From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Sep 7 11:09:13 2009
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200909071107.n87B74we010328@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

36 problems total.


From: josep at bellera.cat (Josep Pujadas i Jubany)
Date: Tue Sep 8 07:59:30 2009
Subject: ADSL bonding
Message-ID: <20090908071705.M81528@bellera.cat>

Hello!

I want to use a PF box to balance 4 ADSL lines.

I read:

  http://www.openbsd.org/faq/pf/pools.html#outgoing

but I'm not sure what happens when one ADSL line fails. How does the
round-robin algorithm work in this case?

Thanks,

Josep Pujadas

From: mkhitrov at gmail.com (Maxim Khitrov)
Date: Fri Sep 11 01:46:46 2009
Subject: Rule equivalence of uRPF check
Message-ID: <26ddd1750909101846t131b6e0byaec95189f363c076@mail.gmail.com>

Hello all,

I would like to verify my assumptions regarding the way the uRPF check
works. I'm using a Soekris net5501 board as a firewall; port 0 ($ext_if)
is the internet uplink, ports 1-3 ($int_if, $mil_if, $vpn_if) are separate
LAN segments that should not be communicating with one another. Here is
the start of my filter section:

    # Block all traffic by default
    block log

    # Broadcast DHCP traffic must be passed before urpf check
    pass in quick on !$ext_if proto udp from port dhcpc to 255.255.255.255 port dhcps

    # Enable source address spoofing protection
    block in quick from urpf-failed

The question I have is whether the urpf-failed check is equivalent to the
following three rules for each of the interfaces (I'm using $int_if as an
example here):

    block in quick on $int_if from !$int_if:network
    block in quick on !$int_if from $int_if:network
    block in quick from $int_if

The OpenBSD pf FAQ states that urpf-check is equivalent to the antispoof
rules, but the antispoof section lists only the last two rules in my
example as being equivalent. So the question is: does urpf imply the
first rule as well?

- Max

From: gaurav at subisu.net.np (Gaurav Ghimire)
Date: Mon Sep 14 04:30:01 2009
Subject: Packet Filter alerting system.
Message-ID: <4AADC15B.5060501@subisu.net.np>

Hi all,

Just curious to know if we have something, some alerting system or
mechanism, that provides the administrator with the daily reports that pf
itself or some other tool collects on pf's behalf. It would probably
report to the admin:

~ Total connection counts matched on each ruleset.
~ Total number of counts matched on deny rules.
~ IP/port attack logs and related logs.

I would really appreciate it if there are any such mechanisms, or if I
could be given any pointers on achieving this.

Regards,

--
Gaurav Ghimire
System Administrator
Subisu Cablenet (P.) Ltd.
148 Thirbum Sadak
Baluwatar, Kathmandu
Nepal
T: 00977 1 4429616/17 Ext.: 110
F: 00977 1 4430572
http://www.subisu.net.np
(An ISO 9001:2000 Certified Company)

From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Sep 14 11:08:59 2009
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200909141107.n8EB754r072429@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

36 problems total.

From: mkhitrov at gmail.com (Maxim Khitrov)
Date: Tue Sep 15 17:46:13 2009
Subject: Moving the pf rc.d scripts to run before netif
In-Reply-To: <4A36A051.3040007@FreeBSD.org>
References: <4A242035.8010101@FreeBSD.org> <20090615065817.GJ290@greenie.muc.de> <4A36A051.3040007@FreeBSD.org>
Message-ID: <26ddd1750909151045ia8bc7f1r9abfccb360538c8@mail.gmail.com>

On Mon, Jun 15, 2009 at 3:26 PM, Doug Barton wrote:
> Gert Doering wrote:
>> Hi Doug,
>>
>> thanks for taking this up - and sorry for not responding more timely.
>>
>> I can't answer all the questions but might have a yet-unmentioned idea
>> that could solve all this in one go :-)
>>
>> On Mon, Jun 01, 2009 at 11:38:45AM -0700, Doug Barton wrote:
>>> 2. The previous rcorder for the pf script was right after netif (the
>>> network coming up) and before routing .... why? Is this related to how
>>> pf does its work? The reason I ask this question is that in order to
>>> fix the IPv6 rcorder problem in the pr the way that Gert is suggesting
>>> the "BEFORE: routing" would have to be removed because our IPv6
>>> startup depends on RA which depends on routing being up. (Side note,
>>> in the long term I'd like to revise this so that an IPv6-only host
>>> and/or a host with statically assigned IPv6 addresses can easily be
>>> configured within rc.d, but that's another thing altogether.)
>>>
>>> 3. Is the need to be able to use $ext_if after the network is up so
>>> overwhelmingly important that it justifies running pf after netif? Or
>>> is using ($ext_if) a reasonable solution?
>>
>> Well - let's turn this one around: since we *have* the functionality in
>> pf(4), let's not cripple it by building a framework that makes using this
>> functionality effectively impossible. If I understand Bjoern right, this
>> is also a performance issue - ($ext_if) needs a per-packet lookup to
>> get the now-current address, while $ext_if reads the address at pf setup
>> time.
>>
>> I can see the arguments for having the firewall initialization right at
>> the start - to avoid opening a window of opportunity where services are
>> "up" but the firewall hasn't yet been loaded.
>>
>> So what about the following approach:
>>
>>  - split the firewall initialization into two halves
>>
>>  - the first half is run before any other networking stuff is configured
>>    and basically sets up a "deny everything incoming" filter (with
>>    exceptions for IPv6 RD/ND, of course).
>>
>>    Optionally this could permit outbound connections (with state), to
>>    enable things like bgpd to run.
>>
>>  - after this, run interface configuration, set up routing, ...
>>
>>  - when all this is finished, load the "real" set of firewall rules,
>>    which can now (if so desired) safely use $ext_if
>
> I already said I support this solution, I'm just waiting for someone
> with some real pf knowledge to propose something.
>
> Doug

Hello all,

I just ran into this problem of pf start-up order on 7.2. I have a number
of nat and rdr rules that allow people on the outside to access some
internal servers (web, mail, etc.). To avoid having to specify public and
private IPs once in the DNS server, which is on the internal interface,
and a second time in the pf configuration, all of these rules use host
names. During start-up, the DNS server cannot be reached, so pf.conf is
not loaded due to unresolved hostnames.

The solution I used is basically as explained by Gert. It works for me,
but it would be much better if someone could commit a more permanent fix.
The idea is to have two separate pf configuration files and rc scripts.
One rc script (I called mine pf_init and put it into
/usr/local/etc/rc.d/ for now) runs instead of the current /etc/rc.d/pf
(before routing is enabled). This script loads /etc/pf.init, which
contains the following configuration:

    # pf configuration that is loaded before routing
    set skip on lo
    scrub in
    block in

Just a basic filter that has no external dependencies and blocks all
incoming traffic. Outgoing traffic, like DNS queries, would be allowed by
the default pass rule.

The second rc script is a modified version of the current /etc/rc.d/pf.
All I did was change two lines:

--- /usr/src/etc/rc.d/pf 2009-04-14 23:14:26.000000000 -0400
+++ /etc/rc.d/pf 2009-09-15 13:06:07.000000000 -0400
@@ -7,2 +7,2 @@
-# REQUIRE: FILESYSTEMS netif pflog pfsync
-# BEFORE: routing
+# REQUIRE: FILESYSTEMS netif pflog pfsync named
+# BEFORE: DAEMON ntpdate

I added named to the REQUIRE list, which in my case is provided by
dnsmasq. This allows the firewall to query ISP and internal DNS servers
before the real pf.conf is loaded. I also wanted pf.conf loaded before
other network-related scripts like ntpdate. Not sure if there are some
other things that need to be included for a more general solution, but
this works for me.

My pf_init script is at the bottom of this message. Feel free to take any
of my work, improve it, and commit it to the source tree. You would need
to move the pf_init_rules variable, which is currently defined in
pf_init, to /etc/defaults/rc.conf. That would allow people to specify a
config to use other than /etc/pf.init.

The only thing I wasn't sure about is whether there is a better way to
disable the stop and restart rc commands than to set stop_cmd and
restart_cmd to an empty function. We don't want to use pf_init to reload
or restart the firewall, since that would replace the correct ruleset
with the pre-routing one.

- Max

/usr/local/etc/rc.d/pf_init:

    #!/bin/sh
    #
    # PROVIDE: pf_init
    # REQUIRE: FILESYSTEMS netif pflog pfsync
    # BEFORE: routing
    # KEYWORD: nojail

    . /etc/rc.subr

    name="pf_init"
    # set_rcvar derives the knob from $name, so rc.conf needs pf_init_enable="YES"
    rcvar=`set_rcvar`

    # Load pf's own rc.conf settings so that $pf_program and $pf_flags are defined
    load_rc_config "pf"

    # pf_start does the work; stop and restart are deliberately no-ops so that
    # this script can never replace the full ruleset with the pre-routing one.
    start_cmd="pf_start"
    stop_cmd="pf_pass"
    restart_cmd="pf_pass"

    pf_init_rules="/etc/pf.init"
    required_files="$pf_init_rules"
    required_modules="pf"

    pf_start()
    {
    	echo "Enabling pf (init)."
    	$pf_program -F all > /dev/null 2>&1
    	$pf_program -f "$pf_init_rules" $pf_flags
    	if ! $pf_program -s info | grep -q "Enabled" ; then
    		$pf_program -e
    	fi
    }

    pf_pass()
    {
    	# sh rejects an empty function body; ':' is the no-op command
    	:
    }

    run_rc_command "$1"

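Review bot: with `-# BEFORE: routing` gone, nothing in this script's rcorder keywords refers to the pf_init script that is now expected to hold the baseline ruleset until named is up, so the two halves are coupled only by convention: if pf_init is not installed, or pf_init_enable is not set, the host runs with no ruleset loaded between netif and the full pf.conf. Suggest making the order explicit, `+# REQUIRE: FILESYSTEMS netif pflog pfsync named pf_init`, and adding a comment above the header saying why named is required (hostnames in the nat/rdr rules), since a reader of /etc/rc.d/pf alone cannot tell.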
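The ordering that the two scripts produce is, on a real host, checked with rcorder(8), e.g. `rcorder /etc/rc.d/* /usr/local/etc/rc.d/* | grep -nE '/(pf_init|routing|named|pf|ntpdate)$'`. The script below is an added example, not part of Max's message and not FreeBSD's rcorder or rc.subr: it re-implements the PROVIDE/REQUIRE/BEFORE resolution that rcorder performs, in POSIX sh and awk, and runs it over a constructed, heavily simplified set of rc.d headers so that the constraints Max relies on (pf_init before routing; pf after named and before ntpdate) can be verified offline. The fixture's dependency lists are assumptions made for the demo, not the real scripts' headers.

```shell
#!/bin/sh
# Toy re-implementation of rcorder(8) keyword resolution (added example).

# rc_order DIR: print the start order of the scripts in DIR, one name per line.
#   "REQUIRE: x" is an edge provider(x) -> this script
#   "BEFORE: x"  is an edge this script -> provider(x)
# Ties are broken alphabetically so the output is deterministic.
rc_order() {
    awk '
        FNR == 1 { name = FILENAME; sub(/.*\//, "", name); nodes[name] = 1; nn++ }
        /^# PROVIDE:/ { for (i = 3; i <= NF; i++) prov[$i] = name }
        /^# REQUIRE:/ { for (i = 3; i <= NF; i++) req[name, $i] = 1 }
        /^# BEFORE:/  { for (i = 3; i <= NF; i++) bef[name, $i] = 1 }
        function add_edge(from, to) {
            # unknown providers are skipped (rcorder would warn about them)
            if (from != "" && to != "" && from != to && !((from, to) in edge)) {
                edge[from, to] = 1; indeg[to]++
            }
        }
        END {
            # keyword names can only be resolved once every file has been read
            for (k in req) { split(k, a, SUBSEP); add_edge(prov[a[2]], a[1]) }
            for (k in bef) { split(k, a, SUBSEP); add_edge(a[1], prov[a[2]]) }
            # Kahn: emit the alphabetically first script whose prerequisites are done
            emitted = 0
            while (emitted < nn) {
                best = ""
                for (n in nodes)
                    if (!(n in done) && indeg[n] == 0 && (best == "" || n < best)) best = n
                if (best == "") { print "dependency cycle" > "/dev/stderr"; exit 1 }
                print best; done[best] = 1; emitted++
                for (k in edge) { split(k, a, SUBSEP); if (a[1] == best) indeg[a[2]]-- }
            }
        }' "$1"/*
}

# rc_position DIR NAME: 1-based position of NAME in rc_order, empty if absent.
rc_position() {
    rc_order "$1" | awk -v n="$2" '$0 == n { print NR; exit }'
}

# rc_runs_before DIR A B: succeed if A starts before B.
rc_runs_before() {
    a=$(rc_position "$1" "$2"); b=$(rc_position "$1" "$3")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" -lt "$b" ]
}

# make_fixture DIR: constructed, simplified rc.d headers (name|REQUIRE|BEFORE),
# mirroring Max's pf_init headers and his patched /etc/rc.d/pf headers.
make_fixture() {
    for spec in \
        "FILESYSTEMS||" \
        "netif|FILESYSTEMS|" \
        "pflog|FILESYSTEMS netif|" \
        "pfsync|FILESYSTEMS netif|" \
        "routing|netif|" \
        "named|routing|" \
        "ntpdate|routing|" \
        "DAEMON|routing|" \
        "pf_init|FILESYSTEMS netif pflog pfsync|routing" \
        "pf|FILESYSTEMS netif pflog pfsync named|DAEMON ntpdate"
    do
        n=${spec%%|*}; rest=${spec#*|}; r=${rest%%|*}; b=${rest#*|}
        printf '#!/bin/sh\n# PROVIDE: %s\n# REQUIRE: %s\n# BEFORE: %s\n' \
            "$n" "$r" "$b" > "$1/$n"
    done
}

# Demo on the constructed fixture; needs neither rcorder nor pf.
demo=$(mktemp -d)
make_fixture "$demo"
echo "computed start order:"; rc_order "$demo"
rc_runs_before "$demo" pf_init routing && echo "ok: pf_init starts before routing"
rc_runs_before "$demo" named pf && echo "ok: pf starts after named"
rm -rf "$demo"
```

On the fixture the computed order is FILESYSTEMS, netif, pflog, pfsync, pf_init, routing, named, pf, DAEMON, ntpdate. The point worth noticing is that pf_init's place before routing comes entirely from its own `BEFORE: routing`; the patched pf script has no keyword that mentions pf_init, so removing or disabling pf_init changes nothing in the order of the remaining scripts.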
From: tom at uffner.com (Tom Uffner)
Date: Tue Sep 15 19:05:30 2009
Subject: Packet Filter alerting system.
In-Reply-To: <4AADC15B.5060501@subisu.net.np>
References: <4AADC15B.5060501@subisu.net.np>
Message-ID: <4AAFE24A.2040602@uffner.com>

Gaurav Ghimire wrote:
> Just curious to know if we have something, some alerting system or
> mechanism that provides the administrator with the daily reports that
> pf itself or some other tool collects on pf's behalf.
>
> That probably reports the admin of:
> ~ Total connection counts matched on each rulesets.
> ~ Total number of counts matched on deny rules.

/etc/periodic/security/520.pfdenied

it should be enabled by default if you haven't done anything unnatural to
the /etc/periodic system

> ~ IP/Port attack logs and relatives.

only if you specify "log" in one or more of your pf rules, in which
case you will find it in /var/log/pflog, /var/log/pflog.?.bz2, and
/var/log/pf.{today,yesterday}

tom


From: steinex at nognu.de (Frank Steinborn)
Date: Wed Sep 16 16:28:41 2009
Subject: NAT traffic not seen on an interface
Message-ID: <20090916155517.GA78914@haydn.nognu.de>

Hi,

I have configured seven jails on the lo1 interface, NAT is configured via
pf, and all works fine.

Now I configured an eighth jail where I need to measure the traffic going
through this special jail, so I configured its IP on a dedicated lo2
interface. However, after some testing (e.g. watching 'systat if' and
generating traffic on that jail) I don't see the traffic at all. There
actually is some traffic, but it's definitely not all.

What am I missing? Is that approach reasonable at all?

Thanks!

From: admin at anes.su (Anes Muhametov)
Date: Wed Sep 16 20:42:05 2009
Subject: Relayd l3 redirect send/expect check
Message-ID: <4AB148CA.9050901@anes.su>

It seems like the problem is still not resolved. The situation is the
same on FreeBSD 7.2.

Is freebsd-pf the right list for this problem?

From: tim at hoganzoo.com (Tim Hogan)
Date: Thu Sep 17 19:30:34 2009
Subject: Packet Filter alerting system.
In-Reply-To: <4AAFE24A.2040602@uffner.com>
References: <4AADC15B.5060501@subisu.net.np> <4AAFE24A.2040602@uffner.com>
Message-ID: <4AB28A7A.2060206@hoganzoo.com>

Tom Uffner wrote:
> Gaurav Ghimire wrote:
>> Just curious to know if we have something, some alerting system or
>> mechanism that provides the administrator with the daily reports that
>> pf itself or some other
>> tool collects on pf's behalf.
>>
>> That probably reports the admin of:
>> ~ Total connection counts matched on each rulesets.
>> ~ Total number of counts matched on deny rules.
>
> /etc/periodic/security/520.pfdenied
>
> it should be enabled by default if you haven't done anything unnatural to
> the /etc/periodic system
>
>> ~ IP/Port attack logs and relatives.
>
> only if you specify "log" in one or more of your pf rules, in which
> case you will find it in /var/log/pflog, /var/log/pflog.?.bz2, and
> /var/log/pf.{today,yesterday}
>
> tom
>

Not sure if this will help, but I have added the following line to
/etc/periodic/security/520.pfdenied:

    pfctl -sr -v | grep -v "Inserted:" | awk '/^[apb]/ { printf "\n%s\n", $0 } $0 !~ /^[apb]/' | mailx -s "Daily PF Hit Report" root

This will produce something like the following for each rule that you have:

    pass in quick on vr0 inet proto udp from 10.0.0.1 to 10.0.0.2 port = syslog keep state
      [ Evaluations: 560355    Packets: 46        Bytes: 4058        States: 0     ]

The downside is that the numbers will increment from the last time PF was
restarted, not from the previous day.

Regards,
Tim

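An added example, not part of Tim's message and not one of FreeBSD's periodic(8) scripts, that addresses the downside he notes: `pfctl -sr -v` counters only grow since the last pf start or reload, so a daily job has to keep yesterday's per-rule snapshot and report the difference. The POSIX sh below parses output in the format Tim shows (an unindented rule line followed by an indented `[ Evaluations: ... ]` line), stores "rule, packets, bytes" per rule, and prints the daily delta; a counter that went backwards is taken to mean pf was reloaded in between and is reported as a raw value with a flag. The sample `pfctl -sr -v` output embedded in the script is constructed, and the /var/db/pf-report directory is an assumed location.

```shell
#!/bin/sh
# Daily per-rule pf counter deltas (added example, not from the original post).

# Constructed samples of `pfctl -sr -v` output, not captured from any real host.
SAMPLE_YESTERDAY='block drop log all
  [ Evaluations: 1000      Packets: 250       Bytes: 20000       States: 0     ]
  [ Inserted: uid 0 pid 101 ]
pass in quick on vr0 inet proto udp from 10.0.0.1 to 10.0.0.2 port = syslog keep state
  [ Evaluations: 500000    Packets: 40        Bytes: 3000        States: 0     ]
  [ Inserted: uid 0 pid 101 ]
pass out all
  [ Evaluations: 999       Packets: 999       Bytes: 99999       States: 3     ]
  [ Inserted: uid 0 pid 101 ]'

SAMPLE_TODAY='block drop log all
  [ Evaluations: 1200      Packets: 300       Bytes: 24000       States: 0     ]
  [ Inserted: uid 0 pid 101 ]
pass in quick on vr0 inet proto udp from 10.0.0.1 to 10.0.0.2 port = syslog keep state
  [ Evaluations: 560355    Packets: 46        Bytes: 4058        States: 0     ]
  [ Inserted: uid 0 pid 101 ]
pass out all
  [ Evaluations: 12        Packets: 10        Bytes: 1000        States: 1     ]
  [ Inserted: uid 0 pid 2045 ]'

# pf_counters: stdin is `pfctl -sr -v` output; stdout is "rule<TAB>packets<TAB>bytes".
# Rule lines are unindented and lowercase (pass/block/match/anchor/...); the
# counter line that follows each rule is indented, so it never matches /^[a-z]/.
pf_counters() {
    awk '
        /^[a-z]/ { rule = $0; next }
        /Evaluations:/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "Packets:") p = $(i + 1)
                if ($i == "Bytes:")   b = $(i + 1)
            }
            printf "%s\t%s\t%s\n", rule, p, b
        }'
}

# pf_deltas PREV CUR: per-rule difference between two pf_counters snapshots.
# A rule absent from PREV is new; a counter lower than yesterday's means pf was
# reloaded in between, so today's raw value is reported and flagged instead.
pf_deltas() {
    awk -F'\t' '
        FILENAME == ARGV[1] { prevp[$1] = $2; prevb[$1] = $3; next }
        {
            if (!($1 in prevp)) { dp = $2; db = $3; note = " (new rule)" }
            else {
                dp = $2 - prevp[$1]; db = $3 - prevb[$1]; note = ""
                if (dp < 0 || db < 0) { dp = $2; db = $3; note = " (counters reset)" }
            }
            printf "%s\t%d\t%d%s\n", $1, dp, db, note
        }' "$1" "$2"
}

# pf_daily_report [DIR]: what a periodic(8) script would run once a day.
# DIR (default /var/db/pf-report, an assumed path) keeps the previous snapshot.
pf_daily_report() {
    dir=${1:-/var/db/pf-report}
    mkdir -p "$dir"
    pfctl -sr -v | pf_counters > "$dir/today"
    if [ -f "$dir/yesterday" ]; then
        pf_deltas "$dir/yesterday" "$dir/today"
    else
        echo "no previous snapshot; per-rule deltas start with tomorrow's run"
    fi
    mv "$dir/today" "$dir/yesterday"
}

# Demo on the constructed samples; needs no pfctl.
demo=$(mktemp -d)
printf '%s\n' "$SAMPLE_YESTERDAY" | pf_counters > "$demo/yesterday"
printf '%s\n' "$SAMPLE_TODAY"     | pf_counters > "$demo/today"
pf_deltas "$demo/yesterday" "$demo/today"
rm -rf "$demo"
```

To use it from 520.pfdenied or a separate periodic script, call `pf_daily_report` and pipe its output to mailx as Tim does; the delta for the `block` rules is the number that actually answers Gaurav's "counts matched on deny rules" for the day, rather than since the last reboot.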
From: k at kevinkevin.com (Kevin)
Date: Fri Sep 18 05:10:44 2009
Subject: Packet Filter alerting system.
In-Reply-To: <4AAFE24A.2040602@uffner.com>
References: <4AADC15B.5060501@subisu.net.np> <4AAFE24A.2040602@uffner.com>
Message-ID: <020001ca381e$4b8bade0$e2a309a0$@com>

> Gaurav Ghimire wrote:
> > Just curious to know if we have something, some alerting system or
> > mechanism that provides the administrator with the daily reports that
> > pf itself or some other
> > tool collects on pf's behalf.
> >
> > That probably reports the admin of:
> > ~ Total connection counts matched on each rulesets.
> > ~ Total number of counts matched on deny rules.
>
> /etc/periodic/security/520.pfdenied
>
> it should be enabled by default if you haven't done anything unnatural
> to
> the /etc/periodic system
>
> > ~ IP/Port attack logs and relatives.
>
> only if you specify "log" in one or more of your pf rules, in which
> case you will find it in /var/log/pflog, /var/log/pflog.?.bz2, and
> /var/log/pf.{today,yesterday}
>
> tom

I wrote a script that compiles a daily report on any pf table based
threshold breaches -- something that could be modified to produce many
different types of daily pf based reports:

http://blog.stardothosting.com/2009/08/12/freebsd-pf-packet-filter-shell-script-to-report-on-hacking-attempts/

Something to look at anyways.

From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Sep 21 11:09:03 2009
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200909211107.n8LB70gf030368@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

36 problems total.

From: lowbotskie at gmail.com (shoks)
Date: Thu Sep 24 09:28:55 2009
Subject: removing states within an anchor
Message-ID: <725c97180909240214j7501a680jd43950e4fc1ddb41@mail.gmail.com>

Hi All,

I'm not sure if this is a bug or a limitation. Is it possible to remove
the states created inside an anchor? Or show all the states created by
rules inside an anchor?

I have an anchor "ssh_a" which has created two states:

    # pfctl -a ssh_a -sr -v
    pass in log quick on vr0 inet proto tcp from any to 10.10.0.161 port = ssh flags S/SA keep state
      [ Evaluations: 4681      Packets: 6956      Bytes: 983364      States: 2     ]
      [ Inserted: uid 0 pid 2045 ]
    #

I wanted to display the states created by rules within "ssh_a", but the
command below shows all the states.

    # pfctl -a ssh_a -ss -v
    all tcp 10.10.0.161:22 <- 10.3.1.42:58120       ESTABLISHED:ESTABLISHED
       [4069877326 + 66560] wscale 3  [1308386281 + 66608] wscale 3
       age 00:22:10, expires in 24:00:00, 1148:842 pkts, 91792:138616 bytes, anchor 5, rule 0
    all tcp 10.10.0.161:22 <- 10.3.1.42:62296       ESTABLISHED:ESTABLISHED
       [555879689 + 66560] wscale 3  [1395082873 + 66608] wscale 3
       age 00:05:05, expires in 23:59:11, 20:19 pkts, 3376:4620 bytes, anchor 5, rule 0
    all tcp 10.10.0.161:80 <- 10.3.1.42:62952       FIN_WAIT_2:FIN_WAIT_2
       [3637383497 + 66608] wscale 3  [3544701268 + 66607] wscale 3
       age 00:00:17, expires in 00:01:23, 6:4 pkts, 802:440 bytes, anchor 4, rule 0
    all ipv6-icmp ff02::1[16584] <- fe80::21b:21ff:fe1d:35bc       NO_TRAFFIC:NO_TRAFFIC
       age 00:00:08, expires in 00:00:12, 1:0 pkts, 96:0 bytes, anchor 3, rule 14
    all icmp 10.10.0.161:21514 <- 10.3.1.42       0:0
       age 00:00:02, expires in 00:00:08, 1:1 pkts, 84:84 bytes, anchor 3, rule 2
    #

Removing the states within "ssh_a" with the command "pfctl -a ssh_a -Fs"
would remove all the states.

Thanks,
sho

From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Sep 28 11:08:57 2009
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200909281107.n8SB703C064108@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

36 problems total.