From owner-freebsd-ipfw Sun Jun 16 12:58:45 2002
From: "Mihail Balikov"
To: "Adam Migus"
Subject: Re: New ipfw code available
Date: Sun, 16 Jun 2002 22:56:06 +0300
Message-ID: <001901c2156f$da0c7d80$eee209d9@interbgc.com>

> Why would this be useful?

keep tracking of changes in ipfw rules

> Why would you make the sysctl CTLFLAG_RW? Why
> would you use 64 bits?

sorry, I have made copy&paste of other code, should be read-only

----- Original Message -----
From: "Adam Migus"
To: "Mihail Balikov"
Sent: Sunday, June 16, 2002 10:41 PM
Subject: RE: New ipfw code available

> Dude,
> Why would this be useful? Why would you make the sysctl CTLFLAG_RW? Why
> would you use 64 bits? Why would you use the same variable (making it
> somewhat meaningless anyway)?
> >
> > -----Original Message-----
> > From: owner-freebsd-ipfw@FreeBSD.ORG
> > [mailto:owner-freebsd-ipfw@FreeBSD.ORG]On Behalf Of Mihail Balikov
> > Sent: Saturday, June 15, 2002 5:41 PM
> > To: Luigi Rizzo
> > Cc: ipfw@FreeBSD.ORG
> > Subject: Re: New ipfw code available
> >
> > something like this:
> >
> > sys/netinet/ip_fw.c:
> > static u_int64_t seq_num = 0;
> > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, seq_num, CTLFLAG_RW,
> >     &seq_num, 0, "Sequence number of changes");
> >
> > static int
> > ip_fw_ctl(struct sockopt *sopt)
> > {
> >     [...]
> >     case IP_FW_FLUSH:
> >         seq_num++;
> >     [...]
> >     case IP_FW_ADD:
> >         seq_num++;
> >     [...]
> >     case IP_FW_DEL:
> >         seq_num++;
> >     ....
> > }
> >
> > it should be useful to have similar counter for dummynet.
> >
> > regards,
> > m.
> >
> > ----- Original Message -----
> > From: "Luigi Rizzo"
> > To: "Mihail Balikov"
> > Sent: Saturday, June 15, 2002 9:20 PM
> > Subject: Re: New ipfw code available
> >
> > > On Sat, Jun 15, 2002 at 12:48:30PM +0300, Mihail Balikov wrote:
> > > > how about adding simple checksum of rules, something like incrementing
> > > > counter on every
> > > > IP_FW_FLUSH, IP_FW_ADD, IP_FW_DEL
> > >
> > > what do you mean ?
> > >
> > > luigi

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Mon Jun 17 09:57:36 2002
Date: Mon, 17 Jun 2002 09:57:02 -0700
From: "'Luigi Rizzo'"
To: ipfw@FreeBSD.ORG
Subject: third ipfw snapshot available
Message-ID: <20020617095702.C36073@iguana.icir.org>
In-Reply-To: <20020613171319.D93980@iguana.icir.org>

[Bcc to -net]

A third snapshot of my rewrite of the ipfw code is available at

    http://info.iet.unipi.it/~luigi/ipfw5.20020617.tgz

This code is for -current, and it implements all the existing
ipfw features with the exception of ipprecedence, iptos and icmptypes
(these will be added in the next snapshot).

It also lets you put "not" and "or" connectives in front of almost any
field of an ipfw rule, so you can likely write more compact and
efficient rulesets.
Being the work almost complete, I should be able to run performance
tests and produce a -stable version of this code shortly.

I would be grateful if you could give this code a try and tell me
how it works for you on the rulesets you use (it is supposed to
be 100% compatible with the existing ipfw). You need to have
a version of -current after May 15th, replace

    sys/netinet/ip_fw.c
    sys/netinet/ip_fw.h
    sys/netinet/ip_dummynet.c
    sbin/ipfw/ipfw.c

with the files in the archive, rebuild a kernel and /sbin/ipfw.

Both success and failure reports are welcome.

cheers
luigi

From owner-freebsd-ipfw Mon Jun 17 15:39:06 2002
Date: Mon, 17 Jun 2002 15:34:08 -0700
From: "'Luigi Rizzo'"
To: ipfw@FreeBSD.ORG
Subject: Re: third ipfw snapshot available
Message-ID: <20020617153408.A38650@iguana.icir.org>
In-Reply-To: <20020617095702.C36073@iguana.icir.org>

ok, the port to -stable was easier than I thought.
Patches against a recent -stable are at

    http://info.iet.unipi.it/~luigi/ipfw4.20020617.diff

they modify the following files:

    sys/net/bridge.c
    sys/net/if_ethersubr.c
    sys/netinet/ip_dummynet.c
    sys/netinet/ip_dummynet.h
    sys/netinet/ip_fw.c
    sys/netinet/ip_fw.h
    sys/netinet/ip_input.c
    sys/netinet/ip_output.c
    sbin/ipfw/ipfw.c

I also managed to run some very preliminary performance tests on a
net4501 (133 MHz 486), with a simple program which generates short
(64-byte on the wire) UDP packets as fast as it can to a remote host
on a 10Mbit/s half-duplex link. I used the following sysctl variables:

    kern.polling.enable=1
    kern.polling.user_frac=99

The ruleset was made of a variable number of rules:

    count ip from any to any        [repeated N times]

followed by the default rule

    allow ip from any to any

This test is only meant to show how much overhead you save by
generating rules which only perform the required actions as opposed
to using the old rule structure.

Packets-per-second / ipfw overhead in us

    # of "count" rules     Standard IPFW     New IPFW
             0              4800 / n.a.     4830 / n.a.
            10              3800 / 55       4460 / 17
            20              3240 / 100      4000 / 43
            30              2840 / 144      3720 / 61
            50              2310 / 224      3166 / 108

So, at least on this box, you cut the overhead in half.
Of course if you try the same test with rules which exercise every
possible match field and option in the rule, both times are going to
go up, but I do not think the new ipfw will lose anything.

cheers
luigi

On Mon, Jun 17, 2002 at 09:57:02AM -0700, 'Luigi Rizzo' wrote:
> [Bcc to -net]
>
> A third snapshot of my rewrite of the ipfw code is available at
>
> http://info.iet.unipi.it/~luigi/ipfw5.20020617.tgz
>
> This code is for -current, and it implements all the existing
> ipfw features with the exception of ipprecedence, iptos and icmptypes
> (these will be added in the next snapshot).
>
> It also lets you put "not" and "or" connectives in front of almost any
> field of an ipfw rule, so you can likely write more compact and
> efficient rulesets.
>
> Being the work almost complete, I should be able to run performance
> tests and produce a -stable version of this code shortly.
>
> I would be grateful if you could give this code a try and tell me
> how it works for you on the rulesets you use (it is supposed to
> be 100% compatible with the existing ipfw). You need to have
> a version of -current after May 15th, replace
>
> sys/netinet/ip_fw.c
> sys/netinet/ip_fw.h
> sys/netinet/ip_dummynet.c
> sbin/ipfw/ipfw.c
>
> with the files in the archive, rebuild a kernel and /sbin/ipfw.
>
> Both success and failure reports are welcome.
>
> cheers
> luigi

From owner-freebsd-ipfw Tue Jun 18 21:11:17 2002
Date: Tue, 18 Jun 2002 21:11:11 -0700
From: "Crist J. Clark"
To: "'Luigi Rizzo'"
Cc: ipfw@FreeBSD.ORG
Subject: Re: third ipfw snapshot available
Message-ID: <20020618211111.A18867@blossom.cjclark.org>
In-Reply-To: <20020617095702.C36073@iguana.icir.org>

On Mon, Jun 17, 2002 at 09:57:02AM -0700, 'Luigi Rizzo' wrote:
> [Bcc to -net]
>
> A third snapshot of my rewrite of the ipfw code is available at
>
> http://info.iet.unipi.it/~luigi/ipfw5.20020617.tgz

Looks like these break libalias(3).
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-ipfw Tue Jun 18 21:28:02 2002
Date: Tue, 18 Jun 2002 21:27:57 -0700
From: "'Luigi Rizzo'"
To: "Crist J. Clark"
Cc: ipfw@FreeBSD.ORG
Subject: Re: third ipfw snapshot available
Message-ID: <20020618212757.A52553@iguana.icir.org>
In-Reply-To: <20020618211111.A18867@blossom.cjclark.org>

On Tue, Jun 18, 2002 at 09:11:11PM -0700, Crist J. Clark wrote:
> On Mon, Jun 17, 2002 at 09:57:02AM -0700, 'Luigi Rizzo' wrote:
> > [Bcc to -net]
> >
> > A third snapshot of my rewrite of the ipfw code is available at
> >
> > http://info.iet.unipi.it/~luigi/ipfw5.20020617.tgz
>
> Looks like these break libalias(3).

thanks for mentioning -- I did not even know that libalias would
try to manipulate the ipfw lists!
cheers
luigi

From owner-freebsd-ipfw Wed Jun 19 13:22:08 2002
Message-ID: <000801c2183b$e488c1a0$866457ca@testing>
From: "Quddus Ullah Khan"
To: freebsd-ipfw@freebsd.org
Subject: transparent proxying
Date: Thu, 20 Jun 2002 02:20:59 -0700

Hello, I want to run transparent proxy on fbsd 4.5. I am running only
squid perfectly, but when I am trying to run the following command it
gives me the error in the second line. Please, someone can help me?
With examples.

    ipfw add fwd 127.0.0.1,8080 tcp from 202.87.109.0/24 to not 202.87.109.0/24

    ipfw: getsockopt(IP_FW_ADD): Protocol not available

From owner-freebsd-ipfw Wed Jun 19 13:29:46 2002
Date: Wed, 19 Jun 2002 15:54:49 -0500 (CDT)
From: Nick Rogness
To: Quddus Ullah Khan
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: transparent proxying
In-Reply-To: <000801c2183b$e488c1a0$866457ca@testing>

On Thu, 20 Jun 2002, Quddus Ullah Khan wrote:

> Hello i want to run transparent proxy on fbsd 4.5 i am running only
> squid perfectly but when i am trying to run following command it give
> me the error in second line plase someone can help me. ? with
> examples.
>
> ipfw add fwd 127.0.0.1,8080 tcp from 202.87.109.0/24 to not
> 202.87.109.0/24
>
> ipfw: getsockopt(IP_FW_ADD): Protocol not available

	You need to add:

	options IPFIREWALL_FORWARD

	to your kernel config file.  Then rebuild, install, and reboot.
Nick Rogness
  -  Don't mind me...I'm just sniffing your packets

From owner-freebsd-ipfw Wed Jun 19 13:35:09 2002
Date: Wed, 19 Jun 2002 16:00:15 -0500 (CDT)
From: Nick Rogness
To: Quddus Ullah Khan
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: transparent proxying

On Wed, 19 Jun 2002, Nick Rogness wrote:

> On Thu, 20 Jun 2002, Quddus Ullah Khan wrote:
>
>> Hello i want to run transparent proxy on fbsd 4.5 i am running only
>> squid perfectly but when i am trying to run following command it give
>> me the error in second line plase someone can help me. ?
>> with examples.
>> ipfw add fwd 127.0.0.1,8080 tcp from 202.87.109.0/24
>> to not 202.87.109.0/24
>> ipfw: getsockopt(IP_FW_ADD): Protocol
>> not available
>
> 	You need to add:
>
> 	options IPFIREWALL_FORWARD
>
> 	to your kernel config file.  Then rebuild, install, and reboot.
	For clarification, rebuild and reinstall your kernel...not your
machine :-)

Nick Rogness
  -  Don't mind me...I'm just sniffing your packets

From owner-freebsd-ipfw Wed Jun 19 18:24:05 2002
Date: Thu, 20 Jun 2002 08:09:03 +0700 (NOVST)
From: Alexey Privalov
To: Quddus Ullah Khan
Cc: freebsd-ipfw@freebsd.org
Subject: Re: transparent proxying
In-Reply-To: <000801c2183b$e488c1a0$866457ca@testing>
Message-ID: <20020620080720.M71749-100000@land3.nsu.ru>

On Thu, 20 Jun 2002, Quddus Ullah Khan wrote:

> Date: Thu, 20 Jun 2002 02:20:59 -0700
> From: Quddus Ullah Khan
> To: freebsd-ipfw@freebsd.org
> Subject: transparent proxying
>
> Hello i want to run transparent proxy on fbsd 4.5 i am running only
> squid perfectly but when i am trying to run following command it give me
> the error in second line plase someone can help me. ? with examples.
>
> ipfw add fwd 127.0.0.1,8080 tcp from 202.87.109.0/24 to not 202.87.109.0/24
>
> ipfw: getsockopt(IP_FW_ADD): Protocol not available
>

you must compile your kernel with IPFIREWALL option (see
/sys/i386/conf/LINT) or load a module (kld_load ipfw.ko)

/Alexey.

From owner-freebsd-ipfw Thu Jun 20 00:14:05 2002
From: "Thierry"
To: freebsd-ipfw@FreeBSD.ORG
Subject: Newbie/Ipfw/picoBSD
Date: Thu, 20 Jun 2002 09:15:42 +0200
Message-ID: <000a01c2182a$4a88af40$0200a8c0@urania>

Hi all,

I have a picoBSD firewall. My web server is on a dmz. The name of my web
server is myname.dyndns.org or 192.168.x.x....

I can browse my web server from the lan (http://192.168.x.x), outside
people can do the same thing, but me, I can't do it from my lan: if I do,
from my lan computer, http://myname.dyndns.org it is not working.
    lan <--> web (dmz)                  OK
    www <--> web (dmz)                  OK
    lan <--> by dyndns <--> web (dmz)   NO OK

I get the same problem when I was using iptables (linux) and I resolve it
with a DNAT rules (prerouting). I don't know the ipfw rules too much, and
I am looking to find solution similar to the iptables.

Thanks a lot.
Thierry

From owner-freebsd-ipfw Fri Jun 21 07:38:28 2002
Date: Fri, 21 Jun 2002 07:38:04 -0700
From: Luigi Rizzo
To: ipfw@freebsd.org
Subject: a bug in divert handling of fragments
Message-ID: <20020621073804.B79754@iguana.icir.org>

Hi,
there is a case with divert/tee of fragmented packets on which I
would like clarifications: in ip_input.c::ip_reass(), a comment says:

#ifdef IPDIVERT
	/*
	 * Transfer firewall instructions to the fragment structure.
	 * Any fragment diverting causes the whole packet to divert.
	 */
	fp->ipq_div_info = *divinfo;
	fp->ipq_div_cookie = *divert_rule;
	*divinfo = 0;
	*divert_rule = 0;
#endif

However, the code as you see above does not check for existing divert
info, and just overrides whatever state was there with info from the
latest incoming fragment. This is in disagreement with the comment,
and almost certainly not what one wants, so I believe this has to be
fixed.
I see two possible alternatives:

#1: only trust divert info for the fragment with offset 0 (i.e. the
    one which should have headers etc.)

#2: keep as good the info from the first incoming fragment with a
    non-zero *divinfo (i.e. one which matched a divert rule).

I would prefer #1 because it is less prone to attacks and easier to
implement, and also because there is a lot more information that the
firewall can use to select the packet.

Comments anyone ?

cheers
luigi

From owner-freebsd-ipfw Fri Jun 21 10:49:03 2002
Date: Fri, 21 Jun 2002 10:49:00 -0700
From: Luigi Rizzo
To: ipfw@FreeBSD.ORG
Subject: do we need IPFIREWALL_FORWARD to be optional ?
Message-ID: <20020621104900.C81994@iguana.icir.org>

I am fixing that part of the netinet/ stack, and I wonder why do we
need to make this optional. Once the global variables holding its
state are removed, all the code reduces to a small set of short blocks
(which are never entered if you do not have fwd rules) scattered in
ip_input.c ip_output.c ip_fw.c and tcp_input.c, and I strongly believe
that the pain and obfuscation of having it conditionally compiled is a
lot worse than the modest code size increase.

Unless there are strong objections, I am going to make it standard.
cheers
luigi

From owner-freebsd-ipfw Fri Jun 21 14:05:30 2002
Date: Fri, 21 Jun 2002 14:05:28 -0700
From: Bill Fumerola
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Subject: Re: do we need IPFIREWALL_FORWARD to be optional ?
Message-ID: <20020621210528.GF75238@elvis.mu.org>
In-Reply-To: <20020621104900.C81994@iguana.icir.org>

On Fri, Jun 21, 2002 at 10:49:00AM -0700, Luigi Rizzo wrote:

> Unless there are strong objections, I am going to make it
> standard.

I agree. kldloading ipfw and using fwd requires that you build a kernel
with IPFIREWALL_FORWARD, which is rather silly.

--
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org
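The three behaviours discussed in Luigi's "divert handling of fragments" message above (the current unconditional overwrite, alternative #1 and alternative #2), modelled outside the kernel as an added example; this is not code from ip_input.c or from the thread, and the struct layout, fragment offsets, the divert port 8668 and the rule number are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One incoming fragment after the firewall has looked at it (constructed
 * model, not the kernel's mbuf/ipq structures). off is the fragment offset
 * as carried in ip_off, so off == 0 marks the fragment with the headers. */
struct frag {
	uint16_t off;
	uint16_t divinfo;     /* divert port chosen by the firewall, 0 = none */
	uint16_t divert_rule; /* matching rule number, the "cookie" */
};

/* The two reassembly-queue fields written by the ip_reass() excerpt. */
struct ipq_divert {
	uint16_t ipq_div_info;
	uint16_t ipq_div_cookie;
};

typedef void (*divert_policy)(struct ipq_divert *, const struct frag *);

/* Current code: unconditional overwrite, so the verdict of the last
 * fragment to arrive wins regardless of what earlier fragments matched. */
void divert_overwrite(struct ipq_divert *fp, const struct frag *f)
{
	fp->ipq_div_info = f->divinfo;
	fp->ipq_div_cookie = f->divert_rule;
}

/* Alternative #1: only the fragment at offset 0 carries the transport
 * header the firewall can match on, so only its verdict is recorded. */
void divert_first_fragment(struct ipq_divert *fp, const struct frag *f)
{
	if (f->off != 0)
		return;
	fp->ipq_div_info = f->divinfo;
	fp->ipq_div_cookie = f->divert_rule;
}

/* Alternative #2: keep the first non-zero verdict seen, from any fragment. */
void divert_first_match(struct ipq_divert *fp, const struct frag *f)
{
	if (fp->ipq_div_info != 0 || f->divinfo == 0)
		return;
	fp->ipq_div_info = f->divinfo;
	fp->ipq_div_cookie = f->divert_rule;
}

/* Feed a fragment sequence through one policy and return the divert port
 * the reassembled datagram ends up with (0 = delivered normally). */
uint16_t reassemble_divert(divert_policy policy, const struct frag *frags,
    size_t n)
{
	struct ipq_divert q = { 0, 0 };
	for (size_t i = 0; i < n; i++)
		policy(&q, &frags[i]);
	return q.ipq_div_info;
}

/* Constructed fragment sequences (port and rule numbers are arbitrary). */
/* head fragment matched a divert rule, tail fragment matched nothing */
const struct frag head_matched[] = { { 0, 8668, 100 }, { 185, 0, 0 } };
/* the same two fragments with the tail arriving first */
const struct frag tail_first[]   = { { 185, 0, 0 }, { 0, 8668, 100 } };
/* only a non-first fragment matched a divert rule */
const struct frag tail_matched[] = { { 0, 0, 0 }, { 185, 8668, 100 } };

int main(void)
{
	const struct { const char *name; divert_policy p; } policies[] = {
		{ "overwrite (current)", divert_overwrite },
		{ "#1 first fragment", divert_first_fragment },
		{ "#2 first match", divert_first_match },
	};
	for (size_t i = 0; i < 3; i++)
		printf("%-22s head_matched=%u tail_first=%u tail_matched=%u\n",
		    policies[i].name,
		    (unsigned)reassemble_divert(policies[i].p, head_matched, 2),
		    (unsigned)reassemble_divert(policies[i].p, tail_first, 2),
		    (unsigned)reassemble_divert(policies[i].p, tail_matched, 2));
	return 0;
}
```

With the current overwrite, the head_matched sequence loses its divert verdict entirely (the non-matching tail fragment wipes it), which is the disagreement with the comment that the message points out; #1 and #2 differ only on the tail_matched sequence.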