From owner-freebsd-ipfw Sun Nov 25 17:03:31 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from swan.prod.itd.earthlink.net (swan.mail.pas.earthlink.net [207.217.120.123]) by hub.freebsd.org (Postfix) with ESMTP id E0E6D37B419; Sun, 25 Nov 2001 17:03:21 -0800 (PST)
Received: from user-33qtmct.dialup.mindspring.com ([199.174.217.157] helo=gohan.cjclark.org) by swan.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 168AB2-0006J5-00; Sun, 25 Nov 2001 17:03:19 -0800
Received: (from cjc@localhost) by gohan.cjclark.org (8.11.6/8.11.1) id fAP7LEu00424; Sat, 24 Nov 2001 23:21:14 -0800 (PST) (envelope-from cjc)
Date: Sat, 24 Nov 2001 23:21:14 -0800
From: "Crist J. Clark"
To: Julio OROZCO
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Packet marking bridge
Message-ID: <20011124232114.A390@gohan.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <3BFE6F52.4070306@rennes.enst-bretagne.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3BFE6F52.4070306@rennes.enst-bretagne.fr>; from julio.orozco@rennes.enst-bretagne.fr on Fri, Nov 23, 2001 at 04:46:26PM +0100
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, Nov 23, 2001 at 04:46:26PM +0100, Julio OROZCO wrote:
> I need to set up a bridge that marks packets (set the TOS field) and
> ipfw seems a good starting point, so I would like to know if somebody has
> tried (and succeeded) something like that before.

ipfw(8) really doesn't do anything to change the contents of packets.
However, using ipfw(8) to divert(4) packets to a very simple daemon
which then messes with the diffserv field is not tough.
I actually made up a very simple daemon, Divert Packet Capture Daemon
(dpcd), that is made to take care of all of the divert(4) stuff for
you, you just need to add a code module to do the packet modifications.
-- 
Crist J. Clark                     cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Mon Nov 26 07:55:39 2001
Date: Mon, 26 Nov 2001 10:55:33 -0500 (EST)
From: Darren Henderson
To: ipfw@freebsd.org
Subject: oddities or misunderstandings?

I have a couple of issues with which I'm not quite clear as to what's
going on, any enlightenment would be appreciated. This is on a 4.4-STABLE
last cvsup'd and rebuilt on 11/20.

For a while now I've been seeing a dozen or so kernel messages like this:

    Connection attempt to TCP 209.222.117.162:1230 from 65.203.157.142:80

They come from a couple of different class C's and may be directed to a
number of my /28's or my internal 10/8 on various ports. My first thought
was that perhaps they were just responses to outstanding browser requests
that had timed out etc. See a bit of that with my name server. However
some of the addresses that it hits are aliases on the external interface
and those addresses wouldn't be generating any requests.
Also, they have occurred when the only system on our LAN that was
powered up was the firewall itself.

They don't appear to be coming in through the dynamic rules yet my
default final rule (deny ip from any to any) doesn't catch them.

If I block it with a rule such as:

    ipfw add deny log logamount 1000 ip from 65.203.157.0/24 to any

ipfw does in fact stop them, at least from that class C. Since I've seen
it from at least 2 class C's I thought I would put in a rule like this
instead:

    ipfw add deny log logamount 1000 tcp from any 80 to any in via dc1

which I place after my check-state rule. This doesn't work. It doesn't
catch anything and kernel messages still show up so the packets are
getting through the firewall.

Why would these be getting through ipfw, the final rule should be
catching them regardless? Fragments perhaps?

On a similar note, playing with nmap, scanning a number of my systems,
things seem fine yet for some reason, when it scans port 12345, the
firewall doesn't seem to catch it. I realize nmap plays some games and
uses various stealth techniques yet scans on that port behave differently
than other scans on the other ports. nmap reports it as being open though
everything I've looked at indicates otherwise, behaved the same way right
after a cvsup and doing a new world and kernel, so I don't suspect
anything nefarious.

Most likely this is all a failing of my understanding of ipfw even though
I've been using it for years. Any thoughts/explanations would be
appreciated.
______________________________________________________________________
Darren Henderson                                 darren@nighttide.net
           Help fight junk e-mail, visit http://www.cauce.org/

From owner-freebsd-ipfw Mon Nov 26 15:59:38 2001
Date: Mon, 26 Nov 2001 11:54:01 -0800
From: "Crist J. Clark"
To: Darren Henderson
Cc: ipfw@FreeBSD.ORG
Subject: Re: oddities or misunderstandings?
Message-ID: <20011126115401.D232@gohan.cjclark.org>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: from darren@nighttide.net on Mon, Nov 26, 2001 at 10:55:33AM -0500

On Mon, Nov 26, 2001 at 10:55:33AM -0500, Darren Henderson wrote:
> 
> I have a couple of issues with which I'm not quite clear as to what's going
> on, any enlightenment would be appreciated. This is on a 4.4-STABLE last
> cvsup'd and rebuilt on 11/20.
> 
> For a while now I've been seeing a dozen or so kernel messages like this:
> 
> Connection attempt to TCP 209.222.117.162:1230 from 65.203.157.142:80
> 
> They come from a couple of different class C's and may be directed to a
> number of my /28's or my internal 10/8 on various ports. My first thought
> was that perhaps they were just responses to outstanding browser requests
> that had timed out etc.

Sounds like it.

> See a bit of that with my name server. However
> some of the addresses that it hits are aliases on the external interface
> and those addresses wouldn't be generating any requests.

Hrm.

> Also, they have
> occurred when the only system on our LAN that was powered up was the
> firewall itself.

Hrm^2.

> They don't appear to be coming in through the dynamic rules yet my default
> final rule (deny ip from any to any) doesn't catch them.

How have you checked this?

> If I block it with a rule such as:
> 
> ipfw add deny log logamount 1000 ip from 65.203.157.0/24 to any
> 
> ipfw does in fact stop them, at least from that class C. Since I've seen
> it from at least 2 class C's
> 
> I thought I would put in a rule like this instead:
> 
> ipfw add deny log logamount 1000 tcp from any 80 to any in via dc1
> 
> which I place after my check-state rule. This doesn't work. It doesn't
> catch anything and kernel messages still show up so the packets are
> getting through the firewall.
> 
> Why would these be getting through ipfw, the final rule should be
> catching them regardless?

Was the first rule that did catch them also after you check-state?

> Fragments perhaps?

No, unless you've really set your firewall up in a strange way,
reassembleable datagrams should not be getting through.

> On a similar note, playing with nmap, scanning a number of my systems,
> things seem fine yet for some reason, when it scans port 12345, the
> firewall doesn't seem to catch it.
> I realize nmap plays some games and
> uses various stealth techniques yet scans on that port behave differently
> than other scans on the other ports. nmap reports it as being open though
> everything I've looked at indicates otherwise, behaved the same way right
> after a cvsup and doing a new world and kernel, so I don't suspect
> anything nefarious.

How are you doing the scan? Are there networks which you do not
control between the scanner and the firewall? It has actually come to
the point where some ISPs filter some of the most common trojan ports.
-- 
Crist J. Clark                     cjclark@alum.mit.edu

From owner-freebsd-ipfw Mon Nov 26 20:12:39 2001
Date: Mon, 26 Nov 2001 23:12:32 -0500 (EST)
From: Darren Henderson
To: cjclark@alum.mit.edu
Cc: ipfw@FreeBSD.ORG
Subject: Re: oddities or misunderstandings?
In-Reply-To: <20011126115401.D232@gohan.cjclark.org>

On Mon, 26 Nov 2001, Crist J. Clark wrote:

> On Mon, Nov 26, 2001 at 10:55:33AM -0500, Darren Henderson wrote:
> > 
> > They don't appear to be coming in through the dynamic rules yet my default
> > final rule (deny ip from any to any) doesn't catch them.
> 
> How have you checked this?

Well, not sure how to check it definitively frankly.
There are perhaps dozens of these but not hundreds so they are not
terribly predictable. They tend to come in 4 or 5 at a time (which kind
of reinforces the time out idea). I've just been glancing over the
dynamic rules when I notice one and haven't spied it in there yet.
Hardly definitive though. Guess I will have to install snort and see
what I can catch.

> Was the first rule that did catch them also after you check-state?

No, first rule was quite high up in the rules prior to the check-state.
Again making it look like a dynamic rule problem.

> How are you doing the scan? Are there networks which you do not
> control between the scanner and the firewall? It has actually come to
> the point where some ISPs filter some of the most common trojan ports.

Ah, good point, yes, there was another firewall in between us when I ran
the scan, they must have begun doing outbound filtering. That probably
explains that much at least.

______________________________________________________________________
Darren Henderson                                 darren@nighttide.net
           Help fight junk e-mail, visit http://www.cauce.org/

From owner-freebsd-ipfw Wed Nov 28 14:34:53 2001
Date: Wed, 28 Nov 2001 17:39:37 -0500
From: "Sr. Mario Antonio"
To: freebsd-ipfw@freebsd.org
Subject: Controlling Bandwidth
Message-ID: <003d01c1785d$8fa436c0$13c01dd0@shadowfax>

Hi :

I am running 4.4-STABLE FreeBSD with IPFW built into the kernel.
I am configuring this machine to be the gateway of the wireless segment
of our network.
The machine has two interfaces: fxp0 and xl0.
fxp0 is connected to the private segment.
xl0 goes to the internet.
I want to limit the traffic according to the segment of the network. To
do this, I will apply a specific cap per segment.
These are the configurations that I have in mind:

    pipe 10 config mask src-ip 0x000000ff bw 1544kbit/s queue 8Kbytes
    pipe 20 config mask dst-ip 0x000000ff bw 1544kbit/s queue 8Kbytes
    add 1000 pipe 10 all from 192.168.1.0/26 to any out via fxp0
    add 1100 pipe 20 all from any to 192.168.1.0/26 in via fxp0

    pipe 30 config mask src-ip 0x000000ff bw 384kbit/s queue 8Kbytes
    pipe 40 config mask dst-ip 0x000000ff bw 384kbit/s queue 8Kbytes
    add 1200 pipe 30 all from 192.168.1.64/26 to any out via fxp0
    add 1300 pipe 40 all from any to 192.168.1.64/26 in via fxp0

    pipe 50 config mask src-ip 0x000000ff bw 256kbit/s queue 8Kbytes
    pipe 60 config mask dst-ip 0x000000ff bw 256kbit/s queue 8Kbytes
    add 1400 pipe 50 all from 192.168.1.128/26 to any out via fxp0
    add 1500 pipe 60 all from any to 192.168.1.128/26 in via fxp0

    pipe 70 config mask src-ip 0x000000ff bw 128kbit/s queue 8Kbytes
    pipe 80 config mask dst-ip 0x000000ff bw 128kbit/s queue 8Kbytes
    add 1600 pipe 70 all from 192.168.1.192/26 to any out via fxp0
    add 1700 pipe 80 all from any to 192.168.1.192/26 in via fxp0

Any suggestions

Regards

Mario Antonio Garcia
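Crist's first message in this thread describes diverting packets with ipfw(8) to a small daemon that rewrites the diffserv field. What follows is an added example, not dpcd and not code from the thread: it implements the packet-modification module such a daemon needs, namely rewriting the DS/TOS byte of an IPv4 header in place and patching the header checksum incrementally (RFC 1624) so the marked packet is still valid when it is sent back. The function names (ip_set_dscp, ip_header_checksum, ip_header_valid, sample_header, rewrite_sample) and the sample header bytes are mine; the divert(4) socket plumbing (recvfrom on an IPPROTO_DIVERT socket, sendto back to the same address) is left out so the code builds and runs on any host.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not dpcd and not code from the list thread: the
 * per-datagram rewrite a divert(4) marking daemon would apply between
 * recvfrom(2) and sendto(2). Only the rewrite itself is shown here. */

/* One's-complement sum of the header's big-endian 16-bit words, folded
 * and inverted. Over a header whose checksum field is zero this is the
 * value to store; over a header with a correct checksum it is 0. */
uint16_t ip_header_checksum(const uint8_t *hdr, size_t hdr_len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < hdr_len; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    if (hdr_len & 1)                  /* odd trailing byte */
        sum += (uint32_t)hdr[hdr_len - 1] << 8;
    while (sum >> 16)                 /* end-around carry */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* 1 if pkt starts with an IPv4 header whose checksum verifies. */
int ip_header_valid(const uint8_t *pkt, size_t len)
{
    size_t ihl;
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return 0;
    return ip_header_checksum(pkt, ihl) == 0;
}

/* Rewrite the DS field (the old TOS byte) in place, keeping the two ECN
 * bits, and patch the checksum incrementally per RFC 1624:
 * HC' = ~(~HC + ~m + m'). Returns 0 on success, -1 on a bad header. */
int ip_set_dscp(uint8_t *pkt, size_t len, uint8_t dscp)
{
    uint8_t old_tos, new_tos;
    uint16_t m, mp, hc;
    uint32_t sum;
    if (len < 20 || (pkt[0] >> 4) != 4 || (pkt[0] & 0x0f) < 5)
        return -1;
    old_tos = pkt[1];
    new_tos = (uint8_t)(((dscp & 0x3f) << 2) | (old_tos & 0x03));
    if (new_tos == old_tos)
        return 0;                     /* nothing to patch */
    pkt[1] = new_tos;
    /* The TOS byte shares the first 16-bit word with version/IHL. */
    m  = (uint16_t)(((uint16_t)pkt[0] << 8) | old_tos);
    mp = (uint16_t)(((uint16_t)pkt[0] << 8) | new_tos);
    hc = (uint16_t)(((uint16_t)pkt[10] << 8) | pkt[11]);
    sum = (uint32_t)(uint16_t)~hc + (uint32_t)(uint16_t)~m + mp;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    hc = (uint16_t)~sum;
    pkt[10] = (uint8_t)(hc >> 8);
    pkt[11] = (uint8_t)(hc & 0xff);
    return 0;
}

/* Constructed sample: a 20-byte IPv4 header for a TCP packet from
 * 192.168.0.1 to 192.168.0.199, TOS 0, with its checksum filled in. */
size_t sample_header(uint8_t out[20])
{
    static const uint8_t tmpl[20] = {
        0x45, 0x00, 0x00, 0x3c, 0x1c, 0x46, 0x40, 0x00, 0x40, 0x06,
        0x00, 0x00, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };
    uint16_t ck;
    memcpy(out, tmpl, 20);
    ck = ip_header_checksum(out, 20);
    out[10] = (uint8_t)(ck >> 8);
    out[11] = (uint8_t)(ck & 0xff);
    return 20;
}

/* Mark a fresh sample header with dscp and return its new checksum field,
 * or -1 if the incrementally patched header fails a full recompute. */
long rewrite_sample(uint8_t dscp)
{
    uint8_t pkt[20];
    size_t len = sample_header(pkt);
    if (ip_set_dscp(pkt, len, dscp) != 0 || !ip_header_valid(pkt, len))
        return -1;
    return ((long)pkt[10] << 8) | pkt[11];
}

int main(void)
{
    uint8_t pkt[20];
    sample_header(pkt);
    printf("before: tos=0x%02x csum=0x%02x%02x\n", pkt[1], pkt[10], pkt[11]);
    ip_set_dscp(pkt, 20, 46);         /* 46 = EF, the usual "expedited" mark */
    printf("after:  tos=0x%02x csum=0x%02x%02x valid=%d\n",
           pkt[1], pkt[10], pkt[11], ip_header_valid(pkt, 20));
    return 0;
}
```

Compiled and run, it prints the sample header's TOS and checksum before and after marking with DSCP 46 (the checksum goes from 0x9c5d to 0x9ba5) and confirms that the incrementally patched header passes a full recompute. Preserving the ECN bits and fixing the checksum are the two steps most often missed in a hand-rolled marker; since the IP checksum covers only the IP header, a TOS change leaves the TCP and UDP checksums untouched.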