From swun2010 at gmail.com Fri May 1 08:39:28 2009
From: swun2010 at gmail.com (Sam Wun)
Date: Fri May 1 08:39:35 2009
Subject: PF rules blocking incoming traffic originated from my port 25. - repost with consistent IP address
Message-ID: <736c47cb0905010133l62859430u813ef04d754f7218@mail.gmail.com>

Hi guys,

OS: FreeBSD 6.2.

I don't know what happened with my PF rules. I tried to send email from the webmail installed in this FreeBSD box.
From the log, it said my PF rule is blocking:

tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
000000 rule 4/0(match): block in on em0: 209.85.217.27.25 > 1.2.3.206.50725: S 1649853456:1649853456(0) ack 2736129674 win 5792
2. 994216 rule 4/0(match): block in on em0: 209.85.217.27.25 > 1.2.3.206.50725: S 1649853456:1649853456(0) ack 2736129674 win 5792
971917 rule 4/0(match): block in on em0: 209.85.217.27.25 > 1.2.3.206.50725: S 1649853456:1649853456(0) ack 2736129674 win 5792
2. 229844 rule 4/0(match): block in on em0: 209.85.217.27.25 > 1.2.3.206.50725: S 1649853456:1649853456(0) ack 2736129674 win 5792
3. 197738 rule 4/0(match): block in on em0: 209.85.217.27.25 > 1.2.3.206.50725: S 1649853456:1649853456(0) ack 2736129674 win 5792
...

scrub in all fragment reassemble
block drop in log on ! em0 inet from 1.2.3.200/29 to any
block drop in log on ! em0 inet from 1.2.3.200/29 to any
block drop in log inet from 1.2.3.202 to any
block drop in log inet from 1.2.3.206 to any
block drop in log all
block drop in log quick on em0 inet from 127.0.0.0/8 to any
block drop in log quick on em0 inet from 192.168.0.0/16 to any
block drop in log quick on em0 inet from 172.16.0.0/12 to any
block drop in log quick on em0 inet from 10.0.0.0/8 to any
block drop in log quick on em0 inet from 169.254.0.0/16 to any
block drop in log quick on em0 inet from 192.0.2.0/24 to any
block drop in log quick on em0 inet from 0.0.0.0/8 to any
block drop in log quick on em0 inet from 240.0.0.0/4 to any
block drop out log quick on em0 inet from any to 127.0.0.0/8
block drop out log quick on em0 inet from any to 192.168.0.0/16
block drop out log quick on em0 inet from any to 172.16.0.0/12
block drop out log quick on em0 inet from any to 10.0.0.0/8
block drop out log quick on em0 inet from any to 169.254.0.0/16
block drop out log quick on em0 inet from any to 192.0.2.0/24
block drop out log quick on em0 inet from any to 0.0.0.0/8
block drop out log quick on em0 inet from any to 240.0.0.0/4
block drop in log quick on em0 from to any
block drop out log quick on em0 from any to
block drop in log quick on em0 from to any
block drop out log quick on em0 from any to
pass in on em0 inet proto tcp from any to 1.2.3.202 port = ssh keep state
pass in on em0 inet proto tcp from any to 1.2.3.206 port = ssh keep state
pass in on em0 inet proto tcp from any to 1.2.3.202 port = domain keep state
pass in on em0 inet proto tcp from any to 1.2.3.206 port = domain keep state
pass in on em0 inet proto tcp from any to 1.2.3.202 port = imap keep state
pass in on em0 inet proto tcp from any to 1.2.3.206 port = imap keep state
pass in on em0 inet proto tcp from any to 1.2.3.202 port = smtp keep state
pass in on em0 inet proto tcp from any to 1.2.3.206 port = smtp keep state
pass in on em0 inet proto tcp from any to 1.2.3.202 port = https keep state
pass in on em0 inet proto tcp from any to 1.2.3.206 port = https keep state
pass in on em0 inet proto udp from any to 1.2.3.202 port = domain
pass in on em0 inet proto udp from any to 1.2.3.206 port = domain
pass in on em0 inet proto tcp from any to 1.2.3.202 port = 8080 keep state
pass in on em0 inet proto tcp from any to 1.2.3.206 port = 8080 keep state
pass out on em0 proto tcp all keep state
pass out on em0 proto udp all keep state
pass out on em0 inet proto udp from any to any port 33433 >< 33626 keep state

From swun2010 at gmail.com Fri May 1 08:59:23 2009
From: swun2010 at gmail.com (Sam Wun)
Date: Fri May 1 08:59:31 2009
Subject: PF rules blocking incoming traffic originated from my port 25.
Message-ID: <736c47cb0905010129k18f834aex9f1484cbf1f7e02e@mail.gmail.com>

Hi guys,

OS: FreeBSD 6.2.

I don't know what happened with my PF rules. I tried to send email from the webmail installed in this FreeBSD box.
From the log, it said my PF rule is blocking:

tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
000000 rule 4/0(match): block in on em0: 209.85.217.27.25 > 1.2.3.206.50725: S 1649853456:1649853456(0) ack 2736129674 win 5792
2. 994216 rule 4/0(match): block in on em0: 209.85.217.27.25 > 1.2.3.206.50725: S 1649853456:1649853456(0) ack 2736129674 win 5792
971917 rule 4/0(match): block in on em0: 209.85.217.27.25 > 1.2.3.206.50725: S 1649853456:1649853456(0) ack 2736129674 win 5792
2. 229844 rule 4/0(match): block in on em0: 209.85.217.27.25 > 1.2.3.206.50725: S 1649853456:1649853456(0) ack 2736129674 win 5792
3. 197738 rule 4/0(match): block in on em0: 209.85.217.27.25 > 1.2.3.206.50725: S 1649853456:1649853456(0) ack 2736129674 win 5792
...

My PF rules are shown below:

scrub in all fragment reassemble
block drop in log on ! em0 inet from 1.2.3.4/29 to any
block drop in log on ! em0 inet from 1.2.3.6/29 to any
block drop in log inet from 1.2.3.4 to any
block drop in log inet from 1.2.3.6 to any
block drop in log all
block drop in log quick on em0 inet from 127.0.0.0/8 to any
block drop in log quick on em0 inet from 192.168.0.0/16 to any
block drop in log quick on em0 inet from 172.16.0.0/12 to any
block drop in log quick on em0 inet from 10.0.0.0/8 to any
block drop in log quick on em0 inet from 169.254.0.0/16 to any
block drop in log quick on em0 inet from 192.0.2.0/24 to any
block drop in log quick on em0 inet from 0.0.0.0/8 to any
block drop in log quick on em0 inet from 240.0.0.0/4 to any
block drop out log quick on em0 inet from any to 127.0.0.0/8
block drop out log quick on em0 inet from any to 192.168.0.0/16
block drop out log quick on em0 inet from any to 172.16.0.0/12
block drop out log quick on em0 inet from any to 10.0.0.0/8
block drop out log quick on em0 inet from any to 169.254.0.0/16
block drop out log quick on em0 inet from any to 192.0.2.0/24
block drop out log quick on em0 inet from any to 0.0.0.0/8
block drop out log quick on em0 inet from any to 240.0.0.0/4
block drop in log quick on em0 from to any
block drop out log quick on em0 from any to
block drop in log quick on em0 from to any
block drop out log quick on em0 from any to
pass in on em0 inet proto tcp from any to 125.255.112.202 port = ssh keep state
pass in on em0 inet proto tcp from any to 125.255.112.206 port = ssh keep state
pass in on em0 inet proto tcp from any to 125.255.112.202 port = domain keep state
pass in on em0 inet proto tcp from any to 125.255.112.206 port = domain keep state
pass in on em0 inet proto tcp from any to 125.255.112.202 port = imap keep state
pass in on em0 inet proto tcp from any to 125.255.112.206 port = imap keep state
pass in on em0 inet proto tcp from any to 125.255.112.202 port = smtp keep state
pass in on em0 inet proto tcp from any to 125.255.112.206 port = smtp keep state
pass in on em0 inet proto tcp from any to 125.255.112.202 port = https keep state
pass in on em0 inet proto tcp from any to 125.255.112.206 port = https keep state
pass in on em0 inet proto udp from any to 125.255.112.202 port = domain
pass in on em0 inet proto udp from any to 125.255.112.206 port = domain
pass in on em0 inet proto tcp from any to 125.255.112.202 port = 8080 keep state
pass in on em0 inet proto tcp from any to 125.255.112.206 port = 8080 keep state
pass out on em0 proto tcp all keep state
pass out on em0 proto udp all keep state
pass out on em0 inet proto udp from any to any port 33433 >< 33626 keep state

Can anybody please shed some light on this problem?

Thanks

From bugmaster at FreeBSD.org Mon May 4 11:08:00 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon May 4 11:09:27 2009
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200905041107.n44B7wb8098758@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

31 problems total.

From ml at infosec.pl Thu May 7 20:07:11 2009
From: ml at infosec.pl (Michal)
Date: Thu May 7 20:07:18 2009
Subject: state of pf port in 8.x
Message-ID: <4A03391B.6070009@infosec.pl>

Hello,

Any ideas what's cooking for 8.0 in this regard?
Optimistically assuming that we'll see 8.0 in September this year, are we getting the equivalent of OpenBSD 4.5, or is porting not that easy and straightforward?

Michal
--
"There cannot be a crisis next week. My schedule is already full."
-Henry Kissinger

From swun2010 at gmail.com Fri May 8 12:52:44 2009
From: swun2010 at gmail.com (Sam Wun)
Date: Fri May 8 12:52:56 2009
Subject: Can pfsync be used over router or WAN?
Message-ID: <736c47cb0905080552r70f45368va5dfa5af24720c1c@mail.gmail.com>

Hi,

Has anyone tried pfsync over a router or WAN?
I have read the setup guide for CARP+pfsync; the pfsync interface is connected through a crossover cable. Can I connect 2 pfsync interfaces through a router or WAN?

Thanks

From fox at verio.net Fri May 8 17:06:28 2009
From: fox at verio.net (David DeSimone)
Date: Fri May 8 17:06:36 2009
Subject: Can pfsync be used over router or WAN?
In-Reply-To: <736c47cb0905080552r70f45368va5dfa5af24720c1c@mail.gmail.com>
References: <736c47cb0905080552r70f45368va5dfa5af24720c1c@mail.gmail.com>
Message-ID: <20090508164432.GW2160@verio.net>

Sam Wun wrote:
>
> Has anyone tried pfsync over a router or WAN?
> I have read the setup guide for CARP+pfsync; the pfsync interface is
> connected through a crossover cable. Can I connect 2 pfsync
> interfaces through a router or WAN?

pfsync(4) talks about this:

    NETWORK SYNCHRONISATION
         States can be synchronised between two or more firewalls using
         this interface, by specifying a synchronisation interface using
         ifconfig(8).
         For example, the following command sets fxp0 as the
         synchronisation interface:

           # ifconfig pfsync0 syncdev fxp0

         It is important that the underlying synchronisation interface
         is up and has an IP address assigned.

         By default, state change messages are sent out on the
         synchronisation interface using IP multicast packets.  The
         protocol is IP protocol 240, PFSYNC, and the multicast group
         used is 224.0.0.240.  When a peer address is specified using
         the syncpeer keyword, the peer address is used as a destination
         for the pfsync traffic, and the traffic can then be protected
         using ipsec(4).  In such a configuration, the syncdev should
         be set to the enc(4) interface, as this is where the traffic
         arrives when it is decapsulated, e.g.:

           # ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0

         It is important that the pfsync traffic be well secured as
         there is no authentication on the protocol and it would be
         trivial to spoof packets which create states, bypassing the
         pf ruleset.  Either run the pfsync protocol on a trusted
         network - ideally a network dedicated to pfsync messages such
         as a crossover cable between two firewalls, or specify a peer
         address and protect the traffic with ipsec(4).

         For pfsync to start its operation automatically at the system
         boot time, pfsync_enable and pfsync_syncdev variables should be
         used in rc.conf(5).  It is not advisable to set up pfsync with
         common network interface configuration variables of rc.conf(5)
         because pfsync must start after its syncdev, which cannot be
         always ensured in the latter case.

Syncing over a WAN doesn't seem like it would make sense, offhand.
Normally you pfsync between devices that will be able to provide routing
for a firewalled connection. A device far across a WAN doesn't seem
like it would be able to provide redundant service. But that's up to
your design, I suppose.

Syncing across a LAN could make sense, but you will want to take steps
to secure the traffic.

--
David DeSimone == Network Admin == fox@verio.net
  "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow

This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free. Thank you.

From swun2010 at gmail.com Sat May 9 00:54:26 2009
From: swun2010 at gmail.com (Sam Wun)
Date: Sat May 9 00:54:37 2009
Subject: Can pfsync be used over router or WAN?
In-Reply-To: <20090508164432.GW2160@verio.net>
References: <736c47cb0905080552r70f45368va5dfa5af24720c1c@mail.gmail.com> <20090508164432.GW2160@verio.net>
Message-ID: <736c47cb0905081754s32d9414fhe89f1920c8675869@mail.gmail.com>

Establishing IPSEC between these 2 pfsync points is a way to go.

On Sat, May 9, 2009 at 2:44 AM, David DeSimone wrote:
> Sam Wun wrote:
>>
>> Has anyone tried pfsync over a router or WAN?
>> I have read the setup guide for CARP+pfsync; the pfsync interface is
>> connected through a crossover cable.  Can I connect 2 pfsync
>> interfaces through a router or WAN?
>
> pfsync(4) talks about this:
>
>     NETWORK SYNCHRONISATION
>          States can be synchronised between two or more firewalls using
>          this interface, by specifying a synchronisation interface using
>          ifconfig(8).  For example, the following command sets fxp0 as
>          the synchronisation interface:
>
>            # ifconfig pfsync0 syncdev fxp0
>
>          It is important that the underlying synchronisation interface
>          is up and has an IP address assigned.
>
>          By default, state change messages are sent out on the
>          synchronisation interface using IP multicast packets.  The
>          protocol is IP protocol 240, PFSYNC, and the multicast group
>          used is 224.0.0.240.  When a peer address is specified using
>          the syncpeer keyword, the peer address is used as a destination
>          for the pfsync traffic, and the traffic can then be protected
>          using ipsec(4).  In such a configuration, the syncdev should
>          be set to the enc(4) interface, as this is where the traffic
>          arrives when it is decapsulated, e.g.:
>
>            # ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0
>
>          It is important that the pfsync traffic be well secured as
>          there is no authentication on the protocol and it would be
>          trivial to spoof packets which create states, bypassing the
>          pf ruleset.  Either run the pfsync protocol on a trusted
>          network - ideally a network dedicated to pfsync messages such
>          as a crossover cable between two firewalls, or specify a peer
>          address and protect the traffic with ipsec(4).
>
>          For pfsync to start its operation automatically at the system
>          boot time, pfsync_enable and pfsync_syncdev variables should be
>          used in rc.conf(5).  It is not advisable to set up pfsync with
>          common network interface configuration variables of rc.conf(5)
>          because pfsync must start after its syncdev, which cannot be
>          always ensured in the latter case.
>
> Syncing over a WAN doesn't seem like it would make sense, offhand.
> Normally you pfsync between devices that will be able to provide routing
> for a firewalled connection.  A device far across a WAN doesn't seem
> like it would be able to provide redundant service.  But that's up to
> your design, I suppose.
>
> Syncing across a LAN could make sense, but you will want to take steps
> to secure the traffic.
>
> --
> David DeSimone == Network Admin == fox@verio.net
>   "I don't like spinach, and I'm glad I don't, because if I
>    liked it I'd eat it, and I just hate it." -- Clarence Darrow

From bms at incunabulum.net Sat May 9 18:16:18 2009
From: bms at incunabulum.net (Bruce Simpson)
Date: Sat May 9 18:16:23 2009
Subject: Can pfsync be used over router or WAN?
In-Reply-To: <736c47cb0905081754s32d9414fhe89f1920c8675869@mail.gmail.com>
References: <736c47cb0905080552r70f45368va5dfa5af24720c1c@mail.gmail.com> <20090508164432.GW2160@verio.net> <736c47cb0905081754s32d9414fhe89f1920c8675869@mail.gmail.com>
Message-ID: <4A05C4BA.2090506@incunabulum.net>

Sam Wun wrote:
> Establishing IPSEC between these 2 pfsync points is a way to go.
>

Yup. The key observation about pfsync is that you can configure the peer(s) for synchronization in the 'syncdev' mode or the 'syncpeer' mode. Unlike CARP, pfsync(4) has no authentication built-in.

With syncdev, you are telling pfsync to periodically send out state updates to a link-scope IPv4 multicast group. Obviously, this only works if all the peer(s) are on-link (i.e. the same LAN), and any Layer 2 switches in the middle are configured to forward the multicast traffic.
The IGMP code will send a membership report for the 224.0.0.240 address, unless it's configured explicitly to not do so for 224.0.0.0/24 link-scope groups via sysctl, which should appease snooping switches. Note that it defaults to IGMPv3 in HEAD; it should downgrade to v2 or v1 if it sees a v2 Query. This mechanism operates wholly independently of CARP. You can IPSEC encapsulate multicast traffic, but of course that gives rise to 'interesting' key distribution problems.

With syncpeer, you are telling pfsync to periodically send out state updates to a *single* peer, not a list, and all such traffic is unicasted. As far as I know, you can't specify multiple peers, so you are limited to 1 other member (unless the peer address is a CARP address, or anycasted by some other mechanism). This should work just fine with IPSEC, provided your key distribution is taken care of.

If your WAN link can carry multicast traffic without additional encapsulation (most can, even if they're not link-layer multicast-capable), then using 'syncdev' should work fine, although the IGMP and MLD code in HEAD will suppress sending membership reports on interfaces without the IFF_MULTICAST flag. This doesn't disallow the stack from sending multicast traffic, though.

[This should perhaps be revisited, because I can think of situations where the WAN link may not have a native link-layer multicast capability, but it's still desirable for the IGMP/MLD reports to go upstream, i.e. DSL in ATM native mode. Userland PPP via tun(4) needs to be told to enable IFF_MULTICAST with the TUNSIFMODE ioctl].

For those who are interested in experiments: pfsync(4) could in theory be enhanced to use Source-Specific Multicast (SSM) for pushing pf state to multiple border firewalls inside an AS boundary -- but it would require knowing all the addresses of the peer(s), and you'd be dependent on a multicast routing protocol like PIM at a minimum for distributing the traffic throughout your AS, as well as needing a unicast routing IGP for the traffic to pass the uRPF checks. It would be desirable to use a different address for this than 224.0.0.240.

You could probably get away with Any-Source Multicast (ASM) for distributing the pfsync updates, but I'd advise against that, as ASM is a little bit harder to secure -- you don't/can't control the endpoints without explicit firewall rules, and of course that introduces recursion (you're having to firewall your firewall updates...)

For kernel hacking: The KPIs involved require that kernel consumers do their own SSM housekeeping, though -- splicing of consumer layer memberships is only done for sockets, and you'd have to craft your own RB-trees, although the multicast code takes care of knitting together the right state-change reports to send upstream, doing filter matches etc -- that's a different matter. It's for this reason that SSM apps are generally best written in userland. Doing SSM in-kernel is possible, sure, but the whole point of using a socket for it is that a load of stuff gets taken care of for you, and using a socket in-kernel is still irksome.

Obviously the more mechanisms you introduce to push out the updates, the wider the range of possible points of failure you introduce. pfsync is cool because it's a tightly integrated solution to a common problem in its space, but it may not be the right choice for all folks in its present state.

...

By the way, does anyone out there have patches to get pfsync(4) to work over IPv6?
cheers,
BMS

From info at lottery.co.uk Sun May 10 15:51:05 2009
From: info at lottery.co.uk (UK NATIONAL LOTTERY)
Date: Sun May 10 15:51:12 2009
Subject: National Lottery: Your Email Won
Message-ID: <20090510153416.196F03C04E@hm1207.locaweb.com.br>

United Kingdom National Lottery
101 Bovill Road, London SE23 1EL
United Kingdom
File #: EGS/2251256003/02

Congratulations, we are pleased to inform you of the result of the United Kingdom National Lottery Award Winners. Your email address have been randomly selected as a winner in the ongoing United Kingdom National Lottery Online program, the draw was held on 30th April, 2009 using a computerized balloting system of selection. The United Kingdom National Lottery is aimed and focused at global development and improvement of living standard across the world.

Free £77 Million Pounds won including *four* Ten Million Pounds Winners and *fourteen* Millionaires plus thousands of other cash prizes. Winner from all over the world, India, France, Singapore, USA, United Kingdom, Spain, South America, Malaysia, Indonesia, South Africa, Belgium, Denmark, Ireland and many more.

We wish to express our sincere apologies for the late notification, this free award online program is been conducted bi-quarterly. United Kingdom National Lottery Free Award draw was conducted at the Europe Issuing Centre, you were selected from an exclusive list of 1,000,000,000 e-mail addresses of internet users from the following categories; consumers, professionals and corporate bodies picked by an advanced automated random computer ballot search from the internet 'NO TICKETS OR DRAFTS WERE SOLD'.

Your email address attached to Security File #: EGS/2251256003/02 with Serial number No: 002839 emerged as a winner of Six Hundred Thousand Pounds (£600.000.00 GBP), therefore you are eligible to file claim for your prize as one of our lucky winners for the payout of your total sum after a thorough verification that will be conducted by our various credible financial institutions.

This online program is precisely aimed at enabling all internet users across the world benefit from the United Kingdom National Lottery, your email address falls within the First Category Winner as such your file has been designated to our European Centre, where the complete verification and payout will be conducted only if there are no exceptions during the claims process, to file your claim immediately please contact our International Programs Director Anderson Spencer with the following information:

1. Name in full-----------------------------------------
2. Phone/Fax-------------------------------------------
3. Occupation------------------------------------------

TO:
Contact Person: Anderson Spencer
European Payment Issuing Office
Tel: +447024065192 (8am - 5pm GMT)
Fax: +447092894160
Email: zonal.anderson-spencer@msn.com

NOTE: In order to benefit from this program, you are advised in your own best interest to file your claim not later than 7days days from the date of this notification to avoid disqualification; anybody under the age of 18 is automatically disqualified. Please include this File #: EGS/2251256003/02 in every of your correspondence with our Foreign Service Director Anderson Spencer.

IMPORTANT: Solemn confidentiality should be ensured until successful remittance of your prize to you to avoid undue taking of advantage, unwarranted claim and abuse of program, any breach of confidentiality on the part of the winner will result to automatic disqualification.

Sincerely Yours,
Mrs. Julie Van Hans,
Executive Director.
United Kingdom National Lottery.
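Two threads in this digest call for the same small tool. Sam Wun's pflog output at the top says only "rule 4/0(match)", and the first step in a case like his is to turn that number into the rule text and read the flags of the dropped packet; the pfsync(4) excerpt and Bruce Simpson's reply above warn that pfsync has no authentication, so a ruleset should also be checked for pass rules that admit it anywhere but the dedicated sync link. The Python below is an added example written for this page, not code from the list, from FreeBSD or from pf. It assumes the ruleset text is in the order pfctl -sr prints filter rules (numbered from 0, with scrub rules kept in their own ruleset and therefore not counted); the cut-down RULESET and PFLOG_LINE are taken from Sam's first post, while PFSYNC_RULES and the interface name fxp0 are constructed for the audit.

```python
"""Resolve pflog 'rule N/M(match)' lines to the ruleset entry that fired, and
audit a ruleset for pass rules that would admit pfsync off the sync interface.

Added example for this digest, not code from the list, from FreeBSD or from pf.
Assumes the ruleset text is in pfctl -sr order: filter rules numbered from 0,
scrub rules living in their own ruleset and therefore not counted."""
import re

# Sam Wun's ruleset from the first post, cut down to the rules needed for the
# lookup (the log cites rule 4) plus two of his pass rules.
RULESET = """\
scrub in all fragment reassemble
block drop in log on ! em0 inet from 1.2.3.200/29 to any
block drop in log on ! em0 inet from 1.2.3.200/29 to any
block drop in log inet from 1.2.3.202 to any
block drop in log inet from 1.2.3.206 to any
block drop in log all
pass in on em0 inet proto tcp from any to 1.2.3.206 port = smtp keep state
pass out on em0 proto tcp all keep state
"""

# One of the logged packets from the same post (tcpdump -n -e -ttt -i pflog0).
PFLOG_LINE = ("rule 4/0(match): block in on em0: 209.85.217.27.25 > "
              "1.2.3.206.50725: S 1649853456:1649853456(0) ack 2736129674 win 5792")

# Constructed ruleset for the pfsync audit: fxp0 is the dedicated sync link.
PFSYNC_RULES = """\
pass on fxp0 proto pfsync
pass in on em0 proto pfsync from any to any
block in log quick on em0 proto 240
"""

PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[A-Z.]+) ")


def index_rules(text):
    """Filter rules in the order pfctl numbers them; scrub lines are skipped."""
    rules = [ln.strip() for ln in text.splitlines()]
    return [r for r in rules if r and not r.startswith("scrub")]


def parse_pflog(line):
    """Pull rule number, action, direction, endpoints and TCP flags out of
    one tcpdump pflog summary line."""
    m = PFLOG_RE.search(line)
    if m is None:
        raise ValueError("not a pflog summary line: %r" % line)
    entry = m.groupdict()
    entry["rule"] = int(entry["rule"])
    entry["ack"] = " ack " in line      # tcpdump prints 'ack N' after the flags
    return entry


def explain_block(entry, rules):
    """Map the logged rule number to its text and classify the drop."""
    rule_text = rules[entry["rule"]]
    syn_ack = entry["flags"] == "S" and entry["ack"]
    if entry["action"] == "block" and entry["dir"] == "in" and syn_ack:
        # A SYN/ACK is the reply to a SYN this host sent. pf consults the state
        # table before the ruleset, so a SYN/ACK that reaches a block rule
        # means no state matched the outgoing SYN: either the SYN never
        # created one (it left on another interface, or the outbound rule
        # has no 'keep state') or the state has since been removed.
        diagnosis = "reply to an outbound connection: no state matched the SYN"
    else:
        diagnosis = "blocked by the rule as written"
    return {"rule_text": rule_text, "syn_ack": syn_ack, "diagnosis": diagnosis}


def pfsync_exposure(rules, syncdev):
    """Pass rules that admit pfsync (IP protocol 240, multicast 224.0.0.240)
    on anything other than the dedicated sync interface. pfsync carries no
    authentication, so such a rule lets any host on that segment inject
    states, which is exactly what the pfsync(4) text warns about."""
    exposed = []
    for r in rules:
        if not r.startswith("pass"):
            continue
        if not re.search(r"\bproto (pfsync|240)\b|224\.0\.0\.240", r):
            continue
        on = re.search(r"\bon (\S+)", r)
        if on is None or on.group(1) != syncdev:
            exposed.append(r)
    return exposed


if __name__ == "__main__":
    rules = index_rules(RULESET)
    entry = parse_pflog(PFLOG_LINE)
    verdict = explain_block(entry, rules)
    print("rule %d -> %s" % (entry["rule"], verdict["rule_text"]))
    print(verdict["diagnosis"])
    for r in pfsync_exposure(index_rules(PFSYNC_RULES), "fxp0"):
        print("pfsync admitted off the sync interface:", r)
```

Against real systems, feed index_rules the output of pfctl -sr and parse_pflog the lines from tcpdump on pflog0; pfctl -vvsr prints the same @N numbers, and they are only meaningful for the ruleset that was loaded when the packet was logged, since every reload renumbers. The diagnosis is deliberately modest: it establishes that the state lookup failed, not why, and the next check is whether pfctl -ss shows a state for the local port (50725 in Sam's log) at all.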
From bugmaster at FreeBSD.org Mon May 11 11:07:02 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon May 11 11:08:53 2009
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200905111107.n4BB71mP086048@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

31 problems total.

From dschulz at gmail.com Tue May 12 22:05:13 2009
From: dschulz at gmail.com (Diego Schulz)
Date: Tue May 12 22:05:19 2009
Subject: state of pf port in 8.x
In-Reply-To: <4A03391B.6070009@infosec.pl>
References: <4A03391B.6070009@infosec.pl>
Message-ID: <47dcfe400905121432m238ff132yb2c489e92b84ba3@mail.gmail.com>

On Thu, May 7, 2009 at 3:40 PM, Michal wrote:
> Hello,
>
> Any ideas what's cooking for 8.0 in this regard?
> Optimistically assuming that we'll see 8.0 in September this year, are we
> getting equivalent of OpenBSD 4.5 or porting is not that easy and
> straightforward?
>
> Michal
> --

+1

I'm also curious about this

From sullrich at gmail.com Tue May 12 23:08:07 2009
From: sullrich at gmail.com (Scott Ullrich)
Date: Tue May 12 23:08:13 2009
Subject: state of pf port in 8.x
In-Reply-To: <4A03391B.6070009@infosec.pl>
References: <4A03391B.6070009@infosec.pl>
Message-ID:

On Thu, May 7, 2009 at 3:40 PM, Michal wrote:
> Hello,
>
> Any ideas what's cooking for 8.0 in this regard?
> Optimistically assuming that we'll see 8.0 in September this year, are we
> getting equivalent of OpenBSD 4.5 or porting is not that easy and
> straightforward?
Code freeze for 8.X is coming in about 3 weeks so I doubt seriously that we will see a new PF import. However Ermal and myself are working on a PF VIMAGE conversion so that will hopefully make the tree if we can get everything sorted out. Scott From sfourman at gmail.com Wed May 13 04:39:29 2009 From: sfourman at gmail.com (Sam Fourman Jr.) Date: Wed May 13 04:39:35 2009 Subject: state of pf port in 8.x In-Reply-To: References: <4A03391B.6070009@infosec.pl> Message-ID: <11167f520905122114m176b979qab4a5fe7e45a2ec5@mail.gmail.com> > Code freeze for 8.X is coming in about 3 weeks so I doubt seriously > that we will see a new PF import. ?However Ermal and myself are > working on a PF VIMAGE conversion so that will hopefully make the tree > if we can get everything sorted out. > > Scott I am really hoping to see OpenBSD's Active / Active in 8.0 Sam Fourman Jr. From espartano.mail at gmail.com Wed May 13 16:24:44 2009 From: espartano.mail at gmail.com (Espartano) Date: Wed May 13 16:24:51 2009 Subject: Question about numbers of connections Message-ID: Hi folks, I have a question about PF over FreeBSD. I would like to know how many connections can manage pf with 256 Mb of ram, I think that PF can manage a lot of connections because it only needs to negotiate the firts package of the connection then it would acept or deny the rest of connection's packages, but I don't sure if my thinks are right or not, anybody could say me if my argument is right or not? I have an Alix machine based in Geode LX800 processor with 256 Mb of ram, and I would like to know if I can do a firewall (PF) with my alix machine and put it in a place with a lot of traffic without troubles. Sorry for my english it's very poor :( Thanks a lot. -- "Linux is for people who hate Windows, BSD is for people who love UNIX". "Documentation is like sex: when it is good, it is very, very good; and when it is bad, it is better than nothing." 
My personal weblog http://people.linuxreal.org/espartano/blog/
Sent from Cordoba, Ver, Mexico

From swun2010 at gmail.com Thu May 14 00:52:44 2009
From: swun2010 at gmail.com (Sam Wun)
Date: Thu May 14 00:52:51 2009
Subject: Question about numbers of connections
In-Reply-To:
References:
Message-ID: <736c47cb0905131752s29a0198xea15a95df7d42e94@mail.gmail.com>

Alix is for home user.

On Thu, May 14, 2009 at 2:02 AM, Espartano wrote:
> Hi folks, I have a question about PF over FreeBSD.
>
> I would like to know how many connections can manage pf with 256 Mb of
> ram, I think that PF can manage a lot of connections because it only
> needs to negotiate the first package of the connection then it would
> accept or deny the rest of connection's packages, but I don't sure if
> my thinks are right or not, anybody could say me if my argument is
> right or not?
>
> I have an Alix machine based in Geode LX800 processor with 256 Mb of
> ram, and I would like to know if I can do a firewall (PF) with my alix
> machine and put it in a place with a lot of traffic without troubles.
>
> Sorry for my english it's very poor :(
>
> Thanks a lot.
>
> --
> "Linux is for people who hate Windows, BSD is for people who love UNIX".
>
> "Documentation is like sex: when it is good, it is very, very good;
> and when it is bad, it is better than nothing."
>
> My personal weblog http://people.linuxreal.org/espartano/blog/
> Sent from Cordoba, Ver, Mexico
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From jon at radel.com Thu May 14 02:16:21 2009
From: jon at radel.com (Jon Radel)
Date: Thu May 14 02:16:27 2009
Subject: Question about numbers of connections
In-Reply-To: <736c47cb0905131752s29a0198xea15a95df7d42e94@mail.gmail.com>
References: <736c47cb0905131752s29a0198xea15a95df7d42e94@mail.gmail.com>
Message-ID: <4A0B70D3.3080405@radel.com>

Sam Wun wrote:
> Alix is for home user.
>
Which is just about as useful as the OP asking if the machine can handle
"a lot of traffic without troubles" without giving us any hint whether he
means traffic that keeps a 128 kbps DSL line semi-busy or if he has a
100 mbps fiber to his house that's practically melting from all the
traffic.  :-)

That said, I'll report that for years I used a "consumer class" Celeron
machine with 384 MB of RAM to act as a firewall for some web sites with
a T1 (1.5 mbps) of traffic hitting it at times, and had no known issues.
I've upgraded a bit by now but mainly just because rather than to solve
any particular issue.

Without knowing more about the traffic to be put across the machine,
about the only real answer is: Try it and see what happens.

--
--Jon Radel
jon@radel.com
From espartano.mail at gmail.com Thu May 14 03:48:20 2009
From: espartano.mail at gmail.com (Espartano)
Date: Thu May 14 03:48:27 2009
Subject: Question about numbers of connections
In-Reply-To: <4A0B70D3.3080405@radel.com>
References: <736c47cb0905131752s29a0198xea15a95df7d42e94@mail.gmail.com> <4A0B70D3.3080405@radel.com>
Message-ID:

On Wed, May 13, 2009 at 8:16 PM, Jon Radel wrote:
> Sam Wun wrote:
>>
>> Alix is for home user.
>>
>
> Which is just about as useful as the OP asking if the machine can handle "a
> lot of traffic without troubles" without giving us any hint whether he means
> traffic that keeps a 128 kbps DSL line semi-busy or if he has a 100 mbps
> fiber to his house that's practically melting from all the traffic.  :-)
>
> That said, I'll report that for years I used a "consumer class" Celeron
> machine with 384 MB of RAM to act as a firewall for some web sites with a T1
> (1.5 mbps) of traffic hitting it at times, and had no known issues.  I've
> upgraded a bit by now but mainly just because rather than to solve any
> particular issue.
>

Ok, I think that I didn't explain it very well, I don't have any high
speed network, I only have used my Alix board at my house, but I
wondering how much work the Alix board could support, more
specifically I wonder if the Alix board could manage about 1 thousand
concurrent connections through a 100Mbps network making round-robin to
load balance and spread the connections between 3 or 4 servers, I
think that the Alix board could do it, It is only a hypothetical case
but I would like to know if I can trust on my Alix board to do this
kind of job or not.

In other hand, what kind of embedded hardware do you recommend to
manage this kind of jobs ?
maybe the answer could be buying a real server and replace the hard
disk with a CF memory using NanoBSD + PF.

Thanks a lot for your patience.

> Without knowing more about the traffic to be put across the machine, about
> the only real answer is:  Try it and see what happens.
>
> --
>
> --Jon Radel
> jon@radel.com
>

--
"Linux is for people who hate Windows, BSD is for people who love UNIX".

"Documentation is like sex: when it is good, it is very, very good;
and when it is bad, it is better than nothing."

My personal weblog http://people.linuxreal.org/espartano/blog/

From david.figuera at gmail.com Sat May 16 20:49:54 2009
From: david.figuera at gmail.com (David Figuera)
Date: Sat May 16 20:50:01 2009
Subject: Question about numbers of connections
In-Reply-To:
References: <736c47cb0905131752s29a0198xea15a95df7d42e94@mail.gmail.com> <4A0B70D3.3080405@radel.com>
Message-ID: <4A0F20A8.6040200@gmail.com>

Espartano wrote:
> Ok, I think that I didn't explain it very well, I don't have any high
> speed network, I only have used my Alix board at my house, but I
> wondering how much work the Alix board could support, more
> specifically I wonder if the Alix board could manage about 1 thousand
> concurrent connections through a 100Mbps network making round-robin to
> load balance and spread the connections between 3 or 4 servers, I
> think that the Alix board could do it, It is only a hypothetical case
> but I would like to know if I can trust on my Alix board to do this
> kind of job or not.

If you're thinking about buying an ALIX and you are not sure if it's going
to do the trick, well, I'm not very sure, but I think it will work just fine.

I have an ALIX 2C3 (Geode LX800 @500MHz) and would make some tests.


PS: Are you subscribed to freebsd-es list as well? I think I've seen you there.
From irix at ukr.net Sun May 17 01:07:31 2009
From: irix at ukr.net (irix)
Date: Sun May 17 01:07:38 2009
Subject: altq
Message-ID: <1393808851.20090517034541@ukr.net>

Hello Freebsd-pf,

Sorry for my english.

OpenBSD team is abandoning the altq project. Maybe FreeBSD team does not
come as OpenBSD team.

In Kernel is present "options ALTQ_CDNR # Traffic conditioner", that is
may be used for simple ingress traffic shaping (like dummynet). Maybe you
may add this function to pfctl to make use it. Maybe after this OpenBSD
team is backport this function to base.

Also lacking in pf/altq dynamic queues like in dummynet with dst-masks
(src-masks) (ipfw pipe 10 config mask dst-ip 0x000000ff bw 1024bit/s queue;
ipfw add pipe 10 tcp from any to 1.1.1.0/24 via fxp0), when with one rule
may create many dynamic queues for per ip shaping from subnet. This maybe
useful for many people, because pf is most popular firewall.

Thank you.
--
Best regards,
 irix                          mailto:irix@ukr.net

From espartano.mail at gmail.com Sun May 17 04:41:52 2009
From: espartano.mail at gmail.com (Espartano)
Date: Sun May 17 04:41:58 2009
Subject: Question about numbers of connections
In-Reply-To: <4A0F20A8.6040200@gmail.com>
References: <736c47cb0905131752s29a0198xea15a95df7d42e94@mail.gmail.com> <4A0B70D3.3080405@radel.com> <4A0F20A8.6040200@gmail.com>
Message-ID:

On Sat, May 16, 2009 at 3:23 PM, David Figuera wrote:
> Espartano wrote:
>> Ok, I think that I didn't explain it very well, I don't have any high
>> speed network, I only have used my Alix board at my house, but I
>> wondering how much work the Alix board could support, more
>> specifically I wonder if the Alix board could manage about 1 thousand
>> concurrent connections through a 100Mbps network making round-robin to
>> load balance and spread the connections between 3 or 4 servers, I
>> think that the Alix board could do it, It is only a hypothetical case
>> but I would like to know if I can trust on my Alix board to do this
>> kind of job or not.
>
> If you're thinking about buying an ALIX and you are not sure if it's going
> to do the trick, well, I'm not very sure, but I think it will work just fine.
>
> I have an ALIX 2C3 (Geode LX800 @500MHz) and would make some tests.
>
>
> PS: Are you subscribed to freebsd-es list as well? I think I've seen you there.

Yes, Already I'm subscriber to freebsd-es list too :)

--
"Linux is for people who hate Windows, BSD is for people who love UNIX".

"Documentation is like sex: when it is good, it is very, very good;
and when it is bad, it is better than nothing."
From grishin-mailing-lists at minselhoz.samara.ru Sun May 17 04:46:40 2009
From: grishin-mailing-lists at minselhoz.samara.ru (Yuriy Grishin)
Date: Sun May 17 04:46:47 2009
Subject: Question about numbers of connections
In-Reply-To:
References: <736c47cb0905131752s29a0198xea15a95df7d42e94@mail.gmail.com> <4A0B70D3.3080405@radel.com>
Message-ID: <4A0F8E99.1080904@minselhoz.samara.ru>

Espartano wrote:
> On Wed, May 13, 2009 at 8:16 PM, Jon Radel wrote:
>
>> Sam Wun wrote:
>>
>>> Alix is for home user.
>>>
>>>
>> Which is just about as useful as the OP asking if the machine can handle "a
>> lot of traffic without troubles" without giving us any hint whether he means
>> traffic that keeps a 128 kbps DSL line semi-busy or if he has a 100 mbps
>> fiber to his house that's practically melting from all the traffic. :-)
>>
>> That said, I'll report that for years I used a "consumer class" Celeron
>> machine with 384 MB of RAM to act as a firewall for some web sites with a T1
>> (1.5 mbps) of traffic hitting it at times, and had no known issues. I've
>> upgraded a bit by now but mainly just because rather than to solve any
>> particular issue.
>>
>>
>
> Ok, I think that I didn't explain it very well, I don't have any high
> speed network, I only have used my Alix board at my house, but I
> wondering how much work the Alix board could support, more
> specifically I wonder if the Alix board could manage about 1 thousand
> concurrent connections through a 100Mbps network making round-robin to
> load balance and spread the connections between 3 or 4 servers, I
> think that the Alix board could do it, It is only a hypothetical case
> but I would like to know if I can trust on my Alix board to do this
> kind of job or not.
>
> In other hand, what kind of embedded hardware do you recommend to
> manage this kind of jobs ? maybe the answer could be buying a real
> server and replace the hard disk with a CF memory using NanoBSD + PF.
>
> Thanks a lot for your patience.
>
>

I have a Pentium III machine with 128Mbytes SDRAM, two realtek cards and
FreeBSD 6.3. It serves 40 pppoe users (radius+mysql+mpd). It connected to
a Wi-Max 2Mbps link and does altq shaping (cbq). In addition spamd and
pfstat runs there (there is a bandwidth graphic here http 80.76.128.74 ).
More than 500Gbytes/month flows through this gateway. In general it works
satisfactorily but as you can see the uptime is no good. That is because
it has no UPS (ungraceful reboots are often). It's a very stressful mode
and the hardware it runs on is used (I just took an old pc of my friend).
But it works more than a year!

Another story: I built a bittorrent-downloader for my friend lately. It
was a P-200MMX with two Intel cards and 96Mbytes of RAM. I tested it in
my LAN and it gave about 8Mbps. So if you take a good hardware network
card that performs most the work by itself (not by CPU via the driver) I
suppose you can easily achieve 30-50Mbps.

Also read this http://www.openbsd.org/faq/pf/perf.html

--
Code cheap ($3 per an application)

From matheus at eternamente.info Sun May 17 17:57:03 2009
From: matheus at eternamente.info (Nenhum_de_Nos)
Date: Sun May 17 17:57:10 2009
Subject: altq
In-Reply-To: <1393808851.20090517034541@ukr.net>
References: <1393808851.20090517034541@ukr.net>
Message-ID: <516ec81c51d6232dd6e1ae75e852c4e5.squirrel@cygnus.homeunix.com>

On Sat, May 16, 2009 21:45, irix wrote:
> Hello Freebsd-pf,
>
> Sorry for my english.
>
> OpenBSD team is abandoning the altq project.

I just got curious about this: where you heard that OpenBSD is abandoning
altq ?

thanks,

matheus

--
We will call you cygnus,
The God of balance you shall be

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
http://en.wikipedia.org/wiki/Posting_style

From repcsike at gmail.com Sun May 17 20:22:45 2009
From: repcsike at gmail.com (Kevin Smith)
Date: Sun May 17 20:22:52 2009
Subject: PF Nat Problem after PPP reconnection
Message-ID:

Hello,

I have a weird problem I couldn't solve. I have it from 7.0, after ppp
reconnects to the ISP weird stuff happening, packets don't come back, the
connection to the ISP gets very slow, http requests got timed out or load
but items missing or the connection gets reset, but only for the computers
behind NAT. I'm using PF for filtering and for natting too. I have a
dynamic IP address from my ISP, but it's not forcing the reconnection every
24 hours (happening once or twice a week).

I tried the following things:

tweak mtu from 1492 to 1452. no use.
reload the whole pf config with pfctl -F all -f /etc/pf.conf - no use
look at netstat -m and -rn all looks alright - memory is ok, routing looks
ok, and I can initiate connections from the box.
tun0 interface looks alright ip address is ok, and gw is ok too.

only rebooting the computer solves the problem after this!

I tried pfctl -F nat and I set up ipnat, and now NAT is working alright.
Here are the data and configs:

uname -a
FreeBSD homeserver.workgroup.local 7.1-RELEASE-p4 FreeBSD 7.1-RELEASE-p4 #1: Wed Apr 15 19:03:33 CEST 2009 repcsi@homeserver.workgroup.local:/usr/obj/usr/src/sys/REPCSI i386

The kernel (/usr/src/sys/i386/conf/REPCSI) was built from the 7.1 GENERIC
with these addons:

#PF
device          pf              #PF OpenBSD packet-filter firewall
device          pflog           #logging support interface for PF
device          pfsync          #synchronization interface for PF
device          carp            #Common Address Redundancy Protocol

#ALTQ
options         ALTQ
options         ALTQ_CBQ        # Class Based Queueing
options         ALTQ_RED        # Random Early Detection
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler
options         ALTQ_CDNR       # Traffic conditioner
options         ALTQ_PRIQ       # Priority Queueing
options         ALTQ_NOPCC      # Required for SMP build

/etc/rc.conf relevant sections:

ifconfig_nfe0="inet 172.20.0.1 netmask 255.255.255.0"
ifconfig_fxp0="MTU 1492 UP"
ifconfig_tun0="DHCP"
gateway_enable="YES"
ppp_enable="YES"
ppp_profile="dsl"
ppp_mode="ddial"
ppp_nat="NO"
ppp_user="root"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_program="/sbin/pfctl"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

/etc/ppp/ppp.conf

default:
 set log Phase Chat LCP IPCP CCP tun command
 # set log Phase tun command
 ident user-ppp VERSION (built COMPILATIONDATE)
 set timeout 0
 set reconnect 5 999
 set device /dev/cuad1
 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
   \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 set timeout 180                        # 3 minute idle timer (the default)
 enable dns                             # request DNS info (for resolv.conf)

papchap:
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR                    # Add a (sticky) default route
dsl:
 set device PPPoE:fxp0
 set mtu max 1452
 set authname USERNAME
 set authkey PASSWORD
 set dial
 set login
 set ifaddr 10.0.0.1/0 10.0.0.2/0
 add default HISADDR
 nat enable no
 set cd off
 set crtscts off
 set redial 0 0
 enable lqr echo
 enable lcp
 enable dns

/etc/ppp/ppp.linkup

dsl:
 !bg sh -c "/sbin/pfctl -F all -f /etc/pf.conf"

/etc/ppp/ppp.linkdown  < had to set this up for testing because ppp restart
couldn't destroy the tun0 interface and ppp used tun1 after that ;\ however
at reconnect it destroys it, and tells me this command is invalid.:

dsl:
 !bg ifconfig tun0 destroy

/etc/pf.conf - I just added log for debugging but without log the behaviour
was the same

ext_if = "tun0"
int_if = "nfe0"
ext_ad = "(tun0)"
prv_ads = "172.20.0.0/24"
nat_p = "{tcp, udp, icmp}"
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s, ntp, 43 }"
udp_services = "{ domain, ntp }"
client_out = "{ ftp-data, ftp, ssh, domain, pop3, auth, nntp, http, https, 446,
icmp_types = "{ echoreq, unreach }"
table persist
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
proxy="127.0.0.1"      # ftp proxy IP
proxyport="8021"       # ftp proxy port

scrub in all

altq on $ext_if priq bandwidth 400Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

nat on $ext_if proto $nat_p from $prv_ads to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport

block in log all
pass out log on $ext_if proto tcp from any to any queue (q_def, q_pri)
pass in log on $ext_if proto tcp from any to any queue (q_def, q_pri)
block return log
pass out log keep state
anchor "ftp-proxy/*"
set skip on { lo0, $int_if }
block in log quick from urpf-failed
antispoof log for $ext_if
block drop in log (all) quick on $ext_if from { $martians, } to any
block drop out log (all) quick on $ext_if from any to $martians
pass out log on $ext_if proto tcp to any port $tcp_services
pass out log on $ext_if proto udp to any port $udp_services
pass out log on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
pass log inet proto icmp all icmp-type $icmp_types keep state
pass log inet proto tcp from any to $ext_if port ssh keep state (max-src-conn 5, max-src-conn-rate 3/5 overload flush global)

Thanks for every reply :)

Best Regards,
Repcsi

From max at love2party.net Sun May 17 20:59:51 2009
From: max at love2party.net (Max Laier)
Date: Sun May 17 20:59:58 2009
Subject: PF Nat Problem after PPP reconnection
In-Reply-To:
References:
Message-ID: <200905172258.46521.max@love2party.net>

On Sunday 17 May 2009 21:50:52 Kevin Smith wrote:
> /etc/pf.conf - i just added log for debugging but without log the
> behaviour was the same
>
> ext_if = "tun0"
> int_if = "nfe0"
> ext_ad = "(tun0)"

change that to "(tun0:0)" - it's an FAQ, only we don't have a good place
to document it.  Suggestions - once again welcome.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From max at love2party.net Sun May 17 21:22:08 2009
From: max at love2party.net (Max Laier)
Date: Sun May 17 21:22:14 2009
Subject: PF Nat Problem after PPP reconnection
In-Reply-To:
References: <200905172258.46521.max@love2party.net>
Message-ID: <200905172321.03996.max@love2party.net>

On Sunday 17 May 2009 23:08:32 Kevin Smith wrote:
> You mean the ext_ad macro right ?
>
> What do you tell with that to pf, and why do I need it, can you tell me
> ? :)

http://www.freebsd.org/cgi/query-pr.cgi?pr=69954

> Thank you!
>
> 2009/5/17 Max Laier
>
> > On Sunday 17 May 2009 21:50:52 Kevin Smith wrote:
> > > /etc/pf.conf - i just added log for debugging but without log the
> > > behaviour was the same
> > >
> > > ext_if = "tun0"
> > > int_if = "nfe0"
> > > ext_ad = "(tun0)"
> >
> > change that to "(tun0:0)" - it's an FAQ, only we don't have a good
> > place to document it. Suggestions - once again welcome.
> >
> > --
> > /"\  Best regards,                      | mlaier@freebsd.org
> > \ /  Max Laier                          | ICQ #67774661
> >  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
> > / \  ASCII Ribbon Campaign              | Against HTML Mail and News
>

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From irix at ukr.net Sun May 17 23:47:41 2009
From: irix at ukr.net (irix)
Date: Sun May 17 23:47:49 2009
Subject: altq
Message-ID: <904030579.20090518024822@ukr.net>

Hello ,

First of all, person who is responsible for this answer for my question
about dynamics queues and finally complete to merge cdnr into pf, that
altq nothing else, and complete does not this function. You need and you
do. We are not interested in this.

But altq is not complete solution. From altqd make any abnormality. The
idea of merging with pf excellent, but the realization of an unfinished,
even at 30%. Removed 70% of traffic disciplines (like blue, JoBBs), did
not finish cdnr, nothing new added. How can this be called complete
project? In DfBSD in altq add fairq, is one new option in altq for last
six years. No development, the project is dead. I can understand, when
project is complete, more it did not need to add. But altq in pf have
almost nothing. And developers say it does not concern us. So I wrote up
in maillist freebsd, as in most advanced bsd system. Developers who think
for a few years in advance.

> On Sat, May 16, 2009 21:45, irix wrote:
> Hello Freebsd-pf,
>
> Sorry for my english.
>
> OpenBSD team is abandoning the altq project.
>
>I just got curious about this: where you heard that OpenBSD is abandoning
>altq ?
>
>thanks,
>
>matheus
>
>--
>We will call you cygnus,
>The God of balance you shall be
>
>A: Because it messes up the order in which people normally read text.
>Q: Why is top-posting such a bad thing?
>
>http://en.wikipedia.org/wiki/Posting_style

--
Best regards,
 irix                          mailto:irix@ukr.net

From britneyfreek at googlemail.com Mon May 18 00:24:21 2009
From: britneyfreek at googlemail.com (britneyfreek)
Date: Mon May 18 00:24:28 2009
Subject: PF Nat Problem after PPP reconnection
In-Reply-To: <200905172321.03996.max@love2party.net>
References: <200905172258.46521.max@love2party.net> <200905172321.03996.max@love2party.net>
Message-ID: <2ad621ab0905171701r723f0898s672249600df4455c@mail.gmail.com>

I've had such problems when using a mtu other than 1492... sorry, have no
other solution.

2009/5/17 Max Laier :
> On Sunday 17 May 2009 23:08:32 Kevin Smith wrote:
>> You mean the ext_ad macro right ?
>>
>> What do you tell with that to pf, and why do I need it, can you tell me
>> ? :)
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=69954
>
>> Thank you!
>>
>> 2009/5/17 Max Laier
>>
>> > On Sunday 17 May 2009 21:50:52 Kevin Smith wrote:
>> > > /etc/pf.conf - i just added log for debugging but without log the
>> > > behaviour was the same
>> > >
>> > > ext_if = "tun0"
>> > > int_if = "nfe0"
>> > > ext_ad = "(tun0)"
>> >
>> > change that to "(tun0:0)" - it's an FAQ, only we don't have a good
>> > place to document it.  Suggestions - once again welcome.
>> >
>> > --
>> > /"\  Best regards,                      | mlaier@freebsd.org
>> > \ /  Max Laier                          | ICQ #67774661
>> >  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
>> > / \  ASCII Ribbon Campaign              | Against HTML Mail and News
>>
>
> --
> /"\  Best regards,                      | mlaier@freebsd.org
> \ /  Max Laier                          | ICQ #67774661
>  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
> / \  ASCII Ribbon Campaign              | Against HTML Mail and News
>

From mehmasarja at gmail.com Mon May 18 06:46:21 2009
From: mehmasarja at gmail.com (mehma sarja)
Date: Mon May 18 06:46:28 2009
Subject: Testing new firewall to replace operational firewall
Message-ID:

This is a long and complicated affair. I have warned you and you still
persist on reading further. I will try to protect you as much as possible,
but please be forewarned.

GOAL
I want to test two pf firewalls in-line - an old openBSD (3.7 #50, i386) is
on the 'outside' and a new FreeBSD (7.2 #0 amd64) is on the 'inside.' The
FreeBSD firewall does NOT have altq enabled. Here is the setup:

INTERNET ===[outside port bridged to inside port OLD pf] === [outside port
bridged to inside port NEW pf] === LAN

CONTEXT
a. The old firewall is in production and is running as expected - blocking
and passing as we need.
b. I am in the process of replacing it with a new one. It happens that
OpenBSD was inconvenient on the hardware we have, so the new firewall is
implemented on FreeBSD. I copied most stuff over and tested it within our
network - which is not a complete test.
c. So, one test is to put these two firewalls in tandem - just for testing.
The idea being that the inside firewall will catch stuff going out and we
can see it in the logs and the outside firewall will catch stuff coming in
and we can see that as well. They should not have anything in the logs for
stuff going the other ways, if you know what I mean.

WHY ARE WE DOING THIS?
We are replacing a production firewall and want to test the new one for
about a month before taking the old one away.
Is there a better way to test out the functionality over an extended
period of time - without setting up a separate environment?

RESULTS OF TEST
The tandem configuration got hooked in and everything (by 'everything', I
mean this is our single pipe in and out of our organization and we have a
lot of other services we provide) works except smtps, https and maybe imaps
and pop3s (we did not test for these since we quickly reverted back when we
found out that some services were being blocked)

DATA THAT MIGHT BE HELPFUL

OLD FIREWALL - smtps
pfctl -s rules|grep 465
pass in log quick on em0 inet proto tcp from any to 118.124.23.233 port = 465 flags S/SA modulate state
pass in log quick on em0 inet proto tcp from any to 118.124.23.234 port = 465 flags S/SA modulate state
pass in log quick on em0 inet proto tcp from any to 118.124.22.166 port = 465 flags S/SA modulate state
pass in log quick on em0 inet proto tcp from 56.69.235.49 to 118.124.23.218 port = 465 flags S/SA modulate state
em0 is the outside port of the bridge

NEW FIREWALL - smtps
pfctl -s rules|grep smtps
pass in log quick on em0 inet proto tcp from any to 118.124.23.233 port = smtps flags S/SA modulate state
pass in log quick on em0 inet proto tcp from any to 118.124.23.234 port = smtps flags S/SA modulate state
pass in log quick on em0 inet proto tcp from any to 118.124.22.166 port = smtps flags S/SA modulate state
pass in log quick on em0 inet proto tcp from 56.69.235.49 to 128.114.23.218 port = smtps flags S/SA modulate state

OLD FIREWALL and NEW FIREWALL imaps DATA is the same
pfctl -s rules|grep imaps
pass in log quick on em0 inet proto tcp from any to 118.124.23.233 port = imaps flags S/SA modulate state
pass in log quick on em0 inet proto tcp from any to 118.124.23.234 port = imaps flags S/SA modulate state

OLD FIREWALL and NEW FIREWALL https DATA is the same
pfctl -s rules|grep https
pass in log quick on em0 inet proto tcp from any to 118.124.23.233 port = imaps flags S/SA modulate state
pass in log quick on em0 inet proto tcp from any to 118.124.23.234 port = imaps flags S/SA modulate state

OLD FIREWALL and NEW FIREWALL pop3s DATA is the same
pfctl -s rules|grep pop3s
pass in log quick on em0 inet proto tcp from any to 118.124.23.233 port = pop3s flags S/SA modulate state
pass in log quick on em0 inet proto tcp from any to 118.124.23.234 port = pop3s flags S/SA modulate state

MY CONJECTURES
Referring to one rule:
pass in log quick on em0 inet proto tcp from any to 118.124.23.233 port = imaps flags S/SA modulate state

FIRST
I suspect "modulate state" may be the culprit. Here is what the manual says:
"modulate state - works only with TCP. PF will generate strong Initial
Sequence Numbers (ISNs) for packets matching this rule." So we have 2
machines generating ISNs for the same connection. Could this be the problem?

SECOND
Are the "flags S/SA" altq functions? Because, as I said before, the new
firewall is FreeBSD GENERIC kernel with altq not compiled in.

Yudhvir
"I play with fire....walls"
===

From gm.jin.wang at gmail.com Mon May 18 08:45:25 2009
From: gm.jin.wang at gmail.com (jin wang)
Date: Mon May 18 08:45:30 2009
Subject: Is there any plan to remove the global mutex lock (PF_LOCK/PF_UNLOCK) ?
Message-ID: <7f8c92fb0905180124m24346fc3x2b39c8d4a5bfa893@mail.gmail.com>

From milu at dat.pl Mon May 18 09:33:43 2009
From: milu at dat.pl (Maciej Milewski)
Date: Mon May 18 09:33:50 2009
Subject: Testing new firewall to replace operational firewall
In-Reply-To:
References:
Message-ID: <200905181114.24507.milu@dat.pl>

Monday 18 May 2009 08:20:40 mehma sarja wrote:
> SECOND
> Are the "flags S/SA" altq functions? Because, as I said before, the new
> firewall is FreeBSD GENERIC kernel with altq not compiled in.
No, they aren't as far as I know. Altq is a mechanism used for
queuing/traffic shaping. If you don't compile it it just can't be used.
For more info please look at PF FAQ or pf manual.

S/SA is from flags and means SYN and ACK.
Handbook says "FreeBSD 7.X -- PF is at OpenBSD 4.1" So this option (flags
S/SA) is set by default. If you omit it in config it will be set.

Best Regards,
Maciej Milewski

From dr.pesko at gmail.com Mon May 18 10:40:19 2009
From: dr.pesko at gmail.com (Dr.Pesko)
Date: Mon May 18 10:40:25 2009
Subject: altq with lagg
Message-ID: <4A1134CF.4060605@gmail.com>

Hello everyone,

Is it possible to use ALTQ with lagg and vlan interfaces?

Thanks.

Best Regards,
Dr.Pesko

From bugmaster at FreeBSD.org Mon May 18 11:06:58 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon May 18 11:09:01 2009
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200905181106.n4IB6vk9075747@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

31 problems total.

From sullrich at gmail.com Mon May 18 15:30:04 2009
From: sullrich at gmail.com (Scott Ullrich)
Date: Mon May 18 15:30:10 2009
Subject: Is there any plan to remove the global mutex lock (PF_LOCK/PF_UNLOCK) ?
In-Reply-To: <7f8c92fb0905180124m24346fc3x2b39c8d4a5bfa893@mail.gmail.com>
References: <7f8c92fb0905180124m24346fc3x2b39c8d4a5bfa893@mail.gmail.com>
Message-ID:

> Is there any plan to remove the global mutex lock (PF_LOCK/PF_UNLOCK) ?

I believe the plan is to do a sync against openbsd-current after 8.0
release and then begin to restructure the locking to allow it run across
multiple cores/cpus targeting 9.0.

Scott

From mehmasarja at gmail.com Tue May 19 05:11:13 2009
From: mehmasarja at gmail.com (mehma sarja)
Date: Tue May 19 05:11:19 2009
Subject: Testing new firewall to replace operational firewall
In-Reply-To: <200905181114.24507.milu@dat.pl>
References: <200905181114.24507.milu@dat.pl>
Message-ID:

Maciej,

Thanks for answering one question. Now, does anyone know anything about
"modulated state" running on tandem firewalls causing problems?

Yudhvir
===

2009/5/18 Maciej Milewski

> Monday 18 May 2009 08:20:40 mehma sarja wrote:
> > SECOND
> > Are the "flags S/SA" altq functions? Because, as I said before, the new
> > firewall is FreeBSD GENERIC kernel with altq not compiled in.
> No, they aren't as far as I know. Altq is a mechanism used for
> queuing/traffic shaping. If you don't compile it it just can't be used. For
> more info please look at PF FAQ or pf manual.
>
>
> S/SA is from flags and means SYN and ACK.
> Handbook says "FreeBSD 7.X -- PF is at OpenBSD 4.1" So this option (flags
> S/SA) is set by default. If you omit it in config it will be set.
>
> Best Regards,
> Maciej Milewski
>

From peter at vk2pj.dyndns.org Tue May 19 09:55:29 2009
From: peter at vk2pj.dyndns.org (Peter Jeremy)
Date: Tue May 19 09:55:36 2009
Subject: Testing new firewall to replace operational firewall
In-Reply-To:
References:
Message-ID: <20090519094434.GA5943@server.vk2pj.dyndns.org>

On 2009-May-17 23:20:40 -0700, mehma sarja wrote:
>I want to test two pf firewalls in-line - an old openBSD (3.7 #50, i386) is
>on the 'outside' and a new FreeBSD (7.2 #0 amd64) is on the 'inside.' The
>FreeBSD firewall does NOT have altq enabled. Here is the setup:

I can't think of anything specific that would make this break.

>I suspect "modulate state" may be the culprit. Here is what the manual says:
>"modulate state - works only with TCP. PF will generate strong Initial
>Sequence Numbers (ISNs) for packets matching this rule." So we have 2
>machines generating ISNs for the same connection. Could this be the problem?

No. The inner firewall will generate "strong" ISNs and forward the packets. The outer firewall will then generate its own "strong" ISN and forward the packet to the internet. Neither firewall cares about the sequence numbers other than for tracking windows.

>SECOND
>Are the "flags S/SA" altq functions?

No but I presume your testing took into account that inserting/removing the firewall would kill all existing TCP connections.

My suggestion would be to do some repeat testing (hopefully you have a maintenance window or low-traffic period where you can afford a planned outage) with tcpdump running on inner, middle and outer interfaces and follow the packets through. Looking at how the packets are transformed will hopefully provide a clue as to what is not working the way you expect.

--
Peter Jeremy
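Peter's point that two "modulate state" firewalls in series do not conflict can be checked with a small model. What follows is an added example, not code from this thread and not pf's own code: ModulatingFirewall and run_tandem are a simplified simulation of what modulate state does (a per-state random offset added to the initiator's sequence numbers on the way out and subtracted from the returning acknowledgment numbers, with the responder's ISN left alone), the host names "client" and "server" and the seed are constructed, and nothing here reflects pf's real data structures. The model also shows the one case that does break, which Peter mentions: a data segment reaching a firewall that never saw the connection's SYN has no state (and no offset) and is dropped, which is why inserting a firewall mid-stream kills existing TCP connections.

```python
"""Model of two 'modulate state' firewalls in series (added example, not pf code).

pf's modulate state replaces the initiator's ISN with a random one for the
lifetime of the state: every sequence number the initiator sends is shifted
by a per-state offset, and every acknowledgment coming back is shifted back.
The responder's ISN is not touched. Chaining two such firewalls therefore
just adds a second offset, which the reply path removes again.
"""
import random
from dataclasses import dataclass, replace
from typing import Optional

MOD32 = 1 << 32  # TCP sequence space wraps at 2^32


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    flags: str  # e.g. "S", "SA", "A", "PA"


class ModulatingFirewall:
    """Simplified stand-in for a pf rule 'pass ... flags S/SA modulate state'."""

    def __init__(self, rng: random.Random) -> None:
        self.rng = rng
        self.offset: dict = {}  # (initiator, responder) -> 32-bit offset

    def outbound(self, seg: Segment) -> Optional[Segment]:
        """Initiator -> responder. Returns None when the segment is dropped."""
        key = (seg.src, seg.dst)
        if key not in self.offset:
            if "S" not in seg.flags:
                return None  # no state and not a SYN: blocked, like flags S/SA
            self.offset[key] = self.rng.getrandbits(32)  # new "strong" ISN offset
        return replace(seg, seq=(seg.seq + self.offset[key]) % MOD32)

    def inbound(self, seg: Segment) -> Optional[Segment]:
        """Responder -> initiator. Only the ack field is rewritten."""
        d = self.offset.get((seg.dst, seg.src))
        if d is None:
            return None  # reply for a flow whose SYN we never saw
        return replace(seg, ack=(seg.ack - d) % MOD32)


def run_tandem(seed: int = 1) -> dict:
    """Handshake plus one data exchange through inner and outer firewalls."""
    rng = random.Random(seed)  # constructed, deterministic so results can be checked
    inner = ModulatingFirewall(rng)  # the FreeBSD box on the inside
    outer = ModulatingFirewall(rng)  # the OpenBSD box on the outside
    client_isn = rng.getrandbits(32)
    server_isn = rng.getrandbits(32)

    def to_server(seg):
        seg = inner.outbound(seg)
        return None if seg is None else outer.outbound(seg)

    def to_client(seg):
        seg = outer.inbound(seg)
        return None if seg is None else inner.inbound(seg)

    syn = Segment("client", "server", client_isn, 0, "S")
    syn_at_server = to_server(syn)
    synack = Segment("server", "client", server_isn, (syn_at_server.seq + 1) % MOD32, "SA")
    synack_at_client = to_client(synack)
    # client acks the SYN/ACK and sends 100 bytes of data in the same segment
    data = Segment("client", "server", (client_isn + 1) % MOD32, (server_isn + 1) % MOD32, "PA")
    data_at_server = to_server(data)
    data_ack = Segment("server", "client", (server_isn + 1) % MOD32,
                       (data_at_server.seq + 100) % MOD32, "A")
    data_ack_at_client = to_client(data_ack)

    total = (inner.offset[("client", "server")] + outer.offset[("client", "server")]) % MOD32
    return {
        "client_isn": client_isn,
        "server_isn": server_isn,
        "total_offset": total,
        "isn_seen_by_server": syn_at_server.seq,
        "server_isn_seen_by_client": synack_at_client.seq,
        "ack_seen_by_client": synack_at_client.ack,
        "ack_seen_by_server": data_at_server.ack,
        "data_ack_seen_by_client": data_ack_at_client.ack,
    }


def mid_stream_without_state(seed: int = 1) -> Optional[Segment]:
    """A data segment arriving at a freshly inserted firewall: no SYN was seen."""
    fw = ModulatingFirewall(random.Random(seed))
    return fw.outbound(Segment("client", "server", 1000, 2000, "PA"))


if __name__ == "__main__":
    r = run_tandem()
    print(f"client ISN {r['client_isn']}, server sees {r['isn_seen_by_server']}")
    print(f"ack back at client == ISN+1: "
          f"{r['ack_seen_by_client'] == (r['client_isn'] + 1) % MOD32}")
    print("mid-stream segment with no state:", mid_stream_without_state())
```

The server ends up seeing the client's ISN shifted by the sum of both offsets, while every acknowledgment that reaches the client has been shifted back to the client's own numbering, so neither firewall needs to know the other exists. When following packets with tcpdump on the inner, middle and outer interfaces as Peter suggests, this is the pattern to expect: the client-side sequence numbers change at each hop, the server-side sequence numbers do not.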
From alessandro.dev at gmail.com Tue May 19 14:54:56 2009
From: alessandro.dev at gmail.com (Alessandro Silveira)
Date: Tue May 19 14:55:01 2009
Subject: Best method to stream
Message-ID: <720e1f20905190725q7659f6a5o5c64fa85aad996c8@mail.gmail.com>

I have a Storage with high input/output traffic in a network. What is the best implementation for the transmission stream without delay, HSFC or CBQ?

Regards
Alessandro

From dr.pesko at gmail.com Tue May 19 18:27:23 2009
From: dr.pesko at gmail.com (Dr.Pesko)
Date: Tue May 19 18:27:28 2009
Subject: altq with lagg
In-Reply-To: <4A1134CF.4060605@gmail.com>
References: <4A1134CF.4060605@gmail.com>
Message-ID: <4A12F9DA.3070604@gmail.com>

On 5/18/2009 3:13 PM, Dr.Pesko wrote:
> Hello everyone,
>
> Is it possible to use ALTQ with lagg and vlan interfaces? Thanks.
>
> Best Regards,
> Dr.Pesko
>

Yesssss! It works! I just used "altq on lagg0 cbq blabla" in my pf.conf file.

Thanks!

Best Regards,
Dr.Pesko

From jmclaughlin at tssg.org Mon May 25 09:30:31 2009
From: jmclaughlin at tssg.org (John McLaughlin)
Date: Mon May 25 09:30:37 2009
Subject: Address family problems with ECN + ALTQ on IPv6
Message-ID: <4A1A61D0.9010108@tssg.org>

Hi,

I'm trying to set up a testbed to play around with some ideas regarding ECN. The hardware scenario involves having a Linux box (has to be Linux) either side of a FreeBSD router. All addressing is IPv6 (also a requirement).

I've configured Pf in a really simple fashion thus:

  ext_if="xl0"
  altq on $ext_if cbq bandwidth 1Mb tbrsize 4000 qlimit 5 queue { def }
  queue def bandwidth 100% cbq(default red ecn)

and this works insofar as the bandwidth is limited as specified. I use Netperf to generate traffic between the 2 endpoints through the router, but no packet ever gets marked with CE - only dropped. Traffic is always a TCP stream.

I investigated further by embedding debug statements into altq_ecn.c, and have discovered that the mark_ecn() function is failing at the line:

  if (af != AF_INET && af != AF_INET6)
          return (0);

Checking the value of af, it is *always* returned as 0 - I would expect 28 from looking at socket.h. ECN usage between the two endpoints is negotiated successfully - using Wireshark I can see this in the SYN/SYN ACK packet. Furthermore the outgoing data packets are marked with the ECT(0) (10) codepoint, but the router never signals congestion with the CE (11) codepoint as it always fails the address family check.

Am I missing some sysctl configuration somewhere or possibly a kernel option, or is this a bug?

The following are my kernel options:

  # ALTQ support
  device          pf
  device          pflog
  device          pfsync
  options         ALTQ
  options         ALTQ_CBQ        # Class Based Queuing (CBQ)
  options         ALTQ_RED        # Random Early Detection (RED)
  options         ALTQ_RIO        # RED In/Out
  options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
  options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
  options         ALTQ_NOPCC      # Required for SMP build

Any help will be much appreciated!

Regards,
John McLaughlin

From bugmaster at FreeBSD.org Mon May 25 11:06:59 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon May 25 11:09:01 2009
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200905251106.n4PB6vA6092904@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to successfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

31 problems total.

From gugge at guggemand.dk Tue May 26 11:00:10 2009
From: gugge at guggemand.dk (Karsten Schmidt)
Date: Tue May 26 11:00:16 2009
Subject: kern/132176: [pf] pf stalls connection when using route-to [regression]
Message-ID: <200905261100.n4QB09AE077331@freefall.freebsd.org>

The following reply was made to PR kern/132176; it has been noted by GNATS.

From: Karsten Schmidt
To: bug-followup@FreeBSD.org, link@ngc.net.ua
Cc:
Subject: Re: kern/132176: [pf] pf stalls connection when using route-to [regression]
Date: Tue, 26 May 2009 12:40:52 +0200

I have the same error on a 7.2 box with a bce device and vlans

#pf.conf
# send all packets from x.x.x.128/26 to nonlocal addresses through x.x.x.129
pass out quick route-to ( bce0.11 x.x.x.129 ) from x.x.x.128/26 to !x.x.x.128/26 no state

#default gateway
91.208.16.1

#ifconfig
bce0: flags=8843 metric 0 mtu 1500
        options=1bb
        ether 00:1f:29:06:85:28
        inet x.x.x.125 netmask 0xffffff80 broadcast x.x.x.127
        media: Ethernet autoselect (1000baseTX )
        status: active
bce0.11: flags=8843 metric 0 mtu 1500
        options=3
        ether 00:1f:29:06:85:28
        inet x.x.x.140 netmask 0xffffffc0 broadcast x.x.x.191
        media: Ethernet autoselect (1000baseTX )
        status: active
        vlan: 11 parent interface: bce0

--
Karsten

From eri at freebsd.org Tue May 26 13:47:33 2009
From: eri at freebsd.org (Ermal Luçi)
Date: Tue May 26 13:47:39 2009
Subject: kern/132176: [pf] pf stalls connection when using route-to [regression]
In-Reply-To: <200905261100.n4QB09AE077331@freefall.freebsd.org>
References: <200905261100.n4QB09AE077331@freefall.freebsd.org>
Message-ID: <9a542da30905260625p4dda01a6l1e6ebbc7d3130266@mail.gmail.com>

On Tue, May 26, 2009 at 1:00 PM, Karsten Schmidt wrote:
> The following reply was made to PR kern/132176; it has been noted by GNATS.
>
> From: Karsten Schmidt
> To: bug-followup@FreeBSD.org, link@ngc.net.ua
> Cc:
> Subject: Re: kern/132176: [pf] pf stalls connection when using route-to [regression]
> Date: Tue, 26 May 2009 12:40:52 +0200
>
> I have the same error on a 7.2 box with a bce device and vlans
>
> #pf.conf
> # send all packets from x.x.x.128/26 to nonlocal addresses through x.x.x.129
> pass out quick route-to ( bce0.11 x.x.x.129 ) from x.x.x.128/26 to
> !x.x.x.128/26 no state
>
> #default gateway
> 91.208.16.1
>
> #ifconfig
> bce0: flags=8843 metric 0 mtu 1500
> options=1bb
>         ether 00:1f:29:06:85:28
>         inet x.x.x.125 netmask 0xffffff80 broadcast x.x.x.127
>         media: Ethernet autoselect (1000baseTX )
>         status: active
> bce0.11: flags=8843 metric 0 mtu 1500
>         options=3
>         ether 00:1f:29:06:85:28
>         inet x.x.x.140 netmask 0xffffffc0 broadcast x.x.x.191
>         media: Ethernet autoselect (1000baseTX )
>         status: active
>         vlan: 11 parent interface: bce0
>
> --

Can you show your complete ruleset?

--
Ermal

From gugge at guggemand.dk Wed May 27 19:07:48 2009
From: gugge at guggemand.dk (Karsten Schmidt)
Date: Wed May 27 19:08:23 2009
Subject: kern/132176: [pf] pf stalls connection when using route-to [regression]
In-Reply-To: <9a542da30905260625p4dda01a6l1e6ebbc7d3130266@mail.gmail.com>
References: <200905261100.n4QB09AE077331@freefall.freebsd.org> <9a542da30905260625p4dda01a6l1e6ebbc7d3130266@mail.gmail.com>
Message-ID: <4A1D8BA6.1000909@guggemand.dk>

Ermal Luçi wrote:
> On Tue, May 26, 2009 at 1:00 PM, Karsten Schmidt wrote:
>
>> The following reply was made to PR kern/132176; it has been noted by GNATS.
>>
>> From: Karsten Schmidt
>> To: bug-followup@FreeBSD.org, link@ngc.net.ua
>> Cc:
>> Subject: Re: kern/132176: [pf] pf stalls connection when using route-to [regression]
>> Date: Tue, 26 May 2009 12:40:52 +0200
>>
>> I have the same error on a 7.2 box with a bce device and vlans
>>
>> #pf.conf
>> # send all packets from x.x.x.128/26 to nonlocal addresses through x.x.x.129
>> pass out quick route-to ( bce0.11 x.x.x.129 ) from x.x.x.128/26 to
>> !x.x.x.128/26 no state
>>
>> #default gateway
>> 91.208.16.1
>>
>> #ifconfig
>> bce0: flags=8843 metric 0 mtu 1500
>> options=1bb
>>         ether 00:1f:29:06:85:28
>>         inet x.x.x.125 netmask 0xffffff80 broadcast x.x.x.127
>>         media: Ethernet autoselect (1000baseTX )
>>         status: active
>> bce0.11: flags=8843 metric 0 mtu 1500
>>         options=3
>>         ether 00:1f:29:06:85:28
>>         inet x.x.x.140 netmask 0xffffffc0 broadcast x.x.x.191
>>         media: Ethernet autoselect (1000baseTX )
>>         status: active
>>         vlan: 11 parent interface: bce0
>>
>> --
>>
> Can you show your complete ruleset?
>
>

After making a simple setup with no vlans, and only one ip on the bce0 interface, I tried a ruleset with only one rule.

#pass out route-to ( bce0 $defaultgate ) from $localip to any no state

Where $defaultgate is the gateway used without the rule too, and $localip is the only ip on the bce0 interface.

This made scp transfers stall to a near halt too.

Trying different options it seems disabling TSO on bce0 works.

hw.bce.tso_enable=0 in loader.conf or simply ifconfig bce0 -tso makes the scp transfers run at full speed.

Checking with 7.1-RELEASE and 7.0-RELEASE-p4 it's the same behavior, so I guess it's not the same error as kern/132176

--
Karsten

From biancalana at gmail.com Wed May 27 22:08:42 2009
From: biancalana at gmail.com (Alexandre Biancalana)
Date: Wed May 27 22:08:49 2009
Subject: Multiple ftp servers behind pf with carp multi-ip
Message-ID: <8e10486b0905271442j224b37f5nceccaba929a08f8a@mail.gmail.com>

Hi list,

I have two firewalls with 7.2-STABLE, PF and Carp for failover.

The machine has one physical interface dedicated to two internet links (from different providers) and uses two vlans on top of this physical interface. Each vlan has one real ip address and a carp interface with multiple real ip addresses for each vlan. I have three ftp servers with invalid ip addresses behind the firewall that need to be accessible from the internet.

Then I configured ftp-proxy in the following way:

ftp-proxy -a -b -p21 -R

When ftp_external_ip is an ip associated with the carp interface, the ftp connection is unstable: sometimes the connection is opened, sometimes the connection is broken in the middle of the list command or before entering the password. If I start the ftp-proxy command using as ftp_external_ip the ip associated with the vlan interface everything works great.

These machines are in production, so I'm building a lab with virtual machines to do some experiments and try to reproduce this.

Has anyone seen something like this before?

I can provide any additional information needed to help troubleshooting.
Best Regards,
Alexandre

From sullrich at gmail.com Wed May 27 22:12:56 2009
From: sullrich at gmail.com (Scott Ullrich)
Date: Wed May 27 22:13:03 2009
Subject: Multiple ftp servers behind pf with carp multi-ip
In-Reply-To: <8e10486b0905271442j224b37f5nceccaba929a08f8a@mail.gmail.com>
References: <8e10486b0905271442j224b37f5nceccaba929a08f8a@mail.gmail.com>
Message-ID:

On Wed, May 27, 2009 at 5:42 PM, Alexandre Biancalana wrote:
> Hi list,
>
> I have two firewall with 7.2-STABLE, PF and Carp for failover.
>
> The machine have one physical interface dedicated to two internet
> links (from different providers) and using two vlans on top of this
> physical interface. Each vlan have one real ip address and a carp
> interface with multiple real ip addresses for each vlan. I have three
> ftp servers with invalid ip addresses behind the firewall that need to
> be accessible from internet.
>
> Then I configured ftp-proxy in the following way:
>
> ftp-proxy -a -b -p21 -R
>
> When ftp_external_ip is an ip associated to the carp interface, the
> ftp connection is unstable, some times the connection is opened, some
> times the connection is broken in the middle of list command or before
> enter the password. If I start the ftp-proxy command using as
> ftp_external_ip the ip associated with the vlan interface everything
> works great.
>
> This machines are in production, so I'm building a lab with virtual
> machines to do some experiments and try to reproduce this.
>
> Did someone had seen something like this before ?

Sure have with pfSense many times. You might want to give this custom pftpx-route port a try that we have. You can start an instance of pftpx for each wan and then it will do the required route-to work.

http://www.pfsense.org/~sullrich/ported_software/pftpx_routeto/

Scott

From freebsd at optiksecurite.com Thu May 28 17:02:17 2009
From: freebsd at optiksecurite.com (Martin Turgeon)
Date: Thu May 28 17:02:24 2009
Subject: State Mismatch and tcp.closed
Message-ID: <4A1EB5A0.7030206@optiksecurite.com>

Hi list!

I had a problem with state mismatch on my DB server that I solved by lowering the tcp.closed timeout. I set it to 2 instead of 90.

I now have what looks like the same problem on the front-end web server. However, when I tried to apply the same fix, I got connection problems with the back-end DB, but the state mismatch disappeared.

On the front-end web server, the state mismatch occurs on the external interface, only on port 80.

I enabled misc debugging and got this in /var/log/messages on the front-end web server:

May 28 05:02:19 francis kernel: pf: BAD state: TCP 127.0.0.25:80 206.125.166.65:80 98.207.239.10:54737 [lo=820536733 high=820603340 win=65535 modulator=0 wscale=0] [lo=2871317100 high=2871375106 win=8326 modulator=0 wscale=3] 7:4 R seq=820536733 (820536732) ack=2871317100 len=0 ackskew=0 pkts=43:69 dir=in,fwd
May 28 05:02:19 francis kernel: pf: State failure on: |
May 28 05:02:19 francis kernel: pf: BAD state: TCP 127.0.0.25:80 206.125.166.65:80 98.207.239.10:54733 [lo=374985971 high=375052578 win=65535 modulator=0 wscale=0] [lo=2999164748 high=2999229169 win=8326 modulator=0 wscale=3] 7:4 R seq=374985971 (374985970) ack=2999164748 len=0 ackskew=0 pkts=40:54 dir=in,fwd
May 28 05:02:19 francis kernel: pf: State failure on: |
May 28 05:03:06 francis kernel: pf: BAD state: TCP 127.0.0.20:80 206.125.166.80:80 123.116.84.41:59776 [lo=3407758259 high=3407823796 win=4096 modulator=0 wscale=2] [lo=374200006 high=374216390 win=8192 modulator=0 wscale=3] 4:2 A seq=3407758259 (3407758260) ack=2320196160 len=0 ackskew=-1945996154 pkts=1:1 dir=in,fwd
May 28 05:03:06 francis kernel: pf: State failure on: 3 |
May 28 05:03:06 francis kernel: pf: BAD state: TCP 127.0.0.20:80 206.125.166.80:80 123.116.84.41:59776 [lo=3407758259 high=3407823796 win=4096 modulator=0 wscale=2] [lo=374200006 high=374216390 win=8192 modulator=0 wscale=3] 4:2 RA seq=3407758259 (3407758260) ack=2320196160 len=0 ackskew=-1945996154 pkts=1:1 dir=in,fwd

This server has been up for 12 days and already got almost 600000 state mismatches!

I tried to lower tcp.finwait, no result. I tried to set optimization to aggressive, no result. I tried to disable port randomization via sysctl, no result either.

I tcpdumped and there are only a few RSTs so I don't understand why tcp.closed would solve my problem. If it's a problem with source port reuse, tcp.finwait should be the timeout that would help, not tcp.closed, right?

How can a lower tcp.closed on the front-end cause mysql connection problems with the back-end? I tcpdumped while there is a connection problem with the DB and there is nothing that seems wrong, no RST at all! The front-end web server tries to connect to the DB, waits 3 sec and if it fails to establish a connection, it then tries to connect to a read-only backup DB, on another server, which never fails to connect.

The only thing I'm sure of is that it's the tcp.closed that causes the DB connection problem. As soon as I remove it, the state mismatch comes back on the external interface but there's no DB connection problem anymore.

What am I missing?

Martin

From max at love2party.net Thu May 28 17:10:27 2009
From: max at love2party.net (Max Laier)
Date: Thu May 28 17:10:34 2009
Subject: State Mismatch and tcp.closed
In-Reply-To: <4A1EB5A0.7030206@optiksecurite.com>
References: <4A1EB5A0.7030206@optiksecurite.com>
Message-ID: <200905281910.24809.max@love2party.net>

On Thursday 28 May 2009 18:02:40 Martin Turgeon wrote:
> What am I missing?

Which version of FreeBSD are you running?
This problem (aka kern/125261) is supposed to be fixed by:

SVN rev 181295 on 2008-08-04 14:42:09Z by mlaier (in head) and
SVN rev 181596 on 2008-08-11 17:59:47Z by mlaier (in stable/7)

It is not easily fixable in stable/6

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From freebsd at optiksecurite.com Thu May 28 18:02:12 2009
From: freebsd at optiksecurite.com (Martin Turgeon)
Date: Thu May 28 18:02:18 2009
Subject: State Mismatch and tcp.closed
In-Reply-To: <200905281910.24809.max@love2party.net>
References: <4A1EB5A0.7030206@optiksecurite.com> <200905281910.24809.max@love2party.net>
Message-ID: <4A1ED1BD.3010504@optiksecurite.com>

Max Laier wrote:
> On Thursday 28 May 2009 18:02:40 Martin Turgeon wrote:
>> What am I missing?
>
> Which version of FreeBSD are you running? This problem (aka kern/125261)
> is supposed to be fixed by:
>
> SVN rev 181295 on 2008-08-04 14:42:09Z by mlaier (in head) and
> SVN rev 181596 on 2008-08-11 17:59:47Z by mlaier (in stable/7)
>
> It is not easily fixable in stable/6
>

Hi and thanks for your answer!

uname -a on the front-end web server:
FreeBSD webserver 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri May 1 07:18:07 UTC 2009 root@driscoll.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

uname -a on the back-end MySQL server:
FreeBSD mysql 7.0-RELEASE-p5 FreeBSD 7.0-RELEASE-p5 #1: Tue Oct 7 09:57:31 EDT 2008 root@martin.ringadmin.com:/usr/obj/usr/src/sys/OPTIK amd64

Martin

From biancalana at gmail.com Thu May 28 18:25:21 2009
From: biancalana at gmail.com (Alexandre Biancalana)
Date: Thu May 28 18:25:28 2009
Subject: Multiple ftp servers behind pf with carp multi-ip
In-Reply-To:
References: <8e10486b0905271442j224b37f5nceccaba929a08f8a@mail.gmail.com>
Message-ID: <8e10486b0905281125l662e1f98r5b5a68e172d56684@mail.gmail.com>

On Wed, May 27, 2009 at 7:12 PM, Scott Ullrich wrote:
> On Wed, May 27, 2009 at 5:42 PM, Alexandre Biancalana
> wrote:
>> Hi list,
>>
>> I have two firewall with 7.2-STABLE, PF and Carp for failover.
>>
>> The machine have one physical interface dedicated to two internet
>> links (from different providers) and using two vlans on top of this
>> physical interface. Each vlan have one real ip address and a carp
>> interface with multiple real ip addresses for each vlan. I have three
>> ftp servers with invalid ip addresses behind the firewall that need to
>> be accessible from internet.
>>
>> Then I configured ftp-proxy in the following way:
>>
>> ftp-proxy -a -b -p21 -R
>>
>> When ftp_external_ip is an ip associated to the carp interface, the
>> ftp connection is unstable, some times the connection is opened, some
>> times the connection is broken in the middle of list command or before
>> enter the password. If I start the ftp-proxy command using as
>> ftp_external_ip the ip associated with the vlan interface everything
>> works great.
>>
>> This machines are in production, so I'm building a lab with virtual
>> machines to do some experiments and try to reproduce this.
>>
>> Did someone had seen something like this before ?
>
> Sure have with pfSense many times. You might want to give this
> custom pftpx-route port a try that we have. You can start an instance
> of pftpx for each wan and then it will do the required route-to work.
>
> http://www.pfsense.org/~sullrich/ported_software/pftpx_routeto/

Hi Scott,

Thank you for your reply.

Against what versions of pftpx can this patch be applied?
I'm running 7.2-STABLE on amd64 and the binary file supplied does not work.

Best Regards,
Alexandre Biancalana

From sullrich at gmail.com Thu May 28 18:38:07 2009
From: sullrich at gmail.com (Scott Ullrich)
Date: Thu May 28 18:38:13 2009
Subject: Multiple ftp servers behind pf with carp multi-ip
In-Reply-To: <8e10486b0905281125l662e1f98r5b5a68e172d56684@mail.gmail.com>
References: <8e10486b0905271442j224b37f5nceccaba929a08f8a@mail.gmail.com> <8e10486b0905281125l662e1f98r5b5a68e172d56684@mail.gmail.com>
Message-ID:

On Thu, May 28, 2009 at 2:25 PM, Alexandre Biancalana wrote:
> Thank you for your reply.
>
> Against what versions o pftpx this patch can be applied ?
> I'm running 7.2-STABLE on amd64 and the binary file supplied does not work.

There is a pftpx port in the ports tree. You should be able to drop the patch- file into the files folder and:

make clean extract patch

If all goes well then do a:

make install

Let me know if you need further help, or if you want me to I can build you a pftpx that will run on 7.2. I have 5 builders here at my disposal that pfSense uses.

Scott

From biancalana at gmail.com Thu May 28 20:17:54 2009
From: biancalana at gmail.com (Alexandre Biancalana)
Date: Thu May 28 20:18:01 2009
Subject: Multiple ftp servers behind pf with carp multi-ip
In-Reply-To:
References: <8e10486b0905271442j224b37f5nceccaba929a08f8a@mail.gmail.com> <8e10486b0905281125l662e1f98r5b5a68e172d56684@mail.gmail.com>
Message-ID: <8e10486b0905281317h40250894rb98d19f063cd8a1c@mail.gmail.com>

On Thu, May 28, 2009 at 3:37 PM, Scott Ullrich wrote:
> On Thu, May 28, 2009 at 2:25 PM, Alexandre Biancalana
> wrote:
>> Thank you for your reply.
>>
>> Against what versions o pftpx this patch can be applied ?
>> I'm running 7.2-STABLE on amd64 and the binary file supplied does not work.
>
> There is a pftpx port in the ports tree. You should be able to drop
> the patch- file into the files folder and:
>
> make clean extract patch
>

The patch does not apply clearly; I merged it by hand (the final diff is attached) and it compiled OK. I will give it a try and let you know.

I'm curious about the two new command line options -i and -2, what's the exact purpose of these options?

Alexandre

From sullrich at gmail.com Thu May 28 20:23:59 2009
From: sullrich at gmail.com (Scott Ullrich)
Date: Thu May 28 20:24:06 2009
Subject: Multiple ftp servers behind pf with carp multi-ip
In-Reply-To: <8e10486b0905281317h40250894rb98d19f063cd8a1c@mail.gmail.com>
References: <8e10486b0905271442j224b37f5nceccaba929a08f8a@mail.gmail.com> <8e10486b0905281125l662e1f98r5b5a68e172d56684@mail.gmail.com> <8e10486b0905281317h40250894rb98d19f063cd8a1c@mail.gmail.com>
Message-ID:

On Thu, May 28, 2009 at 4:17 PM, Alexandre Biancalana wrote:
> The patch does not apply clearly, I merge they by hand (the final diff
> is attached) and compiled Ok. I will give a try and let you know.
>
> I'm curious about the two new command line options -i and -2, what's
> the exacly purpose of this options ?

That might be a little bit outdated.
The most up to date port is here:
http://redmine.pfsense.org/repositories/browse/pfsense-tools/pfPorts/pftpx-routeto

I quickly glanced at the source and did not see the -i argument but the -2 argument should be the routeto IP address:

        if (routeto) {
                memset(&hints, 0, sizeof hints);
                hints.ai_flags = AI_NUMERICHOST;
                hints.ai_family = ipv6_mode ? AF_INET6 : AF_INET;
                hints.ai_socktype = SOCK_STREAM;
                error = getaddrinfo(routeto, NULL, &hints, &res);
                if (error)
                        errx(1, "getaddrinfo route-to address failed: %s",
                            gai_strerror(error));
                memcpy(&routeto_ss, res->ai_addr, res->ai_addrlen);
                logmsg(LOG_INFO, "using route-to (%s %s)", routeto_if,
                    sock_ntop(sstosa(&routeto_ss)));
                freeaddrinfo(res);
        }

Scott

From biancalana at gmail.com Thu May 28 20:40:16 2009
From: biancalana at gmail.com (Alexandre Biancalana)
Date: Thu May 28 20:40:34 2009
Subject: Multiple ftp servers behind pf with carp multi-ip
In-Reply-To:
References: <8e10486b0905271442j224b37f5nceccaba929a08f8a@mail.gmail.com> <8e10486b0905281125l662e1f98r5b5a68e172d56684@mail.gmail.com> <8e10486b0905281317h40250894rb98d19f063cd8a1c@mail.gmail.com>
Message-ID: <8e10486b0905281340i588eea3cj16fc6dd745c3e2ff@mail.gmail.com>

On Thu, May 28, 2009 at 5:23 PM, Scott Ullrich wrote:
> On Thu, May 28, 2009 at 4:17 PM, Alexandre Biancalana
> wrote:
>> The patch does not apply clearly, I merge they by hand (the final diff
>> is attached) and compiled Ok. I will give a try and let you know.
>>
>> I'm curious about the two new command line options -i and -2, what's
>> the exacly purpose of this options ?
>
> That might be a little bit outdated. The most up to date port is
> here: http://redmine.pfsense.org/repositories/browse/pfsense-tools/pfPorts/pftpx-routeto
>
> I quickly glanced at the source and did not see the -i argument but
> the -2 argument should be the routeto IP address:
>
>         if (routeto) {
>                 memset(&hints, 0, sizeof hints);
>                 hints.ai_flags = AI_NUMERICHOST;
>                 hints.ai_family = ipv6_mode ? AF_INET6 : AF_INET;
>                 hints.ai_socktype = SOCK_STREAM;
>                 error = getaddrinfo(routeto, NULL, &hints, &res);
>                 if (error)
>                         errx(1, "getaddrinfo route-to address failed: %s",
>                             gai_strerror(error));
>                 memcpy(&routeto_ss, res->ai_addr, res->ai_addrlen);
>                 logmsg(LOG_INFO, "using route-to (%s %s)", routeto_if,
>                     sock_ntop(sstosa(&routeto_ss)));
>                 freeaddrinfo(res);
>         }

Does not work :-(

On the client side the error happens in an intermittent manner:

Pink:/usr/home/ale $ ftp xxx.xxx.11.130
Connected to xxx.xxx.11.130.
220-Microsoft FTP Service
220 FTP SERVER
Name (xxx.xxx.11.130:ale): user
421 Service not available, remote server has closed connection.
ftp: Login failed.
ftp> quit
Pink:/usr/home/ale $ ftp xxx.xxx.11.130
Connected to xxx.xxx.11.130.
421 Service not available, remote server has closed connection.
ftp> quit
Pink:/usr/home/ale $ ftp xxx.xxx.11.130
Connected to xxx.xxx.11.130.
220-Microsoft FTP Service
220 FTP SERVER
Name (xxx.xxx.11.130:ale): user
331 Password required for user.
Password:
421 Service not available, remote server has closed connection.
ftp: Login failed.
ftp> the server side looks like this: FW1:/usr/ports/ftp/pftpx # pftpx -D7 -d -c 8023 -f 192.168.0.80 -p 192.168.0.253 using 192.168.0.253 to connect to servers using route-to (lo0 127.0.0.1) using fixed server 192.168.0.80 listening on 127.0.0.1 port 8023 #1 accepted connection from xxx.xxx.153.79 #1 FTP session 1/100 started: client xxx.xxx.153.79 to server 192.168.0.80 via proxy 192.168.0.253 #1 server: 220-Microsoft FTP Service\r\n #1 server: 220 FTP SERVER\r\n #2 accepted connection from xxx.xxx.153.79 #2 FTP session 2/100 started: client xxx.xxx.153.79 to server 192.168.0.80 via proxy 192.168.0.253 #2 server: 220-Microsoft FTP Service\r\n #1 server: 220 FTP SERVER\r\n #2 client: USER user\r\n #2 server: 331 Password required for user.\r\n #2 client reset connection #2 ending session Any other idea ? Alexandre From sullrich at gmail.com Thu May 28 20:43:30 2009 From: sullrich at gmail.com (Scott Ullrich) Date: Thu May 28 20:43:47 2009 Subject: Multiple ftp servers behind pf with carp multi-ip In-Reply-To: <8e10486b0905281340i588eea3cj16fc6dd745c3e2ff@mail.gmail.com> References: <8e10486b0905271442j224b37f5nceccaba929a08f8a@mail.gmail.com> <8e10486b0905281125l662e1f98r5b5a68e172d56684@mail.gmail.com> <8e10486b0905281317h40250894rb98d19f063cd8a1c@mail.gmail.com> <8e10486b0905281340i588eea3cj16fc6dd745c3e2ff@mail.gmail.com> Message-ID: On Thu, May 28, 2009 at 4:40 PM, Alexandre Biancalana wrote: [snip] > FW1:/usr/ports/ftp/pftpx # ?pftpx -D7 -d -c 8023 -f 192.168.0.80 -p > 192.168.0.253 > using 192.168.0.253 to connect to servers > using route-to (lo0 127.0.0.1) > using fixed server 192.168.0.80 > listening on 127.0.0.1 port 8023 You might want to set the -2 route-to parameter to something other than localhost? 
Scott

From biancalana at gmail.com Thu May 28 20:46:37 2009
From: biancalana at gmail.com (Alexandre Biancalana)
Date: Thu May 28 20:46:43 2009
Subject: Multiple ftp servers behind pf with carp multi-ip
In-Reply-To:
References: <8e10486b0905271442j224b37f5nceccaba929a08f8a@mail.gmail.com> <8e10486b0905281125l662e1f98r5b5a68e172d56684@mail.gmail.com> <8e10486b0905281317h40250894rb98d19f063cd8a1c@mail.gmail.com> <8e10486b0905281340i588eea3cj16fc6dd745c3e2ff@mail.gmail.com>
Message-ID: <8e10486b0905281346k2ff3e068l52e95055f7e1e412@mail.gmail.com>

On Thu, May 28, 2009 at 5:42 PM, Scott Ullrich wrote:
> On Thu, May 28, 2009 at 4:40 PM, Alexandre Biancalana
> wrote:
> [snip]
>> FW1:/usr/ports/ftp/pftpx # pftpx -D7 -d -c 8023 -f 192.168.0.80 -p
>> 192.168.0.253
>> using 192.168.0.253 to connect to servers
>> using route-to (lo0 127.0.0.1)
>> using fixed server 192.168.0.80
>> listening on 127.0.0.1 port 8023
>
> You might want to set the -2 route-to parameter to something other
> than localhost?

I forgot to mention that I already do that, setting the -2 parameter to the default router, and the problem remains the same.

From sullrich at gmail.com Thu May 28 21:17:36 2009
From: sullrich at gmail.com (Scott Ullrich)
Date: Thu May 28 21:17:51 2009
Subject: Multiple ftp servers behind pf with carp multi-ip
In-Reply-To: <8e10486b0905281346k2ff3e068l52e95055f7e1e412@mail.gmail.com>
References: <8e10486b0905271442j224b37f5nceccaba929a08f8a@mail.gmail.com> <8e10486b0905281125l662e1f98r5b5a68e172d56684@mail.gmail.com> <8e10486b0905281317h40250894rb98d19f063cd8a1c@mail.gmail.com> <8e10486b0905281340i588eea3cj16fc6dd745c3e2ff@mail.gmail.com> <8e10486b0905281346k2ff3e068l52e95055f7e1e412@mail.gmail.com>
Message-ID:

On Thu, May 28, 2009 at 4:46 PM, Alexandre Biancalana wrote:
> I forgot to mention that I already do that, setting the -2 parameter
> to the default router and the problem remains the same.

Sorry that did not work out for you.
I do not recall the pftp parameters that I used to use for incoming, but I believe I forced the FTP proxy to listen on the public IP and then there was a server parameter that forced it to connect back to the internal server.

If you feel like experimenting a bit more you can try our latest mojo, which is pf libalias integration. It basically lets libalias handle all incoming and outgoing ftp traffic magically. However, if you take this route please be advised that the patch is new but tested. Recommend running DDB just in case of a crash so we can get Ermal Luci a bt.

http://cvs.pfsense.com/~sullrich/nat_ftphelper.RELENG_7.diff

Scott

From freebsd at optiksecurite.com Fri May 29 15:32:18 2009
From: freebsd at optiksecurite.com (Martin Turgeon)
Date: Fri May 29 15:32:25 2009
Subject: State Mismatch and tcp.closed
In-Reply-To: <4A1EB5A0.7030206@optiksecurite.com>
References: <4A1EB5A0.7030206@optiksecurite.com>
Message-ID: <4A20001E.5000407@optiksecurite.com>

Martin Turgeon wrote:
> Hi list!
>
> I had a problem with state mismatch on my DB server that I solved by
> lowering the tcp.closed timeout. I set it to 2 instead of 90.
>
> I now have what looks like the same problem on the front-end web server.
> However, when I tried to apply the same fix, I got connection problems
> with the back-end DB, but the state mismatch disappeared.
>
> On the front-end web server, the state mismatch occurs on the external
> interface, only on port 80.
>
> I enabled misc debugging and got this in /var/log/messages on the
> front-end web server:
>
> May 28 05:02:19 francis kernel: pf: BAD state: TCP 127.0.0.25:80 206.125.166.65:80 98.207.239.10:54737 [lo=820536733 high=820603340 win=65535 modulator=0 wscale=0] [lo=2871317100 high=2871375106 win=8326 modulator=0 wscale=3] 7:4 R seq=820536733 (820536732) ack=2871317100 len=0 ackskew=0 pkts=43:69 dir=in,fwd
> May 28 05:02:19 francis kernel: pf: State failure on: |
> May 28 05:02:19 francis kernel: pf: BAD state: TCP 127.0.0.25:80 206.125.166.65:80 98.207.239.10:54733 [lo=374985971 high=375052578 win=65535 modulator=0 wscale=0] [lo=2999164748 high=2999229169 win=8326 modulator=0 wscale=3] 7:4 R seq=374985971 (374985970) ack=2999164748 len=0 ackskew=0 pkts=40:54 dir=in,fwd
> May 28 05:02:19 francis kernel: pf: State failure on: |
> May 28 05:03:06 francis kernel: pf: BAD state: TCP 127.0.0.20:80 206.125.166.80:80 123.116.84.41:59776 [lo=3407758259 high=3407823796 win=4096 modulator=0 wscale=2] [lo=374200006 high=374216390 win=8192 modulator=0 wscale=3] 4:2 A seq=3407758259 (3407758260) ack=2320196160 len=0 ackskew=-1945996154 pkts=1:1 dir=in,fwd
> May 28 05:03:06 francis kernel: pf: State failure on: 3 |
> May 28 05:03:06 francis kernel: pf: BAD state: TCP 127.0.0.20:80 206.125.166.80:80 123.116.84.41:59776 [lo=3407758259 high=3407823796 win=4096 modulator=0 wscale=2] [lo=374200006 high=374216390 win=8192 modulator=0 wscale=3] 4:2 RA seq=3407758259 (3407758260) ack=2320196160 len=0 ackskew=-1945996154 pkts=1:1 dir=in,fwd
>
> This server has been up for 12 days and already got almost 600000 state
> mismatches!
>
> I tried to lower tcp.finwait, no result. I tried to set optimization to
> aggressive, no result. I tried to disable port randomization via sysctl,
> no result either.
>
> I tcpdumped and there are only a few RSTs, so I don't understand why
> tcp.closed would solve my problem.
> If it's a problem with source port
> reuse, tcp.finwait should be the timeout that would help, not
> tcp.closed, right?
>
> How can a lower tcp.closed on the front-end cause mysql connection
> problems with the back-end? I tcpdumped while there was a connection
> problem with the DB and there is nothing that seems wrong, no RST at
> all! The front-end web server tries to connect to the DB, waits 3 sec and
> if it fails to establish a connection, it then tries to connect to a
> read-only backup DB, on another server, which never fails to connect.
>
> The only thing I'm sure of is that it's the tcp.closed that causes the DB
> connection problem. As soon as I remove it, the state mismatch comes
> back on the external interface but there's no DB connection problem
> anymore.
>
> What am I missing?
>
> Martin
>

I forgot to mention in the starting post what version I'm using:

uname -a on the front-end web server:
FreeBSD webserver 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri May 1 07:18:07 UTC 2009 root@driscoll.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

uname -a on the back-end MySQL server:
FreeBSD mysql 7.0-RELEASE-p5 FreeBSD 7.0-RELEASE-p5 #1: Tue Oct 7 09:57:31 EDT 2008 root@martin.ringadmin.com:/usr/obj/usr/src/sys/OPTIK amd64

I read about the port reuse problem when I first experienced it with the DB server and I saw that this wasn't going to happen with the new release. I was happy to build a new 7.2-Rel server so that I wasn't going to face the same problem.

But, in fact, I'm facing what looks like the same problem...

I'm all ears to any pointers/suggestions!

Thanks for your precious help.
Martin

From max at laiers.net Sat May 30 00:47:22 2009
From: max at laiers.net (Max Laier)
Date: Sat May 30 00:47:50 2009
Subject: State Mismatch and tcp.closed
In-Reply-To: <4A20001E.5000407@optiksecurite.com>
References: <4A1EB5A0.7030206@optiksecurite.com> <4A20001E.5000407@optiksecurite.com>
Message-ID: <52a241a292d8df1c0970d071267cb865.squirrel@mlaier.homeunix.org>

Can you please post your ruleset. I suspect there is something wrong with it.

By the way, I noticed that you are using a 127/8 address for your web server. Are you - by chance - running in a jail of some kind? In that case you might need "set skip on lo0" to avoid troubles. Depending on the kind of filtering you are doing this might be complicated, however.

In any case, we'd need more details about your setup to help.

On Fri, 29.05.2009, 17:32, Martin Turgeon wrote:
> Martin Turgeon wrote:
>> Hi list!
>>
>> I had a problem with state mismatch on my DB server that I solved by
>> lowering the tcp.closed timeout. I set it to 2 instead of 90.
>>
>> I now have what looks like the same problem on the front-end web server.
>> However, when I tried to apply the same fix, I got connection problems
>> with the back-end DB, but the state mismatch disappeared.
>>
>> On the front-end web server, the state mismatch occurs on the external
>> interface, only on port 80.
>>
>> I enabled misc debugging and got this in /var/log/messages on the
>> front-end web server:
>>
>> May 28 05:02:19 francis kernel: pf: BAD state: TCP 127.0.0.25:80 206.125.166.65:80 98.207.239.10:54737 [lo=820536733 high=820603340 win=65535 modulator=0 wscale=0] [lo=2871317100 high=2871375106 win=8326 modulator=0 wscale=3] 7:4 R seq=820536733 (820536732) ack=2871317100 len=0 ackskew=0 pkts=43:69 dir=in,fwd
>> May 28 05:02:19 francis kernel: pf: State failure on: |
>> May 28 05:02:19 francis kernel: pf: BAD state: TCP 127.0.0.25:80 206.125.166.65:80 98.207.239.10:54733 [lo=374985971 high=375052578 win=65535 modulator=0 wscale=0] [lo=2999164748 high=2999229169 win=8326 modulator=0 wscale=3] 7:4 R seq=374985971 (374985970) ack=2999164748 len=0 ackskew=0 pkts=40:54 dir=in,fwd
>> May 28 05:02:19 francis kernel: pf: State failure on: |
>> May 28 05:03:06 francis kernel: pf: BAD state: TCP 127.0.0.20:80 206.125.166.80:80 123.116.84.41:59776 [lo=3407758259 high=3407823796 win=4096 modulator=0 wscale=2] [lo=374200006 high=374216390 win=8192 modulator=0 wscale=3] 4:2 A seq=3407758259 (3407758260) ack=2320196160 len=0 ackskew=-1945996154 pkts=1:1 dir=in,fwd
>> May 28 05:03:06 francis kernel: pf: State failure on: 3 |
>> May 28 05:03:06 francis kernel: pf: BAD state: TCP 127.0.0.20:80 206.125.166.80:80 123.116.84.41:59776 [lo=3407758259 high=3407823796 win=4096 modulator=0 wscale=2] [lo=374200006 high=374216390 win=8192 modulator=0 wscale=3] 4:2 RA seq=3407758259 (3407758260) ack=2320196160 len=0 ackskew=-1945996154 pkts=1:1 dir=in,fwd
>>
>> This server has been up for 12 days and already got almost 600000 state
>> mismatches!
>>
>> I tried to lower tcp.finwait, no result. I tried to set optimization to
>> aggressive, no result. I tried to disable port randomization via sysctl,
>> no result either.
>>
>> I tcpdumped and there are only a few RSTs, so I don't understand why
>> tcp.closed would solve my problem.
>> If it's a problem with source port
>> reuse, tcp.finwait should be the timeout that would help, not
>> tcp.closed, right?
>>
>> How can a lower tcp.closed on the front-end cause mysql connection
>> problems with the back-end? I tcpdumped while there was a connection
>> problem with the DB and there is nothing that seems wrong, no RST at
>> all! The front-end web server tries to connect to the DB, waits 3 sec and
>> if it fails to establish a connection, it then tries to connect to a
>> read-only backup DB, on another server, which never fails to connect.
>>
>> The only thing I'm sure of is that it's the tcp.closed that causes the DB
>> connection problem. As soon as I remove it, the state mismatch comes
>> back on the external interface but there's no DB connection problem
>> anymore.
>>
>> What am I missing?
>>
>> Martin
>>
>
> I forgot to mention in the starting post what version I'm using:
>
> uname -a on the front-end web server:
> FreeBSD webserver 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri May 1
> 07:18:07 UTC 2009
> root@driscoll.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>
> uname -a on the back-end MySQL server:
> FreeBSD mysql 7.0-RELEASE-p5 FreeBSD 7.0-RELEASE-p5 #1: Tue Oct 7
> 09:57:31 EDT 2008 root@martin.ringadmin.com:/usr/obj/usr/src/sys/OPTIK
> amd64
>
> I read about the port reuse problem when I first experienced it with the
> DB server and I saw that this wasn't going to happen with the new
> release. I was happy to build a new 7.2-Rel server so that I wasn't
> going to face the same problem.
>
> But, in fact, I'm facing what looks like the same problem...
>
> I'm all ears to any pointers/suggestions!
>
> Thanks for your precious help.
>
> Martin
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
>

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
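The "BAD state" lines Martin posted in the State Mismatch thread can be triaged mechanically rather than read by eye. The Python script below is an added example for this archive, not code from the thread or from pf itself. It parses the pf debug lines quoted above (embedded here as a constructed sample, one log entry per line), recomputes from the logged seq, ack and window values the four strict TCP window checks that pf numbers 1 to 4 on its "State failure on:" line, and compares its own verdict with the digits pf printed. The value of MAXACKWINDOW (0xffff), the swapping of the two peers when a packet runs against the state's direction (dir=...,rev), and treating the logged wscale values as the negotiated shifts are assumptions about pf internals made for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

MAXACKWINDOW = 0xFFFF  # assumption: the ACK slack constant pf.c calls MAXACKWINDOW
MASK = 0xFFFFFFFF

# Constructed sample: "BAD state" / "State failure on:" pairs quoted in the thread.
SAMPLE_LOG = """\
May 28 05:02:19 francis kernel: pf: BAD state: TCP 127.0.0.25:80 206.125.166.65:80 98.207.239.10:54737 [lo=820536733 high=820603340 win=65535 modulator=0 wscale=0] [lo=2871317100 high=2871375106 win=8326 modulator=0 wscale=3] 7:4 R seq=820536733 (820536732) ack=2871317100 len=0 ackskew=0 pkts=43:69 dir=in,fwd
May 28 05:02:19 francis kernel: pf: State failure on: |
May 28 05:03:06 francis kernel: pf: BAD state: TCP 127.0.0.20:80 206.125.166.80:80 123.116.84.41:59776 [lo=3407758259 high=3407823796 win=4096 modulator=0 wscale=2] [lo=374200006 high=374216390 win=8192 modulator=0 wscale=3] 4:2 A seq=3407758259 (3407758260) ack=2320196160 len=0 ackskew=-1945996154 pkts=1:1 dir=in,fwd
May 28 05:03:06 francis kernel: pf: State failure on: 3 |
May 28 05:03:06 francis kernel: pf: BAD state: TCP 127.0.0.20:80 206.125.166.80:80 123.116.84.41:59776 [lo=3407758259 high=3407823796 win=4096 modulator=0 wscale=2] [lo=374200006 high=374216390 win=8192 modulator=0 wscale=3] 4:2 RA seq=3407758259 (3407758260) ack=2320196160 len=0 ackskew=-1945996154 pkts=1:1 dir=in,fwd
"""

BAD_STATE_RE = re.compile(
    r"pf: BAD state: TCP (?P<flow>.+?) "
    r"\[lo=(?P<s_lo>\d+) high=(?P<s_hi>\d+) win=(?P<s_win>\d+) modulator=\d+ wscale=(?P<s_ws>\d+)\] "
    r"\[lo=(?P<d_lo>\d+) high=(?P<d_hi>\d+) win=(?P<d_win>\d+) modulator=\d+ wscale=(?P<d_ws>\d+)\] "
    r"\d+:\d+ (?P<flags>\S+) seq=(?P<seq>\d+) \(\d+\) ack=(?P<ack>\d+) len=(?P<len>\d+) "
    r"ackskew=(?P<ackskew>-?\d+) pkts=\S+ dir=(?:in|out),(?P<rel>fwd|rev)")
# pf prints the four strict checks before the bar and two looser ones after it.
FAILURE_RE = re.compile(r"pf: State failure on:\s*(?P<strict>[\d ]*)\|")

@dataclass
class Peer:      # one "[lo= high= win= modulator= wscale=]" bracket of the log line
    lo: int      # lowest sequence number pf still accepts from this peer
    hi: int      # highest sequence number the other side has left room for
    win: int     # largest window this peer has advertised
    wscale: int  # window scale shift as pf prints it

@dataclass
class BadState:
    flow: str
    flags: str
    seq: int
    ack: int
    length: int
    ackskew_logged: int
    rel: str                          # "fwd": packet travels in the state's direction
    src: Peer                         # first bracket in the log line
    dst: Peer                         # second bracket
    pf_verdict: Optional[str] = None  # digits from the following "State failure on:" line

def seq_cmp(a: int, b: int) -> int:
    """Signed 32-bit distance a - b, the wraparound arithmetic of pf's SEQ_* macros."""
    d = (a - b) & MASK
    return d - (1 << 32) if d & 0x80000000 else d

def parse(text: str) -> List[BadState]:
    """Collect BAD state lines and attach the verdict line that follows each one."""
    records: List[BadState] = []
    for line in text.splitlines():
        m = BAD_STATE_RE.search(line)
        if m:
            g = m.groupdict()
            records.append(BadState(
                flow=g["flow"], flags=g["flags"], seq=int(g["seq"]), ack=int(g["ack"]),
                length=int(g["len"]), ackskew_logged=int(g["ackskew"]), rel=g["rel"],
                src=Peer(int(g["s_lo"]), int(g["s_hi"]), int(g["s_win"]), int(g["s_ws"])),
                dst=Peer(int(g["d_lo"]), int(g["d_hi"]), int(g["d_win"]), int(g["d_ws"]))))
            continue
        f = FAILURE_RE.search(line)
        if f and records and records[-1].pf_verdict is None:
            records[-1].pf_verdict = f.group("strict").replace(" ", "")
    return records

def window_checks(r: BadState):
    """Recompute pf's four strict window checks; returns (failed digits, ackskew).
    1: end past the far window edge, 2: seq more than a window behind the low edge,
    3: ack more than MAXACKWINDOW backwards, 4: ack more than a scaled window forward."""
    # A packet running against the state's direction swaps the peer roles.
    src, dst = (r.src, r.dst) if r.rel == "fwd" else (r.dst, r.src)
    end = r.seq + r.length + ("S" in r.flags) + ("F" in r.flags)
    # Assumption: pf scales only when both peers sent the option and this is not a SYN.
    scaled = src.wscale and dst.wscale and "S" not in r.flags
    sws, dws = (src.wscale, dst.wscale) if scaled else (0, 0)
    ackskew = seq_cmp(dst.lo, r.ack)
    failed = "".join(digit for digit, bad in (
        ("1", seq_cmp(src.hi, end) < 0),
        ("2", seq_cmp(r.seq, src.lo - (dst.win << dws)) < 0),
        ("3", ackskew < -MAXACKWINDOW),
        ("4", ackskew > (MAXACKWINDOW << sws))) if bad)
    return failed, ackskew

def analyze(text: str):
    """One triage row per BAD state line, cross-checked against pf's own verdict."""
    rows = []
    for r in parse(text):
        failed, ackskew = window_checks(r)
        rows.append({"flow": r.flow, "flags": r.flags, "failed": failed, "ackskew": ackskew,
                     "pf_verdict": r.pf_verdict, "agree": r.pf_verdict in (None, failed),
                     "ackskew_matches_log": ackskew == r.ackskew_logged})
    return rows

def summarize(rows):
    """Count mismatches per failing check; "" means all four window checks passed."""
    return dict(Counter(str(row["failed"]) for row in rows))
```

Run `analyze(SAMPLE_LOG)` and the rows separate the two kinds of mismatch in Martin's log. The RST packet fails none of the four numbered checks (its seq sits exactly at the low edge and ackskew is 0), which is why pf printed a blank "State failure on: |"; pf rejected it on a test the diagnostic does not enumerate. The A and RA packets fail check 3 with an ackskew of -1945996154: they acknowledge a point nearly two billion bytes behind what the state has seen from the server, which is what a segment from a different connection reusing the same four-tuple looks like, not a window-size problem that tcp.finwait or a window-related tweak would fix. `summarize()` over a full day of /var/log/messages gives the per-check histogram that makes that distinction visible across the 600000 mismatches Martin mentions.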