From: "Vadym Chepkov" <vchepkov@gmail.com>
To: freebsd-pf@freebsd.org
Date: Sat, 14 Apr 2007 10:10:50 -0400
Subject: Scrub problem
Message-ID: <001f01c77e9e$b4d6ff70$050a0a0a@chepkov.lan>

Hi,

I finally figured out the issue, but now I honestly don't know what to do with it.

The problem is with fragmented UDP packets from the Amanda server. I have the scrub directive set:

# pfctl -sr | head -1
scrub in all fragment reassemble

These packets are getting out from the Amanda server:

08:27:13.259450 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 163: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 121
08:27:13.268607 00:30:48:5c:27:ad > 00:30:48:27:ea:80, ethertype IPv4 (0x0800), length 92: 192.168.160.2.amanda > 192.168.17.2.858: UDP, length 50
08:27:13.269355 00:30:48:5c:27:ad > 00:30:48:27:ea:80, ethertype IPv4 (0x0800), length 129: 192.168.160.2.amanda > 192.168.17.2.858: UDP, length 87
08:27:13.276096 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 92: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 50
08:27:13.277424 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 1514: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 1894
08:27:13.277434 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 456: 192.168.17.2 > 192.168.160.2: udp
08:27:23.529888 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 1514: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 1894
08:27:23.529895 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 456: 192.168.17.2 > 192.168.160.2: udp
08:27:33.527287 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 1514: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 1894
08:27:33.527293 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 456: 192.168.17.2 > 192.168.160.2: udp

pf silently (no log entries) drops the last packets, because they never reach the client:

08:27:13.259532 00:0e:0c:c3:42:b4 > 00:30:48:43:32:c8, ethertype IPv4 (0x0800), length 163: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 121
08:27:13.268356 00:30:48:43:32:c8 > 00:0e:0c:c3:42:b4, ethertype IPv4 (0x0800), length 92: 192.168.160.2.amanda > 192.168.17.2.858: UDP, length 50
08:27:13.269021 00:30:48:43:32:c8 > 00:0e:0c:c3:42:b4, ethertype IPv4 (0x0800), length 129: 192.168.160.2.amanda > 192.168.17.2.858: UDP, length 87
08:27:13.276140 00:0e:0c:c3:42:b4 > 00:30:48:43:32:c8, ethertype IPv4 (0x0800), length 92: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 50

I tried to add the no-df option to the scrub rule, but it didn't have any effect.

But I am 100% positive this is the issue, since when I turn off scrubbing and add the rule

pass in quick proto udp from $amanda_server fragment

everything works fine.

I am a little confused why the size of the first part of the fragment is 1514 bytes, since the MTU on the interface is 1500; could it have something to do with it?

I suspect this is happening with some other packets as well, since it's nothing to do with amanda per se, so any help is highly appreciated.

Thank you,
Vadym Chepkov

----- Original Message -----
From: "Douglas K. Rand"
To: "Vadym Chepkov"
Sent: Tuesday, April 03, 2007 2:57 PM
Subject: Re: packet filter and amanda

> Vadym> Hello everybody,
>
> Hello
>
> Vadym> I have a router with FreeBSD 6.2-RELEASE-p1 with a custom build kernel:
>
> Vadym> device pf      # PF OpenBSD packet-filter firewall
> Vadym> device pflog   # logging support interface for PF
>
> Vadym> I am using amanda to backup a client which is behind a router
> Vadym> with pf running: amanda server - FreeBSD pf - amanda client
>
> Vadym> I compiled amanda with tcp/udp port ranges but I can get that far.
>
> We use the knobs in /etc/make.conf to control which ports Amanda uses:
>
> AMANDA_PORTRANGE = 50001,50099
> AMANDA_UDPPORTRANGE = 801,899
>
> Please note that recent versions of Amanda were not correctly
> respecting the AMANDA_PORTRANGE knob. You need a ports tree that is
> post PR 110687.
>
> It was unclear to me if you are trying to backup your firewall or
> systems on the other side of your firewall. For backups of the actual
> firewall you need to allow traffic from your Amanda server from any
> arbitrary UDP port to port 10080 on your firewall. You also need to
> allow TCP connections from any port on your Amanda server to your
> firewall in the range defined by AMANDA_PORTRANGE. And lastly, your
> firewall needs to allow UDP traffic originating from port 10080 from
> itself heading back to the Amanda server destined for ports in
> AMANDA_UDPPORTRANGE.
>
> The reference on the Amanda FAQ is at
>
> http://amanda.sourceforge.net/cgi-bin/fom?_highlightWords=10080&file=139
>
> Snippets of our ruleset:
>
> int_amanda="{ 10.10.10.26/32, 67.134.74.26/32 }"
> amanda_tcp="50000:50100"
> amanda_udp="800:900"
> [...]
> pass in log quick inet proto tcp from $int_amanda to port $amanda_tcp flags S/SARF keep state (no-sync)
> pass in log quick inet proto udp from $int_amanda to $int port amanda keep state (no-sync)
> [...]
> pass out log quick on $int inet proto udp from $int to $int_amanda port $amanda_udp keep state (no-sync)
> [...]
> pass log quick inet proto udp from port = amanda to $int_amanda port $amanda_udp
>
>
> And on a DMZ host we have:
>
> amanda="67.134.74.26"
> amandatcpports="50000:50100"
> amandaudpports="800:900"
> [...]
> pass in log quick inet proto tcp from $amanda to $lan port $amandatcpports flags S/SARF keep state
> pass in log quick inet proto udp from $amanda to $lan port amanda keep state
> [...]
> pass out log quick inet proto udp from $lan port amanda to $amanda port $amandaudpports keep state
>
> Hope this helps.
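The 1514-byte frame in the capture above is not larger than the 1500-byte MTU: tcpdump reports the Ethernet frame length, and the 14-byte Ethernet header is not counted in the interface MTU, so a full-size IP datagram of 1500 bytes shows up as a 1514-byte frame. The following script is an added example, not part of the mailing-list thread or of pf or Amanda. It parses tcpdump lines of the form posted above (a constructed copy of four of them is embedded), spots UDP datagrams whose advertised UDP payload cannot fit in the frame that carried them, and checks the observed fragment frame sizes against what RFC 791 fragmentation at the given MTU predicts. It assumes a 20-byte IPv4 header (no options) and that the fragments of one datagram appear consecutively in the capture, as they do in the post.

```python
import re

ETH_HDR = 14   # Ethernet header: shown by tcpdump, not counted in the MTU
IP_HDR = 20    # IPv4 header without options (assumption)
UDP_HDR = 8

# Constructed sample: four lines copied from the capture in the post.
CAPTURE = """\
08:27:13.259450 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 163: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 121
08:27:13.268607 00:30:48:5c:27:ad > 00:30:48:27:ea:80, ethertype IPv4 (0x0800), length 92: 192.168.160.2.amanda > 192.168.17.2.858: UDP, length 50
08:27:13.277424 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 1514: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 1894
08:27:13.277434 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 456: 192.168.17.2 > 192.168.160.2: udp
"""

# First (or only) fragment: tcpdump sees the UDP header and prints ports and payload length.
FIRST_RE = re.compile(r"^(\S+) .*?, length (\d+): (\S+) > (\S+): UDP, length (\d+)$")
# Later fragments carry no UDP header, so tcpdump prints only the IP endpoints and "udp".
CONT_RE = re.compile(r"^(\S+) .*?, length (\d+): (\S+) > (\S+): udp$")


def fragment_lengths(udp_payload_len, mtu=1500):
    """Fragment an IPv4/UDP datagram at `mtu` as RFC 791 prescribes.

    Returns one dict per fragment with the IP total length, the Ethernet
    frame length tcpdump would report, the fragment offset in 8-byte units
    and the more-fragments flag. Each non-final fragment carries a multiple
    of 8 payload bytes, so a 1500 MTU yields 1480 bytes per fragment.
    """
    ip_payload = UDP_HDR + udp_payload_len
    per_frag = (mtu - IP_HDR) // 8 * 8
    frags, offset = [], 0
    while offset < ip_payload:
        chunk = min(per_frag, ip_payload - offset)
        frags.append({
            "ip_len": IP_HDR + chunk,
            "frame_len": ETH_HDR + IP_HDR + chunk,
            "offset": offset // 8,
            "mf": offset + chunk < ip_payload,
        })
        offset += chunk
    return frags


def parse_line(line):
    """Turn one tcpdump line into a dict, or None if it is not UDP."""
    m = FIRST_RE.match(line)
    if m:
        ts, frame, src, dst, ulen = m.groups()
        return {"ts": ts, "frame_len": int(frame), "src": src, "dst": dst,
                "udp_len": int(ulen), "first": True}
    m = CONT_RE.match(line)
    if m:
        ts, frame, src, dst = m.groups()
        return {"ts": ts, "frame_len": int(frame), "src": src, "dst": dst,
                "udp_len": None, "first": False}
    return None


def find_fragmented(capture, mtu=1500):
    """List every fragmented UDP datagram in the capture.

    A datagram is fragmented when header sizes plus the advertised UDP
    payload exceed the frame that carried the first fragment. The observed
    frame sizes of the following port-less fragments are compared with the
    sizes fragmentation at `mtu` predicts; `complete` is True when the
    capture holds exactly the expected fragments.
    """
    pkts = [p for p in (parse_line(ln) for ln in capture.splitlines()) if p]
    results, i = [], 0
    while i < len(pkts):
        p = pkts[i]
        if p["first"] and ETH_HDR + IP_HDR + UDP_HDR + p["udp_len"] > p["frame_len"]:
            observed, j = [p["frame_len"]], i + 1
            while j < len(pkts) and not pkts[j]["first"]:
                observed.append(pkts[j]["frame_len"])
                j += 1
            expected = [f["frame_len"] for f in fragment_lengths(p["udp_len"], mtu)]
            results.append({"ts": p["ts"], "src": p["src"], "dst": p["dst"],
                            "udp_len": p["udp_len"], "observed": observed,
                            "expected": expected, "complete": observed == expected})
            i = j
            continue
        i += 1
    return results


if __name__ == "__main__":
    for r in find_fragmented(CAPTURE):
        print(f"{r['ts']} {r['src']} > {r['dst']}: UDP payload {r['udp_len']} "
              f"observed frames {r['observed']} expected {r['expected']} "
              f"complete={r['complete']}")
```

Run against the posted capture, the 1894-byte UDP payload (1902 bytes with the UDP header, 1922 as an IP datagram) is reported as two fragments of 1500 and 442 IP bytes, i.e. 1514- and 456-byte frames, which is exactly what the server-side tcpdump shows. The same check run on a capture from the far side of the firewall would report the datagram as incomplete, which is the quickest way to confirm that a reassembling scrub rule, rather than the sender, is where fragments go missing.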