From owner-freebsd-ipfw Sun Oct 22 1:59:53 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from web9505.mail.yahoo.com (web9505.mail.yahoo.com [216.136.129.135]) by hub.freebsd.org (Postfix) with SMTP id 89ED137B479 for ; Sun, 22 Oct 2000 01:59:48 -0700 (PDT)
Message-ID: <20001022085948.3001.qmail@web9505.mail.yahoo.com>
Received: from [212.115.199.231] by web9505.mail.yahoo.com; Sun, 22 Oct 2000 01:59:48 PDT
Date: Sun, 22 Oct 2000 01:59:48 -0700 (PDT)
From: Marinus Tramper
To: freebsd-ipfw@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

auth 51ec5068 unsubscribe freebsd-ipfw \
mptramper@yahoo.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Mon Oct 23 6:59: 4 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from nexus.newsouth.net (nexus.newsouth.net [64.90.1.66]) by hub.freebsd.org (Postfix) with ESMTP id F0E4537B4C5 for ; Mon, 23 Oct 2000 06:59:01 -0700 (PDT)
Received: from localhost (michael@localhost) by nexus.newsouth.net (8.10.1/8.10.1) with ESMTP id e9NDwsO09674; Mon, 23 Oct 2000 09:58:54 -0400 (EDT)
Date: Mon, 23 Oct 2000 09:58:54 -0400 (EDT)
From: Michael Williams
X-Sender: michael@nexus.newsouth.net
To: "George M. Ellenburg"
Cc: freebsd-ipfw@freebsd.org
Subject: Re: fwmanager / fwmd
In-Reply-To: <00102020520803.10886@archimedes.ellenburg.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, 20 Oct 2000, George M. Ellenburg wrote:

> Has anyone had success in getting 'fwmd', part of the 'fwmanager' project
> from...
> ....compiled on a FreeBSD 4.0-STABLE system?

Nope. I've tried it on 3.4, 4.0 and 4.1 with no luck whatsoever. Everyone else I've talked to about it (I asked the same question on a couple of other lists a few months back) says they haven't gotten it to work, either. It's broken. Emails sent to those who taught the course for which it was written and the authors themselves have gone unanswered.

I gave up on it after a couple of weeks of beating my head against the wall. If you have any luck, though, please share what you learn!

Michael Williams
NewSouth Communications -- IP Security Team
mgwilliams@newsouth.com

From owner-freebsd-ipfw Mon Oct 23 21:30:42 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 0AD7B37B4C5 for ; Mon, 23 Oct 2000 21:30:41 -0700 (PDT)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Mon, 23 Oct 2000 21:29:22 -0700
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id e9O4UbH12535 for freebsd-ipfw@freebsd.org; Mon, 23 Oct 2000 21:30:37 -0700 (PDT) (envelope-from cjc)
Date: Mon, 23 Oct 2000 21:30:37 -0700
From: "Crist J . Clark"
To: freebsd-ipfw@freebsd.org
Subject: sysctl(8) Used?
Message-ID: <20001023213037.P75251@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I wanted to up the lifetime of dynamic rules for UDP "connections." My ISP's DNS servers time out after one minute causing a lot of log spam. No problem, I figured I'd up the lifetime of the dynamic rules to, say, 65 seconds just to be sure.

First off, I had to figure out which sysctl to change since there is no UDP setting. After looking through the source, I found that 'dyn_short_lifetime' was what I wanted to change. So, I did,

  # sysctl -w net.inet.ip.fw.dyn_short_lifetime=65

But then I realized it didn't make any changes. The sysctl values do not seem to be used.

  # sysctl -a | fgrep short
  net.inet.ip.fw.dyn_short_lifetime: 65
  # nslookup www.freebsd.org >& /dev/null & ipfw sh | awk '/^## Dynamic rules:/ { go = 1 } ( go && $5 != "0," ) { print }'
  [1] 12486
  ## Dynamic rules:
  10300 0 0 (T 30, # 165) ty 0 udp, 64.6.211.149 3607 <-> 64.6.204.18 53

Looking again at the code, I can't see exactly why this has no effect. I'm a bit puzzled.

--
Crist J. Clark
cjclark@alum.mit.edu

From owner-freebsd-ipfw Tue Oct 24 17:55:12 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from kanga.honeypot.net (kanga.honeypot.net [216.224.193.50]) by hub.freebsd.org (Postfix) with ESMTP id C403337B479 for ; Tue, 24 Oct 2000 17:55:05 -0700 (PDT)
Received: from pooh.honeypot (mail@pooh.honeypot [10.0.1.2]) by kanga.honeypot.net (8.11.1/8.11.1) with ESMTP id e9P0swF81636 for ; Tue, 24 Oct 2000 19:54:59 -0500 (CDT) (envelope-from kirk@pooh.honeypot.net)
Received: from kirk by pooh.honeypot with local (Exim 3.12 #1 (Debian)) id 13oEqI-0004CX-00 for ; Tue, 24 Oct 2000 19:54:58 -0500
To: freebsd-ipfw@freebsd.org
Subject: Stateful? Non-stateful? I'm lost.
From: Kirk Strauser
Reply-To: kirk@strauser.com
Date: 24 Oct 2000 19:54:58 -0500
Message-ID: <87u2a1zqn1.fsf@pooh.honeypot>
Lines: 58
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I am using ipfw on a FreeBSD 4.1.1-STABLE box. I have written my firewall config in m4, since there are quite a few rules, and since I wanted to minimize the risk of typos. I initially configured my firewall based on the instructions in the handbook. I have m4 macros in the form:

  define(`tcp_outgoing',
  `add $1 allow tcp from $2 to $3 $4 out xmit $5
  add $1 allow tcp from $3 $4 to $2 in recv $5 established')

  define(`tcp_incoming',
  `add $1 allow tcp from $3 to $2 $4 in recv $5
  add $1 allow tcp from $2 $4 to $3 out xmit $5 established')

  define(`udp_outgoing',
  `add $1 allow udp from $2 to $3 $4 out xmit $5
  add $1 allow udp from $3 $4 to $2 in recv $5')

  define(`udp_incoming',
  `add $1 allow udp from $3 to $2 $4 in recv $5
  add $1 allow udp from $2 $4 to $3 out xmit $5')

so that later entries in the form:

  tcp_outgoing(30400, MAIN_LAN, any, ssh, WAN)
  tcp_incoming(40200, PROXY, any, smtp, WAN)

become

  30400 allow tcp from 10.0.1.0/24 to any 22 out xmit ed0
  30400 allow tcp from any 22 to 10.0.1.0/24 in recv ed0 established
  40200 allow tcp from any to 10.0.0.2 25 in recv ed0
  40200 allow tcp from 10.0.0.2 25 to any out xmit ed0 established

This has worked perfectly for roughly the last year, and continues to keep me safe from script kiddies.

Recently I noticed the keep-state and check-state options to ipfw. I've asked around, and made an honest effort to RTFM (which would first require *finding* TFM!), but I just can't figure out exactly what they're supposed to do. My questions are:

1. What do they do?
2. How could I use them to improve my ruleset?
3. Are there any caveats / efficiency tradeoffs from using them?
4. Would they increase security over what I'm already doing?
I'm not a newbie, but I just haven't been able to find the information I need. My only other request is that if you feel that you must answer with "RTFM, darnit!", then please at least tell me where to look for it. I've scoured freebsd.org to the limits of my searching ability and can't find any answers.

Thanks,
--
Kirk Strauser

From owner-freebsd-ipfw Tue Oct 24 18:29:48 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from ICSI.Berkeley.EDU (fruitcake.ICSI.Berkeley.EDU [192.150.186.11]) by hub.freebsd.org (Postfix) with ESMTP id 2D80337B479 for ; Tue, 24 Oct 2000 18:29:46 -0700 (PDT)
Received: from fondue.ICSI.Berkeley.EDU (fondue.ICSI.Berkeley.EDU [192.150.186.19]) by ICSI.Berkeley.EDU (8.9.0/8.9.0) with ESMTP id SAA01631; Tue, 24 Oct 2000 18:29:45 -0700 (PDT)
Received: from localhost (rizzo@localhost) by fondue.ICSI.Berkeley.EDU (8.8.2/1.8) with ESMTP id SAA17321; Tue, 24 Oct 2000 18:29:44 -0700 (PDT)
X-Authentication-Warning: fondue.ICSI.Berkeley.EDU: rizzo owned process doing -bs
Date: Tue, 24 Oct 2000 18:29:44 -0700 (PDT)
From: Luigi Rizzo
To: Kirk Strauser
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Stateful? Non-stateful? I'm lost
In-Reply-To: <87u2a1zqn1.fsf@pooh.honeypot>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi,

> I am using ipfw on a FreeBSD 4.1.1-STABLE box. I have written
...
> exactly what they're supposed to do. My questions are:
>
> 1. What do they do?

they basically install a new rule when a packet matches a given template (typically a rule where not all fields are fully specified). The rule has all fields (IPs, ports and protocol type) specified so it only matches that particular session, and expires when the session is over or has been idle for some time.

I leave to you the answer to the other questions as it really depends on your needs whether you should use them or not. Typically, dynamic rules allow you to keep your firewall closed by default and open it only from the inside when you transmit a SYN packet, and only for the duration of your session. If you want to protect a server, I am not 100% sure that they are as useful (though they are probably useful).

cheers
luigi

----------------------------------+-----------------------------------------
Luigi RIZZO, luigi@iet.unipi.it  . ACIRI/ICSI (on leave from Univ. di Pisa)
http://www.iet.unipi.it/~luigi/  . 1947 Center St, Berkeley CA 94704
                                 . Phone: (501) 666 2947
----------------------------------+-----------------------------------------

From owner-freebsd-ipfw Thu Oct 26 9: 7:21 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 8A61437B4F9; Thu, 26 Oct 2000 09:07:09 -0700 (PDT)
Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.0/8.11.0) id e9QG6tu99580; Thu, 26 Oct 2000 19:06:55 +0300 (EEST) (envelope-from ru)
Date: Thu, 26 Oct 2000 19:06:55 +0300
From: Ruslan Ermilov
To: Harti Brandt
Cc: ipfw@FreeBSD.org
Subject: Re: Bug in ip_fw.c?
Message-ID: <20001026190655.A99210@sunbay.com>
Mail-Followup-To: Harti Brandt , ipfw@FreeBSD.org
References:
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="5vNYLRcllDrimb99"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from brandt@fokus.gmd.de on Thu, Oct 26, 2000 at 04:01:07PM +0200
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

[redirected to freebsd-ipfw]

Certainly, there is a bug.
Please test with attached patch.

On Thu, Oct 26, 2000 at 04:01:07PM +0200, Harti Brandt wrote:
>
> Hi,
>
> I stumbled over an interesting problem: the current kernel's NFS client
> code blocks when reading files of size 2828 byte over NFSv3 (see
> kern/22309). Today I tracked the problem down. It appears, that an IP
> packet cannot be reassembled, when the last fragment of it is from 1 to 7
> bytes long.
>
> For some reason I have IP_FIREWALL and IP_FIREWALL_DEFAULT_TO_ACCEPT in my
> kernel config (well, the reason is, that I wanted to play with
> 'sting'). Although there is a comment in ip_fw.c that it is not a problem,
> when an incoming packet is a fragment with off!=0, it appears to be a
> problem, if the packet is too short to contain a UDP header. ip_fw insists
> on having an UDP header (around line 1002) and drops the packet as a bogus
> fragment, if it is too short for a header. I think, this is wrong.
>
> Because I'm not too firm with the firewall code, I have no fix.
> --

--
Ruslan Ermilov          Oracle Developer/DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

Content-Disposition: attachment; filename=p

Index: ip_fw.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.146
diff -u -p -w -r1.146 ip_fw.c
--- ip_fw.c	2000/10/26 00:16:12	1.146
+++ ip_fw.c	2000/10/26 15:57:53
@@ -970,21 +970,20 @@ ip_fw_chk(struct ip **pip, int hlen,
 			goto bogusfrag;					\
 		ip = mtod(*m, struct ip *);				\
 		*pip = ip;						\
-		offset = (ip->ip_off & IP_OFFMASK);			\
 	}								\
 } while (0)

 	/*
 	 * Collect parameters into local variables for faster matching.
 	 */
+	proto = ip->ip_p;
+	src_ip = ip->ip_src;
+	dst_ip = ip->ip_dst;
 	offset = (ip->ip_off & IP_OFFMASK);
-	{
+	if (offset == 0) {
 		struct tcphdr *tcp;
 		struct udphdr *udp;
-		dst_ip = ip->ip_dst ;
-		src_ip = ip->ip_src ;
-		proto = ip->ip_p ;
 		/*
 		 * warning - if offset != 0, port values are bogus.
 		 * Not a problem for ipfw, but could be for dummynet.
@@ -1014,6 +1013,7 @@ ip_fw_chk(struct ip **pip, int hlen,
 		default :
 			break;
 		}
+	}
 #undef PULLUP_TO
 	last_pkt.src_ip = ntohl(src_ip.s_addr) ;
 	last_pkt.dst_ip = ntohl(dst_ip.s_addr) ;
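Review bot: in the hunk at @@ -970, guarding the port-parsing switch with `if (offset == 0)` means src_port, dst_port and flags are no longer assigned for non-first fragments, yet they are still read unconditionally afterwards (`last_pkt.src_port = ntohs(src_port) ;` and the two lines following it, which the later hunk moves outside the block); make sure those three variables are initialised to 0 at their declaration so a fragment yields a deterministic flow id instead of whatever was on the stack, and rewrite the now-stale comment `warning - if offset != 0, port values are bogus.` to say that ports and flags are simply left at zero for fragments.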
@@ -1021,7 +1021,6 @@ ip_fw_chk(struct ip **pip, int hlen,
 	last_pkt.src_port = ntohs(src_port) ;
 	last_pkt.dst_port = ntohs(dst_port) ;
 	last_pkt.flags = flags ;
-	}

 	if (*flow_id) {
 		/* Accept if passed first test */

From owner-freebsd-ipfw Thu Oct 26 9:31: 6 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mailhub.fokus.gmd.de (mailhub.fokus.gmd.de [193.174.154.14]) by hub.freebsd.org (Postfix) with ESMTP id 560A437B4CF; Thu, 26 Oct 2000 09:31:04 -0700 (PDT)
Received: from beagle (beagle [193.175.132.100]) by mailhub.fokus.gmd.de (8.8.8/8.8.8) with ESMTP id SAA29994; Thu, 26 Oct 2000 18:31:03 +0200 (MET DST)
Date: Thu, 26 Oct 2000 18:31:03 +0200 (CEST)
From: Harti Brandt
To: Ruslan Ermilov
Cc: ipfw@FreeBSD.org
Subject: Re: Bug in ip_fw.c?
In-Reply-To: <20001026190655.A99210@sunbay.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, 26 Oct 2000, Ruslan Ermilov wrote:

> Certainly, there is a bug.
> Please test with attached patch.

Well, it seems to work now. Thanks. If this is committed, kern/22309 can be closed.

harti

--
harti brandt, http://www.fokus.gmd.de/research/cc/cats/employees/hartmut.brandt/private
brandt@fokus.gmd.de, harti@begemot.org, lhbrandt@mail.ru

From owner-freebsd-ipfw Thu Oct 26 17:21:26 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from valis.worldgate.ca (valis.worldgate.ca [198.161.84.2]) by hub.freebsd.org (Postfix) with ESMTP id D9A0A37B479 for ; Thu, 26 Oct 2000 17:21:23 -0700 (PDT)
Received: from worldgate.ca (diskless1.worldgate.ca [198.161.84.128]) by valis.worldgate.ca (8.9.3/8.9.3) with ESMTP id SAA12461 for ; Thu, 26 Oct 2000 18:21:16 -0600 (MDT) (envelope-from skafte@worldgate.ca)
Message-ID: <39F8CA7B.F409457@worldgate.ca>
Date: Thu, 26 Oct 2000 18:21:15 -0600
From: Greg Skafte
Organization: WorldGate Inc
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.0.36 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-ipfw@freebsd.org
Subject: could this be a sysctl?
Content-Type: multipart/mixed; boundary="------------CED3E9EB833461A4F1083EED"
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I was contemplating could the rule autoincrement number be changed to a sysctl? ..... instead of using shell script math, or having to edit ip_fw.c to change the default from 100 to something else.

in my firewall scripts it would be nice to just do a

  sysctl -w net.inet.ip.fw.countincrement = number

to change the increment value from the 100 default ....

--
Email: skafte@worldgate.ca  Voice: +780 413 1910  Fax: +780 421 4929
#575 Sun Life Place * 10123 99 Street * Edmonton, AB * Canada * T5J 3H1
--
When things can't get any worse, they simplify themselves by getting a whole lot worse then complicated. A complete and utter disaster is the simplest thing in the world; it's preventing one that's complex. (Janet Morris)

From owner-freebsd-ipfw Thu Oct 26 21:16:24 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from modemcable101.200-201-24.mtl.mc.videotron.ca (modemcable030.183-200-24.mtl.mc.videotron.ca [24.200.183.30]) by hub.freebsd.org (Postfix) with SMTP id 644BF37B479 for ; Thu, 26 Oct 2000 21:16:21 -0700 (PDT)
Received: (qmail 94714 invoked from network); 27 Oct 2000 04:16:20 -0000
Received: from patrak.local.mindstep.com (HELO PATRAK) (192.168.10.4) by jacuzzi.local.mindstep.com with SMTP; 27 Oct 2000 04:16:20 -0000
Message-ID: <0fc801c03fcc$a8db3370$040aa8c0@local.mindstep.com>
From: "Patrick Bihan-Faou"
To: "Greg Skafte"
Cc:
References: <39F8CA7B.F409457@worldgate.ca>
Subject: Re: could this be a sysctl?
Date: Fri, 27 Oct 2000 00:16:20 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0FC5_01C03FAB.21A7DAA0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG
From: "Greg Skafte"
> I was contemplating could the rule autoincrement number be changed to
> a sysctl? ..... instead of using shell script math, or having to edit
> ip_fw.c to change the default from 100 to something else.
>
> in my firewall scripts it would be nice to just do a
>
> sysctl -w net.inet.ip.fw.countincrement = number
>
> to change the increment value from the 100 default ....

There are about 3 PR's with patches that implement just that...

Here is a patch over a recent (yesterday) RELENG_4 source if you can't wait.

Patrick.

Content-Disposition: attachment; filename="ip_fw.c.patch"

--- ip_fw.c.orig
+++ ip_fw.c
@@ -79,6 +79,8 @@
 static int fw_verbose_limit = 0;
 #endif

+static int fw_auto_increment = 100;
+
 static u_int64_t counter;	/* counter for ipfw_report(NULL...) */
 struct ipfw_flow_id last_pkt ;

@@ -102,6 +104,8 @@
 	&fw_verbose, 0, "Log matches to ipfw rules");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, CTLFLAG_RW,
 	&fw_verbose_limit, 0, "Set upper limit of matches of ipfw rules logged");
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, auto_increment, CTLFLAG_RW,
+	&fw_auto_increment, 0, "Set the increment value for unnumbered rules");

 #if STATEFUL
 /*
@@ -1458,7 +1462,7 @@
 		return(0);
 	}

-	/* If entry number is 0, find highest numbered rule and add 100 */
+	/* If entry number is 0, find highest numbered rule and add fw_auto_increment */
 	if (ftmp->fw_number == 0) {
 		for (fcp = LIST_FIRST(chainptr); fcp; fcp = LIST_NEXT(fcp, chain)) {
 			if (fcp->rule->fw_number != (u_short)-1)
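Review bot: the SYSCTL_INT added at @@ -102 exposes fw_auto_increment with no bounds, but the arithmetic that consumes it further down the patch (`if (nbr < IPFW_DEFAULT_RULE - fw_auto_increment)` / `nbr += fw_auto_increment;`) misbehaves for anything outside 1..IPFW_DEFAULT_RULE-1: 0 makes every unnumbered rule reuse the current highest number, a negative value walks rule numbers backwards, and a value above IPFW_DEFAULT_RULE turns the bound negative so the increment is either skipped or wraps, depending on nbr's type. Replace the plain SYSCTL_INT with a SYSCTL_PROC handler that rejects such values with EINVAL (or validate in the add path), and document the new net.inet.ip.fw.auto_increment knob in ipfw(8) next to verbose_limit.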
@@ -1466,8 +1470,8 @@
 			else
 				break;
 		}
-		if (nbr < IPFW_DEFAULT_RULE - 100)
-			nbr += 100;
+		if (nbr < IPFW_DEFAULT_RULE - fw_auto_increment)
+			nbr += fw_auto_increment;
 		ftmp->fw_number = frwl->fw_number = nbr;
 	}

From owner-freebsd-ipfw Thu Oct 26 23:49:29 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id 1867B37B479 for ; Thu, 26 Oct 2000 23:49:28 -0700 (PDT)
Received: by jade.chc-chimes.com (Postfix, from userid 1001) id B36DF1C41; Fri, 27 Oct 2000 02:49:27 -0400 (EDT)
Date: Fri, 27 Oct 2000 02:49:27 -0400
From: Bill Fumerola
To: Greg Skafte
Cc: freebsd-ipfw@freebsd.org
Subject: Re: could this be a sysctl?
Message-ID: <20001027024927.I37870@jade.chc-chimes.com>
References: <39F8CA7B.F409457@worldgate.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <39F8CA7B.F409457@worldgate.ca>; from skafte@worldgate.ca on Thu, Oct 26, 2000 at 06:21:15PM -0600
X-Operating-System: FreeBSD 3.3-STABLE i386
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, Oct 26, 2000 at 06:21:15PM -0600, Greg Skafte wrote:

> I was contemplating could the rule autoincrement number be changed to
> a sysctl? ..... instead of using shell script math, or having to edit
> ip_fw.c to change the default from 100 to something else.
>
> in my firewall scripts it would be nice to just do a
>
> sysctl -w net.inet.ip.fw.countincrement = number
>
> to change the increment value from the 100 default ....

There already is a PR (assigned to me) that does this. It works and all I need to do is give it a onceover and commit it.

--
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
billf@chimesnet.com / billf@FreeBSD.org

From owner-freebsd-ipfw Fri Oct 27 0:11:30 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from trollkarl.skafte.org (trollkarl.skafte.org [207.167.5.33]) by hub.freebsd.org (Postfix) with ESMTP id 2E9D037B479 for ; Fri, 27 Oct 2000 00:11:13 -0700 (PDT)
Received: (from skafte@localhost) by trollkarl.skafte.org (8.11.1/8.11.1) id e9R7Aws09775 for freebsd-ipfw@FreeBSD.ORG; Fri, 27 Oct 2000 01:10:58 -0600 (MDT) (envelope-from skafte)
Date: Fri, 27 Oct 2000 01:10:58 -0600
From: Greg Skafte
To: freebsd-ipfw@FreeBSD.ORG
Subject: Re: could this be a sysctl?
Message-ID: <20001027011038.A9747@trollkarl.skafte.org>
References: <39F8CA7B.F409457@worldgate.ca> <20001027024927.I37870@jade.chc-chimes.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20001027024927.I37870@jade.chc-chimes.com>; from billf@chimesnet.com on Fri, Oct 27, 2000 at 02:49:27AM -0400
Organization: WorldGate Inc.
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

shows me for not looking in the PR database .... I don't think of enhancements as P(roblem)R(eports)..... I was mostly just thinking aloud before I submitted my own PR with patches .... but hey .....

Quoting Bill Fumerola (billf@chimesnet.com)
On Subject: Re: could this be a sysctl?
Date: Fri, Oct 27, 2000 at 02:49:27AM -0400

> On Thu, Oct 26, 2000 at 06:21:15PM -0600, Greg Skafte wrote:
>
> > I was contemplating could the rule autoincrement number be changed to
> > a sysctl? ..... instead of using shell script math, or having to edit
> > ip_fw.c to change the default from 100 to something else.
> >
> > in my firewall scripts it would be nice to just do a
> >
> > sysctl -w net.inet.ip.fw.countincrement = number
> >
> > to change the increment value from the 100 default ....
>
> There already is a PR (assigned to me) that does this. It works and all
> I need to do is give it a onceover and commit it.
>
> --
> Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
> billf@chimesnet.com / billf@FreeBSD.org

--
Email: skafte@worldgate.ca  Voice: +780 413 1910  Fax: +780 421 4929
#575 Sun Life Place * 10123 99 Street * Edmonton, AB * Canada * T5J 3H1
--
When things can't get any worse, they simplify themselves by getting a whole lot worse then complicated. A complete and utter disaster is the simplest thing in the world; it's preventing one that's complex. (Janet Morris)

From owner-freebsd-ipfw Fri Oct 27 14: 6:54 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from purpledreams.com (cr728229-a.slnt1.on.wave.home.com [24.114.51.163]) by hub.freebsd.org (Postfix) with SMTP id 8ADB237B4C5 for ; Fri, 27 Oct 2000 14:06:50 -0700 (PDT)
Received: (qmail 449 invoked by uid 1069); 27 Oct 2000 20:52:29 -0000
Message-ID: <20001027205229.448.qmail@purpledreams.com>
From: super@purpledreams.com
Subject: Routing Problem
To: freebsd-ipfw@freebsd.org
Date: Fri, 27 Oct 2000 16:52:29 -0400 (EDT)
X-Mailer: ELM [version 2.4ME+ PL82 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I am having a weird problem and hope you can help. (I realise it's not 100% an ipfw problem, but FreeBSD-Hackers has WAY too much traffic, and I am running ipfw/natd so it kinda fits :)

I'm running 4.0-RELEASE and have just switched ISPs.

(The overlap while I have two means I can send this message :)

The old one was an @home connection, plain and simple.

The new one is an ADSL connection, and the specs I was given are

  IP              : 64.x.y.z
  Netmask         : 26 bits (255.255.255.192)
  Default gateway : 10.10.240.1

This works fine in windows (!) but it won't work in FreeBSD (and, frankly, I think FreeBSD is 'right' :)

It won't use a default gateway that's not available on a local network. This is just plain proper : you shouldn't be able to! how would it know where it is????

But, that's what I have. Does anyone know a way of forcing FreeBSD to acknowledge the presence of a host that is not on a logical local subnet but is on a physical connection?

Can I force an ARP entry and hope that's enough?

It's a shame this works in windows! :)

Dana Lacoste

From owner-freebsd-ipfw Fri Oct 27 14:13:53 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from rapidnet.com (rapidnet.com [205.164.216.1]) by hub.freebsd.org (Postfix) with ESMTP id A9C0037B479 for ; Fri, 27 Oct 2000 14:13:50 -0700 (PDT)
Received: from localhost (nick@localhost) by rapidnet.com (8.9.3/8.9.3) with ESMTP id PAA57099; Fri, 27 Oct 2000 15:12:31 -0600 (MDT)
Date: Fri, 27 Oct 2000 15:12:31 -0600 (MDT)
From: Nick Rogness
To: super@purpledreams.com
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Routing Problem
In-Reply-To: <20001027205229.448.qmail@purpledreams.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, 27 Oct 2000 super@purpledreams.com wrote:

This problem has been solved (recently) in a previous thread. Search the archives.

> I am having a weird problem and hope you can help.
> (I realise it's not 100% an ipfw problem, but FreeBSD-Hackers
> has WAY too much traffic, and I am running ipfw/natd so it
> kinda fits :)
>
> I'm running 4.0-RELEASE and have just switched ISPs.
>
> (The overlap while I have two means I can send this message :)
>
> The old one was an @home connection, plain and simple.
>
> The new one is an ADSL connection, and the specs I was given are
>
> IP : 64.x.y.z
> Netmask : 26 bits (255.255.255.192)
> Default gateway : 10.10.240.1
>
> This works fine in windows (!) but it won't work in FreeBSD
> (and, frankly, I think FreeBSD is 'right' :)
>
> It won't use a default gateway that's not available on a local network.
> This is just plain proper : you shouldn't be able to! how would it
> know where it is????
>
> But, that's what I have. Does anyone know a way of forcing
> FreeBSD to acknowledge the presence of a host that is not
> on a logical local subnet but is on a physical connection?
>
> Can I force an ARP entry and hope that's enough?
>
> It's a shame this works in windows! :)
>
> Dana Lacoste

Nick Rogness
- Drive defensively. Buy a tank.
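Returning to the stateful question earlier in this digest (Kirk Strauser's m4-generated rule pairs, Luigi Rizzo's description of dynamic rules, and Crist Clark's attempt to tune their lifetime), the following model is an added example; it is not code from any of the posts, from ipfw or from FreeBSD. It runs Kirk's SSH policy in both forms against constructed traffic to show what Luigi's answer implies for his fourth question: the stateless pair's `established` rule accepts any inbound packet from port 22 that carries ACK or RST, whereas the stateful form only admits packets of a session that was opened by an outbound SYN and has not idled past its lifetime. The Packet, Rule and Firewall classes, the LIFETIME values (standing in for the dyn_*_lifetime sysctls, but not ipfw's defaults) and the addresses are all assumptions of the example; ipfw itself also performs an implicit check-state at a keep-state rule and follows TCP state transitions, which the model omits.

```python
"""Toy model of ipfw stateless ("established") versus stateful ("check-state" /
"keep-state") matching.  Added example, not code from the list, ipfw or FreeBSD;
addresses, ports and lifetimes are constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str                  # "in" or "out"
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"ACK"}


def _match(value, spec, is_addr):
    if spec == "any":
        return True
    if is_addr:
        return ipaddress.ip_address(value) in ipaddress.ip_network(spec, strict=False)
    return value == spec


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                  # "allow", "deny" or "check-state"
    proto: str = "any"
    src: str = "any"
    sport: object = "any"
    dst: str = "any"
    dport: object = "any"
    direction: str = "any"
    established: bool = False    # TCP with ACK or RST set (ipfw "established")
    setup: bool = False          # TCP with SYN set and ACK clear (ipfw "setup")
    keep_state: bool = False     # install a dynamic rule for the matched flow

    def matches(self, p):
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.direction != "any" and self.direction != p.direction:
            return False
        if not (_match(p.src, self.src, True) and _match(p.sport, self.sport, False)
                and _match(p.dst, self.dst, True) and _match(p.dport, self.dport, False)):
            return False
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return not self.setup or ("SYN" in p.flags and "ACK" not in p.flags)


class Firewall:
    """First matching rule in number order decides; no match means the default
    rule, modelled here as deny (example values and simplifications throughout)."""
    LIFETIME = {"tcp": 300, "udp": 30}   # idle seconds per protocol, made up

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic = {}                # flow key -> (expiry, action)

    @staticmethod
    def _flow(p):                        # same key for both directions of a session
        return frozenset({(p.proto, p.src, p.sport), (p.proto, p.dst, p.dport)})

    def check(self, p, now=0):
        key = self._flow(p)
        for r in self.rules:
            if r.action == "check-state":
                entry = self.dynamic.get(key)
                if entry and entry[0] > now:   # live dynamic rule: refresh, apply parent action
                    self.dynamic[key] = (now + self.LIFETIME[p.proto], entry[1])
                    return entry[1]
                continue
            if r.matches(p):
                if r.keep_state:
                    self.dynamic[key] = (now + self.LIFETIME[p.proto], r.action)
                return r.action
        return "deny"


LAN = "10.0.1.0/24"   # MAIN_LAN from the thread; interface clauses are omitted
# The pair Kirk's tcp_outgoing macro expands to.
STATELESS_SSH = [
    Rule(30400, "allow", "tcp", LAN, "any", "any", 22, "out"),
    Rule(30400, "allow", "tcp", "any", 22, LAN, "any", "in", established=True),
]
# Same policy with dynamic rules: check-state first, and the outbound rule
# matches the initial SYN only and records the session.
STATEFUL_SSH = [
    Rule(30300, "check-state"),
    Rule(30400, "allow", "tcp", LAN, "any", "any", 22, "out", setup=True, keep_state=True),
]
# Constructed traffic: SSH handshake from the LAN, an ACK-only probe from an
# unrelated host, then a packet of the real session after idling past LIFETIME.
SESSION = [
    (0,   Packet("tcp", "10.0.1.5", 3607, "203.0.113.9", 22, "out", frozenset({"SYN"}))),
    (1,   Packet("tcp", "203.0.113.9", 22, "10.0.1.5", 3607, "in", frozenset({"SYN", "ACK"}))),
    (2,   Packet("tcp", "198.51.100.7", 22, "10.0.1.5", 4444, "in", frozenset({"ACK"}))),
    (400, Packet("tcp", "203.0.113.9", 22, "10.0.1.5", 3607, "in", frozenset({"ACK"}))),
]


def run(rules, traffic):
    fw = Firewall(rules)
    return [fw.check(p, t) for t, p in traffic]
```

`run(STATELESS_SSH, SESSION)` allows all four packets, including the probe to port 4444 that no inside host ever asked for; `run(STATEFUL_SSH, SESSION)` allows the handshake, denies the probe, and denies the late packet because its dynamic rule has expired. The only ruleset change is replacing the `established` return rule with `setup keep-state` on the outbound rule plus a `check-state` ahead of it, which is the closed-by-default, opened-from-the-inside behaviour Luigi describes.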