From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 27 11:02:43 2004
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 27 Dec 2004 11:02:42 GMT
Message-Id: <200412271102.iBRB2gUf030872@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw  ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154  ipfw  ipfw core (crash)
o [2004/03/03] kern/63724  ipfw  IPFW2 Queues dont t work
f [2004/03/25] kern/64694  ipfw  [ipfw] UID/GID matching in ipfw non-funct
o [2004/11/13] kern/73910  ipfw  [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw  ipfw2/1 conflict not detected or reported
7 problems total.

Non-critical problems
S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159  ipfw  ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172  ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw  [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749   ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw  [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw  ipfw: Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw  ipfw: install_state warning about already
o [2004/09/04] kern/71366  ipfw  "ipfw fwd" sometimes rewrites destination
9 problems total.
From: Ganbold
To: freebsd-ipfw@freebsd.org
Date: Tue, 28 Dec 2004 10:28:18 +0800
Message-Id: <6.2.0.14.2.20041228101826.03400250@202.179.0.80>
Subject: ipfw Traffic statistic by countries, TLD and sites

Hi,

I'm using ipfw in bridged mode on FreeBSD 5.3:

FreeBSD fw.ub.mng.net 5.3-STABLE FreeBSD 5.3-STABLE #10: Fri Nov 19 09:18:17 ULAT 2004 tsgan@fw.ub.mng.net:/usr/obj/usr/src/sys/FW i386

I would like to collect statistics from the traffic which passes through ipfw, and make a report which should include usage statistics by countries, TLD, sites etc. In other words I would like to make customers' Internet usage statistics by the IPs they accessed. Is it possible? How can I accomplish that? Do any tools and methods exist? Or should I post my question to the freebsd-isp mailing list?

thanks in advance,

Ganbold

Date: Tue, 28 Dec 2004 10:01:23 -0800
From: Brooks Davis
To: Yudi
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20041228180123.GA26192@odin.ac.hmc.edu>
In-Reply-To: <20041225084255.49089.qmail@web21326.mail.yahoo.com>
Subject: Re: bandwitdh is not limited

On Sat, Dec 25, 2004 at 12:42:55AM -0800, Yudi wrote:
> I'm a student who's doing a final project about QoS in IPv6.
> Finally, I can use dummynet by changing FreeBSD 4.9 to FreeBSD 5.3 for limiting my local bandwidth.
> But I'm confused that the bandwidth is not limited. I know that by using ethereal and some streaming video.
> The syntax is OK, here it is:
>
> # ipfw add pipe 1 ipv6 from any to any
> # ipfw pipe 1 config bw 10kbit/s
> # ipfw show
> 00100 0 0 pipe 1 ipv6 from any to any
> 65535 0 0 allow ip from any to any

The IPv6 keyword is only supported due to a feature of the parsing code that treats it as "ip". If you need IPv6 support, please apply the patch at:

http://people.freebsd.org/~brooks/patches/ipfw6.diff

I think it will apply to 5.3 with only minimal pain, but it was generated against 6.x. If you use 6.x, please make sure to remove WITNESS from your kernel config as that caused an 80% performance hit in one case in our lab.

Please report any results.

-- Brooks

-- 
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

Date: Tue, 28 Dec 2004 10:02:25 -0800
From: Brooks Davis
To: Yudi
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20041228180225.GB26192@odin.ac.hmc.edu>
In-Reply-To: <20041225103959.45800.qmail@web21321.mail.yahoo.com>
Subject: Re: dummynet for ipv6

On Sat, Dec 25, 2004 at 02:39:58AM -0800, Yudi wrote:
> I'm sorry, this is an addition to the previous email.
> I wonder, does ipfw/dummynet support IPv6?

IPv6 is not supported in 5.3's ipfw.

-- Brooks

-- 
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4
From: "David Schwartz"
Reply-To: davids@webmaster.com
Date: Wed, 29 Dec 2004 00:20:04 -0800
Subject: PATCH: AGAIN, Add creation time to dynamic firewall rules

I submitted this email and patch about a month ago. I received a few "this is a good idea" type replies. I'd like to see it committed to current.

David Schwartz

> FreeBSD/ipfw2 currently keeps the expiration time for dynamic firewall
> rules (obviously), but it does not track the creation time. The attached
> patch keeps the creation time and adds a flag to 'ipfw' to show the time
> since creation instead of the time until expiration.
>
> This is useful for two reasons. First, knowing how long a connection has
> been around gives you an idea of how stable it is. Second, the packet/byte
> counters are not as meaningful without knowing what time period they
> cover -- with both the counters and the time frame, you can estimate the
> bandwidth consumption of the connection.
>
> The cost is four bytes of memory per dynamic firewall rule.
> This is both > consumed kernel memory for the dynamic rule table and cost of copying out > the rules when they're requested. In addition, retrieving the dynamic > firewall rules requries an extra computation to relativize the time (as is > done for expiration time now). Even for a large firewall with, say, 10,000 > states, this is still a minimal amount of memory (40Kb). > > This patch is tested and is offered under the FreeBSD > license. I would like > to see it included in the distribution. The patch is against 5_STABLE, and > the versions of the various files patched are in the patch headers. The > patch has been tested. > > Note that both copies of ip_fw.h must be patched. > > David Schwartz > > > -- > > > --- ip_fw.h 1.89.2.2 2004/10/03 17:04:40 > +++ ip_fw.h Fri Nov 26 18:51:15 2004 > @@ -353,6 +353,7 @@ struct _ipfw_dyn_rule { > u_int64_t bcnt; /* byte match counter */ > struct ipfw_flow_id id; /* (masked) flow id */ > u_int32_t expire; /* expire time */ > + u_int32_t created; /* creation time */ > u_int32_t bucket; /* which bucket in hash table */ > u_int32_t state; /* state of this rule (typically a > * combination of TCP flags) > > --- ip_fw2.c 1.54.2.3 2004/09/17 14:49:08 > +++ ip_fw2.c Fri Nov 26 18:56:41 2004 > @@ -1037,6 +1037,7 @@ add_dyn_rule(struct ipfw_flow_id *id, u_ > > r->id = *id; > r->expire = time_second + dyn_syn_lifetime; > + r->created = time_second; > r->rule = rule; > r->dyn_type = dyn_type; > r->pcnt = r->bcnt = 0; > @@ -3089,6 +3090,9 @@ ipfw_getrules(struct ip_fw_chain *chain, > dst->expire = > TIME_LEQ(dst->expire, > time_second) ? > 0 : dst->expire - > time_second ; > + dst->created = > + TIME_LEQ(time_second, > dst->created) ? > + 0 : time_second - > dst->created; > bp += sizeof(ipfw_dyn_rule); > } > } > > --- ipfw.8 1.150.2.4 2004/11/08 19:07:03 > +++ ipfw.8 Fri Nov 26 18:59:20 2004 
> @@ -13,7 +13,7 @@ > .Cm add > .Ar rule > .Nm > -.Op Fl acdefnNStT > +.Op Fl acCdefnNStT > .Brq Cm list | show > .Op Ar rule | first-last ... > .Nm > @@ -223,6 +223,10 @@ Implies > When entering or showing rules, print them in compact form, > i.e., without the optional "ip from any to any" string > when this does not carry any additional information. > +.It Fl C > +When viewing dynamic firewall rules, print the number of > +seconds since the rule was created rather than the number > +of seconds until the rule expires. > .It Fl d > While listing, show dynamic rules in addition to static ones. > .It Fl e > > > --- ipfw2.c 1.54.2.3 2004/09/17 14:49:08 > +++ ipfw2.c Fri Nov 26 18:57:04 2004 > @@ -67,6 +67,7 @@ int > show_sets, /* display rule sets */ > test_only, /* only check syntax */ > comment_only, /* only print action and comment */ > + show_created, /* show creation time */ > verbose; > > #define IP_MASK_ALL 0xffffffff > @@ -1367,7 +1368,8 @@ show_dyn_ipfw(ipfw_dyn_rule *d, int pcwi > if (pcwidth>0 || bcwidth>0) > printf(" %*llu %*llu (%ds)", pcwidth, > align_uint64(&d->pcnt), bcwidth, > - align_uint64(&d->bcnt), d->expire); > + align_uint64(&d->bcnt), > + show_created ? d->created : d->expire); > switch (d->dyn_type) { > case O_LIMIT_PARENT: > printf(" PARENT %d", d->count); > @@ -3843,7 +3845,7 @@ ipfw_main(int oldac, char **oldav) > save_av = av; > > optind = optreset = 0; > - while ((ch = getopt(ac, av, "abcdefhnNqs:STtv")) != -1) > + while ((ch = getopt(ac, av, "abcCdefhnNqs:STtv")) != -1) > switch (ch) { > case 'a': > do_acct = 1; 
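Review bot: in the ip_fw.h hunk the new `created` member is inserted between `expire` and `bucket` in `struct _ipfw_dyn_rule`, which moves `bucket`, `state` and every member after them, and this is the structure `ipfw_getrules` copies out to userland (`bp += sizeof(ipfw_dyn_rule)`) and `show_dyn_ipfw` reads back, so an `ipfw` binary built against the old header will misread a patched kernel's dynamic rules and vice versa. Appending the field at the end of the structure would keep the existing offsets; failing that, the kernel/userland ABI break should be stated in the commit message rather than only implied by the remark that both copies of ip_fw.h must be patched.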
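Review bot: in the `add_dyn_rule` hunk, `r->created = time_second;` assigns a time_t to a `u_int32_t`, so on platforms where `time_second` is 64 bits wide (the sparc question raised in this thread) the value is silently truncated. That is harmless while the only consumer is the `time_second - dst->created` difference in `ipfw_getrules`, which is correct for ages below 2^31 seconds if `TIME_LEQ` is the wraparound-safe comparison its existing use for `expire` already assumes, but an explicit `(u_int32_t)` cast and a comment saying the field holds a truncated `time_second` would make the intent reviewable instead of relying on the same implicit behaviour as `r->expire = time_second + dyn_syn_lifetime;`.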
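Review bot: after the `ipfw_getrules` hunk the copied-out `created` holds a relative age in seconds while the in-kernel field holds an absolute `time_second`, exactly as `expire` does, yet the header comment added in ip_fw.h says only `/* creation time */`. State there that the exported value is seconds since creation, otherwise a reader of ipfw2.c will take `d->created` for a timestamp; the clamp `TIME_LEQ(time_second, dst->created) ? 0 : time_second - dst->created` itself is the right mirror of the `expire` clamp above it.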
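Review bot: in the `show_dyn_ipfw` hunk the format string ` (%ds)` is left unchanged when `show_created` is set, so the `-C` listing and the default listing are byte-for-byte indistinguishable and a script or log reader cannot tell an age from a time-to-expire. Print a distinct marker in the `-C` case, for example `(%ds old)`, or emit both numbers when `-C` is given, so the meaning of the column is carried in the output rather than in the caller's memory of which flags were used.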
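Review bot: in the `ipfw_main` hunk the letter `C` is added to the `getopt` string `"abcCdefhnNqs:STtv"`, but nothing in the diff touches the usage text `ipfw` prints on an unknown option; if ipfw2.c carries such a usage or help string listing the option letters (the man page synopsis `.Op Fl acCdefnNStT` was updated for this), it should gain `C` too so that `-C` is discoverable from the tool itself and not only from ipfw.8.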
> @@ -3906,7 +3908,9 @@ ipfw_main(int oldac, char **oldav) > case 'v': /* verbose */ > verbose = 1; > break; > - > + case 'C': /* created time */ > + show_created = 1; > + break; > default: > free_args(save_ac, save_av); > return 1; >

Date: Wed, 29 Dec 2004 08:30:47 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: David Schwartz
Cc: freebsd-ipfw@freebsd.org
Subject: Re: PATCH: AGAIN, Add creation time to dynamic firewall rules

On Wed, 29 Dec 2004, David Schwartz wrote:
>
> I submitted this email and patch about a month ago. I received a few "this
> is a good idea" type replies. I'd like to see it committed to current.
....
> > --- ip_fw.h 1.89.2.2 2004/10/03 17:04:40 > > +++ ip_fw.h Fri Nov 26 18:51:15 2004
> > @@ -353,6 +353,7 @@ struct _ipfw_dyn_rule { > > u_int64_t bcnt; /* byte match counter */ > > struct ipfw_flow_id id; /* (masked) flow id */ > > u_int32_t expire; /* expire time */ > > + u_int32_t created; /* creation time */ > > u_int32_t bucket; /* which bucket in hash table */ > > u_int32_t state; /* state of this rule (typically a

*hmm* on sparc times are already 64bit. Does that matter?

-- 
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT

Message-ID: <008901c4ed9e$44478510$6401a8c0@GRANT>
From: "Grant Peel"
Date: Wed, 29 Dec 2004 07:02:25 -0500
Subject: New IPFW Setup.

Good morning all,

Apologies for sending to both lists, I am hoping to root out the IPFW gurus!

Hope everyone had a Merry Christmas....

I have recently activated ipfw on 5 of my production servers. All servers are Apache, Exim or Sendmail, MySQL, vm-pop3d, ProFTPD enabled. All servers have multiple domains and UNIX users, though, by default, we do not supply shell accounts.

Here is the ruleset I currently use on all the servers. I would like nothing more than to tighten them up a bit, if possible, considering the environment they are used in (Internet).

Please feel free to browse and send me any comments, critiques you may have on the ruleset below.

00010 allow ip from any to any via lo0
00020 allow ip from any to any via fxp1 # LAN access ... Is behind a managed switch, VLAN setup.
00030 check-state
00040 allow tcp from N.N.N.N to me 22 keep-state setup # Allow me in via ssh ... I hope!
00050 allow ip from any to 192.168.0.6 # An nfs mount
00060 allow ip from 192.168.0.6 to any
00070 allow icmp from any to any icmptype 0,3,4,8,11,12
00100 allow ip from any to any keep-state out
00110 allow tcp from any to any 20,21 keep-state setup
00120 allow tcp from any to any 25,110 keep-state setup
00130 allow tcp from any to any 53 keep-state setup
00140 allow udp from any to any 53 keep-state
00150 allow tcp from any to any 80,110,443 keep-state setup
00160 allow tcp from any to any 10000,20000 keep-state setup # Webmin and Usermin.
00170 allow tcp from any to any 1024-65534 in setup # ftp ports. Seems to negate a lot of the firewall ???
65534 deny log ip from any to any
65535 deny ip from any to any

Of special concern to me is line 170 ... added to allow ftp. Any ideas here?

-Grant

Message-Id: <6.2.0.14.2.20041229071517.034c7830@mail.rfnj.org>
Date: Wed, 29 Dec 2004 07:33:23 -0500
To: Grant Peel
From: asym
In-Reply-To: <008901c4ed9e$44478510$6401a8c0@GRANT>
Subject: Re: New IPFW Setup.

At 07:02 12/29/2004, Grant Peel wrote:
[snip]
> 00170 allow tcp from any to any 1024-65534 in setup # ftp ports. Seems
> to negate a lot of the firewall ???
>
> Of special concern to me is line 170 ... added to allow ftp. Any ideas here?

You have two options here if you really need FTP, more otherwise.

1. Configure your FTP server to only listen on a limited port range such as 5000-5100. Keep in mind you don't need a lot of ports -- in fact you only need enough to cover the maximum number of connections you allow simultaneously from a single host. Clients with different IP addresses can connect to the same port, or at least, they should be able to in a reasonable ftpd. I haven't tested any ftpds to see if this is the case; if it isn't in your ftpd of choice, then you want enough ports for the total number of simultaneous connections you allow.

2. Use natd, which supports ipfw "punch through." This will punch holes in your ipfw rules, adding things like "allow tcp from a.b.c.d to w.x.y.z port" for the duration of the ftp data session, and remove them when the connection dies. Read the natd page for more information on this.

3. Force your ftpd to use passive mode. This will cause it to not work for clients behind firewalls that aren't ftp protocol aware.

#1 is the generally implemented option and is fairly secure.

If you don't really need ftp, and I hope you don't, there are many other ways to share files on a machine that are more firewall friendly.

1. http GET for downloads, http POST for uploads, htaccess for user/passwords, etc. Apache can pretty much replace any ftp server without too much work involved, though there is a limit to how much data can be posted.

2. scp/sftp. These use ssh to copy files. They are significantly slower than ftp due to the encryption overhead, but they only require the ssh port to be open.

3. samba. Only 1-2 ports required, no passwd entries needed as with scp/sftp, and no file size limits as with http. Any Windows client will be able to natively access the machine, provided the client ports are not blocked, which many ISPs do these days. Other systems can use samba, smbfs, etc.

4. cvs. Better than samba, though it'll take a while to set up, there's no reason you can't use cvs as a fileserver. Only requires one port, has access controls built in, and the versioning/rollback features may be useful to you depending on your needs.

5. nfs and a whole host of other options that I don't have the time or energy to get into.

If you insist on using ftp itself, do yourself a favor and use something like proftpd unless you like screwing around with pam and/or having ftp-only users in your passwd file, with the associated folderol that goes along with this. I mention proftpd because it's what I use when I need a for-real ftp server. It's in ports.
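An added example, not part of the thread or of any FreeBSD code: a small Python audit of the ruleset Grant posted, which flags inbound `allow` rules that open more than a handful of destination ports (rule 170's `1024-65534` range opens 64511 TCP ports to every host on the Internet, and the `allow ip` rules for the NFS host and fxp1 open everything) and prints the narrower pair of settings asym's option 1 amounts to. The ruleset lines are copied from Grant's message; the 5000-5100 range, the ProFTPD `PassivePorts` directive and the replacement rule text are this example's own choices, and the parser only understands the subset of ipfw syntax those lines use.

```python
"""Audit an ipfw ruleset (lines as ``ipfw list`` prints them) for over-broad
inbound allows.  Added example; the sample ruleset is the one posted in the
thread and the parser covers only the syntax those rules use."""
import re
from dataclasses import dataclass, field

# Destination port spec as ipfw prints it: "22", "20,21", "1024-65534"
PORTSPEC = re.compile(r"^\d+(-\d+)?(,\d+(-\d+)?)*$")


@dataclass
class Rule:
    number: int
    action: str
    proto: str = ""
    src: str = ""
    dst: str = ""
    dst_ports: list = field(default_factory=list)  # [(lo, hi), ...]
    opts: list = field(default_factory=list)       # keep-state, setup, in, via fxp1 ...
    comment: str = ""


def parse_ports(spec):
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def parse_rule(line):
    """Parse one rule line: number, action, [log], proto from src [ports] to dst [ports] opts."""
    body, _, comment = line.partition("#")
    toks = body.split()
    rule = Rule(int(toks.pop(0)), toks.pop(0), comment=comment.strip())
    if rule.action == "check-state":
        return rule
    if toks[0] == "log":                    # "deny log ip from any to any"
        toks.pop(0)
    rule.proto = toks.pop(0)
    if toks.pop(0) != "from":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    rule.src = toks.pop(0)
    if toks[0] != "to":                     # optional source port spec; not needed here
        toks.pop(0)
    if toks.pop(0) != "to":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    rule.dst = toks.pop(0)
    if toks and PORTSPEC.match(toks[0]):
        rule.dst_ports = parse_ports(toks.pop(0))
    rule.opts = toks
    return rule


def exposed_ports(rule):
    """How many destination ports the rule opens; 65536 when it names none."""
    if not rule.dst_ports:
        return 65536
    return sum(hi - lo + 1 for lo, hi in rule.dst_ports)


def audit(lines, max_ports=64):
    """(number, proto, port count) for inbound-capable allow rules that open
    more than max_ports destination ports.  Outbound-only and loopback rules,
    denies and non-port protocols (icmp) are skipped."""
    findings = []
    for rule in (parse_rule(l) for l in lines if l.strip()):
        if rule.action != "allow" or "out" in rule.opts:
            continue
        if "via" in rule.opts and rule.opts[rule.opts.index("via") + 1] == "lo0":
            continue
        if rule.proto not in ("ip", "tcp", "udp"):
            continue
        n = exposed_ports(rule)
        if n > max_ports:
            findings.append((rule.number, rule.proto, n))
    return findings


def passive_replacement(lo=5000, hi=5100):
    """Pin the ftpd's passive data ports and open only that range (this
    example's own choice of range, rule wording and ProFTPD directive)."""
    ipfw_rule = f"allow tcp from any to me {lo}-{hi} in setup keep-state"
    proftpd_directive = f"PassivePorts {lo} {hi}"
    return ipfw_rule, proftpd_directive


# Grant's ruleset, copied from the message above.
SAMPLE_RULES = """\
00010 allow ip from any to any via lo0
00020 allow ip from any to any via fxp1 # LAN access ... Is behind a managed switch, VLAN setup.
00030 check-state
00040 allow tcp from N.N.N.N to me 22 keep-state setup # Allow me in via ssh ... I hope!
00050 allow ip from any to 192.168.0.6 # An nfs mount
00060 allow ip from 192.168.0.6 to any
00070 allow icmp from any to any icmptype 0,3,4,8,11,12
00100 allow ip from any to any keep-state out
00110 allow tcp from any to any 20,21 keep-state setup
00120 allow tcp from any to any 25,110 keep-state setup
00130 allow tcp from any to any 53 keep-state setup
00140 allow udp from any to any 53 keep-state
00150 allow tcp from any to any 80,110,443 keep-state setup
00160 allow tcp from any to any 10000,20000 keep-state setup # Webmin and Usermin.
00170 allow tcp from any to any 1024-65534 in setup # ftp ports. Seems to negate alot of the firewall ???
65534 deny log ip from any to any
65535 deny ip from any to any
""".splitlines()

if __name__ == "__main__":
    for number, proto, n in audit(SAMPLE_RULES):
        print(f"rule {number:05d}: {proto} allow opens {n} destination ports inbound")
    rule, directive = passive_replacement()
    print("replace 00170 with:", rule)
    print("and in proftpd.conf:", directive)
```

Run it against the output of `ipfw list` (comments stripped) on a box of your own; anything it reports with 65536 is an `allow` with no port restriction and is worth a second look even when the source is a trusted LAN address.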
From: "David Schwartz"
Reply-To: davids@webmaster.com
Date: Wed, 29 Dec 2004 12:55:53 -0800
Subject: RE: PATCH: AGAIN, Add creation time to dynamic firewall rules

> > I submitted this email and patch about a month ago. I received a few "this
> > is a good idea" type replies. I'd like to see it committed to current.
> ....
> > > --- ip_fw.h 1.89.2.2 2004/10/03 17:04:40 > > > +++ ip_fw.h Fri Nov 26 18:51:15 2004
> > > @@ -353,6 +353,7 @@ struct _ipfw_dyn_rule { > > > u_int64_t bcnt; /* byte match counter */ > > > struct ipfw_flow_id id; /* (masked) flow id */ > > > u_int32_t expire; /* expire time */ > > > + u_int32_t created; /* creation time */ > > > u_int32_t bucket; /* which bucket in hash table */ > > > u_int32_t state; /* state of this rule (typically a
>
> *hmm* on sparc times are already 64bit. Does that matter?
>
> --
> Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT

The creation time logic is a clone of the expire time logic with suitable alterations for times in the past instead of the future. An unsigned 32-bit integer seems to be enough for seconds in the past or future and this is the form the ipfw code uses.

DS
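The bandwidth estimate David's patch description motivates, as an added example rather than code from the patch or from the ipfw tree: it parses dynamic-rule lines in the layout `show_dyn_ipfw` prints (rule number, packet and byte counters, a parenthesised seconds value, `STATE`/`LIMIT`/`PARENT n`, protocol, then `src sport <-> dst dport`) and divides bytes by age. The seconds value is an age only when the listing came from the patched `ipfw -dC`; from a stock `ipfw -d` it is the time until expiry and the quotient means nothing, so the functions take the age explicitly and refuse a zero. The same per-state byte counts summed by destination address are the raw material for the per-IP usage figures Ganbold asked about earlier in this digest. The sample lines are constructed and the exact column spacing is assumed.

```python
"""Per-flow rate and per-destination byte totals from ``ipfw -dC show`` output.

Added example; the sample lines below are constructed, and the line layout
(rule, pcnt, bcnt, "(Ns)", STATE|LIMIT|PARENT n, proto, src sport <-> dst dport)
follows show_dyn_ipfw in ipfw2.c with the column spacing assumed.
"""
import re
from collections import defaultdict

DYN_LINE = re.compile(
    r"^(?P<rule>\d{5})\s+(?P<pcnt>\d+)\s+(?P<bcnt>\d+)\s+\((?P<secs>\d+)s\)\s+"
    r"(?P<kind>STATE|LIMIT|PARENT \d+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s*$"
)


def parse_dyn_line(line):
    """Dict for one dynamic-rule line, or None for headers and other output."""
    m = DYN_LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("rule", "pcnt", "bcnt", "secs", "sport", "dport"):
        d[key] = int(d[key])
    return d


def rate_bps(bcnt, age_s):
    """Average bits per second over the state's lifetime.

    None when the age is zero: the state was created this second, or the
    caller fed a stock ``ipfw -d`` listing whose number is time-to-expire.
    """
    if age_s <= 0:
        return None
    return bcnt * 8 / age_s


def flow_rates(text, min_age=1):
    """{flow: bits/s}, highest first, skipping states younger than min_age."""
    rates = {}
    for line in text.splitlines():
        d = parse_dyn_line(line)
        if d is None or d["secs"] < min_age:
            continue
        bps = rate_bps(d["bcnt"], d["secs"])
        if bps is None:
            continue
        flow = f"{d['proto']} {d['src']}:{d['sport']} <-> {d['dst']}:{d['dport']}"
        rates[flow] = bps
    return dict(sorted(rates.items(), key=lambda kv: kv[1], reverse=True))


def bytes_by_dst(text):
    """Sum bcnt per destination address: per-IP raw data for usage reports."""
    totals = defaultdict(int)
    for line in text.splitlines():
        d = parse_dyn_line(line)
        if d is not None:
            totals[d["dst"]] += d["bcnt"]
    return dict(totals)


# Constructed sample in the show_dyn_ipfw layout, as listed with -dC (ages).
SAMPLE = """\
## Dynamic rules (3):
00100 1523 1843210 (287s) STATE tcp 192.168.1.10 51234 <-> 203.0.113.5 80
00100 42 3150 (0s) STATE udp 192.168.1.11 40000 <-> 198.51.100.7 53
00160 980 131072000 (1024s) STATE tcp 192.168.1.12 33000 <-> 203.0.113.9 443
"""

if __name__ == "__main__":
    for flow, bps in flow_rates(SAMPLE).items():
        print(f"{bps / 1000:10.1f} kbit/s  {flow}")
    for dst, total in bytes_by_dst(SAMPLE).items():
        print(f"{total:>12d} bytes -> {dst}")
```

Because the byte counter covers the whole lifetime of the state, the figure is a lifetime average, not a current rate; sampling `ipfw -dC show` twice and differencing counters and ages gives the rate over the sampling interval instead.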