Re: your mail

2007-11-14 Thread Michael W. Lucas
On Wed, Nov 14, 2007 at 01:21:00PM +0100, Johan Ström wrote:
> Hello
> First, I've sent this mail to freebsd-pf and freebsd-stable without
> any results, so let's try here too!
> 
> I've got a FreeBSD 6.2 box running a few jails, with a pretty strict PF
> ruleset. I have a problem with traffic between two of the jails. Both
> have public IPs (one of them has two, using the jail-multiple-ip
> patch). The problem I have is when they are to talk with each other.
> First let me describe the PF ruleset (somewhat stripped down, but
> this should be the relevant stuff):
> 
> jail1=xx.xx.xx.131
> jail2a=xx.xx.xx.133
> jail2b=xx.xx.xx.134
> scrub in all
> block drop in log
> # base system talk to itself
> pass in on lo0 inet from 127.0.0.1 to 127.0.0.1
> 
> # all can talk out
> pass out on em0 proto tcp flags S/SA modulate state
> pass out on em0 proto udp keep state
> 
> # jails talk to themselves
> pass in on lo0 inet from $jail1 to $jail1
> pass in on lo0 inet from {$jail2a $jail2b} to {$jail2a $jail2b}

If the jail is bound to the external NIC, won't it try to talk to the
other jail on that NIC and not on lo0?

> 
> # let smtp in on jail1
> pass in on {lo0 em0} inet proto tcp from any to $jail1 port smtp  
> flags S/SA modulate state
> 
> Okay, so the problem occurs when jail2 shall talk to jail1 on port 25  
> (smtp). From the above rules, when the traffic leaves jail2 (traffic  
> comes from $jail2b it seems) it should match the last rule and create  
> a state. And so it does!
> 
> self tcp xx.xx.xx:25 <- xx.xx.xx.134:57557   SYN_SENT:ESTABLISHED
>   [3014249759 + 65536](+2074393365) wscale 1  [4121000179 + 65536](+541973245) wscale 1
>   age 00:01:03, expires in 00:00:01, 7:10 pkts, 384:640 bytes
> 
> So the SYN arrives at $jail1, but the SYNACK fails to go back to
> $jail2b (where the state should let the packet back in?), which is
> also seen in the following row from pflog0:
> 
> 09:30:34.370402 rule 1/0(match): block in on lo0: (tos 0x0, ttl 64, id 35618, offset 0, flags [DF], proto: TCP (6), length: 64) xx.xx.xx.131.25 > xx.xx.xx.134.57557: S 793675827:793675827(0) ack 4121000179 win 65535
> 
> So.. What have I missed? The state is created but it doesn't seem to
> match enough bytes or something? 384:640 matched packets, so it
> matches in both directions?
> 
> Any clues are welcome! Thanks
> 
> --
> Johan Ström
> Stromnet
> [EMAIL PROTECTED]
> http://www.stromnet.se/

-- 
Michael W. Lucas    [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/
  Now Shipping: "Absolute FreeBSD" -- http://www.AbsoluteFreeBSD.com
On 5/4/2007, the TSA kept 3 pairs of my soiled undies "for security reasons."
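A small correlator for the two outputs quoted in the question (pfctl -ss state lines and tcpdump-rendered pflog lines), added here as an example and not part of the thread: it parses both formats, pairs each blocked packet with the state whose 5-tuple it matches, and reports whether the packet was seen in the direction PF expects for that state (a state created by a pass in rule matches its reply only on the way out). The addresses are constructed documentation-range values standing in for the post's xx.xx.xx ones.

```python
import re
from collections import namedtuple

# Constructed sample in documentation address ranges, shaped like the lines
# quoted in the post: jail1 = 192.0.2.131, jail2b = 192.0.2.134.
STATES = """\
self tcp 192.0.2.131:25 <- 192.0.2.134:57557       SYN_SENT:ESTABLISHED
self tcp 192.0.2.131:22 <- 203.0.113.9:40112       ESTABLISHED:ESTABLISHED
"""
PFLOG = """\
09:30:34.370402 rule 1/0(match): block in on lo0: (tos 0x0, ttl 64, id 35618, offset 0, flags [DF], proto: TCP (6), length: 64) 192.0.2.131.25 > 192.0.2.134.57557: S 793675827:793675827(0) ack 4121000179 win 65535
09:30:35.120000 rule 1/0(match): block in on em0: (tos 0x0, ttl 52, id 7, offset 0, flags [DF], proto: TCP (6), length: 60) 203.0.113.7.4444 > 192.0.2.131.25: S 1:1(0) win 5840
"""

# pfctl -ss: "A <- B" is an inbound state created by B talking to A, "A -> B"
# an outbound state created by A talking to B; "(nat)" may follow either side.
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<a>\d+\.\d+\.\d+\.\d+):(?P<ap>\d+)(?:\s+\([^)]*\))?\s+(?P<arrow><-|->)\s+"
    r"(?P<b>\d+\.\d+\.\d+\.\d+):(?P<bp>\d+)(?:\s+\([^)]*\))?\s+(?P<tcp>\S+)")
# pflog as printed by tcpdump: rule, action, direction, interface, protocol, 5-tuple.
PFLOG_RE = re.compile(
    r"rule \d+/\d+\(\w+\): (?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+):"
    r".*?proto: (?P<proto>\w+) \(\d+\).*?\)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sp>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dp>\d+):")

# ifname "self" is a floating state; direction/src/dst describe the creating packet.
State = namedtuple("State", "ifname proto direction src dst tcp_state")
Packet = namedtuple("Packet", "action direction ifname proto src dst")

def parse_state(line):
    m = STATE_RE.match(line)
    if not m:
        return None
    a, b = (m["a"], int(m["ap"])), (m["b"], int(m["bp"]))
    if m["arrow"] == "<-":
        return State(m["ifname"], m["proto"], "in", b, a, m["tcp"])
    return State(m["ifname"], m["proto"], "out", a, b, m["tcp"])

def parse_pflog(line):
    m = PFLOG_RE.search(line)
    if not m:
        return None
    return Packet(m["action"], m["dir"], m["ifname"], m["proto"].lower(),
                  (m["src"], int(m["sp"])), (m["dst"], int(m["dp"])))

def classify(pkt, states):
    # Returns (verdict, matching state or None) for one logged packet.
    for st in states:
        if st.proto != pkt.proto:
            continue
        if (pkt.src, pkt.dst) == (st.src, st.dst):
            kind, expected = "forward", st.direction
        elif (pkt.src, pkt.dst) == (st.dst, st.src):
            # PF matches a reply to a state only in the direction opposite to
            # the packet that created it: a pass-in state expects replies out.
            kind, expected = "reply", "out" if st.direction == "in" else "in"
        else:
            continue
        return (f"{kind}-ok" if pkt.direction == expected
                else f"{kind}-direction-mismatch"), st
    return "no-state", None

def correlate(state_lines, pflog_lines):
    # Pair every blocked pflog packet with the state it should have hit.
    states = [s for s in map(parse_state, state_lines) if s]
    findings = []
    for pkt in filter(None, map(parse_pflog, pflog_lines)):
        if pkt.action == "block":
            verdict, st = classify(pkt, states)
            findings.append({"packet": pkt, "verdict": verdict, "state": st})
    return findings
```

On the sample, the SYN-ACK from :25 is reported as a reply-direction-mismatch: the state was created inbound, yet the reply also arrived inbound on lo0, so the default block rule is what logged it.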


Re: Need more performance (FreeBSD or OpenBSD)

2007-11-02 Thread Michael W. Lucas
On Fri, Nov 02, 2007 at 10:11:00AM +0100, Peter N. M. Hansteen wrote:
> Michael J McCafferty <[EMAIL PROTECTED]> writes:
> 
> > Should I use OpenBSD 4.2 with the improvements in speed in PF but only
> > use one of the two (or more cores) or shall I use FreeBSD 6.2 to be able
> 
> I haven't really stress tested either of them, but all reports
> indicate that PF in 4.2 is significantly faster than in earlier
> versions.  The PF in FreeBSD 6 is OpenBSD 3.7-equivalent or
> thereabouts so moving the config from any recent OpenBSD could mean
> some pf.conf editing depending on just what features you use.
> 
> My first choice would be to upgrade to OpenBSD 4.2, but I'm also
> slightly curious about a direct comparison of FreeBSD vs OpenBSD
> performance on the same hardware.


Use FreeBSD 7.0 if you want new PF and a higher-performing network
stack.  7 has lots of networking improvements over FreeBSD 6.

I have no idea about OpenBSD 4.2/PF against FreeBSD 7/PF.  Both
releases have made substantial gains.

It actually seems to me that you're in an ideal position to create
those comparison benchmarks.  One host with each OS, using CARP to
failover between them.  I suspect that both groups of developers would
be interested in the results.  Once you have made a decision,
upgrading one is simpler than changing both.

(I used to have a PF cluster with this configuration, a couple years
ago.  It worked just fine, and when I suspected OS-related bugs I would
swap from one to the other.  In every case my suspected bug turned out
to be operator error, but wow, did I learn a lot about TCP/IP and
traffic shaping. :-)

==ml

-- 
Michael W. Lucas    [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/
  Coming Soon: "Absolute FreeBSD" -- http://www.AbsoluteFreeBSD.com
On 5/4/2007, the TSA kept 3 pairs of my soiled undies "for security reasons."


Re: altq chokes on userland pppoe

2007-05-12 Thread Michael W. Lucas
On Fri, May 11, 2007 at 09:42:47PM +0200, Tobias Freitag wrote:
> Hi list,
> 
> 
> the altq setup on my dsl line seems to be caught in a vicious cycle. Traffic
> goes up and down in a regular cycle of about 4 seconds when it converges
> towards the specified limit. A diagram of sent bytes over time (in seconds)
> is attached. (red=working state, green=choked state, blue=bandwidth limit)

Hi,

Attachments are stripped from the mailing list.  Can you put your
diagram on a Web page?

Thanks,
==ml

-- 
Michael W. Lucas    [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/
Latest book: PGP & GPG -- http://www.pgpandgpg.com
On 5/4/2007, the TSA kept 3 pairs of my soiled undies "for security reasons."


Re: Real-world production experiences with pf please...

2007-05-06 Thread Michael W. Lucas
On Sun, May 06, 2007 at 05:10:19PM +0200, Henning Brauer wrote:
> * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-05-04 09:12]:
> > Hi,
> > 
> > I have some time to come up with a new firewall/router/vpn solution
> > for our datacentre, and I'm considering a shiny new server with
> > OpenBSD and pf instead of a costly PIX. On the part of our network
> > that I'm doing this for we might see maximum 20Mbit/s unencrypted
> > traffic.
> > 
> > Is anyone using an OpenBSD/pf solution in a production environment
> > like this? What hardware are you using? How's it holding up? :-)
> 
> for breakfast, yeah.
> 
> with reasonable network cards and a reasonable ruleset pretty much any
> system made in the last, what, make it 2 years, should be able to do
> several hundred MBit/s.
> 
> the max I have going thru an OpenBSD box at a customer is in the 750 
> MBit/s range (and that doesn't max out the machine), but that is 
> without pf and a carefully hand-crafted kernel.
> 
> with pf, not sure where i have the biggest install... there are certainly
> customers in the 50 MBit/s range where the machines mostly idle.
> usually performance is just not a problem, so I don't look at these
> numbers too closely...

Three years ago, I ran PF/altq in a datacenter on crap hardware.  We
handled 60-90Mb/s easily, with a default block policy and extensive
ALTQ CBQ throttling.  While I optimized the rules as per the PF FAQ, I
did no kernel customization, no tweaking, no so-called optimizations.
See this link:

http://www.oreillynet.com/sysadmin/blog/2004/05/bsd_success_stories_1.html

Look at the story "BSD in a Panic," that was me.

The machine in question was, IIRC, a P500, 256 MB RAM.  Once the panic
was over, I wound up installing pfflowd as well.  The machine was
*still* mostly idle.  I thought about putting DNS on it as well but
decided that would be pushing my luck.

OpenBSD and PF rock, hands-down.  I've moved on from that employer
now, but I *still* use OpenBSD/PF whenever I can.  Frequently, to
replace PIX solutions that just don't handle the load...

==ml

-- 
Michael W. Lucas    [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/
Latest book: PGP & GPG -- http://www.pgpandgpg.com
On 5/4/2007, the TSA kept 3 pairs of my soiled undies "for security reasons."


PF and multicast traffic

2005-06-22 Thread Michael W. Lucas

Hi,

I have two FreeBSD 5.4-stable i386 boxes running PF in the typical
failover configuration: one external interface, one internal, one
sync.  I also have softflowd running on the internal interface of both
systems, to capture traffic flow information.

About a week and a half ago, I started seeing massive bandwidth spikes
via softflowd.  Oddly enough, these are coming from one of the sync
interfaces (192.168.0.1) and going to 224.0.0.240.

So, my questions are:

a) should I be seeing multicast traffic from the sync interface on the
internal network?

b) why would these spikes be occurring all of a sudden?  Our change
control system shows that nothing has been done other than opening
ports 80 and 443 to a couple of IP addresses.  Any thoughts on where
to check?

==ml

-- 
Michael W. Lucas    [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/

"The cloak of anonymity protects me from the nuisance of caring." -Non Sequitur


Re: dup-to problem with specific packets

2005-04-14 Thread Michael W. Lucas
On Wed, Apr 13, 2005 at 07:55:22PM +0100, Kimi Ostro wrote:
> On 4/11/05, Michael W. Lucas <[EMAIL PROTECTED]> wrote:
> > Hi,
> > 
> > I'm trying to duplicate packets matching one particular rule.
> > 
> > Background: I have softflowd running on OpenBSD 3.5 i386.  This is
> > exporting flows to a logging host.  Works beautifully.
> > 
> > The old logging host is being replaced.  I would like to run the two
> > logging hosts in parallel temporarily, until I'm sure all the bugs are
> > out of the new one.
> > 
> > While I could fire up a second instance of softflowd, it seems like
> > this would be a good application of dup-to.  I don't want to duplicate
> > the entire mass of traffic going through this box, just the netflow
> > packets.
> > 
> > pass out on $int_if proto udp from any to a.b.c.251 port 8641 dup-to ($int_if a.b.c.252)
> > 
> Should probably read:
> pass out on $int_if proto udp from any to a.b.c.251 port 8641 (dup-to a.b.c.252)

Thanks, but that doesn't do it either.  :-(  Any other suggestions?

The rule parses perfectly if I put a # sign right before the dup-to,
so I know the rest of it is correct.

I'm sending this duplicate out via the same interface as the original
packet, could that be the problem?  The samples tend to show people
dumping traffic over a different NIC, but that won't work in this
case.  Since netflow transmission is stateless I wasn't expecting any
sort of trouble, but I freely admit that lots of people here know more
than I do.  :-)

==ml

-- 
Michael W. Lucas    [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/
   Latest book: Cisco Routers for the Desperate
http://www.CiscoRoutersForTheDesperate.com


dup-to problem with specific packets

2005-04-11 Thread Michael W. Lucas
Hi,

I'm trying to duplicate packets matching one particular rule.

Background: I have softflowd running on OpenBSD 3.5 i386.  This is
exporting flows to a logging host.  Works beautifully.

The old logging host is being replaced.  I would like to run the two
logging hosts in parallel temporarily, until I'm sure all the bugs are
out of the new one.

While I could fire up a second instance of softflowd, it seems like
this would be a good application of dup-to.  I don't want to duplicate
the entire mass of traffic going through this box, just the netflow
packets.

pass out on $int_if proto udp from any to a.b.c.251 port 8641 dup-to ($int_if a.b.c.252)

(port number changed to protect the guilty, of course)

pfctl -nf gives me a syntax error on line 80, but won't be specific on
what the problem is.

Any suggestions?  Or am I just outright misunderstanding dup-to?

Thanks,

==ml

-- 
Michael W. Lucas    [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/
   Latest book: Cisco Routers for the Desperate
http://www.CiscoRoutersForTheDesperate.com
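In the pf.conf(5) grammar of OpenBSD 3.5 the route clause (route-to, reply-to or dup-to) comes directly after the "on" interface clause, ahead of the address family, protocol and host specification, so a dup-to placed at the end of the rule, as in both versions tried in this thread, is what pfctl rejects as a syntax error. The fragment below is an added example and not from the thread; it keeps the post's placeholder addresses and assumes an interface name for $int_if.

```pf
int_if = "em1"      # assumed interface name behind the post's $int_if macro

# Rule order in pf.conf(5): action, direction, log, quick, "on" interface,
# route clause (route-to | reply-to | dup-to), address family, protocol,
# hosts, filter options.  The dup-to clause therefore sits between
# "on $int_if" and "proto udp", not after the port.
pass out on $int_if dup-to ($int_if a.b.c.252) proto udp \
    from any to a.b.c.251 port 8641

# Parse the ruleset without loading it:
#   pfctl -nf /etc/pf.conf
```

dup-to only routes a copy of the packet to the given next hop; the copy still carries the original destination address a.b.c.251, so the collector on a.b.c.252 has to accept or sniff packets addressed to a.b.c.251 rather than expecting them on its own address.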


Re: PF and promiscuous mode

2005-03-22 Thread Michael W. Lucas
On Sat, Mar 19, 2005 at 10:53:35AM +0800, Eduardo Tongson wrote:
> On Fri, 18 Mar 2005 10:48:45 -0500, Michael W. Lucas
> <[EMAIL PROTECTED]> wrote:
> > (Context: I'm also using softflowd to export bandwidth usage into
> > Netflow.  (For those who don't know, softflowd puts the interface into
> > promiscuous mode and sniffs the traffic, transmitting flow information
> > to a collector.  It hooks into the stack right where tcpdump does.)
> 
> btw why not pfflowd?

Because softflowd had support for netflow v8 packets a few days before
pfflowd, and I *had* to have it during that window.  :-)

==ml

-- 
Michael W. Lucas    [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/
   Latest book: Cisco Routers for the Desperate
http://www.CiscoRoutersForTheDesperate.com


PF and promiscuous mode

2005-03-18 Thread Michael W. Lucas

Hi,

I'm using two PF boxes as traffic shapers, with CARP, running 3.5
GENERIC#127 i386 (to be updated to 3.7 as soon as it hits the
shelves.)

Will promiscuous mode see traffic before or after queueing on an
interface?

(Context: I'm also using softflowd to export bandwidth usage into
Netflow.  (For those who don't know, softflowd puts the interface into
promiscuous mode and sniffs the traffic, transmitting flow information
to a collector.  It hooks into the stack right where tcpdump does.)

At times, netflow shows that traffic exceeds that permitted by the
queueing.  These are usually very brief periods.  I'm wondering if the
system is capturing unshaped traffic before it is throttled by altq.)

==ml

-- 
Michael W. Lucas    [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/
   Latest book: Cisco Routers for the Desperate
http://www.CiscoRoutersForTheDesperate.com


Re: pfctl: carp0: driver does not support altq

2005-01-06 Thread Michael W. Lucas
On Thu, Jan 06, 2005 at 08:59:53PM +0800, Lars Hansson wrote:
> Michael W. Lucas wrote:
> >I'd like to have live failover on my traffic shaper box, but when I
> >try to queue on the carp interface I get the error "pfctl: carp0:
> >driver does not support altq"
> 
> WHy are you trying to queue on the carp interfaces and not on
> the real interfaces?

If that will work, I'll do it.

It seems to me (now *there's* a dangerous phrase :-) that since the
traffic would be going to the IP address of the carp interface, I
would have to queue on the carp interface?  If I can just queue on the
real interface, I'm fine with that.

Can you just queue on the real interface and have it work for traffic
arriving via CARP?  I haven't been able to find any documentation one
way or the other.

==ml

-- 
Michael W. Lucas    [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/
   Latest book: Cisco Routers for the Desperate
http://www.CiscoRoutersForTheDesperate.com


pfctl: carp0: driver does not support altq

2005-01-06 Thread Michael W. Lucas

Hi,

The subject pretty much says it all.  :-) The system is an older
snapshot, 3.5 GENERIC#127 i386.

I'd like to have live failover on my traffic shaper box, but when I
try to queue on the carp interface I get the error "pfctl: carp0:
driver does not support altq"

I imagine that I could do some other sort of workaround to get live
failover, say, with a crossover cable and ifstatd, but CARP is much
much easier.

Any suggestions?  I've done some web searches, of course, but it seems
that nobody else has this problem...

==ml

-- 
Michael W. Lucas    [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/
   Latest book: Cisco Routers for the Desperate
http://www.CiscoRoutersForTheDesperate.com


"pfctl -s q -v" question

2004-10-12 Thread Michael W. Lucas

Hi,

We have a pair of 3.5-current PF boxes doing traffic shaping and CARP.

One client has a large bandwidth ceiling.  They're currently well
below the limit; activity on the switch shows that they're pushing
about 15Mb in and 15Mb out.  With a limit of 64Mb, I would expect all
traffic to go through completely unimpeded.  We're not dropping any
packets, but I'm seeing the "suspends" counter continually
incrementing, however, reaching tens of thousands in a matter of
minutes.

queue  dca bandwidth 64Mb 
  [ pkts:  40244  bytes:   22488217  dropped pkts:  0 bytes:  0 ]
  [ qlength:   0/ 50  borrows:  0  suspends:239 ]

What does "suspends" mean, actually?  Is it anything to worry about?

==ml


-- 
Michael Lucas   [EMAIL PROTECTED], [EMAIL PROTECTED]
   "I'm sorry, but 'Social Darwinism' is no excuse for killing all of 
   your co-workers."  -- Ivan Brunetti
http://www.BlackHelicopters.org/~mwlucas/


failover problem

2004-07-09 Thread Michael W. Lucas

Hi,

Google just hasn't been too helpful tonight, so I'm trying here.

I'm having a problem with carp on two i386 systems.  Both machines are
3.5-snapshots, the first running 3.5 GENERIC#5 and the second 3.5
GENERIC#127.

The master/backup status passes cleanly between the two machines, but
when the second machine becomes master it has difficulty passing
traffic to some hosts behind it.

When carp machine 2 comes up (the newer one), it can telnet to port 80
on a particular Web server, but machines outside the PF cluster
cannot.  It doesn't seem to be a routing problem; I can hit some IPs
in the same net block, but not others.

My first thought was some sort of arp problem, but all the arp
addresses for other network devices match between the two PF machines.
If I log into machine 2 and run "arp -ad", however, the problem goes
away and machine 2 passes traffic normally.

Any suggestions?

Thanks,
==ml

-- 
Michael Lucas   [EMAIL PROTECTED], [EMAIL PROTECTED]
   "I'm sorry, but 'Social Darwinism' is no excuse for killing all of 
   your co-workers."  -- Ivan Brunetti
http://www.BlackHelicopters.org/~mwlucas/


Re: A very basic firewall

2004-01-08 Thread Michael W. Lucas
On Thu, Jan 08, 2004 at 09:29:16AM +0100, Bernard El-Hagin wrote:
> Tamas TEVESZ wrote:
> 
> 
> >On Wed, 7 Jan 2004, Bernard El-Hagin wrote:
> >
> > > 1. Block *everything* coming in on my external interface (tun0)
> >
> >do you think icmp is called a *control* protocol just because they
> >couldn't come up with a better name?
> 
> 
> Whosh!
> 
> 
> That was the sound of your rhetorical question going straight over my
> head.
> 
> 
> It astounds me that you assumed I'd know what you're talking about, by
> the way.

It's not a good idea to unilaterally block ICMP.  A Google search can
give you the horrid details, but you will experience occasional issues
if you just block it all.

And if you're building firewalls, then it's supposed to be a good
assumption that you know about ICMP.  :-)

==ml

-- 
Michael Lucas   [EMAIL PROTECTED], [EMAIL PROTECTED]
Today's chance of throwing it all away to start a goat farm: 41.8%
http://www.BlackHelicopters.org/~mwlucas/
   Absolute OpenBSD:   http://www.AbsoluteOpenBSD.com/


Re: Stupid Question

2003-07-11 Thread Michael W . Lucas
On Fri, Jul 11, 2003 at 01:53:25PM -0400, Jolan Luff wrote:
> On Fri, Jul 11, 2003 at 01:30:34PM -0400, Michael W . Lucas wrote:
> > A port to Windows would not be feasible.  And while I would not wish
> > to speak for our esteemed developers, I think I'm fairly safe in
> > saying that they would not be interested in doing the work.  :-)
> 
> huh?  i thought daniel was already working on pf for windows. see the
> fourth paragraph:
> 
> http://marc.theaimsgroup.com/?l=openbsd-announce&m=101763309005837

Well, yes, there is that.

And I'm certain that Daniel spends every April 1 working on that port...

==ml

-- 
Michael Lucas   [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/

   Absolute OpenBSD:   http://www.AbsoluteOpenBSD.com/


Re: Stupid Question

2003-07-11 Thread Michael W . Lucas
Hi,

A port to Windows would not be feasible.  And while I would not wish
to speak for our esteemed developers, I think I'm fairly safe in
saying that they would not be interested in doing the work.  :-)

==ml

On Thu, Jul 10, 2003 at 06:38:26PM -0700, Aaron Suen wrote:
> OK, so this is (may be, probably is) a stupid question.  But I'm
> gonna ask it anyway, so if you think it's stupid, go ahead and
> at least get a good laugh out of it.
> 
> Does anybody foresee a port, of some sorts, of pf for Windows?
> 
> Yeah, it sounds a little wild, but I could really use something
> like this.  I have a bunch of Windows clients on my home LAN, and
> you can never really trust the LAN (even though it's firewalled)
> since these are Windows (a.k.a. virus-laden) machines.  So I want
> to install software firewalls on every machine to provide secondary
> protection against threats on the LAN.
> 
> The big problem is that there are no good free firewalls for Windows.
> Of course, everybody will recommend the same things, such as
> ZoneAlarm, and similar types of programs, but all I need is something
> that can do fragment reassembly, stateful inspection, and block certain
> ports (135, 137-139, 445, 1025-1027, 5000) while leaving everything
> else open by default.  Every free firewall I've seen is missing
> something.  ZoneAlarm is too aggressive, blocks everything by default
> and asks the user questions all the time (I want to set it up and forget
> it).  Rule-based firewalls like the ones based on Tiny's codebase all
> seem to lack some reassembly and stateful inspection capabilities;
> they're basically just SYN filters.
> 
> So, how does one get the power of pf onto a Windows system?  Well,
> the way other firewall products seem to work is that they insert a
> bit of code between the network driver and the TCP/IP stack, then
> redirect packets and fragments through the filter engine.  So, if
> somebody were to get his hands on a packet interception thingy like
> that, we could make a pf-based firewall to protect Windows machines
> without having to have a *BSD machine for every Windows client.
> 
> Sound crazy enough?
> 
> Actually, it would be pretty nice to have a userland application that
> does what the pf engine does.  One could use it, for instance, to
> filter traffic that goes through other userland applications (such
> as ppp using tun*).
> 
> I'd like to know how feasible this Windows port idea would be.
> 

-- 
Michael Lucas   [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/

   Absolute OpenBSD:   http://www.AbsoluteOpenBSD.com/


Re: PF MAC Filter

2003-02-26 Thread Michael W . Lucas
On Wed, Feb 26, 2003 at 03:26:28AM -0600, Shawn Mitchell wrote:
> 
> Is it possible to specify a MAC Address filter?
> 
> And just to go ahead and cut off the trolls on MAC Filtering...  I know you
> can change your MAC address.  I don't care that you can.  I'm wanting to
> place a few filters that will stop 98% of the people out there, and put
> something in place to where I can force an IP Address to be used only by a
> specified network interface.

Hi,

Different network layer than PF, it won't work.  However:

man brconfig


==ml

-- 
Michael Lucas   [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/

   Absolute BSD:   http://www.AbsoluteBSD.com/