From owner-freebsd-ipfw Sun Oct 29 23:31:33 2000
From: "Some Person"
To: freebsd-ipfw@freebsd.org
Cc: freebsd-qusetions@freebsd.org
Subject: Transparent Bridging with IPFW...
Date: Mon, 30 Oct 2000 07:31:31 GMT

Quick question. Has anyone done transparent (ipless) bridging in FreeBSD
with IPFW? If so, the thing I'm wondering about is, what would you put for
$oip=? 0.0.0.0 or nothing at all?

Also, like in OpenBSD with IPFilter, doing transparent bridging you had to
filter in one direction only, pass in on internal/external. Wondering
if it's the same for IPFW?

Any help/advice would be greatly appreciated! Thanks!

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Sun Oct 29 23:37:23 2000
From: "Some Person"
To: freebsd-questions@freebsd.org
Cc: freebsd-ipfw@freebsd.org
Subject: Transparent Ethernet Bridging with IPFW...
Date: Mon, 30 Oct 2000 07:37:19 GMT

Sorry if it's a repeat, last msg bounced back for some off reason.

Quick question. Has anyone done transparent (ipless) bridging in FreeBSD
with IPFW? If so, the thing I'm wondering about is, what would you put for
$oip=? 0.0.0.0 or nothing at all?

Also, like in OpenBSD with IPFilter, doing transparent bridging you had to
filter in one direction only, pass in on internal/external. Wondering
if it's the same for IPFW?

Any help/advice would be greatly appreciated!

From owner-freebsd-ipfw Mon Oct 30 12:23:52 2000
Message-Id: <3.0.32.20001030122811.03ba0540@mail.ok-connect.com>
Date: Mon, 30 Oct 2000 12:28:11 -0800
To: freebsd-ipfw@freebsd.org
From: Darcy Buskermolen
Subject: Muteing an interface while bridgeing

Is it possible to only allow 2 out of 4 interfaces to participate in
bridging, allowing the other 2 to do routing/firewalling? If so, how can I
go about doing it?

From owner-freebsd-ipfw Mon Oct 30 12:29: 5 2000
From: Luigi Rizzo
Message-Id: <200010302028.MAA01401@iguana.aciri.org>
Subject: Re: Muteing an interface while bridgeing
In-Reply-To: <3.0.32.20001030122811.03ba0540@mail.ok-connect.com>
To: darcy@ok-connect.com (Darcy Buskermolen)
Date: Mon, 30 Oct 2000 12:28:46 -0800 (PST)
Cc: freebsd-ipfw@FreeBSD.ORG

> Is it possible to only allow 2 out of 4 interfaces to participate in
> bridging, allowing the other 2 to do routing/firewalling? If so, how can I
> go about doing it?

use the sysctl variable net.link.ether.bridge_cfg as documented in

    http://www.iet.unipi.it/~luigi/ip_dummynet/

(and yes, this is not in the bridge(4) manpage yet... if some good
soul would like to update it...)

    cheers
    luigi

----------------------------------+-----------------------------------------
 Luigi RIZZO, luigi@iet.unipi.it  . ACIRI/ICSI (on leave from Univ. di Pisa)
 http://www.iet.unipi.it/~luigi/  . 1947 Center St, Berkeley CA 94704
 Phone: (510) 666 2927
----------------------------------+-----------------------------------------

From owner-freebsd-ipfw Mon Oct 30 13:32:26 2000
From: "Peter Brezny"
Subject: rc.firewall by default does not allow nat of private internal addresses?
Date: Mon, 30 Oct 2000 16:32:28 -0500
Message-ID: <001701c042b8$e7f54340$47010a0a@fire.sysadmininc.com>

Could someone explain to me why the default configuration of rc.firewall
using the 'simple' configuration does not allow private ip's to be used on
the internal network?

I was assuming that since the natd rule is _above_ the

    deny ip from 10.0.0.0/8 to any via ${oif}

ipfw would not 'realize' that the packet originated on 10.0.0.0/8 and would
pass it (since natd should have already translated the packet to the
external ip before it leaves via the ${oif}...right?

any enlightenment on this issue would be greatly appreciated.

but as written, it appears to me that the rc.firewall provided with 4.1 is
useless unless you pull out the limits of RFC1918 or at least change them to

    deny all from 10.0.0.0/8 to any in via ${oif}

TIA.

Peter Brezny
SysAdmin Services, Inc.

From owner-freebsd-ipfw Tue Oct 31 0: 5:33 2000
Date: Tue, 31 Oct 2000 00:05:21 -0800
From: "Crist J . Clark"
To: Peter Brezny
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: rc.firewall by default does not allow nat of private internal addresses?
Message-ID: <20001031000521.E75251@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <001701c042b8$e7f54340$47010a0a@fire.sysadmininc.com>
In-Reply-To: <001701c042b8$e7f54340$47010a0a@fire.sysadmininc.com>; from peter@sysadmin-inc.com on Mon, Oct 30, 2000 at 04:32:28PM -0500

On Mon, Oct 30, 2000 at 04:32:28PM -0500, Peter Brezny wrote:
> Could someone explain to me why the default configuration of rc.firewall
> using the 'simple' configuration does not allow private ip's to be used on
> the internal network?
>
> I was assuming that since the natd rule is _above_ the
>
>     deny ip from 10.0.0.0/8 to any via ${oif}
>
> ipfw would not 'realize' that the packet originated on 10.0.0.0/8 and would
> pass it (since natd should have already translated the packet to the
> external ip before it leaves via the ${oif}...right?

Wrong. The packet comes in the internal interface, goes through the
firewall once, and presumably is accepted. The packet is routed by the
kernel and then runs through the firewall rules as it passes out of
the external interface. A packet will not be processed by natd(8)
until it hits the divert rule. If it reaches the above rule before
being diverted to natd, it still has a 10.0.0.0/8 source address and
is associated with ${iof} so the packet would indeed match the above
rule and be dropped.

> but as written, it appears to me that the rc.firewall provided with 4.1 is
> useless unless you pull out the limits of RFC1918 or at least change them to
>
>     deny all from 10.0.0.0/8 to any in via ${oif}

Yep, that should fix it. Many people, including myself, have offered
this solution to new firewall users over and over on -ipfw and
-questions, but it never seems to get propagated to the default
/etc/rc.firewall.

Personally, I have decided that it's not really terribly important to
block RFC1918 addresses. If you block those, do you add the other
manning-draft ones? How about the whole 192.0.0.0/16? Block multi-cast
and experimental nets (class D and class E)? Recently at SANS 2000, a
speaker in the intrusion detection course threw up a list including
a bunch of other nets including 65.0.0.0-95.255.255.255. Unfortunately,
although those blocks _were_ IANA reserved when she made her slides a
few months ago, the 65/8 and 66/8 blocks have been allocated for use
since. (I should add that she was very responsive when I pointed this
out to her via email.)

It's also another place to make silly mistakes. I was just reviewing
some configurations on our border routers last week when I noticed
someone had blackholed incoming 172/8. Now, the fact that we just cut
off a big chunk of AOL addresses does not bother me too much, I think
there are others at the company who would not be too pleased.

Again, IMHO, if you are using RFC1918 nets on a NAT'ed internal net,
it is important to add an anti-spoofing rule like,

    deny all from ${net} to any recv ${oif}

Before the divert rule. Adding anything else is superfluous. If someone
wants to SYN flood you, for example, they can spoof routable addresses
just as easily as RFC1918 ones. (If I were to SYN flood someone, I
would never use RFC1918 addresses just because people do sometimes
block them). I don't see what blocking them adds.
-- 
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-ipfw Tue Oct 31 0:10:42 2000
Date: Tue, 31 Oct 2000 00:10:24 -0800
From: "Crist J . Clark"
To: Some Person
Cc: freebsd-questions@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: Re: Transparent Ethernet Bridging with IPFW...
Message-ID: <20001031001024.F75251@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu

On Mon, Oct 30, 2000 at 07:37:19AM +0000, Some Person wrote:
> Sorry if it's a repeat, last msg bounced back for some off reason.
>
> Quick question. Has anyone done transparent (ipless) bridging in FreeBSD
> with IPFW? If so, the thing I'm wondering about is, what would you put for
> $oip=? 0.0.0.0 or nothing at all?

Are you talking about the variables in the "simple" firewall? That is
a starting point for a routing firewall.
You probably want to start almost from scratch. However, I would think
$oip = $iip would be the best answer.

> Also, like in OpenBSD with IPFilter, doing transparent bridging you had to
> filter in one direction only, pass in on internal/external. Wondering
> if it's the same for IPFW?

  $ man ipfw
  .
  .
  .
     Each incoming or outgoing packet is passed through the ipfw rules.  If
     host is acting as a gateway, packets forwarded by the gateway are
     processed by ipfw twice.  In case a host is acting as a bridge, packets
     forwarded by the bridge are processed by ipfw once.
-- 
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-ipfw Tue Oct 31 0:33:42 2000
Date: Tue, 31 Oct 2000 03:31:13 -0500 (EST)
From: Mike Nowlin
To: cjclark@alum.mit.edu
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: rc.firewall by default does not allow nat of private internal addresses?
In-Reply-To: <20001031000521.E75251@149.211.6.64.reflexcom.com>

On Tue, 31 Oct 2000, Crist J . Clark wrote:

> a bunch of other nets including 65.0.0.0-95.255.255.255. Unfortunately,
> although those blocks _were_ IANA reserved when she made her slides a
> few months ago, the 65/8 and 66/8 blocks have been allocated for use

I must chuckle a bit.... (Quiet "chort, snort, guffaw.") These are
some of the same guys saying that "we're running out of v4 addressing
space!".... 65/8 - 95/8... 520,093,696 addresses... :)

(I AM in favor of switching things to IPv6 right now, screw whoever's not
ready... We'll work out the problems en route. :) )

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Understated/funny man-page sentence of the current time period:
From route(4) on FreeBSD-3.4, DESCRIPTION section:
"FreeBSD provides some packet routing facilities."
...duh.......

Mike Nowlin, N8NVW   mike@argos.org   http://www.viewsnet.com

From owner-freebsd-ipfw Tue Oct 31 0:51:42 2000
Date: Tue, 31 Oct 2000 00:51:19 -0800
From: "Crist J . Clark"
To: Mike Nowlin
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: rc.firewall by default does not allow nat of private internal addresses?
Message-ID: <20001031005119.G75251@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <20001031000521.E75251@149.211.6.64.reflexcom.com>

On Tue, Oct 31, 2000 at 03:31:13AM -0500, Mike Nowlin wrote:
> On Tue, 31 Oct 2000, Crist J . Clark wrote:
>
> > a bunch of other nets including 65.0.0.0-95.255.255.255.
> > Unfortunately, although those blocks _were_ IANA reserved when she made
> > her slides a few months ago, the 65/8 and 66/8 blocks have been
> > allocated for use
>
> I must chuckle a bit.... (Quiet "chort, snort, guffaw.") These are
> some of the same guys saying that "we're running out of v4 addressing
> space!".... 65/8 - 95/8... 520,093,696 addresses... :)

We /were/ running out of addresses back in the old days when class A
addresses like those each had to be handed out to a single entity. Do
a 'whois -a 65' to see how many chunks they broke 65/8 into.
Now-a-days with classless routing, there really is no pressing address
shortage... Now, when every device that has a microprocessor is
networked and all need globally routable addresses to do IPsec AH,
then we will have a problem with IPv4-space.
-- 
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-ipfw Thu Nov 2 10: 5:11 2000
Message-ID: <02ad01c044f7$6dc1c440$0200000a@mike>
From: "Daryl Chance"
To: "FreeBSD IPFW"
Subject: deny question...
Date: Thu, 2 Nov 2000 12:05:04 -0600

ipfw: -1 Refuse TCP 209.1.224.186 24.95.125.205 in via rl0 Fragment = 147

any idea what that means? this have to do with the setting i have for
DROP_SYNFIN or RESTRICT_RST? -1 seems to be an odd rule number :)

Thanks,

-----------------------------------------------------------------------
| Daryl Chance   | We start seeing these new accounts being created,  |
| -------------- | but that could be an anomaly of the system. After  |
| Valuedata, LLC | a day or two, we realized it was someone hacking   |
| Memphis, TN    | into the system. - Microsoft on their hacker       |
-----------------------------------------------------------------------

From owner-freebsd-ipfw Fri Nov 3 10:11: 4 2000
Message-ID: <20001103181102.45572.qmail@web9108.mail.yahoo.com>
Date: Fri, 3 Nov 2000 10:11:02 -0800 (PST)
From: Ray Qiu
Subject: Natd
To: freebsd-ipfw@freebsd.org

Hi,

I am running IPFW and NATd. How can I view the internal natd session
table? How can I change the natd timeout (per session) parameter?

Thanks,
Ray
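
Added example (not part of the original thread and not FreeBSD code): a toy Python model of the rc.firewall discussion above, for the case Crist Clark describes where the deny rule is reached before the divert rule. It compares `via`, `in via` and `recv` for a forwarded LAN packet and for a packet arriving on the outside interface with an internal source address; the interface names, the sample addresses and the implicit final allow are assumptions of the model.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

IIF, OIF = "int0", "ext0"          # assumed interface names
NET = ip_network("10.0.0.0/8")     # internal net, as in the thread
OIP = "192.0.2.1"                  # assumed public address of the gateway

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    recv: str                      # interface the packet arrived on
    xmit: Optional[str] = None     # set only during the output pass

def iface_match(pkt, kind, ifname):
    """Interface tests, following the semantics described in ipfw(8)."""
    outbound = pkt.xmit is not None
    if kind == "via":              # interface of the current pass
        return (pkt.xmit if outbound else pkt.recv) == ifname
    if kind == "in via":           # input pass only
        return not outbound and pkt.recv == ifname
    if kind == "recv":             # receive interface, checked on either pass
        return pkt.recv == ifname
    raise ValueError(kind)

def run_pass(pkt, rules):
    """First matching deny wins; divert hands the packet to natd, then continues."""
    for action, src_net, kind, ifname in rules:
        if src_net is not None and ip_address(pkt.src) not in src_net:
            continue
        if not iface_match(pkt, kind, ifname):
            continue
        if action == "deny":
            return None
        # Model only outbound aliasing; inbound de-aliasing is left out.
        if action == "divert" and pkt.xmit and ip_address(pkt.src) in NET:
            pkt = replace(pkt, src=OIP)
    return pkt                     # implicit allow (assumption of this model)

def forward(pkt, rules):
    """Input pass, then (for LAN traffic) output pass on OIF. Returns src or 'deny'."""
    pkt = run_pass(pkt, rules)
    if pkt is None:
        return "deny"
    if pkt.recv == IIF:            # gateway case: ipfw sees the packet twice
        pkt = run_pass(replace(pkt, xmit=OIF), rules)
        if pkt is None:
            return "deny"
    return pkt.src

DIVERT = ("divert", None, "via", OIF)
STOCK = [("deny", NET, "via", OIF), DIVERT]      # rule quoted by Peter Brezny
IN_VIA = [("deny", NET, "in via", OIF), DIVERT]  # his proposed change
RECV = [("deny", NET, "recv", OIF), DIVERT]      # Crist Clark's anti-spoofing rule

LAN_HOST = Packet("10.1.2.3", "198.51.100.7", recv=IIF)  # constructed sample
SPOOFED = Packet("10.9.9.9", OIP, recv=OIF)              # constructed sample

def results():
    return {name: (forward(LAN_HOST, rs), forward(SPOOFED, rs))
            for name, rs in (("via", STOCK), ("in via", IN_VIA), ("recv", RECV))}

if __name__ == "__main__":
    for name, (lan, spoof) in results().items():
        print(f"{name:7} LAN host -> {lan:10} spoofed from outside -> {spoof}")
```

With `via`, the LAN host's packet is dropped on the output pass before natd ever sees it; with `in via` or `recv` it leaves with the gateway's address while the spoofed packet is still refused.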