linimon | 3 Jul 13:16 2010

Re: kern/148290: [pf] "sticky-address" option of Packet Filter (PF) blocks connection

Old Synopsis: "sticky-address" option of Packet Filter (PF) blocks connection
New Synopsis: [pf] "sticky-address" option of Packet Filter (PF) blocks connection

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Sat Jul 3 11:16:43 UTC 2010
Responsible-Changed-Why: 
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=148290
_______________________________________________
freebsd-bugs <at> freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscribe <at> freebsd.org"

linimon | 3 Jul 13:18 2010

Re: kern/148260: [pf] [patch] pf rdr incompatible with dummynet

Old Synopsis: pf rdr incompatible with dummynet
New Synopsis: [pf] [patch] pf rdr incompatible with dummynet

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Sat Jul 3 11:17:25 UTC 2010
Responsible-Changed-Why: 
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=148260

Reinhard Haller | 3 Jul 15:29 2010

urpf-failed & ipv6

Hi,

I recently discovered a strange behavior on my border router.
In the following ruleset:

block log all
block in log quick from urpf-failed to any
pass quick on $int_if inet6 proto udp from any to any port ripng
block drop on !$int_if inet6 proto udp from any to any port ripng

all occurrences of

fe80::<mac-address>%$int_if -> ff02::9

were blocked by the urpf-failed rule.

Any suggestions why this happens?

Thanks Reinhard

_______________________________________________
freebsd-pf <at> freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe <at> freebsd.org"

Marcin Wisnicki | 4 Jul 07:24 2010

Re: urpf-failed & ipv6

On Sat, 03 Jul 2010 15:29:33 +0200, Reinhard Haller wrote:

> Hi,
> 
> I recently discovered a strange behavior on my border router. In the
> following ruleset:
> 
> block log all
> block in log quick from urpf-failed to any
> pass quick on $int_if inet6 proto udp from any to any port ripng
> block drop on !$int_if inet6 proto udp from any to any port ripng
> 
> all occurrences of
> 
> fe80::<mac-address>%$int_if -> ff02::9
> 
> were blocked by the urpf-failed rule.
> 
> Any suggestions why this happens?

Probably this change:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c#rev1.625
seems it's not yet merged to freebsd.

I'm using the following as a temporary solution (adapted from rc.firewall):

block log all
anchor "ipv6-link-local" quick inet6 {
  pass proto icmp6 from :: to ff02::/16
  pass proto icmp6 from fe80::/10 to fe80::/10

Maxim Khitrov | 4 Jul 15:26 2010

Same priority pf/altq queues not supported?

Hello all,

I'm configuring pf on FreeBSD 7.3 and would like to use the following
altq settings:

altq on $ext priq bandwidth 9240Kb queue {low, red, med, top}
altq on {$int1, $int2, $srv} priq bandwidth 100Mb queue {low, red, med, top}

queue low priority 1 priq(default)  # Default priority queue
queue red priority 1 priq(red)      # Default priority TCP queue with RED
queue med priority 2                # DNS, DHCP, ACKs, and TOS == lowdelay
queue top priority 3                # ICMP, NTP

When I try to load these settings, I get the following errors:

pfctl: low and red have the same priority
pfctl: low and red have the same priority
pfctl: low and red have the same priority
pfctl: low and red have the same priority
/etc/pf.conf:79: errors in queue definition

OpenBSD 4.1 documentation states that "if two or more queues are
assigned the same priority then those queues are processed in a
round-robin fashion." Is there any specific reason why this behavior
was altered in the FreeBSD port?

I'm not really sure of what to do, because I don't want to prioritize
or deprioritize TCP traffic, and I can't have RED enabled for any
other protocol. If you have any other general-purpose queuing
suggestions, please let me know.

Vadym Chepkov | 4 Jul 18:42 2010

pf and ftp

Hi,

pftpx port was removed in FreeBSD. How does one configure pf firewall to work with ftp protocol nowadays?

Thank you,
Vadym Chepkov

olli hauer | 4 Jul 19:07 2010

Re: pf and ftp

On 2010-07-04 18:42, Vadym Chepkov wrote:
> Hi,
> 
> pftpx port was removed in FreeBSD. How does one configure pf firewall to work with ftp protocol nowadays?
> 
> Thank you,

use ftp-proxy instead, it is included in the OS.

Vadym Chepkov | 4 Jul 19:09 2010

Re: pf and ftp

interesting, at some point pftpx was claimed to be a replacement for ftp-proxy, I distinctly remember that.
But according to port it's now part of the base FreeBSD. I guess these things do happen :)

Thanks,
Vadym

On Jul 4, 2010, at 1:01 PM, Jille Timmermans wrote:

> Hi,
> 
> ftp-proxy(8) is what you are looking for :)
>  http://www.openbsd.org/faq/pf/ftp.html
> 
> -- Jille
> 
> Vadym Chepkov schreef:
>> Hi,
>> 
>> pftpx port was removed in FreeBSD. How does one configure pf firewall to work with ftp protocol nowadays?
>> 
>> Thank you,
>> Vadym Chepkov

Jille Timmermans | 4 Jul 19:01 2010

Re: pf and ftp

Hi,

ftp-proxy(8) is what you are looking for :)
  http://www.openbsd.org/faq/pf/ftp.html

-- Jille

Vadym Chepkov schreef:
> Hi,
> 
> pftpx port was removed in FreeBSD. How does one configure pf firewall to work with ftp protocol nowadays?
> 
> Thank you,
> Vadym Chepkov

olli hauer | 4 Jul 19:28 2010

Re: pf and ftp

If I remember correctly, there was first pftpx and an (unusable) built-in
ftp-proxy.
Then ftpsesame was built as successor of pftpx and this went into the system.
Now the built-in ftp-proxy was extended for ipv6 ...

pftpx/ftpsesame site:
http://www.sentia.org/projects/ftpsesame/

latest version ftpsesame-0.95 (OpenBSD 3.6)

On 2010-07-04 19:09, Vadym Chepkov wrote:
> interesting, at some point pftpx was claimed to be a replacement for ftp-proxy, I distinctly remember that.
> But according to port it's now part of the base FreeBSD. I guess these things do happen :)
> 
> Thanks,
> Vadym
> 
> 
> 
> On Jul 4, 2010, at 1:01 PM, Jille Timmermans wrote:
> 
>> Hi,
>>
>> ftp-proxy(8) is what you are looking for :)
>>  http://www.openbsd.org/faq/pf/ftp.html
>>
>> -- Jille
>>
>> Vadym Chepkov schreef:
>>> Hi,