From owner-freebsd-ipfw Mon May 1 19: 3:29 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mail.dbitech.bc.ca (i.caniserv.com [139.142.95.1]) by hub.freebsd.org (Postfix) with SMTP id 1D41637B8E1 for ; Mon, 1 May 2000 19:03:23 -0700 (PDT) (envelope-from darcy@ok-connect.com)
Received: (qmail 19944 invoked from network); 2 May 2000 02:03:21 -0000
Received: from ccliii.caniserv.com (HELO dbitech) (139.142.95.253) by 139.142.95.8 with SMTP; 2 May 2000 02:03:21 -0000
Message-Id: <3.0.32.20000501190519.01ed3ea0@mail.ok-connect.com>
X-Sender: darcyb@mail.ok-connect.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Mon, 01 May 2000 19:05:20 -0700
To: freebsd-ipfw@FreeBSD.ORG
From: Darcy Buskermolen
Subject: ipfw and rule strangeness
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I have a program that I use to dynamically create and destroy ipfw rules; however, I just noticed something rather frustrating...

# ipfw add deny ip from hacker.host to server.host
00000 deny ip from hacker.host to server.host
# ipfw show 00000
ipfw: rule 0 does not exist

Looks like the rule number that is being echoed back is not the same number it applied to the rule.
(My workaround has been to grep for "deny ip from hacker.host to server.host" and grab that rule number, but that seems like a bad way of doing it.)

My question: is this the expected behavior, or is it not? And while I'm on the subject, is there a way to change the default increment from 100 to something smaller?

\\DB

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Wed May 3 3:57:38 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from hydrant.intranova.net (msb-ts-slip11.UMDNJ.EDU [130.219.28.71]) by hub.freebsd.org (Postfix) with SMTP id AEC6137BC2A for ; Wed, 3 May 2000 03:57:31 -0700 (PDT) (envelope-from oogali@intranova.net)
Received: (qmail 513 invoked from network); 3 May 2000 10:57:39 -0000
Received: from localhost.abuselabs.com (HELO localhost) (missnglnk@127.0.0.1) by localhost.abuselabs.com with SMTP; 3 May 2000 10:57:39 -0000
Date: Wed, 3 May 2000 06:57:39 -0400 (EDT)
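The problem in the question above (an unnumbered "ipfw add" echoes 00000, and the poster's workaround is to grep the listing for the rule text) can be sidestepped by choosing the number before the rule is added, so the same program knows what to delete later. The script below is an added example, not from this thread and not FreeBSD's own code; the function names next_rule_number, rule_numbers_for and add_numbered_rule, and the sample listing, are constructed here. It follows the kernel's own numbering policy (highest existing rule plus an increment, skipping the default rule 65535) but refuses to hand back a colliding number when the space is exhausted.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeBSD's code): pick the rule number
# yourself instead of parsing the "00000" that ipfw echoes for an unnumbered
# rule. The number is then known before the rule exists, so a program can later
# run "ipfw delete <number>" without grepping the listing.

# Print the next free rule number, reading "ipfw list" output on stdin.
# Same policy as the kernel: highest existing number plus an increment, ignoring
# the default rule 65535 (the kernel's (u_short)-1 check), but failing instead
# of returning a number that collides when there is no room left below 65535.
#   $1 = increment (default 100)
next_rule_number() {
    awk -v inc="${1:-100}" '
        BEGIN { max = 0 }
        /^[0-9]+ / { n = $1 + 0; if (n != 65535 && n > max) max = n }
        END {
            candidate = max + inc
            if (candidate >= 65535) exit 1   # no room: refuse rather than collide
            printf "%05d\n", candidate
        }'
}

# The grep workaround from the question, made explicit: print the number of
# every rule whose body matches the given text exactly. It prints several
# numbers when the same rule was added more than once, which is why choosing
# the number up front is the safer interface for code that must delete rules.
rule_numbers_for() {
    awk -v body="$1" '
        /^[0-9]+ / { n = $1; $1 = ""; sub(/^ +/, ""); if ($0 == body) print n }'
}

# Add a rule at an explicitly chosen number and print that number.
# Usage: add_numbered_rule deny ip from 192.0.2.10 to 198.51.100.5
add_numbered_rule() {
    num=$(ipfw list | next_rule_number 100) || { echo "no free rule number" >&2; return 1; }
    ipfw -q add "$num" "$@" && echo "$num"
}

# Constructed sample in the shape "ipfw list" prints, for the offline demo.
SAMPLE_LISTING='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 allow tcp from any to any established
65535 deny ip from any to any'

printf '%s\n' "$SAMPLE_LISTING" | next_rule_number                                   # 00400
printf '%s\n' "$SAMPLE_LISTING" | next_rule_number 10                                # 00310
printf '%s\n' "$SAMPLE_LISTING" | rule_numbers_for 'deny ip from any to 127.0.0.0/8'  # 00200
```

add_numbered_rule is the only function that touches a live firewall; the two parsers take the listing on stdin so they can be exercised against saved output first.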
From: Omachonu Ogali To: Darcy Buskermolen Cc: freebsd-ipfw@FreeBSD.ORG Subject: Re: ipfw and rule strangeness In-Reply-To: <3.0.32.20000501190519.01ed3ea0@mail.ok-connect.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Mon, 1 May 2000, Darcy Buskermolen wrote: > I have a program that I use to dynamically create and destroy ipfw rules, > however I just noticed something rather frustrating... > > # ipfw add deny ip from hacker.host to server.host > 00000 deny ip from hacker.host to server.host 00000 is the number shown since you specified no rule number and it isn't assigned until after the rule is set. > # ipfw show 00000 > ipfw: rule 0 does not exist > > Looks like the rule number that is being echo'd back is not the same rule > it applied to the rule. > (my work around has been to grep for deny ip from hacker.host to server.host > and grab that rule number, but that seams like a bad way of doing it) > > My question, is this the expected behavior, or is it not, and while I'm on > the subject is there a way to change the default increment from 100 to > something smaller ? > > \\DB Here's a patch. -- snip -- --- sys/netinet/ip_fw.c.orig Wed May 3 06:42:28 2000 +++ sys/netinet/ip_fw.c Wed May 3 06:46:29 2000 @@ -176,6 +176,10 @@ &dyn_rst_lifetime, 0, "Lifetime of dyn. rules for other situations"); #endif /* STATEFUL */ +static u_int32_t rule_increment = 100; +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, rule_increment, CTLFLAG_RW, + &rule_increment, 0, "Value to increment non-numbered ipfw rules by"); + #endif #define dprintf(a) do { \ @@ -1440,7 +1444,7 @@ return(0); } - /* If entry number is 0, find highest numbered rule and add 100 */ + /* If entry number is 0, find highest numbered rule and add rule_increment */ if (ftmp->fw_number == 0) { for (fcp = LIST_FIRST(chainptr); fcp; fcp = LIST_NEXT(fcp, chain)) { if (fcp->rule->fw_number != (u_short)-1) 
@@ -1448,8 +1452,8 @@ else break; } - if (nbr < IPFW_DEFAULT_RULE - 100) - nbr += 100; + if (nbr < IPFW_DEFAULT_RULE - rule_increment) + nbr += rule_increment; ftmp->fw_number = nbr; } -- snip -- > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-ipfw" in the body of the message > -- +-------------------------------------------------------------------------+ | Omachonu Ogali oogali@intranova.net | | Intranova Networking Group http://tribune.intranova.net | | PGP Key ID: 0xBFE60839 | | PGP Fingerprint: C8 51 14 FD 2A 87 53 D1 E3 AA 12 12 01 93 BD 34 | +-------------------------------------------------------------------------+ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Wed May 3 19:16:12 2000 Delivered-To: freebsd-ipfw@freebsd.org Received: from cricket.mindcrime.net (cricket.mindcrime.net [209.70.202.96]) by hub.freebsd.org (Postfix) with ESMTP id 76CE937BF41 for ; Wed, 3 May 2000 19:16:10 -0700 (PDT) (envelope-from sagem@cricket.mindcrime.net) Received: from cricket.mindcrime.net (cricket.mindcrime.net [209.70.202.96]) by cricket.mindcrime.net (8.9.3/8.9.3) with ESMTP id VAA25498 for ; Wed, 3 May 2000 21:17:41 GMT (envelope-from sagem@cricket.mindcrime.net) Date: Wed, 3 May 2000 21:17:41 +0000 (GMT) 
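Review bot: in the first hunk the new rule_increment is declared u_int32_t but registered with SYSCTL_INT, which takes a pointer to an int, so the declaration and the sysctl macro disagree on the type; declare it as int (or use SYSCTL_UINT if this tree provides it). Also, CTLFLAG_RW lets a value land there with no range check, and the code that consumes it assumes 1 <= rule_increment < IPFW_DEFAULT_RULE; a sysctl handler that rejects anything else, e.g. `if (v < 1 || v >= IPFW_DEFAULT_RULE) return (EINVAL);`, or at least a clamp before use, would keep bad values out.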
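Review bot: in the last hunk the no-room case is still silent: when `nbr < IPFW_DEFAULT_RULE - rule_increment` is false, nbr is left at the highest existing number and `ftmp->fw_number = nbr;` gives the new rule that same number, and with rule_increment set to 0 that collision happens on every unnumbered add. Because rule_increment is unsigned, a value above IPFW_DEFAULT_RULE (65535) also makes the subtraction wrap, so the guard always passes and the sum is truncated on assignment to the u_short fw_number. Reporting the no-room case to the caller as an error instead of reusing the number, together with bounding the sysctl value, would make both outcomes explicit.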
From: sage@mindcrime.net
X-Sender: sagem@cricket.mindcrime.net
To: freebsd-ipfw@FreeBSD.ORG
Subject: hi/new
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

New to the list, thought I would say hi.
New to FreeBSD, but not *nix, and loving it.

Who wants to give me a huge skinny on everything and anything to do with ipfw? I have a Red Hat box doing NAT and firewalling, but I know FreeBSD will kick its butt if I can get a little direction.

Lay it on me.

/sm

From owner-freebsd-ipfw Wed May 3 19:31:37 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from home.offwhite.net (home.offwhite.net [156.46.35.30]) by hub.freebsd.org (Postfix) with ESMTP id 1E47037BF86 for ; Wed, 3 May 2000 19:31:33 -0700 (PDT) (envelope-from brennan@offwhite.net)
Received: from localhost (brennan@localhost) by home.offwhite.net (8.9.1/8.9.3) with ESMTP id VAA50067; Wed, 3 May 2000 21:30:41 -0500 (CDT)
Date: Wed, 3 May 2000 21:30:41 -0500 (CDT)
From: Brennan W Stehling
To: sage@mindcrime.net
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: hi/new
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Firewalling on FreeBSD is quite easy; you just have to understand firewalls a bit. There is plenty of documentation. Try...

http://www.greasydaemon.com/cgi-bin/htsearch?words=ipfw+freebsd&method=and&format=long&config=greasydaemon

Brennan Stehling - web developer and sys admin
projects: www.greasydaemon.com | www.onmilwaukee.com | www.sncalumni.com
fortune: Smoking is one of the leading causes of statistics. -- Fletcher Knebel

On Wed, 3 May 2000 sage@mindcrime.net wrote:

> New to the list, thought i would say hi.
> New to freebsd, but not *nix, and loving it
>
> how wants to give me a huge skinny on everything and anything to do with
> ipfw. I have a redhat box doing nat, and firewalling, but i know fbsd
> will kick its butt, if i can get a little direction.
>
> lay it on me
>
> /sm

From owner-freebsd-ipfw Thu May 4 4:59:57 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from syrenna.deep-ocean.net (ca-ol-bordeaux-7-4.abo.wanadoo.fr [62.161.110.4]) by hub.freebsd.org (Postfix) with ESMTP id 2EE5237B5FF for ; Thu, 4 May 2000 04:59:52 -0700 (PDT) (envelope-from olivier.cortes@free.fr)
Received: from pozeidon (pozeidon.deep-ocean.net [192.168.0.12]) by syrenna.deep-ocean.net (8.9.3/8.9.3) with SMTP id NAA00547; Thu, 4 May 2000 13:54:59 +0200 (CEST) (envelope-from olivier.cortes@free.fr)
From: "Olivier Cortes"
To:
Cc: "FreeBSD IPFW"
Subject: RE: hi/new
Date: Thu, 4 May 2000 13:55:11 +0200
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2776.0)
Importance: Normal
In-Reply-To:
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

hi

I used to be a Linux man. Under FreeBSD, one of the best things I learnt about ipfw is dynamic firewalling. Check "keep-state" and "check-state" in the docs.

NAT is also quite different from masquerading (it's done in a process, not in the kernel, and has many options; the best for me: port translation! Check the manual). There are also differences between static NAT and dynamic NAT... plenty of variations between the two OSes. Same concepts (firewalling), but many more details and tuning options in FreeBSD. It's more "mature" when talking 'bout firewalls. We'll see evolution with iptables/netfilter in Linux 2.4.

For now I own 2 FreeBSD servers (one little firewall, and a server: web, mail, whatever you can think of...). I'm wondering about how OpenBSD would act on my firewall (same or better?). Going to install it ;)

greets
olive

deep ocean webmaster, www.deep-ocean.net

> -----Original Message-----
> From: owner-freebsd-ipfw@FreeBSD.ORG
> [mailto:owner-freebsd-ipfw@FreeBSD.ORG] On behalf of sage@mindcrime.net
> Sent: Wednesday 3 May 2000 23:18
> To: freebsd-ipfw@FreeBSD.ORG
> Subject: hi/new
>
>
> New to the list, thought i would say hi.
> New to freebsd, but not *nix, and loving it
>
> how wants to give me a huge skinny on everything and anything to do with
> ipfw. I have a redhat box doing nat, and firewalling, but i know fbsd
> will kick its butt, if i can get a little direction.
>
> lay it on me
>
> /sm
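Olivier's reply points at keep-state/check-state and at natd's port translation without showing how they fit together. The script below is an added example, not from the thread and not FreeBSD's own ruleset; the external interface fxp0, the inside network 192.168.1.0/24, the inside web host 192.168.1.10 and the rule numbers are placeholders chosen here. It uses the "skipto" pattern so that every stateful flow, in both directions, still passes through the outbound divert rule; a plain "allow ... keep-state" would terminate processing before natd saw the reply, and the packet would leave with its private source address.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeBSD's own code): a stateful ipfw
# ruleset around check-state/keep-state, with natd doing NAT and one port
# translation. Placeholders: external interface fxp0, inside net 192.168.1.0/24,
# inside web host 192.168.1.10.
#   "sh thisfile show"  prints the commands that would run
#   "sh thisfile apply" runs them (needs root, ipfw in the kernel, natd started)

EXT_IF=${EXT_IF:-fxp0}
INSIDE=${INSIDE:-192.168.1.0/24}
WEB=${WEB:-192.168.1.10}

# Run an ipfw command, or print it when DRY_RUN=1.
fw() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'ipfw %s\n' "$*"
    else
        ipfw -q "$@"
    fi
}

# natd must be running for the divert rules to pass traffic. The -redirect_port
# option is the "port translation" Olivier mentions: TCP/80 arriving on the
# external address is rewritten to the inside web host.
natd_command() {
    printf 'natd -interface %s -redirect_port tcp %s:80 80\n' "$EXT_IF" "$WEB"
}

stateful_ruleset() {
    fw -f flush
    fw add 100 allow ip from any to any via lo0
    fw add 200 deny ip from any to 127.0.0.0/8
    # Inbound: untranslate first, so the filter rules see inside addresses.
    fw add 300 divert natd ip from any to any in via "$EXT_IF"
    # Packets that belong to a dynamic rule are handled here with the action of
    # the rule that created the state; everything below sees only first packets.
    fw add 400 check-state
    # Inside-initiated flows: record state and jump to the outbound NAT rule.
    # "skipto" rather than "allow" so the packet still reaches the divert.
    fw add 500 skipto 1000 tcp from "$INSIDE" to any out via "$EXT_IF" setup keep-state
    fw add 510 skipto 1000 udp from "$INSIDE" to any out via "$EXT_IF" keep-state
    # The one inbound service: the port natd redirects (already untranslated
    # at rule 300). Replies from the web host go through the state entry,
    # hence skipto again so they are translated on the way out.
    fw add 600 skipto 1000 tcp from any to "$WEB" 80 in via "$EXT_IF" setup keep-state
    # Everything else is dropped; "log" needs net.inet.ip.fw.verbose=1 to show up.
    fw add 900 deny log ip from any to any
    # Outbound NAT, reached only through skipto.
    fw add 1000 divert natd ip from any to any out via "$EXT_IF"
    fw add 1010 allow ip from any to any
}

case "${1:-}" in
    show)  DRY_RUN=1; stateful_ruleset; natd_command ;;
    apply) stateful_ruleset ;;
esac
```

Run it with "show" first and read the order: the inbound divert precedes check-state, check-state precedes every keep-state rule, and the outbound divert sits past the final deny, where only a skipto can reach it.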