from any to any icmp6-type { routersol, routeradv }
pass quick inet6 proto icmp6 from any to any icmp6-type { neighbrsol, neighbradv }
pass quick inet6 proto icmp6 from any to any icmp6-type { 141, 142 }
pass quick inet6 proto icmp6 from any to any icmp6-type { listqry, listenrep, listendone, 143 }
pass quick inet6 proto icmp6 from any to any icmp6-type { 148, 149 }
pass quick inet6 proto icmp6 from any to any icmp6-type { 151, 152, 153 }

At a guess the routersol/routeradv and neighbrsol/neighbradv are the ones you’re running into, but you likely want to allow all of these.

Best regards,
Kristof
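As an added check (not from the thread and not part of pf itself), the following Python script reads a pf.conf ruleset and reports which of the ICMPv6 types Kristof lists above are not admitted by any pass rule. It understands only the rule shapes that appear in this thread, both the per-type form above and the broad "proto { icmp, icmp6 }" form without a type filter; the name-to-number table follows pf.conf(5), and the required set is assumed to be the RFC 4890 section 4.3.1 types plus Router/Neighbor Discovery (types 133 to 136). Rule order, block rules and the quick keyword are ignored, so a clean result is a necessary condition, not proof that the ruleset is right.

```python
import re

# ICMPv6 type names as pf.conf(5) spells them, with their type numbers.
# Only the names used in the thread's ruleset are listed; numeric types
# are accepted directly.
ICMP6_TYPES = {
    "unreach": 1, "toobig": 2, "timex": 3, "paramprob": 4,
    "echoreq": 128, "echorep": 129,
    "listqry": 130, "listenrep": 131, "listendone": 132,
    "routersol": 133, "routeradv": 134, "neighbrsol": 135, "neighbradv": 136,
}
TYPE_NAMES = {number: name for name, number in ICMP6_TYPES.items()}

# Types a host must accept for IPv6 to keep working: the RFC 4890 4.3.1 set
# plus Router/Neighbor Discovery (133-136). An assumption of this example.
REQUIRED = {1, 2, 3, 4, 128, 129, 133, 134, 135, 136}

RULE_RE = re.compile(
    r"^pass\b(?P<head>.*?)\bproto\s+(?P<proto>\{[^}]*\}|\S+)(?P<rest>.*)$")
TYPE_RE = re.compile(
    r"\bicmp6-type\s+(?P<spec>\{[^}]*\}|\S+(?:\s+code\s+\d+)?)")
# "from X" or "to X" where X is anything other than "any": address-scoped.
SCOPED_RE = re.compile(r"\b(?:from|to)\s+(?!any\b)\S")


def _type_number(token):
    if token.isdigit():
        return int(token)
    if token not in ICMP6_TYPES:
        raise ValueError("unknown icmp6 type name: %s" % token)
    return ICMP6_TYPES[token]


def passed_icmp6_types(ruleset):
    """Return (types, unrestricted): the ICMPv6 type numbers that pass rules
    admit, and whether some pass rule admits icmp6 with neither a type filter
    nor an address restriction (so every type is allowed)."""
    types, unrestricted = set(), False
    for raw in ruleset.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line)
        if not m:
            continue                      # block rules, options, blanks
        if re.search(r"\binet\b", m.group("head")):
            continue                      # IPv4-only rule ("inet6" does not match)
        protos = {p.strip() for p in m.group("proto").strip("{}").split(",")}
        if "icmp6" not in protos:
            continue
        t = TYPE_RE.search(m.group("rest"))
        if t is None:
            # No type filter. Address-scoped rules (such as the link-local
            # ones) are not counted as admitting every type from anywhere.
            if not SCOPED_RE.search(m.group("rest")):
                unrestricted = True
            continue
        for item in t.group("spec").strip("{}").split(","):
            types.add(_type_number(item.split()[0]))
    return types, unrestricted


def missing_required_types(ruleset):
    """Names of REQUIRED ICMPv6 types that no pass rule admits; an empty list
    means IPv6 housekeeping traffic gets through."""
    types, unrestricted = passed_icmp6_types(ruleset)
    if unrestricted:
        return []
    return sorted(TYPE_NAMES.get(n, str(n)) for n in REQUIRED - types)


# Sample input: a subset of the rules Kristof posted in this thread.
ND_RULESET = """
# IPv6 link-local traffic
pass quick inet6 proto icmp6 from :: to ff02::/16
pass quick inet6 proto icmp6 from fe80::/10 to ff02::/16
# IPv6 Traffic That Must Not Be Dropped (RFC4890 4.3.1)
pass quick inet6 proto icmp6 from any to any icmp6-type { unreach, toobig }
pass quick inet6 proto icmp6 from any to any icmp6-type timex code 0
pass quick inet6 proto icmp6 from any to any icmp6-type { paramprob code 1, paramprob code 2 }
pass quick inet6 proto icmp6 from any to any icmp6-type { echoreq, echorep }
# IPv6 local configuration (ND, DAD, RS, etc...)
pass quick inet6 proto icmp6 from any to any icmp6-type { routersol, routeradv }
pass quick inet6 proto icmp6 from any to any icmp6-type { neighbrsol, neighbradv }
pass quick inet6 proto icmp6 from any to any icmp6-type { 141, 142 }
"""

# Constructed sample: echo and unreachable only, ND left out.
ECHO_ONLY_RULESET = """
pass quick inet6 proto icmp6 from any to any icmp6-type { unreach, toobig }
pass quick inet6 proto icmp6 from any to any icmp6-type { echoreq, echorep }
"""

# The poster's original rules from later in the thread: no type filter at all.
BROAD_RULESET = """
pass out quick on $ext_if proto { icmp, icmp6 } modulate state
pass in quick on $ext_if proto { icmp, icmp6 }
"""

if __name__ == "__main__":
    for name, rules in (("nd", ND_RULESET), ("echo-only", ECHO_ONLY_RULESET),
                        ("broad", BROAD_RULESET)):
        print(name, "missing:", missing_required_types(rules) or "none")
```

Run it on a real pf.conf with `missing_required_types(open("/etc/pf.conf").read())`; macros such as `$ext_if` are left unexpanded, which is harmless here because only the `proto`, `from`/`to` and `icmp6-type` parts are inspected.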
From: David Mehler <dave.mehler@gmail.com>
Date: Sun, 21 Jun 2020 20:06:36 -0400
To: Kristof Provost
Cc: freebsd-pf@freebsd.org
Subject: Re: Need a PF consultant

Hello,

Thanks for all your replies.

Donald, the IPv6 DNS is working fine in this situation.

Kristof, here's what I originally had in my pf.conf file for ICMP:

pass out quick on $ext_if proto { icmp, icmp6 } modulate state
pass in quick on $ext_if proto { icmp, icmp6 }

I commented that out, added in your rules, disabled and re-enabled PF, and did a ping6. Good news is the first time I tried ping6 it worked; bad news is the second time I tried it, about two minutes later, it sent out the ping6 but didn't return anything, zero packets received. A few minutes later it was doing the UDP connect no route to host thing again.

While the original focus of my question was IPv6, would you be willing to assist me with my general configuration? As I said, I can go into much more detail on this.

Thanks.
Dave.

On 6/21/20, Kristof Provost wrote:
> On 21 Jun 2020, at 23:11, David Mehler wrote:
>> Anyone a pf expert wanting to make some extra money?
>>
>> I'm in need of consulting, I'm having an issue with my PF
>> configuration, I've got a much longer message with output and netstat
>> and all that, if anyone is interested email me privately with rates
>> and I'll send the details, but in brief I've got FreeBSD 12.1 going,
>> my provider gives me an IPv6 address, on boot if I ping6 out I get a
>> UDP connect no route to host message, disable and reenable pf and I
>> can ping6 out as root, and as a user, for about five minutes, then I
>> start getting packets are able to be sent out, but nothing comes back.
>> About five minutes later again as root and as a user I'm getting the
>> UDP connect no route to host message.
>>
> That sounds a lot like you’re dropping router and/or neighbour
> advertisements.
>
> Make sure you’ve got at least the following pass rules:
>
> # IPv6 link-local traffic
> pass quick inet6 proto icmp6 from :: to ff02::/16
> pass quick inet6 proto icmp6 from fe80::/10 to fe80::/10
> pass quick inet6 proto icmp6 from fe80::/10 to ff02::/16
>
> # IPv6 Traffic That Must Not Be Dropped (RFC4890 4.3.1)
> pass quick inet6 proto icmp6 from any to any icmp6-type { unreach, toobig }
> pass quick inet6 proto icmp6 from any to any icmp6-type timex code 0
> pass quick inet6 proto icmp6 from any to any icmp6-type { paramprob code 1, paramprob code 2 }
> pass quick inet6 proto icmp6 from any to any icmp6-type { echoreq, echorep }
>
> # IPv6 Traffic That Normally Should Not Be Dropped (RFC4890 4.3.2)
> pass quick inet6 proto icmp6 from any to any icmp6-type timex code 1
> pass quick inet6 proto icmp6 from any to any icmp6-type paramprob code 0
>
> # IPv6 local configuration (ND, DAD, RS, etc...)
> pass quick inet6 proto icmp6 from any to any icmp6-type { routersol, routeradv }
> pass quick inet6 proto icmp6 from any to any icmp6-type { neighbrsol, neighbradv }
> pass quick inet6 proto icmp6 from any to any icmp6-type { 141, 142 }
> pass quick inet6 proto icmp6 from any to any icmp6-type { listqry, listenrep, listendone, 143 }
> pass quick inet6 proto icmp6 from any to any icmp6-type { 148, 149 }
> pass quick inet6 proto icmp6 from any to any icmp6-type { 151, 152, 153 }
>
> At a guess the routersol/routeradv and neighbrsol/neighbradv are the ones
> you’re running into, but you likely want to allow all of these.
>
> Best regards,
> Kristof

From: Kristof Provost <kp@FreeBSD.org>
Date: Mon, 22 Jun 2020 08:42:39 +0200
To: David Mehler
Cc: freebsd-pf@freebsd.org
Subject: Re: Need a PF consultant

On 22 Jun 2020, at 2:06, David Mehler wrote:
> Thanks for all your replies.
>
> Donald, the IPv6 dns is working fine in this situation.
>
> Kristof, here's what I originally had in my pf.conf file for ICMP:
>
> pass out quick on $ext_if proto { icmp, icmp6 } modulate state
> pass in quick on $ext_if proto { icmp, icmp6 }
>
That’s a somewhat bigger hammer than what I proposed, but that should work as well.

> I commented that out, added in your rules, disabled and reenabled PF,
> and did a ping6. Good news is the first time I tried ping6 it worked,
> bad news is the second time I tried it about two minutes later it sent
> out the ping6 but didn't return anything, zero packets received. A few
> minutes later doing the UDP connect no route to host thing again.
>
> While the original focus of my question was IPv6 would you be willing
> to assist me with my general configuration? As I said I can go in to
> much more detail on this.

Please do send me the information you have, yes.

Best regards,
Kristof

From: The Doctor <doctor@doctor.nl2k.ab.ca>
Date: Thu, 25 Jun 2020 20:27:52 -0600
To: freebsd-pf@freebsd.org, freebsd-questions@freebsd.org
Subject: GRE mpd5 and PPTP
Hello,

I am trying to set up a PPTP / L2TP dial-in pool, so to speak. I have most of the PPTP done except for GRE.

What are the considerations for PPTP/GRE on FB12.1 and for L2TP using packet filtering?

--
Member - Liberal International  This is doctor@@nl2k.ab.ca  Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country! Never Satan President Republic! Beware AntiChrist rising!
nk.ca started 1 June 1995 . https://www.empire.kred/ROOTNK?t=94a1f39b
They are not born of the Lord, who alter His Word to please fools. -unknown
From: Özkan KIRIK <ozkan.kirik@gmail.com>
Date: Fri, 26 Jun 2020 14:56:46 +0300
To: freebsd-pf@freebsd.org
Subject: pf - state counter tracking like pfsync

Hi,

My goal is to save the pkt/byte counters of each expired/killed/closed state into a txt file. What is the right way to do this in userspace? Is it possible to do something with ioctl & poll?

Alternatively, is it possible to create multiple pfsync interfaces: the first one for its real purpose, sending state changes to the slave host, and the second one for sending to this log-collecting process on lo1?

The following lines prevent cloning a second pfsync interface (/usr/src/sys/netpfil/pf/if_pfsync.c, line 331, in the pfsync_clone_create function):

if (unit != 0)
        return (EINVAL);

If I remove these lines, do I hit any error?

Best regards,
Thanks
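As an added example (not from the thread and not pf's or pfsync's code), here is a userspace approach that needs no kernel change: poll pfctl's verbose state listing and record the last counters seen for every state that has disappeared between two snapshots. The two snapshots below are constructed for this example; their layout (a state line at column 0, then indented lines carrying "N:M pkts, X:Y bytes" and "id: ... creatorid: ...") is assumed to match `pfctl -vvss` and should be checked against the installed pfctl. The id/creatorid pair is the same identity pfsync uses for a state.

```python
import re

# Constructed sample listings in the assumed `pfctl -vvss` layout.
SNAPSHOT_T0 = """\
all tcp 203.0.113.10:22 <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
   [3210000000 + 65535] wscale 7  [1230000000 + 65535] wscale 7
   age 00:05:12, expires in 23:54:48, 120:100 pkts, 14400:9000 bytes, rule 5
   id: 0000000000000001 creatorid: 8b9c0d1e
all udp 203.0.113.10:53 <- 198.51.100.9:40001       MULTIPLE:SINGLE
   age 00:00:03, expires in 00:00:57, 2:1 pkts, 160:90 bytes, rule 7
   id: 0000000000000002 creatorid: 8b9c0d1e
"""

SNAPSHOT_T1 = """\
all tcp 203.0.113.10:22 <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
   [3210000000 + 65535] wscale 7  [1230000000 + 65535] wscale 7
   age 00:06:12, expires in 23:53:48, 150:120 pkts, 18000:11000 bytes, rule 5
   id: 0000000000000001 creatorid: 8b9c0d1e
"""

COUNTER_RE = re.compile(r"(\d+):(\d+) pkts, (\d+):(\d+) bytes")
ID_RE = re.compile(r"id: ([0-9a-f]+) creatorid: ([0-9a-f]+)")


def parse_states(text):
    """Map (id, creatorid) -> {"state": header line, "pkts": (a, b),
    "bytes": (a, b)} for every state in one listing. Keying on id/creatorid
    rather than the 5-tuple keeps a reused port from being mistaken for the
    old state."""
    states, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # column 0: a new state begins
            current = {"state": line.strip(), "pkts": (0, 0), "bytes": (0, 0)}
            continue
        if current is None:
            continue                          # detail line before any header
        m = COUNTER_RE.search(line)
        if m:
            a, b, c, d = (int(x) for x in m.groups())
            current["pkts"], current["bytes"] = (a, b), (c, d)
        m = ID_RE.search(line)
        if m:
            states[(m.group(1), m.group(2))] = current
    return states


def closed_states(before, after):
    """States present in `before` but absent from `after`, with the last
    counters seen for them. pf's counters are cumulative, so these are the
    totals the state reached before it expired or was killed."""
    old, new = parse_states(before), parse_states(after)
    return {key: st for key, st in old.items() if key not in new}


def format_record(key, st):
    """One text line per closed state, ready to append to a log file."""
    sid, cid = key
    return "id=%s creatorid=%s pkts=%d:%d bytes=%d:%d %s" % (
        sid, cid, st["pkts"][0], st["pkts"][1],
        st["bytes"][0], st["bytes"][1], st["state"])


def append_closed(before, after, path):
    """Append a record for every closed state to `path`; returns the count."""
    closed = closed_states(before, after)
    with open(path, "a") as fh:
        for key, st in closed.items():
            fh.write(format_record(key, st) + "\n")
    return len(closed)


if __name__ == "__main__":
    # In use, the two listings would come from successive `pfctl -vvss`
    # runs (subprocess); the constants above stand in for them here.
    for key, st in closed_states(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(format_record(key, st))
```

The limitation is the one that motivates the pfsync idea in the question: a state that is created and expires between two polls is never seen, and the recorded counters stop at the last poll, not at the moment of expiry. A short poll interval narrows the gap but does not close it, whereas a pfsync-style feed of state deletions would carry the final counters.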