From owner-freebsd-ipfw@FreeBSD.ORG Sun Aug 28 00:00:47 2005
From: Evan B
Date: Sun, 28 Aug 2005 09:30:09 +0930
To: ipfw
Message-ID: <4310FE89.10104@gmail.com>
Subject: dymmynet+intro+apologies

Greetings List,

Sorry: it went out with the wrong email address; this is my list subscription address.

I am a new subscriber to the list (from Adelaide, Australia). Just introducing myself and looking for some pointers in the use of dummynet. I am a win32/linux user. I have some experience in the use/development of network simulators through my postgrad studies. I also have very limited BSD knowledge.

I am currently trying to evaluate a number of PABXs and have set up the picobsd version of dummynet (preferring it over nistnet). I want to put the PABXs through their paces with regards to IP trunking between 2 units (H.323). These units will be spread out geographically (DSL tails) and converging to a central point (our office). I would like to set up a number of differing scenarios for link conditions, both typical and atypical and ridiculous. I have managed some trivial ones like a DSL link from examples, but I would like to set it up in such a way that I can try a number of different links and script it to make life easier.

1. main link to the HO will be either wireless or landline to the ISP cloud.
2. the tails will be a smattering of DSL grade links with varying properties: latency, jitter, and PL.

I would like to establish the main link (I assume as a pipe) and set up another representing the tail.

So the questions.

1. Does anyone have some suggestions for a typical line of sight wireless link?
2. Does anyone have some suggestions for the DSL tails?

I only need 2 nodes for testing purposes. All suggestions will be most useful.

regards
evan

From owner-freebsd-ipfw@FreeBSD.ORG Sun Aug 28 21:19:38 2005
From: vladone
Date: Mon, 29 Aug 2005 00:19:29 +0300
To: freebsd-ipfw@freebsd.org
Cc: freebsd-questions@freebsd.org
Message-ID: <1752667837.20050829001929@spaingsm.com>
Subject: challenge with dummynet+ipfw

Hi!

I want to organize my bandwidth in this mode:

# download section
                 1000kbit/s
                      |
                      |
          |--------------------|
          |                    |
          |                    |
        high                  low
  priorized traffic        priorized
          |                    |
      512kbit/s                |
          |                    |
        user           |---------------|
     share same        |               |
     bandwidth         |               |
                   300 kbit/s       512kbit/s
                       |               |
                       |               |
                       |               |
                  users share      users share
                 same bandwidth   same bandwidth

I want to use ipfw+dummynet. The solution is to pass traffic that matches a rule to multiple pipes or queues with different weights. But how? What is the precedence? (need sysctl net.inet.ip.fw.one_pass=0)

If anyone has a solution please be explicit. I don't want to be easy, but it is significant in this case in which order the rules apply, and how the pipe and queue are configured. For this reason, please put solutions in this form (example):

#section pipe and queue configuration
ipfw pipe 1 config .....
ipfw queue 8 config weight 3 pipe 6 ....
..................

#section ipfw rules
ipfw add pipe 1 {match high pri.}
ipfw add pipe 5 {match low pri. 300k same bandwidth}
ipfw add queue 3 {match for high pri. 512k same share}
...............................

I have worked for a time with dummynet. In this example it is important to build some hierarchy with dummynet.

P.S. this scheme is not changeable. Please refer to this situation.

Thanks in advance!
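For Evan's link-emulation question at the top of this digest (a head-office link plus DSL tails with their own latency, jitter and loss), here is an added example of how to script such a dummynet setup. It is not code from any poster: it generates the ipfw/dummynet commands for two chained links, and everything in it is an assumption for illustration (the bridged interfaces em0/em1, the tail prefix 10.0.1.0/24, the link numbers). dummynet pipes have bw, delay and plr but no jitter knob, so jitter is emulated with a ladder of "prob ... skipto" rules that sends each packet through one of three delay-only pipes before the shared bandwidth/loss pipe; that needs net.inet.ip.fw.one_pass=0 so a packet can traverse more than one pipe, which is also why the tail and head-office pipes chain naturally. Check the "in via" clauses against how your picobsd dummynet image sees bridged packets before applying the output.

```python
#!/usr/bin/env python3
"""Emit the ipfw/dummynet commands for a two-hop WAN emulation: a head
office (HO) link plus a DSL tail, each with its own bandwidth per
direction, one-way delay, packet loss and, optionally, jitter.

Assumptions (all made up for this example): the dummynet box bridges
two interfaces, em0 on the PABX side and em1 on the far side, and the
tail PABX sits in 10.0.1.0/24.  Jitter is emulated with a ladder of
"prob ... skipto" rules that sends each packet through one of three
delay-only pipes before the shared bandwidth/loss pipe; this needs
net.inet.ip.fw.one_pass=0 so a packet can traverse more than one pipe.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Link:
    name: str
    down_kbit: int          # towards the site
    up_kbit: int            # away from the site
    delay_ms: int           # one-way base latency
    plr: float = 0.0        # packet loss rate, 0.0 .. 1.0
    jitter_ms: int = 0      # spread added on top of delay_ms, 0 = none
    queue_slots: int = 50   # dummynet queue length in packets


def delay_steps(link: Link) -> List[int]:
    """Delay values the ladder picks between: one value without jitter,
    three evenly spread values with it."""
    if link.jitter_ms == 0:
        return [link.delay_ms]
    half = link.jitter_ms // 2
    return [link.delay_ms, link.delay_ms + half, link.delay_ms + link.jitter_ms]


def emulate(link: Link, base_rule: int, base_pipe: int,
            lan_if: str, wan_if: str, site_net: str) -> List[str]:
    """Pipes and rules for both directions of one link.  Rule numbers start
    at base_rule (one direction per hundred), pipe numbers at base_pipe."""
    cmds: List[str] = []
    rule, pipe = base_rule, base_pipe
    directions = [
        # on a bridge a packet is seen once, on the interface it arrived on
        (f"ip from any to {site_net} in via {wan_if}", link.down_kbit),
        (f"ip from {site_net} to any in via {lan_if}", link.up_kbit),
    ]
    for match, kbit in directions:
        steps = delay_steps(link)
        if len(steps) == 1:
            # no jitter: one pipe does bandwidth, delay and loss together
            cmds.append(f"ipfw pipe {pipe} config bw {kbit}Kbit/s delay {steps[0]} "
                        f"plr {link.plr} queue {link.queue_slots}")
            cmds.append(f"ipfw add {rule} pipe {pipe} {match}")
            pipe, rule = pipe + 1, rule + 100
            continue
        k = len(steps)
        delay_pipes = list(range(pipe, pipe + k))
        bw_pipe = pipe + k
        for p, d in zip(delay_pipes, steps):   # bw 0 means unlimited: delay only
            cmds.append(f"ipfw pipe {p} config bw 0 delay {d} queue {link.queue_slots}")
        cmds.append(f"ipfw pipe {bw_pipe} config bw {kbit}Kbit/s delay 0 "
                    f"plr {link.plr} queue {link.queue_slots}")
        branch = [rule + 10 * (i + 1) for i in range(k)]
        bw_rule = rule + 10 * (k + 1)
        for i in range(k):
            # branch i takes 1/(k-i) of the packets that reach it, so every
            # delay value ends up equally likely; the last branch is unconditional
            if i < k - 1:
                cmds.append(f"ipfw add {rule + i} prob {1 / (k - i):.4f} skipto {branch[i]} {match}")
            else:
                cmds.append(f"ipfw add {rule + i} skipto {branch[i]} {match}")
        for i in range(k):
            cmds.append(f"ipfw add {branch[i]} pipe {delay_pipes[i]} {match}")
            # with one_pass=0 the packet resumes at the rule after the pipe,
            # so every branch jumps to the shared bandwidth stage
            cmds.append(f"ipfw add {branch[i] + 1} skipto {bw_rule} {match}")
        cmds.append(f"ipfw add {bw_rule} pipe {bw_pipe} {match}")
        pipe, rule = bw_pipe + 1, rule + 100
    return cmds


def ruleset(links_and_nets, lan_if="em0", wan_if="em1") -> List[str]:
    """Whole script: flush, allow multi-pipe traversal, one block per link
    (first link rules 1000.. and pipes 10.., second 2000.. and 20..), pass the rest."""
    cmds = ["ipfw -f flush", "ipfw pipe flush", "sysctl net.inet.ip.fw.one_pass=0"]
    for n, (link, net) in enumerate(links_and_nets, start=1):
        cmds += emulate(link, 1000 * n, 10 * n, lan_if, wan_if, net)
    cmds.append("ipfw add 65000 allow ip from any to any")
    return cmds


# Constructed profiles: a line-of-sight wireless HO link and one DSL tail
HO_LINK = Link("ho-wireless", down_kbit=2048, up_kbit=2048, delay_ms=5, plr=0.001)
DSL_TAIL = Link("dsl-tail", down_kbit=1536, up_kbit=256, delay_ms=20, plr=0.005, jitter_ms=20)

if __name__ == "__main__":
    # print the script; feed it to sh on the dummynet box once reviewed
    print("\n".join(ruleset([(HO_LINK, "any"), (DSL_TAIL, "10.0.1.0/24")])))
```

Two things to keep in mind when reading the output: the head-office block matches all traffic and comes first, so a packet for the tail passes the HO pipe and then, because one_pass is 0, falls through to the tail block; and the jitter ladder reorders packets (a packet that drew the 20 ms pipe overtakes one that drew the 40 ms pipe a moment earlier), which is realistic for a DSL tail and is exactly what exercises the PABX jitter buffer.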
From owner-freebsd-ipfw@FreeBSD.ORG Sun Aug 28 21:29:02 2005
From: Glenn Dawson
Date: Sun, 28 Aug 2005 14:29:09 -0700
To: vladone, freebsd-ipfw@freebsd.org
Cc: freebsd-questions@freebsd.org
Message-Id: <6.2.3.4.2.20050828142736.0402bad0@cobalt.antimatter.net>
In-Reply-To: <1752667837.20050829001929@spaingsm.com>
Subject: Re: challenge with dummynet+ipfw

At 02:19 PM 8/28/2005, vladone wrote:
>Hi!
>I want to organize my bandwidth in this mode
># download section
>                 1000kbit/s
>                      |
>                      |
>          |--------------------|
>          |                    |
>          |                    |
>        high                  low
>  priorized traffic        priorized
>          |                    |
>      512kbit/s                |
>          |                    |
>        user           |---------------|
>     share same        |               |
>     bandwidth         |               |
>                   300 kbit/s       512kbit/s
>                       |               |
>                       |               |
>                       |               |
>                  users share      users share
>                 same bandwidth   same bandwidth
>
>I want to use ipfw+dummynet. The solution is to pass traffic that matches
>a rule to multiple pipes or queues with different weights. But how?
>What is the precedence? (need sysctl net.inet.ip.fw.one_pass=0)
>If anyone has a solution please be explicit. I don't want to be easy,
>but it is significant in this case in which order the rules apply, and how
>the pipe and queue are configured. For this reason, please put solutions in
>this form (example):

You'd probably be better off using the altq features in pf.

-Glenn

>#section pipe and queue configuration
>ipfw pipe 1 config .....
>ipfw queue 8 config weight 3 pipe 6 ....
>..................
>
>#section ipfw rules
>ipfw add pipe 1 {match high pri.}
>ipfw add pipe 5 {match low pri. 300k same bandwidth}
>ipfw add queue 3 {match for high pri. 512k same share}
>...............................
>
>I have worked for a time with dummynet. In this
>example it is important to build some hierarchy with dummynet.
>
>P.S. this scheme is not changeable. Please refer to this situation.
>
> Thanks in advance!
>
>
>_______________________________________________
>freebsd-questions@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Sun Aug 28 21:50:45 2005
From: vladone
Date: Mon, 29 Aug 2005 00:50:41 +0300
To: freebsd-ipfw@freebsd.org
Cc: freebsd-questions@freebsd.org
Message-ID: <118386989.20050829005041@spaingsm.com>
In-Reply-To: <6.2.3.4.2.20050828142736.0402bad0@cobalt.antimatter.net>
Subject: Re[2]: challenge with dummynet+ipfw

I know about pf+altq. I can even use ipfw+altq. But I'm a fan of dummynet, and I want to use it. :)

My work at the moment is:

#download total
$cmd pipe 1 config bw 1000kbits/s

#download aggregate (low pri. 300kbits/s aggregate)
$cmd pipe 2 config bw 300kbits/s
$cmd queue 2 config weight 1 pipe 1
$cmd queue 3 config weight 1 pipe 2 mask dst-ip 0xffffff

# down aggregate games (high priority for flow reasons)
$cmd pipe 4 config bw 512kbit/s
$cmd queue 4 config weight 100 pipe 1 mask dst-ip 0xffffff
$cmd queue 8 config weight 1 pipe 4 mask dst-ip 0xffffff

#download aggregate net (low pri. 512kbit/s aggregate)
$cmd pipe 6 config bw 512kbit/s
$cmd queue 5 config weight 1 pipe 1
$cmd queue 6 config weight 1 pipe 6 mask dst-ip 0xffffff

and ipfw rules:

#traffic high priority
$cmd add 700 queue 4 ip from any $games_ports to $local_net in recv $pif
$cmd add 700 pipe 4 ip from any $games_ports to $local_net in recv $pif
$cmd add 700 queue 8 ip from any $games_ports to $local_net in recv $pif
$cmd add 700 skipto 65000 ip from any $games_ports to $local_net in recv $pif

#traffic from special ip (low pri. 300kbit/s aggregate)
$cmd add 700 queue 2 ip from $ip_list to $local_net in recv $pif
$cmd add 700 pipe 2 ip from $ip_list to $local_net in recv $pif
$cmd add 700 queue 3 ip from $ip_list to $local_net in recv $pif
$cmd add 700 skipto 65000 ip from $ip_list to $local_net in recv $pif

#traffic from internet (low pri. 512kbit/s aggregate)
$cmd add 700 queue 5 ip from any to $local_net in recv $pif
$cmd add 700 pipe 6 ip from any to $local_net in recv $pif
$cmd add 700 queue 6 ip from any to $local_net in recv $pif
$cmd add 700 skipto 65000 ip from any to $local_net in recv $pif

This set works but I don't know if it is correct. If anyone has experience please help me!
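What the weights in the configuration above actually buy is worth working through in numbers. The following is an added example, not code posted in this thread: it applies the share rule that Jeremie Le Hen gives later in the thread (queuebw = totalbw * queueweight / totalweight) to the three queues vladone hangs off pipe 1 (queue 2 weight 1, queue 4 weight 100, queue 5 weight 1), and cross-checks it with a small weighted-fair-queueing simulation. The simulation is a plain WFQ on per-queue virtual finish times, not dummynet's WF2Q+, which is enough to show the shares; the "active flows" count is my way of modelling what "mask dst-ip" does, namely one dynamic queue per destination host, each carrying the configured weight. The packet sizes and flow counts are constructed.

```python
#!/usr/bin/env python3
"""Bandwidth share of the queues vladone attaches to pipe 1.

Applies queuebw = totalbw * queueweight / totalweight (the rule Jeremie
Le Hen states in this thread) and checks it with a small WFQ simulation.
This is an added example, not dummynet code: plain WFQ on per-queue
virtual finish times rather than dummynet's WF2Q+, with "active flows"
standing in for the dynamic per-host queues that "mask dst-ip" creates.
"""
from fractions import Fraction
from typing import Dict

PIPE1_KBIT = 1000
PIPE1_QUEUES: Dict[int, int] = {2: 1, 4: 100, 5: 1}   # queue number -> weight, from the post


def share(total_kbit: int, weights: Dict[int, int],
          active_flows: Dict[int, int]) -> Dict[int, float]:
    """kbit/s per queue when every counted flow is backlogged.  A queue with
    0 active flows is idle and its weight drops out: WF2Q+ is work-conserving,
    so idle capacity is redistributed, never reserved."""
    total_w = sum(w * active_flows.get(q, 0) for q, w in weights.items())
    out: Dict[int, float] = {}
    for q, w in weights.items():
        n = active_flows.get(q, 0)
        out[q] = 0.0 if n == 0 else total_kbit * w * n / total_w
    return out


def simulate(weights: Dict[int, int], active_flows: Dict[int, int],
             n_packets: int, pkt_len: int = 1500) -> Dict[int, int]:
    """Serve n_packets from infinitely backlogged flows; return bytes served
    per queue.  Each flow's virtual finish time advances by pkt_len / weight
    per packet and the flow with the earliest finish time is served next
    (ties broken by flow index).  Fractions keep the arithmetic exact."""
    flows = [(q, w) for q, w in weights.items() for _ in range(active_flows.get(q, 0))]
    finish = [Fraction(0)] * len(flows)
    served = {q: 0 for q in weights}
    for _ in range(n_packets):
        i = min(range(len(flows)), key=lambda j: (finish[j], j))
        q, w = flows[i]
        finish[i] += Fraction(pkt_len, w)
        served[q] += pkt_len
    return served


if __name__ == "__main__":
    scenarios = [("all three queues busy, one host each", {2: 1, 4: 1, 5: 1}),
                 ("queue 4 idle", {2: 1, 4: 0, 5: 1}),
                 ("three game hosts behind queue 4", {2: 1, 4: 3, 5: 1})]
    for label, active in scenarios:
        s = share(PIPE1_KBIT, PIPE1_QUEUES, active)
        print(label + ": " + ", ".join(f"queue {q}: {kb:7.1f} kbit/s" for q, kb in s.items()))
    served = simulate(PIPE1_QUEUES, {2: 1, 4: 1, 5: 1}, 10200)
    print("simulated bytes:", served, "ratio queue4/queue2 =", served[4] // served[2])
```

Under full contention queue 4 gets about 980 kbit/s and each of the weight-1 queues about 9.8 kbit/s; that is a share, not a priority, so a queue-2 packet is still served every 102 packets rather than waiting for queue 4 to drain. When queue 4 is idle, queues 2 and 5 get 500 kbit/s each. With a mask on queue 4, three active game hosts count as three weight-100 queues and push the others down to about 3.3 kbit/s each, which is the kind of effect to check when a "low priority" class must still keep a minimum rate.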
From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 29 11:02:09 2005
From: FreeBSD bugmaster
Date: Mon, 29 Aug 2005 11:02:08 GMT
To: freebsd-ipfw@FreeBSD.org
Message-Id: <200508291102.j7TB28fv021507@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/04/22]  kern/51274  ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24]  kern/51341  ipfw  ipfw rule 'deny icmp from any to any icmp
o [2003/12/11]  kern/60154  ipfw  ipfw core (crash)
o [2004/03/03]  kern/63724  ipfw  IPFW2 Queues dont t work
o [2004/11/13]  kern/73910  ipfw  [ipfw] serious bug on forwarding of packe
o [2004/11/19]  kern/74104  ipfw  ipfw2/1 conflict not detected or reported
f [2004/12/25]  kern/75483  ipfw  ipfw count does not count
o [2005/05/11]  bin/80913   ipfw  /sbin/ipfw2 silently discards MAC addr ar

8 problems total.

Non-critical problems
S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2004/10/29]  kern/73276  ipfw  ipfw2 vulnerability (parser error)
o [2005/02/01]  kern/76971  ipfw  ipfw antispoof incorrectly blocks broadca
o [2005/05/05]  kern/80642  ipfw  [patch] IPFW small patch - new RULE OPTIO
o [2005/06/28]  kern/82724  ipfw  [patch] Add setnexthop and defaultroute f

4 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 29 11:02:53 2005
From: FreeBSD bugmaster
Date: Mon, 29 Aug 2005 11:02:46 GMT
To: ipfw@FreeBSD.org
Message-Id: <200508291102.j7TB2kvL022082@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

Non-critical problems
S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13]  kern/26534  ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/10]  kern/46159  ipfw  ipfw dynamic rules lifetime feature
o [2003/02/11]  kern/48172  ipfw  ipfw does not log size and flags
o [2003/03/10]  kern/49086  ipfw  [patch] Make ipfw2 log to different syslo
o [2003/04/09]  bin/50749   ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/26]  kern/55984  ipfw  [patch] time based firewalling support fo
o [2003/12/30]  kern/60719  ipfw  ipfw: Headerless fragments generate cryp
o [2004/08/03]  kern/69963  ipfw  ipfw: install_state warning about already
o [2004/09/04]  kern/71366  ipfw  "ipfw fwd" sometimes rewrites destination

9 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 29 16:33:57 2005
From: Jeremie Le Hen
Date: Mon, 29 Aug 2005 18:34:14 +0200
To: vladone
Cc: freebsd-ipfw@freebsd.org, freebsd-questions@freebsd.org
Message-ID: <20050829163414.GO659@obiwan.tataz.chchile.org>
In-Reply-To: <1752667837.20050829001929@spaingsm.com>
Subject: Re: challenge with dummynet+ipfw

Hi,

[ please try to avoid cross-posting on FreeBSD lists ]

> I want to organize my bandwidth in this mode
> # download section
>                  1000kbit/s
>                       |
>                       |
>           |--------------------|
>           |                    |
>           |                    |
>         high                  low
>   priorized traffic        priorized
>           |                    |
>       512kbit/s                |
>           |                    |
>         user           |---------------|
>      share same        |               |
>      bandwidth         |               |
>                    300 kbit/s       512kbit/s
>                        |               |
>                        |               |
>                        |               |
>                   users share      users share
>                  same bandwidth   same bandwidth
>
> I want to use ipfw+dummynet. The solution is to pass traffic that matches
> a rule to multiple pipes or queues with different weights. But how?
> What is the precedence? (need sysctl net.inet.ip.fw.one_pass=0)
> If anyone has a solution please be explicit. I don't want to be easy,
> but it is significant in this case in which order the rules apply, and how
> the pipe and queue are configured. For this reason, please put solutions in this form (example):
>
> #section pipe and queue configuration
> ipfw pipe 1 config .....
> ipfw queue 8 config weight 3 pipe 6 ....
> ..................
>
> #section ipfw rules
> ipfw add pipe 1 {match high pri.}
> ipfw add pipe 5 {match low pri. 300k same bandwidth}
> ipfw add queue 3 {match for high pri. 512k same share}
> ...............................
>
> I have worked for a time with dummynet. In this
> example it is important to build some hierarchy with dummynet.
>
> P.S. this scheme is not changeable. Please refer to this situation.

Note that queue weights do not implement priorities. The rule is quite simple: sum up the weights of all queues connected to one pipe, and then each queue will be assigned the following bandwidth:

    queuebw = totalbw * queueweight / totalweight

ALTQ does prioritize the traffic. This means that packets with high priority are placed before lower prioritized packets in the device output FIFO.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 30 23:47:13 2005
From: Daniel Dvořák
Date: Wed, 31 Aug 2005 01:47:09 +0200
To: freebsd-questions@freebsd.org, freebsd-ipfw@freebsd.org, freebsd-pf@freebsd.org
Message-Id: <20050830234717.3D5E14E704@pipa.profix.cz>
Subject: Application layer firewall on FreeBSD, is it possible ?
Reply-To: dandee@volny.cz

Hi all,

let me ask you about the task "how to control p2p applications and their traffic with dynamic ports from users' computers on the gateway".

We are a small wireless community and have shared access to the internet for all members. Core members decided to control p2p traffic by default and to allow each person in an individual way, after showing their knowledge of authorial law. :)

But since many DC hubs, eDonkey servers, BitTorrent web trackers and so on use dynamic, non-standard ports, how to control it?

Linux uses l7-filter (sourceforge.net/projects/l7-filter, sourceforge freeware); it is based on iptables, with definitions of application protocols like the ethereal project does.

So, is there any way to do the same application layer (OSI model) firewall with a FreeBSD gateway?

Of course, I tried to find it on the web; I have not been successful in searching so far.

If my question is not right in this mailing list, if my question is annoying here, then I am sorry.

Dan

From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 31 00:08:51 2005
From: "Chris Dionissopoulos"
Date: Wed, 31 Aug 2005 03:08:26 +0300
Message-ID: <000f01c5adc0$1d0d1590$0100000a@R3B>
References: <20050830234717.3D5E14E704@pipa.profix.cz>
Subject: Re: Application layer firewall on FreeBSD, is it possible ?

Hi,

How about using snort (/usr/ports/security/snort) to create alerts based on the snort p2p rules, and snortsam's (i)pf(w) plugin (www.snortsam.net) to make (i)pf(w) deny (or delay) such p2p sessions?

Chris.

----- Original Message -----
From: "Daniel Dvořák"
To: freebsd-questions@freebsd.org; freebsd-ipfw@freebsd.org; freebsd-pf@freebsd.org
Sent: Wednesday, August 31, 2005 2:47 AM
Subject: Application layer firewall on FreeBSD, is it possible ?

Hi all,

let me ask you about the task "how to control p2p applications and their traffic with dynamic ports from users' computers on the gateway".

We are a small wireless community and have shared access to the internet for all members. Core members decided to control p2p traffic by default and to allow each person in an individual way, after showing their knowledge of authorial law. :)

But since many DC hubs, eDonkey servers, BitTorrent web trackers and so on use dynamic, non-standard ports, how to control it?

Linux uses l7-filter (sourceforge.net/projects/l7-filter, sourceforge freeware); it is based on iptables, with definitions of application protocols like the ethereal project does.

So, is there any way to do the same application layer (OSI model) firewall with a FreeBSD gateway?

Of course, I tried to find it on the web; I have not been successful in searching so far.

If my question is not right in this mailing list, if my question is annoying here, then I am sorry.

Dan

____________________________________________________________________
http://www.freemail.gr - δωρεάν υπηρεσία ηλεκτρονικού ταχυδρομείου.
http://www.freemail.gr - free email service for the Greek-speaking.
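To make concrete what Daniel is asking for and what the snort route above buys, here is an added example of l7-filter style classification; it is not code from l7-filter, snort, or any poster. It classifies a flow by the first bytes of payload in either direction, whatever ports are in use, and then applies Daniel's policy of "deny p2p by default, allow per member". The signatures are simplified versions of the protocol openings (the BitTorrent peer handshake and tracker GET, the eDonkey hello with its 0xE3 header, the NMDC Direct Connect "$Lock"/"$MyNick" commands), the packets are constructed, and the member prefix and allow list are made up. It runs offline on the constructed packets; on a FreeBSD gateway the same logic would sit behind an ipfw divert socket, the way snort_inline does. The usual caveat applies: signatures on cleartext openings do nothing against encrypted or obfuscated variants of these protocols, which is why such a filter is a rate-of-detection tool, not a guarantee.

```python
#!/usr/bin/env python3
"""l7-filter style payload classification with a p2p gateway policy.

Added example, not code from l7-filter, snort or this thread.  Signatures
are simplified protocol openings, the LAN prefix and allow list are made
up, and SAMPLE_PACKETS are constructed rather than captured.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

EARLY_BYTES = 2048                              # inspect only the start of a flow
LAN_NET = ipaddress.ip_network("10.0.0.0/24")   # assumed member network
P2P_ALLOWED = {"10.0.0.7"}                      # members granted p2p access

SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("bittorrent",         re.compile(rb"^\x13BitTorrent protocol", re.S)),
    ("bittorrent-tracker", re.compile(rb"^GET /[^ \r\n]*announce\?[^ \r\n]*info_hash=", re.S)),
    ("edonkey",            re.compile(rb"^\xe3.{4}\x01", re.S)),   # 0xE3 header, LE length, OP_HELLO
    ("directconnect",      re.compile(rb"^\$(Lock|MyNick|Key|Hello|Send|Direction) ", re.S)),
]

Endpoint = Tuple[str, int]


class FlowClassifier:
    """Keeps the first EARLY_BYTES of payload per direction of each flow and
    matches the signatures against each direction; a flow is scanned until it
    gets a verdict or its inspection window is used up."""

    def __init__(self) -> None:
        self.flows: Dict[Tuple[Endpoint, Endpoint], dict] = {}

    @staticmethod
    def key(a: Endpoint, b: Endpoint) -> Tuple[Endpoint, Endpoint]:
        return (a, b) if a <= b else (b, a)     # direction-independent flow key

    def packet(self, src: str, sport: int, dst: str, dport: int,
               payload: bytes) -> Optional[str]:
        k = self.key((src, sport), (dst, dport))
        f = self.flows.setdefault(k, {"buf": {}, "verdict": None})
        if f["verdict"] is not None:
            return f["verdict"]                  # decided: no further scanning
        d = (src, sport)
        seen = f["buf"].get(d, b"")
        if len(seen) >= EARLY_BYTES or not payload:
            return None
        f["buf"][d] = (seen + payload)[:EARLY_BYTES]
        for name, rx in SIGNATURES:
            if rx.search(f["buf"][d]):
                f["verdict"] = name
                return name
        return None


def member_of(src: str, dst: str) -> Optional[str]:
    """The LAN-side address of a flow, which the policy is keyed on."""
    for ip in (src, dst):
        if ipaddress.ip_address(ip) in LAN_NET:
            return ip
    return None


def decide(member: Optional[str], verdict: Optional[str]) -> str:
    """Deny classified p2p by default, allow it per member; unclassified passes."""
    if verdict is None:
        return "allow"
    return "allow" if member in P2P_ALLOWED else "deny"


def run(packets) -> List[Tuple[Optional[str], Optional[str], str]]:
    clf = FlowClassifier()
    out = []
    for src, sport, dst, dport, payload in packets:
        verdict = clf.packet(src, sport, dst, dport, payload)
        member = member_of(src, dst)
        out.append((member, verdict, decide(member, verdict)))
    return out


# Constructed packets: (src, sport, dst, dport, payload).  Note the non-standard ports.
SAMPLE_PACKETS = [
    ("10.0.0.5", 51413, "198.51.100.9", 6889,
     b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + b"-AZ2304-" + bytes(12)),
    ("10.0.0.7", 40211, "203.0.113.4", 4111, b""),               # DC: hub speaks first
    ("203.0.113.4", 4111, "10.0.0.7", 40211, b"$Lock EXTENDEDPROTOCOL_hub Pk=hub|"),
    ("10.0.0.9", 1034, "192.0.2.80", 80,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.5", 1035, "192.0.2.80", 8080,
     b"GET /announce?info_hash=%12%34&peer_id=x HTTP/1.0\r\n\r\n"),
    ("10.0.0.11", 4662, "198.51.100.20", 4662,
     b"\xe3\x26\x00\x00\x00\x01" + bytes(16) + bytes(6)),
]

if __name__ == "__main__":
    for row in run(SAMPLE_PACKETS):
        print(row)
```

The flow key is direction-independent, so the Direct Connect session is classified on the hub's "$Lock" even though the member sent nothing yet, and the tracker request is caught on port 8080 just as it would be on 6969; the plain HTTP GET is left alone. A verdict is final for the flow, which is what keeps the per-packet cost bounded.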
From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 31 00:16:28 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1138716A41F; Wed, 31 Aug 2005 00:16:28 +0000 (GMT) (envelope-from dandee@hellteam.net) Received: from pipa.profix.cz (server1.pcsvet.net [82.208.25.157]) by mx1.FreeBSD.org (Postfix) with ESMTP id 76E4C43D45; Wed, 31 Aug 2005 00:16:27 +0000 (GMT) (envelope-from dandee@hellteam.net) Received: from localhost (localhost [127.0.0.1]) by pipa.profix.cz (Postfix) with ESMTP id BF1434E706; Wed, 31 Aug 2005 02:16:34 +0200 (CEST) Received: from pipa.profix.cz ([127.0.0.1]) by localhost (pipa [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 23968-08; Wed, 31 Aug 2005 02:16:34 +0200 (CEST) Received: from gandalf (unknown [80.95.121.105]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by pipa.profix.cz (Postfix) with ESMTP id 63B2C4E704; Wed, 31 Aug 2005 02:16:34 +0200 (CEST) From: =?iso-8859-2?Q?Daniel_Dvo=F8=E1k?= To: , , Date: Wed, 31 Aug 2005 02:16:26 +0200 MIME-Version: 1.0 X-Mailer: Microsoft Office Outlook, Build 11.0.6353 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527 Thread-Index: AcWtvSK61OuDttUMQUioxjDpS/tELgAA+4+w Message-Id: <20050831001634.63B2C4E704@pipa.profix.cz> X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at profix.cz Content-Type: text/plain; charset="iso-8859-2" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Subject: FW: Application layer firewall on FreeBSD, is it possible ? X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: dandee@volny.cz List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 31 Aug 2005 00:16:28 -0000 ... 
but you know, proxy is not what I am asking, proxy is not firewall. We do not need to restrict everything and all members. We like full routeable network with full access to IPv6 / IPv4 internet without any necessary action like configure proxy clients at all pc=B4s = our members. We only want to deny only p2p applications by default for all pc=B4s regardless of used protocol/ports and to allow grantting access to p2p networks each members in individual way, because we have to prevent = another letter from our ISP which was contacted by BSA that from our public IP ( from one member in private ip space ) ... traffic ... share ... violate = ... authorial law.=20 So of course it must be combination of IP and application osi model firewall. Gateway server should check all packets and their contents to decide if allowed or denied in fast way like l7-filter on Linux OS. So is it possible on FreeBSD OS ? Thanks Dan _____ =20 From: Daniel Dvo=F8=E1k [mailto:dandee@hellteam.net]=20 Sent: Wednesday, August 31, 2005 1:47 AM To: 'freebsd-questions@freebsd.org'; 'freebsd-ipfw@freebsd.org'; 'freebsd-pf@freebsd.org' Subject: Application layer firewall on FreeBSD, is it possible ? Hi all, let me ask you for task "how to control p2p applications and their = traffic with dynamic ports from user=B4s commputers on gateway". We are small wireless community and have shared access to internet for = all members. Core members decided to control p2p traffic by default and to = allow each person in individual way, after showing their knowledge of = authorial low. :) But since many dc hubs, edonkey servers, bittorents web trackers and so = on use dynamic not standard ports, how to control it ? Linux use l7-filter sourceforge.net/projects/l7-filter sourceforge freeware and , it is = based on iptables, defination application protocols like ethereal project do. So, is there any way to do same application layer osi model firewall = with FreeBSD gateway ? 
Of course, I tried to find on web, I have not been successful in = searching so far. If my question is not right in this mailing list, if my question is = annoying here, so I am sorry. Dan From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 31 00:39:25 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DBCD416A41F for ; Wed, 31 Aug 2005 00:39:25 +0000 (GMT) (envelope-from dionch@freemail.gr) Received: from smtp.freemail.gr (smtp.freemail.gr [213.239.180.35]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7B5CA43D46 for ; Wed, 31 Aug 2005 00:39:25 +0000 (GMT) (envelope-from dionch@freemail.gr) Received: by smtp.freemail.gr (Postfix, from userid 101) id 91DE0BC071; Wed, 31 Aug 2005 03:39:24 +0300 (EEST) Received: from R3B (unknown [62.38.169.11])by smtp.freemail.gr (Postfix) with ESMTP id A55FCBC00A; Wed, 31 Aug 2005 03:39:23 +0300 (EEST) Message-ID: <003f01c5adc4$65735660$0100000a@R3B> From: "Chris Dionissopoulos" To: , References: <20050831001634.63B2C4E704@pipa.profix.cz> Date: Wed, 31 Aug 2005 03:39:06 +0300 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-2"; reply-type=original Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2670 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670 Cc: Subject: Re: Application layer firewall on FreeBSD, is it possible ? X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Chris Dionissopoulos List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 31 Aug 2005 00:39:26 -0000 >So is it possible on FreeBSD OS ? ... 
or try this one:

/usr/ports/security/snort_inline

with this guide:

http://freebsd.rogness.net/snort_inline/

a very quick example:

your ipfw rules:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
02000 divert 666 ip from any to any
65000 allow ip from any to any
65535 deny ip from any to any

while your gateway is running:

snort_inline -J 666 -c snort_with_p2p_rules.conf

Chris.

____________________________________________________________________
http://www.freemail.gr - free email service for the Greek-speaking.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 31 10:47:35 2005
Date: Wed, 31 Aug 2005 13:47:24 +0300
From: vladone
Message-ID: <1236974368.20050831134724@spaingsm.com>
Subject: about queue size

How can I calculate (or best approximate) the queue size?

From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 31 14:59:59 2005
Date: Wed, 31 Aug 2005 17:00:15 +0200
From: Jeremie Le Hen
To: vladone
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20050831150015.GI659@obiwan.tataz.chchile.org>
In-Reply-To: <1236974368.20050831134724@spaingsm.com>
Subject: Re: about queue size

Hi,

> How can I calculate (or best approximate) the queue size?

It depends on what you are targeting. For example a big queue will likely drop fewer packets than a small one, but OTOH this could add a big latency because of the numerous packets being queued. Small queues will drop more packets but latency will be reduced.

Generally I would advise using small queues when used for interactive traffic such as an ssh session or even HTTP requests. IIRC big queues will maximize bandwidth, but some network guy may make these rules more precise; I would be glad of that.

The rules to compute queue sizes are deducible from the ipfw(8) manual page, DUMMYNET section (see "queue {slots | sizeKbytes}").

Hope this helps.

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 31 21:05:15 2005
Date: Thu, 1 Sep 2005 00:05:12 +0300
From: vladone
Message-ID: <1126236392.20050901000512@spaingsm.com>
Subject: in via or in recv

Hi!
What is the difference between:
1. in via - in recv
2. out via - out xmit
When do I need to use one variant or the other?

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 1 03:55:16 2005
Date: Thu, 01 Sep 2005 12:55:09 +0900
From: Ganbold
To: Gleb Smirnoff
Cc: freebsd-ipfw@freebsd.org
Message-ID: <6.2.1.2.2.20050901124651.0357db30@202.179.0.80>
In-Reply-To: <20050831092848.GI60614@cell.sick.ru>
Subject: Re: ng_netflow and bridging firewall
Gleb,

Thanks for the reply. However, as long as I run ngctl commands to create the graph in order to catch both outgoing and incoming traffic, ipfw starts to work abnormally. Basically all my customers complained that they couldn't connect to the Internet.
Because I'm running a bridge firewall, is this due to the ng_ether and bridge(4) bug you mentioned? Or is it something else?
Where can I find the bug info?

# uname -an
FreeBSD machine.mng.net 5.4-STABLE FreeBSD 5.4-STABLE #4: Fri Aug 12 09:58:18 ULAST 2005 tsgan@machine.mng.net:/usr/obj/usr/src/sys/PRXY i386

thanks,

Ganbold

At 06:28 PM 8/31/2005, you wrote:
>On Wed, Aug 31, 2005 at 05:50:21PM +0900, Ganbold wrote:
>G> At 08:10 PM 8/30/2005, you wrote:
>G> >On Tue, Aug 30, 2005 at 07:30:09PM +0900, Ganbold wrote:
>G> >G> ngctl mkpeer xl1: tee lower right
>G> >G> ngctl connect xl1: xl1:lower upper left
>G> >G> ngctl name xl1:lower xl1_tee
>G> >G> ngctl mkpeer xl1_tee: netflow left2right iface0
>G> >G> ngctl name xl1:lower.left2right netflow
>G> >G> ngctl connect xl1_tee: netflow: right2left iface1
>G> >G> ngctl msg netflow: setifindex { iface=0 index=2 }
>G> >G> ngctl msg netflow: setifindex { iface=1 index=1 }
>G> >G> ngctl mkpeer netflow: ksocket export inet/dgram/udp
>G> >G> ngctl msg netflow:export connect inet/127.0.0.1:8818
>G> >G>
>G> >G> I'm just using the second xl1 interface for ng_netflow. However when I see the
>G> >G> flow data I can only see my network addresses in
>G> >G> the dstIP field. Is it correct? I thought both srcIP, dstIP should contain
>G> >G> my IPs, because I'm trying to catch traffic which goes in both directions of
>G> >G> xl1. Is my assumption correct? If I'm wrong, how to make it work in the correct
>G> >G> way?
>G> >
>G> >No. Look at ng_ether(4) manpage, and draw your graph. You are catching only
>G> >one direction with the above script.
>G>
>G> OK. I see. I'm catching only incoming traffic to the xl1 interface.
>G> I can see it from ngctl issuing the msg xl1_tee: getstats command and also the
>G> flowctl netflow: show command.
>G>
>G> I read the ng_ether man page and didn't quite get it.
>G>
>G> I'm including the xl0 interface in a similar way as xl1.
>G> Is the following sufficient for catching outgoing traffic?
>G>
>G> ngctl mkpeer xl0: tee lower right
>G> ngctl connect xl0: xl0:lower upper left
>G> ngctl name xl0:lower xl0_tee
>G> ngctl mkpeer xl0_tee: netflow left2right iface2
>G> ngctl name xl0:lower.left2right netflow0
>G> ngctl msg netflow0: setifindex { iface=2 index=4 }
>G> ngctl connect xl0_tee: netflow0: right2left iface3
>G> ngctl msg netflow0: setifindex { iface=3 index=3 }
>G> ngctl mkpeer netflow0: ksocket export inet/dgram/udp
>G> ngctl msg netflow0:export connect inet/127.0.0.1:8818
>
>Looks like correct.
>
>G> The graph is something like:
>G>
>G>            ng_ether
>G>       upper |    | lower
>G>        left |    | right
>G>             ng_tee
>G>  right2left |    | left2right
>G>      iface0 |    | iface1
>G>           ng_netflow
>G>
>G> Maybe I did something wrong. How should I do it in the right way?
>G> I googled and didn't find a good source/samples of ng_netflow.
>G>
>G> thanks in advance,
>G>
>G> Ganbold
>G>
>G>
>
>--
>Totus tuus, Glebius.
>GLEBIUS-RIPN GLEB-RIPE
>_______________________________________________
>freebsd-isp@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-isp
>To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 1 04:02:12 2005
Date: Thu, 01 Sep 2005 13:02:01 +0900
From: Ganbold
To: Gleb Smirnoff
Cc: freebsd-ipfw@freebsd.org
Message-ID: <6.2.1.2.2.20050901125645.0357d9e0@202.179.0.80>
Subject: Re: ng_netflow and bridging firewall

Gleb,

I also tried to create the graph in the following way:

ngctl mkpeer xl1: tee lower left
ngctl connect xl1: xl1:lower upper right
ngctl mkpeer xl1:lower one2many left2right many0
ngctl connect xl1:lower.left2right xl1:lower many1 right2left
ngctl name xl1:lower.right2left o2m
ngctl mkpeer o2m: netflow one iface0
ngctl name o2m:one netflow
ngctl mkpeer netflow: ksocket export inet/dgram/udp
ngctl msg netflow:export connect inet/127.0.0.1:8818

I got the above from
the http://www.unix.lviv.ua/index_rus.html?art/nf.html site.

Right after it the firewall didn't work again. How can I solve this problem?
I don't know yet why ipfw stopped working. Is this a bug of ipfw or something else?

thanks,

Ganbold

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 1 07:12:34 2005
Date: Thu, 1 Sep 2005 11:12:27 +0400
From: Gleb Smirnoff
To: Ganbold
Cc: freebsd-ipfw@FreeBSD.org
Message-ID: <20050901071227.GR86630@cell.sick.ru>
In-Reply-To: <6.2.1.2.2.20050901124651.0357db30@202.179.0.80>
Subject: Re: ng_netflow and bridging firewall

On Thu, Sep 01, 2005 at 12:55:09PM +0900, Ganbold wrote:
G> Thanks for the reply. However, as long as I run ngctl commands to create the
G> graph in order to catch both outgoing and incoming
G> traffic, ipfw starts to work abnormally. Basically all my customers complained
G> that they couldn't connect to the Internet.
G> Because I'm running a bridge firewall, is this due to the ng_ether and bridge(4)
G> bug you mentioned? Or is it something else?

Very probably.

G> Where can I find the bug info?

In the CVS log for revision 1.85 of src/sys/net/bridge.c

--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 1 07:13:17 2005
Date: Thu, 1 Sep 2005 11:13:15 +0400
From: Gleb Smirnoff
To: Ganbold
Cc: freebsd-ipfw@FreeBSD.org
Message-ID: <20050901071315.GS86630@cell.sick.ru>
In-Reply-To: <6.2.1.2.2.20050901125645.0357d9e0@202.179.0.80>
Subject: Re: ng_netflow and bridging firewall

On Thu, Sep 01, 2005 at 01:02:01PM +0900, Ganbold wrote:
G> I also tried to create the graph in the following way:
G>
G> ngctl mkpeer xl1: tee lower left
G> ngctl connect xl1: xl1:lower upper right
G> ngctl mkpeer xl1:lower one2many left2right many0
G> ngctl connect xl1:lower.left2right xl1:lower many1 right2left
G> ngctl name xl1:lower.right2left o2m
G> ngctl mkpeer o2m: netflow one iface0
G> ngctl name o2m:one netflow
G> ngctl mkpeer netflow: ksocket export inet/dgram/udp
G> ngctl msg netflow:export connect inet/127.0.0.1:8818
G>
G> I got the above from the http://www.unix.lviv.ua/index_rus.html?art/nf.html site.
G>
G> Right after it the firewall didn't work again. How can I solve this problem?
G> I don't know yet why ipfw stopped working. Is this a bug of ipfw or
G> something else?

You can try 6.0-BETA3. The bug between ng_ether(4) and bridge(4) interaction has been fixed here.

--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 1 08:54:32 2005
Date: Thu, 1 Sep 2005 11:54:30 +0300
From: vladone
Message-ID: <12110289463.20050901115430@spaingsm.com>
In-Reply-To: <200508312232.j7VMW5p1054040@bernina.office>
Subject: Re[2]: in via or in recv

So:
in via fxp0 = in recv fxp0?
out via fxp0 = out xmit fxp0?
Or give some example, please!

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 1 11:04:55 2005
Date: Thu, 1 Sep 2005 13:04:52 +0200
From: Nicolas Rachinsky
To: freebsd-ipfw@freebsd.org
Message-ID: <20050901110452.GC31138@mid.pc5.i.0x5.de>
In-Reply-To: <12110289463.20050901115430@spaingsm.com>
Subject: Re: in via or in recv

* vladone [2005-09-01 11:54 +0300]:
> So:
> in via fxp0 = in recv fxp0?

Yes.

> out via fxp0 = out xmit fxp0?

AFAIK it's
out via fxp0 = out (recv fxp0 or xmit fxp0)
I'm not sure if this is valid ipfw syntax.

But after looking in the man page again I'm not sure if it's
out via fxp0 = out recv fxp0 xmit fxp0

"The via keyword causes the interface to always be checked."

It seems to be a good thing that I don't use 'via'.

Nicolas (a bit confused now)

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 2 09:39:34 2005
Date: Fri, 02 Sep 2005 11:39:17 +0200
From: Sten Daniel Sørsdal
To: vladone
Cc: freebsd-ipfw@freebsd.org
Message-ID: <43181DC5.9030806@wm-access.no>
In-Reply-To: <1126236392.20050901000512@spaingsm.com>
Subject: Re: in via or in recv

vladone wrote:
> Hi!
> What is the difference between:
> 1. in via - in recv
> 2. out via - out xmit
> When do I need to use one variant or the other?
>

via fxp0 will match a packet either coming in or going out on fxp0.
in via fxp0 will match a packet on the way in that comes in on fxp0.
out via fxp0 will match a packet on the way out if the packet previously came in on fxp0 or is now exiting fxp0.

recv fxp0 will match a packet that was received on fxp0.
xmit fxp0 will match a packet that is exiting fxp0.

Use recv and xmit; via can be very misleading (imho).
"via fxp0" can also be written "{ recv fxp0 or xmit fxp0 }".
in/out has no relation to "via" as they are independent options.

--
Sten Daniel Sørsdal
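The readings of via offered in this thread can be checked against a small model of how ipfw applies its interface tests to each pass of a packet. This is an added example, not code from the thread or from ipfw; the Packet and Rule types and the fxp0 (LAN) / fxp1 (uplink) passes are constructed. It encodes via as the interface of the current pass, which is my reading of ipfw(8) ("Packet must be going through interface ifX"; the receive interface can be tested on either pass, the transmit interface only on the outbound one), so it agrees that in via fxp0 equals in recv fxp0 and that out via fxp0 equals out xmit fxp0, but under it out via fxp0 does not match a packet that entered on fxp0 and leaves on fxp1; confirm against ipfw(8) on your release before writing rules that depend on that case.

```python
"""Model of ipfw's in/out, recv, xmit and via interface tests.

Added example, not code from the thread or from ipfw itself.  The Packet
and Rule types, the rule-fragment parser and the fxp0/fxp1 traffic passes
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One pass of a packet through the firewall, as ipfw sees it.

    direction: "in" (packet arriving) or "out" (packet leaving).
    recv_if:   interface it arrived on; None when generated on the host.
    xmit_if:   interface it is leaving on; None during the inbound pass.
    """
    direction: str
    recv_if: Optional[str]
    xmit_if: Optional[str]


@dataclass(frozen=True)
class Rule:
    """Interface-related part of a rule body, e.g. 'out recv fxp0 xmit fxp1'.

    direction None means neither 'in' nor 'out' was given; tests holds
    (keyword, ifname) pairs that must all match.
    """
    direction: Optional[str]
    tests: Tuple[Tuple[str, str], ...]


def parse_rule(text: str) -> Rule:
    """Parse fragments like 'in via fxp0' or 'out recv fxp0 xmit fxp1'."""
    toks = text.split()
    direction = None
    tests = []
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok in ("in", "out"):
            if direction is not None:
                raise ValueError("direction given twice: %r" % text)
            direction = tok
            i += 1
        elif tok in ("recv", "xmit", "via"):
            if i + 1 >= len(toks):
                raise ValueError("missing interface after %r" % tok)
            tests.append((tok, toks[i + 1]))
            i += 2
        else:
            raise ValueError("unexpected token %r" % tok)
    return Rule(direction, tuple(tests))


def iface_test(pkt: Packet, keyword: str, ifname: str) -> bool:
    """Evaluate one recv/xmit/via test against a packet pass."""
    if keyword == "recv":
        # The receive interface is known on both the inbound and outbound pass.
        return pkt.recv_if == ifname
    if keyword == "xmit":
        # A transmit interface exists only on the outbound pass.
        return pkt.xmit_if == ifname
    if keyword == "via":
        # "Packet must be going through ifX": the interface of the current
        # pass, i.e. the transmit interface when outbound, the receive
        # interface when inbound (editor's reading of ipfw(8), see lead-in).
        current = pkt.xmit_if if pkt.direction == "out" else pkt.recv_if
        return current == ifname
    raise ValueError("unknown keyword %r" % keyword)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """in/out are independent of the interface tests; all tests must hold."""
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    return all(iface_test(pkt, kw, name) for kw, name in rule.tests)


# Constructed passes on a gateway with fxp0 (LAN side) and fxp1 (uplink).
PASSES = {
    "lan_in":         Packet("in",  "fxp0", None),    # LAN packet arriving
    "lan_fwd_out":    Packet("out", "fxp0", "fxp1"),  # same packet leaving via uplink
    "uplink_in":      Packet("in",  "fxp1", None),
    "uplink_fwd_out": Packet("out", "fxp1", "fxp0"),
    "local_out":      Packet("out", None,   "fxp0"),  # generated on the gateway
}


def matching_passes(rule_text: str) -> List[str]:
    """Names of the constructed passes that the rule fragment matches."""
    rule = parse_rule(rule_text)
    return [name for name, pkt in PASSES.items() if rule_matches(rule, pkt)]


if __name__ == "__main__":
    for text in ("in via fxp0", "in recv fxp0", "out via fxp0", "out xmit fxp0",
                 "out recv fxp0", "via fxp0", "out recv fxp0 xmit fxp1"):
        print("%-24s -> %s" % (text, ", ".join(matching_passes(text))))
```

Under this model "out via fxp0" never sees the LAN packet being forwarded out fxp1, which is exactly the case where the reply above and the man page wording diverge; "out recv fxp0" (or "out recv fxp0 xmit fxp1") states that intent without relying on via at all.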