Current problem reports assigned to freebsd-pf@FreeBSD.org

2010-07-26 Thread FreeBSD bugmaster
Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.


S Tracker  Resp.  Description

o kern/148290  pf [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf [pf] "(self)" not always matching all local IPv6 addre
o kern/144311  pf [pf] [icmp] massive ICMP storm on lo0 occurs when usin
o kern/143543  pf [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf [pf] No way to adjust pidfile in pflogd
o conf/142817  pf [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf [pf] pf behaviour changes - must be documented
o kern/137982  pf [pf] when pf can hit state limits, random IP failures 
o kern/136781  pf [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf [pf] [gre] pf not natting gre protocol
o kern/135162  pf [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf [pf] max-src-conn issue
o kern/132769  pf [pf] [lor] 2 LOR's with pf task mtx / ifnet and  rtent
f kern/132176  pf [pf] pf stalls connection when using route-to [regress
o conf/130381  pf [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf [pf] ipv6 and synproxy don't play well together
o conf/127814  pf [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf [pf] deadlock in pf
f kern/127345  pf [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf [pf] [patch] pf incorrect log priority
o kern/127042  pf [pf] [patch] pf recursion panic if interface group is 
o kern/125467  pf [pf] pf keep state bug while handling sessions between
s kern/124933  pf [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf [pf] PF mangles loopback packets
o kern/120281  pf [pf] [request] lost returning packets to PF for a rdr 
o kern/120057  pf [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf [carp] carp+pf delay with high state limit
o kern/111220  pf [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf pfsync fails to successfully transfer some sessions
o kern/103281  pf pfsync reports bulk update failures
o kern/93825   pf [pf] pf reply-to doesn't work
o sparc/93530  pf [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf [pf] PF + ALTQ problems with latency
o bin/86635    pf [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf [pf] cbq scheduler cause bad latency

47 problems total.

___
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"


pf synproxy

2010-07-26 Thread Justin


   Hello all - I've tried searching the list but it seems something is 
broken and I'm getting 500 errors. Alas,


 Is there something unique about using synproxy in a gateway style 
firewall that isn't outlined in the PF manuals? Here's the scenario:


Internet -> em0 | pf rules | em1 -> target host.

1.2.3.1/29 on em0, 1.2.4.1/29 on em1, 1.2.5.1/29 on target host.

PF rules:

set skip on lo0
pass out on em1
pass in on em1
pass out on em0 proto tcp all modulate state
pass in on em0 proto tcp from any to any port 80 synproxy state


When using synproxy state - the connection never completes. If we change
synproxy to keep, everything works fine. Alternately, if the service in
question is running locally on the actual firewall itself, I'll see
state entries show up in pfctl -s doing a proxy and then passing the
connection on to itself - so why doesn't it work in the same manner
when passing on to a host behind the machine? I've tried all sorts of
variations and skipping processing on internal interface, but I just
can't seem to get it to work. All my searching has turned up nothing.
I've also tried state-policy if-bound and there appears to be no change.
Is this a bug? Have I missed something totally obvious?


-Justin

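To make concrete what "synproxy state" asks pf to do that "keep state" does not, here is an added example, not code from pf or from anyone in this thread: a toy model of the proxied handshake in Python. The client address, the ISNs and the secret are constructed (1.2.5.1:80 is borrowed from the scenario above), and the two proxy-phase names are the ones pf itself uses for such states. The proxy answers the client's SYN on its own, opens the connection to the real server only after the client's third packet checks out, and from then on rewrites the server's sequence numbers by the difference between the ISN it chose and the ISN the server chose.

```python
"""Toy model of the handshake pf performs for a 'synproxy state' rule.
Added example, not pf's code; hosts, ports, ISNs and the secret are constructed."""
import hashlib
import hmac
from dataclasses import dataclass

SYN, ACK, PSH = 0x02, 0x10, 0x08
MASK = 0xFFFFFFFF  # TCP sequence numbers wrap at 2**32


@dataclass(frozen=True)
class Pkt:
    src: str  # "ip:port"
    dst: str
    flags: int
    seq: int
    ack: int = 0
    payload: bytes = b""


@dataclass
class Conn:
    client: str
    server: str
    client_isn: int
    proxy_isn: int          # ISN the proxy chose towards the client
    server_isn: int = 0     # learned later from the server's SYN+ACK
    state: str = "PROXY:SRC"

    @property
    def seqdiff(self) -> int:
        # Server->client data must look as if it continued the proxy's ISN.
        return (self.proxy_isn - self.server_isn) & MASK


class SynProxy:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.conns: dict[tuple[str, str], Conn] = {}

    def _isn(self, client: str, server: str, client_isn: int) -> int:
        # Keyed hash: a flooder cannot guess the number it has to ACK.
        dig = hmac.new(self.secret, f"{client}|{server}|{client_isn}".encode(),
                       hashlib.sha256).digest()
        return int.from_bytes(dig[:4], "big")

    def handle(self, p: Pkt) -> list[Pkt]:
        """Return the packets the proxy emits in response to p."""
        c = self.conns.get((p.src, p.dst)) or self.conns.get((p.dst, p.src))
        if c is None:
            if p.flags != SYN:
                return []  # no state and not a SYN: drop
            c = Conn(p.src, p.dst, p.seq, self._isn(p.src, p.dst, p.seq))
            self.conns[(p.src, p.dst)] = c
            # Answer the SYN ourselves; the real server is not contacted yet.
            return [Pkt(p.dst, p.src, SYN | ACK, c.proxy_isn, (p.seq + 1) & MASK)]
        from_client = p.src == c.client
        if c.state == "PROXY:SRC":
            # Only a correct third packet from the client promotes the state.
            if not (from_client and p.flags & ACK
                    and p.ack == (c.proxy_isn + 1) & MASK
                    and p.seq == (c.client_isn + 1) & MASK):
                return []
            c.state = "PROXY:DST"
            # Now open the real connection, reusing the client's ISN.
            return [Pkt(c.client, c.server, SYN, c.client_isn)]
        if c.state == "PROXY:DST":
            if from_client or p.flags != SYN | ACK or p.ack != (c.client_isn + 1) & MASK:
                return []
            c.server_isn, c.state = p.seq, "ESTABLISHED"
            return [Pkt(c.client, c.server, ACK, (c.client_isn + 1) & MASK, (p.seq + 1) & MASK)]
        # ESTABLISHED: forward, translating only the server's sequence space.
        if from_client:
            return [Pkt(p.src, p.dst, p.flags, p.seq, (p.ack - c.seqdiff) & MASK, p.payload)]
        return [Pkt(p.src, p.dst, p.flags, (p.seq + c.seqdiff) & MASK, p.ack, p.payload)]


def demo(client="198.51.100.7:40000", server="1.2.5.1:80", client_isn=1000, server_isn=500_000):
    """Drive one proxied handshake plus one data segment each way."""
    px = SynProxy(b"constructed-secret")
    synack, = px.handle(Pkt(client, server, SYN, client_isn))
    proxy_isn = synack.seq
    server_syn, = px.handle(Pkt(client, server, ACK, client_isn + 1, (proxy_isn + 1) & MASK))
    server_ack, = px.handle(Pkt(server, client, SYN | ACK, server_isn, client_isn + 1))
    # Server sends 5 bytes; the client must see them numbered from proxy_isn + 1.
    to_client, = px.handle(Pkt(server, client, PSH | ACK, server_isn + 1, client_isn + 1, b"hello"))
    # The client acks in the proxy's numbering; the server must see its own.
    to_server, = px.handle(Pkt(client, server, ACK, client_isn + 1, (proxy_isn + 6) & MASK))
    return {"proxy_isn": proxy_isn, "server_syn_seq": server_syn.seq, "server_ack": server_ack.ack,
            "client_sees_seq": to_client.seq, "server_sees_ack": to_server.ack}


def bogus_ack_is_dropped(client="203.0.113.9:5555", server="1.2.5.1:80"):
    """A SYN whose third packet carries a guessed ack number never reaches the server."""
    px = SynProxy(b"constructed-secret")
    px.handle(Pkt(client, server, SYN, 42))
    emitted = px.handle(Pkt(client, server, ACK, 43, 12345))
    return emitted == [] and px.conns[(client, server)].state == "PROXY:SRC"
```

demo() shows that the server only ever receives a SYN after the client has finished the handshake with the proxy, and that every later segment has its sequence or ack number shifted so both ends stay consistent; bogus_ack_is_dropped() shows the flood-protection side, where a spoofed SYN costs the server nothing. On a live pf box the same two phases show up as PROXY:SRC and PROXY:DST in the output of pfctl -ss, which is the quickest way to tell whether a stalled synproxy connection is stuck waiting on the client side or on the server side.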


Re: pf synproxy

2010-07-26 Thread Denny Lin
On Mon, Jul 26, 2010 at 05:26:21AM -0700, Justin wrote:
>Hello all - I've tried searching the list but it seems something is 
> broken and I'm getting 500 errors. Alas,
> 
>  Is there something unique about using synproxy in a gateway style 
> firewall that isn't outlined in the PF manuals? Here's the scenario:
> 
> Internet -> em0 | pf rules | em1 -> target host.

Synproxy does not work when on bridges.

From pf.conf(5):
Rules with synproxy will not work if pf(4) operates on a if_bridge(4).

-- 
Denny Lin


Re: pf synproxy

2010-07-26 Thread Justin

... it's not an if_bridge, thanks.

On 7/26/2010 7:05 AM, Denny Lin wrote:
> On Mon, Jul 26, 2010 at 05:26:21AM -0700, Justin wrote:
>> Hello all - I've tried searching the list but it seems something is
>> broken and I'm getting 500 errors. Alas,
>>
>>  Is there something unique about using synproxy in a gateway style
>> firewall that isn't outlined in the PF manuals? Here's the scenario:
>>
>> Internet -> em0 | pf rules | em1 -> target host.
>
> Synproxy does not work when on bridges.
>
> From pf.conf(5):
> Rules with synproxy will not work if pf(4) operates on a if_bridge(4).




Re: pf synproxy

2010-07-26 Thread Andrei Manescu - Ivorde
On Mon, July 26, 2010 6:02 pm, Justin wrote:
> ... it's not an if_bridge, thanks.
>
>
> On 7/26/2010 7:05 AM, Denny Lin wrote:
>
>> On Mon, Jul 26, 2010 at 05:26:21AM -0700, Justin wrote:
>>
>>
>>> Hello all - I've tried searching the list but it seems something is
>>> broken and I'm getting 500 errors. Alas,
>>>
>>> Is there something unique about using synproxy in a gateway style
>>> firewall that isn't outlined in the PF manuals? Here's the scenario:
>>>
>>> Internet ->  em0 | pf rules | em1 ->  target host.
>>>
>>>
>> Synproxy does not work when on bridges.
>>
>>
>> From pf.conf(5):
>> Rules with synproxy will not work if pf(4) operates on a if_bridge(4).
>>
>>
>>
>

If it helps, you're not the only one with issues. Synproxy is not for
general fw use IMHO. I.e.: a friend is running a high traffic website and
synproxy slows down the packet flow. Another example, if I remember
correctly, is that it doesn't work with packet tagging, another one just
mentioned, doesn't work with if_bridge... I gave up on it a long time ago
(on FreeBSD 6). (Of course, everything is subject to different factors,
like hw.)

You could, instead, try ftp-proxy which works great with pf and passive
ftp (I really can't say how effective it is against a syn flood, but you
can test it).

Synproxy is a great addition to pf but, unfortunately, it doesn't lack
bugs.
