From: Supote Leelasupphakorn
To: freebsd-questions@freebsd.org
Cc: ipfw@freebsd.org
Date: Mon, 24 May 2004 12:04:43 +0100 (BST)
Subject: What's the "bridged" option in ipfw's man page ?

Hi... lists,

I've read the "ipfw" man page, and in the "RULE OPTION" section there is a "bridged" option. I'm currently setting up a bridge-based firewall, so my question is: what are bridged packets, and how much advantage can I take from this option?

TIA,
pjn

From: "Simon Chang"
To: freebsd-ipfw@freebsd.org
Date: Mon, 24 May 2004 15:31:13 +0200
Subject: ISP redundancy and with IPFW

Hello all,

IPFW newbie question. I am lucky enough to have 2 ADSL connections with 6 static addresses on each router. I have a web server that needs to be always available from the internet for our road warriors. What I would like to do is give this web server a private address, say 10.0.0.1, and put it behind a FreeBSD/IPFW firewall. I would then like to NAT this private address to a public address from each ISP's range.

Say 100.1.1.2 for ISP1 (the ISP router address is 100.1.1.1) and 200.2.2.2 for ISP2 (the ISP router address is 200.2.2.1). This would mean that our road warriors could type either http://100.1.1.2 or http://200.2.2.2 into their browsers and arrive at the web server.

The problem I'm not sure about is how to configure the return routing of the packets (I don't think I can use a default router on the firewall). Say for example ISP1 was down: 100.1.1.2 does not work, so the user types 200.2.2.2. The packet arrives at the firewall, is NATed to 10.0.0.1 and sent to the web server. The return packet is returned to the firewall, where the source is "un-NATed" to 200.2.2.2 (the destination could be anything). How do I specify a rule that says "for this source address (in ISP2's network), send the packet to ISP2's router (200.2.2.1)"? Obviously I cannot route by destination address, as this could be anything (for the return packets).

Is this possible with IPFW and NAT together? Has anyone a similar rule set that they could send me?

Cheers,
Simon Chang.
From: angel.kafazov@mail.bg
To: freebsd-ipfw@freebsd.org
Date: Mon, 24 May 2004 18:12:30 +0300
Subject: How to give equal bandwidth to each host

Hello everybody,

I have a problem when trying to shape my traffic so that every IP would get a proportional amount of the bandwidth. I mean that any number of hosts should be able to use the full link at any time, proportionally. I have made the following settings:

ipfw add pipe 1 ip from 192.168.2.0/24 to any out
ipfw add pipe 2 ip from any to 192.168.2.0/24 in
ipfw pipe 1 config mask src-ip 0x000000ff bw 128Kbit/s queue 20Kbytes
ipfw pipe 2 config mask dst-ip 0x000000ff bw 640Kbit/s queue 20Kbytes

where 768 is my total bandwidth (640 down). However, it does not seem to be working correctly. I have a FreeBSD 4.9 box doing NAT. I will appreciate any help.

Best,
Angel Kafazov

From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 24 May 2004 11:02:12 -0700 (PDT)
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S  Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o  [2002/12/27]  kern/46557  ipfw   ipfw pipe show fails with lots of queues
o  [2003/04/22]  kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f  [2003/04/24]  kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o  [2004/03/03]  misc/63724  ipfw   IPFW2 Queues dont t work
o  [2004/03/13]  kern/64240  ipfw   IPFW tee terminates rule processing

5 problems total.

Non-critical problems

S  Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
a  [2001/04/13]  kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o  [2002/12/07]  kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o  [2002/12/10]  kern/46159  ipfw   ipfw dynamic rules lifetime feature
o  [2002/12/27]  kern/46564  ipfw   IPFilter and IPFW processing order is not
o  [2003/02/11]  kern/48172  ipfw   ipfw does not log size and flags
o  [2003/03/10]  kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o  [2003/03/12]  bin/49959   ipfw   ipfw tee port rule skips parsing next rul
o  [2003/04/09]  bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o  [2003/08/25]  kern/55984  ipfw   [patch] time based firewalling support fo
o  [2003/12/29]  kern/60719  ipfw   ipfw: Headerless fragments generate cryp
o  [2004/01/12]  kern/61259  ipfw   [patch] make "ipfw tee" work as intended
o  [2004/02/09]  kern/62598  ipfw   no logging on ipfw loadable module
o  [2004/03/08]  kern/63961  ipfw   ipfw2 uid matching doesn't work correctly

13 problems total.
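For Angel Kafazov's "equal bandwidth to each host" question earlier in this digest, here is an added example (not from the thread and not FreeBSD's own rc.firewall): a sh script that generates the dummynet pipe-plus-queue ruleset which shares each direction of the link proportionally among the LAN hosts, with a self-check on where the queue rules sit relative to the natd divert rule. The outside interface name tun0, the divert port and the rule numbers 100/200/300 are assumptions.

```shell
#!/bin/sh
# Added example for the "equal bandwidth to each host" question; not code from
# the thread. Uses the poster's figures (192.168.2.0/24, 128Kbit/s up,
# 640Kbit/s down, 20Kbytes queues) plus assumed names: outside interface tun0,
# natd on divert port "natd", rule numbers 100/200/300.
#
# Why the thread's rules limit rather than share: "pipe N config mask src-ip
# 0x000000ff" creates a separate dynamic pipe per last octet, and each of
# those pipes gets the full 128Kbit/s. Proportional sharing needs ONE pipe at
# the link rate with a WF2Q+ queue inside it; the mask then goes on the queue,
# so every host gets its own queue and the queues split the pipe by weight.

LAN="192.168.2.0/24"
EXT_IF="tun0"             # assumed outside interface
UP_BW="128Kbit/s"
DOWN_BW="640Kbit/s"
QSIZE="20Kbytes"
NATD_PORT="natd"          # divert port of the existing natd (from /etc/services)

# Emit the ruleset on stdout for review; load it on the FreeBSD box with:
#   fair_share_rules | sh
# Ordering matters on a NAT box: the outbound queue rule must run BEFORE the
# divert (so the mask sees the private source), the inbound one AFTER it (so
# the mask sees the private destination), and one_pass=0 so a packet keeps
# going through the rules after dummynet instead of being accepted there.
fair_share_rules() {
    cat <<EOF
sysctl net.inet.ip.fw.one_pass=0
ipfw pipe 1 config bw ${UP_BW}
ipfw pipe 2 config bw ${DOWN_BW}
ipfw queue 1 config pipe 1 weight 10 mask src-ip 0x000000ff queue ${QSIZE}
ipfw queue 2 config pipe 2 weight 10 mask dst-ip 0x000000ff queue ${QSIZE}
ipfw add 100 queue 1 ip from ${LAN} to any out xmit ${EXT_IF}
ipfw add 200 divert ${NATD_PORT} ip from any to any via ${EXT_IF}
ipfw add 300 queue 2 ip from any to ${LAN} in recv ${EXT_IF}
EOF
}

# Self-check of the ordering constraint above: returns 0 when the outbound
# queue rule number is below the divert rule's and the inbound one is above it.
check_order() {
    fair_share_rules | awk '
        /^ipfw add/   { n = $3 + 0 }
        /queue 1 ip/  { q1 = n }
        /divert/      { d = n }
        /queue 2 ip/  { q2 = n }
        END { exit !(q1 < d && d < q2) }'
}
```

Run `fair_share_rules` first and read the output; only pipe it to sh as root on a kernel built with dummynet and the divert socket.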
From: Christian Hiris <4711@chello.at>
To: freebsd-questions@freebsd.org
Cc: ipfw@freebsd.org, Supote Leelasupphakorn
Date: Mon, 24 May 2004 22:58:52 +0200
Subject: Re: What's the "bridged" option in ipfw's man page ?

On Monday 24 May 2004 13:04, Supote Leelasupphakorn wrote:
> Hi... lists,
>
> I've read the "ipfw" man page, and in the "RULE OPTION"
> section there is a "bridged" option. I'm currently setting up a
> bridge-based firewall, so my question is: what are bridged
> packets, and how much advantage can I take from this option?
>
> TIA,
> pjn

The rule option "bridged" is used as an alias for "layer2" by the ipfw command.

Some interesting points are written in "PACKET FLOW" in man ipfw and "BUGS" in man bridge.

Examples of how the layer2 rule option could be used (I have not tested them; you can find some more on google):

${fwcmd} add pass layer2 mac-type arp      # allow arp
${fwcmd} add skipto 20000 layer2           # goto rules for bridged packets
${fwcmd} add [...]                         # rules for non-bridged packets
${fwcmd} add deny all from any to any      # end of rules for non-bridged packets
${fwcmd} add 20000 [...]                   # rules for bridged packets

regards
ch

From: "J.T. Davies"
Date: Mon, 24 May 2004 15:08:00 -0700
Subject: RE: ISP redundancy and with IPFW

Hi Simon,

From another IPFW newbie (myself), I solved it with the following:

The two router computers would use NATD to redirect the port traffic inside.

On the webserver (if you're fortunate enough to have FreeBSD on that, which I did), I also enabled IPFW and used two rules: the first would route traffic back to the .1 router if it came from that router. The second would be the same, but direct to .2. I think I used the forward action with IPFW. (Forward to .1 if the traffic came from .1, forward to .2 if the traffic came from .2.)

I don't have that configuration anymore to share, but it worked rather well. It may not have been the best solution (aside from installing another port), but it did work well!

J.T.

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Simon Chang
Sent: Monday, May 24, 2004 6:31 AM
To: freebsd-ipfw@freebsd.org
Subject: ISP redundancy and with IPFW