From bugmaster at FreeBSD.org Mon Dec 1 03:07:00 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Dec 1 03:08:47 2008
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200812011106.mB1B6xtI052633@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/129060  pf         [pf] [tun] pf doesn't forget the old tun IP
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf         [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf         [pf] deadlock in pf
o kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/82271   pf         [pf] cbq scheduler cause bad latency

25 problems total.

From stas at FreeBSD.org Mon Dec 1 14:53:12 2008
From: stas at FreeBSD.org (Stanislav Sedov)
Date: Mon Dec 1 14:53:23 2008
Subject: PF + ALTQ - Bandwidth per customer
In-Reply-To: <425805.11833.qm@web38505.mail.mud.yahoo.com>
References: <692660060811290748i33059137g3977e51f692d8340@mail.gmail.com>
	<425805.11833.qm@web38505.mail.mud.yahoo.com>
Message-ID: <20081202012350.5f2415f3.stas@FreeBSD.org>

On Sat, 29 Nov 2008 08:26:57 -0800 (PST)
David Roseman mentioned:

> It also has a traffic monitor that is indispensable in tracking down
> DOS attacks, worms and out of control servers. I'd pay $500. just for the
> monitor. I have a problem, I fire up the monitor and bingo, I find the
> problem. I think you can buy the lowest priced license and still use the
> monitor and gather statistics no matter how large your network is.
>

How does this traffic monitor differ from tcpdump? From pictures it looks
like just a web-interface for tcpdump and nothing more...

--
Stanislav Sedov
ST4096-RIPE

From sfourman at gmail.com Mon Dec 1 15:35:49 2008
From: sfourman at gmail.com (Sam Fourman Jr.)
Date: Mon Dec 1 15:35:55 2008
Subject: PF + ALTQ - Bandwidth per customer
In-Reply-To: <705757.42117.qm@web38504.mail.mud.yahoo.com>
References: <20081124180411.0b065be5@wolwerine>
	<705757.42117.qm@web38504.mail.mud.yahoo.com>
Message-ID: <11167f520812011508u46b04e7dmb1d5d22675dc778d@mail.gmail.com>

> You should consider a commercial product rather than relying on
> old and somewhat unreliable technology.
> We've been able to squeeze a
> lot more customers onto our network for a $3500. investment. It paid for
> itself in 2 months. We have a dual-core 2.33Ghz system passing 95Mb/s
> with 12000 rules in place and it runs at about 10%. The latest version is
> truly amazing.

So I would like to hear some ideas on how we could use FreeBSD or any other BSD
to limit bandwidth per customer (say one customer (with root access) per server).

I attended BSDCan 2008 in Canada this May, and I asked a few of the pfSense
developers this exact question; it was met with limited feedback.

I guess what I would like to know is: what is the limitation of what we can
achieve with FreeBSD? Would it be appropriate, given the topic, to cross-post
this to misc@openbsd.org?

Sam Fourman Jr.
Fourman Networks

From sullrich at gmail.com Mon Dec 1 16:22:52 2008
From: sullrich at gmail.com (Scott Ullrich)
Date: Mon Dec 1 16:22:58 2008
Subject: PF + ALTQ - Bandwidth per customer
In-Reply-To: <11167f520812011508u46b04e7dmb1d5d22675dc778d@mail.gmail.com>
References: <20081124180411.0b065be5@wolwerine>
	<705757.42117.qm@web38504.mail.mud.yahoo.com>
	<11167f520812011508u46b04e7dmb1d5d22675dc778d@mail.gmail.com>
Message-ID:

On Mon, Dec 1, 2008 at 6:08 PM, Sam Fourman Jr. wrote:
>> You should consider a commercial product rather than relying on
>> old and somewhat unreliable technology. We've been able to squeeze a
>> lot more customers onto our network for a $3500. investment. It paid for
>> itself in 2 months. We have a dual-core 2.33Ghz system passing 95Mb/s
>> with 12000 rules in place and it runs at about 10%. The latest version is
>> truly amazing.
>
> So I would like to hear some ideas on how we could use FreeBSD or any other BSD
> to limit bandwidth per customer (say one customer (with root access)
> per server)
>
> I attended BSDCan 2008 in Canada this May, and I asked a few of the
> pfSense developers this exact question
> it was met with limited feedback.

There was not much to report at that point.
However, pfSense 2.0 has per user bandwidth ported from DragonFlyBSD. If you
would like to test the patch, it is located here:

http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/tools/patches/RELENG_7_1/fairq.RELENG_7.diff?rev=1.3;content-type=text%2Fplain

Scott

From peterjeremy at optushome.com.au Mon Dec 1 23:56:38 2008
From: peterjeremy at optushome.com.au (Peter Jeremy)
Date: Mon Dec 1 23:56:46 2008
Subject: PF + ALTQ - Bandwidth per customer
In-Reply-To: <11167f520812011508u46b04e7dmb1d5d22675dc778d@mail.gmail.com>
References: <20081124180411.0b065be5@wolwerine>
	<705757.42117.qm@web38504.mail.mud.yahoo.com>
	<11167f520812011508u46b04e7dmb1d5d22675dc778d@mail.gmail.com>
Message-ID: <20081202075634.GT51761@server.vk2pj.dyndns.org>

On 2008-Dec-01 17:08:40 -0600, "Sam Fourman Jr." wrote:
>So I would like to hear some ideas on how we could use FreeBSD or any other BSD
>to limit bandwidth per customer( say one customer (with root access)
>per server )

That description sounds like it simplifies to "limit bandwidth based on
IP address" - which is fairly trivial for ipfw+dummynet or pf+altq.

ipfw+dummynet can also filter on uid/gid but I believe there are some
race conditions in that code

--
Peter Jeremy
Please excuse any delays as the result of my ISP's inability
to implement an MTA that is either RFC2821-compliant or matches
their claimed behaviour.
From antik at bsd.ee Tue Dec 2 01:12:33 2008
From: antik at bsd.ee (Andrei Kolu)
Date: Tue Dec 2 01:12:40 2008
Subject: PF + ALTQ - Bandwidth per customer
In-Reply-To: <20081202075634.GT51761@server.vk2pj.dyndns.org>
References: <20081124180411.0b065be5@wolwerine>
	<705757.42117.qm@web38504.mail.mud.yahoo.com>
	<11167f520812011508u46b04e7dmb1d5d22675dc778d@mail.gmail.com>
	<20081202075634.GT51761@server.vk2pj.dyndns.org>
Message-ID: <4934F4F3.1030808@bsd.ee>

Peter Jeremy wrote:
> On 2008-Dec-01 17:08:40 -0600, "Sam Fourman Jr." wrote:
>
>> So I would like to hear some ideas on how we could use FreeBSD or any other BSD
>> to limit bandwidth per customer( say one customer (with root access)
>> per server )
>>
>
> That description sounds like it simplifies to "limit bandwidth based on
> IP address" - which is fairly trivial for ipfw+dummynet or pf+altq.
>
>

ipfw+dummynet is a really ugly traffic "shaper" (let's face it, there is no
shaping going on), because instead of limiting bandwidth it will drop packets
to simulate a bad connection. I have heard for many years about "trivial"
per-user bandwidth limit configuration with pf+altq but never saw ANY code...
You can't set a bandwidth limit with PF like 3Mbit per 100 clients if your LAN
card is 100Mbit. This is just lame - in reality clients never use all bandwidth
and never are all clients connected all the time. Even Linux ipfilter has done
it for years with an insanely cryptic command line, but it just works.
> ipfw+dummynet can also filter on uid/gid but I believe there are some
> race conditions in that code
>
>

From peterjeremy at optushome.com.au Tue Dec 2 01:22:14 2008
From: peterjeremy at optushome.com.au (Peter Jeremy)
Date: Tue Dec 2 01:22:21 2008
Subject: PF + ALTQ - Bandwidth per customer
In-Reply-To: <4934F4F3.1030808@bsd.ee>
References: <20081124180411.0b065be5@wolwerine>
	<705757.42117.qm@web38504.mail.mud.yahoo.com>
	<11167f520812011508u46b04e7dmb1d5d22675dc778d@mail.gmail.com>
	<20081202075634.GT51761@server.vk2pj.dyndns.org>
	<4934F4F3.1030808@bsd.ee>
Message-ID: <20081202092204.GU51761@server.vk2pj.dyndns.org>

On 2008-Dec-02 10:42:27 +0200, Andrei Kolu wrote:
>> That description sounds like it simplifies to "limit bandwidth based on
>> IP address" - which is fairly trivial for ipfw+dummynet or pf+altq.
>>
>ipfw+dummynet is really ugly traffic "shaper" (let's face it there is no
>shaping going on), because instead of limiting bandwidth it will drop
>packets to simulate bad connection.

I've been using ipfw+dummynet for traffic shaping for 7 or 8 years
without problems (and have recently moved to pf+dummynet). I don't
understand your comment about limiting bandwidth: An incoming packet
is put on a queue that is emptied at no more than the (simulated)
available outbound bandwidth. If the queue is full then incoming
packets will be dropped. This is the same behaviour as any other
router (or switch).

What do you want/expect?

> I hear many years about "trivial"
>configuration per user bandwidth limit with pf+altq but never saw ANY
>code...

Note that I never mentioned per-user bandwidth with pf+altq - though
it looks possible. There are some trivial traffic-shaping examples in
pf.conf(5) but I will admit that I've never tried to actually use altq
- I use dummynet because I need functionality that isn't present in
altq.
--
Peter Jeremy
Please excuse any delays as the result of my ISP's inability
to implement an MTA that is either RFC2821-compliant or matches
their claimed behaviour.

From alexander.shevchenko at itv.ru Tue Dec 2 02:30:26 2008
From: alexander.shevchenko at itv.ru (Alexander Shevchenko)
Date: Tue Dec 2 02:30:57 2008
Subject: PF + ALTQ - Bandwidth per customer
Message-ID: <76463C1E8CB14B958088F7E54C611560@ashevchenko>

Using ipfw+dummynet you could easily limit bandwidth per IP:

$IPFW pipe 4 config bw 50KByte/s mask dst-ip 0x000003ff
$IPFW pipe 7 config bw 50KByte/s mask src-ip 0x000003ff
$IPFW add pipe 4 ip from any to 172.16.16.0/22 via fxp0 in
$IPFW add pipe 7 ip from 172.16.16.0/22 to any via fxp0 out

Using pf+altq you could easily limit bandwidth for all clients:

altq on $int_if cbq bandwidth 1000Mb queue { powernet_local, powernet_inet }
queue powernet_local bandwidth 95% cbq(default)
queue powernet_inet bandwidth 40Mb

pass out on $int_if from to queue powernet_local
pass out on $int_if from ! to queue powernet_inet

But you could not limit bandwidth per IP using PF.

Ryan McBride wrote in bit.listserv.openbsd-pf
(http://groups.google.com/group/bit.listserv.openbsd-pf/msg/512d1eba9683cea6?hl=ru&dmode=source):

> P.S. By the way, no chance to shaping like ipfw(dummynet), by getting
> mask for all ip addresses? It's the last reason to stay with ipfw:

No, there is nothing like this in PF right now. It's on my list of
things to look at, but that list grows faster than I can get things
done...
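The pipe behaviour Peter Jeremy describes above (a queue emptied at no more than the configured rate, with incoming packets dropped once it is full) and the `mask dst-ip 0x000003ff` trick in Alexander's ipfw lines can both be modelled in a few lines. The following Python is an added illustration written for this archive, not code from the thread, from ipfw or from dummynet: it approximates a pipe as a FIFO drained at a fixed byte rate, keys pipes on the masked address the way a dummynet mask does, and feeds constructed bursts from two hosts in 172.16.16.0/22. The queue length of 5 packets, 50 KByte/s read as 50,000 bytes/s, and the 1500-byte packets are assumptions for the demo.

```python
"""
Toy model of an ipfw+dummynet pipe with a 'mask' (added simulation; this is
not dummynet's code).  A pipe is a FIFO drained at a fixed rate that tail-drops
when full; 'mask dst-ip 0x000003ff' turns one pipe into a family of dynamic
pipes, one per distinct value of (dst_ip & mask).
"""
import ipaddress
from collections import deque


def pipe_key(ip, mask):
    """Key of the dynamic pipe a packet falls into: the masked address bits."""
    return int(ipaddress.IPv4Address(ip)) & mask


class Pipe:
    """FIFO drained at bw bytes/s; at most qsize packets may be waiting
    (simplification: the packet currently on the wire counts as waiting)."""

    def __init__(self, bw, qsize):
        self.bw = bw
        self.qsize = qsize
        self.departures = deque()   # departure times of packets not yet fully sent

    def offer(self, now, length):
        """Offer a packet of `length` bytes at time `now` (seconds).  Returns its
        departure time, or None if the queue was full and the packet was dropped."""
        while self.departures and self.departures[0] <= now:
            self.departures.popleft()          # already left the pipe
        if len(self.departures) >= self.qsize:
            return None                        # tail drop, as Peter describes
        start = self.departures[-1] if self.departures else now
        depart = max(start, now) + length / self.bw
        self.departures.append(depart)
        return depart


class MaskedPipe:
    """'pipe N config bw ... mask dst-ip M': one Pipe per masked address.
    mask=0 collapses everything into a single shared pipe (an unmasked pipe)."""

    def __init__(self, bw, mask, qsize):
        self.bw, self.mask, self.qsize = bw, mask, qsize
        self.pipes = {}

    def offer(self, now, dst_ip, length):
        key = pipe_key(dst_ip, self.mask)
        pipe = self.pipes.setdefault(key, Pipe(self.bw, self.qsize))
        return pipe.offer(now, length)


def run_demo(bw=50_000, mask=0x000003ff, qsize=5):
    """Constructed traffic: two hosts in 172.16.16.0/22 each burst ten 1500-byte
    packets at t=0.  Returns {host: (sent, dropped, last_departure_seconds)}."""
    mp = MaskedPipe(bw, mask, qsize)
    stats = {}
    for host in ("172.16.16.10", "172.16.17.10"):
        sent = dropped = 0
        last = None
        for _ in range(10):
            depart = mp.offer(0.0, host, 1500)
            if depart is None:
                dropped += 1
            else:
                sent += 1
                last = depart
        stats[host] = (sent, dropped, None if last is None else round(last, 3))
    return stats


if __name__ == "__main__":
    print("masked pipes:", run_demo())            # each host gets its own pipe
    print("single pipe: ", run_demo(mask=0))      # second host starves
    # Why the rule is limited to 172.16.16.0/22: 0x3ff keeps only the low ten
    # address bits, so hosts four class-C blocks apart would share one pipe.
    print(pipe_key("172.16.16.10", 0x3ff) == pipe_key("172.16.20.10", 0x3ff))
```

With the mask, each host's burst is served by its own pipe at the full rate and the excess beyond the queue length is tail-dropped; with `mask=0` the two hosts share one pipe and the second host's burst finds the queue already full. The last check shows the caveat behind the `172.16.16.0/22` match in the `add pipe` rules: a 10-bit mask only distinguishes hosts inside one /22.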
From eculp at encontacto.net Tue Dec 2 05:13:48 2008
From: eculp at encontacto.net (eculp)
Date: Tue Dec 2 05:13:55 2008
Subject: PF + ALTQ - Bandwidth per customer
In-Reply-To: <20081202092204.GU51761@server.vk2pj.dyndns.org>
References: <20081124180411.0b065be5@wolwerine>
	<705757.42117.qm@web38504.mail.mud.yahoo.com>
	<11167f520812011508u46b04e7dmb1d5d22675dc778d@mail.gmail.com>
	<20081202075634.GT51761@server.vk2pj.dyndns.org>
	<4934F4F3.1030808@bsd.ee>
	<20081202092204.GU51761@server.vk2pj.dyndns.org>
Message-ID: <20081202070343.34221p9405nzs76s@econet.encontacto.net>

Quoting Peter Jeremy:

> On 2008-Dec-02 10:42:27 +0200, Andrei Kolu wrote:
>>> That description sounds like it simplifies to "limit bandwidth based on
>>> IP address" - which is fairly trivial for ipfw+dummynet or pf+altq.
>>>
>> ipfw+dummynet is really ugly traffic "shaper" (let's face it there is no
>> shaping going on), because instead of limiting bandwidth it will drop
>> packets to simulate bad connection.
>
> I've been using ipfw+dummynet for traffic shaping for 7 or 8 years
> without problems (and have recently moved to pf+dummynet).
> I don't
> understand your comment about limiting bandwidth: An incoming packet
> is put on a queue that is emptied at no more than the (simulated)
> available outbound bandwidth. If the queue is full then incoming
> packets will be dropped. This is the same behaviour as any other
> router (or switch).
>
> What do you want/expect?
>
>> I hear many years about "trivial"
>> configuration per user bandwidth limit with pf+altq but never saw ANY
>> code...
>
> Note that I never mentioned per-user bandwidth with pf+altq - though
> it looks possible. There are some trivial traffic-shaping examples in
> pf.conf(5) but I will admit that I've never tried to actually use altq
> - I use dummynet because I need functionality that isn't present in
> altq.

I had forgotten that dummynet can be used with pf. Maybe I should start this
with a new subject, but it is directly related in that I need bandwidth
control again, which I don't have since changing to pf.

o- What needs to be patched/done to make them work together on Current and
   Releng?
o- Are you happier with the combination of dummynet with pf than with IPFW?

DummyNet was one of the reasons that I was slow to leave IPFW.

Thanks, and I am really not trying to hijack this thread; I'd be glad to
start a new one.

ed

From freebsd at optiksecurite.com Tue Dec 2 08:38:22 2008
From: freebsd at optiksecurite.com (FreeBSD)
Date: Tue Dec 2 08:38:29 2008
Subject: BAD state using PF
Message-ID: <493564BD.9020100@optiksecurite.com>

Hi everyone,

I know this has been discussed earlier, but I'm not sure that the ephemeral
port reuse is really my problem and, if it is, I'm not sure what to do.

Here is my situation: I'm running FreeBSD 7.0-REL on a server running a jail
to isolate MySQL. The jail is bound to 127.0.0.40 and I use RDR in pf.conf to
redirect the traffic directed to port 3306 into the jail. This works great
except that I get random "Can't connect to MySQL" errors when another jail
(127.0.0.20) or another server tries to connect to MySQL.
I noticed that the State Mismatch counter of pfctl -vsi is increasing, so I
enabled misc debugging (pfctl -xm). Here is a snippet of what I got in
/var/log/messages:

Dec 2 10:58:35 martin kernel: pf: BAD state: TCP 127.0.0.20:63485 127.0.0.20:63485 127.0.0.40:3306 [lo=3309233133 high=3309304807 win=8960 modulator=2304227691 wscale=3] [lo=1318579582 high=1318651262 win=8960 modulator=4106 wscale=3] 9:9 S seq=3346121963 (3346121963) ack=1318579582 len=0 ackskew=0 pkts=53:55 dir=out,fwd
Dec 2 10:58:35 martin kernel: pf: BAD state: TCP 127.0.0.20:63485 127.0.0.20:63485 127.0.0.40:3306 [lo=3309233133 high=3309304807 win=8960 modulator=2304227691 wscale=3] [lo=1318579582 high=1318651262 win=8960 modulator=4106 wscale=3] 9:9 F seq=3346121964 (3346121964)
Dec 2 11:17:59 martin kernel: pf: BAD state: TCP 127.0.0.20:62768 127.0.0.20:62768 127.0.0.40:3306 [lo=386778332 high=386850006 win=8960 modulator=2910169605 wscale=3] [lo=3296964218 high=3297035897 win=8960 modulator=4201 wscale=3] 9:9 S seq=452986485 (452986485) ack=3296964218 len=0 ackskew=0 pkts=18:16 dir=out,fwd
Dec 2 11:17:59 martin kernel: pf: BAD state: TCP 127.0.0.20:62768 127.0.0.20:62768 127.0.0.40:3306 [lo=386778332 high=386850006 win=8960 modulator=2910169605 wscale=3] [lo=3296964218 high=3297035897 win=8960 modulator=4201 wscale=3] 9:9 F seq=452986486 (452986486) ack=3296964218 len=0 ackskew=0 pkts=18:16 dir=out,fwd

So my question is: how can I be sure that the problem is due to the port
reuse? If so, what am I supposed to do to deal with this? Would the best
solution be to decrease the tcp.closed timeout?

Thanks everyone for your help!

Martin

From sfourman at gmail.com Tue Dec 2 09:40:30 2008
From: sfourman at gmail.com (Sam Fourman Jr.)
Date: Tue Dec 2 09:40:42 2008
Subject: PF + ALTQ - Bandwidth per customer
In-Reply-To: <20081202070343.34221p9405nzs76s@econet.encontacto.net>
References: <20081124180411.0b065be5@wolwerine>
	<705757.42117.qm@web38504.mail.mud.yahoo.com>
	<11167f520812011508u46b04e7dmb1d5d22675dc778d@mail.gmail.com>
	<20081202075634.GT51761@server.vk2pj.dyndns.org>
	<4934F4F3.1030808@bsd.ee>
	<20081202092204.GU51761@server.vk2pj.dyndns.org>
	<20081202070343.34221p9405nzs76s@econet.encontacto.net>
Message-ID: <11167f520812020940w423bf0cco466a3423f762b291@mail.gmail.com>

> I had forgotten that dummynet can be used with pf. Maybe I should start this
> with a new subject but it is directly related in that I need bandwidth
> control again that I don't have since changing to pf.
>
> o- What needs to be patched/done to make them work together
>    on Current and Releng?
> o- Are you happier with the combination of dummynet with pf
>    than with IPFW?
>
> DummyNet was one of the reasons that I was slow to leave IPFW.
>
> Thanks and I am really not trying to hijack this thread, be glad to start a
> new one.

So you actually can use DummyNet w/ pf to limit bandwidth per IP?

Is there any way to say: IP address x must be used with MAC address y, then
follow the per-IP bandwidth limit; if not, then drop all traffic in and out?

Sam Fourman Jr.
Fourman Networks

From sfourman at gmail.com Tue Dec 2 10:08:50 2008
From: sfourman at gmail.com (Sam Fourman Jr.)
Date: Tue Dec 2 10:09:01 2008
Subject: PF + ALTQ - Bandwidth per customer
In-Reply-To: <493575F7.7020904@binarysalad.com>
References: <20081124180411.0b065be5@wolwerine>
	<705757.42117.qm@web38504.mail.mud.yahoo.com>
	<11167f520812011508u46b04e7dmb1d5d22675dc778d@mail.gmail.com>
	<20081202075634.GT51761@server.vk2pj.dyndns.org>
	<4934F4F3.1030808@bsd.ee>
	<20081202092204.GU51761@server.vk2pj.dyndns.org>
	<20081202070343.34221p9405nzs76s@econet.encontacto.net>
	<11167f520812020940w423bf0cco466a3423f762b291@mail.gmail.com>
	<493575F7.7020904@binarysalad.com>
Message-ID: <11167f520812021008r13cb927cy409af862f0bbaa9e@mail.gmail.com>

On Tue, Dec 2, 2008 at 11:52 AM, Kahlil Erwin Talledo wrote:
> Sam Fourman Jr. wrote:
>>> I had forgotten that dummynet can be used with pf. Maybe I should start this
>>> with a new subject but it is directly related in that I need bandwidth
>>> control again that I don't have since changing to pf.
>>>
>>> o- What needs to be patched/done to make them work together
>>>    on Current and Releng?
>>> o- Are you happier with the combination of dummynet with pf
>>>    than with IPFW?
>>>
>>> DummyNet was one of the reasons that I was slow to leave IPFW.
>>>
>>> Thanks and I am really not trying to hijack this thread, be glad to start a
>>> new one.
>>
>> so you actually can use DummyNet w/ pf to limit bandwidth per ip?
>>
>> is there anyway to say.. ip address x must be used with MAC Address y
>> then follow the per ip bandwidth limit
>> if not then drop all traffic in and out?
>
> you have to remember that mac is layer two and it can be easily spoofed.
> so doing it that way might not be the best thing to do. that's just
> my two cents though.

You are absolutely right. After thinking about it a bit more, the right idea
would be to somehow limit bandwidth per IP or group of IPs (several bound to
the same interface). Any ideas?

Sam Fourman Jr.
Fourman Networks

From kstalledo at binarysalad.com Tue Dec 2 11:03:13 2008
From: kstalledo at binarysalad.com (Kahlil Erwin Talledo)
Date: Tue Dec 2 11:03:25 2008
Subject: PF + ALTQ - Bandwidth per customer
In-Reply-To: <11167f520812020940w423bf0cco466a3423f762b291@mail.gmail.com>
References: <20081124180411.0b065be5@wolwerine>
	<705757.42117.qm@web38504.mail.mud.yahoo.com>
	<11167f520812011508u46b04e7dmb1d5d22675dc778d@mail.gmail.com>
	<20081202075634.GT51761@server.vk2pj.dyndns.org>
	<4934F4F3.1030808@bsd.ee>
	<20081202092204.GU51761@server.vk2pj.dyndns.org>
	<20081202070343.34221p9405nzs76s@econet.encontacto.net>
	<11167f520812020940w423bf0cco466a3423f762b291@mail.gmail.com>
Message-ID: <493575F7.7020904@binarysalad.com>

Sam Fourman Jr. wrote:
>> I had forgotten that dummynet can be used with pf. Maybe I should start this
>> with a new subject but it is directly related in that I need bandwidth
>> control again that I don't have since changing to pf.
>>
>> o- What needs to be patched/done to make them work together
>>    on Current and Releng?
>> o- Are you happier with the combination of dummynet with pf
>>    than with IPFW?
>>
>> DummyNet was one of the reasons that I was slow to leave IPFW.
>>
>> Thanks and I am really not trying to hijack this thread, be glad to start a
>> new one.
>
> so you actually can use DummyNet w/ pf to limit bandwidth per ip?
>
> is there anyway to say.. ip address x must be used with MAC Address y
> then follow the per ip bandwidth limit
> if not then drop all traffic in and out?

You have to remember that MAC is layer two and it can be easily spoofed, so
doing it that way might not be the best thing to do. That's just my two cents
though.

>
> Sam Fourman Jr.
> Fourman Networks
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
>

From rmaglasang at infoweapons.com Tue Dec 2 23:46:10 2008
From: rmaglasang at infoweapons.com (Ronnel P. Maglasang)
Date: Tue Dec 2 23:46:16 2008
Subject: PF + ALTQ - Bandwidth per customer
In-Reply-To: <76463C1E8CB14B958088F7E54C611560@ashevchenko>
References: <76463C1E8CB14B958088F7E54C611560@ashevchenko>
Message-ID: <493634DA.7000408@infoweapons.com>

Alexander Shevchenko wrote:
> Using ipfw+dummynet you could easily limit bandwidth per ip:
>
> $IPFW pipe 4 config bw 50KByte/s mask dst-ip 0x000003ff
> $IPFW pipe 7 config bw 50KByte/s mask src-ip 0x000003ff
> $IPFW add pipe 4 ip from any to 172.16.16.0/22 via fxp0 in
> $IPFW add pipe 7 ip from 172.16.16.0/22 to any via fxp0 out
>
>
> Using pf+altq you could limit easily bandwith for all clients:
>
> altq on $int_if cbq bandwidth 1000Mb queue { powernet_local, powernet_inet }
> queue powernet_local bandwidth 95% cbq(default)
> queue powernet_inet bandwidth 40Mb
>
> pass out on $int_if from to queue
> powernet_local
> pass out on $int_if from ! to queue
> powernet_inet
>
> But you could not limit bandwidth per ip using PF.
>
>

Why not? You create pf+altq equivalent rules for the ipfw+dummynet rules. You
may look at policy-based filtering if needed; you just have to play with the
"tag" and "tagged" directives.
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From eculp at encontacto.net Wed Dec 3 05:19:43 2008
From: eculp at encontacto.net (eculp)
Date: Wed Dec 3 05:19:50 2008
Subject: PF + ALTQ - Bandwidth per customer
In-Reply-To: <493634DA.7000408@infoweapons.com>
References: <76463C1E8CB14B958088F7E54C611560@ashevchenko>
	<493634DA.7000408@infoweapons.com>
Message-ID: <20081203071940.324735uokbfgyh6o@econet.encontacto.net>

Quoting "Ronnel P. Maglasang":

> Alexander Shevchenko
wrote:
>> Using ipfw+dummynet you could easily limit bandwidth per ip:
>>
>> $IPFW pipe 4 config bw 50KByte/s mask dst-ip 0x000003ff
>> $IPFW pipe 7 config bw 50KByte/s mask src-ip 0x000003ff
>> $IPFW add pipe 4 ip from any to 172.16.16.0/22 via fxp0 in
>> $IPFW add pipe 7 ip from 172.16.16.0/22 to any via fxp0 out
>>
>>
>> Using pf+altq you could limit easily bandwith for all clients:
>>
>> altq on $int_if cbq bandwidth 1000Mb queue { powernet_local, powernet_inet }
>> queue powernet_local bandwidth 95% cbq(default)
>> queue powernet_inet bandwidth 40Mb
>>
>> pass out on $int_if from to queue
>> powernet_local
>> pass out on $int_if from ! to queue
>> powernet_inet
>>
>> But you could not limit bandwidth per ip using PF.
>>
>>
> why not? you create pf+altq equivalent rules for ipfw+dummynet rules.
> you may look at policy based filtering if needed. you just have to play
> with "tag" and "tagged" directives.

I don't remember why, but for some reason I have the idea that pf+altq is not
bidirectional. Am I mistaken?

Thanks,

ed
From alessandro.dev at gmail.com Wed Dec 3 12:03:00 2008
From: alessandro.dev at gmail.com (Alessandro Silveira)
Date: Wed Dec 3 12:03:31 2008
Subject: Optimize HFSC
Message-ID: <720e1f20812031133g11b1ec2ah2f7b3fdc7245dd54@mail.gmail.com>

Hi,

I have a storage server with high input traffic in a network, at address
192.168.16.8, and a playout at address 192.168.16.50.

I am using Packet Filter to ensure low delay in video streams over Samba,
using realtime, but I get poor results. Does someone know a better AltQ/PF
configuration for streams?

My Altq configuration:

queue root_em0 bandwidth 1Gb priority 1 qlimit 100 {SYSTEM_QUEUE}
queue SYSTEM_QUEUE bandwidth 1Gb qlimit 100 {AVNQOS1, SYSYTEM_DEFAULT}
queue AVNQOS1 bandwidth 100Mb priority 7 qlimit 10000 hfsc( ecn realtime 100Mb upperlimit 100Mb )

But in realtime m1 is 100Mb, m2 is 50MB and d is 18.

My rule configuration:

pass out on em0 inet proto tcp from 192.168.16.8 to 192.168.16.50 tos 0x10 queue AVNQOS1

Thanks.

P.S. Sorry for my bad English.
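Alessandro's realtime parameters (m1 100Mb, d 18, m2 50Mb, reading his "50MB" as 50Mb) describe a two-piece HFSC service curve: slope m1 for the first d milliseconds after the queue becomes backlogged, slope m2 after that, with d in milliseconds as pf.conf(5) specifies. The Python below is an added worked example for this archive, not pf or pfctl code: it evaluates that curve and its inverse (the time by which a backlogged queue is guaranteed a given amount of service, which is what gives each packet its realtime deadline), following the HFSC definition. `pfctl_rejects_curve` encodes, from my memory of pfctl's altq code rather than from anything on this page, the restriction that Ermal's reply below says the patched pfctl lifts (a non-zero m1 smaller than m2); treat that function as an assumption and check it against your pfctl.

```python
"""
HFSC service-curve arithmetic for pf's hfsc(realtime m1 d m2) parameters.
Added worked example, not code from pf, pfctl or the thread.  The curve and
its inverse follow the HFSC definition (service guaranteed to a backlogged
queue as a function of time).  Bandwidth units are read as decimal bits/s
(an assumption) and d as milliseconds, as in pf.conf(5).
"""
import re

UNITS = {"b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}


def parse_bw(spec):
    """'100Mb' -> 100_000_000 bits per second."""
    m = re.fullmatch(r"(\d+)([KMG]?b)", spec)
    if not m:
        raise ValueError("bad bandwidth spec: %r" % spec)
    return int(m.group(1)) * UNITS[m.group(2)]


def service_bits(t_ms, m1, d_ms, m2):
    """Bits of service guaranteed t_ms after the queue became backlogged:
    slope m1 (bits/s) up to the knee at d_ms, slope m2 afterwards.
    A single-value curve ('realtime 100Mb') is m1 = 0, d = 0."""
    if t_ms <= d_ms:
        return m1 * t_ms / 1000
    return m1 * d_ms / 1000 + m2 * (t_ms - d_ms) / 1000


def deadline_ms(bits, m1, d_ms, m2):
    """Inverse curve: the time (ms) by which `bits` of service are due."""
    knee = m1 * d_ms / 1000
    if bits <= knee:
        return bits / m1 * 1000 if m1 else 0.0
    return d_ms + (bits - knee) / m2 * 1000


def packet_deadlines_ms(sizes_bytes, m1, d_ms, m2):
    """Deadlines of a burst arriving at t=0 on an idle queue: the n-th packet
    is due when the curve reaches the cumulative byte count."""
    out, total_bits = [], 0
    for size in sizes_bytes:
        total_bits += size * 8
        out.append(deadline_ms(total_bits, m1, d_ms, m2))
    return out


def pfctl_rejects_curve(m1, d_ms, m2):
    """ASSUMPTION (from memory of pfctl's altq code, not verified here):
    pfctl refuses a convex curve, i.e. 0 < m1 < m2.  This is the restriction
    the patched pfctl mentioned in the thread is said to lift."""
    return m1 != 0 and m1 < m2


if __name__ == "__main__":
    m1, d, m2 = parse_bw("100Mb"), 18, parse_bw("50Mb")   # the thread's values
    print("bits guaranteed by 18 ms:", service_bits(18, m1, d, m2))
    print("bits guaranteed by 36 ms:", service_bits(36, m1, d, m2))
    print("deadlines for 4 x 1500-byte packets (ms):",
          packet_deadlines_ms([1500] * 4, m1, d, m2))
    print("convex 50Mb/18/100Mb rejected by stock pfctl (assumed):",
          pfctl_rejects_curve(parse_bw("50Mb"), 18, parse_bw("100Mb")))
```

For the values in the question the queue is guaranteed 1.8 Mbit in the first 18 ms and 2.7 Mbit by 36 ms; a burst of four 1500-byte frames is entirely inside the m1 segment, so each frame's deadline is set by the 100Mb slope. Swapping m1 and m2 keeps the long-run rate but lengthens every early deadline, which is the trade-off behind the discussion of m1 smaller than m2.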
From ermal.luci at gmail.com Wed Dec 3 15:19:23 2008
From: ermal.luci at gmail.com (Ermal Luçi)
Date: Wed Dec 3 15:19:29 2008
Subject: Optimize HFSC
In-Reply-To: <720e1f20812031133g11b1ec2ah2f7b3fdc7245dd54@mail.gmail.com>
References: <720e1f20812031133g11b1ec2ah2f7b3fdc7245dd54@mail.gmail.com>
Message-ID: <9a542da30812031519x56f690d2vbd0fc16b84db235c@mail.gmail.com>

On Wed, Dec 3, 2008 at 8:33 PM, Alessandro Silveira wrote:
> Hi,
>
> I have a Storage with high input traffic in a network, in add
> 192.168.16.8, and a playout in add 192.168.16.50.
>
> I am using Packet Filter for to ensure low delay in streams of video
> with samba, using real time, but i get poor results,
> someone know a best AltQ/PF configuration for streams.
>
> My Altq configuration:
>
> queue root_em0 bandwidth 1Gb priority 1 qlimit 100 {SYSTEM_QUEUE}
> queue SYSTEM_QUEUE bandwidth 1Gb qlimit 100 {AVNQOS1, SYSYTEM_DEFAULT}
> queue AVNQOS1 bandwidth 100Mb priority 7 qlimit 10000 hfsc( ecn
> realtime 100Mb upperlimit 100Mb )
>
> But in Realtime m1 is 100Mb, m2 is 50MB and d is 18.
>
> My Rule configuration:
>
> pass out on em0 inet proto tcp from 192.168.16.8 to 192.168.16.50 tos
> 0x10 queue AVNQOS1
>
> Thanks.
>

I understand it this way:
http://forum.pfsense.org/index.php/topic,11986.0.html

Just consider that that post assumes a patched pfctl to allow m1 smaller
than m2. Reports say that it actually improves performance, and it was the
way the initial HFSC implementation worked.

> P.S. Sorry for my bad english.
> _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > -- Ermal From samflanker at gmail.com Thu Dec 4 07:24:12 2008 From: samflanker at gmail.com (Vladimir Ermakov) Date: Thu Dec 4 07:24:29 2008 Subject: synproxy state does not work on FreeBSD 7.1-PRERELEASE Message-ID: <4937F627.8080602@gmail.com> problem is fixed in OpenBSD 4.4 http://www.openbsd.org/plus44.html /Vladimir Ermakov From max at love2party.net Thu Dec 4 07:47:16 2008 From: max at love2party.net (Max Laier) Date: Thu Dec 4 07:47:28 2008 Subject: synproxy state does not work on FreeBSD 7.1-PRERELEASE In-Reply-To: <4937F627.8080602@gmail.com> References: <4937F627.8080602@gmail.com> Message-ID: <200812041647.14049.max@love2party.net> On Thursday 04 December 2008 16:24:23 Vladimir Ermakov wrote: > problem is fixed in OpenBSD 4.4 > http://www.openbsd.org/plus44.html The bug this note refers to was introduced after OpenBSD 4.1 (our last import) and should not be present in the FreeBSD code. I'll double check in a bit to make sure synproxy is working, but I don't think it was broken after my last import ... do you have a particular test case that I could reproduce? 
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From matheus at eternamente.info Thu Dec 4 08:49:51 2008
From: matheus at eternamente.info (Nenhum_de_Nos)
Date: Thu Dec 4 08:49:57 2008
Subject: issue with hfsc
Message-ID: <1faecc59f0d150fd76b4c92c6043aaf8.squirrel@cygnus.homeunix.com>

hail,

I have 7-STABLE running as a router, and now I found to have this issue:

altq on $ext_if bandwidth 310Kb hfsc queue { ack_dns, ack_ssh, ack_msn, ack_http, ack_http2, ack_bolo, ack_jogos }
queue ack_dns bandwidth 7% priority 7 qlimit 500 hfsc (realtime 5%)
queue ack_ssh bandwidth 10% priority 6 qlimit 500 hfsc (realtime 20%) {ssh_bulk, ssh_login}
queue ack_jogos bandwidth 20% priority 5 qlimit 500 hfsc (realtime 20%)
queue ack_msn bandwidth 10% priority 4 qlimit 500 hfsc (realtime 5%)
queue ack_http bandwidth 35% priority 3 qlimit 500 hfsc (realtime 15%)
queue ack_http2 bandwidth 13% priority 6 qlimit 500 hfsc (realtime 10%)
# queue ack_bolo bandwidth 1% priority 1 qlimit 500 hfsc (upperlimit 10% default)
queue ack_bolo bandwidth 1% priority 1 qlimit 500 hfsc (realtime 1% default)

altq on $int_if bandwidth 100Mb hfsc queue { http, ssh, dns, msn, bolo, jogos, lan }
queue dns bandwidth 70Kb priority 7 qlimit 500 hfsc (realtime 50Kb)
queue ssh bandwidth 100Kb priority 6 qlimit 500 hfsc (realtime 100Kb )
queue msn bandwidth 50Kb priority 5 qlimit 500 hfsc (realtime 50Kb)
queue jogos bandwidth 100Kb priority 4 qlimit 500 hfsc (realtime 100Kb)
queue http bandwidth 500Kb priority 3 qlimit 500 hfsc (realtime 350Kb)
queue bolo bandwidth 180Kb priority 2 qlimit 500 hfsc (realtime 50Kb default)

my problem is that http2 (and I assume the others also) just use all upload
when ack_bolo has upperlimit XX, not with realtime YY. this "bolo" rule is
the bulk (as for calomel's pf howto) and this should be the least packets to
go.

http2 is for Folding@Home uploads, to be more than ack_bolo (p2p) and less
than http. if I use upperlimit 10%, it works ok, but when not uploading from
F@H, I lose bandwidth for p2p. if I put realtime 1%, it takes almost all
bandwidth :(

if anyone has anything to help, thanks in advance,

matheus

-- 
We will call you cygnus,
The God of balance you shall be

From max at love2party.net Thu Dec 4 09:28:37 2008
From: max at love2party.net (Max Laier)
Date: Thu Dec 4 09:28:49 2008
Subject: synproxy state does not work on FreeBSD 7.1-PRERELEASE
In-Reply-To: <200812041647.14049.max@love2party.net>
References: <4937F627.8080602@gmail.com> <200812041647.14049.max@love2party.net>
Message-ID: <200812041828.34033.max@love2party.net>

On Thursday 04 December 2008 16:47:13 Max Laier wrote:
> On Thursday 04 December 2008 16:24:23 Vladimir Ermakov wrote:
> > problem is fixed in OpenBSD 4.4
> > http://www.openbsd.org/plus44.html
>
> The bug this note refers to was introduced after OpenBSD 4.1 (our last
> import) and should not be present in the FreeBSD code. I'll double check
> in a bit to make sure synproxy is working, but I don't think it was broken
> after my last import ... do you have a particular test case that I could
> reproduce?

Okay ... here is the story: First off, "synproxy state" is *NOT* broken! But
you need to be careful how you use it. If you - like the OP - intend to use
it to protect a service running on the same box as your pf, you must make sure
to "set skip on lo0" or it will not work. If you are protecting a box behind
the pf box, there is no need for that.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From samflanker at gmail.com Thu Dec 4 23:16:03 2008
From: samflanker at gmail.com (Vladimir Ermakov)
Date: Thu Dec 4 23:16:09 2008
Subject: synproxy state does not work on FreeBSD 7.1-PRERELEASE
In-Reply-To: <200812041828.34033.max@love2party.net>
References: <4937F627.8080602@gmail.com> <200812041647.14049.max@love2party.net> <200812041828.34033.max@love2party.net>
Message-ID: <4938D540.4080304@gmail.com>

Max Laier wrote:
>
> Okay ... here is the story: First off, "synproxy state" is *NOT* broken! But
> you need to be careful how you use it. If you - like the OP - intend to use
> it to protect a service running on the same box as your pf, you must make sure
> to "set skip on lo0" or it will not work. If you are protecting a box behind
> the pf box, there is no need for that.
>

Max, sorry for your time. Thanks, I solved the problem.

/Vladimir Ermakov

From samflanker at gmail.com Fri Dec 5 00:23:14 2008
From: samflanker at gmail.com (Vladimir Ermakov)
Date: Fri Dec 5 00:23:20 2008
Subject: synproxy state does not work on FreeBSD 7.1-PRERELEASE
In-Reply-To: <200812041828.34033.max@love2party.net>
References: <4937F627.8080602@gmail.com> <200812041647.14049.max@love2party.net> <200812041828.34033.max@love2party.net>
Message-ID: <4938E500.9090805@gmail.com>

Max Laier wrote:
> On Thursday 04 December 2008 16:47:13 Max Laier wrote:
>
>> On Thursday 04 December 2008 16:24:23 Vladimir Ermakov wrote:
>>
>>> problem is fixed in OpenBSD 4.4
>>> http://www.openbsd.org/plus44.html
>>>
>> The bug this note refers to was introduced after OpenBSD 4.1 (our last
>> import) and should not be present in the FreeBSD code. I'll double check
>> in a bit to make sure synproxy is working, but I don't think it was broken
>> after my last import ... do you have a particular test case that I could
>> reproduce?
>>
>
> Okay ... here is the story: First off, "synproxy state" is *NOT* broken! But
> you need to be careful how you use it. If you - like the OP - intend to use
> it to protect a service running on the same box as your pf, you must make sure
> to "set skip on lo0" or it will not work. If you are protecting a box behind
> the pf box, there is no need for that.
>

Can `synproxy state` work on the CARP interface?

/Vladimir Ermakov

From leslie at eskk.nu Tue Dec 9 06:53:10 2008
From: leslie at eskk.nu (Leslie Jensen)
Date: Tue Dec 9 06:53:17 2008
Subject: Personal firewall with two interfaces
Message-ID: <493E82B3.5090002@eskk.nu>

Hello

I'm running pf as my personal firewall on my laptop.
I've got one ethernet and one wifi interface, both are configured during
boot.

I usually make a change pf.conf where I change

# ext_if="em0"
ext_if="rum0"

or vice versa.

My problem is that if the "wrong" interface is active in pf.conf there'll be
some waiting for ntpd sshd and bsdstats to time out.

I would like to configure pf so that both interfaces are treated the same,
only one active interface at the time, but to remove the need for a manual
change of pf.conf at startup.

Any hints are appreciated.

Thank you

/Leslie

From greg at bestnet.kharkov.ua Tue Dec 9 08:11:12 2008
From: greg at bestnet.kharkov.ua (Gregory Edigarov)
Date: Tue Dec 9 08:11:19 2008
Subject: Personal firewall with two interfaces
In-Reply-To: <493E82B3.5090002@eskk.nu>
References: <493E82B3.5090002@eskk.nu>
Message-ID: <493E9335.9020500@bestnet.kharkov.ua>

Leslie Jensen wrote:
> Hello
>
> I'm running pf as my personal firewall on my laptop.
>
> I've got one ethernet and one wifi interface, both are configured
> during boot.
>
> I usually make a change pf.conf where I change
>
> # ext_if="em0"
> ext_if="rum0"
>
> or vice versa.
>
> My problem is that if the "wrong" interface is active in pf.conf
> there'll be some waiting for ntpd sshd and bsdstats to time out.
>
> I would like to configure pf so that both interfaces are treated the
> same, only one active interface at the time, but to remove the need
> for a manual change of pf.conf at startup.

seems like you'll be done by using the rules without an interface pointer...

-- 
With best regards,
Gregory Edigarov

From atkin901 at yahoo.com Tue Dec 9 13:48:21 2008
From: atkin901 at yahoo.com (Mark Atkinson)
Date: Tue Dec 9 13:48:28 2008
Subject: Personal firewall with two interfaces
References: <493E82B3.5090002@eskk.nu>
Message-ID:

Leslie Jensen wrote:
> I usually make a change pf.conf where I change
>
> # ext_if="em0"
> ext_if="rum0"
>
> or vice versa.
>
> My problem is that if the "wrong" interface is active in pf.conf
> there'll be some waiting for ntpd sshd and bsdstats to time out.
>
> I would like to configure pf so that both interfaces are treated the
> same, only one active interface at the time, but to remove the need for
> a manual change of pf.conf at startup.
>
> Any hints are appreciated.

You should leave your pf.conf alone and rename your interfaces (based on
which one is inserted -- maybe via devd). You could also code something up
in like /etc/rc.d/early.sh to figure out which one is available and rename
it.

for example:

ifconfig msk0 name external
ifconfig xl0 name internal
ifconfig sk0 name wireless

and just leave ext_if="external" in your pf.conf.

-- 
Mark Atkinson
atkin901@yahoo.com
(!wired)?(coffee++):(wired);

From sa at mbg.se Wed Dec 10 02:58:33 2008
From: sa at mbg.se (Sven-Åke Svensson)
Date: Wed Dec 10 02:58:40 2008
Subject: Personal firewall with two interfaces
In-Reply-To: <493E82B3.5090002@eskk.nu>
References: <493E82B3.5090002@eskk.nu>
Message-ID: <493F9BCC.7000703@mbg.se>

Hi

I use the following in my pf.conf

# Macros
ext_if="{ em0 iwi0 }"

Sven-Åke

Leslie Jensen wrote:
> Hello
>
> I'm running pf as my personal firewall on my laptop.
>
> I've got one ethernet and one wifi interface, both are configured during
> boot.
>
> I usually make a change pf.conf where I change
>
> # ext_if="em0"
> ext_if="rum0"
>
> or vice versa.
>
> My problem is that if the "wrong" interface is active in pf.conf
> there'll be some waiting for ntpd sshd and bsdstats to time out.
>
> I would like to configure pf so that both interfaces are treated the
> same, only one active interface at the time, but to remove the need for
> a manual change of pf.conf at startup.
>
> Any hints are appreciated.
>
> Thank you
>
> /Leslie

From iskander at apple-park.kiev.ua Wed Dec 10 04:31:33 2008
From: iskander at apple-park.kiev.ua (Alexander Vyrlanovich)
Date: Wed Dec 10 04:31:41 2008
Subject: Does pfsync work with route-to/reply-to rules?
Message-ID: <1A5D8974-8BEE-4998-B029-737E32DB3C83@apple-park.kiev.ua>

Hello All

I have two firewalls with CARP + pfsync for failover
#uname -mrs:
FreeBSD 7.1-PRERELEASE i386
sources from Nov 24

Three ISPs are connected, default route points to ISP1
I use pf "route-to" option to forward some traffic via ISP2 and ISP3

The problem:
When backup firewall becomes a master, all packets forwarded via ISP2 and
ISP3 which have a state in state table, go to the ISP1 (default route) and of
course are blocked by pf on outgoing interface.
Moreover, those packets bypass nat rules and try to go out as is.

Looks like pfsync loses routing information. Can somebody confirm this?

Alexander Vyrlanovich
System Administrator

From iskander at apple-park.kiev.ua Thu Dec 11 00:10:04 2008
From: iskander at apple-park.kiev.ua (Alexander Vyrlanovich)
Date: Thu Dec 11 00:10:11 2008
Subject: Does pfsync work with route-to/reply-to rules?
In-Reply-To: <1A5D8974-8BEE-4998-B029-737E32DB3C83@apple-park.kiev.ua>
References: <1A5D8974-8BEE-4998-B029-737E32DB3C83@apple-park.kiev.ua>
Message-ID: <254A0CF2-6152-4E23-8FFC-48344F4EC66C@apple-park.kiev.ua>

On 10 Dec 2008, at 14:12, Alexander Vyrlanovich wrote:
> Hello All
>
> I have two firewalls with CARP + pfsync for failover
> #uname -mrs:
> FreeBSD 7.1-PRERELEASE i386
> sources from Nov 24
>
> Three ISPs are connected, default route points to ISP1
> I use pf "route-to" option to forward some traffic via ISP2 and ISP3
>
> The problem:
> When backup firewall becomes a master, all packets forwarded via
> ISP2 and ISP3
> which has a state in state table, go to the ISP1 (default route) and
> of course
> are blocked by pf on outgoing interface.
> More over, those packets bypass nat rules and try to go out as is.

Please ignore my sentence about nat - it was incorrect.

> Looks like pfsync loses routing information. Can somebody confirm
> this?

Alexander Vyrlanovich
System Administrator

From leslie at eskk.nu Fri Dec 19 05:21:45 2008
From: leslie at eskk.nu (Leslie Jensen)
Date: Fri Dec 19 05:21:57 2008
Subject: clientNatLookup: PF open failed: (13) Permission denied
Message-ID: <494B9FE5.6070501@eskk.nu>

I've tried the squid users mail list but I try here.
I'm aware that this list is not a squid list, but with it being PF I hope
someone has a suggestion how to fix my problem.

I'm not sure if I want to change the rights on /dev/pf that's why I'm
asking.

I'm running Squid-3.0.10 on FreeBSD 7.0-RELEASE-p4 with PF.

I've noticed that in cache.log are a lot of entries as the one below

clientNatLookup: PF open failed: (13) Permission denied

I've found some information on the problem via Google.

One is "start Squid as root". Squid is started via rc.conf so I think that
is sorted.

There is a concern about rights on /dev/pf

Finally there's some advice

---- snip----
If you are performing any kind of transparent interception with squid you
will need one of the --*-transparent options. Without it squid will fail to
correctly spoof the clients IP.
----- snip ----

I do not fully understand where the "--*-transparent options" are to be
found. And if it's the solution to the problem.

Will someone Please enlighten me?

Thank you

/Leslie

From peter at allicient.co.uk Fri Dec 19 05:48:45 2008
From: peter at allicient.co.uk (Peter Maxwell)
Date: Fri Dec 19 05:48:52 2008
Subject: clientNatLookup: PF open failed: (13) Permission denied
In-Reply-To: <494B9FE5.6070501@eskk.nu>
References: <494B9FE5.6070501@eskk.nu>
Message-ID: <7731938b0812190548r399e6c2by4ff666ce9fa63481@mail.gmail.com>

Hi Leslie,

The message you're getting is usually associated with the rule base blocking
an outbound connection - so check that you've opened all the outbound ports
that squid needs in your pf.conf.

Tip: you can use tcpdump to see what's going on, the openbsd pf pages at
http://www.openbsd.org/faq/pf/logging.html will give an introduction and
there's lots of info on tcpdump around - note tcpdump is great for testing
purposes but don't use tcpdump on a production box (it's not got a great
security record and if you get the parameters wrong with high load you can
kill the box).

Transparent http proxying is basically where there is a rdr rule in your pf
config so that outbound port 80 connections (or 443 for that matter) are
forwarded to squid's inbound port and, if configured properly, squid can then
handle the request. The reason it's called 'transparent' is because the
user's browser doesn't need configuring because pf redirects all http traffic
- so to the browser it just looks like a direct connection to the internet
(with a few extra HTTP headers). There are several implications of this, if
squid fails (which it does a lot) then you don't get web browsing until you
fix squid; it forces use of the proxy; you can use any authentication
mechanisms with squid. Personally, transparent proxying is more trouble than
it's worth but your mileage may vary.

Best wishes,

Peter

2008/12/19 Leslie Jensen :
> I've tried the squid users mail list but I try here. I'm aware that this
> list is not a squid list, but with it beeing PF I hope someone has a
> suggestion how to fix my problem.
>
> I'm not sure if I want to change the rights on /dev/pf that's why I'm
> asking.
>
> I'm running Squid-3.0.10 on FreeBSD 7.0-RELEASE-p4 with PF.
>
> I've noticed that in cache.log are a lot of entries as the one below
>
> clientNatLookup: PF open failed: (13) Permission denied
>
> I've found some information on the problem via Google.
>
> One is "start Squid as root". Squid is started via rc.conf so I think
> that is sorted.
>
> There is a concern about rights on /dev/pf
>
> Finally there's some advice
>
> ---- snip----
> If you are performing any kind of transparent interception with squid
> you will need one of the --*-transparent options. Without it squid will
> fail to correctly spoof the clients IP.
> ----- snip ----
>
> I do not fully understand where the "--*-transparent options" are to be
> found. And if it's the solution to the problem.
>
> Will someone Please enlighten me?
>
> Thank you
> /Leslie
>

From crt at soup.si Mon Dec 22 07:23:04 2008
From: crt at soup.si (Crt Zerjal)
Date: Mon Dec 22 07:23:11 2008
Subject: reply-to in RELENG_7 not working for networks attached to router
Message-ID:

hi,

this is my config file that worked well on RELENG_6.2

ext_ip1 = "{ x.x.81.190 }"
ext_ip2 = "{ y.y.6.177 }"
gw1 = "{ x.x.81.161 }"
gw2 = "{ y.y.0.1 }"

# NAT
rdr on le0 proto tcp from any to $ext_ip1 port { 80 } -> 192.168.233.1
rdr on le2 proto tcp from any to $ext_ip2 port { 80 } -> 192.168.233.1

# RULES
pass in quick on le0 reply-to ( em0 $gw1 ) from any to any keep state
pass in quick on le2 reply-to ( em1 $gw2 ) from any to any keep state

but on RELENG_7 if the ip accessing one of the wans is in the subnet of the
other wan the response is routed through the wrong interface -- some ip,
let's say y.y.15.123, accesses the router on x.x.81.190 on port 80, then
reaches my web server on 192.168.233.1 and should leave on the same
interface that it came in, but it is routed back on the other if

From linimon at FreeBSD.org Mon Dec 22 13:44:11 2008
From: linimon at FreeBSD.org (linimon@FreeBSD.org)
Date: Mon Dec 22 13:44:23 2008
Subject: kern/129861: [pf] [patch] Argument names reversed in pf_table.c:_copyout()
Message-ID: <200812222144.mBMLiBhp048559@freefall.freebsd.org>

Old Synopsis: Argument names reversed in pf_table.c:_copyout()
New Synopsis: [pf] [patch] Argument names reversed in pf_table.c:_copyout()
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Mon Dec 22 21:43:49 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=129861

From bugmaster at FreeBSD.org Mon Dec 29 03:06:59 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Dec 29 03:08:41 2008
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200812291106.mBTB6xZn024526@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/129060  pf         [pf] [tun] pf doesn't forget the old tun IP
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf         [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf         [pf] deadlock in pf
o kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/82271   pf         [pf] cbq scheduler cause bad latency

26 problems total.
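Returning to the "Personal firewall with two interfaces" thread above: the following is an added example, not code from any poster, of the boot-time interface renaming that Mark Atkinson suggests, so that pf.conf can keep a fixed ext_if="external" whichever NIC has link. It assumes FreeBSD ifconfig(8) output (a "status: active" line for an interface with link); the candidate names em0 and rum0 are taken from Leslie's pf.conf and the stable name "external" from Mark's reply, and the apply step is only run when the script is invoked with --apply.

```shell
#!/bin/sh
# Added example (not from the thread): pick the first candidate interface
# that currently has link and rename it to a stable name, so pf.conf can
# keep ext_if="external" regardless of whether the wired or the wireless
# NIC is the one in use.  Intended to run early at boot, before pf loads.
# Assumes FreeBSD ifconfig(8) output, which prints "status: active" for an
# interface with link and "status: no carrier" otherwise.

# Candidate interfaces, most preferred first (names from the thread).
CANDIDATES="em0 rum0"
STABLE_NAME="external"

# Thin wrapper around ifconfig(8) so tests can substitute canned output.
get_ifconfig() {
    ifconfig "$1" 2>/dev/null
}

# Read ifconfig text on stdin; print "active" if it reports link, else
# "down".  The status line is indented, e.g. "        status: active".
# Interfaces without a status line (lo0, or a nonexistent name) count as
# down, so a typo in CANDIDATES can never be chosen by accident.
link_state() {
    awk '
        /^[[:space:]]*status:/ {
            if ($2 == "active") { print "active" } else { print "down" }
            found = 1; exit
        }
        END { if (!found) print "down" }'
}

# Print the name of the first candidate with link and return 0;
# print nothing and return 1 if none has link.
pick_external() {
    for ifn in $CANDIDATES; do
        if [ "$(get_ifconfig "$ifn" | link_state)" = "active" ]; then
            printf '%s\n' "$ifn"
            return 0
        fi
    done
    return 1
}

# Rename the chosen interface.  Idempotent: if a previous run already
# created the stable name, leave things alone.
apply_rename() {
    if ifconfig "$STABLE_NAME" >/dev/null 2>&1; then
        return 0
    fi
    ifn=$(pick_external) || { echo "no candidate interface has link" >&2; return 1; }
    ifconfig "$ifn" name "$STABLE_NAME"
}

# Side effects only when explicitly requested, so sourcing the file or
# running its checks never touches the system's interfaces.
if [ "$1" = "--apply" ]; then
    apply_rename
fi
```

On the real box the pf rc script must be ordered after this one, and the `ifconfig_external` settings in rc.conf (if any) must refer to the renamed interface.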