From: Jimmy
To: freebsd-ipfw@freebsd.org
Date: Mon, 22 Apr 2002 18:19:00 -0600 (CST)
Message-ID: <20020422181104.D2070-100000@mail.isppro.net>

Hello Everybody:

Since some time ago I have had the need of routing based on the source instead of the destination. I have been playing with ipfw and ipf without success, then I found this article [1] referring to the Linux IP routing implementation and its policy routing.

My question is, is there something like this in FreeBSD?

I am sorry if this is not the proper place where I can ask this. Maybe freebsd-hackers? I do not know ...

Thank You very much.

--Jimmy

[1] http://www.samag.com/documents/s=1169/sam0001f/0001f.htm

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message


From: "Crist J. Clark"
To: Jimmy
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Mon, 22 Apr 2002 23:05:09 -0700
Subject: Routing on Src Addr
Message-ID: <20020422230509.A84809@blossom.cjclark.org>

On Mon, Apr 22, 2002 at 06:19:00PM -0600, Jimmy wrote:
>
> Hello Everybody:
>
> Since some time ago I have had the need of routing based on the source
> instead of the destination. I have been playing with ipfw and ipf without
> success,

Use the 'fwd' action in ipfw(8) or 'fastroute' in ipf(8).
--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org


From: Andre Albsmeier
To: freebsd-ipfw@freebsd.org
Date: Thu, 25 Apr 2002 09:53:01 +0200
Subject: bandwidth shaping only for big tcp packets
Message-ID: <20020425095301.A18975@curry.mchp.siemens.de>

I would like to do something like:

    ipfw add 2000 pipe 1 tcp from 192.168.128.4/32 to any len gt 100
    ipfw pipe 1 config bw 4KBytes/s queue 4KBytes

This would mean that only packets which are bigger than 100 bytes will be fed to pipe 1.

Any ideas?
-Andre


From: Benny Chee
To: freebsd-ipfw@FreeBSD.ORG
Date: Thu, 25 Apr 2002 19:31:01 +0800
Subject: ipfw+fwd+divert+natd
Message-ID: <20020425193101.B20143@magix.com.sg>

hi,

just have a minor issue with the following features in ipfw:

    fxp0: 207.1.1.1/24 (public IP)
    fxp1: 10.0.0.1/24 (private IP)
    windoze: 10.0.0.2:3389 (terminal server - no default route)

scenario: internet -> fxp0-fxp1 -> windoze

1) Just to be able to tunnel in from the internet to my freebsd4.5 box to reach the windoze box at TCP port 3389.

2) Problem is, my windoze box does not have any default route. It can only reach 10.0.0.1.

3) When a packet reaches fxp0, it has to modify its source to that of fxp1, and pass the packet onto the windoze box.

4) I have turned on natd, with

    natd -n fxp0 -redirect_port tcp 10.0.0.2:3389 3389

How can this be done?

benny


From: "Rex A. Roof"
To: freebsd-ipfw@freebsd.org
Cc: rex@gunjin.wccnet.org
Date: Thu, 25 Apr 2002 16:52:53 -0400 (EDT)
Subject: Putting in place an incoming sendmail limit
Message-Id: <200204252052.g3PKqrj0090391@gunjin.wccnet.org>

In order to prevent incoming DoS attacks via multiple sendmail connections, I've tried adding the following ipfw rule:

    allow tcp from any to any smtp limit src-addr 1

This works great, except that when it's triggered I get A LOT of messages like this:

    OUCH! cannot remove rule, count 1
    drop session, too many entries

over and over and over and over...

I've tried adding a 'log logamount 1' in there, no difference. I've tried changing the following sysctl settings, with no luck: net.inet.ip.fw.debug, net.inet.ip.fw.verbose, net.inet.ip.fw.verbose_limit

I'd like to limit these incoming sendmail connections, but the amount of logging output it creates is a bit extreme. I tried setting this up and just using telnet to connect to the sendmail port, and a dozen or so messages are created in a few seconds, just with two telnet sessions from the same machine.
-Rex


From: Gregory Neil Shapiro
To: "Rex A. Roof"
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Thu, 25 Apr 2002 14:15:58 -0700
Subject: Re: Putting in place an incoming sendmail limit
Message-ID: <15560.29198.657946.738003@horsey.gshapiro.net>

rex> In order to prevent incoming DoS attacks via multiple sendmail
rex> connections, I've tried adding the following ipfw rule:

rex> allow tcp from any to any smtp limit src-addr 1

rex> This works great, except that when it's triggered I get A LOT
rex> of messages like this:

rex> OUCH! cannot remove rule, count 1
rex> drop session, too many entries

Perhaps it is because that rule matches every packet instead of just the TCP setup packet. You might try using the 'setup' keyword. (Just a guess).


From: "Rex A. Roof"
To: Gregory Neil Shapiro
Cc: "Rex A. Roof", freebsd-ipfw@FreeBSD.ORG
Date: Thu, 25 Apr 2002 18:28:50 -0400
Subject: Re: Putting in place an incoming sendmail limit
Message-ID: <20020425182850.A91480@rexroof.com>

On Thu, Apr 25, 2002 at 02:15:58PM -0700, Gregory Neil Shapiro wrote:
>
> Perhaps it is because that rule matches every packet instead of just the TCP
> setup packet. You might try using the 'setup' keyword. (Just a guess).

okay, I added the setup keyword and it seemed to get rid of the "OUCH! cannot remove rule, count 1" message.

I also noticed that if I open an smtp connection to the computer, and then close it and wait a minute, I can't make another smtp connection to the firewalled machine.
Is there a way to define that I want any machine to be able to have 1 and only one smtp connection? Or will this always limit them for a set period of time?


From: "Crist J. Clark"
To: Gregory Neil Shapiro
Cc: "Rex A. Roof", freebsd-ipfw@FreeBSD.ORG
Date: Thu, 25 Apr 2002 23:24:44 -0700
Subject: Re: Putting in place an incoming sendmail limit
Message-ID: <20020425232444.B34367@blossom.cjclark.org>

On Thu, Apr 25, 2002 at 02:15:58PM -0700, Gregory Neil Shapiro wrote:
> rex> In order to prevent incoming DoS attacks via multiple sendmail
> rex> connections, I've tried adding the following ipfw rule:
>
> rex> allow tcp from any to any smtp limit src-addr 1
>
> rex> This works great, except that when it's triggered I get A LOT
> rex> of messages like this:
>
> rex> OUCH! cannot remove rule, count 1
> rex> drop session, too many entries
>
> Perhaps it is because that rule matches every packet instead of just the TCP
> setup packet. You might try using the 'setup' keyword. (Just a guess).

That's probably not the problem. Remember 'limit' rules are dynamic rules.

What version of FreeBSD are you running? I believe the 'OUCH!' is luigi's way of saying that you shouldn't be seeing that error. It indicates an internal error.
--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org


From: Dan Pelleg
To: "Crist J. Clark"
Cc: Gregory Neil Shapiro, "Rex A. Roof", freebsd-ipfw@FreeBSD.ORG
Date: 26 Apr 2002 06:33:28 -0400
Subject: Re: Putting in place an incoming sendmail limit

"Crist J. Clark" writes:

> On Thu, Apr 25, 2002 at 02:15:58PM -0700, Gregory Neil Shapiro wrote:
> > rex> In order to prevent incoming DoS attacks via multiple sendmail
> > rex> connections, I've tried adding the following ipfw rule:
> >
> > rex> allow tcp from any to any smtp limit src-addr 1
> >
> > rex> This works great, except that when it's triggered I get A LOT
> > rex> of messages like this:
> >
> > rex> OUCH! cannot remove rule, count 1
> > rex> drop session, too many entries
> >
> > Perhaps it is because that rule matches every packet instead of just the TCP
> > setup packet. You might try using the 'setup' keyword. (Just a guess).
>
> That's probably not the problem. Remember 'limit' rules are dynamic
> rules.
>
> What version of FreeBSD are you running? I believe the 'OUCH!' is
> luigi's way of saying that you shouldn't be seeing that error. It
> indicates an internal error.

It is, and it's been discussed on this mailing list before. I have a patch for this, which I've discussed with luigi in the past. For some reason, I never heard back from him after posting it. This way or the other, it's here if you want to apply it yourself:

http://www.freebsd.org/cgi/query-pr.cgi?pr=32600

--
Dan Pelleg


From: "Rex A. Roof"
To: Dan Pelleg
Cc: "Crist J. Clark", Gregory Neil Shapiro, "Rex A. Roof", freebsd-ipfw@FreeBSD.ORG
Date: Fri, 26 Apr 2002 10:22:49 -0400
Subject: Re: Putting in place an incoming sendmail limit
Message-ID: <20020426102249.A1538@rexroof.com>

uname output says this:

    FreeBSD m-net.arbornet.org 4.5-STABLE FreeBSD 4.5-STABLE #0: Thu Apr 25 13:26:42 EDT 2002 trex@m-net.arbornet.org:/freebsd/stable/src/sys/compile/MNET i386

and the source code was cvsed about 12 hours before that, from the RELENG_4 tree.

I guess I should subscribe to this list. heh.

On Fri, Apr 26, 2002 at 06:33:28AM -0400, Dan Pelleg wrote:
> "Crist J. Clark" writes:
>
> > That's probably not the problem. Remember 'limit' rules are dynamic
> > rules.
> >
> > What version of FreeBSD are you running? I believe the 'OUCH!' is
> > luigi's way of saying that you shouldn't be seeing that error. It
> > indicates an internal error.
>
> It is, and it's been discussed on this mailing list before. I have a patch
> for this, which I've discussed with luigi in the past. For some reason, I
> never heard back from him after posting it. This way or the other,
> it's here if you want to apply it yourself:
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=32600
>
> --
> Dan Pelleg


From: Luigi Rizzo
To: Andre Albsmeier
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Sat, 27 Apr 2002 23:15:28 -0700
Subject: Re: bandwidth shaping only for big tcp packets
Message-ID: <20020427231528.B63189@iguana.icir.org>

On Thu, Apr 25, 2002 at 09:53:01AM +0200, Andre Albsmeier wrote:
> I would like to do something like:
>
> ipfw add 2000 pipe 1 tcp from 192.168.128.4/32 to any len gt 100
> ipfw pipe 1 config bw 4KBytes/s queue 4KBytes
>
> This would mean that only packets which are bigger than 100 bytes
> will be fed to pipe 1.
>
> Any ideas?

well you'd need to write the necessary extensions in the ipfw matching code to implement the "gt NN" part.

I can partly see the point of what you are asking (e.g. differentiating interactive ssh sessions from scp and other bulk transfers-over-ssh stuff) but:

1) i wonder if, for the time being, you cannot achieve the same by e.g. looking at the PSH flag in TCP packets;

2) it is probably about time that someone implements the ability to run BPF code segments for packet matching in ipfw rules!

cheers
luigi
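Andre's "len gt NN" match and the PSH-flag alternative Luigi suggests, modelled as an added C example (not ipfw's own matching code); the packets are constructed, header-only samples, since "len" compares the IP total-length field, and the sizes and flags chosen are assumptions about a keystroke versus a bulk segment:

```c
/*
 * Added illustration, not ipfw code: a minimal matcher for the two criteria
 * discussed in the thread, "len gt N" on the IP total length and the TCP PSH
 * flag, applied to constructed IPv4/TCP headers.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TH_PSH 0x08   /* TCP PSH flag bit, as in <netinet/tcp.h> */

/* Parse just enough of an IPv4/TCP packet to evaluate both criteria.
 * Returns 0 for anything malformed or non-TCP, so such packets never match. */
static int parse_ipv4_tcp(const uint8_t *pkt, size_t len,
                          unsigned *ip_len, uint8_t *tcp_flags)
{
    size_t ihl;
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20 || pkt[9] != 6 /* IPPROTO_TCP */)
        return 0;
    *ip_len = ((unsigned)pkt[2] << 8) | pkt[3];  /* IP total length field */
    *tcp_flags = pkt[ihl + 13];                  /* TCP flags byte */
    return 1;
}

/* Andre's wish: "len gt n", true when the IP total length exceeds n bytes. */
int match_len_gt(const uint8_t *pkt, size_t len, unsigned n)
{
    unsigned ip_len; uint8_t flags;
    return parse_ipv4_tcp(pkt, len, &ip_len, &flags) && ip_len > n;
}

/* Luigi's alternative: match on the PSH flag (what "tcpflags psh" tests). */
int match_tcp_psh(const uint8_t *pkt, size_t len)
{
    unsigned ip_len; uint8_t flags;
    return parse_ipv4_tcp(pkt, len, &ip_len, &flags) && (flags & TH_PSH) != 0;
}

/* Construct a 40-byte IPv4+TCP header pair (sample input, no payload) that
 * claims the given total length and carries the given TCP flags. */
size_t build_packet(uint8_t buf[40], unsigned total_len, uint8_t flags)
{
    memset(buf, 0, 40);
    buf[0] = 0x45;                        /* IPv4, IHL = 5 words */
    buf[2] = (uint8_t)(total_len >> 8);
    buf[3] = (uint8_t)(total_len & 0xff);
    buf[9] = 6;                           /* protocol = TCP */
    buf[32] = 0x50;                       /* TCP data offset = 5 words */
    buf[33] = flags;
    return 40;
}

/* Evaluate both rules on one constructed packet:
 * bit 0 set = "len gt n" matched, bit 1 set = PSH matched. */
int classify(unsigned total_len, uint8_t flags, unsigned n)
{
    uint8_t pkt[40];
    size_t len = build_packet(pkt, total_len, flags);
    return (match_len_gt(pkt, len, n) ? 1 : 0) | (match_tcp_psh(pkt, len) ? 2 : 0);
}

int main(void)
{
    /* assumed samples: ssh keystroke = 52-byte PSH|ACK; bulk scp = 1500-byte ACK */
    printf("keystroke  len>100:%d psh:%d\n", classify(52, 0x18, 100) & 1, classify(52, 0x18, 100) >> 1);
    printf("bulk       len>100:%d psh:%d\n", classify(1500, 0x10, 100) & 1, classify(1500, 0x10, 100) >> 1);
    printf("bulk+push  len>100:%d psh:%d\n", classify(1500, 0x18, 100) & 1, classify(1500, 0x18, 100) >> 1);
    return 0;
}
```

The third case is where the two criteria disagree: the last segment of a bulk write commonly carries PSH, so a PSH-only rule would also catch some large packets, while small interactive segments with PSH set would still escape the pipe under a pure length rule.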