From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 18 02:41:55 2004
From: "Rickard Dahlstrand"
To: "Per Engelbrecht"
cc: freebsd-ipfw@freebsd.org
Date: Sun, 18 Jan 2004 11:41:39 +0100
Subject: Re: Arps when bridged.
Message-ID: <007801c3ddaf$a76957e0$8b01010a@nyalaptopen>

Thanks,

Sorry about the lack of information. But after trying the -arp on the bridged interfaces it actually stopped complaining about this. I will dig down into the bridging issue, but right now it's doing what I want.

Thanks, Rickard.

----- Original Message -----
From: "Per Engelbrecht"
Sent: Friday, January 16, 2004 4:20 PM
Subject: Re: Arps when bridged.

> Hi Rickard
> This is more of a 'net' problem than an 'ipfw' one, but anyway, don't disable
> 'arp'. When sending a piece of your log, please also include the (in this case)
> 'ifconfig' and 'sysctl.conf'!
> I could be wrong, but it seems more likely that you're having a loop.
> Read 'man bridge(4)', the last paragraph above the 'examples' section.
>
> If you're bridging from a performance point of view, then have a look at
> 'ngctl' as well: http://bsdvault.net/sections.php?op=viewarticle&artid=98
> Only downfall is when it's used in conjunction with HP Procurve
> switches - they don't like the idea of "two identical" mac-addresses!
>
> Regards
> /per
> per@xterm.dk
>
> > Hi,
> >
> > I'm getting these messages. I have three interfaces, one uses DHCP
> > and the other two are bridged.
> >
> > Here is the log I get:
> >
> > Jan 16 10:13:57 testburk /kernel: arp: 00:10:f3:03:44:69 is using my IP address 10.1.1.69!
> > Jan 16 10:13:57 testburk /kernel: arp: 00:10:f3:03:44:6a is using my IP address 10.1.1.69!
> > Jan 16 10:14:47 testburk /kernel: arp: 00:10:f3:03:44:69 is using my IP address 10.1.1.69!
> > Jan 16 10:14:47 testburk /kernel: arp: 00:10:f3:03:44:6a is using my IP address 10.1.1.69!
> > Jan 16 10:57:31 testburk /kernel: arp: 00:10:f3:03:44:69 is using my IP address 10.1.1.69!
> > Jan 16 10:57:31 testburk /kernel: arp: 00:10:f3:03:44:6a is using my IP address 10.1.1.69!
> > Jan 16 11:03:06 testburk /kernel: arp: 00:10:f3:03:44:69 is using my IP address 10.1.1.69!
> > Jan 16 11:03:06 testburk /kernel: arp: 00:10:f3:03:44:6a is using my IP address 10.1.1.69!
> > Jan 16 11:06:40 testburk /kernel: arp: 00:10:f3:03:44:69 is using my IP address 10.1.1.69!
> > Jan 16 11:06:40 testburk /kernel: arp: 00:10:f3:03:44:6a is using my IP address 10.1.1.69!
> >
> > What is the problem and does anyone know if ifconfig fxp1 -arp
> > should stop this?
> >
> > Thanks, Rickard.
> > _______________________________________________
> > freebsd-ipfw@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 18 06:44:52 2004
From: "Greg Robinson"
Reply-To: greg@ltcc.com
Organization: LTCC / Lucrosol
Date: Sun, 18 Jan 2004 06:44:39 -0800
Subject: ipfw rule for aliased ip virtual hosts
Message-ID: <000901c3ddd1$9abb5ee0$32fea8c0@presidio>

All:

Unable to compose a rule that permits me to use the IPs I've aliased to fxp0. What am I missing?

Goal: fxp0 is configured as XX.XX.XX.197, and 198, 199 are aliased.
Out of the box rc.firewall "simple" permits the web site configured as 197 to function, yet the others do not.

This box is running named, sendmail, and apache at this point. Want it to support six web sites, all with their own mail and web pages.

What I've done so far is attempt to add an additional rule to rc.firewall "simple". Checked the mailing lists, docs, how-tos, and Google searches on "virtual hosts" and IPFW.

Any assistance or direction is appreciated - I'm of the opinion I'm trying to do something you cannot do, or I'm missing a very simple point.

Regards,
Greg

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 18 08:20:48 2004
From: "Matthew McGehrin"
Date: Sun, 18 Jan 2004 11:20:40 -0500
Message-ID: <002301c3dddf$03a3fc70$af00a8c0@orange>
Subject: Re: ipfw rule for aliased ip virtual hosts

1. How are you adding aliases? Using /etc/rc.conf or directly?

Using rc.conf, the format is:

ifconfig_rl0_alias0="inet 192.168.2.3 netmask 255.255.255.255"
ifconfig_rl0_alias1="inet 192.168.2.4 netmask 255.255.255.255"
ifconfig_rl0_alias2="inet 192.168.2.5 netmask 255.255.255.255"

Using rc.local, the format is:

ifconfig rl0 192.168.2.3 netmask 255.255.255.255 alias
ifconfig rl0 192.168.2.4 netmask 255.255.255.255 alias
ifconfig rl0 192.168.2.5 netmask 255.255.255.255 alias

2. Can you ping or access other services on your vhost IP? i.e.:

ping 192.168.2.3
or
telnet 192.168.2.3 22

3. Please post the output of 'ipfw list' if you're still stuck.

Thanks

----- Original Message -----
From: "Greg Robinson"
Sent: Sunday, January 18, 2004 9:44 AM
Subject: ipfw rule for aliased ip virtual hosts

> Fxp0 is configured as XX.XX.XX.197, and 198,199 are aliased.
> Out of the box rc.firewall "simple" permits the web site configured as
> 197 to function yet the others do not.
> This box is running named, sendmail, and apache at this point.
> Want it to support six web sites all with their own mail and web pages.

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 18 10:23:59 2004
From: Chuck Swiger
Organization: The Courts of Chaos
To: fbsd_user@a1poweruser.com
cc: freebsd-ipfw@freebsd.org
cc: freebsd-questions@FreeBSD.ORG
Date: Sun, 18 Jan 2004 13:23:53 -0500
Subject: Re: 5.2 + ipfw2 + keep-state rules Bug
Message-ID: <400ACF39.4000609@mac.com>

fbsd_user wrote:
> Using a fresh install of FBSD 5.2 RC2 I am trying to
> get stateful rules to function.
> For some reason ipfw2 seems to be issuing an ICMP:3.3
> packet to my ISP's dns.

[ ... ]

> # Internal gateway housekeeping
> $cmd 00100 allow all from any to any via lo0 # allow all localhost
> $cmd 00105 allow all from any to any via xl0 # allow all local Lan
> $cmd 00110 check-state log logamount 500
> $cmd 00150 divert natd all from any to any
> $cmd 00170 count log logamount 500 all from any to any
> $cmd 00310 allow log logamount 500 tcp from any to any 53 out via rl0 setup keep-state
> $cmd 00311 allow log logamount 500 udp from any to any 53 out via rl0 keep-state
> $cmd 00315 allow log logamount 500 tcp from any to any 80 out via rl0 setup keep-state
> $cmd 00350 allow log logamount 500 icmp from any to any out via rl0 keep-state
> $cmd 00500 deny log logamount 500 all from any to any

Something like the following would be better in terms of DNS and not blocking essential types of ICMP traffic:

allow tcp from any to any 53 out via rl0 setup keep-state
allow udp from any to any 53
allow icmp from any to any icmptypes 0,3,4,8,11,12

This allows bidirectional UDP-based DNS queries, but only outbound long (TCP-based) DNS queries like zone-transfers.

YMMV, and it may not solve your problem -- it looked like your queries were coming from an internal host (10.0.10.5) using NAT? Are you sure that natd is okay? Maybe put the divert statement before the "check-state" rule?
-- 
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 19 11:02:15 2004
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 19 Jan 2004 11:01:29 -0800 (PST)
Subject: Current problem reports assigned to you
Message-Id: <200401191901.i0JJ1ThH061849@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/12/29] kern/60719  ipfw   ipfw: Headerless fragments generate cryp

1 problem total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 19 11:03:15 2004
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 19 Jan 2004 11:01:46 -0800 (PST)
Subject: Current problem reports assigned to you
Message-Id: <200401191901.i0JJ1kja062200@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw   ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw   IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959   ipfw   ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/25] kern/55984  ipfw   [patch] time based firewalling support fo

9 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 19 11:45:50 2004
From: "Simon L. Nielsen"
To: simon@FreeBSD.org, freebsd-ipfw@FreeBSD.org, ipfw@FreeBSD.org
Date: Mon, 19 Jan 2004 11:45:49 -0800 (PST)
Subject: Re: kern/60719: ipfw: Headerless fragments generate cryptic error message
Message-Id: <200401191945.i0JJjn6w071510@freefall.freebsd.org>

Synopsis: ipfw: Headerless fragments generate cryptic error message

Responsible-Changed-From-To: freebsd-ipfw->ipfw
Responsible-Changed-By: simon
Responsible-Changed-When: Mon Jan 19 11:44:46 PST 2004
Responsible-Changed-Why:
Reassign from freebsd-ipfw -> ipfw so the list doesn't get two mails when GNATS is sending out reminders.

http://www.freebsd.org/cgi/query-pr.cgi?pr=60719

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 20 06:21:05 2004
From: "lattera"
To: freebsd-ipfw@freebsd.org
Date: Tue, 20 Jan 2004 21:20:47 +0700 (GMT-7)
Message-ID: <49344.216.190.11.115.1074608447.squirrel@vulcan.g3host.net>
Subject: divert sockets code

I can't seem to get pointers right in my code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define USE_BSD
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>

#define PORT 6137

/* Hand a packet back to the kernel unchanged so ipfw keeps processing it. */
static void reinject(int sockfd, const char *buf, int n,
                     const struct sockaddr_in *client, socklen_t clisize)
{
    if (sendto(sockfd, buf, n, 0, (const struct sockaddr *)client, clisize) != n) {
        perror("send");
        exit(1);
    }
}

int main(int argc, char *argv[])
{
    int sockfd, n;
    socklen_t clisize;
    struct sockaddr_in server, client;
    char buf[65536 + 1], *payload;   /* one spare byte for a NUL terminator */
    struct tcphdr *tcp;
    struct ip *iphdr;
    size_t iplen, hdrlen;

    if ((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT)) < 0) {
        perror("socket");
        exit(1);
    }
    memset(&server, 0, sizeof(server));
    server.sin_family = PF_INET;
    server.sin_port = htons(PORT);       /* must match the port in the ipfw divert rule */
    server.sin_addr.s_addr = INADDR_ANY;
    if (bind(sockfd, (struct sockaddr *)&server, sizeof(server)) < 0) {
        perror("bind");
        exit(1);
    }

    while (1) {
        clisize = sizeof(client);
        if ((n = recvfrom(sockfd, buf, sizeof(buf) - 1, 0,
                          (struct sockaddr *)&client, &clisize)) < 0) {
            perror("recv");
            exit(1);
        }
        iphdr = (struct ip *)buf;

        /* Anything that is not TCP goes straight back.  Without the
         * continue, the packet would also be parsed as TCP below. */
        if ((size_t)n < sizeof(struct ip) || iphdr->ip_p != IPPROTO_TCP) {
            reinject(sockfd, buf, n, &client, clisize);
            continue;
        }

        /* Header lengths are in 32-bit words; check them against the
         * bytes actually received before dereferencing anything. */
        iplen = (size_t)iphdr->ip_hl * 4;
        if (iplen < sizeof(struct ip) || iplen + sizeof(struct tcphdr) > (size_t)n) {
            reinject(sockfd, buf, n, &client, clisize);
            continue;
        }
        tcp = (struct tcphdr *)(buf + iplen);
        hdrlen = iplen + (size_t)tcp->th_off * 4;
        if (hdrlen < iplen + sizeof(struct tcphdr) || hdrlen > (size_t)n
            || !(tcp->th_flags & TH_PUSH)) {
            reinject(sockfd, buf, n, &client, clisize);
            continue;
        }

        /* Advance a char pointer by the header length in bytes.  The
         * original "tcp + th_off*4" stepped in units of sizeof(struct tcphdr)
         * and landed far past the payload. */
        payload = buf + hdrlen;
        buf[n] = '\0';          /* strstr() needs a terminator; buf has a spare byte */
        if (strstr(payload, "GET /etc/passwd"))
            continue;           /* drop the packet: it is never reinjected */

        reinject(sockfd, buf, n, &client, clisize);
    }
}

Can someone tell me what I need to do?
Attached is the C source file of the above code (for readability)

-- 
"So crucify the ego before it's far too late to leave behind this place so negative and blind and cynical and you will come to find that we are all one mind capable of all that's imagined and all conceivable."
-- Tool - Reflection
http://lattera.nosleep.info
http://www.sf.net/projects/hidprox

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 20 13:45:22 2004
From: "lattera"
To: freebsd-ipfw@freebsd.org
Date: Wed, 21 Jan 2004 04:45:14 +0700 (GMT-7)
Subject: Re: divert sockets code
Message-ID: <1651.204.113.120.202.1074635114.squirrel@vulcan.g3host.net>

Correction:

if (bind(sockfd, (struct sockaddr *)&server, sizeof(server)) < 0) {
    perror("bind");
    exit(1);
} exit(1);

should read:

if (bind(sockfd, (struct sockaddr *)&server, sizeof(server)) < 0) {
    perror("bind");
    exit(1);
}

> I can't seem to get pointers right in my code:
>
> #include
> #include
> #include
> #include
>
> #define USE_BSD
> #include
> #include
> #include
>
> #include
> #include
> #include
>
> #define PORT 6137
>
> int main(int argc, char *argv[])
> {
>     int sockfd, n, clisize, ipsize, tcpsize, i;
>     struct sockaddr_in server, client;
>     char buf[65536], *payload;
>     struct tcphdr *tcp;
>     struct ip *iphdr;
>
>     if ((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT)) < 0)
>     {
>         perror("socket");
>         exit(1);
>     }
>     server.sin_family = PF_INET;
>     server.sin_port = htons(PORT);
>     server.sin_addr.s_addr = INADDR_ANY;
>     if (bind(sockfd, (struct sockaddr *)&server, sizeof(server)) < 0) {
>         perror("bind");
>         exit(1);
>     } exit(1);
>
>     while (1)
>     {
>         clisize = sizeof(client);
>         if ((n=recvfrom(sockfd, buf, sizeof(buf), 0, (struct sockaddr *)&client, &clisize))<0)
>         {
>             perror("recv");
>             exit(1);
>         }
>         iphdr = (struct ip *)buf;
>         if (iphdr->ip_p != IPPROTO_TCP)
>         {
>             if (sendto(sockfd, buf, n, 0, (struct sockaddr *)&client, clisize) != n)
>             {
>                 perror("send");
>                 exit(1);
>             }
>         }
>         tcp = (struct tcphdr *)(buf + (4*(iphdr->ip_hl)));
>         if (!(tcp->th_flags & TH_PUSH))
>         {
>             if (sendto(sockfd, buf, n, 0, (struct sockaddr *)&client, clisize) != n)
>             {
>                 perror("send");
>                 exit(1);
>             }
>             continue;
>         }
>
>         payload = (char *)(tcp + ((tcp->th_off)*4));
>         if (strstr(payload, "GET /etc/passwd"))
>             continue;
>
>         if (sendto(sockfd, buf, n, 0, (struct sockaddr *)&client, clisize) != n) {
>             perror("send");
>             exit(1);
>         }
>     }
> }
>
> Can someone tell me what I need to do?
>
> Attached is the C source file of the above code (for readability)
>
>
> --
> "So crucify the ego before it's far too late to leave behind this place so negative and blind and cynical and you will come to find that we are all one mind capable of all that's imagined and all conceivable."
> -- Tool - Reflection
> http://lattera.nosleep.info
> http://www.sf.net/projects/hidprox

-- 
"So crucify the ego before it's far too late to leave behind this place so negative and blind and cynical and you will come to find that we are all one mind capable of all that's imagined and all conceivable."
-- Tool - Reflection
http://lattera.nosleep.info
http://www.sf.net/projects/hidprox

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jan 21 05:26:13 2004
From: Marc Silver
To: freebsd-ipfw@freebsd.org
Date: Wed, 21 Jan 2004 13:26:10 +0000
Subject: dialup firewalling
Message-ID: <20040121132610.GX70495@draenor.org>

Hi guys and gals,

The short story: I wrote an article a while back about dialup firewalling with FreeBSD, and after an update was made to the article a few months back by another individual it's been slightly broken.
I am currently working on fixing this document and getting it more up to date, and was hoping to run the following ruleset past all of you. The problem is mostly that I no longer have a dialup connection to test this with, so I was hoping to ask opinions on whether or not the following rulebase would work:

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Divert all packets through the tunnel interface.
$fwcmd add divert natd all from any to any via tun0

# Allow all connections that we initiate, and keep their state,
# but deny established connections that don't have a dynamic rule.
$fwcmd add check-state
$fwcmd add allow ip from me to any keep-state
$fwcmd add deny tcp from any to any established

# Allow internet users to connect to the port 22 and 80 on my machine.
# This example specifically allows connections to the sshd and a
# webserver.
$fwcmd add allow tcp from any to me dst-port 22,80 setup keep-state

# Allow ICMP packets: remove type 8 if you don't want your host
# to be pingable.
$fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14

# Deny and log everything else.
$fwcmd add deny log ip from any to any

Now, if my knowledge of ipfw2 is correct, this should allow everything out, and should only allow port 22 and 80 in. It'll also allow ICMP. Simple enough, but am I correct in my assumptions?

Any help would be highly appreciated as I would like to correct the article as soon as possible.

Thanks again,
Marc

p.s. please reply to me as I am not subscribed to this list.
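As an added example (not part of the original post, and not ipfw's own code), the following Python model walks constructed packets through the ruleset Marc posted, in the posted order, to check the claim that everything outbound passes, only ports 22 and 80 accept new inbound connections, and the listed ICMP types are allowed. The addresses are made up, and the natd divert rule is left out because the model does no NAT.

```python
"""Toy model of the ipfw2 ruleset posted above, evaluated over constructed packets.

Added example, not code from the article or from ipfw itself.  It models only the
semantics the thread relies on: rule order, check-state/keep-state dynamic entries,
`setup` (SYN without ACK), `established` (ACK or RST set), `me`, `dst-port` and
`icmptypes`.  The natd divert rule is omitted because the model does no NAT, and
the addresses below are made up.
"""
from dataclasses import dataclass, field

ME = {"203.0.113.10"}   # constructed address of the dialup host, i.e. what `me` matches


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()    # for tcp: subset of {"SYN", "ACK", "RST"}
    icmptype: int = -1


@dataclass
class Firewall:
    dyn: set = field(default_factory=set)   # dynamic rules keyed on the 5-tuple

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def _matches_dynamic(self, p):
        # A dynamic rule matches traffic in both directions of the flow.
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        return self._key(p) in self.dyn or reverse in self.dyn

    def evaluate(self, p: Packet) -> str:
        """Return 'allow' or 'deny' for p, walking the rules in the order posted."""
        # $fwcmd add check-state
        if self._matches_dynamic(p):
            return "allow"
        # $fwcmd add allow ip from me to any keep-state
        if p.src in ME:
            self.dyn.add(self._key(p))
            return "allow"
        # $fwcmd add deny tcp from any to any established
        if p.proto == "tcp" and p.flags & {"ACK", "RST"}:
            return "deny"
        # $fwcmd add allow tcp from any to me dst-port 22,80 setup keep-state
        if (p.proto == "tcp" and p.dst in ME and p.dport in (22, 80)
                and "SYN" in p.flags and "ACK" not in p.flags):
            self.dyn.add(self._key(p))
            return "allow"
        # $fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14
        if p.proto == "icmp" and p.icmptype in (0, 3, 8, 11, 12, 13, 14):
            return "allow"
        # $fwcmd add deny log ip from any to any
        return "deny"


def run_scenarios() -> dict:
    """Push constructed packets through a fresh firewall, in order, and collect verdicts."""
    fw = Firewall()
    me, peer = "203.0.113.10", "198.51.100.7"
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    return {
        # a connection we initiate, and its reply riding the dynamic rule
        "out_syn_25": fw.evaluate(Packet("tcp", me, peer, 40000, 25, syn)),
        "in_synack_25": fw.evaluate(Packet("tcp", peer, me, 25, 40000, synack)),
        # an outbound DNS query and its reply
        "out_udp_53": fw.evaluate(Packet("udp", me, peer, 5353, 53)),
        "in_udp_53_reply": fw.evaluate(Packet("udp", peer, me, 53, 5353)),
        # inbound ssh: the SYN is allowed by the setup rule, later segments by state
        "in_syn_22": fw.evaluate(Packet("tcp", peer, me, 51000, 22, syn)),
        "in_ack_22": fw.evaluate(Packet("tcp", peer, me, 51000, 22, ack)),
        # inbound connection attempts to other ports
        "in_syn_25": fw.evaluate(Packet("tcp", peer, me, 51001, 25, syn)),
        "in_ack_443_no_state": fw.evaluate(Packet("tcp", peer, me, 51002, 443, ack)),
        # unsolicited inbound UDP never matches a dynamic rule
        "in_udp_unsolicited": fw.evaluate(Packet("udp", peer, me, 53, 6000)),
        # ICMP: echo and timestamp requests pass with the posted list, redirects do not
        "in_icmp_echo": fw.evaluate(Packet("icmp", peer, me, icmptype=8)),
        "in_icmp_timestamp": fw.evaluate(Packet("icmp", peer, me, icmptype=13)),
        "in_icmp_redirect": fw.evaluate(Packet("icmp", peer, me, icmptype=5)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24} {verdict}")
```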
From owner-freebsd-ipfw@FreeBSD.ORG Wed Jan 21 06:30:59 2004
From: Tony Frank
To: Marc Silver
cc: freebsd-ipfw@freebsd.org
Date: Thu, 22 Jan 2004 01:30:48 +1100
Subject: Re: dialup firewalling
Message-ID: <20040121143048.GA62883@marvin.home.local>

Hi Marc,

On Wed, Jan 21, 2004 at 01:26:10PM +0000, Marc Silver wrote:
> # Force a flushing of the current rules before we reload.
> $fwcmd -f flush
>
> # Divert all packets through the tunnel interface.
> $fwcmd add divert natd all from any to any via tun0

For dialup using user-ppp I prefer to use the ppp built-in nat functionality.

You also probably want some rules upfront for loopback, although the 'me to any' likely covers it:

From /etc/rc.firewall:

${fwcmd} add 100 allow all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

> # Allow all connections that we initiate, and keep their state,
> # but deny established connections that don't have a dynamic rule.
> $fwcmd add check-state
> $fwcmd add allow ip from me to any keep-state
> $fwcmd add deny tcp from any to any established

> # Allow internet users to connect to the port 22 and 80 on my machine.
> # This example specifically allows connections to the sshd and a
> # webserver.
> $fwcmd add allow tcp from any to me dst-port 22,80 setup keep-state

Looks ok.

> # Allow ICMP packets: remove type 8 if you don't want your host
> # to be pingable.
> $fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14

I personally have never seen a use for 13 & 14 (timestamp) so would block these also.
Hope it helps, Tony From owner-freebsd-ipfw@FreeBSD.ORG Wed Jan 21 07:26:58 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 62B8716A4CE for ; Wed, 21 Jan 2004 07:26:58 -0800 (PST) Received: from mailhost.wsf.at (server202.serveroffice.com [217.196.72.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6F53F43D41 for ; Wed, 21 Jan 2004 07:26:54 -0800 (PST) (envelope-from tw@wsf.at) Received: from mailhost.wsf.at (root@localhost)i0LFNihm022368 for ; Wed, 21 Jan 2004 16:23:44 +0100 (CET) (envelope-from tw@wsf.at) Received: from mailhost.wsf.at (http.wsf.at [217.196.72.203]) i0LFNh68022360; Wed, 21 Jan 2004 16:23:43 +0100 (CET) (envelope-from tw@wsf.at) Date: Wed, 21 Jan 2004 15:23:43 -0000 To: Marc Silver , freebsd-ipfw@freebsd.org From: Thomas Wolf X-Mailer: twiggi 1.10.3 Message-ID: <20040121162343.45gqrbzfytkwc@.mailhost.wsf.at> MIME-Version: 1.0 Content-Disposition: inline Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: Re: dialup firewalling X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: tw@wsf.at List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Jan 2004 15:26:58 -0000 Marc Silver schrieb: > Hi guys and gals, > > The short story: I wrote an article a while back about dialup > firewalling with FreeBSD, and after an update was made to the article a > few months back by another individual it's been slightly broken. > > I am currently working on fixing this document and get it more up to > date, and was hoping to run the following ruleset past all of you. The > problem is mostly that I no longer have a dialup connection to test with > this, so I was hoping to ask opinions on whether or not the following > rulebase would work: > > # Force a flushing of the current rules before we reload. 
> $fwcmd -f flush > > # Divert all packets through the tunnel interface. > $fwcmd add divert natd all from any to any via tun0 > > # Allow all connections that we initiate, and keep their state, > # but deny established connections that don't have a dynamic rule. > $fwcmd add check-state > $fwcmd add allow ip from me to any keep-state > $fwcmd add deny tcp from any to any established > > # Allow internet users to connect to the port 22 and 80 on my machine. > # This example specifically allows connections to the sshd and a > # webserver. > $fwcmd add allow tcp from any to me dst-port 22,80 setup keep-state > > # Allow ICMP packets: remove type 8 if you don't want your host > # to be pingable. > $fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14 > > # Deny and log everything else. > $fwcmd add deny log ip from any to any > > Now, if my knowledge of ipfw2 is correct, this should allow everything > out, and should only allow port 22 and 80 in. It'll also allow ICMP. > Simple enough, but am I correct in my assumptions? No, it will not work. keep-state rules and natd are difficult to handle. In your setup, traffic from a box in your lan ($lanclientip) with a destination on the internet ($targetip), going via your gateway ($gatewayip) will be handled like this: original packet: $lanclientip -> $targetip on leaving the gateway, packets are going through the divert rule, now the packet has $gatewayip -> $targetip. The keep-state rule now creates a temporary rule for '$gatewayip <-> $targetip' and allows the packet out. The response from $targetip gets 'natted first so when it reaches the check-state rule, it already has $targetip -> $lanclientip and will not match the temporary rule. Thomas -- Thomas Wolf Wiener Software Fabrik Dubas u. 
Wolf GMBH 1050 Wien, Mittersteig 4 From owner-freebsd-ipfw@FreeBSD.ORG Wed Jan 21 10:52:51 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 730A716A4CE for ; Wed, 21 Jan 2004 10:52:51 -0800 (PST) Received: from riffraff.plig.net (riffraff.plig.net [195.40.6.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8C66243D55 for ; Wed, 21 Jan 2004 10:52:35 -0800 (PST) (envelope-from marcs@draenor.org) Received: by riffraff.plig.net (Postfix, from userid 3010) id A94BEFA3E6; Wed, 21 Jan 2004 18:52:34 +0000 (GMT) Date: Wed, 21 Jan 2004 18:52:34 +0000 From: Marc Silver To: Thomas Wolf Message-ID: <20040121185234.GE70495@draenor.org> References: <20040121162343.45gqrbzfytkwc@.mailhost.wsf.at> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20040121162343.45gqrbzfytkwc@.mailhost.wsf.at> User-Agent: Mutt/1.4.1i cc: freebsd-ipfw@freebsd.org Subject: Re: dialup firewalling X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Jan 2004 18:52:51 -0000 Hi guys, Thanks very much. You have all been fantastic, and a great help to me. I've revised the document to use PPP NAT, and amended the ruleset as below: # Define the firewall command (as in /etc/rc.firewall) for easy # reference. Helps to make it easier to read. fwcmd="/sbin/ipfw" # Define our outside interface. With userland-ppp this # defaults to tun0. oif="tun0" # Force a flushing of the current rules before we reload. $fwcmd -f flush # Allow all connections that we initiate, and keep their state, # but deny established connections that don't have a dynamic rule. 
$fwcmd add check-state $fwcmd add allow ip from me to any out via $oif keep-state $fwcmd add deny tcp from any to any established in via $oif # Allow internet users to connect to the port 22 and 80. # This example specifically allows connections to the sshd and a # webserver. $fwcmd add allow tcp from any to me dst-port 22,80 in via $oif setup keep-state # Allow ICMP packets: remove type 8 if you don't want your host # to be pingable. $fwcmd add allow icmp from any to any via $oif icmptypes 0,3,8,11,12 # Deny and log all the rest. $fwcmd add deny log ip from any to any Does this ruleset look more correct and will it definitely work with PPP's NAT? Once again, thank you all very much and I look forward to your replies. Cheers, Marc On Wed, Jan 21, 2004 at 03:23:43PM -0000, Thomas Wolf wrote: > > Marc Silver schrieb: > > > Hi guys and gals, > > > > The short story: I wrote an article a while back about dialup > > firewalling with FreeBSD, and after an update was made to the article a > > few months back by another individual it's been slightly broken. > > > > I am currently working on fixing this document and get it more up to > > date, and was hoping to run the following ruleset past all of you. The > > problem is mostly that I no longer have a dialup connection to test with > > this, so I was hoping to ask opinions on whether or not the following > > rulebase would work: > > > > # Force a flushing of the current rules before we reload. > > $fwcmd -f flush > > > > # Divert all packets through the tunnel interface. > > $fwcmd add divert natd all from any to any via tun0 > > > > # Allow all connections that we initiate, and keep their state, > > # but deny established connections that don't have a dynamic rule. > > $fwcmd add check-state > > $fwcmd add allow ip from me to any keep-state > > $fwcmd add deny tcp from any to any established > > > > # Allow internet users to connect to the port 22 and 80 on my machine. 
> > # This example specifically allows connections to the sshd and a > > # webserver. > > $fwcmd add allow tcp from any to me dst-port 22,80 setup keep-state > > > > # Allow ICMP packets: remove type 8 if you don't want your host > > # to be pingable. > > $fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14 > > > > # Deny and log everything else. > > $fwcmd add deny log ip from any to any > > > > Now, if my knowledge of ipfw2 is correct, this should allow everything > > out, and should only allow port 22 and 80 in. It'll also allow ICMP. > > Simple enough, but am I correct in my assumptions? > > No, it will not work. keep-state rules and natd are difficult to handle. > In your setup, traffic from a box in your lan ($lanclientip) with a > destination on the internet ($targetip), going via your gateway > ($gatewayip) will be handled like this: > > original packet: $lanclientip -> $targetip > > on leaving the gateway, packets are going through the divert rule, > now the packet has $gatewayip -> $targetip. The keep-state rule > now creates a temporary rule for '$gatewayip <-> $targetip' and allows > the packet out. > > The response from $targetip gets 'natted first so when it reaches > the check-state rule, it already has $targetip -> $lanclientip and > will not match the temporary rule. > > Thomas > > -- > Thomas Wolf > Wiener Software Fabrik > Dubas u. Wolf GMBH > 1050 Wien, Mittersteig 4 -- Success is never final. Failure is never fatal. It is courage that counts. 
-- Winston Churchill

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jan 21 20:15:22 2004
From: Ganbold
To: freebsd-ipfw@freebsd.org
Cc: freebsd-hackers@freebsd.org, rizzo@icir.org
Date: Thu, 22 Jan 2004 12:19:17 +0800
Subject: Bandwidth limiting for eMule ports
Message-Id: <6.0.1.1.2.20040122120552.0293bd20@202.179.0.80>

Hi,

I'm still having trouble limiting bandwidth for emule ports using dummynet features.
I'm using a FreeBSD 5.2-current machine for the firewall. It has 2 Intel Pro 100 cards and it is configured as a bridge.

I'm doing bandwidth limiting in the following way:

# eMule
${fwcmd} pipe 59 config bw 256kbit/s
${fwcmd} pipe 60 config bw 256kbit/s
${fwcmd} pipe 61 config bw 128kbit/s
${fwcmd} add 80 pipe 59 ip from 202.179.x.x/19 to any 2323,4242,4243,4661-4672,7700-7800
${fwcmd} add 81 pipe 60 ip from any 2323,4242,4243,4661-4672,7700-7800 to 202.179.x.x/19
${fwcmd} add 82 pipe 61 ip from any to 202.179.x.x/19 2323,4242,4243,4661-4672,7700-7800

Am I doing right? For what NIC should I implement filtering, outside or inside interface?
When I see MRTG graphs for ipfw it still shows more bandwidth than it is supposed to :(

I really hope somebody in this list can point me in the right direction.

thanks in advance,

Ganbold

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jan 21 20:43:01 2004
From: "Daniel O'Connor"
To: Ganbold, freebsd-ipfw@freebsd.org
Cc: freebsd-hackers@freebsd.org
Date: Thu, 22 Jan 2004 15:12:49 +1030
Subject: Re: Bandwidth limiting for eMule ports
Message-Id: <200401221512.49260.doconnor@gsoft.com.au>
In-Reply-To: <6.0.1.1.2.20040122120552.0293bd20@202.179.0.80>

On Thursday 22 January 2004 14:49, Ganbold wrote:
> Am I doing right? For what NIC should I implement filtering, outside or
> inside interface?
> When I see MRTG graphs for ipfw it still shows more bandwidth than it
> is supposed to :(

A few points..
- The nic is not really relevant except as a way of selecting packets more accurately.
- Incoming packets (from the outside world to you) are more difficult to limit because the other end sends them and the gateway can only do the limiting after they are already received. That said it DOES work but it tends to lag behind reality a little.

I use dummynet to limit TCP traffic when playing games and I use the following rules..

ipfw pipe 1 config bw 1kbyte/sec queue 10kbytes
ipfw pipe 2 config bw 5kbyte/sec queue 10kbytes
...
ipfw add 01900 pipe 1 tcp from any to any out xmit tun0
ipfw add 02000 pipe 2 tcp from any to any in recv tun0
...

ie I limit incoming (downloads) to 5k/sec and outgoing (uploads) to 1k/sec.
I use in/out because I only want to limit packets across my tun0 (PPPoE) interface.

Hope that helps.

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there are so many of them to choose from."
-- Andrew Tanenbaum
GPG Fingerprint - 9A8C 569F 685A D928 5140 AE4B 319B 41F4 5D17 FDD5

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jan 21 21:43:05 2004
From: Matthew Dillon
To: Ganbold
Cc: freebsd-ipfw@freebsd.org, rizzo@icir.org, freebsd-hackers@freebsd.org
Date: Wed, 21 Jan 2004 21:43:02 -0800 (PST)
Subject: Re: Bandwidth limiting for eMule ports
Message-Id: <200401220543.i0M5h2dv018422@apollo.backplane.com>
In-Reply-To: <6.0.1.1.2.20040122120552.0293bd20@202.179.0.80>

:Hi,
:
:I'm still having trouble limiting bandwidth for emule ports using dummynet
:features.
:I'm using a FreeBSD 5.2-current machine for the firewall. It has 2 Intel Pro 100
:cards and it is configured as a bridge.
:
:I'm doing bandwidth limiting in the following way:
:
:# eMule
:${fwcmd} pipe 59 config bw 256kbit/s
:${fwcmd} pipe 60 config bw 256kbit/s
:${fwcmd} pipe 61 config bw 128kbit/s

The ipfw pipe command is *EXTREMELY* sensitive to case and capitalization. It only looks at the first few characters.

Try 256Kbit/s instead of 256kbit/s. See the difference?

256kb... -> not recognized properly
256Kb... -> bits per second
256KB... -> bytes per second.

I've always been annoyed by that. I think I'll go fix it in DFly.

-Matt

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jan 21 21:46:49 2004
From: Matthew Dillon
To: "Daniel O'Connor"
Cc: freebsd-ipfw@freebsd.org, Ganbold, freebsd-hackers@freebsd.org
Date: Wed, 21 Jan 2004 21:46:46 -0800 (PST)
Subject: Re: Bandwidth limiting for eMule ports
Message-Id: <200401220546.i0M5kkPf018458@apollo.backplane.com>
In-Reply-To: <200401221512.49260.doconnor@gsoft.com.au>

Oops... sorry, I gave bad advice. I'm looking at the code. It recognizes 'K' or 'k' so your specification was right. It's the 'b' versus 'B' that it's sensitive to, so if you say: kbytes/sec it will think it's kbits/sec, and if you say kBits/sec it will think it's kBytes/sec.

One thing I have noticed, however, is that the ipfw pipes seem rather sensitive to configuration changes, especially if there are packets already in the pipe. I've never been able to pin it down.

-Matt

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jan 21 21:51:00 2004
From: "Daniel O'Connor"
To: Matthew Dillon
Cc: freebsd-ipfw@freebsd.org, Ganbold, freebsd-hackers@freebsd.org
Date: Thu, 22 Jan 2004 16:20:46 +1030
Subject: Re: Bandwidth limiting for eMule ports
Message-Id: <200401221620.46740.doconnor@gsoft.com.au>
In-Reply-To: <200401220546.i0M5kkPf018458@apollo.backplane.com>

On Thursday 22 January 2004 16:16, Matthew Dillon wrote:
> Oops... sorry, I gave bad advice. I'm looking at the code. It
> recognizes 'K' or 'k' so your specification was right. It's the 'b' versus
> 'B' that it's sensitive to, so if you say: kbytes/sec it will think it's
> kbits/sec, and if you say kBits/sec it will think it's kBytes/sec.

eww :(

> One thing I have noticed, however, is that the ipfw pipes seem rather
> sensitive to configuration changes, especially if there are packets
> already in the pipe. I've never been able to pin it down.

Yeah, I found some hangs in situations like that (which I believe are fixed now) so I turn the limits on and off by adding/removing the firewall rules rather than reconfiguring the pipes.

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there are so many of them to choose from."
-- Andrew Tanenbaum GPG Fingerprint - 9A8C 569F 685A D928 5140 AE4B 319B 41F4 5D17 FDD5 From owner-freebsd-ipfw@FreeBSD.ORG Wed Jan 21 21:51:32 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5E3F516A4CE; Wed, 21 Jan 2004 21:51:32 -0800 (PST) Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5EB5A43D1D; Wed, 21 Jan 2004 21:51:31 -0800 (PST) (envelope-from dillon@apollo.backplane.com) Received: from apollo.backplane.com (localhost [127.0.0.1]) i0M5pV82018500; Wed, 21 Jan 2004 21:51:31 -0800 (PST) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.12.9p2/8.12.9/Submit) id i0M5pUdE018499; Wed, 21 Jan 2004 21:51:30 -0800 (PST) (envelope-from dillon) Date: Wed, 21 Jan 2004 21:51:30 -0800 (PST) From: Matthew Dillon Message-Id: <200401220551.i0M5pUdE018499@apollo.backplane.com> To: "Daniel O'Connor" , freebsd-ipfw@freebsd.org, Ganbold , freebsd-hackers@freebsd.org References: <6.0.1.1.2.20040122120552.0293bd20@202.179.0.80> <200401220546.i0M5kkPf018458@apollo.backplane.com> Subject: Re: Bandwidth limiting for eMule ports X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Jan 2004 05:51:32 -0000 : : : Oops... sorry, I gave bad advise. I'm looking at the code. It recognizes : 'K' or 'k' so your specification was right. It's the 'b' verses 'B' that : it's sensitive to, so if you say: kbytes/sec it will think it's kbits/sec, : and if you say kBits/sec it will think it's kBytes/sec. : : One thing I have noticed, however, is that the ipfw pipes seem rather : sensitive to configuration changes, especially if there are packets : already in the pipe. 
I've never been able to pin it down. : : -Matt Cripes, wrong again. Batting 0 tonight! It does understand 'by', so it will do 'kbytes' or 'kBytes' or 'KBytes' properly. It doesn't understand 'KBits'.... it will think 'KBits' are actually KBytes. It also has no clue about MBits... it will think that means MBytes. The code is aweful. I think I'm going to rewrite it for DFly. -Matt From owner-freebsd-ipfw@FreeBSD.ORG Wed Jan 21 23:40:13 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C461016A4CE; Wed, 21 Jan 2004 23:40:13 -0800 (PST) Received: from transport.cksoft.de (transport.cksoft.de [62.111.66.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id 84A0D43D3F; Wed, 21 Jan 2004 23:40:12 -0800 (PST) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from transport.cksoft.de (localhost [127.0.0.1]) by transport.cksoft.de (Postfix) with ESMTP id 789271FF90C; Thu, 22 Jan 2004 08:40:08 +0100 (CET) Received: by transport.cksoft.de (Postfix, from userid 66) id DE9CC1FF931; Thu, 22 Jan 2004 08:40:06 +0100 (CET) Received: by mail.int.zabbadoz.net (Postfix, from userid 1060) id 9B968154EA; Thu, 22 Jan 2004 07:37:08 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.int.zabbadoz.net (Postfix) with ESMTP id 91326153AA; Thu, 22 Jan 2004 07:37:08 +0000 (UTC) Date: Thu, 22 Jan 2004 07:37:08 +0000 (UTC) From: "Bjoern A. 
Zeeb" X-X-Sender: bz@e0-0.zab2.int.zabbadoz.net To: stable@freebsd.org, ipfw@freebsd.org Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Virus-Scanned: by AMaViS cksoft-s20020300-20031204bz on transport.cksoft.de Subject: Need committer for missing MfC X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Jan 2004 07:40:13 -0000 Hi, can someone please MfC this: http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_fw2.c.diff?r1=1.50&r2=1.51&f=h TIA -- Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT 56 69 73 69 74 http://www.zabbadoz.net/ From owner-freebsd-ipfw@FreeBSD.ORG Thu Jan 22 00:33:26 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8051916A4CE for ; Thu, 22 Jan 2004 00:33:26 -0800 (PST) Received: from mailhost.wsf.at (server202.serveroffice.com [217.196.72.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id 491D443D4C for ; Thu, 22 Jan 2004 00:33:24 -0800 (PST) (envelope-from tw@wsf.at) Received: from mailhost.wsf.at (root@localhost)i0M8UFt4046864 for ; Thu, 22 Jan 2004 09:30:15 +0100 (CET) (envelope-from tw@wsf.at) Received: from mailhost.wsf.at (http.wsf.at [217.196.72.203]) i0M8UE68046856; Thu, 22 Jan 2004 09:30:14 +0100 (CET) (envelope-from tw@wsf.at) Date: Thu, 22 Jan 2004 08:30:14 -0000 To: Marc Silver , Thomas Wolf From: Thomas Wolf X-Mailer: twiggi 1.10.3 Message-ID: <20040122093014.1hbffi6ifnoks@.mailhost.wsf.at> MIME-Version: 1.0 Content-Disposition: inline Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit cc: freebsd-ipfw@freebsd.org Subject: Re: dialup firewalling X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: tw@wsf.at List-Id: IPFW Technical Discussions List-Unsubscribe: , 
List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Jan 2004 08:33:26 -0000 Marc Silver schrieb: > Hi guys, > > Thanks very much. You have all been fantastic, and a great help to me. > I've revised the document to use PPP NAT, and amended the ruleset as > below: > > # Define the firewall command (as in /etc/rc.firewall) for easy > # reference. Helps to make it easier to read. > fwcmd="/sbin/ipfw" > > # Define our outside interface. With userland-ppp this > # defaults to tun0. > oif="tun0" Assuming that you are building a gateway for your lan, you will need some rules for your internal interface too, so: iif="fxp0" # whatever your internal if is ... > > # Force a flushing of the current rules before we reload. > $fwcmd -f flush > > # Allow all connections that we initiate, and keep their state, > # but deny established connections that don't have a dynamic rule. > $fwcmd add check-state Suggestion - Stop spoofing on your outside interface: $fwcmd add deny ip from any to any in via $oif not verrevpath > $fwcmd add allow ip from me to any out via $oif keep-state > $fwcmd add deny tcp from any to any established in via $oif > Somewhere, you have to allow the traffic lan -> wan to enter your gateway: $fwcmd add allow ip from any to not me in via $iif (if you allow your lan to access all services on your gateway, you could also do: $fwcmd add allow ip from any to any via $iif) allowing traffic via lo0 as Tony suggested is also a good idea.. $fwcmd add allow all from any to any via lo0 $fwcmd add deny all from any to 127.0.0.0/8 $fwcmd add deny ip from 127.0.0.0/8 to any > # Allow internet users to connect to the port 22 and 80. > # This example specifically allows connections to the sshd and a > # webserver. 
> $fwcmd add allow tcp from any to me dst-port 22,80 in via $oif setup keep-state If you do not have the 'any to any via $iif' - rule, you should specify the services on the gateway allowed for the lan: $fwcmd add allow tcp from any to me dst-port 22,80 in via $iif setup keep-state > > # Allow ICMP packets: remove type 8 if you don't want your host > # to be pingable. > $fwcmd add allow icmp from any to any via $oif icmptypes 0,3,8,11,12 > > # Deny and log all the rest. > $fwcmd add deny log ip from any to any Personally, I prefer to 'reset' or 'unreach' instead of 'deny' but that's a matter of personal taste. I suggest to reset at least incoming packets to port 113, avoiding delays when accessing your mailserver. Thomas -- Thomas Wolf Wiener Software Fabrik Dubas u. Wolf GMBH 1050 Wien, Mittersteig 4 From owner-freebsd-ipfw@FreeBSD.ORG Thu Jan 22 00:50:51 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EEBA016A4DE; Thu, 22 Jan 2004 00:50:51 -0800 (PST) Received: from relay.macomnet.ru (relay.macomnet.ru [195.128.64.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id BD25343D45; Thu, 22 Jan 2004 00:50:49 -0800 (PST) (envelope-from maxim@macomnet.ru) Received: from news1.macomnet.ru (5zjeeau2@news1.macomnet.ru [195.128.64.14]) by relay.macomnet.ru (8.12.10/8.12.10) with ESMTP id i0M8omo24142854; Thu, 22 Jan 2004 11:50:48 +0300 (MSK) Date: Thu, 22 Jan 2004 11:50:48 +0300 (MSK) From: Maxim Konovalov To: "Bjoern A. 
Zeeb" In-Reply-To: Message-ID: <20040122115036.U44024@news1.macomnet.ru> References: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: stable@freebsd.org cc: ipfw@freebsd.org Subject: Re: Need committer for missing MfC X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Jan 2004 08:50:52 -0000 On Thu, 22 Jan 2004, 07:37-0000, Bjoern A. Zeeb wrote: > Hi, > > can someone please MfC this: > > http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_fw2.c.diff?r1=1.50&r2=1.51&f=h Done. -- Maxim Konovalov, maxim@macomnet.ru, maxim@FreeBSD.org From owner-freebsd-ipfw@FreeBSD.ORG Thu Jan 22 02:31:48 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DE1B516A4CE for ; Thu, 22 Jan 2004 02:31:48 -0800 (PST) Received: from mx1.subnetmask.net (mx1.subnetmask.net [207.44.145.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id F0B5543D2D for ; Thu, 22 Jan 2004 02:31:44 -0800 (PST) (envelope-from mcgehrin@reverse.net) Received: from localhost (mx1.subnetmask.net [207.44.145.31]) by mx1.subnetmask.net (Postfix) with ESMTP id 58F31F3966 for ; Thu, 22 Jan 2004 05:31:39 -0500 (EST) Received: by localhost (Postfix, from userid 1012) id 59C91648B; Thu, 22 Jan 2004 05:31:39 -0500 (EST) Received: from orange (unknown [192.168.0.175]) by localhost (Postfix) with SMTP id 9C1635B36 for ; Thu, 22 Jan 2004 05:31:36 -0500 (EST) Message-ID: <001201c3e0d2$e9877af0$af00a8c0@orange> From: "Matthew McGehrin" To: Date: Thu, 22 Jan 2004 05:31:36 -0500 MIME-Version: 1.0 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) X-Spam-Status: No, hits=-3.9 required=4.0 
	tests=BAYES_00,HTML_MESSAGE autolearn=ham version=2.63
X-Spam-Level:
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.1
Subject: Static rules (Stateless) versus Dynamic (Stateful) Rulesets in IPFW
X-List-Received-Date: Thu, 22 Jan 2004 10:31:49 -0000

It seems to be a recent trend in which firewall authors are using dynamic
rulesets for their firewall code. It's been my experience that dynamic rules
work in low to medium load situations (less than 1024 active TCP/IP
connections), but beyond this limit, static rules are the way to go.

For example, I run an irc shell company. I maintain multiple boxes that have
1500+ active TCP/IP connections. My upstream provides basic DoS filtering,
but it's my responsibility to protect my machines.

I use the following ruleset:

00001 allow ip from any to any via lo0

# pipes
00010 pipe 10 tcp from 1.2.3.0/24 6660-9999,4400 to any out
00012 pipe 10 tcp from 1.2.3.0/24 to any 6660-9999,4400 out
00014 pipe 10 tcp from 1.2.3.0/24 to any 53,80,113,1080 out
00020 pipe 10 ip from 1.2.3.3 to any out
00022 pipe 10 udp from 1.2.3.0/24 to any out
00024 pipe 10 icmp from 1.2.3.0/24 to any out
00050 pipe 50 ip from 1.2.3.0/24 to any out

ipfw pipe 10 config bw 115k queue 8k mask dst-ip 0xff000000
ipfw pipe 50 config bw 256k queue 8k mask dst-ip 0xff000000

# split protocol
00100 skipto 2000 tcp from any to any
00200 skipto 4000 udp from any to any
00300 skipto 6000 icmp from any to any

# tcp
02000 allow tcp from any to any established
02100 allow tcp from any to any 1024-65535,25,80,81,443 setup
02200 allow tcp from any to any 20-21,22,43,53,110,113 setup
02300 allow tcp from any to any 23,873 out setup
02400 deny tcp from any to any

# udp
04000 allow udp from any to any 50-53,123
04100 allow udp from any to any 1024-65535
04200 deny udp from any to any

# icmp
06000 allow icmp from any to any in icmptype 0,3,4,11,12
06100 allow icmp from any to any out icmptype 3,4,8
06200 deny icmp from any to any

# default
65535 deny ip from any to any

In this situation, using a 'dynamic ruleset' brings the box to a crawl.
However, a static ruleset works with very little cpu overhead.
Thanks
--
Matthew

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jan 22 04:51:37 2004
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CCD7F16A4CE for ; Thu, 22 Jan 2004 04:51:37 -0800 (PST)
Received: from jawa.at (jawa.at [213.229.17.146]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7E10143D31 for ; Thu, 22 Jan 2004 04:51:35 -0800 (PST) (envelope-from mranner@jawa.at)
Received: from mike.jawa.at (mike.jawa.at [192.168.200.51]) by jawa.at (8.12.9p2/8.12.8) with ESMTP id i0MCpVcj074794; Thu, 22 Jan 2004 13:51:32 +0100 (CET) (envelope-from mranner@jawa.at)
From: Michael Ranner
To: Ganbold
Date: Thu, 22 Jan 2004 13:51:27 +0100
User-Agent: KMail/1.5
References: <6.0.1.1.2.20040122120552.0293bd20@202.179.0.80>
In-Reply-To: <6.0.1.1.2.20040122120552.0293bd20@202.179.0.80>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200401221351.27862.mranner@jawa.at>
X-Virus-Scanned: by amavisd-new
cc: freebsd-ipfw@freebsd.org
Subject: Re: Bandwidth limiting for eMule ports
X-List-Received-Date: Thu, 22 Jan 2004 12:51:37 -0000

On Thursday, 22 January 2004 05:19, Ganbold wrote:
> Hi,
>
> I'm still having trouble limiting bandwidth for emule ports using dummynet
> features.
> I'm using a FreeBSD 5.2-current machine as a firewall. It has 2 Intel pro 100
> cards and it is configured as a bridge.
>
> I'm doing bandwidth limiting in the following way:
>
> # eMule
> ${fwcmd} pipe 59 config bw 256kbit/s
> ${fwcmd} pipe 60 config bw 256kbit/s
> ${fwcmd} pipe 61 config bw 128kbit/s
>
> ${fwcmd} add 80 pipe 59 ip from 202.179.x.x/19 to any 2323,4242,4243,4661-4672,7700-7800
> ${fwcmd} add 81 pipe 60 ip from any 2323,4242,4243,4661-4672,7700-7800 to 202.179.x.x/19
> ${fwcmd} add 82 pipe 61 ip from any to 202.179.x.x/19 2323,4242,4243,4661-4672,7700-7800

Because eMule and BitTorrent seem to use almost any midrange port greater than
1024, I use the following rules to limit the bandwidth for such tools for a
single machine very effectively:

#${fwcmd} add count all from any to any via ${oif}
${fwcmd} add pipe 3 tcp from ${lupo} to any 1024-32768 via ${iif}
${fwcmd} add pipe 4 tcp from any 1024-32768 to ${lupo} via ${iif}
${fwcmd} pipe 3 config bw 64Kbit/s queue 10Kbytes
${fwcmd} pipe 4 config bw 160Kbit/s queue 30Kbytes

--
/\/\ichael Ranner
mranner@jawa.at - mranner@bitonline.cc - webmaster@mariazell.at
----------------------------------------------------------------------
JAWA Management Software GmbH - http://www.jawa.at/
Liebenauer Hauptstrasse 2oo - A-8041 Graz
Tel +43 316 403274 21 - Fax +43 316 403274 10
----------------------------------------------------------------------
Mariazell Online - http://www.mariazell.at/
----------------------------------------------------------------------

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jan 23 21:02:00 2004
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AD2F516A4CE for ; Fri, 23 Jan 2004 21:02:00 -0800 (PST)
Received: from hotmail.com (bay4-f18.bay4.hotmail.com [65.54.171.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2D59143D53 for ; Fri, 23 Jan 2004 21:01:58 -0800 (PST) (envelope-from konn_@msn.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Fri, 23 Jan 2004 21:01:58 -0800
Received: from 64.86.34.6 by by4fd.bay4.hotmail.msn.com with HTTP; Sat, 24 Jan 2004 05:01:56 GMT
X-Originating-IP: [64.86.34.6]
X-Originating-Email: [konn_@msn.com]
X-Sender: konn_@msn.com
From: "Umar Draz"
To: freebsd-ipfw@freebsd.org
Date: Sat, 24 Jan 2004 05:01:56 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 24 Jan 2004 05:01:58.0126 (UTC) FILETIME=[31B0E0E0:01C3E237]
Subject: IPFW (Beginner)
X-List-Received-Date: Sat, 24 Jan 2004 05:02:00 -0000

Hi, I am a new user of FreeBSD. I have a Linux 7.3 server with a DSL
connection. On Linux 7.3 I have configured Squid as a transparent proxy, and
Linux 7.3 is also running as a gateway. I have used these commands to
configure the transparent proxy for my users:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 202.147.x.x

Now it's running fine. Everything is fine. My clients just add my Linux 7.3
machine's IP as their gateway and DNS (and access the internet).

Now I want to replace Linux 7.3 with FreeBSD 4.8. There is no iptables in
FreeBSD; there is ipfw. Please tell me how I can configure my FreeBSD machine
so that it can work as a gateway and also run Squid as a transparent proxy.

Thanks and regards,
Umar Draz
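Returning to Matthew McGehrin's static ruleset earlier in this digest: the walker below is an added example, not code from his post or from ipfw, and it reproduces ipfw's first-match evaluation (with skipto) over the tcp section of that ruleset, leaving out the pipe, udp and icmp rules. It makes visible what a stateless 'established' rule does: a constructed ACK-only packet to port 22 is accepted by rule 02000 on its flag bits alone, because no connection table is consulted, which is exactly the check a keep-state ruleset would have made. The packets fed to check() are assumptions constructed here, not traffic from the post.

```python
# Walks the tcp section of the stateless ruleset quoted above the way ipfw does:
# first match wins, 'skipto' jumps forward. Added example, not the poster's code.
RULES = """00100 skipto 2000 tcp from any to any
02000 allow tcp from any to any established
02100 allow tcp from any to any 1024-65535,25,80,81,443 setup
02200 allow tcp from any to any 20-21,22,43,53,110,113 setup
02300 allow tcp from any to any 23,873 out setup
02400 deny tcp from any to any
65535 deny ip from any to any""".splitlines()
def parse(line):
    # Only the keywords these rules use: proto, 'from any to any', dst ports, in/out, established, setup.
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "dports": None, "dir": None, "flags": set()}
    if t[1] == "skipto":
        r["target"] = int(t.pop(2))
    r["proto"] = t[2]
    assert t[3:7] == ["from", "any", "to", "any"], line
    for opt in t[7:]:
        if opt[0].isdigit():   # '1024-65535,25' -> [(1024, 65535), (25, 25)]
            r["dports"] = [(int(p.split("-")[0]), int(p.split("-")[-1])) for p in opt.split(",")]
        elif opt in ("in", "out"):
            r["dir"] = opt
        else:
            r["flags"].add(opt)
    return r

def matches(r, pkt):
    f = pkt["flags"]
    return bool(r["proto"] in ("ip", pkt["proto"]) and r["dir"] in (None, pkt["dir"])
        and (r["dports"] is None or any(lo <= pkt["dport"] <= hi for lo, hi in r["dports"]))
        # 'established' tests only the ACK/RST bits; no connection table is consulted
        and ("established" not in r["flags"] or f & {"ACK", "RST"})
        and ("setup" not in r["flags"] or ("SYN" in f and "ACK" not in f)))   # SYN, no ACK

def walk(rules, pkt):
    """Return (rule number, action) of the first terminal match; 65535 deny otherwise."""
    i = 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt):
            i += 1
        elif r["action"] == "skipto":   # continue at the first rule numbered >= target
            i = next(k for k, x in enumerate(rules) if x["num"] >= r["target"])
        else:
            return r["num"], r["action"]
    return 65535, "deny"
RULESET = [parse(l) for l in RULES]
def check(dport, direction, flags):
    # Constructed TCP packet with only the fields these rules test (not traffic from the post).
    return walk(RULESET, {"proto": "tcp", "dport": dport, "dir": direction, "flags": set(flags)})
```

check(22, "in", {"ACK"}) returns (2000, "allow") while check(22, "in", {"SYN"}) has to pass rule 02200's port list first; the difference is the whole state question Matthew's post weighs against CPU cost.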