From bugzilla-noreply at freebsd.org Mon Sep 1 13:00:57 2014
From: bugzilla-noreply at freebsd.org (bugzilla-noreply at freebsd.org)
Date: Mon, 01 Sep 2014 13:00:57 +0000
Subject: [Bug 177808] [pf] [patch] route-to rule forwarding traffic inspite
of state limit
In-Reply-To:
References:
Message-ID:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=177808
--- Comment #3 from commit-hook at freebsd.org ---
A commit references this bug:
Author: glebius
Date: Mon Sep 1 13:00:46 UTC 2014
New revision: 270928
URL: http://svnweb.freebsd.org/changeset/base/270928
Log:
Explicitly free packet on PF_DROP, otherwise a "quick" rule with
"route-to" may still forward it.
PR: 177808
Submitted by: Kajetan Staszkiewicz
Sponsored by: InnoGames GmbH
Changes:
head/sys/netpfil/pf/pf.c
--
You are receiving this mail because:
You are the assignee for the bug.
From bugzilla-noreply at freebsd.org Mon Sep 1 13:01:24 2014
From: bugzilla-noreply at freebsd.org (bugzilla-noreply at freebsd.org)
Date: Mon, 01 Sep 2014 13:01:24 +0000
Subject: [Bug 177808] [pf] [patch] route-to rule forwarding traffic inspite
of state limit
In-Reply-To:
References:
Message-ID:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=177808
Gleb Smirnoff changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|In Discussion |Needs MFC
CC| |glebius at FreeBSD.org
Assignee|freebsd-pf at FreeBSD.org |glebius at FreeBSD.org
--
You are receiving this mail because:
You are the assignee for the bug.
From vincejaca at gmail.com Sat Sep 6 21:27:45 2014
From: vincejaca at gmail.com (Vince)
Date: Sat, 06 Sep 2014 23:27:33 +0200
Subject: Information about costs
Message-ID:
hiy I would like to know if the monthly installment will increase? And if so why and how please send me a complete broucher of price increase of all the car advertised if the are any.!
From bugzilla-noreply at freebsd.org Mon Sep 8 15:40:41 2014
From: bugzilla-noreply at freebsd.org (bugzilla-noreply at freebsd.org)
Date: Mon, 08 Sep 2014 15:40:41 +0000
Subject: [Bug 163208] [pf] PF state key linking mismatch
In-Reply-To:
References:
Message-ID:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=163208
Dan Langille changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dvl at FreeBSD.org
Severity|Affects Only Me |Affects Some People
--- Comment #17 from Dan Langille ---
This situation persists in FreeBSD 9.3-RELEASE
--
You are receiving this mail because:
You are the assignee for the bug.
From andrei693 at gmail.com Sat Sep 13 19:52:42 2014
From: andrei693 at gmail.com (Andrei Brezan)
Date: Sat, 13 Sep 2014 21:52:38 +0200
Subject: pf firewall blocking packets with a pass rule in place
Message-ID: <5414A086.5020608@gmail.com>
Hi,
I have some odd behaviour on one network which has a pf gateway
firewall. This is from a tcpdump on pflog on the firewall, 1.2.3.4 is my
remote address, 5.6.7.8 is the pf firewall, 10.0.0.252 is an OpenVPN
server (tap) behind the firewall, 10.0.0.250 is my mail server:
20:45:26.682551 rule 32..16777216/0(match): pass out on vlan333:
1.2.3.4.61384 > 10.0.0.252.1194: UDP, length 14
20:46:36.230485 rule 35..16777216/0(match): pass out on vlan333:
1.2.3.4.57412 > 10.0.0.250.80: Flags [S], seq 1335812154, win 65535,
options [mss 1440,nop,wscale 6,sackOK,TS val 687134035 ecr 0], length 0
20:46:36.244606 rule 35..16777216/0(match): pass out on vlan333:
1.2.3.4.53156 > 10.0.0.250.443: Flags [S], seq 3626719163, win 65535,
options [mss 1440,nop,wscale 6,sackOK,TS val 3971340937 ecr 0], length 0
20:52:28.494174 rule 35..16777216/0(match): pass out on vlan333:
1.2.3.4.51684 > 10.0.0.250.993: Flags [S], seq 3306743615, win 65535,
options [mss 1440,nop,wscale 6,sackOK,TS val 2707206732 ecr 0], length 0
20:52:30.650788 rule 35..16777216/0(match): pass out on vlan333:
1.2.3.4.59297 > 10.0.0.250.993: Flags [S], seq 4090099168, win 65535,
options [mss 1440,nop,wscale 6,sackOK,TS val 2986073365 ecr 0], length 0
20:57:27.585665 rule 35..16777216/0(match): pass out on vlan333:
1.2.3.4.50367 > 10.0.0.250.80: Flags [S], seq 920232625, win 65535,
options [mss 1440,nop,wscale 6,sackOK,TS val 809211507 ecr 0], length 0
20:57:27.599151 rule 35..16777216/0(match): pass out on vlan333:
1.2.3.4.54013 > 10.0.0.250.443: Flags [S], seq 281501721, win 65535,
options [mss 1440,nop,wscale 6,sackOK,TS val 1810969707 ecr 0], length 0
21:01:13.826452 rule 35..16777216/0(match): pass out on vlan333:
1.2.3.4.64792 > 10.0.0.250.25: Flags [S], seq 1871587187, win 65535,
options [mss 1440,nop,wscale 6,sackOK,TS val 1261752165 ecr 0], length 0
21:03:16.371844 rule 0..16777216/0(match): block out on vlan333:
1.2.3.4.54922 > 10.0.0.250.993: Flags [P.], seq 3402837478:3402837515,
ack 2361346111, win 1026, options [nop,nop,TS val 5284083 ecr 52159031],
length 37
21:03:16.372008 rule 0..16777216/0(match): block out on vlan333:
1.2.3.4.54922 > 10.0.0.250.993: Flags [F.], seq 37, ack 1, win 1026,
options [nop,nop,TS val 5284083 ecr 52159031], length 0
21:03:16.373308 rule 35..16777216/0(match): pass out on vlan333:
1.2.3.4.54156 > 10.0.0.250.993: Flags [S], seq 3275327108, win 65535,
options [mss 1440,nop,wscale 6,sackOK,TS val 2062181022 ecr 0], length 0
21:03:16.615875 rule 0..16777216/0(match): block out on vlan333:
1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026,
options [nop,nop,TS val 5284327 ecr 52159031], length 37
21:03:16.891824 rule 0..16777216/0(match): block out on vlan333:
1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026,
options [nop,nop,TS val 5284603 ecr 52159031], length 37
21:03:17.231604 rule 0..16777216/0(match): block out on vlan333:
1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026,
options [nop,nop,TS val 5284943 ecr 52159031], length 37
21:03:17.685793 rule 0..16777216/0(match): block out on vlan333:
1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026,
options [nop,nop,TS val 5285397 ecr 52159031], length 37
21:03:18.408137 rule 0..16777216/0(match): block out on vlan333:
1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026,
options [nop,nop,TS val 5286119 ecr 52159031], length 37
21:03:19.583723 rule 0..16777216/0(match): block out on vlan333:
1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026,
options [nop,nop,TS val 5287295 ecr 52159031], length 37
21:03:21.713816 rule 0..16777216/0(match): block out on vlan333:
1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026,
options [nop,nop,TS val 5289425 ecr 52159031], length 37
21:03:25.766916 rule 0..16777216/0(match): block out on vlan333:
1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026,
options [nop,nop,TS val 5293478 ecr 52159031], length 37
21:03:33.679722 rule 0..16777216/0(match): block out on vlan333:
1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026,
options [nop,nop,TS val 5301391 ecr 52159031], length 37
21:03:49.240190 rule 0..16777216/0(match): block out on vlan333:
1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026,
options [nop,nop,TS val 5316951 ecr 52159031], length 37
21:04:04.821702 rule 0..16777216/0(match): block out on vlan333:
1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026,
options [nop,nop,TS val 5332533 ecr 52159031], length 37
21:04:20.382912 rule 0..16777216/0(match): block out on vlan333:
1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026,
options [nop,nop,TS val 5348094 ecr 52159031], length 37
21:04:35.947297 rule 0..16777216/0(match): block out on vlan333:
1.2.3.4.54922 > 10.0.0.250.993: Flags [R.], seq 38, ack 1, win 1026,
options [nop,nop,TS val 5363658 ecr 52159031], length 0
21:38:41.708989 rule 32..16777216/0(match): pass out on igb0:
5.6.7.8.54206 > 1.2.3.4.61384: UDP, length 101
21:40:11.470576 rule 35..16777216/0(match): pass out on vlan333:
1.2.3.4.58407 > 10.0.0.250.993: Flags [S], seq 3179386733, win 65535,
options [mss 1440,nop,wscale 6,sackOK,TS val 3544878749 ecr 0], length 0
21:41:10.356274 rule 0..16777216/0(match): block out on igb0:
5.6.7.8.63184 > 1.2.3.4.58407: Flags [R.], seq 542623300, ack
3179387863, win 0, length 0
21:42:42.139787 rule 35..16777216/0(match): pass out on vlan333:
1.2.3.4.58246 > 10.0.0.250.993: Flags [S], seq 2033854095, win 65535,
options [mss 1440,nop,wscale 6,sackOK,TS val 2222918259 ecr 0], length 0
21:42:58.173371 rule 0..16777216/0(match): block out on igb0:
5.6.7.8.55938 > 1.2.3.4.58246: Flags [P.], seq 1671786524:1671786577,
ack 2033855225, win 252, options [nop,nop,TS val 52409345 ecr 7663492],
length 53
21:43:01.035543 rule 0..16777216/0(match): block out on igb0:
5.6.7.8.62485 > 1.2.3.4.51684: Flags [R.], seq 1560010735, ack
3306749941, win 0, length 0
21:43:43.457948 rule 32..16777216/0(match): pass out on vlan333:
1.2.3.4.61028 > 192.168.0.252.1194: UDP, length 14
21:43:51.279156 rule 32..16777216/0(match): pass out on igb0:
5.6.7.8.64507 > 1.2.3.4.61028: UDP, length 101
21:44:42.074698 rule 35..16777216/0(match): pass out on vlan333:
1.2.3.4.57041 > 10.0.0.250.993: Flags [S], seq 3652350806, win 65535,
options [mss 1440,nop,wscale 6,sackOK,TS val 2369373378 ecr 0], length 0
21:45:11.441957 rule 0..16777216/0(match): block in on vlan333:
10.0.0.250.993 > 1.2.3.4.54156: Flags [.], seq 2259431444:2259431445,
ack 3275340784, win 255, length 1
I really don't understand why are these packages blocked. I'm
experiencing intermittent and random connection loss, what's really odd,
happens mostly during the evening or night, plus I don't see the pass in
pflog for the established state, after this round of blocked packets I
am still able to connect to the IMAPs server:
% sudo pfctl -vvs state | grep -A 3 -E "1.2.3.4.*993"
No ALTQ support in kernel
ALTQ related functions disabled
all tcp 1.2.3.4:59297 -> 10.0.0.250:993 ESTABLISHED:ESTABLISHED
[4090185320 + 65054] wscale 6 [521715590 + 65664] wscale 8
age 00:43:22, expires in 23:58:49, 1341:1208 pkts, 155891:390868
bytes, rule 35
id: 0300000053fe8341 creatorid: d8aa2c51
--
all tcp 1.2.3.4:54106 -> 10.0.0.250:993 ESTABLISHED:ESTABLISHED
[2304345867 + 65536] wscale 6 [3058330740 + 65664] wscale 8
age 01:39:27, expires in 23:58:45, 197:161 pkts, 22303:35201 bytes,
rule 35
id: 0000000053fe91c7 creatorid: d8aa2c51
--
all tcp 1.2.3.4:51684 -> 10.0.0.250:993 ESTABLISHED:ESTABLISHED
[3306749755 + 64806] wscale 6 [1560010681 + 65664] wscale 8
age 00:43:24, expires in 23:37:21, 163:285 pkts, 14623:190269 bytes,
rule 35
id: 0000000053fe9440 creatorid: d8aa2c51
--
all tcp 1.2.3.4:54156 -> 10.0.0.250:993 ESTABLISHED:ESTABLISHED
[3275340128 + 64626] wscale 6 [2259430819 + 65664] wscale 8
age 00:32:36, expires in 24:00:00, 374:490 pkts, 32475:273389 bytes,
rule 35
id: 0000000053fe944f creatorid: d8aa2c51
% sudo pfctl -vvs state | grep -A 3 -E "993.*1.2.3.4"
No ALTQ support in kernel
ALTQ related functions disabled
all tcp 10.0.0.250:993 (5.6.7.8:993) <- 1.2.3.4:59297
ESTABLISHED:ESTABLISHED
[521721120 + 65664] wscale 8 [4090191500 + 64828] wscale 6
age 00:44:12, expires in 23:59:55, 1429:1274 pkts, 166647:399830 bytes
id: 0300000053fe8340 creatorid: d8aa2c51
--
all tcp 10.0.0.250:993 (5.6.7.8:993) <- 1.2.3.4:54106
ESTABLISHED:ESTABLISHED
[3058330915 + 1026] [2304346089 + 255]
age 00:51:21, expires in 23:59:51, 71:53 pkts, 7588:5901 bytes
id: 0000000053fe9427 creatorid: d8aa2c51
all tcp 10.0.0.250:993 (5.6.7.8:993) <- 1.2.3.4:51684
ESTABLISHED:ESTABLISHED
[1560010681 + 65664] wscale 8 [3306749755 + 64806] wscale 6
age 00:44:14, expires in 23:36:31, 163:285 pkts, 14623:190269 bytes
id: 0000000053fe943f creatorid: d8aa2c51
--
all tcp 10.0.0.250:993 (5.6.7.8:993) <- 1.2.3.4:54156
ESTABLISHED:ESTABLISHED
[2259430819 + 65664] wscale 8 [3275340128 + 64626] wscale 6
age 00:33:26, expires in 23:59:10, 374:490 pkts, 32475:273389 bytes
id: 0000000053fe944e creatorid: d8aa2c51
Anyone has any idea what might be amiss here? What can I look into? I
hope someone with more pf and TCP knowledge than me can shed some light.
Thank you,
--
Andrei
From andrei693 at gmail.com Sat Sep 13 20:02:43 2014
From: andrei693 at gmail.com (Andrei Brezan)
Date: Sat, 13 Sep 2014 22:02:38 +0200
Subject: pf firewall blocking packets with a pass rule in place
In-Reply-To: <5414A086.5020608@gmail.com>
References: <5414A086.5020608@gmail.com>
Message-ID: <5414A2DE.9020307@gmail.com>
On 09/13/14 21:52, Andrei Brezan wrote:
> Hi,
>
Forgot to mention, this is on 10.0-RELEASE-p7.
> I have some odd behaviour on one network which has a pf gateway
> firewall. This is from a tcpdump on pflog on the firewall, 1.2.3.4 is
> my remote address, 5.6.7.8 is the pf firewall, 10.0.0.252 is an
> OpenVPN server (tap) behind the firewall, 10.0.0.250 is my mail server:
>
> 20:45:26.682551 rule 32..16777216/0(match): pass out on vlan333:
> 1.2.3.4.61384 > 10.0.0.252.1194: UDP, length 14
> 20:46:36.230485 rule 35..16777216/0(match): pass out on vlan333:
> 1.2.3.4.57412 > 10.0.0.250.80: Flags [S], seq 1335812154, win 65535,
> options [mss 1440,nop,wscale 6,sackOK,TS val 687134035 ecr 0], length 0
> 20:46:36.244606 rule 35..16777216/0(match): pass out on vlan333:
> 1.2.3.4.53156 > 10.0.0.250.443: Flags [S], seq 3626719163, win 65535,
> options [mss 1440,nop,wscale 6,sackOK,TS val 3971340937 ecr 0], length 0
> 20:52:28.494174 rule 35..16777216/0(match): pass out on vlan333:
> 1.2.3.4.51684 > 10.0.0.250.993: Flags [S], seq 3306743615, win 65535,
> options [mss 1440,nop,wscale 6,sackOK,TS val 2707206732 ecr 0], length 0
> 20:52:30.650788 rule 35..16777216/0(match): pass out on vlan333:
> 1.2.3.4.59297 > 10.0.0.250.993: Flags [S], seq 4090099168, win 65535,
> options [mss 1440,nop,wscale 6,sackOK,TS val 2986073365 ecr 0], length 0
> 20:57:27.585665 rule 35..16777216/0(match): pass out on vlan333:
> 1.2.3.4.50367 > 10.0.0.250.80: Flags [S], seq 920232625, win 65535,
> options [mss 1440,nop,wscale 6,sackOK,TS val 809211507 ecr 0], length 0
> 20:57:27.599151 rule 35..16777216/0(match): pass out on vlan333:
> 1.2.3.4.54013 > 10.0.0.250.443: Flags [S], seq 281501721, win 65535,
> options [mss 1440,nop,wscale 6,sackOK,TS val 1810969707 ecr 0], length 0
> 21:01:13.826452 rule 35..16777216/0(match): pass out on vlan333:
> 1.2.3.4.64792 > 10.0.0.250.25: Flags [S], seq 1871587187, win 65535,
> options [mss 1440,nop,wscale 6,sackOK,TS val 1261752165 ecr 0], length 0
> 21:03:16.371844 rule 0..16777216/0(match): block out on vlan333:
> 1.2.3.4.54922 > 10.0.0.250.993: Flags [P.], seq 3402837478:3402837515,
> ack 2361346111, win 1026, options [nop,nop,TS val 5284083 ecr
> 52159031], length 37
> 21:03:16.372008 rule 0..16777216/0(match): block out on vlan333:
> 1.2.3.4.54922 > 10.0.0.250.993: Flags [F.], seq 37, ack 1, win 1026,
> options [nop,nop,TS val 5284083 ecr 52159031], length 0
> 21:03:16.373308 rule 35..16777216/0(match): pass out on vlan333:
> 1.2.3.4.54156 > 10.0.0.250.993: Flags [S], seq 3275327108, win 65535,
> options [mss 1440,nop,wscale 6,sackOK,TS val 2062181022 ecr 0], length 0
> 21:03:16.615875 rule 0..16777216/0(match): block out on vlan333:
> 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win
> 1026, options [nop,nop,TS val 5284327 ecr 52159031], length 37
> 21:03:16.891824 rule 0..16777216/0(match): block out on vlan333:
> 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win
> 1026, options [nop,nop,TS val 5284603 ecr 52159031], length 37
> 21:03:17.231604 rule 0..16777216/0(match): block out on vlan333:
> 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win
> 1026, options [nop,nop,TS val 5284943 ecr 52159031], length 37
> 21:03:17.685793 rule 0..16777216/0(match): block out on vlan333:
> 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win
> 1026, options [nop,nop,TS val 5285397 ecr 52159031], length 37
> 21:03:18.408137 rule 0..16777216/0(match): block out on vlan333:
> 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win
> 1026, options [nop,nop,TS val 5286119 ecr 52159031], length 37
> 21:03:19.583723 rule 0..16777216/0(match): block out on vlan333:
> 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win
> 1026, options [nop,nop,TS val 5287295 ecr 52159031], length 37
> 21:03:21.713816 rule 0..16777216/0(match): block out on vlan333:
> 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win
> 1026, options [nop,nop,TS val 5289425 ecr 52159031], length 37
> 21:03:25.766916 rule 0..16777216/0(match): block out on vlan333:
> 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win
> 1026, options [nop,nop,TS val 5293478 ecr 52159031], length 37
> 21:03:33.679722 rule 0..16777216/0(match): block out on vlan333:
> 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win
> 1026, options [nop,nop,TS val 5301391 ecr 52159031], length 37
> 21:03:49.240190 rule 0..16777216/0(match): block out on vlan333:
> 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win
> 1026, options [nop,nop,TS val 5316951 ecr 52159031], length 37
> 21:04:04.821702 rule 0..16777216/0(match): block out on vlan333:
> 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win
> 1026, options [nop,nop,TS val 5332533 ecr 52159031], length 37
> 21:04:20.382912 rule 0..16777216/0(match): block out on vlan333:
> 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win
> 1026, options [nop,nop,TS val 5348094 ecr 52159031], length 37
> 21:04:35.947297 rule 0..16777216/0(match): block out on vlan333:
> 1.2.3.4.54922 > 10.0.0.250.993: Flags [R.], seq 38, ack 1, win 1026,
> options [nop,nop,TS val 5363658 ecr 52159031], length 0
> 21:38:41.708989 rule 32..16777216/0(match): pass out on igb0:
> 5.6.7.8.54206 > 1.2.3.4.61384: UDP, length 101
> 21:40:11.470576 rule 35..16777216/0(match): pass out on vlan333:
> 1.2.3.4.58407 > 10.0.0.250.993: Flags [S], seq 3179386733, win 65535,
> options [mss 1440,nop,wscale 6,sackOK,TS val 3544878749 ecr 0], length 0
> 21:41:10.356274 rule 0..16777216/0(match): block out on igb0:
> 5.6.7.8.63184 > 1.2.3.4.58407: Flags [R.], seq 542623300, ack
> 3179387863, win 0, length 0
> 21:42:42.139787 rule 35..16777216/0(match): pass out on vlan333:
> 1.2.3.4.58246 > 10.0.0.250.993: Flags [S], seq 2033854095, win 65535,
> options [mss 1440,nop,wscale 6,sackOK,TS val 2222918259 ecr 0], length 0
> 21:42:58.173371 rule 0..16777216/0(match): block out on igb0:
> 5.6.7.8.55938 > 1.2.3.4.58246: Flags [P.], seq 1671786524:1671786577,
> ack 2033855225, win 252, options [nop,nop,TS val 52409345 ecr
> 7663492], length 53
> 21:43:01.035543 rule 0..16777216/0(match): block out on igb0:
> 5.6.7.8.62485 > 1.2.3.4.51684: Flags [R.], seq 1560010735, ack
> 3306749941, win 0, length 0
> 21:43:43.457948 rule 32..16777216/0(match): pass out on vlan333:
> 1.2.3.4.61028 > 192.168.0.252.1194: UDP, length 14
> 21:43:51.279156 rule 32..16777216/0(match): pass out on igb0:
> 5.6.7.8.64507 > 1.2.3.4.61028: UDP, length 101
> 21:44:42.074698 rule 35..16777216/0(match): pass out on vlan333:
> 1.2.3.4.57041 > 10.0.0.250.993: Flags [S], seq 3652350806, win 65535,
> options [mss 1440,nop,wscale 6,sackOK,TS val 2369373378 ecr 0], length 0
> 21:45:11.441957 rule 0..16777216/0(match): block in on vlan333:
> 10.0.0.250.993 > 1.2.3.4.54156: Flags [.], seq 2259431444:2259431445,
> ack 3275340784, win 255, length 1
>
> I really don't understand why are these packages blocked. I'm
> experiencing intermittent and random connection loss, what's really
> odd, happens mostly during the evening or night, plus I don't see the
> pass in pflog for the established state, after this round of blocked
> packets I am still able to connect to the IMAPs server:
>
> % sudo pfctl -vvs state | grep -A 3 -E "1.2.3.4.*993"
> No ALTQ support in kernel
> ALTQ related functions disabled
> all tcp 1.2.3.4:59297 -> 10.0.0.250:993 ESTABLISHED:ESTABLISHED
> [4090185320 + 65054] wscale 6 [521715590 + 65664] wscale 8
> age 00:43:22, expires in 23:58:49, 1341:1208 pkts, 155891:390868
> bytes, rule 35
> id: 0300000053fe8341 creatorid: d8aa2c51
> --
> all tcp 1.2.3.4:54106 -> 10.0.0.250:993 ESTABLISHED:ESTABLISHED
> [2304345867 + 65536] wscale 6 [3058330740 + 65664] wscale 8
> age 01:39:27, expires in 23:58:45, 197:161 pkts, 22303:35201 bytes,
> rule 35
> id: 0000000053fe91c7 creatorid: d8aa2c51
> --
> all tcp 1.2.3.4:51684 -> 10.0.0.250:993 ESTABLISHED:ESTABLISHED
> [3306749755 + 64806] wscale 6 [1560010681 + 65664] wscale 8
> age 00:43:24, expires in 23:37:21, 163:285 pkts, 14623:190269
> bytes, rule 35
> id: 0000000053fe9440 creatorid: d8aa2c51
> --
> all tcp 1.2.3.4:54156 -> 10.0.0.250:993 ESTABLISHED:ESTABLISHED
> [3275340128 + 64626] wscale 6 [2259430819 + 65664] wscale 8
> age 00:32:36, expires in 24:00:00, 374:490 pkts, 32475:273389
> bytes, rule 35
> id: 0000000053fe944f creatorid: d8aa2c51
>
> % sudo pfctl -vvs state | grep -A 3 -E "993.*1.2.3.4"
> No ALTQ support in kernel
> ALTQ related functions disabled
> all tcp 10.0.0.250:993 (5.6.7.8:993) <- 1.2.3.4:59297
> ESTABLISHED:ESTABLISHED
> [521721120 + 65664] wscale 8 [4090191500 + 64828] wscale 6
> age 00:44:12, expires in 23:59:55, 1429:1274 pkts, 166647:399830 bytes
> id: 0300000053fe8340 creatorid: d8aa2c51
> --
> all tcp 10.0.0.250:993 (5.6.7.8:993) <- 1.2.3.4:54106
> ESTABLISHED:ESTABLISHED
> [3058330915 + 1026] [2304346089 + 255]
> age 00:51:21, expires in 23:59:51, 71:53 pkts, 7588:5901 bytes
> id: 0000000053fe9427 creatorid: d8aa2c51
> all tcp 10.0.0.250:993 (5.6.7.8:993) <- 1.2.3.4:51684
> ESTABLISHED:ESTABLISHED
> [1560010681 + 65664] wscale 8 [3306749755 + 64806] wscale 6
> age 00:44:14, expires in 23:36:31, 163:285 pkts, 14623:190269 bytes
> id: 0000000053fe943f creatorid: d8aa2c51
> --
> all tcp 10.0.0.250:993 (5.6.7.8:993) <- 1.2.3.4:54156
> ESTABLISHED:ESTABLISHED
> [2259430819 + 65664] wscale 8 [3275340128 + 64626] wscale 6
> age 00:33:26, expires in 23:59:10, 374:490 pkts, 32475:273389 bytes
> id: 0000000053fe944e creatorid: d8aa2c51
>
> Anyone has any idea what might be amiss here? What can I look into? I
> hope someone with more pf and TCP knowledge than me can shed some light.
>
> Thank you,
> --
> Andrei
--
Andrei
From bugzilla-noreply at freebsd.org Thu Sep 18 11:29:57 2014
From: bugzilla-noreply at freebsd.org (bugzilla-noreply at freebsd.org)
Date: Thu, 18 Sep 2014 11:29:57 +0000
Subject: [Bug 168190] [pf] panic when using pf and route-to (maybe: bad
fragment handling?)
In-Reply-To:
References:
Message-ID:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=168190
Tomasz changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |wwt at op.pl
--- Comment #24 from Tomasz ---
Hello
I have the same or similar problem with Dell R210 II kern/193452
I add patch
http://www.benzedrine.cx/fbsd-byteorder.diff
https://bugs.freebsd.org/bugzilla/attachment.cgi?id=124691&action=diff
Index: sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
===================================================================
RCS file: /home/ncvs/src/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c,v
retrieving revision 1.20.4.1
diff -u -r1.20.4.1 ip_fil_freebsd.c
--- sys/contrib/ipfilter/netinet/ip_fil_freebsd.c 23 Sep 2011 00:51:37
-0000 1.20.4.1
+++ sys/contrib/ipfilter/netinet/ip_fil_freebsd.c 4 Jun 2012 10:19:04
-0000
@@ -182,8 +182,18 @@
static int
fr_check_wrapper(void *arg, struct mbuf **mp, struct ifnet *ifp, int dir)
{
+ int r;
+
struct ip *ip = mtod(*mp, struct ip *);
- return fr_check(ip, ip->ip_hl << 2, ifp, (dir == PFIL_OUT), mp);
+ ASSERT_HOST_BYTE_ORDER(*mp);
+ r = fr_check(ip, ip->ip_hl << 2, ifp, (dir == PFIL_OUT), mp);
+ if (*mp != NULL && (*mp)->m_pkthdr.len >= sizeof(struct ip) &&
+ (*mp)->m_len < sizeof(struct ip)) {
+ printf("fr_check_wrapper: m_len %d fixed\n",
+ (int)(*mp)->m_len);
+ *mp = m_pullup(*mp, sizeof(struct ip));
+ }
+ return r;
}
# ifdef USE_INET6
For now system work correctly for 3 days without panic and its lot off
log message
Sep 18 12:50:47 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 12:52:09 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 12:55:50 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:03:26 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:07:53 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:07:56 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:11:13 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:11:36 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:11:36 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:12:01 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:13:07 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:14:24 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:15:45 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:15:49 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:17:16 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:17:55 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:18:35 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:18:57 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:19:23 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:19:30 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:19:34 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:19:43 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:19:56 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:19:56 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:20:02 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:20:08 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:20:24 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:20:24 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:20:33 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
Sep 18 13:25:27 <0.2> ns2 kernel: fr_check_wrapper: m_len 0 fixed
9.2-RELEASE-p10 FreeBSD 9.2-RELEASE-p10
Kernel is Generic with
options DEVICE_POLLING
options DUMMYNET
options IPFILTER_LOG
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL
options IPFILTER
network card is bce
in sysctl I found something strange
dev.bce.0.%desc: Broadcom NetXtreme II BCM5716 1000Base-T (C0)
dev.bce.1.%desc: Broadcom NetXtreme II BCM5716 1000Base-T (C0)
dev.brgphy.0.%desc: BCM5709 10/100/1000baseT PHY
dev.brgphy.1.%desc: BCM5709 10/100/1000baseT PHY
Best Regards
Tomek
--
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.
From curtis at ipv6.occnc.com Fri Sep 19 00:26:38 2014
From: curtis at ipv6.occnc.com (Curtis Villamizar)
Date: Thu, 18 Sep 2014 20:26:33 -0400
Subject: is it possible (practical) to add af-to
Message-ID: <201409190026.s8J0QYf8086871@maildrop31.somerville.occnc.com>
Hi,
NAT46 and NAT64 require af-to or equivalent.
This may be naive on my part but it doesn't seem like it would be a
lot of trouble to add af-to to the existing pf.
That said, I am aware of the discussion of further diverging from the
openbsd pf as discussed in the thread in the archives at
http://lists.freebsd.org/pipermail/freebsd-pf/2014-July/007391.html
I'm willing to contribute code if there is a chance anyone would be
willing to take it as an interim until freebsd pf catches up to
openbsd pf.
Thoughts on this below.
Curtis
Currently the syntax of rdr and nat accept the following:
nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
[ "on" ifspec ] [ af ]
[ protospec ] hosts [ "tag" string ] [ "tagged" string ]
[ "->" ( redirhost | "{" redirhost-list "}" )
[ portspec ] [ pooltype ] [ "static-port" ] ]
rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
[ "on" ifspec ] [ af ]
[ protospec ] hosts [ "tag" string ] [ "tagged" string ]
[ "->" ( redirhost | "{" redirhost-list "}" )
[ portspec ] [ pooltype ] ]
Both of these end in:
[ "->" ( redirhost | "{" redirhost-list "}" )
[ portspec ] [ pooltype ] ]
(with nat-rule having the optional [ "static-port" ]).
Changing the syntax is no big deal and that would be the easy part.
In sbin/pf/parse.y some change would be needed to the redirpool rule
where the two forms are (yacc actions omitted):
redirpool :
| ARROW redirspec
| ARROW redirspec PORT portstar
to this (or to redirspec) we'd have to add an af_to which would be
similar to the af rule but with the keywork af-to:
af_to ; /* empty */ { $$ = 0; }
| AF_TO INET { $$ = AF_INET; }
| AF_TO INET6 { $$ = AF_INET6; }
If this is added to the redirpool then af_to would appear after ARROW
and $2 and $4 are bumped. It means adding sa_family_t af to the
struct redirection.
In the natrule rule if ((! $9->af) || (r.af == $9->af)), then nothing
needs to be done, else an address family translation is needed. The
following lines have to be changed, replacing r.af with $9->af adding
a line before this to replace 0 with r.af if af_to was empty.
remove_invalid_hosts(&$9->host, &r.af);
if (invalid_redirect($9->host, r.af))
YYERROR;
if (check_netmask($9->host, r.af))
YYERROR;
At this point the rule can be one address family and all of the
redirect addresses consistent with each other but not necissarily the
same af as the rule. The next problem is that there is no way to pass
this af to expand_rule. That's OK since $9->host ends up as the
protos argument to expand_rule and the af is in each entry. On this
case the af in proto won't match the af in src_hosts and the
consistency checks (nat_consistent, rdr_consistent) don't check and
its off to pfctl_add_rule.
This gets us to a laer ioctl call of type DIOCADDRULE which puts us in
the kernel code in pf_ioctl.c.
In the case DIOCADDRULE code the checks of pr->rule.af are no longer
enough. Similar checks are needed on the rule actions. Something
along the lines of:
#ifndef INET
if (pr->rule.af == AF_INET) {
error = EAFNOSUPPORT;
break;
}
if ((pr->rule.action == PF_NAT)
|| (pr->rule.action == PF_RDR)) {
if (rule_dst_has_af(pr->rule.dst.addr), AF_INET) {
error = EAFNOSUPPORT;
break:
}
}
#endif /* INET */
Where rule_dst_has_af loops through the table and checks for
instances of the af in the argument list.
Where the real work would have to be done is in pf_test, pf_test_rule,
pf_get_translation, pf_match_translation, and pf_create_state, and
some functions they use, such as pf_map_addr where mixed af is not
anticipated. This would definitely be the messy part of any attempt
to make af-to work.
There is no INET/INET6 specific code in pf_test_rule except for ICMP
there is no INET/INET6 specific code and getting the packet length
when dropping TCP and sending a RST. As a first cut, if ICMP from/to
ICMP6 in NAT and RDR didn't work that would be OK. A FAIL would send
back TCP RST using the source af, so that code should be OK.
My understanding of this code is still very fuzzy after about a half
day of looking at it. Perhaps looking at the openbsd pf would help
(hopefully they still resemble each other).
Any help would be appreciated, but for now I'd just like to know
whether if I took the trouble to add af-to support the code would be
picked up (after code review, testing, etc). I haven't yet decided
whether this is something I want to take on in the first place.
From eri at freebsd.org Fri Sep 19 08:22:03 2014
From: eri at freebsd.org (=?UTF-8?Q?Ermal_Lu=C3=A7i?=)
Date: Fri, 19 Sep 2014 10:22:02 +0200
Subject: is it possible (practical) to add af-to
In-Reply-To: <201409190026.s8J0QYf8086871@maildrop31.somerville.occnc.com>
References: <201409190026.s8J0QYf8086871@maildrop31.somerville.occnc.com>
Message-ID:
Hello Curtis,
On Fri, Sep 19, 2014 at 2:26 AM, Curtis Villamizar
wrote:
> Hi,
>
> NAT46 and NAT64 require af-to or equivalent.
>
> This may be naive on my part but it doesn't seem like it would be a
> lot of trouble to add af-to to the existing pf.
>
> That said, I am aware of the discussion of further diverging from the
> openbsd pf as discussed in the thread in the archives at
> http://lists.freebsd.org/pipermail/freebsd-pf/2014-July/007391.html
>
> I'm willing to contribute code if there is a chance anyone would be
> willing to take it as an interim until freebsd pf catches up to
> openbsd pf.
>
> Thoughts on this below.
>
I have interest on this.
Though it would be necessary to pickup the IPv6 header parsing code
together with this.
It is related to both to be able to achive this at the end.
My recommendation is to pickup that first and then proceed with this.
If you have any code to share i can take care of reviewing it and probably
glebius@ will be in the loop as well.
>
> Curtis
>
>
>
> Currently the syntax of rdr and nat accept the following:
>
> nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
> [ "on" ifspec ] [ af ]
> [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
> [ "->" ( redirhost | "{" redirhost-list "}" )
> [ portspec ] [ pooltype ] [ "static-port" ] ]
>
> rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
> [ "on" ifspec ] [ af ]
> [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
> [ "->" ( redirhost | "{" redirhost-list "}" )
> [ portspec ] [ pooltype ] ]
>
> Both of these end in:
>
> [ "->" ( redirhost | "{" redirhost-list "}" )
> [ portspec ] [ pooltype ] ]
>
> (with nat-rule having the optional [ "static-port" ]).
>
> Changing the syntax is no big deal and that would be the easy part.
>
> In sbin/pf/parse.y some change would be needed to the redirpool rule
> where the two forms are (yacc actions omitted):
>
> redirpool :
> | ARROW redirspec
> | ARROW redirspec PORT portstar
>
> to this (or to redirspec) we'd have to add an af_to which would be
> similar to the af rule but with the keywork af-to:
>
> af_to ; /* empty */ { $$ = 0; }
> | AF_TO INET { $$ = AF_INET; }
> | AF_TO INET6 { $$ = AF_INET6; }
>
> If this is added to the redirpool then af_to would appear after ARROW
> and $2 and $4 are bumped. It means adding sa_family_t af to the
> struct redirection.
>
> In the natrule rule if ((! $9->af) || (r.af == $9->af)), then nothing
> needs to be done, else an address family translation is needed. The
> following lines have to be changed, replacing r.af with $9->af adding
> a line before this to replace 0 with r.af if af_to was empty.
>
> remove_invalid_hosts(&$9->host, &r.af);
> if (invalid_redirect($9->host, r.af))
> YYERROR;
> if (check_netmask($9->host, r.af))
> YYERROR;
>
> At this point the rule can be one address family and all of the
> redirect addresses consistent with each other but not necissarily the
> same af as the rule. The next problem is that there is no way to pass
> this af to expand_rule. That's OK since $9->host ends up as the
> protos argument to expand_rule and the af is in each entry. On this
> case the af in proto won't match the af in src_hosts and the
> consistency checks (nat_consistent, rdr_consistent) don't check and
> its off to pfctl_add_rule.
>
> This gets us to a laer ioctl call of type DIOCADDRULE which puts us in
> the kernel code in pf_ioctl.c.
>
> In the case DIOCADDRULE code the checks of pr->rule.af are no longer
> enough. Similar checks are needed on the rule actions. Something
> along the lines of:
>
> #ifndef INET
> if (pr->rule.af == AF_INET) {
> error = EAFNOSUPPORT;
> break;
> }
> if ((pr->rule.action == PF_NAT)
> || (pr->rule.action == PF_RDR)) {
> if (rule_dst_has_af(pr->rule.dst.addr), AF_INET) {
> error = EAFNOSUPPORT;
> break:
> }
> }
> #endif /* INET */
>
> Where rule_dst_has_af loops through the table and checks for
> instances of the af in the argument list.
>
> Where the real work would have to be done is in pf_test, pf_test_rule,
> pf_get_translation, pf_match_translation, and pf_create_state, and
> some functions they use, such as pf_map_addr where mixed af is not
> anticipated. This would definitely be the messy part of any attempt
> to make af-to work.
>
> There is no INET/INET6 specific code in pf_test_rule except for ICMP
> there is no INET/INET6 specific code and getting the packet length
> when dropping TCP and sending a RST. As a first cut, if ICMP from/to
> ICMP6 in NAT and RDR didn't work that would be OK. A FAIL would send
> back TCP RST using the source af, so that code should be OK.
>
> My understanding of this code is still very fuzzy after about a half
> day of looking at it. Perhaps looking at the openbsd pf would help
> (hopefully they still resemble each other).
>
> Any help would be appreciated, but for now I'd just like to know
> whether if I took the trouble to add af-to support the code would be
> picked up (after code review, testing, etc). I haven't yet decided
> whether this is something I want to take on in the first place.
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>
--
Ermal
From Edwin.Nagle at austinenergy.com Wed Sep 24 13:37:01 2014
From: Edwin.Nagle at austinenergy.com (Nagle, Edwin (James))
Date: Wed, 24 Sep 2014 13:35:53 +0000
Subject: Source based routing
Message-ID: <27DBC528FBF8094FA7247CC9A0A5C85F02A6A1FE@AE-PEXCH02.aenetad.net>
Hi all,
I'm trying to accomplish something that I think should be pretty simple, but cannot figure out how to do... Here is my scenario:
I am building a remote access server which will accept ssh connections on three private IP addresses in the same subnet. The users coming in will need to have their IP sourced from the same IP as they arrived on because current infrastructure is in place to firewall and segment those connections to prevent unauthorized access to assets. Incoming access will be controlled by radius based on IP address. Outbound traffic will be controlled via an external firewall based on IP address (thus the need to lock users to the IP address they arrive on).
The server has four interfaces configured, the physical interface (bce0) and three virtual (tap0, tap1, tap2).
I have rebuilt my kernel to allow NAT in PF as well as multiple routing tables. I found a good article which describes source based routing with multiple routing tables but I think my problem stems from having all the IP addresses on the same network subnet. I have successfully been able to have the outbound NAT to a single IP but I'm still unclear on how PF works so I'm basically mucking around trying to find something that works (please forgive my ignorance):
My current pf.conf:
nat on ! tap0 from any to any port ssh -> 10.1.9.59
nat on ! tap1 from any to any port ssh -> 10.1.9.60
nat on ! tap2 from any to any port ssh -> 10.1.9.61
All outbound traffic now translates to 10.1.9.59 regardless of which IP I arrived on. I need to basically match the incoming IP and nat outbound TCP 22 traffic across the same IP.
Anyone have any ideas or suggestions as to how to accomplish this?
Many thanks in advance for any guidance.
James
From Edwin.Nagle at austinenergy.com Wed Sep 24 14:09:38 2014
From: Edwin.Nagle at austinenergy.com (Nagle, Edwin (James))
Date: Wed, 24 Sep 2014 14:09:37 +0000
Subject: Source based routing
References: <27DBC528FBF8094FA7247CC9A0A5C85F02A6A1FE@AE-PEXCH02.aenetad.net>
Message-ID: <27DBC528FBF8094FA7247CC9A0A5C85F02A6B3B9@AE-PEXCH02.aenetad.net>
Hello,
Thanks for the information. I have built multiple routing tables and am running separate sshd instances:
#
# /etc/rc.local
#
# Build my alternate routing tables
/usr/sbin/setfib 0 /sbin/route add default 10.1.9.58
/usr/sbin/setfib 1 /sbin/route add default 10.1.9.59
/usr/sbin/setfib 2 /sbin/route add default 10.1.9.60
/usr/sbin/setfib 3 /sbin/route add default 10.1.9.61
# Start SSH daemons for each interface
/usr/sbin/setfib 0 /usr/sbin/sshd -f /etc/ssh/sshd_config
/usr/sbin/setfib 1 /usr/sbin/sshd -f /etc/ssh/sshd_config.tap0
/usr/sbin/setfib 2 /usr/sbin/sshd -f /etc/ssh/sshd_config.tap1
/usr/sbin/setfib 3 /usr/sbin/sshd -f /etc/ssh/sshd_config.tap2
And have tried the following in my pf.conf:
pass in log on bce0 inet proto tcp from any to (bce0) port ssh rtable 0
pass in log on tap0 inet proto tcp from any to (tap0) port ssh rtable 1
pass in log on tap1 inet proto tcp from any to (tap1) port ssh rtable 2
pass in log on tap2 inet proto tcp from any to (tap2) port ssh rtable 3
But this still doesn?t work. Any ideas what I?m doing wrong?
Thanks!
James
From: claudiu vasadi [mailto:claudiu.vasadi at gmail.com]
Sent: Wednesday, September 24, 2014 8:59 AM
To: Nagle, Edwin (James)
Subject: Re: Source based routing
Hi,
Have a look at the route-to (ex: pass in log (all) on $int_if route-to { ($ext_if0 $ext_gw0), ($ext_if1 $ext_gw1) } ... etc ... ) and/or rtable (ex: pass in on $ext_if1 proto tcp from any to port 22 rtable 1)
By default, all outbound traffic is using the defaultrouter.
On Wed, Sep 24, 2014 at 3:35 PM, Nagle, Edwin (James) > wrote:
Hi all,
I'm trying to accomplish something that I think should be pretty simple, but cannot figure out how to do... Here is my scenario:
I am building a remote access server which will accept ssh connections on three private IP addresses in the same subnet. The users coming in will need to have their IP sourced from the same IP as they arrived on because current infrastructure is in place to firewall and segment those connections to prevent unauthorized access to assets. Incoming access will be controlled by radius based on IP address. Outbound traffic will be controlled via an external firewall based on IP address (thus the need to lock users to the IP address they arrive on).
The server has four interfaces configured, the physical interface (bce0) and three virtual (tap0, tap1, tap2).
I have rebuilt my kernel to allow NAT in PF as well as multiple routing tables. I found a good article which describes source based routing with multiple routing tables but I think my problem stems from having all the IP addresses on the same network subnet. I have successfully been able to have the outbound NAT to a single IP but I'm still unclear on how PF works so I'm basically mucking around trying to find something that works (please forgive my ignorance):
My current pf.conf:
nat on ! tap0 from any to any port ssh -> 10.1.9.59
nat on ! tap1 from any to any port ssh -> 10.1.9.60
nat on ! tap2 from any to any port ssh -> 10.1.9.61
All outbound traffic now translates to 10.1.9.59 regardless of which IP I arrived on. I need to basically match the incoming IP and nat outbound TCP 22 traffic across the same IP.
Anyone have any ideas or suggestions as to how to accomplish this?
Many thanks in advance for any guidance.
James
_______________________________________________
freebsd-pf at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
--
Best regards,
Claudiu Vasadi
From lists at peter.de.com Wed Sep 24 14:18:28 2014
From: lists at peter.de.com (Oliver Peter)
Date: Wed, 24 Sep 2014 16:18:13 +0200
Subject: Source based routing
In-Reply-To: <27DBC528FBF8094FA7247CC9A0A5C85F02A6A1FE@AE-PEXCH02.aenetad.net>
References: <27DBC528FBF8094FA7247CC9A0A5C85F02A6A1FE@AE-PEXCH02.aenetad.net>
Message-ID: <20140924141813.GA14170@mail.opdns.de>
On Wed, Sep 24, 2014 at 01:35:53PM +0000, Nagle, Edwin (James) wrote:
> Hi all,
>
> I'm trying to accomplish something that I think should be pretty simple, but cannot figure out how to do... Here is my scenario:
>
> I am building a remote access server which will accept ssh connections on three private IP addresses in the same subnet. The users coming in will need to have their IP sourced from the same IP as they arrived on because current infrastructure is in place to firewall and segment those connections to prevent unauthorized access to assets. Incoming access will be controlled by radius based on IP address. Outbound traffic will be controlled via an external firewall based on IP address (thus the need to lock users to the IP address they arrive on).
>
> The server has four interfaces configured, the physical interface (bce0) and three virtual (tap0, tap1, tap2).
>
> I have rebuilt my kernel to allow NAT in PF as well as multiple routing tables. I found a good article which describes source based routing with multiple routing tables but I think my problem stems from having all the IP addresses on the same network subnet. I have successfully been able to have the outbound NAT to a single IP but I'm still unclear on how PF works so I'm basically mucking around trying to find something that works (please forgive my ignorance):
>
> My current pf.conf:
>
> nat on ! tap0 from any to any port ssh -> 10.1.9.59
> nat on ! tap1 from any to any port ssh -> 10.1.9.60
> nat on ! tap2 from any to any port ssh -> 10.1.9.61
>
> All outbound traffic now translates to 10.1.9.59 regardless of which IP I arrived on. I need to basically match the incoming IP and nat outbound TCP 22 traffic across the same IP.
>
> Anyone have any ideas or suggestions as to how to accomplish this?
Checkout the Routing section in pf.conf and give 'route-to' a try,
example for outgoing traffic could be:
pass out log quick on $ext_if route-to tap0 from (tap0:network) to any port ssh
--
Oliver PETER oliver at gfuzz.de 0x456D688F
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL:
From mikemacleod at gmail.com Wed Sep 24 14:35:54 2014
From: mikemacleod at gmail.com (Michael MacLeod)
Date: Wed, 24 Sep 2014 10:35:32 -0400
Subject: FW: Source based routing
In-Reply-To: <27DBC528FBF8094FA7247CC9A0A5C85F02A6B3CA@AE-PEXCH02.aenetad.net>
References: <27DBC528FBF8094FA7247CC9A0A5C85F02A6B3CA@AE-PEXCH02.aenetad.net>
Message-ID:
Hello James,
It's still a little unclear to me how you want traffic to flow in this
environment (in particular how the user traffic is arriving on the box),
but it'll probably be easier if you can have each class of user using a
different subnet. Regardless, it appears that you've set the default route
of each FIB to be the address of the interface you want each FIB to use,
which isn't going to work - your default gateway generally isn't yourself.
It appears that all of your traffic should be using the same default
gateway, and you're only interested in ensuring the egress interface/IP of
the traffic. You *may* not even need multiple FIBs, but instead just
multiple instances of SSHD set to listen to specific addresses (emphasis on
may - you might instead need separate FIB, though each one would still have
the same default gateway set).
Regards,
Mike
From laszlo.danielisz at yahoo.com Thu Sep 25 18:30:51 2014
From: laszlo.danielisz at yahoo.com (Laszlo Danielisz)
Date: Thu, 25 Sep 2014 11:24:01 -0700
Subject: referer filtering
Message-ID: <1411669441.95769.YahooMailNeo@web160705.mail.bf1.yahoo.com>
Hi,
I was wondering how is possible to accept a connection, lets say on port 80 only if it comes from a specified referer.
Let's say there is a link on server A (IP 1.1.1.1) pointing to server B (IP 2.2.2.2). And server B will only accept the connection if it was sent by A.
Any ideas?
Thx!
Laszlo
From javad at smarty.az Thu Sep 25 19:45:35 2014
From: javad at smarty.az (Javad Mustafayev)
Date: Fri, 26 Sep 2014 00:37:31 +0500
Subject: referer filtering
Message-ID:
Hi, i can suggest config below
lets say this config will be on server B's pf.conf. and your network interface of B ip address 2.2.2.2 is bge0
then you can use the following config
#pf.conf
#macros
ext_if="bge0"
A="1.1.1.1"
B="2.2.2.2"
#global options
set block-policy return #or you can use drop
set skip on lo0
set loginterface $ext_if #optional
#all other configurations
#here you block all
block return in all #or you can use drop :)
#and here allow TCP connections on port 80 only from A(1.1.1.1) to B(2.2.2.2)
pass in log on $ext_if inet proto tcp from $A to $B port 80 keep state
that's all. its so simple configuration file. you can find more advanced and fancy configuration models on the web. but i suggest pf manual ;)
good luck.
--
???/
name:?????????????????????? Javad Mustafayev
title:??????????????????? System Administrator
company:??????????????????????????? Smarty LLC
mobile:???????????????? 00994.51.927.11.99
mail:?????????????????????????? javad at smarty.az
web.mail:??? j.mustafayev at gmail.com
????/
?
On Sep 25, 2014 11:24 PM, Laszlo Danielisz via freebsd-pf wrote:
>
> Hi,
>
> I was wondering how is possible to accept a connection, lets say on port 80 only if it comes from a specified referer.
> Let's say there is a link on server A (IP 1.1.1.1) pointing to server B (IP 2.2.2.2). And server B will only accept the connection if it was sent by A.
>
> Any ideas?
>
> Thx!
> Laszlo
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
From laszlo.danielisz at yahoo.com Fri Sep 26 03:44:46 2014
From: laszlo.danielisz at yahoo.com (Laszlo Danielisz)
Date: Thu, 25 Sep 2014 20:41:23 -0700
Subject: referer filtering
In-Reply-To: <20140925194539.18FCDFEE@hub.freebsd.org>
References: <20140925194539.18FCDFEE@hub.freebsd.org>
Message-ID: <1411702883.12303.YahooMailNeo@web160702.mail.bf1.yahoo.com>
Thank you!
Isn't this just going to accept traffic on port 80 from A t0 B?
pass in log on $ext_if inet proto tcp from $A to $B port 80 keep state
I mean customers who would like to connect to $B won't be able.
On Thursday, September 25, 2014 9:45 PM, Javad Mustafayev wrote:
Hi, i can suggest config below
lets say this config will be on server B's pf.conf. and your network interface of B ip address 2.2.2.2 is bge0
then you can use the following config
#pf.conf
#macros
ext_if="bge0"
A="1.1.1.1"
B="2.2.2.2"
#global options
set block-policy return #or you can use drop
set skip on lo0
set loginterface $ext_if #optional
#all other configurations
#here you block all
block return in all #or you can use drop :)
#and here allow TCP connections on port 80 only from A(1.1.1.1) to B(2.2.2.2)
pass in log on $ext_if inet proto tcp from $A to $B port 80 keep state
that's all. its so simple configuration file. you can find more advanced and fancy configuration models on the web. but i suggest pf manual ;)
good luck.
--
???/
name: Javad Mustafayev
title: System Administrator
company: Smarty LLC
mobile: 00994.51.927.11.99
mail: javad at smarty.az
web.mail: j.mustafayev at gmail.com
???/
On Sep 25, 2014 11:24 PM, Laszlo Danielisz via freebsd-pf wrote:
>
> Hi,
>
> I was wondering how is possible to accept a connection, lets say on port 80 only if it comes from a specified referer.
> Let's say there is a link on server A (IP 1.1.1.1) pointing to server B (IP 2.2.2.2). And server B will only accept the connection if it was sent by A.
>
> Any ideas?
>
> Thx!
> Laszlo
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
_______________________________________________
freebsd-pf at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
From daniel at benzedrine.cx Fri Sep 26 11:50:55 2014
From: daniel at benzedrine.cx (Daniel Hartmeier)
Date: Fri, 26 Sep 2014 13:22:13 +0200
Subject: referer filtering
In-Reply-To: <1411669441.95769.YahooMailNeo@web160705.mail.bf1.yahoo.com>
References: <1411669441.95769.YahooMailNeo@web160705.mail.bf1.yahoo.com>
Message-ID: <20140926112213.GA18108@insomnia.benzedrine.cx>
On Thu, Sep 25, 2014 at 11:24:01AM -0700, Laszlo Danielisz via freebsd-pf wrote:
> I was wondering how is possible to accept a connection, lets say on port 80 only if it comes from a specified referer.
> Let's say there is a link on server A (IP 1.1.1.1) pointing to server B (IP 2.2.2.2). And server B will only accept the connection if it was sent by A.
You mean filtering based on a HTTP Referer: header?
pf doesn't work on that layer at all.
Technically, B has to accept the client's connection and read the HTTP
request (for the Referer: header) to make its decision. It can produce
an error (or redirect) or close the connection, but "not accepting the
connection" is impossible.
You'd have to do this at the application layer, e.g. Apache has modules
that allow access control based on HTTP headers[1], or use a HTTP proxy
like squid (pf can assist redirecting to it).
Also note that the referer header isn't always reliable, as it can be
faked easily[2].
HTH,
Daniel
[1] http://www.uiowa.edu/server/manual/mod/mod_access_referer.html#motivation
[2] http://www.stardrifter.org/refcontrol/
From mar_jmes20 at outlook.com Fri Sep 26 17:32:19 2014
From: mar_jmes20 at outlook.com (Sahar alGhrarri)
Date: Fri, 26 Sep 2014 18:32:08 +0100
Subject: I await your response
Message-ID: <694004.1501.bm@smtp215.mail.gq1.yahoo.com>
?Greetings,
I am Mrs. Sahar alGhrarri, the only surviving member of a family that was crushed in a bomb-blast during the war in Libya. Currently, I am battling with a (partial stroke) which resulted from the shock gotten from the incident. Please view the below link for details: http://www.wsws.org/articles/2011/jun2011/liby-j20.shtml
When my husband whom was a crude oil merchant was alive, we had plans to use the last days of our lives to disburse part of our resources to charity organization and several unknown individuals because when we were much younger in life as a couple, we received financial help from an unknown individual whom we have not met till this day. The impact we got from such gesture made us want to do same.
Unfortunately, my husband is not alive today to do this with me and my health is deteriorating so fast; hence I have decided it on our behalf. Having donated to several individuals and charity organization from our savings, I have decided to anonymously donate the last of our family savings to you.
Irrespective of your previous financial status, please do accept this kind and peaceful offer on behalf of my beloved family. Please acknowledge Mrs. Sahar Email: sahar-alghram102 at gmx.com
May war and pains never come close to your dwelling place.
Regards
Mrs. Sahar alGhrarri
From russell.yount at gmail.com Sun Sep 28 04:17:19 2014
From: russell.yount at gmail.com (Russell Yount)
Date: Sun, 28 Sep 2014 00:17:18 -0400
Subject: pf IPv6 NAT using link local addresses
Message-ID:
Specify IPv6 NAT with FreeBSD 9.3 in pf.conf as
nat on $external inet6 from $local6 to any -> ($external)
results in pf attempting to load balance between the routable IPv6
addresses and the link-local IPv6 address as the translation addresses.
Specify IPv6 NAT with FreeBSD 9.3 in pf.conf as
nat on $external inet6 from $local6 to any -> ($external:0)
results in pf using the link-local IPv6 address as address as the
translation address.
Both of these behaviors are wrong; pf does not understand scope of IPv6
link-local addresses as different from routable ipV6 addresses.
The following patch permits the use of ($external::0) syntax to select the
first routable IPv6 address rather than the link-local address so it can be
used with IPv6 NAT correctly. It only handles the case of one routable IPV6
address and ($external) syntax still attempts to round-robin between
routable IPv6 addresses and the link-local IPv6 address. Not sure if
changing ($external) syntax to omit link-local addresses would cause other
problems?
-Russ
--- usr/src/sys/contrib//pf/net/pf_if.c-orig 2014-07-10
17:59:41.000000000 -0400
+++ usr/src/sys/contrib//pf/net/pf_if.c 2014-08-24 18:13:57.000000000 -0400
@@ -690,6 +690,10 @@
IN6_IS_ADDR_LINKLOCAL(
&((struct sockaddr_in6 *)ia->ifa_addr)->sin6_addr))
continue;
+ if ((flags & PFI_AFLAG_NOALIAS) && af == AF_INET6 &&
+ IN6_IS_ADDR_LINKLOCAL(
+ &((struct sockaddr_in6 *)ia->ifa_addr)->sin6_addr))
+ continue;
if (flags & PFI_AFLAG_NOALIAS) {
if (af == AF_INET && got4)
continue;
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freebsd-9.3-pf-ipv6-nat.patch
Type: application/octet-stream
Size: 522 bytes
Desc: not available
URL:
From eri at freebsd.org Mon Sep 29 18:21:24 2014
From: eri at freebsd.org (=?UTF-8?Q?Ermal_Lu=C3=A7i?=)
Date: Mon, 29 Sep 2014 20:21:21 +0200
Subject: pf stuck
In-Reply-To: <542997C3.5090004@netfence.it>
References: <542997C3.5090004@netfence.it>
Message-ID:
Probably is better you ask this on freebsd-pf at .
Though this sounds like state limit reached.
On Mon, Sep 29, 2014 at 7:32 PM, Andrea Venturoli wrote:
> Hello.
>
> Today a box of mine (8.4p16/amd64) stopped working as a router; I don't
> have a clear picture, but the internal nets were working perfectly, while
> the external interfaces lagged, dropped connections or stopped packets from
> passing.
>
> The box is running pf (for handling multiple Internet lines) + ipfw (for
> firewalling).
> I tried a simple telnet xxx:80 and this is what I observed:
> _ tcpdump would see packets going out and replies coming in;
> _ an early ipfw allow rule with setup keep-state would see no packet going
> out and would not create any dinamic rule.
>
> This lead me to look into pf...
> "/etc/rc.d/pf restart" did not solve.
> "/etc/rc.d/pf stop ; /etc/rc.d/pf start" did!
>
>
>
> These are my pf rules:
>
>> pass out quick inet from 192.168.x.0/24 to 192.168.y.0/24 no state
>> pass out quick inet from 192.168.x.0/24 to 192.168.z.0/24 no state
>> pass out log quick route-to (vlan3 192.168.x.x) inet from 192.168.x.0/24
>> to ! 192.168.x.0/24 no state
>> pass out quick inet from a.b.c.d/29 to 192.168.y.0/24 no state
>> pass out quick inet from a.b.c.d/29 to 192.168.z.0/24 no state
>> pass out log quick route-to (vlan1 a.b.c.e) inet from a.b.c.d/29 to !
>> a.b.c.d/29 no state
>> pass out quick inet from i.j.k.l/29 to 192.168.z.0/24 no state
>> pass out quick inet from i.j.k.l/29 to 192.168.z.0/24 no state
>> pass out log quick route-to (vlan2 i.j.k.m) inet from i.j.k.l/29 to !
>> i.j.k.l/29 no state
>>
>
> These rules are working fine, but have hanged already twice in two weeks
> (once on this box, once on an almost identical one).
>
>
>
> Is there any known problem wrt running pf? pf+ipfw? pf on 8.4?
> Any hint on how to search for what's wrong?
>
>
>
> bye & Thanks
> av.
>
> P.S. Please, forgive me, but I'm quite noob with pf.
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
--
Ermal
From ml at netfence.it Mon Sep 29 20:42:20 2014
From: ml at netfence.it (Andrea Venturoli)
Date: Mon, 29 Sep 2014 22:42:12 +0200
Subject: pf stuck
In-Reply-To:
References: <542997C3.5090004@netfence.it>
Message-ID: <5429C424.9060400@netfence.it>
On 09/29/14 20:21, Ermal Lu?i wrote:
> Probably is better you ask this on freebsd-pf at .
Thanks, I see you have already cc:ed it.
> Though this sounds like state limit reached.
Can this happen even if all my pf rules have "no state"?
bye & Thanks
av.
From hoomanfazaeli at gmail.com Tue Sep 30 10:21:07 2014
From: hoomanfazaeli at gmail.com (Hooman Fazaeli)
Date: Tue, 30 Sep 2014 13:51:05 +0330
Subject: pf stuck
In-Reply-To: <5429C424.9060400@netfence.it>
References: <542997C3.5090004@netfence.it>
<5429C424.9060400@netfence.it>
Message-ID: <542A8411.1060608@gmail.com>
On 9/30/2014 12:12 AM, Andrea Venturoli wrote:
> On 09/29/14 20:21, Ermal Lu?i wrote:
>> Probably is better you ask this on freebsd-pf at .
>
> Thanks, I see you have already cc:ed it.
>
>
>
>> Though this sounds like state limit reached.
>
> Can this happen even if all my pf rules have "no state"?
No. Anyway, you can check state statistics with: pfctl -s i ; pfctl -s m
--
Best regards.
Hooman Fazaeli