suspends count on pfctl -vvsq

2010-01-20 Thread Ilya A. Kovalenko
  Good time of day,

   pfctl -vvsq shows a counter named suspends; what specific events
does it count?

I'm just trying to understand what it means:

queue root_pcn1 bandwidth 50Mb priority 0 cbq( wrr root ) {stub}
  [ pkts: 668486  bytes:  115633409  dropped pkts:  0 bytes:  0 ]
  [ qlength:   0/ 50  borrows:  0  suspends:  0 ]
  [ measured:   703.2 packets/s, 1.03Mb/s ]
queue  stub bandwidth 30Mb qlimit 5000 cbq( borrow default )
  [ pkts: 668486  bytes:  115633409  dropped pkts:  0 bytes:  0 ]
  [ qlength:   0/5000  borrows:  0  suspends:  65311 ]
  [ measured:   703.2 packets/s, 1.03Mb/s ]
queue root_pcn0 bandwidth 100Mb priority 0 cbq( wrr root ) {stub}
  [ pkts: 773002  bytes:  654654161  dropped pkts:  0 bytes:  0 ]
  [ qlength:   0/ 50  borrows:  0  suspends:  0 ]
  [ measured:   785.9 packets/s, 5.35Mb/s ]
queue  stub bandwidth 30Mb qlimit 5000 cbq( borrow default )
  [ pkts: 773002  bytes:  654654161  dropped pkts:  0 bytes:  0 ]
  [ qlength:   0/5000  borrows:   2607  suspends:  56563 ]
  [ measured:   785.9 packets/s, 5.35Mb/s ]

i.e. the rates are good, but suspends (dequeuing stalls?) on
empty queues look strange to me.

  I can guess a possible _cause_ of such behavior (the host is running on
virtual hardware under the VMware hypervisor), but can't understand the
_process_ itself.

Kind regards,

Ilya A. Kovalenko
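As an added example (not from the post, and not part of pfctl), the following Python script parses `pfctl -vvsq` output of the shape quoted above and flags the pattern the post finds odd: a queue whose `suspends` counter is nonzero while its `qlength` is 0. The sample text is a constructed copy of the output above; the script only parses and flags, it does not interpret what the counter counts.

```python
import re

# Constructed sample: a copy of the pfctl -vvsq output quoted in the post.
SAMPLE = """\
queue root_pcn1 bandwidth 50Mb priority 0 cbq( wrr root ) {stub}
  [ pkts: 668486  bytes:  115633409  dropped pkts:  0 bytes:  0 ]
  [ qlength:   0/ 50  borrows:  0  suspends:  0 ]
  [ measured:   703.2 packets/s, 1.03Mb/s ]
queue  stub bandwidth 30Mb qlimit 5000 cbq( borrow default )
  [ pkts: 668486  bytes:  115633409  dropped pkts:  0 bytes:  0 ]
  [ qlength:   0/5000  borrows:  0  suspends:  65311 ]
  [ measured:   703.2 packets/s, 1.03Mb/s ]
queue root_pcn0 bandwidth 100Mb priority 0 cbq( wrr root ) {stub}
  [ pkts: 773002  bytes:  654654161  dropped pkts:  0 bytes:  0 ]
  [ qlength:   0/ 50  borrows:  0  suspends:  0 ]
  [ measured:   785.9 packets/s, 5.35Mb/s ]
queue  stub bandwidth 30Mb qlimit 5000 cbq( borrow default )
  [ pkts: 773002  bytes:  654654161  dropped pkts:  0 bytes:  0 ]
  [ qlength:   0/5000  borrows:   2607  suspends:  56563 ]
  [ measured:   785.9 packets/s, 5.35Mb/s ]
"""

# One "queue ..." header line followed by bracketed counter lines.
HEADER_RE = re.compile(r'^queue\s+(?P<name>\S+)\s+bandwidth\s+(?P<bw>\S+)(?P<rest>.*)$')
PKTS_RE = re.compile(r'pkts:\s*(\d+)\s+bytes:\s*(\d+)\s+dropped pkts:\s*(\d+)\s+bytes:\s*(\d+)')
QLEN_RE = re.compile(r'qlength:\s*(\d+)/\s*(\d+)\s+borrows:\s*(\d+)\s+suspends:\s*(\d+)')
MEAS_RE = re.compile(r'measured:\s*([\d.]+) packets/s, ([\d.]+)([KMG]?b)/s')


def parse_queue_stats(text):
    """Return one dict per queue, in output order.

    Child queues (no "{...}" child list on the header line) are attached to
    the most recent root queue, since the same child name ("stub" above)
    can appear under several roots.
    """
    queues = []
    root = None
    q = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            is_root = '{' in m.group('rest')
            if is_root:
                root = m.group('name')
            q = {'name': m.group('name'), 'root': root, 'is_root': is_root,
                 'bandwidth': m.group('bw')}
            queues.append(q)
            continue
        if q is None:
            continue  # text before the first queue header
        m = PKTS_RE.search(line)
        if m:
            q['pkts'], q['bytes'], q['dropped_pkts'], q['dropped_bytes'] = map(int, m.groups())
            continue
        m = QLEN_RE.search(line)
        if m:
            q['qlength'], q['qlimit'], q['borrows'], q['suspends'] = map(int, m.groups())
            continue
        m = MEAS_RE.search(line)
        if m:
            q['pps'] = float(m.group(1))
            q['rate'] = m.group(2) + m.group(3) + '/s'
    return queues


def suspended_while_empty(queues):
    """Queues with a nonzero suspends counter but an empty queue right now."""
    return [(q['root'], q['name'], q['suspends'])
            for q in queues
            if q.get('suspends', 0) > 0 and q.get('qlength', 0) == 0]


def dropping(queues):
    """Queues that have actually discarded packets (none in the sample)."""
    return [(q['root'], q['name'], q['dropped_pkts'])
            for q in queues if q.get('dropped_pkts', 0) > 0]


if __name__ == '__main__':
    stats = parse_queue_stats(SAMPLE)
    for root, name, suspends in suspended_while_empty(stats):
        print(f'{root}/{name}: {suspends} suspends with qlength 0')
    for root, name, dropped in dropping(stats):
        print(f'{root}/{name}: {dropped} dropped packets')
```

Run against live output with `pfctl -vvsq | python3 script.py` after replacing `SAMPLE` with `sys.stdin.read()`; the child queues are keyed by their root so the two `stub` queues are reported separately.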




diff: m_pkthdr.pf.hdr for default queue

2010-01-10 Thread Ilya A. Kovalenko
Good time of day,

  The following diff removes the test of the queue id against zero,
because of which default-queue packets (it seems) are passed to ALTQ
without the header hint (m_pkthdr.pf.hdr), so their headers can't be
inspected or altered by ALTQ (with RED/ECN, for example).

  Diff against -current. Tested on 4.5.

Index: pf.c
===
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.680
diff -u -r1.680 pf.c
--- pf.c24 Dec 2009 04:24:19 -  1.680
+++ pf.c11 Jan 2010 05:57:38 -
@@ -1971,7 +1971,7 @@
m-m_pkthdr.rdomain = rdom;
 
 #ifdef ALTQ
-   if (r != NULL  r-qid) {
+   if (r != NULL) {
m-m_pkthdr.pf.qid = r-qid;
/* add hints for ecn */
m-m_pkthdr.pf.hdr = mtod(m, struct ip *);
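Review bot: dropping the `r->qid` test means `m->m_pkthdr.pf.qid` is now written (possibly as 0) and `pf.hdr` set for every rule-matched packet, which is the intent stated in the mail; please confirm that the ALTQ classifier treats qid 0 as "use the default queue", since the old condition guaranteed a nonzero qid whenever the hdr hint was present, and consider saying so in the `/* add hints for ecn */` comment.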
@@ -2094,11 +2094,9 @@
m0-m_pkthdr.rdomain = rdomain;
 
 #ifdef ALTQ
-   if (r-qid) {
-   m0-m_pkthdr.pf.qid = r-qid;
-   /* add hints for ecn */
-   m0-m_pkthdr.pf.hdr = mtod(m0, struct ip *);
-   }
+   m0-m_pkthdr.pf.qid = r-qid;
+   /* add hints for ecn */
+   m0-m_pkthdr.pf.hdr = mtod(m0, struct ip *);
 #endif /* ALTQ */
 
switch (af) {
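Review bot: this hunk removes the conditional entirely while the first hunk keeps `if (r != NULL)`; the old code already dereferenced `r->qid` without a NULL test here, so nothing new is introduced, but a one-line comment saying why `r` is guaranteed non-NULL on this path would make the asymmetry between the two hunks look deliberate rather than accidental.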
@@ -5712,7 +5710,7 @@
m-m_pkthdr.pf.statekey = s-key[PF_SK_STACK];
 
 #ifdef ALTQ
-   if (action == PF_PASS  qid) {
+   if (action == PF_PASS) {
m-m_pkthdr.pf.qid = qid;
m-m_pkthdr.pf.hdr = h; /* hints for ecn */
}
@@ -6156,7 +6154,7 @@
m-m_pkthdr.pf.statekey = s-key[PF_SK_STACK];
 
 #ifdef ALTQ
-   if (action == PF_PASS  s  s-qid) {
+   if (action == PF_PASS  s) {
if (pd.tos  IPTOS_LOWDELAY)
m-m_pkthdr.pf.qid = s-pqid;
else
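Review bot: the hunk is cut off after `else` in this archive copy, so its closing lines can't be reviewed here; within what is visible, keeping the `s` test while dropping `s->qid` means states without a queue now carry qid/pqid 0 into ALTQ, consistent with the other hunks, and the `pd.tos & IPTOS_LOWDELAY` branch is unchanged.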

Kind regards,

Ilya A. Kovalenko
SA, SpecialEQ SW sections
JSC Oganer-Service  


typo on altq.h ?

2010-01-06 Thread Ilya A. Kovalenko
(sorry for winmua-broken diff)

Index: altq.h
===
RCS file: /cvs/src/sys/altq/altq.h,v
retrieving revision 1.6
diff -r1.6 altq.h
48c48
 /* simple token backet meter profile */
---
 /* simple token bucket meter profile */
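Review bot: the comment fix (backet -> bucket) is correct and has no code effect; the `<`/`>` markers of this plain `diff` output were lost in transit (the "winmua-broken diff" the author apologises for), leaving two near-identical lines, so a unified diff (`diff -u`) would survive mail better.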




Re[2]: states handling

2007-09-22 Thread Ilya A. Kovalenko
>> So, a single state entry affects traffic on a single interface only?
> It is a little bit different than that.
>
> A state also has a 'direction' associated with it.
> So, a state matches either incoming or outgoing traffic.
> As long as the direction matches, the interface does not
> really matter.
>
> Sometimes, rarely, you have to enforce the interface
> (usually only useful for IPSec (enc0) traffic); this is
> what the ifbound states (check the pf.conf man page) are for.

Thank you very much for the comprehensive explanation. I totally missed
that a state entry uses gateway-related direction to match packets.
*reading manuals one more time*

> Keep in mind that address translation is done before
> matching rules. NAT changes the source and is always done at the
> outgoing interface. RDR changes the destination, at the incoming interface.
yes, I learnt it after the 3.1 migration :)

> Actually, once you are comfortable with states, queueing is
> very flexible and powerful.
Looks like it's time to learn PF usage again ...


states handling

2007-09-21 Thread Ilya A. Kovalenko
(Detailed description of problem, broached on faults list topic)

Two hosts, on opposite sides of a gateway:

 _______      ___________________      _______
|       |    |                   |    |       |
| 114.31|----|114.219      0.254 |----|0.1    |
| priv  |    |       step        |    |  pub  |
|_______|    |___________________|    |_______|

where
PRIV (192.168.114.31) is the private network host,
PUB  (192.168.0.1) is the public host, and
STEP (192.168.114.219/192.168.0.254) is the firewall gateway.

Target:
  deny any access from PUB to PRIV, but allow PRIV to access PUB's
  resources (at least, pings and TCP)

OS version:

step# uname -a
OpenBSD step.oganer.net 4.2 GENERIC#0 i386

Ruleset variants and PF's behavior (trying to ping PUB and connect to
its webserver):

   block in  inet from 192.168.0.1 to 192.168.114.31
   pass  in  inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
(does not work - neither pings nor TCP)
Preferred version, because it does not affect queueing

 step# pfctl -ss
 all icmp 192.168.0.1:512 - 192.168.114.31   0:0
 all tcp 192.168.0.1:80 - 192.168.114.31:3538   CLOSED:SYN_SENT

   block in  inet from 192.168.0.1 to 192.168.114.31
   pass  out inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
(works)

 step# pfctl -ss
 all icmp 192.168.114.31:512 - 192.168.0.1   0:0
 all tcp 192.168.114.31:3547 - 192.168.0.1:80   ESTABLISHED:ESTABLISHED

In addition:

   block out inet from 192.168.0.1 to 192.168.114.31
   pass  in  inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
(works)

 step# pfctl -ss
 all icmp 192.168.0.1:512 - 192.168.114.31   0:0
 all tcp 192.168.0.1:80 - 192.168.114.31:3565   ESTABLISHED:ESTABLISHED

   block out inet from 192.168.0.1 to 192.168.114.31
   pass  out inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
(does not work)

 step# pfctl -ss
 all icmp 192.168.114.31:512 - 192.168.0.1   0:0
 all tcp 192.168.114.31:3542 - 192.168.0.1:80   ESTABLISHED:SYN_SENT

   block inet from 192.168.0.1 to 192.168.114.31
   pass  in  inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
(does not work)

 step# pfctl -ss
 all icmp 192.168.0.1:512 - 192.168.114.31   0:0
 all tcp 192.168.0.1:80 - 192.168.114.31:3566   CLOSED:SYN_SENT

   block inet from 192.168.0.1 to 192.168.114.31
   pass  out inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
(does not work)

 step# pfctl -ss
 all icmp 192.168.114.31:512 - 192.168.0.1   0:0
 all tcp 192.168.114.31:3572 - 192.168.0.1:80   ESTABLISHED:SYN_SENT

And one more:

   block inet from 192.168.0.1 to 192.168.114.31
   pass  inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
(works)

 step# pfctl -ss
 all icmp 192.168.0.1:512 - 192.168.114.31   0:0
 all icmp 192.168.114.31:512 - 192.168.0.1   0:0
 all tcp 192.168.0.1:80 - 192.168.114.31:3574   ESTABLISHED:ESTABLISHED
 all tcp 192.168.114.31:3574 - 192.168.0.1:80   ESTABLISHED:ESTABLISHED

Supposition:
  In all non-working cases, the answer packets for some reason do not
  match the created state (by iface and/or direction?), and are blocked
  by the block rule. In the last case, each communication stream creates
  2 states.

  Setting the state-policy option to floating or if-bound does not
  change the situation.

Questions:
  Is this some kind of feature? Is there any solution to make PF
  behave another way (for example, to work with the first ruleset variant)?

Ilya A. Kovalenko  (mailto:[EMAIL PROTECTED])



Re[2]: My PF faults list

2007-09-19 Thread Ilya A. Kovalenko
> you must be confused here. dunno. people rarely have problems in that
> area.
Hmm, maybe I'm truly too stupid to work with PF ...
I'll re-test it on a clean environment and write to the list.

> i thought we did that with -vv or so
hmm ... alas, no such warnings with -vv:

evil# pfctl -vv -f /etc/pf.conf | grep notexist
@67 pass in from notexist:0 to notexist2:0 no state queue notexist3

evil# uname -a
OpenBSD evil.oganer.net 4.1 EVIL#0 i386

> you are confused. not keeping state is stupid.
Agree ... until states can work ...

> parts of your mail come pretty offensive... maybe i should not have
> bothered at all.
I beg your pardon, these little things annoyed me sometimes.
Thank you for the answer.

> anyway. you know how things work: if you miss sth, you send a diff.
yes, indeed :)




Re[2]: 400Mbps PF based firewall, which hardware?

2005-07-11 Thread Ilya A. Kovalenko
SG> Since your network is only 100Mbps my recommendation is a D-Link ethernet card.
SG> Now I may not be fully correct but from my experience it performs well :-)

AFAIK D-Link NICs are the worst choice. Two reasons:

 1. D-Link NICs have always been a cheap low-end solution.

 2. A couple of months ago D-Link switched its NICs from the RTL8139 (pretty
stable) to the VIA Rhine III chip (which has problems under OpenBSD)
without any change in model number.
  VIA chips have permanent problems with OpenBSD: the NIC hangs
and stops responding on the network connected to it (tcpdump(8) or a reboot
can reset the NIC until the next fault). Maybe due to driver imperfection.
  So I recommend you avoid VIA NICs.

Ilya A. Kovalenko
S.A.


Re[2]: handling nonexisting table/queue names

2005-05-04 Thread Ilya A. Kovalenko
>>  pfctl(8) silently ignores nonexisting table and queue names.
>> I suppose it is some kind of feature (like dynamic creation,
>> or so),
CB> Yes, that's a feature: the table can be created later by some daemon
CB> like spamd.
..
CB> ... so you can easily spot an empty table: pfctl -vvsr | grep ':0'

hmm, looks more like   pfctl -vvsr | grep ':\*'

 crater[3.7]# pfctl -vvsr | grep ':\*'
 @0 pass in from nx_table:* to any

.. What about ALTQ queue names (mistyped in filter rules)?
for example:

 crater[3.7]# pfctl -sq
 queue root_rl0 bandwidth 100Mb priority 0 cbq( wrr root ) {def, sandbox}
 queue  def bandwidth 70Mb cbq( borrow default )
 queue  sandbox bandwidth 2Mb cbq( red )

 crater[3.7]# pfctl -vvsr
 @0 pass in from nx_table:* to any
   [ Evaluations: 189   Packets: 0 Bytes: 0   States: 0 ]
 @1 pass in from (rl0:2) to any queue sendbox
                                      ^^^^^^^ mistyped name
   [ Evaluations: 121   Packets: 0 Bytes: 0   States: 0 ]





handling nonexisting table/queue names

2005-05-03 Thread Ilya A. Kovalenko
 Greetings,

  pfctl(8) silently ignores nonexisting table and queue names.
I suppose it is some kind of feature (like dynamic creation,
or so), but such silent handling complicates debugging typos
in a ruleset.
  Can pfctl(8), at least, display warnings?

Thank you,

Ilya A. Kovalenko(mailto:[EMAIL PROTECTED])
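Added example, not from the thread and not something pfctl(8) does itself: a Python check that reads `pfctl -vvsr` and `pfctl -sq` output and reports rules that reference a table pfctl printed as nonexistent (`name:*`, printed by pfctl as `<name:*>`; the archive copy of the reply above lost the brackets) or a queue name that no `queue` line defines. The sample inputs are constructed from the outputs quoted in the reply above, with the bracketed counter lines kept on one line each and one extra rule (`@2`) added to exercise the `queue(a, b)` form.

```python
import re

# Constructed samples, based on the pfctl -vvsr / pfctl -sq output quoted in
# the reply above; rule @2 is added here to exercise the "queue(a, b)" form.
RULES_VVSR = """\
@0 pass in from <nx_table:*> to any
  [ Evaluations: 189   Packets: 0 Bytes: 0   States: 0 ]
@1 pass in from (rl0:2) to any queue sendbox
  [ Evaluations: 121   Packets: 0 Bytes: 0   States: 0 ]
@2 pass out from (rl0:2) to any queue(sandbox, sendbox)
  [ Evaluations: 0   Packets: 0 Bytes: 0   States: 0 ]
"""
QUEUES_SQ = """\
queue root_rl0 bandwidth 100Mb priority 0 cbq( wrr root ) {def, sandbox}
queue  def bandwidth 70Mb cbq( borrow default )
queue  sandbox bandwidth 2Mb cbq( red )
"""

RULE_RE = re.compile(r'^@(\d+)\s+(.*)$')
# pfctl prints a table reference as <name:count>; "*" means the table does
# not exist.  The brackets are optional so copies that lost them still match.
MISSING_TABLE_RE = re.compile(r'<?([\w.-]+):\*>?')
QUEUE_LIST_RE = re.compile(r'\bqueue\s*\(([^)]*)\)')
QUEUE_ONE_RE = re.compile(r'\bqueue\s+([\w.-]+)')
QUEUE_DEF_RE = re.compile(r'^queue\s+([\w.-]+)')


def defined_queues(sq_output):
    """Queue names declared in pfctl -sq output."""
    names = set()
    for line in sq_output.splitlines():
        m = QUEUE_DEF_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def rule_queues(rule_body):
    """Queue names a rule assigns to: "queue x" or "queue(x, y)"."""
    m = QUEUE_LIST_RE.search(rule_body)
    if m:
        return [n.strip() for n in m.group(1).split(',') if n.strip()]
    m = QUEUE_ONE_RE.search(rule_body)
    return [m.group(1)] if m else []


def check_rules(sr_output, queue_names):
    """Return (rule, kind, name) for every nonexistent table or unknown queue."""
    issues = []
    for line in sr_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # counter lines and anything else that is not a rule
        rule_id, body = '@' + m.group(1), m.group(2)
        for tbl in MISSING_TABLE_RE.findall(body):
            issues.append((rule_id, 'missing-table', tbl))
        for qn in rule_queues(body):
            if qn not in queue_names:
                issues.append((rule_id, 'unknown-queue', qn))
    return issues


if __name__ == '__main__':
    for rule_id, kind, name in check_rules(RULES_VVSR, defined_queues(QUEUES_SQ)):
        print(f'{rule_id}: {kind} {name}')
```

A `missing-table` hit is only a typo if nothing is expected to create that table later (spamd and similar daemons create theirs at run time, as the reply notes), so the check is a review aid after `pfctl -f`, not a hard error.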
  


Re[2]: feature suggest: ability to load/add _inverted_ table file

2004-12-22 Thread Ilya A. Kovalenko
GH> Is there some unknown reason why he cannot use

GH> ~~ # grep \!\ /etc/pf.conf | head -3
GH> nat on $Ext from $LAN to !InsideNets - $Ext:0
GH> pass out quick on $Ext $TCP to !InsideNets user squid $KSF queue (q_def,\
GH> q_pri)
GH> pass out log quick on $Ext $TCP from $Ext:0 to !InsideNets port nntp\
GH> user news $KSF

GH> for the same effect?

  No, it is not the same. I suggested a list-exclude feature in addition
to the existing list-include feature on the table RULE.
  As a result, an administrator would be able to assemble ONE table instead
of two or three, and would be able to reduce the number of rules, without
external list preprocessing or dynamic table loading.

  IMHO, my suggestion was pretty simple, and at the same time very
efficient for PF's core flexibility. The developers don't think so. Sad.

Ilya A. Kovalenko

Better is the worst enemy of Good



Re[3]: feature suggest: ability to load/add _inverted_ table file

2004-12-21 Thread Ilya A. Kovalenko
More correct & shorter diff, against -current (21.12)

-
diff 2 orig/pfctl_parser.h ../pfctl-current/pfctl_parser.h
--- orig/pfctl_parser.h Thu Nov 18 21:57:45 2004
+++ ../pfctl-current/pfctl_parser.h Thu Nov 18 21:09:24 2004
@@ -149,4 +149,5 @@
struct node_host*host;
char*file;
+   int  flags;
 };
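Review bot: the new `flags` field in `struct node_tinit` has no comment saying which bits it carries (the PFAAF_* values this diff adds to pfctl.h); a short comment, or a reference to those macros, would help readers of the header. Allocation sites that use `calloc()` get the field zeroed, so no initialiser change is needed.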
 
diff 2 orig/pfctl.h ../pfctl-current/pfctl.h
--- orig/pfctl.hThu Nov 18 21:57:42 2004
+++ ../pfctl-current/pfctl.hThu Nov 18 21:26:34 2004
@@ -34,4 +34,8 @@
 #define _PFCTL_H_
 
+/* append_addr() flags */
+#define PFAAF_NONETWORK(1)
+#define PFAAF_INVERT   (2)
+
 enum { PFRB_TABLES = 1, PFRB_TSTATS, PFRB_ADDRS, PFRB_ASTATS,
PFRB_IFACES, PFRB_TRANS, PFRB_MAX };
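Review bot: `PFAAF_NONETWORK` is defined as 1 so that callers still passing the old 0/1 `nonetwork` value into `append_addr()` keep working; that compatibility is the whole reason for the value and deserves a comment next to the define, otherwise a later reordering of the flags silently breaks those callers.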
diff 2 orig/parse.y ../pfctl-current/parse.y
--- orig/parse.yThu Nov 18 21:57:39 2004
+++ ../pfctl-current/parse.yThu Nov 18 21:41:30 2004
@@ -396,4 +396,5 @@
 %token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF
 %token MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL
+%token FILENAMEINV
 %token NOROUTE FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE
 %token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR
@@ -1105,4 +1106,15 @@
table_opts.init_addr = 1;
}
+   | FILENAMEINV STRING{
+   struct node_tinit   *ti;
+
+   if (!(ti = calloc(1, sizeof(*ti
+   err(1, table_opt: calloc);
+   ti-file = $2;
+   ti-flags |= PFAAF_INVERT;
+   SIMPLEQ_INSERT_TAIL(table_opts.init_nodes, ti,
+   entries);
+   table_opts.init_addr = 1;
+   }
;
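Review bot: the new `FILENAMEINV STRING` action duplicates the `FILENAME STRING` action above it except for `ti->flags |= PFAAF_INVERT`; a shared helper taking the flags, or one action with a token-dependent flag, would avoid keeping two copies in sync. Also, `ti` comes straight from `calloc()`, so `ti->flags = PFAAF_INVERT` is sufficient (the `|=` suggests other bits could already be set).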
 
@@ -3789,5 +3801,5 @@
SIMPLEQ_FOREACH(ti, opts-init_nodes, entries) {
if (ti-file)
-   if (pfr_buf_load(ab, ti-file, 0, append_addr)) {
+   if (pfr_buf_load(ab, ti-file, ti-flags  
PFAAF_INVERT, append_addr)) {
if (errno)
yyerror(cannot load \%s\: %s,
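Review bot: passing `ti->flags & PFAAF_INVERT` instead of `ti->flags` masks every other bit at this call site; since `append_addr()` already does `test &= PFAAF_NONETWORK` after reading the invert bit, passing `ti->flags` unmasked would be simpler and consistent with the new flags-based signature. The line is also wrapped by the mailer (`ti-flags  ` / `PFAAF_INVERT, append_addr)) {`), so the patch will not apply as archived.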
@@ -4499,4 +4511,5 @@
{ fastroute,  FASTROUTE},
{ file,   FILENAME},
+   { file-inv,   FILENAMEINV},
{ fingerprints,   FINGERPRINTS},
{ flags,  FLAGS},
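Review bot: the keyword table is searched with `bsearch()`, so it must stay sorted; `file-inv` placed between `file` and `fingerprints` keeps the order correct.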
diff 2 orig/pfctl_radix.c ../pfctl-current/pfctl_radix.c
--- orig/pfctl_radix.c  Thu Nov 18 21:57:46 2004
+++ ../pfctl-current/pfctl_radix.c  Thu Nov 18 21:25:18 2004
@@ -556,5 +556,5 @@
 
 int
-pfr_buf_load(struct pfr_buffer *b, char *file, int nonetwork,
+pfr_buf_load(struct pfr_buffer *b, char *file, int flags,
 int (*append_addr)(struct pfr_buffer *, char *, int))
 {
@@ -573,5 +573,5 @@
}
while ((rv = pfr_next_token(buf, fp)) == 1)
-   if (append_addr(b, buf, nonetwork)) {
+   if (append_addr(b, buf, flags)) {
rv = -1;
break;
diff 2 orig/pfctl_parser.c ../pfctl-current/pfctl_parser.c
--- orig/pfctl_parser.c Thu Nov 18 21:57:45 2004
+++ ../pfctl-current/pfctl_parser.c Thu Nov 18 22:06:08 2004
@@ -1494,4 +1494,5 @@
  * test:
  * if set to 1, only simple addresses are accepted (no netblock, no !).
+ *  bit 1 (PFAAF_INVERT flag) - add given address exclusion
  */
 int
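Review bot: the comment now describes two bits, but its first line still says "if set to 1", which only made sense while `test` was a boolean; rewording it as bit 0 (PFAAF_NONETWORK: only simple addresses accepted) and bit 1 (PFAAF_INVERT: add the given address as an exclusion) would match the new semantics.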
@@ -1500,5 +1501,7 @@
char *r;
struct node_host*h, *n;
-   int  rv, not = 0;
+   int  rv, not = (test  PFAAF_INVERT) ? 1:0;
+
+   test = PFAAF_NONETWORK;
 
for (r = s; *r == '!'; r++)
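Review bot: deriving `not` from the invert bit before masking `test` down to `PFAAF_NONETWORK` is the right order, and the `for (r = s; *r == '!'; r++)` loop below, which handles leading `!` characters, now starts from `not = 1` for inverted files, so an entry already written as `!addr` ends up non-negated; that is the "vice versa" behaviour the feature request described, but it is the non-obvious part and deserves a comment here. Callers such as pfctl_table.c that still pass a 0/1 `nonetwork` value are unaffected because `PFAAF_NONETWORK` is 1.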
-


Re: feature suggest: ability to load/add _inverted_ table file

2004-12-21 Thread Ilya A. Kovalenko
   Here is a diff (against 3.6-stable) that implements loading a list into
a table in inverted form, by a rule like this:

table private file priv_nets.tab file-inv pub_hosts.tab

   Unfortunately, it demands more changes than I expected :(, so I don't
think that it has a chance to be accepted.

---
diff 2 orig/pfctl_parser.h ../pfctl/pfctl_parser.h
--- orig/pfctl_parser.h Tue Dec 21 21:58:31 2004
+++ ../pfctl/pfctl_parser.h Tue Dec 21 22:06:39 2004
@@ -149,4 +149,5 @@
struct node_host*host;
char*file;
+   int  flags;
 };
 
@@ -257,5 +258,5 @@
 struct node_host   *host(const char *);
 
-int append_addr(struct pfr_buffer *, char *, int);
+int append_addr(struct pfr_buffer *, char *, int, int);
 int append_addr_host(struct pfr_buffer *,
struct node_host *, int, int);
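Review bot: changing `append_addr()` to four parameters means every caller must be updated; pfctl_table.c is touched at the end of this diff but the archive copy is cut off there, so the remaining call sites cannot be checked from this mail. The author's shorter version later in this thread avoids the signature change by folding the invert bit into the existing `int` parameter.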
diff 2 orig/pfctl.h ../pfctl/pfctl.h
--- orig/pfctl.hTue Dec 21 21:58:31 2004
+++ ../pfctl/pfctl.hTue Dec 21 22:03:54 2004
@@ -34,4 +34,7 @@
 #define _PFCTL_H_
 
+/* invert table file */
+#define FL_INVERTED  (1)
+
 enum { PFRB_TABLES = 1, PFRB_TSTATS, PFRB_ADDRS, PFRB_ASTATS,
PFRB_IFACES, PFRB_TRANS, PFRB_MAX };
@@ -72,5 +75,5 @@
 int pfr_buf_grow(struct pfr_buffer *, int);
 int pfr_buf_load(struct pfr_buffer *, char *, int,
-   int (*)(struct pfr_buffer *, char *, int));
+   int (*)(struct pfr_buffer *, char *, int, int), int);
 char   *pfr_strerror(int);
 int pfi_get_ifaces(const char *, struct pfi_if *, int *, int);
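Review bot: the new `int` parameter of `pfr_buf_load()` is placed after the function pointer, separated from the `nonetwork` int it is conceptually paired with; since the value is only forwarded to `append_addr()`, folding it into that existing int (as the later version of this diff does) avoids changing both prototypes at all.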
diff 2 orig/parse.y ../pfctl/parse.y
--- orig/parse.yTue Dec 21 21:58:31 2004
+++ ../pfctl/parse.yTue Dec 21 21:58:46 2004
@@ -383,5 +383,5 @@
 %token RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE
 %token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF
-%token MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL
+%token MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME FILENAMEINV ROUTETO DUPTO 
REPLYTO NO LABEL
 %token NOROUTE FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE
 %token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR
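Review bot: the `%token` line has been wrapped by the mailer (`... DUPTO ` / `REPLYTO NO LABEL`), so this hunk will not apply as archived; putting `FILENAMEINV` on its own `%token` line avoids the over-long line altogether.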
@@ -1082,4 +1082,15 @@
table_opts.init_addr = 1;
}
+   | FILENAMEINV STRING{
+   struct node_tinit   *ti;
+
+   if (!(ti = calloc(1, sizeof(*ti
+   err(1, table_opt: calloc);
+   ti-file = $2;
+   ti-flags |= FL_INVERTED;
+   SIMPLEQ_INSERT_TAIL(table_opts.init_nodes, ti,
+   entries);
+   table_opts.init_addr = 1;
+   }
;
 
@@ -3617,5 +3628,5 @@
SIMPLEQ_FOREACH(ti, opts-init_nodes, entries) {
if (ti-file)
-   if (pfr_buf_load(ab, ti-file, 0, append_addr)) {
+   if (pfr_buf_load(ab, ti-file, 0, append_addr, 
ti-flags)) {
if (errno)
yyerror(cannot load \%s\: %s,
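Review bot: same mail wrapping here (`append_addr, ` / `ti-flags)) {`), so the hunk needs rejoining before it applies; apart from that, the call correctly forwards `ti->flags` while leaving the `nonetwork` argument at 0 for table files.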
@@ -4327,4 +4338,5 @@
{ fastroute,  FASTROUTE},
{ file,   FILENAME},
+   { file-inv,   FILENAMEINV},
{ fingerprints,   FINGERPRINTS},
{ flags,  FLAGS},
diff 2 orig/pfctl_radix.c ../pfctl/pfctl_radix.c
--- orig/pfctl_radix.c  Tue Dec 21 21:58:31 2004
+++ ../pfctl/pfctl_radix.c  Tue Dec 21 22:08:01 2004
@@ -557,5 +557,5 @@
 int
 pfr_buf_load(struct pfr_buffer *b, char *file, int nonetwork,
-int (*append_addr)(struct pfr_buffer *, char *, int))
+int (*append_addr)(struct pfr_buffer *, char *, int, int), int flags)
 {
FILE*fp;
@@ -573,5 +573,5 @@
}
while ((rv = pfr_next_token(buf, fp)) == 1)
-   if (append_addr(b, buf, nonetwork)) {
+   if (append_addr(b, buf, nonetwork, flags)) {
rv = -1;
break;
diff 2 orig/pfctl_parser.c ../pfctl/pfctl_parser.c
--- orig/pfctl_parser.c Tue Dec 21 21:58:31 2004
+++ ../pfctl/pfctl_parser.c Tue Dec 21 21:58:46 2004
@@ -1455,9 +1455,9 @@
  */
 int
-append_addr(struct pfr_buffer *b, char *s, int test)
+append_addr(struct pfr_buffer *b, char *s, int test, int flags)
 {
char *r;
struct node_host*h, *n;
-   int  rv, not = 0;
+   int  rv, not = (flags  FL_INVERTED) ? 1:0;
 
for (r = s; *r == '!'; r++)
diff 2 orig/pfctl_table.c ../pfctl/pfctl_table.c
--- orig/pfctl_table.c  Tue Dec 21 21:58:31 2004
+++ ../pfctl/pfctl_table.c  Tue Dec 21 21:58:46 2004
@@ -375,10 +375,10 @@
 {
while (argc--)
-   if (append_addr(b, 
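Review bot: the pfctl_table.c hunk is truncated mid-line (`if (append_addr(b, `) in this archive copy, so the updated call cannot be reviewed here; with the four-argument signature it must pass a flags value for the command-line case, presumably 0.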

Re[2]: feature suggest: ability to load/add _inverted_ table file

2004-12-20 Thread Ilya A. Kovalenko
>>   Feature to load/add address list from file onto table in INVERTED
>> form (i.e. replacing A.B.C.D -> ! A.B.C.D & vice versa) from
>> table rule (sth. like file-inverted name) and command line
>> (sth. like -T add-inverted/load-inverted).

DH> You could use sed(1) to do that, like

DH>   # sed -e 's/^/!/' -e 's/^!!//' file | pfctl -t foo -Ta -f -

Yes, you're right. There are no reasons for an extra command line interface.
But I can't do the same thing in /etc/pf.conf, because the table rule can only
summarize list files.

Of course, I can always generate inverted files or even fully compiled
list files with some external utilities, and load rules after generation,
but non-standard solutions cause specific problems.



Re[2]: Note: states with asymmetric routing

2004-11-25 Thread Ilya A. Kovalenko
>>   Stateful inspection on a gateway can hamper TCP connections when
>> inbound or outbound packets go another route (i.e. when one of the
>> directions does not go through the gateway).

kpo> well, yeah. How is a firewall supposed to deduce state if it doesn't
kpo> see any replies? psychic deduction?

   You totally miss my point.
   I'm not asking why PF behaves this way. I am a programmer,
and I guess I can understand it well enough.

   The only thing I want to do is to notify PF developers and users
that stateful inspection seems not to be applicable to cases with
asymmetric routing.

>>   The connection works fine at a low rate, but fast transfers stop at
>> each 64K (because PF suddenly stops passing packets).
>>
>>   I guess it is not a bug, just some feature (like some
>> TCP-window-related state protection). So think about whether there are
>> reasons to correct this PF behavior.

found something in the man page
--8<--- man pf.conf ---8<-
This has several advantages.  Comparing a packet to a state involves
checking its sequence numbers.  If the sequence numbers are outside the
narrow windows of expected values, the packet is dropped.  This prevents
spoofing attacks, such as when an attacker sends packets with a fake
source address/port but does not know the connection's sequence numbers.
--8<--- man pf.conf ---8<-

kpo> Correct? If you can design a prescient packet filter, then more
kpo> power to you.

  In general, prescience is a hardware problem :)

  Seriously, there are a couple of things that can be done to solve such
a case without prescience. Of course, ONLY if the developers think it's
important enough.
  For example, it is possible to make PF smart enough to detect
asymmetric routing and turn off the checks that cannot be performed on
such states.
  Or add the ability to select a lighter inspection mode for such
cases (with a postfix like keep light-state :).

  Anyway, I can't and do not try to decide anything for the developers.

Ilya A. Kovalenko  (mailto:[EMAIL PROTECTED])
S.A. SpecialEQ SW section
JSC Oganer-Service




Re: traffic leaking out on PPP connection

2004-11-25 Thread Ilya A. Kovalenko
PM> My firewall is pretty tight.  I block all incoming by default and let out
PM> only certain destination ports.  I'm currently filtering on external interface only.

PM> Now I decided to do a check on all outgoing traffic
PM> (filtering out of course the allowed ports)
PM> and I made an interesting discovery.

PM> I am on dial-up (PPP) with a Canadian ISP (Sympatico) and I
PM> am sending out regular replies to
PM> port 135.  I figured this is due to PPP tunneling.  In 15
PM> minutes I was replying to about a
PM> dozen different IP addresses but they all resolve back to my ISPs servers
PM> (or clients?):

These hosts are probably infected with the Lovesan (aka MS-blast) virus. It
scans networks for vulnerable Windows boxes to infect.

But you should see it as incoming requests, to which your host replies.

Ilya A. Kovalenko   mailto:[EMAIL PROTECTED]


Re[2]: Note: states with asymmetric routing

2004-11-25 Thread Ilya A. Kovalenko
JO> i will assume that you do not have delusions that this should work with
JO> NAT-ed connections, because it most certainly will not.

Of course it will not, because pf must alter both directions.






Note: states with asymmetric routing

2004-11-23 Thread Ilya A. Kovalenko
   Greetings,

  Just a note.

  Stateful inspection on a gateway can hamper TCP connections when
inbound or outbound packets go another route (i.e. when one of the
directions does not go through the gateway).

  The connection works fine at a low rate, but fast transfers stop at
each 64K (because PF suddenly stops passing packets).

  I guess it is not a bug, just some feature (like some
TCP-window-related state protection). So think about whether there are
reasons to correct this PF behavior.

Thank you

Ilya A. Kovalenko




Re: preventing state runaway

2004-08-24 Thread Ilya A. Kovalenko
JW> Summer is over.  School is back in session.  The 4,500 students behind my
JW> OpenBSD 3.5 pf firewall are mostly settled into their dorm rooms.  My
JW> nightmare begins.  A single Blaster infection can spray out thousands of
JW> connections in seconds.  One sad day, I had to reboot my firewall three or
JW> four times before we could identify and disconnect the offending
JW> student(s).

hmm ... what about just
block in quick proto tcp from any to any port {135, 137, 445}

works fine for me

Ilya A. Kovalenko


SOLVED: TODO: pass unidir. TCP connections

2004-08-20 Thread Ilya A. Kovalenko
   Hurray! Solved by the following change:

- pass  in  proto tcp  from nPrivate  to nPublic keep state
+ pass  out proto tcp  from nPrivate  to nPublic keep state

  I think the community NEEDS documentation about PF's stateful
inspection, its internal organization, possibilities and limitations.

  Documentation, not a mailing list archive (I guess nobody needs an
explanation of the difference).

Thank you.

Ilya A. Kovalenko
S.A, SpecialEQ SW section
JSC Oganer-Service

For archives:

IAK>   I'm trying to pass any outgoing TCP connections from my
IAK> office (nPrivate) to campus network (nPublic) sites,
IAK> but block any incoming connections from campus to office.

IAK> Can I use for it a PF ruleset like this (on a 2-interface GW
IAK> between office & campus)?
IAK>
IAK>  block in all
IAK>  block return-rst in proto tcp  all
IAK>
IAK>  pass in on lo0 all
IAK>
IAK>  pass  in  from nPublic  to nPublic
IAK>  pass  in  from nPrivate to nPublic
IAK>  pass  in  from nPrivate to nPrivate
IAK>
IAK>  pass  in proto tcp  from nPrivate  to nPublic keep state
IAK>

IAK> I supposed that the last rule would create a state for the
IAK> outgoing connection and pass all campus packets for it.
IAK>   But it seems not to work ... or I missed some other
IAK> factors.

IAK>    tcpdump(8) shows this interchange:

IAK>    OFFICE     ________     CAMPUS
IAK>              |        |
IAK>     SYN  ->  |   GW   |  ->  SYN
IAK>              |        |  <-  SYN ACK
IAK>              |        |  ->  RST
IAK>     and      |        |
IAK>     again    |        |
IAK>     SYN  ->  |        |  ->  SYN
IAK>              |        |  <-  SYN ACK
IAK>              |________|  ->  RST

IAK>    Should such a ruleset work?
IAK> Previously, I've used a construction like this

IAK>  pass  in proto tcp  from nPublic  to nPrivate
IAK>  block in proto tcp  from nPublic  to nPrivate flags S/SA

IAK> but it has a security issue: a public host could send a spoofed
IAK> TCP packet, to which an internal host responds with RST.
IAK>   So a public host could perform a ping-scan (with nmap, for example)
IAK> of the internal network.



TODO: pass unidir. TCP connections

2004-08-19 Thread Ilya A. Kovalenko
Addition (GW behavior description):


[ ... skipped ... ]
  outgoing connection and pass all campus packets for it.
But it seems to does not work ... or I missed some other
  factors.
+
+  tcpdump(8) shows this interchange:
+
+   OFFICE     ________     CAMPUS
+             |        |
+    SYN  ->  |   GW   |  ->  SYN
+             |        |  <-  SYN ACK
+             |        |  ->  RST
+    and      |        |
+    again    |        |
+    SYN  ->  |        |  ->  SYN
+             |        |  <-  SYN ACK
+             |________|  ->  RST
+
-Should it work ?
+Should such ruleset work ?
  
  Previously, I've used construction like this
[ ... skipped ... ]
-

Ilya A. Kovalenko




TODO: pass unidir. TCP connections

2004-08-19 Thread Ilya A. Kovalenko
   Good day,

  I'm trying to pass any outgoing TCP connections from my
office (nPrivate) to campus network (nPublic) sites,
but block any incoming connections from campus to office.

Can I use for it a PF ruleset like this (on a 2-interface GW
between office & campus)?

 block in all
 block return-rst in proto tcp  all

 pass in on lo0 all

 pass  in  from nPublic  to nPublic
 pass  in  from nPrivate to nPublic
 pass  in  from nPrivate to nPrivate

 pass  in proto tcp  from nPrivate  to nPublic keep state


I supposed that the last rule would create a state for the
outgoing connection and pass all campus packets for it.
  But it seems not to work ... or I missed some other
factors.
  Should it work?

Previously, I've used a construction like this

 pass  in proto tcp  from nPublic  to nPrivate
 block in proto tcp  from nPublic  to nPrivate flags S/SA

but it has a security issue: a public host could send a spoofed
TCP packet, to which an internal host responds with RST.
  So a public host could perform a ping-scan (with nmap, for example)
of the internal network.

(feel free to send any RTFM links)

Thank you.

Ilya A. Kovalenko
S.A, SpecialEQ SW section
JSC Oganer-Service




ruleset tracing

2004-07-10 Thread Ilya A. Kovalenko
 Greetings,

  Reckon it a mad idea.

  Are there any possibilities/ideas for PF ruleset tracing: automatically
finding out the last matching rule for specific packet(s), on the active
(kernel) ruleset or on a ruleset loaded into some kind of filter emulation?

Best regards,

Ilya A. Kovalenko



Re[2]: Inet on table

2004-07-09 Thread Ilya A. Kovalenko
CB> But the real question I've is why do you need that.
CB> You can just do the opposite table:

CB> table x { 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}

CB> And then use the table in negative rules, like:

CB> pass in from !x

hmm, yes, it's a better idea.





Inet on table

2004-07-08 Thread Ilya A. Kovalenko
 Good time of day,

  I want to define a table that includes all Internet IP
addresses (i.e. all except fake ones).

  An excludes-only table does not work:
table nInet {!192.168.0.0/16 !172.16.0.0/12 !10.0.0.0/8}

  How can I add all IP addresses to a table?

  any  causes an error
  0/0  does not work (as said in the FAQ)
  the construction 0/1 128/1 seems to work

  How should I do it?

Thank you.

Ilya A. Kovalenko
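An added example, not from the thread: since neither a negated-only table nor 0/0 did the job, the following Python script (standard `ipaddress` module, Python 3.7 or later) computes the complement of the excluded networks as ordinary positive CIDR blocks, which can be written straight into a table file or a `table <nInet> { ... }` line. It is the same computation that would serve the inverted-table-file threads earlier on this page: one positive table instead of negated entries. The `split_default` option replaces `0.0.0.0/0` with `0.0.0.0/1` and `128.0.0.0/1`, the workaround the post reports as working.

```python
import ipaddress


def complement(excluded, universe='0.0.0.0/0', split_default=False):
    """Return the sorted list of CIDR blocks covering `universe` minus `excluded`.

    CIDR blocks are either disjoint or nested, so each excluded block is
    either outside a remaining block, equal to / inside it (carve it out
    with address_exclude), or contains it (drop it entirely).
    """
    remaining = [ipaddress.ip_network(universe)]
    for ex in (ipaddress.ip_network(e) for e in excluded):
        nxt = []
        for net in remaining:
            if ex.subnet_of(net):
                nxt.extend(net.address_exclude(ex))  # yields nothing if ex == net
            elif net.subnet_of(ex):
                continue  # wholly excluded
            else:
                nxt.append(net)
        remaining = nxt
    result = sorted(ipaddress.collapse_addresses(remaining))
    if split_default:
        # Workaround from the post: 0/0 was rejected, 0/1 plus 128/1 worked.
        result = [sub for net in result
                  for sub in (net.subnets(prefixlen_diff=1) if net.prefixlen == 0 else [net])]
    return result


def covers(nets, ip):
    """True if the address falls inside one of the blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def excluded_leak(nets, excluded):
    """(net, excluded) pairs that overlap; an empty list means the complement is clean."""
    exs = [ipaddress.ip_network(e) for e in excluded]
    return [(str(n), str(e)) for n in nets for e in exs if n.overlaps(e)]


def pf_table(name, nets):
    """Render a pf.conf table definition in the one-line form."""
    return 'table <%s> { %s }' % (name, ' '.join(str(n) for n in nets))


def table_file(nets):
    """Render the one-address-per-line form for `table <x> file "..."`."""
    return '\n'.join(str(n) for n in nets) + '\n'


# The three RFC 1918 ranges the post excludes.
PRIVATE = ['192.168.0.0/16', '172.16.0.0/12', '10.0.0.0/8']

if __name__ == '__main__':
    inet = complement(PRIVATE)
    print(pf_table('nInet', inet))
    print(f'{len(inet)} blocks, {sum(n.num_addresses for n in inet)} addresses')
```

The generated list is a few dozen blocks; pf's radix table lookup does not care about that count, and the same script regenerates the file whenever the exclusion list changes, which is the "external utilities" route the later reply in the inverted-table thread mentions.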



HFSC on PF FAQ

2004-04-22 Thread Ilya A. Kovalenko
 Greetings,

  Shall we ever see the HFSC scheduler in the PF FAQ Queueing section?

Thank you.

Ilya A. Kovalenko   (mailto:[EMAIL PROTECTED])
S.A.
JSC Oganer-Service




Re: Per direction rule counters in PF

2004-03-23 Thread Ilya A. Kovalenko
MOB> Does anyone know, how to account per-direction traffic with PF?

MOB> Imagine I have a rule:
MOB> pass in on $int_if from $some_machine to any keep state label some-machine

MOB> When I invoke /sbin/pfctl -sl I get something like:
MOB> some-machine 5904 2510 130379

MOB> where 130371 (the last number) is the TOTAL traffic that was generated by
MOB> the named rule.
MOB> I wish I could know the amount of incoming traffic for that machine
MOB> separately from
MOB> the outgoing.

AFAIK: write two rules (one for each direction) and don't use keep state




ALTQ filter rules

2003-12-27 Thread Ilya A. Kovalenko
Good time of day,

  When ALTQ was merged with PF, it became much more flexible.

  But now, packets can be assigned to a specific queue only by a filter rule.

That's fine when the filter and queue layouts are the same.
But if they aren't, we have issues:
   superfluous filter rules (added for queuing only)
   the necessity of a queue modifier in _each_ rule that controls
non-default-queue packets

  I suggest creating a new type of rule: queuing filters. The same as
(packet) filter rules, except for one thing: no pass or block
action.
  Let them define the default queue assignment, applied to
(packet) filter rules without a queue modifier and to implicit rules.

   Example pf.conf (for illustration only)

# Queueing: rule-based bandwidth control.
altq on if0 bandwidth 2Mb cbq queue { dflt, developers, marketing }
queue dflt bandwidth 5% cbq(default)
queue developers bandwidth 80%
queue marketing  bandwidth 15%

# Queueing filters: defines default queue assignment
#  developers subnet
assign   out on if0 from 10.0.1.0/24 to any   queue developers
#  un-assign person from developers (re-assign to default)
assign   out on if0 from 10.0.1.125  to any
#  marketing subnet
assign   out on if0 from 10.0.2.0/24 to any   queue marketing
#  developer on marketing subnet
assign   out on if0 from 10.0.2.35   to any   queue developers
#  ssh traffic
assign   in  on if0 proto tcp from any to any port 22 keep state queue developers

# Filtering:

#  Repository access
block in on if0 from any to $hRepository
#  pass developers (assigned to developers queue)
pass  in on if0 from 10.0.1.0/24 to $hRepository
block in on if0 from 10.0.1.125  to $hRepository
pass  in on if0 from 10.0.2.35   to $hRepository

#  exclusion: pass _marketing_ person to repository with
#  developers bandwidth
#  (re-assigning Repository traffic to the developers queue)
pass  in on if0 from 10.0.2.34 to $hRepository queue developers

Something like that ...

This would leave PF more flexible & powerful.



Ilya A. Kovalenko  (mailto:[EMAIL PROTECTED])
S.A.
JSC Oganer-Service
Special Equipment Software Section