From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 19 11:02:13 2004
Date: Mon, 19 Jul 2004 11:02:12 GMT
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you
List-Id: IPFW Technical Discussions

Current FreeBSD problem reports

Critical problems

Serious problems

S  Submitted   Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw   ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o [2004/03/03] kern/63724  ipfw   IPFW2 Queues dont t work
o [2004/03/14] kern/64240  ipfw   IPFW tee terminates rule processing

5 problems total.

Non-critical problems

S  Submitted   Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw   IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959   ipfw   ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw   [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw   ipfw: Headerless fragments generate cryp
o [2004/01/12] kern/61259  ipfw   [patch] make "ipfw tee" work as intended
o [2004/03/09] kern/63961  ipfw   ipfw2 uid matching doesn't work correctly

12 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 21 14:48:08 2004
Date: Wed, 21 Jul 2004 14:48:08 GMT
From: Volker Stolz
To: vs@FreeBSD.org, freebsd-i386@FreeBSD.org, ipfw@FreeBSD.org
Subject: Re: i386/60154: ipfw core (crash)

Synopsis: ipfw core (crash)

Responsible-Changed-From-To: freebsd-i386->ipfw
Responsible-Changed-By: vs
Responsible-Changed-When: Wed Jul 21 14:47:02 GMT 2004
Responsible-Changed-Why:
Assign to ipfw mailing-list

http://www.freebsd.org/cgi/query-pr.cgi?pr=60154

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 22 06:43:39 2004
Date: Thu, 22 Jul 2004 09:43:44 +0300
From: Evgeny Ivanov
To: freebsd-ipfw@freebsd.org
Subject: IPFW2 tables Again

Hi all,

I now have the tables and ipfw2, but want to ask you for some details.
I have the following config:

In table 1 are added about 120 network addresses - from class B networks
to single IP's.
The idea is that I want to create 2 different bandwidth limitations for
addresses in the table and for all other addresses.
What I did was:

ipfw add pipe 1 all from table(1) to 192.168.0.1 out via int-if   - For IP's in table
ipfw add pipe 10 all from any to 192.168.0.1 out via int-if       - For all other IP's
ipfw pipe 1 config bw 1Mbit/s
ipfw pipe 10 config bw 128Kbit/s

The question is: can I do it for about 200 users, and would that affect
the machine performance? Because the table will be checked many many times.

Can you please advise me?

Regards
Evgeny Ivanov

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 23 21:21:13 2004
Date: Fri, 23 Jul 2004 23:21:01 +0200
From: "Chris Knipe"
Reply-To: Chris Knipe
Subject: ipfw & MAC Filtering

Lo all,

Just very quickly...

00500  0  0 allow ip from any to any MAC 00:30:4f:27:0e:1a any via ath1
00501  0  0 allow ip from any to any MAC any 00:30:4f:27:0e:1a via ath1

su-2.05b# arp -an
? (198.19.0.49) at 00:30:4f:27:0e:1a on ath1 [ethernet]

su-2.05b# uname -sr
FreeBSD 5.2.1-RELEASE-p9

Why does it not see anything??

Basically, I want to try and firewall any device on the network except for
a specific list of MAC addresses.... However, I am lost because ipfw does
not seem to even want to see the mac address?? :/

--
Chris.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 23 21:56:22 2004
Date: Fri, 23 Jul 2004 23:56:08 +0200
From: Christian Hiris <4711@chello.at>
To: freebsd-ipfw@freebsd.org, Chris Knipe
Subject: Re: ipfw & MAC Filtering

On Friday 23 July 2004 23:21, Chris Knipe wrote:
> Lo all,
>
> Just very quickly...
>
> 00500  0  0 allow ip from any to any MAC 00:30:4f:27:0e:1a any via ath1
> 00501  0  0 allow ip from any to any MAC any 00:30:4f:27:0e:1a via ath1
>
> su-2.05b# arp -an
> ? (198.19.0.49) at 00:30:4f:27:0e:1a on ath1 [ethernet]
>
> su-2.05b# uname -sr
> FreeBSD 5.2.1-RELEASE-p9
>
> Why does it not see anything??
>
> Basically, I want to try and firewall any device on the network except for
> a specific list of MAC addresses.... However, I am lost because ipfw does
> not seem to even want to see the mac address?? :/
>

Have you set sysctl net.link.ether.ipfw=1 ?

br
ch

--
Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x941B6B0B
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 23 21:58:06 2004
Date: Fri, 23 Jul 2004 23:58:10 +0200
From: "Chris Knipe"
To: "Christian Hiris" <4711@chello.at>
Reply-To: Chris Knipe
Subject: Re: ipfw & MAC Filtering

Thanks Christiaan :))

Works now, and yes - I feel stupid...

Regards,
Chris.

----- Original Message -----
From: "Christian Hiris" <4711@chello.at>
To: ; "Chris Knipe"
Sent: Friday, July 23, 2004 11:56 PM
Subject: Re: ipfw & MAC Filtering

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 23 22:37:16 2004
Date: Fri, 23 Jul 2004 16:37:14 -0600
From: Jose Hidalgo Herrera
To: Chris Knipe
cc: Christian Hiris <4711@chello.at>
cc: jose@hostarica.com
cc: freebsd-ipfw@freebsd.org
Reply-To: jose@hostarica.com
Organization: Corp. Hosta Rica
Subject: Re: ipfw & MAC Filtering

I think you shouldn't. That variable should be set to 1 if you use the
"MAC" operator; you already said what you want!

On Fri, 2004-07-23 at 15:58, Chris Knipe wrote:
> Thanks Christiaan :))
>
> Works now, and yes - I feel stupid...
>
> Regards,
> Chris.
>
> ----- Original Message -----
> From: "Christian Hiris" <4711@chello.at>
> To: ; "Chris Knipe"
> Sent: Friday, July 23, 2004 11:56 PM
> Subject: Re: ipfw & MAC Filtering
>
>
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
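
The MAC allowlist asked about in the "ipfw & MAC Filtering" thread above, as an added example that is not from any of the posters: a script that validates a list of MAC addresses and prints the sysctl and ipfw commands for review. The function names, the starting rule number 500 and the print-instead-of-apply behaviour are assumptions; the interface and address in the sample run are the ones shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: the function names, the
# starting rule number 500, and printing the commands for review instead
# of running them.

# is_mac ADDR: succeed only for six colon-separated hex octets.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# mac_allowlist_rules IFACE MAC...
# Print the commands for a source-MAC allowlist on IFACE. Every address is
# validated first, so a typo yields no rules at all rather than a partial set.
mac_allowlist_rules() {
    iface=$1
    shift
    [ "$#" -gt 0 ] || { echo "no MAC addresses given" >&2; return 1; }
    for m in "$@"; do
        is_mac "$m" || { echo "malformed MAC: $m" >&2; return 1; }
    done
    # Without this sysctl ipfw never sees Ethernet frames and MAC rules
    # keep zero counters, as in the rule listing posted in the thread.
    echo "sysctl net.link.ether.ipfw=1"
    n=500
    for m in "$@"; do
        m=$(printf '%s' "$m" | tr 'A-F' 'a-f')
        # Syntax is "MAC dst-mac src-mac": any destination, listed source.
        echo "ipfw add $n allow ip from any to any MAC any $m layer2 in via $iface"
        n=$((n + 1))
    done
    # Frames from unlisted sources stop here; "layer2" keeps the rule off
    # the later IP-layer pass, where MAC options cannot match.
    echo "ipfw add $n deny ip from any to any layer2 in via $iface"
}

# Constructed sample run using the interface and MAC shown in the thread.
mac_allowlist_rules ath1 00:30:4f:27:0e:1a
```

The deny rule is limited to inbound layer-2 frames, so the firewall's own outbound traffic (including its ARP requests) is not affected.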