From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 2 04:40:17 2008
Message-ID: <48437998.1040807@yandex.ru>
Date: Mon, 02 Jun 2008 08:39:52 +0400
From: "Andrey V. Elsukov"
To: rihad@mail.ru
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <484113B4.4010006@mail.ru>
Subject: Re: tablearg q'n

rihad wrote:
> ipfw add pipe tablearg ip from 'table(0)' to 'table(1)'
>
> Which of the two tables will tablearg come from?

Last 'table' argument will be used for tablearg.

> Any way to make the choice explicit?

Patches are welcome =)

-- 
WBR, Andrey V. Elsukov

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 2 11:06:54 2008
Message-Id: <200806021106.m52B6sAY093188@freefall.freebsd.org>
Date: Mon, 2 Jun 2008 11:06:54 GMT
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/51274   ipfw   [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/73910   ipfw   [ipfw] serious bug on forwarding of packets after NAT
o kern/74104   ipfw   [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/88659   ipfw   [modules] ipfw and ip6fw do not work properly as modul
o kern/93300   ipfw   [ipfw] ipfw pipe lost packets
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/97504   ipfw   [ipfw] IPFW Rules bug
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/98831   ipfw   [ipfw] ipfw has UDP hickups
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/106534  ipfw   [ipfw] [panic] ipfw + dummynet
o kern/112708  ipfw   [ipfw] ipfw is seems to be broken to limit number of c
o kern/117234  ipfw   [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o kern/118993  ipfw   [ipfw] page fault - probably it's a locking problem
o conf/123119  ipfw   [patch] rc script for ipfw does not handle IPv6

16 problems total.

Non-critical problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
o kern/69963   ipfw   [ipfw] install_state warning about already existing en
o kern/71366   ipfw   [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987   ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
s kern/80642   ipfw   [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o kern/87032   ipfw   [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847   ipfw   [ipfw] ipfw with vlanX as the device
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/105330  ipfw   [ipfw] [patch] ipfw (dummynet) does not allow to set q
o kern/107305  ipfw   [ipfw] ipfw fwd doesn't seem to work
o kern/111713  ipfw   [dummynet] [request] Too few dummynet queue slots
o kern/112561  ipfw   [ipfw] ipfw fwd does not work with some TCP packets
p kern/113388  ipfw   [ipfw][patch] Addition actions with rules within speci
o docs/113803  ipfw   [patch] ipfw(8) - don't get bitten by the fwd rule
o bin/115172   ipfw   [patch] ipfw(8) list show some rules with a wrong form
p kern/115755  ipfw   [ipfw][patch] unify message and add a rule number wher
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/121382  ipfw   [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip

30 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 2 21:02:15 2008
Message-ID: <1732391433.1036781212439358454.JavaMail.root@cygnus.plymouth.edu>
In-Reply-To: <2079218658.1034491212438588445.JavaMail.root@cygnus.plymouth.edu>
Date: Mon, 2 Jun 2008 16:42:38 -0400 (EDT)
From: Fred Portnoy
To: freebsd-ipfw@freebsd.org
Subject: bridgeing not routing

I'm looking at a packet from a packet capture.

The packet's IP address was sourced within our LAN, destination a server out on the Internet (it is a tcp ack, part of an ongoing session). The packet's mac addresses were sourced from the inside interface of the firewall and destination to our LAN's core router. Our firewall is operating in bridging mode, however, not routing. It has a management IP address on the inside interface, but that's it. No other IP address assigned.

Under what conditions would an ipfw bridging firewall grab hold of an outgoing packet and send it back, substituting its own mac address for the source and the inner LAN router for the destination?

TIA for any insight

Fred Portnoy
Network Analyst
Plymouth State University
"unfettered by edgy modernisms, or classical influences"

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 2 23:30:11 2008
Date: Mon, 2 Jun 2008 16:18:57 -0700
From: "David Schwartz"
Reply-To: davids@webmaster.com
In-Reply-To: <1732391433.1036781212439358454.JavaMail.root@cygnus.plymouth.edu>
Subject: RE: bridgeing not routing

> I'm looking at a packet from a packet capture. The packet's IP
> address was sourced within our LAN, destination a server out on
> the Internet (it is a tcp ack, part of an ongoing session) The
> packet's mac addresses were sourced from the inside interface of
> the firewall and destination to our LAN's core router. Our
> firewall is operating in bridging mode, however, not routing. It
> has a management IP address on the inside interface, but that's
> it. No other IP address assigned.
>
> Under what conditions would an ipfw bridging firewall grab hold
> of an outgoing packet and send it back, substituting its own mac
> address for the source and the inner LAN router for the destination?
>
> TIA for any insight
>
> Fred Portnoy
> Network Analyst
> Plymouth State University

There are probably a few reasons I can't think of, but there are a few obvious ones. First, the machine that sent the packet may have the firewall's management IP set as its default route or as a route to that destination. Second, the machine that sent the packet may have received an ICMP redirect from the firewall. Third, the packet might be maliciously crafted. Fourth, the firewall may have either fragmented or reassembled the packet.

DS

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 4 23:47:33 2008
Message-Id: <2D6927C5-B7C7-454B-83E0-FAD76878356C@fresnochristian.com>
Date: Wed, 4 Jun 2008 16:20:52 -0700
From: David Martens
To: freebsd-ipfw@freebsd.org
Subject: fwd problem

I'm trying to set up a transparent proxy using two machines, the gateway and the proxy. The proxy is 192.168.3.22 and is listening on port 8082. The gateway is 192.168.0.1, subnet is 255.255.252.0 so everything is on the same subnet.

I set the following rules on the gateway:

00100 allow ip from any to any via lo0
00110 deny ip from any to 127.0.0.0/8 via en0
00800 divert 8668 ip from any to any via en0
00850 deny ip from any to any in frag
00990 fwd 192.168.3.22 tcp from 192.168.1.0/24 to any 80

When I get a packet count (ipfw -a list) rule 990 increments when I try to access a web page.

On the proxy box I have the following rules:

00100 allow tcp from 192.168.3.22 to any
00110 fwd 127.0.0.1,8082 tcp from 192.168.0.1/22 to any dst-port 80

rule 110 never receives any forwarded packets. Any ideas what I've done wrong here? The http requests do go out, but are not forwarded through the proxy.

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 5 10:14:26 2008
Message-ID: <4847B603.6080105@sepehrs.com>
Date: Thu, 05 Jun 2008 14:16:43 +0430
From: "H.fazaeli"
To: David Martens
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <2D6927C5-B7C7-454B-83E0-FAD76878356C@fresnochristian.com>
Subject: Re: fwd problem

This is what is happening:

1. Client's packet matches the fwd rule on gateway.
2. Gateway tries to fwd the packet to 192.168.3.2. For this, it should replace the destination mac address with that of the proxy (192.168.3.22).
3. Gateway fails to obtain the proxy mac address, since it is not on the same subnet as the proxy (cannot use arp).
4. fwd rule drops the packet.

FIX: assign a 192.168.3.XXX address to the gateway's interface which the proxy is supposed to be reachable from.

David Martens wrote:
> I'm trying to set up a transparent proxy using two machines, the
> gateway and the proxy. The proxy is 192.168.3.22 and is listening on
> port 8082. The gateway is 192.168.0.1, subnet is 255.255.252.0 so
> everything is on the same subnet.
>
> I set the following rules on the gateway:
>
> 00100 allow ip from any to any via lo0
> 00110 deny ip from any to 127.0.0.0/8 via en0
> 00800 divert 8668 ip from any to any via en0
> 00850 deny ip from any to any in frag
> 00990 fwd 192.168.3.22 tcp from 192.168.1.0/24 to any 80
>
> When I get a packet count (ipfw -a list) rule 990 increments when I
> try to access a web page.
>
> On the proxy box I have the following rules:
>
> 00100 allow tcp from 192.168.3.22 to any
> 00110 fwd 127.0.0.1,8082 tcp from 192.168.0.1/22 to any dst-port 80
>
> rule 110 never receives any forwarded packets. Any ideas what I've
> done wrong here? The http requests do go out, but are not forwarded
> through the proxy.
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

-- 
Best regards.

Hooman Fazaeli
Sepehr S. T. Co. Ltd.

Web: http://www.sepehrs.com
Tel: (9821)88975701-2
Fax: (9821)88983352

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jun 6 12:10:05 2008
Message-Id: <200806061210.m56CA4KL015114@freefall.freebsd.org>
Date: Fri, 6 Jun 2008 12:10:04 GMT
From: Gavin Atkinson
To: freebsd-ipfw@FreeBSD.org
Subject: Re: kern/115755: [ipfw][patch] unify message and add a rule number where limit was reached

The following reply was made to PR kern/115755; it has been noted by GNATS.

From: Gavin Atkinson
To: bug-followup@FreeBSD.org
Subject: Re: kern/115755: [ipfw][patch] unify message and add a rule number where limit was reached
Date: Fri, 06 Jun 2008 13:04:12 +0100

This has not yet been MFC'd to RELENG_6. However, I'm not sure it can be, as it does change the format of a logged message, so may be unsuitable to merge to a STABLE branch. Opinions? Please close if it can't be merged.

Gavin

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jun 6 21:03:28 2008
Message-Id: <5ADDFC1B-9902-46FB-8C0A-AD153E0B3D30@fresnochristian.com>
Date: Fri, 6 Jun 2008 14:03:25 -0700
From: David Martens
To: freebsd-ipfw@freebsd.org
In-Reply-To: <4847B603.6080105@sepehrs.com>
References: <2D6927C5-B7C7-454B-83E0-FAD76878356C@fresnochristian.com> <4847B603.6080105@sepehrs.com>
Subject: Re: fwd problem

I've taken H.Fazaeli's suggestion and moved the proxy to the same class C as the gateway with no change. So now my rule set on the gateway is:

00100 allow ip from any to any via lo0
00110 deny ip from any to 127.0.0.0/8 via en0
00800 divert 8668 ip from any to any via en0
00850 deny ip from any to any in frag
00890 allow ip from any to 192.168.0.2
00990 fwd 192.168.0.2 tcp from 192.168.1.60 to any 80

And on the proxy:

00080 allow tcp from any to any out
00100 fwd 127.0.0.1,8082 tcp from 192.168.1.60 to any dst-port 80

For testing purposes I've set the forward to only a single ip address. Eventually this will be set to the entire /22 subnet. A tcpdump on the LAN interface on the gateway indicates traffic from 192.168.1.60 and the fwd rule increments, but the packets don't make it to the proxy. They are not dropped, the requested web pages load fine in the browser, just no proxy.

On Jun 5, 2008, at 2:46 AM, H.fazaeli wrote:

> This is what is happening:
>
> 1. Client's packet match with fwd rule on gateway.
> 2. gateway tries to fwd packet to 192.168.3.2. For this, it should
> replace destination mac address with that of proxy (192.168.3.22).
> 3. gateway fails to obtain proxy mac address, since it is not on the
> same subnet as proxy (can not use arp).
> 4. fwd rule drops the packet.
>
> FIX: assign a 192.168.3.XXX address to the gateway's interface
> which proxy is supposed to be reachable from.
>
> David Martens wrote:
>> I'm trying to set up a transparent proxy using two machines, the
>> gateway and the proxy. The proxy is 192.168.3.22 and is listening
>> on port 8082. The gateway is 192.168.0.1, subnet is 255.255.252.0
>> so everything is on the same subnet.
>>
>> I set the following rules on the gateway:
>>
>> 00100 allow ip from any to any via lo0
>> 00110 deny ip from any to 127.0.0.0/8 via en0
>> 00800 divert 8668 ip from any to any via en0
>> 00850 deny ip from any to any in frag
>> 00990 fwd 192.168.3.22 tcp from 192.168.1.0/24 to any 80
>>
>> When I get a packet count (ipfw -a list) rule 990 increments when I
>> try to access a web page.
>>
>> On the proxy box I have the following rules:
>>
>> 00100 allow tcp from 192.168.3.22 to any
>> 00110 fwd 127.0.0.1,8082 tcp from 192.168.0.1/22 to any dst-port 80
>>
>> rule 110 never receives any forwarded packets. Any ideas what I've
>> done wrong here? The http requests do go out, but are not forwarded
>> through the proxy.
>
> --
> Best regards.
>
> Hooman Fazaeli
> Sepehr S. T. Co. Ltd.
>
> Web: http://www.sepehrs.com
> Tel: (9821)88975701-2
> Fax: (9821)88983352

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jun 7 03:22:55 2008
Message-ID: <58008.22311.qm@web52510.mail.re2.yahoo.com>
Date: Fri, 6 Jun 2008 19:56:12 -0700 (PDT)
From: Edwin Sanjoto
To: freebsd-ipfw@freebsd.org
Subject: About IPv6 Firewall and Others

Hi All of FreeBSD Experts,

I am a newbie in FreeBSD. I am using FreeBSD 6.3. Sorry for my bad English.

I just want to ask 2 questions:

1. In your opinion, what are the best rules for implementing a firewall in my router which is connected to the internet? Like about the protocol or services blocked? Or which is the best default rule (is it "deny any to any" or "allow any to any")?

2. How to set up a firewall for IPv6 from the beginning? Like, what I must do with the kernel or something else like changing /etc/rc.conf? And how to write the RULES for IPv6? Is it different from IPv4? Do you have an example RULES?

Thank you very much.

Regards,
EDWIN Sanyoto (berlowin@yahoo.com)
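The tablearg question at the top of this archive (`pipe tablearg ip from 'table(0)' to 'table(1)'`, answered with "the last 'table' argument will be used") can be checked with a small model of how ipfw address tables resolve. The following is an added illustration, not code from the thread or from ipfw itself; the table contents and pipe numbers are constructed, and it models only the two behaviours the thread names: longest-prefix lookup per table and tablearg taken from the last table argument in the rule.

```python
import ipaddress

# Constructed sample tables: prefix -> value (here: a dummynet pipe number).
TABLE_0 = {                       # source-address table, 'table(0)'
    "192.168.1.0/24": 10,
    "192.168.1.128/25": 11,       # more specific entry wins on longest-prefix match
    "10.0.0.0/8": 12,
}
TABLE_1 = {                       # destination-address table, 'table(1)'
    "203.0.113.0/24": 20,
    "198.51.100.0/24": 21,
}

# Table arguments in the order they appear in the rule text:
#   pipe tablearg ip from 'table(0)' to 'table(1)'
RULE_TABLES = [(TABLE_0, "from"), (TABLE_1, "to")]


def table_lookup(table, addr):
    """Longest-prefix match of addr against one table.
    Returns (matched, value); value is what tablearg would receive."""
    ip = ipaddress.ip_address(addr)
    best = None                   # (prefix length, value) of the best match so far
    for prefix, value in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, value)
    return (False, None) if best is None else (True, best[1])


def pipe_for(src, dst, rule_tables=RULE_TABLES):
    """Evaluate the rule's table matches for one packet.

    Every table argument must match for the rule to fire at all.  When it does,
    tablearg carries the value of the LAST table argument (per the thread's
    answer), so an earlier table's value is silently overwritten.
    Returns the pipe number, or None when the rule does not match."""
    arg_value = None
    for table, role in rule_tables:
        matched, value = table_lookup(table, src if role == "from" else dst)
        if not matched:
            return None
        arg_value = value         # each table argument replaces the previous value
    return arg_value


if __name__ == "__main__":
    # src matches 192.168.1.128/25 (value 11), dst matches 203.0.113.0/24 (20):
    # the pipe used is 20, from the destination table, not 11.
    print(pipe_for("192.168.1.200", "203.0.113.5"))
    # dst not in table(1): rule does not match.
    print(pipe_for("192.168.1.200", "8.8.8.8"))
    # With only a source table in the rule, the source value is used.
    print(pipe_for("192.168.1.200", "8.8.8.8", [(TABLE_0, "from")]))
```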
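For the "fwd problem" thread above, H.fazaeli's explanation is that a `fwd <next-hop>` rule can only be honoured when the gateway can ARP for the next hop, i.e. when the next hop lies in a directly connected subnet of one of its interfaces. The check below is an added example, not code from the thread or from ipfw: it parses `ipfw list` style rule lines from the thread, extracts each fwd target and reports through which interface address (if any) the target is on-link. Interface addresses and the 192.168.3.1 alias are constructed inputs; the thread's own /22 mask puts 192.168.3.22 on-link, and the check only fails under a /24 reading of the gateway address, which is the case the suggested alias fixes.

```python
import ipaddress

# Rule sets copied from the first "fwd problem" post (constructed test input).
GATEWAY_RULES = """\
00100 allow ip from any to any via lo0
00110 deny ip from any to 127.0.0.0/8 via en0
00800 divert 8668 ip from any to any via en0
00850 deny ip from any to any in frag
00990 fwd 192.168.3.22 tcp from 192.168.1.0/24 to any 80
"""
PROXY_RULES = """\
00100 allow tcp from 192.168.3.22 to any
00110 fwd 127.0.0.1,8082 tcp from 192.168.0.1/22 to any dst-port 80
"""


def onlink_interface(next_hop, interface_addrs):
    """Return the interface address ('a.b.c.d/len') whose directly connected
    subnet contains next_hop, or None when no interface could ARP for it.
    This is the step the thread describes: to honour fwd the gateway must
    rewrite the destination MAC, which needs an ARP-resolvable next hop."""
    nh = ipaddress.ip_address(next_hop)
    for cidr in interface_addrs:
        if nh in ipaddress.ip_interface(cidr).network:
            return cidr
    return None


def check_fwd_rules(rules, interface_addrs):
    """Scan ipfw rule lines and report every fwd target.

    Returns {rule_number: (target, resolution)} where resolution is the
    on-link interface address, None when no interface covers the target, or
    "local" for a loopback target such as 127.0.0.1,8082 (delivered to a local
    socket, so no ARP step is involved)."""
    report = {}
    for line in rules.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "fwd":
            continue
        target = parts[2].split(",")[0]          # drop the optional ",port"
        if ipaddress.ip_address(target).is_loopback:
            report[parts[0]] = (target, "local")
        else:
            report[parts[0]] = (target, onlink_interface(target, interface_addrs))
    return report


if __name__ == "__main__":
    # Gateway address as stated in the thread (255.255.252.0 mask): on-link.
    print(check_fwd_rules(GATEWAY_RULES, ["192.168.0.1/22"]))
    # The same rule under a /24 gateway address: no interface can ARP for it.
    print(check_fwd_rules(GATEWAY_RULES, ["192.168.0.1/24"]))
    # The thread's fix, with a constructed 192.168.3.1/24 alias added.
    print(check_fwd_rules(GATEWAY_RULES, ["192.168.0.1/24", "192.168.3.1/24"]))
    # Proxy side: fwd to loopback needs no next-hop resolution at all.
    print(check_fwd_rules(PROXY_RULES, ["192.168.3.22/22"]))
```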