Today's Topics:
1. FW: clientNatLookup: PF open failed: (13) Permission denied
(John Dakos [ Enovation Technologies ])
2. Transition from IPFW: PF flags for IPFW "setup" and
"established" keywords (Holger Rauch)
3. Re: FW: clientNatLookup: PF open failed: (13) Permission
denied (Ermal Luçi)
4. IPv6, PF problem (Aaron Stellman)
----------------------------------------------------------------------
Message: 1
Date: Fri, 11 Dec 2009 14:04:07 +0200
From: "John Dakos [ Enovation Technologies ]" <gda...@enovation.gr>
Subject: FW: clientNatLookup: PF open failed: (13) Permission denied
To: <freeb...@freebsd.org>
Message-ID: <4AEC4A6F65A84D258332A61EF5980850@john>
Content-Type: text/plain; charset="iso-8859-7"
Hello all.
I'm running Squid Version 3.0.STABLE20 on FreeBSD 8 Release with PF and
..
'--enable-pf-transparent'
Squid is working, but in my cache.log I have "clientNatLookup: PF open
failed: (13) Permission denied" every time...
I have in rc.conf squid_enable="YES"
Any idea for that?
Thanks
------------------------------
Message: 2
Date: Fri, 11 Dec 2009 12:59:01 +0100
From: Holger Rauch <holger...@empic.de>
Subject: Transition from IPFW: PF flags for IPFW "setup" and
"established" keywords
To: freeb...@freebsd.org
Message-ID: <20091211115...@heitec.de>
Content-Type: text/plain; charset="utf-8"
Hi to everybody,
what are the correct combinations of flags for the IPFW "setup" and
"established" keywords?
I googled for this but found no real mapping to pf flags.
Any hints/links are welcome.
Thanks in advance & kind regards,
Holger
------------------------------
Message: 3
Date: Fri, 11 Dec 2009 13:11:07 +0100
From: Ermal Luçi <e...@freebsd.org>
Subject: Re: FW: clientNatLookup: PF open failed: (13) Permission
denied
To: "John Dakos [ Enovation Technologies ]" <gda...@enovation.gr>
Cc: freeb...@freebsd.org
Message-ID:
<9a542da30912110411g6d3...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-7
2009/12/11 John Dakos [ Enovation Technologies ] <gda...@enovation.gr>
>
> Hello all.
>
> I'm running Squid Version 3.0.STABLE20 on FreeBSD 8 Release with PF and
> ..
>
> --enable-pf-transparent'
>
> Squid is working, but in my cache.log I have clientNatLookup: PF open
> failed: (13) Permission denied every time...
>
> I have in rc.conf squid_enable="YES"
>
> Any idea for that ?
>
Just allow the user with which you run squid permission of read(write?) to
/dev/pf.
--
Ermal
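
One way to apply the advice in the reply above without opening /dev/pf to every local account, shown as an added example that is not part of the original thread. It assumes Squid runs with group "squid"; the ruleset name and number are arbitrary, and read-only access is tried first because the reply leaves open whether write is needed.

```conf
# /etc/devfs.rules  (added example; ruleset name "localrules" and number 10 are arbitrary)
[localrules=10]

# Too broad: any local user could open the pf control device and change the ruleset.
# add path 'pf' mode 0666

# Narrower: root stays owner, only members of the squid group (assumed name) may read.
# If the lookup still fails with read-only access, use mode 0660 instead.
add path 'pf' mode 0640 group squid

# /etc/rc.conf  (activates the ruleset above at boot)
devfs_system_ruleset="localrules"

# Apply and verify without rebooting:
#   service devfs restart
#   ls -l /dev/pf        # expect group squid and the mode set above
#   service squid restart
```

A plain chmod/chgrp on /dev/pf does not survive a reboot because devfs recreates the node, which is why the change goes into devfs.rules.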
------------------------------
Message: 4
Date: Fri, 11 Dec 2009 17:25:08 -0800
From: Aaron Stellman <zi...@x96.org>
Subject: IPv6, PF problem
To: freeb...@freebsd.org
Message-ID: <20091212012...@x96.org>
Content-Type: text/plain; charset=us-ascii
Hello there,
Here is the problem I've encountered on a dual stack amd64 FreeBSD 8.0p1
machine.
What works:
pass in on $ext_if proto tcp to port 21
What doesn't work:
pass in on $ext_if proto tcp to ($ext_if) port 21
here is what's logged when it doesn't work:
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size
1515 bytes
00:00:00.000000 rule 0/0(match): block in on bge0:
2001:1938:235:beef:21b:21ff:fe37:d799.11220 >
2001:1938:235:dead:226:b9ff:fe75:6e5e.21: Flags [S], seq 413041093, win
65535, options [mss 1440,nop,nop,sackOK,nop,wscale 1,nop,nop,TS val
3435338387 ecr 0], length 0
ext_if="bge0"
epsilon# ifconfig -a
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:26:b9:75:6e:5e
        inet 10.10.11.5 netmask 0xffffffe0 broadcast 10.10.11.31
        inet6 fe80::226:b9ff:fe75:6e5e%bge0 prefixlen 64 scopeid 0x1
        inet 10.10.11.8 netmask 0xffffffe0 broadcast 10.10.11.31
        inet6 2001:1938:235:dead:226:b9ff:fe75:6e5e prefixlen 64 autoconf
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
pflog0: flags=0<> metric 0 mtu 33152
Notice, that it works as expected with IPv4; meaning that when I use "to
($ext_if)" and use ipv4 to connect, connection passes through, unlike
IPv6.
Also, OpenBSD pf works as expected with both IPv{4,6}
------------------------------
End of freebsd-pf Digest, Vol 272, Issue 2
******************************************