kern/127439: deadlock in pf
Geoffrey Mainland
mainland at apeiron.net
Wed Sep 17 16:30:05 UTC 2008
The following reply was made to PR kern/127439; it has been noted by GNATS.
From: Geoffrey Mainland <mainland at apeiron.net>
To: Christian Peron <csjp at freebsd.org>
Cc: FreeBSD-gnats-submit at freebsd.org
Subject: Re: kern/127439: deadlock in pf
Date: Wed, 17 Sep 2008 12:21:15 -0400
Sure, attached below.
#
# Macros
#
# Interfaces: $ext_if faces the Internet; the other three are the wired LAN,
# the wireless segment and the tunnel interface.
ext_if = "fxp0"
int_if = "em0"
wifi_if = "vr0"
vpn_if = "tun0"
# Private and loopback ranges that must never appear on $ext_if (used by the
# "RFC 1918" block rules under Filtering). 127.0.0.0/8 is listed here too,
# although it is not an RFC 1918 range.
rfc1918_nets = "{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
# NOTE(review): $ext_net is not referenced by any rule in this file.
ext_net = "{ 68.164.219.97/24 }"
int_net = "{ 192.168.0.0/24 }"
wifi_net = "{ 192.168.1.0/24 }"
vpn_net = "{ 192.168.2.0/24 }"
# Public addresses of the hosts behind the firewall; each active one is paired
# with an internal address by an rdr/binat pair under Translation.
ext_zeno = 68.164.219.98
ext_hamilton = 68.164.219.99
ext_anaximander = 68.164.219.100
# NOTE(review): $ext_laplace is the same address as $ext_anaximander. The
# laplace rdr/binat pair is commented out, so nothing breaks today, but
# re-enabling it as-is would map two internal hosts to one public address.
ext_laplace = 68.164.219.100
ext_hilbert = 68.164.219.101
# Source address that masqueraded (nat) traffic leaves with.
ext_nat = $ext_zeno
# Internal addresses of the same hosts. $int_zeno is not referenced by any
# rule; $int_vince only by a commented-out rule.
int_zeno = 192.168.0.10
int_hamilton = 192.168.0.11
int_anaximander = 192.168.0.12
int_laplace = 192.168.0.13
int_hilbert = 192.168.0.16
int_vince = $int_anaximander
# Wireless segment. $wifi_gateway is only referenced by commented-out rules,
# $wifi_laplace by none.
wifi_gateway = 192.168.1.1
wifi_laplace = 192.168.1.13
# The only ICMP type accepted inbound (see the "ICMP" rule under Filtering).
icmp_types = "echoreq"
# Supposedly 384Kb up, 1.5Mb down. We set the bandwidth to 300Kbps to get the
# best performance out of the TCP ACK queue.
# Both values are only used by the ALTQ definitions below, which are all
# commented out.
upstream = 300Kb
downstream = 1.5Mb
#
# Common ports
#
# pf lists; "a:b" is an inclusive port range. The nwn, gamespy and directx
# lists are only referenced by commented-out rules.
ssh_ports = "{ ssh }"
http_ports = "{ http, https }"
vpn_ports = "{ 1194 }"
mysqld_ports = "{ 3306 }"
# AIM: 5190
# MSN: 1863, 6891-6900 for file transfers
# Yahoo: 5050, webcam 5100
# Jabber: 5222, 5269
aim_ports = "{ 5190 }"
yahoo_ports = "{ 5050, 5100 }"
msn_ports = "{ 1863 }"
emule_tcp_ports = "{ 4662 }"
emule_udp_ports = "{ 4662, 4665, 4672 }"
bittorrent_ports = "{ 3724, 6112, 6881:6999, 46300:46400}"
realplayer_ports = "{ 7070 }"
battlenet_ports = "{ 6112:6119 }"
nwn_ports = "{ 1070:3000, 5120:5300, 6500, 27900, 28900 }"
gamespy_ports = "{ 6667, 3783, 27900, 28900, 29900, 29901, 13139, 6515, 6500, 6501 }"
directx_ports = "{ 47624, 6073, 2300:2400 }"
ts_tcp_ports = "{ 14534, 51234 }"
ts_udp_ports = "{ 8767:8768 }"
################################################################################
# Options
#
################################################################################
# "return" answers blocked TCP with a RST and other blocked packets with an
# ICMP unreachable instead of dropping them silently. Rules below that want
# silence (the RFC 1918 rules) override this with an explicit "drop".
set block-policy return
# Interface whose packet/byte counters are kept (shown by pfctl -s info).
set loginterface $ext_if
################################################################################
# Normalization
#
################################################################################
# Reassemble fragments and normalize every inbound packet before filtering.
scrub in all
################################################################################
#
# Queueing
#
################################################################################
# The whole ALTQ configuration is disabled. The "#queue ..." trailers that
# follow many filter rules further down are therefore comments as well:
# pfctl stops reading at the "#" on those lines and the rule ends there.
#altq on $ext_if priq bandwidth $upstream queue \
# { std_out, im_out, ssh_out, dns_out, tcp_ack_out }
#queue std_out priq(default)
#queue im_out priority 4 priq(red)
#queue ssh_out priority 5 priq(red)
#queue dns_out priority 6
#queue tcp_ack_out priority 7
#altq on $int_if cbq bandwidth 100% queue \
# { all_in }
#queue all_in bandwidth 100% { int_in, ext_in }
# queue int_in bandwidth 8Mb cbq(default)
# queue ext_in bandwidth $downstream {std_in, im_in, ssh_in, dns_in, vince_in }
# queue std_in bandwidth 500Kb cbq(borrow)
# queue im_in bandwidth 100Kb priority 4
# queue ssh_in bandwidth 100Kb priority 5
# queue dns_in bandwidth 100Kb priority 6
# queue vince_in bandwidth 100Kb cbq(borrow)
################################################################################
# Translation
#
################################################################################
# Translation runs before filtering: the filter rules further down see the
# translated (internal) addresses of packets that matched an rdr/binat here.
# cantor
# "rdr pass" creates state at translation time and skips the filter rules for
# these connections entirely, so nothing under Filtering can restrict them.
# The internal host is hard-coded rather than given an int_* macro like its
# peers.
rdr pass on $ext_if proto tcp from any to $ext_zeno port 47000:48000 -> 192.168.0.39 port 47000:*
# For each public host: the rdr on $int_if lets LAN clients reach the host by
# its public address (TCP only); the binat on $ext_if is the bidirectional 1:1
# mapping between its internal and public address.
# hamilton
rdr on $int_if proto tcp from any to $ext_hamilton -> $int_hamilton
binat on $ext_if from $int_hamilton to any -> $ext_hamilton
# anaximander
rdr on $int_if proto tcp from any to $ext_anaximander -> $int_anaximander
binat on $ext_if from $int_anaximander to any -> $ext_anaximander
# laplace
#rdr on $int_if proto tcp from any to $ext_laplace -> $int_laplace
#binat on $ext_if from $int_laplace to any -> $ext_laplace
# hilbert
rdr on $int_if proto tcp from any to $ext_hilbert -> $int_hilbert
binat on $ext_if from $int_hilbert to any -> $ext_hilbert
# Everything else from the three inside networks is masqueraded behind
# $ext_nat. pf consults binat before nat on the way out, so the hosts mapped
# above keep their own public address.
nat on $ext_if from $int_if:network -> $ext_nat
nat on $ext_if from $vpn_net -> $ext_nat
# wifi
nat on $ext_if from $wifi_if:network -> $ext_nat
# NAT and FTP
# The ftp-proxy redirection is disabled; the "user proxy" rule under Filtering
# presumably belongs with it.
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
################################################################################
# Filtering
#
################################################################################
# Filter rules are evaluated top to bottom and the LAST matching rule wins,
# except for rules marked "quick", which end evaluation at once. Every "pass"
# below is therefore an exception to "block log all".
#
# Block by default
#
# NetBIOS/SMB on the external interface. No direction is given, so this
# applies in and out. Because of "set block-policy return" these are answered
# with a RST / ICMP unreachable rather than dropped silently.
block quick on $ext_if proto {udp, tcp} from any to any \
port { 135, 139, 445 }
# Default deny, logged, on every interface in both directions.
block log all
#
# Blacklist
#
#block quick from 194.139.33.69 to any
#
# Whitelist
#
# NOTE(review): both rules are "quick", name no interface or direction, and
# have "any" as destination: TCP and UDP from the whitelisted address is
# accepted on every interface and forwarded to every internal host and port,
# ahead of everything below including the antispoof rules. Narrowing the
# destination (or at least the interface) would keep this from being a full
# bypass of the ruleset for that one address.
whitelist = "{ 140.247.60.67 }"
pass quick inet proto tcp from $whitelist to any \
flags S/SA keep state
pass quick inet proto udp from $whitelist to any \
keep state
#
# Allow anything on the loopback interface
#
pass quick on lo0 all
#
# RFC 1918 addresses should not be seen on the external interface
#
# Explicit "drop" overrides the return block-policy, so these stay silent.
block drop in quick on $ext_if from $rfc1918_nets to any
block drop out quick on $ext_if from any to $rfc1918_nets
#
# Protect against spoofing
#
# Each antispoof line expands to block rules for packets that carry that
# interface's network as source but arrive on a different interface. They are
# plain (non-quick) blocks, so a later non-quick "pass" can still override
# them; see the ICMP rule further down.
antispoof for lo0
antispoof for $ext_if
antispoof for $int_if
antispoof for $wifi_if
antispoof for $vpn_if
#
# Ports we open for zeno
#
# Services on the firewall host itself. "($ext_if)" in parentheses makes pf
# look the interface address up at evaluation time instead of at load time.
# Most rules here end in a "\" continuation that runs straight into a
# "#queue ..." comment: pfctl discards the comment and the rule ends there, so
# the queue assignment is off. Anything other than a comment placed between
# the "\" and that line would become part of the rule.
# Mail and news
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port { smtp, smtps, submission, imaps, nntps, auth } \
flags S/SA keep state \
#queue std_in
# auth
# NOTE(review): "auth" is already in the port list above; this rule is
# redundant.
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port { auth } \
flags S/SA keep state \
#queue std_in
# HTTP
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $http_ports \
flags S/SA keep state \
#queue std_in
# VPN
# OpenVPN on 1194, both TCP and UDP.
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $vpn_ports \
flags S/SA keep state \
#queue std_in
pass in on $ext_if inet proto udp from any to ($ext_if) \
port $vpn_ports \
keep state \
#queue std_in
# SSH
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $ssh_ports \
flags S/SA keep state \
#queue(std_in, ssh_in)
# FTP
# NOTE(review): the second rule admits new TCP connections from anywhere to
# every port above 49151 on the firewall, and without "flags S/SA". This is
# presumably the passive-FTP data range, but it is far wider than one service
# needs; confining it to the FTP daemon's configured passive range would
# shrink the exposure considerably.
pass in on $ext_if proto tcp from any to ($ext_if) \
port ftp keep state \
#queue std_in
pass in on $ext_if proto tcp from any to ($ext_if) \
port > 49151 keep state \
#queue std_in
# TeamSpeak
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $ts_tcp_ports \
flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) \
port $ts_udp_ports \
keep state
# DNS
# Outbound resolver traffic from the firewall itself; "modulate state" keeps
# state and, for TCP, also randomizes the initial sequence numbers.
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port domain \
modulate state \
#queue dns_out
#
# Ports we open up for everyone
#
# Inbound rules with "to $int_net" are matched after translation, so they
# admit traffic to whichever 192.168.0.0/24 hosts the rdr/binat rules above
# expose; the whole /24 is named only for convenience.
# ssh
pass in on $ext_if inet proto tcp from any to $int_net \
port $ssh_ports \
flags S/SA keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any \
port $ssh_ports \
flags S/SA modulate state \
#queue(std_out, ssh_out)
# FTP
# "user proxy" matches on the owner of the local socket, i.e. a proxy process
# running as that user on the firewall. The ftp-proxy rdr under Translation is
# commented out. NOTE(review): confirm this rule is still needed.
pass in on $ext_if inet proto tcp from any to $ext_nat \
user proxy flags S/SA modulate state
# AIM
pass in on $ext_if inet proto tcp from any to $int_net \
port $aim_ports \
flags S/SA keep state
pass in on $ext_if inet proto udp from any to $int_net \
port $aim_ports \
keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any \
port $aim_ports \
flags S/SA keep state \
#queue(im_out, tcp_ack_out)
pass out on $ext_if inet proto udp from ($ext_if) to any \
port $aim_ports \
modulate state \
#queue(im_out)
# Yahoo
pass in on $ext_if inet proto tcp from any to $int_net \
port $yahoo_ports \
flags S/SA keep state
pass in on $ext_if inet proto udp from any to $int_net \
port $yahoo_ports \
keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any \
port $yahoo_ports \
flags S/SA modulate state \
#queue(im_out, tcp_ack_out)
# emule
# "modulate state" is a TCP feature; on the UDP rule it presumably behaves
# like "keep state" — verify against pf.conf(5) for this release.
pass in on $ext_if inet proto tcp from any to $int_net \
port $emule_tcp_ports \
flags S/SA keep state
pass in on $ext_if inet proto udp from any to $int_net \
port $emule_udp_ports \
modulate state
# BitTorrent
pass in on $ext_if inet proto tcp from any to $int_net \
port $bittorrent_ports \
flags S/SA keep state
pass in on $ext_if inet proto udp from any to $int_net \
port $bittorrent_ports \
keep state
# Realplayer
pass in on $ext_if inet proto udp from any to $int_net \
port $realplayer_ports \
keep state
# Battlenet
pass in on $ext_if inet proto tcp from any to $int_net \
port $battlenet_ports \
flags S/SA keep state
# Neverwinter Nights
#pass in on $ext_if inet proto udp from any to $int_net \
# port $nwn_ports \
# keep state
# Gamespy Arcade
#pass in on $ext_if inet proto tcp from any to $int_net \
# port $gamespy_ports \
# flags S/SA keep state
# DirectX Gaming
#pass in on $ext_if inet proto tcp from any to $int_net \
# port $directx_ports \
# flags S/SA keep state
# MySQL
# NOTE(review): port 3306 on the firewall itself is opened to any source.
# Unless the database really must be reachable from the whole Internet,
# restrict the source (for example to $whitelist) instead of "any". The
# trailing "\" runs into the "#" line below, which ends the rule.
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $mysqld_ports flags S/SA keep state \
#
# ICMP
#
# NOTE(review): no interface is given, so echo requests are accepted from any
# source on every interface. Being a non-quick rule placed after the antispoof
# blocks, it also appears to be the last match for an echo request carrying a
# spoofed local source that arrives on an internal interface (the quick
# RFC 1918 rules cover $ext_if only). "antispoof quick for ..." or an
# "in on $ext_if" restriction here would close that.
pass in inet proto icmp all icmp-type $icmp_types keep state
#
# Allow traffic to flow freely between firewall and internal network
#
# Unrestricted in both directions for the LAN; "to any" on the inbound rule
# also covers traffic forwarded out through $ext_if.
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network modulate state
#pass out on $int_if from any to $int_vince modulate state \
# #queue(vince_in)
#
# Allow traffic to flow freely between firewall and wifi network
#
# The wireless segment is trusted exactly like the wired LAN here.
pass in on $wifi_if from $wifi_if:network to any keep state
pass out on $wifi_if from any to $wifi_if:network modulate state
#pass in on $wifi_if inet proto udp from $wifi_if:network \
# to {$ext_zeno, $wifi_gateway} port 1194 \
# keep state
#pass out on $wifi_if inet proto udp from {$ext_zeno, $wifi_gateway} port 1194 \
# to $wifi_if:network \
# modulate state
#
# Allow traffic to flow freely between firewall and vpn network
#
pass in on $vpn_if from $vpn_net to any keep state
pass out on $vpn_if from any to $vpn_net modulate state
#
# Allow all outgoing traffic from the firewall to the external network
#
# No address family is given, so these also cover native IPv6 leaving $ext_if.
pass out on $ext_if proto tcp all flags S/SA modulate state \
#queue(std_out, tcp_ack_out)
pass out on $ext_if proto { udp, icmp } all keep state
#
# IPv6
#
# NOTE(review): "proto ipv6" is IP protocol 41 (IPv6 encapsulated in IPv4,
# e.g. a 6in4 tunnel) and "ipv6-icmp" is protocol 58 (ICMPv6); neither selects
# the inet6 address family, whose keyword is "inet6". There is no matching
# "pass in", so only replies to state created by these rules get back in.
pass out quick proto ipv6 from any to any keep state
pass out quick proto ipv6-icmp from any to any keep state