From owner-freebsd-ipfw Sun Mar 25 22:13:57 2001
From: Luigi Rizzo
To: ipfw@freebsd.org
Subject: half-close timeout in stateful ipfw
Date: Mon, 26 Mar 2001 08:13:35 +0200 (CEST)
Message-Id: <200103260613.IAA67110@info.iet.unipi.it>

Hi,
I received a request from an ipfw user to change the timeout for
half-closed connections from dyn_fin_lifetime to something
different, such as dyn_ack_lifetime -- the requestor claims
that there are many cases where a web client aborts the connection
when the (remote) server becomes too slow, and in such cases
the dynamic rule timeout for half-closed connection often
expires before the fin from the other side comes in.

The request seems reasonable, so if there are no objections I
would like to ask jordan permission to commit this to 4.3

cheers
luigi

----------------------------------+-----------------------------------------
Luigi RIZZO, luigi@iet.unipi.it  . ACIRI/ICSI (on leave from Univ. di Pisa)
http://www.iet.unipi.it/~luigi/  . 1947 Center St, Berkeley CA 94704
Phone (510) 666 2927             .
----------------------------------+-----------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Sun Mar 25 23:07:02 2001
From: Ruslan Ermilov
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Subject: Re: half-close timeout in stateful ipfw
Date: Mon, 26 Mar 2001 10:06:32 +0300
Message-ID: <20010326100632.B97610@sunbay.com>
In-Reply-To: <200103260613.IAA67110@info.iet.unipi.it>

On Mon, Mar 26, 2001 at 08:13:35AM +0200, Luigi Rizzo wrote:
> Hi,
> I received a request from an ipfw user to change the timeout for
> half-closed connections from dyn_fin_lifetime to something
> different, such as dyn_ack_lifetime -- the requestor claims
> that there are many cases where a web client aborts the connection
> when the (remote) server becomes too slow, and in such cases
> the dynamic rule timeout for half-closed connection often
> expires before the fin from the other side comes in.
>
> The request seems reasonable, so if there are no objections I
> would like to ask jordan permission to commit this to 4.3
>
The right solution would be to use keepalives on the server.
We should not abort half-closed TCP connections by themselves,
they are pretty valid.

% rsh host sort < bigfile

is a good example from Stevens.

Cheers,
--
Ruslan Ermilov          Oracle Developer/DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

From owner-freebsd-ipfw Sun Mar 25 23:10:04 2001
From: Luigi Rizzo
To: Ruslan Ermilov
Cc: ipfw@FreeBSD.ORG
Subject: Re: half-close timeout in stateful ipfw
Date: Mon, 26 Mar 2001 09:09:40 +0200 (CEST)
Message-Id: <200103260709.JAA67488@info.iet.unipi.it>
In-Reply-To: <20010326100632.B97610@sunbay.com>

> > The request seems reasonable, so if there are no objections I
> > would like to ask jordan permission to commit this to 4.3
> >
> The right solution would be to use keepalives on the server.

that's totally independent from this problem. In the case at hand,
the timeout was so short that even a couple of failed retransmits
would make it expire.

Anyways, i think the right solution would be to use keepalives in the
firewall, which is, however, a bit harder to implement.
cheers
luigi

----------------------------------+-----------------------------------------
Luigi RIZZO, luigi@iet.unipi.it  . ACIRI/ICSI (on leave from Univ. di Pisa)
http://www.iet.unipi.it/~luigi/  . 1947 Center St, Berkeley CA 94704
Phone (510) 666 2927             .
----------------------------------+-----------------------------------------

From owner-freebsd-ipfw Mon Mar 26 10:23:58 2001
From: Johnny Dang
To: FreeBSD IpFW
Subject: Scripting with IPFW
Date: Mon, 26 Mar 2001 13:17:25 -0500 (EST)

Hello all experts out there,

I have a Linux box (used to run ipchains). I then moved the box to FreeBSD
4.2... Set it up and everything was running fine (with the help of you
guys). Now, I have a small problem. Since the DEC0 of my new IPFW is a
DHCP client, I would love to have the script grab the IP (rather than
specify it)... I have this line on Linux and it was fine:

WAN_IP=`ifconfig $WAN_NIC | grep inet | cut -d: -f2 | cut -d " " -f1` ...

Now, how can I set it up to put it under FreeBSD rc.firewall
de0=??????????

Thanks for your help.
++++++++++++++++++++++++++++++++++++++++++++++++++
"The instructions said to use Windows 98 or better,
so I installed FreeBSD...It is working now!..."
++++++++++++++++++++++++++++++++++++++++++++++++++
Johnny Dang
Senior Network Engineer/MCSE + Internet

From owner-freebsd-ipfw Mon Mar 26 10:32:28 2001
From: "Scott Taylor"
To: "Johnny Dang", "FreeBSD IpFW"
Subject: Re: Scripting with IPFW
Date: Mon, 26 Mar 2001 11:29:18 -0700
Message-ID: <013401c0b622$ae6f7fe0$835a449e@selaptop>

Since a dhcp address technically CAN change on the fly or might not even
have been fully assigned by the dhcp client daemon by the time your
firewall rules are being assigned, it might be wise to allow traffic from
the outside world to addresses in the entire subnet that your machine
might end up in. Your machine will of course respond only to the one
address it is assigned by dhcp, but this way no matter where it ends up
in that address block, the proper ports are allowed in without worrying
about rebuilding your ipfw rules after each dhcp assignment.
----- Original Message -----
From: Johnny Dang
To: FreeBSD IpFW
Sent: Monday, March 26, 2001 11:17 AM
Subject: Scripting with IPFW

> Hello all experts out there,
>
> I have a Linux box (used to run ipchains). I then moved the box to FreeBSD
> 4.2... Set it up and everything was running fine (with the help of you
> guys). Now, I have a small problem. Since the DEC0 of my new IPFW is a
> DHCP client, I would love to have the script grab the IP (rather than
> specify it)... I have this line on Linux and it was fine:
>
> WAN_IP=`ifconfig $WAN_NIC | grep inet | cut -d: -f2 | cut -d " " -f1` ...
> Now, how can I set it up to put it under FreeBSD rc.firewall
> de0=??????????
>
> Thanks for your help.
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++
> "The instructions said to use Windows 98 or better,
> so I installed FreeBSD...It is working now!..."
> ++++++++++++++++++++++++++++++++++++++++++++++++++
> Johnny Dang
> Senior Network Engineer/MCSE + Internet

From owner-freebsd-ipfw Mon Mar 26 11:39:06 2001
From: Mikel
To: Johnny Dang
Cc: FreeBSD IpFW
Subject: Re: Scripting with IPFW
Date: Mon, 26 Mar 2001 14:46:17 -0500
Message-ID: <3ABF9C88.85B4B13E@ocsinternet.com>
in order for this to work you need to change a couple of things...

rc.conf:

ifconfig_dec0="dhcp"

rc.dhclient: (if you are on road runner cable you may need to do this...)

interface "dec0" {
    send host-name "bubba";
    send dhcp-client-identifier 00:d0:b7:e6:fc:15;   # this is your MAC address
    request subnet-mask, broadcast-address, time-offset, routers,
        domain-name, domain-name-servers, host-name;
    require subnet-mask, domain-name-servers;
}

rc.natd:

interface dec0
dynamic
use_sockets
same_ports
log yes

rc.firewall:

CHANGE ALL ${oip} based rules to use ${oif} instead.

Johnny Dang wrote:

> Hello all experts out there,
>
> I have a Linux box (used to run ipchains). I then moved the box to FreeBSD
> 4.2... Set it up and everything was running fine (with the help of you
> guys). Now, I have a small problem. Since the DEC0 of my new IPFW is a
> DHCP client, I would love to have the script grab the IP (rather than
> specify it)... I have this line on Linux and it was fine:
>
> WAN_IP=`ifconfig $WAN_NIC | grep inet | cut -d: -f2 | cut -d " " -f1` ...
> Now, how can I set it up to put it under FreeBSD rc.firewall
> de0=??????????
>
> Thanks for your help.
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++
> "The instructions said to use Windows 98 or better,
> so I installed FreeBSD...It is working now!..."
> ++++++++++++++++++++++++++++++++++++++++++++++++++
> Johnny Dang
> Senior Network Engineer/MCSE + Internet

From owner-freebsd-ipfw Mon Mar 26 12:49:23 2001
From: Johnny Dang
To: FreeBSD IpFW
Subject: RE: Scripting with IPFW
Date: Mon, 26 Mar 2001 15:42:51 -0500 (EST)

Thank you all (especially UNIX, SCANNER, Mikel, and Scott)... That is why
this FreeBSD is great... This line will do it (I can now base on this and
change to fix my need)...

ifconfig de0 | grep "inet" | head -1 | awk '{print $2}'

Thanks to you all... But why the original commands from Linux won't work on
FreeBSD?

ifconfig de0 | grep "inet" | cut -d -f2 | cut -d " " -f1 ?

Just for curiosity? Btw, I download the new RedHAT Wolverines and Mandrake
8.0 and those GUI look like Lindows now. But my boss likes it !!!!!

++++++++++++++++++++++++++++++++++++++++++++++++++
"The instructions said to use Windows 98 or better,
so I installed FreeBSD...It is working now!..."
++++++++++++++++++++++++++++++++++++++++++++++++++
Johnny Dang
Senior Network Engineer/MCSE + Internet

From owner-freebsd-ipfw Mon Mar 26 13:31:05 2001
From: Mikel
To: Johnny Dang
Cc: FreeBSD IpFW
Subject: Re: Scripting with IPFW
Date: Mon, 26 Mar 2001 16:38:19 -0500
Message-ID: <3ABFB6CB.4A876CC2@ocsinternet.com>

Hey man cool, hope you don't mind I had to try your script out and well I came
up with this...thanks for sending back the code byte...

#!/bin/sh

oif=`ifconfig fxp0 |grep inet | head -1 | awk '{print $2}'`
omask=`ifconfig fxp0 |grep inet | head -1 | awk '{print $4}'`
iif=`ifconfig rl0 |grep inet | head -1 | awk '{print $2}'`
imask=`ifconfig rl0 |grep inet | head -1 | awk '{print $4}'`

onet=`cidr -q ${oif} -h ${omask} | grep network | awk '{print $3}'`
inet=`cidr -q ${iif} -h ${imask} | grep network | awk '{print $3}'`

echo "onet=\"${onet}\""
echo "oif=\"${oif}\""
echo "omask=\"${omask}\""
echo
echo "inet=\"${inet}\""
echo "iif=\"${iif}\""
echo "imask=\"${imask}\""

Cheers,
Mikel

PS: cidr is a neat little util found in /usr/ports/net/cidr

Johnny Dang wrote:

> Thank you all (especially UNIX, SCANNER, Mikel, and Scott)... That is why
> this FreeBSD is great...
> This line will do it (I can now base on this and
> change to fix my need)...
>
> ifconfig de0 | grep "inet" | head -1 | awk '{print $2}'
>
> Thanks to you all... But why the original commands from Linux won't work on
> FreeBSD?
>
> ifconfig de0 | grep "inet" | cut -d -f2 | cut -d " " -f1 ?
>
> Just for curiosity? Btw, I download the new RedHAT Wolverines and Mandrake
> 8.0 and those GUI look like Lindows now. But my boss likes it !!!!!
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++
> "The instructions said to use Windows 98 or better,
> so I installed FreeBSD...It is working now!..."
> ++++++++++++++++++++++++++++++++++++++++++++++++++
> Johnny Dang
> Senior Network Engineer/MCSE + Internet

From owner-freebsd-ipfw Mon Mar 26 13:50:05 2001
From: Philip Kizer
To: Mikel
Cc: Johnny Dang, FreeBSD IpFW
Subject: Re: Scripting with IPFW
Date: Mon, 26 Mar 2001 15:49:44 -0600
Message-Id: <200103262149.f2QLniB61827@magus.nostrum.com>
In-reply-to: Your message of "Mon, 26 Mar 2001 16:38:19 EST." <3ABFB6CB.4A876CC2@ocsinternet.com>

Mikel wrote:
>Hey man cool, hope you don't mind I had to try your script out and well I came
>up with this...thanks for sending back the code byte...
>
>#!/bin/sh
>oif=`ifconfig fxp0 |grep inet | head -1 | awk '{print $2}'`

Ouch, it's always a bit painful seeing long pipes when one of the commands
already used can be the only piped command:

try:
        oif=`ifconfig fxp0 | awk '/inet/{print$2;exit}'`

Hope that helps, the others can be formulated similarly.

-philip

--
Philip Kizer, USENIX Liaison to Texas A&M University
Texas A&M CIS Operating Systems Group, Unix

From owner-freebsd-ipfw Tue Mar 27 00:06:26 2001
From: "Rodney W. Grimes"
To: johnny.dang@johnnydang.net (Johnny Dang)
Cc: FREEBSD-IPFW@FreeBSD.ORG (FreeBSD IpFW)
Subject: Re: Scripting with IPFW
Date: Tue, 27 Mar 2001 00:06:16 -0800 (PST)
Message-Id: <200103270806.AAA90708@gndrsh.dnsmgr.net>
In-Reply-To: from Johnny Dang at "Mar 26, 2001 03:42:51 pm"

> Thank you all (especially UNIX, SCANNER, Mikel, and Scott)... That is why
> this FreeBSD is great... This line will do it (I can now base on this and
> change to fix my need)...
>
> ifconfig de0 | grep "inet" | head -1 | awk '{print $2}'
>
> Thanks to you all... But why the original commands from Linux won't work on
> FreeBSD?
>
> ifconfig de0 | grep "inet" | cut -d -f2 | cut -d " " -f1 ?
                                   ^^ missing delim arg to -d option

The above command has a syntax error in it, which is why it won't work :-).
Once corrected it works just fine on BSD:

ifconfig de0 | grep "inet" | cut -d " " -f2 | cut -d " " -f1
198.145.92.4

> Just for curiosity? Btw, I download the new RedHAT Wolverines and Mandrake
> 8.0 and those GUI look like Lindows now. But my boss likes it !!!!!
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++
> "The instructions said to use Windows 98 or better,
> so I installed FreeBSD...It is working now!..."
> ++++++++++++++++++++++++++++++++++++++++++++++++++
> Johnny Dang
> Senior Network Engineer/MCSE + Internet

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-ipfw Tue Mar 27 00:22:06 2001
From: "Rodney W. Grimes"
To: mikel@ocsinternet.com (Mikel)
Cc: johnny.dang@johnnydang.net (Johnny Dang), FREEBSD-IPFW@FreeBSD.ORG (FreeBSD IpFW)
Subject: Re: Scripting with IPFW
Date: Tue, 27 Mar 2001 00:21:51 -0800 (PST)
Message-Id: <200103270821.AAA90749@gndrsh.dnsmgr.net>
In-Reply-To: <3ABFB6CB.4A876CC2@ocsinternet.com> from Mikel at "Mar 26, 2001 04:38:19 pm"

> Hey man cool, hope you don't mind I had to try your script out and well I came
> up with this...thanks for sending back the code byte...
>
> #!/bin/sh
>
> oif=`ifconfig fxp0 |grep inet | head -1 | awk '{print $2}'`

Obviously people have totally forgotten how to program in the
language of awk, so instead use 2 other tools to do what could
be done much cleaner:

oif=`ifconfig fxp0 | awk '/inet/ {print $2; exit}'`

Remember, that grep X | awk 'foo' can almost always be rewritten
in a cleaner style as simply awk '/X/ foo'.

> omask=`ifconfig fxp0 |grep inet | head -1 | awk '{print $4}'`
> iif=`ifconfig rl0 |grep inet | head -1 | awk '{print $2}'`
> imask=`ifconfig rl0 |grep inet | head -1 | awk '{print $4}'`

They also seemed to have forgotten about doing common value
replacement by variables (fxp0 and rl0 should be replaced
by $something, which I would have called $iif, but that is
in use for something I would have called $iip).

New code:
oif=fxp0
iif=rl0
oip=`ifconfig ${oif} | awk '/inet/ {print $2; exit}'`
omask=`ifconfig ${oif} | awk '/inet/ {print $4; exit}'`
iip=`ifconfig ${iif} | awk '/inet/ {print $2; exit}'`
imask=`ifconfig ${iif} | awk '/inet/ {print $4; exit}'`

# cidr wants the address, not the interface name, now that ${oif}/${iif}
# hold the names: pass ${oip}/${iip}.
onet=`cidr -q ${oip} -h ${omask} | awk '/network/ {print $3}'`
inet=`cidr -q ${iip} -h ${imask} | awk '/network/ {print $3}'`

>
> onet=`cidr -q ${oif} -h ${omask} | grep network | awk '{print $3}'`
> inet=`cidr -q ${iif} -h ${imask} | grep network | awk '{print $3}'`
>
> echo "onet=\"${onet}\""
> echo "oif=\"${oif}\""
> echo "omask=\"${omask}\""
> echo
> echo "inet=\"${inet}\""
> echo "iif=\"${iif}\""
> echo "imask=\"${imask}\""
>
> Cheers,
> Mikel
>
> PS: cidr is a neat little util found in /usr/ports/net/cidr
>
> Johnny Dang wrote:
>
> > Thank you all (especially UNIX, SCANNER, Mikel, and Scott)... That is why
> > this FreeBSD is great... This line will do it (I can now base on this and
> > change to fix my need)...
> >
> > ifconfig de0 | grep "inet" | head -1 | awk '{print $2}'
> >
> > Thanks to you all... But why the original commands from Linux won't work on
> > FreeBSD?
> >
> > ifconfig de0 | grep "inet" | cut -d -f2 | cut -d " " -f1 ?
> >
> > Just for curiosity? Btw, I download the new RedHAT Wolverines and Mandrake
> > 8.0 and those GUI look like Lindows now. But my boss likes it !!!!!
> >
> > ++++++++++++++++++++++++++++++++++++++++++++++++++
> > "The instructions said to use Windows 98 or better,
> > so I installed FreeBSD...It is working now!..."
> > ++++++++++++++++++++++++++++++++++++++++++++++++++
> > Johnny Dang
> > Senior Network Engineer/MCSE + Internet

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-ipfw Tue Mar 27 06:39:07 2001
From: Mikel
To: "Rodney W. Grimes"
Cc: Johnny Dang, FreeBSD IpFW
Subject: Re: Scripting with IPFW
Date: Tue, 27 Mar 2001 09:46:17 -0500
Message-ID: <3AC0A7B9.4E3DF96D@ocsinternet.com>
References: <200103270821.AAA90749@gndrsh.dnsmgr.net>

Thankfully Philip kindly pointed out the awk syntax 11 hours prior and I took a
few minutes to rewrite the little play script to be exactly as you have presented
here, only I didn't feel it was worth reposting wasted bw. What would have been
nice for those of us who have only just started playing with awk would have been
to have some one suggest a code byte on how to have this thing automagickally
grab the interface name from ifconfig.

"Rodney W. Grimes" wrote:

> > Hey man cool, hope you don't mind I had to try your script out and well I came
> > up with this...thanks for sending back the code byte...
> >
> > #!/bin/sh
> >
> > oif=`ifconfig fxp0 |grep inet | head -1 | awk '{print $2}'`
>
> Obviously people have totally forgotten how to program in the
> language of awk, so instead use 2 other tools to do what could
> be done much cleaner:
>
> oif=`ifconfig fxp0 | awk '/inet/ {print $2; exit}'`
>
> Remember, that grep X | awk 'foo' can almost always be rewritten
> in a cleaner style as simply awk '/X/ foo'.
>
> > omask=`ifconfig fxp0 |grep inet | head -1 | awk '{print $4}'`
> > iif=`ifconfig rl0 |grep inet | head -1 | awk '{print $2}'`
> > imask=`ifconfig rl0 |grep inet | head -1 | awk '{print $4}'`
>
> They also seemed to have forgotten about doing common value
> replacement by variables (fxp0 and rl0 should be replaced
> by $something, which I would have called $iif, but that is
> in use for something I would have called $iip).
>
> New code:
> oif=fxp0
> iif=rl0
> oip=`ifconfig ${oif} | awk '/inet/ {print $2; exit}'`
> omask=`ifconfig ${oif} | awk '/inet/ {print $4; exit}'`
> iip=`ifconfig ${iif} | awk '/inet/ {print $2; exit}'`
> imask=`ifconfig ${iif} | awk '/inet/ {print $4; exit}'`
>
> onet=`cidr -q ${oip} -h ${omask} | awk '/network/ {print $3}'`
> inet=`cidr -q ${iip} -h ${imask} | awk '/network/ {print $3}'`
>
> > onet=`cidr -q ${oif} -h ${omask} | grep network | awk '{print $3}'`
> > inet=`cidr -q ${iif} -h ${imask} | grep network | awk '{print $3}'`
> >
> > echo "onet=\"${onet}\""
> > echo "oif=\"${oif}\""
> > echo "omask=\"${omask}\""
> > echo
> > echo "inet=\"${inet}\""
> > echo "iif=\"${iif}\""
> > echo "imask=\"${imask}\""
> >
> > Cheers,
> > Mikel
> >
> > PS: cidr is a neat little util found in /usr/ports/net/cidr
>
> --
> Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-ipfw Tue Mar 27 09:34:46 2001
From: "Rodney W. Grimes"
To: mikel@ocsinternet.com (Mikel)
Cc: johnny.dang@johnnydang.net (Johnny Dang), FREEBSD-IPFW@FreeBSD.ORG (FreeBSD IpFW)
Subject: Re: Scripting with IPFW
Date: Tue, 27 Mar 2001 09:34:25 -0800 (PST)
Message-Id: <200103271734.JAA91908@gndrsh.dnsmgr.net>
In-Reply-To: <3AC0A7B9.4E3DF96D@ocsinternet.com> from Mikel at "Mar 27, 2001 09:46:17 am"

Please hard wrap your email at 72 char.

> Thankfully Philip kindly pointed out the awk syntax 11 hours prior
> and I took a
> few minutes to rewrite the little play script to be exactly as you
> have presented
> here, only I didn't feel it was worth reposting wasted bw.
I saw Philip's post, after I had already replied... had I seen it
before I would not have bothered.

> What would
> have been nice
> for those of us who have only just started playing with awk; would
> have been to have
> some one suggest a code byte on how to have this thing automagickally
> grab the
> interface name from ifconfig.

That one is pretty tough, since you don't know which interface is
the inside, and which is the outside. But if you just want a list
of the interfaces take a look at the output from ``ifconfig -l''.
There is no need to use awk on the output from ifconfig -a to get them.
For a sample of how to use ifconfig -l in a script take a look at
/etc/rc.network.

> "Rodney W. Grimes" wrote:
>
> > > Hey man cool, hope you don't mind I had to try your script out and well I came
> > > up with this...thanks for sending back the code byte...
> > >
> > > #!/bin/sh
> > >
> > > oif=`ifconfig fxp0 |grep inet | head -1 | awk '{print $2}'`
> >
> > Obviously people have totally forgotten how to program in the
> > language of awk, so instead use 2 other tools to do what could
> > be done much cleaner:
> >
> > oif=`ifconfig fxp0 | awk '/inet/ {print $2; exit}'`
> >
> > Remember, that grep X | awk 'foo' can almost always be rewritten
> > in a cleaner style as simply awk '/X/ foo'.
> >
> > > omask=`ifconfig fxp0 |grep inet | head -1 | awk '{print $4}'`
> > > iif=`ifconfig rl0 |grep inet | head -1 | awk '{print $2}'`
> > > imask=`ifconfig rl0 |grep inet | head -1 | awk '{print $4}'`
> >
> > They also seemed to have forgotten about doing common value
> > replacement by variables (fxp0 and rl0 should be replaced
> > by $something, which I would have called $iif, but that is
> > in use for something I would have called $iip).
> >
> > New code:
> > oif=fxp0
> > iif=rl0
> > oip=`ifconfig ${oif} | awk '/inet/ {print $2; exit}'`
> > omask=`ifconfig ${oif} | awk '/inet/ {print $4; exit}'`
> > iip=`ifconfig ${iif} | awk '/inet/ {print $2; exit}'`
> > imask=`ifconfig ${iif} | awk '/inet/ {print $4; exit}'`
> >
> > onet=`cidr -q ${oif} -h ${omask} | awk '/network/ {print $3}'`
> > inet=`cidr -q ${iif} -h ${imask} | awk '/network/ {print $3}'`
> >
> > >
> > > onet=`cidr -q ${oif} -h ${omask} | grep network | awk '{print $3}'`
> > > inet=`cidr -q ${iif} -h ${imask} | grep network | awk '{print $3}'`
> > >
> > > echo "onet=\"${onet}\""
> > > echo "oif=\"${oif}\""
> > > echo "omask=\"${omask}\""
> > > echo
> > > echo "inet=\"${inet}\""
> > > echo "iif=\"${iif}\""
> > > echo "imask=\"${imask}\""
> > >
> > > Cheers,
> > > Mikel
> > >
> > > PS: cidr is a neat little util found in /usr/ports/net/cidr
> > >
> > > Johnny Dang wrote:
> > > >
> > > > Thank you all (especially UNIX, SCANNER, Mikel, and Scott)... That is why
> > > > this FreeBSD is great... This line will do it (I can now base on this and
> > > > change to fix my need)...
> > > >
> > > > ifconfig de0 | grep "inet" | head -1 | awk '{print $2}'
> > > >
> > > > Thanks to you all... But why the original commands from Linux won't work on
> > > > FreeBSD?
> > > >
> > > > ifconfig de0 | grep "inet" | cut -d: -f2 | cut -d " " -f1 ?
> > > >
> > > > Just for curiosity? Btw, I downloaded the new RedHAT Wolverines and Mandrake
> > > > 8.0 and those GUIs look like Lindows now. But my boss likes it !!!!!
> > > >
> > > > ++++++++++++++++++++++++++++++++++++++++++++++++++
> > > > "The instructions said to use Windows 98 or better,
> > > > so I installed FreeBSD...It is working now!..."
> > > > ++++++++++++++++++++++++++++++++++++++++++++++++++
> > > > Johnny Dang
> > > > Senior Network Engineer/MCSE + Internet
> >
> > --
> > Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-ipfw Wed Mar 28 21: 9:46 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mail.noos.fr (verlaine.noos.net [212.198.2.73]) by hub.freebsd.org (Postfix) with ESMTP id 6769737B71C for ; Wed, 28 Mar 2001 21:09:22 -0800 (PST) (envelope-from clefevre@poboxes.com)
Received: (qmail 3309868 invoked by uid 0); 29 Mar 2001 06:09:23 -0000
Received: from d165.dhcp212-198-231.noos.fr (HELO gits.dyndns.org) ([212.198.231.165]) (envelope-sender ) by verlaine.noos.net (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 29 Mar 2001 06:09:23 -0000
Received: (from root@localhost) by gits.dyndns.org (8.11.3/8.11.3) id f2T58xo13172; Thu, 29 Mar 2001 07:09:00 +0200 (CEST) (envelope-from clefevre@poboxes.com)
To: "Rodney W.
Grimes"
Cc: mikel@ocsinternet.com (Mikel), johnny.dang@johnnydang.net (Johnny Dang), FREEBSD-IPFW@FreeBSD.ORG (FreeBSD IpFW)
Subject: [LONG] Re: Scripting with IPFW
References: <200103270821.AAA90749@gndrsh.dnsmgr.net>
Reply-To: Cyrille Lefevre
In-Reply-To: <200103270821.AAA90749@gndrsh.dnsmgr.net>
From: Cyrille Lefevre
Mail-Copies-To: never
Date: 29 Mar 2001 07:08:54 +0200
Message-ID:
Lines: 81
User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.1 (Cuyahoga Valley)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

--=-=-=

"Rodney W. Grimes" writes:

> oif=fxp0
> iif=rl0
> oip=`ifconfig ${oif} | awk '/inet/ {print $2; exit}'`
                                   ^ /inet /

I would suggest you match on inet followed by a space or you'll match
inet6, which is probably not what you want.

# ifconfig -a | awk '/inet/{print $0;exit}'
	inet6 fe80::260:8ff:fe1a:9a37%ep0 prefixlen 64 scopeid 0x1
# ifconfig -a | awk '/inet /{print $0;exit}'
	inet 212.198.231.165 netmask 0xffffff00 broadcast 212.198.231.255

> omask=`ifconfig ${oif} | awk '/inet/ {print $4; exit}'`
> iip=`ifconfig ${iif} | awk '/inet/ {print $2; exit}'`
> imask=`ifconfig ${iif} | awk '/inet/ {print $4; exit}'`

also, these 4 lines may be rewritten as :

eval `ifconfig -a | awk -v oif="${oif}:" -v iif="${iif}:" '
	$1 == oif { status = 1 ; next }	# I/O interfaces
	$1 == iif { status = 3 ; next }	# use odd numbers here
	$1 ~ /:/ { status = 0; next }	# other interfaces
	!status { next }		# are skipped
	/inet / { status++ }		# match on first IPv4 address
	status == 2 {			# and use even numbers there
		printf "omask=%s oip=%s\n", $4, $2
		status = 0; next	# skip IPv4 aliases
	}
	status == 4 {
		printf "imask=%s iip=%s\n", $4, $2
		status = 0; next
	}
'`

which is what I have used for months.
(well, not exactly true since I have only one interface for input/output
due to an old BIOS and IRQ conflicts which prevent me from having two
network cards :)

> onet=`cidr -q ${oif} -h ${omask} | awk '/network/ {print $3}'`
                  ^^^ should be oip.                       ^^ $NF is safer.
> inet=`cidr -q ${iif} -h ${imask} | awk '/network/ {print $3}'`

the following first two files are the dhclient's hooks I have used for
months. the *dhclient-enter-hooks* was essentially used for debugging
purposes. recently, I added the multiple aliases hack which is not
handled by dhclient right now. it can handle only one alias per
interface. the *dhclient-exit-hooks* redo the aliases if needed, restart
the firewall, update the dynamic dns and my private dns. the
dhclient.conf is provided as a sample for multiple aliases. the
*start_if.ep0* is used at boot time to avoid restarting the firewall
which was just started before by the rc.network script. since I use
many private variables, I also supply the *rc.conf* file.

FYI, I have been using and maintaining the *isc-dhcp3* port for months,
also, since the dhclient-v2 is too buggy if you are using the /prepend/
tag in *dhclient.conf*.

hope this helps and have fun :)

--=-=-=
Content-Disposition: attachment; filename=dhclient-enter-hooks
Content-Description: /etc/dhclient-enter-hooks

#!/bin/sh

dhclient_conf=/usr/local/etc/dhclient.conf
dhclient_boot=/var/run/dhclient.boot
dhclient_log=/var/run/dhclient.$reason.log
dhclient_tmp=/var/run/dhclient.$$
dhclient_var=/var/run/dhclient.var

if [ -f $dhclient_boot ]; then
	exec > $dhclient_log 2>&1 ; set -x
else
	exec >> $dhclient_log 2>&1 ; set -x
fi

trap "rm -f ${dhclient_tmp}" 0

# initialization

LOGGER="logger -s -p local1.notice -t dhclient"

# logging

if [ "x$reason" != x ]; then
	$LOGGER Reason for $interface: $reason
fi
if [ "x$medium" != x ]; then
	$LOGGER Medium for $interface: $medium
fi

case ${reason} in
BOUND|RENEW|REBIND|REBOOT)
	if [ -f $dhclient_boot ]; then
		rm -f $dhclient_var
	fi
	if [ -f $dhclient_var ]; then
		: . $dhclient_var
	fi
	cp /dev/null $dhclient_var
	;;
esac

for new_var in \
	new_host_name \
	new_ip_address \
	new_subnet_mask \
	new_broadcast_address \
	new_network_number \
	new_routers \
	new_static_routes \
	new_domain_name \
	new_domain_name_servers \
	alias_ip_address \
	alias_subnet_mask \
	new_dhcp_server_identifier \
	new_dhcp_message_type \
	new_dhcp_lease_time \
	new_dhcp_renewal_time \
	new_dhcp_rebinding_time \
	new_expiry
do
	new_lab= spc=
	for elem in `echo $new_var | sed "s/_/ /g"`; do
		caps=`expr $elem : "\(.\).*" | tr a-z A-Z`
		rest=`expr $elem : ".\(.*\)"`
		new_lab="$new_lab$spc$caps$rest"
		spc=" "
	done
	new_lab=`echo $new_lab | sed 's/Ip/IP/;s/Dhcp/DHCP/'`
	eval new_val=\$$new_var

	old_var=`echo $new_var | sed "s/new/old/"`
	old_lab=`echo $new_lab | sed "s/New/Old/"`
	eval old_val=\$$old_var

	case $old_var in
	old_domain_name*)
		old_val=`echo $old_val | \
			sed -e :l -e 's/\(.*\) \1 \(.*\)/\1 \2/;t l'`
		;;
	esac

	if [ "x$old_val" != x ] && [ "x$new_val" != "x$old_val" ]; then
		$LOGGER "$old_lab: $old_val"
	fi
	if [ "x$new_val" != x ]; then
		$LOGGER "$new_lab: $new_val"
	fi

	case ${reason} in
	BOUND|RENEW|REBIND|REBOOT)
		if echo $old_var | grep -q old
		then
			eval old_val=\$$new_var
			echo $old_var=\${$old_var:-\"$old_val\"} export $old_var >> $dhclient_var
		fi
		;;
	esac
done

case ${reason} in
PREINIT)
	awk -v interface=$interface '
		/[ ]*#[ ]*alias/ && $3 == interface { print $4 }
	' $dhclient_conf | while read alias_ip_address; do
		ifconfig $interface inet -alias $alias_ip_address > /dev/null 2>&1
		route delete $alias_ip_address 127.0.0.1 > /dev/null 2>&1
	done
	;;
BOUND|RENEW|REBIND|REBOOT|EXPIRE|FAIL|TIMEOUT)
	awk -v interface=$interface '
		/[ ]*#[ ]*alias/ && $3 == interface { print $4 }
	' $dhclient_conf | while read alias_ip_address; do
		if [ x$old_ip_address != x ] && [ x$alias_ip_address != x ] && \
		   [ x$alias_ip_address != x$old_ip_address ]; then
			ifconfig $interface inet -alias $alias_ip_address > /dev/null 2>&1
			route delete $alias_ip_address 127.0.0.1 > /dev/null 2>&1
		fi
	done
	;;
esac

# eof

--=-=-=
Content-Disposition: attachment; filename=dhclient-exit-hooks
Content-Description: /etc/dhclient-exit-hooks

#!/bin/sh

# If there is a global system configuration file, suck it in.
#
if [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
	source_rc_confs
elif [ -r /etc/rc.conf ]; then
	. /etc/rc.conf
fi

# for var in \
#	firewall_enable firewall_script firewall_type dhcp_bootfile \
#	dyndns_enable dyndns_program dyndns_flags \
#	dyndns_database dyndns_hostname dyndns_domainname \
#	named_enable named_zone domainname \
# do;
#	eval echo ${var}=\"\$${var}\"
# done

case ${reason} in
BOUND|RENEW|REBIND|REBOOT|EXPIRE|FAIL|TIMEOUT)
	awk -v interface=$interface '
		/[ ]*#[ ]*alias/ && $3 == interface { print $4, $5 }
	' $dhclient_conf | while read alias_ip_address alias_subnet_mask; do
		alias_subnet_arg="netmask $alias_subnet_mask"
		if [ x$new_ip_address != x$alias_ip_address ] && [ x$alias_ip_address != x ]; then
			ifconfig $interface inet alias $alias_ip_address $alias_subnet_arg
			route add $alias_ip_address 127.0.0.1
		fi
	done
	;;
esac

case ${reason} in
BOUND|RENEW|REBIND|REBOOT|EXPIRE|TIMEOUT)
	# reset the firewall rules, if any
	case ${firewall_enable} in
	[Yy][Ee][Ss])
		if /sbin/ipfw -q flush > /dev/null 2>&1; then
			firewall_in_kernel=1
		else
			firewall_in_kernel=0
		fi
		if [ ${firewall_in_kernel} -eq 1 ]; then
			if [ -z "${firewall_script}" ]; then
				firewall_script=/etc/rc.firewall
			fi
			if [ -f "${dhcp_bootfile}" ]; then
				rm -f ${dhcp_bootfile}
				firewall_type="OPEN"
			fi
			sh ${firewall_script} ${firewall_type}
		fi
	esac
	;;
esac # reason

case ${reason} in
BOUND|REBIND|REBOOT|RENEW)
	# echo domain ${domainname} >> /etc/resolv.conf

	# record the new ip address, if needed

	date2julian () # day month year
	{
		# Tapani Tarvainen July 1998, May 2000 - Julian Day Number from calendar date
		day=$1 month=$2 year=$3
		tmpmonth=$(( 12 * ${year} + ${month} - 3 ))
		tmpyear=$(( ${tmpmonth} / 12 ))
		echo $(( (734 * ${tmpmonth} + 15) / 24 - 2 * ${tmpyear} + \
			${tmpyear}/4 - ${tmpyear}/100 + ${tmpyear}/400 + ${day} + 1721119 ))
	}

	days_lapsed () { # file
		file=$1
		cday=$(date +%d) cmonth=$(date +%m) cyear=$(date +%Y)
		cdate="${cday} ${cmonth} ${cyear}"
		fdate=$(ls -l ${file} | awk -v cmonth=$cmonth -v cyear=$cyear '
			BEGIN {
				month["Jan"]=1; month["Feb"]=2; month["Mar"]=3
				month["Apr"]=4; month["May"]=5; month["Jun"]=6
				month["Jul"]=7; month["Aug"]=8; month["Sep"]=9
				month["Oct"]=10; month["Nov"]=11; month["Dec"]=12
			}
			{ print $7, month[$6], $8 ~ /:/ ? cyear - (month[$6] > cmonth) : $8 }')
		echo $(( $(date2julian ${cdate} ) - $(date2julian ${fdate}) ))
	}

	case ${dyndns_enable} in
	[Yy][Ee][Ss])
		if [ -n "${new_ip_address}" ]; then
			dyndns_fqdn=${dyndns_hostname}.${dyndns_domainname}
			dyndns_file=${dyndns_database}/${dyndns_fqdn}
			sedipre="[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}"
			days_lapsed=0
			if [ -f ${dyndns_file} ]; then
				dyndns_ip_address=$(cat ${dyndns_file})
				days_lapsed=$(days_lapsed ${dyndns_file})
			fi
			if [ "${dyndns_ip_address}" != "${new_ip_address}" ] ||
			   [ "${days_lapsed}" -ge ${dyndns_interval} ]; then
				if [ "${dyndns_ip_address}" != "${new_ip_address}" ]; then
					if [ -n "${dyndns_ip_address}" ]; then
						$LOGGER "Old DynDNS IP Address: ${dyndns_ip_address}"
					fi
					$LOGGER New DynDNS IP Address: ${new_ip_address}
				else
					$LOGGER ReNew DynDNS IP Address: ${new_ip_address}
				fi
				if [ -x "${dyndns_program}" ]; then
					cmd=${dyndns_program}
					args=
					args="${args} --host ${dyndns_fqdn}"
					args="${args} --ip ${new_ip_address}"
					args="${args} ${dyndns_flags}"
					succeeded="Update of ${dyndns_fqdn} succeeded"
					notchanged="Host ${dyndns_fqdn} not changed"
					re="${succeeded}|${notchanged}"
					email=root
					${cmd} ${args} > ${dhclient_tmp} 2>&1; rc=$?
					if egrep -q "${re}" ${dhclient_tmp}; then
						echo ${new_ip_address} > ${dyndns_file}
					else
						cat - ${dhclient_tmp} <<- EOF |
						${cmd} ${args}
						echo ${new_ip_address} > ${dyndns_file}

						EOF
						mail -s "dyndns@${hostname} (rc=$rc)" ${email}
					fi
				fi
				case ${named_enable} in
				[Yy][Ee][Ss])
					named_file=${named_database}/${domainname}
					if [ -f ${named_file} ]; then
						# the address pattern is the one built above (sedipre)
						ed - ${named_file} <<- EOF &&
						g/; ${dyndns_fqdn}/s/${sedipre}/${new_ip_address}/
						w
						q
						EOF
						killall -1 named 2>/dev/null
					fi
				esac
			fi
		fi
	esac
	ifconfig -a > /var/run/ifconfig.log
	netstat -rna > /var/run/netstat.log
	;;
esac # reason

# eof

--=-=-=
Content-Disposition: attachment; filename=dhclient.conf
Content-Description: /etc/dhclient.conf

# $FreeBSD: src/etc/dhclient.conf,v 1.2 1999/08/27 23:23:41 peter Exp $
#
#	This file is required by the ISC DHCP client.
#	See ``man 5 dhclient.conf'' for details.
#
#	In most cases an empty file is sufficient for most people as the
#	defaults are usually fine.
#

timeout 60;
retry 60;
select-timeout 5;
reboot 10;
initial-interval 5;

interface "ep0" {
	request subnet-mask, broadcast-address, time-offset, routers,
		domain-name, domain-name-servers, host-name;
	require subnet-mask, domain-name-servers;
	prepend domain-name "gits.fr.invalid ";	# the final space is required
	prepend domain-name-servers 127.0.0.1;
#	media "link2";
}

alias {
	interface "ep0";
	fixed-address 192.168.144.96;
	option subnet-mask 255.255.255.0;
# alias ep0 192.168.144.97 255.255.255.0
}

--=-=-=
Content-Disposition: attachment; filename=start_if.ep0
Content-Description: /etc/start_if.ep0

#!/bin/sh

# If there is a global system configuration file, suck it in.
#
if [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
	source_rc_confs
elif [ -r /etc/rc.conf ]; then
	. /etc/rc.conf
fi

if [ "x$dhcp_bootfile" != x ]; then
	touch $dhcp_bootfile
fi

--=-=-=
Content-Disposition: attachment; filename=rc.conf
Content-Description: /etc/rc.conf

#!/bin/sh
#
# This file now contains just the overrides from /etc/defaults/rc.conf
# please make all changes to this file.

# -- sysinstall generated deltas -- #

##############################################################
### Important initial Boot-time options #####################
##############################################################

#
# apm
#
apm_enable="YES"
hlt_enable="YES"	#add-on#
apmd_enable="YES"

##############################################################
### Network configuration sub-section ######################
##############################################################

### Basic network options: ###

#
# hostname & domainnames
#
hostname="gits"
domainname="gits.fr.invalid"	#add-on#
# nisdomainname="gits.fr.invalid"
ip_address="192.168.144.96"	#add-on#
ip_netmask="255.255.255.0"	#add-on#
ip_bitmask="24"	#add-on#

#
# dhcp
#
dhcp_program="/usr/local/sbin/dhclient"
dhcp_flags="-1 -q"	# -D
dhcp_bootfile="/var/run/dhclient.boot"	#add-on#

#
# bridge
#
# bridge_enable="YES"	#add-on#
# bridge_cfg="ep0:1,ep1:1"	#add-on#
# bridge_ipfw="YES"	#add-on#

#
# firewall
#
firewall_enable="YES"
firewall_quiet="YES"
firewall_type="CUSTOM_STATIC"
firewall_interface="ep0"	#add-on#
firewall_logging="YES"
#
# ipfilter_enable="YES"
# ipfilter_program="/sbin/ipf -Fa -f"
# ipfilter_flags="=E"
# ipfilter_rules="/etc/ipf.rules"
#
# ipmon_enable="YES"
# ipmon_flags="-Dsn"

#
# natd
#
natd_enable="YES"
natd_interface="ep0"
natd_conf="/etc/natd.conf"	#add-on#
natd_flags="-f $natd_conf"
#
# ipnat_enable="YES"
# ipnat_program="/sbin/ipnat -CF -f"
# ipnat_rules="/etc/ipnat.rules"

#
# routing options
#
tcp_extensions="YES"
log_in_vain="YES"
tcp_drop_synfin="YES"
tcp_restrict_rst="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
ip_stealth="YES"	#add-on#
tcp_blackhole="YES"	#add-on#
udp_blackhole="YES"	#add-on#

#
# network interfaces
#
network_interfaces="lo0 ep0"	# auto
ifconfig_ep0="DHCP"
# ifconfig_ep0="inet $hostname netmask $ip_netmask"

#
# ppp
#
# ppp_enable="YES"
# ppp_profile="freesurf"
# ppp_nat="YES"

### Network daemon (miscellaneous) & NFS options: ###

#
# syslogd
#
syslogd_flags="-a $ip_address/$ip_bitmask -vv"	# -a *$domainname

#
# inetd
#
inetd_flags="-wW -l"

#
# named
#
named_enable="YES"
named_flags="-u bind -g bind"
named_database="/etc/namedb/zone"	#add-on#

#
# automounter
#
# amd_enable="YES"
# amd_flags="-F /etc/amd.conf"

#
# rarpd
#
# rarpd_enable="YES"	#add-on#
rarpd_interface="-a"	#add-on#
rarpd_flags="-v -s $rarpd_interface"	#add-on#

#
# bootparamd
#
# bootparamd_enable="YES"	#add-on#
bootparamd_flags="-s"	#add-on#

#
# nfs
#
# nfs_client_enable="YES"
# nfs_server_enable="YES"
nfs_interface="-a"	#add-on# -h $hostname
nfs_server_flags="-u -t -n 4 $nfs_interface"
# nfs_reserved_port_only="YES"

#
# mountd
#
mountd_flags="-l -r -2"

#
# portmap (used by: rstatd rusersd walld pcnfsd rquotad sprayd)
#
portmap_enable="NO"
portmap_flags="-v"

#
# sshd
#
sshd_enable="YES"
sshd_flags="-4"

### Network Time Services options: ###

#
# ntpdate
#
ntpdate_enable="YES"
ntpdate_flags="-bs ntp.obspm.fr ntp.univ-lyon1.fr canon.inria.fr ntp-sop.inria.fr"

#
# xntpd
#
xntpd_enable="YES"

# Network Information Services (NIS) options: ###
# nis_client_enable="YES"
# nis_server_enable="YES"
# nis_server_flags="-n"
# nis_yppasswdd_enable="YES"
# nis_yppasswdd_flags="-f"

### Network routing options: ###

#
# ip forwarding
#
gateway_enable="YES"

#
# routed
#
router_enable="YES"
router_flags="-s"	# or -q

##############################################################
### System console options #################################
##############################################################

#
# keyboard
#
# keymap="fr.iso.acc"
keymap="us.iso.acc"
keyrate="fast"

#
# cursor
#
cursor="destructive"

#
# fonts
#
# scrnmap="iso-8859-1_to_cp437"
font8x16="iso-8x16"
font8x14="iso-8x14"
font8x8="iso-8x8"

#
# blanktime
#
blanktime="600"

#
# screen saver
#
saver="green"
# saver="matrix"

#
# moused
#
moused_enable="YES"
moused_port="/dev/psm0"

#
# all screens options
#
# allscreens_flags="-m on"	# 80x50

#
# mixer
#
mixer="vol 100:100 pcm 25:25 speaker 50:50 line 0:0"	#add-on#

##############################################################
### Miscellaneous administrative options ###################
##############################################################

#
# savecore
#
dumpdev="/dev/da0s1b"

#
# quotas
#
# check_quotas="YES"
# enable_quotas="YES"

#
# accounting
#
accounting_enable="YES"

#
# compatibility options
#
# ibcs2_enable="YES"
linux_enable="YES"
# svr4_enable="YES"

#
# cleaning
#
# clear_tmp_enable="YES"

#
# vi.recover
#
vi_recover="/var/preserve"	#add-on#

#
# ldconfig paths
#
ldconfig_extra_paths=
ldconfig_extra_paths="$ldconfig_extra_paths /usr/local/pilot/lib"
ast_arch=$(uname -msr | awk '{sub("-.*","",$2);print tolower($3"--"$1$2)}')
ldconfig_extra_paths="$ldconfig_extra_paths /usr/local/arch/$ast_arch/lib"
for ldconfig_path in $ldconfig_extra_paths; do
	case " $ldconfig_paths " in
	*" $ldconfig_path "*) ;;
	*) ldconfig_paths="$ldconfig_paths $ldconfig_path" ;;
	esac
done
ldconfig_extra_paths_aout=
# ldconfig_extra_paths_aout="$ldconfig_extra_paths_aout /usr/X11R6-4.0/lib/aout"
for ldconfig_path_aout in $ldconfig_extra_paths_aout; do
	case " $ldconfig_paths_aout " in
	*" $ldconfig_path_aout "*) ;;
	*) ldconfig_paths_aout="$ldconfig_paths_aout $ldconfig_path_aout" ;;
	esac
done

#
# security options
#
# kern_securelevel_enable="YES"
# kern_securelevel="0"	# implies 1 in multi-user level

#
# kernel options
#
kern_corefile=core	#add-on#

#
# dyndns
#
dyndns_program="/usr/local/sbin/ddup"	#add-on#
dyndns_enable="YES"	#add-on#
dyndns_flags="--wildcard"	#add-on#
dyndns_hostname="$hostname"	#add-on#
dyndns_domainname="dyndns.org"	#add-on#
dyndns_database="/var/db"	#add-on#
dyndns_interval="25"	#add-on#

#
# upsd
#
upsd_program="/usr/local/sbin/bkpupsd"	#add-on#
upsd_enable="YES"	#add-on#
upsd_flags="/dev/cuaa1"	#add-on#

#
# rc log/debug
#
rc_log_enable="YES"
rc_debug_enable="NO"

# -- sysinstall generated deltas -- #
noWarn="YES"

--=-=-=

Cyrille.
--
home: mailto:clefevre@poboxes.com      UNIX is user-friendly; it's just particular
work: mailto:Cyrille.Lefevre@edf.fr    about who it chooses to be friends with.

--=-=-=--

From owner-freebsd-ipfw Wed Mar 28 22: 5:12 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 51A9737B71A for ; Wed, 28 Mar 2001 22:05:08 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id WAA96937; Wed, 28 Mar 2001 22:04:54 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200103290604.WAA96937@gndrsh.dnsmgr.net>
Subject: Re: [LONG] Re: Scripting with IPFW
In-Reply-To: from Cyrille Lefevre at "Mar 29, 2001 07:08:54 am"
To: clefevre@poboxes.com (Cyrille Lefevre)
Date: Wed, 28 Mar 2001 22:04:53 -0800 (PST)
Cc: mikel@ocsinternet.com (Mikel), johnny.dang@johnnydang.net (Johnny Dang), FREEBSD-IPFW@FreeBSD.ORG (FreeBSD IpFW)
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> "Rodney W. Grimes" writes:
>
> > oif=fxp0
> > iif=rl0
> > oip=`ifconfig ${oif} | awk '/inet/ {print $2; exit}'`
>                                    ^ /inet /
>
> I would suggest you match on inet followed by a space or you'll match
> inet6, which is probably not what you want.

Good catch. Forgot about that case, but then so did the code I was
trying to show how to clean up a bit.

...
>
> > omask=`ifconfig ${oif} | awk '/inet/ {print $4; exit}'`
> > iip=`ifconfig ${iif} | awk '/inet/ {print $2; exit}'`
> > imask=`ifconfig ${iif} | awk '/inet/ {print $4; exit}'`
>
> also, these 4 lines may be rewritten as :

Let's see, 4 very clean lines easy to read and understand replaced by
15 lines (3 near null so let's call it 12) of harder to read and even
harder yet to figure out what it is doing. Nope, this is *sic*, 10
times more sick than grep | head | awk!!!

Now granted, you did only invoke ifconfig, and awk 1 time, which would
be wonderful if the old code was doing this 100's of times, but that is
not the case here. This code does not need that kind of optimization,
but this is a good sample of how to write a simple finite state parser
in awk :-). [I would have called status, state :-)]

> eval `ifconfig -a | awk -v oif="${oif}:" -v iif="${iif}:" '
> 	$1 == oif { status = 1 ; next }	# I/O interfaces
> 	$1 == iif { status = 3 ; next }	# use odd numbers here
> 	$1 ~ /:/ { status = 0; next }	# other interfaces
> 	!status { next }		# are skipped
> 	/inet / { status++ }		# match on first IPv4 address
> 	status == 2 {			# and use even numbers there
> 		printf "omask=%s oip=%s\n", $4, $2
> 		status = 0; next	# skip IPv4 aliases
> 	}
> 	status == 4 {
> 		printf "imask=%s iip=%s\n", $4, $2
> 		status = 0; next
> 	}
> '`

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-ipfw Fri Mar 30 0:14:59 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from ns1.usww.net (ns1.usww.net [216.104.145.2]) by hub.freebsd.org (Postfix) with ESMTP id 2FAB537B720 for ; Fri, 30 Mar 2001 00:14:40 -0800 (PST) (envelope-from unix@usww.com)
Received: from usww.com (ppp138.max3.gabn.net [216.104.138.138]) by ns1.usww.net (8.8.8/8.8.8) with ESMTP id OAA23511; Mon, 26 Mar 2001 14:14:00 -0500 (EST) (envelope-from unix@usww.com)
Message-ID:
<3ABF94FD.B4E7B4A1@usww.com>
Date: Mon, 26 Mar 2001 14:14:05 -0500
From: unix@usww.com
Organization: USWW (United States Wide Web)
X-Mailer: Mozilla 4.75 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Johnny Dang
Cc: FreeBSD IpFW
Subject: Re: Scripting with IPFW
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Here is one I use on many of my servers: It determines your net number
and ether, allows you to automatically set up your ether with specific
IPs, and sets firewall counting for logging. I use this in the
old-fashioned /etc/rc.local. I have not totally refined it but it works
real well. It is much more in depth than what is below but the
following is a cut-n-paste basically to work. It is written very basic
so it can be understood by most.

####################################################################
## Start of /etc/rc.local

ip=`ifconfig -a | grep "inet " | head -1 | awk '{print $2}'`;
q1=`echo $ip | awk -F. '{print $1}'`;
q2=`echo $ip | awk -F. '{print $2}'`;
q3=`echo $ip | awk -F. '{print $3}'`;
subnet="$q1.$q2.$q3";echo "Subnet: ($subnet)";
ether=`grep "ifconfig" /etc/rc.conf | awk -F= '{print $1}' | sed 's/ifconfig_//g'`;
gate=`cat /etc/rc.conf | grep "defaultrouter" | awk -F= '{print $2}' | sed 's/\"//g'`;
hds=`df | head -2 | tail -1 | awk -F/ '{print $3}' | awk -F0 '{print $1}'`;

# Save info for future use
echo "IP:$ip gateway:$gate Subnet:$subnet Ethernet:$ether HD:$hds ">/tmp/startopts;

# Configure ether add routes and count i/o for logging purposes
# 130 131 132 133 134 are the quads to configure for the net block
# Do not use your machine IP in /etc/rc.conf here
for i in 130 131 132 133 134  # your C class quad numbers for this machine
do
  ifconfig $ether $subnet.$i alias
  route add $subnet.$i $gate
  ipfw -q add 100 count all from $subnet.$i to any  # Used for logs
  ipfw -q add 100 count all from any to $subnet.$i  # Used for logs
done

# Setup a few items
# FreeBSD 4x
/sbin/sysctl -w kern.ipc.somaxconn=512
/sbin/sysctl -w net.inet.ip.fw.verbose_limit=100
/sbin/sysctl -w net.inet.icmp.bmcastecho=0
/sbin/sysctl -w net.inet.ip.fw.one_pass=0

/etc/monitor  # Start monitor so if sendmail, named, httpd etc go down they will restart

...snip...
####################################################################

I hope this gets you on your way.

Ben Bentsen
USWW Systems
http://usww.com http://MallCity.org http://w8.met
http://CyberLinkExchange.com http://RackSpaceUnlimited.com

Johnny Dang wrote:
>
> Hello all experts out there,
>
> I have a Linux box (used to run ipchains). I then moved the box to FreeBSD
> 4.2... Set it up and everything was running fine (with the help of you
> guys). Now, I have a small problem. Since the DEC0 of my new IPFW is a
> DHCP client, I would love to have the script grab the IP (rather than
> specify it)... I have this line on Linux and it was fine:
>
> WAN_IP=`ifconfig $WAN_NIC | grep inet | cut -d: -f2 | cut -d " " -f1`
...
> Now, how can I set it up to put it under FreeBSD rc.firewall
> de0=??????????
>
> Thanks for your help.
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++
> "The instructions said to use Windows 98 or better,
> so I installed FreeBSD...It is working now!..."
> ++++++++++++++++++++++++++++++++++++++++++++++++++
> Johnny Dang
> Senior Network Engineer/MCSE + Internet

From owner-freebsd-ipfw Fri Mar 30 11:48:51 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from tomts6-srv.bellnexxia.net (tomts6.bellnexxia.net [209.226.175.26]) by hub.freebsd.org (Postfix) with ESMTP id 5F26B37B718 for ; Fri, 30 Mar 2001 11:48:45 -0800 (PST) (envelope-from dccote@sympatico.ca)
Received: from [64.229.106.52] by tomts6-srv.bellnexxia.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with ESMTP id <20010330194844.NOZB29116.tomts6-srv.bellnexxia.net@[64.229.106.52]> for ; Fri, 30 Mar 2001 14:48:44 -0500
Mime-Version: 1.0
X-Sender: b1vlya41@pop1.sympatico.ca
Message-Id:
Date: Fri, 30 Mar 2001 14:48:42 -0500
To: freebsd-ipfw@freebsd.org
From: Daniel Cote
Subject: ipfw: ppoe0 IP address
Content-Type: text/plain; charset="iso-8859-1" ; format="flowed"
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I am trying to set up the firewall on Darwin, but I am not too sure how
to get the outside ip address since it changes dynamically via pppoe.
How do you set up a firewall with a changing address?
#
# Define your variables
#
fwcmd="/sbin/ipfw"		#leave as is if using ipfw
oif="pppoe0"			#set to outside interface name
onwr="64.229.0.0/16"		#set to outside network range
oip="a.b.c.d"			#set to outside ip address
iif="en0"			#set to internal interface name
inwr="192.168.0.0/24"		#set to internal network range
iip="192.168.0.1"		#set to internal ip address
ns1="204.101.251.1"		#set to primary name server best if = oif
#ntp="i.j.k.l"			#set to ip of NTP server or leave as is

--
Daniel Côté

From owner-freebsd-ipfw Fri Mar 30 13:37:15 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from speedus.com (saturn.speedus.net [63.251.16.34]) by hub.freebsd.org (Postfix) with ESMTP id 91CF237B718 for ; Fri, 30 Mar 2001 13:37:13 -0800 (PST) (envelope-from ml@db.nexgen.com)
Received: from book (p17-96.dialup.speedus.net [63.251.17.96]) by speedus.com (8.9.3/8.9.3) with SMTP id QAA17960 for ; Fri, 30 Mar 2001 16:37:12 -0500 (EST)
Message-ID: <012001c0b961$a491aab0$9865fea9@book>
From: "alexus"
To:
Subject: seperation of incoming and outgoing connection in firewall
Date: Fri, 30 Mar 2001 16:37:18 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

hi

i want to disallow everyone from accessing non-secure pop3 (110) and
allow everyone to use pops (995)

i created this rule

ipfw add deny log from any to any 110
ipfw add allow from any to any 995

supposedly this should've worked..

but! i ran into another problem with it.. now from my box i can't access any
other computers on port 110

how can i specify in ipfw that this is for incoming connections only not for
bi-direction?
and how can i disallow anyone from using let's say irc

i want to close port 6667 but for outgoing connections only

From owner-freebsd-ipfw Fri Mar 30 13:52:44 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from cody.jharris.com (cody.jharris.com [205.238.128.83]) by hub.freebsd.org (Postfix) with ESMTP id CA2F037B71A for ; Fri, 30 Mar 2001 13:52:42 -0800 (PST) (envelope-from nick@rogness.net)
Received: from localhost (nick@localhost) by cody.jharris.com (8.11.1/8.9.3) with ESMTP id f2UM0Ki85583; Fri, 30 Mar 2001 16:00:20 -0600 (CST) (envelope-from nick@rogness.net)
Date: Fri, 30 Mar 2001 16:00:20 -0600 (CST)
From: Nick Rogness
X-Sender: nick@cody.jharris.com
To: alexus
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: seperation of incoming and outgoing connection in firewall
In-Reply-To: <012001c0b961$a491aab0$9865fea9@book>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, 30 Mar 2001, alexus wrote:

> ipfw add deny log from any to any 110
> ipfw add allow from any to any 995
>
> supposedly this should've worked..
>
> but! i ran into another problem with it.. now from my box i can't access any
> other computers on port 110
>
> how can i specify in ipfw that this is for incoming connections only not for
> bi-direction?

	ipfw add deny log tcp from any to any 110 in via xl0

Nick Rogness
	- Keep on Routing in a Free World...
	  "FreeBSD: The Power to Serve!"
From owner-freebsd-ipfw Fri Mar 30 13:57:41 2001
From: "alexus"
To: "Nick Rogness"
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: separation of incoming and outgoing connection in firewall
Date: Fri, 30 Mar 2001 16:57:29 -0500
Message-ID: <014f01c0b964$7e353be0$9865fea9@book>

"in via x10": that means what?

From owner-freebsd-ipfw Fri Mar 30 13:59:18 2001
From: Nick Rogness
To: alexus
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: separation of incoming and outgoing connection in firewall
Date: Fri, 30 Mar 2001 16:06:54 -0600 (CST)
In-Reply-To: <014f01c0b964$7e353be0$9865fea9@book>

On Fri, 30 Mar 2001, alexus wrote:

> in via x10
>
> that means what?

Packets coming in via the interface xl0.

> > > How can I specify in ipfw that this is for incoming connections only,
> > > not bi-directional?
> >
> > ipfw add deny log tcp from any to any 110 in via xl0

Nick Rogness
- Keep on Routing in a Free World...
"FreeBSD: The Power to Serve!"
From owner-freebsd-ipfw Fri Mar 30 14:02:14 2001
From: "alexus"
To: "Nick Rogness"
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: separation of incoming and outgoing connection in firewall
Date: Fri, 30 Mar 2001 17:02:15 -0500
Message-ID: <016001c0b965$2107f920$9865fea9@book>

I don't have an x10 interface; I only have fxp0.

From owner-freebsd-ipfw Fri Mar 30 14:03:38 2001
From: Nick Rogness
To: alexus
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: separation of incoming and outgoing connection in firewall
Date: Fri, 30 Mar 2001 16:11:12 -0600 (CST)
In-Reply-To: <016001c0b965$2107f920$9865fea9@book>

On Fri, 30 Mar 2001, alexus wrote:

> I don't have an x10 interface;
>
> I only have fxp0.

Then it is 'in via fxp0'. xl0 was just an example!!

> > > in via x10
> > >
> > > that means what?
> >
> > Packets coming in via the interface xl0.

Nick Rogness
- Keep on Routing in a Free World...
"FreeBSD: The Power to Serve!"
From owner-freebsd-ipfw Fri Mar 30 14:12:47 2001
From: "alexus"
To: "Nick Rogness"
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: separation of incoming and outgoing connection in firewall
Date: Fri, 30 Mar 2001 17:12:49 -0500
Message-ID: <016a01c0b966$9a8cb7d0$9865fea9@book>

And how is it separating incoming from outgoing? That's what I need to know.

From owner-freebsd-ipfw Fri Mar 30 14:32:41 2001
From: Nick Rogness
To: alexus
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: separation of incoming and outgoing connection in firewall
Date: Fri, 30 Mar 2001 16:40:15 -0600 (CST)
In-Reply-To: <016a01c0b966$9a8cb7d0$9865fea9@book>

On Fri, 30 Mar 2001, alexus wrote:

> And how is it separating incoming from outgoing?
> That's what I need to know.

ipfw add deny tcp from any to any 110 in via fxp0

Means that the firewall will only deny tcp connects to port 110 inbound to your fxp0 ethernet card. Packets outbound via fxp0 are not denied because of the 'in via fxp0'. If you wanted to hit them it would be 'out via fxp0'. Not having the 'in/out via' statement means match any interface, inbound or outbound.

Nick Rogness
- Keep on Routing in a Free World...
"FreeBSD: The Power to Serve!"
From owner-freebsd-ipfw Fri Mar 30 14:35:26 2001
From: "alexus"
To: "Nick Rogness"
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: separation of incoming and outgoing connection in firewall
Date: Fri, 30 Mar 2001 17:35:26 -0500
Message-ID: <01a401c0b969$c3d9f640$9865fea9@book>

Ahh, now I got it. Thanks :)

From owner-freebsd-ipfw Fri Mar 30 18:04:37 2001
From: "alexus"
To: freebsd-ipfw@FreeBSD.ORG
Subject:
Date: Fri, 30 Mar 2001 21:04:40 -0500
Message-ID: <001801c0b986$fe523310$9865fea9@book>

How can I disable incoming ping of my box?

Is it possible to disable outgoing and enable incoming?
From owner-freebsd-ipfw Fri Mar 30 18:15:18 2001
From: Sean Chittenden
To: alexus
Cc: freebsd-ipfw@freebsd.org
Subject: Re: your mail
Date: Fri, 30 Mar 2001 18:15:12 -0800
Message-ID: <20010330181511.B423@rand.tgd.net>
In-Reply-To: <001801c0b986$fe523310$9865fea9@book>

Not with ipfw; however, it is if you use ipfilter (stateful firewall that kicks ass).

http://www.obfuscation.org/ipf/

-sc

On Fri, Mar 30, 2001 at 09:04:40PM -0500, alexus wrote:
> How can I disable incoming ping of my box?
>
> Is it possible to disable outgoing and enable incoming?

--
Sean Chittenden

From owner-freebsd-ipfw Fri Mar 30 18:17:16 2001
From: "alexus"
To: "Sean Chittenden"
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: your mail
Date: Fri, 30 Mar 2001 21:17:12 -0500
Message-ID: <002e01c0b988$be81c3c0$9865fea9@book>
In-Reply-To: <20010330181511.B423@rand.tgd.net>

Thank you.

From owner-freebsd-ipfw Fri Mar 30 18:17:41 2001
From: "alexus"
To: freebsd-ipfw@FreeBSD.ORG
Subject: disable ping to box using ipfw
Date: Fri, 30 Mar 2001 21:17:41 -0500
Message-ID: <003001c0b988$d02e7410$9865fea9@book>

Does anyone know how I can disable ping to my box using ipfw?

From owner-freebsd-ipfw Fri Mar 30 18:36:09 2001
From: Nick Rogness
To: alexus
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: your mail
Date: Fri, 30 Mar 2001 20:43:48 -0600 (CST)
In-Reply-To: <001801c0b986$fe523310$9865fea9@book>

On Fri, 30 Mar 2001, alexus wrote:

> How can I disable incoming ping of my box?

Yes:

ipfw add deny icmp from any to any in via fxp0 icmptypes 8

> Is it possible to disable outgoing and enable incoming?

Yes, it is:

ipfw add deny icmp from any to any out via fxp0 icmptypes 8

Nick Rogness
- Keep on Routing in a Free World...
"FreeBSD: The Power to Serve!"

From owner-freebsd-ipfw Fri Mar 30 18:40:55 2001
From: Sean Chittenden
To: Nick Rogness
Cc: alexus, freebsd-ipfw@FreeBSD.ORG
Subject: Re: your mail
Date: Fri, 30 Mar 2001 18:40:49 -0800
Message-ID: <20010330184049.C423@rand.tgd.net>

Please correct me if I'm wrong, but if you're on the system, how are you going to get a ping response back?

-sc

On Fri, Mar 30, 2001 at 08:43:48PM -0600, Nick Rogness wrote:
> > How can I disable incoming ping of my box?
>
> Yes:
>
> ipfw add deny icmp from any to any in via fxp0 icmptypes 8
>
> > Is it possible to disable outgoing and enable incoming?
>
> Yes, it is:
>
> ipfw add deny icmp from any to any out via fxp0 icmptypes 8

--
Sean Chittenden

From owner-freebsd-ipfw Fri Mar 30 18:47:03 2001
From: Nick Rogness
To: Sean Chittenden
Cc: alexus, freebsd-ipfw@FreeBSD.ORG
Subject: Re: your mail
Date: Fri, 30 Mar 2001 20:54:39 -0600 (CST)
In-Reply-To: <20010330184049.C423@rand.tgd.net>

On Fri, 30 Mar 2001, Sean Chittenden wrote:

> Please correct me if I'm wrong, but if you're on the system,
> how are you going to get a ping response back?

For outgoing:

ipfw add allow icmp from YOUR_FIREWALL to any out via fxp0 icmptypes 8
ipfw add deny icmp from any to any out via fxp0 icmptypes 8

For incoming:

ipfw add allow icmp from any to YOUR_FIREWALL in via fxp0 icmptypes 8
ipfw add deny icmp from any to any in via fxp0 icmptypes 8

Of course, this depends on how your machine and network are set up.

Nick Rogness
- Keep on Routing in a Free World...
"FreeBSD: The Power to Serve!"
From owner-freebsd-ipfw Fri Mar 30 18:53:10 2001
From: Sean Chittenden
To: Nick Rogness
Cc: alexus, freebsd-ipfw@FreeBSD.ORG
Subject: Re: your mail
Date: Fri, 30 Mar 2001 18:53:04 -0800
Message-ID: <20010330185303.D423@rand.tgd.net>

ICMP type 0: echo reply
ICMP type 8: echo request

Why not do the following?

allow outgoing icmp type 8 from host
deny incoming icmp type 8 from anywhere

-sc

On Fri, Mar 30, 2001 at 08:54:39PM -0600, Nick Rogness wrote:
> For outgoing:
>
> ipfw add allow icmp from YOUR_FIREWALL to any out via fxp0 icmptypes 8
> ipfw add deny icmp from any to any out via fxp0 icmptypes 8
>
> For incoming:
>
> ipfw add allow icmp from any to YOUR_FIREWALL in via fxp0 icmptypes 8
> ipfw add deny icmp from any to any in via fxp0 icmptypes 8
>
> Of course, this depends on how your machine and network are set up.

--
Sean Chittenden

From owner-freebsd-ipfw Fri Mar 30 19:04:41 2001
From: Nick Rogness
To: Sean Chittenden
Cc: alexus, freebsd-ipfw@FreeBSD.ORG
Subject: Re: your mail
Date: Fri, 30 Mar 2001 21:12:15 -0600 (CST)
In-Reply-To: <20010330185303.D423@rand.tgd.net>

On Fri, 30 Mar 2001, Sean Chittenden wrote:

> ICMP type 0: echo reply
> ICMP type 8: echo request
>
> Why not do the following?
>
> allow outgoing icmp type 8 from host
> deny incoming icmp type 8 from anywhere

Well, you can ;-) But what about hosts that are using your BSD firewall machine as a router to the internet? The original request was to block outgoing and incoming... no more detail was provided, so I didn't provide any more specifics. The point was that ipfw can perform all of his needs for this type of stuff.

Nick Rogness
- Keep on Routing in a Free World...
"FreeBSD: The Power to Serve!"

From owner-freebsd-ipfw Fri Mar 30 19:13:49 2001
From: Sean Chittenden
To: Nick Rogness
Cc: alexus, freebsd-ipfw@FreeBSD.ORG
Subject: Re: your mail
Date: Fri, 30 Mar 2001 19:13:43 -0800
Message-ID: <20010330191343.E423@rand.tgd.net>

> > ICMP type 0: echo reply
> > ICMP type 8: echo request
> >
> > Why not do the following?
> >
> > allow outgoing icmp type 8 from host
> > deny incoming icmp type 8 from anywhere
>
> Well, you can ;-) But what about hosts that are using your BSD
> firewall machine as a router to the internet?

Allow icmp type 8 from the netblock behind the BSD system, or allow in via fxp1 and block via fxp0... or use ipfilter and keep state... Has anyone had any luck using the dynamic rules in ipfw? I moved to ipfilter before I got real deep w/ them. How does that functionality stack up with the state table in ipfilter?

In any event, it's Friday, we're splitting hairs and I think a Guinness is in order... ::grin::

-sc

--
Sean Chittenden

From owner-freebsd-ipfw Fri Mar 30 19:43:58 2001
From: David Syphers
To: "alexus", freebsd-ipfw@FreeBSD.ORG
Subject: Re: disable ping to box using ipfw
Date: Fri, 30 Mar 2001 21:43:39 -0600
Message-Id: <4.3.2.7.2.20010330213837.00c173a0@nsit-popmail.uchicago.edu>
In-Reply-To: <003001c0b988$d02e7410$9865fea9@book>

At 09:17 PM 3/30/01 -0500, alexus wrote:
> Does anyone know how I can disable ping to my box using ipfw?

${fwcmd} add deny icmp from any to ${ip}

building on the 'client' prototype (change the reference to the ip for the 'simple' prototype). However, ping is not allowed by default, and so if your system is set to default deny, nobody can ping the machine if you're using even an unmodified client (or simple) prototype.

-David

From owner-freebsd-ipfw Sat Mar 31 04:38:05 2001
From: "Ron Holloway"
To: freebsd-ipfw@freebsd.org
Subject: Subscribe
Date: Sat, 31 Mar 2001 14:39:38 +0200
Message-ID: <014601c0b9df$a66bc4a0$0200a8c0@itec.co.za>

subscribe

From owner-freebsd-ipfw Sat Mar 31 11:58:33 2001
Sat, 31 Mar 2001 11:58:29 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net) Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id LAA06382; Sat, 31 Mar 2001 11:58:10 -0800 (PST) (envelope-from freebsd) From: "Rodney W. Grimes" Message-Id: <200103311958.LAA06382@gndrsh.dnsmgr.net> Subject: Re: disable ping to box using ipfw In-Reply-To: <4.3.2.7.2.20010330213837.00c173a0@nsit-popmail.uchicago.edu> from David Syphers at "Mar 30, 2001 09:43:39 pm" To: dbsypher@uchicago.edu (David Syphers) Date: Sat, 31 Mar 2001 11:58:09 -0800 (PST) Cc: ml@db.nexgen.com (alexus), freebsd-ipfw@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG > At 09:17 PM 3/30/01 -0500, alexus wrote: > >does anyone know how i can disable ping to my box using ipfw? > > ${fwcmd} add deny icmp from any to ${ip} Please don't drop all icmp, he said ``disable ping to'' so lets disable ping: ipfw add deny icmp from any to ${ip} icmptype 8 or ipfw add deny icmp from any to any icmptype 8 in via ${oif} But, to protect yourself from the bad stuff, yet allow the icmp stuff that is needed for a properly functioning RFC compliant host you should probably add this after the above (you can drop the 8 from the list, I just cut-n-pasted this out of a ruleset): ipfw add allow icmp from any to any icmptype 0,3,4,8,11 ipfw add deny log from any to any > building on the 'client' prototype (change reference to the ip for 'simple' > prototype). However, ping is not allowed by default, and so if your system > is set to default deny, nobody can ping the machine if you're using even an > unmodified client (or simple) prototype. root {43}# grep icmp /etc/rc.firewall root {44}# grep FreeBSD !$ grep FreeBSD /etc/rc.firewall # $FreeBSD: src/etc/rc.firewall,v 1.30.2.12 2001/03/06 01:58:02 obrien Exp $ BAD BAD BAD!!! 
(FreeBSD 4.3-RC1 :-() Doesn't even deal with icmp :-( -- Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
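As an added example (not code from the thread, and not FreeBSD's rc.firewall), here is a small Python model of ipfw's first-match evaluation run over the two rulesets proposed in the replies above: the one-line "deny icmp" and Rod's "deny echo request, allow the useful ICMP types, log-and-deny the rest". The rule grammar is an assumed subset of ipfw 1.x syntax; 192.0.2.10 and fxp0 are constructed stand-ins for ${ip} and ${oif}; the packets are constructed; the kernel's built-in default rule is modelled as deny; and the protocol word "ip" in the final rule is spelled out where the post leaves it implicit. The point it demonstrates is ordering: the echo-request deny has to come before the allow, a blanket ICMP deny also kills the unreachables a host needs for path-MTU discovery, and, with the "in via" form of the deny, keeping type 8 in the allow list is what still lets the host's own outbound pings out.

```python
"""First-match simulation of the ICMP rulesets discussed in the thread.
Added example; not code from the thread or from FreeBSD's rc.firewall."""
import re

HOST_IP = "192.0.2.10"   # constructed, stands in for ${ip}
OUTSIDE_IF = "fxp0"      # constructed, stands in for ${oif}

# Assumed grammar: a small subset of ipfw 1.x rule syntax, enough for the
# rules quoted in the thread. Rule numbers are implied by list order, as
# they are for successive 'ipfw add' commands.
RULE_RE = re.compile(
    r"^(?P<action>allow|deny)(?:\s+(?P<log>log))?\s+(?P<proto>icmp|tcp|udp|ip)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+icmptype\s+(?P<types>\d+(?:,\d+)*))?"
    r"(?:\s+(?P<dir>in|out))?"
    r"(?:\s+via\s+(?P<via>\S+))?$"
)


def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if m is None:
        raise ValueError("unsupported rule syntax: " + text)
    rule = m.groupdict()
    rule["types"] = (
        {int(t) for t in rule["types"].split(",")} if rule["types"] else None
    )
    rule["text"] = text.strip()
    return rule


def rule_matches(rule, pkt):
    """True only if every clause present in the rule matches the packet."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] != "any" and rule["src"] != pkt["src"]:
        return False
    if rule["dst"] != "any" and rule["dst"] != pkt["dst"]:
        return False
    if rule["types"] is not None and (
        pkt["proto"] != "icmp" or pkt.get("icmptype") not in rule["types"]
    ):
        return False
    if rule["dir"] is not None and rule["dir"] != pkt["dir"]:
        return False
    if rule["via"] is not None and rule["via"] != pkt["iface"]:
        return False
    return True


def verdict(ruleset, pkt):
    """(action, index) of the first matching rule. A packet that matches
    nothing falls to the kernel's built-in last rule, modelled here as deny
    (a kernel built with IPFIREWALL_DEFAULT_TO_ACCEPT would flip that)."""
    for index, rule in enumerate(ruleset):
        if rule_matches(rule, pkt):
            return rule["action"], index
    return "deny", None


def icmp(icmptype, src="198.51.100.7", dst=HOST_IP, direction="in", iface=OUTSIDE_IF):
    """Constructed ICMP packet as the filter sees it."""
    return {"proto": "icmp", "icmptype": icmptype, "src": src, "dst": dst,
            "dir": direction, "iface": iface}


# Constructed traffic a host actually cares about.
PACKETS = {
    "echo request in": icmp(8),     # someone pinging us
    "unreachable in": icmp(3),      # includes fragmentation-needed (PMTU discovery)
    "time exceeded in": icmp(11),   # what traceroute relies on
    "echo reply in": icmp(0),       # answer to our own ping
    "our ping out": icmp(8, src=HOST_IP, dst="198.51.100.7", direction="out"),
    "tcp in": {"proto": "tcp", "src": "198.51.100.7", "dst": HOST_IP,
               "dir": "in", "iface": OUTSIDE_IF},
}

# The one-liner from the first reply: every ICMP message to the host is dropped.
BLUNT = [parse_rule(f"deny icmp from any to {HOST_IP}")]

# Rod's ordering: drop inbound echo requests first, then admit the ICMP types
# a host needs, then log and deny everything else. The protocol word 'ip' in
# the last rule is spelled out here; the post leaves it implicit.
PING_ONLY = [parse_rule(r) for r in (
    f"deny icmp from any to any icmptype 8 in via {OUTSIDE_IF}",
    "allow icmp from any to any icmptype 0,3,4,8,11",
    "deny log ip from any to any",
)]

# Same ruleset with 8 removed from the allow list, to see what that costs.
PING_ONLY_NO_8 = [PING_ONLY[0],
                  parse_rule("allow icmp from any to any icmptype 0,3,4,11"),
                  PING_ONLY[2]]


def evaluate(ruleset, packets=PACKETS):
    """Map each packet name to the action the ruleset takes on it."""
    return {name: verdict(ruleset, pkt)[0] for name, pkt in packets.items()}


if __name__ == "__main__":
    for label, rs in (("blunt", BLUNT), ("ping only", PING_ONLY),
                      ("ping only, no 8", PING_ONLY_NO_8)):
        print(label)
        for name, action in evaluate(rs).items():
            print(f"  {name:18} {action}")
```

Running it shows the blunt rule dropping the unreachables and time-exceeded messages along with the pings, while the ordered ruleset drops only inbound echo requests; the third ruleset shows that once 8 is taken out of the allow list the host's own outbound ping hits the final deny.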
