From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 29 15:46:43 2003
From: Sten Daniel Sørsdal
Date: Tue, 30 Sep 2003 00:43:37 +0200
Message-ID: <0AF1BBDF1218F14E9B4CCE414744E70F1F3F07@exchange.wanglobal.net>
Subject: Queue sizes.

Hi!

I've experimented with various queue sizes for pipes and I just can't figure out a generic algorithm from 10mbit through 64kbit (10240, 8192, 4096, 2048, 1024, 512, 256, 128, 64 kbit/s).

Does anyone know the most efficient queue size for latency (most important) vs. bulk (must be _roughly_ the same before and after)?

Google doesn't help much (keywords might be wrong?). I would really appreciate it if anyone has got any tips/clues.
-- 
Sten

From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 30 08:16:08 2003
From: Pawel Malachowski
To: freebsd-ipfw@freebsd.org
Date: Tue, 30 Sep 2003 17:19:10 +0200
Message-ID: <20030930151910.GB22091@shellma.zin.lublin.pl>
In-Reply-To: <0AF1BBDF1218F14E9B4CCE414744E70F1F3F07@exchange.wanglobal.net>
Subject: Re: Queue sizes.

On Tue, Sep 30, 2003 at 12:43:37AM +0200, Sten Daniel Sørsdal wrote:
> I've experimented with various queue sizes to pipes and I just can't figure out a generic algorithm from 10mbit through 64kbit
> (10240, 8192, 4096, 2048, 1024, 512, 256, 128, 64 kbit/s).
> Does anyone know the most efficient queue size for latency (most important) vs. bulk (must be _roughly_ same before and after)?
> Google doesn't help much (keywords might be wrong?).
> I would really appreciate if anyone got any tips/clues?
I've found for my own use that setting queue (buffer size; it is a bit confusing to call two things `queue') to about 1/3 of the link speed in KBytes is usually OK. For example, I set queue to 30KBytes for a pipe with bw 768kbit/s. When saturated, a 768kbit/s (96KB/s) link can transmit 30KB within ~300ms and that is acceptable *for me* (note that this 300ms must usually be doubled because incoming and outgoing traffic have separate pipes).

Setting too small a queue size can cause problems; for example TCP has problems with packet losses and data transfer can be lowered twice or even more. I was observing this with a WinXP system. This is normal, so be careful and test a lot.

-- 
Paweł Małachowski

From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 30 09:50:41 2003
From: "Kang Liu"
Date: Wed, 1 Oct 2003 00:47:17 +0800
Message-ID: <012901c38772$8288c9d0$e04e70ca@lkatschool>
cc: freebsd-ipfw@freebsd.org
cc: maxim@macomnet.ru
cc: cokane@FreeBSD.ORG
cc: freebsd-hackers@freebsd.org
Subject: Re: kern/50216: kernel panic on 5.0-current when use ipfw2 with
 dynamic rules

I reproduced it on the latest 5.1current. Here is the backtrace:

#####
GNU gdb 5.2.1 (FreeBSD)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-undermydesk-freebsd"...
panic: Most recently used by cred

panic messages:
---
panic: Most recently used by cred

Stack backtrace:
syncing disks, buffers remaining... 628 628 628 628 628 628 628 628 628 628 628 628 628 628 628 628 628 628 628 628
giving up on 520 buffers
Uptime: 16m0s
Dumping 255 MB
 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240
---
Reading symbols from /usr/obj/usr/src/sys/IPFW/modules/usr/src/sys/modules/acpi/acpi.ko.debug...done.
Loaded symbols for /usr/obj/usr/src/sys/IPFW/modules/usr/src/sys/modules/acpi/acpi.ko.debug
Reading symbols from /boot/kernel/daemon_saver.ko...done.
Loaded symbols for /boot/kernel/daemon_saver.ko
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:240
240             dumping++;
(kgdb) bt
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:240
#1  0xc01a0221 in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:372
#2  0xc01a05b7 in panic () at /usr/src/sys/kern/kern_shutdown.c:550
#3  0xc02817f7 in mtrash_ctor (mem=0xc29f8a80, size=0, arg=0x0) at /usr/src/sys/vm/uma_dbg.c:137
#4  0xc028002e in uma_zalloc_arg (zone=0xc083ab40, udata=0x0, flags=257) at /usr/src/sys/vm/uma_core.c:1413
#5  0xc0194a23 in malloc (size=3229854528, type=0xc03020c0, flags=257) at /usr/src/sys/vm/uma.h:234
#6  0xc021e03f in add_dyn_rule (id=0xcd7bfc90, dyn_type=39 '\'', rule=0xc2815e00) at /usr/src/sys/netinet/ip_fw2.c:976
#7  0xc021e43e in install_state (rule=0xc28f3a80, cmd=0xc28f3ac0, args=0xcd7bfc70) at /usr/src/sys/netinet/ip_fw2.c:1140
#8  0xc021f4dc in ipfw_chk (args=0xcd7bfc70) at /usr/src/sys/netinet/ip_fw2.c:1942
#9  0xc0221dd7 in ip_input (m=0xc0ed9800) at /usr/src/sys/netinet/ip_input.c:489
#10 0xc0211a82 in swi_net (dummy=0x0) at /usr/src/sys/net/netisr.c:236
#11 0xc018c762 in ithread_loop (arg=0xc0ebec80) at /usr/src/sys/kern/kern_intr.c:534
#12 0xc018b76f in fork_exit (callout=0xc018c5e0 , arg=0x0, frame=0x0) at /usr/src/sys/kern/kern_fork.c:796
(kgdb)
#####

Here is my full ipfw rule set script:

# cat ./ipfwpanic.sh
dumpon -v /dev/ad0s1b
/sbin/ipfw add allow tcp from any to any established
/sbin/ipfw add allow ip from a.b.c.0 to a.b.c.d
/sbin/ipfw add allow tcp from any to a.b.c.d 80 limit src-addr 20 setup
/sbin/ipfw add allow ip from a.b.c.d to any

And I added "IPFIREWALL_DEFAULT_TO_ACCEPT" into the kernel configuration file.

#####

Here is my test script. I installed an apache on that machine, and use ab to connect to port 80.

# cat panicstart.sh
#!/bin/sh
number=0
while (test $number -lt 10000)
do
    echo "$number"
    ab -c 100 http://a.b.c.d/
    number=`expr $number + 1`
done

#####

This problem can be reproduced on both MP and UP machines.
I've tested it on a Dell PowerEdge 2650 (with 2 P4 Xeons, HTT enabled/disabled) and a DIY PC (1 PIII CPU). The backtrace I posted above was produced on the PC (1 CPU).

From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 30 10:00:41 2003
From: "Kang Liu"
To: ipfw@FreeBSD.org
Date: Tue, 30 Sep 2003 10:00:40 -0700 (PDT)
Message-Id: <200309301700.h8UH0ecX028406@freefall.freebsd.org>
Subject: Re: kern/50216: kernel panic on 5.0-current when use ipfw2 with dynamic rules

The following reply was made to PR kern/50216; it has been noted by GNATS.

From: "Kang Liu"
Cc: "'Xin LI/??'"
Subject: Re: kern/50216: kernel panic on 5.0-current when use ipfw2 with dynamic rules
Date: Wed, 1 Oct 2003 00:47:17 +0800
From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 30 10:30:08 2003
From: Sam Leffler
Organization: Errno Consulting
To: "Kang Liu"
Date: Tue, 30 Sep 2003 10:28:19 -0700
In-Reply-To: <012901c38772$8288c9d0$e04e70ca@lkatschool>
Message-Id: <200309301028.19046.sam@errno.com>
cc: freebsd-ipfw@freebsd.org
Subject: Re: kern/50216: kernel panic on 5.0-current when use ipfw2 with dynamic rules

On Tuesday 30 September 2003 09:47 am, Kang Liu wrote:
> I reproduced it on the latest 5.1current.

Thanks. I'll look at it.
Sam

From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 30 10:40:18 2003
From: Sam Leffler
To: ipfw@FreeBSD.org
Date: Tue, 30 Sep 2003 10:40:17 -0700 (PDT)
Message-Id: <200309301740.h8UHeHIN033522@freefall.freebsd.org>
Subject: Re: kern/50216: kernel panic on 5.0-current when use ipfw2 with dynamic rules

The following reply was made to PR kern/50216; it has been noted by GNATS.

From: Sam Leffler
To: "Kang Liu"
Cc: freebsd-ipfw@freebsd.org
Subject: Re: kern/50216: kernel panic on 5.0-current when use ipfw2 with dynamic rules
Date: Tue, 30 Sep 2003 10:28:19 -0700

On Tuesday 30 September 2003 09:47 am, Kang Liu wrote:
> I reproduced it on the latest 5.1current.

Thanks. I'll look at it.
Sam

From owner-freebsd-ipfw@FreeBSD.ORG Sat Oct 4 09:01:06 2003
From: "Roderick van Domburg"
Organization: University of Twente
Date: Sat, 4 Oct 2003 18:02:10 +0200
Message-ID: <006b01c38a90$dea3b420$6ba55982@gog>
Subject: When to use setup keyword?

Hello everyone,

I was pondering whether blindly trailing every tcp rule with the 'setup' keyword would incur any performance loss or security hazard. I've got a server setup serving FTP, SSH, SMTP, DNS and HTTP.
My rules in question are the following:

allow tcp from any to {$ip} dst-port 21 setup
allow tcp from any to {$ip} dst-port 22 setup
allow tcp from any to {$ip} dst-port 25 setup
allow tcp from any to {$ip} dst-port 53 setup
allow tcp from any to {$ip} dst-port 80 setup

All services run just fine, but I was thinking that excluding 'setup' here and there would make for a cleaner solution? For example, I don't think that HTTP (even 1.1) requires the setup keyword, does it?

Regards,

Roderick

From owner-freebsd-ipfw@FreeBSD.ORG Sat Oct 4 10:06:17 2003
From: Marcin Gryszkalis
Organization: fork.pl
To: Roderick van Domburg
Date: Sat, 04 Oct 2003 19:06:02 +0200
Message-ID: <3F7EFDFA.4060703@fork.pl>
In-Reply-To: <006b01c38a90$dea3b420$6ba55982@gog>
cc: freebsd-ipfw@freebsd.org
Subject: Re: When to use
 setup keyword?

On 2003-10-04 18:02, Roderick van Domburg wrote:
> I was pondering if blindly trailing every tcp rule with the 'setup' keyword
> would incur any performance loss or security hazard.
> allow tcp from any to {$ip} dst-port 80 setup
> All services run just fine, but I was thinking that excluding 'setup' here
> and there would make for a cleaner solution? For example, I don't think that
> HTTP (even 1.1) requires the setup keyword does it?

Please refer to the ipfw manual *and* some TCP/IP reference. ipfw is a TCP/IP level firewall, while HTTP is an application level protocol (higher). ipfw knows nothing about HTTP.

man ipfw says:

     setup   Matches TCP packets that have the SYN bit set but no ACK bit.
             This is the short form of ``tcpflags syn,!ack''.

To make it work you must also have a rule similar to the following:

allow tcp from any to any established

You can try an alternative approach - use the 'stateful firewall' features of ipfw instead of the setup/established pair (refer to the ipfw man page, tutorials, etc.)
regards

-- 
Marcin Gryszkalis
jabber jid:mg@chrome.pl gg:2532994 http://fork.pl

From owner-freebsd-ipfw@FreeBSD.ORG Sat Oct 4 10:16:21 2003
From: Chuck Swiger
Organization: The Courts of Chaos
To: Roderick van Domburg
Date: Sat, 04 Oct 2003 13:16:18 -0400
Message-ID: <3F7F0062.5000206@mac.com>
In-Reply-To: <006b01c38a90$dea3b420$6ba55982@gog>
cc: freebsd-ipfw@freebsd.org
Subject: Re: When to use setup keyword?

Roderick van Domburg wrote:
> Hello everyone,
>
> I was pondering if blindly trailing every tcp rule with the 'setup' keyword
> would incur any performance loss or security hazard.

It would incur a security hazard.
Any tool which performs "stealth" scans (ie, such as nmap's default scan mode) would go right past your firewall rules.

-- 
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Sat Oct 4 10:38:10 2003
From: "Roderick van Domburg"
Organization: University of Twente
To: "Marcin Gryszkalis"
Date: Sat, 4 Oct 2003 19:39:21 +0200
Message-ID: <007d01c38a9e$73883cc0$6ba55982@gog>
References: <006b01c38a90$dea3b420$6ba55982@gog> <3F7EFDFA.4060703@fork.pl>
cc: freebsd-ipfw@freebsd.org
Subject: Re: When to use setup keyword?

> > All services run just fine, but I was thinking that excluding 'setup' here
> > and there would make for a cleaner solution? For example, I don't think that
> > HTTP (even 1.1) requires the setup keyword does it?
>
> Please refer to ipfw manual *and* some TCP/IP reference.
> ipfw is TCP/IP level firewall, while HTTP is application level
> protocol (higher). ipfw knows nothing about HTTP.

I know, but HTTP/1.1 does allow for ``threaded sessions'', so to speak. What I don't know without glancing at any RFCs is whether HTTP/1.1 clients open multiple sockets on port 80 or several sockets in the dynamic range.

Hence my question: which services require the setup keyword and which don't?

Regards,

Roderick

From owner-freebsd-ipfw@FreeBSD.ORG Sat Oct 4 10:53:13 2003
From: Marcin Gryszkalis
Organization: fork.pl
To: Roderick van Domburg
Date: Sat, 04 Oct 2003 19:52:54 +0200
Message-ID: <3F7F08F6.3050908@fork.pl>
In-Reply-To: <007d01c38a9e$73883cc0$6ba55982@gog>
cc: freebsd-ipfw@freebsd.org
Subject: Re: When to use setup keyword?

On 2003-10-04 19:39, Roderick van Domburg wrote:
> I know, but HTTP/1.1 does allow for ``threaded sessions'', so to speak. What
> I don't know without glancing at any RFCs is whether HTTP/1.1 clients open
> multiple sockets on port 80 or several sockets in the dynamic range.

I've never heard about an http service opening ports other than those explicitly specified (usually 80). A client can open several parallel connections to the port.

> Hence my question: which services require the setup keyword and which don't?

I'd say every TCP-based service requires either setup/established rules or stateful rules.

regards

-- 
Marcin Gryszkalis
jabber jid:mg@chrome.pl gg:2532994 http://fork.pl

From owner-freebsd-ipfw@FreeBSD.ORG Sat Oct 4 10:56:43 2003
From: "Roderick van Domburg"
Organization: University of Twente
To: "Marcin Gryszkalis"
Date: Sat, 4 Oct 2003 19:58:02 +0200
Message-ID: <00ca01c38aa1$0e7df790$6ba55982@gog>
References: <006b01c38a90$dea3b420$6ba55982@gog> <3F7EFDFA.4060703@fork.pl> <007d01c38a9e$73883cc0$6ba55982@gog> <3F7F08F6.3050908@fork.pl>
cc: freebsd-ipfw@freebsd.org
Subject: Re: When to use setup keyword?

> > Hence my question: which services require the setup keyword and which don't?
> I'd say - every TCP-based service require either setup/established rules or
> statefull rules.

Alright, thanks. What are the pros and cons of each method?

Regards,

Roderick

From owner-freebsd-ipfw@FreeBSD.ORG Sat Oct 4 11:06:54 2003
From: Chuck Swiger
Organization: The Courts of Chaos
To: Roderick van Domburg
Date: Sat, 04 Oct 2003 14:06:50 -0400
Message-ID: <3F7F0C3A.7070403@mac.com>
References: <006b01c38a90$dea3b420$6ba55982@gog>
 <3F7EFDFA.4060703@fork.pl> <007d01c38a9e$73883cc0$6ba55982@gog>
In-Reply-To: <007d01c38a9e$73883cc0$6ba55982@gog>
cc: freebsd-ipfw@freebsd.org
Subject: Re: When to use setup keyword?

Roderick van Domburg wrote:
[ ... ]
> I know, but HTTP/1.1 does allow for ``threaded sessions'', so to speak. What
> I don't know without glancing at any RFCs is whether HTTP/1.1 clients open
> multiple sockets on port 80 or several sockets in the dynamic range.

Clients using HTTP/1.1 multiplex several requests over a single TCP connection to port 80 on the web server.

> Hence my question: which services require the setup keyword and which don't?

None of them do, in one sense-- you can write a valid and useful firewall ruleset without ever using the 'setup' keyword. If you know what you are doing, you might want to distinguish between 'setup' versus 'established' connections for logging purposes or fine-grained control. In order to do that, you need to understand TCP/IP well enough to know something about the SYN and ACK bits, the three-way handshake used for TCP connection setup, and so forth.

-- 
-Chuck
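The four rulesets this thread compares (a rule with no flag test, 'setup' without 'established', the setup/established pair Marcin describes, and the stateful check-state/keep-state alternative), run over a constructed TCP handshake plus two segments that never belonged to an open connection. This is an added example, not ipfw's code or anything posted by the thread's participants: the simulator only implements the flag shorthands as the man page text quoted above defines them (setup = SYN set and ACK clear; established = ACK or RST set) and a minimal dynamic-state table; the addresses are constructed from the RFC 5737 documentation ranges.

```python
"""Small simulator of how ipfw decides TCP packets under the 'setup',
'established' and stateful (check-state / keep-state) options.
Constructed illustration, not ipfw's own code: 'setup' means SYN set and
ACK clear, 'established' means ACK or RST set, keep-state records the flow
in both directions and check-state looks a packet up in that table."""
from dataclasses import dataclass

# Constructed addresses from the RFC 5737 documentation ranges.
SERVER, CLIENT, OTHER = "192.0.2.10", "198.51.100.7", "203.0.113.9"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: str = None                # None matches any address
    dst: str = None
    dport: int = None              # None matches any port
    opts: frozenset = frozenset()  # setup / established / keep-state / check-state


def tcp(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))


def rule(action, src=None, dst=None, dport=None, *opts):
    return Rule(action, src, dst, dport, frozenset(opts))


def flags_match(p, opts):
    """The tcpflags shorthands as ipfw's man page defines them."""
    if "setup" in opts and not ("SYN" in p.flags and "ACK" not in p.flags):
        return False
    if "established" in opts and not (p.flags & {"ACK", "RST"}):
        return False
    return True


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.dyn = set()  # dynamic state: 4-tuples stored in both directions

    def check(self, p):
        """Action of the first matching rule; the default rule denies."""
        for r in self.rules:
            if "check-state" in r.opts:
                if (p.src, p.sport, p.dst, p.dport) in self.dyn:
                    return "allow"
                continue
            if r.src is not None and r.src != p.src:
                continue
            if r.dst is not None and r.dst != p.dst:
                continue
            if r.dport is not None and r.dport != p.dport:
                continue
            if not flags_match(p, r.opts):
                continue
            if "keep-state" in r.opts:
                self.dyn.add((p.src, p.sport, p.dst, p.dport))
                self.dyn.add((p.dst, p.dport, p.src, p.sport))
            return r.action
        return "deny"


# Constructed traffic: one real handshake plus a data segment, then two
# segments that belong to no connection the firewall ever saw open.
TRAFFIC = [
    ("syn",       tcp(CLIENT, 40001, SERVER, 80, "SYN")),
    ("syn-ack",   tcp(SERVER, 80, CLIENT, 40001, "SYN", "ACK")),
    ("ack",       tcp(CLIENT, 40001, SERVER, 80, "ACK")),
    ("data",      tcp(CLIENT, 40001, SERVER, 80, "PSH", "ACK")),
    ("stray-ack", tcp(OTHER, 50000, SERVER, 80, "ACK")),
    ("fin-only",  tcp(OTHER, 50001, SERVER, 80, "FIN")),
]

# The rulesets discussed in the thread, in the simulator's terms.
RULESETS = {
    # allow tcp from any to $ip 80 ; allow tcp from $ip to any
    "no-flags": [rule("allow", None, SERVER, 80), rule("allow", SERVER)],
    # allow tcp from any to $ip 80 setup, with no 'established' rule
    "setup-only": [rule("allow", None, SERVER, 80, "setup"),
                   rule("allow", SERVER)],
    # allow tcp from any to any established ; allow ... 80 setup
    "setup-established": [rule("allow", None, None, None, "established"),
                          rule("allow", None, SERVER, 80, "setup")],
    # check-state ; allow tcp from any to $ip 80 setup keep-state
    "stateful": [rule("allow", None, None, None, "check-state"),
                 rule("allow", None, SERVER, 80, "setup", "keep-state")],
}


def evaluate(name):
    """Run one ruleset over TRAFFIC and return {packet label: decision}."""
    fw = Firewall(RULESETS[name])
    return {label: fw.check(p) for label, p in TRAFFIC}


if __name__ == "__main__":
    for name in RULESETS:
        verdicts = " ".join(f"{k}={v}" for k, v in evaluate(name).items())
        print(f"{name:18s} {verdicts}")
```

The run shows why each answer in the thread holds: 'setup' alone breaks the handshake at the client's ACK, the setup/established pair fixes that but still passes any ACK-bearing segment whether or not a connection exists, and only the stateful form ties acceptance to a SYN the firewall actually saw.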