From ansarm at gmail.com Tue Jul 1 06:42:50 2008 From: ansarm at gmail.com (Ansar Mohammed) Date: Tue Jul 1 06:42:54 2008 Subject: authpf win32 client Message-ID: <001e01c8db45$aa6f0cd0$ff4d2670$@com> Hello All, I am writing a small win32 tray icon client for authpf. If anyone is interested in assisting me with some testing can you please msg me offlist. From stef-list at memberwebs.com Thu Jul 3 01:08:33 2008 From: stef-list at memberwebs.com (Stef) Date: Thu Jul 3 01:08:37 2008 Subject: connect(): Operation not permitted References: <678A03F5-5E8A-4CF6-90DF-AA9A4F30FBE1@stromnet.se> <1211037564.6326.27.camel@porksoda> <679DB462-75D6-45CC-949C-1BE8E12C22CD@stromnet.se> <482FD877.6050707@infracaninophile.co.uk> Message-ID: <20080703003955.859BCF180C0@mx.npubs.com> Kian Mohageri wrote: > On Sun, May 18, 2008 at 3:33 AM, Johan Str?m wrote: >> On May 18, 2008, at 9:19 AM, Matthew Seaman wrote: >> >>> Johan Str?m wrote: >>> >>>> drop all traffic)? A check with pfctl -vsr reveals that the actual rule >>>> inserted is "pass on lo0 inet from 123.123.123.123 to 123.123.123.123 flags >>>> S/SA keep state". Where did that "keep state" come from? >>> 'flags S/SA keep state' is the default now for tcp filter rules -- that >>> was new in 7.0 reflecting the upstream changes made between the 4.0 and >>> 4.1 >>> releases of OpenBSD. If you want a stateless rule, append 'no state'. >>> >>> http://www.openbsd.org/faq/pf/filter.html#state >> Thanks! I was actually looking around in the pf.conf manpage but failed to >> find it yesterday, but looking closer today I now saw it. >> Applied the no state (and quick) to the rule, and now no state is created. >> And the problem I had in the first place seems to have been resolved too >> now, even though it didn't look like a state problem.. (started to deny new >> connections much earlier than the states was full, altough maybee i wasnt >> looking for updates fast enough or something). 
>> > > I'd be willing to bet it's because you're reusing the source port on a > new connection before the old state expires. > > You'll know if you check the state-mismatch counter. > > Anyway, glad you found a resolution. I've been experiencing this "Operation not permitted" too. I've been trying to track down the problem for many months, but due to the complexity of my firewalls (scores of jails each with scores of rules), I wasn't brave enough to ask for help :) As a work around we started creating rules without state, whenever we would run into the problem. Thanks for the pointer about state-mismatch. The state-mismatch counter does is in fact high in my case (see below). How would I go about getting the pf state timeout and the reuse of ports for outbound connections to match? Or is this an intractable problem, that just needs to be worked around? Cheers, Stef Walter Status: Enabled for 13 days 23:55:25 Debug: Urgent Hostid: 0x38ae6776 State Table Total Rate current entries 65 searches 819507771 677.7/s inserts 1136670 0.9/s removals 1136605 0.9/s Counters match 787482855 651.2/s bad-offset 0 0.0/s fragment 0 0.0/s short 0 0.0/s normalize 0 0.0/s memory 0 0.0/s bad-timestamp 0 0.0/s congestion 0 0.0/s ip-option 0 0.0/s proto-cksum 0 0.0/s state-mismatch 748 0.0/s state-insert 0 0.0/s state-limit 0 0.0/s src-limit 0 0.0/s synproxy 0 0.0/s From kian.mohageri at gmail.com Thu Jul 3 16:20:06 2008 From: kian.mohageri at gmail.com (Kian Mohageri) Date: Thu Jul 3 16:20:10 2008 Subject: connect(): Operation not permitted In-Reply-To: <20080703003955.859BCF180C0@mx.npubs.com> References: <678A03F5-5E8A-4CF6-90DF-AA9A4F30FBE1@stromnet.se> <1211037564.6326.27.camel@porksoda> <679DB462-75D6-45CC-949C-1BE8E12C22CD@stromnet.se> <482FD877.6050707@infracaninophile.co.uk> <20080703003955.859BCF180C0@mx.npubs.com> Message-ID: On Wed, Jul 2, 2008 at 5:39 PM, Stef wrote: > Kian Mohageri wrote: >> On Sun, May 18, 2008 at 3:33 AM, Johan Str?m wrote: >>> On May 18, 2008, at 9:19 AM, 
Matthew Seaman wrote: >>> >>>> Johan Str?m wrote: >>>> >>>>> drop all traffic)? A check with pfctl -vsr reveals that the actual rule >>>>> inserted is "pass on lo0 inet from 123.123.123.123 to 123.123.123.123 flags >>>>> S/SA keep state". Where did that "keep state" come from? >>>> 'flags S/SA keep state' is the default now for tcp filter rules -- that >>>> was new in 7.0 reflecting the upstream changes made between the 4.0 and >>>> 4.1 >>>> releases of OpenBSD. If you want a stateless rule, append 'no state'. >>>> >>>> http://www.openbsd.org/faq/pf/filter.html#state >>> Thanks! I was actually looking around in the pf.conf manpage but failed to >>> find it yesterday, but looking closer today I now saw it. >>> Applied the no state (and quick) to the rule, and now no state is created. >>> And the problem I had in the first place seems to have been resolved too >>> now, even though it didn't look like a state problem.. (started to deny new >>> connections much earlier than the states was full, altough maybee i wasnt >>> looking for updates fast enough or something). >>> >> >> I'd be willing to bet it's because you're reusing the source port on a >> new connection before the old state expires. >> >> You'll know if you check the state-mismatch counter. >> >> Anyway, glad you found a resolution. > > I've been experiencing this "Operation not permitted" too. I've been > trying to track down the problem for many months, but due to the > complexity of my firewalls (scores of jails each with scores of rules), > I wasn't brave enough to ask for help :) > > As a work around we started creating rules without state, whenever we > would run into the problem. > > Thanks for the pointer about state-mismatch. The state-mismatch counter > does is in fact high in my case (see below). How would I go about > getting the pf state timeout and the reuse of ports for outbound > connections to match? Or is this an intractable problem, that just needs > to be worked around? 
> Make sure your state-mismatch counter is increasing at the same times you experience the problem (and isn't just high from some unrelated issue). A similar/related problem was addressed in OpenBSD 4.3 (http://www.openbsd.org/plus43.html). * In pf(4), allow state reuse if both sides are in FIN_WAIT_2 and a new SYN arrives. I'm not sure if it's been imported yet. If not, you could try tuning your timeout values (see pf.conf(5)). The specific issue I was experienced was solved by shortening tcp.closed, IIRC. It's been a while though. -Kian From koitsu at FreeBSD.org Fri Jul 4 11:32:14 2008 From: koitsu at FreeBSD.org (Jeremy Chadwick) Date: Fri Jul 4 11:32:26 2008 Subject: connect(): Operation not permitted In-Reply-To: References: <678A03F5-5E8A-4CF6-90DF-AA9A4F30FBE1@stromnet.se> <1211037564.6326.27.camel@porksoda> <679DB462-75D6-45CC-949C-1BE8E12C22CD@stromnet.se> <482FD877.6050707@infracaninophile.co.uk> <20080703003955.859BCF180C0@mx.npubs.com> Message-ID: <20080704113213.GA13586@eos.sc1.parodius.com> On Thu, Jul 03, 2008 at 08:55:21AM -0700, Kian Mohageri wrote: > On Wed, Jul 2, 2008 at 5:39 PM, Stef wrote: > > Kian Mohageri wrote: > >> On Sun, May 18, 2008 at 3:33 AM, Johan Str?m wrote: > >>> On May 18, 2008, at 9:19 AM, Matthew Seaman wrote: > >>> > >>>> Johan Str?m wrote: > >>>> > >>>>> drop all traffic)? A check with pfctl -vsr reveals that the actual rule > >>>>> inserted is "pass on lo0 inet from 123.123.123.123 to 123.123.123.123 flags > >>>>> S/SA keep state". Where did that "keep state" come from? > >>>> 'flags S/SA keep state' is the default now for tcp filter rules -- that > >>>> was new in 7.0 reflecting the upstream changes made between the 4.0 and > >>>> 4.1 > >>>> releases of OpenBSD. If you want a stateless rule, append 'no state'. > >>>> > >>>> http://www.openbsd.org/faq/pf/filter.html#state > >>> Thanks! I was actually looking around in the pf.conf manpage but failed to > >>> find it yesterday, but looking closer today I now saw it. 
> >>> Applied the no state (and quick) to the rule, and now no state is created. > >>> And the problem I had in the first place seems to have been resolved too > >>> now, even though it didn't look like a state problem.. (started to deny new > >>> connections much earlier than the states was full, altough maybee i wasnt > >>> looking for updates fast enough or something). > >>> > >> > >> I'd be willing to bet it's because you're reusing the source port on a > >> new connection before the old state expires. > >> > >> You'll know if you check the state-mismatch counter. > >> > >> Anyway, glad you found a resolution. > > > > I've been experiencing this "Operation not permitted" too. I've been > > trying to track down the problem for many months, but due to the > > complexity of my firewalls (scores of jails each with scores of rules), > > I wasn't brave enough to ask for help :) > > > > As a work around we started creating rules without state, whenever we > > would run into the problem. > > > > Thanks for the pointer about state-mismatch. The state-mismatch counter > > does is in fact high in my case (see below). How would I go about > > getting the pf state timeout and the reuse of ports for outbound > > connections to match? Or is this an intractable problem, that just needs > > to be worked around? > > Make sure your state-mismatch counter is increasing at the same times > you experience the problem (and isn't just high from some unrelated > issue). > > A similar/related problem was addressed in OpenBSD 4.3 > (http://www.openbsd.org/plus43.html). > > * In pf(4), allow state reuse if both sides are in FIN_WAIT_2 and a > new SYN arrives. > > I'm not sure if it's been imported yet. If not, you could try tuning > your timeout values (see pf.conf(5)). > > The specific issue I was experienced was solved by shortening > tcp.closed, IIRC. It's been a while though. When administrators see state-mismatch increasing, they get concerned. 
The common scapegoat is tcp.closed, which people don't even bother to describe (pf has an internal value of 10 seconds applied to that value, e.g. tcp.closed=5 means 15 seconds). You can set tcp.closed as low as you want, but chances are random Internet users will have equipment with IP stacks that re-use outbound sockets which haven't fully closed down within the aforementioned interval. pf cannot fix this. For example, on our production/hosting systems, we see state-mismatch increase fairly often. I just pfctl -F info'd our main webserver, and within about 15 minutes, state-mismatch was up to 22. We use tcp.closed of 5 (which means 15 seconds). Workarounds such as "no state" suffice, but if you use rdr rules, you MUST track state, which means there's no way of winning in that case. For sake of example, OpenBSD spamd requires the use of rdr rules. Administrators then ask 3 questions: 1) How do I determine whether or not state-mismatch increasing is a sign of bad things, or due to peoples' broken IP stacks, 2) What happens to packets which cause state-mismatch to increment, e.g. are they blocked, passed, or what? 3) Why isn't state-mismatch described in detail in the documentation? Finally, the fix in OpenBSD 4.3 should really be backported to FreeBSD ASAP. -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. 
PGP: 4BD6C0CB | From koitsu at FreeBSD.org Fri Jul 4 12:10:50 2008 From: koitsu at FreeBSD.org (Jeremy Chadwick) Date: Fri Jul 4 12:11:02 2008 Subject: connect(): Operation not permitted In-Reply-To: <20080704113213.GA13586@eos.sc1.parodius.com> References: <678A03F5-5E8A-4CF6-90DF-AA9A4F30FBE1@stromnet.se> <1211037564.6326.27.camel@porksoda> <679DB462-75D6-45CC-949C-1BE8E12C22CD@stromnet.se> <482FD877.6050707@infracaninophile.co.uk> <20080703003955.859BCF180C0@mx.npubs.com> <20080704113213.GA13586@eos.sc1.parodius.com> Message-ID: <20080704121050.GA14604@eos.sc1.parodius.com> On Fri, Jul 04, 2008 at 04:32:13AM -0700, Jeremy Chadwick wrote: > On Thu, Jul 03, 2008 at 08:55:21AM -0700, Kian Mohageri wrote: > > A similar/related problem was addressed in OpenBSD 4.3 > > (http://www.openbsd.org/plus43.html). > > > > * In pf(4), allow state reuse if both sides are in FIN_WAIT_2 and a > > new SYN arrives. The OpenBSD diff: http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c.diff?r2=1.559&r1=1.558&f=H I've submit a FreeBSD PR to get the above backported into RELENG_7 and RELENG_6: http://www.freebsd.org/cgi/query-pr.cgi?pr=125261 -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB | From linimon at FreeBSD.org Fri Jul 4 13:11:04 2008 From: linimon at FreeBSD.org (linimon@FreeBSD.org) Date: Fri Jul 4 13:11:14 2008 Subject: kern/125261: [pf] [patch] Backport OpenBSD 4.3 patch for pf re-using state Message-ID: <200807041310.m64DAwuE071290@freefall.freebsd.org> Old Synopsis: Backport OpenBSD 4.3 patch for pf re-using state New Synopsis: [pf] [patch] Backport OpenBSD 4.3 patch for pf re-using state Responsible-Changed-From-To: freebsd-bugs->freebsd-pf Responsible-Changed-By: linimon Responsible-Changed-When: Fri Jul 4 13:10:36 UTC 2008 Responsible-Changed-Why: Over to maintainer(s). 
http://www.freebsd.org/cgi/query-pr.cgi?pr=125261 From mlaier at FreeBSD.org Fri Jul 4 15:18:52 2008 From: mlaier at FreeBSD.org (mlaier@FreeBSD.org) Date: Fri Jul 4 15:18:58 2008 Subject: kern/125261: [pf] [patch] Backport OpenBSD 4.3 patch for pf re-using state Message-ID: <200807041518.m64FIqpl082341@freefall.freebsd.org> Synopsis: [pf] [patch] Backport OpenBSD 4.3 patch for pf re-using state Responsible-Changed-From-To: freebsd-pf->mlaier Responsible-Changed-By: mlaier Responsible-Changed-When: Fri Jul 4 15:17:48 UTC 2008 Responsible-Changed-Why: I'll take a look at this. While here I'll also try to get the missing diffs for SACK vs. modulate state imported. http://www.freebsd.org/cgi/query-pr.cgi?pr=125261 From kian.mohageri at gmail.com Fri Jul 4 21:30:57 2008 From: kian.mohageri at gmail.com (Kian Mohageri) Date: Fri Jul 4 21:31:14 2008 Subject: connect(): Operation not permitted In-Reply-To: <20080704113213.GA13586@eos.sc1.parodius.com> References: <678A03F5-5E8A-4CF6-90DF-AA9A4F30FBE1@stromnet.se> <1211037564.6326.27.camel@porksoda> <679DB462-75D6-45CC-949C-1BE8E12C22CD@stromnet.se> <482FD877.6050707@infracaninophile.co.uk> <20080703003955.859BCF180C0@mx.npubs.com> <20080704113213.GA13586@eos.sc1.parodius.com> Message-ID: On Fri, Jul 4, 2008 at 4:32 AM, Jeremy Chadwick wrote: > On Thu, Jul 03, 2008 at 08:55:21AM -0700, Kian Mohageri wrote: >> On Wed, Jul 2, 2008 at 5:39 PM, Stef wrote: >> > Kian Mohageri wrote: >> >> On Sun, May 18, 2008 at 3:33 AM, Johan Str?m wrote: >> >>> On May 18, 2008, at 9:19 AM, Matthew Seaman wrote: >> >>> >> >>>> Johan Str?m wrote: >> >>>> >> >>>>> drop all traffic)? A check with pfctl -vsr reveals that the actual rule >> >>>>> inserted is "pass on lo0 inet from 123.123.123.123 to 123.123.123.123 flags >> >>>>> S/SA keep state". Where did that "keep state" come from? 
>> >>>> 'flags S/SA keep state' is the default now for tcp filter rules -- that >> >>>> was new in 7.0 reflecting the upstream changes made between the 4.0 and >> >>>> 4.1 >> >>>> releases of OpenBSD. If you want a stateless rule, append 'no state'. >> >>>> >> >>>> http://www.openbsd.org/faq/pf/filter.html#state >> >>> Thanks! I was actually looking around in the pf.conf manpage but failed to >> >>> find it yesterday, but looking closer today I now saw it. >> >>> Applied the no state (and quick) to the rule, and now no state is created. >> >>> And the problem I had in the first place seems to have been resolved too >> >>> now, even though it didn't look like a state problem.. (started to deny new >> >>> connections much earlier than the states was full, altough maybee i wasnt >> >>> looking for updates fast enough or something). >> >>> >> >> >> >> I'd be willing to bet it's because you're reusing the source port on a >> >> new connection before the old state expires. >> >> >> >> You'll know if you check the state-mismatch counter. >> >> >> >> Anyway, glad you found a resolution. >> > >> > I've been experiencing this "Operation not permitted" too. I've been >> > trying to track down the problem for many months, but due to the >> > complexity of my firewalls (scores of jails each with scores of rules), >> > I wasn't brave enough to ask for help :) >> > >> > As a work around we started creating rules without state, whenever we >> > would run into the problem. >> > >> > Thanks for the pointer about state-mismatch. The state-mismatch counter >> > does is in fact high in my case (see below). How would I go about >> > getting the pf state timeout and the reuse of ports for outbound >> > connections to match? Or is this an intractable problem, that just needs >> > to be worked around? >> >> Make sure your state-mismatch counter is increasing at the same times >> you experience the problem (and isn't just high from some unrelated >> issue). 
>> >> A similar/related problem was addressed in OpenBSD 4.3 >> (http://www.openbsd.org/plus43.html). >> >> * In pf(4), allow state reuse if both sides are in FIN_WAIT_2 and a >> new SYN arrives. >> >> I'm not sure if it's been imported yet. If not, you could try tuning >> your timeout values (see pf.conf(5)). >> >> The specific issue I was experienced was solved by shortening >> tcp.closed, IIRC. It's been a while though. > > When administrators see state-mismatch increasing, they get concerned. > The common scapegoat is tcp.closed, which people don't even bother to > describe (pf has an internal value of 10 seconds applied to that value, > e.g. tcp.closed=5 means 15 seconds). > > You can set tcp.closed as low as you want, but chances are random > Internet users will have equipment with IP stacks that re-use outbound > sockets which haven't fully closed down within the aforementioned > interval. pf cannot fix this. > > For example, on our production/hosting systems, we see state-mismatch > increase fairly often. I just pfctl -F info'd our main webserver, and > within about 15 minutes, state-mismatch was up to 22. We use tcp.closed > of 5 (which means 15 seconds). > > Workarounds such as "no state" suffice, but if you use rdr rules, you > MUST track state, which means there's no way of winning in that case. > For sake of example, OpenBSD spamd requires the use of rdr rules. > > Administrators then ask 3 questions: > For the sake of a helpful archive... > 1) How do I determine whether or not state-mismatch increasing is a > sign of bad things, or due to peoples' broken IP stacks, You can't. Only way you know is probably when people complain, or you notice scripts/page loads failing. > 2) What happens to packets which cause state-mismatch to increment, > e.g. are they blocked, passed, or what? Dropped. In the case of a state-mismatch during TCP handshake, an RST is sent. That's why the failure happens immediately. 
> 3) Why isn't state-mismatch described in detail in the documentation? > Good question. I guess because it would be difficult to document all of the reasons a state wouldn't match. It would be easier to simply document what a state _is_, but that's already in the archives. -Kian From torsten at cnc-london.net Sun Jul 6 00:52:59 2008 From: torsten at cnc-london.net (Torsten) Date: Sun Jul 6 00:53:05 2008 Subject: Server for FreeBSD-PF project sponsorship In-Reply-To: <951843799.20080626164431@rcfd.spb.ru> References: <951843799.20080626164431@rcfd.spb.ru> Message-ID: <016e01c8defe$d92773c0$8b765b40$@net> HI Everyone This is intended only for the developers/maintainers of FreeBSD and there projects. I have just made a deal on eBay for 7 servers very cheap and I would like to donate on or two to your efforts on maintaining and developing FreeBSD. I'm a lover and heavy user of FreeBSD in corporate environments of FreeBSD an since 2003 and have scavenged/leeched of your efforts Because of this I'm very keen on giving something back. The machines are 2U rack mount servers with the following each: 2 x 2.4 Xeon processors, 512MB cache, 533 MHz bus 2 x 1 gig memory DDR 266 ECC 2 x 100 MHz pcix slots 2 x 32 bit pci slots 2 x Intel Gigabit NIS (pre em6.6.3 drivers) ATI rage pro Graphs 400 watt eps 12.1 power supplies 4 x 3.5 drives 2 x 5-1/4 drive bays basically they are super micro motherboards X5DEI-GG and Dual Xeons and the best HW-config for FreeBSD I'm definitely able to give one but if convinced by good reasons I will give two. My priority to sponsor is kernel, network, *PF* and they will only be handed over to the FreeBSD Foundation for any use the foundation sees fit. 
I will pay the shipping if I can afford it , :-) Please write back to me directly or over the mailing list Regards Torsten PS.: I have 3 pretty fast DLS links (ADSL 24+) with fixed IP's here in the UK , if you want me to keep them here and make available to what ever is required, let me know From bugmaster at FreeBSD.org Mon Jul 7 11:07:04 2008 From: bugmaster at FreeBSD.org (FreeBSD bugmaster) Date: Mon Jul 7 11:08:49 2008 Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org Message-ID: <200807071107.m67B737i062123@freefall.freebsd.org> Current FreeBSD problem reports Critical problems S Tracker Resp. Description -------------------------------------------------------------------------------- o kern/111220 pf [pf] repeatable hangs while manipulating pf tables 1 problem total. Serious problems S Tracker Resp. Description -------------------------------------------------------------------------------- o kern/82271 pf [pf] cbq scheduler cause bad latency o kern/92949 pf [pf] PF + ALTQ problems with latency o kern/120281 pf [pf] [request] lost returning packets to PF for a rdr o kern/122014 pf [pf] [panic] FreeBSD 6.2 panic in pf o kern/124364 pf [pf] [panic] Kernel panic with pf + bridge s kern/124933 pf [pf] [ip6] pf does not support (drops) IPv6 fragmented 6 problems total. Non-critical problems S Tracker Resp. Description -------------------------------------------------------------------------------- o sparc/93530 pf [pf] Incorrect checksums when using pf's route-to on s o kern/93825 pf [pf] pf reply-to doesn't work s conf/110838 pf [pf] tagged parameter on nat not working on FreeBSD 5. o kern/114095 pf [carp] carp+pf delay with high state limit o kern/114567 pf [pf] LOR pf_ioctl.c + if.c o bin/118355 pf [pf] [patch] pfctl(8) help message options order false o kern/120057 pf [pf] [patch] Allow proper settings of ALTQ_HFSC. 
The c o kern/121704 pf [pf] PF mangles loopback packets o kern/122773 pf [pf] pf doesn't log uid or pid when configured to 9 problems total. From m.pagulayan at auckland.ac.nz Wed Jul 9 07:15:12 2008 From: m.pagulayan at auckland.ac.nz (Mark Pagulayan) Date: Wed Jul 9 07:15:18 2008 Subject: Suggestions on how to do Layer 2 load balacing with PF Message-ID: <6E7521247AB3F04685C35F382AADE1B123932C7967@UXCHANGE7-2.UoA.auckland.ac.nz> Hi Guys, I was just wondering if anyone of you have done layer 2 load balancing with PF. We tried to load balance traffic between two bridge firewall through OSPF, by putting equal weights on the router ports. But the problem we encountered is that when packet exits FW1 ( a state is created) it returns to FW2, the packet gets drop because the state created on FW1 has not yet synced on FW2. We did this experiment because the firewall starts to drop packets when packet rates reach 30Kp/s hoping that we load balance it, we can distribute traffic to the firewalls. And just for information where a using a Gig interface (em) I wanted to ask if anyone of you have done load balancing on layer2 and how they have done it. Your help guys would be mostly appreciated. Best Regards, Mark From leccine at gmail.com Wed Jul 9 10:06:24 2008 From: leccine at gmail.com (=?ISO-8859-1?Q?Istv=E1n_Szuk=E1cs?=) Date: Wed Jul 9 10:06:30 2008 Subject: Suggestions on how to do Layer 2 load balacing with PF In-Reply-To: <6E7521247AB3F04685C35F382AADE1B123932C7967@UXCHANGE7-2.UoA.auckland.ac.nz> References: <6E7521247AB3F04685C35F382AADE1B123932C7967@UXCHANGE7-2.UoA.auckland.ac.nz> Message-ID: hi! http://people.freebsd.org/~mlaier/sucon.pdf CARP Supports layer 2 load balancing (ARP based) cheers On Wed, Jul 9, 2008 at 8:14 AM, Mark Pagulayan wrote: > Hi Guys, > > I was just wondering if anyone of you have done layer 2 load balancing with > PF. > > We tried to load balance traffic between two bridge firewall through OSPF, > by putting equal weights on the router ports. 
But the problem we encountered > is that when packet exits FW1 ( a state is created) it returns to FW2, the > packet gets drop because the state created on FW1 has not yet synced on FW2. > > We did this experiment because the firewall starts to drop packets when > packet rates reach 30Kp/s hoping that we load balance it, we can distribute > traffic to the firewalls. And just for information where a using a Gig > interface (em) > > I wanted to ask if anyone of you have done load balancing on layer2 and > how they have done it. > > Your help guys would be mostly appreciated. > > Best Regards, > > Mark > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > -- the sun shines for all From jd at ods.org Wed Jul 9 10:43:05 2008 From: jd at ods.org (Jason DiCioccio) Date: Wed Jul 9 10:43:12 2008 Subject: Suggestions on how to do Layer 2 load balacing with PF In-Reply-To: <6E7521247AB3F04685C35F382AADE1B123932C7967@UXCHANGE7-2.UoA.auckland.ac.nz> References: <6E7521247AB3F04685C35F382AADE1B123932C7967@UXCHANGE7-2.UoA.auckland.ac.nz> Message-ID: <4874925D.4020306@ods.org> Hey Mark, Mark Pagulayan wrote: > Hi Guys, > > I was just wondering if anyone of you have done layer 2 load balancing with PF. > > We tried to load balance traffic between two bridge firewall through OSPF, by putting equal weights on the router ports. But the problem we encountered is that when packet exits FW1 ( a state is created) it returns to FW2, the packet gets drop because the state created on FW1 has not yet synced on FW2. > The first thing that comes to my mind is changing the behavior on the router. Many routers allow you to choose how they forward in a situation with equal-cost paths. See below for the Juniper version of this. 
http://www.juniper.net/techpubs/software/junos/junos70/swconfig70-policy/html/policy-actions-config11.html Regards, -JD- From stefan.lambrev at moneybookers.com Wed Jul 9 12:06:27 2008 From: stefan.lambrev at moneybookers.com (Stefan Lambrev) Date: Wed Jul 9 12:06:33 2008 Subject: Suggestions on how to do Layer 2 load balacing with PF In-Reply-To: References: <6E7521247AB3F04685C35F382AADE1B123932C7967@UXCHANGE7-2.UoA.auckland.ac.nz> Message-ID: <4874A61E.1040508@moneybookers.com> Hi, It's a very interesting question - at least for me. :) Istv?n Szuk?cs wrote: > hi! > > http://people.freebsd.org/~mlaier/sucon.pdf > > CARP > > Supports layer 2 load balancing (ARP based) > But the OP claims that pfsync is not fast enough to sync all states? How will balancing work then? Also I can't imagine the combination of bridge and carp (on same firewall).. after all CARP needs IP and bridge is transparent? > cheers > > On Wed, Jul 9, 2008 at 8:14 AM, Mark Pagulayan > wrote: > > >> Hi Guys, >> >> I was just wondering if anyone of you have done layer 2 load balancing with >> PF. >> >> We tried to load balance traffic between two bridge firewall through OSPF, >> by putting equal weights on the router ports. But the problem we encountered >> is that when packet exits FW1 ( a state is created) it returns to FW2, the >> packet gets drop because the state created on FW1 has not yet synced on FW2. >> I guess you have two external uplinks - one for every firewall. Can you draw simple schema of the network topology? >> We did this experiment because the firewall starts to drop packets when >> packet rates reach 30Kp/s hoping that we load balance it, we can distribute >> traffic to the firewalls. And just for information where a using a Gig >> interface (em) >> 30kpps is very low. Bridge with stateful PF should handle at least 100-150kpps, probably your hardware is not up to the task? 
You may want to look at "Freebsd IP Forwarding performance (question, and some info) [7-stable, current, em, smp]" thread in freebsd-net archives for how to tune your router/firewall. >> I wanted to ask if anyone of you have done load balancing on layer2 and >> how they have done it. >> >> Your help guys would be mostly appreciated. >> >> Best Regards, >> >> Mark >> _______________________________________________ >> freebsd-pf@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-pf >> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" >> >> > > > > -- Best Wishes, Stefan Lambrev ICQ# 24134177 From leslie at eskk.nu Wed Jul 9 18:55:38 2008 From: leslie at eskk.nu (Leslie Jensen) Date: Wed Jul 9 18:55:46 2008 Subject: New pf install on Freebsd7 seem to be a slow starter. Message-ID: <48750381.1030004@eskk.nu> Hello When I boot the machine where pf is installed, every thing I can see looks ok. It's hard to read the text scrolling on the screen and the information concerning pf is not to be found in /var/log/messages. Anyway I have one PC on the inside and it takes some time before it's able to reach the outside world. I can speed up the process by making a change to pf.conf and then use the command pfctl -f /etc/pf.conf. Another thing I see is that for example I add log (all) to one of my filters and do pfctl -f /etc/pf.conf, then later I remove it again and do pfctl -f /etc/pf.conf. The output from tcpdump -n -e -ttt -i pflog0 still shows packages as if it had not refreshed and still have the "log (all)" active. I know my problems is a little bit unclear but I hope someone will help my solving this behaviour in the right way. 
Thanks /Leslie ----------- My pf.conf -------------------- # macros int_if="xl0" ext_if="bfe0" tcp_services="{ 22 }" tcp_priv_services="{ 389, 443 }" icmp_types="echoreq" # tables table { something.somewhere.com, somethingelse.somewhere.com, xxx.yyy.zzz.qqq } # options set block-policy return set loginterface $ext_if set skip on lo0 # scrub scrub in # ext_if IP address could be dynamic, hence ($ext_if) nat on $ext_if from !($ext_if) to any -> ($ext_if) # filter rules block in log (all) on $ext_if pass out keep state # Let the goodguys access the machine from the outside pass in on $ext_if inet proto tcp from to ($ext_if) \ port $tcp_services flags S/SA keep state # ICMP traffic needs to be passed: pass inet proto icmp all icmp-type $icmp_types keep state # traffic must be passed to and from the internal network pass in quick on $int_if -------------------------------------------- From fox at verio.net Wed Jul 9 23:25:39 2008 From: fox at verio.net (David DeSimone) Date: Wed Jul 9 23:25:46 2008 Subject: New pf install on Freebsd7 seem to be a slow starter. In-Reply-To: <48750381.1030004@eskk.nu> References: <48750381.1030004@eskk.nu> Message-ID: <20080709225423.GB1011@verio.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Leslie Jensen wrote: > > # tables > table { something.somewhere.com, somethingelse.somewhere.com, > xxx.yyy.zzz.qqq } This looks like the problem. You have put hostnames in your pf.conf. While this is supported, hostname lookups at boot time are problematic because the network is just getting started. Nameservers are not always immediately reachable, so these name lookups will stall out. I recommend you put IP addresses in your pf.conf so that it can be loaded without waiting for a nameserver. Alternatively, put these hostnames (and IP's) in your /etc/hosts file. 
- -- David DeSimone == Network Admin == fox@verio.net "This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, dis- tribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free. Thank you." --Lawyer Bot 6000 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFIdUGfFSrKRjX5eCoRAjZBAKCVjmLXTht41z8OVtUIAdjxEbhmyACgpSkr kpKtjfEnBwMxdDhe30pVxpI= =hFXu -----END PGP SIGNATURE----- This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free. Thank you. From max at love2party.net Wed Jul 9 23:48:13 2008 From: max at love2party.net (Max Laier) Date: Wed Jul 9 23:48:22 2008 Subject: New pf install on Freebsd7 seem to be a slow starter. In-Reply-To: <48750381.1030004@eskk.nu> References: <48750381.1030004@eskk.nu> Message-ID: <200807100145.26576.max@love2party.net> On Wednesday 09 July 2008 20:29:21 Leslie Jensen wrote: > Anyway I have one PC on the inside and it takes some time before it's > able to reach the outside world. What David said. > Another thing I see is that for example I add log (all) to one of my > filters and do pfctl -f /etc/pf.conf, then later I remove it again and > do pfctl -f /etc/pf.conf. 
> The output from tcpdump -n -e -ttt -i pflog0
> still shows packets as if it had not refreshed and still have the "log
> (all)" active.

That's expected. The rule will create a state with the "log (all)" flag
set. When you reload the ruleset no more new states will be created with
that flag, but the existing states stick around and keep logging all
packets. You can either "pfctl -Fstates" or simply wait until they die
off on their own.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From leslie at eskk.nu Thu Jul 10 09:15:50 2008
From: leslie at eskk.nu (Leslie Jensen)
Date: Thu Jul 10 09:15:56 2008
Subject: ***SPAM*** Re: New pf install on Freebsd7 seem to be a slow starter.
In-Reply-To: <20080709225423.GB1011@verio.net>
References: <48750381.1030004@eskk.nu> <20080709225423.GB1011@verio.net>
Message-ID: <4875D33C.2010506@eskk.nu>

David DeSimone skrev:
> Leslie Jensen wrote:
>> # tables
>> table <goodguys> { something.somewhere.com, somethingelse.somewhere.com,
>> xxx.yyy.zzz.qqq }
>
> This looks like the problem. You have put hostnames in your pf.conf.
> While this is supported, hostname lookups at boot time are problematic
> because the network is just getting started. Nameservers are not always
> immediately reachable, so these name lookups will stall out.
>
> I recommend you put IP addresses in your pf.conf so that it can be
> loaded without waiting for a nameserver.
>
> Alternatively, put these hostnames (and IP's) in your /etc/hosts file.

Oh, I didn't know that! Can you tell me how to handle this?

The problem is these hosts are not fixed IP's so they use no-ip
(http://www.no-ip.com/) to provide a fixed address.
Thanks
/Leslie

From linimon at FreeBSD.org Thu Jul 10 09:23:28 2008
From: linimon at FreeBSD.org (linimon@FreeBSD.org)
Date: Thu Jul 10 09:23:52 2008
Subject: kern/125467: [pf] pf keep state bug while handling sessions between vlan trunk
Message-ID: <200807100923.m6A9NRqC072692@freefall.freebsd.org>

Old Synopsis: pf keep state bug while handling sessions between vlan trunk
New Synopsis: [pf] pf keep state bug while handling sessions between vlan trunk

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Thu Jul 10 09:22:47 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=125467

From hideous at mail.ru Thu Jul 10 10:15:36 2008
From: hideous at mail.ru (Dennis)
Date: Thu Jul 10 10:16:32 2008
Subject: ***SPAM*** Re: New pf install on Freebsd7 seem to be a slow starter.
In-Reply-To: <4875D33C.2010506@eskk.nu>
References: <48750381.1030004@eskk.nu> <20080709225423.GB1011@verio.net> <4875D33C.2010506@eskk.nu>
Message-ID: <3910389261.20080710125542@mail.ru>

LJ> David DeSimone skrev:
>> Leslie Jensen wrote:
>>> # tables
>>> table <goodguys> { something.somewhere.com, somethingelse.somewhere.com,
>>> xxx.yyy.zzz.qqq }
>>
>> This looks like the problem. You have put hostnames in your pf.conf.
>> While this is supported, hostname lookups at boot time are problematic
>> because the network is just getting started. Nameservers are not always
>> immediately reachable, so these name lookups will stall out.
>>
>> I recommend you put IP addresses in your pf.conf so that it can be
>> loaded without waiting for a nameserver.
>>
>> Alternatively, put these hostnames (and IP's) in your /etc/hosts file.

LJ> Oh, I didn't know that! Can you tell me how to handle this?

LJ> The problem is these hosts are not fixed IP's so they use no-ip
LJ> (http://www.no-ip.com/) to provide a fixed address.
It's possible to populate the table after the network is initialized and all
other services are up. Just place an empty table

    table <goodguys> persist

in your pf.conf and

    pfctl -t goodguys -T add \
        something.somewhere.com \
        somethingelse.somewhere.com \
        xxx.yyy.zzz.qqq &

into your /etc/rc.local, so pf will start up without delays.

Regards,
Dennis

From leslie at eskk.nu Thu Jul 10 12:15:23 2008
From: leslie at eskk.nu (Leslie Jensen)
Date: Thu Jul 10 12:15:30 2008
Subject: New pf install on Freebsd7 seem to be a slow starter.
In-Reply-To: <3910389261.20080710125542@mail.ru>
References: <48750381.1030004@eskk.nu> <20080709225423.GB1011@verio.net> <4875D33C.2010506@eskk.nu> <3910389261.20080710125542@mail.ru>
Message-ID: <4875FD52.1090201@eskk.nu>

Dennis skrev:
> LJ> Oh, I didn't know that! Can you tell me how to handle this?
>
> LJ> The problem is these hosts are not fixed IP's so they use no-ip
> LJ> (http://www.no-ip.com/) to provide a fixed address.
>
> It's possible to populate the table after the network is initialized and all
> other services are up. Just place an empty table
>
>     table <goodguys> persist
>
> in your pf.conf and
>
>     pfctl -t goodguys -T add \
>         something.somewhere.com \
>         somethingelse.somewhere.com \
>         xxx.yyy.zzz.qqq &
>
> into your /etc/rc.local, so pf will start up without delays.
>
> Regards,
> Dennis

Thanks Dennis.

I forgot to mention that I'm on a FreeBSD 7 system so the rc.local thing
must go somewhere else, do you know where?

/Leslie

From leslie at eskk.nu Thu Jul 10 12:24:39 2008
From: leslie at eskk.nu (Leslie Jensen)
Date: Thu Jul 10 12:24:46 2008
Subject: New pf install on Freebsd7 seem to be a slow starter.
In-Reply-To: <4875FD52.1090201@eskk.nu>
References: <48750381.1030004@eskk.nu> <20080709225423.GB1011@verio.net> <4875D33C.2010506@eskk.nu> <3910389261.20080710125542@mail.ru> <4875FD52.1090201@eskk.nu>
Message-ID: <4875FF7D.8050304@eskk.nu>

Leslie Jensen skrev:
>
> Dennis skrev:
>
>> LJ> Oh, I didn't know that! Can you tell me how to handle this?
>>
>> LJ> The problem is these hosts are not fixed IP's so they use no-ip
>> LJ> (http://www.no-ip.com/) to provide a fixed address.
>>
>> It's possible to populate the table after the network is initialized and all
>> other services are up. Just place an empty table
>>
>>     table <goodguys> persist
>>
>> in your pf.conf and
>>
>>     pfctl -t goodguys -T add \
>>         something.somewhere.com \
>>         somethingelse.somewhere.com \
>>         xxx.yyy.zzz.qqq &
>>
>> into your /etc/rc.local, so pf will start up without delays.
>>
>> Regards,
>> Dennis
>>
>
> Thanks Dennis.
>
> I forgot to mention that I'm on a FreeBSD 7 system so the rc.local thing
> must go somewhere else, do you know where?
>
> /Leslie

Sorry!!!! I had to create the file.

If I've understood this right this will only be right at the time the
machine starts. How do I get to know if the hosts change their addresses?
Should I invoke a cron job that does the same as you suggested?

Thanks
/Leslie

From tevans.uk at googlemail.com Thu Jul 10 12:46:31 2008
From: tevans.uk at googlemail.com (Tom Evans)
Date: Thu Jul 10 12:46:38 2008
Subject: New pf install on Freebsd7 seem to be a slow starter.
In-Reply-To: <4875FD52.1090201@eskk.nu>
References: <48750381.1030004@eskk.nu> <20080709225423.GB1011@verio.net> <4875D33C.2010506@eskk.nu> <3910389261.20080710125542@mail.ru> <4875FD52.1090201@eskk.nu>
Message-ID: <1215692423.35536.73.camel@localhost>

On Thu, 2008-07-10 at 14:15 +0200, Leslie Jensen wrote:
> Thanks Dennis.
>
> I forgot to mention that I'm on a FreeBSD 7 system so the rc.local thing
> must go somewhere else, do you know where?
>
> /Leslie
>

It still applies to FreeBSD 7. Create /etc/rc.local if it doesn't exist.
It is started (well, sourced) by /etc/rc.d/local

Tom
From hideous at mail.ru Thu Jul 10 13:01:34 2008
From: hideous at mail.ru (Dennis)
Date: Thu Jul 10 13:01:41 2008
Subject: New pf install on Freebsd7 seem to be a slow starter.
In-Reply-To: <4875FF7D.8050304@eskk.nu>
References: <48750381.1030004@eskk.nu> <20080709225423.GB1011@verio.net> <4875D33C.2010506@eskk.nu> <3910389261.20080710125542@mail.ru> <4875FD52.1090201@eskk.nu> <4875FF7D.8050304@eskk.nu>
Message-ID: <101002322.20080710160132@mail.ru>

LJ> Leslie Jensen skrev:
>>
>> Dennis skrev:
>>
>>> LJ> Oh, I didn't know that! Can you tell me how to handle this?
>>>
>>> LJ> The problem is these hosts are not fixed IP's so they use no-ip
>>> LJ> (http://www.no-ip.com/) to provide a fixed address.
>>>
>>> It's possible to populate the table after the network is initialized and all
>>> other services are up. Just place an empty table
>>>
>>>     table <goodguys> persist
>>>
>>> in your pf.conf and
>>>
>>>     pfctl -t goodguys -T add \
>>>         something.somewhere.com \
>>>         somethingelse.somewhere.com \
>>>         xxx.yyy.zzz.qqq &
>>>
>>> into your /etc/rc.local, so pf will start up without delays.
>>>
>>
>> I forgot to mention that I'm on a FreeBSD 7 system so the rc.local thing
>> must go somewhere else, do you know where?
>>

LJ> If I've understood this right this will only be right at the time the
LJ> machine starts. How do I get to know if the hosts change their
LJ> addresses? Should I invoke a cron job that does the same as you suggested?

LJ> Thanks

Yes. Also you would have to clear the table before loading new IP
addresses into it. Querying the authoritative server with, for example,
`nslookup`, instead of relying on the local resolver would make this thing
more robust.

Regards,
Dennis.
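A fuller version of the refresh script that Dennis and Leslie are sketching in this exchange, added here as an example rather than code anyone posted to the list. It assumes host(1) from the FreeBSD base system for lookups instead of nslookup, a names file at /usr/local/etc/goodguys.names, and a table declared as "table <goodguys> persist" in pf.conf; the file path, the optional DNS_SERVER variable and the "apply" argument are illustrative choices, not anything from the thread. Rather than flushing the table and re-adding entries, it resolves every name, keeps only well-formed IPv4 addresses, and swaps the table contents in one pfctl call with -T replace.

```shell
#!/bin/sh
# refresh-goodguys.sh: rebuild the pf table <goodguys> from DNS names.
# Added example for this thread, not code posted by anyone in it.
# Assumptions (not from the thread): the table is declared
# "table <goodguys> persist" in pf.conf, host(1) is used for lookups,
# and the names live one per line in $NAMES_FILE ("#" starts a comment).
# Run it from /etc/rc.local once the network is up, and from cron.
set -eu

TABLE="${TABLE:-goodguys}"
NAMES_FILE="${NAMES_FILE:-/usr/local/etc/goodguys.names}"
# Optional: query a specific server (e.g. the zone's authoritative one)
# instead of the local resolver, as Dennis suggests.
DNS_SERVER="${DNS_SERVER:-}"

# Keep only well-formed IPv4 addresses from host(1) "X has address A.B.C.D"
# lines on stdin. Anything else (MX lines, "Using domain server" banners,
# malformed octets) is dropped so it can never reach the firewall table.
extract_ipv4() {
    awk '
        $2 == "has" && $3 == "address" {
            n = split($4, o, ".")
            if (n != 4) next
            ok = 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
            if (ok) print $4
        }' | sort -u
}

# Look up the A records of one name. Prints nothing on failure instead of
# aborting, so one dead name does not stop the others from being refreshed.
resolve_name() {
    if [ -n "$DNS_SERVER" ]; then
        host -t A "$1" "$DNS_SERVER" 2>/dev/null || true
    else
        host -t A "$1" 2>/dev/null || true
    fi
}

# Resolve every name in $NAMES_FILE (blank lines and # comments ignored)
# and print the unique set of addresses, one per line.
resolve_all() {
    addrs=""
    for name in $(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$NAMES_FILE"); do
        addrs="$addrs
$(resolve_name "$name" | extract_ipv4)"
    done
    printf '%s\n' "$addrs" | sed '/^$/d' | sort -u
}

# Replace the table contents in a single pfctl call. Unlike
# "pfctl -F Tables" followed by "-T add", this leaves no window in which
# the table is empty. If nothing resolved at all, the old entries are kept
# and the script exits non-zero so cron reports it; flush the table here
# instead if you would rather fail closed.
refresh_table() {
    addrs=$(resolve_all)
    if [ -z "$addrs" ]; then
        echo "refresh_table: no names resolved; leaving <$TABLE> unchanged" >&2
        return 1
    fi
    printf '%s\n' "$addrs" | pfctl -t "$TABLE" -T replace -f -
}

# Only touch pf when invoked with "apply", so the functions above can be
# sourced and exercised without root or a running pf.
if [ "${1:-}" = "apply" ]; then
    refresh_table
fi
```

Invoke it as `sh refresh-goodguys.sh apply` from /etc/rc.local and from a root crontab entry at whatever interval matches the dynamic-DNS TTL. Because the table is only ever rewritten from a successful resolution, a resolver outage cannot empty it by accident; whether stale entries or an empty allow-list is the safer failure mode is a policy call for the allow-list in question, and the non-zero exit is the hook for whichever you pick.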
From leslie at eskk.nu Thu Jul 10 13:52:41 2008
From: leslie at eskk.nu (Leslie Jensen)
Date: Thu Jul 10 13:52:47 2008
Subject: New pf install on Freebsd7 seem to be a slow starter.
In-Reply-To: <101002322.20080710160132@mail.ru>
References: <48750381.1030004@eskk.nu> <20080709225423.GB1011@verio.net> <4875D33C.2010506@eskk.nu> <3910389261.20080710125542@mail.ru> <4875FD52.1090201@eskk.nu> <4875FF7D.8050304@eskk.nu> <101002322.20080710160132@mail.ru>
Message-ID: <4876141F.6060202@eskk.nu>

>>>> in your pf.conf and
>>>>
>>>>     pfctl -t goodguys -T add \
>>>>         something.somewhere.com \
>>>>         somethingelse.somewhere.com \
>>>>         xxx.yyy.zzz.qqq &
>>>>
>>>> into your /etc/rc.local, so pf will start up without delays.
>>>>
>>> I forgot to mention that I'm on a FreeBSD 7 system so the rc.local thing
>>> must go somewhere else, do you know where?
>>>
> LJ> If I've understood this right this will only be right at the time the
> LJ> machine starts. How do I get to know if the hosts change their
> LJ> addresses? Should I invoke a cron job that does the same as you suggested?
> LJ> Thanks
>
> Yes. Also you would have to clear the table before loading new IP
> addresses into it. Querying the authoritative server with, for example,
> `nslookup`, instead of relying on the local resolver would make this thing
> more robust.
>
> Regards,
> Dennis.

Thank you Dennis.

I've started on a script to run as root from cron.

I need a little help to invoke the nslookup function and make it go into
the goodguys table.

The flushing part I've got ;-)

But then what do I do?

----------------------------
#!/bin/sh
# flush every pf table (not just <goodguys>)
pfctl -F Tables
----------------------------

Thanks
/Leslie

From leslie at eskk.nu Thu Jul 10 14:04:55 2008
From: leslie at eskk.nu (Leslie Jensen)
Date: Thu Jul 10 14:05:02 2008
Subject: New pf install on Freebsd7 seem to be a slow starter.
In-Reply-To: <1215692423.35536.73.camel@localhost>
References: <48750381.1030004@eskk.nu> <20080709225423.GB1011@verio.net> <4875D33C.2010506@eskk.nu> <3910389261.20080710125542@mail.ru> <4875FD52.1090201@eskk.nu> <1215692423.35536.73.camel@localhost>
Message-ID: <487616FD.7010905@eskk.nu>

>
> It still applies to FreeBSD 7. Create /etc/rc.local if it doesn't exist.
> It is started (well, sourced) by /etc/rc.d/local
>
> Tom

After some Googling I found this article

http://www.freebsddiary.org/startup.php

It suggests that one should not use /etc/rc.local!

/Leslie

From hideous at mail.ru Thu Jul 10 14:51:08 2008
From: hideous at mail.ru (Dennis)
Date: Thu Jul 10 14:51:15 2008
Subject: New pf install on Freebsd7 seem to be a slow starter.
In-Reply-To: <4876141F.6060202@eskk.nu>
References: <48750381.1030004@eskk.nu> <20080709225423.GB1011@verio.net> <4875D33C.2010506@eskk.nu> <3910389261.20080710125542@mail.ru> <4875FD52.1090201@eskk.nu> <4875FF7D.8050304@eskk.nu> <101002322.20080710160132@mail.ru> <4876141F.6060202@eskk.nu>
Message-ID: <1188419671.20080710175106@mail.ru>

>>>>> in your pf.conf and
>>>>>
>>>>>     pfctl -t goodguys -T add \
>>>>>         something.somewhere.com \
>>>>>         somethingelse.somewhere.com \
>>>>>         xxx.yyy.zzz.qqq &
>>>>>
>>>>> into your /etc/rc.local, so pf will start up without delays.
>>>>>
>>>> I forgot to mention that I'm on a FreeBSD 7 system so the rc.local thing
>>>> must go somewhere else, do you know where?
>>>>
>> LJ> If I've understood this right this will only be right at the time the
>> LJ> machine starts. How do I get to know if the hosts change their
>> LJ> addresses? Should I invoke a cron job that does the same as you suggested?
>> LJ> Thanks
>>
>> Yes. Also you would have to clear the table before loading new IP
>> addresses into it. Querying the authoritative server with, for example,
>> `nslookup`, instead of relying on the local resolver would make this thing
>> more robust.
>>
>> Regards,
>> Dennis.

LJ> Thank you Dennis.
LJ> I've started on a script to run as root from cron.

LJ> I need a little help to invoke the nslookup function and make it go into
LJ> the goodguys table.

LJ> The flushing part I've got ;-)

LJ> But then what do I do?

LJ> ----------------------------
LJ> #!/bin/sh
LJ> pfctl -F Tables
LJ> ----------------------------

LJ> Thanks
LJ> /Leslie

    # one name per line in goodguys.names; each is looked up directly at
    # nf2.no-ip.com, the last dotted-quad on each nslookup output line is
    # kept, and the result is added to the table (-J is BSD xargs' replstr)
    ( cat goodguys.names \
        | ( xargs -n1 -J% nslookup % nf2.no-ip.com ) \
        | egrep -o '(([[:digit:]])+\.){3}[[:digit:]]+$' \
        | xargs -J% pfctl -t goodguys -T add % ) &

Of course, utilities and files should have full paths in their names for a
script.

Regards,
Dennis.

From tevans.uk at googlemail.com Thu Jul 10 15:01:51 2008
From: tevans.uk at googlemail.com (Tom Evans)
Date: Thu Jul 10 15:02:00 2008
Subject: New pf install on Freebsd7 seem to be a slow starter.
In-Reply-To: <487616FD.7010905@eskk.nu>
References: <48750381.1030004@eskk.nu> <20080709225423.GB1011@verio.net> <4875D33C.2010506@eskk.nu> <3910389261.20080710125542@mail.ru> <4875FD52.1090201@eskk.nu> <1215692423.35536.73.camel@localhost> <487616FD.7010905@eskk.nu>
Message-ID: <1215702103.35536.77.camel@localhost>

On Thu, 2008-07-10 at 16:04 +0200, Leslie Jensen wrote:
>>
>> It still applies to FreeBSD 7. Create /etc/rc.local if it doesn't exist.
>> It is started (well, sourced) by /etc/rc.d/local
>>
>> Tom
>
> After some Googling I found this article
>
> http://www.freebsddiary.org/startup.php
>
> It suggests that one should not use /etc/rc.local!
>
> /Leslie
>

In this case, I'd still use rc.local, regardless of what that says. A
full fledged rc script is unnecessary for something this trivial and
transient. IMHO :)

Tom
From leslie at eskk.nu Thu Jul 10 15:16:12 2008
From: leslie at eskk.nu (Leslie Jensen)
Date: Thu Jul 10 15:16:18 2008
Subject: New pf install on Freebsd7 seem to be a slow starter.
In-Reply-To: <1215702103.35536.77.camel@localhost>
References: <48750381.1030004@eskk.nu> <20080709225423.GB1011@verio.net> <4875D33C.2010506@eskk.nu> <3910389261.20080710125542@mail.ru> <4875FD52.1090201@eskk.nu> <1215692423.35536.73.camel@localhost> <487616FD.7010905@eskk.nu> <1215702103.35536.77.camel@localhost>
Message-ID: <487627AC.9050000@eskk.nu>

Tom Evans skrev:
> On Thu, 2008-07-10 at 16:04 +0200, Leslie Jensen wrote:
>>> It still applies to FreeBSD 7. Create /etc/rc.local if it doesn't exist.
>>> It is started (well, sourced) by /etc/rc.d/local
>>>
>>> Tom
>> After some Googling I found this article
>>
>> http://www.freebsddiary.org/startup.php
>>
>> It suggests that one should not use /etc/rc.local!
>>
>> /Leslie
>>
>
> In this case, I'd still use rc.local, regardless of what that says. A
> full fledged rc script is unnecessary for something this trivial and
> transient. IMHO :)
>
>
> Tom

OK. I'm a newbie here so I listen to all the advice I can get. At times I
find conflicting information when googling so I need to verify it.

I'm thankful for your time and effort :-)

/Leslie

From leslie at eskk.nu Fri Jul 11 07:16:41 2008
From: leslie at eskk.nu (Leslie Jensen)
Date: Fri Jul 11 07:16:47 2008
Subject: New pf install on Freebsd7 seem to be a slow starter.
In-Reply-To: <3910389261.20080710125542@mail.ru>
References: <48750381.1030004@eskk.nu> <20080709225423.GB1011@verio.net> <4875D33C.2010506@eskk.nu> <3910389261.20080710125542@mail.ru>
Message-ID: <487708CE.2020302@eskk.nu>

Dennis skrev:
> It's possible to populate the table after the network is initialized and all
> other services are up. Just place an empty table
>
>     table <goodguys> persist
>
> in your pf.conf and
>
>     pfctl -t goodguys -T add \
>         something.somewhere.com \
>         somethingelse.somewhere.com \
>         xxx.yyy.zzz.qqq &
>
> into your /etc/rc.local, so pf will start up without delays.
>
> Regards,
> Dennis

I tried this but I get no output other than what you can see below

    pfctl -T show -t goodguys
    No ALTQ support in kernel
    ALTQ related functions disabled

Should there be something else in rc.local?

/Leslie

From bugmaster at FreeBSD.org Mon Jul 14 11:07:03 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Jul 14 11:08:28 2008
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200807141107.m6EB72oH014501@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/111220  pf     [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/82271   pf     [pf] cbq scheduler cause bad latency
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o kern/120281  pf     [pf] [request] lost returning packets to PF for a rdr
o kern/122014  pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/124364  pf     [pf] [panic] Kernel panic with pf + bridge
s kern/124933  pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented

6 problems total.

Non-critical problems

S Tracker      Resp.
Description
--------------------------------------------------------------------------------
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf     [pf] pf reply-to doesn't work
s conf/110838  pf     [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/114095  pf     [carp] carp+pf delay with high state limit
o kern/114567  pf     [pf] LOR pf_ioctl.c + if.c
o bin/118355   pf     [pf] [patch] pfctl(8) help message options order false
o kern/120057  pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o kern/121704  pf     [pf] PF mangles loopback packets
o kern/122773  pf     [pf] pf doesn't log uid or pid when configured to
o kern/125467  pf     [pf] pf keep state bug while handling sessions between

10 problems total.

From glen.j.barber at gmail.com Thu Jul 17 12:31:22 2008
From: glen.j.barber at gmail.com (Glen Barber)
Date: Thu Jul 17 12:31:29 2008
Subject: New pf install on Freebsd7 seem to be a slow starter.
In-Reply-To: <48750381.1030004@eskk.nu>
References: <48750381.1030004@eskk.nu>
Message-ID: <4ad871310807170515x5b553661yd64245f7daf2dd61@mail.gmail.com>

On Wed, Jul 9, 2008 at 2:29 PM, Leslie Jensen wrote:
[:: snip ::]
>
> # tables
> table <goodguys> { something.somewhere.com, somethingelse.somewhere.com,
> xxx.yyy.zzz.qqq }
>
[:: snip ::]
>
> # Let the goodguys access the machine from the outside
> pass in on $ext_if inet proto tcp from <goodguys> to ($ext_if) \
>     port $tcp_services flags S/SA keep state
>

Hi. I'm just curious why you decided to use a table for this. I have
done something similar (disallowing access to certain domains) using
macros as follows:

    deny_sites="{ badsite.com , www.myspace.com , badsite2.com }"

and didn't notice 'slowness' at boot. This was on a 6.3-RELEASE box,
if that matters.

Regards,

--
Glen Barber
http://www.dev-urandom.com/

From koitsu at FreeBSD.org Thu Jul 17 12:55:40 2008
From: koitsu at FreeBSD.org (Jeremy Chadwick)
Date: Thu Jul 17 12:55:47 2008
Subject: New pf install on Freebsd7 seem to be a slow starter.
In-Reply-To: <4ad871310807170515x5b553661yd64245f7daf2dd61@mail.gmail.com>
References: <48750381.1030004@eskk.nu> <4ad871310807170515x5b553661yd64245f7daf2dd61@mail.gmail.com>
Message-ID: <20080717125540.GA73950@eos.sc1.parodius.com>

On Thu, Jul 17, 2008 at 08:15:03AM -0400, Glen Barber wrote:
> Hi. I'm just curious why you decided to use a table for this. I have
> done something similar (disallowing access to certain domains) using
> macros as follows:
>
>     deny_sites="{ badsite.com , www.myspace.com , badsite2.com }"
>
> and didn't notice 'slowness' at boot. This was on a 6.3-RELEASE box,
> if that matters.

I don't think it matters if the entries are in a table or in a macro.

Chances are whatever resolver you're using (e.g. an ISP's DNS server, or
something upstream, versus named on the same box) had all of those
entries cached, or has very good overall response time for DNS lookups.
In the case of the OP, I believe he runs his own named.

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From glen.j.barber at gmail.com Thu Jul 17 13:00:03 2008
From: glen.j.barber at gmail.com (Glen Barber)
Date: Thu Jul 17 13:00:09 2008
Subject: New pf install on Freebsd7 seem to be a slow starter.
In-Reply-To: <20080717125540.GA73950@eos.sc1.parodius.com>
References: <48750381.1030004@eskk.nu> <4ad871310807170515x5b553661yd64245f7daf2dd61@mail.gmail.com> <20080717125540.GA73950@eos.sc1.parodius.com>
Message-ID: <4ad871310807170600of904ddvfa31f3f1bf2e421d@mail.gmail.com>

On Thu, Jul 17, 2008 at 8:55 AM, Jeremy Chadwick wrote:
> On Thu, Jul 17, 2008 at 08:15:03AM -0400, Glen Barber wrote:
>> Hi. I'm just curious why you decided to use a table for this.
>> I have done something similar (disallowing access to certain domains) using
>> macros as follows:
>>
>>     deny_sites="{ badsite.com , www.myspace.com , badsite2.com }"
>>
>> and didn't notice 'slowness' at boot. This was on a 6.3-RELEASE box,
>> if that matters.
>
> I don't think it matters if the entries are in a table or in a macro.
>
> Chances are whatever resolver you're using (e.g. an ISP's DNS server, or
> something upstream, versus named on the same box) had all of those
> entries cached, or has very good overall response time for DNS lookups.
> In the case of the OP, I believe he runs his own named.
>

I was under the assumption the OP runs his own DNS server, as that is
how my machine was set up.

Regards,

--
Glen Barber
http://www.dev-urandom.com/

From glen.j.barber at gmail.com Thu Jul 17 13:13:07 2008
From: glen.j.barber at gmail.com (Glen Barber)
Date: Thu Jul 17 13:13:12 2008
Subject: New pf install on Freebsd7 seem to be a slow starter.
In-Reply-To: <4ad871310807170600of904ddvfa31f3f1bf2e421d@mail.gmail.com>
References: <48750381.1030004@eskk.nu> <4ad871310807170515x5b553661yd64245f7daf2dd61@mail.gmail.com> <20080717125540.GA73950@eos.sc1.parodius.com> <4ad871310807170600of904ddvfa31f3f1bf2e421d@mail.gmail.com>
Message-ID: <4ad871310807170613y6d5df98dlf85f664399c9ca4c@mail.gmail.com>

On Thu, Jul 17, 2008 at 9:00 AM, Glen Barber wrote:
> I was under the assumption the OP runs his own DNS server, as that is
> how my machine was set up.
>

Another reason I thought about 'why' the OP used tables - aren't PF
tables evaluated at boot, and macros evaluated when they are called?
I think the latter negates the need for resolving at boot. Please
correct me if I am wrong.

Regards,

--
Glen Barber
http://www.dev-urandom.com/

From phoemix at harmless.hu Thu Jul 17 13:44:48 2008
From: phoemix at harmless.hu (CZUCZY Gergely)
Date: Thu Jul 17 13:44:55 2008
Subject: New pf install on Freebsd7 seem to be a slow starter.
In-Reply-To: <4ad871310807170613y6d5df98dlf85f664399c9ca4c@mail.gmail.com>
References: <48750381.1030004@eskk.nu> <4ad871310807170515x5b553661yd64245f7daf2dd61@mail.gmail.com> <20080717125540.GA73950@eos.sc1.parodius.com> <4ad871310807170600of904ddvfa31f3f1bf2e421d@mail.gmail.com> <4ad871310807170613y6d5df98dlf85f664399c9ca4c@mail.gmail.com>
Message-ID: <20080717152849.0e90b307@twoflower.in.publishing.hu>

On Thu, 17 Jul 2008 09:13:03 -0400
"Glen Barber" wrote:
> On Thu, Jul 17, 2008 at 9:00 AM, Glen Barber wrote:
> > I was under the assumption the OP runs his own DNS server, as that is
> > how my machine was set up.
> >
>
> Another reason I thought about 'why' the OP used tables - aren't PF
> tables evaluated at boot, and macros evaluated when they are called?
> I think the latter negates the need for resolving at boot. Please
> correct me if I am wrong.

Macros are evaluated at pfctl-time. That means, parse-time. Tables are
evaluated at runtime (that means, when a lookup is in progress).

--
Regards,
Czuczy Gergely
Harmless Digital Bt
mailto: gergely.czuczy@harmless.hu
Tel: +36-30-9702963

From opteron.delivery at gmail.com Thu Jul 17 14:36:41 2008
From: opteron.delivery at gmail.com (Dave Graham)
Date: Thu Jul 17 14:36:47 2008
Subject: Help with BSD7 (pf) and VMWare
Message-ID: <4f8a92b40807170710r7eb0bda9t234aade6ed89ca33@mail.gmail.com>

All,

Definitely a noob when it comes to FreeBSD but I'm trying to accomplish
the following:

use a BSD7 VM as a NAT device within my ESX infrastructure. I've
started reading through the online man pages for pf, but I'm getting
completely lost.

To start with, I want to set up a simple NAT and then expand it, as
needed, to provide DNS services to my other VMs (all linux).
Can anyone point me to a good starting place?

Thanks!

Dave Graham
Flickerdown Data Systems
1207 Main St. #2
Holden, MA 01520
978.239.2489

From max at love2party.net Thu Jul 17 15:11:55 2008
From: max at love2party.net (Max Laier)
Date: Thu Jul 17 15:12:02 2008
Subject: New pf install on Freebsd7 seem to be a slow starter.
In-Reply-To: <20080717152849.0e90b307@twoflower.in.publishing.hu>
References: <48750381.1030004@eskk.nu> <4ad871310807170613y6d5df98dlf85f664399c9ca4c@mail.gmail.com> <20080717152849.0e90b307@twoflower.in.publishing.hu>
Message-ID: <200807171711.51208.max@love2party.net>

On Thursday 17 July 2008 15:28:49 CZUCZY Gergely wrote:
> On Thu, 17 Jul 2008 09:13:03 -0400
>
> "Glen Barber" wrote:
> > On Thu, Jul 17, 2008 at 9:00 AM, Glen Barber wrote:
> > > I was under the assumption the OP runs his own DNS server, as that
> > > is how my machine was set up.
> >
> > Another reason I thought about 'why' the OP used tables - aren't PF
> > tables evaluated at boot, and macros evaluated when they are called?
> > I think the latter negates the need for resolving at boot. Please
> > correct me if I am wrong.
>
> Macros are evaluated at pfctl-time. That means, parse-time. Tables are
> evaluated at runtime (that means, when a lookup is in progress).

DNS lookups are always performed in userland at pfctl-time. It does not
matter if you put your hostnames into a macro, table or rule directly -
it will always be looked up by pfctl before even loading the rule/table
into the kernel.

If you really want to trust DNS lookups to influence your firewall rules
(3 weeks till dooms day - is your resolver patched?!?) you should add an
rc.d that depends on NETWORKING (or hook something up to ppp.linkup, or
wherever else you can be sure that your resolver is working) and fill a
predefined table from that script, i.e.
    pfctl -t mytable -T add foo.bar.local

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From max at love2party.net Thu Jul 17 15:14:27 2008
From: max at love2party.net (Max Laier)
Date: Thu Jul 17 15:14:35 2008
Subject: Help with BSD7 (pf) and VMWare
In-Reply-To: <4f8a92b40807170710r7eb0bda9t234aade6ed89ca33@mail.gmail.com>
References: <4f8a92b40807170710r7eb0bda9t234aade6ed89ca33@mail.gmail.com>
Message-ID: <200807171714.24828.max@love2party.net>

On Thursday 17 July 2008 16:10:47 Dave Graham wrote:
> All,
>
> Definitely a noob when it comes to FreeBSD but I'm trying to accomplish
> the following:
>
> use a BSD7 VM as a NAT device within my ESX infrastructure. I've
> started reading through the online man pages for pf, but I'm getting
> completely lost.
>
> To start with, I want to set up a simple NAT and then expand it, as
> needed, to provide DNS services to my other VMs (all linux).
>
> Can anyone point me to a good starting place?

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html
http://www.openbsd.org/faq/pf/index.html
http://home.nuug.no/~peter/pf/en/

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From koitsu at FreeBSD.org Thu Jul 17 15:19:03 2008
From: koitsu at FreeBSD.org (Jeremy Chadwick)
Date: Thu Jul 17 15:19:09 2008
Subject: New pf install on Freebsd7 seem to be a slow starter.
In-Reply-To: <200807171711.51208.max@love2party.net>
References: <48750381.1030004@eskk.nu> <4ad871310807170613y6d5df98dlf85f664399c9ca4c@mail.gmail.com> <20080717152849.0e90b307@twoflower.in.publishing.hu> <200807171711.51208.max@love2party.net>
Message-ID: <20080717151902.GA79577@eos.sc1.parodius.com>

On Thu, Jul 17, 2008 at 05:11:50PM +0200, Max Laier wrote:
> On Thursday 17 July 2008 15:28:49 CZUCZY Gergely wrote:
> > On Thu, 17 Jul 2008 09:13:03 -0400
> >
> > "Glen Barber" wrote:
> > > On Thu, Jul 17, 2008 at 9:00 AM, Glen Barber wrote:
> > > > I was under the assumption the OP runs his own DNS server, as that
> > > > is how my machine was set up.
> > >
> > > Another reason I thought about 'why' the OP used tables - aren't PF
> > > tables evaluated at boot, and macros evaluated when they are called?
> > > I think the latter negates the need for resolving at boot. Please
> > > correct me if I am wrong.
> >
> > Macros are evaluated at pfctl-time. That means, parse-time. Tables are
> > evaluated at runtime (that means, when a lookup is in progress).
>
> DNS lookups are always performed in userland at pfctl-time. It does not
> matter if you put your hostnames into a macro, table or rule directly -
> it will always be looked up by pfctl before even loading the rule/table
> into the kernel.
>
> If you really want to trust DNS lookups to influence your firewall rules
> (3 weeks till dooms day - is your resolver patched?!?) you should add an
> rc.d that depends on NETWORKING (or hook something up to ppp.linkup, or
> wherever else you can be sure that your resolver is working) and fill a
> predefined table from that script, i.e. "pfctl -t mytable -T add
> foo.bar.local"

Which induces another question (probably answered in a post a few weeks
ago, knowing my luck):

Does pf(4) use gethostbyname()? If so, the OP should be able to add
entries of said FQDNs to /etc/hosts to avoid doing actual recursive DNS
lookups.
(I'm curious about this myself, since we have some pf.conf rules which
refer to IPs bound to our servers, and I've always wanted to switch them
over to FQDNs that are listed in /etc/hosts...)

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From max at love2party.net Thu Jul 17 15:28:06 2008
From: max at love2party.net (Max Laier)
Date: Thu Jul 17 15:28:13 2008
Subject: New pf install on Freebsd7 seem to be a slow starter.
In-Reply-To: <20080717151902.GA79577@eos.sc1.parodius.com>
References: <48750381.1030004@eskk.nu> <200807171711.51208.max@love2party.net> <20080717151902.GA79577@eos.sc1.parodius.com>
Message-ID: <200807171728.04369.max@love2party.net>

On Thursday 17 July 2008 17:19:02 Jeremy Chadwick wrote:
> On Thu, Jul 17, 2008 at 05:11:50PM +0200, Max Laier wrote:
> > On Thursday 17 July 2008 15:28:49 CZUCZY Gergely wrote:
> > > On Thu, 17 Jul 2008 09:13:03 -0400
> > >
> > > "Glen Barber" wrote:
> > > > On Thu, Jul 17, 2008 at 9:00 AM, Glen Barber wrote:
> > > > > I was under the assumption the OP runs his own DNS server, as
> > > > > that is how my machine was set up.
> > > >
> > > > Another reason I thought about 'why' the OP used tables - aren't
> > > > PF tables evaluated at boot, and macros evaluated when they are
> > > > called? I think the latter negates the need for resolving at
> > > > boot. Please correct me if I am wrong.
> > >
> > > Macros are evaluated at pfctl-time. That means, parse-time. Tables
> > > are evaluated at runtime (that means, when a lookup is in
> > > progress).
> >
> > DNS lookups are always performed in userland at pfctl-time. It does
> > not matter if you put your hostnames into a macro, table or rule
> > directly - it will always be looked up by pfctl before even loading
> > the rule/table into the kernel.
> >
> > If you really want to trust DNS lookups to influence your firewall
> > rules (3 weeks till dooms day - is your resolver patched?!?) you
> > should add an rc.d that depends on NETWORKING (or hook something up
> > to ppp.linkup, or wherever else you can be sure that your resolver is
> > working) and fill a predefined table from that script. i.e. "pfctl -t
> > mytable -T add foo.bar.local"
>
> Which induces another question (probably answered in a post a few weeks
> ago, knowing my luck):
>
> Does pf(4) use gethostbyname()? If so, the OP should be able to add
> entries of said FQDNs to /etc/hosts to avoid doing actual recursive DNS
> lookups. (I'm curious about this myself, since we have some pf.conf
> rules which refer to IPs bound to our servers, and I've always wanted
> to switch them over to FQDNs that are listed in /etc/hosts...)

gethostbyname(3), but that should - iirc - also tie into /etc/hosts if
your nsswitch.conf points there.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From ansarm at gmail.com Fri Jul 18 02:25:12 2008
From: ansarm at gmail.com (Ansar Mohammed)
Date: Fri Jul 18 02:25:18 2008
Subject: GRE Limitation
Message-ID: <047001c8e87d$8078b710$816a2530$@com>

Hello All,
I just read the following on the pfsense website:

"PPTP and GRE Limitation - The state tracking code in pf for the GRE
protocol can only track a single session per public IP per external
server. This means if you use PPTP VPN connections, only one internal
machine can connect simultaneously to a PPTP server on the Internet. A
thousand machines can connect simultaneously to a thousand different PPTP
servers, but only one simultaneously to a single server. The only
available work around is to use multiple public IPs on your firewall, one
per client, or to use multiple public IPs on the external PPTP server.
This is not a problem with other types of VPN connections."

Is this also true for stock FreeBSD with PF or just a pfsense issue?

From ansarm at gmail.com Fri Jul 18 03:48:08 2008
From: ansarm at gmail.com (Ansar Mohammed)
Date: Fri Jul 18 03:48:14 2008
Subject: GRE Limitation
References: <047001c8e87d$8078b710$816a2530$@com>
Message-ID: <048f01c8e889$160fffd0$422fff70$@com>

Is this like "a known bug" that's being fixed or is this "by design" and
we have to deal with it?

> -----Original Message-----
> From: Chris Buechler [mailto:cbuechler@gmail.com]
> Sent: July 17, 2008 11:37 PM
> To: Ansar Mohammed
> Cc: freebsd-pf@freebsd.org
> Subject: Re: GRE Limitation
>
> On Thu, Jul 17, 2008 at 10:25 PM, Ansar Mohammed wrote:
> > Hello All,
> > I just read the following on the pfsense website:
> >
> > "PPTP and GRE Limitation - The state tracking code in pf for the GRE
> > protocol can only track a single session per public IP per external
> > server. This means if you use PPTP VPN connections, only one internal
> > machine can connect simultaneously to a PPTP server on the Internet.
> > A thousand machines can connect simultaneously to a thousand
> > different PPTP servers, but only one simultaneously to a single
> > server. The only available work around is to use multiple public IPs
> > on your firewall, one per client, or to use multiple public IPs on
> > the external PPTP server. This is not a problem with other types of
> > VPN connections."
> >
> > Is this also true for stock FreeBSD with PF or just a pfsense issue?
> >
>
> That's true with every OS that runs pf, and anything based on any of
> those (including pfSense).
>
> Chris

From cbuechler at gmail.com Fri Jul 18 04:01:04 2008
From: cbuechler at gmail.com (Chris Buechler)
Date: Fri Jul 18 04:01:11 2008
Subject: GRE Limitation
In-Reply-To: <047001c8e87d$8078b710$816a2530$@com>
References: <047001c8e87d$8078b710$816a2530$@com>

On Thu, Jul 17, 2008 at 10:25 PM, Ansar Mohammed wrote:
> Hello All,
> I just read the following on the pfsense website:
>
> "PPTP and GRE Limitation - The state tracking code in pf for the GRE
> protocol can only track a single session per public IP per external
> server. This means if you use PPTP VPN connections, only one internal
> machine can connect simultaneously to a PPTP server on the Internet. A
> thousand machines can connect simultaneously to a thousand different
> PPTP servers, but only one simultaneously to a single server. The only
> available work around is to use multiple public IPs on your firewall,
> one per client, or to use multiple public IPs on the external PPTP
> server. This is not a problem with other types of VPN connections."
>
> Is this also true for stock FreeBSD with PF or just a pfsense issue?
>

That's true with every OS that runs pf, and anything based on any of
those (including pfSense).

Chris

From cbuechler at gmail.com Fri Jul 18 04:05:30 2008
From: cbuechler at gmail.com (Chris Buechler)
Date: Fri Jul 18 04:05:37 2008
Subject: GRE Limitation
In-Reply-To: <048f01c8e889$160fffd0$422fff70$@com>
References: <047001c8e87d$8078b710$816a2530$@com> <048f01c8e889$160fffd0$422fff70$@com>

On Thu, Jul 17, 2008 at 11:48 PM, Ansar Mohammed wrote:
> Is this like "a known bug" that's being fixed or is this "by design" and we
> have to deal with it?
>

It's not a bug. If you search the OpenBSD list archives you'll find
plenty of discussion on it. There are proxies that are supposed to work
around this, like Frickin PPTP.
It's not highly regarded by the OpenBSD community apparently (not sure
why, saw that in passing in their list archives at one point), and it
doesn't work right on FreeBSD (if any OS?). There may be other proxy
alternatives, I'm not aware of any that work.

Ermal Luci, a pfSense and FreeBSD committer, has been working on improved
state tracking for GRE that would eliminate this limitation. Not sure of
the status other than it's not done. If/when it's finished it'll be in
pfSense development releases first, maybe integrated into the BSDs later
or possibly not.

Chris

From sullrich at gmail.com Fri Jul 18 04:30:27 2008
From: sullrich at gmail.com (Scott Ullrich)
Date: Fri Jul 18 04:30:35 2008
Subject: GRE Limitation
In-Reply-To: <048f01c8e889$160fffd0$422fff70$@com>
References: <047001c8e87d$8078b710$816a2530$@com> <048f01c8e889$160fffd0$422fff70$@com>

On Thu, Jul 17, 2008 at 11:48 PM, Ansar Mohammed wrote:
> Is this like "a known bug" that's being fixed or is this "by design" and we
> have to deal with it?

Ermal Luci is working on a patch. Maybe he can offer it for testing.

Scott

From rkramer at mweb.com Fri Jul 18 10:18:45 2008
From: rkramer at mweb.com (Rudi Kramer - MWEB)
Date: Fri Jul 18 10:18:56 2008
Subject: GRE Limitation
References: <047001c8e87d$8078b710$816a2530$@com> <048f01c8e889$160fffd0$422fff70$@com>
Message-ID: <39DC135F7F0571489196E0B6F5D58B4A03B45EED@MWBEXCH.mweb.com>

> It's not a bug. If you search the OpenBSD list archives you'll find
> plenty of discussion on it.

I had the same issue and when I checked with our ms-admin team they said
it was a Microsoft limitation.
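As an added illustration of the limitation quoted from the pfSense site above (this is not code from pf, pfSense or any poster in this thread): a NAT state table keyed only on addresses and protocol, which is how this thread describes pf's GRE handling, cannot tell two PPTP clients behind one public IP apart, whereas a key that also carries the session's call ID can. All addresses and call IDs below are constructed, and the model simplifies PPTP by using one call ID per session in both directions (real PPTP GRE carries the peer's call ID in each direction, so a real tracker has to learn both IDs from the TCP 1723 control channel).

```python
"""Constructed simulation: GRE state keying for PPTP behind many-to-one NAT."""
from collections import namedtuple

GRE = 47                       # IP protocol number for GRE
PUBLIC_IP = "203.0.113.5"      # constructed: the firewall's NAT address
PPTP_SERVER = "198.51.100.7"   # constructed: one external PPTP server
CLIENT_A = "192.168.1.10"      # constructed: two internal PPTP clients
CLIENT_B = "192.168.1.11"

# A GRE packet as the state tracker sees it. call_id stands in for the
# Key/Call ID field of PPTP's enhanced GRE header; one ID per session is
# used here for both directions (a simplification, see lead-in).
Pkt = namedtuple("Pkt", "src dst proto call_id")


def addr_proto_key(pkt):
    """Direction-agnostic key on addresses and protocol only, the scheme
    this thread describes for pf's GRE state tracking."""
    return (frozenset((pkt.src, pkt.dst)), pkt.proto)


def call_id_key(pkt):
    """The same key extended with the session's call ID."""
    return addr_proto_key(pkt) + (pkt.call_id,)


class NatStateTable:
    """Minimal many-to-one NAT state table; key_fn decides which packets
    are treated as the same session."""

    def __init__(self, key_fn, public_ip):
        self.key_fn = key_fn
        self.public_ip = public_ip
        self.states = {}  # key -> internal host that owns the session

    def outbound(self, internal_host, pkt):
        """Client -> server packet. True if this host owns (or just created)
        the state; False if the key already belongs to another host."""
        translated = pkt._replace(src=self.public_ip)   # source NAT
        owner = self.states.setdefault(self.key_fn(translated), internal_host)
        return owner == internal_host

    def inbound(self, pkt):
        """Server -> public IP packet. Returns the internal host it is
        delivered to, or None if no state matches."""
        return self.states.get(self.key_fn(pkt))


def simulate(key_fn):
    """Two internal clients open PPTP sessions to the same server, then the
    server answers each. Returns what happened under the given key scheme."""
    nat = NatStateTable(key_fn, PUBLIC_IP)
    a_open = nat.outbound(CLIENT_A, Pkt(CLIENT_A, PPTP_SERVER, GRE, 0x0001))
    b_open = nat.outbound(CLIENT_B, Pkt(CLIENT_B, PPTP_SERVER, GRE, 0x0002))
    a_reply = nat.inbound(Pkt(PPTP_SERVER, PUBLIC_IP, GRE, 0x0001))
    b_reply = nat.inbound(Pkt(PPTP_SERVER, PUBLIC_IP, GRE, 0x0002))
    return {
        "a_opened": a_open,
        "b_opened": b_open,
        "a_reply_delivered_to": a_reply,
        "b_reply_delivered_to": b_reply,
        "states": len(nat.states),
    }


if __name__ == "__main__":
    # With addr+proto only, client B's session collides with A's and B's
    # replies are delivered to A; with the call ID in the key both work.
    for name, fn in (("addr+proto", addr_proto_key),
                     ("addr+proto+callid", call_id_key)):
        print(name, simulate(fn))
```

The address-only run also shows why the workaround quoted above (a separate public IP per client) helps: it changes the address part of the key instead of the call ID.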
From cbuechler at gmail.com Fri Jul 18 12:23:39 2008
From: cbuechler at gmail.com (Chris Buechler)
Date: Fri Jul 18 12:23:45 2008
Subject: GRE Limitation
In-Reply-To: <39DC135F7F0571489196E0B6F5D58B4A03B45EED@MWBEXCH.mweb.com>
References: <047001c8e87d$8078b710$816a2530$@com> <048f01c8e889$160fffd0$422fff70$@com> <39DC135F7F0571489196E0B6F5D58B4A03B45EED@MWBEXCH.mweb.com>

On Fri, Jul 18, 2008 at 6:03 AM, Rudi Kramer - MWEB wrote:
>
> I had the same issue and when I checked with our ms-admin team they said
> it was a Microsoft limitation.
>

No, it's an issue with many NAT implementations and how they handle state
for the GRE protocol. pf only tracks source IP, dest IP and protocol. It
has to do something more advanced, like tracking by GRE call ID in
addition to src/dst, to track connections in this manner.

Chris

From catalin at starcomms.com Fri Jul 18 14:00:18 2008
From: catalin at starcomms.com (Catalin Miclaus)
Date: Fri Jul 18 14:00:25 2008
Subject: GRE Limitation
In-Reply-To: <39DC135F7F0571489196E0B6F5D58B4A03B45EED@MWBEXCH.mweb.com>
References: <047001c8e87d$8078b710$816a2530$@com> <048f01c8e889$160fffd0$422fff70$@com> <39DC135F7F0571489196E0B6F5D58B4A03B45EED@MWBEXCH.mweb.com>
Message-ID: <3A0AA7018522134597ED63B3B794C92A0267DBF1@STA-HQ-S001.starcomms.local>

It is not a Microsoft limitation.
Please stop spreading wrong information on same.
Netfilter team has been able to solve it; for those who are using a Linux
distribution you can apply some patches to Iptables and it will work fine.

Best Regards
Catalin Miclaus
Network/Security ISP-Data
Starcomms Ltd.

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Rudi Kramer - MWEB
Sent: Friday, July 18, 2008 11:03 AM
To: Chris Buechler; Ansar Mohammed
Cc: freebsd-pf@freebsd.org
Subject: RE: GRE Limitation

> It's not a bug. If you search the OpenBSD list archives you'll find
> plenty of discussion on it.
I had the same issue and when I checked with our ms-admin team they said
it was a Microsoft limitation.

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

DISCLAIMER: The information contained in this message (including any
attachments) is confidential and may be privileged. If you have received
it by mistake please notify the sender by return e-mail and permanently
delete this message and any attachments from your system. Any form of
dissemination, use, review, distribution, printing or copying of this
message in whole or in part is strictly prohibited if you are not the
intended recipient of this e-mail. Please note that e-mails are
susceptible to change. STARCOMMS PLC shall not be liable for the improper
or incomplete transmission of the information contained in this
communication nor for any delay in its receipt or damage to your system.
STARCOMMS PLC does not guarantee that the integrity of this communication
has been maintained or that this communication is free of viruses,
interceptions or interferences. STARCOMMS PLC reserves the right to
monitor all e-mail communications, whether related to the business of
STARCOMMS or not, through its internal or external networks.

From aturetta at commit.it Sat Jul 19 11:18:16 2008
From: aturetta at commit.it (Angelo Turetta)
Date: Sat Jul 19 11:18:23 2008
Subject: GRE Limitation
In-Reply-To: <39DC135F7F0571489196E0B6F5D58B4A03B45EED@MWBEXCH.mweb.com>
References: <047001c8e87d$8078b710$816a2530$@com> <048f01c8e889$160fffd0$422fff70$@com> <39DC135F7F0571489196E0B6F5D58B4A03B45EED@MWBEXCH.mweb.com>
Message-ID: <4881CABB.7080907@commit.it>

Rudi Kramer - MWEB wrote:
> I had the same issue and when I checked with our ms-admin team they said
> it was a Microsoft limitation.

Quite the opposite. Since Windows2000 MS introduced, or started using, a
CallID in the GRE header.
Remember, many-to-one NAT has only become widely used/mandatory in recent
years, I remember getting a full ClassC subnet from my first provider
(128Kbps, ca. 1995-1996) without even asking.

Angelo Turetta
Modena - Italy

From Greg.Hennessy at nviz.net Sun Jul 20 12:28:54 2008
From: Greg.Hennessy at nviz.net (Greg Hennessy)
Date: Sun Jul 20 12:29:01 2008
Subject: GRE Limitation
In-Reply-To: <4881CABB.7080907@commit.it>
References: <047001c8e87d$8078b710$816a2530$@com> <048f01c8e889$160fffd0$422fff70$@com> <39DC135F7F0571489196E0B6F5D58B4A03B45EED@MWBEXCH.mweb.com> <4881CABB.7080907@commit.it>
Message-ID: <48832996.4060300@nviz.net>

Angelo Turetta wrote:
> Rudi Kramer - MWEB wrote:
>> I had the same issue and when I checked with our ms-admin team they said
>> it was a Microsoft limitation.
>
> Quite the opposite. Since Windows2000 MS introduced, or started using,
> a CallID in the GRE header.

Indeed.

>
> Remember, many-to-one NAT has only become widely used/mandatory in
> recent years,

I wouldn't say that recent, trying to get address space out of RIPE for
the past decade is like pulling teeth.

> I remember getting a full ClassC subnet from my first provider
> (128Kbps, ca. 1995-1996) without even asking.

Those were the days, I can remember having a conversation with Pipex here
in the UK circa 1994 where their account manager asked if a /24 would be
enough for the 64k line I was connecting. He assured me that they
recommended at least 2 and that 4 * /24s wouldn't be a problem.

Considering I was plumbing connectivity using SCO and the TIS FWTK at the
time, a /29 was overkill.
Regards

Greg

>
> Angelo Turetta
> Modena - Italy
>

From artemrts at ukr.net Mon Jul 21 09:31:57 2008
From: artemrts at ukr.net (Vitaliy Vladimirovich)
Date: Mon Jul 21 09:32:03 2008
Subject: PF and blocking of some ports

Hi,

I have a question about blocking some ports for LAN users.
Below is a part of my pf.conf:

nat on $ext_if tag LAN_INET_NAT_TCP_UDP tagged LAN_INET_TCP_UDP -> $ext_if:0

pass out quick on $ext_if inet tagged LAN_INET_NAT_TCP_UDP
pass out quick on $ext_if inet proto {tcp udp} from $ext_if to $myisp 53

pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if port !=25 tag LAN_INET_TCP_UDP
pass in quick on $int_if inet proto {tcp udp} from $LAN to $int_if port 53

All works fine. But when I wish to block not only port 25 but also 5190 or
some other ports, blocking does not occur. And I can connect to port 25 on
any host in the Internet from any computer in the local network.

Rules which I try to use:

pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if port {!=25 !=5190} tag LAN_INET_TCP_UDP

Please tell me, where is my mistake?

Thanks.

From max at love2party.net Mon Jul 21 10:48:27 2008
From: max at love2party.net (Max Laier)
Date: Mon Jul 21 10:48:34 2008
Subject: PF and blocking of some ports
Message-ID: <200807211248.23181.max@love2party.net>

On Monday 21 July 2008 11:07:15 Vitaliy Vladimirovich wrote:
> Hi,
>
> I have a question about blocking some ports for LAN users.
> Below is a part of my pf.conf:
>
> nat on $ext_if tag LAN_INET_NAT_TCP_UDP tagged LAN_INET_TCP_UDP -> $ext_if:0
>
> pass out quick on $ext_if inet tagged LAN_INET_NAT_TCP_UDP
> pass out quick on $ext_if inet proto {tcp udp} from $ext_if to $myisp 53
>
> pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if port !=25 tag LAN_INET_TCP_UDP
> pass in quick on $int_if inet proto {tcp udp} from $LAN to $int_if port 53
>
> All works fine. But when I wish to block not only port 25 but also 5190 or
> some other ports, blocking does not occur. And I can connect to port 25 on
> any host in the Internet from any computer in the local network.
>
> Rules which I try to use:
> pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if port {!=25 !=5190} tag LAN_INET_TCP_UDP
>
> Please tell me, where is my mistake?

The above will expand to 4 rules:

pass quick ... tcp ... to !int_if port != 25 ...
pass quick ... udp ... to !int_if port != 25 ...
pass quick ... tcp ... to !int_if port != 5190 ...
pass quick ... udp ... to !int_if port != 5190 ...

It should be obvious that the first rule will allow tcp traffic to port
5190 and the third to port 25. In general you should rather block
unwanted traffic explicitly.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From bugmaster at FreeBSD.org Mon Jul 21 11:07:00 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Jul 21 11:08:22 2008
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200807211106.m6LB6xOF031955@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.
Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented

6 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/125467  pf         [pf] pf keep state bug while handling sessions between

10 problems total.

From artemrts at ukr.net Mon Jul 21 11:44:45 2008
From: artemrts at ukr.net (Vitaliy Vladimirovich)
Date: Mon Jul 21 11:44:51 2008
Subject: PF and blocking of some ports
In-Reply-To: <200807211248.23181.max@love2party.net>

--- Original Message ---
From: Max Laier
To: freebsd-pf@freebsd.org
Date: 21 July, 13:48:23
Subject: Re: PF and blocking of some ports

On Monday 21 July 2008 11:07:15 Vitaliy Vladimirovich wrote:
> Hi,
>
> I have a question about blocking some ports for LAN users.
> Below is a part of my pf.conf:
>
> nat on $ext_if tag LAN_INET_NAT_TCP_UDP tagged LAN_INET_TCP_UDP -> $ext_if:0
>
> pass out quick on $ext_if inet tagged LAN_INET_NAT_TCP_UDP
> pass out quick on $ext_if inet proto {tcp udp} from $ext_if to $myisp 53
>
> pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if port !=25 tag LAN_INET_TCP_UDP
> pass in quick on $int_if inet proto {tcp udp} from $LAN to $int_if port 53
>
> All works fine. But when I wish to block not only port 25 but also 5190 or
> some other ports, blocking does not occur. And I can connect to port 25 on
> any host in the Internet from any computer in the local network.
>
> Rules which I try to use:
> pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if port {!=25 !=5190} tag LAN_INET_TCP_UDP
>
> Please tell me, where is my mistake?

The above will expand to 4 rules:

pass quick ... tcp ... to !int_if port != 25 ...
pass quick ... udp ... to !int_if port != 25 ...
pass quick ... tcp ... to !int_if port != 5190 ...
pass quick ... udp ... to !int_if port != 5190 ...

It should be obvious that the first rule will allow tcp traffic to port
5190 and the third to port 25. In general you should rather block
unwanted traffic explicitly.

Ok, thanks for the advice.
I have changed the rule to:

pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if port $ports tag LAN_INET_TCP_UDP

And defined $ports:

ports= "{20 21 80 443 8000 8080}"

From dfeustel at mindspring.com Mon Jul 21 12:38:00 2008
From: dfeustel at mindspring.com (Dave)
Date: Mon Jul 21 12:38:06 2008
Subject: BNF Syntax of pf commands
Message-ID: <20080721123800.1C79E8FC21@mx1.freebsd.org>

Hi!

I'm looking for a BNF description of the PF ruleset.
Is that available somewhere?
Thanks,
Dave Feustel

From koitsu at FreeBSD.org Mon Jul 21 12:40:55 2008
From: koitsu at FreeBSD.org (Jeremy Chadwick)
Date: Mon Jul 21 12:41:06 2008
Subject: BNF Syntax of pf commands
In-Reply-To: <20080721123800.1C79E8FC21@mx1.freebsd.org>
References: <20080721123800.1C79E8FC21@mx1.freebsd.org>
Message-ID: <20080721124055.GA33609@eos.sc1.parodius.com>

On Mon, Jul 21, 2008 at 12:38:00PM +0000, Dave wrote:
> I'm looking for a BNF description of the PF ruleset.
> Is that available somewhere?

It's in the manpage, section GRAMMAR.

http://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=5&manpath=FreeBSD+7.0-stable&format=html#end

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From dfeustel at mindspring.com Mon Jul 21 17:01:55 2008
From: dfeustel at mindspring.com (Dave)
Date: Mon Jul 21 17:02:01 2008
Subject: BNF Syntax of pf commands
In-Reply-To: <20080721124055.GA33609@eos.sc1.parodius.com>
Message-ID: <20080721170155.5BF2B8FC18@mx1.freebsd.org>

On Mon, Jul 21, 2008 at 05:40:55AM -0700, Jeremy Chadwick wrote:
>On Mon, Jul 21, 2008 at 12:38:00PM +0000, Dave wrote:
>> I'm looking for a BNF description of the PF ruleset.
>> Is that available somewhere?
>
>It's in the manpage, section GRAMMAR.
>
>http://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=5&manpath=FreeBSD+7.0-stable&format=html#end

Thanks! I had just found this myself using google and noticed that the
BNF is coded up by hand instead of via yacc or bison. The reason I got
interested in this is that I saw pretty clear indications on my OpenBSD
4.3 pf firewall that certain 'equivalent' rules (differing only in the
presence or absence of 'optional' syntactic sugar keywords) in my
pf.conf file did not produce identical behavior from pf. I've started
wondering about how one would implement regression testing on pf.
From max at love2party.net Mon Jul 21 17:52:03 2008
From: max at love2party.net (Max Laier)
Date: Mon Jul 21 17:52:09 2008
Subject: BNF Syntax of pf commands
In-Reply-To: <20080721170155.5BF2B8FC18@mx1.freebsd.org>
References: <20080721170155.5BF2B8FC18@mx1.freebsd.org>
Message-ID: <200807211952.00497.max@love2party.net>

On Monday 21 July 2008 19:01:55 Dave wrote:
> On Mon, Jul 21, 2008 at 05:40:55AM -0700, Jeremy Chadwick wrote:
> >On Mon, Jul 21, 2008 at 12:38:00PM +0000, Dave wrote:
> >> I'm looking for a BNF description of the PF ruleset.
> >> Is that available somewhere?
> >
> >It's in the manpage, section GRAMMAR.
> >
> >http://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=5&manpath=FreeBSD+7.0-stable&format=html#end
>
> Thanks! I had just found this myself using google and noticed that the
> BNF is coded up by hand instead of via yacc or bison. The reason I got
> interested in this is that I saw pretty clear indications on my OpenBSD
> 4.3 pf firewall that certain 'equivalent' rules (differing only in the
> presence or absence of 'optional' syntactic sugar keywords) in my
> pf.conf file did not produce identical behavior from pf. I've started
> wondering about how one would implement regression testing on pf.

Do you have an example? It's hard to imagine how that would be possible.
There are some parser regression tests in OpenBSD's source tree, but to
my knowledge there is no "action" testing.
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From rkramer at mweb.com Tue Jul 22 09:53:23 2008
From: rkramer at mweb.com (Rudi Kramer - MWEB)
Date: Tue Jul 22 09:53:29 2008
Subject: GRE Limitation
References: <047001c8e87d$8078b710$816a2530$@com> <048f01c8e889$160fffd0$422fff70$@com> <39DC135F7F0571489196E0B6F5D58B4A03B45EED@MWBEXCH.mweb.com> <3A0AA7018522134597ED63B3B794C92A0267DBF1@STA-HQ-S001.starcomms.local>
Message-ID: <39DC135F7F0571489196E0B6F5D58B4A03B45F09@MWBEXCH.mweb.com>

Catalin Miclaus:
> It is not a Microsoft limitation.
> Please stop spreading wrong information on same.

My apologies, it was not my intent to spread disinformation regarding
Microsoft, I was only relaying information that I was given by a
Microsoft Administrator.

I mean really, this must be the first time in history that the fault
isn't with MS ;-)

From odhiambo at gmail.com Tue Jul 22 10:48:49 2008
From: odhiambo at gmail.com (Odhiambo Washington)
Date: Tue Jul 22 10:48:55 2008
Subject: GRE Limitation
In-Reply-To: <39DC135F7F0571489196E0B6F5D58B4A03B45F09@MWBEXCH.mweb.com>
References: <047001c8e87d$8078b710$816a2530$@com> <048f01c8e889$160fffd0$422fff70$@com> <39DC135F7F0571489196E0B6F5D58B4A03B45EED@MWBEXCH.mweb.com> <3A0AA7018522134597ED63B3B794C92A0267DBF1@STA-HQ-S001.starcomms.local> <39DC135F7F0571489196E0B6F5D58B4A03B45F09@MWBEXCH.mweb.com>
Message-ID: <991123400807220324s6e25e251va04cc25a6b2a23ac@mail.gmail.com>

On Tue, Jul 22, 2008 at 12:52 PM, Rudi Kramer - MWEB wrote:
> Catalin Miclaus:
>> It is not a Microsoft limitation.
>> Please stop spreading wrong information on same.
>
> My apologies, it was not my intent to spread disinformation regarding
> Microsoft, I was only relaying information that I was given by a
> Microsoft Administrator.
>
> I mean really, this must be the first time in history that the fault
> isn't with MS ;-)

In the old days when I used mutt as my MUA, this would be a great
candidate for those fortunes :-)

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
"Oh My God! They killed init! You Bastards!"
--from a /. post

From ivanatora at gmail.com Wed Jul 23 09:29:49 2008
From: ivanatora at gmail.com (Ivan Petrushev)
Date: Wed Jul 23 09:29:56 2008
Subject: Problems in basic usage of ALTQ

Hello,
I'm trying to do very simple traffic shaping on my box with ALTQ.
For a beginning I want just to restrict HTTP downloading speed (which is
port 80) to a fixed number... let's say 100Kbps. I'm on an ADSL line
providing me 12Mb down / 2Mb up (and I know every ADSL tutorial
recommends limiting uploads), but for syntax learning purposes let's
concentrate only on limiting downloading speed.
I've read some tutorials and I've arrived at the following code:

[code]
### Queueing
# I'm not sure what to set up for a total bandwidth - 100Mb for the carrier media (Cat5 cables) or 12Mb for the provided bandwidth
altq on re0 cbq bandwidth 12Mb queue {restrict, fast}
# This queue 'restrict' should get the shaped traffic
queue restrict bandwidth 100Kb cbq(default)
# This 'fast' queue should take some fast traffic, DNS requests for example.
queue fast bandwidth 500Kb priority 4

### Translation
# This is for my other PC and I don't think it plays a role here
nat pass on re0 from 192.168.0.5 to any -> 10.10.10.21

### Filtering
# Restrict traffic on port 80. This is my IP.
pass in on re0 proto tcp from any port 80 to 10.10.10.21 queue restrict
# Pass DNS requests on the 'fast' queue
pass in on re0 proto { udp, tcp } from any port 53 to 10.10.10.21 queue fast
[/code]

So I see DNS resolutions are done really fast (definitely faster than if
they fell into the 'restricted' queue), but HTTP traffic is not going at
the specified bandwidth.
Instead it goes at about 3Mb.
First I thought it was due to a wrong number here:
altq on re0 cbq bandwidth *100Mb* queue {restrict, fast}
But changing that did not reflect in any way - the downloads went on at 3Mb.

Second problem - how to build the rule for queuing the other PC's NATed
bandwidth? I tried

[code]
pass on re0 from any to 192.168.0.5 queue restrict
[/code]

and variations but it just didn't pass to the queue. I.e. the effect was
nothing. I'm routing over only one NIC - re0 (using aliases - 10.10.10.21
and 192.168.0.5) and maybe this is wrong?

From weaseal at gmail.com Wed Jul 23 13:27:58 2008
From: weaseal at gmail.com (Walter Venable)
Date: Wed Jul 23 13:28:04 2008
Subject: Limiting client bandwidth with PF
Message-ID: <8dfae1c10807230603o1060aa69jc9ccf2e4bc66f275@mail.gmail.com>

Hi all,

I'm having some trouble getting pf to do what I want. I'm a newbie to pf,
so I can't get my configuration quite right. We have a 3Mb/1Mb connection
and I want to limit my clients each to 128Kbps/64Kbps.

First things first, limit them to 128Kbps, but that isn't even working, as
clients are still maxing at 3Mbps:

$ cat /etc/pf.conf
int_if="rl0"
ext_if="nfe0"
int_net="192.168.2.0/24"

altq on $ext_if hfsc bandwidth 3Mb queue { clients }
queue clients bandwidth 128Kb hfsc ( default rio )
pass in quick log on $int_if proto tcp from $int_net to any \
    flags S/SA keep state queue clients

$ sudo pfctl -sq
queue root_nfe0 on nfe0 bandwidth 3Mb priority 0 {clients}
queue  clients on nfe0 bandwidth 128Kb hfsc( rio default )

Can anyone say why this isn't working?
More info about the network if you need it:

Internet -- Router (192.168.1.1) -- (nfe0 @ 192.168.1.200) FreeBSD Gateway (rl0 @ 192.168.2.1) -- switch -- Clients (192.168.2.0/24)

From buchtajz at borsice.net Wed Jul 23 15:54:52 2008
From: buchtajz at borsice.net (Michal Buchtik)
Date: Wed Jul 23 15:54:59 2008
Subject: Limiting client bandwidth with PF
In-Reply-To: <8dfae1c10807230603o1060aa69jc9ccf2e4bc66f275@mail.gmail.com>
References: <8dfae1c10807230603o1060aa69jc9ccf2e4bc66f275@mail.gmail.com>
Message-ID: <1216827349.1598.4.camel@manwe.buchtikov.borsice.sfn>

Walter Venable wrote on Wed 23. 07. 2008 at 16:03 +0300:
> First things first, limit them to 128Kbps, but that isn't even working, as
> clients are still maxing at 3Mbps:
>
> $ cat /etc/pf.conf
> int_if="rl0"
> ext_if="nfe0"
> int_net="192.168.2.0/24"
>
> altq on $ext_if hfsc bandwidth 3Mb queue { clients }
> queue clients bandwidth 128Kb hfsc ( default rio )
> pass in quick log on $int_if proto tcp from $int_net to any \
>     flags S/SA keep state queue clients
>

You can limit only OUTGOING traffic (from the router's point of view).
So change the line to:

altq on $int_if hfsc bandwidth 3Mb queue { clients }

Michal

From catalin at starcomms.com Wed Jul 23 16:26:48 2008
From: catalin at starcomms.com (Catalin Miclaus)
Date: Wed Jul 23 16:26:59 2008
Subject: Limiting client bandwidth with PF
In-Reply-To: <8dfae1c10807230603o1060aa69jc9ccf2e4bc66f275@mail.gmail.com>
References: <8dfae1c10807230603o1060aa69jc9ccf2e4bc66f275@mail.gmail.com>
Message-ID: <3A0AA7018522134597ED63B3B794C92A027402C3@STA-HQ-S001.starcomms.local>

Hello Walter,

There are some open bugs for pf with altq. You may want to consider ipfw
and pipes to achieve the same.

Best Regards
Catalin Miclaus
Network/Security ISP-Data
Starcomms Ltd.
-----Original Message----- From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Walter Venable Sent: Wednesday, July 23, 2008 2:04 PM To: freebsd-pf@freebsd.org Subject: Limiting client bandwidth with PF Hi all, I'm having some trouble getting pf to do what I want. I'm a newbie to pf, so I can't get my configuration quite right. We have a 3Mb/1Mb connection and I want to limit my clients each to 128Kbps/64Kbps. First things first, limit them to 128Kbps, but that isn't even working, as clients are still maxing at 3Mbps: $ cat /etc/pf.conf int_if="rl0" ext_if="nfe0" int_net="192.168.2.0/24" altq on $ext_if hfsc bandwidth 3Mb queue { clients } queue clients bandwidth 128Kb hfsc ( default rio ) pass in quick log on $int_if proto tcp from $int_net to any \ flags S/SA keep state queue clients $ sudo pfctl -sq queue root_nfe0 on nfe0 bandwidth 3Mb priority 0 {clients} queue clients on nfe0 bandwidth 128Kb hfsc( rio default ) Can anyone say why this isn't working? More info about the network if you need it: Internet -- Router (192.168.1.1) -- (nfe0 @ 192.168.1.200 ) FreeBSD Gateway (rl0 @ 192.168.2.1) -- switch -- Clients (192.168.2.0/24) _______________________________________________ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" DISCLAIMER: The information contained in this message (including any attachments) is confidential and may be privileged. If you have received it by mistake please notify the sender by return e-mail and permanently delete this message and any attachments from your system. Any form of dissemination, use, review, distribution, printing or copying of this message in whole or in part is strictly prohibited if you are not the intended recipient of this e-mail. Please note that e-mails are susceptible to change. 
STARCOMMS PLC shall not be liable for the improper or incomplete transmission of the information contained in this communication nor for any delay in its receipt or damage to your system. STARCOMMS PLC does not guarantee that the integrity of this communication has been maintained or that this communication is free of viruses, interceptions or interferences. STARCOMMS PLC reserves the right to monitor all e-mail communications, whether related to the business of STARCOMMS or not, through its internal or external networks.

From ivanatora at gmail.com Wed Jul 23 17:25:44 2008
From: ivanatora at gmail.com (Ivan Petrushev)
Date: Wed Jul 23 17:25:50 2008
Subject: Why this rule doesn't score a match?
Message-ID:

Hello,
I'm trying a very simple 'block all, allow a few' firewall, but something doesn't seem right.
As far as I remember 'the right matched rule' is taken and executed - this doesn't seem to be working here.
Here is my firewall:
#####################
#macros
if = "re0"
ext_ip = "10.10.10.21"
tcp_services = "{http, https, ssh, domain, 5190, 5222, ftp, 1025}"
udp_services = "{domain, 5190, 5222, ftp}"

#filter
block in log on $if
pass on $if proto tcp from any port $tcp_services
pass on $if proto udp from any port $udp_services
####################
The point here is that if a packet for one of the listed services is matched against the rules, it will match the block rule, but after that it will match one of the last two and get passed. Instead it gets blocked and I see it in the log:
tcpdump -n -i pflog0
19:54:57.657194 IP 64.12.161.185.5190 > 10.10.10.21.54111: tcp 24 [bad hdr length 0 - too short, < 20]
(there are many of these, including on the other ports)

Now, there is something different. I tried removing the block rule, and added logging for the 'pass' rules. In that case a packet traveling down the rules should match only on the 'pass' rules and get logged.
####################
#filter
#block in log on $if
pass log on $if proto tcp from any port $tcp_services
pass log on $if proto udp from any port $udp_services
####################

Well, it doesn't get logged. The only thing I see in the log is:
20:12:53.185368 IP 10.10.10.1.53 > 10.10.10.21.60918: [|domain]
And more DNS requests. There is nothing from 5190 (ICQ) or 5222 (Gtalk) or 80...

What could be wrong here - it is a fairly simple ruleset?

From ivanatora at gmail.com Wed Jul 23 18:28:06 2008
From: ivanatora at gmail.com (Ivan Petrushev)
Date: Wed Jul 23 18:28:13 2008
Subject: Why this rule doesn't score a match?
In-Reply-To:
References: <48876DAD.9080100@optiksecurite.com>
Message-ID:

Hmmm, yes I'm on FreeBSD 7.
I tried these pass rules before - nothing gets logged.
I thought traffic is going both TO these ports and FROM these ports.
Let's take for example a simple HTTP connection. The browser communicates to the remote server through remote port 80 and says 'GET /index.html', then closes the connection. The HTTP server on the remote side opens a connection to the local machine (on some of our local port range)... but what is the port number on his side? I think that it is again 80.
About pass in/pass out - I think that the in/out keyword can be dropped? PF can do without that, right?

These are my current filter rules, still nothing gets logged:
##############################
pass log on $if proto tcp from any port $tcp_services
pass log on $if proto udp from any port $udp_services
pass log on $if proto tcp from any to $ext_ip port $tcp_services
pass log on $if proto udp from any to $ext_ip port $udp_services
#############################

Regards,
Ivan.

On Wed, Jul 23, 2008 at 8:43 PM, FreeBSD wrote:
> Ivan Petrushev wrote:
>>
>> Hello,
>> I'm trying a very simple 'block all, allow a few' firewall, but
>> something doesn't seem right.
>> As far as I remember 'the right matched rule' is taken and executed -
>> this doesn't seem to be working here.
>> Here is my firewall:
>> #####################
>> #macros
>> if = "re0"
>> ext_ip = "10.10.10.21"
>> tcp_services = "{http, https, ssh, domain, 5190, 5222, ftp, 1025}"
>> udp_services = "{domain, 5190, 5222, ftp}"
>>
>> #filter
>> block in log on $if
>> pass on $if proto tcp from any port $tcp_services
>> pass on $if proto udp from any port $udp_services
>> ####################
>> The point here is that if a packet for one of the listed services is
>> matched against the rules, it will match the block rule, but after
>> that it will match one of the last two and get passed. Instead it gets
>> blocked and I see it in the log:
>> tcpdump -n -i pflog0
>> 19:54:57.657194 IP 64.12.161.185.5190 > 10.10.10.21.54111: tcp 24
>> [bad hdr length 0 - too short, < 20]
>> (there are many of these, including on the other ports)
>>
>> Now, there is something different. I tried removing the block rule,
>> and added logging for the 'pass' rules. In that case a packet
>> traveling down the rules should match only on the 'pass' rules and get
>> logged.
>> ####################
>> #filter
>> #block in log on $if
>> pass log on $if proto tcp from any port $tcp_services
>> pass log on $if proto udp from any port $udp_services
>> ####################
>>
>> Well, it doesn't get logged. The only thing I see in the log is:
>> 20:12:53.185368 IP 10.10.10.1.53 > 10.10.10.21.60918: [|domain]
>> And more DNS requests. There is nothing from 5190 (ICQ) or 5222 (Gtalk) or
>> 80...
>>
>> What could be wrong here - it is a fairly simple ruleset?
>>
>
> You should try "pass in on $if proto tcp from any to $ext_ip port
> $tcp_services flags S/SA keep state" and "pass in on $if proto udp from any
> to $ext_ip port $udp_services keep state"
>
> Your rule expects the traffic to come FROM $tcp_services but it is going TO
> those ports.
>
> You can omit the "flags S/SA keep state" and the "keep state" if you're
> using FreeBSD 7, it is added automatically.
>
> I would also suggest you use "block all log" instead of "block in log"
> and specify rules for your outgoing traffic too.
>
> Good luck
>
> Martin
>

From freebsd at optiksecurite.com Wed Jul 23 18:44:33 2008
From: freebsd at optiksecurite.com (FreeBSD)
Date: Wed Jul 23 18:44:40 2008
Subject: Why this rule doesn't score a match?
In-Reply-To:
References:
Message-ID: <48876DAD.9080100@optiksecurite.com>

Ivan Petrushev wrote:
> Hello,
> I'm trying a very simple 'block all, allow a few' firewall, but
> something doesn't seem right.
> As far as I remember 'the right matched rule' is taken and executed -
> this doesn't seem to be working here.
> Here is my firewall:
> #####################
> #macros
> if = "re0"
> ext_ip = "10.10.10.21"
> tcp_services = "{http, https, ssh, domain, 5190, 5222, ftp, 1025}"
> udp_services = "{domain, 5190, 5222, ftp}"
>
> #filter
> block in log on $if
> pass on $if proto tcp from any port $tcp_services
> pass on $if proto udp from any port $udp_services
> ####################
> The point here is that if a packet for one of the listed services is
> matched against the rules, it will match the block rule, but after
> that it will match one of the last two and get passed. Instead it gets
> blocked and I see it in the log:
> tcpdump -n -i pflog0
> 19:54:57.657194 IP 64.12.161.185.5190 > 10.10.10.21.54111: tcp 24
> [bad hdr length 0 - too short, < 20]
> (there are many of these, including on the other ports)
>
> Now, there is something different. I tried removing the block rule,
> and added logging for the 'pass' rules. In that case a packet
> traveling down the rules should match only on the 'pass' rules and get
> logged.
> ####################
> #filter
> #block in log on $if
> pass log on $if proto tcp from any port $tcp_services
> pass log on $if proto udp from any port $udp_services
> ####################
>
> Well, it doesn't get logged.
> The only thing I see in the log is:
> 20:12:53.185368 IP 10.10.10.1.53 > 10.10.10.21.60918: [|domain]
> And more DNS requests. There is nothing from 5190 (ICQ) or 5222 (Gtalk) or 80...
>
> What could be wrong here - it is a fairly simple ruleset?
>

You should try "pass in on $if proto tcp from any to $ext_ip port $tcp_services flags S/SA keep state" and "pass in on $if proto udp from any to $ext_ip port $udp_services keep state"

Your rule expects the traffic to come FROM $tcp_services but it is going TO those ports.

You can omit the "flags S/SA keep state" and the "keep state" if you're using FreeBSD 7, it is added automatically.

I would also suggest you use "block all log" instead of "block in log" and specify rules for your outgoing traffic too.

Good luck

Martin

From ivanatora at gmail.com Wed Jul 23 19:21:57 2008
From: ivanatora at gmail.com (Ivan Petrushev)
Date: Wed Jul 23 19:22:03 2008
Subject: Why this rule doesn't score a match?
In-Reply-To: <488780A6.4010807@radel.com>
References: <48876DAD.9080100@optiksecurite.com> <488780A6.4010807@radel.com>
Message-ID:

Hi Jon,
Aaahhh, I see now - these FROM rules must be TO rules :D
Thank you both for your replies.

I'm going to monitor the outbound connections as well, but I think I will be OK then. This was the little stone in the shoe.
I've already managed to let ICMP through that 'block all' ;)

Btw, I like the way pflog is working - deploying tcpdump on pflog0 and tracking down the logged packets. Is there a way to create another pflog device and use it for some different rules? I've seen there is an option to the 'log' keyword - (to pflogX), but I didn't manage to find out how to create more pflog devices.

Regards,
Ivan.

On Wed, Jul 23, 2008 at 10:04 PM, Jon Radel wrote:
> Ivan Petrushev wrote:
>>
>> Hmmm, yes I'm on FreeBSD 7
>> I tried these pass rules before - nothing gets logged.
>> I thought traffic is going both TO these ports and FROM these ports.
>> Let's take for example a simple HTTP connection.
>> The browser
>> communicates to the remote server through remote port 80 and says 'GET
>> /index.html', then closes the connection. The HTTP server on the
>> remote side opens a connection to the local machine (on some of our
>> local port range)... but what is the port number on his side? I think
>> that it is again 80.
>> About pass in/pass out - I think that the in/out keyword can be dropped?
>> PF can do without that, right?
>>
>> These are my current filter rules, still nothing gets logged:
>> ##############################
>> pass log on $if proto tcp from any port $tcp_services
>> pass log on $if proto udp from any port $udp_services
>> pass log on $if proto tcp from any to $ext_ip port $tcp_services
>> pass log on $if proto udp from any to $ext_ip port $udp_services
>> #############################
>
> HTTP doesn't work like that. The client opens a connection from an
> arbitrary port (generally high and pseudo-random) to port 80 (or 8080, or
> whatever the published port the server listens on is). The server does NOT
> open a connection to you.
>
> Your initial packet to the web server
>
>   from YOU port NNNN
>   to SERVER port 80
>
> never gets through your rule set so there's never a response from the server
> to get logged.
>
> You'd do much better, if this is a workstation on which you run a web browser
> and other clients, rather than a router/firewall, to do something like:
>
> pass out on $if proto tcp to any port $tcp_services flags S/SA keep state
>
> This allows the initial packet from your machine out and uses the PF state
> mechanism (which you really, really, really should be using for reasons of
> efficiency and security) to allow all further packets for that TCP
> connection both in and out on that interface.
>
> Unless you're offering services on this computer to which you want other
> machines to establish connections, you're much better off having no, or
> minimal, "pass in" rules.
> That way people can't send you random, possibly
> nasty, packets which you accept simply because they used a source port of
> 80.
>
> --Jon Radel
>

From portcitycs at gmail.com Wed Jul 23 19:35:31 2008
From: portcitycs at gmail.com (Lyle Scott III)
Date: Wed Jul 23 19:35:38 2008
Subject: Limiting client bandwidth with PF
In-Reply-To: <3A0AA7018522134597ED63B3B794C92A027402C3@STA-HQ-S001.starcomms.local>
References: <8dfae1c10807230603o1060aa69jc9ccf2e4bc66f275@mail.gmail.com> <3A0AA7018522134597ED63B3B794C92A027402C3@STA-HQ-S001.starcomms.local>
Message-ID: <5a1835cd0807231210h14b580cfy51e823df486ae61f@mail.gmail.com>

I have used PF for a few years on various servers and would like to play with ALTQ functionality (finally have some time!), yet I read about quite a few 'bugs' with pf/altq ... Should I even bother? It is posts such as these that are quite discouraging! (not hating on the poster :) )

I think FreeBSD is the greatest OS ever and I love the functionality (and syntax) of PF... and would love to see ALTQ thrown into the mix.

On Wed, Jul 23, 2008 at 10:51 AM, Catalin Miclaus wrote:
> Hello Walter,
>
> There are some open bugs for pf with altq.
> You may want to consider ipfw and pipes to achieve the same.
>
> Best Regards
> Catalin Miclaus
> Network/Security ISP-Data
> Starcomms Ltd.
>
> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org]
> On Behalf Of Walter Venable
> Sent: Wednesday, July 23, 2008 2:04 PM
> To: freebsd-pf@freebsd.org
> Subject: Limiting client bandwidth with PF
>
> Hi all, I'm having some trouble getting pf to do what I want.
> I'm a newbie to pf, so I can't get my configuration quite right.
>
> We have a 3Mb/1Mb connection and I want to limit my clients each to
> 128Kbps/64Kbps.
>
> First things first, limit them to 128Kbps, but that isn't even working,
> as
> clients are still maxing at 3Mbps:
>
> $ cat /etc/pf.conf
> int_if="rl0"
> ext_if="nfe0"
> int_net="192.168.2.0/24"
>
> altq on $ext_if hfsc bandwidth 3Mb queue { clients }
> queue clients bandwidth 128Kb hfsc ( default rio )
> pass in quick log on $int_if proto tcp from $int_net to any \
>     flags S/SA keep state queue clients
>
> $ sudo pfctl -sq
> queue root_nfe0 on nfe0 bandwidth 3Mb priority 0 {clients}
> queue clients on nfe0 bandwidth 128Kb hfsc( rio default )
>
> Can anyone say why this isn't working? More info about the network if
> you
> need it:
>
> Internet -- Router (192.168.1.1) -- (nfe0 @ 192.168.1.200 ) FreeBSD
> Gateway
> (rl0 @ 192.168.2.1) -- switch -- Clients (192.168.2.0/24)
>

--
Lyle Scott, III
http://www.lylescott.ws

From jon at radel.com Wed Jul 23 20:04:25 2008
From: jon at radel.com (Jon Radel)
Date: Wed Jul 23 20:04:40 2008
Subject: Why this rule doesn't score a match?
In-Reply-To:
References: <48876DAD.9080100@optiksecurite.com>
Message-ID: <488780A6.4010807@radel.com>

Ivan Petrushev wrote:
> Hmmm, yes I'm on FreeBSD 7
> I tried these pass rules before - nothing gets logged.
> I thought traffic is going both TO these ports and FROM these ports.
> Let's take for example a simple HTTP connection. The browser
> communicates to the remote server through remote port 80 and says 'GET
> /index.html', then closes the connection. The HTTP server on the
> remote side opens a connection to the local machine (on some of our
> local port range)... but what is the port number on his side? I think
> that it is again 80.
> About pass in/pass out - I think that the in/out keyword can be dropped?
> PF can do without that, right?
>
> These are my current filter rules, still nothing gets logged:
> ##############################
> pass log on $if proto tcp from any port $tcp_services
> pass log on $if proto udp from any port $udp_services
> pass log on $if proto tcp from any to $ext_ip port $tcp_services
> pass log on $if proto udp from any to $ext_ip port $udp_services
> #############################

HTTP doesn't work like that. The client opens a connection from an arbitrary port (generally high and pseudo-random) to port 80 (or 8080, or whatever the published port the server listens on is). The server does NOT open a connection to you.
Your initial packet to the web server

  from YOU port NNNN
  to SERVER port 80

never gets through your rule set so there's never a response from the server to get logged.

You'd do much better, if this is a workstation on which you run a web browser and other clients, rather than a router/firewall, to do something like:

pass out on $if proto tcp to any port $tcp_services flags S/SA keep state

This allows the initial packet from your machine out and uses the PF state mechanism (which you really, really, really should be using for reasons of efficiency and security) to allow all further packets for that TCP connection both in and out on that interface.

Unless you're offering services on this computer to which you want other machines to establish connections, you're much better off having no, or minimal, "pass in" rules. That way people can't send you random, possibly nasty, packets which you accept simply because they used a source port of 80.

--Jon Radel

From thomas at gibfest.dk Wed Jul 23 21:22:03 2008
From: thomas at gibfest.dk (Thomas Rasmussen)
Date: Wed Jul 23 21:22:09 2008
Subject: Why this rule doesn't score a match?
In-Reply-To:
References: <48876DAD.9080100@optiksecurite.com> <488780A6.4010807@radel.com>
Message-ID: <48879B35.1060905@gibfest.dk>

Ivan Petrushev wrote:
> Hi Jon,
> Aaahhh, I see now - these FROM rules must be TO rules :D
> Thank you both for your replies.
>
> I'm going to monitor the outbound connections as well, but I think I
> will be OK then. This was the little stone in the shoe.
> I've already managed to let ICMP through that 'block all' ;)
>
> Btw, I like the way pflog is working - deploying tcpdump on pflog0 and
> tracking down the logged packets.
> Is there a way to create another pflog
> device and use it for some different rules? I've seen there is an
> option to the 'log' keyword - (to pflogX), but I didn't manage to
> find out how to create more pflog devices.
>
> Regards,
> Ivan.
>

Hello,

To create another pflog interface do:
ifconfig pflog1 create

And to create it at boot time add:
cloned_interfaces="pflog1"
to /etc/rc.conf

Regards

Thomas

From rj at dawnshosting.com Thu Jul 24 11:01:02 2008
From: rj at dawnshosting.com (Robert Jameson)
Date: Thu Jul 24 11:01:32 2008
Subject: network problems 7.0-p3: sendto: Operation not permitted
In-Reply-To: <9072a4470807240321y59f827fdn287011c0336ae866@mail.gmail.com>
References: <9072a4470807232259x603f46k49474f5eb309d0fa@mail.gmail.com> <20080724074919.GA36163@eos.sc1.parodius.com> <9072a4470807240255v4d3f8e72gf8bfb39999b2dcbd@mail.gmail.com> <9072a4470807240321y59f827fdn287011c0336ae866@mail.gmail.com>
Message-ID: <9072a4470807240334l7829fddbudbeea941fe1b77ad@mail.gmail.com>

Hello everyone,

I'm not sure about how this works; I was told to share this information with this group because of a possible issue with PF.

My rules are in place @ http://rj.dawnshosting.com/fbsd_ml/pf.conf

If anyone has a chance and can tell me what is wrong about them, it would mean a lot to me. My configuration worked fine before the update to 7.0-P3 like I said, but if we fix the rules then we can begin the process of elimination.

Thanks so much guys

From: *Robert Jameson*
Date: Thu, Jul 24, 2008 at 1:59 AM
To: freebsd-stable

Hello Everyone,

Recently I upgraded to freebsd 7.0-p3 from 7.0-p2; once I upgraded I began to have problems with my network. Nothing has changed configuration wise. Let me show you guys an example.
(12:46 AM):(root@cube)/$ ping google.com
PING google.com (72.14.207.99): 56 data bytes
64 bytes from 72.14.207.99: icmp_seq=0 ttl=240 time=64.713 ms
^C
--- google.com ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 64.713/64.713/64.713/0.000 ms

(12:46 AM):(root@cube)/$ ping google.com
PING google.com (72.14.207.99): 56 data bytes
64 bytes from 72.14.207.99: icmp_seq=0 ttl=240 time=73.814 ms
64 bytes from 72.14.207.99: icmp_seq=1 ttl=240 time=64.943 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 64.943/69.379/73.814/4.435 ms

(12:46 AM):(root@cube)/$ ping google.com
PING google.com (72.14.207.99): 56 data bytes
ping: sendto: Operation not permitted
^C
--- google.com ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss

(12:46 AM):(root@cube)/$

As you can see above, I issued the ping command (4) times, waiting for output and then doing CTRL+C to interrupt the commands quickly and send them again. On the 4th try I did not interrupt it and received the "Operation not permitted". Hitting ctrl+c on this error, I can type ping again and it will work correctly.

I have the same problem with almost every network command: wget, curl, fetch, lynx, ssh, nslookup, host etc. This appears to be an issue with the network. I have attached my rc.conf and sysctl.conf and pf.conf; please let me know if any other information is required.
Errors from /var/log/console.log:
Jul 18 21:10:02 cube kernel: Jul 18 21:10:02 cube named[908]: socket: too many open file descriptors
Jul 19 00:30:13 cube kernel: Jul 19 00:30:13 cube named[9748]: socket: too many open file descriptors
Jul 19 00:30:54 cube kernel: Jul 19 00:30:14 cube last message repeated 28 times

Initially I figured this problem was bind related, and since it has been a planned project for the past few months to switch to djbdns, I took the time to switch to djbdns, so bind is no longer running.

I was also receiving this in /var/log/messages:
Jul 20 22:15:39 cube kernel: Limiting open port RST response from 318 to 200 packets/sec
Jul 20 22:15:40 cube kernel: Limiting open port RST response from 624 to 200 packets/sec
Jul 20 22:15:42 cube kernel: Limiting open port RST response from 213 to 200 packets/sec
Jul 20 22:15:50 cube kernel: Limiting open port RST response from 439 to 200 packets/sec
Jul 20 22:15:51 cube kernel: Limiting open port RST response from 673 to 200 packets/sec
Jul 20 22:15:52 cube kernel: Limiting open port RST response from 730 to 200 packets/sec
Jul 20 22:15:53 cube kernel: Limiting open port RST response from 307 to 200 packets/sec
Jul 20 22:16:02 cube kernel: Limiting open port RST response from 435 to 200 packets/sec
Jul 20 22:16:03 cube kernel: Limiting open port RST response from 730 to 200 packets/sec
Jul 20 22:16:04 cube kernel: Limiting open port RST response from 287 to 200 packets/sec
Jul 20 22:16:13 cube kernel: Limiting open port RST response from 519 to 200 packets/sec
Jul 20 22:16:14 cube kernel: Limiting open port RST response from 740 to 200 packets/sec
Jul 20 22:16:15 cube kernel: Limiting open port RST response from 258 to 200 packets/sec
Jul 20 22:16:24 cube kernel: Limiting open port RST response from 407 to 200 packets/sec
Jul 20 22:16:25 cube kernel: Limiting open port RST response from 660 to 200 packets/sec

After spending some time on Google I came up with:
/etc/sysctl.conf
net.inet.icmp.icmplim=2000
I know it seems a bit high, but I kept adjusting until the error went away. (not really fixing the problem?)

If your mail client or the mailing list prevents you from seeing the attached, you can view them here: http://rj.dawnshosting.com/fbsd_ml/

PS: While running tcpdump I see this
tcpdump -i fxp0
Neither one of these IPs exists on my system; is my cable company doing something wrong?
01:47:12.135929 arp who-has 64.253.3.161.dyn-cm-pool73.pool.hargray.net tell 64.253.3.1.dyn-cm-pool73.pool.hargray.net
01:47:12.155931 arp who-has 216.16.218.141.dyn-cm-pool46.pool.hargray.net tell 216.16.218.1.dyn-cm-pool46.pool.hargray.net
01:47:12.196000 arp who-has 181.131.216.67.181.static.hargray.net tell 1.131.216.67.1.static.hargray.net

tcpdump -i fxp0 | grep ICMP:
Is this an attack?
01:55:41.231722 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37084, length 64
01:55:42.232794 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37085, length 64
01:55:43.285913 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37086, length 64
01:55:44.286340 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37087, length 64
01:55:45.287380 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37088, length 64
01:55:46.345843 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37089, length 64
01:55:47.346685 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37090, length 64
01:55:48.347366 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37091, length 64
01:55:49.348370 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37092, length 64
01:55:50.360130 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37093, length 64
01:55:51.596916 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37094, length 64
01:55:52.597659 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37095, length 64
01:55:53.640120 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37096, length 64
01:55:54.735275 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37097, length 64
01:55:55.735568 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37098, length 64
01:55:56.745012 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37099, length 64
01:55:57.835442 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37100, length 64
01:55:58.920583 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37101, length 64
01:56:00.022747 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37102, length 64

----------
From: *Alex Trull*
Date: Thu, Jul 24, 2008 at 3:29 AM
To: Robert Jameson

Robert,

The config files you attached were a series of 403 forbidden htmls.

The icmp pings (1 per second) do not constitute an attack.

It looks like you are genuinely running out of free states or file descriptors.

Had you applied any tuning that may have been lost in the upgrade?

How many packets and sessions is this host meant to be handling - and what sort of traffic?
--
Alex

----------
From: *Alex Trull*
Date: Thu, Jul 24, 2008 at 3:31 AM
To: Robert Jameson
Cc: freebsd-stable

----------
From: *Jeremy Chadwick*
Date: Thu, Jul 24, 2008 at 3:49 AM
To: Robert Jameson
Cc: freebsd-stable

Let's see if I can figure out the multitude of things you've posted about, since a bunch are unrelated and you appear to be flailing around with your arms in the air. :-)

This usually indicates firewall rules on the local machine, although I believe there are some other operations where EPERM can be returned. Can you provide uname -a output?

There was a "cable modem compatibility fix" applied to FreeBSD a while ago (a user informed me of such), although I do not know if it applies to you, as I do not know the original symptoms. I believe that fix was also just for TCP.

This indicates a completely different/unrelated problem.

This indicates a high number of ICMP packets being received. Keep in mind this can also be seen due to TCP connections which are being reset and other such things -- ICMP is at a higher layer than TCP. I don't think there's necessarily anything "wrong" with that number (you show up to 740), but it would be worthwhile investigating what's soliciting that amount of ICMP traffic. Are you seeing this 24x7x365?

It's not a big high; FreeBSD's 200 default is too low for any production server, if you ask me. Setting it to 2000 is probably fine.

You should discuss your firewalling rules on freebsd-pf, and not here. I believe you may have some mistakes which are inducing said problem.

Nope. This is normal behaviour for a cable modem network; they constantly spam layer 2 ARP for *everyone* on the entire cable network segment. Yes, you read that right.

At this rate (1 ICMP packet a second), absolutely not.
You also don't mention which FQDN/IP is yours; I assume "cube.dawnshosting.com", based on your local hostname in the above. Your machine is sending out an ICMP ping packet to purple.haze.bluntroll.in every 1 second. If you don't know why, you need to investigate why.

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

----------
From: *Robert Jameson*
Date: Thu, Jul 24, 2008 at 5:55 AM
To: Jeremy Chadwick

Sorry about that, bit of an information overload, I really am flailing my arms around!

Tried running with my firewall disabled/wide open; the problem still occurs.

FreeBSD cube.dawnshosting.com 7.0-RELEASE-p3 FreeBSD 7.0-RELEASE-p3 #5: Wed Jul 16 21:55:02 EDT 2008 root@cube.dawnshosting.com:/usr/obj/usr/src/sys/CUBE i386

Was the patch applied upstream? If not, and it's not too much trouble, can you point me in the direction of it.

Ah, thought they were related, what's causing this :)!

Yes it's constant. Let it be known I also have 2 network cards in the machine, 1 into my cable modem and another into a Linksys 16-port VPN router. The defaultrouter is set to a WAN IP (not 10.192.240.1), not that any of that matters, I don't think? I read a bit about it from the handbook; I think it's a non-issue. Might be worth mentioning the only real service change to this machine was an ircd daemon w/ about 500 users.

I will send them an e-mail shortly, thanks.

Ah, ok, nothing to see here, keep moving.

Correct, cube.dawnshosting.com is the actual FreeBSD machine. Sorry for the newbish question, but off the top of your head how can I see who/what is using this process?
----------
From: *Robert Jameson*
Date: Thu, Jul 24, 2008 at 6:21 AM
To: freebsd-stable

Still don't know what's going on. I'm currently sitting here with no firewall between me and the internet (very nervous) seeing if it fixes the problems; as of right this moment, still seeing permission denied errors.

I have fixed the 403 errors now. http://rj.dawnshosting.com/fbsd_ml/ now contains sysctl.conf rc.conf pf.conf

From ivanatora at gmail.com Thu Jul 24 12:57:54 2008
From: ivanatora at gmail.com (Ivan Petrushev)
Date: Thu Jul 24 12:58:00 2008
Subject: Why this rule doesn't score a match?
In-Reply-To: <48879B35.1060905@gibfest.dk>
References: <48876DAD.9080100@optiksecurite.com> <488780A6.4010807@radel.com> <48879B35.1060905@gibfest.dk>
Message-ID:

Hello Thomas,
I'm receiving an error:
# ifconfig plog1 create
ifconfig: SIOCIFCREATE2: Invalid argument

and I can't see anything in 'man ifconfig' related to the pflog device.
Regards,
Ivan

On Wed, Jul 23, 2008 at 11:57 PM, Thomas Rasmussen wrote:
> Ivan Petrushev wrote:
>>
>> Hi Jon,
>> Aaahhh, I see now - these FROM rules must be TO rules :D
>> Thank you both for your replies.
>>
>> I'm going to monitor the outbound connections as well, but I think I
>> will be OK then. This was the little stone in the shoe.
>> I've already managed to let ICMP through that 'block all' ;)
>>
>> Btw, I like the way pflog is working - deploying tcpdump on pflog0 and
>> tracking down the logged packets. Is there a way to create another pflog
>> device and use it for some different rules? I've seen there is an
>> option to the 'log' keyword - (to pflogX), but I didn't manage to
>> find out how to create more pflog devices.
>>
>> Regards,
>> Ivan.
>>
>
> Hello,
>
> To create another pflog interface do:
> ifconfig pflog1 create
>
> And to create it at boot time add:
> cloned_interfaces="pflog1"
> to /etc/rc.conf
>
> Regards
>
> Thomas
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From freebsd at optiksecurite.com Thu Jul 24 13:55:46 2008
From: freebsd at optiksecurite.com (FreeBSD)
Date: Thu Jul 24 13:55:53 2008
Subject: Why this rule doesn't score a match?
In-Reply-To:
References: <48876DAD.9080100@optiksecurite.com> <488780A6.4010807@radel.com> <48879B35.1060905@gibfest.dk>
Message-ID: <488889EA.8000306@optiksecurite.com>

Ivan Petrushev wrote:
> Hello Thomas,
> I'm receiving an error:
> # ifconfig plog1 create
> ifconfig: SIOCIFCREATE2: Invalid argument
>
> and I can't see anything in 'man ifconfig' related to the pflog device.
>

I think it's just a typo: you forgot the 'f' in pflog1...;)

Martin

From ivanatora at gmail.com Thu Jul 24 16:47:58 2008
From: ivanatora at gmail.com (Ivan Petrushev)
Date: Thu Jul 24 16:48:08 2008
Subject: Why this rule doesn't score a match?
In-Reply-To: <488889EA.8000306@optiksecurite.com>
References: <48876DAD.9080100@optiksecurite.com> <488780A6.4010807@radel.com> <48879B35.1060905@gibfest.dk> <488889EA.8000306@optiksecurite.com>
Message-ID:

Omg, silly me... Thanks!
From rkramer at mweb.com Fri Jul 25 07:23:41 2008
From: rkramer at mweb.com (Rudi Kramer - MWEB)
Date: Fri Jul 25 07:23:48 2008
Subject: PF+ALTQ+PRIQ
References: <48876DAD.9080100@optiksecurite.com> <488780A6.4010807@radel.com> <48879B35.1060905@gibfest.dk> <488889EA.8000306@optiksecurite.com>
Message-ID: <39DC135F7F0571489196E0B6F5D58B4A03B45F35@MWBEXCH.mweb.com>

Hello,

I wanted to play around with ALTQ and PRIQ queueing and I came up with the following pf config. My goal was to have TCP ACKs that have no payload get the highest priority, then cod, dns and ssh in their own queues, and everything else falling into the default queue.
##################################################
#Macros
ext_if = "tun0"
cod_ports = "{28960:29000}"

##Tables
table { 192.168.0.0/24 }

##Options

##Normalization
scrub in all

##Queueing
altq on $ext_if priq bandwidth 400Kb queue { q_pri, q_def, q_cod, q_domain, q_ssh }
queue q_pri priority 10
queue q_cod priority 9
queue q_domain priority 8
queue q_ssh priority 7
queue q_def priority 1 priq(default)

#default to deny
block in log all

#allow loopback
pass quick on lo0 all

#Setup PRIQ Rules
# With "queue (main, prio)" pf puts lowdelay packets and empty TCP ACKs into the
# SECOND queue, so the high-priority queue has to be listed second.
pass out on $ext_if proto tcp from ($ext_if) to any queue (q_def, q_pri)
pass in on $ext_if proto tcp from any to ($ext_if) queue (q_def, q_pri)
pass out quick on $ext_if proto udp from ($ext_if) to any port $cod_ports queue q_cod
pass in quick on $ext_if proto udp from any to ($ext_if) port $cod_ports queue q_cod
pass out quick on $ext_if proto udp from ($ext_if) to any port domain queue q_domain
pass in quick on $ext_if proto udp from any to ($ext_if) port domain queue q_domain
pass out quick on $ext_if proto tcp from ($ext_if) to any port ssh queue q_ssh
pass in quick on $ext_if proto tcp from any to ($ext_if) port ssh queue q_ssh

#allow from fw to ext
pass out quick log on $ext_if proto tcp all
pass out quick log on $ext_if proto { udp, icmp } all

#allow from internal network out
pass quick log on $int_if proto tcp from to any
pass quick log on $int_if proto { udp, icmp } from to any
#########################################

As far as I can see it is working, but I was hoping to get some input from the list.
Thanks
Rudi

From news at topocentras.lt Mon Jul 28 07:09:47 2008
From: news at topocentras.lt (news@topocentras.lt)
Date: Mon Jul 28 07:09:54 2008
Subject: need help with keep state and shaping
Message-ID: <51307.88.119.128.115.1217227945.squirrel@mx.agservice.lt>

ext_if="bge0"
int_if="bge1"

pass out quick on $ext_if from 10.0.0.1 to any queue upload1
pass out quick on $int_if from any to 10.0.0.1 queue download1

pass out quick on $ext_if from 10.0.0.2 to any queue upload2
pass out quick on $int_if from any to 10.0.0.2 queue download2

pass out quick on $ext_if from 10.0.0.3 to any queue upload3
pass out quick on $int_if from any to 10.0.0.3 queue download3

pass in all
pass out all

#10.0.0.x users subnet

Hello,
I have problems with keep state usage. I need to shape incoming and outgoing traffic (no nat).
Before, I used syntax like the above, but when I used it with the keyword "keep state" some users reported problems with traffic.
With FreeBSD 7, with keep state on the pass rules, it is not working at all.
The question is how to deal with keep state for in and out traffic when I need to shape both? I tried to use set state-policy if-bound but it had no impact.

From bugmaster at FreeBSD.org Mon Jul 28 11:07:01 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Jul 28 11:08:29 2008
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200807281107.m6SB718B078993@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented

6 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/114567  pf    [pf] LOR pf_ioctl.c + if.c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/125467  pf    [pf] pf keep state bug while handling sessions between

10 problems total.

From nejc at skoberne.net Tue Jul 29 09:25:28 2008
From: nejc at skoberne.net (Nejc Škoberne)
Date: Tue Jul 29 09:25:47 2008
Subject: pf randomly blocks specific packets?
Message-ID: <488EE046.4010602@skoberne.net>

Hello,

I have a FreeBSD 7.0 system with jails (and services in them). In one of the jails there is an Apache server, which also runs on the host system (and forwards traffic using mod_proxy to the jailed Apache).

Everything works as expected; I only have problems with pf, which seems to block certain packets randomly (not all of them).
This is how my rc.conf on the host system looks (relevant parts):
---------------------------------------------------------------------------------
defaultrouter="172.20.2.1"
ifconfig_em0="inet 172.20.2.2 netmask 255.255.255.0"

pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

apache22_enable="YES"

cloned_interfaces="lo1"
ifconfig_lo1="192.168.223.1"

jail_enable="YES"
jail_sysvipc_allow="YES"
jail_list="mail"
jail_mail_rootdir="/usr/jail/j/mail"
jail_mail_hostname="mail"
jail_mail_ip="192.168.223.10"
jail_mail_interface="lo1 netmask 255.255.255.0"
jail_mail_devfs_enable="YES"
jail_mail_procfs_enable="YES"
jail_mail_devfs_ruleset="devfsrules_jail"
---------------------------------------------------------------------------------

This is how my pf.conf looks:
---------------------------------------------------------------------------------
int_Trust = "em0"
int_Loop = "lo0"
int_Jails = "lo1"
int_jail_mail = "{" $int_Trust "}"

addr_net_Private = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
addr_net_Local = "{" $int_Trust:network ", 172.20.2.0/24, 192.168.0.0/16 }"
addr_sysSvarun = "a.b.c.d"
addr_jail_mail = "192.168.223.10"

svc_TCP_HOST_Private = "{ ssh, iwebmin, itelnet }"
svc_TCP_HOST_Public = "{ ssh, http, https, domain }"
svc_UDP_HOST_Public = "{ domain }"
svc_TCP_jail_mail = "{ smtp, smtps, pop3, pop3s, imap, imaps }"

ICMPTypes = "echoreq"
AllProtocols = "{ tcp, udp, ipv6, icmp, esp, ipencap, gre }"

table persist file "/usr/local/etc/trusted.addresses"

set loginterface $int_Trust

scrub on $int_Trust all no-df random-id reassemble tcp

nat on $int_Trust from $int_Jails:network to any -> $int_Trust
rdr pass on $int_jail_mail proto tcp from any to $int_jail_mail port \
    $svc_TCP_jail_mail -> $addr_jail_mail

block log all

pass in quick on $int_Trust from $addr_sysSvarun to any keep state
pass quick on $int_Loop all
pass quick on $int_Jails all
pass quick inet proto icmp all icmp-type $ICMPTypes keep state
pass in on $int_Trust from any to any keep state
pass out on $int_Trust from any to $addr_net_Local keep state
pass out on $int_Trust from $int_Trust to any keep state
pass out on lo1 from 192.168.223.10 to 192.168.223.10 keep state
---------------------------------------------------------------------------------

So as you can see there is a "pass quick on $int_Jails all" line, which, as far as I understand, should do exactly that. But when I do "tcpdump -n -r /var/log/pflog", I get these:

10:22:56.353027 IP 192.168.223.10.53777 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:23:06.744057 IP 192.168.223.10.53777 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:23:27.330096 IP 192.168.223.10.53777 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:23:47.918481 IP 192.168.223.10.53777 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:24:08.508126 IP 192.168.223.10.53777 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:24:29.096918 IP 192.168.223.10.53777 > 192.168.223.10.80: R 1:1(0) ack 1 win 8960
10:33:12.341285 IP 192.168.223.10.51214 > 192.168.223.10.80: F 1457218003:1457218003(0) ack 1764186631 win 8960
10:33:12.637811 IP 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:33:13.029827 IP 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:33:13.609705 IP 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:33:14.561443 IP 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:33:16.256344 IP 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:33:19.073348 IP 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:33:24.504722 IP 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:33:35.163039 IP 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:33:56.274140 IP 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:34:38.293842 IP 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:35:20.310801 IP 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:36:02.326561 IP 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
10:36:44.339793 IP 192.168.223.10.51214 > 192.168.223.10.80: R 1:1(0) ack 1 win 8960

or, if I pass the "-e -ttt" parameters to tcpdump as well, these:

rule 0/0(match): block out on lo1: 192.168.223.10.53777 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.53777 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.53777 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.53777 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.53777 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.53777 > 192.168.223.10.80: R 1:1(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 1457218003:1457218003(0) ack 1764186631 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: R 1:1(0) ack 1 win 8960

Which means pf blocks these packets. Why would this be? The consequence of blocking these packets is that I get this in the host's Apache server:

[Fri Jul 25 09:57:10 2008] [error] (1)Operation not permitted: proxy: HTTP: attempt to connect to 192.168.223.10:80 (mail) failed
[Fri Jul 25 09:57:10 2008] [error] ap_proxy_connect_backend disabling worker for (mail)
[Fri Jul 25 09:57:10 2008] [error] proxy: HTTP: disabled connection for (mail)

which disables connections to the jailed Apache for a while. Which is very annoying. However, this (that Apache gets blocked) doesn't always happen; I would say 10-20 times daily.

Any ideas?

Thanks,
Nejc

From koitsu at FreeBSD.org Tue Jul 29 10:10:53 2008
From: koitsu at FreeBSD.org (Jeremy Chadwick)
Date: Tue Jul 29 10:10:59 2008
Subject: pf randomly blocks specific packets?
In-Reply-To: <488EE046.4010602@skoberne.net>
References: <488EE046.4010602@skoberne.net>
Message-ID: <20080729101052.GA65160@eos.sc1.parodius.com>

On Tue, Jul 29, 2008 at 11:17:58AM +0200, Nejc Škoberne wrote:
> I have a FreeBSD 7.0 system with jails (and services in them). In one of the jails there
> is an Apache server, which also runs on the host system (and forwards traffic using
> mod_proxy to the jailed Apache).
>
> Everything works as expected, I only have problems with pf which seems to block certain
> packets randomly (not all of them).
>
> {snip}

Does removing "reassemble tcp" from your scrub rules fix anything?

I cannot comment on the rest of the ruleset.
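Every record in Nejc's pflog output above is a FIN or RST, never a SYN, which is the signature of teardown packets arriving after pf has already dropped the state rather than of a rule denying new connections. The following sh/awk triage script is an addition to this archive page (it was not posted by anyone in the thread). It buckets pflog block records by direction, interface and TCP flag class, then lists the interfaces whose blocks are all FIN/RST, so you can tell stale-state teardown from real denials at a glance. It assumes the one-record-per-line form that `tcpdump -n -e -ttt -r /var/log/pflog` prints on FreeBSD 7, as pasted above; the sample records are copied from the post plus one constructed blocked SYN on em0 from 203.0.113.7, which is not in the thread.

```shell
#!/bin/sh
# Added example for this archive page; not code posted by anyone in the thread.
# Buckets pflog "block" records by direction, interface and TCP flag class so
# that teardown packets of already-expired states (FIN/RST only) can be told
# apart from blocked connection attempts (SYN).
#
# Assumed input: one record per line as printed by
#   tcpdump -n -e -ttt -r /var/log/pflog
# on FreeBSD 7 ("rule 0/0(match): block out on lo1: src > dst: F ..."); any
# fields in front of the word "rule" (a relative timestamp, for instance)
# are ignored.

# Constructed sample: five records copied from the post above plus one
# made-up blocked SYN on em0 so every bucket gets exercised.
SAMPLE_PFLOG='rule 0/0(match): block out on lo1: 192.168.223.10.53777 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.53777 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.53777 > 192.168.223.10.80: R 1:1(0) ack 1 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 1457218003:1457218003(0) ack 1764186631 win 8960
rule 0/0(match): block out on lo1: 192.168.223.10.51214 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960
rule 0/0(match): block in on em0: 203.0.113.7.40000 > 172.20.2.2.22: S 10:10(0) win 65535'

# pf_block_summary: pflog records on stdin -> "<dir> <iface> <class> <count>"
# lines on stdout, sorted. <class> is SYN, FIN, RST or OTHER, derived from
# the tcpdump flag token that follows "src > dst:".
pf_block_summary() {
    awk '
        {
            for (i = 1; i <= NF; i++) if ($i == "rule") break
            if (i > NF || $(i + 2) != "block") next      # only block records
            dir = $(i + 3); iface = $(i + 5); sub(/:$/, "", iface)
            fl = $(i + 9)
            if (index(fl, "S"))      cls = "SYN"
            else if (index(fl, "F")) cls = "FIN"
            else if (index(fl, "R")) cls = "RST"
            else                     cls = "OTHER"
            n[dir " " iface " " cls]++
        }
        END { for (k in n) print k, n[k] }
    ' | sort
}

# pf_teardown_only_ifaces: summary lines on stdin -> the interfaces whose
# blocks are all FIN or RST. Those are stale-state teardown packets, not
# denied connections; for a trusted interface "set skip on" is the usual
# answer, otherwise raise the tcp.closing/tcp.finwait timeouts or add
# "no state" to the rule that passes the traffic.
pf_teardown_only_ifaces() {
    awk '
        { seen[$2] = 1; if ($3 != "FIN" && $3 != "RST") live[$2] = 1 }
        END { for (k in seen) if (!(k in live)) print k }
    ' | sort
}

# Demo on the constructed sample; on a live box replace the printf with
#   tcpdump -n -e -ttt -r /var/log/pflog
printf '%s\n' "$SAMPLE_PFLOG" | pf_block_summary
printf '%s\n' "$SAMPLE_PFLOG" | pf_block_summary | pf_teardown_only_ifaces
```

On the sample the summary is `in em0 SYN 1`, `out lo1 FIN 4`, `out lo1 RST 1`, and lo1 is reported as teardown-only, which matches what the thread ends up doing with it.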
From peter.wullinger at googlemail.com Tue Jul 29 10:31:33 2008
From: peter.wullinger at googlemail.com (Peter Wullinger)
Date: Tue Jul 29 10:31:41 2008
Subject: pf randomly blocks specific packets?
In-Reply-To: <488EE046.4010602@skoberne.net>
References: <488EE046.4010602@skoberne.net>
Message-ID: <488EE858.9010708@googlemail.com>

Nejc Škoberne wrote:
> pass in quick on $int_Trust from $addr_sysSvarun to any keep state

Note: You can remove "keep state". This is implicit for newer versions of pf.

> pass quick on $int_Loop all
> pass quick on $int_Jails all

Note: These keep state, see above. You might want to add "no state" here, to decrease state table usage.

> pass quick inet proto icmp all icmp-type $ICMPTypes keep state
> pass in on $int_Trust from any to any keep state
> pass out on $int_Trust from any to $addr_net_Local keep state
> pass out on $int_Trust from $int_Trust to any keep state
> pass out on lo1 from 192.168.223.10 to 192.168.223.10 keep state
> ---------------------------------------------------------------------------------
>
> So as you can see there is a "pass quick on $int_Jails all" line. Which, as far
> as I understand, should do exactly that. But, when I do
> "tcpdump -n -r /var/log/pflog", I get these:
>
> 10:22:56.353027 IP 192.168.223.10.53777 > 192.168.223.10.80: F 0:0(0) ack 1 win 8960

From the frequency of the logs, it looks like there is heavy load on the server (or a high connection latency). If so, this may be a problem of state table exhaustion or timeouts. pf may drop a "dangling, almost finished" connection before the final "FIN" packet arrives and thus create such log entries, as the final packet gets blocked when the corresponding state table entry is not present any more.

Do you monitor your state table size?
If this is exhausted, other problems are likely to occur, too.

>
> Which means, pf blocks these packets. Why would this be? The consequence of
> blocking these packets is that I get this in the host's Apache server:
>
> [Fri Jul 25 09:57:10 2008] [error] (1)Operation not permitted: proxy:
> HTTP: attempt to connect to 192.168.223.10:80 (mail) failed

What is being blocked by PF are TCP packets with the FIN bit set. These are part of the connection shutdown sequence. The error message here indicates that connection establishment failed. I would find it strange if these are really related /directly/, but see below.

If I figure out the error message correctly, this means that the "connect()" system call failed. I guess (would have to confirm by looking at the source code, but after a short mailing list search it seems to be likely) that a state table exhaustion can also create "connect()" errors such as these. "Cannot connect, because pf cannot create a state table entry for your connection".

To eliminate this possibility, you should monitor the size of your state table and possibly increase the limits, if so. Or insert some "no state" statements into your ruleset.

Regards,
Peter

From nejc at skoberne.net Tue Jul 29 10:41:31 2008
From: nejc at skoberne.net (Nejc Škoberne)
Date: Tue Jul 29 10:41:38 2008
Subject: pf randomly blocks specific packets?
In-Reply-To: <20080729101052.GA65160@eos.sc1.parodius.com>
References: <488EE046.4010602@skoberne.net> <20080729101052.GA65160@eos.sc1.parodius.com>
Message-ID: <488EF3D4.40100@skoberne.net>

Hey,

> Does removing "reassemble tcp" from your scrub rules fix anything?

Will try and let you know if it helps.

Thanks,
Nejc

From nejc at skoberne.net Tue Jul 29 11:11:56 2008
From: nejc at skoberne.net (Nejc Škoberne)
Date: Tue Jul 29 11:12:02 2008
Subject: pf randomly blocks specific packets?
In-Reply-To: <488EF3D4.40100@skoberne.net>
References: <488EE046.4010602@skoberne.net> <20080729101052.GA65160@eos.sc1.parodius.com> <488EF3D4.40100@skoberne.net>
Message-ID: <488EFAF7.8000104@skoberne.net>

Hey,

>> Does removing "reassemble tcp" from your scrub rules fix anything?
>
> Will try and let you know if it helps.

Looks like this doesn't help. I still get those blocks logged in pflog.

By the way, if I comment out "block log all" from pf.conf, pf doesn't block those packets any more. But I'd like to have "block log all" turned on, of course.

Thanks,
Nejc

From koitsu at FreeBSD.org Tue Jul 29 11:33:28 2008
From: koitsu at FreeBSD.org (Jeremy Chadwick)
Date: Tue Jul 29 11:35:06 2008
Subject: pf randomly blocks specific packets?
In-Reply-To: <488EE858.9010708@googlemail.com>
References: <488EE046.4010602@skoberne.net> <488EE858.9010708@googlemail.com>
Message-ID: <20080729113328.GA67866@eos.sc1.parodius.com>

On Tue, Jul 29, 2008 at 11:52:24AM +0200, Peter Wullinger wrote:
> Nejc Škoberne wrote:
>> pass in quick on $int_Trust from $addr_sysSvarun to any keep state
> Note: You can remove "keep state". This is implicit for newer versions of pf.
>> pass quick on $int_Loop all
>> pass quick on $int_Jails all
> Note: These keep state, see above. You might want to add "no state" here,
> to decrease state table usage.

Or better yet, use "set skip on $int_Loop $int_Jails", and avoid having pf process any of them.

From nejc at skoberne.net Tue Jul 29 12:53:53 2008
From: nejc at skoberne.net (Nejc Škoberne)
Date: Tue Jul 29 12:53:59 2008
Subject: pf randomly blocks specific packets?
In-Reply-To: <488EE858.9010708@googlemail.com>
References: <488EE046.4010602@skoberne.net> <488EE858.9010708@googlemail.com>
Message-ID: <488F12DB.8090908@skoberne.net>

Hello,

> Note: You can remove "keep state". This is implicit for newer versions of
> pf.
> Note: These keep state, see above. You might want to add "no state" here,
> to decrease state table usage.

But if it is "no state", does that mean it eats more CPU? Or not?

> From the frequency of the logs, it looks like there is heavy load
> on the server (or a high connection latency). If so, this may be a problem
> of state table exhaustion or timeouts. pf may drop a "dangling, almost
> finished" connection before the final "FIN" packet arrives and thus create
> such log entries, as the final packet gets blocked when the corresponding
> state table entry is not present any more.

Actually the server was just deployed and there shouldn't be much traffic going through. I checked with pfctl:

State Table                     Total             Rate
  current entries                  79
  searches                    9652489           16.2/s
  inserts                      486382            0.8/s
  removals                     486303            0.8/s

These seem pretty low, huh?

> To eliminate this possibility, you should monitor the size of your state
> table and possibly increase the limits, if so.
> Or insert some "no state" statements into your ruleset.

So, what would be the next idea to try? For now I did "set skip on $int_Jails" and it seems to help.

Thanks,
Nejc

From news at topocentras.lt Wed Jul 30 06:43:20 2008
From: news at topocentras.lt (news@topocentras.lt)
Date: Wed Jul 30 06:43:26 2008
Subject: need help with keep state and shaping
In-Reply-To: <51307.88.119.128.115.1217227945.squirrel@mx.agservice.lt>
References: <51307.88.119.128.115.1217227945.squirrel@mx.agservice.lt>
Message-ID: <64686.88.119.128.115.1217400195.squirrel@mx.agservice.lt>

Hello once more,
It would be very interesting to hear from you how to use keep state for a router shaping in and out traffic.
I am using around a thousand queues (hfsc) and it causes a lot of performance problems. Using keep state would reduce it, but as I mentioned before, I have problems using it.

Sincerely Yours,
Albertas

From ivanatora at gmail.com Wed Jul 30 07:58:22 2008
From: ivanatora at gmail.com (Ivan Petrushev)
Date: Wed Jul 30 07:58:28 2008
Subject: need help with keep state and shaping
In-Reply-To: <64686.88.119.128.115.1217400195.squirrel@mx.agservice.lt>
References: <51307.88.119.128.115.1217227945.squirrel@mx.agservice.lt> <64686.88.119.128.115.1217400195.squirrel@mx.agservice.lt>
Message-ID:

Hello Albertas,
I thought 'keep state' is the default behavior in FreeBSD 7 and you don't have to specify that keyword?
Regards,
Ivan
From buchtajz at borsice.net Wed Jul 30 08:23:19 2008
From: buchtajz at borsice.net (Michal Buchtik)
Date: Wed Jul 30 08:23:25 2008
Subject: need help with keep state and shaping
In-Reply-To: <64686.88.119.128.115.1217400195.squirrel@mx.agservice.lt>
References: <51307.88.119.128.115.1217227945.squirrel@mx.agservice.lt> <64686.88.119.128.115.1217400195.squirrel@mx.agservice.lt>
Message-ID: <1217406136.31805.6.camel@buchtajz>

PF makes 2 states per connection, so try this
($int_if is the users' LAN)

pass in quick on $int_if from 10.0.0.1 to any tag user1 queue download1
pass in quick on $ext_if from any to 10.0.0.1 tag user1 queue upload1
pass out quick on $int_if tagged user1 queue download1
pass out quick on $ext_if tagged user1 queue upload1
.....and so on for the other users
From news at topocentras.lt Wed Jul 30 08:29:18 2008
From: news at topocentras.lt (news@topocentras.lt)
Date: Wed Jul 30 08:29:28 2008
Subject: need help with keep state and shaping
In-Reply-To: <1217406136.31805.6.camel@buchtajz>
References: <51307.88.119.128.115.1217227945.squirrel@mx.agservice.lt> <64686.88.119.128.115.1217400195.squirrel@mx.agservice.lt> <1217406136.31805.6.camel@buchtajz>
Message-ID: <50928.88.119.128.115.1217406553.squirrel@mx.agservice.lt>

Thanks for the suggestion.
Is there any difference using set state-policy if-bound?
When should which state policy be used?

Thanks, Albertas

> PF makes 2 states per connection, so try this
> ($int_if is the users' LAN)
>
> pass in quick on $int_if from 10.0.0.1 to any tag user1 queue download1
> pass in quick on $ext_if from any to 10.0.0.1 tag user1 queue upload1
> pass out quick on $int_if tagged user1 queue download1
> pass out quick on $ext_if tagged user1 queue upload1
> ...and so on for the other users
>
>
> news@topocentras.lt writes on Wed 30. 07. 2008 at 09:43 +0300:
>> Hello once more,
>> It would be very interesting to hear from you how to use keep state for
>> router, shaping in and out traffic.
>> I am using around a thousand queues (hfsc) and it makes a lot of
>> performance problems. Using keep state would reduce it, but as I mentioned
>> before, I have problems using it.
>>
>> Sincerely Yours,
>> Albertas
>>
>> > ext_if="bge0"
>> > int_if="bge1"
>> >
>> > pass out quick on $ext_if from 10.0.0.1 to any queue upload1
>> > pass out quick on $int_if from any to 10.0.0.1 queue download1
>> >
>> > pass out quick on $ext_if from 10.0.0.2 to any queue upload2
>> > pass out quick on $int_if from any to 10.0.0.2 queue download2
>> >
>> > pass out quick on $ext_if from 10.0.0.3 to any queue upload3
>> > pass out quick on $int_if from any to 10.0.0.3 queue download3
>> >
>> > pass in all
>> > pass out all
>> >
>> > #10.0.0.x users subnet
>> >
>> > Hello,
>> > I have problems with keep state usage. I need to shape incoming and
>> > outgoing traffic (no nat).
>> > Before I used syntax like above, but when I used it with keyword "keep
>> > state" some users reported problems with traffic.
>> > With version FreeBSD 7 with keep state on pass rules are not working at
>> > all.
>> > Question is how to deal with keep state for in and out traffic when I need
>> > to shape both? I tried to use set state-policy if-bound but it had no
>> > impact.
>> >
>>
>

From buchtajz at borsice.net Wed Jul 30 09:59:56 2008
From: buchtajz at borsice.net (Michal Buchtik)
Date: Wed Jul 30 10:00:23 2008
Subject: need help with keep state and shaping
In-Reply-To: <50928.88.119.128.115.1217406553.squirrel@mx.agservice.lt>
References: <51307.88.119.128.115.1217227945.squirrel@mx.agservice.lt> <64686.88.119.128.115.1217400195.squirrel@mx.agservice.lt> <1217406136.31805.6.camel@buchtajz> <50928.88.119.128.115.1217406553.squirrel@mx.agservice.lt>
Message-ID: <1217411931.31805.10.camel@buchtajz>

I use the default state-policy (floating). As far as I can remember, the
if-bound policy works differently.

news@topocentras.lt writes on Wed 30. 07. 2008 at 11:29 +0300:
> Thanks for the suggestion. Is there any difference using set state-policy if-bound?
> When should which state policy be used?
>
> Thanks, Albertas
>
>
> > PF makes 2 states per connection, so try this
> > ($int_if is the users' LAN)
> >
> > pass in quick on $int_if from 10.0.0.1 to any tag user1 queue download1
> > pass in quick on $ext_if from any to 10.0.0.1 tag user1 queue upload1
> > pass out quick on $int_if tagged user1 queue download1
> > pass out quick on $ext_if tagged user1 queue upload1
> > ...and so on for the other users
> >
> >
> > news@topocentras.lt writes on Wed 30. 07. 2008 at 09:43 +0300:
> >> Hello once more,
> >> It would be very interesting to hear from you how to use keep state for
> >> router, shaping in and out traffic.
> >> I am using around a thousand queues (hfsc) and it makes a lot of
> >> performance problems. Using keep state would reduce it, but as I mentioned
> >> before, I have problems using it.
> >>
> >> Sincerely Yours,
> >> Albertas
> >>
> >> > ext_if="bge0"
> >> > int_if="bge1"
> >> >
> >> > pass out quick on $ext_if from 10.0.0.1 to any queue upload1
> >> > pass out quick on $int_if from any to 10.0.0.1 queue download1
> >> >
> >> > pass out quick on $ext_if from 10.0.0.2 to any queue upload2
> >> > pass out quick on $int_if from any to 10.0.0.2 queue download2
> >> >
> >> > pass out quick on $ext_if from 10.0.0.3 to any queue upload3
> >> > pass out quick on $int_if from any to 10.0.0.3 queue download3
> >> >
> >> > pass in all
> >> > pass out all
> >> >
> >> > #10.0.0.x users subnet
> >> >
> >> > Hello,
> >> > I have problems with keep state usage. I need to shape incoming and
> >> > outgoing traffic (no nat).
> >> > Before I used syntax like above, but when I used it with keyword "keep
> >> > state" some users reported problems with traffic.
> >> > With version FreeBSD 7 with keep state on pass rules are not working at
> >> > all.
> >> > Question is how to deal with keep state for in and out traffic when I need
> >> > to shape both? I tried to use set state-policy if-bound but it had no
> >> > impact.
> >> >
> >>
> >
>

From arved at arved.at Thu Jul 31 16:10:02 2008
From: arved at arved.at (Tilman Linneweh)
Date: Thu Jul 31 16:10:31 2008
Subject: pf dropping packets despite pass all rule
Message-ID: <20080731153506.GA61317@arved.priv.at>

Hi list,

My setup:

LAN -> Router with PF <- gif tunnel with IPSEC -> Server

The router is running FreeBSD 7.0. Protocol is IPv6. ping6 works,
but TCPv6 from LAN to Server does not work, unless I disable PF.

Excerpt from pf.conf:
pass in quick on gif0 all keep state
pass out quick on gif0 all keep state

pflog0 contains some strange packets:
http://arved.priv.at/~arved/strangepackets.pcap

IPSEC_FILTERTUNNEL does not make a difference.

I don't understand why pf is dropping something on gif0. And I can't decode
what kind of packets these are, and why they are necessary for TCPv6.

Any ideas?
regards
arved

From max at love2party.net Thu Jul 31 16:26:54 2008
From: max at love2party.net (Max Laier)
Date: Thu Jul 31 16:27:01 2008
Subject: pf dropping packets despite pass all rule
In-Reply-To: <20080731153506.GA61317@arved.priv.at>
References: <20080731153506.GA61317@arved.priv.at>
Message-ID: <200807311826.51457.max@love2party.net>

On Thursday 31 July 2008 17:35:06 Tilman Linneweh wrote:
> Hi list,
>
> My setup:
>
> LAN -> Router with PF <- gif tunnel with IPSEC -> Server
>
> The router is running FreeBSD 7.0. Protocol is IPv6. ping6 works,
> but TCPv6 from LAN to Server does not work, unless I disable PF.
>
> Excerpt from pf.conf:
> pass in quick on gif0 all keep state
> pass out quick on gif0 all keep state
>
> pflog0 contains some strange packets:
> http://arved.priv.at/~arved/strangepackets.pcap

That dump is useless, please cap with "-s0".

> IPSEC_FILTERTUNNEL does not make a difference.
>
> I don't understand why pf is dropping something on gif0. And I can't decode
> what kind of packets these are, and why they are necessary for TCPv6.
>
> Any ideas?

I'd suspect ip-options. Try allow-opts and check "pfctl -si". If you really
want to trust gif0 completely, you could simply add "skip on gif0" and pf will
not mess with it at all.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From arved at arved.at Thu Jul 31 17:38:09 2008
From: arved at arved.at (Tilman Linneweh)
Date: Thu Jul 31 17:38:16 2008
Subject: pf dropping packets despite pass all rule
In-Reply-To: <200807311826.51457.max@love2party.net>
References: <20080731153506.GA61317@arved.priv.at> <200807311826.51457.max@love2party.net>
Message-ID: <20080731173801.GB61317@arved.priv.at>

* Max Laier [2008-07-31 18:27]:
> > LAN -> Router with PF <- gif tunnel with IPSEC -> Server
> >
> > The router is running FreeBSD 7.0. Protocol is IPv6. ping6 works,
> > but TCPv6 from LAN to Server does not work, unless I disable PF.
> >
> > Excerpt from pf.conf:
> > pass in quick on gif0 all keep state
> > pass out quick on gif0 all keep state
> >
> > pflog0 contains some strange packets:
> > http://arved.priv.at/~arved/strangepackets.pcap
>
> That dump is useless, please cap with "-s0".

Hm indeed, sorry, http://arved.priv.at/~arved/strangepackets2.pcap

> > IPSEC_FILTERTUNNEL does not make a difference.
> >
> > I don't understand why pf is dropping something on gif0. And I can't decode
> > what kind of packets these are, and why they are necessary for TCPv6.
> >
> > Any ideas?
>
> I'd suspect ip-options. Try allow-opts and check "pfctl -si". If you really
> want to trust gif0 completely, you could simply add "skip on gif0" and pf will
> not mess with it at all.
>

Ok, allow-opts does not change anything. skip on gif0 works.

pfctl -si confirms that there are packets blocked.

Status: Enabled for 0 days 02:37:07           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Bytes In                               0           261859
  Bytes Out                              0           207299
  Packets In
    Passed                               0             2347
    Blocked                              0               90
  Packets Out
    Passed                               0             2185
    Blocked                              0                0

State Table                          Total             Rate
  current entries                       31
  searches                           44046            4.7/s
  inserts                             2768            0.3/s
  removals                            2737            0.3/s
Counters
  match                              13425            1.4/s
  bad-offset                             0            0.0/s
  [...rest is all zeros]

...and later:

status: Enabled for 0 days 02:37:21           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Bytes In                               0           263327
  Bytes Out                              0           208711
  Packets In
    Passed                               0             2356
    Blocked                              0               96
  Packets Out
    Passed                               0             2197
    Blocked                              0                0

State Table                          Total             Rate
  current entries                       30
  searches                           44128            4.7/s
  inserts                             2772            0.3/s
  removals                            2742            0.3/s
Counters
  match                              13451            1.4/s
  bad-offset                             0            0.0/s

So yeah, thanks for the "skip on" hint, I can do the filtering on the
non-gif interfaces, but I still would like to know what's going on, and
why these packets are blocked.
regards
arved

From max at love2party.net Thu Jul 31 18:03:57 2008
From: max at love2party.net (Max Laier)
Date: Thu Jul 31 18:04:03 2008
Subject: pf dropping packets despite pass all rule
In-Reply-To: <20080731173801.GB61317@arved.priv.at>
References: <20080731153506.GA61317@arved.priv.at> <200807311826.51457.max@love2party.net> <20080731173801.GB61317@arved.priv.at>
Message-ID: <200807312003.53098.max@love2party.net>

On Thursday 31 July 2008 19:38:01 Tilman Linneweh wrote:
> * Max Laier [2008-07-31 18:27]:
> > > LAN -> Router with PF <- gif tunnel with IPSEC -> Server
> > >
> > > The router is running FreeBSD 7.0. Protocol is IPv6. ping6 works,
> > > but TCPv6 from LAN to Server does not work, unless I disable PF.
> > >
> > > Excerpt from pf.conf:
> > > pass in quick on gif0 all keep state
> > > pass out quick on gif0 all keep state
> > >
> > > pflog0 contains some strange packets:
> > > http://arved.priv.at/~arved/strangepackets.pcap
> >
> > That dump is useless, please cap with "-s0".
>
> Hm indeed, sorry, http://arved.priv.at/~arved/strangepackets2.pcap

alright ... for some reason we are blocking the ACKs - i.e. they don't seem
to match any state (and the SYN must have gone through somehow). That can
happen for two reasons: 1) There is no state created 2) Something's wrong with
the state entry or the involved tcp stacks.

To debug this further you could enable pf debug logging (pfctl -xm) and watch
the console for state mismatches ... however ...

> > > IPSEC_FILTERTUNNEL does not make a difference.
> > >
> > > I don't understand why pf is dropping something on gif0. And I can't
> > > decode what kind of packets these are, and why they are necessary for
> > > TCPv6.
> > >
> > > Any ideas?
> >
> > I'd suspect ip-options. Try allow-opts and check "pfctl -si". If you
> > really want to trust gif0 completely, you could simply add "skip on gif0"
> > and pf will not mess with it at all.
>
> Ok, allow-opts does not change anything. skip on gif0 works.
>
> pfctl -si confirms that there are packets blocked.
>
> Status: Enabled for 0 days 02:37:07           Debug: Urgent
>
> Interface Stats for gif0              IPv4             IPv6
>   Bytes In                               0           261859
>   Bytes Out                              0           207299
>   Packets In
>     Passed                               0             2347
>     Blocked                              0               90
>   Packets Out
>     Passed                               0             2185
>     Blocked                              0                0
>
> State Table                          Total             Rate
>   current entries                       31
>   searches                           44046            4.7/s
>   inserts                             2768            0.3/s
>   removals                            2737            0.3/s
> Counters
>   match                              13425            1.4/s
>   bad-offset                             0            0.0/s
>   [...rest is all zeros]
>
> ...and later:
>
> status: Enabled for 0 days 02:37:21           Debug: Urgent
>
> Interface Stats for gif0              IPv4             IPv6
>   Bytes In                               0           263327
>   Bytes Out                              0           208711
>   Packets In
>     Passed                               0             2356
>     Blocked                              0               96
>   Packets Out
>     Passed                               0             2197
>     Blocked                              0                0
>
> State Table                          Total             Rate
>   current entries                       30
>   searches                           44128            4.7/s
>   inserts                             2772            0.3/s
>   removals                            2742            0.3/s
> Counters
>   match                              13451            1.4/s
>   bad-offset                             0            0.0/s

... if there is no counter increase on "state-mismatch" (please double-check),
it would suggest that no state is created in the first place. Could you
provide your complete ruleset with rule numbers? (pfctl -vvvsr)

> So yeah, thanks for the "skip on" hint, I can do the filtering on the
> non-gif interfaces, but I still would like to know what's going on, and
> why these packets are blocked.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From arved at arved.at Thu Jul 31 20:08:50 2008
From: arved at arved.at (Tilman Linneweh)
Date: Thu Jul 31 20:08:56 2008
Subject: pf dropping packets despite pass all rule
In-Reply-To: <200807312003.53098.max@love2party.net>
References: <20080731153506.GA61317@arved.priv.at> <200807311826.51457.max@love2party.net> <20080731173801.GB61317@arved.priv.at> <200807312003.53098.max@love2party.net>
Message-ID: <96F634DC-33DE-407D-A56C-6E28FE327276@arved.at>

On Jul 31, 2008, at 20:03, Max Laier wrote:
>>>> LAN -> Router with PF <- gif tunnel with IPSEC -> Server
>>>>
>>>> The router is running FreeBSD 7.0. Protocol is IPv6. ping6 works,
>>>> but TCPv6 from LAN to Server does not work, unless I disable PF.
>>>>
>>>> Excerpt from pf.conf:
>>>> pass in quick on gif0 all keep state
>>>> pass out quick on gif0 all keep state
>>>>
>> Hm indeed, sorry, http://arved.priv.at/~arved/strangepackets2.pcap
>
> alright ... for some reason we are blocking the ACKs - i.e. they don't seem
> to match any state (and the SYN must have gone through somehow). That can
> happen for two reasons: 1) There is no state created 2) Something's wrong with
> the state entry or the involved tcp stacks.
>
> To debug this further you could enable pf debug logging (pfctl -xm) and watch
> the console for state mismatches ... however ...
>>
>> pfctl -si confirms that there are packets blocked.
>> Status: Enabled for 0 days 02:37:07           Debug: Urgent
>>
>> Interface Stats for gif0              IPv4             IPv6
>>   Bytes In                               0           261859
>>   Bytes Out                              0           207299
>>   Packets In
>>     Passed                               0             2347
>>     Blocked                              0               90
>>   Packets Out
>>     Passed                               0             2185
>>     Blocked                              0                0
>>
>> State Table                          Total             Rate
>>   current entries                       31
>>   searches                           44046            4.7/s
>>   inserts                             2768            0.3/s
>>   removals                            2737            0.3/s
>> Counters
>>   match                              13425            1.4/s
>>   bad-offset                             0            0.0/s
>>   [...rest is all zeros]
>>
>> ...and later:
>>
>> status: Enabled for 0 days 02:37:21           Debug: Urgent
>>
>> Interface Stats for gif0              IPv4             IPv6
>>   Bytes In                               0           263327
>>   Bytes Out                              0           208711
>>   Packets In
>>     Passed                               0             2356
>>     Blocked                              0               96
>>   Packets Out
>>     Passed                               0             2197
>>     Blocked                              0                0
>>
>> State Table                          Total             Rate
>>   current entries                       30
>>   searches                           44128            4.7/s
>>   inserts                             2772            0.3/s
>>   removals                            2742            0.3/s
>> Counters
>>   match                              13451            1.4/s
>>   bad-offset                             0            0.0/s
>
> ... if there is no counter increase on "state-mismatch" (please double-check),
> it would suggest that no state is created in the first place. Could you
> provide your complete ruleset with rule numbers? (pfctl -vvvsr)
>

There is now a single state-mismatch. But that could be something else.
The debug-logging shows nothing about state mismatch.
@0 scrub in all fragment reassemble
  [ Evaluations: 3890      Packets: 2146      Bytes: 255350      States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@0 pass in all flags S/SA keep state
  [ Evaluations: 75        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@1 pass out all flags S/SA keep state
  [ Evaluations: 75        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@2 block return log all
  [ Evaluations: 75        Packets: 23        Bytes: 7440        States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@3 pass in quick on sis0 proto tcp from any to any port = ssh flags S/SA keep state
  [ Evaluations: 75        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@4 pass in quick on sis0 proto tcp from any to any port = domain flags S/SA keep state
  [ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@5 pass in quick on sis0 proto tcp from any to any port = smtp flags S/SA keep state
  [ Evaluations: 2         Packets: 30        Bytes: 2340        States: 2     ]
  [ Inserted: uid 0 pid 2258 ]
@6 pass in quick on sis0 proto udp from any to any port = ssh keep state
  [ Evaluations: 22        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@7 pass in quick on sis0 proto udp from any to any port = domain keep state
  [ Evaluations: 22        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@8 pass in quick on sis0 proto udp from any to any port = smtp keep state
  [ Evaluations: 22        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@9 block return out quick on sis0 inet proto udp from 62.178.208.15 to any port = who
  [ Evaluations: 43        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@10 pass in on sis1 inet from 192.168.1.0/24 to any flags S/SA keep state allow-opts
  [ Evaluations: 73        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@11 pass in on sis1 inet6 from 2001:6f8:13fb:3::/64 to any flags S/SA keep state allow-opts
  [ Evaluations: 23        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@12 pass out on sis1 inet from any to 192.168.1.0/24 flags S/SA keep state allow-opts
  [ Evaluations: 25        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@13 pass out on sis1 inet6 from any to 2001:6f8:13fb:3::/64 flags S/SA keep state allow-opts
  [ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@14 pass in on sis1 inet6 all flags S/SA keep state
  [ Evaluations: 25        Packets: 2         Bytes: 144         States: 2     ]
  [ Inserted: uid 0 pid 2258 ]
@15 pass out on sis1 inet6 all flags S/SA keep state
  [ Evaluations: 4         Packets: 2         Bytes: 136         States: 2     ]
  [ Inserted: uid 0 pid 2258 ]
@16 pass in on sis1 inet from 192.168.0.0/16 to any flags S/SA keep state
  [ Evaluations: 25        Packets: 180       Bytes: 51414       States: 21    ]
  [ Inserted: uid 0 pid 2258 ]
@17 pass out on sis1 inet from any to 192.168.0.0/16 flags S/SA keep state
  [ Evaluations: 23        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@18 pass in inet proto icmp all icmp-type echoreq keep state
  [ Evaluations: 69        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@19 pass out inet proto icmp all keep state
  [ Evaluations: 24        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@20 pass out on sis0 proto tcp all flags S/SA keep state
  [ Evaluations: 73        Packets: 160       Bytes: 49118       States: 11    ]
  [ Inserted: uid 0 pid 2258 ]
@21 pass out on sis0 proto udp all keep state
  [ Evaluations: 21        Packets: 21        Bytes: 2100        States: 10    ]
  [ Inserted: uid 0 pid 2258 ]
@22 pass in quick on gif0 all flags S/SA keep state allow-opts
  [ Evaluations: 73        Packets: 382       Bytes: 27496       States: 2     ]
  [ Inserted: uid 0 pid 2258 ]
@23 pass out quick on gif0 all flags S/SA keep state allow-opts
  [ Evaluations: 2         Packets: 3         Bytes: 288         States: 2     ]
  [ Inserted: uid 0 pid 2258 ]
@24 pass in quick on sis0 inet proto ipv6 from any to 62.178.208.15 keep state
  [ Evaluations: 69        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@25 pass out quick on sis0 inet proto ipv6 from 62.178.208.15 to any keep state
  [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@26 pass in quick proto esp all keep state
  [ Evaluations: 69        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@27 pass in quick proto ipencap all keep state
  [ Evaluations: 45        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@28 pass in quick proto udp from any port = isakmp to any port = isakmp keep state
  [ Evaluations: 45        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@29 pass in quick proto tcp from any port = isakmp to any port = isakmp flags S/SA keep state
  [ Evaluations: 11        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@30 pass out quick proto esp all keep state
  [ Evaluations: 69        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@31 pass out quick proto ipencap all keep state
  [ Evaluations: 24        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@32 pass out quick proto udp from any port = isakmp to any port = isakmp keep state
  [ Evaluations: 24        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@33 pass out quick proto tcp from any port = isakmp to any port = isakmp flags S/SA keep state
  [ Evaluations: 13        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@34 anchor "ftp-proxy/*" all
  [ Evaluations: 69        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@35 pass out inet6 proto tcp from ::1 to any port = ftp flags S/SA keep state
  [ Evaluations: 69        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@36 pass out inet proto tcp from 127.0.0.1 to any port = ftp flags S/SA keep state
  [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
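Max's check in the thread (do blocked packets on gif0 rise between two `pfctl -si` runs, and does `state-mismatch` rise with them?) is easy to misread by eye across a wall of counters. The following Python script is an added example, not code from the thread or from pf itself: it parses two `pfctl -si` snapshots, lists every total that changed, and applies the rule of thumb Max gives. The two snapshots are constructed here from the output Tilman posted (with a `state-mismatch 0` row added, since his paste elides the all-zero rows), and the column layout of `pfctl -si` is assumed to be the one shown in the thread.

```python
import re

# Two constructed `pfctl -si` snapshots modelled on the pair pasted in the
# thread; the poster elided the all-zero rows, so 'state-mismatch 0' is added.
SNAP_BEFORE = """\
Status: Enabled for 0 days 02:37:07           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Packets In
    Passed                               0             2347
    Blocked                              0               90
  Packets Out
    Passed                               0             2185
    Blocked                              0                0

State Table                          Total             Rate
  current entries                       31
  searches                           44046            4.7/s
  inserts                             2768            0.3/s
  removals                            2737            0.3/s
Counters
  match                              13425            1.4/s
  state-mismatch                         0            0.0/s
"""
SNAP_AFTER = """\
Status: Enabled for 0 days 02:37:21           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Packets In
    Passed                               0             2356
    Blocked                              0               96
  Packets Out
    Passed                               0             2197
    Blocked                              0                0

State Table                          Total             Rate
  current entries                       30
  searches                           44128            4.7/s
  inserts                             2772            0.3/s
  removals                            2742            0.3/s
Counters
  match                              13451            1.4/s
  state-mismatch                         0            0.0/s
"""

# Verdicts returned by diagnose(), following the reasoning given in the thread
NO_NEW_BLOCKS = "no new blocks on the interface"
STATE_MISMATCH = "blocks rose with state-mismatch: inspect the state entry / TCP stacks"
NO_STATE_CREATED = "blocks rose without state-mismatch: no state created, review the ruleset"

# Section headers that switch the key prefix; a row is a name, 2+ spaces, then numbers
_SECTIONS = {"State Table": "state", "Counters": "counter"}
_ROW = re.compile(r"^(?P<name>[A-Za-z][A-Za-z -]*[A-Za-z])\s{2,}(?P<vals>\d.*)$")


def parse_pfctl_si(text):
    """Flatten `pfctl -si` output into {key: int}; rates such as '4.7/s' are dropped.
    Keys: '<iface>.<in|out>.<row>.<ipv4|ipv6>', 'state.<row>' and 'counter.<row>'."""
    stats, iface, group, direction = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("status:"):
            continue
        header = re.match(r"Interface Stats for (\S+)", line)
        section = next((v for k, v in _SECTIONS.items() if line.startswith(k)), None)
        if header or section:
            iface = header.group(1) if header else iface
            group, direction = ("iface" if header else section), None
            continue
        if line in ("Packets In", "Packets Out"):
            direction = line.split()[1].lower()
            continue
        row = _ROW.match(line)
        if not row or group is None:
            continue
        name = row.group("name").lower().replace(" ", "-")
        totals = [int(v) for v in row.group("vals").split() if v.isdigit()]
        if group == "iface":           # two columns: IPv4 then IPv6
            prefix = ".".join(p for p in (iface, direction, name) if p)
            stats[prefix + ".ipv4"], stats[prefix + ".ipv6"] = totals
        else:
            stats[group + "." + name] = totals[0]
    return stats


def diff_snapshots(before, after):
    """Return {key: after - before} for every counter present in both that moved."""
    return {k: after[k] - before[k] for k in after if k in before and after[k] != before[k]}


def diagnose(before, after, iface="gif0"):
    """Blocked packets rising without state-mismatch rising means no state was created."""
    delta = diff_snapshots(before, after)
    blocked = sum(v for k, v in delta.items()
                  if k.startswith(iface + ".") and ".blocked." in k and v > 0)
    if blocked == 0:
        return NO_NEW_BLOCKS
    if delta.get("counter.state-mismatch", 0) > 0:
        return STATE_MISMATCH
    return NO_STATE_CREATED
```

Feed it two captures taken a few seconds apart while reproducing the failure: `diff_snapshots` shows which totals moved, and on the thread's numbers `gif0.in.blocked.ipv6` rises by 6 while `counter.state-mismatch` stays flat, which is exactly the case Max describes, so the next thing to look at is the numbered ruleset from `pfctl -vvvsr` rather than the state entries.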