From owner-freebsd-ipfw Sun Mar 9 7:39:10 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
by hub.freebsd.org (Postfix) with ESMTP id DCE8437B401
for <freebsd-ipfw@freebsd.org>; Sun, 9 Mar 2003 07:39:01 -0800 (PST)
Received: from arthur.nitro.dk (port324.ds1-khk.adsl.cybercity.dk [212.242.113.79])
by mx1.FreeBSD.org (Postfix) with ESMTP id C67DC43FA3
for <freebsd-ipfw@freebsd.org>; Sun, 9 Mar 2003 07:39:00 -0800 (PST)
(envelope-from simon@arthur.nitro.dk)
Received: by arthur.nitro.dk (Postfix, from userid 1000)
id CBEC510BF94; Sun, 9 Mar 2003 16:38:58 +0100 (CET)
Date: Sun, 9 Mar 2003 16:38:58 +0100
From: "Simon L. Nielsen" <simon@nitro.dk>
To: freebsd-ipfw@freebsd.org
Subject: Request for commets: ipfw2 syslog patch
Message-ID: <20030309153857.GA17210@nitro.dk>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="i0/AhcQY5QxfSsSZ"
Content-Disposition: inline
User-Agent: Mutt/1.5.3i
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG
--i0/AhcQY5QxfSsSZ
Content-Type: multipart/mixed; boundary="NzB8fVQJ5HfG6fxh"
Content-Disposition: inline
--NzB8fVQJ5HfG6fxh
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Hello
I have now completed the patch to make ipfw2 log to different syslog
priorities.
I have tested it under -CURRENT and -STABLE on i386 where it works fine.
I would like to get comments before submitting it as a PR.
The usage is quite simple :
# ipfw add deny log logprio local0.debug udp from any to me 137-140
The patch does not change the default behavior of ipfw. Therefor it also
still logs all 'limit reached on entry' messages to security.notice (the
default for the main packet log messages is security.info). I think it
would be better if 'limit reached' messages where logged with the same
priority as the actual ipfw packet log messages. That would require
changing the current behavior for packets with the default log
priority which might not be a good idea? (POLA)
A patch for 4-STABLE can be found on http://simon.nitro.dk/freebsd/ .
A few minor parts of the patch was "borrowed" from src/usr.bin/logger/.
--=20
Simon L. Nielsen
--NzB8fVQJ5HfG6fxh
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="ipfw2-syslog.patch.3"
Content-Transfer-Encoding: quoted-printable
Index: sys/netinet/ip_fw2.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /data/mirror/freebsd/ncvs/src/sys/netinet/ip_fw2.c,v
retrieving revision 1.27
diff -u -d -r1.27 ip_fw2.c
--- sys/netinet/ip_fw2.c 19 Feb 2003 05:47:34 -0000 1.27
+++ sys/netinet/ip_fw2.c 5 Mar 2003 21:54:34 -0000
@@ -418,6 +418,7 @@
char *action;
int limit_reached =3D 0;
char action2[40], proto[48], fragment[28];
+ int log_prio =3D LOG_SECURITY | LOG_INFO;
=20
fragment[0] =3D '\0';
proto[0] =3D '\0';
@@ -442,6 +443,7 @@
if (cmd->opcode =3D=3D O_PROB)
cmd +=3D F_LEN(cmd);
=20
+ log_prio =3D (int) l->prio;
action =3D action2;
switch (cmd->opcode) {
case O_DENY:
@@ -577,7 +579,7 @@
(ip_off & IP_MF) ? "+" : "");
}
if (oif || m->m_pkthdr.rcvif)
- log(LOG_SECURITY | LOG_INFO,
+ log(log_prio,
"ipfw: %d %s %s %s via %s%d%s\n",
f ? f->rulenum : -1,
action, proto, oif ? "out" : "in",
@@ -585,7 +587,7 @@
oif ? oif->if_unit : m->m_pkthdr.rcvif->if_unit,
fragment);
else
- log(LOG_SECURITY | LOG_INFO,
+ log(log_prio,
"ipfw: %d %s %s [no if info]%s\n",
f ? f->rulenum : -1,
action, proto, fragment);
Index: sys/netinet/ip_fw.h
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /data/mirror/freebsd/ncvs/src/sys/netinet/ip_fw.h,v
retrieving revision 1.75
diff -u -d -r1.75 ip_fw.h
--- sys/netinet/ip_fw.h 24 Oct 2002 22:32:13 -0000 1.75
+++ sys/netinet/ip_fw.h 5 Mar 2003 21:54:34 -0000
@@ -246,6 +246,7 @@
ipfw_insn o;
u_int32_t max_log; /* how many do we log -- 0 =3D all */
u_int32_t log_left; /* how many left to log */
+ u_int32_t prio; /* the level / facility to log to */
} ipfw_insn_log;
=20
/*
Index: sbin/ipfw/ipfw2.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /data/mirror/freebsd/ncvs/src/sbin/ipfw/ipfw2.c,v
retrieving revision 1.21
diff -u -d -r1.21 ipfw2.c
--- sbin/ipfw/ipfw2.c 12 Jan 2003 03:31:10 -0000 1.21
+++ sbin/ipfw/ipfw2.c 6 Mar 2003 23:55:14 -0000
@@ -43,6 +43,8 @@
#include <timeconv.h>
#include <unistd.h>
#include <sysexits.h>
+#define SYSLOG_NAMES
+#include <syslog.h>
=20
#include <net/if.h>
#include <netinet/in.h>
@@ -346,6 +348,70 @@
{ NULL, 0 }
};
=20
+int slogpenc(char *s);
+int slogdec(char *name, CODE *codetab);
+const char* slogpdec(int num, CODE *codetab);
+
+
+/**
+ * slogpenc encodes a symbolic name syslog facility / priority name to a
+ * numeric value
+ */
+int
+slogpenc(char *s)
+{
+ char *save;
+ int fac, lev;
+
+ for (save =3D s; *s && *s !=3D '.'; ++s);
+ if (*s) {
+ *s =3D '\0';
+ fac =3D slogdec(save, facilitynames);
+ if (fac < 0)
+ errx(1, "unknown facility name: %s", save);
+ *s++ =3D '.';
+ }
+ else {
+ fac =3D LOG_SECURITY;
+ s =3D save;
+ }
+ lev =3D slogdec(s, prioritynames);
+ if (lev < 0)
+ errx(1, "unknown priority name: %s", save);
+ return ((lev & LOG_PRIMASK) | (fac & LOG_FACMASK));
+}
+
+int
+slogdec(char *name, CODE *codetab)
+{
+ CODE *c;
+
+ if (isdigit(*name))
+ return (atoi(name));
+
+ for (c =3D codetab; c->c_name; c++)
+ if (!strcasecmp(name, c->c_name))
+ return (c->c_val);
+
+ return (-1);
+}
+
+/**
+ * slogpdec translates a log facility and priority to its symbolic name
+ */
+const char*
+slogpdec(int num, CODE *codetab)
+{
+ CODE *c;
+
+ for (c =3D codetab; c->c_name; c++)
+ if (num =3D=3D c->c_val)
+ return c->c_name;
+
+ return NULL;
+}
+
+=09
/**
* match_token takes a table and a string, returns the value associated
* with the string (0 meaning an error in most cases)
@@ -934,10 +1000,13 @@
}
}
if (logptr) {
+ printf(" log");
if (logptr->max_log > 0)
- printf(" log logamount %d", logptr->max_log);
- else
- printf(" log");
+ printf(" logamount %d", logptr->max_log);
+ if (logptr->prio !=3D (LOG_SECURITY | LOG_INFO))
+ printf(" logprio %s.%s",
+ slogpdec(logptr->prio & LOG_FACMASK, facilitynames),
+ slogpdec(LOG_PRI(logptr->prio), prioritynames));
}
=20
/*
@@ -1695,7 +1764,7 @@
{
=20
fprintf(stderr, "ipfw syntax summary:\n"
-"ipfw add [N] [prob {0..1}] ACTION [log [logamount N]] ADDR OPTIONS\n"
+"ipfw add [N] [prob {0..1}] ACTION LOG ADDR OPTIONS\n"
"ipfw {pipe|queue} N config BODY\n"
"ipfw [pipe] {zero|delete|show} [N{,N}]\n"
"\n"
@@ -1710,6 +1779,7 @@
" [ from IPLIST [ PORT ] to IPLIST [ PORTLIST ] ]\n"
"IPLIST: IPADDR | ( IPADDR or ... or IPADDR )\n"
"IPADDR: [not] { any | me | ip | ip/bits | ip:mask | ip/bits{x,y,z} }\n"
+"LOG: [log [logamount N] [logprio [facility.]level]]\n"
"OPTION_LIST: OPTION [,OPTION_LIST]\n"
);
exit(0);
@@ -2638,7 +2708,7 @@
action =3D next_cmd(action);
=20
/*
- * [log [logamount N]] -- log, optional
+ * [log [logamount N] [logprio [facility.]level]] -- log, optional
*
* If exists, it goes first in the cmdbuf, but then it is
* skipped in the copy section to the end of the buffer.
@@ -2648,6 +2718,7 @@
=20
cmd->len =3D F_INSN_SIZE(ipfw_insn_log);
cmd->opcode =3D O_LOG;
+ c->prio =3D LOG_SECURITY | LOG_INFO;
av++; ac--;
if (ac && !strncmp(*av, "logamount", strlen(*av))) {
ac--; av++;
@@ -2655,6 +2726,12 @@
c->max_log =3D atoi(*av);
if (c->max_log < 0)
errx(EX_DATAERR, "logamount must be positive");
+ ac--; av++;
+ }
+ if (ac && !strncmp(*av, "logprio", strlen(*av))) {
+ ac--; av++;
+ NEED1("logprio requires argument");
+ c->prio =3D (u_int32_t) slogpenc(*av);
ac--; av++;
}
cmd =3D next_cmd(cmd);
Index: sbin/ipfw/ipfw.8
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /data/mirror/freebsd/ncvs/src/sbin/ipfw/ipfw.8,v
retrieving revision 1.121
diff -u -d -r1.121 ipfw.8
--- sbin/ipfw/ipfw.8 3 Mar 2003 22:46:36 -0000 1.121
+++ sbin/ipfw/ipfw.8 9 Mar 2003 12:30:45 -0000
@@ -395,7 +395,10 @@
.Op Cm prob Ar match_probability
.br
.Ar " " action
-.Op Cm log Op Cm logamount Ar number
+.Oo
+.Cm log Op Cm logamount Ar number
+.Op logprio Ar pri
+.Oc
.Ar body
.Ed
.Pp
@@ -478,13 +481,15 @@
.Pp
Note: this condition is checked before any other condition, including
ones such as keep-state or check-state which might have side effects.
-.It Cm log Op Cm logamount Ar number
+.It Cm log Op Cm logamount Ar number Xo
+.Op Cm logprio Ar pri
+.Xc
When a packet matches a rule with the
.Cm log
keyword, a message will be
logged to
.Xr syslogd 8
-with a
+by default with a
.Dv LOG_SECURITY
facility.
The logging only occurs if the sysctl variable
@@ -501,6 +506,20 @@
is specified, the limit is taken from the sysctl variable
.Em net.inet.ip.fw.verbose_limit .
In both cases, a value of 0 removes the logging limit.
+The
+.Cm logprio
+parameter can be set to change the default syslog priority.
+The priority may be specified numerically or as a=20
+.Dq facility.level
+pair.
+For example,
+.Dq Cm logprio No local3.info
+logs the messages as
+.Ar info Ns rmational
+level in the
+.Ar local3
+facility. The facility may be omitted and it then defaults to
+.Dv LOG_SECURITY .
.Pp
Once the limit is reached, logging can be re-enabled by
clearing the logging counter or the packet counter for that entry, see the
@@ -510,6 +529,11 @@
Note: logging is done after all other packet matching conditions
have been successfully verified, and before performing the final
action (accept, deny, etc.) on the packet.
+.Pp
+Note: The message
+.Dq limit reached on entry
+is always logged to
+.Dq security.notice .
.El
.Ss RULE ACTIONS
A rule can be associated with one of the following actions, which
--NzB8fVQJ5HfG6fxh--
--i0/AhcQY5QxfSsSZ
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
iD8DBQE+a2AR8kocFXgPTRwRAlJIAJ4lJkNZen28lCBocmlF8f2eTJRYFwCgg2kn
IwN24og3LQM0hXdKiv+JKhA=
=b5VP
-----END PGP SIGNATURE-----
--i0/AhcQY5QxfSsSZ--
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
From owner-freebsd-ipfw Sun Mar 9 10:31:12 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
by hub.freebsd.org (Postfix) with ESMTP id 92D4B37B401
for <freebsd-ipfw@freebsd.org>; Sun, 9 Mar 2003 10:31:10 -0800 (PST)
Received: from arthur.nitro.dk (port324.ds1-khk.adsl.cybercity.dk [212.242.113.79])
by mx1.FreeBSD.org (Postfix) with ESMTP id CF5D343FA3
for <freebsd-ipfw@freebsd.org>; Sun, 9 Mar 2003 10:31:09 -0800 (PST)
(envelope-from simon@arthur.nitro.dk)
Received: by arthur.nitro.dk (Postfix, from userid 1000)
id 3745E10BF94; Sun, 9 Mar 2003 19:31:08 +0100 (CET)
Date: Sun, 9 Mar 2003 19:31:08 +0100
From: "Simon L. Nielsen" <simon@nitro.dk>
To: Andrzej Tobo??a <san@wilk.2a.pl>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Request for commets: ipfw2 syslog patch
Message-ID: <20030309183107.GC17210@nitro.dk>
References: <20030309153857.GA17210@nitro.dk> <20030309182243.GA78267@wilk.2a.pl>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="aT9PWwzfKXlsBJM1"
Content-Disposition: inline
In-Reply-To: <20030309182243.GA78267@wilk.2a.pl>
User-Agent: Mutt/1.5.3i
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG
--aT9PWwzfKXlsBJM1
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On 2003.03.09 19:22:43 +0100, Andrzej Tobo??a wrote:
> > I have now completed the patch to make ipfw2 log to different syslog
> > priorities.
> >=20
> > I have tested it under -CURRENT and -STABLE on i386 where it works fine.
> does not apply clean on just cvsuped -stable:
Sorry I should have been more clear about that. The attached patch was for
-CURRENT only. The patch for -STABLE is on my website
(http://simon.nitro.dk/freebsd/). They are almost identical so I only
posted the one for -CURRENT on the maillinglist.
Btw. note that it is only for IPFW2 on -STABLE.
freebsd-ipfw cc'ed in case anybody should have the same problem.
--=20
Simon L. Nielsen
--aT9PWwzfKXlsBJM1
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
iD8DBQE+a4hr8kocFXgPTRwRAvS8AJ9hmvBX23Q4FUXwihh+nS1GSkM26gCdGmqc
7/+vbbz5C0GJOqhRQZ7Yp9o=
=f1Cg
-----END PGP SIGNATURE-----
--aT9PWwzfKXlsBJM1--
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
From owner-freebsd-ipfw Sun Mar 9 15:46:17 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
by hub.freebsd.org (Postfix) with ESMTP
id 73C2437B401; Sun, 9 Mar 2003 15:46:15 -0800 (PST)
Received: from rwcrmhc51.attbi.com (rwcrmhc51.attbi.com [204.127.198.38])
by mx1.FreeBSD.org (Postfix) with ESMTP
id D745143F75; Sun, 9 Mar 2003 15:46:14 -0800 (PST)
(envelope-from crist.clark@attbi.com)
Received: from blossom.cjclark.org (12-234-89-252.client.attbi.com[12.234.89.252])
by rwcrmhc51.attbi.com (rwcrmhc51) with ESMTP
id <2003030923461405100kke3ke>; Sun, 9 Mar 2003 23:46:14 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1])
by blossom.cjclark.org (8.12.6/8.12.3) with ESMTP id h29NkDeq088701;
Sun, 9 Mar 2003 15:46:13 -0800 (PST)
(envelope-from crist.clark@attbi.com)
Received: (from cjc@localhost)
by blossom.cjclark.org (8.12.6/8.12.6/Submit) id h29Nk9Zj088700;
Sun, 9 Mar 2003 15:46:09 -0800 (PST)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f
Date: Sun, 9 Mar 2003 15:46:08 -0800
From: "Crist J. Clark" <crist.clark@attbi.com>
To: denb <denb@front.ru>
Cc: freebsd-net@FreeBSD.ORG, ipfw@FreeBSD.ORG
Subject: Re: Why natd don't divert packets?
Message-ID: <20030309234608.GA88267@blossom.cjclark.org>
Reply-To: "Crist J. Clark" <cjc@FreeBSD.ORG>
References: <200303070800.h2780hWF058395@www6.mailru.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200303070800.h2780hWF058395@www6.mailru.com>
User-Agent: Mutt/1.4i
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG
On Fri, Mar 07, 2003 at 11:00:43AM +0300, denb wrote:
> Why natd don't divert packets?
>
> *********screenshot***********************
>
> #ipfw add divert 1111 tcp from any to any 7
> #ipfw add divert 1111 tcp from any 7 to any
> #natd -v -p 1111 -a 172.16.0.102 -redirect_port tcp 172.16.0.253:7 7
>
> In [TCP] [TCP] 172.16.0.104:49169 -> 172.16.0.102:7 aliased to
> [TCP] 172.16.0.104:49169 -> 172.16.0.253:7
>
> In [TCP] [TCP] 172.16.0.104:49169 -> 172.16.0.102:7 aliased to
> [TCP] 172.16.0.104:49169 -> 172.16.0.253:7
>
> ^C
> *********screenshot***********************
Looks like its working perfectly.
> Where is Out[TCP]?
Dunno.
> Rules after natd running (why second rule has 0 in packets number?):
>
> *********screenshot***********************
> #ipfw show
> 0001 6 180 divert 1111 tcp from any to any dst-port 7
> 0002 0 0 divert 1111 tcp from any 7 to any
> *********screenshot***********************
Are you sure 172.16.253 is responding?
# ipfw add divert 1111 tcp from any to any 7
# ipfw add count tcp from any 7 to any
# ipfw add divert 1111 tcp from any 7 to any
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
From owner-freebsd-ipfw Sun Mar 9 17:26:46 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
by hub.freebsd.org (Postfix) with ESMTP id 7CE8037B404
for <freebsd-ipfw@freebsd.org>; Sun, 9 Mar 2003 17:26:45 -0800 (PST)
Received: from sccrmhc03.attbi.com (sccrmhc03.attbi.com [204.127.202.63])
by mx1.FreeBSD.org (Postfix) with ESMTP id 5BCDF43F75
for <freebsd-ipfw@freebsd.org>; Sun, 9 Mar 2003 17:26:44 -0800 (PST)
(envelope-from crist.clark@attbi.com)
Received: from blossom.cjclark.org (12-234-89-252.client.attbi.com[12.234.89.252])
by sccrmhc03.attbi.com (sccrmhc03) with ESMTP
id <2003031001264300300g0lvle>; Mon, 10 Mar 2003 01:26:43 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1])
by blossom.cjclark.org (8.12.6/8.12.3) with ESMTP id h2A1Qfeq088960;
Sun, 9 Mar 2003 17:26:42 -0800 (PST)
(envelope-from crist.clark@attbi.com)
Received: (from cjc@localhost)
by blossom.cjclark.org (8.12.6/8.12.6/Submit) id h2A1QbD2088959;
Sun, 9 Mar 2003 17:26:37 -0800 (PST)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f
Date: Sun, 9 Mar 2003 17:26:37 -0800
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Sean Chittenden <sean@chittenden.org>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ACK+RST useful?
Message-ID: <20030310012637.GB88267@blossom.cjclark.org>
Reply-To: "Crist J. Clark" <cjc@freebsd.org>
References: <20030303045138.GQ79234@perrin.int.nxad.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030303045138.GQ79234@perrin.int.nxad.com>
User-Agent: Mutt/1.4i
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG
On Sun, Mar 02, 2003 at 08:51:38PM -0800, Sean Chittenden wrote:
> I'm confused as to what the point of having a packet with the RST and
> ACK flags set. In legitimate use, an RST+ACK packet is only sent
> after the connection has been closed.
Nope, you are missing the most obvious circumstances that give rise to
RST|ACK, a SYN-only packet sent to a closed port.
A RST|ACK packet is sent whenever the the RST segment is a response to
a segment that had no ACK field.
> With stateful firewalls, this
> can cause a great deal of logging of packets that are legit and apart
> of the spec, but are by and large worthless as far as I can tell.
> I've read through RFC 793 and as best as I can tell and with a
> stateful firewall, it strikes me as being _okay_ to have a drop rule
> (following the check-state rule) for packets that have the RST+ACK
> bits set. Am I wrong or missing something with this assertion? -sc
Probably not a good idea. When you try to open a connection to a close
port, rather than immediately fail when the RST is received, you'll
need to wait for the timeout.
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
From owner-freebsd-ipfw Sun Mar 9 23:16:20 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
by hub.freebsd.org (Postfix) with ESMTP id 966ED37B401
for <freebsd-ipfw@FreeBSD.ORG>; Sun, 9 Mar 2003 23:16:19 -0800 (PST)
Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68])
by mx1.FreeBSD.org (Postfix) with ESMTP id 0504F43FBD
for <freebsd-ipfw@FreeBSD.ORG>; Sun, 9 Mar 2003 23:16:19 -0800 (PST)
(envelope-from rizzo@xorpc.icir.org)
Received: from xorpc.icir.org (localhost [127.0.0.1])
by xorpc.icir.org (8.12.3/8.12.3) with ESMTP id h2A7GIAq066572;
Sun, 9 Mar 2003 23:16:18 -0800 (PST)
(envelope-from rizzo@xorpc.icir.org)
Received: (from rizzo@localhost)
by xorpc.icir.org (8.12.3/8.12.3/Submit) id h2A7GIVU066571;
Sun, 9 Mar 2003 23:16:18 -0800 (PST)
(envelope-from rizzo)
Date: Sun, 9 Mar 2003 23:16:18 -0800
From: Luigi Rizzo <rizzo@icir.org>
To: "Simon L. Nielsen" <simon@nitro.dk>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Request for commets: ipfw2 syslog patch
Message-ID: <20030309231618.B66509@xorpc.icir.org>
References: <20030309153857.GA17210@nitro.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20030309153857.GA17210@nitro.dk>; from simon@nitro.dk on Sun, Mar 09, 2003 at 04:38:58PM +0100
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG
On Sun, Mar 09, 2003 at 04:38:58PM +0100, Simon L. Nielsen wrote:
>
> Hello
>
> I have now completed the patch to make ipfw2 log to different syslog
> priorities.
it looks good to me
cheers
luigi
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
From owner-freebsd-ipfw Mon Mar 10 11: 1:38 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
by hub.freebsd.org (Postfix) with ESMTP id 1861237B401
for <ipfw@freebsd.org>; Mon, 10 Mar 2003 11:01:37 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
by mx1.FreeBSD.org (Postfix) with ESMTP id 840C643FE0
for <ipfw@freebsd.org>; Mon, 10 Mar 2003 11:01:36 -0800 (PST)
(envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (peter@localhost [127.0.0.1])
by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id h2AJ1aNS004607
for <ipfw@freebsd.org>; Mon, 10 Mar 2003 11:01:36 -0800 (PST)
(envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost)
by freefall.freebsd.org (8.12.6/8.12.6/Submit) id h2AJ1ZPU004582
for ipfw@freebsd.org; Mon, 10 Mar 2003 11:01:35 -0800 (PST)
Date: Mon, 10 Mar 2003 11:01:35 -0800 (PST)
Message-Id: <200303101901.h2AJ1ZPU004582@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster <bugmaster@freebsd.org>
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG
Current FreeBSD problem reports
Critical problems
Serious problems
S Submitted Tracker Resp. Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557 ipfw ipfw pipe show fails with lots of queues
1 problem total.
Non-critical problems
S Submitted Tracker Resp. Description
-------------------------------------------------------------------------------
o [2002/12/07] kern/46080 ipfw [PATCH] logamount in ipfw2 does not defau
o [2003/01/05] bin/46785 ipfw [patch] add sets information to ipfw2 -h
o [2003/01/15] bin/47120 ipfw [patch] Sanity check in ipfw(8)
o [2003/01/18] bin/47196 ipfw ipfw won't format correctly output from '
4 problems total.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
From owner-freebsd-ipfw Tue Mar 11 5:52:29 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
by hub.freebsd.org (Postfix) with ESMTP id 677FD37B401
for <freebsd-ipfw@FreeBSD.ORG>; Tue, 11 Mar 2003 05:52:28 -0800 (PST)
Received: from trillian.nitro.dk (port324.ds1-khk.adsl.cybercity.dk [212.242.113.79])
by mx1.FreeBSD.org (Postfix) with ESMTP id 7120843F75
for <freebsd-ipfw@FreeBSD.ORG>; Tue, 11 Mar 2003 05:52:27 -0800 (PST)
(envelope-from simon@trillian.nitro.dk)
Received: by trillian.nitro.dk (Postfix, from userid 1000)
id C38032E378; Tue, 11 Mar 2003 14:52:25 +0100 (CET)
Date: Tue, 11 Mar 2003 14:52:25 +0100
From: "Simon L. Nielsen" <simon@nitro.dk>
To: Luigi Rizzo <rizzo@icir.org>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Request for commets: ipfw2 syslog patch
Message-ID: <20030311135225.GC76087@nitro.dk>
References: <20030309153857.GA17210@nitro.dk> <20030309231618.B66509@xorpc.icir.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="gj572EiMnwbLXET9"
Content-Disposition: inline
In-Reply-To: <20030309231618.B66509@xorpc.icir.org>
User-Agent: Mutt/1.5.3i
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG
--gj572EiMnwbLXET9
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On 2003.03.09 23:16:18 -0800, Luigi Rizzo wrote:
> On Sun, Mar 09, 2003 at 04:38:58PM +0100, Simon L. Nielsen wrote:
> > I have now completed the patch to make ipfw2 log to different syslog
> > priorities.
> it looks good to me
Ok, thanks for looking at it. It is now filed as PR/49086.
--=20
Simon L. Nielsen
--gj572EiMnwbLXET9
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
iD8DBQE+beoZ8kocFXgPTRwRAlmOAJ92h1Nlw1Bs+dsDpTbbajLuPDT3qwCgzdJZ
UCAtE6CDFKw1GFCGkYmpzOA=
=cM6Q
-----END PGP SIGNATURE-----
--gj572EiMnwbLXET9--
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
From owner-freebsd-ipfw Tue Mar 11 16:23:43 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
by hub.freebsd.org (Postfix) with ESMTP id 38BB937B401
for <freebsd-ipfw@freebsd.org>; Tue, 11 Mar 2003 16:23:42 -0800 (PST)
Received: from cocono.com.tw (170-142.kingnet.net.tw [61.57.170.142])
by mx1.FreeBSD.org (Postfix) with ESMTP id 842E543FBD
for <freebsd-ipfw@freebsd.org>; Tue, 11 Mar 2003 16:23:39 -0800 (PST)
(envelope-from ibenz@cocono.com.tw)
From: acom@cm.com.tw
To: freebsd-ipfw@freebsd.org
Subject: =?ISO-8859-1?B?pOmxYKXOq36kV7r0wco=?=
Reply-To: com@cc.com.tw
Date: 12 Mar 2003 08:22:14 +0800
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <20030312002339.842E543FBD@mx1.FreeBSD.org>
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=big5">
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>您有下列特質嗎</title>
</head>
<body>
<table width="600" border="0">
<tbody>
<tr>
<td width="100%" bgColor="#ffccff"><font size="6"><b><a href="home.kimo.com.tw/amity508"><span style="BACKGROUND-COLOR: #ffccff">
<marquee>勁爆!!震撼!!</marquee>
</span></a></b></font></td>
</tr>
<tr>
<td width="100%" bgColor="#ff9933"><font color="#800000" size="3"><b>您有下列特質嗎?</b></font></td>
</tr>
<tr>
<td width="100%" bgColor="#ffcc00"><b><font color="#cc0000" size="5"><a href="http://home.kimo.com.tw/amity508">1.事業企圖心</a></font></b></td>
</tr>
<tr>
<td width="100%" bgColor="#ffcc00"><b><font color="#cc0000" size="5"><a href="http://home.kimo.com.tw/amity508">2.不甘心平凡</a></font></b></td>
</tr>
<tr>
<td width="100%" bgColor="#ffcc00"><b><font color="#cc0000" size="5"><a href="http://home.kimo.com.tw/amity508">3.不滿於現狀</a></font></b></td>
</tr>
<tr>
<td width="100%" bgColor="#ffcc00"><b><font color="#cc0000" size="5"><a href="http://home.kimo.com.tw/amity508">4.勇於面對未來</a></font></b></td>
</tr>
<tr>
<td width="100%" bgColor="#ff9933"><b><font color="#800000">只要您擁有上列特質,我們將<a href="http://home.kimo.com.tw/amity508"><font size="4">免費培訓</font></a>您所有相關技職能力,提供您結合網路、實體,食衣住行、
吃喝玩樂的<a href="http://home.kimo.com.tw/amity508"><font size="4">通路事業</font></a>!<a href="http://home.kimo.com.tw/amity508"><font size="4">點選我</font></a>,您就可以得到!<br>
ps:將會有專人為您詳細解說喔!</font></b></td>
</tr>
<tr>
<td width="100%" bgColor="#ffcc00"><span style="BACKGROUND-COLOR: #ffff00"><a href="http://home.kimo.com.tw/amity508"><img src="104_banner.gif" border="0" width="468" height="60"></a>
<a href="http://home.kimo.com.tw/amity508"><img src="AD1.gif" border="0" width="120" height="60"></a></span></td>
</tr>
</tbody>
</table>
</body>
</html>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
From owner-freebsd-ipfw Wed Mar 12 0: 6:32 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
by hub.freebsd.org (Postfix) with ESMTP id 5DDF637B401
for <ipfw@freebsd.org>; Wed, 12 Mar 2003 00:06:26 -0800 (PST)
Received: from sccrmhc02.attbi.com (sccrmhc02.attbi.com [204.127.202.62])
by mx1.FreeBSD.org (Postfix) with ESMTP id 61E1543FBD
for <ipfw@freebsd.org>; Wed, 12 Mar 2003 00:06:25 -0800 (PST)
(envelope-from crist.clark@attbi.com)
Received: from blossom.cjclark.org (12-234-89-252.client.attbi.com[12.234.89.252])
by sccrmhc02.attbi.com (sccrmhc02) with ESMTP
id <2003031208062400200mlpbhe>; Wed, 12 Mar 2003 08:06:24 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1])
by blossom.cjclark.org (8.12.6/8.12.3) with ESMTP id h2C86Meq042945
for <ipfw@freebsd.org>; Wed, 12 Mar 2003 00:06:23 -0800 (PST)
(envelope-from crist.clark@attbi.com)
Received: (from cjc@localhost)
by blossom.cjclark.org (8.12.6/8.12.6/Submit) id h2C86MuX042944
for ipfw@freebsd.org; Wed, 12 Mar 2003 00:06:22 -0800 (PST)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f
Date: Wed, 12 Mar 2003 00:06:22 -0800
From: "Crist J. Clark" <crist.clark@attbi.com>
To: ipfw@freebsd.org
Subject: Anti-Spoofing Option
Message-ID: <20030312080622.GA42446@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="yrj/dFKFPuw6o+aM"
Content-Disposition: inline
User-Agent: Mutt/1.4i
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG
--yrj/dFKFPuw6o+aM
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
I've created a new option for ipfw(8) (IPFW2-only to be exact) that
basically does automatic anti-spoofing. I've called the knob,
"verrevpath," in honor of the Cisco command,
ip verify unicast reverse-path
When the option is specified in a rule, a packet tested against the
rule matches iff,
a) The packet is _not_ entering the system, or
b) The packet is coming into the interface that traffic sent to the
packet's source address would go out of.
For example, take a firewall with three interfaces,
Internet}---if0[Firewall]if1---{192.168.0.0/24
--
if2---{172.16.0.0/16
Any packets arriving on if0 with a source of 192.168.0.0/24 or
172.16.0.0/16 will not match a rule with 'verrevpath.' Likewise,
anything coming in on if1 that doesn't have a source of 192.168.0.0/24
will not match, nor will anything on if2 without a 172.16.0.0/16
source.
To turn on anti-spoofing on a firewall, put,
# ipfw add 100 pass ip from any to any verrevpath
Before any other rules. All done (well, only if you're not using
dynamic rules).
The check is done by simply getting the route for the source of the
packet and making sure the interface the route goes out on is the same
as the one the packet arrived on.
Of course, the really interesting appeal of this may not necessarily
for "firewalls," but for routers running dynamic routing protocols
(which is why I was thinking sysctl(8) at first).
Patch for CURRENT is attached. It should apply to STABLE (make sure to
patch ip_fw2.h rather than ip_fw.h), but I've had a little trouble
getting IPFW2 running right on my STABLE crash box so I have not
tested it.
Now, some discussion. I originally was just going to implement a
sysctl(8) knob that did the check in ip_input() for every packet. But
after starting on that, it occured to me that it might be better as a
firewall action. I started doing that when I realized that it doesn't
really work well as a firewall action. I went back to a sysctl(8)
until I decided that it would work fine as a firewall option. I'm not
100% on any of those choices yet.
One of the problems I had with making it an action (and one of the
initial reasons I leaned away from a sysctl(8) knob) is how to handle
logging. And I'm still not happy with the logging issue. It would be
nice to somehow include in the logs that the packet was dropped
because there was a RPF problem and log the incoming interface and
where we expected such a packet to come from. Right now, there is no
logging angle. Making it an action could give you more ways to go
there, but how do you tell it to log only failures? To log failure and
success? To log neither? (Actually, that's pretty easy to do, but the
rules would get ugly lookin'.)
Anyone have any ideas on how to improve on this before I commit it
(after which making major changes is less desirable)? Ideas how to do
the logging better? Keep in mind that I don't want to have to put
terrible, ugly hacks in luigi's purty IPFW2 code to implement any
suggestions.
Oh, and of course, please test it. Also, some thoughts about
configurations where this option can break things (like when you are
purposely doing asymmetric routing) and any creative uses.
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
--yrj/dFKFPuw6o+aM
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="ipfw_verrevpath_5.patch"
Index: src/sys/netinet/ip_fw2.c
===================================================================
RCS file: /export/freebsd/ncvs/src/sys/netinet/ip_fw2.c,v
retrieving revision 1.27
diff -u -r1.27 ip_fw2.c
--- src/sys/netinet/ip_fw2.c 19 Feb 2003 05:47:34 -0000 1.27
+++ src/sys/netinet/ip_fw2.c 12 Mar 2003 07:16:11 -0000
@@ -402,6 +402,43 @@
return(0); /* no match, fail ... */
}
+/*
+ * The 'verrevpath' option checks that the interface that an IP packet
+ * arrives on is the same interface that traffic destined for the
+ * packet's source address would be routed out of. This is a measure
+ * to block forged packets. This is also commonly known as "anti-spoofing"
+ * or Unicast Reverse Path Forwarding (Unicast RFP) in Cisco-ese. The
+ * name of the knob is purposely reminisent of the Cisco IOS command,
+ *
+ * ip verify unicast reverse-path
+ *
+ * which implements the same functionality. But note that syntax is
+ * misleading. The check may be performed on all IP packets whether unicast,
+ * multicast, or broadcast.
+ */
+static int
+verify_rev_path(struct in_addr src, struct ifnet *ifp)
+{
+ struct route ro;
+ struct sockaddr_in *dst;
+
+ dst = (struct sockaddr_in *)&(ro.ro_dst);
+ ro.ro_rt = NULL;
+
+ bzero(dst, sizeof(*dst));
+ dst->sin_family = AF_INET;
+ dst->sin_len = sizeof(*dst);
+ dst->sin_addr = src;
+
+ rtalloc_ign(&ro, RTF_CLONING|RTF_PRCLONING);
+ if ((ro.ro_rt == NULL) || (ifp == NULL) ||
+ (ro.ro_rt->rt_ifp->if_index != ifp->if_index))
+ return 0;
+
+ return 1;
+}
+
+
static u_int64_t norule_counter; /* counter for ipfw_log(NULL...) */
#define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0
@@ -1755,6 +1792,13 @@
match = (random()<((ipfw_insn_u32 *)cmd)->d[0]);
break;
+ case O_VERREVPATH:
+ /* Outgoing packets automatically pass/match */
+ match = ((oif != NULL) ||
+ (m->m_pkthdr.rcvif == NULL) ||
+ verify_rev_path(src_ip, m->m_pkthdr.rcvif));
+ break;
+
/*
* The second set of opcodes represents 'actions',
* i.e. the terminal part of a rule once the packet
@@ -2322,6 +2366,7 @@
case O_TCPFLAGS:
case O_TCPOPTS:
case O_ESTAB:
+ case O_VERREVPATH:
if (cmdlen != F_INSN_SIZE(ipfw_insn))
goto bad_size;
break;
Index: src/sys/netinet/ip_fw.h
===================================================================
RCS file: /export/freebsd/ncvs/src/sys/netinet/ip_fw.h,v
retrieving revision 1.75
diff -u -r1.75 ip_fw.h
--- src/sys/netinet/ip_fw.h 24 Oct 2002 22:32:13 -0000 1.75
+++ src/sys/netinet/ip_fw.h 11 Mar 2003 19:10:10 -0000
@@ -89,6 +89,8 @@
O_ICMPTYPE, /* u32 = icmp bitmap */
O_TCPOPTS, /* arg1 = 2*u8 bitmap */
+ O_VERREVPATH, /* none */
+
O_PROBE_STATE, /* none */
O_KEEP_STATE, /* none */
O_LIMIT, /* ipfw_insn_limit */
Index: src/sbin/ipfw/ipfw2.c
===================================================================
RCS file: /export/freebsd/ncvs/src/sbin/ipfw/ipfw2.c,v
retrieving revision 1.21
diff -u -r1.21 ipfw2.c
--- src/sbin/ipfw/ipfw2.c 12 Jan 2003 03:31:10 -0000 1.21
+++ src/sbin/ipfw/ipfw2.c 11 Mar 2003 19:09:38 -0000
@@ -224,6 +224,7 @@
TOK_ICMPTYPES,
TOK_MAC,
TOK_MACTYPE,
+ TOK_VERREVPATH,
TOK_PLR,
TOK_NOERROR,
@@ -333,6 +334,7 @@
{ "MAC", TOK_MAC },
{ "mac", TOK_MAC },
{ "mac-type", TOK_MACTYPE },
+ { "verrevpath", TOK_VERREVPATH },
{ "not", TOK_NOT }, /* pseudo option */
{ "!", /* escape ? */ TOK_NOT }, /* pseudo option */
@@ -1161,6 +1163,10 @@
}
break;
+ case O_VERREVPATH:
+ printf(" verrevpath");
+ break;
+
case O_KEEP_STATE:
printf(" keep-state");
break;
@@ -3132,6 +3138,10 @@
ac--; av++;
break;
+ case TOK_VERREVPATH:
+ fill_cmd(cmd, O_VERREVPATH, 0, 0);
+ break;
+
default:
errx(EX_USAGE, "unrecognised option [%d] %s\n", i, s);
}
--yrj/dFKFPuw6o+aM--
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
From owner-freebsd-ipfw Wed Mar 12 0:15:40 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
by hub.freebsd.org (Postfix) with ESMTP id 6D3BE37B401
for <ipfw@freebsd.org>; Wed, 12 Mar 2003 00:15:39 -0800 (PST)
Received: from sccrmhc01.attbi.com (sccrmhc01.attbi.com [204.127.202.61])
by mx1.FreeBSD.org (Postfix) with ESMTP id 957F743F85
for <ipfw@freebsd.org>; Wed, 12 Mar 2003 00:15:38 -0800 (PST)
(envelope-from crist.clark@attbi.com)
Received: from blossom.cjclark.org (12-234-89-252.client.attbi.com[12.234.89.252])
by sccrmhc01.attbi.com (sccrmhc01) with ESMTP
id <200303120815370010039afde>; Wed, 12 Mar 2003 08:15:37 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1])
by blossom.cjclark.org (8.12.6/8.12.3) with ESMTP id h2C8Faeq042991
for <ipfw@freebsd.org>; Wed, 12 Mar 2003 00:15:36 -0800 (PST)
(envelope-from crist.clark@attbi.com)
Received: (from cjc@localhost)
by blossom.cjclark.org (8.12.6/8.12.6/Submit) id h2C8FaFl042990
for ipfw@freebsd.org; Wed, 12 Mar 2003 00:15:36 -0800 (PST)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f
Date: Wed, 12 Mar 2003 00:15:36 -0800
From: "Crist J. Clark" <crist.clark@attbi.com>
To: ipfw@freebsd.org
Subject: Re: Anti-Spoofing Option
Message-ID: <20030312081536.GB42446@blossom.cjclark.org>
Reply-To: "Crist J. Clark" <cjc@freebsd.org>
References: <20030312080622.GA42446@blossom.cjclark.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030312080622.GA42446@blossom.cjclark.org>
User-Agent: Mutt/1.4i
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG
On Wed, Mar 12, 2003 at 12:06:22AM -0800, Crist J. Clark wrote:
[snip]
> To turn on anti-spoofing on a firewall, put,
>
> # ipfw add 100 pass ip from any to any verrevpath
>
> Before any other rules. All done (well, only if you're not using
> dynamic rules).
Whoa. Must be getting late. You probably don't want to do that on your
firewall. That was for showing the only rule you need on a router
where you only want to enable antispoofing.
To turn on anti-spoofing for a stateless packet filter, start with,
# ipfw add 100 deny ip from any to any not verrevpath in
That is deny incoming packets that don't pass the 'verrevpath' check.
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
From owner-freebsd-ipfw Wed Mar 12 1:46:11 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
by hub.freebsd.org (Postfix) with ESMTP id A8EDB37B405
for <ipfw@FreeBSD.ORG>; Wed, 12 Mar 2003 01:46:09 -0800 (PST)
Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68])
by mx1.FreeBSD.org (Postfix) with ESMTP id 1452A43F85
for <ipfw@FreeBSD.ORG>; Wed, 12 Mar 2003 01:46:09 -0800 (PST)
(envelope-from rizzo@xorpc.icir.org)
Received: from xorpc.icir.org (localhost [127.0.0.1])
by xorpc.icir.org (8.12.3/8.12.3) with ESMTP id h2C9k0Aq098727;
Wed, 12 Mar 2003 01:46:00 -0800 (PST)
(envelope-from rizzo@xorpc.icir.org)
Received: (from rizzo@localhost)
by xorpc.icir.org (8.12.3/8.12.3/Submit) id h2C9k0wn098726;
Wed, 12 Mar 2003 01:46:00 -0800 (PST)
(envelope-from rizzo)
Date: Wed, 12 Mar 2003 01:46:00 -0800
From: Luigi Rizzo <rizzo@icir.org>
To: cjclark@alum.mit.edu
Cc: ipfw@FreeBSD.ORG
Subject: Re: Anti-Spoofing Option
Message-ID: <20030312014600.A96366@xorpc.icir.org>
References: <20030312080622.GA42446@blossom.cjclark.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20030312080622.GA42446@blossom.cjclark.org>; from crist.clark@attbi.com on Wed, Mar 12, 2003 at 12:06:22AM -0800
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG
any idea on the cost (time ?) of the processing of verrevpath ?
I am not sure on what rtalloc_ign() does, whether it allocates
memory or not, etc.
E.g. it would be nice if you had some comparison of the pps throughput of
ipfw add 100 pass ip from any to any verrevpath
vs.
ipfw add 100 pass ip from any to any
on some system (maybe you should take a slow box or you
won't see much degradation as there are spare CPU cycles even
when the interface is maxed out).
cheers
luigi
On Wed, Mar 12, 2003 at 12:06:22AM -0800, Crist J. Clark wrote:
> I've created a new option for ipfw(8) (IPFW2-only to be exact) that
> basically does automatic anti-spoofing. I've called the knob,
> "verrevpath," in honor of the Cisco command,
>
> ip verify unicast reverse-path
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
From owner-freebsd-ipfw Wed Mar 12 2:17: 7 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
by hub.freebsd.org (Postfix) with ESMTP
id 99D3937B404; Wed, 12 Mar 2003 02:17:05 -0800 (PST)
Received: from jbloom.org (reyim.ne.client2.attbi.com [24.60.104.96])
by mx1.FreeBSD.org (Postfix) with ESMTP
id 7B77943FDF; Wed, 12 Mar 2003 02:17:04 -0800 (PST)
(envelope-from bloom@acm.org)
Received: from acm.org (jmblap.jbloom.org [172.17.235.110])
by jbloom.org (8.12.8/8.12.7) with ESMTP id h2CAH2li041629;
Wed, 12 Mar 2003 05:17:03 -0500 (EST)
(envelope-from bloom@acm.org)
Message-ID: <3E6F090D.1080506@acm.org>
Date: Wed, 12 Mar 2003 05:16:45 -0500
From: Jim Bloom <bloom@acm.org>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: "Crist J. Clark" <cjc@FreeBSD.ORG>
Cc: ipfw@FreeBSD.ORG
Subject: Re: Anti-Spoofing Option
References: <20030312080622.GA42446@blossom.cjclark.org> <20030312081536.GB42446@blossom.cjclark.org>
In-Reply-To: <20030312081536.GB42446@blossom.cjclark.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG
Sound like a nice idea for firewalls. I haven't looked at the code closely yet,
but how does it handle the loopback interface? Packets within the machine to
any of its interfaces get sent via the loopback interface but could have any of
the machine's addresses.
My current first rule is
# ipfw add 100 pass any to any via lo0
Also, will this pickup IPv6 as well?
Jim Bloom
Crist J. Clark wrote:
> On Wed, Mar 12, 2003 at 12:06:22AM -0800, Crist J. Clark wrote:
> [snip]
>
>
>>To turn on anti-spoofing on a firewall, put,
>>
>> # ipfw add 100 pass ip from any to any verrevpath
>>
>>Before any other rules. All done (well, only if you're not using
>>dynamic rules).
>
>
> Whoa. Must be getting late. You probably don't want to do that on your
> firewall. That was for showing the only rule you need on a router
> where you only want to enable antispoofing.
>
> To turn on anti-spoofing for a stateless packet filter, start with,
>
> # ipfw add 100 deny ip from any to any not verrevpath in
>
> That is deny incoming packets that don't pass the 'verrevpath' check.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
From owner-freebsd-ipfw Wed Mar 12 9:20:11 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
by hub.freebsd.org (Postfix) with ESMTP id 833EE37B401
for <ipfw@freebsd.org>; Wed, 12 Mar 2003 09:20:10 -0800 (PST)
Received: from rwcrmhc51.attbi.com (rwcrmhc51.attbi.com [204.127.198.38])
by mx1.FreeBSD.org (Postfix) with ESMTP id 51BA743FD7
for <ipfw@freebsd.org>; Wed, 12 Mar 2003 09:20:07 -0800 (PST)
(envelope-from crist.clark@attbi.com)
Received: from blossom.cjclark.org (12-234-89-252.client.attbi.com[12.234.89.252])
by rwcrmhc51.attbi.com (rwcrmhc51) with ESMTP
id <2003031217200605100smo00e>; Wed, 12 Mar 2003 17:20:06 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1])
by blossom.cjclark.org (8.12.6/8.12.3) with ESMTP id h2CHK5eq016184;
Wed, 12 Mar 2003 09:20:05 -0800 (PST)
(envelope-from crist.clark@attbi.com)
Received: (from cjc@localhost)
by blossom.cjclark.org (8.12.6/8.12.6/Submit) id h2CHK5PU016183;
Wed, 12 Mar 2003 09:20:05 -0800 (PST)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f
Date: Wed, 12 Mar 2003 09:20:05 -0800
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Luigi Rizzo <rizzo@icir.org>
Cc: ipfw@FreeBSD.ORG
Subject: Re: Anti-Spoofing Option
Message-ID: <20030312172005.GA16143@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20030312080622.GA42446@blossom.cjclark.org> <20030312014600.A96366@xorpc.icir.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030312014600.A96366@xorpc.icir.org>
User-Agent: Mutt/1.4i
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG
On Wed, Mar 12, 2003 at 01:46:00AM -0800, Luigi Rizzo wrote:
> any idea on the cost (time ?) of the processing of verrevpath ?
> I am not sure on what rtalloc_ign() does, whether it allocates
> memory or not, etc.
>
> E.g. it would be nice if you had some comparison of the pps throughput of
>
> ipfw add 100 pass ip from any to any verrevpath
>
> vs.
>
> ipfw add 100 pass ip from any to any
>
> on some system (maybe you should take a slow box or you
> won't see much degradation as there are spare CPU cycles even
> when the interface is maxed out).
Oh-ho, I got slow boxes to test on. I'll set up some runs.
However, I don't think this would be too great of a hit. After all,
this is what is done for each packet leaving the system already. The
code to look up the route is pretty much identical to how it is done
in ip_output().
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
From owner-freebsd-ipfw Wed Mar 12 9:38:23 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
by hub.freebsd.org (Postfix) with ESMTP id 9DBAA37B404
for <ipfw@freebsd.org>; Wed, 12 Mar 2003 09:38:21 -0800 (PST)
Received: from sccrmhc01.attbi.com (sccrmhc01.attbi.com [204.127.202.61])
by mx1.FreeBSD.org (Postfix) with ESMTP id 7143C43F3F
for <ipfw@freebsd.org>; Wed, 12 Mar 2003 09:38:20 -0800 (PST)
(envelope-from crist.clark@attbi.com)
Received: from blossom.cjclark.org (12-234-89-252.client.attbi.com[12.234.89.252])
by sccrmhc01.attbi.com (sccrmhc01) with ESMTP
id <2003031217381900100c07i6e>; Wed, 12 Mar 2003 17:38:19 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1])
by blossom.cjclark.org (8.12.6/8.12.3) with ESMTP id h2CHcIeq016267;
Wed, 12 Mar 2003 09:38:18 -0800 (PST)
(envelope-from crist.clark@attbi.com)
Received: (from cjc@localhost)
by blossom.cjclark.org (8.12.6/8.12.6/Submit) id h2CHcI81016266;
Wed, 12 Mar 2003 09:38:18 -0800 (PST)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f
Date: Wed, 12 Mar 2003 09:38:18 -0800
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Jim Bloom <bloom@acm.org>
Cc: ipfw@FreeBSD.ORG
Subject: Re: Anti-Spoofing Option
Message-ID: <20030312173818.GB16143@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20030312080622.GA42446@blossom.cjclark.org> <20030312081536.GB42446@blossom.cjclark.org> <3E6F090D.1080506@acm.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3E6F090D.1080506@acm.org>
User-Agent: Mutt/1.4i
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG
On Wed, Mar 12, 2003 at 05:16:45AM -0500, Jim Bloom wrote:
> Sound like a nice idea for firewalls. I haven't looked at the code closely
> yet, but how does it handle the loopback interface? Packets within the
> machine to any of its interfaces get sent via the loopback interface but
> could have any of the machine's addresses.
This should work fine. It's pretty simple to figure out if something
will work or not. Take the source address, "src," and do a,
# route get src
If the interface returned is the same as the receiving interface, you
are OK. So,
# route get 127.1
route to: localhost
destination: localhost
interface: lo0
flags: <UP,HOST,DONE,LOCAL>
recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire
49152 49152 0 54 50 0 16384 0
So, 127.1 to 127.1 communication will work fine. For an address
assigned to an interface, you should get the a similar result. That
means packets with that source address coming in on lo0 are kosher.
> My current first rule is
>
> # ipfw add 100 pass any to any via lo0
>
> Also, will this pickup IPv6 as well?
Will that rule? No. You need to use ip6fw(8) for IPv6 firewalling, and
no, I haven't added 'verrevpath' to ip6fw(8).
Actually, it would be a really cool project for someone were to merge
ipfw(8) and ip6fw(8) using the IPFW2 architecture.
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
From owner-freebsd-ipfw Wed Mar 12 10:23:40 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
by hub.freebsd.org (Postfix) with ESMTP id 3352837B405
for <ipfw@freebsd.org>; Wed, 12 Mar 2003 10:23:37 -0800 (PST)
Received: from smtp.a1poweruser.com (oh-chardon6a-34.clvhoh.adelphia.net [68.169.105.34])
by mx1.FreeBSD.org (Postfix) with ESMTP id 348BF43F93
for <ipfw@freebsd.org>; Wed, 12 Mar 2003 10:23:35 -0800 (PST)
(envelope-from barbish@a1poweruser.com)
Received: from barbish (lanwin2 [10.0.10.6])
by smtp.a1poweruser.com (Postfix) with SMTP
id 1FDBD1EF; Wed, 12 Mar 2003 13:32:38 -0500 (EST)
Reply-To: <barbish@a1poweruser.com>
From: "JoeB" <barbish@a1poweruser.com>
To: <cjclark@alum.mit.edu>, <ipfw@freebsd.org>
Subject: RE: Anti-Spoofing Option
Date: Wed, 12 Mar 2003 13:23:33 -0500
Message-ID: <MIEPLLIBMLEEABPDBIEGGECLDIAA.barbish@a1poweruser.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <20030312080622.GA42446@blossom.cjclark.org>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG
This is a half baked idea. Any rule option that only works on
stateless rules is incomplete. This option needs more development so
it will function correctly in an rule set that contains dynamic
rules generated by the keep-state option. Dynamic rules are an
integral part of IPFW and nothing should be allowed into IPFW that
will give the misguided impression that the exclusive use of
stateless rules result in a firewall that will provide adequate
protection in today's world.
-----Original Message-----
From: owner-freebsd-ipfw@FreeBSD.ORG
[mailto:owner-freebsd-ipfw@FreeBSD.ORG]On Behalf Of Crist J. Clark
Sent: Wednesday, March 12, 2003 3:06 AM
To: ipfw@freebsd.org
Subject: Anti-Spoofing Option
I've created a new option for ipfw(8) (IPFW2-only to be exact) that
basically does automatic anti-spoofing. I've called the knob,
"verrevpath," in honor of the Cisco command,
ip verify unicast reverse-path
When the option is specified in a rule, a packet tested against the
rule matches iff,
a) The packet is _not_ entering the system, or
b) The packet is coming into the interface that traffic sent to
the
packet's source address would go out of.
For example, take a firewall with three interfaces,
Internet}---if0[Firewall]if1---{192.168.0.0/24
--
if2---{172.16.0.0/16
Any packets arriving on if0 with a source of 192.168.0.0/24 or
172.16.0.0/16 will not match a rule with 'verrevpath.' Likewise,
anything coming in on if1 that doesn't have a source of
192.168.0.0/24
will not match, nor will anything on if2 without a 172.16.0.0/16
source.
To turn on anti-spoofing on a firewall, put,
# ipfw add 100 pass ip from any to any verrevpath
Before any other rules. All done (well, only if you're not using
dynamic rules).
The check is done by simply getting the route for the source of the
packet and making sure the interface the route goes out on is the
same
as the one the packet arrived on.
Of course, the really interesting appeal of this may not necessarily
for "firewalls," but for routers running dynamic routing protocols
(which is why I was thinking sysctl(8) at first).
Patch for CURRENT is attached. It should apply to STABLE (make sure
to
patch ip_fw2.h rather than ip_fw.h), but I've had a little trouble
getting IPFW2 running right on my STABLE crash box so I have not
tested it.
Now, some discussion. I originally was just going to implement a
sysctl(8) knob that did the check in ip_input() for every packet.
But
after starting on that, it occured to me that it might be better as
a
firewall action. I started doing that when I realized that it
doesn't
really work well as a firewall action. I went back to a sysctl(8)
until I decided that it would work fine as a firewall option. I'm
not
100% on any of those choices yet.
One of the problems I had with making it an action (and one of the
initial reasons I leaned away from a sysctl(8) knob) is how to
handle
logging. And I'm still not happy with the logging issue. It would be
nice to somehow include in the logs that the packet was dropped
because there was a RPF problem and log the incoming interface and
where we expected such a packet to come from. Right now, there is no
logging angle. Making it an action could give you more ways to go
there, but how do you tell it to log only failures? To log failure
and
success? To log neither? (Actually, that's pretty easy to do, but
the
rules would get ugly lookin'.)
Anyone have any ideas on how to improve on this before I commit it
(after which making major changes is less desirable)? Ideas how to
do
the logging better? Keep in mind that I don't want to have to put
terrible, ugly hacks in luigi's purty IPFW2 code to implement any
suggestions.
Oh, and of course, please test it. Also, some thoughts about
configurations where this option can break things (like when you are
purposely doing asymmetric routing) and any creative uses.
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
From owner-freebsd-ipfw Wed Mar 12 10:58:39 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
by hub.freebsd.org (Postfix) with ESMTP id D174A37B401
for <ipfw@freebsd.org>; Wed, 12 Mar 2003 10:58:35 -0800 (PST)
Received: from sccrmhc03.attbi.com (sccrmhc03.attbi.com [204.127.202.63])
by mx1.FreeBSD.org (Postfix) with ESMTP id DBD8343FCB
for <ipfw@freebsd.org>; Wed, 12 Mar 2003 10:58:34 -0800 (PST)
(envelope-from crist.clark@attbi.com)
Received: from blossom.cjclark.org (12-234-89-252.client.attbi.com[12.234.89.252])
by sccrmhc03.attbi.com (sccrmhc03) with ESMTP
id <20030312185833003002nvvfe>; Wed, 12 Mar 2003 18:58:34 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1])
by blossom.cjclark.org (8.12.6/8.12.3) with ESMTP id h2CIwWeq016570;
Wed, 12 Mar 2003 10:58:32 -0800 (PST)
(envelope-from crist.clark@attbi.com)
Received: (from cjc@localhost)
by blossom.cjclark.org (8.12.6/8.12.6/Submit) id h2CIwVR2016569;
Wed, 12 Mar 2003 10:58:31 -0800 (PST)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f
Date: Wed, 12 Mar 2003 10:58:30 -0800
From: "Crist J. Clark" <crist.clark@attbi.com>
To: JoeB <barbish@a1poweruser.com>
Cc: ipfw@freebsd.org
Subject: Re: Anti-Spoofing Option
Message-ID: <20030312185830.GC16143@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20030312080622.GA42446@blossom.cjclark.org> <MIEPLLIBMLEEABPDBIEGGECLDIAA.barbish@a1poweruser.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <MIEPLLIBMLEEABPDBIEGGECLDIAA.barbish@a1poweruser.com>
User-Agent: Mutt/1.4i
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG
On Wed, Mar 12, 2003 at 01:23:33PM -0500, JoeB wrote:
> This is a half baked idea. Any rule option that only works on
> stateless rules is incomplete. This option needs more development so
> it will function correctly in an rule set that contains dynamic
> rules generated by the keep-state option. Dynamic rules are an
> integral part of IPFW and nothing should be allowed into IPFW that
> will give the misguided impression that the exclusive use of
> stateless rules result in a firewall that will provide adequate
> protection in today's world.
Uh, where does it say that it doesn't work with dynamic rules? The
examples I gave were stateless because it's easier to give
free-standing examples. The reason I made it a option rather than an
action was specfically to make it work better in dynamic rules. This,
# ipfw add 1000 pass ip from ${internal_net} to any verrevpath in via ${if}
Will work fine and check that the returning packets that otherwise
match the dynamic rule are also not spoofed.
> -----Original Message-----
> From: owner-freebsd-ipfw@FreeBSD.ORG
> [mailto:owner-freebsd-ipfw@FreeBSD.ORG]On Behalf Of Crist J. Clark
> Sent: Wednesday, March 12, 2003 3:06 AM
> To: ipfw@freebsd.org
> Subject: Anti-Spoofing Option
>
> I've created a new option for ipfw(8) (IPFW2-only to be exact) that
> basically does automatic anti-spoofing. I've called the knob,
> "verrevpath," in honor of the Cisco command,
>
> ip verify unicast reverse-path
>
> When the option is specified in a rule, a packet tested against the
> rule matches iff,
>
> a) The packet is _not_ entering the system, or
>
> b) The packet is coming into the interface that traffic sent to
> the
> packet's source address would go out of.
>
> For example, take a firewall with three interfaces,
>
> Internet}---if0[Firewall]if1---{192.168.0.0/24
> --
> if2---{172.16.0.0/16
>
> Any packets arriving on if0 with a source of 192.168.0.0/24 or
> 172.16.0.0/16 will not match a rule with 'verrevpath.' Likewise,
> anything coming in on if1 that doesn't have a source of
> 192.168.0.0/24
> will not match, nor will anything on if2 without a 172.16.0.0/16
> source.
>
> To turn on anti-spoofing on a firewall, put,
>
> # ipfw add 100 pass ip from any to any verrevpath
>
> Before any other rules. All done (well, only if you're not using
> dynamic rules).
>
> The check is done by simply getting the route for the source of the
> packet and making sure the interface the route goes out on is the
> same
> as the one the packet arrived on.
>
> Of course, the really interesting appeal of this may not necessarily
> for "firewalls," but for routers running dynamic routing protocols
> (which is why I was thinking sysctl(8) at first).
>
> Patch for CURRENT is attached. It should apply to STABLE (make sure
> to
> patch ip_fw2.h rather than ip_fw.h), but I've had a little trouble
> getting IPFW2 running right on my STABLE crash box so I have not
> tested it.
>
> Now, some discussion. I originally was just going to implement a
> sysctl(8) knob that did the check in ip_input() for every packet.
> But
> after starting on that, it occured to me that it might be better as
> a
> firewall action. I started doing that when I realized that it
> doesn't
> really work well as a firewall action. I went back to a sysctl(8)
> until I decided that it would work fine as a firewall option. I'm
> not
> 100% on any of those choices yet.
>
> One of the problems I had with making it an action (and one of the
> initial reasons I leaned away from a sysctl(8) knob) is how to
> handle
> logging. And I'm still not happy with the logging issue. It would be
> nice to somehow include in the logs that the packet was dropped
> because there was a RPF problem and log the incoming interface and
> where we expected such a packet to come from. Right now, there is no
> logging angle. Making it an action could give you more ways to go
> there, but how do you tell it to log only failures? To log failure
> and
> success? To log neither? (Actually, that's pretty easy to do, but
> the
> rules would get ugly lookin'.)
>
> Anyone have any ideas on how to improve on this before I commit it
> (after which making major changes is less desirable)? Ideas how to
> do
> the logging better? Keep in mind that I don't want to have to put
> terrible, ugly hacks in luigi's purty IPFW2 code to implement any
> suggestions.
>
> Oh, and of course, please test it. Also, some thoughts about
> configurations where this option can break things (like when you are
> purposely doing asymmetric routing) and any creative uses.
> --
> Crist J. Clark | cjclark@alum.mit.edu
> | cjclark@jhu.edu
> http://people.freebsd.org/~cjc/ | cjc@freebsd.org
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
From owner-freebsd-ipfw Wed Mar 12 11:16:28 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
by hub.freebsd.org (Postfix) with ESMTP id 6253237B401
for <ipfw@freebsd.org>; Wed, 12 Mar 2003 11:16:27 -0800 (PST)
Received: from sccrmhc03.attbi.com (sccrmhc03.attbi.com [204.127.202.63])
by mx1.FreeBSD.org (Postfix) with ESMTP id 928BD43F3F
for <ipfw@freebsd.org>; Wed, 12 Mar 2003 11:16:25 -0800 (PST)
(envelope-from crist.clark@attbi.com)
Received: from blossom.cjclark.org (12-234-89-252.client.attbi.com[12.234.89.252])
by sccrmhc03.attbi.com (sccrmhc03) with ESMTP
id <2003031219162400300am0goe>; Wed, 12 Mar 2003 19:16:24 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1])
by blossom.cjclark.org (8.12.6/8.12.3) with ESMTP id h2CJGNeq016651;
Wed, 12 Mar 2003 11:16:23 -0800 (PST)
(envelope-from crist.clark@attbi.com)
Received: (from cjc@localhost)
by blossom.cjclark.org (8.12.6/8.12.6/Submit) id h2CJGNvq016650;
Wed, 12 Mar 2003 11:16:23 -0800 (PST)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f
Date: Wed, 12 Mar 2003 11:16:23 -0800
From: "Crist J. Clark" <crist.clark@attbi.com>
To: JoeB <barbish@a1poweruser.com>
Cc: ipfw@freebsd.org
Subject: Re: Anti-Spoofing Option
Message-ID: <20030312191623.GD16143@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20030312080622.GA42446@blossom.cjclark.org> <MIEPLLIBMLEEABPDBIEGGECLDIAA.barbish@a1poweruser.com> <20030312185830.GC16143@blossom.cjclark.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030312185830.GC16143@blossom.cjclark.org>
User-Agent: Mutt/1.4i
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG
On Wed, Mar 12, 2003 at 10:58:30AM -0800, Crist J. Clark wrote:
[snip]
*sigh*
> Uh, where does it say that it doesn't work with dynamic rules? The
> examples I gave were stateless because it's easier to give
> free-standing examples. The reason I made it a option rather than an
> action was specfically to make it work better in dynamic rules. This,
>
> # ipfw add 1000 pass ip from ${internal_net} to any verrevpath in via ${if}
s/any/any keep-state/
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
From owner-freebsd-ipfw Thu Mar 13 2:53:18 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
by hub.freebsd.org (Postfix) with ESMTP
id D74DC37B401; Thu, 13 Mar 2003 02:53:17 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
by mx1.FreeBSD.org (Postfix) with ESMTP
id 72C7343F3F; Thu, 13 Mar 2003 02:53:17 -0800 (PST)
(envelope-from maxim@FreeBSD.org)
Received: from freefall.freebsd.org (maxim@localhost [127.0.0.1])
by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id h2DArHNS079679;
Thu, 13 Mar 2003 02:53:17 -0800 (PST)
(envelope-from maxim@freefall.freebsd.org)
Received: (from maxim@localhost)
by freefall.freebsd.org (8.12.6/8.12.6/Submit) id h2DArGcY079675;
Thu, 13 Mar 2003 02:53:16 -0800 (PST)
Date: Thu, 13 Mar 2003 02:53:16 -0800 (PST)
From: Maxim Konovalov <maxim@FreeBSD.org>
Message-Id: <200303131053.h2DArGcY079675@freefall.freebsd.org>
To: never@nevermind.kiev.ua, maxim@FreeBSD.org, ipfw@FreeBSD.org,
maxim@FreeBSD.org
Subject: Re: bin/47196: ipfw won't format correctly output from 'ipfw show' command
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG
Synopsis: ipfw won't format correctly output from 'ipfw show' command
State-Changed-From-To: open->patched
State-Changed-By: maxim
State-Changed-When: Thu Mar 13 02:52:10 PST 2003
State-Changed-Why:
Fixed in rev. 1.22 src/sbin/ipfw/ipfw2.c in -CURRENT.
Responsible-Changed-From-To: ipfw->maxim
Responsible-Changed-By: maxim
Responsible-Changed-When: Thu Mar 13 02:52:10 PST 2003
Responsible-Changed-Why:
Will MFC the fix in one month.
http://www.freebsd.org/cgi/query-pr.cgi?pr=47196
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
From owner-freebsd-ipfw Thu Mar 13 12:49:11 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
by hub.freebsd.org (Postfix) with ESMTP id 2006E37B401
for <ipfw@freebsd.org>; Thu, 13 Mar 2003 12:49:11 -0800 (PST)
Received: from fep03-mail.bloor.is.net.cable.rogers.com (fep03-mail.bloor.is.net.cable.rogers.com [66.185.86.73])
by mx1.FreeBSD.org (Postfix) with ESMTP id 122EC43F93
for <ipfw@freebsd.org>; Thu, 13 Mar 2003 12:49:10 -0800 (PST)
(envelope-from eankingston@rogers.com)
Received: from [192.168.89.3] ([24.101.109.121])
by fep03-mail.bloor.is.net.cable.rogers.com
(InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with ESMTP
id <20030313204834.MWTC251620.fep03-mail.bloor.is.net.cable.rogers.com@[192.168.89.3]>;
Thu, 13 Mar 2003 15:48:34 -0500
Subject: Re: Anti-Spoofing Option
From: Ean Kingston <eankingston@rogers.com>
To: cjclark@alum.mit.edu
Cc: ipfw@freebsd.org
In-Reply-To: <20030312191623.GD16143@blossom.cjclark.org>
References: <20030312080622.GA42446@blossom.cjclark.org>
<MIEPLLIBMLEEABPDBIEGGECLDIAA.barbish@a1poweruser.com>
<20030312185830.GC16143@blossom.cjclark.org>
<20030312191623.GD16143@blossom.cjclark.org>
Content-Type: text/plain
Organization:
Message-Id: <1047588629.81548.2.camel@prosporo.hedron.org>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.2.1
Date: 13 Mar 2003 15:50:31 -0500
Content-Transfer-Encoding: 7bit
X-Authentication-Info: Submitted using SMTP AUTH PLAIN at fep03-mail.bloor.is.net.cable.rogers.com from [24.101.109.121] using ID <eankingston@rogers.com> at Thu, 13 Mar 2003 15:48:34 -0500
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG
My initial thinking is that I would rather see this as a sysctl. I
really like the idea but I would like to be able to build a router
without firewall and have this.
--
Ean Kingston <eankingston@rogers.com>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
From owner-freebsd-ipfw Thu Mar 13 13:49: 9 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
by hub.freebsd.org (Postfix) with ESMTP id 67DD537B404
for <ipfw@freebsd.org>; Thu, 13 Mar 2003 13:49:08 -0800 (PST)
Received: from elvis.mu.org (elvis.mu.org [192.203.228.196])
by mx1.FreeBSD.org (Postfix) with ESMTP id 7AB0D43FBF
for <ipfw@freebsd.org>; Thu, 13 Mar 2003 13:49:07 -0800 (PST)
(envelope-from billf@elvis.mu.org)
Received: by elvis.mu.org (Postfix, from userid 1098)
id 52C272ED3CF; Thu, 13 Mar 2003 13:49:07 -0800 (PST)
Date: Thu, 13 Mar 2003 13:49:07 -0800
From: Bill Fumerola <billf@mu.org>
To: Ean Kingston <eankingston@rogers.com>
Cc: cjclark@alum.mit.edu, ipfw@freebsd.org
Subject: Re: Anti-Spoofing Option
Message-ID: <20030313214907.GL490@elvis.mu.org>
References: <20030312080622.GA42446@blossom.cjclark.org> <MIEPLLIBMLEEABPDBIEGGECLDIAA.barbish@a1poweruser.com> <20030312185830.GC16143@blossom.cjclark.org> <20030312191623.GD16143@blossom.cjclark.org> <1047588629.81548.2.camel@prosporo.hedron.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1047588629.81548.2.camel@prosporo.hedron.org>
User-Agent: Mutt/1.4i
X-Operating-System: FreeBSD 4.8-MUORG-20030228 i386
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG
On Thu, Mar 13, 2003 at 03:50:31PM -0500, Ean Kingston wrote:
> My initial thinking is that I would rather see this as a sysctl. I
> really like the idea but I would like to be able to build a router
> without firewall and have this.
using this as a system wide option as opposed to from within the firewall
mechanisms makes defining specific policy with it very difficult. see
cisco's implementation v. juniper's implementation as an example.
i could provide urls, but they both have nice search engines..
--
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
From owner-freebsd-ipfw Fri Mar 14 0:57:41 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
by hub.freebsd.org (Postfix) with ESMTP id C9CFD37B404
for <freebsd-ipfw@freebsd.org>; Fri, 14 Mar 2003 00:57:40 -0800 (PST)
Received: from wrzx35.rz.uni-wuerzburg.de (wrzx35.rz.uni-wuerzburg.de [132.187.3.35])
by mx1.FreeBSD.org (Postfix) with ESMTP id CD64443F3F
for <freebsd-ipfw@freebsd.org>; Fri, 14 Mar 2003 00:57:38 -0800 (PST)
(envelope-from q@uni.de)
Received: from wrzx30.rz.uni-wuerzburg.de (wrzx30.rz.uni-wuerzburg.de [132.187.1.30])
by wrzx35.rz.uni-wuerzburg.de (8.8.8/8.8.8/uniwue-MM-1.05) with ESMTP id JAA480573
for <freebsd-ipfw@freebsd.org>; Fri, 14 Mar 2003 09:57:36 +0100 (CET)
Received: from virusscan (localhost [127.0.0.1])
by wrzx30.rz.uni-wuerzburg.de (Postfix) with ESMTP id 690443C5FF
for <freebsd-ipfw@freebsd.org>; Fri, 14 Mar 2003 09:56:37 +0100 (CET)
Received: from wrzx07.rz.uni-wuerzburg.de ([132.187.1.7])
by virusscan (wrzx30 [132.187.1.30:25]) (amavisd-new) with ESMTP id 05763-07
for <freebsd-ipfw@freebsd.org>; Fri, 14 Mar 2003 09:56:37 +0100 (CET)
Received: from spamchecker (localhost [127.0.0.1])
by wrzx07.rz.uni-wuerzburg.de (Postfix) with ESMTP id 32868496E
for <freebsd-ipfw@freebsd.org>; Fri, 14 Mar 2003 09:56:36 +0100 (CET)
Received: from coyote.local (gb-007.galgenberg.net [132.187.222.7])
by wrzx07.rz.uni-wuerzburg.de (Postfix) with ESMTP id 1090B496C
for <freebsd-ipfw@freebsd.org>; Fri, 14 Mar 2003 09:56:36 +0100 (CET)
Received: from roadrunner.local (roadrunner [192.168.0.147])
by coyote.local (8.12.6/8.12.6) with ESMTP id h2E8v4Fd048099
for <freebsd-ipfw@freebsd.org>; Fri, 14 Mar 2003 09:57:04 +0100 (CET)
(envelope-from q@roadrunner.local)
Received: from roadrunner.local (localhost [127.0.0.1])
by roadrunner.local (8.12.8/8.12.8) with ESMTP id h2E8uaQm064471
for <freebsd-ipfw@freebsd.org>; Fri, 14 Mar 2003 09:56:36 +0100 (CET)
(envelope-from q@roadrunner.local)
Received: (from q@localhost)
by roadrunner.local (8.12.8/8.12.8/Submit) id h2E8uaKd064470
for freebsd-ipfw@freebsd.org; Fri, 14 Mar 2003 09:56:36 +0100 (CET)
Date: Fri, 14 Mar 2003 09:56:36 +0100
From: Ulrich Spoerlein <q@uni.de>
To: freebsd-ipfw@freebsd.org
Subject: Prioritizing empty TCP ACKs with ipfw?
Message-ID: <20030314085636.GB64326@galgenberg.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4i
X-No-Archive: yes
X-Spam-Status: No, hits=-17.9 required=8.0
tests=BAYES_30,LOCAL_CLIENT,USER_AGENT_MUTT
version=2.50-string_20021002
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.50-string_20021002 (1.173-2003-02-20-exp)
X-Virus-Scanned: by amavisd-new (Rechenzentrum Universitaet Wuerzburg)
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG
Hello everyone,
I recently read this paper [1] and have to say that I am amazed. Is this
possible with ipfw/2 too? If so, how would one set this up?
PS: Please CC me, because I'm not on this list. Thank you
[1] http://www.benzedrine.cx/ackpri.html
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
From owner-freebsd-ipfw Fri Mar 14 11:22:41 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
by hub.freebsd.org (Postfix) with ESMTP id DCD2B37B401
for <freebsd-ipfw@freebsd.org>; Fri, 14 Mar 2003 11:22:40 -0800 (PST)
Received: from mout2.freenet.de (mout2.freenet.de [194.97.50.155])
by mx1.FreeBSD.org (Postfix) with ESMTP id AE5A843FA3
for <freebsd-ipfw@freebsd.org>; Fri, 14 Mar 2003 11:22:39 -0800 (PST)
(envelope-from ino-qc@spotteswoode.de.eu.org)
Received: from [194.97.50.138] (helo=mx0.freenet.de)
by mout2.freenet.de with asmtp (Exim 4.12)
id 18tulJ-0004Gt-00
for freebsd-ipfw@freebsd.org; Fri, 14 Mar 2003 20:22:37 +0100
Received: from pd90559d6.dip.t-dialin.net ([217.5.89.214] helo=spotteswoode.dnsalias.org)
by mx0.freenet.de with asmtp (ID inode@freenet.de) (Exim 4.12 #2)
id 18tulJ-0000mq-00
for freebsd-ipfw@freebsd.org; Fri, 14 Mar 2003 20:22:37 +0100
Received: (qmail 6708 invoked by uid 0); 14 Mar 2003 19:22:36 -0000
Date: 14 Mar 2003 20:22:36 +0100
Message-ID: <el59ycqr.fsf@ID-23066.news.dfncis.de>
From: "clemens fischer" <ino-qc@spotteswoode.de.eu.org>
To: "Ulrich Spoerlein" <q@uni.de>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Prioritizing empty TCP ACKs with ipfw?
In-Reply-To: <20030314085636.GB64326@galgenberg.net> (Ulrich Spoerlein's
message of "Fri, 14 Mar 2003 09:56:36 +0100")
References: <20030314085636.GB64326@galgenberg.net>
User-Agent: Gnus/5.090016 (Oort Gnus v0.16) Emacs/21.3.50 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG
Ulrich Spoerlein <q@uni.de>:
> I recently read this paper [1] and have to say that I am amazed. Is
> this possible with ipfw/2 too? If so, how would one set this up?
>
> [1] http://www.benzedrine.cx/ackpri.html
if i'm not mistaken, this is available right now with ipfw, see the
link to luigis dummynet page in the article you cited.
clemens
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
From owner-freebsd-ipfw Fri Mar 14 14:47:47 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
by hub.freebsd.org (Postfix) with ESMTP id C411137B401
for <freebsd-ipfw@freebsd.org>; Fri, 14 Mar 2003 14:47:46 -0800 (PST)
Received: from mail.evip.pl (mail.evip.com.pl [212.244.157.179])
by mx1.FreeBSD.org (Postfix) with ESMTP id BF1A443F93
for <freebsd-ipfw@freebsd.org>; Fri, 14 Mar 2003 14:47:45 -0800 (PST)
(envelope-from w@evip.pl)
Received: from w by mail.evip.pl with local (Exim 4.10)
id 18txx1-0000lK-00
for freebsd-ipfw@freebsd.org; Fri, 14 Mar 2003 23:46:55 +0100
Date: Fri, 14 Mar 2003 23:46:55 +0100
From: Wiktor Niesiobedzki <w@evip.pl>
To: freebsd-ipfw@freebsd.org
Subject: Re: Prioritizing empty TCP ACKs with ipfw?
Message-ID: <20030314224655.GA2616@mail.evip.pl>
References: <20030314085636.GB64326@galgenberg.net> <el59ycqr.fsf@ID-23066.news.dfncis.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <el59ycqr.fsf@ID-23066.news.dfncis.de>
User-Agent: Mutt/1.4i
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG
On Fri, Mar 14, 2003 at 08:22:36PM +0100, clemens fischer wrote:
> Ulrich Spoerlein <q@uni.de>:
>
> > I recently read this paper [1] and have to say that I am amazed. Is
> > this possible with ipfw/2 too? If so, how would one set this up?
> >
> > [1] http://www.benzedrine.cx/ackpri.html
>
> if i'm not mistaken, this is available right now with ipfw, see the
> link to luigis dummynet page in the article you cited.
>
With IPFW2 I use currently "iplen 40" option, is there any *better* way, of
selecting empty ACK packet?
Cheers,
Wiktor Niesiobedzki
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message