From owner-freebsd-ipfw@FreeBSD.ORG  Sun Aug 10 09:10:53 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C2E1A37B401
	for <ipfw@freebsd.org>; Sun, 10 Aug 2003 09:10:53 -0700 (PDT)
Received: from epita.fr (hermes.epita.fr [163.5.255.10])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5E36643F3F
	for <ipfw@freebsd.org>; Sun, 10 Aug 2003 09:10:52 -0700 (PDT)
	(envelope-from le-hen_j@epita.fr)
Received: from carpediem (carpediem.epita.fr [10.42.42.5])
	by epita.fr id h7AGAo913699 for ipfw@freebsd.org 
	EPITA Paris France Sun, 10 Aug 2003 18:10:50 +0200 (CEST)
Date: Sun, 10 Aug 2003 18:10:49 +0200
From: jeremie le-hen <le-hen_j@epita.fr>
To: ipfw@freebsd.org
Message-ID: <20030810161049.GA26412@carpediem.epita.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4i
Subject: Packets going through multiple queues
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Aug 2003 16:10:54 -0000

Hi folks,

let's imagine I want to schedule traffic going out through tun0.

First of all, in order to avoid filling modem buffers (and so having queue
delays in the modem), let's define the main pipe, through which all traffic
will go:

	ipfw pipe 1 config bw 125Kbit/s

Now I create a queue for interactive traffic, such as SSH, with a high weight:

	ipfw queue 10 config weight 100 pipe 1 mask all

And another one for the rest of the traffic:

	ipfw queue 20 config weight 1 pipe 1

And finally the rules which will make packets go into our queues (in order
to simplify, don't care about the TOS field, though we should in the real
world):

	ipfw add 100 queue 10 tcp from any to any 22 out via tun0
	ipfw add 101 queue 10 tcp from any 22 to any out via tun0
	ipfw add 200 queue 20 all from any to any out via tun0

This configuration works perfectly with net.inet.ip.fw.one_pass set to 1; once
an outgoing packet has matched one of these three rules, it will just stop
any further rule checking.


But now, imagine I want to limit my outgoing mail traffic, and be sure it will
not exceed 4KBytes/s. But although outgoing SMTP packets will have to go
through a particular pipe in order to achieve this, I still want to take them
into account in my traffic prioritizing. This means that net.inet.ip.fw.one_pass
must be set to 0.

If I simply configure my pipe and add a rule like this:

	ipfw pipe 2 config bw 4KBytes/s
	ipfw add 500 pipe 2 tcp from any to any 25 out via tun0

This seems to work, but in fact SSH traffic now goes through both queues 10
and 20, and I'm not sure about the efficiency of this method, I'm afraid to
lose all traffic prioritizing benefits.

One tricky way to avoid the behavior would be to add "skipto" rules after
each "queue" rule, with exactly the same rule body, but this clearly adds
a great overhead. Furthermore, my real traffic prioritizing framework uses
6 queues and a number of rules, and adding "skipto" rules as I described here
is just hard and time-wasting work.

At this point, I wonder if I missed something in ipfw(8) syntax or if the
latter is simply not powerful enough to achieve this easily.

Thanks for your advice.
Regards,
-- 
Jeremie aka TtZ/TataZ
jeremie.le-hen@epita.fr

From owner-freebsd-ipfw@FreeBSD.ORG  Sun Aug 10 22:11:36 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 00B7837B404
	for <ipfw@freebsd.org>; Sun, 10 Aug 2003 22:11:36 -0700 (PDT)
Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68])
	by mx1.FreeBSD.org (Postfix) with ESMTP id EF09C43FBD
	for <ipfw@freebsd.org>; Sun, 10 Aug 2003 22:11:33 -0700 (PDT)
	(envelope-from rizzo@xorpc.icir.org)
Received: from xorpc.icir.org (localhost [127.0.0.1])
	by xorpc.icir.org (8.12.8p1/8.12.3) with ESMTP id h7B5BUkN032264;
	Sun, 10 Aug 2003 22:11:30 -0700 (PDT)
	(envelope-from rizzo@xorpc.icir.org)
Received: (from rizzo@localhost)
	by xorpc.icir.org (8.12.8p1/8.12.3/Submit) id h7B5BTRO032263;
	Sun, 10 Aug 2003 22:11:29 -0700 (PDT)
	(envelope-from rizzo)
Date: Sun, 10 Aug 2003 22:11:29 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: jeremie le-hen <le-hen_j@epita.fr>
Message-ID: <20030810221129.A32121@xorpc.icir.org>
References: <20030810161049.GA26412@carpediem.epita.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20030810161049.GA26412@carpediem.epita.fr>;
	from le-hen_j@epita.fr on Sun, Aug 10, 2003 at 06:10:49PM +0200
cc: ipfw@freebsd.org
Subject: Re: Packets going through multiple queues
X-List-Received-Date: Mon, 11 Aug 2003 05:11:36 -0000

On Sun, Aug 10, 2003 at 06:10:49PM +0200, jeremie le-hen wrote:
...
<example about using net.inet.ip.fw.one_pass=0>
...
> One tricky way to avoid the behavior would be to add "skipto" rules after
> each "queue" rule, with exactly the same rule body, but this clearly adds
> a great overhead. Furthermore, my real traffic prioritizing framework uses
> 6 queues and a number of rules, and adding "skipto" rules as I described here
> is just hard and time-wasting work.

it is not a great overhead -- it is just one extra rule to check per
packet, which is fast (there are direct pointers to the jump
target). As for the 'hard and time-wasting work'... you just have to
design your ruleset correctly.

Basically what you want is

	<foo>
	switch (<some field in the packet>) {
	case A:
		<aaa>
		break;
	case B:
		<bbb>
		break;
	...
	case Z:
		<zzz>
		break;
	}
	<bar>

where the blocks in <> are ipfw instructions. Once you have designed your
ruleset this way, it is really trivial to implement it in terms of
conditional and unconditional jumps.

	cheers
	luigi

> At this point, I wonder if I missed something in ipfw(8) syntax or if the
> latter is simply not powerful enough to achieve this easily.
> 
> Thanks for your advice.
> Regards,
> -- 
> Jeremie aka TtZ/TataZ
> jeremie.le-hen@epita.fr
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
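
The switch layout described in the reply above, worked through as an added example (not code from the thread or from ipfw itself): a small Python model of the rule walk with net.inet.ip.fw.one_pass=0, run over the ruleset from the question and over a restructured one. The rule numbers 110 to 5000 in SWITCHED, the sample packets and the reduced matcher (only `from any [port] to any [port] out via IF`) are assumptions.

```python
import re

# Ruleset from the question, plus the SMTP pipe rule (copied from the thread).
ORIGINAL = """
100 queue 10 tcp from any to any 22 out via tun0
101 queue 10 tcp from any 22 to any out via tun0
200 queue 20 all from any to any out via tun0
500 pipe 2 tcp from any to any 25 out via tun0
"""

# One possible "switch" layout (constructed; rule numbers are assumptions):
# conditional skipto rules dispatch to a case block, and each case block
# ends with an unconditional skipto that plays the role of "break".
SWITCHED = """
100 skipto 1000 tcp from any to any 22 out via tun0
110 skipto 1000 tcp from any 22 to any out via tun0
120 skipto 2000 all from any to any out via tun0
1000 queue 10 all from any to any out via tun0
1010 skipto 5000 all from any to any out via tun0
2000 queue 20 all from any to any out via tun0
5000 pipe 2 tcp from any to any 25 out via tun0
"""

# Only the subset of ipfw(8) syntax used in this thread is understood.
RULE = re.compile(
    r"(?P<num>\d+) (?P<action>queue|pipe|skipto) (?P<arg>\d+) "
    r"(?P<proto>tcp|udp|all) from any(?: (?P<sport>\d+))? "
    r"to any(?: (?P<dport>\d+))? out via (?P<iface>\S+)$"
)


def parse(text):
    """Parse a ruleset into a list of dicts sorted by rule number."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE.match(line.strip())
        if m is None:
            raise ValueError(f"unsupported rule: {line!r}")
        rule = m.groupdict()
        for key in ("num", "arg", "sport", "dport"):
            rule[key] = int(rule[key]) if rule[key] is not None else None
        rules.append(rule)
    return sorted(rules, key=lambda r: r["num"])


def matches(rule, pkt):
    """True if an outgoing packet matches the rule body."""
    return (rule["proto"] in ("all", pkt["proto"])
            and rule["iface"] == pkt["iface"]
            and rule["sport"] in (None, pkt["sport"])
            and rule["dport"] in (None, pkt["dport"]))


def trace(rules, pkt, one_pass=False):
    """Return the (action, number) dummynet objects the packet passes through.

    one_pass=False models net.inet.ip.fw.one_pass=0: after a queue or pipe
    the packet re-enters the ruleset at the next rule. Only forward skipto
    jumps are modelled.
    """
    hits = []
    i = 0
    while i < len(rules):
        rule = rules[i]
        i += 1
        if not matches(rule, pkt):
            continue
        if rule["action"] == "skipto":
            # Continue with the first rule numbered >= the skipto target.
            target = next((j for j, r in enumerate(rules)
                           if r["num"] >= rule["arg"]), len(rules))
            i = max(i, target)
            continue
        hits.append((rule["action"], rule["arg"]))
        if one_pass:
            break
    return hits


# Constructed sample packets leaving via tun0.
SSH = {"proto": "tcp", "sport": 49160, "dport": 22, "iface": "tun0"}
SMTP = {"proto": "tcp", "sport": 49161, "dport": 25, "iface": "tun0"}

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("switched", SWITCHED)):
        rules = parse(text)
        print(name, "ssh ", trace(rules, SSH))
        print(name, "smtp", trace(rules, SMTP))
```

In the model, SSH packets cross both queue 10 and queue 20 under the original ruleset and only queue 10 under the switch layout, while SMTP still crosses queue 20 and then pipe 2 in both.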

From owner-freebsd-ipfw@FreeBSD.ORG  Mon Aug 11 03:12:35 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id A8B3137B405; Mon, 11 Aug 2003 03:12:35 -0700 (PDT)
Received: from smtp.hotbox.ru (smtp.hotbox.ru [80.68.244.50])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 6BB3D43F75; Mon, 11 Aug 2003 03:12:34 -0700 (PDT)
	(envelope-from denb@front.ru)
Received: from ws-2.dep624 ([212.1.235.150])
	(authenticated bits=0)
	by smtp.hotbox.ru (8.12.9/8.12.9) with ESMTP id h7B9xOCe035049;
	Mon, 11 Aug 2003 13:59:40 +0400 (MSD)
	(envelope-from denb@front.ru)
From: Denis Borisov <denb@front.ru>
To: ipfw@freebsd.org
Date: Mon, 11 Aug 2003 14:12:18 +0400
User-Agent: KMail/1.5
MIME-Version: 1.0
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200308111412.18099.denb@front.ru>
cc: current@freebsd.org
Subject: natd over ipfw2 problem.
X-List-Received-Date: Mon, 11 Aug 2003 10:12:36 -0000

Hi, all,
I want to redirect incoming traffic to an internal server.
Why doesn't natd redirect the packet?
OS - FreeBSD 5.1-CURRENT 


192.168.0.104
           |
           |
           |
192.168.0.102
|     router      |
172.16.0.102
           |
           |
           |
172.16.0.253
internal  server

#ipfw add divert 7777 ip from 172.16.0.253 to any out
#ipfw add divert 6666 ip from any to 192.168.0.102 in
#ipfw sh
00100    0      0 divert 7777 ip from 172.16.0.253 to any out
00200    0      0 divert 6666 ip from any to 192.168.0.102 in
65535 3363 607801 allow ip from any to any
#natd -v -u -m -a 192.168.0.102  -i 6666 -o 7777 -redirect_address 172.16.0.253  192.168.0.102
In  [TCP]  [TCP] 192.168.0.104:49155 -> 192.168.0.102:80 aliased to
                  [TCP] 192.168.0.104:49155 -> 172.16.0.253:80
^C

Why doesn't natd change the source IP address?
Where is the OUT chain?

------------------------
Regards,
Denis Borisov

From owner-freebsd-ipfw@FreeBSD.ORG  Mon Aug 11 11:01:20 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E23A737B401
	for <freebsd-ipfw@freebsd.org>; Mon, 11 Aug 2003 11:01:20 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DB87643FE3
	for <freebsd-ipfw@freebsd.org>; Mon, 11 Aug 2003 11:01:15 -0700 (PDT)
	(envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (peter@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h7BI1FUp080776
	for <freebsd-ipfw@freebsd.org>; Mon, 11 Aug 2003 11:01:15 -0700 (PDT)
	(envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost)
	by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h7BI1FFt080770
	for freebsd-ipfw@freebsd.org; Mon, 11 Aug 2003 11:01:15 -0700 (PDT)
Date: Mon, 11 Aug 2003 11:01:15 -0700 (PDT)
Message-Id: <200308111801.h7BI1FFt080770@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to
	owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster <bugmaster@freebsd.org>
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to you
X-List-Received-Date: Mon, 11 Aug 2003 18:01:21 -0000

Current FreeBSD problem reports
Critical problems
Serious problems

S  Submitted   Tracker     Resp.       Description
-------------------------------------------------------------------------------
o [2002/09/02] bin/42318   ipfw        NATD redirect limitations

1 problem total.

Non-critical problems

From owner-freebsd-ipfw@FreeBSD.ORG  Mon Aug 11 11:01:35 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id EF6EE37B405
	for <ipfw@freebsd.org>; Mon, 11 Aug 2003 11:01:35 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A44CE43FCB
	for <ipfw@freebsd.org>; Mon, 11 Aug 2003 11:01:33 -0700 (PDT)
	(envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (peter@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h7BI1XUp081144
	for <ipfw@freebsd.org>; Mon, 11 Aug 2003 11:01:33 -0700 (PDT)
	(envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost)
	by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h7BI1XwI081138
	for ipfw@freebsd.org; Mon, 11 Aug 2003 11:01:33 -0700 (PDT)
Date: Mon, 11 Aug 2003 11:01:33 -0700 (PDT)
Message-Id: <200308111801.h7BI1XwI081138@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to
	owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster <bugmaster@freebsd.org>
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you
X-List-Received-Date: Mon, 11 Aug 2003 18:01:36 -0000

Current FreeBSD problem reports
Critical problems

S  Submitted   Tracker     Resp.       Description
-------------------------------------------------------------------------------
o [2003/01/26] kern/47529  ipfw        natd/ipfw lose TCP packets for firewalled
o [2003/03/23] kern/50216  ipfw        kernel panic on 5.0-current when use ipfw

2 problems total.

Serious problems

S  Submitted   Tracker     Resp.       Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw        ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274  ipfw        ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw        ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems

S  Submitted   Tracker     Resp.       Description
-------------------------------------------------------------------------------
o [2003/03/12] bin/49959   ipfw        ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw        ipfw2 incorrectly parses ports and port r
a [2001/04/13] kern/26534  ipfw        Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080  ipfw        [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw        ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw        IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172  ipfw        ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw        [patch] Make ipfw2 log to different syslo

8 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG  Tue Aug 12 03:39:33 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 2E02237B401
	for <ipfw@freebsd.org>; Tue, 12 Aug 2003 03:39:33 -0700 (PDT)
Received: from smtp.hotbox.ru (smtp.hotbox.ru [80.68.244.50])
	by mx1.FreeBSD.org (Postfix) with ESMTP id AF36643F75
	for <ipfw@freebsd.org>; Tue, 12 Aug 2003 03:39:31 -0700 (PDT)
	(envelope-from denb@front.ru)
Received: from ws-2.dep624 ([212.1.235.150])
	(authenticated bits=0)
	by smtp.hotbox.ru (8.12.9/8.12.9) with ESMTP id h7CAQYCe083145
	for <ipfw@freebsd.org>; Tue, 12 Aug 2003 14:26:35 +0400 (MSD)
	(envelope-from denb@front.ru)
From: Denis Borisov <denb@front.ru>
To: ipfw@freebsd.org
Date: Tue, 12 Aug 2003 14:26:11 +0400
User-Agent: KMail/1.5
MIME-Version: 1.0
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200308121426.11858.denb@front.ru>
Subject: When will implemented in-kernel NAT?
X-List-Received-Date: Tue, 12 Aug 2003 10:39:33 -0000

In the comments in file ip_fw2.c I read:
* Dynamic rules can be used for different purposes:
 *  + stateful rules;
 *  + enforcing limits on the number of sessions;
 *  + in-kernel NAT (not implemented yet)

When will in-kernel NAT be implemented?

Regards,
Denis

From owner-freebsd-ipfw@FreeBSD.ORG  Wed Aug 13 05:52:56 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 6FA8837B401; Wed, 13 Aug 2003 05:52:56 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 0A1C243F75; Wed, 13 Aug 2003 05:52:56 -0700 (PDT)
	(envelope-from ru@FreeBSD.org)
Received: from freefall.freebsd.org (ru@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h7DCqtUp090878;
	Wed, 13 Aug 2003 05:52:55 -0700 (PDT)
	(envelope-from ru@freefall.freebsd.org)
Received: (from ru@localhost)
	by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h7DCqrNP090575;
	Wed, 13 Aug 2003 05:52:53 -0700 (PDT)
Date: Wed, 13 Aug 2003 05:52:53 -0700 (PDT)
From: Ruslan Ermilov <ru@FreeBSD.org>
Message-Id: <200308131252.h7DCqrNP090575@freefall.freebsd.org>
To: mark@outlander.us, ru@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: bin/42318: NATD redirect limitations
X-List-Received-Date: Wed, 13 Aug 2003 12:52:56 -0000

Synopsis: NATD redirect limitations

State-Changed-From-To: open->closed
State-Changed-By: ru
State-Changed-When: Wed Aug 13 05:50:53 PDT 2003
State-Changed-Why: 
Not possible with NATD (as it's not a function of NAT).
However, Apache web server can deal with this easily.

http://www.freebsd.org/cgi/query-pr.cgi?pr=42318

From owner-freebsd-ipfw@FreeBSD.ORG  Wed Aug 13 05:58:24 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 3801D37B401; Wed, 13 Aug 2003 05:58:24 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id C43D543F85; Wed, 13 Aug 2003 05:58:23 -0700 (PDT)
	(envelope-from ru@FreeBSD.org)
Received: from freefall.freebsd.org (ru@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h7DCwNUp008293;
	Wed, 13 Aug 2003 05:58:23 -0700 (PDT)
	(envelope-from ru@freefall.freebsd.org)
Received: (from ru@localhost)
	by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h7DCwM8b008289;
	Wed, 13 Aug 2003 05:58:22 -0700 (PDT)
Date: Wed, 13 Aug 2003 05:58:22 -0700 (PDT)
From: Ruslan Ermilov <ru@FreeBSD.org>
Message-Id: <200308131258.h7DCwM8b008289@freefall.freebsd.org>
To: brucegb@realtime.net, ru@FreeBSD.org, ipfw@FreeBSD.org
Subject: Re: kern/47529: natd/ipfw lose TCP packets for firewalled machines
X-List-Received-Date: Wed, 13 Aug 2003 12:58:24 -0000

Synopsis: natd/ipfw lose TCP packets for firewalled machines

State-Changed-From-To: open->closed
State-Changed-By: ru
State-Changed-When: Wed Aug 13 05:56:51 PDT 2003
State-Changed-Why: 
Both natd and ipfw work normally here; please ask questions in
another forum.  Also note that the "simple" setup is a prototype
only, and it lacks many things to be useful in a production
environment, and won't work "as is".

http://www.freebsd.org/cgi/query-pr.cgi?pr=47529

From owner-freebsd-ipfw@FreeBSD.ORG  Thu Aug 14 19:52:30 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 767F937B401
	for <freebsd-ipfw@freebsd.org>; Thu, 14 Aug 2003 19:52:30 -0700 (PDT)
Received: from web11406.mail.yahoo.com (web11406.mail.yahoo.com
	[216.136.131.236])
	by mx1.FreeBSD.org (Postfix) with SMTP id 0C8C343FD7
	for <freebsd-ipfw@freebsd.org>; Thu, 14 Aug 2003 19:52:30 -0700 (PDT)
	(envelope-from mass_design@yahoo.com)
Message-ID: <20030815025229.53371.qmail@web11406.mail.yahoo.com>
Received: from [68.11.20.53] by web11406.mail.yahoo.com via HTTP;
	Thu, 14 Aug 2003 19:52:29 PDT
Date: Thu, 14 Aug 2003 19:52:29 -0700 (PDT)
From: Gerald Gauthreaux <mass_design@yahoo.com>
To: freebsd-ipfw@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Subject: 
X-List-Received-Date: Fri, 15 Aug 2003 02:52:30 -0000

Hey guys.  Got my firewall to function with natd.  It works fine
except for the fact that everything is open (I think).

zero_gate# ipfw -a l
00100      10061    4078454 divert 8668 ip from any to any via sis0
06500      13504    5987495 allow ip from any to any
65535       1266     315654 deny ip from any to any
zero_gate# 

Of course sis0 is the WAN interface, and rl0 is the LAN interface.
The problem comes in when I take out rule 6500 (allow ip from any to
any), and allow certain ports in, and all ports out.  It seems like
nothing comes in unless I specify the outside ip.  Example, 53 is
allowed in and out but no response when I add the ip of my DNS server
it will work

All out
00700          7        376 allow tcp from 192.168.1.0/24 to any
00800          5        696 allow udp from 192.168.1.0/24 to any
DNS
00500          0          0 allow tcp from any to any dst-port 53
00600         40       2699 allow udp from any to any dst-port 53
This is what makes it work.
01800          8       2459 allow udp from 68.xxx.xxx.xxx to any

Do you know of a better way to do this?  Any light you could shed on
this would be greatly appreciated.

Thanks,
Beau


From owner-freebsd-ipfw@FreeBSD.ORG  Thu Aug 14 20:04:58 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C5E5337B401
	for <freebsd-ipfw@freebsd.org>; Thu, 14 Aug 2003 20:04:58 -0700 (PDT)
Received: from meketrex.pix.net (meketrex.pix.net [192.111.45.13])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DC85443FB1
	for <freebsd-ipfw@freebsd.org>; Thu, 14 Aug 2003 20:04:47 -0700 (PDT)
	(envelope-from stripes@meketrex.pix.net)
Received: (from stripes@localhost)
	by meketrex.pix.net (8.11.6/8.11.6) id h7F34bO19250
	for freebsd-ipfw@freebsd.org; Thu, 14 Aug 2003 23:04:37 -0400 (EDT)
Date: Thu, 14 Aug 2003 23:04:37 -0400
From: Josh Osborne <wfpi.20.stripes@antichef.com>
To: freebsd-ipfw@freebsd.org
Message-ID: <20030814230437.A19173@meketrex.pix.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Subject: Does "ipfw pipe 1 config bw tun0" work under 5.1?
X-List-Received-Date: Fri, 15 Aug 2003 03:04:59 -0000

I'm running "5.1-RELEASE" on a machine and I'm attempting to do a little
bit of traffic shaping.

ipfw queue list looks like this:

00001: tun0    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
q00001: weight 1 pipe 1   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
q00080: weight 100 pipe 1   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp     157.15.34.14/49160   66.35.250.150/80      56     4780 50 4480   5

Whatever traffic I assign to pipe 1 (via one of the queues at least)
shows up in that last line there, but never leaves the queue.  I
can see the packet counts going up (TCP retries I assume) and then
the connection times out.

I'm using ppp, and ifconfig shows tun0 as the interface I'm using
(as opposed to tun1, or something else).  I'm not sure what else to
try here.

So does "ipfw pipe 1 config bw tun0" really work in 5.1-RELEASE,
or is it busted?

From owner-freebsd-ipfw@FreeBSD.ORG  Fri Aug 15 00:50:15 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A3A2837B401
	for <ipfw@hub.freebsd.org>; Fri, 15 Aug 2003 00:50:15 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DC82F43FA3
	for <ipfw@hub.freebsd.org>; Fri, 15 Aug 2003 00:50:14 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h7F7oEUp017509
	for <ipfw@freefall.freebsd.org>; Fri, 15 Aug 2003 00:50:14 -0700 (PDT)
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h7F7oEfp017507;
	Fri, 15 Aug 2003 00:50:14 -0700 (PDT)
Date: Fri, 15 Aug 2003 00:50:14 -0700 (PDT)
Message-Id: <200308150750.h7F7oEfp017507@freefall.freebsd.org>
To: ipfw@FreeBSD.org
From: Ruslan Ermilov <ru@FreeBSD.org>
Subject: Re: kern/47529: natd/ipfw lose TCP packets for firewalled machines
Reply-To: Ruslan Ermilov <ru@FreeBSD.org>
X-List-Received-Date: Fri, 15 Aug 2003 07:50:15 -0000

The following reply was made to PR kern/47529; it has been noted by GNATS.

From: Ruslan Ermilov <ru@FreeBSD.org>
To: Martin Bartelds <bts@iaehv.nl>
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/47529: natd/ipfw lose TCP packets for firewalled machines
Date: Fri, 15 Aug 2003 10:42:51 +0300

 On Thu, Aug 14, 2003 at 08:58:09PM +0200, Martin Bartelds wrote:
 > I'm not sure about the legitimacy of the "closed" action.
 > 
 > I do have at least one FW/FTP system with NAT which experiences
 > significant packet losses since I moved to IPFW2. Even pings get lost
 > every now and then, whereas previously with IPFW this didn't happen.
 > Apart from the lost pings, I also see a lot of hiccups when collecting email
 > and doing FTP through the FW/NAT. Locally and to/from the backbone
 > everything seems to be perfect, only once NAT is involved I do have
 > packet losses. I do use IPFW2's features IPLen, queue, pipe, recv and xmit.
 > Between the FW/FTP server and the backbone, I do have transfer rates
 > of up to 600 Kbyte/s on a 7.6 Mbit pipe. These transfers don't seem to
 > suffer from the hiccups.
 > 
 > If you do have suggestions how to pinpoint this to a more definated
 > point of failure, I'm open for testing.
 > 
 I wish you would mention that your problem is bound to IPFW2 in the PR.
 Whatever, does the problem still exist in recent versions of 5.1-CURRENT?
 If not, please try it.  If so, please give us simple steps to reproduce
 the problem.  It should be possible for you, since you tell me that you
 believe the problem is with FW/NAT, so please start from a simple config,
 and see if the problem exists.  If not, add features that you need, and
 see again.
 
 
 Cheers,
 -- 
 Ruslan Ermilov		Sysadmin and DBA,
 ru@sunbay.com		Sunbay Software Ltd,
 ru@FreeBSD.org		FreeBSD committer

From owner-freebsd-ipfw@FreeBSD.ORG  Sat Aug 16 01:16:26 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id EBED237B401
	for <freebsd-ipfw@freebsd.org>; Sat, 16 Aug 2003 01:16:26 -0700 (PDT)
Received: from luftpost.plosh.net (luftpost.plosh.net [204.152.186.181])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 742A043F3F
	for <freebsd-ipfw@freebsd.org>; Sat, 16 Aug 2003 01:16:26 -0700 (PDT)
	(envelope-from Peter_Losher@isc.org)
Received: from dhcp-2.sql1.plosh.net (tardis-nat.plosh.net [64.139.14.228])
	(using TLSv1 with cipher RC4-MD5 (128/128 bits))
	(Client did not present a certificate)
	by luftpost.plosh.net (Postfix) with ESMTP id 077AB32606
	for <freebsd-ipfw@freebsd.org>; Sat, 16 Aug 2003 01:17:04 -0700 (PDT)
	(envelope-from Peter_Losher@isc.org)
From: Peter Losher <Peter_Losher@isc.org>
Organization: ISC
To: freebsd-ipfw@freebsd.org
Date: Sat, 16 Aug 2003 01:16:21 -0700
User-Agent: KMail/1.5.3
MIME-Version: 1.0
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200308160116.22010.Peter_Losher@isc.org>
Subject: piping killing performance on 5.1-REL-p2
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Aug 2003 08:16:27 -0000

Hi - 

On several of our servers that provide name service to the local network, 
we normally have pipes in our ipfw/ipfw2 rules as such:

add     pipe 1          udp     from any to any 53 in
pipe 1  config  mask src-ip 0xffffffff buckets 1024 bw 10Kbit/s queue 3
add     pipe 2          tcp     from any to any 53 in
pipe 2  config  mask src-ip 0xffffffff buckets 1024 bw 100Kbit/s queue 3

to make sure outsiders don't slam us too hard, etc... This setup has worked 
fine for us in the past under 4.x, but we have now turned up our first 
5.1-REL box (5.1-REL-p2 to be exact) and while the pipes work, they are 
killing the response times.  dig queries that normally take a couple of 
milliseconds from another host on the same subnet now take 40-50 
milliseconds.  Remove the rules, and the response time goes back 
down to a couple of milliseconds.   Note that this same configuration on a 
4.x system shows very little degradation with the pipes on-line.

Has the syntax changed between ipfw and ipfw2, and have others experienced 
this "slowness" issue?  (I looked in the archives beforehand)

Best Wishes - Peter
-- 
Peter_Losher@isc.org | ISC | OpenPGP 0xE8048D08 | "The bits must flow"

From owner-freebsd-ipfw@FreeBSD.ORG  Sat Aug 16 02:58:49 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 39B9C37B43C
	for <freebsd-ipfw@freebsd.org>; Sat, 16 Aug 2003 02:58:49 -0700 (PDT)
Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B5A7943FBF
	for <freebsd-ipfw@freebsd.org>; Sat, 16 Aug 2003 02:58:16 -0700 (PDT)
	(envelope-from rizzo@xorpc.icir.org)
Received: from xorpc.icir.org (localhost [127.0.0.1])
	by xorpc.icir.org (8.12.8p1/8.12.3) with ESMTP id h7G9wCkN031279;
	Sat, 16 Aug 2003 02:58:12 -0700 (PDT)
	(envelope-from rizzo@xorpc.icir.org)
Received: (from rizzo@localhost)
	by xorpc.icir.org (8.12.8p1/8.12.3/Submit) id h7G9wCqr031278;
	Sat, 16 Aug 2003 02:58:12 -0700 (PDT)
	(envelope-from rizzo)
Date: Sat, 16 Aug 2003 02:58:12 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: Peter Losher <Peter_Losher@isc.org>
Message-ID: <20030816025812.A31188@xorpc.icir.org>
References: <200308160116.22010.Peter_Losher@isc.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <200308160116.22010.Peter_Losher@isc.org>;
	from Peter_Losher@isc.org on Sat, Aug 16, 2003 at 01:16:21AM -0700
cc: freebsd-ipfw@freebsd.org
Subject: Re: piping killing performance on 5.1-REL-p2
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Aug 2003 09:58:49 -0000

well... i don't understand what you think is wrong here.

A 64-byte (512 bits) packet in a 10Kbit/s pipe will take roughly 50ms
to go through, and this is exactly what you are reporting.

I suspect your 4.x configuration was not passing the packets
through the pipe and/or had the bandwidth configured differently.

[As an aside, by using "mask src-ip 0xffffffff" you are basically
making yourself a wonderful candidate for DoS attacks, as
any IP will create a new pipe. I'd rather have one pipe (or a small
number of pipes) for outsiders, and if someone is saturating them
you'll still be able to provide service inside.]

	cheers
	luigi


On Sat, Aug 16, 2003 at 01:16:21AM -0700, Peter Losher wrote:
> Hi - 
> 
> On several of our servers that provide name service to the local network, 
> we normally have pipes in our ipfw/ipfw2 rules as such:
> 
> add     pipe 1          udp     from any to any 53 in
> pipe 1  config  mask src-ip 0xffffffff buckets 1024 bw 10Kbit/s queue 3
> add     pipe 2          tcp     from any to any 53 in
> pipe 2  config  mask src-ip 0xffffffff buckets 1024 bw 100Kbit/s queue 3
> 
> to make sure outsiders don't slam us too hard, etc... This setup has worked 
> fine for us in the past under 4.x, but we have now turned up our first 
> 5.1-REL box (5.1-REL-p2 to be exact) and while the pipes work, they are 
> killing the response times.  dig queries that normally take a couple of 
> milliseconds from another host on the same subnet now take 40-50 
> milliseconds.  Remove the rules, and the response time goes back 
> down to a couple of milliseconds.   Note that this same configuration on a 
> 4.x system shows very little degradation with the pipes on-line.
> 
> Has the syntax changed between ipfw and ipfw2, and have others experienced 
> this "slowness" issue?  (I looked in the archives beforehand)
> 
> Best Wishes - Peter
> -- 
> Peter_Losher@isc.org | ISC | OpenPGP 0xE8048D08 | "The bits must flow"
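
Added example (not part of the original thread, and not dummynet's own code): a small Python model of the two points in the reply above, the per-packet delay of a 10Kbit/s pipe and how the "mask src-ip" value decides how many dynamic pipes a set of source addresses creates. The addresses are constructed from documentation ranges, the function names are hypothetical, and the queueing delay is a simplified model that assumes equal-sized packets.

```python
import ipaddress

# Constructed sample: 150 source addresses from the three documentation ranges.
SOURCES = [f"{net}.{host}"
           for net in ("192.0.2", "198.51.100", "203.0.113")
           for host in range(1, 51)]


def serialization_delay_ms(packet_bytes, bw_bits_per_s):
    """Time to clock one packet out of a pipe of the given bandwidth."""
    return packet_bytes * 8 * 1000 / bw_bits_per_s


def worst_case_delay_ms(packet_bytes, bw_bits_per_s, queue_slots):
    """Simplified model: a packet taking the last free slot leaves after
    queue_slots back-to-back transmissions of equal-sized packets."""
    return queue_slots * serialization_delay_ms(packet_bytes, bw_bits_per_s)


def flow_key(src_ip, mask):
    """Key selecting the dynamic pipe under 'mask src-ip <mask>'."""
    return int(ipaddress.IPv4Address(src_ip)) & mask


def pipe_usage(sources, mask, bw_bits_per_s):
    """Return (dynamic pipes created, aggregate bit/s those pipes admit)."""
    keys = {flow_key(src, mask) for src in sources}
    return len(keys), len(keys) * bw_bits_per_s


if __name__ == "__main__":
    bw = 10_000  # "bw 10Kbit/s" from the posted pipe 1
    print(f"64-byte packet: {serialization_delay_ms(64, bw):.1f} ms")
    print(f"behind a full 'queue 3': {worst_case_delay_ms(64, bw, 3):.1f} ms")
    # 0xffffffff is the posted mask; 0xffffff00 groups sources per /24;
    # 0x00000000 stands for a single shared pipe (no per-source split).
    for mask in (0xffffffff, 0xffffff00, 0x00000000):
        pipes, total = pipe_usage(SOURCES, mask, bw)
        print(f"mask {mask:#010x}: {pipes} pipes, {total} bit/s admitted")
```

With the full mask every distinct source gets its own 10Kbit/s pipe, so both kernel state and the aggregate admitted rate grow with the number of sources; a shorter mask or a single pipe keeps both bounded.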