From owner-freebsd-ipfw@FreeBSD.ORG  Sun Apr  4 04:03:52 2004
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 5EA3516A4CF; Sun,  4 Apr 2004 04:03:52 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 3D8A443D2D; Sun,  4 Apr 2004 04:03:52 -0700 (PDT)
	(envelope-from maxim@FreeBSD.org)
Received: from freefall.freebsd.org (maxim@localhost [127.0.0.1])
	i34B3qbv063728;	Sun, 4 Apr 2004 04:03:52 -0700 (PDT)
	(envelope-from maxim@freefall.freebsd.org)
Received: (from maxim@localhost)
	by freefall.freebsd.org (8.12.10/8.12.10/Submit) id i34B3q34063724;
	Sun, 4 Apr 2004 04:03:52 -0700 (PDT)
	(envelope-from maxim)
Date: Sun, 4 Apr 2004 04:03:52 -0700 (PDT)
From: Maxim Konovalov <maxim@FreeBSD.org>
Message-Id: <200404041103.i34B3q34063724@freefall.freebsd.org>
To: marck@rinet.ru, maxim@FreeBSD.org, ipfw@FreeBSD.org
Subject: Re: kern/64345: 4.x IPFW2 kernel memory leak (IPFW2+rote
	flaps+verrevpath)
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Apr 2004 11:03:52 -0000

Synopsis: 4.x IPFW2 kernel memory leak (IPFW2+rote flaps+verrevpath)

State-Changed-From-To: open->closed
State-Changed-By: maxim
State-Changed-When: Sun Apr 4 04:02:39 PDT 2004
State-Changed-Why: 
Andre has fixed this bug in rev. 1.6.2.21 sys/netinet/ip_fw2.c.  Thanks
for the report.

http://www.freebsd.org/cgi/query-pr.cgi?pr=64345

From owner-freebsd-ipfw@FreeBSD.ORG  Mon Apr  5 06:02:01 2004
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 49D0316A4CE
	for <freebsd-ipfw@freebsd.org>; Mon,  5 Apr 2004 06:02:01 -0700 (PDT)
Received: from uranium.btinternet.com (uranium.btinternet.com [194.73.73.89])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0147243D5D
	for <freebsd-ipfw@freebsd.org>; Mon,  5 Apr 2004 06:02:01 -0700 (PDT)
	(envelope-from Co0lkizz@btinternet.com)
Received: from [81.129.116.242] (helo=B77)
	by uranium.btinternet.com with esmtp (Exim 3.22 #25)
	id 1BATjj-0006MP-00
	for freebsd-ipfw@freebsd.org; Mon, 05 Apr 2004 14:01:59 +0100
From: "Grant Millar" <Co0lkizz@btinternet.com>
To: <freebsd-ipfw@freebsd.org>
Date: Mon, 5 Apr 2004 14:02:05 +0100
Message-ID: <000801c41b0e$326c0a90$0300a8c0@B77>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Subject: FW: misc/64694: UID/GID matching in ipfw non-functional
X-List-Received-Date: Mon, 05 Apr 2004 13:02:01 -0000

I understand this, but it should not mean that uid matching should not
work for ALL sockets, am I correct? This all started by a friend of mine
entering exactly the same rules in my rule set as his and it not working.
He too was using 4.9 Release and we compiled our kernels with exactly the
same options; this is what led me to submit this as a bug. I mean, why
even implement uid matching if it does not work...

Another example: I set up an ircd on the IP 66.90.x.236 under the uid admin
and added the following rules to ipfw,

01600  21092  1981319 allow ip from any to 66.90.x.236 in
01700     90    10033 allow ip from 66.90.x.236 to any out via fxp0 uid admin
01800    144    13517 deny ip from 66.90.x.236 to any

The 90 packets being accepted were from just before I added the deny rule;
after adding the deny rule all packets were dropped.

Does anyone agree that this is a problem?

Grant

From owner-freebsd-ipfw@FreeBSD.ORG  Mon Apr  5 06:50:01 2004
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F199F16A4CE
	for <freebsd-ipfw@freebsd.org>; Mon,  5 Apr 2004 06:50:01 -0700 (PDT)
Received: from smtp.wan.no (smtp.wan.no [80.86.128.91])
	by mx1.FreeBSD.org (Postfix) with SMTP id C0A9D43D41
	for <freebsd-ipfw@freebsd.org>; Mon,  5 Apr 2004 06:49:58 -0700 (PDT)
	(envelope-from sten.daniel.sorsdal@wan.no)
Received: (qmail 13804 invoked from network); 5 Apr 2004 14:04:28 -0000
Received: from unknown (HELO exchange.wan.no) (10.30.1.52)
  by smtp.wan.no with SMTP; 5 Apr 2004 14:04:28 -0000
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
Date: Mon, 5 Apr 2004 15:49:51 +0200
Message-ID: <E3AE90582399B14EB7D037B53B9B17E94DFF@exchange.wanglobal.net>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: Is this a bug? ifname[wildcard] matches other interfaces?
thread-index: AcQbFN34HVSZlIPcSVe+bBGcLjxYag==
From: =?iso-8859-1?Q?Sten_Daniel_S=F8rsdal?= <sten.daniel.sorsdal@wan.no>
To: <freebsd-ipfw@freebsd.org>
Subject: Is this a bug? ifname[wildcard] matches other interfaces?
X-List-Received-Date: Mon, 05 Apr 2004 13:50:02 -0000

Hi

I was led to believe that using ifname* (read: interface name + wildcard)
would work.
Apparently fxp* matches all, even the ones originating from or destined
to tunX.
A bug, or did I misunderstand the man page?

In ip_fw2.c ~@388 I read the following, which I -believe- skips name
comparison when
matching interface; am I understanding the code correctly?
	...
        if (cmd->name[0] != '\0') { /* match by name */
                /* Check unit number (-1 is wildcard) */
                if (cmd->p.unit != -1 && cmd->p.unit != ifp->if_unit)
                        return(0);
                /* Check name */
                if (!strncmp(ifp->if_name, cmd->name, IFNAMSIZ))
                        return(1);
        } else {
	...

FreeBSD 4.9-RELEASE-p3 with IPFW2 as module, dummynet module loaded.

00200  796 233528 allow via lo0 // &! permit all via loopback interface
00201  159  13155 allow dst-port 53,22,80
00202    0      0 deny dst-port 135,137,138,139,445
00203 3897 293591 skipto 207 out // &! skip ahead for outgoing packets
00204 5565 405417 skipto 400 recv fxp* // &! received on main fxp*
00205    0      0 skipto 800 recv tun* // &! received on main tun*
00206    0      0 skipto 209 in // &! skip ahead for unhandled
00207 3897 293591 skipto 600 xmit fxp* // &! xmitted on main fxp*
00208    0      0 skipto 1000 xmit tun* // &! xmitted on main tun*
00209    0      0 allow // &! default for main main
00400 1733  89195 pipe 1000 { dst-port 1214,6699,5190,4661-4665,6345-6350 or src-port 1214,6699,5190,4661-4665,6345-6350 }
00401 3832 316222 allow // &! default for interfacegroup in_fxp
00600 1232 121000 deny not src-ip 80.x.x.0/24,80.x.x.0/29 out xmit fxp0
00601    0      0 pipe 1001 { dst-port 1214,6699,5190,4661-4665,6345-6350 or src-port 1214,6699,5190,4661-4665,6345-6350 }
00602    0      0 fwd 80.x.x.21 src-ip 80.x.x.22 out xmit fxp0
00603 2665 172591 allow // &! default for interfacegroup out_fxp
00800    0      0 pipe 2 recv tun0 // &! received on tun0
00801    0      0 pipe 3 recv tun1 // &! received on tun1
...
01000    0      0 pipe 103 xmit tun0 // &! transmitted on tun0
01001    0      0 pipe 104 xmit tun1 // &! transmitted on tun1
...


_// Sten Daniel Sørsdal

From owner-freebsd-ipfw@FreeBSD.ORG  Mon Apr  5 11:01:58 2004
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id AC15C16A4CE
	for <ipfw@freebsd.org>; Mon,  5 Apr 2004 11:01:58 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A4F4843D66
	for <ipfw@freebsd.org>; Mon,  5 Apr 2004 11:01:58 -0700 (PDT)
	(envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (peter@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.10/8.12.10) with ESMTP id i35I1wbv070454
	for <ipfw@freebsd.org>; Mon, 5 Apr 2004 11:01:58 -0700 (PDT)
	(envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost)
	by freefall.freebsd.org (8.12.10/8.12.10/Submit) id i35I1vQh070448
	for ipfw@freebsd.org; Mon, 5 Apr 2004 11:01:57 -0700 (PDT)
	(envelope-from owner-bugmaster@freebsd.org)
Date: Mon, 5 Apr 2004 11:01:57 -0700 (PDT)
Message-Id: <200404051801.i35I1vQh070448@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to
	owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster <bugmaster@freebsd.org>
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you
X-List-Received-Date: Mon, 05 Apr 2004 18:01:58 -0000

Current FreeBSD problem reports
Critical problems
Serious problems

S  Submitted   Tracker     Resp.       Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw        ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274  ipfw        ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw        ipfw rule 'deny icmp from any to any icmp
o [2004/03/03] misc/63724  ipfw        IPFW2 Queues dont t work
o [2004/03/13] kern/64240  ipfw        IPFW tee terminates rule processing

5 problems total.

Non-critical problems

S  Submitted   Tracker     Resp.       Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw        Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080  ipfw        [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw        ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw        IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172  ipfw        ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw        [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959   ipfw        ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw        ipfw2 incorrectly parses ports and port r
o [2003/08/25] kern/55984  ipfw        [patch] time based firewalling support fo
o [2003/12/29] kern/60719  ipfw        ipfw:  Headerless fragments generate cryp
o [2004/01/12] kern/61259  ipfw        [patch] make "ipfw tee" work as intended 
o [2004/02/09] kern/62598  ipfw        no logging on ipfw loadable module
o [2004/03/08] kern/63961  ipfw        ipfw2 uid matching doesn't work correctly

13 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG  Tue Apr  6 06:12:09 2004
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id B806916A4CE; Tue,  6 Apr 2004 06:12:09 -0700 (PDT)
Received: from hetzner.co.za (lfw.hetzner.co.za [196.7.18.226])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 1184B43D5C; Tue,  6 Apr 2004 06:12:09 -0700 (PDT)
	(envelope-from ianf@hetzner.co.za)
Received: from localhost ([127.0.0.1])
	by hetzner.co.za with esmtp (Exim 3.36 #1)
	id 1BAqMX-000H0d-00; Tue, 06 Apr 2004 15:11:33 +0200
To: FreeBSD bugmaster <bugmaster@freebsd.org>
From: Ian FREISLICH <if@hetzner.co.za>
In-Reply-To: Message from FreeBSD bugmaster <bugmaster@freebsd.org> 
	<200404051801.i35I1vQh070448@freefall.freebsd.org> 
Date: Tue, 06 Apr 2004 15:11:33 +0200
Sender: ianf@hetzner.co.za
Message-Id: <E1BAqMX-000H0d-00@hetzner.co.za>
cc: ipfw@FreeBSD.org
Subject: Re: Current problem reports assigned to you 
X-List-Received-Date: Tue, 06 Apr 2004 13:12:09 -0000

Hi

> o [2004/03/13] kern/64240  ipfw        IPFW tee terminates rule processing

Is there someone here that can commit the patch in this PR, or let
me know how I should change it to make it committable?

Ian

--
Ian Freislich

From owner-freebsd-ipfw@FreeBSD.ORG  Tue Apr  6 11:18:10 2004
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B28C516A4CE
	for <freebsd-ipfw@freebsd.org>; Tue,  6 Apr 2004 11:18:10 -0700 (PDT)
Received: from web40703.mail.yahoo.com (web40703.mail.yahoo.com
	[66.218.78.160])	by mx1.FreeBSD.org (Postfix) with SMTP id A12C043D3F
	for <freebsd-ipfw@freebsd.org>; Tue,  6 Apr 2004 11:18:10 -0700 (PDT)
	(envelope-from thuan_an@yahoo.com)
Message-ID: <20040406181724.73532.qmail@web40703.mail.yahoo.com>
Received: from [62.178.225.200] by web40703.mail.yahoo.com via HTTP;
	Tue, 06 Apr 2004 11:17:24 PDT
Date: Tue, 6 Apr 2004 11:17:24 -0700 (PDT)
From: An Tran <thuan_an@yahoo.com>
To: freebsd-ipfw@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Content-Filtered-By: Mailman/MimeDel 2.1.1
Subject: Optional NOT operator of ports problem
X-List-Received-Date: Tue, 06 Apr 2004 18:18:10 -0000

Hi all, 

I was having a problem with the optional NOT operator of ports. I have tested this rule but it didn't work:

#ipfw add xxx allow ip from xx.xx.xx.xx to any not 25 
ipfw: unknown argument ``not'' 

My server is running FreeBSD 4.9-STABLE and I have seen in the ipfw man page that we can use the optional not operator as follows:
...
src and dst: {addr | { addr or ... }} [[not] ports] 
An address (or a list, see below) optionally followed by ports 
specifiers. 
...
ports: {port | port-port}[,ports]
For protocols which support port numbers (such as TCP and UDP),
optional ports may be specified as one or more ports or port
ranges, separated by commas but no spaces, and an optional not
operator. The `-' notation specifies a range of ports (including
boundaries).
...

Could anyone please tell me what was wrong in my rule?

Thank you in advance.


From owner-freebsd-ipfw@FreeBSD.ORG  Tue Apr  6 12:34:40 2004
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 759B316A4CE
	for <freebsd-ipfw@freebsd.org>; Tue,  6 Apr 2004 12:34:40 -0700 (PDT)
Received: from mailhost.wsf.at (server202.serveroffice.com [217.196.72.202])
	by mx1.FreeBSD.org (Postfix) with ESMTP id AF89443D41
	for <freebsd-ipfw@freebsd.org>; Tue,  6 Apr 2004 12:34:38 -0700 (PDT)
	(envelope-from tw@wsf.at)
Received: from mailhost.wsf.at (root@localhost)i36JURTx055274
	for <freebsd-ipfw@freebsd.org>; Tue, 6 Apr 2004 21:30:28 +0200 (CEST)
	(envelope-from tw@wsf.at)
Received: from mailhost.wsf.at (http.wsf.at [217.196.72.203])
	i36JURqY055247;	Tue, 6 Apr 2004 21:30:27 +0200 (CEST)
	(envelope-from tw@wsf.at)
Date: Tue, 6 Apr 2004 19:30:27 -0000
To: An Tran <thuan_an@yahoo.com>, freebsd-ipfw@freebsd.org
From: Thomas Wolf <tw@wsf.at>
X-Mailer: twiggi 1.10.3
Message-ID: <20040406213027.2a5tp308z3msk@.mailhost.wsf.at>
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Re: Optional NOT operator of ports problem
Reply-To: tw@wsf.at
X-List-Received-Date: Tue, 06 Apr 2004 19:34:40 -0000


An Tran <thuan_an@yahoo.com> wrote:

> Hi all, 
> 
> I was having a problem with the optional NOT operator of ports. I have tested this rule but it didn't work: 
> 
> #ipfw add xxx allow ip from xx.xx.xx.xx to any not 25 
> ipfw: unknown argument ``not'' 
> 

AFAIK this works only with ipfw2:

gateway# ipfw -n add 1 count all from any to any not 25
00001 count ip from any to any not dst-port 25

Thomas

--
Thomas Wolf
Wiener Software Fabrik
Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4

From owner-freebsd-ipfw@FreeBSD.ORG  Fri Apr  9 01:14:20 2004
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 7AE3816A4CE
	for <ipfw@freebsd.org>; Fri,  9 Apr 2004 01:14:20 -0700 (PDT)
Received: from sa.vdk.ru (sa.vdk.ru [81.16.143.45])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 736AB43D1D
	for <ipfw@freebsd.org>; Fri,  9 Apr 2004 01:14:19 -0700 (PDT)
	(envelope-from roman@sa.vdk.ru)
Received: from sa.vdk.ru (localhost [127.0.0.1])
	by sa.vdk.ru (8.12.11/8.12.11) with ESMTP id i398EGWB044200
	for <ipfw@freebsd.org>; Fri, 9 Apr 2004 16:14:17 +0800 (KRAST)
	(envelope-from roman@sa.vdk.ru)
Received: (from roman@localhost)
	by sa.vdk.ru (8.12.11/8.12.11/Submit) id i398EFrG044199
	for ipfw@freebsd.org; Fri, 9 Apr 2004 16:14:15 +0800 (KRAST)
	(envelope-from roman)
Date: Fri, 9 Apr 2004 16:14:15 +0800
From: Stepanishev Roman Petrovich <roman@petrovich.pp.ru>
To: ipfw@freebsd.org
Message-ID: <20040409081415.GA44082@petrovich.pp.ru>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="ikeVEW9yuYc//A+q"
Content-Disposition: inline
User-Agent: Mutt/1.5.6i
Subject: [Q] setup_loopback
X-List-Received-Date: Fri, 09 Apr 2004 08:14:20 -0000



Hi ipfw!

It may be off-topic, but why is the setup_loopback call
not run in the case where
rules are stored in an external file?

What reasons prevent including a call to this subroutine in the
rc.firewall script?

-- 
Stepanishev Roman Petrovich, ZAO Vodokanal, system administrator
roman@petrovich.pp.ru | 2:5006/10.71 | ICQ 35756399
+7 (3843) 790419


From owner-freebsd-ipfw@FreeBSD.ORG  Fri Apr  9 01:25:13 2004
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 462E016A4CE
	for <ipfw@freebsd.org>; Fri,  9 Apr 2004 01:25:13 -0700 (PDT)
Received: from flash.mipk.kharkiv.edu (flash.mipk.kharkiv.edu
	[194.44.157.113])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A5E6A43D45
	for <ipfw@freebsd.org>; Fri,  9 Apr 2004 01:25:08 -0700 (PDT)
	(envelope-from artem@mipk.kharkiv.edu)
Received: from mipk.kharkiv.edu (rainbow.mipk.kharkiv.edu [192.168.9.241])
	i398OnOL004691;	Fri, 9 Apr 2004 11:24:50 +0300 (EEST)
	(envelope-from artem@mipk.kharkiv.edu)
Message-ID: <40765DD0.9020101@mipk.kharkiv.edu>
Date: Fri, 09 Apr 2004 11:24:48 +0300
From: Artyom Viklenko <artem@mipk.kharkiv.edu>
Organization: IIAT NTU "KhPI"
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US;
	rv:1.5) Gecko/20031007
X-Accept-Language: ru, uk, en
MIME-Version: 1.0
To: Stepanishev Roman Petrovich <roman@petrovich.pp.ru>
References: <20040409081415.GA44082@petrovich.pp.ru>
In-Reply-To: <20040409081415.GA44082@petrovich.pp.ru>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: ipfw@freebsd.org
Subject: Re: [Q] setup_loopback
X-List-Received-Date: Fri, 09 Apr 2004 08:25:13 -0000

Stepanishev Roman Petrovich wrote:

> Hi ipfw!
> 
> It may be off-topic, but why is the setup_loopback call 
> not run in the case where
> rules are stored in an external file?
> 
> What reasons prevent including a call to this subroutine in the
> rc.firewall script?
> 
This was discussed some time ago.
When you create your own ipfw configuration you have
to take care of the whole picture, and nothing else should
appear in the rule base.

-- 
        Sincerely yours,
                          Artyom V. Viklenko.
======================================================
System Administrator            artem@mipk.kharkiv.edu
------------------------------------------------------
IIAT NTU "KhPI" 21, Frunze Str., Kharkov Ukraine 61002
Phone: +38 (0572) 400026        Fax: +38 (057) 7062749
======================================================

From owner-freebsd-ipfw@FreeBSD.ORG  Fri Apr  9 23:48:41 2004
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 81E8016A4D0
	for <freebsd-ipfw@freebsd.org>; Fri,  9 Apr 2004 23:48:41 -0700 (PDT)
Received: from calypso.bi.lt (calypso.bi.lt [213.226.153.10])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5E2C443D4C
	for <freebsd-ipfw@freebsd.org>; Fri,  9 Apr 2004 23:48:40 -0700 (PDT)
	(envelope-from hugle@vkt.lt)
Received: by calypso.bi.lt (Postfix, from userid 506)
	id 56DF15986C9; Sat, 10 Apr 2004 09:48:41 +0300 (EEST)
X-Original-To: freebsd-ipfw@freebsd.org
Received: from vkt-dell (unknown [213.252.192.162])
	by calypso.bi.lt (Postfix) with ESMTP id 13C98598692
	for <freebsd-ipfw@freebsd.org>; Sat, 10 Apr 2004 09:48:41 +0300 (EEST)
Date: Sat, 10 Apr 2004 09:48:38 +0300
From: hugle <hugle@vkt.lt>
X-Mailer: The Bat! (v2.01)
X-Priority: 3 (Normal)
Message-ID: <19129087455.20040410094838@vkt.lt>
To: freebsd-ipfw@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: ipfw LIMIT question.
Reply-To: hugle <hugle@vkt.lt>
X-List-Received-Date: Sat, 10 Apr 2004 06:48:41 -0000

Hello all :)
Writing here to ask if there is a way to limit every :
to have not more than 100 established connections
and up to 30 NEW?

And also, should I write a rule for every IP?
And will it work for all (for example) 192.168.0.0/24 per host?
But not all the subnet will have max 400 connections :)

Thanks.
Best regards, Hugle