From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 29 Jan 2007 11:08:32 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/51274   ipfw   [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/73910   ipfw   [ipfw] serious bug on forwarding of packets after NAT
o kern/74104   ipfw   [ipfw] ipfw2/1 conflict not detected or reported, manp
o conf/78762   ipfw   [ipfw] [patch] /etc/rc.d/ipfw should excecute $firewal
o bin/80913    ipfw   [patch] /sbin/ipfw2 silently discards MAC addr arg wit
o kern/88659   ipfw   [modules] ipfw and ip6fw do not work properly as modul
o kern/93300   ipfw   ipfw pipe lost packets
o kern/95084   ipfw   [ipfw] [patch] IPFW2 ignores "recv/xmit/via any" (IPFW
o kern/97504   ipfw   [ipfw] IPFW Rules bug
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/98831   ipfw   [ipfw] ipfw has UDP hickups
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/103454  ipfw   [ipfw] [patch] add a facility to modify DF bit of the
o kern/106534  ipfw   [ipfw] [panic] ipfw + dummynet

14 problems total.

Non-critical problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159   ipfw   [ipfw] [patch] ipfw dynamic rules lifetime feature
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o bin/50749    ipfw   [ipfw] [patch] ipfw2 incorrectly parses ports and port
o kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
o kern/69963   ipfw   [ipfw] install_state warning about already existing en
o kern/71366   ipfw   [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987   ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/73276   ipfw   [ipfw] [patch] ipfw2 vulnerability (parser error)
o bin/78785    ipfw   [ipfw] [patch] ipfw verbosity locks machine if /etc/rc
o kern/80642   ipfw   [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724   ipfw   [ipfw] [patch] Add setnexthop and defaultroute feature
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o kern/87032   ipfw   [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847   ipfw   [ipfw] ipfw with vlanX as the device
o kern/103328  ipfw   sugestions about ipfw table
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/105330  ipfw   [ipfw] [patch] ipfw (dummynet) does not allow to set q

20 problems total.
From: Dan Casey
To: freebsd-ipfw@freebsd.org
Date: Mon, 29 Jan 2007 11:32:23 -0500
Subject: help converting iptables rule into ipfw

I have a quick script that takes web traffic on one internal IP and redirects it to another internal IP. This is working fine in iptables. Can anyone show me how to recreate this in ipfw?
From: "The Admiral"
To: freebsd-ipfw@freebsd.org
Date: Thu, 1 Feb 2007 16:04:02 -0500
Subject: rc.firewall script not running at system boot

We had a power outage last night and I arrived at work today to find that one of our machines no longer has network access (one of the few machines not on a battery backup unit).

I checked to see what firewall rules were enabled and the only one that was active was to deny all. It seems as though my rc.firewall script wasn't run automatically when the system booted. I rebooted to double check and sure enough the only rule enabled was the deny all rule.

My rc.conf file has the following:

---------------------------------------------------------------
hostname="dev"

ifconfig_em0="inet 192.168.1.120 netmask 255.255.255.0"
ifconfig_vr0="inet 224.87.34.72 netmask 255.255.255.248" #real IP hidden on purpose

defaultrouter="224.87.34.71"

gateway_enable=YES
firewall_enable="YES"              # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
firewall_type="client"             # Firewall type (see /etc/rc.firewall)
---------------------------------------------------------------

My kernel configuration file has the following:

---------------------------------------------------------------
options IPFIREWALL          # required to use ipfw
options IPFIREWALL_FORWARD
options IPDIVERT            # required for natd
options IPFIREWALL_VERBOSE  # Enables logging of packets that pass through IPFW and have the 'log' keyword specified in the rule set.
---------------------------------------------------------------

When I run the rc.firewall script directly (sudo /etc/rc.firewall client) all my rulesets are enabled as they should be; however, the rc.firewall file isn't being executed at system boot, which I'd like to resolve, since it means that the machine will be inaccessible if the machine is rebooted for whatever reason and no one is there to manually execute the firewall script from the console. The strange thing is, the last time I manually rebooted the machine, the script was executed without a problem. The machine hasn't been rebooted for a while though, and a lot of the software has been updated in the meantime, so I'm thinking that may be the cause, but I'm still unsure how to go about fixing this.

Any help is greatly appreciated, thanks.

Mike

From: "The Admiral"
To: freebsd-ipfw@freebsd.org
Date: Thu, 1 Feb 2007 19:11:23 -0500
Subject: Re: rc.firewall script not running at system boot
Hi Dewayne, thanks for the response. I tried enclosing the YES option in quotes, but it didn't make a difference.

Mike

On 2/1/07, Dewayne Geraghty wrote:
>
> Put quotes around gateway_enable="YES"
> Regards, Dewayne.
>
> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of The Admiral
> Sent: Friday, 2 February 2007 8:04 AM
> To: freebsd-ipfw@freebsd.org
> Subject: rc.firewall script not running at system boot
>
> [...]

From: "The Admiral"
To: freebsd-ipfw@freebsd.org
Date: Thu, 1 Feb 2007 20:59:00 -0500
Subject: Re: rc.firewall script not running at system boot
On 2/1/07, Dewayne Geraghty wrote:
>
> Hmm - I have 9 firewalls in different locations and the information that
> you've provided seems OK. Kernel options are OK, rc.conf looks OK. Is there
> a "client" option still in your rc.firewall?
>
> The deny rule is always the last, as it's meant to protect the environment
> in case of rc.firewall not working. Could you try
>
> script /tmp/ipfw.lis /etc/rc.d/ipfw restart
>
> and examine the output, as that is sure to tell you where the hangup is.
> There may be a rule in the rc.firewall that makes it hang/stop (tired
> fingers sometimes leave remnant chars around).
>
> Regards, Dewayne.

I tried executing "/etc/rc.d/ipfw restart" and sure enough, it showed that one of my firewall rules was mistakenly entered as "addpass" while it should've been "add pass". I corrected the typo, but the strange thing is, when I reboot, it still doesn't work! Running the firewall command manually works without error, but it isn't executed at boot. Any other ideas? I was sure that the typo was the problem; unfortunately that's not the case. Oh well, at least it seems I'm getting closer to a solution!

Thanks,
Mike

> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of The Admiral
> Sent: Friday, 2 February 2007 11:11 AM
> To: freebsd-ipfw@freebsd.org
> Subject: Re: rc.firewall script not running at system boot
>
> [...]
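A pre-reboot check for the kind of fused-token mistake Mike found ("addpass" for "add pass"), as an added example that is not part of the thread or of FreeBSD's rc scripts. It assumes rules are written as `${fwcmd} add ...` lines in the style of /etc/rc.firewall; the sample rule set is constructed here, and the action keyword list is a hand-picked subset of ipfw actions.

```shell
set -f   # no pathname expansion while splitting rule words

# Constructed sample rule set in the style of the rc.firewall "client" section;
# the third line carries the fused "addpass" typo from the thread.
SAMPLE_RULES='${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} addpass tcp from any to any established
${fwcmd} add 300 set 1 deny log all from any to any
${fwcmd} add check-state'

# write_sample_rules: write the sample to a temp file and print its path.
write_sample_rules() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_RULES" > "$f"
    echo "$f"
}

# lint_ipfw_rules FILE: print one "BAD ..." line per malformed rule.
# Returns 0 when every rule parses, 1 otherwise.
lint_ipfw_rules() {
    file=$1
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac   # blanks and comments
        rest=${line#*'${fwcmd}'}                    # drop the ipfw invocation
        set -- $rest                                # split the rule into words
        if [ "$1" != "add" ]; then
            echo "BAD (expected 'add', got '$1'): $line"; bad=1; continue
        fi
        shift
        case "$1" in [0-9]*) shift ;; esac          # optional rule number
        case "$1" in set) shift 2 ;; esac           # optional "set N"
        case "$1" in prob) shift 2 ;; esac          # optional "prob x"
        case "$1" in
            allow|pass|accept|permit|deny|drop|reject|reset|count|check-state|skipto|fwd|forward|pipe|queue|divert|tee|unreach|netgraph|ngtee) ;;
            *) echo "BAD (unknown action '$1'): $line"; bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# Demo: lint the sample; a non-zero status means fix the file before rebooting.
demo_file=$(write_sample_rules)
if lint_ipfw_rules "$demo_file"; then echo "rules OK"; else echo "fix the lines above"; fi
rm -f "$demo_file"
```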