From invite+kvvuum_d at facebookmail.com Sun Jun 1 22:37:36 2008
From: invite+kvvuum_d at facebookmail.com (Doru Moisa)
Date: Sun Jun 1 22:37:41 2008
Subject: Check out my Facebook profile

I set up a Facebook profile where I can post my pictures, videos and events and I want to add you as a friend so you can see it. First, you need to join Facebook! Once you join, you can also create your own profile.

Thanks,
Doru

Here's the link:
http://www.facebook.com/p.php?i=1300898780&k=Y6FTP6Q4QXYM5ADDPBWTSW&r&v=2

___________________
This e-mail may contain promotional materials. If you do not wish to receive future commercial mailings from Facebook, please click on the link below. Facebook's offices are located at 156 University Ave., Palo Alto, CA 94301.
http://www.facebook.com/o.php?u=1304108823&k=2f03bb

From bugmaster at FreeBSD.org Mon Jun 2 11:06:58 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Jun 2 11:07:23 2008
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200806021106.m52B6vWD093254@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/116610   pf         [patch] teach tcpdump(1) to cope with the new-style pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf

5 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
o kern/118355  pf         [pf] [patch] pfctl help message options order false -t
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/123965  pf         [pf] tcpdump(1) does not see outgoing RST when pf is e

10 problems total.

From mlaier at FreeBSD.org Mon Jun 2 19:03:14 2008
From: mlaier at FreeBSD.org (mlaier@FreeBSD.org)
Date: Mon Jun 2 19:03:16 2008
Subject: kern/123965: [pf] tcpdump(1) does not see outgoing RST when pf is enabled
Message-ID: <200806021903.m52J3Ds1036079@freefall.freebsd.org>

Synopsis: [pf] tcpdump(1) does not see outgoing RST when pf is enabled

State-Changed-From-To: open->closed
State-Changed-By: mlaier
State-Changed-When: Mon Jun 2 19:02:49 UTC 2008
State-Changed-Why:
As noted in follow-up, this problem is fixed.

http://www.freebsd.org/cgi/query-pr.cgi?pr=123965

From chelsi2004 at inbox.ru Tue Jun 3 12:46:18 2008
From: chelsi2004 at inbox.ru (chelsi2004@inbox.ru)
Date: Tue Jun 3 12:46:27 2008
Subject: unsubscribe
In-Reply-To: <20080603120023.EC979106577A@hub.freebsd.org>
References: <20080603120023.EC979106577A@hub.freebsd.org>
Message-ID: <45867370.20080603181238@bk.ru>

Hello, Freebsd-pf-request. You wrote on 3 June
2008, 18:00:23:

> Send freebsd-pf mailing list submissions to
>     freebsd-pf@freebsd.org
> To subscribe or unsubscribe via the World Wide Web, visit
>     http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> or, via email, send a message with subject or body 'help' to
>     freebsd-pf-request@freebsd.org
> You can reach the person managing the list at
>     freebsd-pf-owner@freebsd.org
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of freebsd-pf digest..."
>
> Today's Topics:
>
>    1. Re: kern/123965: [pf] tcpdump(1) does not see outgoing RST
>       when pf is enabled (mlaier@FreeBSD.org)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 2 Jun 2008 19:03:13 GMT
> From: mlaier@FreeBSD.org
> Subject: Re: kern/123965: [pf] tcpdump(1) does not see outgoing RST
>     when pf is enabled
> To: kian.mohageri@gmail.com, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org
> Message-ID: <200806021903.m52J3Ds1036079@freefall.freebsd.org>
>
> Synopsis: [pf] tcpdump(1) does not see outgoing RST when pf is enabled
>
> State-Changed-From-To: open->closed
> State-Changed-By: mlaier
> State-Changed-When: Mon Jun 2 19:02:49 UTC 2008
> State-Changed-Why:
> As noted in follow-up, this problem is fixed.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=123965
>
> ------------------------------
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
> End of freebsd-pf Digest, Vol 193, Issue 2
> ******************************************

-- 
Best regards,
Roman                          mailto:chelsi@bk.ru

From artemrts at ukr.net Tue Jun 3 19:55:56 2008
From: artemrts at ukr.net (Vitaliy Vladimirovich)
Date: Tue Jun 3 19:56:00 2008
Subject: (No subject)

Hi, All!

I use pfstat on my FreeBSD box and I have some questions:

1.
How can I monitor not only bandwidth but total upload and download data?
2. Can I have statistics on each IP from the LAN?

TIA

From kkutzko at teksavvy.com Tue Jun 3 20:01:53 2008
From: kkutzko at teksavvy.com (Kevin K)
Date: Tue Jun 3 20:01:57 2008
Subject: (No subject)
Message-ID: <001701c8c5b4$7aef2fe0$70cd8fa0$@com>

You can use tools from ports like trafshow, iftop and pftop to display the statistics that you are looking for.

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Vitaliy Vladimirovich
> Sent: Tuesday, June 03, 2008 3:56 PM
> To: freebsd-pf@freebsd.org
> Subject: (No subject)
>
> Hi, All!
>
> I use pfstat on my FreeBSD box and I have some questions:
>
> 1. How can I monitor not only bandwidth but total upload and download
> data?
> 2. Can I have statistics on each IP from the LAN?
>
> TIA

From artemrts at ukr.net Tue Jun 3 20:07:12 2008
From: artemrts at ukr.net (Vitaliy Vladimirovich)
Date: Tue Jun 3 20:07:36 2008
Subject: (No subject)
In-Reply-To: <001701c8c5b4$7aef2fe0$70cd8fa0$@com>

--- Original Message ---
From: "Kevin K"
To: "'Vitaliy Vladimirovich'"
Date: 3 June, 23:00:32
Subject: RE: (No subject)

You can use tools from ports like trafshow, iftop and pftop to display the statistics that you are looking for.

I know about pftop and I use it. No, this does not suit me. I need a graphical representation via HTTP.

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Vitaliy Vladimirovich
> Sent: Tuesday, June 03, 2008 3:56 PM
> To: freebsd-pf@freebsd.org
> Subject: (No subject)
>
> Hi, All!
>
> I use pfstat on my FreeBSD box and I have some questions:
>
> 1. How can I monitor not only bandwidth but total upload and download
> data?
> 2. Can I have statistics on each IP from the LAN?
>
> TIA

From mdonada at auroraalimentos.com.br Thu Jun 5 14:37:21 2008
From: mdonada at auroraalimentos.com.br (Márcio Luciano Donada)
Date: Thu Jun 5 14:37:27 2008
Subject: Redundacy of the link
Message-ID: <4847F4D1.9090607@auroraalimentos.com.br>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi list,

Sorry if that message has no relationship with this list. But I have a doubt and I would like the help of one of the more experienced people.

In a unit of the company we already have a 1Mb (dedicated) link for communication. Now we want to also put in a 1Mb Internet link, connected to the mother company through a VPN using FreeBSD. I wonder what would be the best situation to carry out the redundancy of the link, because when the dedicated link fails it should enter the VPN almost automatically. Is there a better setup for this? What would be the best idea in this case? A solution with pf with redundancy, but when one of the links fails, am I not going to have problems?

thanks!

- -- 
Márcio Luciano Donada
Aurora Alimentos - Cooperativa Central Oeste Catarinense
Departamento de T.I.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIR/TQbjyCr4Ixg0wRAgVGAKCZA+fN1zV+UJy8UGn6BGbWZA+/sgCgpi/y
64Q50s17voWRyf7F9MapJ5Q=
=s1RU
-----END PGP SIGNATURE-----

From max at love2party.net Fri Jun 6 00:08:58 2008
From: max at love2party.net (Max Laier)
Date: Fri Jun 6 00:09:03 2008
Subject: Fwd: Multiple routing table support commited
Message-ID: <200806060208.19417.max@love2party.net>

After I finally found some time to look at the pf part of this it is working - like a charm really. If you have use for it, please test and report back. To classify with pf you can simply use the OpenBSD syntax "rtable " on rules.

-- 
 /"\  Best regards,                      | mlaier@freebsd.org
 \ /  Max Laier                          | ICQ #67774661
  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
 / \  ASCII Ribbon Campaign              | Against HTML Mail and News

-------------- next part --------------
An embedded message was scrubbed...
From: Julian Elischer
Subject: Multiple routing table support commited
Date: Fri, 09 May 2008 17:52:04 -0700
Size: 4874
Url: http://lists.freebsd.org/pipermail/freebsd-pf/attachments/20080606/e0032957/attachment.eml

From linimon at FreeBSD.org Sun Jun 8 21:08:54 2008
From: linimon at FreeBSD.org (linimon@FreeBSD.org)
Date: Sun Jun 8 21:08:57 2008
Subject: kern/124364: [pf] [panic] Kernel panic with pf + bridge
Message-ID: <200806082108.m58L8sIK054237@freefall.freebsd.org>

Old Synopsis: Kernel panic with pf + bridge
New Synopsis: [pf] [panic] Kernel panic with pf + bridge

Responsible-Changed-From-To: freebsd-i386->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun Jun 8 21:08:36 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).
http://www.freebsd.org/cgi/query-pr.cgi?pr=124364

From bugmaster at FreeBSD.org Mon Jun 9 11:07:04 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Jun 9 11:07:33 2008
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200806091107.m59B73ve070826@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/116610   pf         [patch] teach tcpdump(1) to cope with the new-style pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge

6 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
o kern/118355  pf         [pf] [patch] pfctl help message options order false -t
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to

9 problems total.
From z.szalbot at lc-words.com Mon Jun 9 12:50:57 2008
From: z.szalbot at lc-words.com (Zbigniew Szalbot)
Date: Mon Jun 9 12:51:03 2008
Subject: altq / priorty queing / limiting rsync bandwidth
Message-ID: <484D2288.4040901@lc-words.com>

Hello,

Many thanks for the suggestions on how to limit the bandwidth taken up by rsync. I am using pf with priority queuing.

Thank you in advance!

-- 
Zbigniew Szalbot
www.lc-words.com

From 000.fbsd at quip.cz Mon Jun 9 15:50:45 2008
From: 000.fbsd at quip.cz (Miroslav Lachman)
Date: Mon Jun 9 15:50:50 2008
Subject: altq / priorty queing / limiting rsync bandwidth
In-Reply-To: <484D2288.4040901@lc-words.com>
References: <484D2288.4040901@lc-words.com>
Message-ID: <484D5165.4090706@quip.cz>

Zbigniew Szalbot wrote:
> Hello,
>
> Many thanks for suggestions how to limit the bandwidth taken up by
> rsync. I am using pf with priority queuing.

Why not use the rsync option?

    --bwlimit=KBPS          limit I/O bandwidth; KBytes per second

Miroslav Lachman

From thomas.kinsey at gmail.com Mon Jun 9 23:00:05 2008
From: thomas.kinsey at gmail.com (Thomas Kinsey)
Date: Mon Jun 9 23:00:08 2008
Subject: prioritizing outbound traffic from internal services
Message-ID: <8c29c6720806091532h49ab27c9t101081279e5138af@mail.gmail.com>

Hello List,

This is my first time, so be gentle.

I want to prioritize outbound traffic from an ssh server behind my pf box. My ADSL connection is almost always flooded, so when I connect to the ssh server from work, there is a lot of lag. Connections originating from the LAN hit the outbound queue on the external interface, and all goes well; however, packets from the externally initiated connection don't seem to be getting queued. Is there any way to do this?
I googled around a bit and found rules that did something like this:

altq on $ext priq bandwidth 350Kb queue { fast, slow }
queue fast priority 7 priq(red)
queue slow priority 1 priq(default red)

And then applied that to an INBOUND filter rule on the same interface, like this:

pass in on $ext proto tcp from any to ($ext) port 22 keep state queue fast

But that doesn't seem to work for me. Am I doing something wrong here?

The box running pf is a Soekris net4521, running FreeBSD 6.3-RELEASE. Maybe the older version of pf is relevant?

Thanks in advance,
TK

From m.pagulayan at auckland.ac.nz Tue Jun 10 00:56:53 2008
From: m.pagulayan at auckland.ac.nz (Mark Pagulayan)
Date: Tue Jun 10 00:56:56 2008
Subject: PF: See packet errors on external interface

Hi Guys,

I was just wondering if you could help me with my problem. Before going into the details, here is my setup:

OS: FreeBSD 7.0-RELEASE i386
Firewall: PF
Interface: em1 (external interface) and em0 (internal interface)
Setup: The 2 interfaces above are set up as a bridge, so we are using PF as a layer 2 FW. Use altq to define queues on em1 and em0 (default, unlimited, sponsored, premium, standard)

Doing a netstat -d -I em1, I can see that there are incoming packet errors but no outgoing packet errors. A number of drops but no collisions.

Doing a netstat -d -I em0, I can see that there are no errors on the incoming and outgoing packets. A number of drops but no collisions.

Doing a netstat -d -I bridge0, I don't see any errors on the incoming and outgoing packets. No drops and no collisions.

Looking at my ruleset, I can see that I have

scrub in on em1

Does this rule cause the packet errors? Or is it presumably because of the speed of the network? We are running at around 8000 packets/s for incoming and outgoing traffic. There was a plan to remove this rule. If we do that, what would the implications be?
Also, using the tool pftop, the default queue has packet drops and suspensions:

QUEUE    BW    SCH  PRIO  PKTS     BYTES    DROP_P  DROP_B  QLEN  BORROW  SUSPEN  P/S   B/S
default  134M  cbq        1326370  775902K  138     102128  0     0       2798    8182  4340435

Do you think the scrub rule is causing pf to suspend some packets? I also wish to understand how pftop works, to be able to debug the problem.

The reason I am asking these questions is that we get connectivity issues with some external sites that we connect to. It might be the uplink that has problems, but I hope I can gather information on what might be causing this, or on whether things might or might not be related to this issue.

Your help would be greatly appreciated.

Thanks

Mark Pagulayan
University of Auckland

From granzon.li at gmail.com Tue Jun 10 04:22:23 2008
From: granzon.li at gmail.com (Granzon Li)
Date: Tue Jun 10 04:22:26 2008
Subject: pf with bridge
Message-ID: <54b5397b0806092056y187d44d0nc054f9c9673d474c@mail.gmail.com>

Hi all!

I would like to build a transparent proxy with pf+squid3.0, in bridge mode. But it seems that I can't make pf and bridge work properly. Here is my environment:

myLan->FreeBSD(pf+squid3.0)->gateway->Internet

I just followed the steps for building the bridge which were described in the handbook, using these commands:

# ifconfig bridge create
# ifconfig bridge0 addm fxp0 addm fxp1 up
# ifconfig fxp0 up
# ifconfig fxp1 up

but I can't ping the Internet without an IP, so I tried

# ifconfig fxp0 192.168.1.5/24
# route add default 192.168.1.1    (my gateway's IP)

and after that, I can ping the Internet from myLan, so I think my bridge works! Then I added these to my pf.conf:

int_if="fxp0"
ext_if="fxp1"
rdr pass on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128    (my squid)
pass in all
pass out all

but the myLan PC can't surf web pages using my proxy. And when I turn off pf, the myLan PC can surf again!
While using pfctl -ss, I can see

self tcp 127.0.0.1:3128 <- x.x.x.x:80 -<

but I can't see any requests in my squid, and then I made some tests:

rdr pass on $int_if inet proto tcp from any to any port www -> www.google.com port 80

It works!

rdr pass on $int_if inet proto tcp from any to any port www -> 192.168.1.121 port 80    (I just built an apache on one of my LAN PCs)

It didn't work.

So I guess maybe there is something wrong with my pf and bridge. Does anybody know what the problem is? Any idea will be appreciated, thanks!

From roslisukri at gmail.com Tue Jun 10 10:13:46 2008
From: roslisukri at gmail.com (Rosli Sukri)
Date: Tue Jun 10 10:13:49 2008
Subject: multi gateways setup

hi

scenario:
users---->[lan]freebsdpf[wan]----->{gw1,gw2}
where gw1 goes to isp1, and gw2 goes to isp2.

requirements:
ftp, http, https traffic goes to gw1
telnet, ssh, mail and pop goes to gw2

can freebsdpf do this?

From arossihin at nora.no-ip.org Tue Jun 10 10:42:57 2008
From: arossihin at nora.no-ip.org (Rossikhin Aleksey)
Date: Tue Jun 10 10:43:05 2008
Subject: multi gateways setup
Message-ID: <484E5581.5000100@nora.no-ip.org>

Rosli Sukri wrote:
> hi
>
> scenario:
> users---->[lan]freebsdpf[wan]----->{gw1,gw2}
> where gw1 goes to isp1, and gw2 goes to isp2.
>
>
> requirements:
> ftp, http, https traffic goes to gw1
> telnet, ssh, mail and pop goes to gw2
>
> can freebsdpf do this?
>

Yes, it can. Look for the "reply-to" and "route-to" options in pass rules.
For example:

pass out route-to ($wan_if $gw1) from $wan_if to any port http keep state

Here all http traffic from the freebsd host goes to gw1.

From gergely.czuczy at harmless.hu Tue Jun 10 10:49:10 2008
From: gergely.czuczy at harmless.hu (CZUCZY Gergely)
Date: Tue Jun 10 10:49:13 2008
Subject: multi gateways setup
Message-ID: <20080610123357.63ba499b@twoflower.in.publishing.hu>

Yes.

On Tue, 10 Jun 2008 17:46:11 +0800
"Rosli Sukri" wrote:

> hi
>
> scenario:
> users---->[lan]freebsdpf[wan]----->{gw1,gw2}
> where gw1 goes to isp1, and gw2 goes to isp2.
>
>
> requirements:
> ftp, http, https traffic goes to gw1
> telnet, ssh, mail and pop goes to gw2
>
> can freebsdpf do this?

-- 
Regards,
Czuczy Gergely
Harmless Digital Bt
mailto: gergely.czuczy@harmless.hu
Tel: +36-30-9702963

From swp at swp.pp.ru Tue Jun 10 15:07:46 2008
From: swp at swp.pp.ru (mitrohin a.s.)
Date: Tue Jun 10 15:07:53 2008
Subject: multi gateways setup
Message-ID: <20080610143707.GA99039@swp.pp.ru>

On Tue, Jun 10, 2008 at 05:46:11PM +0800, Rosli Sukri wrote:
> hi
>
> scenario:
> users---->[lan]freebsdpf[wan]----->{gw1,gw2}
> where gw1 goes to isp1, and gw2 goes to isp2.
>
>
> requirements:
> ftp, http, https traffic goes to gw1
> telnet, ssh, mail and pop goes to gw2
>
> can freebsdpf do this?
>

nat from any to any port = { ftp http https } tag W1 -> (wan1)
nat from any to any port = { telnet ssh mail pop } tag W2 -> (wan2)

set skip on lan0

pass quick on wan1 tagged W1 keep state
pass quick route-to (wan1 gw1) tagged W1 keep state
pass quick on wan2 tagged W2 keep state
pass quick route-to (wan2 gw2) tagged W2 keep state

/swp

From reed at reedmedia.net Thu Jun 12 21:54:28 2008
From: reed at reedmedia.net (Jeremy C. Reed)
Date: Thu Jun 12 21:54:33 2008
Subject: random nat source ports not always random

I have

nat on iwi0 from 192.168.19.4 port 2222 to any port 3333 -> 192.168.19.4 \
    port 5000:55000 random

1) I noticed by using a port 5000:55000 range that my random numbers were in a larger pool. I don't know if that is true or not, but it appeared that way from a few tests (and not looking at the source). Do you know what the default port range is for "random"?

2) Also, I did this without "random" and it appeared to be random at first, but then it started using the same port numbers. I then added "random". From looking at the PF FAQ, it seems to say it "might be ... replaced with randomly chosen, unused port", but the man page doesn't. Do you know if it defaults to "random"?

3) When using "random", it is mostly random, but when I do multiple requests to the same destination (within a short period of time), it uses the same new source port. I can easily repeat this and see it with both tcpdump and pfctl -s state, which shows MULTIPLE:MULTIPLE (instead of MULTIPLE:SINGLE). I am trying to find a setting that will disable that, so it will use a new random port each time. It is acting like the "sticky-address" option is used. pfctl -s timeouts shows that src.track is 0s (default). Any suggestions on ignoring that state so each connection with identical original source/destination IP/port will be randomized?

(By the way, this is not on FreeBSD. But I think this list should be a good help anyway. I am using PF 3.7 on NetBSD.)
Thanks

From peterjeremy at optushome.com.au Fri Jun 13 14:00:07 2008
From: peterjeremy at optushome.com.au (Peter Jeremy)
Date: Fri Jun 13 14:00:14 2008
Subject: bin/116610: [patch] teach tcpdump(1) to cope with the new-style pflog(4) output
Message-ID: <200806131400.m5DE06oA073950@freefall.freebsd.org>

The following reply was made to PR bin/116610; it has been noted by GNATS.

From: Peter Jeremy
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: bin/116610: [patch] teach tcpdump(1) to cope with the new-style pflog(4) output
Date: Fri, 13 Jun 2008 07:08:30 +1000

This PR seems to have been obsoleted by the import of tcpdump 3.9.8 in October 2007.

-- 
Peter Jeremy

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)

iEYEARECAAYFAkhRkE4ACgkQ/opHv/APuIdc9gCgpRDgmA5uGW09UkSyDBOyzT/A
sVoAoJVMFrUerBILjpG+e8DKa4DKJdoC
=dbTA
-----END PGP SIGNATURE-----

From gavin at FreeBSD.org Fri Jun 13 14:06:51 2008
From: gavin at FreeBSD.org (gavin@FreeBSD.org)
Date: Fri Jun 13 14:06:54 2008
Subject: bin/116610: [patch] teach tcpdump(1) to cope with the new-style pflog(4) output
Message-ID: <200806131406.m5DE6ohn075638@freefall.freebsd.org>

Synopsis: [patch] teach tcpdump(1) to cope with the new-style pflog(4) output

State-Changed-From-To: open->feedback
State-Changed-By: gavin
State-Changed-When: Fri Jun 13 14:05:10 UTC 2008
State-Changed-Why:
To submitter: it looks like this PR is no longer relevant to
RELENG_7 after the import of tcpdump 3.9.8 in October 2007. Can
you confirm that this now works for you on 7.0-RELEASE please?
Note that it has not been MFC'd to RELENG_6 so won't work there yet.
Responsible-Changed-From-To: freebsd-pf->gavin
Responsible-Changed-By: gavin
Responsible-Changed-When: Fri Jun 13 14:05:10 UTC 2008
Responsible-Changed-Why:
Track

http://www.freebsd.org/cgi/query-pr.cgi?pr=116610

From rea-fbsd at codelabs.ru Fri Jun 13 18:20:20 2008
From: rea-fbsd at codelabs.ru (Eygene Ryabinkin)
Date: Fri Jun 13 18:20:24 2008
Subject: bin/116610: [patch] teach tcpdump(1) to cope with the new-style pflog(4) output
In-Reply-To: <200806131406.m5DE6ohn075638@freefall.freebsd.org>
References: <200806131406.m5DE6ohn075638@freefall.freebsd.org>
Message-ID: <+CtBBnY+dN1BoopFCZb8HoiTdFk@esBrgYnXz2HPkkYsz5tbRsK74kk>

Gavin, good day.

Fri, Jun 13, 2008 at 02:06:50PM +0000, gavin@FreeBSD.org wrote:
> Synopsis: [patch] teach tcpdump(1) to cope with the new-style pflog(4) output
>
> State-Changed-From-To: open->feedback
> State-Changed-By: gavin
> State-Changed-When: Fri Jun 13 14:05:10 UTC 2008
> State-Changed-Why:
> To submitter: it looks like this PR is no longer relevant to
> RELENG_7 after the import of tcpdump 3.9.8 in October 2007. Can
> you confirm that this now works for you on 7.0-RELEASE please?

Yes, it works. Thanks for the reminder!

-- 
Eygene

From mszathmar at gmail.com Sat Jun 14 00:50:14 2008
From: mszathmar at gmail.com (Margo Szathmár)
Date: Sat Jun 14 00:50:17 2008
Subject: rdr rules with pf

Hello everyone,

I'm trying to set up jails behind a NAT on my FreeBSD 7.0 box here, as I've only got one IP to play with. I'm currently using pf with the following configuration:

ext_if="rl0"
external_addr="x.x.x.x"
internal_net="192.168.222.0/24"

nat on $ext_if from $internal_net to any -> $external_addr

rdr on rl0 proto tcp from any to any port 5223 -> 192.168.222.2
pass in all
pass out all

The jail in question is sitting on 192.168.222.2 and is able to connect out. The only problem I'm having is that the rdr statement doesn't seem to be working.
The examples I've been able to find so far encompass only situations in which the box has more than one NIC (I see a lot of ext_if and int_if), and I haven't been able to find anything concrete. The box is also running ipfw, which I suspect may be causing some conflicts ... to bypass these, however, I've added rule 1 as "allow ip from any to any".

Can anyone point out my error? I realize that this question is probably asked near constantly and there's probably some link I simply haven't consulted yet, and for that I apologize.

Thanks for your input!

With love,
Margo S.

From m.pagulayan at auckland.ac.nz Sun Jun 15 22:28:14 2008
From: m.pagulayan at auckland.ac.nz (Mark Pagulayan)
Date: Sun Jun 15 22:28:17 2008
Subject: pfsync ignoring stale update

Hi Guys,

I was just wondering if you could help me out with my problem of why the state counts are different on my Active and Standby FW. The state count on my Standby FW is much bigger than on my Active FW. When I ran debug mode on the standby FW (pfctl -mx loud) I noticed that there were messages saying "pfsync: ignoring stale update". Is this the one causing the state table to unsynchronize? If this is it, any ideas on how to fix this?

Here is my setup

OS: 7.0-RELEASE FreeBSD 7.0-RELEASE
Setup: PF is used as a Layer 2 Firewall

---------------------           ---------------------
-                   -  pfsync   -                   -
-    Active FW      ------------    Standby FW      -
-                   -           -                   -
---------------------           ---------------------

Failover happens with OSPF.

Help would be greatly appreciated.

Best Regards,

Mark Pagulayan
University Of Auckland

From koitsu at FreeBSD.org Sun Jun 15 23:08:56 2008
From: koitsu at FreeBSD.org (Jeremy Chadwick)
Date: Sun Jun 15 23:09:00 2008
Subject: rdr rules with pf
Message-ID: <20080615230856.GA28450@eos.sc1.parodius.com>

On Fri, Jun 13, 2008 at 05:34:16PM -0700, Margo Szathmár wrote:
> I'm trying to set up jails behind a NAT on my FreeBSD 7.0 box here as I've
> only got one IP to play with.
> I'm currently using pf with the following
> configuration:
>
> ext_if="rl0"
> external_addr="x.x.x.x"
> internal_net="192.168.222.0/24"
>
> nat on $ext_if from $internal_net to any -> $external_addr
>
> rdr on rl0 proto tcp from any to any port 5223 -> 192.168.222.2
> pass in all
> pass out all
>
> The jail in question is sitting on 192.168.222.2 and is able to connect out.
> The only problem I'm having is that the rdr statement doesn't seem to be
> working.

Try adding "pass" to the rdr rule, e.g.: "rdr pass ..."

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From bugmaster at FreeBSD.org Mon Jun 16 11:07:01 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Jun 16 11:07:52 2008
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200806161107.m5GB707p036795@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge

5 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
o kern/118355  pf         [pf] [patch] pfctl help message options order false -t
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to

9 problems total.

From lan at rcfd.spb.ru Wed Jun 18 05:59:21 2008
From: lan at rcfd.spb.ru (Alexey Lanetskiy)
Date: Wed Jun 18 05:59:38 2008
Subject: reply-to speed issue
Message-ID: <1354049605.20080618085913@rcfd.spb.ru>

Hello!

I have a freebsd box (7-release) acting as gateway.
The topology is very simple. There are 2 ifaces: em0 and em1, pointing to gateway 1 (gw1) and gw2 correspondingly. Here is the "picture":

                 ,------------.
(internal LAN)---* FreeBSD/pf *---(WAN / gw1), $ext_if1, $ext_ip1
                 |            *---(WAN / gw2), $ext_if2, $ext_ip2
                 `------------'

There are some servers inside the internal LAN, so I have to respond to requests from the WAN on the same iface.
Well, I need the following lines inside my pf.conf:

nat on $ext_if1 from !(self) to any -> ($ext_if1:0)
nat on $ext_if2 from !(self) to any -> ($ext_if2:0)

# example of some internal service, hosted inside the LAN
rdr on $ext_if1 proto tcp to port $someport tag IF_1 \
    -> $ip_internal port $someport
rdr on $ext_if2 proto tcp to port $someport tag IF_2 \
    -> $ip_internal port $someport

block in all
block out all

# example of common services, hosted on freebsd box
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
    proto tcp from \
    to $ext_ip1 port { ftp, ftp-data, 45000:50000 } \
    flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
    proto tcp from \
    to $ext_ip2 port { ftp, ftp-data, 45000:50000 } \
    flags S/SA keep state

pass in quick reply-to ($ext_if1 $ext_gw1) proto { udp, icmp } \
    tagged IF_1 keep state
pass in quick reply-to ($ext_if1 $ext_gw1) proto tcp \
    tagged IF_1 flags S/SA keep state
pass in quick reply-to ($ext_if2 $ext_gw2) proto { udp, icmp } \
    tagged IF_2 keep state
pass in quick reply-to ($ext_if2 $ext_gw2) proto tcp \
    tagged IF_2 flags S/SA keep state

Now it works. Connections from outside to both hosted @box & hosted @LAN
are establishing, data flows, but... a strange speed issue was detected.
Let's shut down pf (pfctl -d) and ftp to any of the external ifaces: full
speed of the iface in both directions.
Let's enable pf again, but use a pf.conf without any "reply-to"
("route-to"s are still in their places): oops, something is wrong with the
outgoing stream. Look at these numbers: approx. 60 kBytes/sec w/o "reply-to"
and only 3 kBytes/sec with it. Not very nice, isn't it...

Let me say some words about the box itself.
box: SMP system on a single core2duo CPU, 2 em & 1 rl NICs.
freebsd: default sysctl setup, custom kernel built using GENERIC with the
following differences:
options SCHED_ULE
device pf
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_CDNR
options ALTQ_PRIQ
options ALTQ_NOPCC
pf: No queues running, very small tables (less than 10 items), near 120
rules in pf.conf.

Here the question begins: what is the source of such a problem with
"reply-to"? What should I test, maybe on another box or in a lab? What
manuals should I learn before configuring pf any further, if there are
config mistakes?

-- 
wbr, Alexey.

From drakyri at hotmail.com Wed Jun 18 22:17:35 2008
From: drakyri at hotmail.com (Michael Zimmer)
Date: Wed Jun 18 22:17:39 2008
Subject: reply-to speed issue
In-Reply-To: <1354049605.20080618085913@rcfd.spb.ru>
References: <1354049605.20080618085913@rcfd.spb.ru>
Message-ID:

I don't know if this is restricted to reply-to. I have an almost identical
setup (except using route-to) and have the same problem. Anyone have any
ideas?

thanks,
-mike
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From salvador_d13 at yahoo.com.ph Fri Jun 20 12:51:45 2008
From: salvador_d13 at yahoo.com.ph (Diego Salvador)
Date: Fri Jun 20 12:51:50 2008
Subject: [Queueing Packets with ALTQ on Gigabit Fiber Optic and Gigabit Ethernet]
Message-ID: <52345.28040.qm@web76103.mail.sg1.yahoo.com>

Hi,

Is there any difference in handling packet queues with ALTQ if the network
card is a Gigabit fiber network interface rather than a Gigabit Ethernet
network interface with the same driver? For example the (em) driver for
Intel-based cards.

I currently have a system configured with FreeBSD 6.2-RELEASE with PF and
ALTQ enabled.
This host was configured first with an Intel 1-Gigabit Ethernet network card,
and when it received a big amount of traffic I didn't see any packet errors
with netstat, but when I switched to the 1-Gigabit fiber optic card I could
see packet errors on this interface. A big amount of traffic was bombarded on
the interface, around 800Mbps. Here are the sample packet errors received on
the system with netstat.

Gigabit Intel fiber interface
-------------------------------------
# netstat -I em0 -w 1
            input          (em0)           output
   packets  errs      bytes    packets  errs      bytes colls
      3260 149652   2547816          0     0          0     0
      3257 150026   2547756          0     0          0     0
      3258 150117   2543396          1     0         42     0
      3259 150181   2549320          0     0          0     0
      3256 149941   2543244          0     0          0     0
      3370 149871   2636122          0     0          0     0
      3255 149534   2544688          0     0          0     0
      3255 150077   2543966          0     0          0     0
      3260 150195   2549320          0     0          0     0
      3259 149603   2547816          0     0          0     0
      3258 149746   2546312          0     0          0     0
      3258 149855   2547756          0     0          0     0
      3261 149851   2549320          0     0          0     0
      3255 150414   2545410          0     0          0     0
      3250 149758   2542282          0     0          0     0
      3255 149842   2545410          0     0          0     0
      3259 149568   2547756          0     0          0     0
      3255 149943   2545502          0     0          0     0
      3261 149893   2548658          0     0          0     0
      3257 149581   2545530          0     0          0     0

Thank you very much!

Diego

From bugmaster at FreeBSD.org Mon Jun 23 11:06:59 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Jun 23 11:07:28 2008
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200806231106.m5NB6wX2065045@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge

5 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
o kern/118355  pf         [pf] [patch] pfctl help message options order false -t
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to

9 problems total.

From miguel.alc at gmail.com Mon Jun 23 16:17:38 2008
From: miguel.alc at gmail.com (Miguel Alcántara)
Date: Mon Jun 23 16:17:42 2008
Subject: PF and SQUID
Message-ID: <5855700c0806230850r2df3d656of675ca4e0e307a51@mail.gmail.com>

Hi everybody, I've been having a problem for a week. I have to set up PF +
SQUID on a P2 machine, with 128 RAM and a 6GB hard disk and just one NIC. I
virtualized an interface with IP 192.168.1.80 and it has squid; the NIC has
192.168.1.60 and the whole LAN is 192.168.1.0/24.

My problem is that I can't browse some sites that must be permitted.
pf.conf

#rules for firewall
ext_nic = "dc0"
yo = "192.168.1.0/24"

table {208.67.220.220, 208.67.222.222}
#SQUID CONFIGURATION
rdr pass on $ext_nic inet proto tcp from $yo to any port www -> 192.168.1.80port 3128
nat on $ext_nic from $yo to any -> ($ext_nic)
#FILTER
block all
#pass in on $ext_nic from $yo
pass out on $ext_nic from any to

squid.conf

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
#/////////
acl special_client src 192.168.1.0/24
#acl lista_permitidos url_regex "/usr/local/etc/squid/free.squid"

#acl special_url url_regex ucci
acl hotmail dstdomain .hotmail.com
acl mail dstdomain .blu134.mail.live.com
acl mailhot dstdom_regex -i mail
acl hotmail_mail dstdomain .hotmail.msn.com
acl passport dstdomain .passport.net
acl msn dstdomain .msn.com
acl ie6 browser MSIE[[:space:]]6
acl permitidos url_regex "/usr/local/etc/squid/free.squid"
acl palabra urlpath_regex -i login.srt
acl numconn maxconn 80
acl browse_hotmail url_regex www.hotmail.com
acl browse_ulima url_regex www.ulima.edu.pe
acl browse_yahoo url_regex www.yahoo.com

http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
##http_access allow special_client lista_permitidos
##http_access allow special_client hotmail
##http_access allow special_client mailhot
##http_access allow special_client mail
#http_access deny special_url
#http_access allow special_client
http_access allow special_client permitidos
http_access allow special_client hotmail
http_access allow special_client mail
http_access allow special_client mailhot
http_access allow special_client Safe_ports
http_access allow special_client hotmail_mail
http_access allow special_client palabra
http_access allow special_client browse_hotmail
http_access allow special_client browse_ulima
http_access allow special_client browse_yahoo
#http_access allow special_client special_url
http_access deny all

Well, it doesn't work; when I try to surf to any domain name listed above in
squid, squid sends me a message:

ERROR
The requested URL could not be retrieved
------------------------------
While trying to retrieve the URL: http://www.yahoo.com/

The following error was encountered:

    * Connection to Failed

The system returned:

    (1) Operation not permitted

The remote host or network may be down. Please try the request again.

Your cache administrator is webmaster.
------------------------------
Generated Thu, 27 Dec 2007 13:12:36 GMT by pf (squid/2.6.STABLE16)

Then in the logs from squid I can see a 503 error, TCP_MISS.

I use FBSD 7 and SQUID 2.6, obviously with PF. Ah!, squid was compiled with
pf abilities or something like that.

Please, what am I doing wrong?

-- 
Atte.

Miguel Alcántara A.

From tommyhp2 at yahoo.com Mon Jun 23 20:03:00 2008
From: tommyhp2 at yahoo.com (Tommy Pham)
Date: Mon Jun 23 20:03:05 2008
Subject: PF and SQUID
In-Reply-To: <5855700c0806230850r2df3d656of675ca4e0e307a51@mail.gmail.com>
Message-ID: <640718.84795.qm@web38202.mail.mud.yahoo.com>

--- On Mon, 6/23/08, Miguel Alcántara wrote:

> From: Miguel Alcántara
> Subject: PF and SQUID
> To: freebsd-pf@freebsd.org
> Date: Monday, June 23, 2008, 11:50 AM
> Hi everybody, I'm having a problem for a week. I have to
> setup PF + SQUID in a P2 machine, with 128RAM and 6GB hard disk and
> just one nic.
> I virtualized an interface with an ip 192.168.1.80 and it has squid,
> the nic has 192.168.1.60 and all the lan is 192.168.1.0/24.
>
> My problem is that I can't browse some sites the must be permitted.
>
> pf.conf
>
> #rules for firewall
> ext_nic = "dc0"
> yo = "192.168.1.0/24"
>
> table {208.67.220.220, 208.67.222.222}
> #SQUID CONFIGURATION
> rdr pass on $ext_nic inet proto tcp from $yo to any port www ->
> 192.168.1.80port 3128

I don't know if the missing space between the IP address and "port" is a
typo or not in the email, but if it's copied and pasted from your conf file,
that may be your problem.

~Tommy
From max at love2party.net Mon Jun 23 20:13:38 2008
From: max at love2party.net (Max Laier)
Date: Mon Jun 23 20:13:41 2008
Subject: PF and SQUID
In-Reply-To: <5855700c0806230850r2df3d656of675ca4e0e307a51@mail.gmail.com>
References: <5855700c0806230850r2df3d656of675ca4e0e307a51@mail.gmail.com>
Message-ID: <200806232211.54560.max@love2party.net>

On Monday 23 June 2008 17:50:47 Miguel Alcántara wrote:
> Hi everybody, I'm having a problem for a week. I have to setup PF +
> SQUID in a P2 machine, with 128RAM and 6GB hard disk and just one nic.
> I virtualized an interface with an ip 192.168.1.80 and it has squid,
> the nic has 192.168.1.60 and all the lan is 192.168.1.0/24.
>
> My problem is that I can't browse some sites the must be permitted.
>
> pf.conf
>
> #rules for firewall
> ext_nic = "dc0"
> yo = "192.168.1.0/24"
>
> table {208.67.220.220, 208.67.222.222}
> #SQUID CONFIGURATION
> rdr pass on $ext_nic inet proto tcp from $yo to any port www ->
> 192.168.1.80port 3128
> nat on $ext_nic from $yo to any -> ($ext_nic)
> #FILTER
> block all
> #pass in on $ext_nic from $yo
> pass out on $ext_nic from any to

With these rules there is no way for your squid to talk to the rest of the
world. You have to allow it *somehow*[tm] to connect to the outside.

From the above, I kind of doubt that you really understand what you are
doing - or you are severely suffering from the language barrier. You might
want to try to contact a forum or usergroup in your native language.
> squid.conf
> Well, it doens`t work, when I try to surf in any domain name listed
> above in squid squid sends me a message:
>
> ERROR The requested URL could not be retrieved
> ------------------------------
>
> While trying to retrieve the URL: http://www.yahoo.com/
>
> The following error was encountered:
>
>     * Connection to Failed
>
> The system returned:
>
>     (1) Operation not permitted

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From eculp at encontacto.net Mon Jun 23 23:37:09 2008
From: eculp at encontacto.net (eculp)
Date: Mon Jun 23 23:37:12 2008
Subject: PF and SQUID
In-Reply-To: <5855700c0806230850r2df3d656of675ca4e0e307a51@mail.gmail.com>
References: <5855700c0806230850r2df3d656of675ca4e0e307a51@mail.gmail.com>
Message-ID: <20080623182643.75686fq9ijcydyg4@intranet.encontacto.net>

Quoting Miguel Alcántara:

> Hi everybody, I'm having a problem for a week. I have to setup PF + SQUID in
> a P2 machine, with 128RAM and 6GB hard disk and just one nic. I virtualized
> an interface with an ip 192.168.1.80 and it has squid, the nic has
> 192.168.1.60 and all the lan is 192.168.1.0/24.
>
> My problem is that I can't browse some sites the must be permitted.
>
> pf.conf
>
> #rules for firewall
> ext_nic = "dc0"
> yo = "192.168.1.0/24"

As Max suggested, it might be easier for Miguel in his native language, but
we aren't sure which language that is, so I'm going to take a shot in
Spanish and see if that helps. Apologies to the list; Miguel can take other
questions offline should he feel more comfortable in Spanish.

Hello Miguel,

Judging by your name, it may be easier to help you in Spanish. I have just
put together a basic configuration for squid and another for pf that I hope
will help you. I took them from a configuration of mine, removing whatever
has nothing to do with a basic firewall or the operation of squid. I hope
it helps.
http://encontacto.net/SHARE/pf.conf.BASICA.txt
http://encontacto.net/SHARE/squid.conf.BASICA.txt

I added some # comments that I hope are useful.

Good luck and regards,

ed
From jcw at highperformance.net Tue Jun 24 06:11:26 2008
From: jcw at highperformance.net (Jason C. Wells)
Date: Tue Jun 24 06:11:28 2008
Subject: PF with ftp-proxy
Message-ID: <4860836B.4030402@highperformance.net>

I am running pf with ftp-proxy and nat on 6.3-RELEASE. I am using the docs
in the OpenBSD FAQ.
The fine manual is not serving me well this evening.

When attempting ftp connections firefox reports a variety of errors like
"Bad IP" or "Passive connection must come from same host as control
connection."

From inetd.conf:

ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -t 180 -a 127.0.0.1

From pf.conf:

**snip**
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from any to any port ftp -> $localhost
**snip**
port ftp-proxy
pass in all
pass out all
**snip**

Inetd is spawning the ftp-proxy process when I attempt client access to
ftp.freebsd.org. This seems to be working correctly.

ftp-proxy -D is not producing any log output in /var/log/messages. How can
that be?

But even more mysteriously, as I typed this message I fired up tcpdump to
try and figure things out. I then attempted to connect to ftp.freebsd.org
and succeeded. I have changed no firewall rules during the time that I have
been writing this message. Then I did a refresh in firefox and the ftp
session failed. Double WTF? How on earth can the firewall work one second
and then not work the next?

One thing I miss in the documentation. Does ftp-proxy inject rules into pf
using the ftp-proxy anchors?

I realize my message is poorly written. I'm pretty confused right now. I'm
not really sure what to ask to figure this out. I've followed the very
simple docs. I can't imagine what I have missed.

Regards,
Jason

From albinootje at gmail.com Tue Jun 24 08:47:32 2008
From: albinootje at gmail.com (albinootje)
Date: Tue Jun 24 08:47:37 2008
Subject: PF with ftp-proxy
In-Reply-To: <4860836B.4030402@highperformance.net>
References: <4860836B.4030402@highperformance.net>
Message-ID: <4860AEEA.8090905@gmail.com>

Jason C. Wells wrote:
> But even more mysteriously, as I typed this message I fired up tcpdump
> to try and figure things out. I then attempted to connect to
> ftp.freebsd.org and succeeded.
> I have changed no firewall rules during
> the time that I have been writing this message. Then I did a refresh in
> firefox and the ftp session failed. Double WTF? How on earth can the
> firewall work one second and then not work the next?

I'm using the following lines in pf.conf:

rdr on $intif proto tcp from $intif:network to any port ftp -> 127.0.0.1 port 8021
pass in on $extif inet proto tcp from port ftp-data to $extif user proxy flags S/SA keep state

and this does not work in firefox (2.x), but it works fine with ncftp and gftp.

From biancalana at gmail.com Wed Jun 25 02:12:21 2008
From: biancalana at gmail.com (Alexandre Biancalana)
Date: Wed Jun 25 02:12:23 2008
Subject: When will carpdev be committed?
Message-ID: <8e10486b0806241845h6e9151f1x1b26584dfd386ddc@mail.gmail.com>

From linimon at FreeBSD.org Wed Jun 25 05:30:33 2008
From: linimon at FreeBSD.org (linimon@FreeBSD.org)
Date: Wed Jun 25 05:30:35 2008
Subject: kern/124933: [pf] [ip6] pf does not support (drops) IPv6 fragmented packets
Message-ID: <200806250530.m5P5UW6m055794@freefall.freebsd.org>

Old Synopsis: pf does not support (drops) IPv6 fragmented packets
New Synopsis: [pf] [ip6] pf does not support (drops) IPv6 fragmented packets

State-Changed-From-To: open->suspended
State-Changed-By: linimon
State-Changed-When: Wed Jun 25 05:28:51 UTC 2008
State-Changed-Why:
Over to maintainers; mark as suspended as it may be an upstream problem.

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Wed Jun 25 05:28:51 UTC 2008
Responsible-Changed-Why:

http://www.freebsd.org/cgi/query-pr.cgi?pr=124933

From lan at rcfd.spb.ru Thu Jun 26 12:44:39 2008
From: lan at rcfd.spb.ru (Alexey Lanetskiy)
Date: Thu Jun 26 12:44:46 2008
Subject: reply-to speed issue
Message-ID: <951843799.20080626164431@rcfd.spb.ru>

Hello everybody.

Please, take a few minutes to read and answer:
http://lists.freebsd.org/pipermail/freebsd-pf/2008-June/004516.html

-- 
wbr, Alexey.
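Looking back at the PF + SQUID thread above, the three things the replies point at (an address glued to "port", an rdr rule that relies on a separate filter rule while the policy is "block all" with no "pass in", and an outbound pass rule that does not let the proxy itself reach arbitrary web servers) can be caught before loading the ruleset. The following Python lint is an added example, not code from any poster or from pf; the two rulesets are constructed, and the <dns> table name stands in for the destination that is missing from the posted "pass out" rule.

```python
"""Static sanity checks for pf.conf fragments like the ones posted in this thread."""
import re

# Constructed sample modelled on the posted ruleset: the redirect target is
# glued to "port", and "block all" is paired only with a pass-out rule that
# reaches the two resolvers, so the proxy itself cannot reach web servers.
# The <dns> table name is an assumption, not the poster's text.
BROKEN_PF_CONF = """\
ext_nic = "dc0"
yo = "192.168.1.0/24"
table <dns> { 208.67.220.220, 208.67.222.222 }
# SQUID CONFIGURATION
rdr on $ext_nic inet proto tcp from $yo to any port www -> 192.168.1.80port 3128
nat on $ext_nic from $yo to any -> ($ext_nic)
# FILTER
block all
#pass in on $ext_nic from $yo
pass out on $ext_nic from any to <dns>
"""

# The same ruleset with the fixes the replies point at: a space before "port",
# "rdr pass" so redirected connections are passed on the spot, and an outbound
# rule the proxy's own connections can match.
FIXED_PF_CONF = """\
ext_nic = "dc0"
yo = "192.168.1.0/24"
rdr pass on $ext_nic inet proto tcp from $yo to any port www -> 192.168.1.80 port 3128
nat on $ext_nic from $yo to any -> ($ext_nic)
block all
pass out on $ext_nic from any to any keep state
"""

# IPv4 address immediately followed by the keyword "port" with no whitespace.
GLUED_PORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})port\b")


def logical_lines(conf):
    """Yield (lineno, rule) pairs with comments removed and backslash
    continuations joined onto the line where the rule starts."""
    parts, start = [], None
    for lineno, raw in enumerate(conf.splitlines(), 1):
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        if start is None:
            start = lineno
        if text.endswith("\\"):
            parts.append(text[:-1].strip())
            continue
        parts.append(text)
        yield start, " ".join(parts)
        parts, start = [], None


def find_glued_ports(conf):
    """Return (lineno, address) for every address written as '<addr>port'.
    pfctl does not accept that token as an address, so the ruleset fails to load."""
    return [(n, m.group(1)) for n, rule in logical_lines(conf)
            for m in GLUED_PORT.finditer(rule)]


def find_unpassed_rdr(conf):
    """rdr rules without the 'pass' keyword in a ruleset that blocks by default
    and has no 'pass in' rule: the connections are translated, then dropped
    by the filter. 'rdr pass ...' is the fix suggested earlier in the archive."""
    rules = list(logical_lines(conf))
    blocks = any(re.match(r"block\b", r) for _, r in rules)
    passes_in = any(re.match(r"pass\s+in\b", r) for _, r in rules)
    if not blocks or passes_in:
        return []
    return [(n, r) for n, r in rules if re.match(r"rdr\s+(?!pass\b)", r)]


def outbound_restricted(conf):
    """True when the ruleset blocks by default and no 'pass out' rule has
    destination 'any', so a proxy on the box cannot open connections to
    arbitrary web servers (the condition Squid reports as EPERM)."""
    rules = [r for _, r in logical_lines(conf)]
    blocks = any(re.match(r"block\b", r) for r in rules)
    open_out = any(re.match(r"pass\s+out\b.*\bto\s+any\b", r) for r in rules)
    return blocks and not open_out


def lint(conf):
    """Collect human-readable findings; an empty list means all checks passed."""
    findings = [f"line {n}: address {a} is glued to 'port'"
                for n, a in find_glued_ports(conf)]
    findings += [f"line {n}: rdr without 'pass' and no 'pass in' rule: {r}"
                 for n, r in find_unpassed_rdr(conf)]
    if outbound_restricted(conf):
        findings.append("no 'pass out ... to any' rule: the proxy's own "
                        "connections will be blocked")
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_PF_CONF), ("fixed", FIXED_PF_CONF)):
        print(f"{name}: {lint(conf) or ['ok']}")
```

The checks are textual, so they complement rather than replace `pfctl -nf /etc/pf.conf`, which validates the syntax but says nothing about whether a redirected or proxied connection will actually be passed.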
From remko at FreeBSD.org Thu Jun 26 23:30:05 2008
From: remko at FreeBSD.org (Remko Lodder)
Date: Thu Jun 26 23:30:31 2008
Subject: [Fwd: need help from pf developer(s)]
Message-ID: <48641C68.1070203@FreeBSD.org>

FYI

-------- Original Message --------
Subject: need help from pf developer(s)
Date: Thu, 26 Jun 2008 12:44:48 -0700
From: Julian Elischer
To: FreeBSD Net

If you are one of the people that know and love pf, I'd like to speak to
you on one side about testing pf with vimage.. (and making it work as I'm
sure it doesn't).

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

-- 
/"\  Best regards,                      | remko@FreeBSD.org
\ /  Remko Lodder                       | remko@EFnet
 X   http://www.evilcoder.org/          |
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From bugmaster at FreeBSD.org Mon Jun 30 11:07:01 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Jun 30 11:07:21 2008
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200806301107.m5UB71EO095829@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented

6 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
o kern/118355  pf         [pf] [patch] pfctl help message options order false -t
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to

9 problems total.