From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 4 04:03:52 2004
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5EA3516A4CF; Sun, 4 Apr 2004 04:03:52 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3D8A443D2D; Sun, 4 Apr 2004 04:03:52 -0700 (PDT) (envelope-from maxim@FreeBSD.org)
Received: from freefall.freebsd.org (maxim@localhost [127.0.0.1]) i34B3qbv063728; Sun, 4 Apr 2004 04:03:52 -0700 (PDT) (envelope-from maxim@freefall.freebsd.org)
Received: (from maxim@localhost) by freefall.freebsd.org (8.12.10/8.12.10/Submit) id i34B3q34063724; Sun, 4 Apr 2004 04:03:52 -0700 (PDT) (envelope-from maxim)
Date: Sun, 4 Apr 2004 04:03:52 -0700 (PDT)
From: Maxim Konovalov
Message-Id: <200404041103.i34B3q34063724@freefall.freebsd.org>
To: marck@rinet.ru, maxim@FreeBSD.org, ipfw@FreeBSD.org
Subject: Re: kern/64345: 4.x IPFW2 kernel memory leak (IPFW2+rote flaps+verrevpath)
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Sun, 04 Apr 2004 11:03:52 -0000

Synopsis: 4.x IPFW2 kernel memory leak (IPFW2+rote flaps+verrevpath)
State-Changed-From-To: open->closed
State-Changed-By: maxim
State-Changed-When: Sun Apr 4 04:02:39 PDT 2004
State-Changed-Why: Andre has fixed this bug in rev. 1.6.2.21 sys/netinet/ip_fw2.c. Thanks for the report.
http://www.freebsd.org/cgi/query-pr.cgi?pr=64345

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 5 06:02:01 2004
From: "Grant Millar"
Date: Mon, 5 Apr 2004 14:02:05 +0100
Message-ID: <000801c41b0e$326c0a90$0300a8c0@B77>
Subject: FW: misc/64694: UID/GID matching in ipfw non-functional

I understand this, but it should not mean that uid matching should not work for ALL sockets, am I correct? This all started with a friend of mine entering exactly the same rules in my rule set as his and it not working; he too was using 4.9-RELEASE and we compiled our kernels with exactly the same options. This is what led me to submit this as a bug. I mean, why even implement uid matching if it does not work...
Another example: I set up an ircd on the IP 66.90.x.236 under the uid admin and added the following rules to ipfw:

01600 21092 1981319 allow ip from any to 66.90.x.236 in
01700    90   10033 allow ip from 66.90.x.236 to any out via fxp0 uid admin
01800   144   13517 deny ip from 66.90.x.236 to any

The 90 packets being accepted were from just before I added the deny rule; after adding the deny rule all packets were dropped. Does anyone agree that this is a problem?

Grant

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 5 06:50:01 2004
From: Sten Daniel Sørsdal
Date: Mon, 5 Apr 2004 15:49:51 +0200
Subject: Is this a bug? ifname[wildcard] matches other interfaces?

Hi

I was led to believe that using ifname* (read: interface name + wildcard) would work.
Apparently fxp* matches all, even the ones originating from or destined to tunX. A bug, or did I misunderstand the man page?

In ip_fw2.c ~@388 I read the following, which I -believe- skips name comparison when matching the interface. Am I understanding the code correctly?

...
if (cmd->name[0] != '\0') { /* match by name */
        /* Check unit number (-1 is wildcard) */
        if (cmd->p.unit != -1 && cmd->p.unit != ifp->if_unit)
                return(0);
        /* Check name */
        if (!strncmp(ifp->if_name, cmd->name, IFNAMSIZ))
                return(1);
} else {
...

FreeBSD 4.9-RELEASE-p3 with IPFW2 as module, dummynet module loaded.

00200    796   233528 allow via lo0 // &! permit all via loopback interface
00201    159    13155 allow dst-port 53,22,80
00202      0        0 deny dst-port 135,137,138,139,445
00203   3897   293591 skipto 207 out // &! skip ahead for outgoing packets
00204   5565   405417 skipto 400 recv fxp* // &! received on main fxp*
00205      0        0 skipto 800 recv tun* // &! received on main tun*
00206      0        0 skipto 209 in // &! skip ahead for unhandled
00207   3897   293591 skipto 600 xmit fxp* // &! xmitted on main fxp*
00208      0        0 skipto 1000 xmit tun* // &! xmitted on main tun*
00209      0        0 allow // &! default for main main
00400   1733    89195 pipe 1000 { dst-port 1214,6699,5190,4661-4665,6345-6350 or src-port 1214,6699,5190,4661-4665,6345-6350 }
00401   3832   316222 allow // &! default for interfacegroup in_fxp
00600   1232   121000 deny not src-ip 80.x.x.0/24,80.x.x.0/29 out xmit fxp0
00601      0        0 pipe 1001 { dst-port 1214,6699,5190,4661-4665,6345-6350 or src-port 1214,6699,5190,4661-4665,6345-6350 }
00602      0        0 fwd 80.x.x.21 src-ip 80.x.x.22 out xmit fxp0
00603   2665   172591 allow // &! default for interfacegroup out_fxp
00800      0        0 pipe 2 recv tun0 // &! received on tun0
00801      0        0 pipe 3 recv tun1 // &! received on tun1
...
01000      0        0 pipe 103 xmit tun0 // &! transmitted on tun0
01001      0        0 pipe 104 xmit tun1 // &! transmitted on tun1
...
_// Sten Daniel Sørsdal

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 5 11:01:58 2004
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 5 Apr 2004 11:01:57 -0700 (PDT)
Message-Id: <200404051801.i35I1vQh070448@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw   ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o [2004/03/03] misc/63724  ipfw   IPFW2 Queues dont t work
o [2004/03/13] kern/64240  ipfw   IPFW tee terminates rule processing

5 problems total.

Non-critical problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw   IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959   ipfw   ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/25] kern/55984  ipfw   [patch] time based firewalling support fo
o [2003/12/29] kern/60719  ipfw   ipfw: Headerless fragments generate cryp
o [2004/01/12] kern/61259  ipfw   [patch] make "ipfw tee" work as intended
o [2004/02/09] kern/62598  ipfw   no logging on ipfw loadable module
o [2004/03/08] kern/63961  ipfw   ipfw2 uid matching doesn't work correctly

13 problems total.
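Returning to the ifname-wildcard question in Sten Daniel Sørsdal's message earlier in this digest: the following is an added example, not code from FreeBSD's ip_fw2.c, that models the quoted comparison in user space (cmd->name / cmd->p.unit against if_name / if_unit, unit -1 as wildcard) together with the recv, xmit and via keywords as ipfw(8) defines them. The ifmatch and ifnet structs follow the 4.x field names; struct pkt, enum ifkw, the sample packets and the helper functions are constructed for this example.

```c
/* Added example (not ip_fw2.c): user-space model of ipfw's interface match. */
#include <assert.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IFNAMSIZ 16

/* What "fxp*" or "fxp0" in a rule compiles to (cmd->name, cmd->p.unit). */
struct ifmatch {
    char name[IFNAMSIZ];
    int unit;                       /* -1 is the wildcard */
};

/* 4.x ifnet kept the driver name and the unit number separately. */
struct ifnet {
    char if_name[IFNAMSIZ];
    int if_unit;
};

/* Split "fxp0" or "fxp*" into driver name and unit (-1 for '*').
 * Returns 0 for anything else: empty name, bare name, trailing junk. */
static int split_ifname(const char *s, char *name, int *unit)
{
    size_t i = 0;
    char *end;

    while (s[i] != '\0' && !isdigit((unsigned char)s[i]) && s[i] != '*')
        i++;
    if (i == 0 || i >= IFNAMSIZ)
        return 0;
    memcpy(name, s, i);
    name[i] = '\0';
    if (s[i] == '*') {
        *unit = -1;
        return s[i + 1] == '\0';
    }
    if (s[i] == '\0')
        return 0;                   /* "fxp" alone is not a valid token */
    *unit = (int)strtol(s + i, &end, 10);
    return *end == '\0';
}

/* The comparison quoted from ip_fw2.c: unit first, then name via strncmp. */
static int iface_match(const struct ifnet *ifp, const struct ifmatch *cmd)
{
    if (cmd->name[0] != '\0') {         /* match by name */
        if (cmd->unit != -1 && cmd->unit != ifp->if_unit)
            return 0;                   /* unit given and different */
        if (!strncmp(ifp->if_name, cmd->name, IFNAMSIZ))
            return 1;                   /* driver names equal */
    }
    return 0;
}

/* 1 if rule token `pattern` matches interface `ifname`, 0 if not,
 * -1 if either string would not compile into a name/unit pair. */
int ifname_matches(const char *pattern, const char *ifname)
{
    struct ifmatch cmd;
    struct ifnet ifp;

    if (!split_ifname(pattern, cmd.name, &cmd.unit))
        return -1;
    if (!split_ifname(ifname, ifp.if_name, &ifp.if_unit) || ifp.if_unit < 0)
        return -1;
    return iface_match(&ifp, &cmd);
}

/* Constructed packet view: receive interface, and the transmit interface
 * once the packet is on the output path (NULL while still inbound). */
struct pkt {
    const char *rcvif;
    const char *oif;
};

enum ifkw { KW_RECV, KW_XMIT, KW_VIA };

/* ipfw(8): recv tests the receive interface on inbound and outbound packets,
 * xmit only the transmit interface, via whichever one the packet is on now. */
int rule_iface_check(enum ifkw kw, const char *pattern, const struct pkt *p)
{
    switch (kw) {
    case KW_RECV:
        return p->rcvif != NULL && ifname_matches(pattern, p->rcvif) == 1;
    case KW_XMIT:
        return p->oif != NULL && ifname_matches(pattern, p->oif) == 1;
    case KW_VIA:
        return p->oif != NULL ? ifname_matches(pattern, p->oif) == 1
                              : p->rcvif != NULL && ifname_matches(pattern, p->rcvif) == 1;
    }
    return 0;
}

/* Constructed sample packets: one forwarded from fxp0 out tun0, one still inbound on fxp0. */
static const struct pkt forwarded = { "fxp0", "tun0" };
static const struct pkt inbound   = { "fxp0", NULL };

int check_forwarded(enum ifkw kw, const char *pattern) { return rule_iface_check(kw, pattern, &forwarded); }
int check_inbound(enum ifkw kw, const char *pattern)   { return rule_iface_check(kw, pattern, &inbound); }

int main(void)
{
    printf("fxp* vs fxp1: %d, fxp* vs tun0: %d\n",
           ifname_matches("fxp*", "fxp1"), ifname_matches("fxp*", "tun0"));
    printf("forwarded fxp0->tun0: recv fxp*=%d recv tun*=%d xmit tun*=%d xmit fxp*=%d\n",
           check_forwarded(KW_RECV, "fxp*"), check_forwarded(KW_RECV, "tun*"),
           check_forwarded(KW_XMIT, "tun*"), check_forwarded(KW_XMIT, "fxp*"));
    return 0;
}
```

Under this model fxp* matches fxp0 and fxp1 but not tun0, so the quoted code does compare driver names. The point worth keeping in mind when reading counters like those in the listing is the keyword, not the wildcard: recv fxp* also matches an outbound packet that arrived on fxp0 and is leaving on tun0, whereas xmit tun* matches that same packet and xmit fxp* does not.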
From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 6 06:12:09 2004
From: Ian FREISLICH
Sender: ianf@hetzner.co.za
To: FreeBSD bugmaster
cc: ipfw@FreeBSD.org
In-Reply-To: Message from FreeBSD bugmaster <200404051801.i35I1vQh070448@freefall.freebsd.org>
Date: Tue, 06 Apr 2004 15:11:33 +0200
Subject: Re: Current problem reports assigned to you

Hi

> o [2004/03/13] kern/64240  ipfw   IPFW tee terminates rule processing

Is there someone here that can commit the patch in this PR, or let me know how I should change it to make it committable?
Ian

--
Ian Freislich

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 6 11:18:10 2004
From: An Tran
To: freebsd-ipfw@freebsd.org
Date: Tue, 6 Apr 2004 11:17:24 -0700 (PDT)
Message-ID: <20040406181724.73532.qmail@web40703.mail.yahoo.com>
Subject: Optional NOT operator of ports problem

Hi all,

I was having a problem with the optional NOT operator of ports. I have tested this rule but it didn't work:

#ipfw add xxx allow ip from xx.xx.xx.xx to any not 25
ipfw: unknown argument ``not''

My server is running FreeBSD 4.9-STABLE and I have seen in the ipfw man page that we can use the optional not operator as follows:

...
src and dst: {addr | { addr or ... }} [[not] ports]
        An address (or a list, see below) optionally followed by ports specifiers.
...
ports: {port | port-port}[,ports]
        For protocols which support port numbers (such as TCP and UDP), optional ports may be specified as one or more ports or port ranges, separated by commas but no spaces, and an optional not operator. The `-' notation specifies a range of ports (including boundaries).
...

Could anyone please tell me what was wrong in my rule?
Thank you in advance.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 6 12:34:40 2004
From: Thomas Wolf
Reply-To: tw@wsf.at
To: An Tran, freebsd-ipfw@freebsd.org
Date: Tue, 6 Apr 2004 19:30:27 -0000
Message-ID: <20040406213027.2a5tp308z3msk@.mailhost.wsf.at>
Subject: Re: Optional NOT operator of ports problem

An Tran wrote:
> Hi all,
>
> I was having a problem with the optional NOT operator of ports. I have tested this rule but it didn't work:
>
> #ipfw add xxx allow ip from xx.xx.xx.xx to any not 25
> ipfw: unknown argument ``not''
>

AFAIK this works only with ipfw2:

gateway# ipfw -n add 1 count all from any to any not 25
00001 count ip from any to any not dst-port 25

Thomas

--
Thomas Wolf
Wiener Software Fabrik Dubas u.
Wolf GMBH
1050 Wien, Mittersteig 4

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 9 01:14:20 2004
From: Stepanishev Roman Petrovich
To: ipfw@freebsd.org
Date: Fri, 9 Apr 2004 16:14:15 +0800
Message-ID: <20040409081415.GA44082@petrovich.pp.ru>
Subject: [Q] setup_loopback

Hi ipfw!

It may be off-topic, but why is the setup_loopback call not run in the case when the rules are stored in an external file? What reasons prevent including a call of this subroutine in the rc.firewall script?
--
Stepanishev Roman Petrovich, ZAO Vodokanal, system administrator
roman@petrovich.pp.ru | 2:5006/10.71 | ICQ 35756399
+7 (3843) 790419

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 9 01:25:13 2004
From: Artyom Viklenko
Organization: IIAT NTU "KhPI"
To: Stepanishev Roman Petrovich
cc: ipfw@freebsd.org
Date: Fri, 09 Apr 2004 11:24:48 +0300
Message-ID: <40765DD0.9020101@mipk.kharkiv.edu>
In-Reply-To: <20040409081415.GA44082@petrovich.pp.ru>
Subject: Re: [Q] setup_loopback

Stepanishev Roman Petrovich wrote:
> Hi ipfw!
>
> It may be off-topic, but why is the setup_loopback call
> not run in the case when
> the rules are stored in an external file?
>
> What reasons prevent including a call of this subroutine in the
> rc.firewall script?
>

This was discussed some time before. When you create your own ipfw configuration you have to take care of the whole picture, and nothing else should appear in the rule base.

--
Sincerely yours,
Artyom V. Viklenko.
======================================================
System Administrator            artem@mipk.kharkiv.edu
------------------------------------------------------
IIAT NTU "KhPI"
21, Frunze Str., Kharkov
Ukraine 61002
Phone: +38 (0572) 400026
Fax:   +38 (057) 7062749
======================================================

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 9 23:48:41 2004
From: hugle
To: freebsd-ipfw@freebsd.org
Date: Sat, 10 Apr 2004 09:48:38 +0300
Message-ID: <19129087455.20040410094838@vkt.lt>
Subject: ipfw LIMIT question.
Hello all :)

Writing here to ask if there is a way to limit every : to have not more than 100 established connections and up to 30 NEW? And also, should I write a rule for every IP, or will it work for all of (for example) 192.168.0.0/24 per host, but not the whole subnet having max 400 connections? :)

thanks.

Best regards,
Hugle
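For the port-syntax exchange between An Tran and Thomas Wolf earlier in this digest, here is an added example, not ipfw's own source, that parses and evaluates the ports grammar quoted from ipfw(8), `{port | port-port}[,ports]` with the optional leading `not`, and carries a version flag modelling why the 4.9 ipfw1 front end reports `not` as an unknown argument while ipfw2 accepts it. All type and function names, the MAXPORTS limit and the sample specifiers are constructed for this example.

```c
/* Added example (not ipfw source): parser/matcher for ipfw(8) port specifiers. */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXPORTS 30                 /* list length cap chosen for this example */

struct portspec {
    int negate;                     /* 1 when the "not" operator was given */
    int n;                          /* number of ranges stored */
    unsigned lo[MAXPORTS];          /* inclusive lower bounds */
    unsigned hi[MAXPORTS];          /* inclusive upper bounds; lo == hi for a single port */
};

/* Which front end is parsing: only ipfw2 knows the "not" keyword here. */
enum ipfw_version { IPFW1 = 1, IPFW2 = 2 };

/* Parse one decimal port at `s`; succeed only for a number in 0..65535.
 * `*end` is left just past the digits. */
static int parse_port(const char *s, const char **end, unsigned *out)
{
    char *e;
    long v;

    if (*s < '0' || *s > '9')
        return 0;                   /* rejects sign, whitespace, empty token */
    v = strtol(s, &e, 10);
    if (v < 0 || v > 65535)
        return 0;
    *out = (unsigned)v;
    *end = e;
    return 1;
}

/* Fill `ps` from a specifier such as "25", "not 25" or "22,80,4661-4665".
 * Returns 1 on success, 0 on a syntax error (ipfw would print a diagnostic
 * such as the "unknown argument ``not''" seen in the thread). */
int parse_portspec(const char *spec, enum ipfw_version ver, struct portspec *ps)
{
    const char *p = spec;

    memset(ps, 0, sizeof *ps);
    if (strncmp(p, "not ", 4) == 0) {
        if (ver == IPFW1)
            return 0;               /* ipfw1: unknown argument ``not'' */
        ps->negate = 1;
        p += 4;
    }
    for (;;) {
        unsigned lo, hi;

        if (ps->n == MAXPORTS || !parse_port(p, &p, &lo))
            return 0;
        hi = lo;
        if (*p == '-') {            /* port-port: both boundaries included */
            if (!parse_port(p + 1, &p, &hi) || hi < lo)
                return 0;           /* empty or inverted range */
        }
        ps->lo[ps->n] = lo;
        ps->hi[ps->n] = hi;
        ps->n++;
        if (*p == '\0')
            return 1;
        if (*p != ',')
            return 0;               /* commas only, no spaces, no other separators */
        p++;
    }
}

/* Does `port` satisfy the specifier? "not" inverts the whole list. */
int portspec_matches(const struct portspec *ps, unsigned port)
{
    int i, hit = 0;

    for (i = 0; i < ps->n && !hit; i++)
        hit = (port >= ps->lo[i] && port <= ps->hi[i]);
    return ps->negate ? !hit : hit;
}

/* Parse and match in one call: 1 match, 0 no match, -1 syntax error. */
int port_allowed(const char *spec, enum ipfw_version ver, unsigned port)
{
    struct portspec ps;

    if (!parse_portspec(spec, ver, &ps))
        return -1;
    return portspec_matches(&ps, port);
}

int main(void)
{
    /* The rule from the thread, "... to any not 25", under both front ends. */
    printf("ipfw1 \"not 25\": %d (syntax error)\n", port_allowed("not 25", IPFW1, 25));
    printf("ipfw2 \"not 25\" port 25: %d, port 80: %d\n",
           port_allowed("not 25", IPFW2, 25), port_allowed("not 25", IPFW2, 80));
    printf("\"4661-4665\" port 4663: %d, port 4666: %d\n",
           port_allowed("4661-4665", IPFW2, 4663), port_allowed("4661-4665", IPFW2, 4666));
    return 0;
}
```

Two details of the grammar are worth checking against one's own rules: the range notation includes both boundaries, and the list must have no spaces after the commas, so "22, 80" is a syntax error rather than a two-port list.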