From: Giannis Nikopoulos
To: freebsd-ipfw@freebsd.org
Date: Sun, 7 Apr 2002 20:26:32 +0300 (EET DST)
Subject: Load balancing with NATD

Hello everybody !!!

I'm just a new member of both the FreeBSD world and this list, so I hope
you will bear with my ignorance.

This is the problem:

I have a FreeBSD 4.5 running as a router between the outer world and a
private network (192.168.0.0) of 3 servers. I use natd to handle traffic
between the outer world and the PN. My goal (as part of a simple
university course project) is to perform load balancing among the 3
back-end servers. I've written down a load balancing algorithm that uses
reporting agents running on the 3 servers and reporting their load to a
central coordinator running on the FreeBSD router. The question is:

How can I use natd (or maybe another tool, say ipfw or some proxy, I don't
know) in order to dynamically dispatch (redirect) incoming connections
among the 3 back-end servers? As far as I can tell, natd performs
redirection (along with address translation) but in a static way (correct
me if I'm wrong, I've already explained I'm new to this stuff).

Is there any way I can instruct natd to selectively choose to which server
it will redirect a connection by applying a set of rules, or will I have
to hack into natd's source code?

I don't know if I should have provided more feedback on this case or been
a little more specific. Can anyone help?

Thanx in advance

-- 
Ioannis K. Nikopoulos
Postgraduate Student and Researcher
Computer Science Department
University of Ioannina
GREECE
For more information: http://www.cs.uoi.gr/~nikop

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message


From: Ruslan Ermilov
To: Giannis Nikopoulos
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Mon, 8 Apr 2002 10:36:46 +0300
Subject: Re: Load balancing with NATD
In-Reply-To: <200204071726.UAA12257@pontus.cs.uoi.gr>

Search for "LSNAT" in the natd(8) manpage.

On Sun, Apr 07, 2002 at 08:26:32PM +0300, Giannis Nikopoulos wrote:
> Hello everybody !!!
> 
> I'm just a new member of both the FreeBSD world and this list
> so I hope you will bear with my ignorance.
> 
> This is the problem:
> 
> I have a FreeBSD 4.5 running as a router between the outer world and
> a private network (192.168.0.0) of 3 servers. I use natd to handle
> traffic between the outer world and the PN. My goal (as part of a simple
> university course project) is to perform load balancing among the 3
> back-end servers. I've written down a load balancing algorithm that
> uses reporting agents running on the 3 servers and reporting their load
> to a central coordinator running on the FreeBSD router. The question is:
> 
> How can I use natd (or maybe another tool, say ipfw or some proxy, I don't
> know) in order to dynamically dispatch (redirect) incoming connections
> among the 3 back-end servers? As far as I can tell, natd performs redirection
> (along with address translation) but in a static way (correct me if I'm
> wrong, I've already explained I'm new to this stuff).
> 
> Is there any way I can instruct natd to selectively choose to which server
> it will redirect a connection by applying a set of rules, or will I have to
> hack into natd's source code?
> 
> I don't know if I should have provided more feedback on this case or been
> a little more specific. Can anyone help?
> 
> Thanx in advance
> 
> -- 
> Ioannis K. Nikopoulos
> Postgraduate Student and Researcher
> Computer Science Department
> University of Ioannina
> GREECE

-- 
Ruslan Ermilov          Sysadmin and DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age


From: "John Massier"
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Wed, 10 Apr 2002 21:03:36 +0200
Subject: Booting error in rc.firewall

Hi everyone,

I've got an odd problem when booting with a firewall_type="filename". In
the file (/etc/ipfw.rules) I add the next rules:

add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from 127.0.0.0/8 to any
add 01002 deny hmp from 1.1.1.1 to 5.4.4.4
add 10000 allow tcp from 2.2.2.2 to 3.3.3.3
add 23232 allow i-nlsp from 67.67.67.67 to 3.3.3.3
add 56565 prob 0.400000 allow log logamount 12000 tcp from not 122.23.2.5:123.23.23.23 3456,8765,1511,1469 to 4.2.2.0/23 123,5678,68,2016,998 uid uucp gid man keep-state 1234 bridged in recv ppp0 ipopt ssrr,lsrr tcpflags syn,ack tcpoptions mss,window
add 65000 allow ip from any to any
add 65535 deny ip from any to any

The problem is in rule 56565. When booting I get the following message:

ipfw:Line 7: too many arguments

and the remaining rules aren't added. The rule 56565 is in the file
exclusively to test if ipfw fails, and that's exactly what has happened.

Any idea please?

Thanks in advance. Best regards.


From: "Artyom V. Viklenko"
Organization: IIAT NTU "KPI"
To: John Massier
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Thu, 11 Apr 2002 08:16:40 +0300
Subject: Re: Booting error in rc.firewall

John Massier wrote:
> 
> Hi everyone,
> 
> I've got an odd problem when booting with a firewall_type="filename". In the
> file (/etc/ipfw.rules) I add the next rules:
> 
> add 00100 allow ip from any to any via lo0
> add 00200 deny ip from any to 127.0.0.0/8
> add 00300 deny ip from 127.0.0.0/8 to any
> add 01002 deny hmp from 1.1.1.1 to 5.4.4.4
> add 10000 allow tcp from 2.2.2.2 to 3.3.3.3
> add 23232 allow i-nlsp from 67.67.67.67 to 3.3.3.3
> add 56565 prob 0.400000 allow log logamount 12000 tcp from not
> 122.23.2.5:123.23.23.23 3456,8765,1511,1469 to 4.2.2.0/23

The problem is here, I think. You have to specify the mask for address
122.23.2.5, and the value 123.23.23.23 doesn't look like a correct value
for this purpose.

> 123,5678,68,2016,998 uid uucp gid man keep-state 1234 bridged in recv ppp0
> ipopt ssrr,lsrr tcpflags syn,ack tcpoptions mss,window
> add 65000 allow ip from any to any
> add 65535 deny ip from any to any
> 
> The problem is in rule 56565. When booting I get the following message:
> 
> ipfw:Line 7: too many arguments
> 
> and the remaining rules aren't added. The rule 56565 is in the file
> exclusively to test if ipfw fails, and that's exactly what has happened.
> 
> Any idea please?
> 
> Thanks in advance. Best regards.

-- 
Sincerely yours,
Artyom V. Viklenko.
======================================================
System Administrator        artem@mipk-kspu.kharkov.ua
------------------------------------------------------
IIAT NTU "KhPI"
21, Frunze Str., Kharkov
Ukraine 61002
Phone: +380 (572) 400026
Fax:   +380 (572) 474062
======================================================


From: "Artyom V. Viklenko"
Organization: IIAT NTU "KPI"
To: freebsd-ipfw@freebsd.org
Date: Fri, 12 Apr 2002 16:40:08 +0300
Subject: policy-driven routing with ipfw

Hi! Help me, please.

I have a FreeBSD 4.5-STABLE box with 3 NICs (NE2000-clones).

First - ed0 - connected to internal network with address, say, 192.168.1.1.
Second - ed1 - connected to ISP #1 with ip 10.0.1.1.
Third - ed2 - to ISP #2 with ip 10.0.2.1.

The default route is through ed1.

Clients with ips 192.168.1.1-192.168.1.127 should get access to the
outside world via ed1, and the rest of the clients via ed2.

I have set up 'ipfw fwd' rules to point out the ISPs' router addresses,
say 10.0.1.254 and 10.0.2.254 respectively:

# ipfw add 1000 fwd 10.0.1.254 ip from 192.168.1.0/25 to not 192.168.1.0/24 in recv ed0
# ipfw add 2000 fwd 10.0.2.254 ip from 192.168.1.128/25 to not 192.168.1.0/24 in recv ed0

All ok at this point.

The last wish is to use NAT on both outside interfaces to hide the
internal network. And I have set up two divert rules and natd daemons:

# natd -p 2000 -interface ed1
# natd -p 2001 -interface ed2
# ipfw add 3000 divert 2000 ip from any to any via ed1
# ipfw add 4000 divert 2001 ip from any to any via ed2

But packets never pass to these rules. :(

The ipfw(8) man page says that the search terminates on a matching fwd
rule. But as I remember, an ip packet passes the ipfw rules twice. The
first pass, IMHO, will change the next hop at entering the stack via ed0.
And at the second pass, when the packet is leaving the machine via ed1(2),
the packet should be diverted.

Where is my mistake? What am I doing wrong?

Kernel variable net.inet.ip.fw.one_pass does not affect this situation.
This is only for pipes, isn't it?

-- 
Sincerely yours,
Artyom V. Viklenko.
======================================================
System Administrator        artem@mipk-kspu.kharkov.ua
------------------------------------------------------
IIAT NTU "KhPI"
21, Frunze Str., Kharkov
Ukraine 61002
Phone: +380 (572) 400026
Fax:   +380 (572) 474062
======================================================


From: Nick Rogness
To: "Artyom V. Viklenko"
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Fri, 12 Apr 2002 16:09:13 -0500 (CDT)
Subject: Re: policy-driven routing with ipfw
In-Reply-To: <3CB6E3B8.F26ECFDB@mipk-kspu.kharkov.ua>

On Fri, 12 Apr 2002, Artyom V. Viklenko wrote:

> Hi! Help me, please.
> 
> I have a FreeBSD 4.5-STABLE box with 3 NICs (NE2000-clones).
> 
> First - ed0 - connected to internal network with address, say,
> 192.168.1.1. Second - ed1 - connected to ISP #1 with ip 10.0.1.1.
> Third - ed2 - to ISP #2 with ip 10.0.2.1.

OK.

> 
> The default route is through ed1.
> 
> Clients with ips 192.168.1.1-192.168.1.127 should get access to
> the outside world via ed1, and the rest of the clients via ed2.
> 

OK.

> I have set up 'ipfw fwd' rules to point out the ISPs' router addresses,
> say 10.0.1.254 and 10.0.2.254 respectively:
> 
> # ipfw add 1000 fwd 10.0.1.254 ip from 192.168.1.0/25 to not
> 192.168.1.0/24 in recv ed0
> # ipfw add 2000 fwd 10.0.2.254 ip from 192.168.1.128/25 to not
> 192.168.1.0/24 in recv ed0
> 
> All ok at this point.
> 
> The last wish is to use NAT on both outside interfaces to hide the
> internal network.
> 
> And I have set up two divert rules and natd daemons:
> 
> # natd -p 2000 -interface ed1
> # natd -p 2001 -interface ed2
> # ipfw add 3000 divert 2000 ip from any to any via ed1
> # ipfw add 4000 divert 2001 ip from any to any via ed2
> 
> But packets never pass to these rules. :(

What version are you running? It used to be that fwd only worked on
outbound connections. There was talk on the list that this behaviour has
changed. There are several workarounds, one of which is a firewall like
so:

# Catch packets leaving ed1 (default gateway), send them to
# ed2 gateway
100 fwd 10.0.2.254 ip from 192.168.1.128/25 to any out via ed1

# Normal default traffic natd
200 divert natd ip from any to any via ed1

# Natd for second interface
300 divert natd ip from any to any via ed2

# Allow for now
400 allow ip from any to any

> 
> The ipfw(8) man page says that the search terminates on a matching fwd
> rule. But as I remember, an ip packet passes the ipfw rules twice. The
> first pass, IMHO, will change the next hop at entering the stack via ed0.
> And at the second pass, when the packet is leaving the machine via ed1(2),
> the packet should be diverted.
> 
> Where is my mistake? What am I doing wrong?
> 
> Kernel variable net.inet.ip.fw.one_pass does not affect this
> situation. This is only for pipes, isn't it?

Yes.

Nick Rogness - Don't mind me...I'm just sniffing your packets
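An added Python example, not taken from any of the messages above, prompted by the "Booting error in rc.firewall" thread (John Massier's rules file and Artyom's remark about the mask in rule 56565): a pre-boot lint for the address forms ipfw accepts after `from` and `to`, run over the posted rules as a constructed sample. It only flags malformed address specs, so it does not reproduce ipfw's own parser or its "too many arguments" message; the sample file, the regex, and the list of accepted forms (any, me, a.b.c.d, a.b.c.d/bits, a.b.c.d:mask) are assumptions.

```python
import ipaddress
import re

# Constructed sample input: the rules file posted in the thread, with rule
# 56565 left exactly as posted (ipfw reported "Line 7: too many arguments").
RULES = """\
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from 127.0.0.0/8 to any
add 01002 deny hmp from 1.1.1.1 to 5.4.4.4
add 10000 allow tcp from 2.2.2.2 to 3.3.3.3
add 23232 allow i-nlsp from 67.67.67.67 to 3.3.3.3
add 56565 prob 0.400000 allow log logamount 12000 tcp from not 122.23.2.5:123.23.23.23 3456,8765,1511,1469 to 4.2.2.0/23 123,5678,68,2016,998 uid uucp gid man keep-state 1234 bridged in recv ppp0 ipopt ssrr,lsrr tcpflags syn,ack tcpoptions mss,window
add 65000 allow ip from any to any
add 65535 deny ip from any to any
"""

# The token after "from" / "to" (skipping an optional "not") is the address spec.
ADDR_RE = re.compile(r"\b(from|to)\s+(?:not\s+)?(\S+)")

def check_addr(spec):
    """None if spec is well formed, else a reason. Assumed forms: any, me, a.b.c.d, a.b.c.d/bits, a.b.c.d:mask."""
    if spec in ("any", "me"):
        return None
    addr, sep, rest = spec.partition("/") if "/" in spec else spec.partition(":")
    try:
        ipaddress.IPv4Address(addr)
    except ValueError:
        return "address %r is not a dotted quad" % addr
    if not sep:
        return None
    if sep == "/":
        if not rest.isdigit() or int(rest) > 32:
            return "prefix length %r is not 0..32" % rest
        return None
    try:
        mask = int(ipaddress.IPv4Address(rest))
    except ValueError:
        return "mask %r is not a dotted quad" % rest
    # A netmask is 1-bits followed by 0-bits, so its complement plus one is a power of two.
    inv = ~mask & 0xFFFFFFFF
    if inv & (inv + 1):
        return "mask %s is not a contiguous netmask" % rest
    return None

def lint(rules_text):
    """Return (line_no, spec, reason) for every malformed address in the file."""
    problems = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        for _kw, spec in ADDR_RE.findall(line):
            reason = check_addr(spec)
            if reason:
                problems.append((n, spec, reason))
    return problems
```

Because a parse error stops ipfw from loading the rest of the file, as John saw at boot, running a check like this before pointing firewall_type at the file catches the bad mask while the previous rule set is still in place.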