From bugmaster at FreeBSD.org Mon Nov 2 11:07:01 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Nov 2 11:09:05 2009
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200911021107.nA2B70Ct033681@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

36 problems total.

From andre at netvision.com.br Fri Nov 6 11:46:21 2009
From: andre at netvision.com.br (André Luiz dos Santos)
Date: Fri Nov 6 11:46:29 2009
Subject: PF route-to on 7.2-RELEASE-p4
Message-ID: <20091106113011.GA25470@homemail.fastville.com.br>

I was getting the following panic on 7.2-RELEASE-p4 a few times a day. I
removed all "route-to" from the ruleset and it's been 24 hours without any
panics.

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xc
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc0834736
stack pointer           = 0x28:0xc3f5f974
frame pointer           = 0x28:0xc3f5f9a0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 31 (irq23: rl0 ehci0)
trap number             = 12
panic: page fault
cpuid = 0
GEOM_MIRROR: Device floor: rebuilding provider ad2s1a stopped.
Uptime: 47m14s
Physical memory: 1002 MB

(kgdb) bt
#0  doadump () at pcpu.h:196
#1  0xc07e25f7 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418
#2  0xc07e28c9 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:574
#3  0xc0ae3f2c in trap_fatal (frame=0xc3f5f934, eva=12) at /usr/src/sys/i386/i386/trap.c:939
#4  0xc0ae41b0 in trap_pfault (frame=0xc3f5f934, usermode=0, eva=12) at /usr/src/sys/i386/i386/trap.c:852
#5  0xc0ae4b5c in trap (frame=0xc3f5f934) at /usr/src/sys/i386/i386/trap.c:530
#6  0xc0ac926b in calltrap () at /usr/src/sys/i386/i386/exception.s:159
#7  0xc0834736 in m_copym (m=0x0, off0=1500, len=1480, wait=1) at /usr/src/sys/kern/uipc_mbuf.c:539
#8  0xc08c6eb5 in ip_fragment (ip=0xc5568810, m_frag=0xc3f5fa44, mtu=1500, if_hwassist_flags=0, sw_csum=3073) at /usr/src/sys/netinet/ip_output.c:731
#9  0xc513e061 in pf_route (m=0xc3f5fb94, r=0xc518b33c, dir=1, oifp=0xc41d9c00, s=0x0, pd=0xc3f5faa0) at /usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:6321
#10 0xc513d14f in pf_test (dir=1, ifp=0xc41d9c00, m0=0xc3f5fb94, eh=0x0, inp=0x0) at /usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:7125
#11 0xc5144b69 in pf_check_in (arg=0x0, m=0xc3f5fb94, ifp=0xc41d9c00, dir=1, inp=0x0) at /usr/src/sys/modules/pf/../../contrib/pf/net/pf_ioctl.c:3647
#12 0xc088c528 in pfil_run_hooks (ph=0xc0cbf0c0, mp=0xc3f5fbf0, ifp=0xc41d9c00, dir=1, inp=0x0) at /usr/src/sys/net/pfil.c:78
#13 0xc08c5b0a in ip_input (m=0xc6c8d100) at /usr/src/sys/netinet/ip_input.c:416
#14 0xc088acc5 in netisr_dispatch (num=2, m=0xc6c8d100) at /usr/src/sys/net/netisr.c:185
#15 0xc0880c61 in ether_demux (ifp=0xc41d9c00, m=0xc6c8d100) at /usr/src/sys/net/if_ethersubr.c:834
#16 0xc0881053 in ether_input (ifp=0xc41d9c00, m=0xc6c8d100) at /usr/src/sys/net/if_ethersubr.c:692
#17 0xc09ad0d2 in rl_rxeof (sc=0xc4210000) at /usr/src/sys/pci/if_rl.c:1320
#18 0xc09ae0ea in rl_intr (arg=0xc4210000) at /usr/src/sys/pci/if_rl.c:1477
#19 0xc07c055b in ithread_loop (arg=0xc41f7410) at /usr/src/sys/kern/kern_intr.c:1088
#20 0xc07bd0a9 in fork_exit (callout=0xc07c03a0 , arg=0xc41f7410, frame=0xc3f5fd38) at /usr/src/sys/kern/kern_fork.c:810
#21 0xc0ac92e0 in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:264
(kgdb)

From k at kevinkevin.com Fri Nov 6 15:33:49 2009
From: k at kevinkevin.com (Kevin)
Date: Fri Nov 6 15:33:56 2009
Subject: Question about round robin
Message-ID: <00a201ca5ef6$7a4f3ee0$6eedbca0$@com>

Hello,

I am curious about simple round robin load balancing w/ PF. I see how simple
it is to setup within the FreeBSD configuration file, but have a fairly
simple question.

Does PF detect if one of the addresses in the "pool" is not responsive? Or
does it just blindly send traffic to all the addresses in the pool
regardless? Is there some sort of heartbeat functionality or status check
perhaps? Has anyone accomplished something along these lines? Load balancing
would be pretty useless if I couldn't take a server out of the pool without
having to re-configure PF every time.

Any comments are appreciated!

Thanks,

Kevin
www.stardothosting.com

From k at kevinkevin.com Fri Nov 6 16:02:03 2009
From: k at kevinkevin.com (Kevin)
Date: Fri Nov 6 16:02:11 2009
Subject: Question about round robin
In-Reply-To: <-3431979369893017739@unknownmsgid>
References: <00a201ca5ef6$7a4f3ee0$6eedbca0$@com> <-3431979369893017739@unknownmsgid>
Message-ID: <00a501ca5efa$65640890$302c19b0$@com>

> -----Original Message-----
> From: no name [mailto:britneyfreek@googlemail.com]
> Sent: Friday, November 06, 2009 10:52 AM
> To: Kevin
> Cc: freebsd-pf@freebsd.org
> Subject: Re: Question about round robin
>
> i am not quite sure but i assume pf does no availability checks as
> responses from systems behind an address might take too long...
>
> - regards
>
> On 06.11.2009 at 16:34, "Kevin" wrote:
>
> > Hello,
> >
> > I am curious about simple round robin load balancing w/ PF.
> > I see how simple
> > it is to setup within the FreeBSD configuration file, but have a fairly
> > simple question.
> >
> > Does PF detect if one of the addresses in the "pool" is not responsive?
> > Or does it just blindly send traffic to all the addresses in the pool
> > regardless? Is there some sort of heartbeat functionality or status check
> > perhaps? Has anyone accomplished something along these lines? Load
> > balancing would be pretty useless if I couldn't take a server out of the
> > pool without having to re-configure PF every time.
> >
> > Any comments are appreciated!
> >
> > Thanks,
> >
> > Kevin
> > www.stardothosting.com

I've searched the freebsd-* mailing list as well as gone through the
handbook regarding load balancing w/ PF
(http://www.openbsd.org/faq/pf/pools.html) and found no mention of any kind
of inherent availability checks or anything along those lines. Have I
missed something?

Seems that all the options (bitmask, random, source-hash, round-robin)
provide for different ways to distribute traffic to the servers, but if a
server dies or becomes unresponsive it would compromise the pool in itself.
Most other load balancing solutions such as LVS can be incorporated with
keepalived to allow for status checking.

I would love to know anyone who may have implemented a solution like that
with PF + round robin.

Thanks,
Kevin

From britneyfreek at googlemail.com Fri Nov 6 16:15:59 2009
From: britneyfreek at googlemail.com (no name)
Date: Fri Nov 6 16:16:09 2009
Subject: Question about round robin
In-Reply-To: <00a201ca5ef6$7a4f3ee0$6eedbca0$@com>
References: <00a201ca5ef6$7a4f3ee0$6eedbca0$@com>
Message-ID: <-3431979369893017739@unknownmsgid>

i am not quite sure but i assume pf does no availability checks as
responses from systems behind an address might take too long...

- regards

On 06.11.2009 at 16:34, "Kevin" wrote:

> Hello,
>
> I am curious about simple round robin load balancing w/ PF. I see how
> simple it is to setup within the FreeBSD configuration file, but have a
> fairly simple question.
>
> Does PF detect if one of the addresses in the "pool" is not responsive?
> Or does it just blindly send traffic to all the addresses in the pool
> regardless? Is there some sort of heartbeat functionality or status check
> perhaps? Has anyone accomplished something along these lines? Load
> balancing would be pretty useless if I couldn't take a server out of the
> pool without having to re-configure PF every time.
>
> Any comments are appreciated!
>
> Thanks,
>
> Kevin
> www.stardothosting.com
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From CatalinM at starcomms.com Fri Nov 6 16:23:43 2009
From: CatalinM at starcomms.com (Catalin Miclaus)
Date: Fri Nov 6 16:23:51 2009
Subject: Question about round robin
In-Reply-To: <-3431979369893017739@unknownmsgid>
References: <00a201ca5ef6$7a4f3ee0$6eedbca0$@com> <-3431979369893017739@unknownmsgid>
Message-ID: <3A0AA7018522134597ED63B3B794C92A0702E0A4@STA-HQ-S001.starcomms.local>

As a workaround you can write a script that checks availability and updates
the pf config accordingly, and run it from cron every minute.

Catalin Miclaus
ISP/Data Team
Starcomms Plc.

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of no name
Sent: Friday, November 06, 2009 4:52 PM
To: Kevin
Cc: freebsd-pf@freebsd.org
Subject: Re: Question about round robin

i am not quite sure but i assume pf does no availability checks as
responses from systems behind an address might take too long...

- regards

On 06.11.2009 at 16:34, "Kevin" wrote:

> Hello,
>
> I am curious about simple round robin load balancing w/ PF. I see how
> simple it is to setup within the FreeBSD configuration file, but have a
> fairly simple question.
>
> Does PF detect if one of the addresses in the "pool" is not responsive?
> Or does it just blindly send traffic to all the addresses in the pool
> regardless? Is there some sort of heartbeat functionality or status check
> perhaps? Has anyone accomplished something along these lines? Load
> balancing would be pretty useless if I couldn't take a server out of the
> pool without having to re-configure PF every time.
>
> Any comments are appreciated!
>
> Thanks,
>
> Kevin
> www.stardothosting.com

From sullrich at gmail.com Fri Nov 6 16:35:48 2009
From: sullrich at gmail.com (Scott Ullrich)
Date: Fri Nov 6 16:35:55 2009
Subject: Question about round robin
In-Reply-To: <00a501ca5efa$65640890$302c19b0$@com>
References: <00a201ca5ef6$7a4f3ee0$6eedbca0$@com> <-3431979369893017739@unknownmsgid> <00a501ca5efa$65640890$302c19b0$@com>
Message-ID:

On Fri, Nov 6, 2009 at 11:01 AM, Kevin wrote:
> I've searched the freebsd-* mailing list as well as gone through the handbook regarding load balancing w/ PF (http://www.openbsd.org/faq/pf/pools.html) and found no mention of any kind of inherent availability checks or anything along those lines. Have I missed something?
>
> Seems that all the options (bitmask, random, source-hash, round-robin) provide for different ways to distribute traffic to the servers, but if a server dies or becomes unresponsive it would compromise the pool in itself. Most other load balancing solutions such as LVS can be incorporated with keepalived to allow for status checking.
>
> I would love to know anyone who may have implemented a solution like that with PF + round robin.

Take a look at relayd and slbd.

Scott

From max at love2party.net Fri Nov 6 16:45:56 2009
From: max at love2party.net (Max Laier)
Date: Fri Nov 6 16:46:04 2009
Subject: Question about round robin
In-Reply-To:
References: <00a201ca5ef6$7a4f3ee0$6eedbca0$@com> <00a501ca5efa$65640890$302c19b0$@com>
Message-ID: <200911061745.52616.max@love2party.net>

On Friday 06 November 2009 17:35:26 Scott Ullrich wrote:
> On Fri, Nov 6, 2009 at 11:01 AM, Kevin wrote:
> > I've searched the freebsd-* mailing list as well as gone through the
> > handbook regarding load balancing w/ PF
> > (http://www.openbsd.org/faq/pf/pools.html) and found no mention of any
> > kind of inherent availability checks or anything along those lines.
> > Have I missed something?
> >
> > Seems that all the options (bitmask, random, source-hash, round-robin)
> > provide for different ways to distribute traffic to the servers, but if a
> > server dies or becomes unresponsive it would compromise the pool in
> > itself. Most other load balancing solutions such as LVS can be
> > incorporated with keepalived to allow for status checking.
> >
> > I would love to know anyone who may have implemented a solution like that
> > with PF + round robin.
>
> Take a look at relayd and slbd.

I was about to say ... http://www.freshports.org/net/relayd/

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From k at kevinkevin.com Fri Nov 6 16:47:54 2009
From: k at kevinkevin.com (Kevin)
Date: Fri Nov 6 16:47:59 2009
Subject: Question about round robin
In-Reply-To: <200911061745.52616.max@love2party.net>
References: <00a201ca5ef6$7a4f3ee0$6eedbca0$@com> <00a501ca5efa$65640890$302c19b0$@com> <200911061745.52616.max@love2party.net>
Message-ID: <00a801ca5f00$d182a800$7487f800$@com>

> > Take a look at relayd and slbd.
>
> I was about to say ... http://www.freshports.org/net/relayd/

Thank you all for the suggestions so far. Ideally I'd like something that
can work with PF, such as relayd. Since this is only www load balancing, I
think that may be the best solution, although I am evaluating HAProxy as
well.

Thanks again,
Kevin

From k at kevinkevin.com Fri Nov 6 16:54:50 2009
From: k at kevinkevin.com (Kevin)
Date: Fri Nov 6 16:54:56 2009
Subject: Question about round robin
In-Reply-To: <4AF453B4.8050909@quip.cz>
References: <00a201ca5ef6$7a4f3ee0$6eedbca0$@com> <4AF453B4.8050909@quip.cz>
Message-ID: <00ab01ca5f01$c7afe580$570fb080$@com>

> Tables are easily maintained by external applications / scripts - you
> can update them without reloading of the rules. So you can write some
> little daemon pinging all your hosts and drop IP of unresponsive host
> from the table.
> Or you can write some complex system to monitor hosts resources (CPU
> load, free memory, disk IO, etc.) and maintain content of the table by
> this criteria so you can get balancing based on real server load.
>
> Miroslav Lachman

Since what I'm trying to do (balance simple www traffic) isn't that
complicated, I was hoping for some of this functionality to be inherent in
PF. Wishful thinking I guess :)

I wanted to avoid writing scripts, however, perhaps existing heartbeat /
status checking solutions can be integrated in this way.

Thank you

From 000.fbsd at quip.cz Fri Nov 6 17:07:46 2009
From: 000.fbsd at quip.cz (Miroslav Lachman)
Date: Fri Nov 6 17:07:52 2009
Subject: Question about round robin
In-Reply-To: <00a201ca5ef6$7a4f3ee0$6eedbca0$@com>
References: <00a201ca5ef6$7a4f3ee0$6eedbca0$@com>
Message-ID: <4AF453B4.8050909@quip.cz>

Kevin wrote:
> I am curious about simple round robin load balancing w/ PF. I see how simple
> it is to setup within the FreeBSD configuration file, but have a fairly
> simple question.
>
> Does PF detect if one of the addresses in the "pool" is not responsive? Or
> does it just blindly send traffic to all the addresses in the pool
> regardless? Is there some sort of heartbeat functionality or status check
> perhaps? Has anyone accomplished something along these lines? Load balancing
> would be pretty useless if I couldn't take a server out of the pool without
> having to re-configure PF every time.

"The round-robin method will accept multiple individual addresses using a
list or table."

Tables are easily maintained by external applications / scripts - you can
update them without reloading of the rules. So you can write some little
daemon pinging all your hosts and drop IP of unresponsive host from the
table.
Or you can write some complex system to monitor hosts resources (CPU load,
free memory, disk IO, etc.) and maintain content of the table by this
criteria so you can get balancing based on real server load.

Miroslav Lachman

From bugmaster at FreeBSD.org Mon Nov 9 11:07:00 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Nov 9 11:08:59 2009
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200911091106.nA9B6xj2079075@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

36 problems total.

From linimon at FreeBSD.org Thu Nov 12 22:32:09 2009
From: linimon at FreeBSD.org (linimon@FreeBSD.org)
Date: Thu Nov 12 22:32:20 2009
Subject: kern/140512: [pf] pf doesn't block udp packets on multicast addresses
Message-ID: <200911122232.nACMW9Fu014283@freefall.freebsd.org>

Old Synopsis: pf doesn't block udp packets on multicast addresses
New Synopsis: [pf] pf doesn't block udp packets on multicast addresses

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Thu Nov 12 22:31:46 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s).
http://www.freebsd.org/cgi/query-pr.cgi?pr=140512

From cmb at pfsense.org Thu Nov 12 22:49:29 2009
From: cmb at pfsense.org (Chris Buechler)
Date: Thu Nov 12 22:49:35 2009
Subject: kern/140512: [pf] pf doesn't block udp packets on multicast addresses
In-Reply-To: <200911122232.nACMW9Fu014283@freefall.freebsd.org>
References: <200911122232.nACMW9Fu014283@freefall.freebsd.org>
Message-ID:

On Thu, Nov 12, 2009 at 5:32 PM, wrote:
> Old Synopsis: pf doesn't block udp packets on multicast addresses
> New Synopsis: [pf] pf doesn't block udp packets on multicast addresses
>

This isn't a legit PR, tcpdump shows traffic before it's evaluated by the
ruleset.

From remko at FreeBSD.org Fri Nov 13 08:21:54 2009
From: remko at FreeBSD.org (remko@FreeBSD.org)
Date: Fri Nov 13 08:21:59 2009
Subject: kern/140512: [pf] pf doesn't block udp packets on multicast addresses
Message-ID: <200911130821.nAD8LrxE056310@freefall.freebsd.org>

Synopsis: [pf] pf doesn't block udp packets on multicast addresses

State-Changed-From-To: open->closed
State-Changed-By: remko
State-Changed-When: Fri Nov 13 08:21:53 UTC 2009
State-Changed-Why:
Traffic is being shown before hitting the firewall rule. (Chris Buechler)

http://www.freebsd.org/cgi/query-pr.cgi?pr=140512

From repcsike at gmail.com Sun Nov 15 21:23:14 2009
From: repcsike at gmail.com (Balázs Mátéffy)
Date: Sun Nov 15 21:23:24 2009
Subject: PF NAT problems.
Message-ID:

Hello,

I'm struggling to get pf nat to work when connecting to IPsec VPNs, when I
have a pf and pfnat gateway on my LAN side. Sometimes it's ok to some
networks, but most of the time it's not. Usually I'm using the Cisco VPN
client, connecting to Cisco ASA devices, and sometimes PPTP and L2TP VPN
with the client from Windows XP. I tried passing IPsec-relevant packets
through the pf fw, but if I use ipnat it works perfectly without any added
rules.

Somewhere I found that I have to statically map port 500 for pf to map that
to the external interface as well (and not change the port number), but I
couldn't make that work.

Relevant part of my pf.conf (I just pasted the macros, because I think the
problem lies somewhere else):

prv_ads = 192.168.0.0/24
nat on $ext_if proto $nat_p from $prv_ads to any -> ($ext_if:0)
#we need this to work with dyn ip and pppoe tun0
##Some port forwarding rules deleted from here...
rdr-anchor miniupnpd

ipnat.conf:

map tun0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map tun0 192.168.0.0/24 -> 0/32 portmap tcp/udp 40000:65000
map tun0 192.168.0.0/24 -> 0/32
#some port redirection deleted from here.

Thanks for any help,
B.

From ask at develooper.com Mon Nov 16 10:37:44 2009
From: ask at develooper.com (Ask Bjørn Hansen)
Date: Mon Nov 16 10:37:51 2009
Subject: Avoid keeping state of ntp requests
Message-ID:

Hi,

I'm trying to avoid keeping state of ntp requests to our ntp servers. They
are on UDP and numerous, so it's just wasting a lot of space in the state
table.

I've tried various variations of 'pass quick', but some rule keeps adding
state for the port 123 requests.

I've put the full output of 'pfctl -sa' here:
http://tmp.askask.com/2009/11/pf.txt

Any ideas?

- ask

From ask at develooper.com Mon Nov 16 10:59:33 2009
From: ask at develooper.com (Ask Bjørn Hansen)
Date: Mon Nov 16 10:59:40 2009
Subject: Avoid keeping state of ntp requests
In-Reply-To: <20091116104413.GA32966@mx.hs.ntnu.edu.tw>
References: <20091116104413.GA32966@mx.hs.ntnu.edu.tw>
Message-ID: <6967A89E-CF55-4F65-972E-864AAA50ED32@develooper.com>

On Nov 16, 2009, at 2:44, Denny Lin wrote:

>> I'm trying to avoid keeping state of ntp requests to our ntp servers. They are on UDP and numerous, so it's just wasting a lot of space in the state table.
>>
>> I've tried various variations of 'pass quick', but some rule keeps adding state for the port 123 requests. I've put the full output of 'pfctl -sa' here:
>
> Have you tried adding "no state" at the end of the rule? This way they
> aren't added to the state table.

Hi Denny,

Yes, indeed - that's what I'm doing; I should have made that explicit in the
mail. I've put the pfctl -vsr output up here:

http://tmp.askask.com/2009/11/pfctl-vsr.txt

[ a little later ]

Aargh! The problem was that the table in my rule was , but the table with
the IP addresses was !

Thanks for making me take a second[1] look.

- ask

[1] That's a joke, more like look number 217!

From dennylin93 at cnmc32.hs.ntnu.edu.tw Mon Nov 16 11:03:09 2009
From: dennylin93 at cnmc32.hs.ntnu.edu.tw (Denny Lin)
Date: Mon Nov 16 11:03:16 2009
Subject: Avoid keeping state of ntp requests
In-Reply-To:
References:
Message-ID: <20091116104413.GA32966@mx.hs.ntnu.edu.tw>

> I'm trying to avoid keeping state of ntp requests to our ntp servers. They are on UDP and numerous, so it's just wasting a lot of space in the state table.
>
> I've tried various variations of 'pass quick', but some rule keeps adding state for the port 123 requests. I've put the full output of 'pfctl -sa' here:

Have you tried adding "no state" at the end of the rule? This way they
aren't added to the state table.

--
Denny Lin

From bugmaster at FreeBSD.org Mon Nov 16 11:06:59 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Nov 16 11:09:00 2009
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200911161106.nAGB6woV011247@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283 pf pfsync fails to sucessfully transfer some sessions o kern/103281 pf pfsync reports bulk update failures o kern/93825 pf [pf] pf reply-to doesn't work o sparc/93530 pf [pf] Incorrect checksums when using pf's route-to on s o kern/92949 pf [pf] PF + ALTQ problems with latency o bin/86635 pf [patch] pfctl(8): allow new page character (^L) in pf. o kern/82271 pf [pf] cbq scheduler cause bad latency 36 problems total. From sergey.dyatko at gmail.com Tue Nov 17 11:02:02 2009 From: sergey.dyatko at gmail.com (Sergey V. Dyatko) Date: Tue Nov 17 11:02:08 2009 Subject: pf and max-src-conn-rate In-Reply-To: <20091117124804.08d70a8e@notebook> References: <20091117124804.08d70a8e@notebook> Message-ID: <20091117130205.2e3a5500@notebook> on Tue, 17 Nov 2009 12:48:04 +0200 "Sergey V. Dyatko" wrote: Ooops, sorry for the noice. I didn't seen that is only 1 connect SVD> Hi list, SVD> I'm trying to stop ssh bruteforce on my box (rules bellow), but it SVD> doesn't work. looks like 1sec interval is too small:( SVD> SVD> from auth.log: SVD> ... SVD> Nov 17 13:32:14 master-db6 sshd[3902]: Invalid user cobert from SVD> 200.27.164.214 SVD> Nov 17 13:32:14 master-db6 sshd[3902]: error: PAM: authentication SVD> error for illegal user cobert from server.aconex.cl SVD> Nov 17 13:32:14 master-db6 sshd[3902]: Failed SVD> keyboard-interactive/pam for invalid user cobert from SVD> 200.27.164.214 port 57587 ssh2 ... SVD> Nov 17 13:40:17 master-db6 sshd[3961]: error: PAM: authentication SVD> error for illegal user colman from 80.243.172.54 SVD> Nov 17 13:40:17 master-db6 sshd[3961]: Failed SVD> keyboard-interactive/pam for invalid user colman from SVD> 80.243.172.54 port 45081 ssh2 ... SVD> SVD> As you can see I got 2 connections from 1 ip in 1 second but... SVD> SVD> #pfctl -tbots -Tshow|wc -l SVD> 0 SVD> SVD> where i'm wrong? 
SVD> pf.conf:
SVD>
SVD> ext_if="em0"
SVD>
SVD> table { my_net/24, some_ip/32}
SVD> table persist
SVD>
SVD> scrub in all
SVD>
SVD> pass in quick on $ext_if proto tcp from
SVD> block in quick from
SVD>
SVD> pass in quick on $ext_if proto tcp to $ext_if port ssh \
SVD>     flags S/SA keep state \
SVD>     ( max-src-conn-rate 2/1 overload flush )
SVD>
SVD> pass in all
SVD> pass out all
SVD>

--
wbr, tiger

From sergey.dyatko at gmail.com  Tue Nov 17 11:10:03 2009
From: sergey.dyatko at gmail.com (Sergey V. Dyatko)
Date: Tue Nov 17 11:10:10 2009
Subject: pf and max-src-conn-rate
Message-ID: <20091117124804.08d70a8e@notebook>

Hi list,
I'm trying to stop ssh bruteforce on my box (rules below), but it
doesn't work. Looks like the 1 sec interval is too small :(

from auth.log:
...
Nov 17 13:32:14 master-db6 sshd[3902]: Invalid user cobert from 200.27.164.214
Nov 17 13:32:14 master-db6 sshd[3902]: error: PAM: authentication error for illegal user cobert from server.aconex.cl
Nov 17 13:32:14 master-db6 sshd[3902]: Failed keyboard-interactive/pam for invalid user cobert from 200.27.164.214 port 57587 ssh2
...
Nov 17 13:40:17 master-db6 sshd[3961]: error: PAM: authentication error for illegal user colman from 80.243.172.54
Nov 17 13:40:17 master-db6 sshd[3961]: Failed keyboard-interactive/pam for invalid user colman from 80.243.172.54 port 45081 ssh2
...

As you can see I got 2 connections from 1 ip in 1 second but...

#pfctl -tbots -Tshow|wc -l
0

where am I wrong?
pf.conf:

ext_if="em0"

table { my_net/24, some_ip/32}
table persist

scrub in all

pass in quick on $ext_if proto tcp from
block in quick from

pass in quick on $ext_if proto tcp to $ext_if port ssh \
    flags S/SA keep state \
    ( max-src-conn-rate 2/1 overload flush )

pass in all
pass out all

--
wbr, tiger

From mohacsi at niif.hu  Thu Nov 19 10:15:28 2009
From: mohacsi at niif.hu (Mohacsi Janos)
Date: Thu Nov 19 10:15:34 2009
Subject: pf behaviour changes - must be documented
Message-ID: <20091119101522.7D9E5847EC@mail.ki.iif.hu>

>Submitter-Id: current-users
>Originator: Mohacsi Janos
>Organization: NIIF
>Confidential: no
>Synopsis: pf behaviour changes - must be documented
>Severity: non-critical
>Priority: low
>Category: kern
>Class: doc-bug
>Release: FreeBSD 6.4-STABLE i386
>Environment:
System: FreeBSD mignon.ki.iif.hu 6.4-STABLE FreeBSD 6.4-STABLE #18: Tue Oct 27 16:19:23 CET 2009 root@mignon.ki.iif.hu:/usr/obj/usr/src/sys/MIGNON2 i386
>Description:
The pf behaviour about fragmented packets has changed since FreeBSD 6.4-STABLE #17 (Fri Jul 3 14:34:44 CEST 2009), at least up to FreeBSD 6.4-STABLE #18 (Tue Oct 27 16:19:23 CET 2009). Before some changes in pf it was working without scrubbing. After the changes:

scrub in on no-df

must be configured for proper operation.
>How-To-Repeat:
Try an earlier version of FreeBSD and the latest 6.4-STABLE.
>Fix:
Document these pf changes.

From linimon at FreeBSD.org  Thu Nov 19 20:30:53 2009
From: linimon at FreeBSD.org (linimon@FreeBSD.org)
Date: Thu Nov 19 20:31:06 2009
Subject: kern/140697: [pf] pf behaviour changes - must be documented
Message-ID: <200911192030.nAJKUqdQ044717@freefall.freebsd.org>

Old Synopsis: pf behaviour changes - must be documented
New Synopsis: [pf] pf behaviour changes - must be documented

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Thu Nov 19 20:30:32 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s).
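Returning to the max-src-conn-rate thread above: pf's max-src-conn-rate counts new TCP connections (state creations) per source, while sshd writes several auth.log lines for one connection, so the two lines from sshd[3902] within one second were a single connection. The following Python script is an added example, not code from the thread: it keys connections on the sshd PID, the way pf would count them, and applies the 2/1 threshold per source; the burst from 192.0.2.10 is constructed sample data.

```python
"""Why a max-src-conn-rate 2/1 rule can stay quiet while auth.log looks busy.

Added example, not from the thread: each sshd PID is treated as one
connection (what pf counts) and the pf threshold is applied per source.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the two sshd connections quoted in the thread plus a
# constructed burst of three separate connections (distinct PIDs) from
# 192.0.2.10 within one second, which does exceed 2/1.
SAMPLE_LOG = """\
Nov 17 13:32:14 master-db6 sshd[3902]: Invalid user cobert from 200.27.164.214
Nov 17 13:32:14 master-db6 sshd[3902]: error: PAM: authentication error for illegal user cobert from server.aconex.cl
Nov 17 13:32:14 master-db6 sshd[3902]: Failed keyboard-interactive/pam for invalid user cobert from 200.27.164.214 port 57587 ssh2
Nov 17 13:40:17 master-db6 sshd[3961]: error: PAM: authentication error for illegal user colman from 80.243.172.54
Nov 17 13:40:17 master-db6 sshd[3961]: Failed keyboard-interactive/pam for invalid user colman from 80.243.172.54 port 45081 ssh2
Nov 17 13:45:02 master-db6 sshd[4101]: Invalid user admin from 192.0.2.10
Nov 17 13:45:02 master-db6 sshd[4102]: Invalid user test from 192.0.2.10
Nov 17 13:45:03 master-db6 sshd[4103]: Invalid user oracle from 192.0.2.10
Nov 17 13:45:03 master-db6 sshd[4103]: Failed keyboard-interactive/pam for invalid user oracle from 192.0.2.10 port 40022 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r".*\bfrom (?P<src>\d{1,3}(?:\.\d{1,3}){3})\b"
)


def parse_connections(log_text):
    """Return {pid: (timestamp, source_ip)}, one entry per sshd connection.

    Lines that name a host instead of an address (the PAM line in the
    thread) do not match and are skipped; other lines of the same PID
    carry the address. The syslog timestamp has no year, so strptime's
    default year is used; only differences between timestamps matter.
    """
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        pid = int(m.group("pid"))
        if pid in conns:
            continue  # same connection, already counted once
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        conns[pid] = (ts, m.group("src"))
    return conns


def sources_over_rate(conns, number, seconds):
    """Return {source_ip: peak} for sources whose connections within any
    window of `seconds` seconds exceed `number`. pf raises the overload
    when count > limit, so exactly `number` connections are still allowed.
    """
    by_src = defaultdict(list)
    for ts, src in conns.values():
        by_src[src].append(ts)
    offenders = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            # slide the window start forward until it spans <= seconds
            while (t - times[start]).total_seconds() > seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > number:
            offenders[src] = peak
    return offenders


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LOG)
    print(f"{len(conns)} connections in {len(SAMPLE_LOG.splitlines())} log lines")
    for src, peak in sources_over_rate(conns, 2, 1).items():
        print(f"{src}: {peak} connections in 1 s, exceeds 2/1")
```

The two sources from the thread each yield one connection and are never flagged; only the constructed burst trips the 2/1 limit.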
http://www.freebsd.org/cgi/query-pr.cgi?pr=140697

From fullblaststorm at gmail.com  Sat Nov 21 15:27:53 2009
From: fullblaststorm at gmail.com (Victor Lyapunov)
Date: Sat Nov 21 15:27:59 2009
Subject: sending mail with attachments always fails (FreeBSD/pf)
Message-ID: <6c51dbb10911210706g3490e463x7fdf3809243e30d2@mail.gmail.com>

Hi all,

I have a production network with a FreeBSD box acting as firewall. The
problem emerges as soon as users send mail with attachments. (Sending
mail without attachments always succeeds.) Basically, when a user tries
to send a message, only part of it is transmitted before the connection
is interrupted and sending fails. The problem persists only when pf is
enabled.

My ruleset:

scrub in all fragment reassemble
block drop on em0 all
pass inet proto tcp from 192.168.0.0/24 to any port = smtp flags S/SA keep state
pass inet proto tcp from 192.168.0.0/24 to any port = pop3 flags S/SA keep state
pass inet proto tcp from 192.168.0.0/24 to any port = imap flags S/SA keep state
pass inet proto tcp from 192.168.0.0/24 to any port = smtps flags S/SA keep state
pass inet proto tcp from 192.168.0.0/24 to any port = pop3s flags S/SA keep state
pass proto udp from any to any port = domain keep state

This is what I get from pfctl -si just after #/etc/rc.d/pf start

# pfctl -si
Status: Enabled for 0 days 00:00:09           Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                                  0            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

After I try to send some mail with attachments a couple of times (which
always fails), I get this from pfctl -si:

Status: Enabled for 0 days 00:02:58           Debug: Urgent

State Table                          Total             Rate
  current entries                       48
  searches                            1313            7.4/s
  inserts                              131            0.7/s
  removals                              83            0.5/s
Counters
  match                                152            0.9/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                        22            0.1/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

Any suggestions/ideas would be appreciated,

Best regards,
Victor

FreeBSD router 7.2-RELEASE FreeBSD 7.2-RELEASE #4: Sun May 3 23:29:04 2009 root@router:/usr/obj/usr/src/sys/GENERIC i386

From ohauer at gmx.de  Sat Nov 21 17:54:12 2009
From: ohauer at gmx.de (olli hauer)
Date: Sat Nov 21 17:54:18 2009
Subject: sending mail with attachments always fails (FreeBSD/pf)
In-Reply-To: <6c51dbb10911210706g3490e463x7fdf3809243e30d2@mail.gmail.com>
References: <6c51dbb10911210706g3490e463x7fdf3809243e30d2@mail.gmail.com>
Message-ID: <4B082302.3040704@gmx.de>

Victor Lyapunov wrote:
> Hi all,
>
> I have a production network with a FreeBSD box acting as firewall. The
> problem emerges as soon as users send mail with attachments. (Sending
> mail without attachments always succeeds.) Basically, when a user
> tries to send a message, only part of it is transmitted before the
> connection is interrupted and sending fails. The problem persists only
> when pf is enabled.
>
> My ruleset:
> scrub in all fragment reassemble
> block drop on em0 all
> pass inet proto tcp from 192.168.0.0/24 to any port = smtp flags S/SA keep state
> pass inet proto tcp from 192.168.0.0/24 to any port = pop3 flags S/SA keep state
> pass inet proto tcp from 192.168.0.0/24 to any port = imap flags S/SA keep state
> pass inet proto tcp from 192.168.0.0/24 to any port = smtps flags S/SA keep state
> pass inet proto tcp from 192.168.0.0/24 to any port = pop3s flags S/SA keep state
> pass proto udp from any to any port = domain keep state
>
> [...]

Is this only for client submitting (imap) or even for incoming mails from
outside via smtp?

What about outgoing traffic from the machine?
Try the following in pf.conf to see why this happens

set loginterface pflog0
set block-policy drop
set skip on lo0

block drop in log on em0 all
pass out log on em0 all

Now use tcpdump to see which rule drops the traffic
#> tcpdump -net -i pflog0

--
olli

From fullblaststorm at gmail.com  Sat Nov 21 18:07:16 2009
From: fullblaststorm at gmail.com (Victor Lyapunov)
Date: Sat Nov 21 18:07:23 2009
Subject: sending mail with attachments always fails (FreeBSD/pf)
In-Reply-To: <4B082302.3040704@gmx.de>
References: <6c51dbb10911210706g3490e463x7fdf3809243e30d2@mail.gmail.com> <4B082302.3040704@gmx.de>
Message-ID: <6c51dbb10911211007x4ea07528y7642460629788903@mail.gmail.com>

Thanks for your answer, olli.

As I send mail not from my FreeBSD server but rather from the clients on
the local network, here's what I did:

my pf.conf:
set loginterface pflog0
set block-policy drop
set skip on lo0
block drop log on em0 all
pass log inet proto tcp from 192.168.0.0/24 to any port {smtp, pop3, imap, smtps, pop3s} flags S/SA keep state
pass log proto udp from any to any port = domain keep state

# tcpdump -net -i pflog0

Now I went to a Windows computer and tried to send an email with an
attachment to gmail.com (sending failed at 2%)

here's what I got in my pflog:

rule 4/0(match): pass in on em0: (tos 0x0, ttl 128, id 19860, offset 0, flags [DF], proto TCP (6), length 48) 192.168.0.5.1822 > 209.85.129.111.465: [|tcp]
rule 4/0(match): pass out on em0: (tos 0x0, ttl 127, id 19860, offset 0, flags [DF], proto TCP (6), length 48) 192.168.0.5.1822 > 209.85.129.111.465: tcp 28 [bad hdr length 0 - too short, < 20]
2 packets captured
2 packets received by filter
0 packets dropped by kernel

Again, everything works just fine when pf is disabled. And there are no
problems for incoming traffic; only outgoing traffic gets corrupted (that
is, dropped in the middle of transmitting data).

Any ideas?
From mike at jellydonut.org  Sat Nov 21 18:24:00 2009
From: mike at jellydonut.org (Michael Proto)
Date: Sat Nov 21 18:24:06 2009
Subject: sending mail with attachments always fails (FreeBSD/pf)
In-Reply-To: <6c51dbb10911211007x4ea07528y7642460629788903@mail.gmail.com>
References: <6c51dbb10911210706g3490e463x7fdf3809243e30d2@mail.gmail.com> <4B082302.3040704@gmx.de> <6c51dbb10911211007x4ea07528y7642460629788903@mail.gmail.com>
Message-ID: <1de79840911211023n165ecbd0h1051aaada4acefb@mail.gmail.com>

On Sat, Nov 21, 2009 at 1:07 PM, Victor Lyapunov wrote:
> rule 4/0(match): pass out on em0: (tos 0x0, ttl 127, id 19860, offset
> 0, flags [DF], proto TCP (6), length 48) 192.168.0.5.1822 >
> 209.85.129.111.465: tcp 28 [bad hdr length 0 - too short, < 20]

This looks to be your problem-- bad hdr length 0. I don't know enough
of what mailer(s) you're using to relay this message outbound, but
since port 465 is smtp over TLS/SSL are you sure your smtp encryption
is working correctly? I often see these types of errors with other
TLS/SSL apps when one side is expecting an encrypted connection and
the other is not (correctly) providing it.

Have you tried using unencrypted smtp on port 25? Does that work?
-Proto

From mike at jellydonut.org  Sat Nov 21 18:27:09 2009
From: mike at jellydonut.org (Michael Proto)
Date: Sat Nov 21 18:27:16 2009
Subject: sending mail with attachments always fails (FreeBSD/pf)
In-Reply-To: <1de79840911211023n165ecbd0h1051aaada4acefb@mail.gmail.com>
References: <6c51dbb10911210706g3490e463x7fdf3809243e30d2@mail.gmail.com> <4B082302.3040704@gmx.de> <6c51dbb10911211007x4ea07528y7642460629788903@mail.gmail.com> <1de79840911211023n165ecbd0h1051aaada4acefb@mail.gmail.com>
Message-ID: <1de79840911211027mbc0e731l565817f678db128e@mail.gmail.com>

On Sat, Nov 21, 2009 at 1:23 PM, Michael Proto wrote:
> On Sat, Nov 21, 2009 at 1:07 PM, Victor Lyapunov wrote:
>
>> rule 4/0(match): pass out on em0: (tos 0x0, ttl 127, id 19860, offset
>> 0, flags [DF], proto TCP (6), length 48) 192.168.0.5.1822 >
>> 209.85.129.111.465: tcp 28 [bad hdr length 0 - too short, < 20]
>
> This looks to be your problem-- bad hdr length 0. I don't know enough
> of what mailer(s) you're using to relay this message outbound, but
> since port 465 is smtp over TLS/SSL are you sure your smtp encryption
> is working correctly? I often see these types of errors with other
> TLS/SSL apps when one side is expecting an encrypted connection and
> the other is not (correctly) providing it.
>
> Have you tried using unencrypted smtp on port 25? Does that work?
>

Er... wait, I just re-read that you said things work fine with pf
disabled, so my theory about bad encryption probably isn't very
accurate.

Are you still using a scrub rule? Have you tried disabling it? If pf is
seeing a "bad hdr length" error it might be dropping the packet due to
scrubbing. Of course, this could also mean that TSO is enabled on your
ethernet interface and bpf just isn't seeing the tcp header at all, so
my whole theory might be moot.
-Proto

From ohauer at gmx.de  Sat Nov 21 19:25:21 2009
From: ohauer at gmx.de (olli hauer)
Date: Sat Nov 21 19:25:27 2009
Subject: sending mail with attachments always fails (FreeBSD/pf)
In-Reply-To: <6c51dbb10911211007x4ea07528y7642460629788903@mail.gmail.com>
References: <6c51dbb10911210706g3490e463x7fdf3809243e30d2@mail.gmail.com> <4B082302.3040704@gmx.de> <6c51dbb10911211007x4ea07528y7642460629788903@mail.gmail.com>
Message-ID: <4B083E9D.5070508@gmx.de>

Victor Lyapunov wrote:
> Thanks for your answer, olli.
>
> As I send mail not from my FreeBSD server but rather from the clients
> on the local network, here's what I did:
>
> my pf.conf:
> set loginterface pflog0
> set block-policy drop
> set skip on lo0
> block drop log on em0 all
> pass log inet proto tcp from 192.168.0.0/24 to any port {smtp, pop3, imap, smtps, pop3s} flags S/SA keep state
> pass log proto udp from any to any port = domain keep state
>
>
> # tcpdump -net -i pflog0
> Now I went to a Windows computer and tried to send an email with an
> attachment to gmail.com (sending failed at 2%)
>
> here's what I got in my pflog:
>
> rule 4/0(match): pass in on em0: (tos 0x0, ttl 128, id 19860, offset 0, flags [DF], proto TCP (6), length 48) 192.168.0.5.1822 > 209.85.129.111.465: [|tcp]
> rule 4/0(match): pass out on em0: (tos 0x0, ttl 127, id 19860, offset 0, flags [DF], proto TCP (6), length 48) 192.168.0.5.1822 > 209.85.129.111.465: tcp 28 [bad hdr length 0 - too short, < 20]

why is the [DF] bit set?
can you try with the following pf option

scrub all no-df

From fox at verio.net  Sun Nov 22 02:53:11 2009
From: fox at verio.net (David DeSimone)
Date: Sun Nov 22 02:53:18 2009
Subject: sending mail with attachments always fails (FreeBSD/pf)
In-Reply-To: <1de79840911211023n165ecbd0h1051aaada4acefb@mail.gmail.com>
References: <6c51dbb10911210706g3490e463x7fdf3809243e30d2@mail.gmail.com> <4B082302.3040704@gmx.de> <6c51dbb10911211007x4ea07528y7642460629788903@mail.gmail.com> <1de79840911211023n165ecbd0h1051aaada4acefb@mail.gmail.com>
Message-ID: <20091122022346.GK2392@verio.net>

Michael Proto wrote:
>
> > rule 4/0(match): pass out on em0: (tos 0x0, ttl 127, id 19860, offset
> > 0, flags [DF], proto TCP (6), length 48) 192.168.0.5.1822 >
> > 209.85.129.111.465: tcp 28 [bad hdr length 0 - too short, < 20]
>
> This looks to be your problem-- bad hdr length 0.

This is caused when tcpdump has too small a snaplen; it is not seeing
enough of the packet from the pflog interface, so it reports incorrect
information at the end.

Try adding "-s 128" to collect a larger packet and you should see the
full description from tcpdump.

That said, the original problem seems like it could easily be caused by
a PF state mismatch resulting from asymmetric routing. If packets come
in a different interface than they go out, or worse, if the return path
doesn't even go through the firewall, PF cannot see the reply traffic
allowing it to update its TCP window tracking.

As a result, short TCP sessions, such as those that fit within the
default TCP window, can work okay, but longer sessions that go beyond
that window will stall out and fail.

--
David DeSimone == Network Admin == fox@verio.net
  "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow

This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected.
If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free. Thank you.

From fullblaststorm at gmail.com  Sun Nov 22 08:37:01 2009
From: fullblaststorm at gmail.com (Victor Lyapunov)
Date: Sun Nov 22 08:37:07 2009
Subject: sending mail with attachments always fails (FreeBSD/pf)
In-Reply-To: <20091122022346.GK2392@verio.net>
References: <6c51dbb10911210706g3490e463x7fdf3809243e30d2@mail.gmail.com> <4B082302.3040704@gmx.de> <6c51dbb10911211007x4ea07528y7642460629788903@mail.gmail.com> <1de79840911211023n165ecbd0h1051aaada4acefb@mail.gmail.com> <20091122022346.GK2392@verio.net>
Message-ID: <6c51dbb10911220036x55bc9753m421f4641d5f9e871@mail.gmail.com>

Thank you guys for your attention to my problem.

This time I increased the tcpdump capture buffer to 128 bytes and I got
this:

# tcpdump -s 128 -net -i pflog0
(I tried to send mail with an attachment (700kb) to gmail.com (REQUIRES
SSL) using Outlook, which again timed out and failed)

rule 0/0(match): block in on em0: 192.168.0.1.2078 > 192.168.0.3.445: P 794764624:794764677(53) ack 146734048 win 65535
rule 0/0(match): block in on em0: 192.168.0.1.2078 > 192.168.0.3.445: P 0:53(53) ack 1 win 65535
rule 0/0(match): block in on em0: 192.168.0.1.2078 > 192.168.0.3.445: P 0:53(53) ack 1 win 65535
rule 0/0(match): block in on em0: 192.168.0.1.2078 > 192.168.0.3.445: P 0:53(53) ack 1 win 65535
rule 1/0(match): pass in on em0: 192.168.0.5.1025 > 192.168.0.3.53: 1016+ A? smtp.gmail.com. (32)
rule 1/0(match): pass out on em0: 192.168.0.3.61974 > 208.67.222.222.53: 44197+% [1au] A? smtp.gmail.com. (43)
rule 1/0(match): pass out on em0: 192.168.0.3.53758 > 208.67.222.222.53: 57704+% [1au][|domain]
rule 1/0(match): pass in on em0: 192.168.0.5.2029 > 74.125.39.109.465: S 207714378:207714378(0) win 65535
rule 1/0(match): pass out on em0: 192.168.0.5.2029 > 74.125.39.109.465: S 207714378:207714378(0) win 65535
rule 1/0(match): pass out on em0: 192.168.0.3.55398 > 208.67.222.222.53: 26150+% [1au][|domain]
rule 0/0(match): block in on em0: 192.168.0.1.2078 > 192.168.0.3.445: P 0:53(53) ack 1 win 65535
rule 1/0(match): pass in on em0: 192.168.0.1.2437 > 192.168.0.3.445: S 3245362396:3245362396(0) win 65535
rule 1/0(match): pass in on em0: 192.168.0.1.2442 > 192.168.0.3.445: S 3154965483:3154965483(0) win 65535
rule 1/0(match): pass in on em0: 192.168.0.1.2444 > 192.168.0.3.445: S 3857149154:3857149154(0) win 65535
rule 1/0(match): pass in on em0: 169.254.113.220.2447 > 192.168.0.3.139: S 4208647498:4208647498(0) win 65535
rule 1/0(match): pass in on em0: 192.168.0.1.2448 > 192.168.0.3.139: S 3459916613:3459916613(0) win 65535
rule 1/0(match): pass in on em0: 169.254.113.220.2449 > 192.168.0.3.139: S 2672892612:2672892612(0) win 65535
17 packets captured
17 packets received by filter
0 packets dropped by kernel

After that I tried to send mail to a server that does not require SSL
and I got this:

rule 1/0(match): pass in on em0: 192.168.0.5.2035 > 94.100.177.1.25: S 237079791:237079791(0) win 65535
rule 1/0(match): pass out on em0: 192.168.0.5.2035 > 94.100.177.1.25: S 237079791:237079791(0) win 65535
2 packets captured
2 packets received by filter
0 packets dropped by kernel

The sending process fails regardless of whether I use SSL or not.

192.168.0.1 -- Router
192.168.0.3 -- The FreeBSD box
192.168.0.5 -- Windows machine with default gateway set to 192.168.0.3

The ruleset is:

block drop log on em0 all
pass log on em0 all flags S/SA keep state

I can't figure out what might be the cause of the problem... Is it
possible that the router causes this?
From bugmaster at FreeBSD.org  Mon Nov 23 11:07:01 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Nov 23 11:08:59 2009
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200911231107.nANB70pL070208@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/140697  pf   [pf] pf behaviour changes - must be documented
o kern/137982  pf   [pf] when pf can hit state limits, random IP failures
o kern/136781  pf   [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf   [pf] [gre] pf not natting gre protocol
o kern/135162  pf   [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf   [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf   [pf] max-src-conn issue
o kern/132769  pf   [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf   [pf] pf stalls connection when using route-to [regress
o conf/130381  pf   [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf   [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf   [pf] ipv6 and synproxy don't play well together
o conf/127814  pf   [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf   [pf] deadlock in pf
f kern/127345  pf   [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf   [pf] [patch] pf incorrect log priority
o kern/127042  pf   [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf   [pf] pf keep state bug while handling sessions between
s kern/124933  pf   [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf   [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf   [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf   [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf   [pf] PF mangles loopback packets
o kern/120281  pf   [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf   [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf   [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf   [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf   [carp] carp+pf delay with high state limit
o kern/111220  pf   [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf   [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf   pfsync fails to sucessfully transfer some sessions
o kern/103281  pf   pfsync reports bulk update failures
o kern/93825   pf   [pf] pf reply-to doesn't work
o sparc/93530  pf   [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf   [pf] PF + ALTQ problems with latency
o bin/86635    pf   [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf   [pf] cbq scheduler cause bad latency

37 problems total.

From sife.mailling at yahoo.com  Mon Nov 23 16:01:50 2009
From: sife.mailling at yahoo.com (Sife Mailling)
Date: Mon Nov 23 16:01:56 2009
Subject: block ip's and ports
Message-ID: <745127.92574.qm@web113110.mail.gq1.yahoo.com>

Salamo Alikom

I set up a firewall for a personal home computer; now I want every packet
blocked if it does not pass to the specified ports.
This is my pf.conf:

net_card="sis0"
tcp_ports="{80 ,https ,domain ,auth ,21}"
udp_ports="{domain}"
table file "/etc/pf/banned"
table {www.google.com}
block in log (all) on $net_card proto {tcp ,udp} all
pass in on $net_card proto tcp from any to any port $tcp_ports
pass in on $net_card proto udp from any to any port $udp_ports
pass in on $net_card proto tcp from 192.168.0.0/16 to 192.168.0.0/16
block in on $net_card proto tcp from { , } to any port $tcp_ports
pass out on $net_card proto tcp from any to any port $tcp_ports
pass out on $net_card proto udp from any to any port $udp_ports
pass out on $net_card inet proto tcp from any to any port ftp
pass out on $net_card inet proto tcp from any to any port > 1023

Now Skype works, and with both tables, banned and banned2, I can still
browse the sites included in them.

From ohauer at gmx.de  Mon Nov 23 16:22:45 2009
From: ohauer at gmx.de (olli hauer)
Date: Mon Nov 23 16:22:52 2009
Subject: block ip's and ports
In-Reply-To: <745127.92574.qm@web113110.mail.gq1.yahoo.com>
References: <745127.92574.qm@web113110.mail.gq1.yahoo.com>
Message-ID: <4B0AB6D1.2040206@gmx.de>

Sife Mailling wrote:
> Salamo Alikom
> I set up a firewall for a personal home computer; now I want every
> packet blocked if it does not pass to the specified ports.
> This is my pf.conf:
> net_card="sis0"
> tcp_ports="{80 ,https ,domain ,auth ,21}"
> udp_ports="{domain}"
> table file "/etc/pf/banned"
> table {www.google.com}
> block in log (all) on $net_card proto {tcp ,udp} all
> pass in on $net_card proto tcp from any to any port $tcp_ports
> pass in on $net_card proto udp from any to any port $udp_ports
> pass in on $net_card proto tcp from 192.168.0.0/16 to 192.168.0.0/16
> block in on $net_card proto tcp from { , } to any port $tcp_ports
> pass out on $net_card proto tcp from any to any port $tcp_ports
> pass out on $net_card proto udp from any to any port $udp_ports
> pass out on $net_card inet proto tcp from any to any port ftp
> pass out on $net_card inet proto tcp from any to any port > 1023
>
> Now Skype works, and with both tables, banned and banned2, I can still
> browse the sites included in them.
>

Try the quick keyword, so traffic is not allowed in later rules.

Additionally, disable outgoing traffic, since if you create a connection
from inside, a state which permits incoming traffic is created.
example ordering:

table file "/etc/pf/banned"
table {www.google.com}

block in log (all) on $net_card proto {tcp ,udp} all

block in quick on $net_card proto tcp from { , } \
    to any port $tcp_ports label blockin
block out quick on $net_card proto tcp from { , } \
    to any port $tcp_ports label blockout

pass in on $net_card proto tcp from any to any port $tcp_ports

From fox at verio.net  Mon Nov 23 22:18:13 2009
From: fox at verio.net (David DeSimone)
Date: Mon Nov 23 22:18:20 2009
Subject: sending mail with attachments always fails (FreeBSD/pf)
In-Reply-To: <6c51dbb10911220036x55bc9753m421f4641d5f9e871@mail.gmail.com>
References: <6c51dbb10911210706g3490e463x7fdf3809243e30d2@mail.gmail.com> <4B082302.3040704@gmx.de> <6c51dbb10911211007x4ea07528y7642460629788903@mail.gmail.com> <1de79840911211023n165ecbd0h1051aaada4acefb@mail.gmail.com> <20091122022346.GK2392@verio.net> <6c51dbb10911220036x55bc9753m421f4641d5f9e871@mail.gmail.com>
Message-ID: <20091123221718.GR2392@verio.net>

Victor Lyapunov wrote:
>
> After that I tried to send mail to a server that does not require SSL
> and I got this:
>
> rule 1/0(match): pass in on em0: 192.168.0.5.2035 > 94.100.177.1.25: S 237079791:237079791(0) win 65535
> rule 1/0(match): pass out on em0: 192.168.0.5.2035 > 94.100.177.1.25: S 237079791:237079791(0) win 65535
> 2 packets captured
> 2 packets received by filter
> 0 packets dropped by kernel

This doesn't appear to be the same problem you originally submitted,
about SMTP connections with no attachments working fine, but with
attachments they fail. Seems like you are now describing that SMTP
doesn't work at all.

> 192.168.0.1 -- Router
> 192.168.0.3 -- The FreeBSD box
> 192.168.0.5 -- Windows machine with default gateway set to 192.168.0.3

This is probably the source of your problems. Your router and your
firewall and your firewalled client are all on the same subnet together.
There is nothing preventing the router from sending packets directly
back to the Windows box, bypassing your firewall. As such, the firewall
cannot see any of the reply traffic, and so it cannot follow the TCP
state correctly, so eventually it begins to block the traffic.

If you turn on logging with "pfctl -x loud" you will probably see a lot
of messages about TCP state mismatches.

The proper way to fix this is to rearchitect your network so that your
firewall has two interfaces, one public, one private. The public
interface connects only to your router, while the private interface
connects to all your firewall clients. This forces the firewall to be
the only path to and from the network, giving enhanced security.

--
David DeSimone == Network Admin == fox@verio.net
  "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow
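A pf.conf for the two-interface layout David describes, written here as an added example rather than taken from the thread: em0 stays the router-facing side as in Victor's setup, while em1 as the LAN-facing interface, the LAN prefix and the mail port list are assumptions. With the clients' default gateway on em1 and the router's route for the LAN pointing at em0, every packet of a session crosses the firewall in both directions, so the states created below see the replies.

```pf
# Added example, not from the thread. em1 as the LAN interface, the LAN
# prefix and the port list are assumptions; em0 is the router side.
ext_if   = "em0"               # connects only to the router
int_if   = "em1"               # connects only to the LAN clients
lan      = "192.168.0.0/24"
mail_tcp = "{ smtp, submission, smtps, pop3, pop3s, imap, imaps }"

set block-policy drop
set skip on lo0
scrub in all

# Default deny on both interfaces; dropped packets show up on pflog0.
block log all

# Clients open sessions on the private side. The state created here also
# matches the same packets leaving on $ext_if and the replies arriving on
# $ext_if, because pf's default state-policy is floating (not if-bound).
pass in quick on $int_if inet proto tcp from $lan to any port $mail_tcp \
    flags S/SA keep state
pass in quick on $int_if inet proto udp from $lan to any port domain \
    keep state

# Explicit outbound rules on the public side, so the ruleset also works
# if state-policy is ever set to if-bound; with floating states the
# existing state matches first and these rules are never consulted.
pass out quick on $ext_if inet proto tcp from $lan to any port $mail_tcp \
    flags S/SA keep state
pass out quick on $ext_if inet proto udp from $lan to any port domain \
    keep state

# The firewall's own resolver queries, as seen in Victor's pflog output.
pass out quick on $ext_if inet proto udp from ($ext_if) to any port domain \
    keep state
```

Nothing here permits traffic that arrives unsolicited on $ext_if, and the LAN clients have no path to the router except through the firewall, which is what lets pf track the TCP window for long transfers such as attachments.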