From owner-freebsd-pf@FreeBSD.ORG Wed Sep 17 16:30:05 2008 Return-Path: Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3E9C51065674 for ; Wed, 17 Sep 2008 16:30:05 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 26DAF8FC23 for ; Wed, 17 Sep 2008 16:30:05 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m8HGU5aK093940 for ; Wed, 17 Sep 2008 16:30:05 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m8HGU4sS093937; Wed, 17 Sep 2008 16:30:04 GMT (envelope-from gnats) Date: Wed, 17 Sep 2008 16:30:04 GMT Message-Id: <200809171630.m8HGU4sS093937@freefall.freebsd.org> To: freebsd-pf@FreeBSD.org From: Geoffrey Mainland Cc: Subject: Re: kern/127439: deadlock in pf X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Geoffrey Mainland List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2008 16:30:05 -0000 The following reply was made to PR kern/127439; it has been noted by GNATS. From: Geoffrey Mainland To: Christian Peron Cc: FreeBSD-gnats-submit@freebsd.org Subject: Re: kern/127439: deadlock in pf Date: Wed, 17 Sep 2008 12:21:15 -0400 Sure, attached below. 
#
# Interfaces. fxp0 faces the Internet; em0, vr0 and tun0 are the wired LAN,
# the wireless LAN and the OpenVPN tunnel. Every rule below refers to the
# interface macro, so changing hardware only means editing this block.
#
ext_if = "fxp0"
int_if = "em0"
wifi_if = "vr0"
vpn_if = "tun0"
#
# Address groups. The "rfc1918" list is wider than its name: it also carries
# the loopback net so that 127/8 sources are refused on $ext_if along with
# the private ranges. (Link-local 169.254/16 is not in the list — consider
# adding it; it is just as illegitimate on the external interface.)
#
rfc1918_nets = "{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
# Host bits are set in this /24; pf applies the mask, so it behaves as
# 68.164.219.0/24, which is presumably what was meant. No rule in this file
# references $ext_net.
ext_net = "{ 68.164.219.97/24 }"
int_net = "{ 192.168.0.0/24 }"
wifi_net = "{ 192.168.1.0/24 }"
vpn_net = "{ 192.168.2.0/24 }"
#
# Public addresses. The ext_* / int_* pairs are tied together by the binat
# rules in the Translation section. Note that ext_anaximander and
# ext_laplace are the SAME address (.100): the laplace binat/rdr rules are
# commented out, so there is no live conflict today, but whichever is
# re-enabled first will collide with the other — confirm which host really
# owns .100 before uncommenting.
#
ext_zeno = 68.164.219.98
ext_hamilton = 68.164.219.99
ext_anaximander = 68.164.219.100
ext_laplace = 68.164.219.100
ext_hilbert = 68.164.219.101
# Address that all plain NAT (LAN, wifi, VPN) is hidden behind.
ext_nat = $ext_zeno
#
# Internal addresses of the same hosts.
#
int_zeno = 192.168.0.10
int_hamilton = 192.168.0.11
int_anaximander = 192.168.0.12
int_laplace = 192.168.0.13
int_hilbert = 192.168.0.16
int_vince = $int_anaximander
wifi_gateway = 192.168.1.1
wifi_laplace = 192.168.1.13
# Only echo requests are let in by the ICMP rule; replies ride on the state.
icmp_types = "echoreq"
# Supposedly 384Kb up, 1.5Mb down. We set the bandwidth to 300Kbps to get the
# best performance out of the TCP ACK queue. (Only used by the altq block,
# which is currently commented out.)
upstream = 300Kb
downstream = 1.5Mb
#
# Common ports
#
ssh_ports = "{ ssh }"
http_ports = "{ http, https }"
vpn_ports = "{ 1194 }"
# Exposed on $ext_if to any source by the MySQL rule below — see the note
# there before leaving this enabled.
mysqld_ports = "{ 3306 }"
# AIM: 5190
# MSN: 1863, 6891-6900 for file transfers
# Yahoo: 5050, webcam 5100
# Jabber: 5222, 5269
aim_ports = "{ 5190 }"
yahoo_ports = "{ 5050, 5100 }"
msn_ports = "{ 1863 }"
emule_tcp_ports = "{ 4662 }"
emule_udp_ports = "{ 4662, 4665, 4672 }"
# 3724 and 6112 do not look like BitTorrent ports (6112 also sits inside
# $battlenet_ports); they were probably added for a game and left here —
# verify before relying on this macro's name.
bittorrent_ports = "{ 3724, 6112, 6881:6999, 46300:46400}"
realplayer_ports = "{ 7070 }"
battlenet_ports = "{ 6112:6119 }"
nwn_ports = "{ 1070:3000, 5120:5300, 6500, 27900, 28900 }"
gamespy_ports = "{ 6667, 3783, 27900, 28900, 29900, 29901, 13139, 6515, 6500, 6501 }"
directx_ports = "{ 47624, 6073, 2300:2400 }"
ts_tcp_ports = "{ 14534, 51234 }"
ts_udp_ports = "{ 8767:8768 }"
################################################################################
# Options                                                                      #
################################################################################
# "return" answers every blocked TCP packet with a RST and every blocked UDP
# packet with an ICMP unreachable — on ALL interfaces, including $ext_if.
# That is friendly to LAN clients but tells an Internet scanner that a host
# is alive behind each blocked port. The usual hardening is
# "set block-policy drop" globally and "block return" only on the internal
# interfaces where quick failures matter.
set block-policy return
# Per-interface counters for "pfctl -s info" are kept for the external side.
set loginterface $ext_if
################################################################################
# Normalization                                                                #
################################################################################
# Reassemble fragments and normalize every inbound packet before it reaches
# the filter, on all interfaces.
scrub in all
################################################################################
#                                                                              #
# Queueing                                                                     #
#                                                                              #
################################################################################
# The whole altq block is disabled. The "#queue ..." continuation lines on the
# filter rules below are inert while this stays commented; re-enabling any of
# them without these definitions makes pfctl reject the ruleset.
#altq on $ext_if priq bandwidth $upstream queue \
#	{ std_out, im_out, ssh_out, dns_out, tcp_ack_out }
#queue std_out priq(default)
#queue im_out priority 4 priq(red)
#queue ssh_out priority 5 priq(red)
#queue dns_out priority 6
#queue tcp_ack_out priority 7
#altq on $int_if cbq bandwidth 100% queue \
#	{ all_in }
#queue all_in bandwidth 100% { int_in, ext_in }
#	queue int_in bandwidth 8Mb cbq(default)
#	queue ext_in bandwidth $downstream {std_in, im_in, ssh_in, dns_in, vince_in }
#		queue std_in bandwidth 500Kb cbq(borrow)
#		queue im_in bandwidth 100Kb priority 4
#		queue ssh_in bandwidth 100Kb priority 5
#		queue dns_in bandwidth 100Kb priority 6
#		queue vince_in bandwidth 100Kb cbq(borrow)
################################################################################
# Translation                                                                  #
################################################################################
# Translation happens before filtering: inbound packets are matched by the
# filter rules against their translated (internal) destination, which is why
# the "pass in on $ext_if ... to $int_net" rules below work at all.
#
# cantor
# "rdr pass" translates AND passes the packet without evaluating the filter
# ruleset: the default "block log all", the RFC 1918 and antispoof checks and
# the logging in the Filtering section never see this traffic. Prefer a plain
# "rdr" here plus an explicit "pass in on $ext_if inet proto tcp ... to
# 192.168.0.39 port 47000:48000" rule so it is filtered and logged like
# everything else. The target is also the only bare address in the file —
# give it an int_cantor macro like the other hosts. The "47000:*" form maps
# the 47000:48000 range one-to-one onto ports starting at 47000.
rdr pass on $ext_if proto tcp from any to $ext_zeno port 47000:48000 -> 192.168.0.39 port 47000:*
# hamilton
# For each public host: the rdr lets LAN clients reach the host by its
# public address (hairpin), the binat gives the host a 1:1 mapping to its own
# public address in both directions. NOTE(review): the hairpin rdr rewrites
# only the destination, so the reply from the internal host goes straight
# back to the LAN client without passing the firewall; if that path does not
# work in practice, a matching "nat on $int_if" for that traffic is the
# usual fix — confirm.
rdr on $int_if proto tcp from any to $ext_hamilton -> $int_hamilton
binat on $ext_if from $int_hamilton to any -> $ext_hamilton
# anaximander
rdr on $int_if proto tcp from any to $ext_anaximander -> $int_anaximander
binat on $ext_if from $int_anaximander to any -> $ext_anaximander
# laplace
# Disabled; note that $ext_laplace currently equals $ext_anaximander.
#rdr on $int_if proto tcp from any to $ext_laplace -> $int_laplace
#binat on $ext_if from $int_laplace to any -> $ext_laplace
# hilbert
rdr on $int_if proto tcp from any to $ext_hilbert -> $int_hilbert
binat on $ext_if from $int_hilbert to any -> $ext_hilbert
# Everything else leaving on $ext_if is hidden behind $ext_nat. The binat
# hosts above keep their own public addresses because pf consults binat
# ahead of nat on the outbound path. "$int_if:network" is resolved from the
# interface address when the ruleset is loaded.
nat on $ext_if from $int_if:network -> $ext_nat
nat on $ext_if from $vpn_net -> $ext_nat
# wifi
nat on $ext_if from $wifi_if:network -> $ext_nat
# NAT and FTP
# The ftp-proxy redirect is disabled, so outbound FTP from the LAN is not
# proxied. (Inbound ftp-proxy listeners are still admitted by the
# "user proxy" filter rule below.)
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
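################################################################################
# Filtering                                                                    #
################################################################################
# pf evaluates filter rules top to bottom and the LAST matching rule wins,
# except for rules marked "quick", which end evaluation immediately. Read
# this section with that in mind: the blocks at the top are defaults, the
# "pass" rules further down punch holes in them.
#
# Several pass rules end in a backslash followed by a "#queue ..." line.
# pfctl joins the continuation and the "#" then starts a comment, so those
# queue assignments are inert while the altq block in the Queueing section
# is commented out. Uncommenting a "queue" without the altq definitions
# makes the ruleset fail to load.
#
# Block by default
#
# SMB/NetBIOS noise is dropped in both directions on the external interface
# without logging (unlike the default block below), presumably to keep the
# log readable.
block quick on $ext_if proto {udp, tcp} from any to any \
	port { 135, 139, 445 }
# Default deny, logged, on every interface and in both directions.
block log all
#
# Blacklist
#
#block quick from 194.139.33.69 to any
#
# Whitelist
#
whitelist = "{ 140.247.60.67 }"
# CAUTION: these two rules carry no interface and no direction, so any packet
# claiming this source address is passed on every interface, inbound and
# outbound, to every port on the firewall and on every NATed/binat host —
# and, being "quick", ahead of the RFC 1918 and antispoof checks below. The
# trust rests entirely on an unauthenticated source address. If the
# whitelist is kept, bind it to the path it is meant for, e.g.
# "pass in quick on $ext_if inet proto tcp from $whitelist to ($ext_if)
# port $ssh_ports", rather than "to any".
pass quick inet proto tcp from $whitelist to any \
	flags S/SA keep state
pass quick inet proto udp from $whitelist to any \
	keep state
#
# Allow anything on the loopback interface
#
# Must precede the antispoof rules: "antispoof for lo0" also blocks packets
# from the loopback address, and local traffic would otherwise be lost.
pass quick on lo0 all
#
# RFC 1918 addresses should not be seen on the external interface
#
block drop in quick on $ext_if from $rfc1918_nets to any
block drop out quick on $ext_if from any to $rfc1918_nets
#
# Protect against spoofing
#
# Each antispoof expands to block rules rejecting packets that carry an
# interface's own network as source but arrive on a different interface.
# They are marked "quick" so a later interface-less pass rule (the ICMP
# rule below is one) cannot override them — without "quick", a spoofed
# echo request with a LAN source arriving on the wifi or VPN interface
# would be blocked here and then passed by the last-match ICMP rule.
antispoof quick for lo0
antispoof quick for $ext_if
antispoof quick for $int_if
antispoof quick for $wifi_if
antispoof quick for $vpn_if
#
# Ports we open for zeno
#
# "($ext_if)" in parentheses means the interface's current address, looked
# up at match time rather than at load time.
#
# Mail and news
# "auth" (ident, 113) is listed here and again in the dedicated rule below;
# the second rule is redundant.
pass in on $ext_if inet proto tcp from any to ($ext_if) \
	port { smtp, smtps, submission, imaps, nntps, auth } \
	flags S/SA keep state \
	#queue std_in
# auth
pass in on $ext_if inet proto tcp from any to ($ext_if) \
	port { auth } \
	flags S/SA keep state \
	#queue std_in
# HTTP
pass in on $ext_if inet proto tcp from any to ($ext_if) \
	port $http_ports \
	flags S/SA keep state \
	#queue std_in
# VPN
pass in on $ext_if inet proto tcp from any to ($ext_if) \
	port $vpn_ports \
	flags S/SA keep state \
	#queue std_in
pass in on $ext_if inet proto udp from any to ($ext_if) \
	port $vpn_ports \
	keep state \
	#queue std_in
# SSH
pass in on $ext_if inet proto tcp from any to ($ext_if) \
	port $ssh_ports \
	flags S/SA keep state \
	#queue std_in
# FTP
# "flags S/SA" is stated explicitly, as on every other TCP rule in this
# file, so state is only created by an initial SYN and not by a stray ACK;
# this matters on pf versions where S/SA is not yet the default.
pass in on $ext_if proto tcp from any to ($ext_if) \
	port ftp flags S/SA keep state \
	#queue std_in
# CAUTION: this opens EVERY TCP port above 49151 on the firewall itself to
# the whole Internet — anything that happens to listen on an ephemeral port
# (RPC services, a debugging listener, a misconfigured daemon) is reachable.
# If the purpose is ftpd's passive data ports, narrow "port > 49151" to the
# passive range ftpd is configured for; ftp-proxy's own listeners are already
# admitted by the "user proxy" rule further down, which needs no port range.
pass in on $ext_if proto tcp from any to ($ext_if) \
	port > 49151 flags S/SA keep state \
	#queue std_in
# TeamSpeak
pass in on $ext_if inet proto tcp from any to ($ext_if) \
	port $ts_tcp_ports \
	flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) \
	port $ts_udp_ports \
	keep state
# DNS
# "modulate state" only affects TCP (it randomizes the ISN); for the UDP half
# of this rule it behaves like "keep state".
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port domain \
	modulate state \
	#queue dns_out
#
# Ports we open up for everyone
#
# These "to $int_net" rules match after translation, so from the Internet
# they reach only hosts that have a binat mapping in the Translation
# section (hamilton, anaximander, hilbert).
#
# ssh
# Admits SSH to every binat host from any source on the Internet; if only
# specific peers need it, restrict "from any" to them or route SSH over the
# VPN instead.
pass in on $ext_if inet proto tcp from any to $int_net \
	port $ssh_ports \
	flags S/SA keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any \
	port $ssh_ports \
	flags S/SA modulate state \
	#queue(std_out, ssh_out)
# FTP
# "user proxy" matches inbound connections whose local listening socket is
# owned by user "proxy" — presumably ftp-proxy's passive-mode listeners
# (its rdr in the Translation section is currently commented out).
# NOTE(review): confirm that is still the intent; it admits any port that
# user happens to listen on.
pass in on $ext_if inet proto tcp from any to $ext_nat \
	user proxy flags S/SA modulate state
# AIM
pass in on $ext_if inet proto tcp from any to $int_net \
	port $aim_ports \
	flags S/SA keep state
pass in on $ext_if inet proto udp from any to $int_net \
	port $aim_ports \
	keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any \
	port $aim_ports \
	flags S/SA keep state \
	#queue(im_out, tcp_ack_out)
pass out on $ext_if inet proto udp from ($ext_if) to any \
	port $aim_ports \
	modulate state \
	#queue(im_out)
# Yahoo
pass in on $ext_if inet proto tcp from any to $int_net \
	port $yahoo_ports \
	flags S/SA keep state
pass in on $ext_if inet proto udp from any to $int_net \
	port $yahoo_ports \
	keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any \
	port $yahoo_ports \
	flags S/SA modulate state \
	#queue(im_out, tcp_ack_out)
# emule
pass in on $ext_if inet proto tcp from any to $int_net \
	port $emule_tcp_ports \
	flags S/SA keep state
pass in on $ext_if inet proto udp from any to $int_net \
	port $emule_udp_ports \
	modulate state
# BitTorrent
pass in on $ext_if inet proto tcp from any to $int_net \
	port $bittorrent_ports \
	flags S/SA keep state
pass in on $ext_if inet proto udp from any to $int_net \
	port $bittorrent_ports \
	keep state
# Realplayer
pass in on $ext_if inet proto udp from any to $int_net \
	port $realplayer_ports \
	keep state
# Battlenet
pass in on $ext_if inet proto tcp from any to $int_net \
	port $battlenet_ports \
	flags S/SA keep state
# Neverwinter Nights
#pass in on $ext_if inet proto udp from any to $int_net \
#	port $nwn_ports \
#	keep state
# Gamespy Arcade
#pass in on $ext_if inet proto tcp from any to $int_net \
#	port $gamespy_ports \
#	flags S/SA keep state
# DirectX Gaming
#pass in on $ext_if inet proto tcp from any to $int_net \
#	port $directx_ports \
#	flags S/SA keep state
# MySQL
# CAUTION: MySQL (3306) on the firewall is reachable from ANY Internet
# source. Unless remote clients genuinely need it, restrict "from any" to
# $whitelist or $vpn_net, or drop this rule and reach the server over the
# VPN; MySQL's own authentication is the only thing between the Internet and
# the database here.
pass in on $ext_if inet proto tcp from any to ($ext_if) \
	port $mysqld_ports flags S/SA keep state
#
# ICMP
#
# No interface or source restriction: echo requests are accepted everywhere.
# The quick antispoof rules above keep spoofed internal sources away from
# this rule.
pass in inet proto icmp all icmp-type $icmp_types keep state
#
# Allow traffic to flow freely between firewall and internal network
#
# LAN hosts may reach anything, including every service on the firewall.
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network modulate state
#pass out on $int_if from any to $int_vince modulate state \
#	#queue(vince_in)
#
# Allow traffic to flow freely between firewall and wifi network
#
# The wireless segment gets the same unrestricted access as the wired LAN.
pass in on $wifi_if from $wifi_if:network to any keep state
pass out on $wifi_if from any to $wifi_if:network modulate state
#pass in on $wifi_if inet proto udp from $wifi_if:network \
#	to {$ext_zeno, $wifi_gateway} port 1194 \
#	keep state
#pass out on $wifi_if inet proto udp from {$ext_zeno, $wifi_gateway} port 1194 \
#	to $wifi_if:network \
#	modulate state
#
# Allow traffic to flow freely between firewall and vpn network
#
pass in on $vpn_if from $vpn_net to any keep state
pass out on $vpn_if from any to $vpn_net modulate state
#
# Allow all outgoing traffic from the firewall to the external network
#
# No address family is given, so these cover IPv4 and native IPv6 alike.
pass out on $ext_if proto tcp all flags S/SA modulate state \
	#queue(std_out, tcp_ack_out)
pass out on $ext_if proto { udp, icmp } all keep state
#
# IPv6
#
# NOTE: "proto ipv6" is IP protocol 41 — IPv6 encapsulated in IPv4, as used
# by a 6in4 tunnel — not the IPv6 address family. Native IPv6 TCP/UDP is
# already matched by the family-less "pass out on $ext_if" rules above, and
# inbound native IPv6 falls under "block log all". Use "inet6" if the intent
# is to filter native IPv6 traffic. "proto ipv6-icmp" (58) does match
# ICMPv6 as written.
pass out quick proto ipv6 from any to any keep state
pass out quick proto ipv6-icmp from any to any keep state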