From catalin at starcomms.com Wed Oct 1 01:35:55 2008
From: catalin at starcomms.com (Catalin Miclaus)
Date: Wed Oct 1 01:36:02 2008
Subject: Need best practice advice: carp and /30
In-Reply-To: <20080930211232.GA35980@huppi.com>
References: <20080930074533.GA7549@huppi.com>
	<3A0AA7018522134597ED63B3B794C92A0301B363@STA-HQ-S001.starcomms.local>
	<20080930211232.GA35980@huppi.com>
Message-ID: <3A0AA7018522134597ED63B3B794C92A0301B45C@STA-HQ-S001.starcomms.local>

-----Original Message-----
From: Tom Huppi [mailto:tomh@huppi.com]
Sent: Tuesday, September 30, 2008 10:13 PM
To: Catalin Miclaus
Cc: freebsd-pf@freebsd.org
Subject: Re: Need best practice advice: carp and /30

On 10:44 Tue 30 Sep , Catalin Miclaus wrote:
> tomh writes:
> > I am trying to build a pfsync implementation so that I can
> > work on various hardening and other experiments with minimal
> > downtime, and could use some advice.
> >
> > I expect to be using the most current FreeBSD codebase with this
> > implementation.  Indeed, being able to do so is a driving force
> > behind my project.
> >
> > My network layout looks like so:
> >
> >                               -----------------
> >                          /--  | em0  PF-1  em1 | ---
> >        --------------   /     |      em2       |
> >  ISP -- | special vlan |      -----------------
> >        | cisco 3560   |  |           |
> >        --------------   |\    -----------------
> >                          \    |      em2       |
> >                           -   | em0  PF-2  em1 | ----
> >                               -----------------
> >
> > My ISP provides a single IP on a /30.  Say 70.187.255.246, and
> > that carries my class-C traffic which is on a different subnet
> > entirely.
> >
> > A similar solution but with only one PF firewall (also acting as
> > a simple router) has been working well enough over the last 10
> > months, although I did have certain problems which I have yet to
> > get to the bottom of.  Possibly they have something to do with
> > the Cisco which I neglected to mention in my last query to this
> > list since I thought it unimportant at the time.
> >
> > Anyway, my question relates to what are best-practices vis-a-vis
> > the network of the 'em0' interface.  Pretty clearly the carp0
> > interface is my ISP assigned one, but there is not room in the
> > /30 for other addresses.
> >
> > My guess is that I should 'invent' a RFC1918 network for the two
> > em0 interfaces, but I certainly don't want this to cause weird
> > problems in the VLAN (I don't anticipate doing any routing in
> > this VLAN, by the way.)
> >
> > In my googling I found some info about getting 'carpdev'
> > supported and the threads seem to have dried up over a year
> > ago, so I think that it is probably in and working these days(?)
> > Even if so, it still remains unclear to me what is safe and
> > appropriate in my situation.
> >
> > If anyone has experience with a similar setup and hardware, I
> > would very much appreciate knowing of their experiences.  The
> > IOS revision on the Cisco is from about a year ago...don't have
> > it handy, but can get it if it is a factor.
> >
> > (Also, thank you to all who had input on my last question to the
> > list.  I got some feedback from my ISP about it, but it only
> > adds to the mystery.  I'll follow-up on that thread when I know
> > more.)
> >
> > Thanks,
> >
> > - Tom
>
> On the external interface you need to configure at least the default route.
> Moreover your ISP will have to configure the same private range on his
> equipment, which I doubt he will agree to.
>
> The way I see it you have 2 solutions:
>
> 1. request a /29 from your ISP
> 2. use the enhanced image for the 3560 (that will make it a layer 3 device)
>    with a private range to your firewalls and the public range on the ISP link

Thank you for your suggestions.

The 3560 I have to work with has 'C3560-IPBASE-M' while the one I have
currently in production has 'C3560-ADVIPSERVICESK9-M'.

The one in production will also support IP routing.

I think that both of these IOS versions would do simple VLAN routing.
I am very much a novice at this and don't use any VLAN routing at all
currently since I was able to do the simple stuff I needed host-side on
my current setup.  (I have been planning to abandon that strategy with my
new carp implementation and try to do more with VLAN routing, but that is
on the 'other side' of the issue I am currently trying to deal with.)

I wonder if it would/could work to have something like:

            ----------        ----------
ISP -->     |  3560    | -->  |  3560    | -- em0:pf-1
            | VLAN /30 |      | VLAN /29 | -- em0:pf-2
            ----------        ----------

Yes, however, on the ISP interface you don't need any VLAN.  Just use 'ip
routing' in global config mode and 'no switchport' in interface config
mode so that your switch port becomes a routed port.

where I arrange appropriate routing between the two VLANs?  Perhaps that
is basically what you are suggesting?

See the above suggestion.  Don't forget to point the default route towards
your ISP.

I am quite confused about what traffic one would expect to see making it
out of the em0 interfaces when carp is active and working.  Relatedly,
what exactly the default route does in such a scenario.  These details
don't seem to be broadly described in the documentation I have run across
so far.

The default route is used for all traffic for which no more specific route
exists in the routing table.  Aka default gateway, gateway of last resort,
etc.

Thanks again for any thoughts on the matter.

- Tom

Best Regards
Catalin Miclaus
ISP-Data Ops.
Starcomms Ltd.

> Best Regards
> Catalin Miclaus
> ISP-Data Ops.
> Starcomms Ltd.
>
> --
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
> DISCLAIMER: The information contained in this message (including any
> attachments) is confidential and may be privileged.  If you have received
> it by mistake please notify the sender by return e-mail and permanently
> delete this message and any attachments from your system.  Any form of
> dissemination, use, review, distribution, printing or copying of this
> message in whole or in part is strictly prohibited if you are not the
> intended recipient of this e-mail.  Please note that e-mails are
> susceptible to change.  STARCOMMS PLC shall not be liable for the improper
> or incomplete transmission of the information contained in this
> communication nor for any delay in its receipt or damage to your system.
> STARCOMMS PLC does not guarantee that the integrity of this communication
> has been maintained or that this communication is free of viruses,
> interceptions or interferences.  STARCOMMS PLC reserves the right to
> monitor all e-mail communications, whether related to the business of
> STARCOMMS or not, through its internal or external networks.
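As an added illustration of Catalin's last point (this is not code from the thread), the Python script below does a longest-prefix-match lookup over a routing table shaped like Tom's layout: the ISP /30 on the carp side, an RFC1918 transit net for the two em0 interfaces, the class-C behind em1, and a default route towards the ISP. The ISP gateway 70.187.255.245, the transit net 10.255.255.0/30 and the 192.0.2.0/24 stand-in for Tom's unnamed class-C are assumptions made for the example.

```python
"""Longest-prefix-match lookup with a default route (gateway of last resort).

Added example, not from the mailing-list thread.  It models the routing
table a pf box in Tom's layout might hold.  The ISP gateway 70.187.255.245
and the 10.255.255.0/30 transit net are assumptions; 192.0.2.0/24 stands in
for the class-C the post does not name.
"""
from ipaddress import ip_address, ip_network

# (destination prefix, gateway or None when directly connected, interface)
ROUTES = [
    (ip_network("70.187.255.244/30"), None, "carp0"),   # ISP /30, connected
    (ip_network("10.255.255.0/30"), None, "em0"),       # assumed RFC1918 transit net
    (ip_network("192.0.2.0/24"), None, "em1"),          # stand-in for the class-C
    (ip_network("0.0.0.0/0"), ip_address("70.187.255.245"), "carp0"),  # default, assumed ISP gw
]


def lookup(dst):
    """Return (prefix, gateway, ifname) of the most specific matching route.

    Every prefix that contains dst is a candidate; the longest prefix wins.
    0.0.0.0/0 contains everything, so it only wins when nothing more specific
    matches: that is exactly what 'gateway of last resort' means.
    """
    dst = ip_address(dst)
    best = None
    for prefix, gw, ifname in ROUTES:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gw, ifname)
    if best is None:
        raise LookupError(f"no route to {dst}")  # only possible without a default route
    return best


def next_hop(dst):
    """Where the packet is handed off: the gateway, or the destination itself
    on a directly connected route (the host would ARP for it on that interface)."""
    prefix, gw, ifname = lookup(dst)
    return (str(gw) if gw is not None else str(ip_address(dst)), ifname)


if __name__ == "__main__":
    for d in ("192.0.2.10", "10.255.255.2", "70.187.255.245", "203.0.113.9"):
        print(d, "->", next_hop(d))
```

Only the last destination, 203.0.113.9, falls through to the default route; on a carp pair the default route lives on both hosts and is used by whichever one currently holds the carp master address.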
From reddvinylene at gmail.com Fri Oct 3 09:38:29 2008
From: reddvinylene at gmail.com (Redd Vinylene)
Date: Fri Oct 3 09:38:36 2008
Subject: Jail, pf and ftpd: Connection refused
Message-ID:

Greetings ladies and gentlemen!

Why does the below pf.conf (run from box1) give me
"getpeername(control_sock): Transport endpoint is not connected,
Socket error (Connection refused) - reconnecting" when trying to log
onto box3 via passive FTP? Active FTP gives me "425 Can't build data
connection: Connection refused." (box2 and box3 are jails running off
box1)

-

root@box1# cat /etc/pf.conf

box1 = "80.203.2.2"
box2 = "80.203.2.3"
box3 = "{ 80.203.2.4 [...] 80.203.2.127 }"
ext_if = "rl0"

set block-policy return
set skip on { lo0 }

scrub in

pass out keep state

block in

pass in on $ext_if inet proto tcp from any to any port { 22 } keep state
pass in on $ext_if inet proto tcp from any to $box2 port { 25, 53, 80, 110 } keep state
pass in on $ext_if inet proto udp from any to $box2 port 53 keep state
pass in on $ext_if inet proto tcp from any to $box3 port { 20, 21, 113 } keep state
pass in on $ext_if inet proto icmp from any to any keep state

-

root@box3# cat /etc/inetd.conf

ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l

-

I hope I've been verbose enough. Thank you!

-- 
http://www.home.no/reddvinylene

From max at love2party.net Fri Oct 3 09:56:11 2008
From: max at love2party.net (Max Laier)
Date: Fri Oct 3 09:56:18 2008
Subject: Jail, pf and ftpd: Connection refused
In-Reply-To:
References:
Message-ID: <200810031156.07623.max@love2party.net>

On Friday 03 October 2008 11:11:57 Redd Vinylene wrote:
> Greetings ladies and gentlemen!
>
> Why does the below pf.conf (run from box1) give me
> "getpeername(control_sock): Transport endpoint is not connected,
> Socket error (Connection refused) - reconnecting" when trying to log
> onto box3 via passive FTP? Active FTP gives me "425 Can't build data
> connection: Connection refused."
> (box2 and box3 are jails running off
> box1)

See ftp-proxy(8).

Note that active works with the ruleset you provided (due to the "pass out
keep state"-rule), but there is obviously a firewall problem on the client
preventing that.

> -
>
> root@box1# cat /etc/pf.conf
>
> box1 = "80.203.2.2"
> box2 = "80.203.2.3"
> box3 = "{ 80.203.2.4 [...] 80.203.2.127 }"
> ext_if = "rl0"
>
> set block-policy return
> set skip on { lo0 }
>
> scrub in
>
> pass out keep state
>
> block in
>
> pass in on $ext_if inet proto tcp from any to any port { 22 } keep state
> pass in on $ext_if inet proto tcp from any to $box2 port { 25, 53, 80,
> 110 } keep state
> pass in on $ext_if inet proto udp from any to $box2 port 53 keep state
> pass in on $ext_if inet proto tcp from any to $box3 port { 20, 21, 113
> } keep state
> pass in on $ext_if inet proto icmp from any to any keep state
>
> -
>
> root@box3# cat /etc/inetd.conf
>
> ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
>
> -
>
> I hope I've been verbose enough. Thank you!

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From koitsu at FreeBSD.org Fri Oct 3 11:38:28 2008
From: koitsu at FreeBSD.org (Jeremy Chadwick)
Date: Fri Oct 3 11:38:41 2008
Subject: pf rules not being loaded during boot on 7.1-PRERELEASE
In-Reply-To: <20081003111703.GA27385@icarus.home.lan>
References: <48E535D3.8000805@cran.org.uk>
	<20081003111703.GA27385@icarus.home.lan>
Message-ID: <20081003113824.GA27757@icarus.home.lan>

On Fri, Oct 03, 2008 at 04:17:03AM -0700, Jeremy Chadwick wrote:
> On Thu, Oct 02, 2008 at 09:57:55PM +0100, Bruce Cran wrote:
> > I recently upgraded my i386 router from 7.0 to 7.1-PRERELEASE.
> > I rebooted it today but despite pf_enable="YES" being in /etc/rc.conf no
> > rules got loaded during boot, despite pf itself having been enabled:
> >
> > router# pfctl -s rules
> > router# pfctl -e -f /etc/pf.conf
> > pfctl: pf already enabled
> > [connection is closed due to new rules being loaded]
> > router# pfctl -s rules
> > scrub in all fragment reassemble
> > [... lots of rules listed]
> >
> > Has anyone else seen this problem, or have I just missed something
> > that's changed between 7.0 and 7.1 in the way pf works?
>
> I was seeing something similar on my own box which I just upgraded from
> a 150-day-old RELENG_6 to present RELENG_6.  pfctl -s rules output no
> rules.  pfctl -s info showed packet counters, but no interface stats
> (due to the rules not being loaded, e.g. no loginterface).
>
> kldstat showed pflog.ko and pf.ko loaded.
>
> If I did /etc/rc.d/pf start, the rules would load, and everything
> starts working as expected.
>
> I rebooted the box and saw the following on serial console, which I'm
> pretty sure is what's responsible for the breakage:
>
> Enabling pf.
> Oct  3 04:14:51 pflogd[374]: [priv]: msg PRIV_OPEN_LOG received
> cannot determine interface bandwidth for bge0, specify an absolute
> bandwidth
> altq not defined on bge0
> altq not defined on bge0
> /conf/ME/pf.conf:52: errors in queue definition
> altq not defined on bge0
> /conf/ME/pf.conf:53: errors in queue definition
> altq not defined on bge0
> /conf/ME/pf.conf:54: errors in queue definition
> pfctl: Syntax error in config file: pf rules not loaded
> pf enabled

Cross-posting to freebsd-pf (I'm sorry for doing this, but it needs
attention from both -pf and -stable).

I've figured out what the problem is.  This is not good, and is
guaranteed to bite other people.  I'd like to believe this is an
rc-related problem, but I'm not sure how to fix it.
The problem in my case:

The physical interfaces were brought online, but were still technically
offline (the switch and NIC PHY were taking some time to negotiate speed
and duplex).  Boot messages:

bge0: link state changed to DOWN
bge1: link state changed to DOWN
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
bge0: flags=8843 mtu 1500
        options=1b
        inet XXXXXXXXXXX netmask 0xffffff80 broadcast XXXXXXXXXXXXX
        ether 00:30:48:81:fc:8a
        media: Ethernet autoselect (none)
        status: no carrier
bge1: flags=8843 mtu 1500
        options=1b
        inet XXXXXXXXX netmask 0xffffff00 broadcast XXXXXXXXXXX
        ether 00:30:48:81:fc:8b
        media: Ethernet autoselect (none)
        status: no carrier

Note that the interfaces are UP, not DOWN.  Then the very next thing seen
on the console:

Starting pflog.
pflog0: promiscuous mode enabled
Enabling pf.
Oct  3 04:14:51 pflogd[374]: [priv]: msg PRIV_OPEN_LOG received
cannot determine interface bandwidth for bge0, specify an absolute bandwidth
altq not defined on bge0
altq not defined on bge0
/conf/ME/pf.conf:52: errors in queue definition
altq not defined on bge0
/conf/ME/pf.conf:53: errors in queue definition
altq not defined on bge0
/conf/ME/pf.conf:54: errors in queue definition
pfctl: Syntax error in config file: pf rules not loaded
pf enabled

The error message about "interface bandwidth" is the key here.  My ALTQ
rules use "bandwidth <percentage>", not a static amount in bits:

altq on $ext_if cbq bandwidth 100% queue { std, blah, blah2 }
  queue std bandwidth 95% cbq(default borrow)
  queue blah bandwidth 384Kb
  queue blah2 bandwidth 384Kb

Since the PHY hadn't negotiated speed, pf was unable to determine what
the percentage really mapped to bandwidth/bit-wise.

If at all possible, pf should wait for the interfaces to come up fully
(that includes autonegotiation being completed; do we have framework for
this?) before starting.
I changed my rules to use static speeds (100% --> 100Mb, and 95% --> 95Mb),
which appear to work, but after the 2nd reboot the speed/duplex had been
negotiated by the time pf had started, so I don't know if it truly fixed
anything.

I don't know what pf will do if you say "100Mb" for an interface which
has no link/speed defined yet.  It may behave the same way as shown above;
I don't know.

This needs some thought and definitely a solution.

Again, note that I'm using RELENG_6, but I've a feeling this might bite
RELENG_7 too.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From freebsd at violetlan.net Fri Oct 3 12:54:23 2008
From: freebsd at violetlan.net (Reinhold)
Date: Fri Oct 3 12:54:29 2008
Subject: limiting bandwidth at certain times during the day
Message-ID: <56157.217.45.165.129.1223037455.squirrel@www.violetlan.net>

Hi

I was asked to limit the amount of bandwidth being used by our openvpn
connections during our office hours and then allow full access after
hours.

In my current set up I'm using pf that does load balancing over 2 adsl
lines on a FreeBSD 7-STABLE system; I'm using mpd5 for dialing in and
establishing the connections with our ISP.

I'm in the process of implementing HFSC to see if I can improve our
bandwidth usage.  I tried PRIQ but ended up losing packets and the
overall performance decreased to a point where I had to disable it.

How can I go about setting up a limit for a certain time period on the
amount of bandwidth being used by openvpn?
Thanks

Reinhold

From linimon at FreeBSD.org Fri Oct 3 14:42:49 2008
From: linimon at FreeBSD.org (linimon@FreeBSD.org)
Date: Fri Oct 3 14:43:00 2008
Subject: conf/127814: [pf] The flush in pf_reload in /etc/rc.d/pf does not work as intended
Message-ID: <200810031442.m93EgmYn086124@freefall.freebsd.org>

Old Synopsis: The flush in pf_reload in /etc/rc.d/pf does not work as intended
New Synopsis: [pf] The flush in pf_reload in /etc/rc.d/pf does not work as intended

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Fri Oct 3 14:42:02 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=127814

From bruce at cran.org.uk Fri Oct 3 22:06:21 2008
From: bruce at cran.org.uk (Bruce Cran)
Date: Fri Oct 3 22:06:33 2008
Subject: pf rules not being loaded during boot on 7.1-PRERELEASE
In-Reply-To: <20081003113824.GA27757@icarus.home.lan>
References: <48E535D3.8000805@cran.org.uk>
	<20081003111703.GA27385@icarus.home.lan>
	<20081003113824.GA27757@icarus.home.lan>
Message-ID: <20081003230534.60b4c1cb@tau.draftnet>

On Fri, 3 Oct 2008 04:38:24 -0700
Jeremy Chadwick wrote:

> I've figured out what the problem is.  This is not good, and is
> guaranteed to bite other people.  I'd like to believe this is an
> rc-related problem, but I'm not sure how to fix it.
>
> The problem in my case:
>
> The physical interfaces were brought online, but were still
> technically offline (the switch and NIC PHY were taking some time to
> negotiate speed and duplex).  Boot messages:
>

My box is headless so I didn't see the startup messages until I
attached a serial cable.  It's a similar problem in my case, but caused
because I'm firewalling an ADSL connection which uses PPP, and pf is
being enabled before PPP has configured tun0:

Setting hostname: router.draftnet.
vr0: link state changed to DOWN
dc0: link state changed to UP
dc3: link state changed to UP
lo0: flags=8049 metric 0 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
        inet 127.0.0.1 netmask 0xff000000
vr0: flags=8843 metric 0 mtu 1500
        options=2808
        ether 00:40:63:e3:d1:b7
        inet6 XXXXXXXXXX%vr0 prefixlen 64 tentative scopeid 0x1
        inet XXXXXXXXX netmask 0xffffff00 broadcast XXXXXXXXXX
        media: Ethernet autoselect (none)
        status: no carrier
dc0: flags=8843 metric 0 mtu 1500
        options=8
        ether 00:80:c8:c9:96:6d
        inet6 XXXXXXXXX%dc0 prefixlen 64 tentative scopeid 0x2
        inet XXXXXXXXX netmask 0xffffff00 broadcast XXXXXXXXX
        media: Ethernet autoselect (100baseTX )
        status: active
dc3: flags=8843 metric 0 mtu 1500
        options=8
        ether 00:80:c8:c9:96:70
        inet6 XXXXXXXXX%dc3 prefixlen 64 tentative scopeid 0x5
        inet XXXXXXXXX netmask 0xffffff00 broadcast XXXXXXXXX
        media: Ethernet autoselect (100baseTX )
        status: active
Enabling pf.
no IP address found for tun0
/etc/pf.conf:45: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded
pf enabled
Starting PPP profile: demonLoading /lib/libalias_cuseeme.so
Loading /lib/libalias_ftp.so
Loading /lib/libalias_irc.so
Lodading /lib/libalcias_nbt.so
Load1ing /lib/libalia:s_pptp.so
Loadi ng /lib/libaliasl_skinny.so
Loadiing /lib/libalians_smedia.so
k.
no IP address found for tun0
s
/etc/pf.conf:45t: could not parsae host specificattion
pfctl: Synetax error in con fig file: pf rulces not loaded
ahdd net default: agateway tun0
Adnditional routingg options: IP gateeway=YES.
dadd net ::ffff:0 .0.0.0: gateway t::1
add net ::0o.0.0.0: gateway ::1
net.inet6.iDp6.forwarding: 0O -> 1
net.inet6W.ip6.accept_rtadNv: 0 -> 0

dc2: link state changed to DOWN

The messages following "link state changed to DOWN" indicate that all
the interfaces are now properly configured with IP addresses, including
the external ADSL tun0 and IPv6 gif0 interfaces.
-- 
Bruce Cran

From volker at vwsoft.com Fri Oct 3 23:05:42 2008
From: volker at vwsoft.com (Volker)
Date: Fri Oct 3 23:05:56 2008
Subject: pf rules not being loaded during boot on 7.1-PRERELEASE
In-Reply-To: <20081003230534.60b4c1cb@tau.draftnet>
References: <48E535D3.8000805@cran.org.uk>
	<20081003111703.GA27385@icarus.home.lan>
	<20081003113824.GA27757@icarus.home.lan>
	<20081003230534.60b4c1cb@tau.draftnet>
Message-ID: <48E69F6D.5050001@vwsoft.com>

On 10/04/08 00:05, Bruce Cran wrote:
> On Fri, 3 Oct 2008 04:38:24 -0700
> Jeremy Chadwick wrote:
>> I've figured out what the problem is.  This is not good, and is
>> guaranteed to bite other people.  I'd like to believe this is an
>> rc-related problem, but I'm not sure how to fix it.
>>
>> The problem in my case:
>>
>> The physical interfaces were brought online, but were still
>> technically offline (the switch and NIC PHY were taking some time to
>> negotiate speed and duplex).  Boot messages:
>>
>
> My box is headless so I didn't see the startup messages until I
> attached a serial cable.  It's a similar problem in my case, but caused
> because I'm firewalling an ADSL connection which uses PPP, and pf is
> being enabled before PPP has configured tun0:
>
> Setting hostname: router.draftnet.
> vr0: link state changed to DOWN
> dc0: link state changed to UP
> dc3: link state changed to UP
> lo0: flags=8049 metric 0 mtu 16384
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
>         inet 127.0.0.1 netmask 0xff000000
> vr0: flags=8843 metric 0 mtu 1500
>         options=2808
>         ether 00:40:63:e3:d1:b7
>         inet6 XXXXXXXXXX%vr0 prefixlen 64 tentative scopeid 0x1
>         inet XXXXXXXXX netmask 0xffffff00 broadcast XXXXXXXXXX
>         media: Ethernet autoselect (none)
>         status: no carrier
> dc0: flags=8843 metric 0 mtu 1500
>         options=8
>         ether 00:80:c8:c9:96:6d
>         inet6 XXXXXXXXX%dc0 prefixlen 64 tentative scopeid 0x2
>         inet XXXXXXXXX netmask 0xffffff00 broadcast XXXXXXXXX
>         media: Ethernet autoselect (100baseTX )
>         status: active
> dc3: flags=8843 metric 0 mtu 1500
>         options=8
>         ether 00:80:c8:c9:96:70
>         inet6 XXXXXXXXX%dc3 prefixlen 64 tentative scopeid 0x5
>         inet XXXXXXXXX netmask 0xffffff00 broadcast XXXXXXXXX
>         media: Ethernet autoselect (100baseTX )
>         status: active
> Enabling pf.
> no IP address found for tun0
> /etc/pf.conf:45: could not parse host specification
> pfctl: Syntax error in config file: pf rules not loaded
> pf enabled
> Starting PPP profile: demonLoading /lib/libalias_cuseeme.so
> Loading /lib/libalias_ftp.so
> Loading /lib/libalias_irc.so
> Lodading /lib/libalcias_nbt.so
> Load1ing /lib/libalia:s_pptp.so
> Loadi ng /lib/libaliasl_skinny.so
> Loadiing /lib/libalians_smedia.so
> k.
> no IP address found for tun0
> s
> /etc/pf.conf:45t: could not parsae host specificattion
> pfctl: Synetax error in con fig file: pf rulces not loaded
> ahdd net default: agateway tun0
> Adnditional routingg options: IP gateeway=YES.
> dadd net ::ffff:0 .0.0.0: gateway t::1
> add net ::0o.0.0.0: gateway ::1
> net.inet6.iDp6.forwarding: 0O -> 1
> net.inet6W.ip6.accept_rtadNv: 0 -> 0
>
> dc2: link state changed to DOWN
>
> The messages following "link state changed to DOWN" indicate that all
> the interfaces are now properly configured with IP addresses, including
> the external ADSL tun0 and IPv6 gif0 interfaces.
>

Bruce,

looking into my crystal ball... ;)

You seem to have a rule like:

pass ... on tun0 from any to tun0 ...

If you change that into:

pass ... on tun0 from any to (tun0) ...

pf will happily parse your rules and activate your firewall even while
tun0 does not already have an IP address.  You may also try to use rules
naming an interface family instead of a single interface.

Other than that suggestion, I may help you if you'll send me your rules
(private mail is ok for me).

Volker

From bruce at cran.org.uk Fri Oct 3 23:23:01 2008
From: bruce at cran.org.uk (Bruce Cran)
Date: Fri Oct 3 23:23:07 2008
Subject: pf rules not being loaded during boot on 7.1-PRERELEASE
In-Reply-To: <48E69F6D.5050001@vwsoft.com>
References: <48E535D3.8000805@cran.org.uk>
	<20081003111703.GA27385@icarus.home.lan>
	<20081003113824.GA27757@icarus.home.lan>
	<20081003230534.60b4c1cb@tau.draftnet>
	<48E69F6D.5050001@vwsoft.com>
Message-ID: <20081004002229.7089be9c@tau.draftnet>

On Sat, 04 Oct 2008 00:40:45 +0200
Volker wrote:

> You seem to have a rule like:
>
> pass ... on tun0 from any to tun0 ...
>
> If you change that into:
>
> pass ... on tun0 from any to (tun0) ...
>
> pf will happily parse your rules and activate your firewall even while
> tun0 does not already have an IP address.  You may also try to use
> rules naming an interface family instead of a single interface.

You're right - I mostly used lines with (tun0) but line 45 didn't have
the brackets.  I've just added them, rebooted and pf loaded the rules
during boot.
-- 
Bruce Cran

From volker at vwsoft.com Fri Oct 3 23:26:07 2008
From: volker at vwsoft.com (Volker)
Date: Fri Oct 3 23:26:20 2008
Subject: pf rules not being loaded during boot on 7.1-PRERELEASE
In-Reply-To: <20081004002229.7089be9c@tau.draftnet>
References: <48E535D3.8000805@cran.org.uk>
	<20081003111703.GA27385@icarus.home.lan>
	<20081003113824.GA27757@icarus.home.lan>
	<20081003230534.60b4c1cb@tau.draftnet>
	<48E69F6D.5050001@vwsoft.com>
	<20081004002229.7089be9c@tau.draftnet>
Message-ID: <48E6A9FD.4060406@vwsoft.com>

On 10/04/08 01:22, Bruce Cran wrote:
> On Sat, 04 Oct 2008 00:40:45 +0200
> Volker wrote:
>> You seem to have a rule like:
>>
>> pass ... on tun0 from any to tun0 ...
>>
>> If you change that into:
>>
>> pass ... on tun0 from any to (tun0) ...
>>
>> pf will happily parse your rules and activate your firewall even while
>> tun0 does not already have an IP address.  You may also try to use
>> rules naming an interface family instead of a single interface.
>
> You're right - I mostly used lines with (tun0) but line 45 didn't have
> the brackets.  I've just added them, rebooted and pf loaded the rules
> during boot.
>

Well, sometimes my crystal ball works ;)

From reddvinylene at gmail.com Sat Oct 4 10:24:11 2008
From: reddvinylene at gmail.com (Redd Vinylene)
Date: Sat Oct 4 10:24:30 2008
Subject: Jail, pf and ftpd: Connection refused
In-Reply-To: <200810031156.07623.max@love2party.net>
References: <200810031156.07623.max@love2party.net>
Message-ID:

On Fri, Oct 3, 2008 at 11:56 AM, Max Laier wrote:
>
> See ftp-proxy(8).
>
> Note that active works with the ruleset you provided (due to the "pass out
> keep state"-rule), but there is obviously a firewall problem on the client
> preventing that.
>

Are you sure I need ftp-proxy?  I opened the datarange 49152:65535 and now
I no longer get a connection refused.  I seem to be able to list, download,
you know the usual stuff.  I still get the "getpeername(control_sock):
Transport endpoint is not connected" though.
If I do need ftp-proxy, I take it it's the "FTP Server Protected by an
External PF Firewall Running NAT" at http://www.openbsd.org/faq/pf/ftp.html
that applies to my setup?  I can't quite comprehend the nat/rdr rules in
that example, as I ain't really got an int_if.  As I stated earlier, I have
a FreeBSD server running pf and two jails, and I'm trying to get ftpd
running smoothly inside one of those jails.

Thank you so much.

-- 
http://www.home.no/reddvinylene

From reddvinylene at gmail.com Sat Oct 4 12:51:54 2008
From: reddvinylene at gmail.com (Redd Vinylene)
Date: Sat Oct 4 12:52:12 2008
Subject: Jail, pf and ftpd: Connection refused
In-Reply-To:
References: <200810031156.07623.max@love2party.net>
Message-ID:

> On Fri, Oct 3, 2008 at 11:56 AM, Max Laier wrote:
>
> See ftp-proxy(8).
>
> Note that active works with the ruleset you provided (due to the "pass out
> keep state"-rule), but there is obviously a firewall problem on the client
> preventing that.
>

Never mind, I think the "Transport endpoint is not connected" is most
likely due to lftp.  Nonetheless, much obliged for the assistance!

-- 
http://www.home.no/reddvinylene

From david.marec at davenulle.org Sun Oct 5 15:00:59 2008
From: david.marec at davenulle.org (David Marec)
Date: Sun Oct 5 15:01:06 2008
Subject: Pf, ftp-proxy and proftp running into a jail
Message-ID: <200810051642.45864.david.marec@davenulle.org>

hi,

I am trying to get proftpd running in a jail, available from outside the
host.

First, I wrote rules to redirect ftp traffic from ext_if to the jail and
to nat jailed traffic to ext_if.
After login, the data connection keeps being closed in passive mode; the
active mode is running well.

Then, I tried to use ftp-proxy, by adding the following entries into
rc.conf:

ftpproxy_enable="yes"
ftpproxy_flags="-vv -R ftp.server.address -p 21 -b ext.if"

and followed the tutorial I found on the openbsd website:
http://www.openbsd.org/faq/pf/ftp.html

But, I can't even connect to the ftp server.
What is the right way to use ftp-proxy?

The pf.conf file could be loaded from here:
http://user.lamaiziere.net/david/pf/pf.conf

-- 
http://www.freebsd.org/fr/
http://www.arcadehits.net/
http://www.diablotins.org/

From 000.fbsd at quip.cz Sun Oct 5 17:04:21 2008
From: 000.fbsd at quip.cz (Miroslav Lachman)
Date: Sun Oct 5 17:04:27 2008
Subject: Pf, ftp-proxy and proftp running into a jail
In-Reply-To: <200810051642.45864.david.marec@davenulle.org>
References: <200810051642.45864.david.marec@davenulle.org>
Message-ID: <48E8EFD3.4030000@quip.cz>

David Marec wrote:
> hi,
>
> I am trying to get protftp running into a jail, avalaible from outside the
> host.
>
> First, i wrote rules to redirect ftp traffic from ext_if to the jail and to
> nat jailled traffic to ext_if.
> After login, the data connection keeps being closed in passive mode; the
> active mode is running well.
>
> then, i tried to use ftp-proxy, by adding the following entries into rc.conf:
> ftpproxy_enable="yes"
> ftpproxy_flags="-vv -R ftp.server.address -p 21 -b ext.if"
>
> and followed the tutorial i found on the openbsd website:
> http://www.openbsd.org/faq/pf/ftp.html
>
> But, i can't even connect to the ftp server.
>
> What is the right way to use ftp-proxy ?

Are you sure you need ftp-proxy?
I have ProFTPd in a jail on a private IP, bidirectionally NATed by PF 1:1 to
a public IP with the following rules:

binat on $ext_if from $jail_addr_1 to any -> $ext_addr_1

## pass incoming in to jails (from outside world)
## The filter engine will see the IP packet as it looks after translation has taken place
pass in on $ext_if inet proto tcp from any to $jail_addr_1 port $jail_tcp_1_inports

## pass in/out (both directions) on jail interface (operations inside jail)
pass on $jail_if inet from $jail_addr_1 to $jail_addr_1

## passive FTP transfer - highports - for FTP in Jail (must use MasqueradeAddress in proftpd.conf)
pass in on $ext_if inet proto tcp from any to $jail_addr_1 port 54000 >< 55000 keep state

And in proftpd.conf I have:

# If Jail has NATed local IP address
MasqueradeAddress 1.2.3.4
PassivePorts 54000 55000

(1.2.3.4 is the public IP address on which FTP will be accessible)

You do not need 1:1 mapping, you can use NAT + RDR rules to redirect just
some port range into your jail.

Miroslav Lachman

From bugmaster at FreeBSD.org Mon Oct 6 11:06:59 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Oct 6 11:08:34 2008
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200810061106.m96B6xDh035562@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.
Description
--------------------------------------------------------------------------------
o conf/127814  pf  [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf  [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf  [pf] deadlock in pf
o kern/127345  pf  [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf  [pf] [patch] pf incorrect log priority
o kern/127042  pf  [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf  [pf] pf keep state bug while handling sessions between
s kern/124933  pf  [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf  [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf  [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf  [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf  [pf] PF mangles loopback packets
o kern/120281  pf  [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf  [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf  [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf  [pf] LOR pf_ioctl.c + if.c
o kern/114095  pf  [carp] carp+pf delay with high state limit
o kern/111220  pf  [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf  [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/93825   pf  [pf] pf reply-to doesn't work
o sparc/93530  pf  [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf  [pf] PF + ALTQ problems with latency
o kern/82271   pf  [pf] cbq scheduler cause bad latency

23 problems total.
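The NAT + RDR alternative that Miroslav Lachman mentions in his reply above (no 1:1 binat, only the FTP control port and the passive range redirected into the jail), written out as an added example; this is not his ruleset, and the interface names and addresses are assumptions.

```pf
# Added example, not from the thread. Interface names and addresses are
# placeholders; adjust them to the host.
ext_if   = "em0"
ext_addr = "1.2.3.4"        # public address clients connect to
jail_if  = "lo1"            # cloned interface carrying the jail address
jail_ftp = "10.0.0.2"       # jail's private address
pasv     = "54000:55000"    # inclusive range, must match PassivePorts below

# Outbound: connections from the jail leave with the public address.
nat on $ext_if from $jail_ftp to any -> $ext_addr

# Inbound: only port 21 and the passive data range are redirected into the
# jail; anything else addressed to $ext_addr is still handled by the host.
rdr on $ext_if proto tcp from any to $ext_addr port 21    -> $jail_ftp
rdr on $ext_if proto tcp from any to $ext_addr port $pasv -> $jail_ftp

# Filter rules see the packet after translation, so they match the jail
# address, exactly as in the binat variant above.
pass in on $ext_if inet proto tcp from any to $jail_ftp port 21    keep state
pass in on $ext_if inet proto tcp from any to $jail_ftp port $pasv keep state
pass on $jail_if inet from $jail_ftp to $jail_ftp

# proftpd.conf inside the jail (same directives as in the thread):
#   MasqueradeAddress 1.2.3.4
#   PassivePorts      54000 55000
# Without MasqueradeAddress the PASV reply advertises 10.0.0.2, which the
# client cannot reach, and the data connection fails in passive mode while
# active mode keeps working, which is the symptom from the original question.
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which catches typos in the range macro before the rules go live.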
From linimon at FreeBSD.org Tue Oct 7 16:11:16 2008
From: linimon at FreeBSD.org (linimon@FreeBSD.org)
Date: Tue Oct 7 16:11:30 2008
Subject: kern/127920: [pf] ipv6 and synproxy don't play well together
Message-ID: <200810071611.m97GBGqV013054@freefall.freebsd.org>

Old Synopsis: pf : ipv6 and synproxy don't play well together
New Synopsis: [pf] ipv6 and synproxy don't play well together

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Tue Oct 7 16:10:55 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=127920

From alancyang at gmail.com Thu Oct 9 23:03:44 2008
From: alancyang at gmail.com (alan yang)
Date: Thu Oct 9 23:03:50 2008
Subject: packet flow in pf framework
Message-ID: <290865fd0810091536s2fa38f4ao8fb2114fa7431441@mail.gmail.com>

Sorry if this is naive.

I wonder how packets flow in / out of the pf framework within the kernel; is
it the BSD Packet Filter (BPF) approach...?
I would appreciate it if people could shed some light on where to start
tracing the pf code.

Thanks in advance.
From mksmith at adhost.com Sun Oct 12 02:02:34 2008
From: mksmith at adhost.com (Michael K. Smith)
Date: Sun Oct 12 02:02:40 2008
Subject: Passive FTP Issues
Message-ID:

Hello All:

We are having issues with a "standard" configuration and getting passive ftp
to work. Here are our present rules related to one server $liv_ftp_int/ext:

nat on $vlan2_if from $liv_ftp_int to any -> $liv_ftp_ext
rdr pass on ! $vlan924_if proto tcp from any to $liv_ftp_ext port { ftp, 990, 49152:65535 } -> $liv_ftp_int
pass in quick on $vlan2_if proto tcp from any to port { ftp, 49152:65535 } keep state flags S/SA

When we put a "block in log on $vlan2_if" rule before everything else, ftp
breaks. When we move the block rule to the end of the pass rules, it works
like a champ.

Am I missing something obvious? Any help would be greatly appreciated.
This is 6.3 Release 1.

Regards,

Mike

From bugmaster at FreeBSD.org Mon Oct 13 11:06:54 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Oct 13 11:08:33 2008
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200810131106.m9DB6rL4029513@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.
Description
--------------------------------------------------------------------------------
o kern/127920  pf  [pf] ipv6 and synproxy don't play well together
o conf/127814  pf  [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf  [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf  [pf] deadlock in pf
o kern/127345  pf  [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf  [pf] [patch] pf incorrect log priority
o kern/127042  pf  [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf  [pf] pf keep state bug while handling sessions between
s kern/124933  pf  [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf  [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf  [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf  [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf  [pf] PF mangles loopback packets
o kern/120281  pf  [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf  [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf  [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf  [pf] LOR pf_ioctl.c + if.c
o kern/114095  pf  [carp] carp+pf delay with high state limit
o kern/111220  pf  [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf  [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/93825   pf  [pf] pf reply-to doesn't work
o sparc/93530  pf  [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf  [pf] PF + ALTQ problems with latency
o kern/82271   pf  [pf] cbq scheduler cause bad latency

24 problems total.
From alancyang at gmail.com Tue Oct 14 00:01:48 2008
From: alancyang at gmail.com (alan yang)
Date: Tue Oct 14 00:01:55 2008
Subject: packet flow in pf framework
In-Reply-To: <290865fd0810091536s2fa38f4ao8fb2114fa7431441@mail.gmail.com>
References: <290865fd0810091536s2fa38f4ao8fb2114fa7431441@mail.gmail.com>
Message-ID: <290865fd0810131701i3a0b87cfma7fab18fead4e4a9@mail.gmail.com>

Can people shed some light on how packets flow through ether_input,
ether_demux, ip_input, tcp_input and where the pf code gets invoked?
Really appreciated.

On Thu, Oct 9, 2008 at 3:36 PM, alan yang wrote:
> Sorry if this is naive.
>
> I wonder how packets flow in / out of the pf framework within the kernel; is
> it the BSD Packet Filter (BPF) approach...?
> I would appreciate it if people could shed some light on where to start
> tracing the pf code.
>
> Thanks in advance.
>

From koitsu at FreeBSD.org Wed Oct 15 20:27:27 2008
From: koitsu at FreeBSD.org (Jeremy Chadwick)
Date: Wed Oct 15 20:27:33 2008
Subject: PF syntax error
In-Reply-To: <48F621C2.8080405@mtmary.edu>
References: <48F621C2.8080405@mtmary.edu>
Message-ID: <20081015202725.GA88225@icarus.home.lan>

On Wed, Oct 15, 2008 at 12:00:50PM -0500, Peter Clark wrote:
> Hello,
>
> I am not sure if I should be here or over at a pf specific list but here
> is my problem.

I've changed the CC list, so this will now go to the freebsd-pf mailing
list instead.

> I am trying my hand at pf on a 7.0-p5 RELEASE box and one rule is giving
> me problems.
>
> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>
>      (max-src-conn 15, max-src-conn-rate 5/3, overload flush
> global)
>
> Actually the "pass in" line does not generate the error. The next line does.
>
> /etc/pf.conf:71: syntax error
> If I remove the line the error goes away (obviously). I have tried using
> the exact line from the FreeBSD pf.conf man page:
>
> (max-src-conn-rate 100/10, overload flush global)
>
> (I changed to ) and that generates the same
> error.
> I tried just using:
> (max-src-conn-rate 100/10)
>
> but that too gives me a syntax error.
>
> Any help is appreciated.

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From ermal.luci at gmail.com Wed Oct 15 20:52:31 2008
From: ermal.luci at gmail.com (Ermal Luçi)
Date: Wed Oct 15 20:52:38 2008
Subject: PF syntax error
In-Reply-To: <20081015202725.GA88225@icarus.home.lan>
References: <48F621C2.8080405@mtmary.edu> <20081015202725.GA88225@icarus.home.lan>
Message-ID: <9a542da30810151332v54c6a9a8jb00a2afbd8214b26@mail.gmail.com>

On Wed, Oct 15, 2008 at 10:27 PM, Jeremy Chadwick wrote:
> On Wed, Oct 15, 2008 at 12:00:50PM -0500, Peter Clark wrote:
>> Hello,
>>
>> I am not sure if I should be here or over at a pf specific list but here
>> is my problem.
>
> I've changed the CC list, so this will now go to the freebsd-pf mailing
> list instead.
>
>> I am trying my hand at pf on a 7.0-p5 RELEASE box and one rule is giving
>> me problems.
>>
>> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>>
>>      (max-src-conn 15, max-src-conn-rate 5/3, overload flush
>> global)

Is it a copy-paste error or did you forget keep state in there?
It should look like

pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
    keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)

>>
>> Actually the "pass in" line does not generate the error. The next line does.
>>
>> /etc/pf.conf:71: syntax error
>> If I remove the line the error goes away (obviously). I have tried using
>> the exact line from the FreeBSD pf.conf man page:
>>
>> (max-src-conn-rate 100/10, overload flush global)
>>
>> (I changed to ) and that generates the same
>> error. I tried just using:
>> (max-src-conn-rate 100/10)
>>
>> but that too gives me a syntax error.
>>
>> Any help is appreciated.
>
> --
> | Jeremy Chadwick                                jdc at parodius.com |
> | Parodius Networking                       http://www.parodius.com/ |
> | UNIX Systems Administrator                  Mountain View, CA, USA |
> | Making life hard for others since 1977.              PGP: 4BD6C0CB |
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

--
Ermal

From jon at radel.com Wed Oct 15 21:04:46 2008
From: jon at radel.com (Jon Radel)
Date: Wed Oct 15 21:04:52 2008
Subject: PF syntax error
In-Reply-To: <9a542da30810151332v54c6a9a8jb00a2afbd8214b26@mail.gmail.com>
References: <48F621C2.8080405@mtmary.edu> <20081015202725.GA88225@icarus.home.lan> <9a542da30810151332v54c6a9a8jb00a2afbd8214b26@mail.gmail.com>
Message-ID: <48F65AD9.808@radel.com>

Ermal Luçi wrote:
> On Wed, Oct 15, 2008 at 10:27 PM, Jeremy Chadwick wrote:
>> On Wed, Oct 15, 2008 at 12:00:50PM -0500, Peter Clark wrote:
>>> Hello,
>>>
>>> I am not sure if I should be here or over at a pf specific list but here
>>> is my problem.
>> I've changed the CC list, so this will now go to the freebsd-pf mailing
>> list instead.
>>
>>> I am trying my hand at pf on a 7.0-p5 RELEASE box and one rule is giving
>>> me problems.
>>>
>>> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>>>
>>>      (max-src-conn 15, max-src-conn-rate 5/3, overload flush
>>> global)
>
> Is it a copy-paste error or did you forget keep state in there?
> It should look like
> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>     keep state (max-src-conn 15, max-src-conn-rate 5/3, overload
> flush global)

And here I thought "keep state" was the default in the pf shipped with
FreeBSD 7.0....

Actually, it is, as is "flags S/SA" on TCP connections. Those defaults
came in with the PF from OpenBSD 4.1, which is what is used in FreeBSD 7.0.

--Jon Radel
From ermal.luci at gmail.com Wed Oct 15 21:18:22 2008
From: ermal.luci at gmail.com (Ermal Luçi)
Date: Wed Oct 15 21:18:29 2008
Subject: PF syntax error
In-Reply-To: <48F65AD9.808@radel.com>
References: <48F621C2.8080405@mtmary.edu> <20081015202725.GA88225@icarus.home.lan> <9a542da30810151332v54c6a9a8jb00a2afbd8214b26@mail.gmail.com> <48F65AD9.808@radel.com>
Message-ID: <9a542da30810151418j2afc5086te6a23da90889d26f@mail.gmail.com>

On Wed, Oct 15, 2008 at 11:04 PM, Jon Radel wrote:
> Ermal Luçi wrote:
>> On Wed, Oct 15, 2008 at 10:27 PM, Jeremy Chadwick wrote:
>>> On Wed, Oct 15, 2008 at 12:00:50PM -0500, Peter Clark wrote:
>>>> Hello,
>>>>
>>>> I am not sure if I should be here or over at a pf specific list but here
>>>> is my problem.
>>> I've changed the CC list, so this will now go to the freebsd-pf mailing
>>> list instead.
>>>
>>>> I am trying my hand at pf on a 7.0-p5 RELEASE box and one rule is giving
>>>> me problems.
>>>>
>>>> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>>>>
>>>>      (max-src-conn 15, max-src-conn-rate 5/3, overload flush
>>>> global)
>>
>> Is it a copy-paste error or did you forget keep state in there?
>> It should look like
>> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>>     keep state (max-src-conn 15, max-src-conn-rate 5/3, overload
>> flush global)
>
> And here I thought "keep state" was the default in the pf shipped with
> FreeBSD 7.0....

Well, it's just code that tries to be smart if it finds a syntax of the form

pass in quick on $ext_if proto tcp from any to any port 22

Other than that it needs to be certain that you meant what you meant.

>
> Actually, it is, as is "flags S/SA" on TCP connections.
> Those defaults
> came in with the PF from OpenBSD 4.1, which is what is used in FreeBSD 7.0.
>
> --Jon Radel
>

--
Ermal

From jon at radel.com Wed Oct 15 21:54:16 2008
From: jon at radel.com (Jon Radel)
Date: Wed Oct 15 21:54:24 2008
Subject: PF syntax error
In-Reply-To: <20081015202725.GA88225@icarus.home.lan>
References: <48F621C2.8080405@mtmary.edu> <20081015202725.GA88225@icarus.home.lan>
Message-ID: <48F65863.6040703@radel.com>

Jeremy Chadwick wrote:
> On Wed, Oct 15, 2008 at 12:00:50PM -0500, Peter Clark wrote:
>> I am trying my hand at pf on a 7.0-p5 RELEASE box and one rule is giving
>> me problems.
>>
>> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>>
>>      (max-src-conn 15, max-src-conn-rate 5/3, overload flush
>> global)
>>
>> Actually the "pass in" line does not generate the error. The next line does.
>>
>> /etc/pf.conf:71: syntax error

Are you absolutely, positively positive that the backslash on the end of the
first line has no space or tab character after it and is escaping the newline
character? You're trying to split a single line into two, and that has to be
done just so.

--Jon Radel
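The rule from this thread with the two points raised above applied (Ermal's: the stateful tracking options need an explicit "keep state"; Jon's: the continuation backslash must be the very last character on its line), plus the table and block rule the overload option needs, as an added example that is not from any poster; the table name <ssh-bruteforce> and the interface name are assumptions, since the original posting's table name was lost in the archive.

```pf
# Added example, not from the thread. $ext_if and the table name are
# placeholders.
ext_if = "em0"

# Target of the "overload" option below. The table must exist before a rule
# refers to it; "persist" keeps it around even while it is empty.
table <ssh-bruteforce> persist

# Sources that tripped the limits are dropped before the pass rule is
# reached. "quick" stops evaluation here, so the pass rule cannot override.
block in quick on $ext_if proto tcp from <ssh-bruteforce> to any port 22

# "keep state" is the default on FreeBSD 7.0 (PF from OpenBSD 4.1), but the
# parenthesised tracking options are only accepted directly after an explicit
# "keep state". Each backslash ends its line with nothing after it.
# Limits: at most 15 open connections per source, at most 5 new connections
# per 3 seconds per source; an offending source is added to the table and
# all of its existing states are flushed ("flush global").
pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
    keep state (max-src-conn 15, max-src-conn-rate 5/3, \
                overload <ssh-bruteforce> flush global)
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, so the syntax error shows up before anything changes; `pfctl -t ssh-bruteforce -T show` lists the addresses the overload option has collected so far.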
From clarkp at mtmary.edu Wed Oct 15 22:17:52 2008
From: clarkp at mtmary.edu (Peter Clark)
Date: Wed Oct 15 22:17:59 2008
Subject: PF syntax error
In-Reply-To: <48F65AD9.808@radel.com>
References: <48F621C2.8080405@mtmary.edu> <20081015202725.GA88225@icarus.home.lan> <9a542da30810151332v54c6a9a8jb00a2afbd8214b26@mail.gmail.com> <48F65AD9.808@radel.com>
Message-ID: <48F65E78.9060905@mtmary.edu>

Jon Radel wrote:
> Ermal Luçi wrote:
>> On Wed, Oct 15, 2008 at 10:27 PM, Jeremy Chadwick wrote:
>>> On Wed, Oct 15, 2008 at 12:00:50PM -0500, Peter Clark wrote:
>>>> Hello,
>>>>
>>>> I am not sure if I should be here or over at a pf specific list but here
>>>> is my problem.
>>> I've changed the CC list, so this will now go to the freebsd-pf mailing
>>> list instead.
>>>
>>>> I am trying my hand at pf on a 7.0-p5 RELEASE box and one rule is giving
>>>> me problems.
>>>>
>>>> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>>>>
>>>>      (max-src-conn 15, max-src-conn-rate 5/3, overload flush
>>>> global)
>> Is it a copy-paste error or did you forget keep state in there?
>> It should look like
>> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>>     keep state (max-src-conn 15, max-src-conn-rate 5/3, overload
>> flush global)
>
> And here I thought "keep state" was the default in the pf shipped with
> FreeBSD 7.0....
>
> Actually, it is, as is "flags S/SA" on TCP connections. Those defaults
> came in with the PF from OpenBSD 4.1, which is what is used in FreeBSD 7.0.
>
> --Jon Radel
>

A number of people all stated (on this list and on questions-freebsd) that it
was because I was missing "keep state" from the directive. Sure enough, when
I added that it worked.
I am curious why this particular syntax is different from the default of
"flags S/SA keep state" for the rest of the connections. Is it only on
FreeBSD?

Thank you for looking at this.

Peter Clark

From 000.fbsd at quip.cz Wed Oct 15 22:19:19 2008
From: 000.fbsd at quip.cz (Miroslav Lachman)
Date: Wed Oct 15 22:19:26 2008
Subject: PF syntax error
In-Reply-To: <48F65AD9.808@radel.com>
References: <48F621C2.8080405@mtmary.edu> <20081015202725.GA88225@icarus.home.lan> <9a542da30810151332v54c6a9a8jb00a2afbd8214b26@mail.gmail.com> <48F65AD9.808@radel.com>
Message-ID: <48F66C84.3030505@quip.cz>

Jon Radel wrote:
> Ermal Luçi wrote:
>
>> On Wed, Oct 15, 2008 at 10:27 PM, Jeremy Chadwick wrote:
>>
>>> On Wed, Oct 15, 2008 at 12:00:50PM -0500, Peter Clark wrote:
>>>
>>>> Hello,
>>>>
>>>> I am not sure if I should be here or over at a pf specific list but here
>>>> is my problem.
>>>
>>> I've changed the CC list, so this will now go to the freebsd-pf mailing
>>> list instead.
>>>
>>>
>>>> I am trying my hand at pf on a 7.0-p5 RELEASE box and one rule is giving
>>>> me problems.
>>>>
>>>> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>>>>
>>>>      (max-src-conn 15, max-src-conn-rate 5/3, overload flush
>>>> global)
>>
>> Is it a copy-paste error or did you forget keep state in there?
>> It should look like
>> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>>     keep state (max-src-conn 15, max-src-conn-rate 5/3, overload
>> flush global)
>
>
> And here I thought "keep state" was the default in the pf shipped with
> FreeBSD 7.0....
>
> Actually, it is, as is "flags S/SA" on TCP connections. Those defaults
> came in with the PF from OpenBSD 4.1, which is what is used in FreeBSD 7.0.

Yes, keep state is the default, but the syntax for source tracking requires
it explicitly, as stated in man pf.conf:

------------- man pf.conf --------------
STATEFUL TRACKING OPTIONS
     A number of options related to stateful tracking can be applied on a
     per rule basis.
     keep state, modulate state and synproxy state support these options,
     and *keep state must be specified explicitly* to apply options to a
     rule.
------------- man pf.conf --------------

Miroslav Lachman

From artemrts at ukr.net Thu Oct 16 06:05:01 2008
From: artemrts at ukr.net (Vitaliy Vladimirovich)
Date: Thu Oct 16 06:05:07 2008
Subject: PF syntax error
In-Reply-To: <20081015202725.GA88225@icarus.home.lan>
Message-ID:

--- Original Message ---
From: Jeremy Chadwick
To: Peter Clark
Date: 15 october, 20:27:25
Subject: Re: PF syntax error

On Wed, Oct 15, 2008 at 12:00:50PM -0500, Peter Clark wrote:
> Hello,
>
> I am not sure if I should be here or over at a pf specific list but here
> is my problem.

I've changed the CC list, so this will now go to the freebsd-pf mailing
list instead.

> I am trying my hand at pf on a 7.0-p5 RELEASE box and one rule is giving
> me problems.
>
> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>
>      (max-src-conn 15, max-src-conn-rate 5/3, overload flush
> global)
>
> Actually the "pass in" line does not generate the error. The next line does.
>
> /etc/pf.conf:71: syntax error
> If I remove the line the error goes away (obviously). I have tried using
> the exact line from the FreeBSD pf.conf man page:
>
> (max-src-conn-rate 100/10, overload flush global)
>
> (I changed to ) and that generates the same
> error. I tried just using:
> (max-src-conn-rate 100/10)
>
> but that too gives me a syntax error.
>
> Any help is appreciated.

If you want to use the stateful tracking options you should specify the
source-track option: source-track rule or source-track global.

From jumper99 at gmx.de Fri Oct 17 17:05:13 2008
From: jumper99 at gmx.de (Helmut Schneider)
Date: Fri Oct 17 17:05:19 2008
Subject: net-snmp support
Message-ID:

Hi,

are there any plans/projects to support net-snmp like
http://www.packetmischief.ca/openbsd/snmp/#pfmib?
Thanks, Helmut

--
No Swen today, my love has gone away
My mailbox stands for lorn, a symbol of the dawn

From max at love2party.net Fri Oct 17 17:13:58 2008
From: max at love2party.net (Max Laier)
Date: Fri Oct 17 17:14:05 2008
Subject: net-snmp support
In-Reply-To:
References:
Message-ID: <200810171913.54009.max@love2party.net>

On Friday 17 October 2008 18:43:49 Helmut Schneider wrote:
> are there any plans/projects to support net-snmp like
> http://www.packetmischief.ca/openbsd/snmp/#pfmib?

We have a pf-mib in bsnmpd, see
http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/bsnmpd/modules/snmp_pf/

Not sure if that's the same as the one you are after, but there is a
definition in that directory so it's easy enough to check.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From jumper99 at gmx.de Fri Oct 17 19:00:45 2008
From: jumper99 at gmx.de (Helmut Schneider)
Date: Fri Oct 17 19:01:02 2008
Subject: net-snmp support
References: <200810171913.54009.max@love2party.net>
Message-ID:

Max Laier wrote:
> On Friday 17 October 2008 18:43:49 Helmut Schneider wrote:
>> are there any plans/projects to support net-snmp like
>> http://www.packetmischief.ca/openbsd/snmp/#pfmib?
>
> We have a pf-mib in bsnmpd, see
> http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/bsnmpd/modules/snmp_pf/
>
> Not sure if that's the same as the one you are after, but there is a
> definition in that directory so it's easy enough to check.

For lack of knowledge in C and ports I will try to contact the maintainer of
net-snmp. What is the preferred way, open a PR?
Helmut

--
No Swen today, my love has gone away
My mailbox stands for lorn, a symbol of the dawn

From bugmaster at FreeBSD.org Mon Oct 20 11:06:56 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Oct 20 11:08:33 2008
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200810201106.m9KB6t9q082746@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/127920  pf  [pf] ipv6 and synproxy don't play well together
o conf/127814  pf  [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf  [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf  [pf] deadlock in pf
o kern/127345  pf  [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf  [pf] [patch] pf incorrect log priority
o kern/127042  pf  [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf  [pf] pf keep state bug while handling sessions between
s kern/124933  pf  [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf  [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf  [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf  [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf  [pf] PF mangles loopback packets
o kern/120281  pf  [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf  [pf] [patch] Allow proper settings of ALTQ_HFSC.
o bin/118355   pf  [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf  [pf] LOR pf_ioctl.c + if.c
o kern/114095  pf  [carp] carp+pf delay with high state limit
o kern/111220  pf  [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf  [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/93825   pf  [pf] pf reply-to doesn't work
o sparc/93530  pf  [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf  [pf] PF + ALTQ problems with latency
o kern/82271   pf  [pf] cbq scheduler cause bad latency

24 problems total.

From xuchen66 at gmail.com Mon Oct 20 18:57:54 2008
From: xuchen66 at gmail.com (Chen Xu)
Date: Mon Oct 20 18:58:01 2008
Subject: my firewall doesn't work
Message-ID: <184b087c0810201125y20714aa9y276d26a9e7e8a3b1@mail.gmail.com>

Dear List,

I am new to PF, but I have experience with FreeBSD in general. I took a look
at example1 from the PF FAQ, since my network is almost exactly the same.
However, I have a problem connecting anywhere after loading /etc/pf.conf; I
cannot even ping myself, 127.0.0.1 and 192.168.1.1, which is my internal
NIC. Can anyone give me a hint what is wrong? Many thanks in advance.

Information about the setup:

1. FreeBSD 5.3-release-p26

2. with those lines compiled in the kernel
#
device pf
device pflog
device pfsync
#

3. here are the lines in /etc/rc.conf
#
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
#

4. /etc/pf.conf
# -------------------------------
#
# macros
ext_if = "fxp0"
int_if = "em0"
tcp_services = "{ 22, 113 }"
icmp_type = "echoreq"
tecnai = "192.168.1.2"
leginon = "192.168.1.3"
# next is the web enabled data logging device that records temp and RH%
tr_72w = "192.168.1.10"
# we might need brandeis DNS
local_dns = "{ 129.64.99.11 129.64.99.12 }"

# options
set block-policy return
set loginterface $ext_if
# 5.3 doesn't have it.
#set skip on lo0

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to any port 80 -> $tr_72w

# filter rules
pass quick on lo0
block in
pass inet proto tcp from $int_if:network to any keep state
pass out keep state
block out on $ext_if proto { tcp, udp } from $tecnai to any port http
#anchor "ftp-proxy/*"
#antispoof quick for $int_if
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $tr_72w \
    port 80 flags S/SA synproxy state
# may or may not need this, need test
pass in on $ext_if inet proto udp from $local_dns to any port 53
pass in inet proto icmp all icmp-type $icmp_type keep state
pass in quick on $int_if
# the end
------------------------------

Chen

From max at love2party.net Mon Oct 20 19:25:15 2008
From: max at love2party.net (Max Laier)
Date: Mon Oct 20 19:25:21 2008
Subject: my firewall doesn't work
In-Reply-To: <184b087c0810201125y20714aa9y276d26a9e7e8a3b1@mail.gmail.com>
References: <184b087c0810201125y20714aa9y276d26a9e7e8a3b1@mail.gmail.com>
Message-ID: <200810202125.12758.max@love2party.net>

On Monday 20 October 2008 20:25:24 Chen Xu wrote:
> 1. FreeBSD 5.3-release-p26

This is no longer supported ... and hasn't been for a long time. There is
absolutely no point in running this code on a firewall! Update and report
back if the problem still exists.

On a general note: In order to debug a pf ruleset, you should add a
log-directive to all block rules and watch pflog0 for blocked packets. Then
you decide if this packet should have passed and if so, you add a pass rule
to allow that traffic (or track down why the rule you have in place didn't
trigger).
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From rajkumars at gmail.com Tue Oct 21 16:42:49 2008
From: rajkumars at gmail.com (Rajkumar S)
Date: Tue Oct 21 16:42:56 2008
Subject: pf and 10g NICs
Message-ID: <64de5c8b0810210918x38c9d6e7u5244b7dbdc13c8b3@mail.gmail.com>

Hi,

Recently Vyatta had a press release about its software (Linux) being able
to route 10gbps traffic. That got me curious as to the maximum throughput pf
can sustain with a 10G NIC. Anyone with any links to tests/benchmarks
done?? I know the number of rules has an impact on throughput (amongst lots
of other factors), but numbers like 10G look great on press releases and in
proposals, even if it's done with just a single pass rule :)

raj

From cmarlatt at rxsec.com Tue Oct 21 18:05:24 2008
From: cmarlatt at rxsec.com (Chris Marlatt)
Date: Tue Oct 21 18:05:30 2008
Subject: pf and 10g NICs
In-Reply-To: <64de5c8b0810210918x38c9d6e7u5244b7dbdc13c8b3@mail.gmail.com>
References: <64de5c8b0810210918x38c9d6e7u5244b7dbdc13c8b3@mail.gmail.com>
Message-ID: <48FE1394.7000700@rxsec.com>

Rajkumar S wrote:
> Hi,
>
> Recently Vyatta had a press release about its software (Linux) being able
> to route 10gbps traffic. That got me curious as to the maximum
> throughput pf can sustain with a 10G NIC. Anyone with any links to
> tests/benchmarks done?? I know the number of rules has an impact on
> throughput (amongst lots of other factors), but numbers like 10G look
> great on press releases and in proposals, even if it's done
> with just a single pass rule :)
>
> raj

There is a huge difference between routing at 10Gb/s and filtering at
10Gb/s. I'd be willing to bet their performance with features enabled and
filtering (acl's) is significantly less than advertised.

To answer your question though, there is a lot of information in the
archives relating to pps performance and ipfw/pf.
Fairly detailed accounts of what was achieved.  I would suggest searching
there for more information.

Regards,

Chris

From jcjanos245 at gmail.com  Thu Oct 23 18:16:05 2008
From: jcjanos245 at gmail.com (JC Janos)
Date: Thu Oct 23 18:16:12 2008
Subject: Pf-Beginner help with using Binat & Nat with several machines
Message-ID: <7259d7020810231009s6e719143r1239d265a41f48cc@mail.gmail.com>

Hello,

I have a small office that I'm expanding my IT for, and the off-the-shelf
Netgear router I had just wasn't flexible enough.  Especially after it
died! :-)  After reading up, and talking to some technical folks, I
decided it was time to upgrade to a FreeBSD pf firewall.

With a bit of reading & trial and error, I've now managed to get a simple
firewall running including basic NAT stuff.  Pretty powerful it looks
like!  But now, I'm really stuck at understanding the more advanced NAT &
BINAT for directing traffic to/from specific servers, etc.  Here's what I
want to do; I'm hoping someone here might be able to help?

I have a "/29 block" of static IP addresses (X.X.X.104 to X.X.X.111)
provided by my ISP.  The "main" address is X.X.X.110.  Right now, all my
internet traffic appears as if it's coming to & from that address.

In my office I have three machines that I want to have communicate to &
from one of the other IPs, X.X.X.109.  Those machines are using the
internal NAT addresses of 192.168.1.10, 192.168.1.11 & 192.168.1.12.
To do this, I think I need both nat & binat, and from what I understand,
I should add the following to my "pf.conf" file --

wanIF = "tun0"
lanIF = "sis0"
wanIP_1 = "X.X.X.110"
wanIP_2 = "X.X.X.109"
server_1 = "192.168.1.10"
server_2 = "192.168.1.11"
server_3 = "192.168.1.12"

binat on $wanIF from $server_1 to any -> $wanIP_2
binat on $wanIF from $server_2 to any -> $wanIP_2
binat on $wanIF from $server_3 to any -> $wanIP_2

nat on $wanIF from $server_1 to any -> $wanIP_2
nat on $wanIF from $server_2 to any -> $wanIP_2
nat on $wanIF from $server_3 to any -> $wanIP_2

But the thing that confuses me is that BINAT is supposedly "1:1 mapping",
and I'm worried that using all three binat lines is going to cause some
sort of collision or confusion.

My head's spinning from reading up on this.  I've managed to get more
confused from all the examples, and I'm just not sure how to go about
this.

Any helpful suggestions would be appreciated a lot!

Thanks a lot,

JC

From peter.wullinger at googlemail.com  Fri Oct 24 09:32:33 2008
From: peter.wullinger at googlemail.com (Peter Wullinger)
Date: Fri Oct 24 09:32:40 2008
Subject: Pf-Beginner help with using Binat & Nat with several machines
In-Reply-To: <7259d7020810231009s6e719143r1239d265a41f48cc@mail.gmail.com>
References: <7259d7020810231009s6e719143r1239d265a41f48cc@mail.gmail.com>
Message-ID: <49018EA5.7040607@googlemail.com>

JC Janos wrote:
> Hello,
> 
> To do this, I think I need both nat & binat, and from what I
> understand, I should add the following to my "pf.conf" file --

The idea behind nat/binat is the following:

NAT maps packets matching an address specification to a different
/source/ address.  In short, this means that a rule like

  nat from $src to $dst -> $mapped_address

causes all packets that originate from $src and go to $dst to have
their source address rewritten to $mapped_address.
If you have stateful filtering enabled (as I'm sure you do), the
translation is applied in the reverse direction for packets that match a
recorded state.  In this case, it is also possible to map multiple hosts
to the same external IP address, as incoming traffic is only translated
when it matches a state table entry.  PF also comes with some additional
"obfuscation" possibilities for added security.

See the OpenBSD PF FAQ for another and more elaborate explanation:

  http://www.openbsd.org/faq/pf/nat.html#works

BINAT --on the other hand-- establishes a 1:1 mapping between two IP
addresses.  A rule like

  binat from $src to $dst -> $ext

causes the source address in all packets from $src in the direction of
$dst to be replaced by $ext AND vice versa.  Basically, BINAT says
"Everything that originates from $dst should be faked as if to originate
from $ext AND everything that comes in for $ext from $dst shall be
rewritten and forwarded to $src".

All of the above is of course to be considered without regard to any
employed packet filtering.

Again, see the OpenBSD PF FAQ for more details:

  http://www.openbsd.org/faq/pf/nat.html#binat

[snip]

> binat on $wanIF from $server_1 to any -> $wanIP_2
> binat on $wanIF from $server_2 to any -> $wanIP_2
> binat on $wanIF from $server_3 to any -> $wanIP_2

Is this really correct, all with the same $wanIP_2?  If this was
intended, it probably does not work.  Where should incoming traffic for
$wanIP_2 be forwarded to?

Maybe you wanted:

  binat on $wanIF from $server_1 to any -> $wanIP_1
  binat on $wanIF from $server_2 to any -> $wanIP_2
  binat on $wanIF from $server_3 to any -> $wanIP_3

Put somewhat sloppily, these rules expose the $server_? to the internet
with $wanIP_?, where the firewall does the automatic translation (again
minus additional filtering).

> My head's spinning from reading up on this. I've managed to get more
> confused from all the examples, and I'm just not sure how to go about
> this.

The road ahead depends on what you intend to do.
Do you want to expose the internal hosts to the internet as if they were
actually assigned the external addresses, or do you need a more elaborate
ruleset, e.g. something along the lines of "incoming connections for tcp
port 80 on $wanIP_2 go to $server_1 and tcp port 443 goes to $server_2,
but all outgoing traffic of $server_1 will use an external address of
$wanIP_3"?  But I think I can guess the answer ;-).

Regards,

Peter

From melissa-nabble at littlebluecar.co.uk  Sun Oct 26 10:35:03 2008
From: melissa-nabble at littlebluecar.co.uk (7charlie)
Date: Sun Oct 26 10:35:15 2008
Subject: altq: dynamic queues
In-Reply-To: <15260126.post@talk.nabble.com>
References: <15260126.post@talk.nabble.com>
Message-ID: <20171926.post@talk.nabble.com>

cnupm wrote:
> 
> My English is no good, so I tried to describe what I want with this example:
> 
> ### /etc/pf.conf
> altq on bge0 bandwidth 10Mb hfsc queue { u1_in, u1_out, u2_in, u2_out...}
> anchor users_queues
> 
> block all
> anchor users_rules
> 
> ### When a user connects - take parameter $x from DB (for example) and
> execute:
> echo "queue u1_in bandwidth 1Kb hfsc (upperlimit $xKb)" | pfctl -a
> user_queues:u1_in -f -
> echo "queue u1_out bandwidth 1Kb hfsc (upperlimit $xKb)" | pfctl -a
> user_queues:u1_out -f -
> *** ... users_rules... ***
> 
> I know: it doesn't work - it's the simplest way (with my English) to explain
> what I want.
> How to dynamically create/delete queues?
> 

I worked around this by telling PF to only reload the queue section of
the file.  I generate the queues from a mysql database, writing into
/etc/pf.conf.  I put the "pass" rules that assign the queue into an
anchor called classify_rules.  Then execute:

  pfctl -A -f /etc/pf.conf
  pfctl -a classify_rules -f /etc/pf-classify.conf

This doesn't reload any of the main rules, and doesn't reset counters
except in the anchor and for the queues.
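The collision JC is worried about, and Peter's "all with the same $wanIP_2?", can be caught mechanically before the ruleset is loaded. The shell function below is an added example and is not code from the thread or from pf itself: it expands the simple `name = "value"` macros JC uses in his pf.conf and reports any external address that more than one binat rule maps to. The two embedded rulesets are reconstructed from the thread; X.X.X.108 for $wanIP_3 is an assumed third address out of JC's /29, since the thread never names one.

```shell
#!/bin/sh
# Added example, not from the thread: flag binat rules that share one
# external address.  binat is a 1:1 mapping, so if two internal hosts are
# translated to the same external address, pf has no way to decide which
# of them an inbound packet for that address belongs to.

# binat_dup_targets [pf.conf ...]
# Reads pf.conf from the named files (or stdin), expands  name = "value"
# macros, and prints every "-> target" used by more than one binat rule.
# Prints nothing when the binat rules are collision-free.
binat_dup_targets() {
    awk '
        # macro definition:  name = "value"   (or name="value")
        /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=[ \t]*"/ {
            name = $0; sub(/[ \t]*=.*$/, "", name)
            split($0, q, "\"")            # q[2] is the quoted value
            macro[name] = q[2]
            next
        }
        # binat rule: the external address is the token after "->"
        /^binat[ \t]/ {
            t = ""
            for (i = 1; i < NF; i++) if ($i == "->") { t = $(i + 1); break }
            if (t == "") next
            if (substr(t, 1, 1) == "$") {  # expand $macro if we know it
                m = substr(t, 2)
                if (m in macro) t = macro[m]
            }
            count[t]++
        }
        END { for (t in count) if (count[t] > 1) print t }
    ' "$@" | sort
}

# Constructed inputs.  AS_POSTED is the ruleset JC posted, with the X.X.X.
# placeholders kept; CORRECTED follows Peter: one external address per host.
# X.X.X.108 for wanIP_3 is an assumption; the thread never names a third address.
AS_POSTED='wanIF = "tun0"
lanIF = "sis0"
wanIP_1 = "X.X.X.110"
wanIP_2 = "X.X.X.109"
server_1 = "192.168.1.10"
server_2 = "192.168.1.11"
server_3 = "192.168.1.12"
binat on $wanIF from $server_1 to any -> $wanIP_2
binat on $wanIF from $server_2 to any -> $wanIP_2
binat on $wanIF from $server_3 to any -> $wanIP_2'

CORRECTED='wanIF = "tun0"
wanIP_1 = "X.X.X.110"
wanIP_2 = "X.X.X.109"
wanIP_3 = "X.X.X.108"
server_1 = "192.168.1.10"
server_2 = "192.168.1.11"
server_3 = "192.168.1.12"
binat on $wanIF from $server_1 to any -> $wanIP_1
binat on $wanIF from $server_2 to any -> $wanIP_2
binat on $wanIF from $server_3 to any -> $wanIP_3'

# check_ruleset NAME CONFIG: report collisions; returns 1 if any are found.
check_ruleset() {
    dups=$(printf '%s\n' "$2" | binat_dup_targets)
    if [ -n "$dups" ]; then
        printf '%s: binat collision on %s\n' "$1" "$dups"
        return 1
    fi
    printf '%s: ok\n' "$1"
}

check_ruleset as-posted "$AS_POSTED" || :
check_ruleset corrected "$CORRECTED"
```

Run `binat_dup_targets /etc/pf.conf` before `pfctl -f`; `pfctl -nf` checks that each rule parses, but whether the binat rules make sense together is still up to you.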
From bugmaster at FreeBSD.org  Mon Oct 27 11:07:18 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Oct 27 11:08:44 2008
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200810271107.m9RB7IRk002050@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.


S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf         [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf         [pf] deadlock in pf
o kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/82271   pf         [pf] cbq scheduler cause bad latency

24 problems total.

From niekdekker at gmail.com  Tue Oct 28 15:36:09 2008
From: niekdekker at gmail.com (Niek Dekker)
Date: Tue Oct 28 15:36:16 2008
Subject: Pf: packets on lo0 blocked in spite of pass rule
Message-ID: <49072B6A.7010305@gmail.com>

Hi,

I upgraded recently from 6.2 to 7.0 release p5 (i386) and I'm using pf.
After the upgrade connection problems arose on lo0, for java > mysql
and apache > tomcat.
The network interfaces are all in default setup.

Here is the output of pfctl -sr, cleaned of network numbers.

scrub in all fragment reassemble
block drop in log all
block drop in log quick on fxp0 from  to any
block drop out log quick on fxp0 from any to
block drop in log quick on fxp0 from  to any
pass in on fxp0 inet proto tcp from any to ext_if port = smtp flags S/SA keep state
pass in on fxp0 inet proto tcp from any to ext_if port = http flags S/SA keep state
pass in on fxp0 inet proto tcp from any to ext_if port = ssh flags S/SA keep state
pass out on fxp0 proto tcp all flags S/SA keep state
pass out on fxp0 proto udp all keep state
pass on lo0 proto tcp all flags S/SA keep state
pass on lo0 proto udp all keep state
block drop in on ! fxp0 inet from ext_network/25 to any
block drop in inet from ext_if to any

Since the upgrade to 7.0, some packets on lo0 are being blocked
nevertheless.  Apache httpd is connecting to Tomcat ajp on port 8009.
Some, but not all of these packets are blocked.
For example (pflog):

627926 rule 0/0(match): block in on lo0: 127.0.0.1.57243 > 127.0.0.1.8009: P 0:719(719) ack 1 win 8960

In some of these lines, there is mention of "[bad hdr length 0 - too
short, < 20]" BUT NOT IN ALL.

The state table isn't full by far (78).
There are some 123 'state mismatch' in the output of pfctl -s all.

I have "set skip on lo0" to prevent the problem, but it seems to me
there is an issue to address here.  I am likely to submit a PR, unless
someone comes up with a solution.

Niek

From koitsu at FreeBSD.org  Tue Oct 28 16:19:20 2008
From: koitsu at FreeBSD.org (Jeremy Chadwick)
Date: Tue Oct 28 16:19:27 2008
Subject: Pf: packets on lo0 blocked in spite of pass rule
In-Reply-To: <49072B6A.7010305@gmail.com>
References: <49072B6A.7010305@gmail.com>
Message-ID: <20081028161915.GA53560@icarus.home.lan>

On Tue, Oct 28, 2008 at 04:10:34PM +0100, Niek Dekker wrote:
> Hi,
> 
> I upgraded recently from 6.2 to 7.0 release p5 (i386) and I'm using pf.
> After the upgrade connection problems arose on lo0, for java > mysql
> and apache > tomcat.
> The network interfaces are all in default setup.
> 
> Here is the output of pfctl -sr, cleaned of network numbers.
> 
> scrub in all fragment reassemble
> block drop in log all
> block drop in log quick on fxp0 from  to any
> block drop out log quick on fxp0 from any to
> block drop in log quick on fxp0 from  to any
> pass in on fxp0 inet proto tcp from any to ext_if port = smtp flags S/SA
> keep state
> pass in on fxp0 inet proto tcp from any to ext_if port = http flags S/SA
> keep state
> pass in on fxp0 inet proto tcp from any to ext_if port = ssh flags S/SA
> keep state
> pass out on fxp0 proto tcp all flags S/SA keep state
> pass out on fxp0 proto udp all keep state
> pass on lo0 proto tcp all flags S/SA keep state
> pass on lo0 proto udp all keep state
> block drop in on ! fxp0 inet from ext_network/25 to any
> block drop in inet from ext_if to any
> 
> Since the upgrade to 7.0, some packets on lo0 are being blocked
> nevertheless.  Apache httpd is connecting to Tomcat ajp on port 8009.
> Some, but not all of these packets are blocked.  For example (pflog):
> 
> 627926 rule 0/0(match): block in on lo0: 127.0.0.1.57243 >
> 127.0.0.1.8009: P 0:719(719) ack 1 win 8960 132868137>

I'm betting money this is a rule order problem.  I *highly* recommend
you stop with the "lo0" rules and use "set skip lo0" like you mention
later on.  This is a good idea for performance reasons as well; don't
waste cycles having pf(4) parse packets for lo0, as nothing can talk
to that interface except local stuff anyway.

Also, because you're using FreeBSD 7.x, you do not need "keep state" or
"flags S/SA" on any of your rules.  Only 6.x and below need this, or
explicit situations where you're using a mix of "no state" and other
things.

> In some of these lines, there is mention of "[bad hdr length 0 - too
> short, < 20]" BUT NOT IN ALL.

That's because you're using tcpdump against a pflog interface.  You need
to increase the snaplen from 68 bytes to something larger; try -s 256
and that message will go away.  It's harmless.

> The state table isn't full by far (78).
> There are some 123 'state mismatch' in the output of pfctl -s all.

Probably normal.  Consider upgrading to 7.1-PRERELEASE, which contains
a fix for re-use of sockets in some situations (I can point you to a PR
if you want to read it).  "state mismatch" is also normal depending upon
the circumstances; I wouldn't worry too much about it.  For example, our
production webserver running RELENG_6 with the aforementioned fix:

Status: Enabled for 25 days 04:49:53           Debug: Urgent

Counters
  state-mismatch                            53454            0.0/s

This number was significantly higher prior to the fix being committed.

> I have "set skip on lo0" to prevent the problem, but it seems to me
> there is an issue to address here.
> I am likely to submit a PR, unless
> someone comes up with a solution.

You *should* be using "set skip on lo0".  You're gaining nothing (in
your setup) by applying firewall rules to loopback.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From max at love2party.net  Tue Oct 28 16:39:01 2008
From: max at love2party.net (Max Laier)
Date: Tue Oct 28 16:39:08 2008
Subject: Pf: packets on lo0 blocked in spite of pass rule
In-Reply-To: <20081028161915.GA53560@icarus.home.lan>
References: <49072B6A.7010305@gmail.com> <20081028161915.GA53560@icarus.home.lan>
Message-ID: <200810281738.57767.max@love2party.net>

On Tuesday 28 October 2008 17:19:15 Jeremy Chadwick wrote:
> On Tue, Oct 28, 2008 at 04:10:34PM +0100, Niek Dekker wrote:
> > Hi,
> > 
> > I upgraded recently from 6.2 to 7.0 release p5 (i386) and I'm using pf.
> > After the upgrade connection problems arose on lo0, for java > mysql
> > and apache > tomcat.
> > The network interfaces are all in default setup.
> > 
> > Here is the output of pfctl -sr, cleaned of network numbers.
> > 
> > scrub in all fragment reassemble
> > block drop in log all
> > block drop in log quick on fxp0 from  to any
> > block drop out log quick on fxp0 from any to
> > block drop in log quick on fxp0 from  to any
> > pass in on fxp0 inet proto tcp from any to ext_if port = smtp flags S/SA
> > keep state
> > pass in on fxp0 inet proto tcp from any to ext_if port = http flags S/SA
> > keep state
> > pass in on fxp0 inet proto tcp from any to ext_if port = ssh flags S/SA
> > keep state
> > pass out on fxp0 proto tcp all flags S/SA keep state
> > pass out on fxp0 proto udp all keep state
> > pass on lo0 proto tcp all flags S/SA keep state
> > pass on lo0 proto udp all keep state
> > block drop in on ! fxp0 inet from ext_network/25 to any
> > block drop in inet from ext_if to any
> > 
> > Since the upgrade to 7.0, some packets on lo0 are being blocked
> > nevertheless.  Apache httpd is connecting to Tomcat ajp on port 8009.
> > Some, but not all of these packets are blocked.  For example (pflog):
> > 
> > 627926 rule 0/0(match): block in on lo0: 127.0.0.1.57243 >
> > 127.0.0.1.8009: P 0:719(719) ack 1 win 8960
> 132868137>
> 
> I'm betting money this is a rule order problem.  I *highly* recommend
> you stop with the "lo0" rules and use "set skip lo0" like you mention
> later on.  This is a good idea for performance reasons as well; don't
> waste cycles having pf(4) parse packets for lo0, as nothing can talk
> to that interface except local stuff anyway.

Indeed.  In fact, "set skip on" was especially made for this case.  The
problem is that lo0 is special.  The packet direction and the fact that
on lo0 127.0.0.1 talks to itself greatly confuse the state checking.
Hence the option to skip an interface completely.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
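Max's advice earlier in this archive (put log on every block rule and watch pflog0) and Niek's pflog line in this thread both come down to reading tcpdump output from the pflog interface. The script below is an added example, not code from the thread: a small sh/awk summariser that takes the lines `tcpdump -n -e -ttt -i pflog0` (or `tcpdump -n -e -ttt -r /var/log/pflog`) prints and counts blocked packets by rule number, action, direction, interface and destination, so the rule doing the dropping and the port it hits stand out at a glance. The sample lines are constructed for the example, modelled on Niek's 127.0.0.1:8009 drop, with documentation-range addresses (198.51.100.7, 192.0.2.10) standing in for an outside host and the firewall. Jeremy's snaplen point applies to the real capture: run tcpdump with -s 256 or larger so the TCP header is captured whole.

```shell
#!/bin/sh
# Added example, not from the thread: summarise blocked packets from pflog.
# Input is what tcpdump prints for the pflog interface, e.g.
#   tcpdump -n -e -ttt -s 256 -i pflog0
#   tcpdump -n -e -ttt -r /var/log/pflog
# Each line carries "rule N/M(match): ACTION DIR on IFACE: SRC > DST: ..."
# and is counted per (rule, action, direction, interface, dst addr, dst port).

# pflog_summary: read pflog lines on stdin, print
# "COUNT rule=N ACTION DIR on IFACE -> ADDR port PORT", most frequent first.
pflog_summary() {
    awk '
        {
            # locate the "rule" token; the fields after it have a fixed layout
            for (i = 1; i <= NF; i++) if ($i == "rule") break
            if (i > NF) next                          # not a pflog line
            rule = $(i + 1); sub(/\/.*/, "", rule)    # "0/0(match):" -> "0"
            act = $(i + 2); dir = $(i + 3)            # "block" "in"
            ifc = $(i + 5); sub(/:$/, "", ifc)        # "lo0:" -> "lo0"
            dst = $(i + 8); sub(/:$/, "", dst)        # "127.0.0.1.8009:" -> addr.port
            n = split(dst, p, ".")
            if (n == 5) { addr = p[1] "." p[2] "." p[3] "." p[4]; port = p[5] }
            else        { addr = dst; port = "-" }    # no port, e.g. ICMP
            key = "rule=" rule " " act " " dir " on " ifc " -> " addr " port " port
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample in the format of the pflog line Niek posted.  The first
# field is the timestamp, which the summariser ignores.  The lo0 lines mirror
# his httpd -> ajp drops; the fxp0 lines are invented inbound blocks.
SAMPLE='000000 rule 0/0(match): block in on lo0: 127.0.0.1.57243 > 127.0.0.1.8009: P 0:719(719) ack 1 win 8960
000012 rule 0/0(match): block in on lo0: 127.0.0.1.57244 > 127.0.0.1.8009: P 0:512(512) ack 1 win 8960
000340 rule 1/0(match): block in on fxp0: 198.51.100.7.4444 > 192.0.2.10.22: S 1234:1234(0) win 65535
000355 rule 1/0(match): block in on fxp0: 198.51.100.7.4445 > 192.0.2.10.22: S 1235:1235(0) win 65535
000400 rule 1/0(match): block in on fxp0: 198.51.100.7.4446 > 192.0.2.10.3306: S 1236:1236(0) win 65535
000900 rule 0/0(match): block in on lo0: 127.0.0.1.57250 > 127.0.0.1.3306: P 0:100(100) ack 1 win 8960'

printf '%s\n' "$SAMPLE" | pflog_summary
```

The rule number in the output is the index `pfctl -sr` or `pfctl -vsr` shows, so "rule=0" here is the first rule in the loaded set (Niek's `block drop in log all`), which is exactly the question Max's method asks: should that packet have matched a pass rule instead?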