From bugmaster at FreeBSD.org Mon Mar 2 03:07:39 2009 
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Mar 2 03:12:00 2009
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200903021106.n22B6vM9057392@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o kern/130977  pf         [netgraph][pf] kernel panic trap 12 on user connect to
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/129060  pf         [pf] [tun] pf doesn't forget the old tun IP
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf         [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf         [pf] deadlock in pf
o kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/82271   pf         [pf] cbq scheduler cause bad latency

31 problems total.
From: link at ngc.net.ua (Link)
Date: Mon Mar 2 09:17:53 2009
Subject: freebsd 7.1 pf route-to connection stall
In-Reply-To: <49A9BBF5.1060706@uffner.com>
References: <49A7D547.9040801@ngc.net.ua> <49A811D4.5030900@uffner.com> <49A8177B.9010209@ngc.net.ua> <49A85BD4.7050105@uffner.com> <49A8FED7.3000603@ngc.net.ua> <49A9BBF5.1060706@uffner.com>
Message-ID: <49AC14AA.2030808@ngc.net.ua>

Tom Uffner wrote:
> Zinevich Denis wrote:
>> "pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) to any" will not
>> work. But anyway question is not in syntax of rules, because nobody
>> touched it and it was working on 6.3, 7.1-p2, but not on 7.1-p3
>>
>> Network is quite simple.
>> Server has 2 cards bce0 and bce1
>> bce0 - 172.20.51.10
>> bce1 - 172.20.1.130
>> default gw - 172.20.1.1
>> networks are /24
>>
>> As i described before goal of my rule is to ignore default route when
>> request comes on 172.20.51.10.
>> Without such rule reply will go to 172.20.1.1 and with pf rule it
>> will go out to 172.20.51.1 via bce0.
>> For example similar rule for ipfw: ipfw add 1 fwd 172.20.51.1 from
>> 172.20.51.10 to any
>>
>>> Link wrote:
>>>> My full configuration is:
>>>>
>>>> if_bce0="bce0"
>>>> if_bce0_gw="172.20.51.1"
>>>> if_bce1="bce1"
>>>>
>>>> scrub in all
>>>>
>>>> pass out on $if_bce1 route-to ($if_bce0 $if_bce0_gw) from $if_bce0
>>>> to any no state flags any
>
> I apologize for misunderstanding the part of your reply about FreeBSD 7.1
> patchlevels. I realized my error too late after i had sent the message.
>
> The simplest way to do what you want doesn't involve a firewall at all.
> simply configure the devices on the 172.20.51/24 network with the
> following routes:
>
> Destination     Gateway
> default         172.20.51.1
> 172.20.1/24     172.20.51.10
>
> if this is not possible for some reason and you must bounce them through
> the firewall, i think the rules you want are:
>
> pass in quick on $if_bce0 from any to { 172.20.51.10 172.20.1/24 }
> pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) \
>     from $if_bce0:network to any
>
> according to my understanding of pf syntax, it was probably a bug that
> your ruleset ever worked. "... from $if_bce0 ..." should have matched
> only packets from the local server w/ source addresses of 172.20.51.10.
>
> just adding :network to the $if_bce0 in the from clause in your rule
> should make it do what you want, but is quite inefficient. you are
> checking every outbound packet on bce1 after all of the normal processing
> & routing has been done, rewriting the ones that arrived on bce0 and
> sending them back through the network subsystem again.
>
> it would be better to check the in-bound packets on bce0, accept the ones
> destined for the local host or the 172.20.1/24 network, and re-route the
> ones that would use the default gw.
>
> tom

Thanks for your reply.
Tried rules you've listed.
Does not help....
I've checked with tcpdump; packets are still going out using default route.
From: tom at uffner.com (Tom Uffner)
Date: Mon Mar 2 11:29:45 2009
Subject: freebsd 7.1 pf route-to connection stall
In-Reply-To: <49AC14AA.2030808@ngc.net.ua>
References: <49A7D547.9040801@ngc.net.ua> <49A811D4.5030900@uffner.com> <49A8177B.9010209@ngc.net.ua> <49A85BD4.7050105@uffner.com> <49A8FED7.3000603@ngc.net.ua> <49A9BBF5.1060706@uffner.com> <49AC14AA.2030808@ngc.net.ua>
Message-ID: <49AC338F.8080009@uffner.com>

Link wrote:
> Thanks for your reply.
> Tried rules you've listed.
> Does not help....
> I've checked with tcpdump; packets are still going out using default route.

hmm. it sounds like packets aren't matching the rules. at this point all I
can suggest is adding an explicit "pass log all" as the first rule in your
config, and then testing either your ruleset or my ruleset by adding "log"
to all of the rules and check that packets are matching appropriately.

for much more detail you can change "log" to "log (all)" to capture _every_
packet, not just the ones that create state. be careful though. running
full logging will consume lots of disk if used in production rather than
just while debugging.

tom
From: bettina at apoteelia.net (Bettina Schmidtberger)
Date: Sat Mar 7 10:36:52 2009
Subject: The promised insider tip
Message-ID:

Hi there!

As I promised you, I still wanted to tell you the address where we ordered
the stuff. There are plenty of sites where you simply get ripped off. But at
this address we always get only original goods, and delivered within a very
short time. We never had any trouble with customs either, since the shipping
comes directly from Europe. Great, isn't it?

So here is the address: http://www.apoteelia.net

Have fun, and I hope it works well for you!

Regards,
your Bettina

Take heed! They had talked you into believing that you had it hard, that
your life was botched, that life was a guilt, was bad, without meaning,
without value; they wanted to make you cower, to smuggle you into the great
army of the suffering; you were to become pitiable and to pity: and you
believed them, how reluctantly! and again did not, how gladly! For you are
strong, but you were sick: where? how? what do I know. And your longing was
to get out of all these weary negations, these foolish formulas that have
their Yes in the No, these resounding sciences, these words... That is why
you jumped from book to book, played with their formulas and dropped them
again, the Nos and the Ifs, in order to find one of your own, but it was to
ring out as a Yes! for you wanted to live! But not as the rabble lives; you
were looking for a ground, a goal, a formula for living. Well, here it is:
you know the wine-glass of heaven you wanted to drain? now rivet this
formula into yourself: you create the world. You spiritualize chaos into the
world; the Other, the Not-yet-You, the old thing-in-itself, is only that
which has not yet been created, humanized, made your own by you. You create
the world: now live, live! The little blue flower rang out so gladly and
strongly; why should I not believe it?

And then I went swimming, and lay in the grass for hours; and while the
white clouds sailed across the sky and the river flowed calmly on through
the scent of reeds and rushes and chattering birdfolk, I laughed at the
thing-in-itself, the intellect and the will, and wished myself an
I-know-not-what. Towards evening swarms of mayflies rose from the river;
they climbed up the grasses, stalks and posts and flung themselves out of
their husks into the air for their brief wedding life. The air was white
above the waters with the masses dancing up and down, and the sinking sun in
the haze the north wind had brought was red as a ruby: that almost overcame
me, so that I already began to lament the hours-short existence of the imago
and to attach sentimental conclusions to it; but then I heard the gentian
ringing and I laughed: the creature enjoys its predator's life for years,
and this nuptial flight is its reeling climax. Long live life and its
eternal bridge: Venus genetrix! A week ago I would have cursed and lamented
to her: what is life? This is what life is: it flows away like the foam of
waves, comes u
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Mar 9 10:16:57 2009
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200903091715.n29HF9re045337@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o kern/130977  pf         [netgraph][pf] kernel panic trap 12 on user connect to
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/129060  pf         [pf] [tun] pf doesn't forget the old tun IP
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf         [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf         [pf] deadlock in pf
o kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/82271   pf         [pf] cbq scheduler cause bad latency

31 problems total.

From: MPetersen at gs1us.org (Petersen, Mark)
Date: Wed Mar 11 11:35:09 2009
Subject: Log Labels?
Message-ID: <54B7F7DBCA12D94CA3FE17B68F1461A705E5B993@LVNJEVS205.UCCORG.org>

Hello,

I'm trying to find out if it's possible to do IPF like log-tags with pf.
I found an interesting patch here -
http://osdir.com/ml/os.freebsd.devel.pf4freebsd/2006-06/msg00062.html
that enables this. It doesn't appear to have made it into pflog though.

Is there a way to use this feature? I'd much rather be logging a label
and rule #. I can see if these patches still work with 7 of course.
Has anyone tried this?

Finally - it appears there are only patches for pf, but if I compile
tcpdump with the pf patches, will it work? What about using mergecap
with this? If I recompile mergecap/tshark would this work? I know I
can just try, but no sense reinventing the wheel if someone else spent
some time trying to do the same.

Thanks,
Mark
From: gdoe6545 at yahoo.it (Gianni)
Date: Wed Mar 11 12:25:12 2009
Subject: duplicate nat rules listed by pfctl
Message-ID: <6BCCA4DE-FD38-494B-A947-4C1D63775A1A@yahoo.it>

With the following nat rules pfctl lists duplicate entries, can anyone
explain why this is?

ext_if = "tun0"
nat on $ext_if from $localnet to any -> ($ext_if)
no nat on $ext_if from $localnet to $vpn_nets

# pfctl -s nat
nat on tun0 inet from 192.168.200.0/24 to any -> (tun0) round-robin
nat on tun0 inet from 192.168.200.0/24 to any -> (tun0) round-robin
no nat on tun0 inet from 192.168.200.0/24 to 192.168.0.0/24
no nat on tun0 inet from 192.168.200.0/24 to 192.168.0.0/24
From: fox at verio.net (David DeSimone)
Date: Wed Mar 11 13:22:34 2009
Subject: duplicate nat rules listed by pfctl
In-Reply-To: <6BCCA4DE-FD38-494B-A947-4C1D63775A1A@yahoo.it>
References: <6BCCA4DE-FD38-494B-A947-4C1D63775A1A@yahoo.it>
Message-ID: <20090311195007.GE3436@verio.net>

Gianni wrote:
>
> With the following nat rules pfctl lists duplicate entries, can anyone
> explain why this is?
>
> ext_if = "tun0"
> nat on $ext_if from $localnet to any -> ($ext_if)
> no nat on $ext_if from $localnet to $vpn_nets

What is the definition of $localnet?

> # pfctl -s nat
> nat on tun0 inet from 192.168.200.0/24 to any -> (tun0) round-robin
> nat on tun0 inet from 192.168.200.0/24 to any -> (tun0) round-robin
> no nat on tun0 inet from 192.168.200.0/24 to 192.168.0.0/24
> no nat on tun0 inet from 192.168.200.0/24 to 192.168.0.0/24

Also, don't you think you should put the "no nat" rule before the "nat"
rules?

-- 
David DeSimone == Network Admin == fox@verio.net
  "I don't like spinach, and I'm glad I don't, because if I liked it
   I'd eat it, and I just hate it."  -- Clarence Darrow
From: gdoe6545 at yahoo.it (Gianni)
Date: Wed Mar 11 22:04:18 2009
Subject: duplicate nat rules listed by pfctl
In-Reply-To: <20090311195007.GE3436@verio.net>
References: <6BCCA4DE-FD38-494B-A947-4C1D63775A1A@yahoo.it> <20090311195007.GE3436@verio.net>
Message-ID: <7B51D53B-224C-4887-A017-AF136264F4A9@yahoo.it>

On 11/mar/09, at 20:50, David DeSimone wrote:

> Gianni wrote:
>>
>> With the following nat rules pfctl lists duplicate entries, can anyone
>> explain why this is?
>>
>> ext_if = "tun0"
>> nat on $ext_if from $localnet to any -> ($ext_if)
>> no nat on $ext_if from $localnet to $vpn_nets
>
> What is the definition of $localnet?

int_if = "vr0"
localnet = $int_if:network

From your question I now see the answer:

vr0: flags=8843 metric 0 mtu 1500
        options=280b
        inet 192.168.200.250 netmask 0xffffff00 broadcast 192.168.200.255
        inet 192.168.200.249 netmask 0xffffff00 broadcast 192.168.200.255

I've got 2 ip addresses on the interface and the :network shortcut does not
take into account that they are part of the same subnet.
If I do localnet = "192.168.200.0/24" it's fine, I don't get duplicate
entries.

>> # pfctl -s nat
>> nat on tun0 inet from 192.168.200.0/24 to any -> (tun0) round-robin
>> nat on tun0 inet from 192.168.200.0/24 to any -> (tun0) round-robin
>> no nat on tun0 inet from 192.168.200.0/24 to 192.168.0.0/24
>> no nat on tun0 inet from 192.168.200.0/24 to 192.168.0.0/24
>
> Also, don't you think you should put the "no nat" rule before the "nat"
> rules?

Yes probably! Because first matching nat rule wins, right?

Thanks
-Gianni
From: siseci at gmail.com (N. Ersen SISECI)
Date: Wed Mar 11 23:46:26 2009
Subject: Log Labels?
In-Reply-To: <54B7F7DBCA12D94CA3FE17B68F1461A705E5B993@LVNJEVS205.UCCORG.org>
References: <54B7F7DBCA12D94CA3FE17B68F1461A705E5B993@LVNJEVS205.UCCORG.org>
Message-ID: <49B8AAA3.7060505@gmail.com>

Hello,

I have been using this patch for a long time. If you apply if_pflog
patches to pf and print-pflog.c to tcpdump you should see label values in
log lines.

If you are interested in this patch i can send you its 7.0 version.

# tcpdump -nttttveli pflog0 -s 1024
2009-03-12 08:23:22.206866 rule 2336/0(match): pass in on em0: label 70:
(tos 0x0, ttl 128, id 1054, offset 0, flags [DF], proto: TCP (6), length: 48)
192.168.6.2.4252 > 1.2.3.4.443: S, cksum 0x1480 (correct),
3376786061:3376786061(0) win 65535

Thanks,

N. Ersen SISECI
http://www.enderunix.org

Petersen, Mark wrote:
> Hello,
>
> I'm trying to find out if it's possible to do IPF like log-tags with pf.
> I found an interesting patch here -
> http://osdir.com/ml/os.freebsd.devel.pf4freebsd/2006-06/msg00062.html
> that enables this. It doesn't appear to have made it into pflog though.
>
> Is there a way to use this feature? I'd much rather be logging a label
> and rule #. I can see if these patches still work with 7 of course.
> Has anyone tried this?
>
> Finally - it appears there are only patches for pf, but if I compile
> tcpdump with the pf patches, will it work? What about using mergecap
> with this? If I recompile mergecap/tshark would this work? I know I
> can just try, but no sense reinventing the wheel if someone else spent
> some time trying to do the same.
>
> Thanks,
> Mark
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
From: artis.caune at gmail.com (Artis Caune)
Date: Wed Mar 11 23:48:39 2009
Subject: duplicate nat rules listed by pfctl
In-Reply-To: <7B51D53B-224C-4887-A017-AF136264F4A9@yahoo.it>
References: <6BCCA4DE-FD38-494B-A947-4C1D63775A1A@yahoo.it> <20090311195007.GE3436@verio.net> <7B51D53B-224C-4887-A017-AF136264F4A9@yahoo.it>
Message-ID: <9e20d71e0903112348m52e9020cybd37b7333a298d52@mail.gmail.com>

2009/3/12 Gianni :
> On 11/mar/09, at 20:50, David DeSimone wrote:
> int_if = "vr0"
> localnet = $int_if:network
>
> From your question I now see the answer:
>
> vr0: flags=8843 metric 0 mtu 1500
>         options=280b
>         inet 192.168.200.250 netmask 0xffffff00 broadcast 192.168.200.255
>         inet 192.168.200.249 netmask 0xffffff00 broadcast 192.168.200.255
>
> I've got 2 ip addresses on the interface and the :network shortcut does not
> take into account that they are part of the same subnet.
> If I do localnet = "192.168.200.0/24" it's fine, I don't get duplicate
> entries.

you can use tables, so duplicates are skipped:

int_if = "vr0"
table const { $int_if:network }
nat on $ext_if from to any -> ($ext_if)

-- 
regards,
Artis Caune

    <----.    CCNA | BSDA
    <----|====================
    <----'      didii FreeBSD

From: MPetersen at gs1us.org (Petersen, Mark)
Date: Thu Mar 12 13:13:42 2009
Subject: Log Labels?
In-Reply-To: <49B8AAA3.7060505@gmail.com>
References: <54B7F7DBCA12D94CA3FE17B68F1461A705E5B993@LVNJEVS205.UCCORG.org> <49B8AAA3.7060505@gmail.com>
Message-ID: <54B7F7DBCA12D94CA3FE17B68F1461A705EA05A4@LVNJEVS205.UCCORG.org>

Great, I would love to try a patch for 7.0.

Do you have a patch for wireshark/tshark/mergecap as well by any chance?
Have you submitted these patches to OpenBSD people? Any feedback on
getting this merged in?

Thanks,
Mark

> -----Original Message-----
> From: N. Ersen SISECI [mailto:siseci@gmail.com]
> Sent: Thursday, March 12, 2009 1:25 AM
> To: Petersen, Mark
> Cc: freebsd-pf@freebsd.org
> Subject: Re: Log Labels?
>
> Hello,
>
> I have been using this patch for a long time. If you apply if_pflog
> patches to pf and
> print-pflog.c to tcpdump you should see label values in log lines.
>
> If you are interested in this patch i can send you its 7.0 version.
>
> # tcpdump -nttttveli pflog0 -s 1024
> 2009-03-12 08:23:22.206866 rule 2336/0(match): pass in on em0: label 70:
> (tos 0x0, ttl 128, id 1054, offset 0, flags [DF], proto: TCP (6),
> length: 48) 192.168.6.2.4252 > 1.2.3.4.443: S, cksum 0x1480 (correct),
> 3376786061:3376786061(0) win 65535
>
>
> Thanks,
>
> N. Ersen SISECI
> http://www.enderunix.org
>
>
> Petersen, Mark wrote:
> > Hello,
> >
> > I'm trying to find out if it's possible to do IPF like log-tags with
> > pf. I found an interesting patch here -
> > http://osdir.com/ml/os.freebsd.devel.pf4freebsd/2006-06/msg00062.html
> > that enables this. It doesn't appear to have made it into pflog
> > though.
> >
> > Is there a way to use this feature? I'd much rather be logging a
> > label and rule #. I can see if these patches still work with 7 of
> > course. Has anyone tried this?
> >
> > Finally - it appears there are only patches for pf, but if I compile
> > tcpdump with the pf patches, will it work? What about using mergecap
> > with this? If I recompile mergecap/tshark would this work? I know I
> > can just try, but no sense reinventing the wheel if someone else
> > spent some time trying to do the same.
> >
> > Thanks,
> > Mark
From: siseci at gmail.com (N. Ersen SISECI)
Date: Thu Mar 12 23:55:49 2009
Subject: Log Labels?
In-Reply-To: <54B7F7DBCA12D94CA3FE17B68F1461A705EA05A4@LVNJEVS205.UCCORG.org>
References: <54B7F7DBCA12D94CA3FE17B68F1461A705E5B993@LVNJEVS205.UCCORG.org> <49B8AAA3.7060505@gmail.com> <54B7F7DBCA12D94CA3FE17B68F1461A705EA05A4@LVNJEVS205.UCCORG.org>
Message-ID: <49BA0353.8060105@gmail.com>

Hi,

I didn't submit this patch to OpenBSD guys. I have just only sent this to
the list. I didn't try to patch wireshark. But i think it is as easy as
tcpdump. And i didn't test on OpenBSD. May be i should test on OpenBSD
first and then send this patch to OpenBSD list.

This is the patch for FreeBSD 7.0 pf.

--- if_pflog.h.orig	2008-07-10 14:20:58.000000000 +0300
+++ if_pflog.h	2008-07-10 14:21:59.000000000 +0300
@@ -44,6 +44,12 @@
 #define PFLOG_RULESET_NAME_SIZE	16
 
+#ifndef PFLOG_RULE_LABEL_SIZE
+#define PFLOG_RULE_LABEL_SIZE 64
+#endif
+
+#define PFLOG_LOG_LABEL
+
 struct pfloghdr {
 	u_int8_t	length;
 	sa_family_t	af;
@@ -58,6 +64,9 @@
 	uid_t		rule_uid;
 	pid_t		rule_pid;
 	u_int8_t	dir;
+#ifdef PFLOG_LOG_LABEL
+	char		label[PFLOG_RULE_LABEL_SIZE];
+#endif
 	u_int8_t	pad[3];
 };
 
--- if_pflog.c.orig	2008-07-10 14:22:11.000000000 +0300
+++ if_pflog.c	2008-07-10 14:22:48.000000000 +0300
@@ -342,6 +342,7 @@
 	hdr.action = rm->action;
 	hdr.reason = reason;
 	memcpy(hdr.ifname, kif->pfik_name, sizeof(hdr.ifname));
+	memcpy(hdr.label, rm->label, sizeof(rm->label));
 
 	if (am == NULL) {
 		hdr.rulenr = htonl(rm->nr);

And this is for Tcpdump.

--- print-pflog.c.orig	2008-07-10 14:30:30.000000000 +0300
+++ print-pflog.c	2008-07-10 14:33:42.000000000 +0300
@@ -106,11 +106,21 @@
 	else
 		printf("rule %u.%s.%u/",
 		    rulenr, hdr->ruleset, subrulenr);
-	printf("%s: %s %s on %s: ",
+#ifndef PFLOG_LOG_LABEL
+	printf("%s: %s %s on %s:",
 	    tok2str(pf_reasons, "unkn(%u)", hdr->reason),
 	    tok2str(pf_actions, "unkn(%u)", hdr->action),
 	    tok2str(pf_directions, "unkn(%u)", hdr->dir),
 	    hdr->ifname);
+#else
+	printf("%s: %s %s on %s: label %s: ",
+	    tok2str(pf_reasons, "unkn(%u)", hdr->reason),
+	    tok2str(pf_actions, "unkn(%u)", hdr->action),
+	    tok2str(pf_directions, "unkn(%u)", hdr->dir),
+	    hdr->ifname,
+	    hdr->label);
+#endif
+
 }
 
 u_int

Petersen, Mark wrote:
> Great, I would love to try a patch for 7.0.
>
> Do you have a patch for wireshark/tshark/mergecap as well by any chance?
> Have you submitted these patches to OpenBSD people? Any feedback on
> getting this merged in?
>
> Thanks,
> Mark
>
> -----Original Message-----
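Review bot: the first if_pflog.h hunk defines PFLOG_LOG_LABEL unconditionally and the second one then grows struct pfloghdr by 64 bytes between `dir` and `pad[3]`; that struct is the DLT_PFLOG record header written to pflog0 and into every saved capture, so captures from a patched kernel and from a stock kernel become two different formats with nothing but the larger `length` to tell them apart. Make PFLOG_LOG_LABEL a build option instead of a bare `#define` in the shared header, and document that tcpdump (and anything else that includes if_pflog.h) must be rebuilt against the patched header. The `#ifndef PFLOG_RULE_LABEL_SIZE` guard also lets an earlier definition silently pick a field size different from the one the kernel was built with; derive it from the size of the rule's label array (PF_RULE_LABEL_SIZE in pfvar.h), which is what the if_pflog.c hunk copies from.

Review bot: in the if_pflog.c hunk, `memcpy(hdr.label, rm->label, sizeof(rm->label))` sizes the copy by the source array rather than the destination `hdr.label`; the two only match while PFLOG_RULE_LABEL_SIZE happens to equal the size of rm->label, and the `#ifndef` in if_pflog.h allows them to differ, in which case this overruns hdr.label into pad[3] and past the end of the header. Use `strlcpy(hdr.label, rm->label, sizeof(hdr.label))`, which bounds the copy by the destination and guarantees a terminating NUL; the tcpdump side prints the field with `%s` and depends on that terminator. The copy is also unconditional while the field it writes only exists under `#ifdef PFLOG_LOG_LABEL`, so the file no longer compiles if that macro is ever turned off; wrap the memcpy in the same `#ifdef`.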
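Review bot: the `#ifndef PFLOG_LOG_LABEL` branch of the print-pflog.c hunk is meant to preserve the old output but changes the format string from `"%s: %s %s on %s: "` to `"%s: %s %s on %s:"`, dropping the trailing space, so an unlabelled build now glues the interface name to the packet text; restore the original string there. In the `#else` branch `hdr->label` is printed with a bare `%s`, but a capture file is untrusted input and the kernel-side copy adds no terminator, so a 64-byte label makes printf read past the field; print it as `"%.*s"` with `PFLOG_RULE_LABEL_SIZE` as the precision instead. Which branch gets compiled depends on which if_pflog.h tcpdump's include path finds, so a tcpdump built against a stock header silently drops the label on patched captures; an explicit configure option would make that choice visible.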
> From: N. Ersen SISECI [mailto:siseci@gmail.com]
> Sent: Thursday, March 12, 2009 1:25 AM
> To: Petersen, Mark
> Cc: freebsd-pf@freebsd.org
> Subject: Re: Log Labels?
>
> Hello,
>
> I have been using this patch for a long time. If you apply if_pflog
> patches to pf and print-pflog.c to tcpdump you should see label values
> in log lines.
>
> If you are interested in this patch i can send you its 7.0 version.
>
> # tcpdump -nttttveli pflog0 -s 1024
> 2009-03-12 08:23:22.206866 rule 2336/0(match): pass in on em0: label 70:
> (tos 0x0, ttl 128, id 1054, offset 0, flags [DF], proto: TCP (6),
> length: 48) 192.168.6.2.4252 > 1.2.3.4.443: S, cksum 0x1480 (correct),
> 3376786061:3376786061(0) win 65535
>
> Thanks,
>
> N. Ersen SISECI
> http://www.enderunix.org
>
> Petersen, Mark wrote:
>> Hello,
>>
>> I'm trying to find out if it's possible to do IPF like log-tags with pf.
>> I found an interesting patch here -
>> http://osdir.com/ml/os.freebsd.devel.pf4freebsd/2006-06/msg00062.html
>> that enables this. It doesn't appear to have made it into pflog though.
>>
>> Is there a way to use this feature? I'd much rather be logging a label
>> and rule #. I can see if these patches still work with 7 of course.
>> Has anyone tried this?
>>
>> Finally - it appears there are only patches for pf, but if I compile
>> tcpdump with the pf patches, will it work? What about using mergecap
>> with this? If I recompile mergecap/tshark would this work? I know I
>> can just try, but no sense reinventing the wheel if someone else spent
>> some time trying to do the same.
>>
>> Thanks,
>> Mark
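An added example, not code from the thread or from FreeBSD/tcpdump: a small parser for pflog records that handles both the stock pfloghdr layout and the labelled layout the patch above produces, choosing between them by the word-aligned `length` byte the way tcpdump does. The stock field order, the offsetof(pad) value stored in `length`, and the sample records it builds are assumptions, marked in the comments.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Field order of struct pfloghdr, assumed from the stock FreeBSD 7
# sys/net/if_pflog.h (the patch in the thread shows only the tail):
#   u8 length, u8 af, u8 action, u8 reason, char ifname[16], char ruleset[16],
#   u32 rulenr, u32 subrulenr, uid_t uid, pid_t pid, uid_t rule_uid,
#   pid_t rule_pid, u8 dir, [char label[64] with the patch], u8 pad[3]
# rulenr/subrulenr are written with htonl() (visible in the if_pflog.c hunk);
# uid/pid are host order (little-endian assumed here).  The kernel stores
# offsetof(struct pfloghdr, pad) in `length` and readers round it up to a
# 4-byte boundary (BPF_WORDALIGN): 61 -> 64 stock, 125 -> 128 with the label.
PFLOG_RULE_LABEL_SIZE = 64
HEAD = struct.Struct("BBBB16s16s")   # length, af, action, reason, ifname, ruleset
RULENRS = struct.Struct(">II")       # rulenr, subrulenr: network byte order
IDS = struct.Struct("<IiIi")         # uid, pid, rule_uid, rule_pid: host order
FIXED = HEAD.size + RULENRS.size + IDS.size + 1      # through `dir` == 61
STOCK_HDRLEN = FIXED + 3                             # + pad[3] == 64
LABEL_HDRLEN = FIXED + PFLOG_RULE_LABEL_SIZE + 3     # == 128

# Subsets of tcpdump's pf_actions / pf_reasons / pf_directions tables.
PF_ACTIONS = {0: "pass", 1: "block"}
PF_REASONS = {0: "match", 1: "bad-offset", 2: "fragment", 3: "short"}
PF_DIRS = {0: "in/out", 1: "in", 2: "out"}


@dataclass
class PflogHdr:
    hdrlen: int            # word-aligned header length; the packet starts here
    af: int
    action: str
    reason: str
    ifname: str
    ruleset: str
    rulenr: int
    subrulenr: int
    ids: Tuple[int, int, int, int]   # uid, pid, rule_uid, rule_pid
    dir: str
    label: Optional[str]   # None for a stock (unlabelled) header


def _cstr(raw: bytes) -> str:
    """Decode a fixed-size C char array taken from an untrusted capture:
    stop at the first NUL if there is one, never assume there is one."""
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")


def parse_pflog_record(buf: bytes) -> Tuple[PflogHdr, bytes]:
    """Split one pflog0 record into header and captured packet, picking the
    layout from the `length` byte (64 = stock, 128 = labelled)."""
    if len(buf) < STOCK_HDRLEN:
        raise ValueError("truncated pflog header")
    hdrlen = (buf[0] + 3) & ~3                       # BPF_WORDALIGN
    if hdrlen not in (STOCK_HDRLEN, LABEL_HDRLEN):
        raise ValueError(f"unknown pflog header length {buf[0]}")
    if len(buf) < hdrlen:
        raise ValueError("truncated pflog header")
    with_label = hdrlen == LABEL_HDRLEN
    _, af, action, reason, ifname, ruleset = HEAD.unpack_from(buf, 0)
    rulenr, subrulenr = RULENRS.unpack_from(buf, HEAD.size)
    ids = IDS.unpack_from(buf, HEAD.size + RULENRS.size)
    direction = buf[FIXED - 1]
    label = None
    if with_label:
        label = _cstr(buf[FIXED:FIXED + PFLOG_RULE_LABEL_SIZE])
    hdr = PflogHdr(hdrlen, af,
                   PF_ACTIONS.get(action, f"unkn({action})"),
                   PF_REASONS.get(reason, f"unkn({reason})"),
                   _cstr(ifname), _cstr(ruleset), rulenr, subrulenr, ids,
                   PF_DIRS.get(direction, f"unkn({direction})"), label)
    return hdr, buf[hdrlen:]


def build_pflog_record(packet: bytes, *, ifname: str, rulenr: int,
                       subrulenr: int = 0, action: int = 0, reason: int = 0,
                       direction: int = 1, label: Optional[str] = None) -> bytes:
    """Constructed producer for sample input: a stock header, or the patched
    one when `label` is given.  Like the memcpy in the if_pflog.c hunk it
    stores exactly 64 bytes, so a 64-character label has no terminating NUL."""
    with_label = label is not None
    length = FIXED + PFLOG_RULE_LABEL_SIZE if with_label else FIXED  # offsetof(pad)
    hdr = HEAD.pack(length, 2, action, reason, ifname.encode("ascii"), b"")  # af=AF_INET
    hdr += RULENRS.pack(rulenr, subrulenr)
    hdr += IDS.pack(0xFFFFFFFF, 0, 0, 0)     # uid = UID_MAX (no socket lookup)
    hdr += bytes([direction])
    if with_label:
        raw = label.encode("ascii")[:PFLOG_RULE_LABEL_SIZE]
        hdr += raw.ljust(PFLOG_RULE_LABEL_SIZE, b"\0")
    return hdr + b"\0\0\0" + packet


def tcpdump_style(hdr: PflogHdr) -> str:
    """Render a header the way the labelled tcpdump line in the thread reads
    ("rule 2336/0(match): pass in on em0: label 70: "); the exact format of
    a given tcpdump version may differ."""
    line = (f"rule {hdr.rulenr}/{hdr.subrulenr}({hdr.reason}): "
            f"{hdr.action} {hdr.dir} on {hdr.ifname}: ")
    if hdr.label is not None:
        line += f"label {hdr.label}: "
    return line
```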
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Mar 16 04:08:53 2009
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200903161106.n2GB6xd1043339@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o kern/130977  pf         [netgraph][pf] kernel panic trap 12 on user connect to
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/129060  pf         [pf] [tun] pf doesn't forget the old tun IP
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf         [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf         [pf] deadlock in pf
o kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/82271   pf         [pf] cbq scheduler cause bad latency

31 problems total.

From: linimon at FreeBSD.org (linimon@FreeBSD.org)
Date: Wed Mar 18 02:14:27 2009
Subject: kern/132769: [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtentry / ifnet during early boot
Message-ID: <200903180914.n2I9EEYa099693@freefall.freebsd.org>

Old Synopsis: 2 LOR's with pf task mtx / ifnet and rtentry / ifnet during early boot
New Synopsis: [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtentry / ifnet during early boot

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Wed Mar 18 09:13:40 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=132769
From: pgoggins at cc.edu (Patrick Goggins)
Date: Wed Mar 18 06:17:56 2009
Subject: pf rdr not redirecting completely
In-Reply-To: <49A8FED7.3000603@ngc.net.ua>
References: <49A7D547.9040801@ngc.net.ua> <49A811D4.5030900@uffner.com> <49A8177B.9010209@ngc.net.ua> <49A85BD4.7050105@uffner.com> <49A8FED7.3000603@ngc.net.ua>
Message-ID:

I'm running into a problem with a transparent bridge and the rdr
functionality where when a device hits the rule they are being redirected
but are unable to fully connect to the server. Pf is set to skip on the
management, external, and bridged interfaces; filtering is just on the
internal interface.

Eth0: 172.20.5.240 (management interface, also serving apache pages)
Eth1: external, non-addressed
Eth2: internal, non-addressed
Bridge0: bridge between Eth1 and Eth2

Eth0 and Eth1 are on the same vlan

[Lan where 172.20.5.240 resides]---[managed switch]---[external interface]----[bridge0]-----[internal interface]------[unmanaged switch]------[test system]

Here's the rule I'm trying to run:

rdr on $int_if proto tcp from 172.20.0.0/16 to any port {80, 443} -> 172.20.68.31 port 80

additionally the following rules apply:

pass quick on $int_if proto tcp from any to any

When testing the rdr rule on another ip 172.20.5.239 (another physical
server), the rule works correctly.

I'm thinking it's having issues going out and then coming back in because
it's seeing the request twice and dropping it???

~Patrick
From: pgoggins at cc.edu (Patrick Goggins)
Date: Wed Mar 18 06:21:07 2009
Subject: pf rdr not redirecting completely (Correction)
In-Reply-To:
References: <49A7D547.9040801@ngc.net.ua> <49A811D4.5030900@uffner.com> <49A8177B.9010209@ngc.net.ua> <49A85BD4.7050105@uffner.com> <49A8FED7.3000603@ngc.net.ua>
Message-ID:

Slight correction:

Working rule:
rdr on $int_if proto tcp from 172.20.0.0/16 to any port {80, 443} -> 172.20.5.239 port 80

Rule I am attempting, which does not work:
rdr on $int_if proto tcp from 172.20.0.0/16 to any port {80, 443} -> 172.20.5.240 port 80

~Patrick

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Patrick Goggins
Sent: Wednesday, March 18, 2009 8:17 AM
To: freebsd-pf@freebsd.org
Subject: pf rdr not redirecting completely

I'm running into a problem with a transparent bridge and the rdr functionality where, when a device hits the rule, they are being redirected but are unable to fully connect to the server.
Pf is set to skip on the management, external, and bridged interfaces; filtering is just on the internal interface.

Eth0: 172.20.5.240 (management interface, also serving apache pages)
Eth1: external, non-addressed
Eth2: internal, non-addressed
Bridge0: bridge between Eth1 and Eth2
Eth0 and Eth1 are on the same vlan

[Lan where 172.20.5.240 resides]---[managed switch]---[external interface]----[bridge0]-----[internal interface]------[unmanaged switch]------[test system]

Here's the rule I'm trying to run:
rdr on $int_if proto tcp from 172.20.0.0/16 to any port {80, 443} -> 172.20.68.31 port 80

Additionally the following rules apply:
pass quick on $int_if proto tcp from any to any

When testing the rdr rule on another ip 172.20.5.239 (another physical server), the rule works correctly.

I'm thinking it's having issues going out and then coming back in because it's seeing the request twice and dropping it???

~Patrick

From fbsdq at peterk.org Wed Mar 18 12:46:11 2009
From: fbsdq at peterk.org (Peter)
Date: Wed Mar 18 12:46:18 2009
Subject: pf + altq + cbq(borrow) not borrowing from parent...
Message-ID: <60287.216.241.167.212.1237403968.squirrel@webmail.pknet.net>

iH,
Can't figure this out - seems as if others are having the same issue searching online:
The queues will not borrow from parent.

pf.conf [cut and snipped]

altq on fxp0 cbq bandwidth 100Mb qlimit 500 queue {intranet, extranet}
queue extranet bandwidth 876Kb { poshta,abakan,usrx11,imvas }
queue poshta bandwidth 34% priority 7 cbq(borrow)
queue abakan bandwidth 22% priority 2 cbq(borrow)
queue usrx11 bandwidth 22% priority 1 cbq(borrow)
queue imvas bandwidth 22% priority 1 cbq(borrow)
queue intranet bandwidth 90Mb cbq(default)

pass in quick proto tcp from any to $poshta_ip port {http} keep state queue poshta
pass in quick proto tcp from 172.20.1.13/24 to $poshta_intranet_ip keep state queue intranet

On fxp0 I have both internal address and several external addresses.
Doing an http get on a large file internally = fast
Although all other IPs are not in use, doing the same http get via external address, max transfer rate I get is ~37KB
If I change that line from 'queue poshta' to 'queue intranet' the same http get goes at ~100KB - So I'm sure it's that one line causing the slowness.

So, it seems that the queue is not borrowing from the parent. I've changed all other queues from 22% to 12% [leaving poshta at 34%], my http is still not going faster than ~37KB.

Does cbq(borrow) work as advertised?
borrow - the queue can borrow bandwidth from its parent. This can only be specified when using the cbq scheduler.

With only one NIC, I'm trying to always guarantee the intranet high speed, and the external IPs prioritized - With no ability to nest with priq, can't use that.
What's a good way to dynamically prioritize/queue traffic based on IP?
Anyone done this successfully with pf, altq, cbq(borrow)?

]Peter[

From pp at pp.dyndns.biz Wed Mar 18 13:49:27 2009
From: pp at pp.dyndns.biz (Pojken Purken)
Date: Wed Mar 18 13:50:47 2009
Subject: pf + altq + cbq(borrow) not borrowing from parent...
In-Reply-To: <60287.216.241.167.212.1237403968.squirrel@webmail.pknet.net>
References: <60287.216.241.167.212.1237403968.squirrel@webmail.pknet.net>
Message-ID: <49C15988.6070007@pp.dyndns.biz>

Peter wrote:
> iH,
> Can't figure this out - seems as if others are having the same issue
> searching online:
> The queues will not borrow from parent.
>
> pf.conf [cut and snipped]
>
> altq on fxp0 cbq bandwidth 100Mb qlimit 500 queue {intranet, extranet}
> queue extranet bandwidth 876Kb { poshta,abakan,usrx11,imvas }
> queue poshta bandwidth 34% priority 7 cbq(borrow)
> queue abakan bandwidth 22% priority 2 cbq(borrow)
> queue usrx11 bandwidth 22% priority 1 cbq(borrow)
> queue imvas bandwidth 22% priority 1 cbq(borrow)
> queue intranet bandwidth 90Mb cbq(default)
>

You need to add "borrow" to your default queue. That's where the spare bandwidth is, not the root queue. As it is defined now, your child queues below extranet can only borrow bandwidth from each other. If you add borrow to your default queue, extranet can borrow from intranet and share that to its child queues.

/Morgan

From pp at pp.dyndns.biz Wed Mar 18 13:56:28 2009
From: pp at pp.dyndns.biz (Pojken Purken)
Date: Wed Mar 18 13:56:35 2009
Subject: pf + altq + cbq(borrow) not borrowing from parent...
In-Reply-To: <60287.216.241.167.212.1237403968.squirrel@webmail.pknet.net>
References: <60287.216.241.167.212.1237403968.squirrel@webmail.pknet.net>
Message-ID: <49C15B1C.9030303@pp.dyndns.biz>

Peter wrote:
> iH,
> Can't figure this out - seems as if others are having the same issue
> searching online:
> The queues will not borrow from parent.
>
> pf.conf [cut and snipped]
>
> altq on fxp0 cbq bandwidth 100Mb qlimit 500 queue {intranet, extranet}
> queue extranet bandwidth 876Kb { poshta,abakan,usrx11,imvas }
> queue poshta bandwidth 34% priority 7 cbq(borrow)
> queue abakan bandwidth 22% priority 2 cbq(borrow)
> queue usrx11 bandwidth 22% priority 1 cbq(borrow)
> queue imvas bandwidth 22% priority 1 cbq(borrow)
> queue intranet bandwidth 90Mb cbq(default)
>

Sorry, brain is not working tonight. I reversed extranet and intranet in my previous response. Add "borrow" to your extranet queue. You might as well add it to the intranet queue too if you want it to be able to use those 876Kb if they're available. Sorry again for the noise.

And yes, the description of borrowing from the parent queue is ofc correct too... I really should stop answering these questions at this time of night... ;-)

/Morgan

From fbsdq at peterk.org Wed Mar 18 14:30:02 2009
From: fbsdq at peterk.org (Peter)
Date: Wed Mar 18 14:30:08 2009
Subject: pf + altq + cbq(borrow) not borrowing from parent...
Message-ID: <60015.216.241.167.212.1237411800.squirrel@webmail.pknet.net>

> Peter wrote:
>> iH,
>> Can't figure this out - seems as if others are having the same issue
>> searching online:
>> The queues will not borrow from parent.
>>
>> pf.conf [cut and snipped]
>>
>> altq on fxp0 cbq bandwidth 100Mb qlimit 500 queue {intranet, extranet}
>> queue extranet bandwidth 876Kb { poshta,abakan,usrx11,imvas }
>> queue poshta bandwidth 34% priority 7 cbq(borrow)
>> queue abakan bandwidth 22% priority 2 cbq(borrow)
>> queue usrx11 bandwidth 22% priority 1 cbq(borrow)
>> queue imvas bandwidth 22% priority 1 cbq(borrow)
>> queue intranet bandwidth 90Mb cbq(default)
>>
>
> You need to add "borrow" to your default queue. That's where the spare
> bandwidth is, not the root queue. As it is defined now, your child
> queues below extranet can only borrow bandwidth from each other. If you
> add borrow to your default queue, extranet can borrow from intranet and
> share that to its child queues.
> /Morgan

That's the thing - My uplink upload is maxed out at ~896Kb - even if I send traffic faster, still physically limited by uplink - That is all the bandwidth I want to allocate to my public IPs - I want the children to borrow bandwidth from each other, and prioritize the traffic.. They are not borrowing from each other - From my tests, the 'poshta' queue is never going over 34%.

]Peter[

From freebsd-pf at pp.dyndns.biz Wed Mar 18 15:14:27 2009
From: freebsd-pf at pp.dyndns.biz (Morgan Wesström)
Date: Wed Mar 18 15:14:36 2009
Subject: pf + altq + cbq(borrow) not borrowing from parent...
In-Reply-To: <60015.216.241.167.212.1237411800.squirrel@webmail.pknet.net>
References: <60015.216.241.167.212.1237411800.squirrel@webmail.pknet.net>
Message-ID: <49C16D5A.5060601@pp.dyndns.biz>

Peter wrote:
>> Peter wrote:
>>> iH,
>>> Can't figure this out - seems as if others are having the same issue
>>> searching online:
>>> The queues will not borrow from parent.
>>>
>>> pf.conf [cut and snipped]
>>>
>>> altq on fxp0 cbq bandwidth 100Mb qlimit 500 queue {intranet, extranet}
>>> queue extranet bandwidth 876Kb { poshta,abakan,usrx11,imvas }
>>> queue poshta bandwidth 34% priority 7 cbq(borrow)
>>> queue abakan bandwidth 22% priority 2 cbq(borrow)
>>> queue usrx11 bandwidth 22% priority 1 cbq(borrow)
>>> queue imvas bandwidth 22% priority 1 cbq(borrow)
>>> queue intranet bandwidth 90Mb cbq(default)
>>>
>> You need to add "borrow" to your default queue. That's where the spare ;-)
>> /Morgan
>
>
> That's the thing - My uplink upload is maxed out at ~896Kb - even if I
> send traffic faster, still physically limited by uplink - That is all the
> bandwidth I want to allocate to my public IPs - I want the children to
> borrow bandwidth from each other, and prioritize the traffic.. They are
> not borrowing from each other - From my tests, the 'poshta' queue is never
> going over 34%.
>

If your fxp0 is connected to some broadband service where the max upload is 876Kb, then that's what you should define in the root queue - not the link speed of the interface. pf will get its bandwidth calculations completely messed up by the numbers you have entered. You can never define more bandwidth in your queue definitions than you have available on your Internet connection, regardless of link speed to your modem.

/Morgan

From grishin-mailing-lists at minselhoz.samara.ru Thu Mar 19 00:27:44 2009
From: grishin-mailing-lists at minselhoz.samara.ru (Yuriy Grishin)
Date: Thu Mar 19 00:27:51 2009
Subject: synproxy on tuns
Message-ID: <49C1EF75.3010204@minselhoz.samara.ru>

Hello,

I have some problems connecting to my gateway from elsewhere. A rule

1) pass in on tun0 inet proto tcp from any to 94.180.71.150 port = ssh flags S/SA *modulate* state queue(qssh, qack)

allows connecting to the host neatly. If I try to protect sshd with synproxy this way:

2) pass in on tun0 inet proto tcp from any to 94.180.71.150 port = ssh flags S/SA *synproxy* state queue(qssh, qack)

the connection gets stuck. Status "connecting...." never changes (it can take a minute or 10 and even more!)

I suppose that some packets of the TCP handshake are approved and some not. Why does it happen? Is encapsulation the root of the problem?

Now the second rule is activated and anybody can reproduce the situation.

--
Yuriy Grishin

From fbsdq at peterk.org Thu Mar 19 07:16:53 2009
From: fbsdq at peterk.org (Peter)
Date: Thu Mar 19 07:16:59 2009
Subject: pf + altq + cbq(borrow) not borrowing from parent...
Message-ID: <60673.216.241.167.212.1237472212.squirrel@webmail.pknet.net>

> Peter wrote:
>>> Peter wrote:
>>>> iH,
>>>> Can't figure this out - seems as if others are having the same
>>>> issue
>>>> searching online:
>>>> The queues will not borrow from parent.
>>>>
>>>> pf.conf [cut and snipped]
>>>>
>>>> altq on fxp0 cbq bandwidth 100Mb qlimit 500 queue {intranet, extranet}
>>>> queue extranet bandwidth 876Kb { poshta,abakan,usrx11,imvas }
>>>> queue poshta bandwidth 34% priority 7 cbq(borrow)
>>>> queue abakan bandwidth 22% priority 2 cbq(borrow)
>>>> queue usrx11 bandwidth 22% priority 1 cbq(borrow)
>>>> queue imvas bandwidth 22% priority 1 cbq(borrow)
>>>> queue intranet bandwidth 90Mb cbq(default)
>>>>
>>> You need to add "borrow" to your default queue. That's where the spare
>
> ;-)
>
>>> /Morgan
>>
>>
>> That's the thing - My uplink upload is maxed out at ~896Kb - even if I
>> send traffic faster, still physically limited by uplink - That is all
>> the
>> bandwidth I want to allocate to my public IPs - I want the children to
>> borrow bandwidth from each other, and prioritize the traffic.. They are
>> not borrowing from each other - From my tests, the 'poshta' queue is
>> never
>> going over 34%.
>>
>
> If your fxp0 is connected to some broadband service where the max upload
> is 876Kb, then that's what you should define in the root queue - not the
> link speed of the interface. pf will get its bandwidth calculations
> completely messed up by the numbers you have entered. You can never
> define more bandwidth in your queue definitions than you have available
> on your Internet connection, regardless of link speed to your modem.
> /Morgan

fxp0 is connected to broadband ISP _and_ local LAN which is going at 100Mbps - So I have 90Mbps queue defined for 'intranet' 876Kb for 'extranet' - Shouldn't the children of 'extranet' still 'borrow' everything up to 876Kb? - Since I was defining root at 100Mb, I would assume my queues would use up more, instead they are using _exactly_ what is defined for them and refusing to borrow [hence going at 37KB instead of the uplink max of ~100KB]. As soon as I 'up' the 34% to 60%, I get higher dl speeds, although not using/borrowing above the 60%.

Changed the 100MB to 896Kb, and set the extranet to 886Kb, the rest for intranet - Still no performance gain.

]Peter[

From freebsd-pf at pp.dyndns.biz Thu Mar 19 07:50:06 2009
From: freebsd-pf at pp.dyndns.biz (Morgan Wesström)
Date: Thu Mar 19 07:50:23 2009
Subject: pf + altq + cbq(borrow) not borrowing from parent...
In-Reply-To: <60673.216.241.167.212.1237472212.squirrel@webmail.pknet.net>
References: <60673.216.241.167.212.1237472212.squirrel@webmail.pknet.net>
Message-ID: <49C25B98.7070605@pp.dyndns.biz>

> fxp0 is connected to broadband ISP _and_ local LAN which is going at

I think you have to explain in more detail the physical layout of your setup.

> 100Mbps - So I have 90Mbps queue defined for 'intranet' 876Kb for
> 'extranet' - Shouldn't the children of 'extranet' still 'borrow'
> everything up to 876Kb? - Since I was defining root at 100Mb, I would
> assume my queues would use up more, instead they are using _exactly_ what
> is defined for them and refusing to borrow [hence going at 37KB instead of
> the uplink max of ~100KB]. As soon as I 'up' the 34% to 60%, I get higher
> dl speeds, although not using/borrowing above the 60%.

I'm slightly confused here. You're talking about download speeds but pf queues only affect upload bandwidth. Assuming it's upload you are referring to and if you want those four child queues to use free bandwidth from "intranet", then you have to add "borrow" to your "extranet" queue. Child queues can only borrow from their parent queue and if you don't have "borrow" on "extranet", that queue will only have 876Kb to share among its child queues.

/Morgan

From fbsdq at peterk.org Thu Mar 19 09:06:13 2009
From: fbsdq at peterk.org (Peter)
Date: Thu Mar 19 09:06:19 2009
Subject: pf + altq + cbq(borrow) not borrowing from parent...
Message-ID: <56661.216.241.167.212.1237478769.squirrel@webmail.pknet.net>

>> fxp0 is connected to broadband ISP _and_ local LAN which is going at
> I think you have to explain in more detail the physical layout of your
> setup.
>
>> 100Mbps - So I have 90Mbps queue defined for 'intranet' 876Kb for
>> 'extranet' - Shouldn't the children of 'extranet' still 'borrow'
>> everything up to 876Kb? - Since I was defining root at 100Mb, I would
>> assume my queues would use up more, instead they are using _exactly_
>> what
>> is defined for them and refusing to borrow [hence going at 37KB instead
>> of
>> the uplink max of ~100KB]. As soon as I 'up' the 34% to 60%, I get
>> higher
>> dl speeds, although not using/borrowing above the 60%.
> I'm slightly confused here. You're talking about download speeds but pf
> queues only affect upload bandwidth. Assuming it's upload you are
> referring to and if you want those four child queues to use free
> bandwidth from "intranet", then you have to add "borrow" to your
> "extranet" queue. Child queues can only borrow from their parent queue
> and if you don't have "borrow" on "extranet", that queue will only have
> 876Kb to share among its child queues.
>
> /Morgan

Sorry, by dl I mean downloading large file from server to remote desktop - The server is uploading to desktop.
I want the children to use all the available bandwidth within the 'extranet' queue - The child 'poshta' queue NEVER goes above using 34%, even though all other queues have no services running on them and 'poshta' is set to borrow. If I leave 'poshta' queue at 34% and set all others to 1%, the 'poshta' queue is still never pushing out more than 34% / 37KB.

If I set it to '90%' it pushes out at ~90KB - wondering why it's not borrowing when parent has unused bandwidth.

]Peter[

From fbsdq at peterk.org Thu Mar 19 11:50:13 2009
From: fbsdq at peterk.org (Peter)
Date: Thu Mar 19 11:50:21 2009
Subject: more tests - pf + altq + cbq(borrow) not borrowing from parent
Message-ID: <62464.216.241.167.212.1237488612.squirrel@webmail.pknet.net>

Did more testing:
Downloading on workstation from server / Server uploading.
I'm dealing only with fxp0, and only one IP and only ssh/sftp running.
7.1-STABLE #0: Sun Feb 8 01:15:45 MST 2009

uploads +/- several KB as they vary during the 1 minute test [100MB tgz file]

upload at 100KB:
altq on fxp0 cbq bandwidth 896Kb queue {extranet}
queue extranet bandwidth 186Kb cbq(default,borrow)

upload at 20KB:
altq on fxp0 cbq bandwidth 896Kb queue {extranet}
queue extranet bandwidth 186Kb cbq(default)

upload at 20KB:
altq on fxp0 cbq bandwidth 100Mb queue {extranet}
queue extranet bandwidth 186Kb cbq(default)

upload at 100KB:
altq on fxp0 cbq bandwidth 100Mb queue {extranet}
queue extranet bandwidth 186Kb cbq(default,borrow)

upload at 100KB:
altq on fxp0 cbq bandwidth 100Mb queue {extranet}
queue extranet bandwidth 886Kb cbq(default)

upload at 100KB:
altq on fxp0 cbq bandwidth 100Mb queue {extranet,intranet}
queue extranet bandwidth 186Kb cbq(default,borrow)
queue intranet bandwidth 90Mb

upload at 40KB:
altq on fxp0 cbq bandwidth 100Mb queue {extranet,intranet}
queue extranet bandwidth 886Kb {poshta}
queue poshta bandwidth 34% cbq(borrow,default)
queue intranet bandwidth 90Mb

upload at 40KB:
altq on fxp0 cbq bandwidth 100Mb queue {extranet}
queue extranet bandwidth 886Kb {poshta}
queue poshta bandwidth 34% cbq(borrow,default)

upload at 20KB:
altq on fxp0 cbq bandwidth 100Mb queue {extranet}
queue extranet bandwidth 886Kb {poshta}
queue poshta bandwidth 186Kb cbq(borrow,default)

In theory and example as seen on http://www.openbsd.org/faq/pf/queueing.html - Example #2: Company Network

The poshta queue should borrow fully from the parent queue [extranet], but borrowing seems to _only_ work from the root queue/first level down.

Am I missing something here?
]Peter[

From freebsd-pf at pp.dyndns.biz Thu Mar 19 13:40:47 2009
From: freebsd-pf at pp.dyndns.biz (Morgan Wesström)
Date: Thu Mar 19 13:40:57 2009
Subject: pf + altq + cbq(borrow) not borrowing from parent...
In-Reply-To: <56661.216.241.167.212.1237478769.squirrel@webmail.pknet.net>
References: <56661.216.241.167.212.1237478769.squirrel@webmail.pknet.net>
Message-ID: <49C2ADCB.7050604@pp.dyndns.biz>

> Sorry, by dl I mean downloading large file from server to remote desktop -
> The server is uploading to desktop.
> I want the children to use all the available bandwidth within the
> 'extranet' queue - The child 'poshta' queue NEVER goes above using 34%,
> even though all other queues have no services running on them and 'poshta'
> is set to borrow. If I leave 'poshta' queue at 34% and set all others to
> 1%, the 'poshta' queue is still never pushing out more than 34% / 37KB.
>
> If I set it to '90%' it pushes out at ~90KB - wondering why it's not
> borrowing when parent has unused bandwidth.
>
> ]Peter[
>

I'm pretty much out of ideas then. I'm running an almost identical setup (2 queues below root and 4 child queues in one of them) and it works for me. The only differences are that I borrow between ALL queues and root queue only has 1800Kb bandwidth. Don't know if my config can give you any new insights.

altq on em1 cbq bandwidth 1800Kb queue {q_def, q_pri}
queue q_def bandwidth 10% qlimit 200 cbq( borrow default )
queue q_pri bandwidth 90% cbq( borrow ) {q_hv, q_p2p, q_p1, q_p2}
queue q_hv bandwidth 10% priority 4 qlimit 200 cbq( borrow )
queue q_p2p bandwidth 10% priority 5 qlimit 200 cbq( borrow )
queue q_p1 bandwidth 20% priority 6 cbq( borrow )
queue q_p2 bandwidth 60% priority 7 cbq( borrow )

Evidence of it working perfectly can be seen on second graph here:
http://pp.dyndns.biz/pfstat/pfstat.html

/M

From pp at pp.dyndns.biz Thu Mar 19 13:46:25 2009
From: pp at pp.dyndns.biz (Pojken Purken)
Date: Thu Mar 19 13:46:32 2009
Subject: more tests - pf + altq + cbq(borrow) not borrowing from parent
In-Reply-To: <62464.216.241.167.212.1237488612.squirrel@webmail.pknet.net>
References: <62464.216.241.167.212.1237488612.squirrel@webmail.pknet.net>
Message-ID: <49C2AF1C.3030501@pp.dyndns.biz>

> In theory and example as seen on
> http://www.openbsd.org/faq/pf/queueing.html - Example #2: Company Network
>
> The poshta queue should borrow fully from the parent queue [extranet],
> but borrowing seems to _only_ work from the root queue/first level down.
>
> Am I missing something here?
>
> ]Peter[
>

I think Max has to answer this if he sees this post. In any case I guess you have to be clear about what your available upload bandwidth is on fxp0, it can't be both 100Mb and 876Kb, can it?

/M

From max at love2party.net Thu Mar 19 13:56:04 2009
From: max at love2party.net (Max Laier)
Date: Thu Mar 19 13:56:10 2009
Subject: more tests - pf + altq + cbq(borrow) not borrowing from parent
In-Reply-To: <49C2AF1C.3030501@pp.dyndns.biz>
References: <62464.216.241.167.212.1237488612.squirrel@webmail.pknet.net> <49C2AF1C.3030501@pp.dyndns.biz>
Message-ID: <200903192156.01081.max@love2party.net>

On Thursday 19 March 2009 21:46:20 Pojken Purken wrote:
> > In theory and example as seen on
> > http://www.openbsd.org/faq/pf/queueing.html - Example #2: Company Network
> >
> > The poshta queue should borrow fully from the parent queue [extranet],
> > but borrowing seems to _only_ work from the root queue/first level down.
> >
> > Am I missing something here?
> >
> > ]Peter[
>
> I think Max has to answer this if he sees this post. In any case I guess
> you have to be clear about what your available upload bandwidth is on
> fxp0, it can't be both 100Mb and 876Kb, can it?

I still don't understand the OP's setup. Peter can you please provide a clear picture of what you are trying to achieve? I have a feeling that you are trying to use ALTQ for shaping incoming traffic - which is a no-go.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From fbsdq at peterk.org Thu Mar 19 14:08:44 2009
From: fbsdq at peterk.org (Peter)
Date: Thu Mar 19 14:08:50 2009
Subject: pf + altq + cbq(borrow) not borrowing from parent...
Message-ID: <60058.216.241.167.212.1237496922.squirrel@webmail.pknet.net>

>
>> Sorry, by dl I mean downloading large file from server to remote desktop
>> -
>> The server is uploading to desktop.
>> I want the children to use all the available bandwidth within the
>> 'extranet' queue - The child 'poshta' queue NEVER goes above using 34%,
>> even though all other queues have no services running on them and
>> 'poshta'
>> is set to borrow. If I leave 'poshta' queue at 34% and set all others
>> to
>> 1%, the 'poshta' queue is still never pushing out more than 34% / 37KB.
>>
>> If I set it to '90%' it pushes out at ~90KB - wondering why it's not
>> borrowing when parent has unused bandwidth.
>>
>> ]Peter[
>>
>
> I'm pretty much out of ideas then. I'm running an almost identical setup
> (2 queues below root and 4 child queues in one of them) and it works for
> me. The only differences are that I borrow between ALL queues and root
> queue only has 1800Kb bandwidth. Don't know if my config can give you
> any new insights.
>
> altq on em1 cbq bandwidth 1800Kb queue {q_def, q_pri}
> queue q_def bandwidth 10% qlimit 200 cbq( borrow default )
> queue q_pri bandwidth 90% cbq( borrow ) {q_hv, q_p2p, q_p1, q_p2}
> queue q_hv bandwidth 10% priority 4 qlimit 200 cbq( borrow )
> queue q_p2p bandwidth 10% priority 5 qlimit 200 cbq( borrow )
> queue q_p1 bandwidth 20% priority 6 cbq( borrow )
> queue q_p2 bandwidth 60% priority 7 cbq( borrow )
>
> Evidence of it working perfectly can be seen on second graph here:
> http://pp.dyndns.biz/pfstat/pfstat.html
>

upload at 20KB:
altq on fxp0 cbq bandwidth 100Mb queue {extranet}
queue extranet bandwidth 886Kb {poshta}
queue poshta bandwidth 186Kb cbq(borrow,default)

upload at 100KB:
altq on fxp0 cbq bandwidth 100Mb queue {extranet}
queue extranet bandwidth 886Kb cbq(borrow) {poshta}
queue poshta bandwidth 186Kb cbq(borrow,default)

This works, but defeats the purpose of having a queue for the DSL link that is only 896Kb up as the queuing is no longer done at FreeBSD level. I can set the root queue to 896 and all works as needed, but I should be able to do several groups of queuing according to pf faq.

I've run lots of tests in previous email to this list [ http://docs.freebsd.org/cgi/getmsg.cgi?fetch=49104+0+current/freebsd-pf ]

The problem is that I want 'poshta' to borrow from parent [extranet], but it doesn't, but for some weird reason when extranet is able to borrow, poshta is able to borrow from extranet - Those are the only lines I have for altq...

The parent queue shouldn't need borrow according to pf faq [might be due to new version..?]:

------------------------------------------------
A queue can be configured to borrow bandwidth from its parent if the parent has excess bandwidth available due to it not being used by the other child queues.
Consider a queueing setup like this:

Root Queue (2Mbps)
  UserA (1Mbps)
    ssh (100Kbps)
    ftp (900Kbps, borrow)
  UserB (1Mbps)

If traffic in the ftp queue exceeds 900Kbps and traffic in the UserA queue is less than 1Mbps (because the ssh queue is using less than its assigned 100Kbps), the ftp queue will borrow the excess bandwidth from UserA. In this way the ftp queue is able to use more than its assigned bandwidth when it faces overload. When the ssh queue increases its load, the borrowed bandwidth will be returned.
------------------------------------------------

That is exactly what I want to do, but it's not working as I think/man pf.conf/FAQ says it should...

If you remove the borrow from 'q_pri' - do any of the children borrow from each other? Almost seems as if the children are trying to borrow from the root queue, but not the parent/each other.

]Peter[

Out of curiosity rebuilding world to -STABLE of today, and perhaps gonna try -CURRENT.

From fbsdq at peterk.org Thu Mar 19 14:17:10 2009
From: fbsdq at peterk.org (Peter)
Date: Thu Mar 19 14:17:17 2009
Subject: more tests - pf + altq + cbq(borrow) not borrowing from parent
Message-ID: <59450.216.241.167.212.1237497429.squirrel@webmail.pknet.net>

> On Thursday 19 March 2009 21:46:20 Pojken Purken wrote:
>> > In theory and example as seen on
>> > http://www.openbsd.org/faq/pf/queueing.html - Example #2: Company
>> Network
>> >
>> > The poshta queue should borrow fully from the parent queue
>> [extranet],
>> > but borrowing seems to _only_ work from the root queue/first level
>> down.
>> >
>> > Am I missing something here?
>> >
>> > ]Peter[
>>
>> I think Max has to answer this if he sees this post. In any case I guess
>> you have to be clear about what your available upload bandwidth is on
>> fxp0, it can't be both 100Mb and 876Kb, can it?
>
> I still don't understand the OP's setup. Peter can you please provide a
> clear
> picture of what you are trying to achieve? I have a feeling that you are
> trying to use ALTQ for shaping incoming traffic - which is a no-go.
>
> --
> /"\  Best regards,                      | mlaier@freebsd.org
> \ /  Max Laier                          | ICQ #67774661

I'm trying to queue outgoing traffic from server. In all tests only pulling data from server via sftp
server -> 100MB tgz -> desktop

I know the queue rules are working because if I change things around, the speed in the sftp pull of this file changes dramatically. These changes are on the server, nothing is touched/changed on desktop: pf+altq are on the server.

altq on fxp0 cbq bandwidth 100Mb queue {extranet}
queue extranet bandwidth 886Kb {poshta}
queue poshta bandwidth 186Kb cbq(borrow,default)

With this setup, I can download FROM this server to desktop at 20KB

If I change to this setup:

altq on fxp0 cbq bandwidth 100Mb queue {extranet}
queue extranet bandwidth 886Kb {poshta}
queue poshta bandwidth 856Kb cbq(borrow,default)

I can download FROM this server to desktop at 100KB

The 'poshta' queue does not seem to borrow from its parent as I understand it should.
From fbsdq at peterk.org Thu Mar 19 21:07:32 2009
From: fbsdq at peterk.org (Peter)
Date: Thu Mar 19 21:07:38 2009
Subject: more tests - pf + altq + cbq(borrow) not borrowing from parent - all LAN
Message-ID: <4857.216.241.167.208.1237522051.squirrel@webmail.pknet.net>

The server was just updated to
7.2-PRERELEASE FreeBSD 7.2-PRERELEASE #0: Thu Mar 19 20:00:29 MDT 2009

another test:
server <-> 100Mb switch <-> desktop
172.20.1.1 <-switch-> 172.20.1.2
ALL traffic stays on local lan.

altq on fxp0 cbq bandwidth 100Mb queue {extranet}
queue extranet bandwidth 886Kb {poshta}
queue poshta bandwidth 156Kb cbq(borrow,default)

I sftp from desktop to server, and do 'get blob.tgz'
download to desktop from server goes at ~20KB

vi /etc/pf.conf

altq on fxp0 cbq bandwidth 100Mb queue {extranet}
queue extranet bandwidth 886Kb {poshta}
queue poshta bandwidth 856Kb cbq(borrow,default)

/sbin/pfctl -nf /etc/pf.conf && /sbin/pfctl -f /etc/pf.conf

I sftp from desktop to server, and do 'get blob.tgz'
download to desktop from server goes at ~100KB

this is all local file system from /tmp/blob.tgz to /tmp/blob.tgz

Going to try this tomorrow with 'server' being -CURRENT/latest snapshot.

]Peter[

From freebsd-pf at pp.dyndns.biz Fri Mar 20 01:21:34 2009
From: freebsd-pf at pp.dyndns.biz (Morgan Wesström)
Date: Fri Mar 20 01:21:41 2009
Subject: more tests - pf + altq + cbq(borrow) not borrowing from parent - all LAN
In-Reply-To: <4857.216.241.167.208.1237522051.squirrel@webmail.pknet.net>
References: <4857.216.241.167.208.1237522051.squirrel@webmail.pknet.net>
Message-ID: <49C3520A.9050500@pp.dyndns.biz>

Peter wrote:
> The server was just updated to
> 7.2-PRERELEASE FreeBSD 7.2-PRERELEASE #0: Thu Mar 19 20:00:29 MDT 2009
>
> another test:
> server <-> 100Mb switch <-> desktop
> 172.20.1.1 <-switch-> 172.20.1.2
> ALL traffic stays on local lan.
>
> altq on fxp0 cbq bandwidth 100Mb queue {extranet}
> queue extranet bandwidth 886Kb {poshta}
> queue poshta bandwidth 156Kb cbq(borrow,default)
>
> I sftp from desktop to server, and do 'get blob.tgz'
> download to desktop from server goes at ~20KB
>
> vi /etc/pf.conf
>
> altq on fxp0 cbq bandwidth 100Mb queue {extranet}
> queue extranet bandwidth 886Kb {poshta}
> queue poshta bandwidth 856Kb cbq(borrow,default)
>
> /sbin/pfctl -nf /etc/pf.conf && /sbin/pfctl -f /etc/pf.conf
>
> I sftp from desktop to server, and do 'get blob.tgz'
> download to desktop from server goes at ~100KB
>
> this is all local file system from /tmp/blob.tgz to /tmp/blob.tgz
>
> Going to try this tomorrow with 'server' being -CURRENT/latest snapshot.
>
> ]Peter[
>

You are missing "cbq" in your extranet queue definition... don't know how that would affect the behaviour though. Check with pfctl -sq if pf's interpretation of the queue definitions is what you intended.

The default queue makes me curious too. Although the man page doesn't give any restrictions to it (other than that there can only be one), I have never seen any example where one of the child queues is used as default queue. Might work perfectly... :-)

On a sidenote - although this is an internal LAN with 100Mb you probably can't get that speed during full utilization.
Depending on your NIC a more reasonable value would be 80-90% of the linkspeed. This is probably not related to your problem and would only be a potential problem when your trying to use your full bandwidth. Max: Would I be correct in assuming that the bandwidth value for a 100Mb NIC should reflect its real throughput in the root queue definition and not its linkspeed? Regards Morgan From freebsd-pf at pp.dyndns.biz Fri Mar 20 01:27:58 2009 From: freebsd-pf at pp.dyndns.biz (=?ISO-8859-1?Q?Morgan_Wesstr=F6m?=) Date: Fri Mar 20 01:28:04 2009 Subject: more tests - pf + altq + cbq(borrow) not borrowing from parent - all LAN In-Reply-To: <4857.216.241.167.208.1237522051.squirrel@webmail.pknet.net> References: <4857.216.241.167.208.1237522051.squirrel@webmail.pknet.net> Message-ID: <49C3538A.2090909@pp.dyndns.biz> > queue poshta bandwidth 156Kb cbq(borrow,default) One more thing I notice but don't know if it is related. You have a comma separationg your scheduler options. Examples in man page does not use comma only white space. Once again use pfctl -sq to see how this is actually interpreted. /Morgan From grishin-mailing-lists at minselhoz.samara.ru Fri Mar 20 01:31:23 2009 From: grishin-mailing-lists at minselhoz.samara.ru (Yuriy Grishin) Date: Fri Mar 20 01:31:30 2009 Subject: more tests - pf + altq + cbq(borrow) not borrowing from parent - all LAN In-Reply-To: <49C3538A.2090909@pp.dyndns.biz> References: <4857.216.241.167.208.1237522051.squirrel@webmail.pknet.net> <49C3538A.2090909@pp.dyndns.biz> Message-ID: <49C35446.309@minselhoz.samara.ru> Morgan Wesstr?m wrote: >> queue poshta bandwidth 156Kb cbq(borrow,default) >> > > One more thing I notice but don't know if it is related. You have a > comma separationg your scheduler options. Examples in man page does not > use comma only white space. Once again use pfctl -sq to see how this is > actually interpreted. > /Morgan > Both ways are acceptable. -- Yuriy Grishin From rafal.pajewski at k2.pl Fri Mar 20 01:45:34 2009 
From: rafal.pajewski at k2.pl (Pajewski Rafal)
Date: Fri Mar 20 01:45:41 2009
Subject: (no subject)
Message-ID: <49C3516C.1010104@k2.pl>

-- 
_____________
Regards
Pajewski Rafał
Administrator
--
K2. For us it is possible.
K2 Internet S.A.
tel. +48 22 448 70 00
fax +48 22 448 71 01
00-145 Warszawa
al. Solidarnosci 74 A
e-mail: biuro@k2.pl
http://www.k2.pl
KRS 0000059690 NIP 951-19-83-801 Regon 016378720
Share capital 2.030.000,00 PLN (fully paid up)

From fbsdq at peterk.org Fri Mar 20 06:53:40 2009
From: fbsdq at peterk.org (Peter)
Date: Fri Mar 20 06:53:48 2009
Subject: more tests - pf + altq + cbq(borrow) not borrowing from parent - all LAN
Message-ID: <65306.216.241.167.212.1237557217.squirrel@webmail.pknet.net>

> Peter wrote:
>> The server was just updated to
>> 7.2-PRERELEASE FreeBSD 7.2-PRERELEASE #0: Thu Mar 19 20:00:29 MDT 2009
>>
>> another test:
>> server <-> 100Mb switch <-> desktop
>> 172.20.1.1 <-switch-> 172.20.1.2
>> ALL traffic stays on local lan.
>>
>> altq on fxp0 cbq bandwidth 100Mb queue {extranet}
>> queue extranet bandwidth 886Kb {poshta}
>> queue poshta bandwidth 156Kb cbq(borrow,default)
>>
>> I sftp from desktop to server, and do 'get blob.tgz'
>> download to desktop from server goes at ~20KB
>>
>> vi /etc/pf.conf
>>
>> altq on fxp0 cbq bandwidth 100Mb queue {extranet}
>> queue extranet bandwidth 886Kb {poshta}
>> queue poshta bandwidth 856Kb cbq(borrow,default)
>>
>> /sbin/pfctl -nf /etc/pf.conf && /sbin/pfctl -f /etc/pf.conf
>>
>> I sftp from desktop to server, and do 'get blob.tgz'
>> download to desktop from server goes at ~100KB
>>
>> this is all local file system from /tmp/blob.tgz to /tmp/blob.tgz
>>
>> Going to try this tomorrow with 'server' being -CURRENT/latest snapshot.
>>
>> ]Peter[
>>
>
> You are missing "cbq" in your extranet queue definition... don't know
> how that would affect the behaviour though. Check with pfctl -sq if pf's
> interpretation of the queue definitions is what you intended.

cbq is defined in the root queue that references 'extranet' - Sets fxp0
interface to cbq - according to examples on pf faq, you only need to define
cbq if using any of the special cbq options like borrow/red/ecn.
[interface can only have one queue]

>
> The default queue makes me curious too. Although the man page doesn't
> give any restrictions to it (other than that there can only be one), I
> have never seen any example where one of the child queues is used as
> default queue. Might work perfectly... :-)

Well I know that the default queue affects my traffic as when I change it,
my download on desktop from server goes much faster. If I set it lower, my
download goes low - That is all working as designed, but what is not
working is the cbq(borrow) option - It just maxes out at whatever I have
defined there. No point in setting a hard max for http/imap/smtp/ssh
traffic - when one is not being utilized, the extra should be shared.

root - parent(borrow) - this borrows from root/works
root - parent - child(borrow) - this does not borrow from parent.
root - parent(borrow) - child(borrow) - this child borrows from root?? -
this works - but this just gives child ability to borrow all of root, I
only want child to borrow all of parents bandwidth.

>
> On a sidenote - although this is an internal LAN with 100Mb you probably
> can't get that speed during full utilization. Depending on your NIC a
> more reasonable value would be 80-90% of the linkspeed. This is probably
> not related to your problem and would only be a potential problem when
> you're trying to use your full bandwidth.

[those are my only 3 altq lines]

>
> Max: Would I be correct in assuming that the bandwidth value for a 100Mb
> NIC should reflect its real throughput in the root queue definition and
> not its linkspeed?
>
> Regards
> Morgan

Well on LAN 100Mb is the "real throughput" - I'm not concerned about
throughput, I'm trying to "prioritize" traffic, experiment with 'borrowing'
bandwidth, and testing with only one queue now - This one queue, although
it is the only queue, and this box is only on LAN with only sftp going - It
will not borrow anything more than what is defined...

Without altq, I get throughput in the MB ranges, so it's not a physical
limit, the queue is kicking in, but the child is not borrowing from parent
when parent is being _very_ underutilized.

]Peter[

From forn at ngs.ru Sat Mar 21 03:02:53 2009
From: forn at ngs.ru (forn)
Date: Sat Mar 21 03:03:00 2009
Subject: more tests - pf + altq + cbq(borrow) not borrowing from parent - all LAN
In-Reply-To: <65306.216.241.167.212.1237557217.squirrel@webmail.pknet.net>
References: <65306.216.241.167.212.1237557217.squirrel@webmail.pknet.net>
Message-ID: <49C4B6BC.6040108@ngs.ru>

Hello. I'm having the same problem. My system is 7.1-Stable i386.
Here's the entire pf.conf:

ext_if="le0"
int_if="le1"
all_if="{" $ext_if $int_if "}"
localnet="10.20.41.0/24"
int_ip="10.20.41.1"
ext_ip="10.20.40.61"
self="{" $int_ip $ext_ip "}"
uplink="10.20.40.1"

set skip on lo
scrub in

altq on $int_if cbq bandwidth 2Mb qlimit 500 queue { defaultq, sshq, localq }
queue defaultq bandwidth 500Kb cbq (default)
queue sshq bandwidth 100Kb cbq (borrow)
queue localq bandwidth 500Kb cbq { www, www5 }
queue www bandwidth 100Kb priority 1 cbq (borrow)
queue www5 bandwidth 250Kb priority 2 cbq (borrow)

nat on $ext_if from $localnet to any -> $ext_ip
rdr on $int_if proto tcp from $localnet to any port 80 -> 127.0.0.1 port 3128

block all
pass out quick from $self
pass in quick proto tcp to $self port ssh queue self_sshq
pass quick proto icmp
block return on $int_if all
pass in quick on $int_if proto tcp from $localnet to 127.0.0.1 port 3128 queue www
pass in quick on $int_if proto udp from $localnet to $self port 17094
pass in quick on $int_if proto udp from $localnet to $uplink port 53
pass in quick on $int_if proto tcp from $localnet to $uplink port 55080 queue www5

With this config, speed of traffic in queue www5 never goes higher than 250Kb.
But, if queue localq is set to borrow, as follows:

altq on $int_if cbq bandwidth 2Mb qlimit 500 queue { defaultq, sshq, localq }
queue defaultq bandwidth 500Kb cbq (default)
queue sshq bandwidth 100Kb cbq (borrow)
queue localq bandwidth 500Kb cbq (borrow) { www, www5 }
queue www bandwidth 100Kb priority 1 cbq (borrow)
queue www5 bandwidth 250Kb priority 2 cbq (borrow)

then queue www5 is able to take the full bandwidth of 2Mb (which is correct).
The physical link speed far surpasses 2Mb (actually, these are all virtual
machines set up for testing on the same server), so this can't be a problem.

From grishin-mailing-lists at minselhoz.samara.ru Sat Mar 21 03:28:38 2009
From: grishin-mailing-lists at minselhoz.samara.ru (Yuriy Grishin)
Date: Sat Mar 21 03:28:45 2009
Subject: synproxy on tuns
In-Reply-To: <49C1EF75.3010204@minselhoz.samara.ru>
References: <49C1EF75.3010204@minselhoz.samara.ru>
Message-ID: <49C4C14D.9090007@minselhoz.samara.ru>

update :

The address has been changed. Now it's
94.180.156.209

From sullrich at gmail.com Sat Mar 21 10:15:03 2009
From: sullrich at gmail.com (Scott Ullrich)
Date: Sat Mar 21 10:15:09 2009
Subject: synproxy on tuns
In-Reply-To: <49C4C14D.9090007@minselhoz.samara.ru>
References: <49C1EF75.3010204@minselhoz.samara.ru> <49C4C14D.9090007@minselhoz.samara.ru>
Message-ID:

2009/3/21 Yuriy Grishin :
> update :
>
> The address has been changed. Now it's
> 94.180.156.209

See the thread "synproxy state does not work on FreeBSD 7.1-PRERELEASE"

Hint: set skip on lo0

Scott

From grishin-mailing-lists at minselhoz.samara.ru Sat Mar 21 10:34:25 2009
From: grishin-mailing-lists at minselhoz.samara.ru (Yuriy Grishin)
Date: Sat Mar 21 10:34:35 2009
Subject: synproxy on tuns
In-Reply-To:
References: <49C1EF75.3010204@minselhoz.samara.ru> <49C4C14D.9090007@minselhoz.samara.ru>
Message-ID: <49C52520.8000609@minselhoz.samara.ru>

Scott Ullrich wrote:
> 2009/3/21 Yuriy Grishin :
>
>> update :
>>
>> The address has been changed. Now it's
>> 94.180.156.209
>>
>
> See the thread "synproxy state does not work on FreeBSD 7.1-PRERELEASE"
>
> Hint: set skip on lo0
>
> Scott
>
It's already set; but still doesn't work anyway.

From bugmaster at FreeBSD.org Mon Mar 23 04:07:01 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Mar 23 04:08:51 2009
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200903231107.n2NB70AM004091@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.


S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
o kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o kern/130977  pf         [netgraph][pf] kernel panic trap 12 on user connect to
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/129060  pf         [pf] [tun] pf doesn't forget the old tun IP
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf         [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf         [pf] deadlock in pf
o kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/82271   pf         [pf] cbq scheduler cause bad latency

32 problems total.

From fbsdq at peterk.org Mon Mar 23 09:04:09 2009
From: fbsdq at peterk.org (Peter)
Date: Mon Mar 23 09:04:16 2009
Subject: more tests - pf + altq + cbq(borrow) not borrowing from parent - all LAN
Message-ID: <62927.216.241.167.212.1237824237.squirrel@webmail.pknet.net>

>
> Hello. I'm having the same problem. My system is 7.1-Stable i386.
> Here's the entire pf.conf:
snip
> With this config, speed of traffic in queue www5 never goes higher
> than 250Kb.
> But, if queue localq is set to borrow, as follows:
snip
> then queue www5 is able to take the full bandwidth of 2Mb (which is
> correct).
> The physical link speed far surpasses 2Mb (actually, these are all
> virtual machines set up for testing on the same server), so this can't
> be a problem.

iH,
Installed openbsd 4.4 [VM on ESX] - Still seeing the same problem -
Using one of the pf faq examples - still can't figure out what I'm
missing:

OpenBSD openbsd.my.domain 4.4 GENERIC#1021 i386

# grep -v "^#" /etc/pf.conf |grep -v ^$
set skip on lo0
altq on vic0 cbq bandwidth 5Mb queue { std, ssh, ftp }
queue std bandwidth 1Mb cbq(default)
queue ssh bandwidth 500Kb { ssh_login, ssh_bulk }
queue ssh_login bandwidth 50% priority 4 cbq(borrow)
queue ssh_bulk bandwidth 50% cbq(borrow)
queue ftp bandwidth 500Kb priority 3 cbq(borrow red)
pass in quick on vic0 proto tcp from any to port 222 flags S/SA keep state queue ssh_login
pass in on vic0 proto tcp from any flags S/SA keep state
pass out on vic0 proto tcp from any to any flags S/SA keep state queue ssh_login

pfctl -vvsq shows the 'ssh_login' queue is being used.
doing sftp transfer over sshd on port 222 [just to isolate it]
traffic stays at ~250Kb, does not borrow

queue root_vic0 on vic0 bandwidth 5Mb priority 0 cbq( wrr root ) {std, ssh, ftp}
  [ pkts:        799  bytes:     781987  dropped pkts:      0 bytes:      0 ]
  [ qlength:  0/ 50  borrows:      0  suspends:      0 ]
  [ measured:    32.4 packets/s, 271.97Kb/s ]
queue std on vic0 bandwidth 1Mb cbq( default )
  [ pkts:        115  bytes:      16978  dropped pkts:      0 bytes:      0 ]
  [ qlength:  0/ 50  borrows:      0  suspends:      0 ]
  [ measured:     5.2 packets/s, 6.20Kb/s ]
queue ssh on vic0 bandwidth 500Kb {ssh_login, ssh_bulk}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:  0/ 50  borrows:      0  suspends:      0 ]
  [ measured:     0.0 packets/s, 0 b/s ]
queue ssh_login on vic0 bandwidth 250Kb priority 4 cbq( borrow )
  [ pkts:        684  bytes:     765009  dropped pkts:      0 bytes:      0 ]
  [ qlength: 14/ 50  borrows:    508  suspends:     97 ]
  [ measured:    27.2 packets/s, 265.77Kb/s ]
queue ssh_bulk on vic0 bandwidth 250Kb cbq( borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:  0/ 50  borrows:      0  suspends:      0 ]
  [ measured:     0.0 packets/s, 0 b/s ]
queue ftp on vic0 bandwidth 500Kb priority 3 cbq( red borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:  0/ 50  borrows:      0  suspends:      0 ]
  [ measured:     0.0 packets/s, 0 b/s ]


Changing the parent 'ssh' queue to borrow:
# grep -v "^#" /etc/pf.conf |grep -v ^$
set skip on lo0
altq on vic0 cbq bandwidth 5Mb queue { std, ssh, ftp }
queue std bandwidth 1Mb cbq(default)
queue ssh bandwidth 500Kb cbq(borrow) { ssh_login, ssh_bulk }
queue ssh_login bandwidth 50% priority 4 cbq(borrow)
queue ssh_bulk bandwidth 50% cbq(borrow)
queue ftp bandwidth 500Kb priority 3 cbq(borrow red)
pass in quick on vic0 proto tcp from any to port 222 flags S/SA keep state queue ssh_login
pass in on vic0 proto tcp from any flags S/SA keep state
pass out on vic0 proto tcp from any to any flags S/SA keep state queue ssh_login

traffic pretty much uses up right near 5MB...

So not a FreeBSD issue it almost seems like it.
Have not tried OpenBSD mailing list yet.
I'm misunderstanding how pf/cbq should work?

]Peter[

From emagutu at gmail.com Tue Mar 24 08:16:25 2009
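Added example (editor's code, not part of any message in this thread): a small parser for the `pfctl -vvsq` CBQ output Peter posted above, which turns the per-queue blocks into a tree and flags the exact symptom reported by Peter and by forn: a child queue with `borrow` that is running at its own configured bandwidth and is borrowing heavily, while its parent has no `borrow` flag of its own. The sample input is the output quoted in the message above (vic0, 5Mb root); the 90% "pinned at its limit" threshold is a constructed choice, not anything pf defines.

```python
"""Parse 'pfctl -vvsq' CBQ output and flag child queues pinned at their own
bandwidth while their parent has no 'borrow' flag. Added example, not code
from the thread; the sample is the pfctl output posted in the thread."""
import re

# Sample taken from the pfctl -vvsq output quoted in the thread (vic0, CBQ).
SAMPLE = """\
queue root_vic0 on vic0 bandwidth 5Mb priority 0 cbq( wrr root ) {std, ssh, ftp}
  [ pkts:        799  bytes:     781987  dropped pkts:      0 bytes:      0 ]
  [ qlength:  0/ 50  borrows:      0  suspends:      0 ]
  [ measured:    32.4 packets/s, 271.97Kb/s ]
queue std on vic0 bandwidth 1Mb cbq( default )
  [ pkts:        115  bytes:      16978  dropped pkts:      0 bytes:      0 ]
  [ qlength:  0/ 50  borrows:      0  suspends:      0 ]
  [ measured:     5.2 packets/s, 6.20Kb/s ]
queue ssh on vic0 bandwidth 500Kb {ssh_login, ssh_bulk}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:  0/ 50  borrows:      0  suspends:      0 ]
  [ measured:     0.0 packets/s, 0 b/s ]
queue ssh_login on vic0 bandwidth 250Kb priority 4 cbq( borrow )
  [ pkts:        684  bytes:     765009  dropped pkts:      0 bytes:      0 ]
  [ qlength: 14/ 50  borrows:    508  suspends:     97 ]
  [ measured:    27.2 packets/s, 265.77Kb/s ]
queue ssh_bulk on vic0 bandwidth 250Kb cbq( borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:  0/ 50  borrows:      0  suspends:      0 ]
  [ measured:     0.0 packets/s, 0 b/s ]
queue ftp on vic0 bandwidth 500Kb priority 3 cbq( red borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:  0/ 50  borrows:      0  suspends:      0 ]
  [ measured:     0.0 packets/s, 0 b/s ]
"""

UNITS = {"b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}

# "queue NAME on IFACE bandwidth BW [priority N] [cbq( opts )] [{children}]"
HEADER = re.compile(r"^queue (\S+) on (\S+) bandwidth (\S+)(?: priority \d+)?"
                    r"(?: cbq\(([^)]*)\))?(?: \{([^}]*)\})?\s*$")
BORROWS = re.compile(r"borrows:\s*(\d+)")
MEASURED = re.compile(r"measured:.*?,\s*([\d.]+\s*(?:Gb|Mb|Kb|b))/s")


def to_bps(text):
    """'250Kb', '271.97Kb/s' or '0 b/s' -> bits per second (float)."""
    m = re.match(r"([\d.]+)\s*(Gb|Mb|Kb|b)", text)
    return float(m.group(1)) * UNITS[m.group(2)]


def parse_queues(text):
    """Return {name: {bandwidth, borrow, children, borrows, measured, parent}}."""
    queues, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            name, _iface, bw, opts, kids = m.groups()
            current = queues[name] = {
                "bandwidth": to_bps(bw),
                "borrow": "borrow" in (opts or "").split(),
                "children": [k.strip() for k in kids.split(",")] if kids else [],
                "borrows": 0, "measured": 0.0, "parent": None}
            continue
        if current is None:
            continue
        b = BORROWS.search(line)
        if b:
            current["borrows"] = int(b.group(1))
        r = MEASURED.search(line)
        if r:
            current["measured"] = to_bps(r.group(1))
    for name, q in queues.items():       # second pass: link children to parents
        for child in q["children"]:
            if child in queues:
                queues[child]["parent"] = name
    return queues


def stuck_children(queues, threshold=0.9):
    """Borrow-enabled queues running at >= threshold of their own bandwidth
    and actively borrowing, whose (non-root) parent cannot borrow itself."""
    found = []
    for name, q in queues.items():
        parent = queues.get(q["parent"])
        if parent is None or parent["parent"] is None:
            continue                     # root, or a direct child of root
        if (q["borrow"] and q["borrows"] > 0
                and q["measured"] >= threshold * q["bandwidth"]
                and not parent["borrow"]):
            found.append(name)
    return sorted(found)


if __name__ == "__main__":
    qs = parse_queues(SAMPLE)
    for name in stuck_children(qs):      # prints: ssh_login (parent ssh has no borrow)
        print(f"{name} (parent {qs[name]['parent']} has no borrow)")
```

Run it against saved `pfctl -vvsq` output to get the same answer the thread reached by hand: `ssh_login` is at its 250Kb with 508 borrows while its parent `ssh` carries no `borrow`, whereas `ftp`, a direct child of the root, is not reported because there is no intermediate parent to block it.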
From: emagutu at gmail.com (Eric Magutu)
Date: Tue Mar 24 08:16:31 2009
Subject: first firewall with pf
Message-ID:

Hi,

I am converting some systems from Linux to FreeBSD and I'm new to pf. I
wanted to run this on a live system but I'm not sure if everything is
correct. Can you please advise me if it would work and if there is anything
I need to add or remove to make it work.

I have written the following pf.conf:

########
#Tests #
########

#check syntax of rules
# pfctl -vf /etc/pf.conf

#interpret rules but don't load
# pfctl -nf /etc/pf.conf

#############
#interfaces #
#############
ext_if="bce0"
ext_if2="bce1"

#####################
#ports to be opened #
#####################

#tcp ports
good_port_tcp="{ 22, 80, 110, 143, 161, 443, 873, 3306, 40555 }"

#udp ports
good_port_udp="{ 161, 873 }"

#############################################
#allow all connections from and to loopback #
#############################################

pass in quick on lo0 all keep state
pass out quick on lo0 all keep state

########################################################
#allow all connections out through external interfaces #
########################################################

pass out quick on $ext_if all keep state
pass out quick on $ext_if2 all keep state

##############
#Blocked ips #
##############

# 1.2.3.4 is the ip you want to block
block in quick on $ext_if inet 1.2.3.4

# 1.2.3.4/24 is the ip range you want to block
block in quick on $ext_if inet 1.2.3.4/24

############################
#smtp connections allowed #
############################

#a.b.c.d is the server's ip
#Euro servers
pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep state

#American servers
pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep state

#from the old iptables???
pass in quick on $ext_if proto tcp from x.x.x.x/27 to a.b.c.d port 22 keep state

###################################
# pass traffic from allowed ports #
###################################

#pass traffic from allowed tcp ports
pass in quick on $ext_if inet proto tcp from any to a.b.c.d port $good_port_tcp keep state

#pass traffic from allowed udp ports
pass in quick on $ext_if inet proto tcp from any to a.b.c.d port $good_port_tcp keep state

##########################################
# allow connections from NMC and servers #
##########################################

#x.x.x.x/12 are the internal ips NMC access with
pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/12 to a.b.c.d keep state

#x.x.x.x/24 are the ips for the other European servers
pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to a.b.c.d keep state

#x.x.x.x/24 are the ips for the American servers
pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to a.b.c.d keep state

##########################
#block all other traffic #
##########################

# should be last rule

block in quick on $ext_if all

##################################################
#for any questions contact Eric#
##################################################

-- 
Regards,
Eric Magutu

From emagutu at gmail.com Tue Mar 24 08:27:51 2009
From: emagutu at gmail.com (Eric Magutu)
Date: Tue Mar 24 08:27:59 2009
Subject: first firewall with pf
In-Reply-To: <4ad871310903240820j50d89ac1xacd732eab8adc55d@mail.gmail.com>
References: <4ad871310903240820j50d89ac1xacd732eab8adc55d@mail.gmail.com>
Message-ID:

Thanks I'll change that

On Tue, Mar 24, 2009 at 6:20 PM, Glen Barber wrote:

> On Tue, Mar 24, 2009 at 10:47 AM, Eric Magutu wrote:
> [snip]
> >
> > ##########################
> > #block all other traffic #
> > ##########################
> >
> > # should be last rule
> >
> > block in quick on $ext_if all
> >
> >
>
> This should not be the last rule. PF implements the rules in a
> top-down fashion, where the last rule always wins. Without actually
> loading this ruleset on my own system, it appears this rule will block
> all incoming / outgoing traffic completely.
>
> This rule should be placed above all of your 'pass' rules.
>
>
> --
> Glen Barber
>

-- 
Regards,
Eric Magutu

From fbsdq at peterk.org Tue Mar 24 08:39:25 2009
From: fbsdq at peterk.org (Peter)
Date: Tue Mar 24 08:39:37 2009
Subject: SOLVED-pf + altq + cbq(borrow) not borrowing from parent - all LAN
Message-ID: <59094.216.241.167.212.1237909163.squirrel@webmail.pknet.net>

iH,
cbq does not work as advertised
child will not borrow from parent unless parent borrows from root
So a tree did not work:
root
  parent1
    p1.child1(borrow)
    p1.child2(borrow)
  parent2
    p2.child1(borrow)
    p2.child2(borrow)

*child* does not borrow, unless parent is set to borrow from root.
parent borrows no problem. Tried this on openbsd 4.4 - same results.

short answer: '%s/cbq/hfsc/g'

solution that's worked for me:

altq on fxp0 bandwidth 100Mb hfsc queue {internal external}
queue internal bandwidth 98Mb hfsc(default)
queue external bandwidth 876Kb hfsc(upperlimit 876Kb) {poshta abakan usrx11 imvas }
queue poshta bandwidth 70% hfsc(realtime 70%)
queue abakan bandwidth 10% hfsc(realtime 10%)
queue usrx11 bandwidth 10% hfsc(realtime 10%)
queue imvas bandwidth 10% hfsc(realtime 10%)

When I did not put in the upperlimit for 'external' queue, it would borrow
up to 100Mb from root queue. - making the external queue children
pointless. This way internal LAN goes at 98Mb, and external WAN is limited
to 876Kb and then I break it up further by IPs.

Downloading from usrx11 - speed = ~100KB
as soon as I start a dl from poshta, usrx11 speed drops to ~12KB, and
poshta speed goes to ~86KB.
As soon as dl from poshta is cancelled, dl from usrx11 goes to ~100KB

]Peter[

>>
>> Hello. I'm having the same problem. My system is 7.1-Stable i386.
>> Here's the entire pf.conf:
> snip
>> With this config, speed of traffic in queue www5 never goes higher
>> than 250Kb.
>> But, if queue localq is set to borrow, as follows:
> snip
>> then queue www5 is able to take the full bandwidth of 2Mb (which is
>> correct).
>> The physical link speed far surpasses 2Mb (actually, these are all
>> virtual machines set up for testing on the same server), so this
>> can't
>> be a problem.
>
> iH,
> Installed openbsd 4.4 [VM on ESX] - Still seeing the same problem -
> Using one of the pf faq examples - still can't figure out what I'm
> missing:
>
> OpenBSD openbsd.my.domain 4.4 GENERIC#1021 i386
>
> # grep -v "^#" /etc/pf.conf |grep -v ^$
> set skip on lo0
> altq on vic0 cbq bandwidth 5Mb queue { std, ssh, ftp }
> queue std bandwidth 1Mb cbq(default)
> queue ssh bandwidth 500Kb { ssh_login, ssh_bulk }
> queue ssh_login bandwidth 50% priority 4 cbq(borrow)
> queue ssh_bulk bandwidth 50% cbq(borrow)
> queue ftp bandwidth 500Kb priority 3 cbq(borrow red)
> pass in quick on vic0 proto tcp from any to port 222 flags S/SA keep state
> queue ssh_login
> pass in on vic0 proto tcp from any flags S/SA keep state
> pass out on vic0 proto tcp from any to any flags S/SA keep state queue
> ssh_login
>
> pfctl -vvsq shows the 'ssh_login' queue is being used.
> doing sftp transfer over sshd on port 222 [just to isolate it]
> traffic stays at ~250Kb, does not borrow
>
> queue root_vic0 on vic0 bandwidth 5Mb priority 0 cbq( wrr root ) {std, ssh, ftp}
>   [ pkts:        799  bytes:     781987  dropped pkts:      0 bytes:      0 ]
>   [ qlength:  0/ 50  borrows:      0  suspends:      0 ]
>   [ measured:    32.4 packets/s, 271.97Kb/s ]
> queue std on vic0 bandwidth 1Mb cbq( default )
>   [ pkts:        115  bytes:      16978  dropped pkts:      0 bytes:      0 ]
>   [ qlength:  0/ 50  borrows:      0  suspends:      0 ]
>   [ measured:     5.2 packets/s, 6.20Kb/s ]
> queue ssh on vic0 bandwidth 500Kb {ssh_login, ssh_bulk}
>   [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
>   [ qlength:  0/ 50  borrows:      0  suspends:      0 ]
>   [ measured:     0.0 packets/s, 0 b/s ]
> queue ssh_login on vic0 bandwidth 250Kb priority 4 cbq( borrow )
>   [ pkts:        684  bytes:     765009  dropped pkts:      0 bytes:      0 ]
>   [ qlength: 14/ 50  borrows:    508  suspends:     97 ]
>   [ measured:    27.2 packets/s, 265.77Kb/s ]
> queue ssh_bulk on vic0 bandwidth 250Kb cbq( borrow )
>   [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
>   [ qlength:  0/ 50  borrows:      0  suspends:      0 ]
>   [ measured:     0.0 packets/s, 0 b/s ]
> queue ftp on vic0 bandwidth 500Kb priority 3 cbq( red borrow )
>   [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
>   [ qlength:  0/ 50  borrows:      0  suspends:      0 ]
>   [ measured:     0.0 packets/s, 0 b/s ]
>
>
> Changing the parent 'ssh' queue to borrow:
> # grep -v "^#" /etc/pf.conf |grep -v ^$
> set skip on lo0
> altq on vic0 cbq bandwidth 5Mb queue { std, ssh, ftp }
> queue std bandwidth 1Mb cbq(default)
> queue ssh bandwidth 500Kb cbq(borrow) { ssh_login, ssh_bulk }
> queue ssh_login bandwidth 50% priority 4 cbq(borrow)
> queue ssh_bulk bandwidth 50% cbq(borrow)
> queue ftp bandwidth 500Kb priority 3 cbq(borrow red)
> pass in quick on vic0 proto tcp from any to port 222 flags S/SA keep state
> queue ssh_login
> pass in on vic0 proto tcp from any flags S/SA keep state
> pass out on vic0 proto tcp from any to any flags S/SA keep state queue
> ssh_login
>
> traffic pretty much uses up right near 5MB...
>
> So not a FreeBSD issue it almost seems like it.
> Have not tried OpenBSD mailing list yet.
> I'm misunderstanding how pf/cbq should work?
>
> ]Peter[
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From glen.j.barber at gmail.com Tue Mar 24 08:44:47 2009
From: glen.j.barber at gmail.com (Glen Barber)
Date: Tue Mar 24 08:44:53 2009
Subject: first firewall with pf
In-Reply-To:
References:
Message-ID: <4ad871310903240820j50d89ac1xacd732eab8adc55d@mail.gmail.com>

On Tue, Mar 24, 2009 at 10:47 AM, Eric Magutu wrote:
[snip]
>
> ##########################
> #block all other traffic #
> ##########################
>
> # should be last rule
>
> block in quick on $ext_if all
>
>

This should not be the last rule. PF implements the rules in a
top-down fashion, where the last rule always wins. Without actually
loading this ruleset on my own system, it appears this rule will block
all incoming / outgoing traffic completely.

This rule should be placed above all of your 'pass' rules.


-- 
Glen Barber

From emagutu at gmail.com Tue Mar 24 08:47:45 2009
From: emagutu at gmail.com (Eric Magutu)
Date: Tue Mar 24 08:47:52 2009
Subject: first firewall with pf
In-Reply-To:
References: <4ad871310903240820j50d89ac1xacd732eab8adc55d@mail.gmail.com>
Message-ID:

does the rule to block all other traffic have to be explicitly mentioned?

On Tue, Mar 24, 2009 at 6:27 PM, Eric Magutu wrote:

> Thanks I'll change that
>
>
> On Tue, Mar 24, 2009 at 6:20 PM, Glen Barber wrote:
>
>> On Tue, Mar 24, 2009 at 10:47 AM, Eric Magutu wrote:
>> [snip]
>> >
>> > ##########################
>> > #block all other traffic #
>> > ##########################
>> >
>> > # should be last rule
>> >
>> > block in quick on $ext_if all
>> >
>> >
>>
>> This should not be the last rule. PF implements the rules in a
>> top-down fashion, where the last rule always wins. Without actually
>> loading this ruleset on my own system, it appears this rule will block
>> all incoming / outgoing traffic completely.
>>
>> This rule should be placed above all of your 'pass' rules.
>>
>>
>> --
>> Glen Barber
>>
>
>
>
> --
> Regards,
> Eric Magutu
>
>

-- 
Regards,
Eric Magutu

From glen.j.barber at gmail.com Tue Mar 24 08:48:33 2009
From: glen.j.barber at gmail.com (Glen Barber)
Date: Tue Mar 24 08:48:39 2009
Subject: first firewall with pf
In-Reply-To:
References: <4ad871310903240820j50d89ac1xacd732eab8adc55d@mail.gmail.com>
Message-ID: <4ad871310903240848o77577209n25f12cd5f45d3cfc@mail.gmail.com>

On Tue, Mar 24, 2009 at 11:47 AM, Eric Magutu wrote:
> does the rule to block all other traffic have to be explicitly mentioned?
>

Yes.

-- 
Glen Barber

From pp at pp.dyndns.biz Tue Mar 24 09:04:13 2009
From: pp at pp.dyndns.biz (Pojken Purken)
Date: Tue Mar 24 09:04:20 2009
Subject: SOLVED-pf + altq + cbq(borrow) not borrowing from parent - all LAN
In-Reply-To: <59094.216.241.167.212.1237909163.squirrel@webmail.pknet.net>
References: <59094.216.241.167.212.1237909163.squirrel@webmail.pknet.net>
Message-ID: <49C90468.4030604@pp.dyndns.biz>

Peter wrote:
> iH,
> cbq does not work as advertised
> child will not borrow from parent unless parent borrows from root
> So a tree did not work:
> root
>   parent1
>     p1.child1(borrow)
>     p1.child2(borrow)
>   parent2
>     p2.child1(borrow)
>     p2.child2(borrow)
>
> *child* does not borrow, unless parent is set to borrow from root.
> parent borrows no problem. Tried this on openbsd 4.4 - same results.
>
> short answer: '%s/cbq/hfsc/g'

Nice catch. Problem seems to have been around since 2007.
http://lists.freebsd.org/pipermail/freebsd-pf/2007-February/003021.html

/Morgan

From emagutu at gmail.com Tue Mar 24 09:09:26 2009
From: emagutu at gmail.com (Eric Magutu)
Date: Tue Mar 24 09:09:33 2009
Subject: first firewall with pf
In-Reply-To: <17838240D9A5544AAA5FF95F8D52031605B42800@ad-exh01.adhost.lan>
References: <17838240D9A5544AAA5FF95F8D52031605B42800@ad-exh01.adhost.lan>
Message-ID:

Hi Mike,

I will make the changes, there is no internal interface though.
Yes I meant SMTP

Thanks for your input

On Tue, Mar 24, 2009 at 6:56 PM, Michael K. Smith - Adhost <
mksmith@adhost.com> wrote:

> Hello:
>
> > #############
> > #interfaces #
> > #############
> > ext_if="bce0"
> > ext_if2="bce1"
> >
> I would also define your inside interface(s), not just your outside. Let's
> call it "bce2" for the example:
>
> int_if="bce2"
>
> >
> > #############################################
> > #allow all connections from and to loopback #
> > #############################################
> >
> > pass in quick on lo0 all keep state
> > pass out quick on lo0 all keep state
> >
> You might want to add anti-spoofing as well (can't come in on your IP's)
>
> antispoof quick for { lo $ext_if $ext_if2 } inet
>
> > ########################################################
> > #allow all connections out through external interfaces #
> > ########################################################
> >
> You can shorten these (as below)
>
> > pass out quick on $ext_if all keep state
> > pass out quick on $ext_if2 all keep state
> pass out quick on { $ext_if $ext_if2 $int_if }
>
> Also, add an inbound allow for your inside interface, unless you want to
> block things more granularly.
>
> pass in quick on $int_if
>
> >
> > ############################
> > #smtp connections allowed #
> > ############################
> >
> Did you mean SSH? If you meant SMTP you should change 22 to 25
>
> >#a.b.c.d is the server's ip
> > #Euro servers
> > pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22
> keep
> > state
> >
> > #American servers
> > pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22
> keep
> > state
> >
> > #from the old iptables???
> > pass in quick on $ext_if proto tcp from x.x.x.x/27 to a.b.c.d port 22
> keep
> > state
> >
> >
> > ###################################
> > # pass traffic from allowed ports #
> > ###################################
> >
> >
> > #pass traffic from allowed tcp ports
> > pass in quick on $ext_if inet proto tcp from any to a.b.c.d port
> > $good_port_tcp keep state
> >
> > #pass traffic from allowed udp ports
> > pass in quick on $ext_if inet proto tcp from any to a.b.c.d port
> > $good_port_tcp keep state
> >
> > ##########################################
> > # allow connections from NMC and servers #
> > ##########################################
> >
> I would limit ICMP to echo-request from the outside.
>
> pass in quick on { $ext_if $ext_if2 } proto icmp from x.x.x.x/12 to a.b.c.d
> icmp-type { echoreq trace }
>
> > #x.x.x.x/12 are the internal ips NMC access with
> > pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/12 to
> > a.b.c.d keep state
> >
> > #x.x.x.x/24 are the ips for the other European servers
> > pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to
> > a.b.c.d keep state
> >
> > #x.x.x.x/24 are the ips for the American servers
> > pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to
> > a.b.c.d keep state
> >
> >
> > ##########################
> > #block all other traffic #
> > ##########################
> >
> > # should be last rule
> >
> > block in quick on $ext_if all
> >
> Should be first as previously discussed.
>
> Regards,
>
> Mike
>

-- 
Regards,
Eric Magutu

From fbsdq at peterk.org Tue Mar 24 09:13:30 2009
From: fbsdq at peterk.org (Peter)
Date: Tue Mar 24 09:13:38 2009
Subject: first firewall with pf
Message-ID: <53529.216.241.167.212.1237911183.squirrel@webmail.pknet.net>

> On Tue, Mar 24, 2009 at 10:47 AM, Eric Magutu wrote:
> [snip]
>>
>> ##########################
>> #block all other traffic #
>> ##########################
>>
>> # should be last rule
>>
>> block in quick on $ext_if all
>>
>
> This should not be the last rule. PF implements the rules in a
> top-down fashion, where the last rule always wins. Without actually
> loading this ruleset on my own system, it appears this rule will block
> all incoming / outgoing traffic completely.
>
> This rule should be placed above all of your 'pass' rules.
>
> --
> Glen Barber

Notice he has the 'quick' keyword in all his rules. Placing this rule on top will 'quick' block everyone without parsing any other rules.

Rules ~should~ be:

block all
pass out keep state
block quick proto tcp from ZZ to port XX
pass in proto tcp port XX keep state
pass in proto tcp port YY keep state

This will:
- allow outbound everything
- allow inbound only on ports XX,YY except from ZZ
- all other packets will match rule 'block all'

]Peter[

From mksmith at adhost.com Tue Mar 24 09:14:19 2009
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Tue Mar 24 09:14:27 2009
Subject: first firewall with pf
In-Reply-To:
References:
Message-ID: <17838240D9A5544AAA5FF95F8D52031605B42800@ad-exh01.adhost.lan>

Hello:

> #############
> #interfaces #
> #############
> ext_if="bce0"
> ext_if2="bce1"

I would also define your inside interface(s), not just your outside. Let's call it "bce2" for the example:

int_if="bce2"

> #############################################
> #allow all connections from and to loopback #
> #############################################
>
> pass in quick on lo0 all keep state
> pass out quick on lo0 all keep state

You might want to add anti-spoofing as well (can't come in on your IP's)

antispoof quick for { lo $ext_if $ext_if2 } inet

> ########################################################
> #allow all connections out through external interfaces #
> ########################################################

You can shorten these (as below)

> pass out quick on $ext_if all keep state
> pass out quick on $ext_if2 all keep state

pass out quick on { $ext_if $ext_if2 $int_if }

Also, add an inbound allow for your inside interface, unless you want to block things more granularly.

pass in quick on $int_if

> ############################
> #smtp connections allowed #
> ############################

Did you mean SSH? If you meant SMTP you should change 22 to 25

> #a.b.c.d is the server's ip
> #Euro servers
> pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep state
>
> #American servers
> pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep state
>
> #from the old iptables???
> pass in quick on $ext_if proto tcp from x.x.x.x/27 to a.b.c.d port 22 keep state
>
> ###################################
> # pass traffic from allowed ports #
> ###################################
>
> #pass traffic from allowed tcp ports
> pass in quick on $ext_if inet proto tcp from any to a.b.c.d port $good_port_tcp keep state
>
> #pass traffic from allowed udp ports
> pass in quick on $ext_if inet proto udp from any to a.b.c.d port $good_port_udp keep state
>
> ##########################################
> # allow connections from NMC and servers #
> ##########################################

I would limit ICMP to echo-request from the outside.

pass in quick on { $ext_if $ext_if2 } proto icmp from x.x.x.x/12 to a.b.c.d icmp-type { echoreq trace }

> #x.x.x.x/12 are the internal ips NMC access with
> pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/12 to a.b.c.d keep state
>
> #x.x.x.x/24 are the ips for the other European servers
> pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to a.b.c.d keep state
>
> #x.x.x.x/24 are the ips for the American servers
> pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to a.b.c.d keep state
>
> ##########################
> #block all other traffic #
> ##########################
>
> # should be last rule
>
> block in quick on $ext_if all

Should be first as previously discussed.

Regards,

Mike

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 474 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-pf/attachments/20090324/ed0cdbe5/PGP.pgp

From dfeustel at mindspring.com Tue Mar 24 09:24:22 2009
From: dfeustel at mindspring.com (Dave Feustel)
Date: Tue Mar 24 09:24:28 2009
Subject: first firewall with pf
In-Reply-To:
Message-ID: <20090324162417.5186D8FC16@mx1.freebsd.org>

On Tue, Mar 24, 2009 at 06:47:40PM +0300, Eric Magutu wrote:
> does the rule to block all other traffic have to be explicitly mentioned?
>
> On Tue, Mar 24, 2009 at 6:27 PM, Eric Magutu wrote:
>
> > Thanks I'll change that
> >
> > On Tue, Mar 24, 2009 at 6:20 PM, Glen Barber wrote:
> >
> >> On Tue, Mar 24, 2009 at 10:47 AM, Eric Magutu wrote:
> >> [snip]
> >> >
> >> > ##########################
> >> > #block all other traffic #
> >> > ##########################
> >> >
> >> > # should be last rule
> >> >
> >> > block in quick on $ext_if all

Change this rule to

block in on $ext_if all

and then make it the first rule. The word 'quick' says don't evaluate any more rules if this matches.

From fbsdq at peterk.org Tue Mar 24 11:03:52 2009
From: fbsdq at peterk.org (Peter)
Date: Tue Mar 24 11:03:58 2009
Subject: SOLVED-pf + altq + cbq(borrow) not borrowing from parent - all LAN
Message-ID: <56050.216.241.167.212.1237917830.squirrel@webmail.pknet.net>

> Peter wrote:
>> Hi,
>> cbq does not work as advertised:
>> child will not borrow from parent unless parent borrows from root.
>> So a tree like this did not work:
>> root
>>   parent1
>>     p1.child1(borrow)
>>     p1.child2(borrow)
>>   parent2
>>     p2.child1(borrow)
>>     p2.child2(borrow)
>>
>> *child* does not borrow, unless parent is set to borrow from root.
>> parent borrows no problem. Tried this on openbsd 4.4 - same results.
>>
>> short answer: '%s/cbq/hfsc/g'
>
> Nice catch. Problem seems to have been around since 2007.
> http://lists.freebsd.org/pipermail/freebsd-pf/2007-February/003021.html
> /Morgan

Saw that. First I thought "definitely must be fixed by now, I'm doing something wrong"... Then, hmmm... does the openbsd example work in openbsd? Nope - same borrowing problem on there.

]Peter[

From forn at ngs.ru Tue Mar 24 11:55:15 2009
From: forn at ngs.ru (forn)
Date: Tue Mar 24 11:55:23 2009
Subject: SOLVED-pf + altq + cbq(borrow) not borrowing from parent - all LAN
In-Reply-To: <56050.216.241.167.212.1237917830.squirrel@webmail.pknet.net>
References: <56050.216.241.167.212.1237917830.squirrel@webmail.pknet.net>
Message-ID: <49C92C76.2000203@ngs.ru>

The problem is known and not fixed for 2 years?! I'm starting to think that replacing my linux router with freebsd is not such a good idea at all.

Peter wrote:
> Saw that. First I thought "definitely must be fixed by now, I'm doing something wrong"... Then, hmmm... does the openbsd example work in openbsd? Nope - same borrowing problem on there.
>
> ]Peter[
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From forn at ngs.ru Tue Mar 24 12:06:16 2009
From: forn at ngs.ru (forn)
Date: Tue Mar 24 12:06:22 2009
Subject: first firewall with pf
In-Reply-To: <20090324162417.5186D8FC16@mx1.freebsd.org>
References: <20090324162417.5186D8FC16@mx1.freebsd.org>
Message-ID: <49C92F0E.6040109@ngs.ru>

"block in quick on $ext_if all" being the last and "block in on $ext_if all" being the first do absolutely the same thing. No point in changing.

Eric, you might want to just do "set skip on lo" instead of allowing all through it, and add "scrub in" to normalize packets coming in.

Dave Feustel wrote:
> Change this rule to
> block in on $ext_if all
> and then make it the first rule.
> The word 'quick' says don't evaluate any more rules if this matches.
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From myself at rojer.pp.ru Tue Mar 24 16:33:03 2009
From: myself at rojer.pp.ru (Deomid Ryabkov)
Date: Tue Mar 24 16:33:10 2009
Subject: 8.0-CURRENT: having pf enabled without any rules impacts forwarding performance
Message-ID: <49C96933.4030901@rojer.pp.ru>

i have a machine with nc running through it.
with pf disabled, i see 960-970 mbit/s through it (as reported by systat -ifstat).
just having pf enabled, with empty ruleset:

# pfctl -vs nat
# pfctl -vs rules
#

reduces throughput to about 700 mbit.
this seems wrong. any ideas why this might be happening?

OS: 8.0-CURRENT #0: Fri Feb 27 04:20:49 MSK 2009

thanks.

--
Deomid Ryabkov aka Rojer
myself@rojer.pp.ru
rojer@sysadmins.ru
ICQ: 8025844

From max at love2party.net Tue Mar 24 17:07:42 2009
From: max at love2party.net (Max Laier)
Date: Tue Mar 24 17:07:48 2009
Subject: 8.0-CURRENT: having pf enabled without any rules impacts forwarding performance
In-Reply-To: <49C96933.4030901@rojer.pp.ru>
References: <49C96933.4030901@rojer.pp.ru>
Message-ID: <200903250107.36160.max@love2party.net>

On Wednesday 25 March 2009 00:13:55 Deomid Ryabkov wrote:
> i have a machine with nc running through it.
> with pf disabled, i see 960-970 mbit/s through it (as reported by systat
> -ifstat).
> just having pf enabled, with empty ruleset:
>
> # pfctl -vs nat
> # pfctl -vs rules
> #
>
> reduces throughput to about 700 mbit.
> this seems wrong. any ideas why this might be happening?

You have to search the (empty) ruleset for the (implicit) default "pass all" rule. This is somewhat expensive. Then there is the pf mutex (quite expensive) and the pfil rm_lock (not so much). In addition the pf mutex is a single, global lock and thus reduces the opportunity for parallelism.

> OS: 8.0-CURRENT #0: Fri Feb 27 04:20:49 MSK 2009
>
> thanks.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From myself at rojer.pp.ru Tue Mar 24 17:22:23 2009
From: myself at rojer.pp.ru (Deomid Ryabkov)
Date: Tue Mar 24 17:22:29 2009
Subject: 8.0-CURRENT: having pf enabled without any rules impacts forwarding performance
In-Reply-To: <200903250107.36160.max@love2party.net>
References: <49C96933.4030901@rojer.pp.ru> <200903250107.36160.max@love2party.net>
Message-ID: <49C97936.6020208@rojer.pp.ru>

Max Laier wrote:
> On Wednesday 25 March 2009 00:13:55 Deomid Ryabkov wrote:
>> i have a machine with nc running through it.
>> with pf disabled, i see 960-970 mbit/s through it (as reported by systat
>> -ifstat).
>> just having pf enabled, with empty ruleset:
>>
>> # pfctl -vs nat
>> # pfctl -vs rules
>> #
>>
>> reduces throughput to about 700 mbit.
>> this seems wrong. any ideas why this might be happening?
>
> You have to search the (empty) ruleset for the (implicit) default "pass all"
> rule. This is somewhat expensive. Then there is the pf mutex (quite
> expensive) and the pfil rm_lock (not so much). In addition the pf mutex is a
> single, global lock and thus reduces the opportunity for parallelism.

thanks for the explanation, Max.

further data point: a ruleset with 8 nat rules that never match (but have to be checked) chops off a further ~50 mbit. that i'm less worried about, but the initial hit for just enabling filtering does worry me quite a bit. is there anything to be done about that? is anything being done? or planned?

[hardware is 2 x Xeon E5410 (2.3 GHz), network interfaces are Intel PRO/1000 PT]

>> OS: 8.0-CURRENT #0: Fri Feb 27 04:20:49 MSK 2009
>>
>> thanks.

--
Deomid Ryabkov aka Rojer
myself@rojer.pp.ru
rojer@sysadmins.ru
ICQ: 8025844

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3308 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.freebsd.org/pipermail/freebsd-pf/attachments/20090325/5918c74c/smime.bin

From pgoggins at cc.edu Tue Mar 24 20:46:32 2009
From: pgoggins at cc.edu (Patrick Goggins)
Date: Tue Mar 24 20:46:38 2009
Subject: pf rdr not redirecting completely
In-Reply-To:
References: <49A7D547.9040801@ngc.net.ua> <49A811D4.5030900@uffner.com> <49A8177B.9010209@ngc.net.ua> <49A85BD4.7050105@uffner.com> <49A8FED7.3000603@ngc.net.ua>
Message-ID:

The problem is with the client being behind the transparent bridged interface: the management interface is not part of the bridge, and when clients hit the rdr rule without hitting the IP stack it will not work without an addressed bridge.

To work around this I've noticed some references to using the explicit route-to option, but I have been getting a syntax error:

rdr pass in on $int_if route-to lo0 proto tcp from any to any port 80 -> 127.0.0.1 port 80

What am I missing with this syntax?

~Patrick

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Patrick Goggins
Sent: Wednesday, March 18, 2009 8:20 AM
To: freebsd-pf@freebsd.org
Subject: pf rdr not redirecting completely (Correction)

Slight correction:

Working rule
rdr on $int_if proto tcp from 172.20.0.0/16 to any port {80, 443} -> 172.20.5.239 port 80

rule attempting but does not work
rdr on $int_if proto tcp from 172.20.0.0/16 to any port {80, 443} -> 172.20.5.240 port 80

~Patrick

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Patrick Goggins
Sent: Wednesday, March 18, 2009 8:17 AM
To: freebsd-pf@freebsd.org
Subject: pf rdr not redirecting completely

I'm running into a problem with a transparent bridge and the rdr functionality where, when a device hits the rule, they are being redirected but are unable to fully connect to the server. Pf is set to skip on the management, external, and bridged interfaces; filtering is just on the internal interface.

Eth0: 172.20.5.240 (management interface, also serving apache pages)
Eth1: external, non-addressed
Eth2: internal, non-addressed
Bridge0: bridge between Eth1 and Eth2

Eth0 and Eth1 are on the same vlan

[Lan where 172.20.5.240 resides]---[managed switch]---[external interface]----[bridge0]-----[internal interface]------[unmanaged switch]------[test system]

Here's the rule I'm trying to run:

rdr on $int_if proto tcp from 172.20.0.0/16 to any port {80, 443} -> 172.20.68.31 port 80

additionally the following rules apply:

pass quick on $int_if proto tcp from any to any

When testing the rdr rule on another ip 172.20.5.239 (another physical server), the rule works correctly. I'm thinking it's having issues going out and then coming back in because it's seeing the request twice and dropping it???

~Patrick

From sebster at sebster.com Wed Mar 25 02:26:28 2009
From: sebster at sebster.com (Sebastiaan van Erk)
Date: Wed Mar 25 02:26:34 2009
Subject: state mismatch/connection issues
Message-ID: <49C9F27F.3010505@sebster.com>

Hi,

I'm running FreeBSD-7.0 RELEASE with the following patch to the kernel (I know it's integrated in the latest patchlevels which you get when you do freebsd-update, but since I'm still getting state-mismatches WITH the patch I'm holding off on the upgrade until I have more information as to the nature of the problem):

*** net/pf.c 2007/09/07 21:34:10 1.558 --- net/pf.c 2007/09/18 19:45:59 1.559 *************** pf_test_state_tcp(struct pf_state **state, int directi *** 3730,3735 **** --- 3730,3751 ---- REASON_SET(reason, PFRES_SYNPROXY); return (PF_SYNPROXY_DROP); } + } + + if (((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) && + dst->state >= TCPS_FIN_WAIT_2 && + src->state >= TCPS_FIN_WAIT_2) { + if (pf_status.debug >= PF_DEBUG_MISC) { + printf("pf: state reuse "); + pf_print_state(*state); + pf_print_flags(th->th_flags); + printf("\n"); + } + /* XXX make sure it's the same direction ?? */ + (*state)->src.state = (*state)->dst.state = TCPS_CLOSED; + pf_unlink_state(*state); + *state = NULL; + return (PF_DROP); } if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN)) {

The problem I'm having is that I get intermittent connection refused/operation not permitted to another machine on the local network. When I do pfctl -s info I see *huge* numbers of state mismatches:

Status: Enabled for 94 days 01:27:40           Debug: Urgent

State Table                          Total             Rate
  current entries                      398
  searches                       986228319          121.4/s
  inserts                        104049508           12.8/s
  removals                       104049110           12.8/s
Counters
  match                          107482262           13.2/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                             42            0.0/s
  memory                           3125235            0.4/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                        13919            0.0/s
  state-mismatch                   3039814            0.4/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

This is causing serious problems at the moment.
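Review bot: the direction question raised in the hunk's own `/* XXX make sure it's the same direction ?? */` comment is left open, and as written the new branch tears the state down on any bare SYN once `src->state` and `dst->state` are both at or past TCPS_FIN_WAIT_2, whichever side sends it; if only the original initiator is meant to reuse the 4-tuple, compare the packet's `direction` with the direction recorded in the state before calling `pf_unlink_state(*state)`, and if a SYN from either side is acceptable, say so in place of the XXX. Two smaller points: the synproxy path just above sets `REASON_SET(reason, PFRES_SYNPROXY)` before returning, whereas this path returns `PF_DROP` with `*state = NULL` and no reason, so the drop is not attributed to any counter; and a comment should state what the caller is expected to do with the SYN once the state is gone (run it through the ruleset again as a new connection, or really drop it), since that decides whether the reuse is seamless for the peer or costs it a retransmit.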
It seems that the state problems occur in certain small time windows (my nagios starts reporting that every service is connection refused/operation not permitted, which is about 20 services). Then I get 20 recovery messages.

The firewall rules are trivially simple; $ext_if has 2 ips and $int_if has one:

interfaces = "{" $ext_if "," $int_if "}"

scrub in all

set skip on lo0

antispoof for $interfaces inet

block out log quick on $ext_if from !$ext_ip1 to any
block in quick on $ext_if from any to 255.255.255.255

block log all

pass in quick inet proto icmp all icmp-type $icmp_types

pass in quick on $int_if from $int_net to any
pass out quick on $int_if from any to $int_net

pass out on $ext_if proto tcp all
pass out on $ext_if proto { udp, icmp } all

pass in on $ext_if proto tcp from any to $ext_ip1 port $tcp_services1
pass in on $ext_if proto tcp from any to $ext_ip2 port $tcp_services2

Does anybody have any idea what's going on and where I can look? This is a production server so it's seriously influencing the quality of the hosted services. :-(

Regards,
Sebastiaan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3328 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.freebsd.org/pipermail/freebsd-pf/attachments/20090325/4ae8c512/smime.bin

From brucec at FreeBSD.org Wed Mar 25 10:22:42 2009
From: brucec at FreeBSD.org (brucec@FreeBSD.org)
Date: Wed Mar 25 10:22:51 2009
Subject: bin/86635: [patch] pfctl(8): allow new page character (^L) in pf.conf
Message-ID: <200903251722.n2PHMWSP017431@freefall.freebsd.org>

Synopsis: [patch] pfctl(8): allow new page character (^L) in pf.conf

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: brucec
Responsible-Changed-When: Wed Mar 25 17:22:07 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=86635

From alexiy at mail.kar.net Thu Mar 26 06:23:29 2009
From: alexiy at mail.kar.net (Алексей)
Date: Thu Mar 26 06:23:52 2009
Subject: nat and filtering rules
Message-ID: <49CB7DC7.3090500@mail.kar.net>

Hi,

I'm running FreeBSD 7.1-RC1 and Packet Filter as the firewall. I have the following setup: a LAN using a private address range behind the gateway that is doing NAT. I want to use PF with ALTQ on the gateway to limit bandwidth by IP address for the computers in the LAN. Here are the relevant parts of the configuration file:

##############################
#Translation                 #
##############################
nat on $ext_if from $internal_net to any -> ($ext_if)

##############################
#Queueing                    #
##############################
#Download ...
altq on $int_if cbq bandwidth 10Mb queue { me_d, comp_d, mach_d, dd}
queue comp_d bandwidth 2Mb cbq
queue me_d bandwidth 5Mb cbq(borrow)
queue mach_d bandwidth 2Mb cbq
queue dd bandwidth 1Mb cbq(default borrow)

#Upload...
altq on $ext_if cbq bandwidth 10Mb queue { me_u, comp_u, mach_u, du}
queue comp_u bandwidth 2Mb cbq
queue me_u bandwidth 5Mb cbq(borrow)
queue mach_u bandwidth 2Mb cbq
queue du bandwidth 1Mb cbq(default borrow)

##############################
#Filtering                   #
##############################
# setup a default deny policy
block all

#Here $me, $comp and $mach are IPs from the LAN

#upload
#me
pass in on $int_if from $me to any queue me_u
#comp
pass in on $int_if from $comp to any queue comp_u
#mach
pass in on $int_if from $mach to any queue mach_u

#download
#me
pass out log on $int_if from any to $me queue me_d
#comp
pass out on $int_if from any to $comp queue comp_d
#mach
pass out on $int_if from any to $mach queue mach_d

Right now all the traffic coming from the Internet to the LAN is assigned to the default queue "dd". I may be wrong here, but judging from the blank output of the log, the rule

pass out log on $int_if from any to $me queue me_d

is not catching anything.
Even if this rule is commented out I am still able to access the Internet from this host in the LAN. I assume that it is the implicit keep state in this rule:

pass in on $int_if from $me to any queue me_u

that takes care of both the packets originating from the LAN and those returning there. Is it really so, or did I misunderstand something? How is it possible to assign the traffic coming from the Internet to the LAN through the NAT to the correct queues?

--
Regards,
Alex

From eri at freebsd.org Thu Mar 26 08:08:40 2009
From: eri at freebsd.org (Ermal Luçi)
Date: Thu Mar 26 08:08:46 2009
Subject: nat and filtering rules
In-Reply-To: <49CB7DC7.3090500@mail.kar.net>
References: <49CB7DC7.3090500@mail.kar.net>
Message-ID: <9a542da30903260746n1045a708j533cb10505fae95b@mail.gmail.com>

Try the modified configuration; it should give you what you are after.

altq on $int_if cbq bandwidth 10Mb queue { me, comp, mach, dd}
queue comp on $int_if bandwidth 2Mb cbq
queue me on $int_if bandwidth 5Mb cbq(borrow)
queue mach on $int_if bandwidth 2Mb cbq
queue dd on $int_if bandwidth 1Mb cbq(default borrow)

altq on $ext_if cbq bandwidth 10Mb queue { me, comp, mach, dd}
queue comp on $ext_if bandwidth 2Mb cbq
queue me on $ext_if bandwidth 5Mb cbq(borrow)
queue mach on $ext_if bandwidth 2Mb cbq
queue dd on $ext_if bandwidth 1Mb cbq(default borrow)

block all
pass in on $int_if from $me to any queue me
pass in on $int_if from $comp to any queue comp
pass in on $int_if from $mach to any queue mach

--
Ermal

From ja at unc.edu Sat Mar 28 07:38:04 2009
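The two pf behaviours argued over on this page, rule ordering in the "first firewall with pf" thread (the last matching rule wins, unless a matching rule carries `quick`) and queue assignment in the "nat and filtering rules" thread (the `pass` rule that creates the state fixes the queue name for both directions of the flow, and that name only takes effect on an egress interface that defines a queue of that name; otherwise the interface's default queue is used), can be checked with a small model. The Python below is an added illustration written for this archive page; it is not pf source and not code from any of the posters. It leaves out NAT, protocols and state timeouts, treats every `pass` as keeping a floating state (the default noted in the kern/127345 closure further down), and uses constructed addresses; `bce0` is Eric's external interface, while `int0`/`ext0` and the `Packet`/`Rule`/`PF` names are assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    ifname: str        # interface the packet is seen on
    direction: str     # "in" or "out"
    src: str
    dst: str
    port: int


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # None matches anything, like pf
    ifname: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    port: Optional[int] = None
    quick: bool = False
    queue: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        wanted = (self.direction, self.ifname, self.src, self.dst, self.port)
        have = (p.direction, p.ifname, p.src, p.dst, p.port)
        return all(w is None or w == h for w, h in zip(wanted, have))


@dataclass
class PF:
    rules: list
    queues: dict = field(default_factory=dict)         # ifname -> set of queue names
    default_queue: dict = field(default_factory=dict)  # ifname -> default queue
    states: dict = field(default_factory=dict)         # flow key -> queue name

    def last_match(self, p: Packet) -> Optional[Rule]:
        """Walk the ruleset top to bottom and remember the LAST match;
        a matching rule marked 'quick' ends the walk on the spot."""
        winner = None
        for r in self.rules:
            if r.matches(p):
                winner = r
                if r.quick:
                    break
        return winner                   # None: nothing matched, implicit pass

    def process(self, p: Packet):
        """Return (verdict, queue) for one packet on one interface."""
        key = (frozenset((p.src, p.dst)), p.port)   # same key in both directions
        if key in self.states:
            queue = self.states[key]                # an existing state wins
        else:
            r = self.last_match(p)
            if r is not None and r.action == "block":
                return ("block", None)
            queue = r.queue if r is not None else None
            self.states[key] = queue                # pass keeps state by default
        if p.direction != "out":
            return ("pass", None)                   # queueing happens on egress
        if queue in self.queues.get(p.ifname, ()):
            return ("pass", queue)
        return ("pass", self.default_queue.get(p.ifname))


def ordering_demo() -> dict:
    """Three placements of the catch-all block rule from the 'first firewall'
    thread, each run against a permitted and a forbidden SSH SYN on bce0."""
    ssh_ok = Packet("bce0", "in", "10.9.0.5", "10.9.0.1", 22)       # constructed
    ssh_bad = Packet("bce0", "in", "198.51.100.7", "10.9.0.1", 22)  # constructed
    allow = Rule("pass", "in", "bce0", src="10.9.0.5", port=22, quick=True)
    block_quick = Rule("block", "in", "bce0", quick=True)
    block_plain = Rule("block", "in", "bce0")
    layouts = {
        "quick block last": [allow, block_quick],    # Eric's posted order
        "quick block first": [block_quick, allow],   # the 'quick' block moved up
        "plain block first": [block_plain, allow],   # block without 'quick' first
    }
    return {name: tuple(PF(rules).process(p)[0] for p in (ssh_ok, ssh_bad))
            for name, rules in layouts.items()}


def queue_demo(same_names: bool) -> tuple:
    """Alex's per-interface queue names (me_u on ext0, me_d on int0) versus
    Ermal's fix of one name ('me') on both interfaces.  Returns the queue the
    upload leg (out on ext0) and the download leg (out on int0) end up in."""
    me, srv = "192.168.1.10", "203.0.113.5"            # constructed addresses
    up, down = ("me", "me") if same_names else ("me_u", "me_d")
    pf = PF(rules=[Rule("block"),
                   Rule("pass", "in", "int0", src=me, queue=up),
                   Rule("pass", "out", "int0", dst=me, queue=down)],
            queues={"ext0": {up, "du"}, "int0": {down, "dd"}},
            default_queue={"ext0": "du", "int0": "dd"})
    legs = [Packet("int0", "in", me, srv, 80), Packet("ext0", "out", me, srv, 80),
            Packet("ext0", "in", srv, me, 80), Packet("int0", "out", srv, me, 80)]
    results = [pf.process(p) for p in legs]
    return results[1][1], results[3][1]


if __name__ == "__main__":
    print(ordering_demo())
    print(queue_demo(same_names=False), queue_demo(same_names=True))
```

`ordering_demo()` shows why the thread went in circles: with every `pass` rule marked `quick`, Eric's `block in quick ... all` as the last rule and Dave's plain `block in ... all` as the first rule give identical verdicts, while the `quick` block moved to the top blocks everything. `queue_demo(False)` reproduces Alex's observation: the reply traffic is handled by the state created on `int0`, so the `pass out ... queue me_d` rule is never consulted (hence the empty log) and the download leg falls into the default queue `dd`; with `queue_demo(True)` the state's queue name resolves on both interfaces.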
From: ja at unc.edu (Jay Aikat)
Date: Sat Mar 28 07:38:25 2009
Subject: pftop queue stats
Message-ID: <49CE29DB.7010803@unc.edu>

Hi,

I am looking for a way to log queue stats at less than 1 second intervals.

On my FreeBSD router, the pf.conf file is configured as follows:

> altq on $ext_if1 priq bandwidth 622Mb qlimit 65535 queue { tcp_q1 }
> queue tcp_q1 on $ext_if1 qlimit 65535 priq (default)

Using pftop, I can get queue lengths per second at best.

$ pftop -s 1 -v queue -d 1000 > pftop.out

Is there an option in pftop to log stats per millisecond, or even 100ms? The -s option above seems to default to 1 second at best.

Thanks for any pointers you can give me.

--Jay.

From grishin-mailing-lists at minselhoz.samara.ru Sat Mar 28 07:45:59 2009
From: grishin-mailing-lists at minselhoz.samara.ru (Yuriy Grishin)
Date: Sat Mar 28 07:46:11 2009
Subject: pftop queue stats
In-Reply-To: <49CE29DB.7010803@unc.edu>
References: <49CE29DB.7010803@unc.edu>
Message-ID: <49CE3822.409@minselhoz.samara.ru>

Jay Aikat wrote:
> Hi,
> I am looking for a way to log queue stats at less than 1 second
> intervals.
>
> On my FreeBSD router, the pf.conf file is configured as follows:
> > altq on $ext_if1 priq bandwidth 622Mb qlimit 65535 queue { tcp_q1 }
> > queue tcp_q1 on $ext_if1 qlimit 65535 priq (default)
>
> Using pftop, I can get queue lengths per second at best.
> $ pftop -s 1 -v queue -d 1000 > pftop.out
>
> Is there an option in pftop to log stats per millisecond, or even
> 100ms? The -s option above seems to default to 1 second at best.
>
> Thanks for any pointers you can give me.

I suppose that there should be some pre-defined variables in the source code.
BTW Why do you use an extremely large qlimit?

From ja at unc.edu Sat Mar 28 07:52:17 2009
From: ja at unc.edu (Jay Aikat)
Date: Sat Mar 28 07:52:23 2009
Subject: pftop queue stats
In-Reply-To: <49CE3822.409@minselhoz.samara.ru>
References: <49CE29DB.7010803@unc.edu> <49CE3822.409@minselhoz.samara.ru>
Message-ID: <49CE399C.2080406@unc.edu>

The large queue limit is just for testing purposes. Once I figure out this logging of the queue at better granularity, I plan to have more realistic queue limits.

These are for experiments I am running in our lab to study network traffic characteristics and the effect of that on router queuing - just FYI.

Thanks.

Yuriy Grishin wrote:
> Jay Aikat wrote:
>> Hi,
>> I am looking for a way to log queue stats at less than 1 second
>> intervals.
>>
>> On my FreeBSD router, the pf.conf file is configured as follows:
>> > altq on $ext_if1 priq bandwidth 622Mb qlimit 65535 queue { tcp_q1 }
>> > queue tcp_q1 on $ext_if1 qlimit 65535 priq (default)
>>
>> Using pftop, I can get queue lengths per second at best.
>> $ pftop -s 1 -v queue -d 1000 > pftop.out
>>
>> Is there an option in pftop to log stats per millisecond, or even
>> 100ms? The -s option above seems to default to 1 second at best.
>>
>> Thanks for any pointers you can give me.
>
> I suppose that there should be some pre-defined variables in the source
> code.
> BTW Why do you use an extremely large qlimit?

From grishin-mailing-lists at minselhoz.samara.ru Sat Mar 28 08:08:29 2009
From: grishin-mailing-lists at minselhoz.samara.ru (Yuriy Grishin)
Date: Sat Mar 28 08:08:35 2009
Subject: pftop queue stats
In-Reply-To: <49CE399C.2080406@unc.edu>
References: <49CE29DB.7010803@unc.edu> <49CE3822.409@minselhoz.samara.ru> <49CE399C.2080406@unc.edu>
Message-ID: <49CE3D6B.90503@minselhoz.samara.ru>

Jay Aikat wrote:
> The large queue limit is just for testing purposes. Once I figure out
> this logging of the queue at better granularity, I plan to have more
> realistic queue limits.
>
> These are for experiments I am running in our lab to study network
> traffic characteristics and the effect of that on router queuing -
> just FYI.
>
> Thanks.

I see....

There is no simple way to use a value less than 1 with the "-s" parameter because:

**********pftop.c***********
        case 's':
                delay = atoi(optarg);
                if (delay < 1)
                        delay = 1;
                break;
**********pftop.c***********

and:

**********engine.c**********
int delay = 5;
**********engine.c**********

Although, you can rewrite the program.

From ja at unc.edu Sat Mar 28 08:13:32 2009
From: ja at unc.edu (Jay Aikat)
Date: Sat Mar 28 08:13:38 2009
Subject: pftop queue stats
In-Reply-To: <49CE3D6B.90503@minselhoz.samara.ru>
References: <49CE29DB.7010803@unc.edu> <49CE3822.409@minselhoz.samara.ru> <49CE399C.2080406@unc.edu> <49CE3D6B.90503@minselhoz.samara.ru>
Message-ID: <49CE3E97.3020509@unc.edu>

Thank you. This is very helpful to know. I guess I'll just have to rewrite it then. Appreciate your help with this.

Yuriy Grishin wrote:
> Jay Aikat wrote:
>> The large queue limit is just for testing purposes. Once I figure out
>> this logging of the queue at better granularity, I plan to have more
>> realistic queue limits.
>>
>> These are for experiments I am running in our lab to study network
>> traffic characteristics and the effect of that on router queuing -
>> just FYI.
>>
>> Thanks.
>
> I see....
>
> There is no simple way to use a value less than 1 with "-s" parameter
> because :
>
> **********pftop.c***********
>         case 's':
>                 delay = atoi(optarg);
>                 if (delay < 1)
>                         delay = 1;
>                 break;
> **********pftop.c***********
> and :
> **********engine.c**********
> int delay = 5;
> **********engine.c**********
>
> Although, you can rewrite the program.

From grishin-mailing-lists at minselhoz.samara.ru Sat Mar 28 10:52:54 2009
From: grishin-mailing-lists at minselhoz.samara.ru (Yuriy Grishin)
Date: Sat Mar 28 10:53:06 2009
Subject: pftop queue stats
In-Reply-To: <49CE3E97.3020509@unc.edu>
References: <49CE29DB.7010803@unc.edu> <49CE3822.409@minselhoz.samara.ru> <49CE399C.2080406@unc.edu> <49CE3D6B.90503@minselhoz.samara.ru> <49CE3E97.3020509@unc.edu>
Message-ID: <49CE63F4.5010906@minselhoz.samara.ru>

Jay Aikat wrote:
> Thank you. This is very helpful to know. I guess I'll just have to
> rewrite it then. Appreciate your help with this.
>

Not at all.

From bugmaster at FreeBSD.org Mon Mar 30 04:06:58 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Mar 30 04:08:48 2009
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200903301106.n2UB6vvU054831@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
o kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o kern/130977  pf         [netgraph][pf] kernel panic trap 12 on user connect to
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/129060  pf         [pf] [tun] pf doesn't forget the old tun IP
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf         [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf         [pf] deadlock in pf
o kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

33 problems total.

From mlaier at FreeBSD.org Tue Mar 31 05:50:32 2009
From: mlaier at FreeBSD.org (mlaier@FreeBSD.org)
Date: Tue Mar 31 05:50:38 2009
Subject: conf/127511: [patch] /usr/sbin/authpf: add authpf folders to BSD.root.dist and BSD.var.dist mtree files
Message-ID: <200903311250.n2VCoTgP084694@freefall.freebsd.org>

Synopsis: [patch] /usr/sbin/authpf: add authpf folders to BSD.root.dist and BSD.var.dist mtree files

State-Changed-From-To: open->closed
State-Changed-By: mlaier
State-Changed-When: Tue Mar 31 12:49:33 UTC 2009
State-Changed-Why:
No votes have been cast so I'll keep the safety on.

http://www.freebsd.org/cgi/query-pr.cgi?pr=127511

From mlaier at FreeBSD.org Tue Mar 31 05:53:58 2009
From: mlaier at FreeBSD.org (mlaier@FreeBSD.org) Date: Tue Mar 31 05:54:04 2009 Subject: kern/129060: [pf] [tun] pf doesn't forget the old tun IP Message-ID: <200903311253.n2VCrvMM094465@freefall.freebsd.org> Synopsis: [pf] [tun] pf doesn't forget the old tun IP State-Changed-From-To: open->closed State-Changed-By: mlaier State-Changed-When: Tue Mar 31 12:53:23 UTC 2009 State-Changed-Why: Not a pf bug and workaround is available - close this one. http://www.freebsd.org/cgi/query-pr.cgi?pr=129060 From mlaier at FreeBSD.org Tue Mar 31 06:05:04 2009 From: mlaier at FreeBSD.org (mlaier@FreeBSD.org) Date: Tue Mar 31 06:05:11 2009 Subject: kern/132176: [pf] pf stalls connection when using route-to [regression] Message-ID: <200903311305.n2VD530L007544@freefall.freebsd.org> Synopsis: [pf] pf stalls connection when using route-to [regression] State-Changed-From-To: open->feedback State-Changed-By: mlaier State-Changed-When: Tue Mar 31 13:01:17 UTC 2009 State-Changed-Why: There are no changes to pf or the kernel between 7.1-p2 and 7.1-p3 so the error is likely found elsewhere. Since you mention the bce(4) NIC in your configuration you should try the updated bce driver: http://lists.freebsd.org/pipermail/freebsd-stable/2009-March/049195.html http://www.freebsd.org/cgi/query-pr.cgi?pr=132176 From mlaier at FreeBSD.org Tue Mar 31 06:09:16 2009 
From: mlaier at FreeBSD.org (mlaier@FreeBSD.org) Date: Tue Mar 31 06:09:21 2009 Subject: kern/127345: [pf] Problem with PF on FreeBSD7.0 [regression] Message-ID: <200903311309.n2VD9D9D007633@freefall.freebsd.org> Synopsis: [pf] Problem with PF on FreeBSD7.0 [regression] State-Changed-From-To: open->feedback State-Changed-By: mlaier State-Changed-When: Tue Mar 31 13:05:28 UTC 2009 State-Changed-Why: It seems that you are affected by the change of pf default behavior as described in UPDATING. "keep state" is now the default and this doesn't play well with multiple pptp sessions. You can add "no state" to your rules to mitigate that. http://www.freebsd.org/cgi/query-pr.cgi?pr=127345 From darius at dons.net.au Tue Mar 31 18:10:02 2009 From: darius at dons.net.au (Daniel O'Connor) Date: Tue Mar 31 18:10:09 2009 Subject: kern/129060: [pf] [tun] pf doesn't forget the old tun IP Message-ID: <200904010110.n311A25r075283@freefall.freebsd.org> The following reply was made to PR kern/129060; it has been noted by GNATS. From: "Daniel O'Connor" To: bug-followup@freebsd.org, darius@dons.net.au Cc: Subject: Re: kern/129060: [pf] [tun] pf doesn't forget the old tun IP Date: Wed, 1 Apr 2009 11:01:37 +1030 It's still _a_ bug. Is it a tun bug? Can it be reassigned so someone who groks tun can have a look at it? While there is a work around available it isn't documented anywhere except the lists. -- Daniel O'Connor software and network engineer for Genesis Software - http://www.gsoft.com.au "The nice thing about standards is that there are so many of them to choose from." -- Andrew Tanenbaum GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
