From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 17 23:12:24 2005
Date: Sun, 17 Jul 2005 19:12:22 -0400 (EDT)
From: Francisco Reyes
To: freebsd-ipfw@freebsd.org
Message-ID: <20050717190755.Q13035@zoraida.natserv.net>
Subject: Trying to understand dynamic rules

Learning about dynamic rules today. In particular I would like to know if there is a way to filter out connections based on repeated connections...

Basically I keep track of attempts to connect to the SSH port. For any IP that tries to connect using a non-existing user numerous times, I run a script and blackhole the IP.

What I would like is for IPFW to see numerous attempts to connect to SSH from the same IP and automatically create a rule to not allow that IP to connect at all to my machine. Is this possible?
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 18 06:34:58 2005
Date: Mon, 18 Jul 2005 06:34:56 +0000
From: Walery Kokarev
To: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
In-Reply-To: <20050716095353.B86993@xorpc.icir.org>
References: <001c01c58a17$5dbe4a40$0100000a@R3B> <200507161740.38234.max@love2party.net> <20050716095353.B86993@xorpc.icir.org>
Subject: Re: Traffic quota features in IPFW

And why can't one use divert(4) interface? It looks quite suitable for that particular task.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 18 06:36:48 2005
Date: Sun, 17 Jul 2005 23:36:48 -0700
From: Luigi Rizzo
To: Walery Kokarev
Cc: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Message-ID: <20050717233648.A10929@xorpc.icir.org>
References: <001c01c58a17$5dbe4a40$0100000a@R3B> <200507161740.38234.max@love2party.net> <20050716095353.B86993@xorpc.icir.org>
Subject: Re: Traffic quota features in IPFW

On Mon, Jul 18, 2005 at 06:34:56AM +0000, Walery Kokarev wrote:
> And why can't one use divert(4) interface? It looks quite suitable for
> that particular task.

No, _that_ would really be a performance killer!
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 18 07:06:54 2005
Date: Mon, 18 Jul 2005 00:06:51 -0700
From: Julian Elischer
To: Luigi Rizzo
Cc: freebsd-ipfw@freebsd.org, Walery Kokarev, freebsd-net@freebsd.org
Message-ID: <42DB550B.9070603@elischer.org>
In-Reply-To: <20050717233648.A10929@xorpc.icir.org>
Subject: Re: Traffic quota features in IPFW

Luigi Rizzo wrote:
> On Mon, Jul 18, 2005 at 06:34:56AM +0000, Walery Kokarev wrote:
>
>> And why can't one use divert(4) interface? It looks quite suitable for
>> that particular task.
>
> no _that_ would really be a performance killer!
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

Unless you divert to a netgraph socket within the kernel :-)
(or use the new ipfw netgraph diversion facility)

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 18 09:09:01 2005
Date: Mon, 18 Jul 2005 02:09:00 -0700
From: Luigi Rizzo
To: freebsd-ipfw@freebsd.org
Message-ID: <20050718020900.D13026@xorpc.icir.org>
In-Reply-To: <200507131557.j6DFvrSY024295@lurza.secnetix.de>
Subject: Re: "or" blocks in IPFW2
On Wed, Jul 13, 2005 at 05:57:53PM +0200, Oliver Fromme wrote:
> Hi,
...
> # ipfw add allow tcp from any to any \{ in recv fxp0 or out xmit fxp0 \}
> 04400 allow tcp from any to any in { recv fxp0 or out } xmit fxp0

Surely the parser is not very robust and should complain :)

This said, the 'or' is a conjunction of individual options, and 'in' is one option and 'recv fxp0' is another one. If you need something different you probably have to write separate rules.

cheers
luigi

> Of course, now the rule does something completely different
> which doesn't even make any sense. Most confusingly, I
> don't get an error message or even a warning from the parser.
>
> Is this a bug in ipfw, or a bug in the manpage, or do I
> just misunderstand things? Do I have to write two separate
> rules?
>
> Thanks in advance!
>
> Best regards
> Oliver
>
> --
> Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
> Any opinions expressed in this message may be personal to the author
> and may not necessarily reflect the opinions of secnetix in any way.
>
> "Unix gives you just enough rope to hang yourself --
> and then a couple of more feet, just to be sure."
> -- Eric Allman

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 18 11:02:19 2005
Date: Mon, 18 Jul 2005 11:02:18 GMT
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Message-Id: <200507181102.j6IB2Irq098186@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2005/05/11] bin/80913   ipfw   /sbin/ipfw2 silently discards MAC addr ar

1 problem total.

Non-critical problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2004/10/29] kern/73276  ipfw   ipfw2 vulnerability (parser error)
o [2005/02/01] kern/76971  ipfw   ipfw antispoof incorrectly blocks broadca
o [2005/05/05] kern/80642  ipfw   [patch] IPFW small patch - new RULE OPTIO
o [2005/06/28] kern/82724  ipfw   Add setnexthop and defaultroute features

4 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 18 11:02:56 2005
Date: Mon, 18 Jul 2005 11:02:54 GMT
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Message-Id: <200507181102.j6IB2sVu098732@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154  ipfw   ipfw core (crash)
o [2004/03/03] kern/63724  ipfw   IPFW2 Queues dont t work
f [2004/03/25] kern/64694  ipfw   [ipfw] UID/GID matching in ipfw non-funct
o [2004/11/13] kern/73910  ipfw   [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw   ipfw2/1 conflict not detected or reported
f [2004/12/25] i386/75483  ipfw   ipfw count does not count

8 problems total.

Non-critical problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw   [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw   ipfw: Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw   ipfw: install_state warning about already
o [2004/09/04] kern/71366  ipfw   "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 18 11:06:24 2005
Date: Mon, 18 Jul 2005 13:06:20 +0200 (CEST)
From: Oliver Fromme
To: freebsd-ipfw@FreeBSD.ORG
Message-Id: <200507181106.j6IB6K8D008172@lurza.secnetix.de>
In-Reply-To: <20050718020900.D13026@xorpc.icir.org>
Subject: Re: "or" blocks in IPFW2

Luigi Rizzo wrote:
> On Wed, Jul 13, 2005 at 05:57:53PM +0200, Oliver Fromme wrote:
> ...
> > # ipfw add allow tcp from any to any \{ in recv fxp0 or out xmit fxp0 \}
> > 04400 allow tcp from any to any in { recv fxp0 or out } xmit fxp0
>
> surely the parser is not very robust and should complain :)
>
> This said, the 'or' is a conjunction of individual options,
> and 'in' is one option and 'recv fxp0' is another one.

Okay ... So the braces are actually redundant, right? Because the "or" operator has highest priority anyway (except possibly for "not"), and braces cannot be used to change priority.

> if you need something different you probably have to write separate rules.

Thank you very much for the explanation. So I have to write separate rules. (Not a big deal.)

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co KG, Marktplatz 29, 85567 Grafing
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 18 11:21:04 2005
Date: Mon, 18 Jul 2005 13:21:02 +0200 (CEST)
From: Oliver Fromme
To: freebsd-ipfw@FreeBSD.ORG
Message-Id: <200507181121.j6IBL277008546@lurza.secnetix.de>
In-Reply-To: <20050717190755.Q13035@zoraida.natserv.net>
Subject: Re: Trying to understand dynamic rules
Francisco Reyes wrote:
> Basically I keep track of attempts to connect to the SSH port. Any IP that
> tries to connect using a non existing user numerous times I run a script
> and blackhole the IP.

That's probably OK, because the source IP cannot easily be spoofed in that case. But ...

> What I would like was if IPFW would see numerous attempts to connect to
> SSH from the same IP and automatically create a rule to not allow that IP
> to connect at all to my machine. Is this possible?

It's possible, but it's probably _not_ a good idea, because an attacker can easily perform a denial-of-service attack against your machine. For example, he can make several connection attempts to your machine, using -- say -- the IP addresses of your DNS servers as source IPs (or any other address that might be important to you). Then you would blackhole your own DNS servers.

I recommend that you just ignore such attempts. If your filter rules are OK and your ssh configuration is OK (and your passwords are OK, _if_ you allow password authentication), then there's no reason to worry. If any of those are not OK, then fix them first, because blackholing IPs won't save you anyway.

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co KG, Marktplatz 29, 85567 Grafing
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

Passwords are like underwear. You don't share them, you don't hang them on your monitor or under your keyboard, you don't email them, or put them on a web site, and you must change them very often.
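The log-driven blackholing Francisco describes, with the safeguard Oliver's reply argues for, as an added example that is not part of the thread and not either poster's script: it counts sshd "Invalid user" lines per source address (a completed TCP handshake lies behind each one, so the address is not trivially spoofed) and refuses to emit a block for addresses on a protected list such as the host's own resolvers. The log lines, addresses, threshold and ipfw table number are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# sshd records a failed login for an unknown account like this. Only a
# source that completed the TCP handshake reaches this point, unlike a
# bare SYN counted by a firewall.
INVALID_USER = re.compile(
    r"sshd\[\d+\]: Invalid user \S+ from (\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample of auth.log lines (not real traffic).
SAMPLE_LOG = """\
Jul 18 11:02:01 host sshd[812]: Invalid user admin from 203.0.113.7
Jul 18 11:02:03 host sshd[814]: Invalid user oracle from 203.0.113.7
Jul 18 11:02:05 host sshd[816]: Invalid user test from 203.0.113.7
Jul 18 11:02:06 host sshd[818]: Invalid user guest from 198.51.100.53
Jul 18 11:02:07 host sshd[820]: Invalid user guest from 198.51.100.53
Jul 18 11:02:08 host sshd[822]: Invalid user root from 198.51.100.53
Jul 18 11:02:09 host sshd[824]: Accepted publickey for fran from 192.0.2.10
Jul 18 11:02:11 host sshd[826]: Invalid user bob from 192.0.2.44
"""

# Addresses that must never be blackholed whatever the log says: the
# resolvers this host depends on and the local LAN (constructed values).
PROTECTED = [
    ipaddress.ip_network("198.51.100.53/32"),  # primary DNS resolver
    ipaddress.ip_network("198.51.100.54/32"),  # secondary DNS resolver
    ipaddress.ip_network("192.0.2.0/24"),      # local LAN
]


def count_invalid_users(log_text):
    """Return a Counter of 'Invalid user' events keyed by source address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def is_protected(addr, protected=PROTECTED):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in protected)


def select_blackholes(log_text, threshold=3, protected=PROTECTED):
    """Split addresses over the threshold into (to_block, skipped_protected)."""
    to_block, skipped = [], []
    for addr, n in sorted(count_invalid_users(log_text).items()):
        if n < threshold:
            continue
        (skipped if is_protected(addr, protected) else to_block).append(addr)
    return to_block, skipped


def ipfw_commands(addrs, table=1):
    """Render table additions for a blocking script; a single rule such as
    'deny ip from table(1) to me' then covers every entry (table 1 assumed)."""
    return ["ipfw table %d add %s" % (table, a) for a in addrs]


if __name__ == "__main__":
    block, skipped = select_blackholes(SAMPLE_LOG)
    for cmd in ipfw_commands(block):
        print(cmd)
    for a in skipped:
        print("refusing to blackhole protected address", a)
```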
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 18 12:27:07 2005
Date: Mon, 18 Jul 2005 05:27:06 -0700
From: Luigi Rizzo
To: freebsd-ipfw@freebsd.org
Message-ID: <20050718052706.A15796@xorpc.icir.org>
In-Reply-To: <200507181106.j6IB6K8D008172@lurza.secnetix.de>
Subject: Re: "or" blocks in IPFW2

On Mon, Jul 18, 2005 at 01:06:20PM +0200, Oliver Fromme wrote:
> Luigi Rizzo wrote:
> > On Wed, Jul 13, 2005 at 05:57:53PM +0200, Oliver Fromme wrote:
> > ...
> > > # ipfw add allow tcp from any to any \{ in recv fxp0 or out xmit fxp0 \}
> > > 04400 allow tcp from any to any in { recv fxp0 or out } xmit fxp0
> >
> > surely the parser is not very robust and should complain :)
> >
> > This said, the 'or' is a conjunction of individual options,
> > and 'in' is one option and 'recv fxp0' is another one.
>
> Okay ... So the braces are actually redundant, right?

No, braces are absolutely necessary, and the fact that 'or' has priority is just a bug, accidental and contrary to intuition ('and' always has priority over 'or', and in ipfw the 'and' is implicit).

> Because the "or" operator has highest priority anyway
> (except possibly for "not"), and braces cannot be used
> to change priority.

Yes, but once again accidental. If someone decides to implement proper expression evaluation we do need the braces.

cheers
luigi

> > if you need something different you probably have to write separate rules.
>
> Thank you very much for the explanation. So I have to
> write separate rules. (Not a big deal.)
>
> Best regards
> Oliver
>
> --
> Oliver Fromme, secnetix GmbH & Co KG, Marktplatz 29, 85567 Grafing
> Any opinions expressed in this message may be personal to the author
> and may not necessarily reflect the opinions of secnetix in any way.
>
> One Unix to rule them all, One Resolver to find them,
> One IP to bring them all and in the zone to bind them.
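A model of the option grouping Luigi describes, added here as an illustration and not ipfw's own parser: terms outside braces are implicitly ANDed and an or-block matches when any single option inside it matches. It evaluates the block as Oliver typed it (read the way Luigi describes, every option an alternative), the form ipfw printed back, and Luigi's two separate rules against constructed packets; the packet fields and the simplification that an inbound packet has no xmit interface yet are assumptions.

```python
# Options modelled, each with the number of arguments it consumes (the subset
# of the ipfw option vocabulary that appears in this thread).
KEYWORDS = {"in": 0, "out": 0, "recv": 1, "xmit": 1, "via": 1}


def parse_options(text):
    """Split ipfw option text into terms.

    A term is an option string ('in', 'recv fxp0') or, for a { a or b } block,
    a list of such strings.  Shell escapes such as a backslash before a brace
    are stripped first.
    """
    toks = text.replace("\\", "").replace("{", " { ").replace("}", " } ").split()
    terms, block, i = [], None, 0
    while i < len(toks):
        tok = toks[i]
        if tok == "{":
            block = []
        elif tok == "}":
            terms.append(block)
            block = None
        elif tok == "or":
            pass  # only separates alternatives inside a block
        elif tok in KEYWORDS:
            nargs = KEYWORDS[tok]
            opt = " ".join(toks[i:i + 1 + nargs])
            (block if block is not None else terms).append(opt)
            i += nargs
        else:
            raise ValueError("unknown option: " + tok)
        i += 1
    return terms


def option_matches(opt, pkt):
    """Evaluate one option against a packet.

    pkt is a dict with 'dir' ('in'/'out'), 'recv' (interface the packet
    arrived on, None when locally generated) and 'xmit' (interface it will
    leave on, None while still on the input path).
    """
    words = opt.split()
    if words[0] in ("in", "out"):
        return pkt["dir"] == words[0]
    if words[0] == "recv":
        return pkt["recv"] == words[1]
    if words[0] == "xmit":
        return pkt["xmit"] == words[1]
    return words[1] in (pkt["recv"], pkt["xmit"])  # via


def rule_matches(options, pkt):
    """Terms outside braces are implicitly ANDed; an or-block needs any one."""
    for term in parse_options(options):
        if isinstance(term, list):
            if not any(option_matches(o, pkt) for o in term):
                return False
        elif not option_matches(term, pkt):
            return False
    return True


def ruleset_matches(rules, pkt):
    """Two rules with the same action: matching either one is enough."""
    return any(rule_matches(r, pkt) for r in rules)


def intended(pkt):
    """What Oliver meant: (in and recv fxp0) or (out and xmit fxp0)."""
    return (pkt["dir"] == "in" and pkt["recv"] == "fxp0") or \
           (pkt["dir"] == "out" and pkt["xmit"] == "fxp0")


# The three forms from the thread.
AS_TYPED = "\\{ in recv fxp0 or out xmit fxp0 \\}"   # what Oliver wrote
AS_PRINTED = "in { recv fxp0 or out } xmit fxp0"      # what ipfw showed back
SEPARATE = ["in recv fxp0", "out xmit fxp0"]          # Luigi's suggestion

# Constructed packets.
PACKETS = {
    "inbound on fxp0":  {"dir": "in",  "recv": "fxp0", "xmit": None},
    "outbound on fxp0": {"dir": "out", "recv": None,   "xmit": "fxp0"},
    "outbound on fxp1": {"dir": "out", "recv": None,   "xmit": "fxp1"},
}

if __name__ == "__main__":
    fmt = "%-17s %-8s %-8s %-8s %s"
    print(fmt % ("packet", "intended", "as-typed", "printed", "separate"))
    for name, pkt in PACKETS.items():
        print(fmt % (name, intended(pkt), rule_matches(AS_TYPED, pkt),
                     rule_matches(AS_PRINTED, pkt), ruleset_matches(SEPARATE, pkt)))
```

The printed form matches no packet at all (an inbound packet has no xmit interface, an outbound one is not "in"), the block as typed matches every packet, and only the two separate rules reproduce the intent.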
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 18 12:51:59 2005
Date: Mon, 18 Jul 2005 15:47:52 +0300
From: vladone
To: freebsd-ipfw@freebsd.org
Message-ID: <838237221.20050718154752@spaingsm.com>
Subject: prevent Dos with ipfw and limit options

Hi! I don't have experience with ipfw. My question is about DoS. How can I prevent this type of attack or flood with ipfw and limit options?
From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 19 09:56:16 2005
Date: Tue, 19 Jul 2005 11:56:07 +0200
From: Lasaro Camargos
To: freebsd-ipfw@freebsd.org
Subject: Interception/Injection.

Hi all,

I've been playing with interception and re-injection of diverted packets but I am having some problems. The biggest is that I am not really using FreeBSD, but OSX. But I guess the problems are general enough to be answered here. If not, please ignore this message.

The situation is the following: as I didn't find any multicast router for OSX I was obliged to implement one. So I am diverting multicast packets from one interface to the other. Specifically, I divert incoming packets to a program that reinserts them back in the stack to be received by the router, and inserts a copy of each as outgoing on the other interface (I don't know why, but tee seems not to work). I am aware of possible security implications of this "solution", but it is going to be used in a very restricted environment.

By using two instances of my code I am able to forward multicast packets between two networks, and that is good. BUT, when the router/forwarder machine (RFM) also sends/receives multicast packets, I find some problems: a multicast packet sent by RFM is diverted but, after being reinserted, both the original incoming and the forced outgoing packets simply vanish. If the packet is not diverted, RFM receives it, but (of course) not the machines in the network to where the packets should be forwarded.

My code and more details of my environment are attached at the bottom. Any comment/pointer is really welcome.

Thank you all
Lasaro.

-------------------
/* **********
This is a program that I use to forward multicast packets on OSX (should work on other BSDs). It will forward any packet diverted (teed) to the raw sockets it listens on, though.

To use it, create a rule in ipfw to divert packets like this:

>> ipfw add divert 5000 from 192.168.0.0/24 to 239.0.0.0/8 recv en0

This rule will divert any multicast packet coming from the network 192.168.0.0/24 entering through the iface en0 (see 1) for multicast addresses in the range 239.0.0.0 - 239.255.255.255 to port 5000. If the router should also receive the packet, use tee instead of divert (see 2). Remember that a teed packet will be immediately accepted by ipfw. If you don't want this, you'll have to work on your rules (see 3).

diverter 5000 192.168.1.1
# running like this, diverter will forward diverted packets to the network connected to the interface with address 192.168.1.1

Someday I will add the code to add the rule into ipfw from inside this program.

Open issues (and possible solutions):

i) loops in the routing.
   By now, specify both network and interface from where the packet is coming. The last example gets rid of loops. (1)

ii) loopback delivery
   Have to setsockopt( , MULTICAST_LOOP , 0 ,); or something like that.

iii) sending multicast on two interfaces from the router.
   ipfw add tee 5000 from IP_MULTICAST_INTERFACE to 239.0.0.0/8 out
   diverter 5000 THE_OTHER_INTERFACE

iv) tee not working
   See next.

v) security problem with tee
   Use divert in the rule and define __TEE__ to duplicate the packet inside this code. (3)

Running example:

On the router
   en0: 192.168.0.9/24
   en1: 192.168.1.9/24

   sudo ipfw add 9 skipto 11 udp from me to 230.2.3.10 recv en0
   sudo ipfw add 10 divert 10000 udp from 192.168.0.0/24 to 230.2.3.10 recv en0
   sudo ipfw add 11 skipto 13 udp from me to 230.2.3.10 recv en1
   sudo ipfw add 12 divert 10001 udp from 192.168.1.0/24 to 230.2.3.10 recv en1

   ipfw list
   00009 skipto 11 udp from me to 230.2.3.10 recv en0
   00010 divert 10000 udp from 192.168.0.0/24 to 230.2.3.10 recv en0
   00011 skipto 13 udp from me to 230.2.3.10 recv en1
   00012 divert 10001 udp from 192.168.1.0/24 to 230.2.3.10 recv en1
   65535 allow ip from any to any

Everything is running, except that packets from itself are not forwarded to net 192.168.1.0/24. This is, of course, because of rule 9. But if I remove this rule, diverted packets are received neither by the router nor in the net 192.168.1.0/24. The packets are being reinserted but not delivered by the application. I can't identify where the packet is being lost. Any idea of which log file I should look at?
*/ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #define __DEBUG__ #define __TEE__ #define __IP_MULTICAST__ #define BUFSIZE 65535 int main(int argc, char ** argv) { int sock_fd, data_len, ret, i; struct sockaddr_in bindPort, sin; int sinlen = sizeof(struct sockaddr_in); unsigned char packet[BUFSIZE]; struct ip *hdr; struct in_addr out_iface; if (argc != 3) { fprintf(stderr, "This is a packet forwarder.\nAdd an \"in\" divert (or tee) rule to ipfw to port .\nPackets diverted will be outbounded on interface . CAUTION!! Remember that by now \"tee\"d packets will be imediatelly accepted and that reinjected packets will be processed by the next ipfw rule, not the first.\n Usage: %s \n error: %i\n", argv [0],errno); exit (1); } if(inet_aton(argv[2], &out_iface) != 1) { fprintf(stderr, "%s: wrong IP address param.\n", argv[0]); exit (1); } //Create socket fprintf(stderr, "%s:creating a raw socket\n",argv[0]); sock_fd = socket(AF_INET, SOCK_RAW, IPPROTO_DIVERT); if(sock_fd == -1) { fprintf(stderr, "%s: Unable to open divert socket (%i) \n", argv [0],errno); switch(errno) { case EACCES: fprintf(stderr, "EACCESS\n"); break; case EMFILE: fprintf(stderr, "EMFILE\n"); break; case ENFILE: fprintf(stderr, "ENFILE\n"); break; case ENOBUFS: fprintf(stderr, "ENOBUFFS\n"); break; case EPROTONOSUPPORT: fprintf(stderr, "PROTONOSUPPORT\n"); break; default:break; } exit(1); } //Bind on port fprintf(stderr, "%s: Binding a socket\n",argv[0]); bindPort.sin_family = AF_INET; bindPort.sin_port = atol(argv[1]); bindPort.sin_addr.s_addr=0; if( (ret = bind(sock_fd, (struct sockaddr *)&bindPort, sizeof (struct sockaddr_in))) != 0) { close(sock_fd); fprintf(stderr, "%s:Error executing bind():%s\n", argv [0],strerror(ret)); exit(2); } #ifdef __IP_MULTICAST__ fprintf(stderr, "%s: Setting IP MULTICAST interface to %s\n",argv [0],argv[2]); ret = setsockopt(sock_fd, IPPROTO_IP, 
IP_MULTICAST_IF, &out_iface, sizeof(out_iface)); #ifdef __DEBUG__ if(ret < 0) fprintf(stderr,"%s: set_interface returns %i with errno %i: %s \n", argv[0], ret, errno, strerror(errno)); #endif //__DEBUG__ #endif //__IP_MULTICAST__ /* Wait for packets. */ fprintf(stderr,"\%s:Waiting for data.", argv[0]); while(1) { /* Capture */ data_len = recvfrom(sock_fd, packet, BUFSIZE, 0, (struct sockaddr *)&sin, (socklen_t *)&sinlen); hdr = (struct ip*) packet; #ifdef __DEBUG__ fprintf(stderr,"%s:The packet looks like this:\n\t", argv[0]); for( i = 0; i < data_len; i++) { fprintf(stderr,"%02x ", (int)*(packet+i)); if(!((i+1) %16)) fprintf(stderr,"\n\t"); }; fprintf(stderr,"\n\n\t"); for( i = 28; i < data_len; i++) { fprintf(stderr,"%c", (char)*(packet+i)); if(!((i-28+1) %16)) fprintf(stderr,"\n\t"); }; fprintf(stderr,"\n"); #endif #ifdef __DEBUG__ fprintf(stderr,"%s: Source address %s\n", argv[0], inet_ntoa (hdr->ip_src)); fprintf(stderr,"%s: Destination address %s\n", argv[0], inet_ntoa (hdr->ip_dst)); fprintf(stderr,"%s: Receiving IF address %s\n",argv[0], inet_ntoa (sin.sin_addr)); fprintf(stderr,"%s: Protocol Number %i\n", argv[0], hdr->ip_p); #endif /* Reinjection */ #ifdef __DEBUG__ if(IN_MULTICAST((ntohl(hdr->ip_dst.s_addr)))) { fprintf(stderr,"\%s: Multicast address!\n", argv[0]); } #endif #ifdef __TEE__ //In the case the ipfw do not tee the packet properly. #ifdef __DEBUG__ fprintf(stderr,"%s: Reinjecting diverted packet %i bytes\n", argv [0], data_len); #endif data_len = sendto(sock_fd, packet, data_len, 0, (struct sockaddr *)&sin, sinlen); #ifdef __DEBUG__ fprintf(stderr,"%s: %i bytes reinjected.\n", argv[0], data_len); #endif #endif //__TEE__ //Turn it into an outgoing package. If it already was, it's your mistake. 
sin.sin_addr.s_addr = INADDR_ANY; #ifdef __DEBUG__ fprintf(stderr,"%s: Reinjecting diverted packet %i bytes\n", argv [0], data_len); #endif data_len = sendto(sock_fd, packet, data_len, 0, (struct sockaddr *)&sin, sinlen); #ifdef __DEBUG__ fprintf(stderr,"%s: %i bytes reinjected.\n", argv[0], data_len); #endif #ifdef __DEBUG__ if (data_len <= 0) fprintf(stderr,"%s errno = %i\n", argv[0], errno); switch(errno) { //case EBADRQC: printf("errno = EBADRQC"); break; case ENETUNREACH: fprintf(stderr,"errno = ENETUNREACH"); break; default : break; } #endif } } From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 19 23:05:05 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F1B3516A41F for ; Tue, 19 Jul 2005 23:05:05 +0000 (GMT) (envelope-from lists@natserv.com) Received: from zoraida.natserv.net (p65-147.acedsl.com [66.114.65.147]) by mx1.FreeBSD.org (Postfix) with ESMTP id B206843D45 for ; Tue, 19 Jul 2005 23:05:05 +0000 (GMT) (envelope-from lists@natserv.com) Received: from localhost (localhost.natserv.net [127.0.0.1]) by zoraida.natserv.net (Postfix) with ESMTP id B53587DA8; Tue, 19 Jul 2005 19:05:04 -0400 (EDT) Date: Tue, 19 Jul 2005 19:05:04 -0400 (EDT) From: Francisco Reyes X-X-Sender: fran@zoraida.natserv.net To: olli@lurza.secnetix.de Message-ID: <20050719185445.A47246@zoraida.natserv.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-ipfw@freebsd.org Subject: Re: Trying to understand dynamic rules X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Jul 2005 23:05:06 -0000 Oliver Fromme olli at lurza.secnetix.de wrote: >It's possible, but it's probably _not_ a good idea, because >an attacker can easily perform a 
> denial-of-service attack
> against your machine. For example, he can make several
> connection attempts to your machine, using -- say -- the IP
> addresses of your DNS servers as source IPs

Thanks for the warning. Noted.

What would such a rule look like? Although in this particular scenario I agree with you, I do think it may be a useful rule to know.

Please CC since I am not on the list.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 20 02:45:39 2005
From: Muk Dunkin
Date: Tue, 19 Jul 2005 19:45:37 -0700 (PDT)
To: freebsd-ipfw@freebsd.org
Message-ID: <20050720024538.53894.qmail@web30607.mail.mud.yahoo.com>
Subject: ipfw established option
Hi all,

According to the man page, setting the ipfw established option matches TCP packets that have the RST or ACK bits set. But from looking at the source ip_fw2.c, it only rejects packets with SYN only, but allows packets with NO flag bits set and packets with URG/PSH/FIN.

    /* reject packets which have SYN only */
    /* XXX should i also check for TH_ACK ? */
    match = (proto == IPPROTO_TCP && offset == 0 &&
             (L3HDR(struct tcphdr,ip)->th_flags &
              (TH_RST | TH_ACK | TH_SYN)) != TH_SYN);

Is this a bug, or is that part of the design?

thx
Mukden

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 20 06:52:29 2005
Date: Wed, 20 Jul 2005 09:52:59 +0300
From: vladone
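The `established` check quoted in Mukden's message above, lifted into a stand-alone C program so that every TCP flag combination can be run through it. This is an added example, not code from ip_fw2.c or from anyone in the thread; the `TH_*` bits and the protocol number are the standard values, redefined here so the file builds anywhere.

```c
/* Added example (not from ip_fw2.c or the thread): the "established" check
 * quoted above, in user space, beside what the man page wording describes.
 * Flag bits and the TCP protocol number are the standard <netinet/tcp.h> and
 * <netinet/in.h> values, redefined so this file builds without them. */
#include <stdio.h>
#include <stdint.h>

#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define PROTO_TCP 6

/* The predicate exactly as quoted from ip_fw2.c: TCP, first fragment, and the
 * RST/ACK/SYN subset of the flags is anything other than "SYN alone". */
int ipfw_established_matches(int proto, int offset, uint8_t th_flags)
{
    return proto == PROTO_TCP && offset == 0 &&
           (th_flags & (TH_RST | TH_ACK | TH_SYN)) != TH_SYN;
}

/* What the manual page wording ("RST or ACK bits set") describes. */
int manpage_established_matches(int proto, int offset, uint8_t th_flags)
{
    return proto == PROTO_TCP && offset == 0 &&
           (th_flags & (TH_RST | TH_ACK)) != 0;
}

/* Number of the 64 flag combinations on which the two predicates disagree:
 * exactly the packets the code admits (no RST, no ACK, no SYN) but the man
 * page does not. */
int count_disagreements(void)
{
    int n = 0;
    for (unsigned f = 0; f < 64; f++)
        if (ipfw_established_matches(PROTO_TCP, 0, (uint8_t)f) !=
            manpage_established_matches(PROTO_TCP, 0, (uint8_t)f))
            n++;
    return n;
}

/* Print a flag byte as e.g. "SYN|ACK" ("none" when no bit is set). */
static void print_flags(uint8_t f)
{
    static const struct { uint8_t bit; const char *name; } tab[] = {
        { TH_FIN, "FIN" }, { TH_SYN, "SYN" }, { TH_RST, "RST" },
        { TH_PUSH, "PSH" }, { TH_ACK, "ACK" }, { TH_URG, "URG" },
    };
    int first = 1;
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++) {
        if (f & tab[i].bit) {
            printf("%s%s", first ? "" : "|", tab[i].name);
            first = 0;
        }
    }
    if (first)
        printf("none");
}

int main(void)
{
    /* Only the combinations where the two readings differ are listed. */
    for (unsigned f = 0; f < 64; f++) {
        int code = ipfw_established_matches(PROTO_TCP, 0, (uint8_t)f);
        int man  = manpage_established_matches(PROTO_TCP, 0, (uint8_t)f);
        if (code == man)
            continue;
        printf("code=%d manpage=%d  flags=", code, man);
        print_flags((uint8_t)f);
        printf("\n");
    }
    printf("%d of 64 flag combinations differ\n", count_disagreements());
    return 0;
}
```

The listing is the set Mukden names: no flags at all and any mix of FIN/PSH/URG pass the code's check while a SYN-only packet does not.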
To: freebsd-questions@freebsd.org
Cc: freebsd-ipfw@freebsd.org
Message-ID: <1926993869.20050720095259@spaingsm.com>
Subject: force use proxy server

Hi!
How can I redirect web traffic from my LAN through my proxy server?

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 20 07:03:53 2005
Message-ID: <42DDF755.2070702@outblaze.com>
Date: Wed, 20 Jul 2005 15:03:49 +0800
From: victor
To: vladone
In-Reply-To: <1926993869.20050720095259@spaingsm.com>
Cc: freebsd-ipfw@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: force use proxy server

You might want to try setting up a transparent proxy using Squid (www.squid-cache.org). I found this article using Google; you might find it useful.

http://tomclegg.net/squid-tproxy

Tor.

vladone wrote:
> Hi!
> How can I redirect web traffic from my LAN through my proxy server?
From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 20 11:55:47 2005
From: Bart Silverstrim
Date: Wed, 20 Jul 2005 07:55:37 -0400
To: vladone
Cc: freebsd-ipfw@freebsd.org, freebsd-questions@freebsd.org
In-Reply-To: <1926993869.20050720095259@spaingsm.com>
Message-Id: <784a895b353edd59740dce21594ef2c9@chrononomicon.com>
Subject: Re: force use proxy server

On Jul 20, 2005, at 2:52 AM, vladone wrote:
> Hi!
> How can I redirect web traffic from my LAN through my proxy server?
We set up Squid/SquidGuard, set the machine to forward traffic and created a firewall rule to forward port 80 traffic to the port Squid was listening on, then told the DHCP server to hand out the IP of the Squid server as the gateway address for client machines to use.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 20 12:21:58 2005
From: eculp@bafirst.com
Date: Wed, 20 Jul 2005 07:21:55 -0500
To: freebsd-ipfw@freebsd.org
In-Reply-To: <784a895b353edd59740dce21594ef2c9@chrononomicon.com>
Message-ID: <20050720072155.cv7e9fqckkgko4c4@mail.bafirst.com>
Subject: Re: force use proxy server

Quoting Bart Silverstrim :
> On Jul 20, 2005, at 2:52 AM, vladone wrote:
>
>> Hi!
>> How can I redirect web traffic from my LAN through my proxy server?
>
> We set up Squid/SquidGuard, set the machine to forward traffic and
> created a firewall rule to forward port 80 traffic to the port Squid
> was listening on, then told the DHCP server to hand out the IP of the
> Squid server as the gateway address for client machines to use.

This works fine in pf and is very similar to what you do with ipfw.

http://www.benzedrine.cx/transquid.html

A search on Google should find ipfw-specific code. I haven't used ipfw for a while, but as I remember it was almost the same.

good luck,

ed

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 20 12:22:33 2005
From: "Roger Grosswiler"
Date: Wed, 20 Jul 2005 14:22:29 +0200 (CEST)
To: freebsd-ipfw@freebsd.org
Message-ID: <38301.62.2.21.164.1121862149.squirrel@www.gwch.net>
Subject: Most wanted packet filter

Hi,

I would like to know which "firewall" is most wanted under FreeBSD. Is it ipfw or is it ipf?

I imagine both have their advantages, but I would like to try first the most used one because of support - poor rookie, I :-D

Roger

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 20 12:32:13 2005
Message-ID: <42DE4444.7030904@t-hosting.hu>
Date: Wed, 20 Jul 2005 14:32:04 +0200
From: Kövesdán Gábor
To: Roger Grosswiler
In-Reply-To: <38301.62.2.21.164.1121862149.squirrel@www.gwch.net>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Most wanted packet filter

Roger Grosswiler wrote:
> Hi,
>
> I would like to know which "firewall" is most wanted under FreeBSD. Is it
> ipfw or is it ipf?
>
> I imagine both have their advantages, but I would like to try first the
> most used one because of support - poor rookie, I :-D

Don't forget about the third one, called pf. ;)
It's a hard question. What does matter is which of them is best *for you*. As for me, I use ipf and ipfw together. I think ipf is very easy to configure, but ipfw has more sophisticated features; for instance it can be used for bandwidth control via the dummynet facility. As for pf, I don't know it.
Cheers,

Gábor Kövesdán

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 20 12:37:41 2005
From: "Roger Grosswiler"
Date: Wed, 20 Jul 2005 14:37:37 +0200 (CEST)
To: freebsd-ipfw@freebsd.org
Message-ID: <42267.62.2.21.164.1121863057.squirrel@www.gwch.net>
Subject: [Fwd: Re: Most wanted packet filter]

------------------------ Original message -------------------------
Subject: Re: Most wanted packet filter
From: "Roger Grosswiler"
Date: Wed, 20.07.2005, 14:36
To: Kövesdán Gábor
--------------------------------------------------------------------------

> Roger Grosswiler wrote:
>
>> Hi,
>>
>> I would like to know which "firewall" is most wanted under FreeBSD. Is it
>> ipfw or is it ipf?
>>
>> I imagine both have their advantages, but I would like to try first the
>> most used one because of support - poor rookie, I :-D
>
> Don't forget about the third one, called pf. ;)
> It's a hard question. What does matter is which of them is best *for you*.
> As for me, I use ipf and ipfw together. I think ipf is very easy to
> configure, but ipfw has more sophisticated features; for instance it can be
> used for bandwidth control via the dummynet facility. As for pf, I don't
> know it.
>
> Cheers,
>
> Gábor Kövesdán

Thanks Gabor,

I thought so. From what I read, I should prefer ipf. What I also would like to know is whether there is something the FreeBSD world calls "standard"? I mean, the title of this list is freebsd-ipfw ;-)

Roger

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 20 12:45:30 2005
Date: Wed, 20 Jul 2005 14:45:18 +0200
From: Jeremie Le Hen
To: Kövesdán Gábor
Message-ID: <20050720124518.GV39292@obiwan.tataz.chchile.org>
In-Reply-To: <42DE4444.7030904@t-hosting.hu>
Cc: freebsd-ipfw@freebsd.org, Roger Grosswiler
Subject: Re: Most wanted packet filter

Hi Roger, hi Kövesdán,

> > I would like to know which "firewall" is most wanted under FreeBSD. Is it
> > ipfw or is it ipf?
> >
> > I imagine both have their advantages, but I would like to try first the
> > most used one because of support - poor rookie, I :-D
>
> Don't forget about the third one, called pf. ;)
> It's a hard question. What does matter is which of them is best *for
> you*. As for me, I use ipf and ipfw together. I think ipf is very easy to
> configure, but ipfw has more sophisticated features; for instance it can
> be used for bandwidth control via the dummynet facility. As for pf, I
> don't know it.

pf's syntax is derived from ipf's. It has a number of powerful features that don't exist in either ipf or ipfw. By the way, I think (but am not sure about it) that pf's features are now a kind of superset of ipf's. In particular, the ALTQ framework (traffic shaping and scheduling) is tightly bound to pf.

I would say that the main advantage of ipf over the two others is its portability, since it has been ported to numerous platforms, from BSD to AIX, as well as Solaris, Linux and so on. pf only exists on FreeBSD since RELENG_5; FreeBSD 4.x ``only'' has ipf and ipfw.
With ipfw, it is very easy to add or remove rules from the command line, whereas ipf and pf require a configuration file (ipfw is also configurable through a file, of course). Its syntax is felt intuitive by a number of people. This is the only firewall to be bound to Dummynet. It is regularly improved with new features (for instance it is now able to use ALTQ), and a number of other features live in the PR [1].

Regards,

[1] http://www.freebsd.org/cgi/query-pr-summary.cgi
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 20 13:33:59 2005
From: Max Laier
Date: Wed, 20 Jul 2005 15:33:47 +0200
To: freebsd-ipfw@freebsd.org
Cc: Roger Grosswiler
In-Reply-To: <42267.62.2.21.164.1121863057.squirrel@www.gwch.net>
Message-Id: <200507201533.53008.max@love2party.net>
Subject: Re: Most wanted packet filter
On Wednesday 20 July 2005 14:37, Roger Grosswiler wrote:
> > Roger Grosswiler wrote:
> >> Hi,
> >>
> >> I would like to know which "firewall" is most wanted under FreeBSD. Is
> >> it ipfw or is it ipf?
> >>
> >> I imagine both have their advantages, but I would like to try first the
> >> most used one because of support - poor rookie, I :-D
> >
> > Don't forget about the third one, called pf. ;)
> > It's a hard question. What does matter is which of them is best *for
> > you*. As for me, I use ipf and ipfw together. I think ipf is very easy to
> > configure, but ipfw has more sophisticated features; for instance it can
> > be used for bandwidth control via the dummynet facility. As for pf, I
> > don't know it.
> >
> > Cheers,
> >
> > Gábor Kövesdán
>
> Thanks Gabor,
>
> I thought so. From what I read, I should prefer ipf. What I also would like
> to know is whether there is something the FreeBSD world calls "standard"?
> I mean, the title of this list is freebsd-ipfw ;-)

There is a list called freebsd-pf@ as well, where you will find support for pf related questions.

IMO you have to decide a couple of things:

1) Which syntax is the most natural for you? Choices: IPFW vs. IPF/PF

2) What do you want to achieve? Choices: Fast packet pushing with little sanity checking, as usual on an ISP router, vs. a high level of sanity checks while giving up some performance. IPFW provides for the first, PF for the latter. However, both can be configured to provide high performance and both can be configured to provide a high level of sanity checks - this reflects just what is the "natural" configuration for the system.
PF can check some things that IPFW can't, and IPFW can provide pps-rates that PF will not get close to, but those are edge cases you probably don't have to deal with.

Why not IPF?
1) It seems to be broken in RELENG_5, as several people report on freebsd-stable@. There is an issue with SMP/PREEMPTION and no solution seems to be worked on.
2) It's undermaintained (IMO)
3) It doesn't provide any benefit over PF

http://www.openbsd.org/faq/pf/index.html is a really good guide to get started with PF, btw.

IMHO PF is the best firewall system available for protecting networks as the only firewall between clients and the internet.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 20 14:43:24 2005
Message-ID: <42DE6302.20907@quip.cz>
Date: Wed, 20 Jul 2005 16:43:14 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
Windows NT 5.0; en-US; rv:1.7.2) Gecko/20040803 X-Accept-Language: cs, cz, en, en-us MIME-Version: 1.0 To: freebsd-ipfw@freebsd.org References: <38301.62.2.21.164.1121862149.squirrel@www.gwch.net> In-Reply-To: <38301.62.2.21.164.1121862149.squirrel@www.gwch.net> X-Enigmail-Version: 0.85.0.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: Most wanted packet filter X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Jul 2005 14:43:24 -0000 Roger Grosswiler wrote: > Hi, > > i would like to know, which "firewall" is most wanted under freebsd. is it > ipfw or is it ipf? > > i imagine, both have their advantages, but i would like to try first the > most used because of support - poor rookie, i :-D > > Roger > Few years ago I started with IPFW on my home router / development-server (Cable internet connection and about 5 computers in LAN), last year I try IPF on similar setup in our office. Few month ago I try to setup PF on "webhosting server" and I must say "I Love PF" :o) Which one is the best for you depends on your needs not on your skills. All of them have man & HowTos & disccusions all over the internet. 
--
Miroslav Lachman
Web Application Developer

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 20 15:13:30 2005
From: Oliver Fromme
Date: Wed, 20 Jul 2005 17:13:24 +0200 (CEST)
To: freebsd-ipfw@FreeBSD.ORG
Message-Id: <200507201513.j6KFDO4M043525@lurza.secnetix.de>
In-Reply-To: <38301.62.2.21.164.1121862149.squirrel@www.gwch.net>
Subject: Re: Most wanted packet filter

Roger Grosswiler wrote:
> [ipfw vs. ipf vs. pf]

In addition to the other replies, it is worth mentioning that ipf (ipfilter)
does not work reliably on SMP machines under FreeBSD 5.x and 6.x (but 4.x
should be fine), causing random crashes when there is load.

Apparently this isn't going to change soon, because it is a basic
incompatibility between ipf and FreeBSD 5's SMP which cannot easily be fixed.
Therefore I would recommend not using ipf, unless you don't need SMP and
you're sure that you won't need it in the foreseeable future.

Since pf is nearly a superset of ipf with similar syntax and improved
features, I recommend using pf instead. Or ipfw, of course.

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co KG, Marktplatz 29, 85567 Grafing
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"That's what I love about GUIs: They make simple tasks easier,
and complex tasks impossible."
        -- John William Chambless

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 20 17:24:19 2005
From: NetAdmin
Date: Wed, 20 Jul 2005 13:24:13 -0400
To: freebsd-ipfw@freebsd.org
Message-Id: <1121880253.53529.5.camel@foxdaemon.com>
In-Reply-To: <200507201533.53008.max@love2party.net>
Subject: Re: Most wanted packet filter

On Wed, 2005-07-20 at 15:33 +0200, Max Laier wrote:
> On Wednesday 20 July 2005 14:37, Roger Grosswiler wrote:
> > [...]
> > I thought so. What i read, i should prefer ipf. What i also would like to
> > know, whether there is something the freebsd-world calls "standard"? I mean,
> > the title of this list is freebsd-ipfw ;-)
>
> There is a list called freebsd-pf@ as well where you will find support for pf
> related questions.
>
> IMO you have to decide a couple of things:
>
> 1) Which syntax is the most natural for you?
>    Choices: IPFW vs. IPF/PF
>
> 2) What do you want to achieve?
>    Choices: Fast packet pushing with little sanity checks as usual on an ISP
>    router vs. High level of sanity checks while giving up some performance.
>    IPFW provides for the first, PF for the latter. However, both can be
>    configured to provide high performance and both can be configured to provide
>    a high level of sanity checks - this reflects just what is the "natural"
>    configuration for the system. PF can check some things that IPFW can't and
>    IPFW can provide pps-rates that PF will not get close to, but those are edge
>    cases you probably don't have to deal with.
>
> Why not IPF?
> 1) It seems to be broken in RELENG_5 as several people report on
>    freebsd-stable@ There is an issue with SMP/PREEMPTION and no solution seems
>    to be worked on.
> 2) It's undermaintained (IMO)
> 3) It doesn't provide any benefit over PF
>
> http://www.openbsd.org/faq/pf/index.html is a really good guide to get started
> with PF, btw.
>
> IMHO PF is the best firewall system available for protecting networks as the
> only firewall between clients and the internet.

How difficult is it to switch from IPFW2 to PF or use the two in conjunction
with one another, and are there any good URL "how to" sites with that
information?
Regards,
Mark

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 20 21:47:20 2005
From: Jeremie Le Hen
Date: Wed, 20 Jul 2005 23:47:07 +0200
To: NetAdmin
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20050720214706.GY39292@obiwan.tataz.chchile.org>
In-Reply-To: <1121880253.53529.5.camel@foxdaemon.com>
Subject: Re: Most wanted packet filter

Hi Mark,

> How difficult is it to switch from IPFW2 to PF or use the two in
> conjunction with one another and are there any good URL "how to" sites
> with that information?

The syntax is really different, nothing in common. But neither is difficult.

It is possible to use both, but this makes maintainability more complex,
IMO. IIRC the precedence of each firewall depends on the order in which they
registered on PFIL_HOOKS. The trick to force a certain order is to compile
the first one into the kernel and the second one as a module. Please correct
me if I'm wrong.

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 20 22:41:49 2005
From: Muk Dunkin
Date: Wed, 20 Jul 2005 15:41:47 -0700 (PDT)
To: freebsd-ipfw@freebsd.org
Message-ID: <20050720224147.50313.qmail@web30606.mail.mud.yahoo.com>
Subject: net.inet.ip.fw.enable=1

Hi,

Does anyone know what's the reason why
net.inet.ip.fw.enable was set to 1 as the default?
I've tried setting it to 0 and rebooting, and
net.inet.ip.fw.enable was reset to 1. That being so, all
packets will go through the firewall code even if there
are no active firewall rules in place.

Mukden

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 21 01:18:52 2005
From: Abu Khaled
Date: Thu, 21 Jul 2005 04:18:14 +0300
To: Muk Dunkin
In-Reply-To: <20050720224147.50313.qmail@web30606.mail.mud.yahoo.com>
Subject: Re: net.inet.ip.fw.enable=1

On 7/21/05, Muk Dunkin wrote:
> Hi,
>
> Does anyone know what's the reason why
> net.inet.ip.fw.enable was set to 1 as the default?
> I've tried setting it to 0 and reboot,
> net.inet.ip.fw.enable was reset to 1. Being that, all
> packets will go thru the firewall code even if there
> was no active firewall rules in place.
>
> Mukden
>

IPFW might be enabled in /etc/rc.conf; search for the line:

firewall_enable="yes"

If yes then IPFW will always be enabled on (re)boot.

--
Regards.
Abu Khaled

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 21 01:32:07 2005
From: Bill Fumerola
Date: Wed, 20 Jul 2005 18:32:06 -0700
To: Muk Dunkin
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20050721013206.GQ10302@elvis.mu.org>
In-Reply-To: <20050720224147.50313.qmail@web30606.mail.mud.yahoo.com>
Subject: Re: net.inet.ip.fw.enable=1

On Wed, Jul 20, 2005 at 03:41:47PM -0700, Muk Dunkin wrote:
> Does anyone know what's the reason why
> net.inet.ip.fw.enable was set to 1 as the default?
> I've tried setting it to 0 and reboot,
> net.inet.ip.fw.enable was reset to 1. Being that, all
> packets will go thru the firewall code even if there
> was no active firewall rules in place.

changes to sysctls are not persistent. of course, you could program
something to record the value on shutdown and restore on boot. that'd be
overkill, look at the firewall_* directives for rc.conf.

regardless, packets will not go very far into the firewall code if no rules
are present. i would seriously doubt you could observe any performance
difference.
--
- bill fumerola / billf@FreeBSD.org

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 21 05:33:18 2005
From: "Roger Grosswiler"
Date: Thu, 21 Jul 2005 07:33:10 +0200 (CEST)
To: "Jeremie Le Hen"
Cc: freebsd-ipfw@freebsd.org
Message-ID: <32481.62.2.21.164.1121923990.squirrel@www.gwch.net>
In-Reply-To: <20050720214706.GY39292@obiwan.tataz.chchile.org>
Subject: Re: Most wanted packet filter

> Hi Mark,
>
>> How difficult is it to switch from IPFW2 to PF or use the two in
>> conjunction with one another and are there any good URL "how to" sites
>> with that information?
>
> The syntax is really different, nothing common. But none is difficult.
>
> It is possible to use both, but this makes maintainability more complex,
> IMO. IIRC the precedence of each firewall depends on the order which
> they registered on PFIL_HOOKS. The trick to force certain order is to
> compile the first one in the kernel and the second on as a module.
> Please correct me if I'm wrong.
>
> Regards,
> --
> Jeremie Le Hen
> < jeremie at le-hen dot org >< ttz at chchile dot org >

So, the most recommended seems to be pf for the moment. I thank you all
very much for your input.

Roger

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 21 15:04:21 2005
From: "Adolfo B. Ferreira"
Date: Thu, 21 Jul 2005 11:57:31 -0300
To: freebsd-ipfw@freebsd.org
Message-Id: <1121957861.1823.57.camel@notebook>
Subject: Firewall

Hi Folks,

I'm sending this e-mail to get suggestions about my firewall. I read about
firewalls in the FreeBSD Handbook and I got suggestions from my friends, but
I would like suggestions from here.
# DEVICE: lo0
add 100 allow ip from any to any via lo0
add 102 deny ip from any to 127.0.0.0/8

# LAN: IN
add 200 divert natd ip from any to any in via rl0

# LAN: DNS
add 300 allow ip from 201.6.255.86 to 201.6.0.100 out via rl0
add 301 allow ip from 201.6.0.100 to 201.6.255.86 in via rl0
add 302 allow udp from 201.6.0.100 to 10.1.1.0/8 in via rl0
add 303 allow udp from 201.6.0.100 to 192.168.0.0/8 in via rl0
add 304 allow udp from 201.6.0.102 to 10.1.1.0/8 in via rl0

# CHECK STATE
add 500 check-state

# LAN: ROOT
add 800 allow tcp from me to any out via rl0 setup keep-state uid root

# LAN: OUT
add 900 skipto 2000 ip from any to any out via rl0 setup keep-state
add 901 skipto 2000 icmp from any to any out via rl0 icmptypes 8
add 902 skipto 2000 udp from any to 201.6.0.100 out via rl0
add 903 skipto 2000 udp from any to 201.6.0.102 out via rl0

# NETCRAFT
add 1000 deny all from 195.92.95.0/32 to any in via rl0

# ICMP: BLOCK PING
add 1100 allow icmp from any to any in via rl0 icmptypes 0
add 1101 prob 0.2 allow icmp from any to 201.6.255.86 in via rl0 icmptypes 8
add 1102 allow icmp from 201.6.255.86 to any out via rl0 icmptypes 0

# LAN: RFC
add 1200 deny all from 192.168.0.0/16 to any in via rl0
add 1220 deny all from 172.16.0.0/12 to any in via rl0
add 1240 deny all from 127.0.0.0/8 to any in via rl0
add 1250 deny all from 0.0.0.0/8 to any in via rl0
add 1260 deny all from 169.254.0.0/16 to any in via rl0
add 1270 deny all from 192.0.2.0/24 to any in via rl0
add 1280 deny all from 204.152.64.0/23 to any in via rl0
add 1290 deny all from 224.0.0.0/3 to any in via rl0

# INTERNET: FRAG
add 1300 deny all from any to any frag in via rl0

# INTERNET: STATE STABLE
add 1400 deny ip from any to any established in via rl0

# INTERNET: SERVICES IN
add 1600 pipe 30 tcp from any to 201.6.255.86 20,21 in via rl0 setup limit src-addr 2
add 1603 pipe 60 tcp from any to 201.6.255.86 80 in via rl0 setup limit src-addr 2

# DENY / LOG
add 1800 deny log all from any to any out via rl0
add 1900 deny log all from any to any in via rl0

# LAN: NAT
add 2000 divert natd ip from any to any out via rl0
add 2001 allow ip from any to any

# BLOCK EVERYTHING ELSE
add 2100 deny log all from any to any

Thanks all,

Adolfo Bravo Ferreira
Network Administrator / Security Analyst / Developer
Sophiex Serviços de Informática
Phone: 11 8135-6090

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 21 20:42:25 2005
From: vladone
Date: Thu, 21 Jul 2005 23:43:03 +0300
To: freebsd-ipfw@freebsd.org
Message-ID: <838171610.20050721234303@spaingsm.com>
Subject: limit tcp with syn flags

Hi!
I want to prevent some denial of service attacks and I am trying to limit
tcp with syn flags, but I don't know exactly how to! Or another solution
that can be useful!
From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 21 21:42:45 2005
From: Alex de Kruijff
Date: Thu, 21 Jul 2005 23:42:42 +0200
To: ipfw@freebsd.org
Message-id: <20050721214242.GA2201@Alex.lan>
Subject: error in man ipfw / divert

Hi,

I was wondering, is man ipfw wrong here?

man ipfw tells: divert port -
    Divert packets that match this rule to the divert(4) socket
    bound to port port. The search terminates.

man divert tells:
    Packets written into a divert socket (using sendto(2)) re-enter the
    packet filter at the rule number following the tag given in the port
    part of the socket address, which is usually already set at the rule
    number that caused the diversion (not the next rule if there are
    several at the same number). If the 'tag' is altered to indicate an
    alternative re-entry point, care should be taken to avoid loops, where
    the same packet is diverted more than once at the same rule.

I think man ipfw should say something like:

    when nothing is listening on the port then the search terminates

    when something is listening on the port then the search continues from
    the same rule.

--
Alex

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 21 22:30:25 2005
From: Luigi Rizzo
Date: Thu, 21 Jul 2005 15:30:16 -0700
To: Alex de Kruijff
Message-ID: <20050721153016.A87676@xorpc.icir.org>
In-Reply-To: <20050721214242.GA2201@Alex.lan>
Cc: ipfw@freebsd.org
Subject: Re: error in man ipfw / divert

On Thu, Jul 21, 2005 at 11:42:42PM +0200, Alex de Kruijff wrote:
> Hi,
>
> I was wondering, is man ipfw wrong here?
>
> man ipfw tells: divert port -
>     Divert packets that match this rule to the divert(4) socket
>     bound to port port. The search terminates.
...
> I think man ipfw should say something like:
>
>     when nothing is listening on the port then the search terminates
>
>     when something is listening on the port then the search continues from
>     the same rule.

as far as ipfw is concerned, the search terminates. it is up to
the userland app to reinject the packet, and it might well not
do so if the packet should be processed differently.
so i believe the ipfw manpage is correct.

if you want to add a reference to the divert manpage feel free to do so,
something like

    for more details on the operation of divert sockets see
    divert(4)

cheers
luigi
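Luigi's point is easiest to see from the userland side of a divert socket, so here is an added example (not code from this thread or from FreeBSD): a minimal divert(4) consumer that receives diverted packets, keeps the kernel-supplied tag in sin_port (the number of the diverting rule) and writes the packet back so ipfw resumes at the following rule, with a helper that refuses re-entry tags that could loop. The port 8668 (natd's default) and the helper names are assumptions; it builds on FreeBSD, and elsewhere only the tag helpers are exercisable.

```c
/* Added example, not code from the thread or from FreeBSD: a minimal
 * divert(4) consumer. It shows Luigi's point from the userland side: once a
 * "divert" rule matches, ipfw's search is over, and the packet only gets
 * back into ipfw if this program writes it back with sendto(2). It builds
 * on FreeBSD; elsewhere IPPROTO_DIVERT is missing, so FreeBSD's value is
 * defined here only so the tag helpers compile and can be exercised. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 258      /* FreeBSD's value (netinet/in.h) */
#endif

/* divert(4): a written packet re-enters ipfw at the rule number following the
 * tag in sin_port, which the kernel sets to the rule that diverted it. A tag
 * below that rule can send the packet through the same divert rule again, so
 * treat only tags at or after the diverting rule as loop-free. Both values
 * are rule numbers in host byte order. */
int reentry_tag_is_safe(uint16_t diverting_rule, uint16_t tag)
{
    return tag >= diverting_rule;
}

/* Build the sockaddr for re-injection. Copying the received sockaddr keeps
 * the direction too: sin_addr is the receiving interface's address for an
 * incoming packet and 0.0.0.0 for an outgoing one. Returns 0, or -1 (errno
 * EINVAL) when the requested tag could loop. */
int make_reinject_addr(const struct sockaddr_in *from, uint16_t tag,
                       struct sockaddr_in *to)
{
    if (!reentry_tag_is_safe(ntohs(from->sin_port), tag)) {
        errno = EINVAL;
        return -1;
    }
    *to = *from;
    to->sin_port = htons(tag);
    return 0;
}

/* Open a divert socket bound to "port", the number used in "divert <port>". */
int open_divert_socket(uint16_t port)
{
    struct sockaddr_in sin;
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);

    if (fd < 0)
        return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Receive one diverted packet and write it back unchanged, with the kernel's
 * own tag, so ipfw resumes at the rule after the one that diverted it. A
 * real filter would inspect or rewrite the packet here, and if it decides
 * not to call sendto() the packet is simply gone: ipfw never resumes. */
int divert_pass_through(int fd)
{
    unsigned char pkt[65535];
    struct sockaddr_in from, to;
    socklen_t fromlen = sizeof from;
    ssize_t n = recvfrom(fd, pkt, sizeof pkt, 0,
                         (struct sockaddr *)&from, &fromlen);

    if (n < 0)
        return -1;
    if (make_reinject_addr(&from, ntohs(from.sin_port), &to) < 0)
        return -1;
    if (sendto(fd, pkt, (size_t)n, 0, (struct sockaddr *)&to, sizeof to) < 0)
        return -1;
    return 0;
}

int main(void)
{
    /* 8668 is an assumed port (natd's default); use the one from your rule. */
    int fd = open_divert_socket(8668);

    if (fd < 0) {
        perror("divert socket");
        return 1;
    }
    for (;;) {
        if (divert_pass_through(fd) < 0 && errno != EINTR)
            perror("divert pass-through");
    }
}
```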
smtp.planet.nl (8.13.3/8.13.3) with ESMTP id j6M024Re003117; Fri, 22 Jul 2005 02:02:04 +0200 (CEST envelope-from akruijff@dds.nl) Received: (from akruijff@localhost) by Alex.lan (8.13.3/8.13.3/Submit) id j6M0237a003116; Fri, 22 Jul 2005 02:02:03 +0200 (CEST envelope-from akruijff@dds.nl) Content-return: prohibited Date: Fri, 22 Jul 2005 02:02:03 +0200 From: Alex de Kruijff In-reply-to: <20050721153016.A87676@xorpc.icir.org> To: Luigi Rizzo Message-id: <20050722000203.GF887@Alex.lan> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7BIT Content-disposition: inline User-Agent: Mutt/1.4.2.1i References: <20050721214242.GA2201@Alex.lan> <20050721153016.A87676@xorpc.icir.org> X-Authentication-warning: Alex.lan: akruijff set sender to akruijff@dds.nl using -f Cc: ipfw@freebsd.org Subject: Re: error in man ipfw / divert X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 22 Jul 2005 00:02:06 -0000 On Thu, Jul 21, 2005 at 03:30:16PM -0700, Luigi Rizzo wrote: > On Thu, Jul 21, 2005 at 11:42:42PM +0200, Alex de Kruijff wrote: > > Hi, > > > > I was wrondering is man ipfw wrong here? > > > > man ipfw tells: divert port - > > Divert packets that match this rule to the divert(4) socket > > bound to port port. The search terminates. > ... > > I think man ipfw should say something like: > > > > when nothing is listening on the port then the search terminates > > > > when something is listening on the port then the search continues from > > the same rule. > > as far as ipfw is concerned, the search terminates. it is up to > the userland app to reinject the packet, and it might well not > do so if the packet should be processed differntly. > so i believe the ipfw manpage is correct. 
> if you want to add a reference to the divert manpage feel free to do so, > something like > > for more details on the operation of divers sockets see > divert(4) > > cheers > luigi Tanks, if you say its correct then i'm happy -- Alex From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 22 01:11:55 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 37EB916A41F for ; Fri, 22 Jul 2005 01:11:55 +0000 (GMT) (envelope-from asstec@matik.com.br) Received: from msrv.matik.com.br (msrv.matik.com.br [200.152.83.14]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7948E43D73 for ; Fri, 22 Jul 2005 01:11:43 +0000 (GMT) (envelope-from asstec@matik.com.br) Received: from [200.152.82.190] (nbr.matik.com.br [200.152.82.190]) by msrv.matik.com.br (8.13.1/8.13.1) with ESMTP id j6M1Bgeg013830 for ; Thu, 21 Jul 2005 22:11:42 -0300 (BRST) (envelope-from asstec@matik.com.br) From: AT Matik To: freebsd-ipfw@freebsd.org Date: Thu, 21 Jul 2005 22:11:28 -0300 User-Agent: KMail/1.8.1 References: <20050721214242.GA2201@Alex.lan> <20050721153016.A87676@xorpc.icir.org> In-Reply-To: <20050721153016.A87676@xorpc.icir.org> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200507212211.30185.asstec@matik.com.br> X-Filter-Version: 1.11a (msrv.matik.com.br) X-Virus-Scanned: ClamAV version 0.83, clamav-milter version 0.83 on msrv.matik.com.br X-Virus-Status: Clean Subject: Re: error in man ipfw / divert X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 22 Jul 2005 01:11:55 -0000 On Thursday 21 July 2005 19:30, Luigi Rizzo wrote: > > as far as ipfw is concerned, the search terminates. 
it is up to > the userland app to reinject the packet, and it might well not > do so if the packet should be processed differntly. may be the thing is not well explained or not well read IMO this divert manpage parts are relevant "Packets are diverted either as they are ``incoming'' or ``outgoing.'' Incoming packets are diverted after reception on an IP interface, whereas outgoing packets are diverted before next hop forwarding." and "The port part of the socket address passed to the sendto(2) contains a tag that should be meaningful to the diversion module. In the case of ipfw(8) the tag is interpreted as the rule number after which rule processing should restart." what means for me that either one (in|out) applies after diverting probably it apllies to the next ipfw rule (but not based on ipfw) so like Luigi said > so i believe the ipfw manpage is correct. I believe this also even if not so good explained in man ipfw, but what concerns ipfw it is correct because it does not depend on ipfw if the package goes through it again but anyway the ipfw manpage BUGS part say it all so if you do not pay attention to natd flags and divert rule numbers and options you may think it does not work, still worse when using more than 2 nics and transparent proxying on the same machine then standard how-to-natd really does not work as you aspect or does not work at all Hans -- Infomatik Internet Technology http://www.matik.com.br A mensagem foi scaneada pelo sistema de e-mail e pode ser considerada segura. 
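The re-entry semantics this thread argues about, as a small model added here (not code from the posters or from FreeBSD): a Python walk of a rule chain in which a divert rule ends ipfw's search, a listener on the port decides whether to write the packet back, and a written-back packet resumes at the first rule numbered above its tag, skipping every rule at the divert rule's own number. The ruleset, the packet, the listeners, the port number 8668 and the default-deny are all constructed for the illustration; the pass limit stands in for the loop that divert(4) warns about.

```python
"""Toy model of how an ipfw rule search interacts with a divert socket.

Added example for the divert thread; not code from the list or from FreeBSD.
It models only what divert(4) and ipfw(8) say: 'divert' ends ipfw's search,
a userland program decides whether to write the packet back, and a
written-back packet re-enters at the first rule numbered above its tag.
Rules, packet and listeners are constructed here.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    number: int
    action: str                          # "allow", "deny", "count" or "divert"
    match: Callable[[Packet], bool]
    port: int = 0                        # divert port, used by "divert" only


# A listener returns the tag to reinject with, or None to keep the packet.
Listener = Callable[[Packet, int], Optional[int]]


def ipfw_search(rules: List[Rule], pkt: Packet,
                tag: Optional[int] = None) -> Tuple[str, Optional[Rule]]:
    """Walk the chain (sorted by number); return (verdict, matching rule).

    For a reinjected packet 'tag' is the rule number from the sendto(2)
    address: every rule numbered <= tag is skipped, so rules that share the
    divert rule's number are skipped as a whole, as divert(4) describes.
    """
    for rule in rules:
        if tag is not None and rule.number <= tag:
            continue
        if not rule.match(pkt):
            continue
        if rule.action == "count":       # count never terminates the search
            continue
        return rule.action, rule
    return "deny", None                  # default rule: deny (constructed choice)


def process(rules: List[Rule], pkt: Packet, listeners: Dict[int, Listener],
            max_passes: int = 8) -> Tuple[str, int]:
    """Run a packet through the chain, handing it to listeners on divert.

    Returns (final verdict, number of diversions). A packet that keeps coming
    back to the same divert rule is the loop divert(4) warns about; the pass
    limit turns it into an error here.
    """
    tag = None
    diverted = 0
    while diverted <= max_passes:
        verdict, rule = ipfw_search(rules, pkt, tag)
        if verdict != "divert":
            return verdict, diverted     # ipfw's search has terminated
        diverted += 1
        listener = listeners.get(rule.port)
        if listener is None:
            return "dropped", diverted   # nobody bound to the port: packet dropped
        tag = listener(pkt, rule.number)
        if tag is None:
            return "consumed", diverted  # app kept the packet (never written back)
    raise RuntimeError("divert loop: packet diverted %d times" % diverted)


# Constructed ruleset: two rules share number 100 to show both are skipped
# once the packet comes back with tag 100.
RULES = [
    Rule(50,  "count",  lambda p: True),
    Rule(100, "divert", lambda p: p.dport == 80, port=8668),
    Rule(100, "deny",   lambda p: p.src.startswith("10.")),
    Rule(200, "allow",  lambda p: p.dport == 80),
    Rule(300, "deny",   lambda p: True),
]


def natd_like(pkt: Packet, rule_number: int) -> Optional[int]:
    """Well-behaved program: reinject with the tag set to the diverting rule."""
    return rule_number


def misbehaving(pkt: Packet, rule_number: int) -> Optional[int]:
    """Reinjects below the divert rule, so the same rule diverts it again."""
    return 10


def demo() -> Dict[str, Tuple[str, int]]:
    pkt = Packet("10.0.0.5", "192.0.2.10", 80)      # constructed packet
    results = {
        "reinjected": process(RULES, pkt, {8668: natd_like}),
        "no_listener": process(RULES, pkt, {}),
        "consumed": process(RULES, pkt, {8668: lambda p, n: None}),
    }
    try:
        process(RULES, pkt, {8668: misbehaving})
    except RuntimeError as e:
        results["loop"] = ("error: " + str(e), -1)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Run stand-alone, the four cases print in order: the natd-like listener sends the packet on to rule 200, an unbound port drops it, a listener that keeps the packet ends the story as far as ipfw is concerned, and a listener that reinjects with a low tag hits the same divert rule until the limit trips. The deny rule that shares number 100 never sees the reinjected packet, which is the "not the next rule if there are several at the same number" detail from divert(4).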
From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 22 02:09:44 2005
From: "fooler"
Date: Fri, 22 Jul 2005 10:09:11 +0800
To: "vladone"
Subject: Re: limit tcp with syn flags
Message-ID: <05ac01c58e62$5a0bd030$42764eca@ilo.skyinet.net>
References: <838171610.20050721234303@spaingsm.com>

----- Original Message -----
From: "vladone"
Sent: Friday, July 22, 2005 4:43 AM
Subject: limit tcp with syn flags

> Hi!
> I want to prevent some denial of service attack and I try to limit tcp
> with syn flags, but I don't know exactly how to!
> Or another solution that can be useful!

check if your tcp syncookie is enabled...

fooler.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 22 16:53:40 2005
From: Jone Jas
Date: Sat, 23 Jul 2005 00:23:32 +0800 (CST)
To: freebsd-ipfw@freebsd.org
Subject: ipfw+dummynet bandwidth control for multi-ip jail
Message-ID: <20050722162332.53720.qmail@web15010.mail.cnb.yahoo.com>

Hi list

I have a jail with 4 ips, say 10.10.1.1-4, the net interface is lnc0.
I would like to use ipfw(8) and dummynet to control the bandwidth of the
jail, also the different ips. I know that only limiting the jail's inbound
and outbound bandwidth is very simple. But for the multi-ip jail, I guess
that I should use the dynamic queue rules of ipfw(8).

My idea is like this: configure the jail's pipe for given bandwidth,
while the 4 ips with 4 queues with different weights. The jail's pipe is
the 4 queues' parent pipe. They share the pipe's bandwidth. The 4
queues can be created using the "mask" option in ipfw(8) rule. Is this
feasible?

I've read the ipfw(8) man page, but found ALMOST nothing about the
jail related configuration. I also googled the Internet, few things
helpful. I am not very familiar with ipfw and dummynet. Any one with any
hints or directions is appreciated!

Thanks!

Jas

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 22 23:43:03 2005
From: Jeremie Le Hen
Date: Sat, 23 Jul 2005 01:42:48 +0200
To: Jone Jas
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw+dummynet bandwidth control for multi-ip jail
Message-ID: <20050722234248.GZ39292@obiwan.tataz.chchile.org>
In-Reply-To: <20050722162332.53720.qmail@web15010.mail.cnb.yahoo.com>

Hi,

> I have a jail with 4 ips, say 10.10.1.1-4, the net interface is lnc0.
> I would like to use ipfw(8) and dummynet to control the bandwidth of the
> jail, also the different ips. I know that only limiting the jail's inbound
> and outbound bandwidth is very simple. But for the multi-ip jail, I guess
> that I should use the dynamic queue rules of ipfw(8).
> My idea is like this: configure the jail's pipe for given bandwidth,
> while the 4 ips with 4 queues with different weights. The jail's pipe is
> the 4 queues' parent pipe. They share the pipe's bandwidth. The 4
> queues can be created using the "mask" option in ipfw(8) rule. Is this
> feasible?
> I've read the ipfw(8) man page, but found ALMOST nothing about the
> jail related configuration. I also googled the Internet, few things
> helpful. I am not very familiar with ipfw and dummynet. Any one with any
> hints or directions is appreciated!

What's wrong with :

%%%
# Upload: one dynamic queue per source address, all sharing pipe 1
ipfw pipe 1 config bw 100Kbit/s
ipfw queue 1 config pipe 1 weight 25 mask src-ip 0xffffffff

# Download: one dynamic queue per destination address, all sharing pipe 2
ipfw pipe 2 config bw 100Kbit/s
ipfw queue 2 config pipe 2 weight 25 mask dst-ip 0xffffffff

ipfw add queue 1 all from any to any xmit lnc0
ipfw add queue 2 all from any to any recv lnc0
%%%

Note that I didn't test this, it comes from my memory.

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 23 09:35:44 2005
From: Jeremie Le Hen
Date: Sat, 23 Jul 2005 11:35:29 +0200
To: Jone Jas
Cc: freebsd ipfw, Jeremie Le Hen
Subject: Re: ?????? Re: ipfw+dummynet bandwidth control for multi-ip jail
Message-ID: <20050723093528.GB39292@obiwan.tataz.chchile.org>
In-Reply-To: <20050723014148.19437.qmail@web15006.mail.cnb.yahoo.com>

Hi,

> I get this from the ipfw(8) man page:
> "whereas when dynamic queues are used, each flow will share the
> parent's pipe bandwidth evenly with other flows generated by the same
> queue".
>
> Can we use different weight for the queues, so that the share is not
> even?

Yes, it is possible indeed, but I think this would require to manually
set each queue since dynamic ones will always have the same parameters.

> And, why not use the jail id (prisonID)? How to use the jail IP?
> I am confused about the mask src-ip/dst-ip. Can you explain it for me?

The example rules I gave you use the IP addresses because you can't
simply use dynamic queues with the prison ID since the "mask" keyword
only supports source and destination IP address (and ports). If you
really want to use prison ID, you will have to manually set each queue
again.

To understand how the "mask" keyword works, try to conceive you are
building a router for multiple /24 subnets. You want to assign a
symmetrical bandwidth of 1 MBits/s to each. In order to be as complete
as possible, let's say we are routing 10 subnets but we only have a
symmetrical 8 MBits/s link :

%%%
# Upload: one dynamic queue per source /24
ipfw pipe 1 config bw 8Mbit/s
ipfw queue 1 config weight 12 pipe 1 mask src-ip 0xffffff00

# Download: one dynamic queue per destination /24
ipfw pipe 2 config bw 8Mbit/s
ipfw queue 2 config weight 12 pipe 2 mask dst-ip 0xffffff00

# fxp0 is the interface on the Internet side, these rules won't work
# if you use them after NAT'ing packets, in which case you should
# use them on the routed subnet's side.
ipfw add queue 1 all from any to any xmit fxp0
ipfw add queue 2 all from any to any recv fxp0
%%%

With the 0xffffff00 mask (corresponding to a /24), only the network
part will be used to identify the queue to use. Which means :
152.17.111.15, 152.17.111.24 and 152.17.111.232 will use the same
dynamic queue. 152.17.112.72, 152.17.112.99 and 152.17.112.187 will
use the same dynamic queue too, but not the same one as above. And so
on.

Note that we use a weight of 12 because this is about 1/8 of 100, thus
each client will be assigned about 1/8 of 8 MBits/s, or in other words :
1 MBits/s.

When all of the 10 subnets will be in use, the pipe will limit the whole
bandwidth to 8 MBits/s, limiting almost equally all subnets.

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 23 19:17:10 2005
From: vladone
Date: Sat, 23 Jul 2005 22:17:15 +0300
To: freebsd-ipfw@freebsd.org
Subject: divert to multiple public's IP
Message-ID: <1287099147.20050723221715@spaingsm.com>

I have assigned from my ISP multiple public IP. How can I nat local ip's
with different public ip's? Local interface is fxp0 and public interface
is rl0.
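Before the thread moves on to NAT, the mask and weight mechanics from Jeremie Le Hen's two replies above, as an added example (not the posters' or FreeBSD's code): it groups addresses the way "mask src-ip" keys dynamic queues, and splits a pipe among the queues that are actually sending in proportion to their weights, which is the WF2Q+ sharing dummynet documents. The /24 hosts and the jail's 10.10.1.1-4 are taken from the thread; the pipe rates, the per-address weights and the 1..100 weight check are constructed here, and the unequal-weight case is the arithmetic of the manually configured queues Jeremie says are needed, not something dynamic queues do.

```python
"""Model of dummynet's 'mask' and 'weight' keywords (added example, see lead-in).

Assumed behaviour, both documented for dummynet: a dynamic queue is keyed by
the address bits that survive the mask, and the queues of a pipe that are
actually sending share its bandwidth in proportion to their weights.
Addresses, pipe rates and weights are constructed for the illustration.
"""
import ipaddress
from typing import Dict, Iterable, List


def flow_key(ip: str, mask: int) -> str:
    """Bits of 'ip' kept by a dummynet address mask; equal keys share one dynamic queue."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(ip)) & mask))


def dynamic_queues(src_ips: Iterable[str], mask: int) -> Dict[str, List[str]]:
    """Group addresses the way 'queue N config ... mask src-ip MASK' creates queues."""
    queues: Dict[str, List[str]] = {}
    for ip in src_ips:
        queues.setdefault(flow_key(ip, mask), []).append(ip)
    return queues


def shares_kbit(pipe_kbit: int, weights: Dict[str, int]) -> Dict[str, float]:
    """Rate each active queue gets: pipe * w / sum(w). Weights are relative (1..100)."""
    for w in weights.values():
        if not 1 <= w <= 100:
            raise ValueError("dummynet weights must be in the range 1..100")
    total = sum(weights.values())
    return {key: pipe_kbit * w / total for key, w in weights.items()}


# Hosts from the /24 example in the thread and the jail's four addresses.
SUBNET_HOSTS = ["152.17.111.15", "152.17.111.24", "152.17.111.232",
                "152.17.112.72", "152.17.112.99", "152.17.112.187"]
JAIL_IPS = ["10.10.1.1", "10.10.1.2", "10.10.1.3", "10.10.1.4"]


def subnet_share(active_subnets: int, pipe_kbit: int = 8000, weight: int = 12) -> float:
    """Per-subnet rate when 'active_subnets' /24s are backlogged on the pipe.

    Dynamic queues all carry the queue's weight, so the absolute value (12 here)
    drops out, and the share of idle subnets goes to the busy ones.
    """
    weights = {"subnet%d" % i: weight for i in range(active_subnets)}  # constructed keys
    return shares_kbit(pipe_kbit, weights)["subnet0"]


def jail_shares(mask: int, pipe_kbit: int = 1000, weight: int = 25) -> Dict[str, float]:
    """Queues the jail's addresses land in under 'mask', and each queue's share."""
    keys = dynamic_queues(JAIL_IPS, mask)
    return shares_kbit(pipe_kbit, {key: weight for key in keys})


if __name__ == "__main__":
    print("per-/24 queues:", dynamic_queues(SUBNET_HOSTS, 0xffffff00))
    print("10 busy subnets:", subnet_share(10), "kbit/s each; 4 busy:", subnet_share(4))
    print("jail, per-address queues:", jail_shares(0xffffffff))
    print("jail, one queue for all four:", jail_shares(0xffffff00))
    # Unequal weights: one statically configured queue per address, as the thread says.
    print("manual weights:", shares_kbit(1000, {"10.10.1.1": 40, "10.10.1.2": 30,
                                                "10.10.1.3": 20, "10.10.1.4": 10}))
```

Two things the thread's prose leaves implicit come out of the numbers: with all ten /24s busy each gets 800 kbit/s rather than the 1 Mbit/s target, because 10 equal weights on an 8 Mbit/s pipe can only give a tenth each, and a host mask of 0xffffffff versus 0xffffff00 is exactly the difference between Jas's "per-IP" and "whole jail" cases.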
From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 23 21:25:06 2005
From: vladone
Date: Sun, 24 Jul 2005 00:25:37 +0300
To: freebsd-ipfw@freebsd.org
Subject: Re[2]: divert to multiple public's IP
Message-ID: <177514506.20050724002537@spaingsm.com>
References: <1287099147.20050723221715@spaingsm.com>

If I understand correctly, with redirect_address I can forward a given
public ip (commonly an alias on the public interface) to an internal ip
(private). I don't know if this is good for what I want. More exactly
description for what I want:

My private network is: 192.168.0.0/24
I have (example) public ip: 1.1.1.1, 1.1.1.6 and 1.1.1.9
I want:
    ip's: 192.168.0.1-20  out (translated) with 1.1.1.1
    ip's: 192.168.0.21-30 out with 1.1.1.6
and so.