From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 28 11:03:18 2004
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 53A1C16A4CE for ; Mon, 28 Jun 2004 11:03:18 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4E29343D53 for ; Mon, 28 Jun 2004 11:03:18 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.11/8.12.11) with ESMTP id i5SB2YWn004261 for ; Mon, 28 Jun 2004 11:02:34 GMT (envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i5SB2X2F004255 for ipfw@freebsd.org; Mon, 28 Jun 2004 11:02:33 GMT (envelope-from owner-bugmaster@freebsd.org)
Date: Mon, 28 Jun 2004 11:02:33 GMT
Message-Id: <200406281102.i5SB2X2F004255@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Mon, 28 Jun 2004 11:03:18 -0000

Current FreeBSD problem reports

Critical problems

Serious problems

S  Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o  [2002/12/27]  kern/46557  ipfw   ipfw pipe show fails with lots of queues
o  [2003/04/22]  kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f  [2003/04/24]  kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o  [2004/03/03]  misc/63724  ipfw   IPFW2 Queues dont t work
o  [2004/03/14]  kern/64240  ipfw   IPFW tee terminates rule processing

5 problems total.

Non-critical problems

S  Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
a  [2001/04/13]  kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o  [2002/12/07]  kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o  [2002/12/10]  kern/46159  ipfw   ipfw dynamic rules lifetime feature
o  [2002/12/27]  kern/46564  ipfw   IPFilter and IPFW processing order is not
o  [2003/02/11]  kern/48172  ipfw   ipfw does not log size and flags
o  [2003/03/10]  kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o  [2003/03/12]  bin/49959   ipfw   ipfw tee port rule skips parsing next rul
o  [2003/04/09]  bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o  [2003/08/26]  kern/55984  ipfw   [patch] time based firewalling support fo
o  [2003/12/30]  kern/60719  ipfw   ipfw: Headerless fragments generate cryp
o  [2004/01/12]  kern/61259  ipfw   [patch] make "ipfw tee" work as intended
o  [2004/03/09]  kern/63961  ipfw   ipfw2 uid matching doesn't work correctly

12 problems total.


From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 28 12:08:09 2004
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9B01216A4CE for ; Mon, 28 Jun 2004 12:08:09 +0000 (GMT)
Received: from mail.hostthecoast.org (dsl-230-142.ipns.com [209.210.230.142]) by mx1.FreeBSD.org (Postfix) with SMTP id F0EF243D39 for ; Mon, 28 Jun 2004 12:08:08 +0000 (GMT) (envelope-from jtd@hostthecoast.org)
Received: (qmail 40121 invoked from network); 28 Jun 2004 12:09:20 -0000
Received: from dsl-230-144.ipns.com (HELO Jay) (209.210.230.144) by mail.hostthecoast.org with SMTP; 28 Jun 2004 12:09:20 -0000
From: "J.T. Davies"
Date: Mon, 28 Jun 2004 05:07:20 -0700
Message-ID: <000801c45d08$8629e2b0$90e6d2d1@Jay>
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.6626
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Importance: Normal
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.1
Subject: hardbound resources

There's a couple of book names floating around as suggested reading for designing firewalls and understanding the various states of packets (ack, syn, fin, rst)...but for the life of me, I can't remember the title of a specific one. :)

I believe it was an O'Reilly book, and it was generic (not specific for FreeBSD or other O/S)...

Can anyone throw some titles out that may jingle a bell in my mind so I can go buy it?

Thanks!!
J.T.


From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 28 21:30:31 2004
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6901216A4CE for ; Mon, 28 Jun 2004 21:30:31 +0000 (GMT)
Received: from gw.pelleg.org (gw.pelleg.org [205.201.13.235]) by mx1.FreeBSD.org (Postfix) with ESMTP id E2D1143D46 for ; Mon, 28 Jun 2004 21:30:30 +0000 (GMT) (envelope-from daniel+bsd@pelleg.org)
Received: from lank.here (lank.wburn [192.168.3.41]) by gw.pelleg.org (Postfix) with ESMTP id 4C1E55A53; Mon, 28 Jun 2004 17:30:04 -0400 (EDT)
Received: by lank.here (Postfix, from userid 7675) id EA16361D; Mon, 28 Jun 2004 17:29:58 -0400 (EDT)
To: "J.T. Davies"
References: <000801c45d08$8629e2b0$90e6d2d1@Jay>
From: Dan Pelleg
Date: Mon, 28 Jun 2004 17:29:58 -0400
In-Reply-To: <000801c45d08$8629e2b0$90e6d2d1@Jay> (J. T. Davies's message of "Mon, 28 Jun 2004 05:07:20 -0700")
User-Agent: Gnus/5.1002 (Gnus v5.10.2) XEmacs/21.1 (Cuyahoga Valley, berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: freebsd-ipfw@freebsd.org
Subject: Re: hardbound resources

"J.T. Davies" writes:

> There's a couple of book names floating around as suggested reading for
> designing firewalls and understanding the various states of packets (ack,
> syn, fin, rst)...but for the life of me, I can't remember the title of a
> specific one. :)
>
> I believe it was an O'Reilly book, and it was generic (not specific for
> FreeBSD or other O/S)...
>
> Can anyone throw some titles out that may jingle a bell in my mind so I can
> go buy it?
>
> Thanks!!
> J.T.

You're probably thinking of "Building Internet Firewalls". For full details check the comments at /etc/rc.firewall

--
Dan Pelleg


From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 29 09:41:05 2004
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ADC2416A4CE for ; Tue, 29 Jun 2004 09:41:05 +0000 (GMT)
Received: from melexc01.stateautomation.com (bytecr.lnk.telstra.net [139.130.142.9]) by mx1.FreeBSD.org (Postfix) with ESMTP id F06DA43D41 for ; Tue, 29 Jun 2004 09:41:04 +0000 (GMT) (envelope-from freebsd@stateautomation.com)
Received: by MELEXC01 with Internet Mail Service (5.5.2655.55) id ; Tue, 29 Jun 2004 19:45:41 +1000
From: freebsd@stateautomation.com
To: freebsd-ipfw@freebsd.org
Date: Tue, 29 Jun 2004 19:45:40 +1000
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2655.55)
Content-Type: text/plain
Subject: ipdivert rule will not load

ipfw will not accept a DIVERT rule. E.g. the rule I am trying to add is:

    ipfw add 3000 divert 8668 ip from any to any via sis0

The response I get is:

    ipfw: getsockopt(IP_FW_ADD): Invalid argument

I have built a custom kernel with the following optional lines:

    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT
    options IPDIVERT

Does anyone know why the system will not accept the divert rule?

Thank you.
J.S.
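Added example (not code from the thread or from FreeBSD): the check Thomas Wolf suggests further down, in reusable form. The kernel prints a banner at boot saying whether ipfw was built with divert support; this parser reads that banner and predicts whether a given rule can be loaded. The banner wording is assumed from the 4.x/5.x ipfw sources ("ipfw2 initialized, divert enabled, ..." for ipfw2, "IP packet filtering initialized, ..." for ipfw1), and the dmesg samples are constructed. The kernel's rule checker refuses a divert or tee action with EINVAL when IPDIVERT is not compiled in, which is the "Invalid argument" seen above; a correct kernel config file does not help if the kernel actually running is an older build.

```python
"""Predict whether the running kernel will accept an ipfw rule, from the ipfw
boot banner in dmesg.  Added example; banner wording assumed from the
FreeBSD 4.x/5.x ipfw sources, dmesg samples constructed."""
import re

BANNER_RE = re.compile(
    r"^(?:ipfw2 initialized|IP packet filtering initialized), "
    r"divert (?P<divert>enabled|disabled), "
    r"rule-based forwarding (?P<forward>enabled|disabled), "
    r"default to (?P<policy>accept|deny), logging (?P<logging>.+)$",
    re.MULTILINE,
)

# Rule actions that need a kernel option, mapped to the banner field they depend on.
ACTION_NEEDS = {"divert": "divert", "tee": "divert", "fwd": "forward", "forward": "forward"}

# Constructed dmesg samples: kernel built with IPDIVERT, without it, and without ipfw at all.
DMESG_WITH_DIVERT = """\
Copyright (c) 1992-2004 The FreeBSD Project.
ipfw2 initialized, divert enabled, rule-based forwarding enabled, default to deny, logging limited to 100 packets/entry by default
IPsec: Initialized Security Association Processing.
"""
DMESG_WITHOUT_DIVERT = DMESG_WITH_DIVERT.replace("divert enabled", "divert disabled")
DMESG_NO_IPFW = "Copyright (c) 1992-2004 The FreeBSD Project.\nIPsec: Initialized Security Association Processing.\n"

RULE = "ipfw add 3000 divert 8668 ip from any to any via sis0"   # the rule from the thread


def parse_ipfw_banner(dmesg):
    """Features the booted ipfw reports, as a dict, or None when no banner is present."""
    m = BANNER_RE.search(dmesg)
    if m is None:
        return None
    return {
        "divert": m.group("divert") == "enabled",
        "forward": m.group("forward") == "enabled",
        "default_policy": m.group("policy"),
        "logging": m.group("logging"),
    }


def rule_action(rule):
    """Pick the action keyword out of an 'ipfw add [number] action ...' command line."""
    toks = rule.split()
    for prefix in ("ipfw", "add"):
        if toks and toks[0] == prefix:
            toks.pop(0)
    if toks and toks[0].isdigit():        # optional rule number
        toks.pop(0)
    return toks[0] if toks else ""


def check_rule(rule, dmesg):
    """(accepted, reason): would IP_FW_ADD succeed for RULE on the kernel that printed DMESG?"""
    features = parse_ipfw_banner(dmesg)
    if features is None:
        return False, "no ipfw banner in dmesg: ipfw is not compiled into or loaded in the running kernel"
    action = rule_action(rule)
    needed = ACTION_NEEDS.get(action)
    if needed and not features[needed]:
        return False, "action '%s' needs '%s' support, but the running kernel reports it disabled (EINVAL)" % (action, needed)
    return True, "ok"


if __name__ == "__main__":
    # On a real box: check_rule(RULE, open("/var/run/dmesg.boot").read())
    for name, dmesg in (("with IPDIVERT", DMESG_WITH_DIVERT),
                        ("without IPDIVERT", DMESG_WITHOUT_DIVERT),
                        ("no ipfw", DMESG_NO_IPFW)):
        print("%-16s %s" % (name, check_rule(RULE, dmesg)))
```

Reading the banner from /var/run/dmesg.boot rather than from the live `dmesg` buffer avoids missing it on a box that has been up long enough for the buffer to wrap.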
From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 29 15:57:37 2004
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D693116A4CE for ; Tue, 29 Jun 2004 15:57:37 +0000 (GMT)
Received: from merlin.com.ua (Merlin.Com.UA [195.66.196.180]) by mx1.FreeBSD.org (Postfix) with ESMTP id 82CAF43D4C for ; Tue, 29 Jun 2004 15:57:37 +0000 (GMT) (envelope-from sid@merlin.com.ua)
Received: from H55_2.homeinet.loc (localhost [127.0.0.1]) by merlin.com.ua (Postmaster) with ESMTP id 16A8CB839 for ; Tue, 29 Jun 2004 18:57:33 +0300 (EEST)
Date: Tue, 29 Jun 2004 18:55:04 -0700
From: sid@merlin.com.ua
X-Mailer: The Bat! (v2.10.03) Business
X-Priority: 3 (Normal)
Message-ID: <841905563.20040629185504@merlin.com.ua>
To: freebsd-ipfw@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: ipfw add allow ip from @access_list1 to any in
Reply-To: sid@merlin.com.ua

Hi,

For my own purposes I have added some new features to ipfw2. Here are patches for 5.1. Luigi had a look at them some time ago, but now... if it looks interesting, get it and enjoy it, free.

This is not a release; I am still working on it, and I am waiting for 5.3 to make complete patches for 5.3. It would be a pleasure for me if this were included in a release...

Read first:
ftp://merlin.com.ua/pub/FreeBSD/5.1/ipfw_sid/readme
ftp://merlin.com.ua/pub/FreeBSD/5.1/ipfw_sid/*.tgz

Disclaimer: if you download it, please make backups of your original files, extract the patches in a new directory and look at them first. If you are not sure what you are doing, do not do anything, please.

Support for these features only if they are included in FreeBSD, and only via freebsd-hackers@freebsd.org.

It works like this:

    ipnt add @MY_NET 192.168.0.0/16
    ipnt add @MY_NET 195.66.199.0/24
    ipnt add @MY_NET 62.16.9.0/24
    ipfw add 350 pipe 350 ip from any to @MY_NET out

You can manipulate these lists without changing the firewall:

    ipnt del @MY_NET 0/0
    ipnt add @MY_NET 1.1.1.1

sid_at_merlin.com.ua


From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 29 19:26:20 2004
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 48C0016A4CF for ; Tue, 29 Jun 2004 19:26:20 +0000 (GMT)
Received: from mailhost.wsf.at (server202.serveroffice.com [217.196.72.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9A16D43D1F for ; Tue, 29 Jun 2004 19:26:18 +0000 (GMT) (envelope-from tw@wsf.at)
Received: from mailhost.wsf.at (root@localhost) i5TJNEuG046178 for ; Tue, 29 Jun 2004 21:23:14 +0200 (CEST) (envelope-from tw@wsf.at)
Received: from mailhost.wsf.at (http.wsf.at [217.196.72.203]) i5TJNCdn046170; Tue, 29 Jun 2004 21:23:13 +0200 (CEST) (envelope-from tw@wsf.at)
Date: Tue, 29 Jun 2004 19:23:12 -0000
To: freebsd@stateautomation.com, freebsd-ipfw@freebsd.org
From: Thomas Wolf
X-Mailer: twiggi 1.10.3
Message-ID: <20040629212312.fsp0rmyjzpk4g0@.mailhost.wsf.at>
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Re: ipdivert rule will not load
Reply-To: tw@wsf.at

freebsd@stateautomation.com wrote:

> ipfw will not accept a DIVERT rule. e.g the rule I am trying to add is..
> ipfw add 3000 divert 8668 ip from any to any via sis0
> The response I get is...
> ipfw: getsockopt(IP_FW_ADD): Invalid argument
> I have built a custom kernel with the following optional lines
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT
> options IPDIVERT
> Does anyone know why the system will not accept the divert rule? Thankyou.

The options seem to be correct, however the error message indicates the lack of 'divert' in the kernel. Are you sure you properly built and *installed* your custom kernel? Check the output of 'dmesg | grep divert'; you should see '... divert enabled...', otherwise something went wrong with your kernel build.

Thomas

--
Thomas Wolf
Wiener Software Fabrik Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4


From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 30 06:33:18 2004
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D307E16A4CE for ; Wed, 30 Jun 2004 06:33:18 +0000 (GMT)
Received: from out2.smtp.messagingengine.com (out2.smtp.messagingengine.com [66.111.4.26]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8347C43D55 for ; Wed, 30 Jun 2004 06:33:18 +0000 (GMT) (envelope-from freebsd@stateautomation.com)
X-Sasl-enc: keWzRSj2eT36D85zROJWWw 1088577166
Received: from stateautomation.com (CPE-203-45-47-137.vic.bigpond.net.au [203.45.47.137]) by mail.messagingengine.com (Postfix) with ESMTP id 74DAFC0E0FC for ; Wed, 30 Jun 2004 02:32:45 -0400 (EDT)
Message-ID: <40E25E2B.9040606@stateautomation.com>
Date: Wed, 30 Jun 2004 16:31:07 +1000
From: "JS (freebsd@stateautomation.com)"
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5a) Gecko/20030708 Thunderbird/0.1a
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-ipfw@freebsd.org
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: ipfw will not accept a DIVERT rule
Reply-To: freebsd@stateautomation.com

ipfw will not accept a DIVERT rule. E.g. the rule I am trying to add is:

    ipfw add 3000 divert 8668 ip from any to any via sis0

The response I get is:

    ipfw: getsockopt(IP_FW_ADD): Invalid argument

I have built a custom kernel with the following optional lines:

    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT
    options IPDIVERT

Does anyone know why the system will not accept the divert rule?

Thanks.
J.S.


From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 30 20:29:45 2004
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D659C16A4CE for ; Wed, 30 Jun 2004 20:29:45 +0000 (GMT)
Received: from smtp.well.com (smtp.well.com [206.14.209.7]) by mx1.FreeBSD.org (Postfix) with ESMTP id C50C443D4C for ; Wed, 30 Jun 2004 20:29:45 +0000 (GMT) (envelope-from howardjp@well.com)
Received: from well.com (well.com [206.14.209.5]) by smtp.well.com (8.12.11/8.12.11) with ESMTP id i5UKTblP011496 for ; Wed, 30 Jun 2004 13:29:37 -0700 (PDT)
Received: from localhost (howardjp@localhost) by well.com (8.12.11/8.12.11/Submit) with ESMTP id i5UKTat8023389 for ; Wed, 30 Jun 2004 13:29:36 -0700 (PDT)
Date: Wed, 30 Jun 2004 13:29:36 -0700 (PDT)
From: James Howard
To: freebsd-ipfw@freebsd.org
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Virus-Scanned: clamd / ClamAV version devel-20040628, clamav-milter version 0.73d on smtp
X-Virus-Status: Clean
Subject: Routing problem in IPv4/IPSec VPN environment

I sent the following to -questions yesterday and received no response, so I thought I'd try a more specific venue for this post.

As a personal favor, I am building a VPN for a small business. I have chosen FreeBSD for this due to my greater familiarity. The project will consist of linking four sites, each with a FreeBSD system providing DHCP, NAT, and VPN services. I have built DHCP and NAT servers before, but the IPSec and VPN is new to me.

Right now, the first two systems are nearly complete. The two machines are named goldengate and waltwhitman. Here's the IP config, currently:

    goldengate:   external 192.168.1.101   internal 10.1.1.1
    waltwhitman:  external 192.168.1.102   internal 10.1.2.1

The external interfaces are in the reserved space because testing is taking place behind a cable/DSL router providing NAT services. The output of "gifconfig -a; ifconfig -a; netstat -rn" for each will be provided at the end of this message.

IPSec, with Racoon, is properly exchanging keys. From goldengate, I can ping 10.1.2.1 and from waltwhitman I can ping 10.1.1.1. If a Windows computer is connected behind either system, they receive an IP (10.1.x.254, where x is the network number). The problem is, if behind the 10.1.2.1 firewall, I cannot ping 10.1.1.1 and vice-versa.

I assume, at this point, this is some type of routing issue and not a problem with IPSec. This seems to be confirmed by the fact that tracerouting to the local internal interface goes through the *other* internal interface first:

    waltwhitman$ ifconfig bge1; traceroute 10.1.2.1
    bge1: flags=8843 mtu 1500
            options=3
            inet 10.1.2.1 netmask 0xffffff00 broadcast 10.1.2.255
            inet6 fe80::209:5bff:fe60:e508%bge1 prefixlen 64 scopeid 0x2
            ether 00:09:5b:60:e5:08
            media: Ethernet autoselect (10baseT/UTP )
            status: active
    traceroute to 10.1.2.1 (10.1.2.1), 64 hops max, 44 byte packets
     1  10.1.1.1 (10.1.1.1)  0.848 ms  0.736 ms  0.783 ms
     2  10.1.2.1 (10.1.2.1)  1.173 ms  1.262 ms  1.247 ms

The other machine behaves identically, except the numbers are reversed.

At this point, I have reached the limits of my knowledge. Any help would be appreciated.

Thank you,
James

Notes on the output: IPv6 info removed from netstat output. There is a third interface in WALTWHITMAN which may break off to a DMZ in the future. No decision has been made and won't be for some time. The interface was given the IP 172.16.1.1.

GOLDENGATE:

    goldengate$ gifconfig -a; ifconfig -a; netstat -rn
    gif0: flags=8051 mtu 1280
            inet 10.1.1.1 --> 10.1.2.1 netmask 0xffffffff
            inet6 fe80::209:5bff:fe62:714e%gif0 prefixlen 64
            physical address inet 192.168.1.101 --> 192.168.1.102
    bge0: flags=8843 mtu 1500
            options=3
            inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
            inet6 fe80::209:5bff:fe62:714e%bge0 prefixl
            ether 00:09:5b:62:71:4e
            media: Ethernet autoselect (100baseTX )
            status: active
    xl0: flags=8843 mtu 1500
            options=1
            inet6 fe80::2b0:d0ff:fe23:5b8d%xl0 prefixlen 64 scopeid 0x2
            inet 192.168.1.101 netmask 0xffffff00 broadcast 192.168.1.255
            ether 00:b0:d0:23:5b:8d
            media: Ethernet autoselect (100baseTX )
            status: active
    lp0: flags=8810 mtu 1500
    lo0: flags=8049 mtu 16384
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
            inet 127.0.0.1 netmask 0xff000000
    faith0: flags=8002 mtu 1500
    gif0: flags=8051 mtu 1280
            tunnel inet 192.168.1.101 --> 192.168.1.102
            inet 10.1.1.1 --> 10.1.2.1 netmask 0xffffffff
            inet6 fe80::209:5bff:fe62:714e%gif0 prefixlen 64 scopeid 0x6

    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            192.168.1.1        UGSc        3     6082    xl0
    10.1.1/24          link#1             UC          2        0   bge0
    10.1.1.1           00:09:5b:62:71:4e  UHLW        0      306    lo0
    10.1.1.254         link#1             UHLW        2    14933   bge0
    10.1.2/24          10.1.2.0           UGSc        0    15578    xl0
    10.1.2.1           10.1.1.1           UH          0     2060   gif0
    127.0.0.1          127.0.0.1          UH          1       48    lo0
    192.168.1          link#2             UC          3        0    xl0
    192.168.1.1        00:0c:41:7f:8a:6e  UHLW        4        2    xl0   1042
    192.168.1.100      00:30:65:2e:ae:f7  UHLW        0        0    xl0   1100
    192.168.1.101      127.0.0.1          UGHS        0        0    lo0
    192.168.1.102      00:b0:d0:a1:81:09  UHLW        3    13842    xl0   1054

WALTWHITMAN:

    waltwhitman$ gifconfig -a; ifconfig -a; netstat -rn
    gif0: flags=8051 mtu 1280
            inet 10.1.2.1 --> 10.1.1.1 netmask 0xffffffff
            inet6 fe80::209:5bff:fe62:1ab2%gif0 prefixlen 64
            physical address inet 192.168.1.102 --> 192.168.1.101
    bge0: flags=8843 mtu 1500
            options=3
            inet 172.16.1.1 netmask 0xffffff00 broadcast 172.16.1.255
            inet6 fe80::209:5bff:fe62:1ab2%bge0 prefixlen 64 scopeid 0x1
            ether 00:09:5b:62:1a:b2
            media: Ethernet autoselect (none)
            status: no carrier
    bge1: flags=8843 mtu 1500
            options=3
            inet 10.1.2.1 netmask 0xffffff00 broadcast 10.1.2.255
            inet6 fe80::209:5bff:fe60:e508%bge1 prefixlen 64 scopeid 0x2
            ether 00:09:5b:60:e5:08
            media: Ethernet autoselect (10baseT/UTP )
            status: active
    xl0: flags=8843 mtu 1500
            options=1
            inet6 fe80::2b0:d0ff:fea1:8109%xl0 prefixlen 64 scopeid 0x3
            inet 192.168.1.102 netmask 0xffffff00 broadcast 192.168.1.255
            ether 00:b0:d0:a1:81:09
            media: Ethernet autoselect (100baseTX )
            status: active
    lp0: flags=8810 mtu 1500
    lo0: flags=8049 mtu 16384
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
            inet 127.0.0.1 netmask 0xff000000
    faith0: flags=8002 mtu 1500
    gif0: flags=8051 mtu 1280
            tunnel inet 192.168.1.102 --> 192.168.1.101
            inet 10.1.2.1 --> 10.1.1.1 netmask 0xffffffff
            inet6 fe80::209:5bff:fe62:1ab2%gif0 prefixlen 64 scopeid 0x7

    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            192.168.1.1        UGSc        1     1416    xl0
    10.1.1/24          10.1.1.1           UGSc        0     9633   gif0
    10.1.1.1           10.1.2.1           UH          1     1986   gif0
    10.1.2/24          link#2             UC          2        0   bge1
    10.1.2.1           00:09:5b:60:e5:08  UHLW        0       14    lo0
    10.1.2.254         link#2             UHLW        2      883   bge1
    127.0.0.1          127.0.0.1          UH          1       48    lo0
    172.16.1/24        link#1             UC          0        0   bge0
    192.168.1          link#3             UC          2        0    xl0
    192.168.1.1        00:0c:41:7f:8a:6e  UHLW        3        2    xl0    192
    192.168.1.101      00:b0:d0:23:5b:8d  UHLW        5    12307    xl0    204
    192.168.1.102      127.0.0.1          UGHS        0        0    lo0

--
James P. Howard, II -- howardjp@vocito.com
http://www.jameshoward.us/ -- 202-390-4933


From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 1 01:15:20 2004
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7AE3D16A4CE for ; Thu, 1 Jul 2004 01:15:20 +0000 (GMT)
Received: from speedbuggy.telerama.com (speedbuggy.telerama.com [205.201.1.216]) by mx1.FreeBSD.org (Postfix) with SMTP id D71AB43D48 for ; Thu, 1 Jul 2004 01:15:19 +0000 (GMT) (envelope-from m@telerama.com)
Received: (qmail 99932 invoked from network); 1 Jul 2004 01:14:51 -0000
Received: from unknown (HELO ?205.201.9.222?) (205.201.9.222) by speedbuggy.telerama.com with SMTP; 1 Jul 2004 01:14:51 -0000
User-Agent: Microsoft-Entourage/10.1.4.030702.0
Date: Wed, 30 Jun 2004 21:14:46 -0400
From: m
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Subject: IPFW doing some wierd stuff.

I posted this to the FreeBSD general list and got no response.

I'm using FreeBSD 5.2.1 with IPFW2 as a firewall/router on a network. I'm seeing some very strange things in the dynamic ruleset. The last 4 entries in the list are the issues.
You can see that none of the informatin in the last 4 dynamic rules makes any sense -- not the #/packets or bytes, the rule #, or even the protocol. The IP addresses referred to are not local to any part of the network, and some aren't even listed in the appropriate WHOIS database. I'm totally lost on this. Any help would be appreciated, including suggestions as to how to generate better log information. Nothing shows in my logs, either. Interestingly, these last (wierd) rules appear & disappear at random intervals, with different information each time -- different rule numebrs (but non-existent in my ruleset), different Ips, and different protocols. host-64-179-35-23# ipfw -de show 00050 35654 14976392 divert 8668 ip from any to any via xl0 00100 2988 2071714 allow ip from 127.0.0.0/8 to 127.0.0.0/8 00200 0 0 deny ip from 127.0.0.0/8 to any 00300 0 0 deny ip from any to 127.0.0.0/8 00310 0 0 allow ip from 224.0.0.1 to any 00311 110 3960 allow ip from any to 224.0.0.1 00350 0 0 deny log argus from any to any 00351 0 0 deny log scps from any to any 00352 0 0 deny log igmp from any to any 00354 0 0 deny log netblt from any to any 00355 0 0 deny ip from 0.0.0.0 to any 00356 0 0 deny ip from any to 0.0.0.0 00357 0 0 deny ipv6-nonxt from any to any 00359 0 0 deny log trunk-2 from any to any 00360 99 6224 deny log icmp from any to any 00400 891 111330 allow ip from 205.201.9.0/24 to me setup keep-state 00410 0 0 allow ip from 151.201.141.231 to me setup keep-state 00420 0 0 deny ip from any to me dst-port 22 00450 1272 539440 allow ip from any to me dst-port 25 setup keep-state 00451 151 12032 allow ip from me to any dst-port 21 setup keep-state 00452 0 0 allow ip from me to any dst-port 20 setup keep-state 00453 11513 1798157 allow ip from me to any dst-port 80 setup keep-state 00454 11 1457 allow ip from me to any dst-port 443 setup keep-state 00455 0 0 allow ip from any 20 to me setup keep-state 00457 0 0 allow ip from me to any dst-port 22 setup keep-state 00458 0 0 
allow ip from any 25 to me setup keep-state 00459 0 0 allow ip from any to me dst-port 80 setup keep-state 00498 2373 267409 allow ip from any to me 00499 6267 1635428 allow ip from me to any 00520 0 0 allow ip from 224.0.0.1 to any 00530 0 0 allow ip from any to 224.0.0.1 00800 11 739 allow udp from any to 207.69.188.200 dst-port 53 00810 22 10768 allow udp from 207.69.188.200 53 to any 00820 250 15731 allow udp from any to 64.65.223.6 dst-port 53 00830 498 141930 allow udp from 64.65.223.6 53 to any 00840 94 6784 allow udp from any to any dst-port 53 00841 122 36608 allow udp from any 53 to any 00850 0 0 allow ip from 255.255.255.255 to any 00860 232 70064 allow ip from any to 255.255.255.255 00998 82 18216 allow ip from 192.168.1.0/24 to 192.168.1.0/24 not via xl0 00999 0 0 check-state 01000 0 0 allow ip from any to 192.168.1.5 dst-port 25 setup keep-state 01010 1115 517038 allow ip from any to 192.168.1.5 dst-port 80 setup keep-state 01020 0 0 allow ip from any to 192.168.1.5 dst-port 2500 setup keep-state 01100 332 49019 allow ip from 192.168.1.5 to any dst-port 25 setup keep-state 01110 1177 978983 allow ip from 192.168.1.5 to any dst-port 80 setup keep-state 01115 0 0 allow ip from 192.168.1.5 to any dst-port 443 setup keep-state 01120 0 0 allow ip from 192.168.1.5 to any dst-port 21 setup keep-state 01125 0 0 allow ip from 192.168.1.5 to any dst-port 20 setup keep-state 01130 0 0 allow ip from 192.168.1.5 20 to any setup keep-state 01998 83 3704 deny log ip from 192.168.1.5 to any 01999 36 1440 deny log ip from any to 192.168.1.5 02010 0 0 allow ip from 192.168.1.0/24 to any dst-port 20 setup keep-state 02020 40906 23355938 allow ip from 192.168.1.0/24 to any dst-port 80 setup keep-state 02030 39 20505 allow ip from 192.168.1.0/24 to any dst-port 443 setup keep-state 02040 0 0 allow ip from 192.168.1.0/24 to any dst-port 21 setup keep-state 02050 0 0 allow ip from 192.168.1.0/24 20 to any setup keep-state 65000 1968 176664 deny log ip from any to any 65535 
0 0 deny ip from any to any ## Dynamic rules (105): 02020 10 2859 (0s) STATE tcp 192.168.1.22 2943 <-> 65.54.194.59 80 01010 260 145073 (0s) STATE tcp 67.165.52.118 61735 <-> 192.168.1.5 80 01010 62 25228 (0s) STATE tcp 67.165.52.118 61734 <-> 192.168.1.5 80 00450 23 1680 (0s) STATE tcp 66.118.177.230 31470 <-> 64.179.35.23 25 01010 167 84950 (0s) STATE tcp 67.165.52.118 61739 <-> 192.168.1.5 80 01010 16 2474 (0s) STATE tcp 67.165.52.118 61737 <-> 192.168.1.5 80 00453 18 8792 (0s) STATE tcp 64.179.35.23 1369 <-> 63.111.24.21 80 01010 9 1148 (0s) STATE tcp 67.165.52.118 61743 <-> 192.168.1.5 80 02020 116 56383 (0s) STATE tcp 192.168.1.101 1388 <-> 64.65.208.72 80 02020 10 2210 (0s) STATE tcp 192.168.1.101 1382 <-> 64.65.208.71 80 02020 23 12664 (0s) STATE tcp 192.168.1.101 1384 <-> 64.65.208.72 80 02020 66 26546 (0s) STATE tcp 192.168.1.101 1386 <-> 64.65.208.72 80 00453 5 558 (0s) STATE tcp 64.179.35.23 1352 <-> 56.0.134.22 80 02020 30 10124 (0s) STATE tcp 192.168.1.101 1383 <-> 64.65.208.72 80 02020 19 10674 (0s) STATE tcp 192.168.1.101 1378 <-> 216.39.69.76 80 02020 87 83654 (0s) STATE tcp 192.168.1.22 2971 <-> 207.68.173.254 80 02020 33 16730 (0s) STATE tcp 192.168.1.22 2859 <-> 207.91.5.68 80 00453 4 597 (0s) STATE tcp 64.179.35.23 1376 <-> 216.73.86.13 80 02020 47 24913 (0s) STATE tcp 192.168.1.22 2857 <-> 207.91.5.68 80 00453 11 698 (0s) STATE tcp 64.179.35.23 2856 <-> 207.91.5.68 80 02020 10 2000 (0s) STATE tcp 192.168.1.22 2560 <-> 65.205.8.106 80 00453 5 1273 (0s) STATE tcp 64.179.35.23 1395 <-> 216.52.17.116 80 00453 6 1143 (0s) STATE tcp 64.179.35.23 1392 <-> 216.52.17.116 80 02020 8 1136 (0s) STATE tcp 192.168.1.22 2830 <-> 216.27.102.15 80 00453 5 968 (0s) STATE tcp 64.179.35.23 1372 <-> 206.65.183.80 80 02020 12 5126 (0s) STATE tcp 192.168.1.101 1313 <-> 64.65.208.71 80 00450 8 388 (0s) STATE tcp 208.17.205.133 1246 <-> 64.179.35.23 25 00400 890 111270 (300s) STATE tcp 205.201.9.222 56200 <-> 64.179.35.23 22 02020 12 1253 (0s) STATE tcp 192.168.1.101 
--
Mark J.
Nernberg
Downtown Help Desk IT Specialist
(412)478-6262

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 1 04:36:32 2004
Date: Thu, 1 Jul 2004 00:36:28 -0400
From: James
To: sid@merlin.com.ua
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw add allow ip from @access_list1 to any in
Message-ID: <20040701043628.GA96007@scylla.towardex.com>
In-Reply-To: <841905563.20040629185504@merlin.com.ua>

Hi Sid,

I haven't really had a chance to look at your actual code, but I do want to let you know that there is a recent table patch done by Ruslan Ermilov for IPFW2. The tables patch so far works well (I've been using it on a couple of production boxes running 4.9-STABLE), and it checks the packets against the list with a patricia trie lookup, which is significantly faster than a linear search for a firewall.
I am not sure how your @accesslist element is checked, but if it is searched in linear order, it's probably not going to be any different from matching using { a or b or c } braces in terms of performance/efficiency.

-J

On Tue, Jun 29, 2004 at 06:55:04PM -0700, sid@merlin.com.ua wrote:
> Hi,
> for my own purposes I have added some new features to ipfw2.
> Here are patches for 5.1.
> Luigi had a look at them some time ago, but now..
> if it looks interesting, get it and enjoy it for free.
> This is not a release, I am still working on it,
> and I am waiting for 5.3 to make complete patches for 5.3.
> It would be a pleasure for me if this were included in a release...
>
> read first:
> ftp://merlin.com.ua/pub/FreeBSD/5.1/ipfw_sid/readme
>
> ftp://merlin.com.ua/pub/FreeBSD/5.1/ipfw_sid/*.tgz
>
> disclaimer:
> whoever downloads it, please make backups of your original files,
> extract the patches in a new directory and look at them first.
> If you are not sure what you are doing, please do not do anything.
> Support for these features only if they are included in FreeBSD,
> and only via freebsd-hackers@freebsd.org
>
> It works like this:
>
> ipnt add @MY_NET 192.168.0.0/16
> ipnt add @MY_NET 195.66.199.0/24
> ipnt add @MY_NET 62.16.9.0/24
>
> ipfw add 350 pipe 350 ip from any to @MY_NET out
>
> you can manipulate these lists without changing the firewall:
>
> ipnt del @MY_NET 0/0
> ipnt add @MY_NET 1.1.1.1
>
> sid_at_merlin.com.ua

--
James Jun
TowardEX Technologies, Inc.
Technical Lead
Network Design, Consulting, IT Outsourcing
james@towardex.com
Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867
web: http://www.towardex.com , noc: www.twdx.net

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 1 08:24:05 2004
Date: Thu, 1 Jul 2004 11:22:50 +0300
From: Ruslan Ermilov
To: James
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw add allow ip from @access_list1 to any in
Message-ID: <20040701082250.GA42696@ip.net.ua>
In-Reply-To: <20040701043628.GA96007@scylla.towardex.com>
On Thu, Jul 01, 2004 at 12:36:28AM -0400, James wrote:
[...]
> I am not sure how your @accesslist element is checked, but if it is searched in
> a linear order, it's probably not going to be any different than matching using
> { a or b or c } braces, in terms of performance/efficiency.
>
It actually uses two linear searches, first to find a block by ID, and then a matching row in this block.

Cheers,
--
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 1 08:53:20 2004
Date: Thu, 1 Jul 2004 18:58:33 +1000
From: administrator@stateautomation.com
To: freebsd-ipfw@freebsd.org
Subject: RE: ipdivert rule will not load

> -----Original Message-----
> From: Thomas Wolf [SMTP:tw@wsf.at]
> Sent: Wednesday, 30 June 2004 5:23 AM
> To: freebsd@stateautomation.com; freebsd-ipfw@freebsd.org
> Subject: Re: ipdivert rule will not load
>
> freebsd@stateautomation.com wrote:
>
> > ipfw will not accept a DIVERT rule. e.g the rule I am trying to add is..
> > ipfw add 3000 divert 8668 ip from any to any via sis0
> > The response I get is... ipfw: getsockopt(IP_FW_ADD): Invalid argument
> > I have built a custom kernel with the following optional lines
> > options IPFIREWALL
> > options IPFIREWALL_VERBOSE
> > options IPFIREWALL_VERBOSE_LIMIT
> > options IPDIVERT
> > Does anyone know why the system will not accept the divert rule?
> > Thankyou.
>
> The options seem to be correct, however the error message indicates
> the lack of 'divert' in the kernel. Are you sure you properly
> built and *installed* your custom kernel? Check the output of
> 'dmesg | grep divert', you should see '... divert enabled...',
> otherwise something went wrong with your kernel build.
>
> Thomas

Thomas, you are right - thank you. The output of "dmesg | grep divert" shows that divert is disabled. kldstat also shows that the loadable module ipfw.ko is loaded, which suggests that that may be stopping ipfw being loaded in the main kernel (and therefore divert sockets not being available - I read this in a post in the archives).

Does anyone know where to look to see where the loadable module ipfw.ko may be getting loaded? Is there a way I can grep for the pattern ipfw.ko from the / directory so that it will look for a match on my entire file system? When I use

grep -r -i ipfw.ko /* | more

(to search my entire filesystem from the / directory) I get the response "grep: memory exhausted" (I have 256MB RAM).

Thanks for any responses.

Regards,
J.S.
From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 1 10:08:09 2004
Date: Thu, 1 Jul 2004 20:13:27 +1000
From: freebsd@stateautomation.com
To: freebsd-ipfw@freebsd.org
Subject: RE: ipdivert rule will not load

> freebsd@stateautomation.com wrote:
>
> > ipfw will not accept a DIVERT rule. e.g the rule I am trying to add is..
> > ipfw add 3000 divert 8668 ip from any to any via sis0
> > The response I get is... ipfw: getsockopt(IP_FW_ADD): Invalid argument
> > I have built a custom kernel with the following optional lines
> > options IPFIREWALL
> > options IPFIREWALL_VERBOSE
> > options IPFIREWALL_VERBOSE_LIMIT
> > options IPDIVERT
> > Does anyone know why the system will not accept the divert rule?
> > Thankyou.
> > J.S.
>
> The options seem to be correct, however the error message indicates
> the lack of 'divert' in the kernel. Are you sure you properly
> built and *installed* your custom kernel? Check the output of
> 'dmesg | grep divert', you should see '... divert enabled...',
> otherwise something went wrong with your kernel build.
>
> Thomas

Thomas, you are right - thank you. The output of "dmesg | grep divert" shows that divert is disabled. kldstat also shows that the loadable module ipfw.ko is loaded, which suggests that that may be stopping ipfw being loaded in the main kernel (and therefore divert sockets not being available - I read this in a post in the archives).

Does anyone know where to look to see where the loadable module ipfw.ko may be getting loaded? Is there a way I can grep for the pattern ipfw.ko from the / directory so that it will look for a match on my entire file system? When I use

grep -r -i ipfw.ko /* | more

(to search my entire filesystem from the / directory) I get the response "grep: memory exhausted" (I have 256MB RAM).

Thanks for any responses.

Regards,
J.S.

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 1 12:05:30 2004
Date: Thu, 1 Jul 2004 15:02:26 -0700
From: sid@merlin.com.ua
To: freebsd-ipfw@freebsd.org
Subject: ipfw fwd
Message-ID: <1557380813.20040701150226@merlin.com.ua>

Hello freebsd-ipfw,

does anyone think that fwd is a side feature, and that we are using fwd because we do not have enough route options? Why can't we write

route add NETS1 for USERS1 gw 1.1.1.1
route add NETS2 for USERS1 gw 1.1.1.2

or route add from *** to ** gw ***
or route add from any to NETS fwd *** ?

If that were done, what reason would there still be to use fwd? (except, of course, tcp-fwd to a proxy and so on)

I have 3 ISP connections and a couple of users. A user can select the provider by himself. It is done with ipfw fwd, but IMHO that is not completely ipfw's task 8-\

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 1 12:10:06 2004
Date: Thu, 01 Jul 2004 14:08:27 +0200
From: Ian FREISLICH
To: freebsd@stateautomation.com
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipdivert rule will not load

> > > freebsd@stateautomation.com wrote:
> > >
> > > > ipfw will not accept a DIVERT rule. e.g the rule I am trying to add is..
> > > > ipfw add 3000 divert 8668 ip from any to any via sis0
> > > > The response I get is... ipfw: getsockopt(IP_FW_ADD): Invalid argument
> > > > I have built a custom kernel with the following optional lines
> > > > options IPFIREWALL
> > > > options IPFIREWALL_VERBOSE
> > > > options IPFIREWALL_VERBOSE_LIMIT
> > > > options IPDIVERT
> > > > Does anyone know why the system will not accept the divert rule?
> > > > Thankyou.
> > > > J.S.
> > >
> > > The options seem to be correct, however the error message indicates
> > > the lack of 'divert' in the kernel. Are you sure you properly
> > > built and *installed* your custom kernel? Check the output of
> > > 'dmesg | grep divert', you should see '... divert enabled...',
> > > otherwise something went wrong with your kernel build.
> > >
> > > Thomas
> >
> Thomas, you are right - thankyou. The output of "dmesg | grep
> divert" shows that divert is disabled.
> kldstat also shows that the loadable module ipfw.ko is loaded which
> suggests that that may
> be stopping ipfw being loaded in the main kernel (and therefore
> divert sockets not being available -
> I read this in a post in the archives).

No, that would be the other way around. If the firewall is built into the kernel, the module won't load. If you see the module using kldstat, then you're not running the kernel that you think you are. Are you *sure* that you correctly built, and *installed* your custom kernel? 'Install' includes a reboot because that's currently the only way I know of to load the new kernel. I'm not sure if you're running FreeBSD-4.x or FreeBSD-5.x.
So, make sure that /kernel (for FreeBSD-4.x) or /boot/kernel (for FreeBSD-5.x) has roughly the same modification time as when you built and installed the kernel.

Ian

--
Ian Freislich

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 1 16:56:30 2004
Date: Thu, 01 Jul 2004 12:55:19 -0400
From: Chuck Swiger
Organization: The Courts of Chaos
To: sid@merlin.com.ua
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw fwd
Message-ID: <40E441F7.8060909@mac.com>
In-Reply-To: <1557380813.20040701150226@merlin.com.ua>

sid@merlin.com.ua wrote:
> does anyone think, what fwd is side feature,
> and we are using fwd because we do not have
> enough route options ?

That's perhaps a reasonable option.
:-)

> why can't we write
> route add NETS1 for USERS1 gw 1.1.1.1
> route add NETS2 for USERS1 gw 1.1.1.2
> or route add from *** to ** gw ***
> or route add from any to NETS fwd ***
> ?
> if it will be done, what yet reason to use fwd ?

The normal IP routing table only makes decisions based upon the destination IP address. The IPFW fwd command can make decisions based on many other criteria, such as the sender IP address, port # or protocol, etc.

However, there are also some ports that will handle other routing mechanisms beyond RIPv2, such as OSPF and BGP/EGP: quagga, zebra, etc....

--
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 1 16:58:02 2004
Date: Thu, 01 Jul 2004 12:56:52 -0400
From: Chuck Swiger
Organization: The Courts of Chaos
To: sid@merlin.com.ua
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw fwd
Message-ID: <40E44254.10400@mac.com>
In-Reply-To: <1557380813.20040701150226@merlin.com.ua>

[ ...possible resend, mac.com timed out on me the first time... ]

sid@merlin.com.ua wrote:
> does anyone think, what fwd is side feature,
> and we are using fwd because we do not have
> enough route options ?

That's perhaps a reasonable opinion. :-)

> why can't we write
> route add NETS1 for USERS1 gw 1.1.1.1
> route add NETS2 for USERS1 gw 1.1.1.2
> or route add from *** to ** gw ***
> or route add from any to NETS fwd ***
> ?
> if it will be done, what yet reason to use fwd ?

The normal IP routing table only makes decisions based upon the destination IP address. The IPFW fwd command can make decisions based on many other criteria, such as the sender IP address, port # or protocol, etc.

However, there are also some ports that will handle other routing mechanisms beyond RIPv2, such as OSPF and BGP/EGP: quagga, zebra, etc....

--
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 1 17:56:42 2004
Date: Thu, 1 Jul 2004 20:52:44 -0700
From: sid@merlin.com.ua
To: freebsd-ipfw@freebsd.org
Subject: Re[2]: ipfw fwd
Message-ID: <18676152.20040701205244@merlin.com.ua>
In-Reply-To: <40E44254.10400@mac.com>

Hello Chuck,

Thursday, July 1, 2004, 9:56:52 AM, you wrote:

CS> The normal IP routing table only makes decisions based upon the destination IP
CS> address. The IPFW fwd command can make decisions based on many other
CS> criteria, such as the sender IP address, port # or protocol, etc.

CS> However, there are also some ports that will handle other routing mechanisms beyond
CS> RIPv2, such as OSPF and BGP/EGP: quagga, zebra, etc....

IMHO zebra and so on manipulate the standard routing table inside the kernel, and the situation is that the kernel routing table cannot be used for from-to routing, only by destination. And, very important, zebra (dynamic routing, OSPF) and ipfw fwd are not friends! I cannot use zebra and fwd together. BGP is a protocol for routing between ASes, not inside an AS. IMHO IMHO..
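As an added example (not code from the thread, from sid's patches or from the IPFW2 tables patch), the following Python sketches both points argued above: why a patricia-style table lookup costs the same however long the list is, where a { a or b or c } match or a block-then-row scan grows with the entry count, and why a destination-keyed routing table cannot express "route add NETS1 for USERS1 gw ..." while a fwd rule evaluated ahead of it can. IPTable, linear_lookup, choose_next_hop and the ISP names are this example's own; the @MY_NET prefixes are the ones from sid's ipnt example, and the user networks and routes are constructed.

```python
import ipaddress

class IPTable:
    """Binary radix trie over IPv4 prefixes, one level per address bit.
    A lookup walks at most 32 levels however many entries the table holds."""

    def __init__(self):
        self.root = {}  # node: {0: child, 1: child, "v": value if a prefix ends here}

    def _walk(self, cidr, create):
        net = ipaddress.ip_network(cidr, strict=False)
        bits = int(net.network_address)
        node = self.root
        for i in range(net.prefixlen):
            bit = (bits >> (31 - i)) & 1
            node = node.setdefault(bit, {}) if create else node.get(bit)
            if node is None:
                return None
        return node

    def add(self, cidr, value=True):
        """Insert a prefix (the ipnt add @LIST counterpart)."""
        self._walk(cidr, create=True)["v"] = value

    def delete(self, cidr):
        """Remove exactly this prefix (the ipnt del @LIST counterpart)."""
        node = self._walk(cidr, create=False)
        return node is not None and node.pop("v", None) is not None

    def lookup(self, addr):
        """Longest-prefix match: follow the address bits, keep the deepest value."""
        a = int(ipaddress.ip_address(addr))
        node = self.root
        best = node.get("v")
        for i in range(32):
            node = node.get((a >> (31 - i)) & 1)
            if node is None:
                break
            best = node.get("v", best)
        return best

def linear_lookup(entries, addr):
    """Reference: test every (cidr, value) pair; the most specific prefix wins."""
    a = ipaddress.ip_address(addr)
    best, best_len = None, -1
    for cidr, value in entries:
        net = ipaddress.ip_network(cidr, strict=False)
        if a in net and net.prefixlen > best_len:
            best, best_len = value, net.prefixlen
    return best

# Constructed address list: the prefixes from sid's "ipnt add @MY_NET" example.
MY_NET_ENTRIES = [("192.168.0.0/16", True),
                  ("195.66.199.0/24", True),
                  ("62.16.9.0/24", True)]
my_net = IPTable()
for cidr, value in MY_NET_ENTRIES:
    my_net.add(cidr, value)

# Constructed destination-only routing table: a default route plus one directly
# attached network. "isp1" stands in for the default gateway.
routes = IPTable()
routes.add("0.0.0.0/0", "isp1")
routes.add("195.66.199.0/24", "direct")

# Constructed fwd-style policy. The routing table has no column for the source,
# so this is the layer that "route add NETS1 for USERS1 gw ..." would need.
users_isp2 = IPTable()
users_isp2.add("192.168.1.0/24", True)
users_isp3 = IPTable()
users_isp3.add("192.168.2.0/24", True)
FWD_RULES = [(users_isp2, "isp2"), (users_isp3, "isp3")]

def choose_next_hop(src, dst, fwd_rules=FWD_RULES, routes=routes):
    """Next hop as an ipfw fwd rule evaluated ahead of the routing table gives it.
    Directly attached destinations are left to the routing table so a fwd rule
    never bounces LAN-to-LAN traffic out through an ISP; everything else is
    matched on the source first and only then falls back to destination routing."""
    dest_route = routes.lookup(dst)
    if dest_route == "direct":
        return dest_route
    for table, hop in fwd_rules:
        if table.lookup(src):
            return hop
    return dest_route

if __name__ == "__main__":
    for host in ("192.168.5.7", "62.16.10.1", "195.66.199.3"):
        print(host, "in @MY_NET:", bool(my_net.lookup(host)),
              "(linear agrees:", my_net.lookup(host) == linear_lookup(MY_NET_ENTRIES, host), ")")
    for src in ("192.168.1.22", "192.168.2.5", "10.0.0.9"):
        print(src, "-> 216.39.69.76 via", choose_next_hop(src, "216.39.69.76"))
```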
From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 1 19:46:34 2004
Date: Thu, 1 Jul 2004 21:52:41 +0200
From: Pawel Malachowski
To: freebsd-ipfw@freebsd.org
Subject: Re: ipfw fwd
Message-ID: <20040701195241.GA95231@shellma.zin.lublin.pl>
In-Reply-To: <18676152.20040701205244@merlin.com.ua>

On Thu, Jul 01, 2004 at 08:52:44PM -0700, sid@merlin.com.ua wrote:

Hello,

> IMHO zebra and so on manipulate standard routing table inside kernel.
> and situation that kernel routing table cannot use from From-to
> routing, only destination. and, very important that zebra (dynamic
> routing, OSPF) and ipfw_fwd not a friend! I cannot use in friendship zebra
> and fwd.

Please search the -net archives for policy routing and Andre Oppermann's message about planned changes in the networking stack in CURRENT.
--
Paweł Małachowski

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 1 19:58:06 2004
Date: Thu, 01 Jul 2004 16:03:41 -0400
From: Matt Juszczak
To: James
cc: sid@merlin.com.ua
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw add allow ip from @access_list1 to any in
Message-ID: <40E46E1D.6070109@atopia.net>
In-Reply-To: <20040701043628.GA96007@scylla.towardex.com>

Is there a howto on access lists in ipfw? I'm heading into the same kind of setup... gonna have to have a list of MAC addresses allowed past the firewall.