From owner-freebsd-pf@FreeBSD.ORG Fri Nov 23 07:50:34 2012
From: Ian FREISLICH
To: Maxim Khitrov
Cc: "freebsd-pf@freebsd.org"
Subject: Re: Upgrading FreeBSD to use the NEW pf syntax.
Date: Fri, 23 Nov 2012 09:50:17 +0200
List-Id: "Technical discussion and general questions about packet filter (pf)"

> > Today it's a null op. So it voids the keyword which should be deprecated in
> > FreeBSD or should be reintroduced!
> > Also it may break people's assumptions on it.
>
> So I take it that "set state-policy if-bound" will no longer have any
> effect either? Is this expected to hit 10.0-RELEASE?
>
> It's definitely not ok to break this functionality. SMP changes are
> far less valuable than being able to filter each packet on ingress and
> egress.

Except that it does work (relevant config snippet):

FreeBSD firewall1.jnb1.gp-online.net 10.0-CURRENT FreeBSD 10.0-CURRENT #10 r242311: Mon Oct 29 16:31:29 SAST 2012     ianf@firewall1.jnb1.gp-online.net:/usr/obj/usr/src/sys/FIREWALL  amd64

--- /etc/pf.conf ---
...
# Options
# ~~~~~~~
set timeout { \
        adaptive.start 900000, \
        adaptive.end 1800000 \
}
set block-policy return
set state-policy if-bound
set optimization normal
set ruleset-optimization basic
set limit states 1500000
set limit frags 40000
set limit src-nodes 150000
...
# Servers
anchor vlan4 quick on vlan4
load anchor vlan4 from "/var/db/firewall/vlan4"
...
# L2TP tunnel termination
anchor vlan24 quick on vlan24
load anchor vlan24 from "/var/db/firewall/vlan24"
...
#EOF

--- /var/db/firewall/vlan4 ---
...
# Test
block out log proto tcp from 41.154.88.19 to 41.154.0.151 port { ssh }
pass in all
#EOF

--- /var/db/firewall/vlan24 ---
pass in all
pass out all
#EOF

[41.154.88.19] ~/graphing $ telnet 41.154.0.151 22
Trying 41.154.0.151...
telnet: connect to address 41.154.0.151: Operation timed out
telnet: Unable to connect to remote host

[firewall1.jnb1] ~ # tcpdump -envi pflog0 host 41.154.88.19 and host 41.154.0.151
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
09:31:41.323353 rule 3.vlan4.126/0(match): block out on vlan4: (tos 0x10, ttl 62, id 25475, offset 0, flags [DF], proto TCP (6), length 60)
    41.154.88.19.26211 > 41.154.0.151.22: Flags [S], cksum 0x1264 (correct), seq 3408095044, win 65535, options [mss 1410,nop,wscale 3,sackOK,TS val 3679262149 ecr 0], length 0

[firewall1.jnb1] ~ # pfctl -s sta |grep 41.154.88.19 |grep 41.154.0.151
vlan24     tcp 41.154.0.151:22 <- 41.154.88.19:26211       CLOSED:SYN_SENT

However, with the #Test rule commented out:

[41.154.88.19] ~/graphing $ telnet 41.154.0.151 22
Trying 41.154.0.151...
Connected to inbound01.jnb1.gp-online.net.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3p2 Debian-9etch2

[firewall1.jnb1] ~ # pfctl -s sta |grep 41.154.0.211 |grep 41.154.2.69
vlan24     tcp 41.154.0.151:22 <- 41.154.88.19:24898       ESTABLISHED:ESTABLISHED
vlan4      tcp 41.154.88.19:24898 -> 41.154.0.151:22       ESTABLISHED:ESTABLISHED

I think the only thing that's not working properly is "set block-policy return", but I'm not sure if that was working properly before. I had to modify the rule as follows to get a connection refused:

block return out log proto tcp from 41.154.88.19 to 41.154.0.151 port { ssh }

to get:

[41.154.88.19] ~/graphing $ telnet 41.154.0.151 22
Trying 41.154.0.151...
telnet: connect to address 41.154.0.151: Connection refused
telnet: Unable to connect to remote host

Ermal, do you have a test case that exposes the issue?

Ian

--
Ian Freislich
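As an added illustration of the behaviour shown in the thread (this is not Ian's ruleset), the same vlan24-to-vlan4 path written as a single pf.conf without anchors, annotated with what the state lookup does under each state policy. Interface names and addresses follow the thread; the rule wording is assumed.

```pf
# Added example, not the configuration from the mail: the vlan24 -> vlan4
# path as one pf.conf, with comments on how state-policy decides whether
# the egress block on vlan4 is ever consulted.

# With the default policy (floating) the per-interface block below would
# never fire: the state created by "pass in on vlan24" matches the same
# packet on any interface, so pf skips the ruleset when it leaves on vlan4.
# set state-policy floating

# Interface-bound states: a state created on vlan24 is only consulted for
# packets on vlan24. The forwarded SYN leaving on vlan4 finds no state there,
# the ruleset runs again, and "block out on vlan4" matches and is logged.
set state-policy if-bound
set block-policy return

# Ingress on vlan24 (L2TP termination side): creates the vlan24-bound state.
pass in on vlan24 all

# Egress on vlan4 (servers): evaluated on its own because of if-bound.
# Last matching rule wins, so the block is placed after the pass.
pass out on vlan4 all
block return out log on vlan4 proto tcp from 41.154.88.19 to 41.154.0.151 port ssh

# Replies: the SYN/ACK enters on vlan4 (matches the vlan4-bound state from
# "pass out on vlan4") and leaves on vlan24 (matches the vlan24-bound state).
# Under if-bound every interface a flow crosses needs its own state, which is
# why the second "pfctl -s states" listing in the mail shows two entries.
```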